PRESS RELEASE

PALO ALTO, Calif., April 2, 2024/PRNewswire-PRWeb/ -- TruCentive, a leader in incentive automation solutions, announced a significant enhancement to its platform: HIPAA-compliant personal information de-identification (PII) capabilities. This new feature is designed to strengthen privacy protections and ensure the security of sensitive information, marking a significant step forward in TruCentive's commitment to data protection for researchers worldwide.

With the healthcare industry's increasing reliance on digital platforms, the need for stringent data protection measures has never been more critical. TruCentive's latest update addresses this need by providing a robust solution for de-identifying personally identifiable information, ensuring that all data processed through its platform meets the rigorous standards set by the Health Insurance Portability and Accountability Act (HIPAA).

"This enhancement is a testament to TruCentive's dedication to privacy, security, and compliance," said Lori Laub, CEO of TruCentive. "By integrating HIPAA-compliant de-identification, we're safeguarding participants' personal information and providing our clients with the peace of mind that comes from knowing their incentive programs are fully compliant with federal regulations."

The de-identification process removes all identifiers that could potentially link back to an individual, such as email addresses, names, dates, and compensation selections directly related to an individual. This allows TruCentive's clients to utilize the platform for research compensation while ensuring the anonymity and privacy of individuals' data.

"We are excited to expand Shaip's expertise in data privacy to the Incentive Automation marketplace," said Hardik Parikh, co-founder and CRO of Shaip. "This marks a milestone in blending technological innovation with strict compliance to protect sensitive information and build client trust."

TruCentive's HIPAA compliant personal information de-identification feature is immediately available to Enterprise platform users, reaffirming the company's position at the forefront of secure and compliant incentive automation solutions.

Please visit https://trucentive.com/research-compensation/ for more information about TruCentive and its new HIPAA compliant de-identification capabilities.

About TruCentive

TruCentive helps organizations engage with employees, partners, and customers in personalized, innovative ways. By seamlessly integrating the delivery of merchandise, gift cards, and payments, companies increase the effectiveness of their existing incentive programs and improve relationships. With thousands of merchandise options, 3,000+ gift cards worldwide, 85,000+ local merchant options, Visa, AmEx, and MasterCard cards, payment options including Deposit-to-Debit-Card, PayPal, and Venmo, and integrations with popular marketing, sales, and HR tools, TruCentive is essential to successful HR, demand generation, account-based, and customer appreciation and incentive programs.

About Shaip

Headquartered in Louisville, Kentucky, Shaip is a fully managed data platform designed for companies looking to solve their most demanding AI challenges, enabling smarter, faster, and better results. Shaip supports all aspects of AI training data, from data collection to licensing, labeling, transcribing, and de-identifying, by seamlessly scaling our people, platform, and processes to help companies develop their AI and ML models. To learn how to make your data science team and leaders' lives easier, visit us at www.shaip.com.

TruCentive Enhances Privacy With HIPAA Compliant Personal Information De-identification

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

Source: rarrarorro via Shutterstock

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, when researchers at NetWitness spotted it during a routine audit for the service provider. During that period, the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

**A Near Miss**

But it's the "what else could have happened" that's the really scary part, says Stefano Maccaglia, global practice manager, incident response, at NetWitness, discussing the incident for the first time with Dark Reading recently.

The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup, Maccaglia says.

"We are normally very collected, but in this case, we were terrified," Maccaglia says of NetWitness' discovery. "The threat actor literally had their finger on the button but didn't push it."

NetWitness' involvement in the Qatar World Cup began in 2022, about six months before the event, when several local service providers hired the company to assess the cybersecurity preparedness of some of the supporting IT infrastructure for the games. Like with other security vendors involved in the effort, the telecom provider gave NetWitness access to a substantial portion of its tech stack and environment — but not to all of it.

According to Maccaglia, the NetWitness team detected and remediated several issues on parts of the provider's tech stack to which the company had access. But it wasn't until early 2023 that the service provider finally opened up the rest of the environment to NetWitness for additional auditing. This was when NetWitness unearthed log activity suggesting that someone had gained access to the provider's network.

**A Rootkit and a Backdoor**

The company's subsequent investigation showed the attacker had planted a sophisticated rootkit and a backdoor, dubbed Waterbear, on a critical configuration management database (CMDB) storing device configurations for the provider's customers. NetWitness found the attackers had used PLEAD — a remote access Trojan commonly associated with the BlackTech APT — to target additional systems within the environment.

"The attacker aimed to control this database \[from\] the beginning, because it would allow him/her to swap configurations on the fly and revert them back, once finished, leaving no traces," Maccaglia says.

BlackTech is a threat actor that the US Cybersecurity and Infrastructure Security Agency (CISA) last year identified as a threat to organizations in the telecommunications, technology, media, electronics, and industrial sectors. In an advisory, CISA described the threat actor (aka Radio Panda, Circuit Panda, Temp.Overboard, and Palmerworm) as particularly adept at modifying router malware without detection and the exploiting routers' domain-trust relationships to gain access to victim networks. "BlackTech actors' TTPs include developing customized malware and tailored persistence mechanisms for compromising routers," CISA noted. "These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters' networks."

In the attack on the telecom provider in Qatar, BlackTech actors used their access to the CMDB to change configurations on Asus routers associated with various organizations in such a manner as to make systems belonging to these organizations become accessible over the Internet. They then uploaded PLEAD — concealed in legitimate looking software updates from Asus — to these systems by modifying the DNS resolution of asus.com. The threat actor then leveraged PLEAD to steal data from the victim organizations. Among the systems infected in this manner were those associated with the World Cup games. The attackers would change the router config details for a few hours at a time and then revert back to the original rules to minimize the chances of detection, Maccaglia says.

**Worrying Lack of Visibility**

The fact that no one was able to spot the intrusion in the months leading up to the World Cup, during the event, or for months later is worrisome, Maccaglia says. With the countdown for the 2024 Summer Olympics well underway, it is imperative that the entire technology stack supporting the games be vetted for security issues, he says.

The Olympics, like other major sporting events, such as the Super Bowl, have become huge cyberattack targets in recent years. In 2019, for instance, a threat group later identified and linked to Russia's military intelligence also attempted to disrupt the opening of the Winter Olympics in South Korea after Russian athletes were banned from participating over doping concerns.

"As we saw with the World Cup, threats can live in obscure places and keep a very low profile," Maccaglia says, adding, "You can't find what you aren't allowed to look for," in advocating for broader visibility for companies like NetWitness into the entire supporting infrastructure for the game.

"When you behave as if there's always a threat present, you put yourself in a position to mitigate damage and, potentially, get ahead of the threat in the environment," he says. "This will be critical for the 2024 Summer Games."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

Effective Rhadamanthys phishing campaign spoofs nonexistent "Federal Bureau of Transportation" to compromise recipients, analysts discover.

Source: Frode Koppang via Alamy Stock Photo

An updated version of the Rhadamanthys malware-as-a-service (MaaS) is being deployed against oil and gas companies, using an effective new lure with a concerning amount of success.

Cofense has been tracking the campaign, which uses emails and a PDF file disguised as communications from the "Federal Bureau of Transportation," according to a new flash alert from the email security analysts. No such bureau exists, and may be a mashup of the Department of Transportation and the Bureau of Transportation Statistics, an purview.

"It is not clear as to why this specific sector is \[being targeted\], but the campaign in its current form could be relevant in most sectors if threat actors decided to change targets," the Cofense alert explained. "While the campaign was actively sending emails, it was successfully reaching targets at an alarming rate."

The campaign appeared just days after the LockBit takedown in February, the analysts said. The latest version of Rhadamanthys, 5.0, was updated earlier in 2024 with improvements to its evasion and data stealing capabilities, Cofense added.

The phishing emails are also carefully crafted, the researchers pointed out. The phishers crafted multiple, provocative subject lines like, "Notification: Incident Involving Your Vehicle," and "Attention Needed: Your Vehicle's Collision."

"As peculiar as it might seem to use vehicle incidents as a phishing lure, the threat actor(s) here put immense effort to ensure that their emails along with the infection chain target recipient's emotions," Cofense added. "Each email body and subject are both different than the next, but they can be summarized by notifying an employee of a car incident through an employer notification, possible legal actions, or even a notice of contacting law enforcement."

**About the Author(s)**

Oil &amp; Gas Sector Falls for Fake Car Accident Phishing Emails

As part of its Secure by Design initiative, CISA urged companies to redouble efforts to quash SQL injection vulnerabilities. Here's how.

Source: Casimiro PT via Shutterstock

For more than a decade, injection vulnerabilities have literally topped the charts of critically dangerous software flaws, deemed more serious than all other types of vulnerabilities in the 2010, 2013, and 2017 Top 10 lists maintained by the Open Web Application Security Project (OWASP).

Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application security experts consider one of 13 different "unforgivable" classes of vulnerabilities that programmers should catch during development.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the agency stated in its March 25 advisory. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007."

The root of injection vulnerabilities is a lack of input sanitization; when the application receives variable input, there's always the risk of that input being tainted, says Randall Degges, head of developer relations at application security firm Snyk.

"Although this has been an issue since programming existed, the reason it’s still in the top 10 vulnerabilities after all this time is because there are an infinite number of ways to use input, and often time sanitizing input is tricky," he says.

For software developers looking to nix this particular issue, here's how.

**1\. Educate Yourself and Others**

The first step is always education. OWASP offers cheat sheets on SQLi, how to detect the vulnerability, and ways of creating safe code. Some Web application frameworks aim to educate developers while they are programming, using application programming interface (API) names to make the risk of some functions clear, such as React's "dangerouslySetInnerHTML" function, says James Kettle, director of research at PortSwigger, an application security testing firm.

In addition, developers should not necessarily trust the makers of open source software — especially components that have not been well vetted — to use safe code, and online tutorials are often unsafe as well, he says.

"I think the core issue is that there's a lot of unsafe APIs, where anyone using the API is vulnerable by default," Kettle says. "Even when there are more modern secure APIs available, fresh code is written using the unsafe versions, thanks to old unsafe examples in StackOverflow."

**2\. Harden the DevOps Pipeline Using Automated Tools**

Developers should implement unit tests to check code for SQLi flaws — and other common security issues — during development, add static application security testing (SAST) both prior to and after commits, and include scans for SQLi as part of dynamic application security testing (DAST).

Unit tests can be added using frameworks such as tSQLt for testing Microsoft SQL Server, pgTAP for testing applications that use PostgreSQL, and Pytest and SQLAlchemy for unit testing in Python programs. A variety of SQL unit testing best practices should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and avoiding descriptive naming of the tests.

In addition to automated tests in the development pipeline, developers should make sure to use SQL frameworks, such as SQLAlchemy, because many security improvements are already baked in, says Snyk's Degges.

"Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you're using it correctly when building queries," he says.

**3\. Play Around With SQLMap**

The open source program SQLMap is a great tool for penetration testers to experiment with SQLi, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also educate application developers to the true dangers of SQLi and how vulnerable code can be exploited.

However, the tool is not necessarily the best way to scan for potential vulnerabilities, says PortSwigger's Kettle.

"In my experience, the detection capabilities are slow, heavyweight, and prone to false positives," Kettle says. "Also, it can't explore websites to find the attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically."

**4\. Consider a DAST Service**

Automating SQL injection scanning using DAST as part of the quality assurance stage — and even earlier in the DevOps pipeline, if possible — can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQLi in legacy code.

While Web application firewalls (WAFs) can prevent SQLi attacks from reaching an application, they should be used only as part of a defense-in-depth strategy, Kettle says.

"Personally, I've seen runtime protection like WAFs bypassed so many times that I don't have much confidence in them," he says. "I would recommend a bug-bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can't be patched."

**5\. Expand Beyond SQL**

Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, since SQLi is only one class of injection vulnerabilities.

OWASP broadened the definition of an injection vulnerability to be any software flaw where user-supplied data is not validated or sanitized by an application and then sent to an interpreter. Cross-site scripting, SQL, operating system scripting, and parsing the Lightweight Directory Access Protocol (LDAP) are all areas that can be vulnerable to injection.

With the advent of artificial intelligence models, for instance, prompt injection is the latest form of an injection attack.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

How to Tame SQL Injection

Guests affected by the companywide disruption vented their frustrations on social media.

Source: Andrew Shurtleff via Alamy Stock Photo

UPDATE

This story was updated at 3:30 ET on April 4 to reflect new information about the cause of the outage.

Omni Hotels & Resorts last week experienced a cyberattack that led to an outage, bringing down the company's IT systems.

In a notice on the Omni Hotel website, the company explained that after learning of the cyberattack, it shut down its systems to protect its data.

This cyberattack impacted operations and hotel functions such as reservations, hotel room door locks, and point-of-sale (POS) systems, but it is unclear what data, if any, was impacted.

The Omni's website went down Friday as well but was back in service by the weekend, with a notification to customers reading, "Dear valued guest, we are currently experiencing technical difficulties, please try back at a later time."

Customers shared their experiences on social media sites like X (formerly known as Twitter) and Reddit.

On a "r/hotels" Reddit thread, a user posted about the hotel outage, alerting that the computer systems were down. Another user responded saying "It's pretty bad. They have it so you have to text them to come let you into your room, and it usually takes 30+ minutes for an employee to get there and unlock it for you," referencing the inoperable digital locks on hotel rooms.

Omni hasn't disclosed what caused this cyberattack, ransomware or otherwise, though Elise Carmichael, CTO of Lakeside Software, said that identifying the causes of these kinds of outage can be "like finding a needle in a haystack" for some companies.

"Organizations will go into a war room either literally or virtually — pulling a dozen people at all hours to find this needle. Unfortunately, today, finding this needle is exceedingly difficult as nearly every organization is reactionary," Carmichael said in an emailed statement to Dark Reading. 

Carmichael recommended that organizations and businesses collect the kind of data they need to solve these kinds of issues prior to an event like an outage or cyber incident actually happening. 

"With this kind of visibility, they can predict problems before they disrupt the business at wide scale, preventing most of these war room situations," Carmichael added.

Omni has launched an ongoing investigation into the attack and is working to restore whatever systems are not yet fully operational. The hotels will remain open and are accepting new guests and reservations on its website.

Omni Hotel IT Outage Disrupts Reservations, Digital Key Systems

Security teams often confuse tool purchasing with program management. They should focus on what a security program means to them, and what they are trying to accomplish.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

I've had the pleasure of speaking to hundreds of security teams, and the biggest mistake I've seen is that they often mistake tool purchasing with program management, meaning they often think of the tool driving the program, rather the tool being a part of the program. Instead of focusing on the tool, security teams should focus on what a security program means to them, and what they are trying to accomplish. Below, I share insights that can improve your cybersecurity strategy.

**The Misconceptions and Limitations of Cybersecurity Tools**

Not planning a program end to end can lead to failure. Being able to detect something, but doing nothing about it, isn't useful. Too often, security teams fall for the misconception that a security tool is a comprehensive security program. But can we fault them?

Cybersecurity tools are packaged to be appealing: sleek dashboards, integrations, APIs, multiple language support, the promise to find everything. These features give the illusion of a sure bet for security. Security teams buy these tools expecting, then hoping, finally pleading, that their bet will pay off. 

**The Known-Bug Breach**

Organizations routinely need weeks to months to fix a software vulnerability. Even more startling, in a third of security breaches, the pending security fix was known before it was exploited. Why? This often stems from security tickets falling in priority because of the inability to drive a meaningful vulnerability management program and getting stakeholder buy-in. 

**Best Practices for Building Effective Cybersecurity Programs**

The National Institute of Standards and Technology (NIST) defines a security program "as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." A security program answers: why this, what to do about it, when, how, and who. It simplifies those answers by forming them into policies and instructions for everyone to follow.

"In my org," a former chief information security officer (CISO) told me, "we didn't greenlight any tool purchasing until a remediation plan was established for the tool." This ex-CISO understands that managing security well is managing the security program, which, in turn, is managing, maintaining, and building a security culture. To be effective, you have to embed the security program in every layer of the business.  

My advice: Before you buy a tool like SAST, lay the groundwork for a security program.

There are so many threat models and definitions out there that it can be overwhelming. Instead, keep it simple to start. Use this tried-and-true formula:

program = tool + people + processes + goals

If you do this, you will avoid the misconception that a tool is a program. These best practices bolster more effective cybersecurity programs that are resilient, adaptable, and capable of remediating bugs. 

In the following two sections, I want to call out two important and often overlooked pieces of this equation that might be misunderstood.

**Stakeholder Engagement in Security Programs**

Stakeholder engagement is crucial to a security program. The vast majority of a security team's success is based on the relationships and buy-in they achieve with key stakeholders, like engineering teams. Forgetting stakeholder buy-in and commitment will fail the vast majority of purchases.

Stakeholder engagement ensures that everyone understands the importance of cybersecurity and eliminates ambiguity. The security program helps every individual understand their role in security and importance in fulfilling that role. In the case of implementing a SAST tool, not having buy-in from your engineering team means you're going to rack up a vulnerability count because you can't act on it. 

**Vulnerability Management **

Vulnerability management is a core component of a strong security program, and generally applicable to most security tools. We've found only the largest of enterprises will hire a dedicated vulnerability manager, and often most organizations don't have someone owning and driving those vulnerabilities.

Vulnerability management involves identifying, assessing, prioritizing, and then addressing vulnerabilities in the system. This is a continuous process that requires regular monitoring and updating. 

For example, in fixing code vulnerabilities from a SAST tool, essential to vulnerability management is remediation and, later, prevention. There is plenty of information about proactive efforts. The big addition I can add here is using cutting-edge tools to achieve rapid maturation for your vulnerability management program — namely, auto-remediation. The recent developments in AI have enabled teams to behave like their counterparts. For example, product managers can now do data science tasks. Additionally, AI is enabling teams to automatically fix vulnerable source code. Security teams can't scale their efforts alone. They need to invest in actions and systems that help them drive programs. 

**Conclusion**

Cybersecurity tools are no replacement for a robust security program. No one buys construction tools and starts building willy-nilly. Without a plan, they'd end up with a chaotic assembly of screwed-in screws, hammered nails, and sawed boards. That isn't productivity. It's busywork. Sadly, a tool without a robust plan behind it can go the same way. A security program assures that security tools are effective and deliver value for your organization — and, ultimately, increase the security of your organization.

**About the Author(s)**

Founder & CEO, Corgea

Ahmad Sadeddin is the founder and CEO of Corgea. A three-time startup founder and product leader, he's worked on building and scaling software products for over 15 years. Securing software products was always a challenge, so Corgea was born from his frustration at the manual and inefficient processes to remediate security issues. Corgea automatically fixes insecure code.

The Biggest Mistake Security Teams Make When Buying Tools

A federal review board demanded that the tech giant prioritize its "inadequate" security posture, putting the blame solely on the company for last year's Microsoft 365 breach that allowed China's Storm-0558 to hack the email accounts of key government officials.

Source: Wachirawit Lemlerkchai via Alamy Stock Photo

A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a July 2023 cyberattack that let Chinese threat actors breach Microsoft 365 accounts to spy on key US government officials.

A report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft's security culture, putting the blame squarely on the company and a "cascade of security failures" for the cyber espionage attack by China-based threat group Storm-0558, which "never should have happened."

The board — which was investigating the breach at the behest of President Joe Biden — demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.

"To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products," officials said in the report.

**Put Security Before Product Innovation**

As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.

Microsoft leadership also should consider directing internal Microsoft teams to "deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made," instead assessing and addressing security before deploying any new features, the board concluded.

Given the dependence on the security of Microsoft's cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it "a core element" of cloud offerings instead of an add-on service for an extra fee.

Microsoft already relented and dropped fees associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a logging tax on customers.

**This One Is on Microsoft**

The overall finding of the board is that the blame for the breach — which allowed Storm-0558 to gain access to email accounts across 25 government agencies in Western Europe and the US — is solely with Microsoft, and was directly due to a series of security failings on the part of the company.

As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 owned up to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.

The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft's Internet-connected corporate network, where threat actors likely picked it off.

However, government officials held executives feet to the fire over the company's failure to detect the compromise of its "cryptographic crown jewels on its own," as it was a customer — a human rights organization who did not have access to advanced cloud security logging — that first alerted the company to a potential issue.

Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause "in a timely manner." Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended its blog post and acknowledged it never located a crash dump containing the key.

Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products "underpin essential services that support national security, the foundations of our economy, and public health and safety," which in turn, requires Microsoft "to demonstrate the highest standards of security, accountability, and transparency," officials concluded.

A Microsoft spokesperson said that the company appreciates the work of the board to investigate the attack, and that in its aftermath the company has recognized a"a need to adopt a new culture of engineering security in our own networks."

To that end, Microsoft unveiled what it's calling a Secure Future Initiative, to mobilize its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.

"Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the spokesperson said, adding that Microsoft will also take into consideration any additional recommendations by the board.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds to Microsoft: Clean Up Your Cloud Security Act Now

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

Source: Anatolyi Deryenko via Alamy Stock Phot

It's clear from the comments by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, and from documents leaked from a Chinese hacker-for-hire ring, that there's a growing threat from and demand for a market for cyber vulnerabilities. Even more alarming, however, was Easterly's assessment that "we've made it easy on" attackers through poor software design. To secure our systems and prevent a whole-of-society or whole-of-economy attack like the one that Easterly and her peers descripted to Congress, it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

Cybersecurity statistics from 2023 paint an even clearer picture of how easy it is for hackers: In Chromium, the engine that powers Chrome and Edge, eight previously unknown vulnerabilities (zero-days) were identified. Even software designed to keep users and networks secure was not immune from compromise. CISA opened 2024 with an emergency directive for federal departments and agencies to patch a series of vulnerabilities in VPN software designed for securing employee connections to federal networks. In the coming months, it's also likely that the creation of a market for hacks and hacked data by the likes of iSoon, as well as the growing offensive threat posed by AI, will make cyber defense even more challenging.

As CISA articulated in its Secure by Design initiative, vendors are the first step to creating technologies that are both secure and usable. Taking security into account along with performance and features from day one of a product's development will not only help build a secure technology stack but will also ensure that products truly balance security and performance instead of creating hurdles to good user experience masquerading as security features. But even CISA's ambitions to bring Secure by Design to life as a regulatory framework is insufficient to drive the sea change that's needed to turn the tide against emboldened and AI-empowered hackers — without support from the market, even the most well-intentioned and well-informed regulations will devolve into a box-checking enterprise.

**Cyber-Risk Is Business Risk**

To secure our economy and privately operated infrastructure, businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. By increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes. In doing so, cybersecurity will become less of a last-minute hurdle to business effectiveness and more of an enabler to build a technology ecosystem and operations model that are both successful and secure.

As executives prioritize cybersecurity as a factor in their strategic decisions, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. IT professionals must realize that shortcuts to bypass security controls in favor of user experience or network efficiency incur unnecessary risk for their companies; in return, cybersecurity professionals must proactively look for technology that provides users a good experience while isolating them from technical risks. Both groups need to collaborate to create education for their workforces that are based on a real-time understanding of the risks they face and empowering good decisions about those risks rather than annual, quarterly, or monthly training that too often runs in the background while employees do their "real jobs."

The final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens. While CISA and the US government writ large have put much of the burden for secure development and secure decisions on companies, citizens must realize that the cybersecurity stakes go far beyond individual credit cards and bank accounts. The doomsday scenario of a simultaneous power, water, and communications disruption brings these stakes into focus, and day-to-day citizens must be willing to increase their cyber literacy and compliance to stop this scenario from unfolding. Just as we accept and comply with the incessant tones that remind us to buckle our seatbelts when driving, we must accept minor cybersecurity "nudges" like multifactor authentication of sensitive work and personal.

It's easy to catastrophize the consequences a Chinese cyberattack could bring — and it's certainly worth talking about response, resiliency, and recovery policies. It's hard to look in the mirror and realize that, in the rush to develop, purchase, and consume feature-rich technology, we've made it "easy" for our adversaries. But this doesn't have to be the case. If we work together and integrate cybersecurity as part of our corporate and individual thinking, we can make life harder for the hackers and safer for ourselves.

**About the Author(s)**

Field CTO, Garrison Technology

Adam Maruyama is a cybersecurity and national security professional and the current Field CTO for Garrison Technology. He served more than 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.

Why Cybersecurity Is a Whole-of-Society Issue

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Shamla Naidoo, Head of Cloud Strategy & Innovation, Netskope

April 3, 2024

5 Min Read

Source: Feng Yu via Alamy Stock Photo

COMMENTARY

In recent global election cycles, the Internet and social media have facilitated the widespread dissemination of false news, misleading memes, and deepfake content, overwhelming voters. Given that it is difficult to directly compromise election systems used to vote and count votes, adversaries turn to the age-old psychological manipulation technique to get the desired outcomes: no hacking needed. With the emergence of generative artificial intelligence (AI) tools, the impact of disinformation campaigns is expected to escalate further. This has led to increased uncertainty and ambiguity regarding reality, with personal biases often shaping perceptions of truth.

In a sense, disinformation is like a cyber threat: As security leaders, we realize that malware, phishing attempts, and other attacks are a given. But we put controls in place to minimize the impact, if not prevent it entirely. We develop defense strategies based on decades of historical knowledge and data to gain the best advantage.

Today's disinformation campaigns, however, are essentially a product of the last decade, and we have not yet designed a mature series of controls to counter it. But we need to. With 83 national elections in 78 countries taking place in 2024 — a volume not expected to be matched until 2048 — the stakes have never been higher. A recent wave of troubling incidents and developments illustrate the many ways that adversaries are attempting to deceive the hearts and minds of the world's voters:

*   In Europe, the French Foreign Minister accused Russia of setting up a network of more than 190 websites intended to spread disinformation to "destroy Europe's unity" and "make our democracies exhausted" in seeking to discourage support for Ukraine. The network, codenamed "Portal Kombat," has also sought to confuse voters, discredit certain candidates, and disrupt large sporting events like the Paris Olympics.
    
*   In Pakistan, voters have been exposed to false Covid-19 and anti-vaccination propaganda, online hate speech against religious groups, and attacks on women's movements.
    
*   The World Economic Forum ranks foreign and domestic entities' or individuals' use of misinformation and disinformation as the "most severe global risk" for the next two years — over extreme weather events, cyberattacks, armed conflicts, and economic downturns.
    

Let's be clear here about the difference between disinformation and misinformation: The latter is information that is wrong, but not intended for mass distribution. The "fake news" distributor may not even be aware of its inaccuracies.

Disinformation, on the other hand, occurs when an entity (such as an adversarial nation-state) knowingly leverages misinformation with the intent of viral distribution.

The psychological manipulation jeopardizes the stability of democratic institutions. Think of disinformation farms as a large office floor with hundreds or even thousands of people doing nothing but making up authentic-looking blogs, articles, and videos to target candidates and positions that contradict their agendas. Once unleashed on social media, these falsehoods spread rapidly, reaching millions and masquerading as real events.

How can citizens best protect themselves from these campaigns to maintain a firm grasp on what's real and what isn't? How can cybersecurity leaders help?

Here are four best practices.

**DYOV: Do Your Own Vetting**

A meme or GIF doesn't stand alone as a credible source of information. Not all professional-looking publications are credible or accurate. Not every statement from a trusted source may be their own. It’s too easy to create fake videos using AI-generated images. There are few arbiters of truth on the Internet, so buyer beware. Moreover, we can't depend on social media platforms to monitor and eliminate disinformation — regardless of whether we agree or embrace it. Section 230 has established immunity for online companies serving as publication resources for third-party content.

It's critical to look at different platforms and reconcile those with what government websites, real news outlets, and respected organizations such as the National Conference of State Legislatures (NCSL) are reporting. Inconsistencies should serve as a warning sign. Also, when seeking out biases from the information source, always ask, "Why should I believe this? Who is the author? What is their interest in this position?"

**2\. Avoid Becoming Part of the Problem**

Social media makes it too easy to run with a post or video that presents a version of "truth" that is anything but. Architects of disinformation campaigns depend upon individual users to spread their messages, i.e., "It came from my sibling/boss/neighbor, so it must be true." Again, DYOV before passing anything along. Be judicious about clicking on "forward" and "like" buttons to avoid being an engine of these campaigns.

**3\. Follow Watchdogs**

Organizations like the Netherlands-based Defend Democracy, the University of Pennsylvania-based FactCheck.org and Santa Monica, Calif.-based RAND Corp. offer resources to better help distinguish fact from fiction. In the academic community, San Diego State University's University Library and Stetson University's duPont-Ball Library maintain a list of watchdog groups, databases, and other resources.

**4\. Take a Leadership Stand**

As cybersecurity professionals, we recognize that threats like brand impersonation and phishing occur beyond our controlled technology environments. We cannot block every email, and our controls won't block or even detect impersonations on technology that we don't control. Instead, we must actively promote cyber education and awareness so employees can learn about the latest phishing attempts and the dangers of clicking on unfamiliar links.

We should take a similar, education-focused approach with disinformation campaigns. We can create employee awareness programs so they understand what to look for, even when the attempts do not involve our technology. We can even promote this knowledge through various platforms — internal company communications, public-facing blogs, articles — where we have a prominent voice. Offer credible and contextual resources against which they can vet information.

Unfortunately, disinformation — especially during political seasons — cannot be avoided, forcing us to field all relevant "facts" through appropriate vetting. However, tools enable everyone to do this while educating employees and the public as cybersecurity leaders. If they do so, 2024 may be remembered as the year when the global community decided that the truth matters.

**About the Author(s)**

Head of Cloud Strategy & Innovation, Netskope

Currently the head of cloud strategy & innovation at Netskope, Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Shamla has helped organizations in over 20 countries recognize the impact of digital transformation globally and advise their stakeholders on predicting and navigating the necessary changes in laws and regulations. In addition, she has worked with intelligence communities to use digital and cyber within their organizations to protect businesses and society from technology misuse.

Shamla remains actively engaged in the industry, with organizations like the Security Advisor Alliance, the Shared Security Assessments Group, Institute for Applied Network Security (IANS), Executive Women’s Forum (EWF), HMG Strategy Group, and the Round Table Network. In addition, she is an influential member of the legal community, creating and teaching courses on law, technology, and privacy for the University of Illinois Chicago School of Law. She frequently speaks at the American Bar Association and formerly served as the Committee Chair on Legal Technology for the Illinois State Bar Association. As a practitioner, teacher and coach, she enjoys the opportunity to help seasoned professionals to take their careers to the next level.

'Unfaking' News: How to Counter Disinformation Campaigns in Global Elections

An economic success story in Asia, Vietnam is seeing more manufacturing and more business investment. But with that comes a significant uptick in cybercrime as well.

Source: Jose Vilchez via Alamy Stock Photo

For one week last month, Vietnamese brokerage VNDirect Cyber Systems shut down its securities trading systems and disconnected from the country's two stock exchanges after a ransomware attack encrypted critical data. VNDirect was offline recovering until eight days later when the Ho Chi Minh and Hanoi stock exchanges allowed it to restart trading on April 1.

VNDirect Cyber Systems is just the latest Vietnamese company whose operations have been severely disrupted by a cyberattack.

In 2023, nearly 14,000 organizations across Vietnam suffered a cyberattack, an increase of 10% from the prior year, according to the country's National Cyber Security Centre (NCSC). While estimated damages caused by malicious software declined for the second year in a row to 17.3 trillion VND, or about US $690 million, a variety of other cybersecurity metrics continue to worsen, according to regional experts.

Overall, the country's economic picture is in flux. And that has led to a rise in cybercrime, says Ngoc Bui, a cybersecurity expert at Menlo Security, a provider of secure enterprise browser technology.

"Economic conditions, particularly in regions with limited job opportunities and low wages for high-skilled roles, can drive individuals to turn to cybercrime," he says. "This trend, fueled by the allure of cybercrime's rewards and digital anonymity, emphasizes the need for creating legitimate tech sector jobs to stimulate economic growth and counter cybercrime."

Vietnam is one of the fastest-growing economies in Asia, making the most of its connections to both China and the United States. The country's digital economy is expected to top US $43 billion by 2025, in part because of its focus on technology including initiatives in e-government, smart cities, and artificial intelligence, according to consulting giant PricewaterhouseCoopers. As a result, in mid-March, a delegation of nearly 60 US companies — including giants such as Meta and Boeing — visited the country to seek out investment opportunities.

**Cracked Software, Junk Bank Accounts**

The success has brought rapid technology adoption and significant cybercrime.

Nearly 750,000 systems were attacked by credential-stealing malware in 2023, an increase of 40% compared to the previous year, according to regional cybersecurity firm Bkav Technology Group. Online financial fraud has taken off due to a problem specific to the country: Bank account owners selling access to unused accounts. These so-called "junk accounts" make it difficult to track cybercriminals by following the money, says Nguyen Van Cuong, director in charge of cybersecurity at Bkav.

"Many people simply think that selling accounts they don't use won't be a problem," he said in a statement. "But in reality, bad guys have taken advantage of these bank accounts to carry out illegal transactions, hiding their origin, causing difficulties for investigation agencies."

Pirated or cracked software is another major issue. Fifty-three percent of computers are thought to be using pirated software, according to Bkav.

While the government has issued decrees to increase cybersecurity awareness, citizens continue to participate in these risky digital behavior, such as junk bank accounts and the use of cracked software, says Sarah Jones, a cyber threat intelligence research analyst at Critical Start.

"Vietnam's rapid digital growth creates a larger target for cybercriminals, and a lack of cybersecurity awareness among users makes them more susceptible," she says. "The widespread use of cracked software further exposes individuals and organizations to malware and exploitable weaknesses."

**Countering Cybercrime**

Vietnam's ruling Communist Party has strived to keep pace with cybercrime, issuing a number of directives to strengthen laws around the prevention and investigation of cybercrimes in 2021, and in 2020 launched efforts to raise public awareness of cybersecurity. Another directive, passed in 2019, required public sector organizations to spend at least 10% of their IT budget on cybersecurity. The sustained efforts has boosted Vietnam's ranking in the Global Cybersecurity Index to 25th out of 194 countries in the 2020 report (the latest available), up from 100th in 2017.

The country is already working with the United Nations Office on Drugs and Crime (UNODC) to strengthen the technical skills of law enforcement to tackle money laundering and other crimes.

Yet, divisions within the country are also driving the creation of dark platforms to escape increasing surveillance and Internet censorship by the government. A military group consisting of thousands of service members, known as Force 47, monitors communications and manages censorship in accordance with the government mandates, but also has resulted in the creation of several anonymity-as-a-service groups.

Such efforts will likely result in stronger Dark markets and platforms such as VietCredCare and DarkGate, both created by home-grown APT groups like Ocean Lotus and Lotus Bane, says Ken Dunham, cyber threat director at Qualys's threat research group.

"The threatscape in Vietnam is complicated with APT groups targeting companies for the benefit of the country, \[as well as\] Internet censorship, monitoring, and blocking of content by the Force 47 group," he says.

The next two years will be uncertain for Vietnam in many ways.

The leadership of the Community Party is expected to change by 2026, and economists wonder if the country can continue to deliver strong economic gains. Both uncertainties could breed more cybercrime in the future there.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading