Businesses need to turn privacy and security into an advantage. Store less data, and live up to customer expectations that their information is protected. Take small steps, be transparent about data management, and chose partners carefully.

Today, the mere threat of a breach can crush your business. The Twitter whistleblower saga shows that, after years of indifference, customers are sensitive to even rumors of data leaks. A few years ago, PR teams could paper over a small breach, and customers would accept it. A decade ago, massive data breaches made headlines, but customers stayed with the vendor because they believed that lightning couldn't strike twice.

Times have changed, though, so how can you protect yourself … and even turn privacy and security into an advantage? The companies that win will embrace small steps, transparency, and the right partners.

**Ex-Twitter Exec Blows the Whistle**

The Twitter whistleblower story will change how the news industry reports on security and privacy moving forward. Just as ransomware went mainstream with the Colonial Pipeline hack, security and privacy stories are going to become mainstream news. Even if your company isn't as high profile as Twitter, the floodgates have opened.

Furthermore, the Twitter story demonstrates that you don't need to be breached to make the news. Former Twitter security executive Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter's security and privacy policies and execution. While there have been well-known Twitter hacks, Zatko's most powerful criticisms are about Twitter's state of security. In his almost 200-page report to federal regulatory agencies and the Department of Justice, the most serious allegations are that Twitter provided regular employees access to central controls and sensitive information without adequate oversight.

**It Doesn't Matter If the Accusations Are True**

If a reporter asked, "Who has access to your data," could you answer? Would you want to answer? You will be convicted in the court of public opinion before you can defend your security posture. I have no inside information on the Twitter case, but it doesn't matter whether it's found to have egregious breaches of standard security protocols. There will be a large contingent that already assumes this information is true.

After so many high-profile breaches (Target, Adobe, Yahoo, and more), companies are considered guilty until proven innocent. Unfortunately, it's almost impossible to prove innocence since you cannot prove the absence of a breach. Furthermore, even if you could, by the time you could prove that you haven't been breached, the news machine already has moved on. You cannot react quickly enough to counteract the rumors.

**Why Are Customers So Sensitive to Privacy?**

Everybody knows that companies are gathering vast amounts of personal data. Clicking on the GDPR-inspired "Track my information" buttons may be a reflex, but we understand that we're always being tracked. Customers accept that their vendors will hold their personal data, but they expect the company to protect their information.

Unfortunately, cybercriminals are targeting personal customer information. Identity theft, spam, phishing, ransomware, and other attacks aren't just theoretical. Everybody knows somebody who's been affected.

With more data and more threats, every customer is sensitive to breaches. Corporate data breaches lead to fines, damaged reputations, and loss of customer trust. Companies are desperate to secure their data because it's the difference between survival and failure.

**How to Protect Yourself: Transparency**

The only way to survive is to be transparent about your data management. Most organizations are hesitant to talk about security and privacy because they know there is a chasm between what they are doing and what they should be doing, but everybody is in the same position. Therefore, whoever steps into the light will immediately take the lead.

When making yourself publicly accountable, you should:

1.  **Create a concrete, achievable plan.** Focus on the most business-critical data and risk areas. Make a short- and long-term plan, so your internal team and external customers will buy-in.
2.  **Set up regular public reviews.** Most organizations review their security and privacy posture with executives and the board of directors. Run that same review with the entire company so employees can participate and see that you care about the mission.
3.  **Get certified.** External auditors and certifications demonstrate that you're willing to hold yourself to a high standard and that you're not hiding anything. Nobody likes being audited, but it keeps you honest.

**Remember, You're Never Done**

Threats and expectations keep evolving, so you must keep ratcheting up your security plan, as well. Since most companies won't give you an unlimited budget, you'll need to plan for how to do more with less  

1.  **Offload work:** You don't need to do all the work on your own. The days of "Do it Yourself" security are past. If you can get a service to cover the basics, you can focus your team on business-specific security and privacy initiatives.
2.  **Use savings to fund initiatives:** Most teams look to push vendors for better discounts, not refresh assets, or overwork their team. Smart teams look for holistic savings. For example, advancements in security and privacy should reduce cyber-insurance premiums.
3.  **Store less data:** Most businesses want to store all their data, messages, and emails forever. Not only is this approach expensive, but it also creates nearly unbounded legal and privacy risks. You need to help your business teams understand the value of reducing retention periods.

**Start Today**

The best way to start protecting your company's reputation is with a single assignment. Pick one dataset — a business-critical application, your CRM system, or your backups. Figure out who has access to them. Create a plan to make them more secure. Then share that plan with your colleagues and hold yourself accountable.

Twitter's security issues are blanketing the news. When even a rumor can destroy your business, it's not the time to wait for consultants and focus groups. Now is the time to make your part of the world a little bit better, every day. Shine a light on how you protect your data, and your customers will trust you.

Twitter's Whistleblower Allegations Are a Cautionary Tale for All Businesses

Expansion of test coverage includes custom scan discovery, custom test scripts and custom test data for REST APIs, enabling developers to leave no paths untouched.

DENVER, Sept. 22, 2022 /PRNewswire/ — StackHawk, the company making application security testing part of software delivery, today announced its Deeper API Security Test Coverage release. This expands StackHawk's solution to help developers scan the entire API layer to uncover potential vulnerabilities. Today's application architectures require different approaches to security testing, and legacy security testing tools result in untested parts of the application, or require tedious manual testing and are too slow for most modern release schedules. With this release. StackHawk provides developers the ability to test APIs deeper and faster, so organizations can be confident every build they release is secure.

The API layer presents the highest level of security risk for software companies. Yet API discovery can be a challenge for many security teams. StackHawk's Deeper API Security Test Coverage release allows teams to leverage existing automated testing tools, such as Postman or Cypress, to guide discovery of the paths and endpoints, provide custom test data to be used during scans and cover proprietary use cases for security testing.

"Modern API and application security requires tooling that integrates into existing engineering workflows and provides thorough test coverage for today's application architectures," said Scott Gerlach, StackHawk co-founder and chief security officer. "With our recent release of Deeper API Security Test features, StackHawk continues to lead the market in depth and accuracy of real API security testing, all while remaining true to our developer-first security approach."

Engineering teams have sophisticated automated test suites in CI/CD to ensure that quality is maintained as they push software changes to production, and security testing should be no different. By integrating into existing testing workflows, StackHawk provides developers with security testing in a familiar way, shifting security left.

StackHawk's comprehensive scan functionalities have expanded to address several key issues, including:

*   Custom Test Data for REST APIs: The ability to use realistic required variables for paths, query, or request body, is something DAST tools historically have struggled with as the use of incorrectly formatted data can prevent the scan from reaching critical logic in the application.
*   Custom Scan Discovery: The ability to use test scripts and data from devtools such as Postman or Cypress for guiding the scanner, resulting in a more comprehensive, thorough test without the need for API docs.
*   Custom Test Scripts: The ability to test for specific use cases like business logic, privacy laws, and sensitive data requires custom scripts. This functionality also addresses the issue of tenancy checks, the top vulnerability in the OWASP Top 10, and testing for Broken Function Level Authorization, which are test cases not covered with the ZAP library.

Those interested in learning more about StackHawk's Deeper API Security Testing can see the functionality in action by registering here for the webinar at 10 AM PT on Wednesday, September 28.

**About StackHawk**

StackHawk is making application security testing part of software delivery. The StackHawk platform empowers engineers to easily find and fix application security bugs at any stage of software development. With a strong founding team that has deep experience in security and DevOps, and some of the best venture investors in the business, StackHawk is putting application security testing into the hands of engineers. Learn more and sign up for a free trial at www.stackhawk.com.

StackHawk Launches Deeper API Security Test Coverage to Improve the Security of APIs

SANTA CLARA, Calif., Sept. 22, 2022 /PRNewswire/ — Palo Alto Networks (NASDAQ: PANW), a Microsoft Azure private MEC ecosystem partner, today announced availability of VM-Series Virtual Next-Generation Firewall (NGFW) technology on the Azure Marketplace. Delivering end-to-end Zero Trust security at the enterprise edge, VM-Series virtual firewalls can now extend best-in-class NGFW capabilities to help protect Azure private MEC applications, providing centralized defense against cyberattacks.

Azure private MEC combines network functions, applications and edge-optimized Azure services managed from the cloud to deliver high-performance, ultra-low-latency 4G/5G private wireless solutions that address the modern business needs of enterprise customers.

"Our long-standing partner solutions with Azure and our VM-Series virtual firewalls have been protecting customer cloud environments for years," said Prem Iyer, vice president, Ecosystems GSI and CSP, Palo Alto Networks. "The new VM-Series 5G capabilities enable enterprises to secure mission-critical applications in industry verticals like manufacturing, healthcare, utilities and public sector, all of which demand the latest in private wireless network technology."

Mobile 5G networks with multi-access edge compute combine AI and cloud technologies to transform enterprises and industries. Customers choose this next-generation mobile technology for its security and reliability, but increasingly sophisticated networks must be safeguarded against a complex and escalating "threatscape." Palo Alto Networks 5G-Native Security on the VM-Series brings advanced Layer 7 security capabilities to help detect and block known exploits, malware, malicious URLs, spyware, and command and control (C2) to 5G-powered edge computing use cases. The VM-Series Next-Generation Firewall enables enterprises to achieve comprehensive security for end-user application traffic that traverses the Azure Private 5G Core, securing edge infrastructure and helping detect and mitigate malicious activity within the user traffic.

Key benefits of the solution include:

*   Faster time to market with a fully tested and validated solution.
*   Simpler deployment at scale from the Azure marketplace, facilitating a rapid rollout of NGFWs.
*   Predefined configuration templates for comprehensive zero-day security.

The Panorama management solution, integrated with Azure, allows for common management of VM-Series virtual firewalls deployed across all cloud and edge environments from a single console and provides centralized visibility and actionable insights into network traffic, logs and threats.

"We're pleased to add Palo Alto Networks 5G security products to Azure Marketplace and our Azure private MEC ecosystem," said Shriraj Gaglani, general manager, Azure for Operators. "This adds an important option for customers when architecting critical end-to-end security frameworks that underpin Industry 4.0 use-cases built on our Azure private MEC solution."

For more information about Microsoft Azure and Palo Alto Networks.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks 5G-Native Security Now Available on Microsoft Azure Private Multi-Access Edge Compute

The decentralized finance (DeFi) platform was the victim of an exploit for a partner's vulnerable code — highlighting a challenging cybersecurity environment in the sector.

London-based cryptocurrency-trading platform Wintermute saw cyberattackers take off with $160 million this week, likely due to a security vulnerability found in a partner's code. The incident showcases deep concerns around implementing security for this finance sector, researchers say.

Wintermute founder and CEO Evgeny Gaevoy took to Twitter to say that the heist was aimed at the company's decentralized finance (DeFi) arm, and that while the incident might disrupt some operations "for a few days," the company is not existentially impacted.

"We are solvent with twice over that amount in equity left," he tweeted. "If you have a \[money-management\] agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after."

He also said that about 90 assets were hit, and appealed to the culprit: "We are (still) open to treat this as a white hat \[incident\], so if you are the attacker — get in touch."

Meanwhile, he explained to Forbes that the "white hat" comment means that Wintermute is offering a $16 million "bug bounty," if the cyberattacker returns the remaining $144 million.

**Filled With Profanity**

He also told the outlet that the theft likely traces back to a bug in a service called Profanity, which allows users to assign a handle to their cryptocurrency accounts (normally account names are made up of long, gibberish strings of letters and numbers). The vulnerability, disclosed last week, allows attackers to uncover keys used to encrypt and pry open Ethereum wallets generated with Profanity.

Wintermute was using 10 Profanity-generated accounts to make rapid trades as part of its DeFi business, according to Forbes. DeFi networks connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions. When news of the bug broke, the crypto-firm tried to take the accounts offline, but due to “human error,” one of the 10 accounts remained vulnerable and allowed the attackers into the system, Gaevoy said.

"Some of these \[DeFi\] technologies also involve third-party integrations and connections where the company may not have the ability to control the source code, leading to additional risk for the company," Karl Steinkamp, director at Coalfire, tells Dark Reading. "In this instance, a vanity digital asset address provider, Profanity, was leveraged in the attack ... An expensive and preventable mistake for Wintermute."

**DeFi Exchanges Will Grow as a Target**

Analysts with Bishop Fox earlier this year found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the difficulty in locking down the sector, which relies on automated transactions.

And, just last month, the FBI issued a warning that cybercriminals are increasingly exploiting vulnerabilities in DeFi platforms to steal cryptocurrency, to the tune of $1.3 billion nabbed between January and March 2022 alone.

Researchers note that enhanced adoption and price appreciation of digital assets has and will continue to attract the attention of malicious individuals — as will the lax state of security in the DeFi area.

"Many of these companies are growing at such a rapid pace, customer acquisition is their primary focus," Mike Puterbaugh, CMO at Pathlock, says. "If internal security and access controls are secondary to 'grow at all costs,' there will be gaps in application security that will be exploited."

The obstacles in shoring up DeFi security are numerous; Wintermute's chief noted that finding appropriate tools is difficult.

"You need to sign transactions on the fly, within seconds," Gaevoy told Forbes, adding that Wintermute had to create its own security protocols since tools are lacking. He also admitted that Profanity didn't offer multifactor authentication, but the company decided to use the service anyway. "Ultimately, that's the risk we took. It was calculated," he added.

Steinkamp notes, "Depending on the architecture of the DeFi platform, there may be a multiple of challenges in securing them. These may range from risk from third parties, to crypto-bridge bugs, human error, and the lack of secure software development, to name just a few."

And Puterbaugh points out that even with out-of-the-box controls and configurations enabled, customizations and integrations could create weaknesses in overall security.

**Best Practices for Shoring Up DeFi Security**

Despite the challenges, there are nonetheless best-practice approaches that DeFi platforms should be implementing.

For instance, Puterbaugh advocates implementing access controls with each new app deployment, along with continuous checks for access conflicts or application vulnerabilities, as key, especially when dealing with easily portable digital currency.

Also, "companies within the DeFi space need to routinely be doing internal and external testing of their platforms to continually ensure they are mitigating threats proactively," according to Steinkamp. He adds that companies should also implement additional enhanced security measures as a part of transactional security, including multifactor authentication and alert triggers on suspicious and/or malicious transactions.

Every layer helps, he adds. "Which would you rather try to gain access to: a house with the door open or a castle with a moat and draw bridge?" he says. "DeFi companies will continue to be prime targets by cyber-thieves until they implement adequate security and process controls to make attacking their platforms less attractive."

Wintermute DeFi Platform Offers Hacker a Cut in $160M Crypto-Heist

SecurityScorecard's ROI Calculator helps organizations quantify cyber-risk to understand the financial impact of a cyberattack.

Security practitioners have to figure out how to accomplish their security goals with the budgets they have. They also must show that their security programs are effective at protecting their organizations. They need to be able to justify the cybersecurity products and tools they have purchased and articulate the return on investment (ROI).

Now there's a tool for that. SecurityScorecard released a content and ROI calculator to help security practitioners figure out high-level estimates to illustrate the organization's overall security posture.

"At a time of economic uncertainty, strengthening cybersecurity postures must be a priority, as bad actors take advantage of volatility," says Cindy Zhou, chief marketing officer at SecurityScorecard. "Organizations must be able to know and articulate if the cybersecurity products and tools they have purchased provide a sound ROI."

Security teams should consider a wide variety of risk factors when considering what to buy for their security programs, Zhou says. The list includes network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, social engineering, and knowing their digital supply chain.

**Calculating Risk to Justify Spend**

Quantifying cyber-risk in financial terms allows organizations to understand the financial impact of a cyberattack, gain insight into the risks their vendors pose, and quantify the reduction in expected losses if issues are resolved. For example, a cybersecurity product may cost $200,000; however, it may defend against a $5 million data breach, thus saving the organization considerable funds in the long run.

"CISOs must be able to quantify their business' cyber-risk to justify the spend on their cybertech stack," Zhou says.

Another key factor is the ability to procure cyber-risk insurance and the associated premiums.

"Many insurers use SecurityScorecard to assess if a company is eligible for a policy," she says. "CISOs and CFOs need to demonstrate their security posture just to be considered for a policy."

The interactive calculator is based on data collected for Forrester Consulting's Total Economic Impact of SecurityScorecard. Forrester Consulting constructed a financial model using a Total Economic Impact formula.

As part of the study, the consultants quantified the effects of having SecurityScorecard in the enterprise, including increased efficiency in risk management, technology efficiencies and consolidation, and improved security posture. This approach not only measures costs and cost reduction within an organization, but it also weighs the enabling value of a technology in increasing the effectiveness of overall business processes.

The ROI calculator expands SecurityScorecard's Cyber Risk Quantification (CRQ) capabilities, which are designed to help customers understand cyber-risk in financial terms as part of holistic business risk analysis.

**Getting Executive Buy-In**

The C-suite and the board are used to focusing on the organization's financial performance, so the CISO needs to be able to quantify cyber-risk in financial terms, says John Hellickson, field CISO at Coalfire. This way, the CISO can also justify and prioritize cyber investments.

This lets all parties make informed decisions about the financial impact and business outcomes of such investments.

"Justifying and accounting for the people, process, and technologies already in place ensures that current mitigating controls are considered in the overall risk calculations," Hellickson says.

From Hellickson's perspective, validating the comprehensiveness of the cybersecurity strategy, knowing the maturity and risk level of current investments, and estimating how future investments will improve that maturity and effectively manage that risk is key to gaining executive trust and support.

"Focusing spend on the assurance of not being breached just about went by the wayside when fear, uncertainty, and doubt tactics stopped working nearly a decade ago when year after year security investments continued to rise," he adds.

Building a cyber program strategy that demonstrates positive business outcomes goes much further in the CISO's ability to influence other executives.

For years, organizations have increased spend, especially application security spend, and they've still failed to achieve the kind of coverage of their application portfolio they desire, says John Steven, CTO of ThreatModeler.

"When organizations see this spend as unsustainable, let alone the requested rate of growth, security executives must demonstrate they're not only getting stuff done, but getting more done for less than peer CISOs, or those that have come before them," he says.

As common as breaches are across the industry, they are probably rare within a single organization, so "time since breach" should be a fairly sleepy indicator of activity and result, Steven adds.

"Focusing on delivery enablement or customer friction can be significantly more impactful," he says.

Quantify Risk, Calculate ROI

The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents.

A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls.

In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.

"In the case that Cofense found, attackers used a trusted domain like LinkedIn to get past secure email gateways," says Monnia Deng, director of product marketing at Bolster. "That legitimate link from LinkedIn then redirected the user to a phishing site, where they went to great lengths to make it seem legitimate, such as adding a fake SMS text message authentication."

The email also asks the recipient to pay a believably small amount of money for a package that is apparently pending shipment to them. Users tricked into clicking on the link arrive at a page designed to appear like one the postal service uses to collect online payments. But instead of merely paying for the supposed package shipment, users end up giving away their entire payment card details to the phishing operators as well.

**Not the First Tine Smart Links Feature Has Been Abused**

The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far.

LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender want them to see. The feature allows users to use a single LinkedIn URL to point users to multiple marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might viewed the content, how they might have interacted with it, and other details.

It also gives attackers a convenient — and very credible — way to redirect users to malicious sites. 

"It's relatively easy to create Smart Links," Haas says. "The main barrier to entry is that it requires a Premium LinkedIn account," he notes." A threat actor would need to purchase the service or gain access to a legitimate user's account. But besides that, it's relatively easy for threat actors to use these links to send users to malicious sites, he says. "We have seen other phishing threat actors abuse LinkedIn Smart Links, but as of today, it's uncommon to see it reaching inboxes."

**Leveraging Legitimate Services**

The growing use by attackers of legitimate software-as-a-service and cloud offerings such LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it, is one reason why phishing remains one of the primary initial access vectors.

Just last week, Uber experienced a catastrophic breach of its internal systems after an attacker social engineered an employee's credentials and used them to access the company's VPN. In that instance, the attacker — who Uber identified as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company's IT department.

It's significant that attackers are leveraging social media platforms as a proxy for their fake phishing websites. Also troubling is the fact that phishing campaigns have evolved significantly to not only be more creative but also more accessible to people who can’t write code, Deng adds.

"Phishing occurs anywhere you can send or receive a link," adds Patrick Harr, CEO at SlashNext. Hackers are wisely using techniques that avoid the most protected channels, like corporate email. Instead, they are opting to use social media apps and personal emails as a backdoor into the enterprise. "Phishing scams continue to be a serious problem for organizations, and they are moving to SMS, collaboration tools, and social," Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging becomes a bigger problem.

Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards

At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.

While NSO Group's Pegasus spyware is perhaps the highest-profile surveillance weapon used by repressive governments against civil society, a recently discovered, powerful mobile reconnaissance malware dubbed Hermit has come to light, being touted by an Italian developer as a "lawful intercept" tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit's surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

**Hermit: Hiding Out 1 Tier Below Pegasus**

The researchers will kick off their Oct. 5 session, entitled "A Hermit Out of Its Shell," with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

"There's a varied market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything," Hebeisen tells Dark Reading. "But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target's device. That's where Hermit plays."

In terms of its capabilities, he adds that Hermit packs an info-vacuuming punch. In addition to "standard" spyware fare like tracking users' locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.

"This is a very sophisticated surveillance tool," Hebeisen says. "It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody."

He adds that under the hood, the malware is designed to be agile and flexible.

"Hermit is built in a very enterprise way in that it's modular," Hebeisen explains. "So we suspect that that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules."

From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: "Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls already in place, it's still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets," Hebeisen says.

**Nation-State Spyware: A Growing Threat**

It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.

Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called "lawful intercept" market, indicating ongoing demand. When one is struck down, "there are plenty of other companies standing in the wings just waiting to take over," he says.

The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.

"As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much easier to get around that when you're dealing with surveillance tools, which are essentially just a different set of weapons in the fight," Hebeisen explains.

Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance

Reduced to pen, paper, and phones, 911 operators ask NYPD for backup in handling emergency calls.

A Sept. 8 ransomware attack on Suffolk County government systems in New York continues to wreak havoc on citizens of the area, driving overwhelmed 911 operators working without the aid of computers to call for backup.

The ransomware attack means that emergency operators are working with pen and paper, then making phone calls to dispatch officers to send help, according to New York's NBC affiliate. The Suffolk County Police Department has asked the New York Police Department for help handling the calls. In response, the NYPD will add five extra officers per shift to help, NBC New York reported.

Emergency lines aren't the only systems that have been impacted in Suffolk County. Police don't have access to their car computers, and even the system for title reporting is shut down, meaning no one can close real estate deals in the area.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers Paralyze 911 Operations in Suffolk County, NY

Data scientists, who often choose open source packages without considering security, increasingly face concerns over the unvetted use of those components, new study shows.

Vulnerabilities in open source components — such as the widespread flaws revealed 10 months ago in Log4j 2.0 — have forced data scientists to reevaluate the open source code frequently used in analysis and the creation of machine learning models.

According to a report by Anaconda, a data-science platform firm, in the past year, 40% of surveyed data scientists, business analysts, and students have scaled back their use of open source components, while a third remained steady, and only 7% incorporated more open source code into their projects. The majority of those surveyed do not report to the information technology department (18%), but work within their own data science or research and development group (47%), according to Anaconda's "2022 State of Data Science" report, released last week.

While software developers and IT have already started vetting secure code, the concerns over the security in open source software is a relatively new trend for the data science world, says Peter Wang, co-founder and CEO of Anaconda.

"We see a tremendous portion of people who are at organizations where IT has created a very strict posture around open source and Python," he says. "These are not expert developers. ... They are data scientists and machine learning people who may not be very seasoned developers at all, using whatever they could download to do their analysis, and then they handed that over that to IT."

The security of open source components — and the software supply chain, in general — has become a primary consideration among software developers, businesses, and national governments over the past two years. In May, for example, the US National Institute of Standards and Technology (NIST) issued guidance for address software supply chain risks. In addition, a growing number of software vendors have joined with the Linux Foundation's Open Software Security Foundation (OpenSSF).

    

While many data science teams scan open source components for vulnerabilities, many create their own software instead. Source: Anaconda's "2022 State of Data Science" report.

Overall, the maturity of organizations' security efforts has improved. About half of firms have an open source security policy in place, which leads to better performance in measures of security readiness, according to the June survey. In addition, the efforts to control open source risk has jumped by 51% in the past 12 months, a study of security maturity stated on Sept. 21.

"\[W\]ith the attention placed on software supply chains, most enterprise organizations are taking a risk-based approach to application security," Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement announcing the study. "Such an approach recognizes that security isn't limited to the codebase; it includes the process of software development where security reviews and testing 'shift everywhere' to continuously improve security outcomes."

**Devs Expand Use of Open Source **

Software companies are not seeing any sort of decrease in open source usage, according to other data. Instead, development organizations are focusing on improving the security of open source software and using security as a primary guide in selecting components.

In the "2021 State of the Software Supply Chain" report, for example, Sonatype found that the top four open source ecosystems — the Maven Central Repository (Java), Node.js (JavaScript), the Python Package Index (Python), and the NuGet gallery (.NET) — housed 37 million open source projects and components, an increase of 20% year-over-year. The demand for those components is likewise increasing: More than 2.2 trillion components were downloaded, a 73% annual increase.

A self-reported move away from open source packages by the data science community is likely indicative of greater awareness of security issues and less about jettisoning open source components in development, says Tracy Miranda, head of open source at Chainguard.

While data science teams and development teams may have reacted differently to major security issues — such as Log4j 2.0 — companies have little recourse when moving away from one open source package than to adopt a different package whose maintainers have put a greater emphasis on security, she says.

"Companies leverage open source as a way to increase their velocity so if they are scaling back, what are they scaling back to? Writing code in-house? Using third-party versions packaged up?" Miranda says, adding that instead, "I do think we can expect to see companies be more discerning about the quality of the open source they use, especially related to security features."

**Data Scientists Are Playing Catch-up**

The disconnect between the two sides is likely due to the different audiences in the various surveys. Anaconda's survey focused on data science professionals, as can be seen from their respondent's choice of programming languages — 58% used Python and 42% used SQL, while only 26% used JavaScript. 

A better measure of software developer sentiments is StackOverflow's "2022 Developer Survey," which found that while 58% of 'people learning to code' use Python, only 44% of professional developers code in that language. On the other hand, 68% of professional developers use JavaScript, according to StackOverflow's survey.

In addition, while data science professional work at companies that overwhelmingly (87%) allow open-source software, about a quarter (26%) have minimal oversight by the IT department of their open source choices, the Anaconda report stated. In another 18% of companies, the IT department only specifies about half of the available open source components.

The maintainers of the most critical projects — of which there are hundreds, if not thousands — need to use secure dependencies, test their own code, and validate the trustworthiness of contributors. The maintainers should also publish a security scorecard — a Google-created initiative now managed by the Open Source Security Foundation (OpenSSF), which gives a security grade to a project based on nearly 20 different criteria.

While awareness is likely increasing, there is no quick solution, Miranda says.

"The reality is that the more secure options have not previously existed," she says. "Trimming unnecessary dependencies to reduce attack surface is sensible, but it's hard to do once the dependency tree has grown large."

Data Scientists Dial Back Use of Open Source Code Due to Security Worries

Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon.

Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry\-level attack is just over the horizon.

The WannaCry ransomware attack caught the world unaware in 2017, infecting hundreds of thousands of computers in 150 countries worldwide. And it could have been worse had a British security research group not discovered a kill switch that stopped it from spreading within hours of the attack. But its impact was substantial nevertheless, crippling systems, causing several car manufacturers to stop production, and even forcing some hospitals in the UK to turn away patients. Damage was estimated to be in the billions of dollars.

By heeding the lessons of that attack, enterprises can now work to avoid a "mobile WannaCry" before it hits, rather than dealing with the damage after the fact. A mobile-based attack of that scale is possible, and its impact could be far worse because of the ubiquity and utility of mobile phones, along with the fact that almost everyone's device is vulnerable. As a US House Intelligence Committee recently heard, mobile spyware has even infected the phones of US diplomats worldwide.

**Devices Hold the Keys to the Kingdom — and They're Everywhere**

In the five years since WannaCry's appearance, mobile devices have become even more critical targets than laptops or desktop PCs. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They hold passwords and email accounts, credit card and payment data, and biometric data often used in multifactor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data that can add to the risks if a device is compromised.

But as much as we depend on them, enterprises have not adequately addressed the mobile attack surface presented by these devices. Beyond changing the security mindset to include the mobile space, there are unique challenges that apply to mobile endpoints. Bring your own device (BYOD) is one of the biggest challenges to addressing an enterprise's mobile attack surface, due to the privacy needs and requirements regarding personally owned devices. Because of privacy concerns, standard products like mobile device management (MDM) are typically used only for corporate-managed devices and are often insufficient in detecting, reporting, and securing mobile devices against modern threats.

Mobile devices can present attackers with virtual keys to the kingdom if they are compromised and used to get past MFA. Email access is a prominent attack tool, but a mobile device also can provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, outside the scope and visibility of the security infrastructure, enterprises are putting their data and services at risk in the name of technological benefits like BYOD.

**Mobile Ransomware Would Have a Double Impact**

The risks of mobile ransomware essentially exist on two fronts.

*   **Mobile devices as a delivery mechanism for ransomware:** The compromising of a device, which can be accomplished with or without the owner's knowledge, could allow the sending of a ransomware-spreading email that appears to come from a trusted co-worker or source. Mobile devices can be used to spread traditional ransomware in ways that are very difficult to detect and stop.
*   **Actual mobile ransomware:** Early versions of mobile ransomware were somewhat faux ransomware, using overlays to take advantage of accessibility features. But Apple and Google effectively closed those holes, leading attackers toward actual mobile ransomware.

A mobile attack could lock not only an organization's data and systems, but a user's as well, threatening to wipe out their bank account, for instance, if a ransom is not paid. The attacker who took ownership of that device could leave its microphone and camera on at all times to bug corporate meetings.

The bottom line is mobile ransomware attacks could do everything WannaCry did, plus a lot more.

**The Time to Focus on Security Is Now**

A future large-scale and impactful ransomware attack against mobile is inevitable. Each year, we see mobile malware become more complex, with new features and capabilities introduced to impact the victim. These advancing malware techniques are only proofs of concepts for future attacks, laying the way for larger dangers to mobile endpoints. It is only a matter of time before malicious actors deliver complex mobile ransomware with a significant impact on users and enterprises.

Enterprises have not placed a high-enough priority on mobile security as devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether that takes the form of ransomware or something else, the time to focus on mobile security is now, before it's too late.

Source

DARKReading