Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.

**Description**

Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This fix for this bug https://huntr.dev/bounties/dcf87c0b-6188-4817-8798-ef1e2581b15a/ can be bypassed using bellow payload

    jAvAsCrIpT:alert(origin)
    

**Steps to reproduce \[it works on Firefox (not in chromium based browsers)\]**

1.Go to https://www.rosariosis.org/demonstration/ and login with administrator account

2.Go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php

3.Create new link with content jAvAsCrIpT:alert(origin)

4.Click the link and observe a pop up

**Image POC**

https://drive.google.com/file/d/11F1mjqytYIgmMVtOEC4EbOHhvVi0pEPh/view?usp=sharing

https://drive.google.com/file/d/1dGPRWE6KRf2bfOezRblbWtHAwM1P29iL/view?usp=sharing

**Impact**

User clicking the link can be affected by malicious javascript code created by the attacker.

CVE-2022-1997: Bypass filter - Stored XSS in Resources  in rosariosis

Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference

Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference

The 2022 edition of Apple’s Worldwide Developers Conference (WWDC) kicked off this week, with numerous security and privacy developments placed front and center among the firm’s mobile and desktop platforms.

As has become tradition, this year’s WWDC offered a glimpse into Apple’s product and feature pipeline for the coming months.

On Monday (June 6), attendees were given a first look at the redesigned MacBook Air and the updated 13-inch MacBook Pro powered by the M2 chip, along with new features coming to iOS 16, iPadOS 16, macOS Ventura, and watchOS 9.

**What’s new in Safari?**

Apple’s Safari browser – which is now thought to have overtaken Chrome as the most popular mobile browser in North America – will soon include several security and privacy enhancements designed to help protect users and open up new opportunities for developers.

“With both of the new Cross Origin Opener Policy and Cross Origin Embedder Policy HTTP response headers, your site can opt in to process isolation, which means your site will run in its own dedicated webContent process,” said Kendall Bagley, software engineer on the Safari team.

**DON’T MISS** HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

“Our second security enhancement also involves HTTP headers, with our improved support for Content Security Policy Level 3. CSP provides enhanced security control over your loading content and mitigates risk of cross-site scripting \[XSS\] and other vulnerabilities.”

Check out the Safari 16 beta release notes for more information.

WWDC22 attendees watch the unveiling of iOS 16

**Introducing Passkeys**

Garrett Davidson of Apple’s authentication experience team took to the virtual stage at WWDC22 to showcase Passkeys, the company’s “next-generation authentication technology”.

“Passwords are really hard to use securely,” Davidson explained. “All of us know we’re supposed to create strong, unique passwords for every account, but not many people actually do.”

He added: “As you’re designing your apps and websites, there’s this constant trade-off between keeping accounts secure and designing a good experience. And even if your apps and websites do everything right, issues like phishing and password reuse can still lead to account compromise.”

Read more of the latest Apple security news

To tackle this, Passkeys – which will come bundled with the upcoming macOS Ventura and iOS 16 – creates a unique, cryptographically strong key pair for user accounts and stores it in iCloud Keychain so it syncs and works across all devices.

Once the pairing has been created, any future visit to the app or website sign-in form will show the ‘Passkey’ option in the QuickType bar. The user simply needs to tap the option, or use Touch ID, and they are signed in.

Davidson said: “With Passkeys, not only is the user experience better than a password, but also entire categories of security problems, like weak and reused credentials, credential leaks, and phishing, are just not possible anymore. And they are so easy to use.”

Visit Apple’s technical documentation page for implementation information.

**Safety Check**

Also new for Apple devices this year is a new privacy tool called Safety Check, which aims to help users whose personal safety might be at risk from domestic or intimate partner violence.

Designed to allow users to quickly remove all device access that may have granted to others, Safety Check includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand.

The service also helps users understand and manage which people and apps they’ve given access to.

**Replacing CAPTCHAs**

That’s not all from WWDC22, as two additional privacy and security tools are due to be showcased later this week.

On Wednesday (June 8), the Apple team will demonstrate Private Access Tokens. This new technology is being marketed as a “powerful alternative” to CAPTCHA challenges that help the identification of HTTP requests from legitimate devices without compromising users’ identity.

“We’ll show you how your app and server can take advantage of this tool to add confidence to your online transactions and preserve privacy,” Apple said.

**YOU MIGHT ALSO LIKE** Popular websites leaking user email data to web tracking domains

Lastly, June 10 will see Apple showcase the latest ways to ensure that DNS – the foundation of internet addressing – is secure within an application.

“Learn how to authenticate DNS responses in your app with DNSSEC and enable DNS encryption automatically with Discovery of Designated Resolvers (DDR),” Apple said in its presentation teaser this week.

WWDC22 continues through June 10. Check out the complete list of sessions for further information.

**READ MORE** Google showers top cloud security researchers with kudos and cash

WWDC 2022: Apple showcases next-gen security tech at annual developer event

By Owais Sultan
Remediation following ransomware is a long process during which companies have to do to protect their assets and…
This is a post from HackRead.com Read the original post: How to Recover From a Ransomware Attack

The results of a ransomware attack are different for every organization. You might have paid the ransom and the hackers came through with their end of the deal, i.e. gave you the key to your files. In other scenarios, you might have paid, and data has remained in the hacker’s hands.

If you’ve involved the authorities that used the encrypting device to recover the data, you might have gotten access to your files back without paying the ransom. Regardless of how you initially handled the situation, what follows is the period of remediation.

The recovery period following a cyberattack is the most damaging time for affected organizations. It has been known to drain the finances of companies completely. Also, it causes irreversible damage to the reputation of companies that disclosed the breach to the public.

For ransomware, it’s estimated that it takes between a week and a month to fully recover. Even if your important files are encrypted for just two days, it’s estimated that the downtime will last between 15 and 22 days. 

Downtime considers the time it takes for businesses to get back to 100 percent after the attack interrupts their workflow. Remediation time is crucial because it determines whether your company can get back on its feet — this time preferably stronger and better protected from possible ransomware.

How do you prevent further attacks and strengthen your security?

**Analyze the Documentation of the Attack**

Depending on how you handle the security of your company, your team might have had to remove the malware manually from devices. Alternatively, you may have the tools that decrypt data and remove the malware.

In both cases, you’re left with the forensic report of the incident. During the analysis, find out:

*   How many devices have been encrypted?
*   How did your IT team handle the attack?
*   How long have your files been encrypted?
*   How did the ransomware enter your network?
*   How did the malware bypass the anti-malware software you had?

The analysis of the documents that depict the attack will leave you with an overview of your system. It’ll give you a clear image of what you must work on to strengthen your security, as well as what the most vulnerable parts of your network might be.

**Patch Up Flaws in the System**

If there are any vulnerabilities in your network, they can lead to repeated ransomware attacks. Threat actors might be the same, or new hackers might be going after your organization.

To weed out the flaws in your system, consider how the malware entered your system. Ransomware can get into your system via a phishing email infected with malware that encrypts data.

Another common route for the virus to breach your system is via websites that contain a virus. Therefore, vulnerable parts of your cybersecurity posture could be your employees that need more training. Educate your employees on the protocols and basic cybersecurity hygiene.

That can prevent simple errors such as weak passwords, opening emails from unknown senders, and downloading infected attachments.

**Getting Your Business Ready for Ransomware**

Some actions you can take to protect yourself from possible ransomware include:

*   Backing up important data
*   Preparing the tools that can remove malware
*   Training your employees, deciding on protocols early

Invest in software that can detect malware and remove it from your system even before it can turn into an incident and encrypt your files.

Hackers fundamentally rely on human mistakes and members of your team that may not be familiar with cybersecurity issues or aren’t tech-savvy. They are the ones that might click on a link that leads to malware-infected websites.

Determine how your teams should handle the attack before they occur. How should they mitigate the attack? Does your organization need to report the incident and notify the public? Those are some of the answers you need in advance.

Back up your data in isolated places so that you can reach them even if hackers manage to conduct one more attack. Otherwise, ransomware can disrupt your workflow and set you back by blocking the access to files you need to run your company.

**Monitor the Network to Discover New Ransomware Attempts**

After the vulnerable parts of your system have been patched up, and you’ve set it up to be bulletproof in case of further attacks, it’s necessary to continually scan the system.

Even if you paid the ransom, there is no guarantee that you won’t be the repeated target of these attacks.

Your system is continually changing — sometimes within minutes. Those alterations can result in new flaws that can leave your organization vulnerable to repeated ransomware.

**How Long Until Everything Returns to Normal?**

Ransomware is a major setback for businesses. How long might it take them to recover after the ransomware? That depends on whether they have been preparing for such incidents and how many files have been decrypted.

Did they have the measures, tools, and protocols that govern what to do in case of such an incident?

For companies that were prepared, but hackers still managed to discover a vulnerability and install malware, the best-case scenario would be that their systems are down for two days.

Unprepared businesses can deal with the consequences of ransomware for months to come.

Some businesses never recover after a cyberattack. They may not have the finances to remedy the flaws in the system following the breach.

The extent to which devices have been hit by ransomware also matters. You might have lost the vital files that haven’t been recovered. In other cases, some of your information might have been leaked to the public.

**Hope For the Best, Prepare for the Worst**

A successful ransomware attack can leave IT teams and business owners with a lot of anxiety. 

The best you can do is to patch up flaws to prevent further attacks and get ready for a repeated attack.

Therefore, have the security solutions and protocols ready, employees trained, and continually scan the network to discover signs of the ransomware early.

**More Ransomware Topics**

*   Ransomware Attacks: Everything You Need to Know
*   US Military’s Hacking Unit to take on ransomware gangs
*   How To Prevent Growing Issue of Encryption Based Malware (Ransomware)
*   52 Critical Infrastructure Orgs Hit by Ragnar Locker Ransomware Gang – FBI
*   PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

How to Recover From a Ransomware Attack

A vulnerability was found in Klapp App and classified as problematic. This issue affects some unknown processing of the JSON Web Token Handler. The manipulation leads to weak authentication. The attack may be initiated remotely.

**Knapp daneben ist auch vorbei**

Wir als modzero sehen seit einem Jahrzehnt Sicherheitsschwachstellen und Datenschutzvergehen in verschiedensten Variationen. Unabhängig von der Art oder Komplexität einer Schwachstelle sehen wir sehr oft einen wenig risikobewussten Umgang mit Daten und Ressourcen. Wir schreiben das Jahr 2020, und noch immer werden Applikationen mit der heissen Nadel gestrickt. Time-to-Market hat eine so hohe Priorität, dass nicht einmal grundlegende Sicherheitsprinzipien in die Lösungsarchitektur oder das individuelle Applikationsdesign einfliessen. Man findet an jeder Ecke Applikationen und Datenverarbeitungssysteme, die schlecht, d.h. unsicher, mit den ihnen anvertrauten Daten umgehen. Dies ist umso gravierender, wenn es sich um personenbezogene Daten oder gar Gesundheitsdaten handelt.

In unserem Artikel Mit Webapps gegen COVID-19 wollten wir darauf aufmerksam machen, dass jeder eine Verantwortung hat, dass Software angemessen sicher wird. Heute möchten wir dieses Thema mit einem weiteren Beispiel erneut aufgreifen. Die anhaltende Corona-Pandemie eröffnet neue Herausforderungen aber auch Möglichkeiten bei der Digitalisierung und der Datenverarbeitung. In allen Bereichen sucht man nach Lösungen, und spätestens während des totalen Lockdowns haben auch Schulen festgestellt, dass sie noch Nachholbedarf im digitalen Bereich haben. Es wurde alles eingesetzt was verfügbar war: Zoom, Teams, WhatsApp, Facebook Messenger. In der Schweiz wurde bereits vor drei Jahren eine schweizerische Plattform namens Klapp ins Leben gerufen, welche insbesondere die Kommunikation zwischen Eltern und Schule und Lehrpersonen vereinfachen soll. _Einfache Kommunikation, die klappt!"_, so der Slogan des Unternehmens. Zu Zeiten von Corona hat diese Plattform einen massiven Nutzer-Zuwachs erhalten. Unter den Nutzern ist auch eine unserer MitarbeiterInnen.

**Wie funktioniert Klapp?**

Bei Klapp handelt es sich um ein schweizerisches Start-Up mit dem Sitz in Fislisbach (AG). Zum Zeitpunkt der Veröffentlichung gibt das Unternehmen an mehr als 200 Schulen, 8'600 Lehrpersonen und 45'000 Eltern eine Plattform zur Kommunikation zu bieten. Hier werden gemäss seinen Angaben täglich rund 3'000 individuelle Nachrichten versendet. (siehe hierzu Angaben durch Klapp) Die Daten werden ausschliesslich in der Schweiz gespeichert. Neben der Benutzung im Browser kann die App kann auch mit dem Smartphone (iOS und Android) genutzt werden.

Aus technischer Sicht ist Klapp eine cordova-basierte Web- und Mobile-App. Zur Registrierung als Elternteil oder Schüler benötigt man einen sogenannten Autorisierungs-Code. Nach erfolgreicher Registrierung ist der Zugriff auf die jeweilige Klasse und die damit verbundenen Funktionalitäten möglich. Während der Kurzanalyse wurden folgende Haupt-Funktionen als angemeldetes Elternteil identifiziert:

*   Gruppen und individual Chats
*   Versand von Dateien zwischen Kommunikationspartnern
*   Kalenderfunktionen
*   Informationen über die Klassenmitglieder
*   Namen der Kinder und registrierte Eltern
*   E-Mail-Adressen und Rufnummern (wenn freigegeben)

Damit Schulen die Klapp-Plattform nutzen können, wird zunächst ein Ex- und Import von Stammdaten vorgenommen. Zu diesem notwendigen Ex- und Import Prozess hat Klapp diverse Anleitungen veröffentlicht. Nach erfolgreichem Daten-Import können die Lehrpersonen Einladungsschreiben für die Eltern generieren. Diese enthalten Informationen über Klapp und sind personalisiert. Jedes dieser Einladungsschreiben hat nämlich zusätzlich den Namen des Kindes und einen Autorisierungs-Code für die Eltern aufgedruckt.

Beispielhaftes Einladungsschreiben mit Autorisierungs-Code und Vor- Nachname des Kindes

Dieser Autorisierungs-Code wird bei der Registration benötigt. Hiermit autorisiert sich die Anwenderin als Elternteil eines bestimmten Kindes. Der Autorisierungscode stellt somit das eindeutige Merkmal dar, um die betreffende Person zu identifizieren.

Registrierungs Ansicht in der iOS-App

Der Autorisierungs-Code hat das folgende Format: P-ABCDE1. Das Präfix _"P-"_ steht für _"Parent"_, Autorisierungs-Codes von Schülerinnen haben das Präfix _"S-"_, was für _"Student"_ steht. Die darauffolgenden Werte sind sechs alphanumerische Zeichen, Das bedeutet, dass es maximal 2.17 Milliarden mögliche _"Parent"_ oder _"Student"_ Codes gibt - Bei einer Anfrage pro Sekunde an den Klapp-Server benötigt man 3,7 Wochen um alle möglichen Autorisierungs-Codes zu erraten. Geht man von aktuell 45'000 verfügbaren Autorisierungs-Codes aus, trifft man mit einer Warscheinlichkeit von 52.49%, bei der selben Anfragerate, nach 10 Stunden mindestens einen gültigen Autorisierungs-Code. Würde man den möglichen Raum von Zeichen um Kleinbuchstaben und die Länge des Autorisierungs-Codes auf 10 erweitern, so bräuchte man, bei der angenommenen Anzahl an Anfragen pro Sekunde, 16 Millionen Jahre um alle durchzuprobieren. Die Annahme, dass nur eine Anfrage pro Sekunde möglich ist gilt als sehr konservativ, nicht selten können aktuelle Webserver bis zu 1000 Anfragen/Sekunde abarbeiten.

**Wie steht es bei Klapp um den Datenschutz?**

Die Daten der Applikation (Nachrichten, Chats und Bilder) werden zwar über einen _verschlüsselten Kanal_ auf den Klapp-Server übertragen, werden auf dem Server aber _unverschlüsselt gespeichert_. Das heisst, dass mindestens der Betreiber und alle Involvierten, welche die Daten prozessieren, Informationen mitlesen und manipulieren könnten. Im Falle eines Klassenverbundes heisst das im einfachsten Fall, dass die Klapp GmbH sowie die Dienstleister für den Nachrichtenversand über die registrierten Kinder und Eltern sowie Klassengruppierungen und die versendeten Informationen Bescheid wissen. Werden sensible Informationen wie Krankheiten oder vielleicht Kritik- oder Entwicklungspunkte der Kinder zwischen Personen ausgetauscht, sind diese nicht umfassend gesichert und es ist nicht ersichtlich ob man mit dem legitimen Kommunikationspartner Daten austauscht.

In Ihrer Datenschutzerklärung verspricht die Klapp GmbH:

> "Wir geben keine Personendaten an Dritte weiter und erzielen auch keinen kommerziellen Nutzen daraus. Ihre Personendaten, die Sie uns zur Verfügung stellen, werden von uns weder verkauft, vermietet noch gehandelt".

Weiter schreibt die Klapp GmbH:

> "Ihre Daten speichern wir in der Schweiz. Benutzerdaten werden in der Schweiz gespeichert und verarbeitet und unsere Partner halten die schweizerischen und europäischen Datenschutzverordnung ein".

Und _"Privacy by Design"_ wird ebenfalls als Merkmal benannt. Die Aussage _"Wir wollen mit Ihren Daten kein Geld verdienen. Ihre Benutzerdaten werden unter keinen Umständen an Dritte verkauft oder für Werbung verwendet."_ wirkt vertrauenserweckend.

Auch die Schulen scheinen von der Lösung und deren Sicherheit überzeugt. Auf Anfrage, warum Vor- und Familienname an Dritte ohne Zustimmung mitgeteilt werde teilte eine Schule mit:

> "Die Firma Klapp hat nach der Registrierung nur Name und Vorname plus Schule Ihres Kindes. Diese gehören nach meinem Wissen nicht zu den besonders schützenswerten Daten. Es ist uns aber bewusst, dass ein sorgfältiger Umgang mit Daten zentral ist. Daher haben wir uns bei der App auch für die Firma Klapp entschieden, die einen hohen Standard bei der Datensicherheit garantiert".

Bei einer technischen Betrachtung zeigt sich ein anderes Bild. Klapp verwendet beispielsweise für die Übermittlung der Daten Push-Nachrichten, welche über den US-Amerikanischen Dienst OneSignal versendet werden. Hier werden neben dem Vor- und Familiennamen des Absenders und der Betreff der Nachricht auch weitere Metainformationen über das verwendete Gerät und das Betriebssystem und des Netzwerkbetreibers gesammelt.

Push-Benachrichtigung enthält Informationen über den Absender sowie Betreff der Nachricht

POST /players/8a77f111-c146-402b-88f3-18d874c19872/on\_session HTTP/1.1
Host: api.onesignal.com
Content-Type: application/json
Cookie: \_\_cfduid=dd2b3c2801e2179392b0232eac71bf6bf1597813825
Connection: close
If-None-Match: W/"698f061ae145e46b912b7e8e00450320"
Accept: application/vnd.onesignal.v1+json
SDK-Version: onesignal/ios/021402
Accept-Language: de-ch
Content-Length: 434
Accept-Encoding: gzip, deflate
User-Agent: Klapp/2.0.1 CFNetwork/1126 Darwin/19.5.0

{
  "app\_id" : "bb3877cc-afc0-4d81-ac73-9339554c7686",
  "net\_type" : 0,
  "device\_type" : 0,
  "sdk" : "021402",
  "identifier" : "b5c9f6956a9606a93f564ac0677342ffafd9540b6c34ba170da574fd3f77dc08",
  "language" : "de-CH",
  "device\_os" : "13.5.1",
  "game\_version" : "2.0.1",
  "timezone" : 7200,
  "ad\_id" : "CF7A0B86-311E-4EF7-A469-F7A5322B206A",
  "notification\_types" : 31,
  "carrier" : "Salt",
  "device\_model" : "iPhone11,2"
}

Bei dem Versand via E-Mail verwendet Klapp den Dienstleister Mailgun - ebenfalls ein US-Unternehmen (siehe Datenschutzerklärung). Im Gegensatz zu den Push-Nachrichten beinhalten die E-Mail-Nachrichten auch die versendete Information, sowie Hyperlinks zu den allenfalls angehängten Dokumenten. Was bedeutet, dass neben Klapp auch Mailgun in der Lage ist, sämtliche E-Mail-Inhalte zu lesen oder zu manipulieren. Ob diese Firmen sich der hiesigen Gesetzeslage und Richtlinien unterwerfen, ist für uns aktuell nicht prüfbar. Wir möchten aber auch darauf hinweisen, dass die Daten auch ungewollt als Folge eines Erpressungsversuches oder eines Hacker-Angriffes bei dem Dienstleister geleakt werden könne .

E-Mail erhalten über _Mailgun_ enthält den genauen Text sowie Links zu den angehängten Dateien

Wir geben der Firma Klapp recht. Privacy by Design ist wichtig... und zwar genau aus dem Grund, dass niemand unautorisiertes Drittes unsere Daten einsehen können sollte. Genau deshalb sollte konsequent Ende-zu-Ende-Verschlüsselung eingesetzt werden, wie es zum Beispiel im Leitfaden des Datenschutzbeauftragten des Kantons Zürich empfohlen wird. Deshalb werden Instant-Messengers wie Signal oder Threema von vielen bevorzugt, da der Transportweg sowie jede Zwischenspeicherung verschlüsselt ist und erst am eigentlichen Endgerät entschlüsselt werden kann.

Nachdem wir uns dem Datenschutzversprechen der Firma Klapp GmbH und dem Thema Datenschutz gewidmet haben, möchten wir auf einige der technischen Unzulänglichkeiten eingehen. Viele der identifizierten Fehlerklassen sind trivial und bekannt. Auch wenn die Auswirkungen bei dieser Applikation möglicherweise gering ausfallen, möchten wir diese aufführen, weil wir diese immer wieder sehen.

**Und wie steht es um die Informationssicherheit?**

Datenschutz und Informationssicherheit sind eng miteinander verbunden und das Befolgen von Sicherheitsempfehlung wichtig, um den Datenschutz überhaupt zu Implementieren. Eine oberflächliche Betrachtung der Plattform hat gezeigt, dass grundlegende Sicherheitsprinzipien der Informationstechnik sowie der sicheren Entwicklung für mobile Anwendungen nicht befolgt wurden. Dies ist leider auch im Jahr 2020 immer noch häufig anzutreffen. Gerade in frühen Projektphasen ist die Erarbeitung von Bedrohungsmodellen und das Definieren von Sicherheitsanforderungen ein Kernpunkt, um später beim Lösungsdesign sowie der eigentlichen Entwicklung die richtigen Massnahmen und Methoden zu ergreifen. Gerade die gefundenen Trivialfehlerklassen zeigen, dass Datenschutz und Sicherheit während der Entwicklung der Plattform keine Schwerpunktthemen waren.

Während der Nutzung der Applikation konnte beobachtet werden, dass nicht nur der eigene Autorisierungs-Code vom Klapp-Server übermittelt wird, sondern auch die Autorisierungs-Codes, welche es den anderen Eltern ermöglichen sich eindeutig zu identifizieren.

Auszug aus der Server-Antwort. Zu sehen ist ein JSON-Objekt mit Informationen zu Kindern und Eltern. Ausserdem sind die Autorisierungs-Codes der Eltern enthalten.

Das bedeutet, dass jeder Empfänger das eindeutige Identifizierungsmerkmal aller Klassenteilnehmer besitzt und deren Identität übernehmen kann. Die Auswirkung eines Missbrauchs erscheint vielleicht aktuell nicht weiter schlimm bei einer solchen Verwendung. Soziales Schadenspotenzial ist auf jeden Fall vorhanden und Vertrauensmissbrauch ist möglich. Wichtig ist jedoch zu verstehen, dass eine zukünftige Funktionserweiterung der Plattform noch andere betrügerische Aktivitäten ermöglichen könnte, die heute vielleicht noch nicht absehbar sind. Hätte Klapp eine Implementierung nach den eigens aufgestellten Prinzipien der Datensparsamkeit und Need-to-Know Basis gewählt, wäre dieser Fehler gar nicht aufgetreten. Diese Schwachstelle wurde umgehend dem Klapp-Team gemeldet und Sie wurde am Abend des 24. August 2020 durch ein serverseitiges Update behoben. Daraufhin hat das Klapp-Team auch eine interne Nachricht an die BenutzerInnen versendet in der zu einer manuellen Überprüfung der registrierten Elternteile aufgerufen wird.

In-App Benachrichtigung des Klapp-Teams nachdem die Autorisierungs-Code-Leck Schwachstelle behoben wurde.

Ebenfalls ein Klassiker unter den trivialen Fehlern in Applikationen ist eine Vertrauensstellung durch sehr langlebige Authentisierungsmerkmale. Im Falle der Klapp-Applikation sind es JSON-Web-Token ohne Ablaufzeitpunkt. Jeder, der in den Besitz eines solchen Tokens gelangt, kann ohne zusätzliche Merkmale wie Benutzername oder Passwort andere Nutzer imitieren und hat somit automatische die Identität und Berechtigungen des legitimen Eigentümers. Bei der Klapp-Applikation werden diese Tokens auf dem Endgerät ohne zusätzliche Schutzmassnahmen abgelegt und gelangen so auch auf Backup-Datenträger oder Cloud-Dienste. Auch hier möchten wir darauf hinweisen, dass die Auswirkungen zum Glück in dem heutigen Anwendungsfall moderat ausfallen. Bekannte Schwachstellen zu implementieren ist auf jeden Fall eine schlechte Praxis, auch wenn sie aktuell wenig Relevanz haben.

Unsterblicher JSON-Web-Token da kein Ablaufzeitpunkt (_exp_ angegeben ist.)

Die SQLite Datenbank ist nicht verschlüsselt. Auch die darin enthaltenen Informationen sind nicht durch die App verschlüsselt.

Die SQLite Datenbank befindet sich in einem Geräte Backup.

Der Versand von individual Nachrichten an Lehrer ist eine von der Plattform vorgesehene Funktionalität. Wählt man "Neue Nachricht" aus so erscheint eine Auflistung der Lehrer, welche zum Empfang von Nachrichten autorisiert sind. Jeder Lehrer hat in der Plattform eine eindeutige Benutzerkennung, Beispielsweise 5f3bf6370452c910612c71be. Diese wird beim Versand der Nachricht angegeben. Eine solche Benutzerkennung haben auch Eltern und Schüler. Tauscht man die Benutzerkennung des Lehrers mit der eines anderen Elternteils aus, so wird die Nachricht an den gewünschten Empfänger übermittelt.

In-App Nachricht an ein anderes Elternteil versendet.

Soweit modzero bekannt, ist dies keine vorgesehene Funktionalität. Auch hier müssen wir erneut darauf verweisen, dass solche Fehlerklassen üblich sind. Nur weil eine Benutzeroberfläche eine Einschränkung vorsieht, muss diese von der Applikation nicht zwingend umgesetzt worden sein. Eine Einschränkung in der Benutzeroberfläche ersetzt nicht ein striktes Umsetzen eines ordentlichen Benutzer- und Rollenkonzeptes auch im Backend.

Beiläufig sind noch weitere Probleme aufgefallen, welche hier nicht im Detail beschrieben werden, aber auch mit dem Klapp-Team besprochen wurden:

*   Sensible Informationen in lokaler SQLite-Datenbank (iOS)
*   SQLite Datenbank (iOS) in einem Backup vorhanden
*   Fehlendes Zertifikats-Pinning und Jailbreak-Erkennung
*   Keine Möglichkeit den Zugriff auf die App durch Pass Code oder biometrische Merkmale zu beschränken
**Fazit**

Dies soll kein Aufruf zur Verhinderung von Innovation oder Digitalisierung sein, jedoch bitten wir jeden einzelnen Entwickler, Architekt, CEO... JEDEN Involvierten... seine Verantwortung wahrzunehmen und im Zweifelsfall jemanden hinzuzuziehen, der die Sachlage neutral beurteilen kann.

Natürlich kann in diesem Beispiel argumentiert werden, dass die Auswirkungen der Schwachstellen ja überschaubar sind und die Schutzmassnahmen für das Anwendungsgebiet möglicherweise ausreichen. Das Problem einer solchen Argumentation liegt dabei, dass sich die Umgebung, der Funktionsumfang, die Entwicklungsprozesse sowie die Firmen selbst zukünftig wandeln werden. Selbst wenn zum jetzigen Zeitpunkt ein Unternehmen ehrbare Ziele verfolgt oder eine Applikationsschwachstelle nur eine verhältnismässig geringe Auswirkung aufweist, so kann sich dies schon Morgen ändern. Es ist daher wichtig bereits früh in der Projektphase die richtigen Entscheidungen zu treffen und Fehlfunktionen, Schwachstellen und Bedrohungsmodelle als integral wichtigen Bestandteil zu behandeln.

**Zeitlicher Ablauf***   2020-08-18  Einladungsschreiben der Schule erhalten.
*   2020-08-18  Schwachstellen aufgedeckt.
*   2020-08-19  Klapp kontaktiert. Klapp hat sich zurückgemeldet.
*   2020-08-21  Schwachstellen telefonisch an Klapp übermittelt. Schwachstellen akzeptiert.
*   2020-08-24  Rückmeldung von Klapp erhalten, dass die Autorisierungs-Code Schwachstelle behoben wurde

CVE-2020-36533: Knapp daneben ist auch vorbei

A vulnerability, which was classified as critical, was found in Platinum Mobile 1.0.4.850. Affected is /MobileHandler.ashx which leads to broken access control. The attack requires authentication. Upgrading to version 1.0.4.851 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile**

_From_: SEC Consult Vulnerability Lab <research () sec-consult com>  
_Date_: Fri, 2 Oct 2020 18:17:48 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20201001-0 >
=======================================================================
              title: Broken Access Control
            product: Platinum Mobile
 vulnerable version: 1.0.4.850
      fixed version: 1.0.4.851
         CVE number: -
             impact: critical
           homepage: https://www.platinumchina.com/en/products/p11
              found: 2020-04-24
                 by: M. Li (Office Munich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Platinum Mobile is a mobile office system based on Platinum HRM and ESS
Workflow to realize HR informatization management, taking portable devices
such as mobile phone, tablet pc as its main form and carrier. The new mobile
solution will enable employees quickly and conveniently deal with affairs and
not limited by time and place, thus effectively expedite the efficiency of
internal communication and operations. Users can directly use their mobile
devices landing on the client side to complete a series of tasks. Meanwhile,
the executive have the access to making decisions and approvals anytime and
anywhere."

Source: https://www.platinumchina.com/en/products/p11

Business recommendation:
------------------------
It is recommended to apply the hotfix or update the server component to version
1.0.4.851.


Vulnerability overview/description:
-----------------------------------
1) Broken access control
The mobile application connects to the company-specific server, which does
not properly restrict the access to confidential data. Thus, an authenticated
attacker can disclose the company's payroll, personal information of other
employees without having appropriate privileges to do so.


Proof of concept:
-----------------
1) Broken access control
The mobile application's request consists primarily of two parts: an XML message
in the body and its MD5 hash in the query string.

POST /MobileHandler.ashx?MessageHash=43a98be456b0213ce45e23fdf54c58b8 HTTP/1.1
Host: \[redacted\]
Content-Length: 276

<Message ID="msg1" MessageType="InvokeServiceMessage" Service="Payslip" Method="getMyPayslipMonthInfoForReleaseMany" 
Language="English" UserCode="user0" TokenID=""><Parameters><String>0000000537</String><DateTime>2020-03-31 
00:00:00</DateTime><null/></Parameters></Message>

Analyzing the mobile application reveals the following algorithm to
calculate the hash:

MessageHash = hex\_md5(escape(XmlMsg) + TokenID);

Furthermore, the server-side part of the application runs the following logic
to verify the message:
- extract the "UserCode" value from the message
- look up the "TokenID" associated with the "UserCode"
- calculate and compare the hash
- if valid, trust and use the parameters in the message, which serves as
  the real reference (rather than the "UserCode") to the business data.

Given this information, an authenticated attacker can craft a message with
an arbitrary value set (e.g. 0000000537) for the element "Parameters" and
calculate the hash with the attacker's "UserCode" and "TokenID".

As a consequence, the pay slip of another employee (e.g. a higher-ranked
manager) can be disclosed. By iterating the values, the attacker can
reveal the entire payroll data of the whole company.

In the following example an authenticated user "user0" can collect
personal information of "user1", including phone number, emails etc.

POST /platinummobile/Handlers/MobileHandler.ashx?MessageHash=bf62c16cad7a6b27b0fee8e1a21409b7 HTTP/1.1
Host: \[redacted\]
Content-Length: 203

<Message ID="msg1" MessageType="InvokeServiceMessage" Service="MyAccount" Method="GetMyInfo" Language="English" 
UserCode="user0" TokenID=""><Parameters><String>user1</String></Parameters></Message>


Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one at the
time of the test:
- 1.0.4.864 on Android
- 1.0.4.864 on iOS
- 1.0.4.850 on Server


Vendor contact timeline:
------------------------
2020-05-19: Contact vendor through the provided email address.
2020-05-20: Exchange on the issue.
2020-05-22: Vendor acknowledged the issue, and claimed a hotfix will be released
            before a fix in the next version.
2020-07-22: Contact the vendor again.
2020-07-23: Vendor informed that a hotfix has been released.
2020-08-19: Customer confirmed that the hotfix works.
2020-10-01: Release of the advisory.


Solution:
---------
Apply the hotfix or update the application to the latest version 1.0.4.851.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF M. Li / @2020

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile** _SEC Consult Vulnerability Lab (Oct 02)_

CVE-2020-36528: Broken Access Control in Platinum Mobile

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will _actually_ be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” ​​Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.

Apple Just Killed the Password—for Real This Time

Apple's published some numbers about the number of apps blocked from getting into the App store, along with other security news from the WWDC
The post Rotten apples banned from the App store appeared first on Malwarebytes Labs.

Apple’s App Review process may have received ill wishes from many benevolent developers, but Apple has now revealed how effective it is and why it is so stringent.

According to its review of the year 2021, Apple protected customers from nearly $1.5 billion in potentially fraudulent transactions, and stopped over 1.6 million risky and vulnerable apps and app updates from defrauding users.

**Bad apples**

In 2021, Apple rejected or removed over 835,000 problematic new apps, and an additional 805,000 app updates. Some were removed because they were found to be unfinished or contained bugs that impeded functionality, others because they needed improvements in their moderation mechanisms for user-generated content.

The App Review team also rejected over 343,000 apps for requesting more user data than necessary or mishandling the data they already collected.

To put these numbers in perspective, 107,000 new developers managed to get their apps onto the store. Some of which may have gone through rejection on earlier occasions, but received a stamp of approval in the end.

_Image courtesy of Apple_

**Rotten apples**

Over the same year, the App Review team rejected more than 34,500 apps for containing hidden or undocumented features. They also rejected upward of 157,000 apps because they were found to be spam, copycats, or misleading to users, for example, by manipulating them into making a purchase.

Also, Apple removed over 155,000 apps from the App Store because the developers altered the concept or functionality of the app after receiving approval at first. Altering the app after release is a method threat actors can use to try and bypass the App Review process.

**Fraudulent accounts**

When developer accounts are used for fraudulent purposes, the offending developer’s Apple Developer Program account and any related accounts are terminated.

As a result of these efforts, Apple terminated over 802,000 developer accounts in 2021. Apple rejected an additional 153,000 developer enrollments over fraud concerns, preventing these threat actors from ever submitting an app to the store.

**Financial fraud**

Using both human and tech review, Apple stopped more than 3.3 million stolen cards from being used to make potentially fraudulent purchases. Nearly 600,000 accounts were banned from ever transacting again. In total, Apple protected users from nearly $1.5 billion in potentially fraudulent transactions in 2021.

**User concerns**

If users have concerns about an app, they can report it by clicking on the Report a Problem feature on the App Store or calling Apple Support, and developers can use either of those methods or additional channels like Feedback Assistant and Apple Developer Support.

As part of the App Review process, any developer who feels they have been incorrectly flagged for fraud may file an appeal to the App Review Board.

**Passwords**

Apple also announced at its annual Worldwide Developers Conference (WWDC) that it will introduce support for third-party two-factor authentication apps with the built-in Passwords feature in the Settings app.

iOS 16, which is expected to be released in September 2022, will permit users to edit strong passwords suggested by Safari to adjust for site‑specific requirements.

Apple also confirmed it’s bringing support for passkeys in the Safari web browser, a next-generation passwordless sign-in standard that allows users to log in to websites and apps across platforms using Touch ID or Face ID for biometric verification.

Passkeys never leave your device and are specific to the site you created them for. Which makes phishing for them almost impossible. The passkey mechanism was established by the FIDO Alliance and is already backed by Google and Microsoft. As such, it aims to replace standard passwords by providing unique digital keys stored locally on the device.

Rotten apples banned from the App store

By using artificial intelligence to predict how an attacker would carry out their attack, we can deploy defenses and preemptively shut down vulnerable entry points.

Security teams can't protect what they don't know about. But it is not enough to just understand what they have within their organizations' environment. Defenders also need to put themselves in an adversary's shoes to understand which systems are likely to be targeted and how the attack would be carried out. Technologies such as attack surface management and attack path modeling make it possible for security teams to gain visibility into which assets adversaries can see and how they might gain access.

With attack surface management, organizations are continuously discovering, classifying, and monitoring the IT infrastructure. Unlike asset management, which looks for everything the organization has, attack surface management looks at the IT infrastructure from outside of the organization to determine what is exposed and accessible. Since new assets are always being created and cloud infrastructure can be spun up dynamically, this inventory needs to be updated continuously or the organization will have gaps in its knowledge of all the potential entry points, says Pieter Jansen, CEO of Cybersprint, which was acquired by Darktrace in February for $52.3 million (€47.5 million).

Cybersprint's attack surface management platform gives customers their own "hacker's lens" that they can use to determine where an attacker could strike next, Jansen says. Attack surface management goes beyond tracking Internet-accessible systems by considering how the assets are configured, what security controls are in place, and how the various tools and devices are connected.

Someone creating new infrastructure components within the DevOps environment may think they are working within the test environment, but an attacker doesn't care whether it is in testing or production. "It's an ideal way of getting in \[to the organization's environment\] early and to move to production systems," Jansen says.

Darktrace acquired Cybersprint for its external view of the organization's environment, says Jack Stockdale, CTO of Darktrace. Darktrace's artificial intelligence (AI) technology develops a comprehensive view of the organization's infrastructure, but it is an internal view, he says. Darktrace can see what the organization has within the IT environment — the network, email, cloud assets, and endpoints — as well as OT. Bringing Cybersprint's external view into Darktrace's platform makes it possible to find more threats earlier.

"It's essential to put all those different areas into one platform" instead of maintaining individual silos of information, Stockdale says. "Trying to infer what's happening and stop attacks by looking at individual silos — we truly believe that is not the way to go."

**A Shift to Proactive AI**

Up until now, Darktrace's self-learning AI technology has focused on detection and response, which means it is reactive, Stockdale notes. "Essentially, \[the AI\] sits there and waits for a problem," he says. Teaching the AI about the attacker shifts the balance, since the AI now doesn't have to wait for an attack to do something about the organization's security.

This is where attack path modeling comes in.

Security teams are beginning to think about attack path analysis. For the past few years, Verizon's "Data Breach Investigations Report" (DBIR) has devoted a section to analyzing attack paths. Understanding the paths adversaries are likely to take helps security teams identify places they can add more controls or tools to stop the attack.

"Our job as defenders is to lengthen that attack path. Attackers tend to avoid longer attack chains because every additional step is a chance for the defender to prevent, detect, respond to, and recover from the breach," Verizon's researchers wrote.

Attack path modeling uses the existing view of the environment to determine the most likely and most effective paths attackers would take through the organization, Stockdale says. After identifying the key assets and people, as well as the organization's crown jewels, it is possible to use both the internal and external views to identify the likely path the attacker would follow to reach the crown jewels. After analyzing the path, it is possible to run a simulation to see what would happen in the case of an incident.

"What happens if ransomware was detected on a particular laptop or a particular type of compromise started in a particular environment? How will the attacker most likely move through \[the\] organization to cause the damage or to reach the crown jewels or to sell information?" he asks.

Attack path modeling is more than a red team exercise of a penetration test, Jansen notes, because it allows security teams to identify the most likely steps an attacker would take in order to compromise the organization. AI shines here because it is capable of going down every path and seeing every permutation of possible attacker scenarios. Human teams, in contrast, would be able to run only a limited number of exercises.

Once they can see all the potential entry points, security teams can start testing defenses along those particular paths and determine whether additional resources are necessary. Perhaps they discover four or five most likely routes an attacker could take from a compromised email account or system login. At this point, the team can deploy additional controls or defenses to make those paths unfeasible for the attacker.

**Adding 'Prevent' to the Cybersecurity Loop**

Darktrace's Cyber AI Research Centre has been working on ways to apply AI to attack path modeling for almost two years, Stockdale says. The research is now being incorporated into Darktrace's new product family, Darktrace Prevent, which will be generally available by the summer.

"We're now taking \[attack path modeling\] out of the research center and building it into our next set of products that will go to our customers," he says. Several customers in the early adopter program already have the new technology in their production environments.

Darktrace views security as a continuous loop where the AI learns about the organization, identifies potential attack paths, and feeds those outcomes to detect and respond to harden the environment, Stockdale says. Eventually, the plan is for AI to learn to heal from the damage caused by attacks, as well.

"When we talk to our customers, we tend to look at the areas where human beings are doing lots of repetitive work, or challenging work, that we think AI is a perfect fit for," Stockdale says. There are areas where AI can help make these teams more efficient or allow companies that don't have the resources to hire human teams to add security capabilities.

"Our vision moving forward is to be much more proactive," Stockdale says.

Harnessing AI to Proactively Thwart Threats

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The one-two punch of a cyberattack can be devastating. There is the breach and then the related mitigation costs. Implementing a comprehensive Incident Response (IR) gameplan into a worst-case-scenario should not be a post-breach scramble. And when that IR strategy includes insurance, it also must address a business’s level of cyber risk.

A 2021 study by NetDiligence analyzed over 5,700 claims and the average claim cost for an organization with less than $2 billion in revenue was $354,000. Larger organizations incurred on average over $16 million in costs.

The cost issue is compounded when ransom payments are included in the calculation, which can significantly increase insurance claim payouts. Unsurprisingly, this trend has led many cyber liability insurance carriers, as well as law firms who specialize in data breach, to encourage their clients to strengthen their cybersecurity controls and seek more formal relationships with digital forensics and incident response firms.

For most, an IR retainer will be a formal relationship to safeguard the organization if the worst was to happen. It grants firms expedited response under a pre-agreed service level agreement (SLA) and avoids potential delays around legal and financial decisions when every minute counts. It is incredibly valuable in a crisis but offers limited value when the organization manages to avoid incidents.

****IR Retainers Shouldn’t Just Be Another Insurance Policy****

While the majority of organizations do treat the “hardening” of their controls and the search for an IR retainer as separate projects, the biggest value would come from achieving both under a true “cyber risk” retainer. Pure IR retainers typically don’t offer security leaders flexibility to maximize their investment, but by being permitted to use credits toward preparedness, testing, simulations and so forth, cyber risk can be mitigated. There are three key elements to achieving an effective cyber risk retainer: negotiation, structure and  execution

****One: Negotiate with Transparency****

Identify a firm with experience beyond IR. Are they familiar with incident preparedness needs, such as tabletop exercises, breach and attack simulations, red team exercises, etc?

If gaps in your essential security controls (e.g. MFA, backups, email hygiene) are identified, would this firm have the capability to assist? If an incident leads to a breach of sensitive data, would this firm be able to help with breach notification needs? Would retainer credits cover the costs?

Once you identify an initial set of firms that can satisfy these criteria, it’s helpful to ask what sort of onboarding is needed. Experienced firms will run a thorough process of learning about the client’s IT security program, including what policies and plans they have, as well as to gain an overview of their IT environment. This leads us to step #2, where the fun starts with structuring retainers based on key requirements.

****Two: Structure Retainers According to Your Security Strategy****

Retainer structuring begins with mapping out the most effective allocation of retainer credits.

A cost estimate should be given for common IR scenarios (ransomware and Business Email Compromise, for example) and that becomes a set percentage of the retainer.

The remaining retainer allocation should be mapped to your security strategy. Perhaps the organization is moving to the cloud and will need to deploy MFA to the Azure active directory, for example. A portion of the retainer could be set aside for penetration testing that can identify MFA weaknesses. Simulations and tabletop exercises that are specific to the industry and / or risk appetite should also be conducted to ensure everyone from executives, PR to compliance teams are prepared should the worst happen.

****Three: Execute with Guidance from Your Retainer Partner****

The best cyber risk retainers are collaborative exercises. Keeping in constant contact with the retainer team can provide you with frontline threat intelligence and analysis of complex security issues being faced by organizations like yours. This ensures that investment is also well targeted to areas of potential vulnerability utilized by today’s threat actors.

With most infosec teams critically understaffed, those in your retainer team can become a valuable resource for advising on and prioritizing key cyber resilience issues.

In helping firms to become more secure, retainer teams often also take on the role of project manager. They are in a good position to bring stakeholders to the table, prepare necessary communications and seek appropriate technical permissions.

By encouraging firms to use their excess retainer credits for proactive services overall cyber resilience will be enhanced. More vulnerabilities, gaps in security policies, processes and technology will be identified. Organizations can do risk assessments, penetration tests and tabletop exercises, ensuring that security is not only improved but the wider business is assured of its maturity.

An additional benefit of a longer-term retainer relationship is that the cyber practitioners are afforded the opportunity to learn about a client’s cybersecurity program and the context in which it exists. Knowing the various policies and processes in place, the toolsets that are deployed, along with the configurations in their network can become vital contextual intelligence. With this in-depth knowledge, if a client suffers a cyberattack its on-hand practitioners will already have a solid understanding of the client’s IT environment which will allow them to expeditiously contain and remediate the issue.

In an ideal world incident preparedness and response should be tightly intertwined. True cyber risk retainers allow organizations to do this in a way that not only improves resilience in theory, but equips teams with the practical intelligence to do the very best job they can, both in a crisis and business-as-usual environment.

Tag

#ios