
May 19, 2019 »

Facebook bans accounts of fake news firm

By Lisa Vaas

Facebook has shut down 265 fake accounts, many linked to an Israel-based social media company, that were being used to spread fake news and influence political discourse in a number of nations – mostly in Africa, but also in Latin America and Southeast Asia.

The company announced on Thursday that the accounts, which were on both Facebook and Instagram, had engaged in what Facebook dubbed “coordinated inauthentic behavior.”

In the ongoing back-and-forth over the use of social media as a platform from which to launch political meddling, companies such as Facebook and Twitter have been wrestling with the way their platforms have been used to spread disinformation. Singling out a company by name, as Facebook did with Archimedes Group, is a new twist, though.

The company promises its clients that it can bend reality for them. Archimedes Group, based in Tel Aviv, calls itself a leader in large-scale, worldwide “campaigns” and promises to “use every tool and take every advantage available in order to change reality according to our client’s wishes.”

…at least, the site was promising that when the Washington Post wrote up the news. Its site is strange to navigate, so either I can’t find that text, or perhaps Archimedes Group has yet again warped reality… and tweaked its site to remove the “by any means necessary” message.

Nathaniel Gleicher, Facebook’s head of global cybersecurity policy, said in Thursday’s post that the Pages and accounts weren’t taken down because of their content. Rather, it was their coordinated behavior that set off red flags:

As in other cases involving coordinated inauthentic behavior, the individuals behind this activity coordinated with one another to mislead others about who they were and what they were doing, and that was the basis for our action.

Gleicher said that the people behind the network used fake accounts to run Pages, disseminate content and artificially pump up engagement. They also lied about being locals – including local news organizations – and published what was allegedly leaked information about politicians.


Bots rigged Russian finale of ‘The Voice Kids’ talent show

By Lisa Vaas

Sure, bots might be all over the US electorate, but this is serious. This is The Voice. Think of the children!

That’s what Russian bots were doing, in fact: robo-thinking of the children. Make that one child in particular – the daughter of pop singer Alsou and wealthy businessman Yan Abramov, whom they robo-voted in by a suspiciously large margin to win the sixth season of Russia’s popular TV talent show “The Voice Kids.”

Mikella Abramova, 10, won with 56.5% of the phone-in vote.

The state-owned channel that broadcasts the show, Channel One TV, announced on Thursday that it had decided to cancel the results of the vote.

Channel One said it’s working on boosting the safety of the voting system – before the start of the next season – so this never happens again.

What happened in the 6th season of “Voice of the Child” should be the first and the last case when someone tried to control the audience choice.

It came to the decision after having called on Group-IB to investigate the vote. Group-IB, an infosec firm that analyzes threats originating in Russia and Eastern Europe and which is an official partner of Interpol and Europol, released the initial results of that investigation on Thursday and said that their investigation is ongoing.


Google recalls Titan Bluetooth keys after finding security flaw

By Danny Bradbury

Google had egg on its face this week after it had to recall some of its Titan hardware security keys for being insecure.

Titan is Google’s name for its family of hardware security keys that provide two-factor authentication (2FA) for web users.

Launched in July 2018, they offer a level of physical authentication to complement website passwords. Google provides the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.

When you switch on hardware key support in a website, it asks you to present your Titan key along with your password before it will let you in. This stops thieves who steal your password from accessing your web account.

How do you present your Titan key? It comes in two flavours: a USB key that you plug into your computer, and a Bluetooth-based key that connects wirelessly to your device. This works with computers and with your smartphone, giving mobile users extra protection for their web accounts.

The problem lies with the Bluetooth key, and in particular with its implementation of Bluetooth Low Energy (BLE). This is the protocol it uses to communicate wirelessly with the device it’s authenticating to.

In normal operation, you’d first register your BLE-enabled Titan key with the web service you’re using, generating a secret that is stored on the key.


Hacking gang stole millions in cryptocurrency via SIM swaps

By Lisa Vaas

Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities.

On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan said that the six alleged hackers are part of a hacking gang called “The Community.” The gang allegedly carried out seven attacks that netted a cryptocurrency haul valued at more than US $2.4 million.

The unsealed indictment charges Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut, with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.



Europol arrests end GozNym banking malware gang

By John E Dunn

Arrests in Europe and the US appear to have ended the cybercrime careers of the gang behind the GozNym banking malware.

According to Europol, which coordinated the pursuit of 10 people in Ukraine, Moldova, Georgia, Bulgaria, Germany and the US, GozNym stole $100 million by infecting 41,000 devices around the world – mainly business computers.

Among those picked up were the alleged network mastermind, arrested in Georgia, and another individual in Ukraine who unsuccessfully attempted to evade police by producing a firearm. Five unnamed Russians remain on the run.

The GozNym malware was created sometime around 2015 by combining the code of two older pieces of malware: the well-known banking trojan Gozi, whose source code leaked in 2010, and the Nymaim dropper, a later malware most often used to unleash ransomware attacks.

The hybrid combined the best of two slightly different worlds, turning up in attacks on customers of two dozen US and Canadian banks in 2016.

The attacks used a common technique – blasting out the malware in phishing campaigns, or via exploit kits planted on websites; capturing online banking credentials; accessing those accounts to steal money; and laundering the proceeds:

The GozNym network exemplified the concept of cybercrime as a service, with different criminal services such as bulletproof hosters, money mules’ networks, crypters, spammers, coders, organizers, and technical support.

The gang members were highly specialized in their roles, each carrying out a different task, from coding and sending phishing emails to tending to the flow of money from victims.


May 16, 2019 »

UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability

By Mark Stockley

Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It doesn’t get much worse than that.

Fixes are included for versions of Windows 7 and Windows 2008 (see the advisory for the full list) as part of Microsoft’s most recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003 (see the customer guidance for the full list).

The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads by itself across and between networks.

Millions of computer networks around the world have RDP exposed to the outside world so that they can be managed not only via their local network but also across the internet. Sometimes, that external access was enabled on purpose; sometimes the exposure is an unwanted mistake – but in either case, a network where RDP can be reached from the outside is a potential gateway for an automated attack to reach a new victim.

Given the number of targets, and the potential for an explosive, exponential spread, we suggest you treat it as a matter of when, not if, the patch is reverse engineered and an exploit created, so you should update immediately. For more guidance, check out this article’s What to do? section.


Microsoft fixes Intel ZombieLoad bug with Patch Tuesday updates

By Danny Bradbury

Microsoft’s May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical. Here’s a summary of the most notable ones.

The update fixed a processor logic flaw (CVE-2018-12130) that allows computer programs to steal each other’s data.

Discovered by researchers at the Graz University of Technology and KU Leuven, the attack is able to read data between different threads, which are separate programs running on the same physical computer core.

ZombieLoad is known as a Microarchitectural Data Sampling (MDS) vulnerability, and it shares some characteristics with Spectre and Meltdown, the two side channel attacks announced in January 2018. It is a flaw in Intel processor hardware, meaning that it affects any operating system running on x86 chips, including Windows. It uses Intel’s speculative execution feature to pilfer other programs’ data. As Microsoft explained in the note associated with the patch:

In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

The attack affects both desktop and server-based systems, although exploiting it isn’t trivial. Someone would need to run a malicious app on the target system.

Microsoft’s patch joins other fixes from companies including Apple and Google. It provides a software workaround until Intel fixes the bug in future processor releases. The patch probably won’t affect performance on consumer systems, said the advisory.


May 15, 2019 »

Twitter bug leaks iOS users’ location data to partner

By Lisa Vaas

On Monday, Twitter said that it goofed: it mistakenly collected and shared some accounts’ location data with one of its partners, even if a user hadn’t opted in to sharing the data.

The bug, which only affected some Twitter users, has already been fixed.

It involved inadvertently collecting and sharing location data at the postal code or city level. The bug specifically affected some people who were using more than one Twitter account on iOS and who had opted into using the precise location feature in one of those Twitter accounts. On the affected devices, the location data sharing accidentally spilled from one opted-in account to other, non-opted-in accounts on the same device, Twitter said.

Twitter told Engadget that employees discovered the glitch.

Separately, Twitter says it intended to remove location data from fields sent to a trusted partner during an advertising process known as real-time bidding. That didn’t go as planned. The partner couldn’t see precise locations, as in, it didn’t get more precise than a postal code or city – an area equivalent to 5km squared, Twitter said.


Update iOS and Mojave now! Apple patches are out

By John E Dunn

Apple has released its May 2019 security updates, taking iOS to version 12.3 and macOS Mojave to version 10.14.5.

There are three elements to this month’s new software – new capabilities (which tend to get the most attention, and which we’ll ignore), a sizable pile of important security fixes, and a smattering of minor security tweaks.

One of the interesting things about Apple’s advisories is the large number of third-party researchers the company name checks.

That’s a positive – the more researchers combing for flaws, the fewer will be exploited and hurt people. What’s less clear without reading deeper into the CVEs (which aren’t always explanatory until user updating has occurred) is which ones are more serious.

iOS 12.3

This month iOS generated 42 CVEs, bulked out by the number affecting WebKit, which amount to 20 in all.

The ones that jump out usually involve a vulnerability that might allow a remote attacker or local app to take control of the device at some level – like most of the WebKit flaws.

One example is CVE-2019-8585 in CoreAudio, which could give malware a route to compromise a device via a malicious movie file. That’s serious because it doesn’t appear it would necessarily require the victim to do anything.


Facebook sues app developer Rankwave over data misuse

By Lisa Vaas

It sounds a lot like Facebook has gotten itself into (or encouraged and is now pretending it’s aghast about it all) another Cambridge Analytica-ish data privacy fiasco.

Facebook announced on Friday that it’s filed a lawsuit against a South Korean social media analytics firm called Rankwave, alleging that the company abused Facebook’s developer platform’s data and that Rankwave has refused to cooperate with the platform’s mandatory compliance audit and Facebook’s request that it delete data.

Facebook already suspended Rankwave’s apps and any accounts associated with the company. Now it’s looking for the court to get it to comply with a data audit and to delete whatever Facebook data it has, as well as to cough up the $9.8m USD it made off selling data it never should have, as Facebook tells it.

From its announcement:

By filing the lawsuit, we are sending a message to developers that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation.

The suit, filed in California Superior Court for the County of San Mateo, says that beginning around 2010, Rankwave started developing apps on Facebook’s platform in order to sell advertising and marketing analytics and models, in violation of Facebook’s policies and terms. It operated at least 30 apps on the Facebook platform, according to the complaint.


Update WhatsApp now! One call could give spies access to your phone

By Mark Stockley

On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its ridiculously popular WhatsApp messaging app, thanks to a zero-day vulnerability that allowed hackers to install spyware, silently, just by calling a victim’s phone.

The vulnerability is now fixed, which means that if you’re one of WhatsApp’s 1,500,000,000 users you need to go to the well and drink up the latest version.

There’s a good chance your app’s already updated itself, but this is a serious vulnerability so we advise you to check all the same.

WhatsApp isn’t exactly shouting about this. The Facebook Security page, WhatsApp’s company website and WhatsApp’s Twitter feed are bereft of information.

The What’s New sections of the app’s Google Play and Apple App Store listings would love you to know that with the latest version of the app you can now see stickers in full size when you long press a notification, but couldn’t find room to mention that this is the only version that doesn’t allow remote spying.

Instead, Facebook has done the digital equivalent of pinning a security advisory for CVE-2019-3568 to the back of the toilet door in an unlit basement while nobody was looking. It reads as follows:

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

What the description is trying to tell you is that some people who knew about this vulnerability used phone calls to vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera.


May 14, 2019 »

White label SOS panic buttons can be hacked via SMS

By John E Dunn

A widely used panic alarm handed out to at least 10,000 elderly people in the UK can be remotely controlled by sending it simple SMS commands, researchers at Fidus Information Security have discovered.

The alarm – a small plastic pendant device with an SOS button in the middle – connects to 2G/GPRS cellular networks, which means it can be used anywhere without the need for an intermediary base station and provides a live status feed.

As well as being able to locate the wearer via GPS, it can also detect whether the wearer has taken a fall and comes with a microphone and speaker for two-way communication should an emergency be detected.

On the face of it, a potentially life-saving device, but also one whose unnamed maker doesn’t appear to have factored in even basic security.


Windows 10 brings password-free access another step closer

By Danny Bradbury

Microsoft hammered another nail in the password’s coffin by winning a certification for Windows Hello that will make it easier for people to log into Windows machines.

Windows Hello is the authentication system in Windows 10, and Microsoft introduced it to wean us off password-based access. It enables machines with the right hardware reader or camera to scan your fingerprint or face to access Windows 10 and your Microsoft account. You can also use it to access third-party services.

This month, the company earned FIDO2 certification for Windows Hello. By becoming a FIDO2 certified authenticator, Microsoft has just enabled 800 million Windows 10 users to use a hardware security key with Windows Hello’s password-free system.

FIDO aims to make logins easier and more secure

To understand why this is important, we need to dig into FIDO, which stands for Fast IDentity Online. The FIDO Alliance is an industry group backed by large tech players that aims to make logins easier and more secure.

Since the FIDO Alliance started in 2013, it has released three specifications. The first, announced in 2014, was the Universal Authentication Framework (UAF). That standard focused on using biometrics like your fingerprint for password-free authentication.

The second standard was Universal Second Factor (U2F). This let people authenticate themselves using hardware devices like USB keys that you could plug into your computer, or near-field communication (NFC) devices that you could tap on a hardware-based reader. Google and Yubico developed this technology for two-factor authentication, meaning you’d use it as an extra layer of protection on top of your regular password.


Feds hook ELECTRICFISH, new Windows malware from North Korea

By Danny Bradbury

The FBI and Department of Homeland Security have identified (Malware Analysis Report AR19-129A) a new strain of malware from North Korea, the latest in a long line of cyber attacks from the country.

The Windows malware, dubbed ELECTRICFISH, sets up a tunnel between a machine on the victim’s network and the attacker’s system, enabling the attacker to receive network traffic from the victim.

Once it has a foothold, it then tries to connect to a source IP address within the victim’s network, and a destination address owned by the attacker. The attacker can also configure a proxy to act as an intermediary between the infected computer and the destination IP, avoiding the need for authentication to get outside the victim’s network. The US CERT advisory says:

If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be funneled between two machines.


May 13, 2019 »

Two people indicted for massive Anthem health data breach

By Lisa Vaas

On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China, that was behind not just the Anthem attack, but also attacks against three other US businesses.

The DOJ didn’t name the other businesses but did say they were data-rich. One was a technology business, one was in basic materials, and the third was in communications: all businesses that have to store and use large amounts of data – some of it confidential business information – on their networks and in their data warehouses.

The suspects are 32-year-old Fujie Wang – following the Chinese convention of putting a surname first, that would be Wang Fujie; he also used the Western nickname of “Dennis” – and a John Doe. Investigators haven’t yet figured out Doe’s real name, but the indictment said he goes by various online nicknames, as well as “Deniel Jack,” “Kim Young” and “Zhou Zhihong.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

The four-count indictment alleges that beginning in February 2014 and up until around January 2015, Wang, Doe and other members of the gang hacked into the targeted businesses using “sophisticated techniques” including spearphishing and malware.

They allegedly rigged tailored spearphishing emails with links to malware and sent the messages to employees at the targeted companies. When employees clicked on the links, their systems would get infected by malware that, among other things, planted a backdoor that gave the hackers remote access via their command and control server.

Once in, the suspects and their accomplices moved laterally across the infected network in order to escalate their network privileges and to thereby boost their ability to get at information and to tweak the network environment.


Study finds Android smartphones riddled with suspect ‘bloatware’

By John E Dunn

One of the oft-discussed downsides of choosing an Android device is the phenomenon of pre-loaded “bloatware.”

Broadly speaking, these are apps and services pre-loaded on smartphones and tablets by phone vendors, mobile carriers, and their partners along with the basic suite of Google apps and Android itself.

Not all of this software is necessarily useless, and some vendors load less than others, but often it can’t be uninstalled, leaving users stuck with space-consuming software they might never use.

Worse still, according to a new study by researchers at the Universidad Carlos III de Madrid in Spain and Stony Brook University in the US, which analysed crowdsourced data from 1,742 devices made by 214 vendors, bloatware can also create hidden security and privacy risks.

Their first discovery was the sheer amount and mysterious origins of the software shipping on Android devices, which totaled 424,584 firmware files, only 9% of which corresponded to app APKs found on Google Play.

That amounted to around 140,000 apps, built using 11,665 different third-party software libraries (TPLs), and 1,200 developers closely associated with smartphone makers.


Break up Facebook, cofounder says: it’s an un-American monopoly

By Lisa Vaas

Mark’s power is unprecedented and un-American. It is time to break up Facebook.

That’s the gist of what Facebook co-founder Chris Hughes had to say in a lengthy op-ed published by the New York Times on Thursday. Of course, he was referring to Facebook CEO Mark Zuckerberg.

Well, he can probably kiss that friendship goodbye, Hughes said in an interview with CBS This Morning. The two were roommates while they attended Harvard and launched what would become the world’s most dominant social media platform. They’ve been friends ever since, even after Hughes left the company 10 years ago.

Do you think you’re going to stay friends with Mark Zuckerberg?

“I don’t know. Probably not… but there are some friendships where you have disagreements and still stay friends.”

Great guy, perhaps a little power mad, and definitely in charge of a social media monopoly that’s strangling innovation in the cradle, Hughes said of Zuckerberg:

Mark is a good, kind person. But I’m angry that his focus on growth led him to sacrifice security and civility for clicks. I’m disappointed in myself and the early Facebook team for not thinking more about how the News Feed algorithm could change our culture, influence elections and empower nationalist leaders. And I’m worried that Mark has surrounded himself with a team that reinforces his beliefs instead of challenging them.

He has too much power.


Chrome browser pushes SameSite cookie security overhaul

By John E Dunn

Slowly but steadily, web developers are being given the tools with which to tame the promiscuous and often insecure world of the browser cookie.

The latest big idea is an IETF standard called SameSite (aka RFC6265bis), which Google and Mozilla have promoted since 2016, and which Google announced this week it will start pushing more aggressively in Chrome from version 76 this July.

Cookies look simple on the surface – they’re a little chunk of text data that a website can ask your browser to remember, and that your browser will return to that website whenever the browser fetches a page, image or anything else from it. As a security measure, cookies can only be handed over to the domain that set them.

The most common use for cookies is user identification – a site stores an ID in a cookie and the browser returns that ID with each request, so that the site knows who it’s talking to. It’s this simple technique that allows sites to provide authentication and personalization.

What gives cookies a bad name are third-party cookies, usually put there by advertisers or social media giants as a way of tracking users across sites.

For example, if a user visits a page on some site with a Facebook button on it, their browser fetches that button from Facebook as the page is loaded. As with any HTTP interaction, the browser will include any cookies it holds for Facebook in that request, along with a referrer header saying which page the request is coming from.

If you happen to be logged into Facebook (and sometimes even if you aren’t), that request for a button reveals to Facebook who you are, which page you visited and when.

If a social media or advertising company can persuade enough sites to include code hosted on a domain they own, they can turn these cookies into cross-site trackers that build up a map of each user’s behavior and interests as they browse the web.
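As an added illustration (not code from the original article or from Chrome), here is a small model of the decision a browser makes when attaching a cookie to a request, showing why the embedded-button request above identifies the user and how a SameSite attribute changes that. It goes slightly beyond the text by spelling out the Strict, Lax and None values from the SameSite specification; all hostnames, cookie values and the simplified site-matching rule are constructed for the demo.

```javascript
// Added example: a minimal model of browser cookie attachment with SameSite.
// Hostnames and cookie values are constructed; this is not Chrome's code.

// Reduce a hostname to its "site". Real browsers consult the Public Suffix
// List; this demo simplifies to the last two labels (assumption).
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Decide whether one cookie is attached to one request.
//   cookie: { name, value, domain, sameSite }  sameSite: 'Strict' | 'Lax' | 'None' | undefined
//   req:    { host, initiatorHost, topLevel, method }
function shouldSendCookie(cookie, req) {
  // Cookies are only ever returned to the domain that set them.
  if (siteOf(req.host) !== siteOf(cookie.domain)) return false;

  const crossSite = siteOf(req.initiatorHost) !== siteOf(req.host);
  if (!crossSite) return true; // first-party request: always sent

  switch (cookie.sameSite) {
    case 'Strict': return false;                                 // never on cross-site requests
    case 'Lax':    return req.topLevel && req.method === 'GET';  // only top-level navigations
    case 'None':   return true;                                  // explicit opt-in to old behaviour
    default:       return true;                                  // no attribute: pre-SameSite default
  }
}

// What the third-party server observes for a request: the cookies that passed
// the check plus the Referer of the embedding page.
function observedByThirdParty(jar, req) {
  const cookies = jar
    .filter(c => shouldSendCookie(c, req))
    .map(c => `${c.name}=${c.value}`);
  return {
    cookies,
    referer: `https://${req.initiatorHost}/`,
    identified: cookies.length > 0, // can the tracker tie this hit to a logged-in user?
  };
}

// Constructed scenario: social.test holds a session cookie for a logged-in
// user, and a page on news.test embeds a button served by social.test.
const legacyJar = [{ name: 'sid', value: 'u123', domain: 'social.test', sameSite: undefined }];
const laxJar    = [{ name: 'sid', value: 'u123', domain: 'social.test', sameSite: 'Lax' }];

const buttonFetch = { host: 'social.test', initiatorHost: 'news.test', topLevel: false, method: 'GET' };
const topLevelNav = { host: 'social.test', initiatorHost: 'news.test', topLevel: true,  method: 'GET' };

function demo() {
  return {
    legacyEmbed:   observedByThirdParty(legacyJar, buttonFetch), // identified: true  (tracking works)
    laxEmbed:      observedByThirdParty(laxJar, buttonFetch),    // identified: false (cookie withheld)
    laxNavigation: observedByThirdParty(laxJar, topLevelNav),    // identified: true  (user clicked through)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the legacy (attribute-less) cookie the embedded button request carries both the session ID and the referrer, which is exactly the cross-site tracking signal described above; with SameSite=Lax the same subresource request arrives without the cookie, while a deliberate top-level navigation to the social site still logs the user in.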


275m personal records swiped from exposed MongoDB database

By Danny Bradbury

Another day, another massive MongoDB exposure. This time, a security researcher has discovered a public-facing database with over 275 million records containing personal information on citizens in India.

The researcher is Bob Diachenko, who spends a lot of time poring over Shodan search results. Shodan is a search engine, but unlike Google or Bing it indexes devices and software applications connected to the internet and viewable by the public. Shodan regularly surfaces everything from unsecured webcams to exposed databases.

Shodan first indexed the MongoDB instance on 23 April 2019. Its records included not only the individuals’ name, gender, and email address but also their employment history, current employer, current salary, and mobile phone number.

In his blog post on the topic, Diachenko explains that there were no clues in the database about who owned it. His best guess is that the database was the product of a data scraping operation.

Putting people at risk

This is one of the most frustrating things about public database exposures: Someone who doesn’t know what they’re doing can put millions of people in danger, and there’s no way to get hold of them so they can rectify the problem.

We’ve seen this before. Late last month, researchers stumbled on a database with information about 80 million US households, owner unknown.

Diachenko found another last September, again without an owner, exposing email addresses and physical addresses in a 43.5 GB data set. He has a long track record of exposed database discoveries.


FTC renews call for single federal privacy law

By Lisa Vaas

The US Federal Trade Commission (FTC) is yet again beating the drum for the long-discussed, much-debated, when-in-the-world-will-this-happen national data privacy law, the lack of which keeps the country from parity with the EU and its General Data Protection Regulation (GDPR)…

…or, for that matter, with the state of California and its California Consumer Privacy Act (CCPA).

FTC commissioners testified before the House Energy and Commerce subcommittee on Wednesday. As the New York Times reports, they addressed how a national privacy law could regulate how big tech companies like Facebook and Google collect and handle user data.

Besides consumer protection, the FTC is looking for more power. Commissioners asked Congress to strengthen the agency’s ability to police violations, asking for more resources and greater authority to impose penalties.

At this point, as lawmakers squabble over the details of various approaches to a national law, the US lags behind European and other nations that have acted to rein in the growing might of big tech.

In February, both the House and Senate held hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations.

A new, single federal law

Lawmakers tend to agree that we need a new, single federal privacy law. At this point, we’ve got a hodgepodge of state laws and a slew of proposed federal laws. Lawmakers are now considering one such: the Data Care Act.

Other bills: In September, Suzan DelBene introduced a privacy bill that would require information transparency and personal data control. In November, Senator Ron Wyden proposed a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy. Senator Marco Rubio announced yet another bill in January, titled the American Data Dissemination Act.


Sextortion mail from yourself? It doesn’t mean you’ve been hacked…

By Paul Ducklin

Over the past few months, we’ve written and spoken many times about a scam known as sextortion.

Sextortion is an online crime that combines sex and extortion – the crooks say that they have embarrassing pictures of you, and they’ll send the pictures to your friends and family…

…unless you pay them blackmail money.

To make the scam seem more believable, the crooks typically claim to have acquired the pics via your own webcam by hacking into your computer using malware and snooping on your online activities.

Sadly, this sort of malware, known as a remote access trojan (RAT), is not only technically possible, but has been used in the past in a number of widely publicised attacks.

One well-known RAT attack involved a college student called Jared James Abrahams, who supposedly spied on 150 young women including Miss Teen USA. Abrahams was caught, pleaded guilty and went to prison back in 2014. More recently, Jonathan Lee Eubanks got seven years for RATting his former employer’s business, wiping servers, diverting the website and ripping off company funds after he was fired.

Even if you never look at porn, sextortion emails are pretty confronting, and raise the question, “How much might the crooks know about me?”


May 8, 2019 »

Latest Android security updates, and Google to fix patch delays for Pixel

By John E Dunn

Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month?

If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own smartphones made by other vendors, that security update could be anytime between this month and several months hence.

It’s a confusing and unsatisfactory situation Google’s been trying to solve for several years, and this week it detailed how it plans to improve things in the next version of Android, currently known as ‘Android Q’.

Currently, Google’s security updates arrive via phone makers as updates that incorporate elements proprietary to each model and vendor. Inevitably, this takes time.

According to details released at the Google I/O 2019 developer conference and in an interview with The Verge, the company’s ‘Project Mainline’ for Q will adopt a radically different approach, updating a list of 14 OS modules over-the-air straight from the Play Store.


Malvertiser behind 100+ million bad ads indicted in the US

By Lisa Vaas

The Netherlands has extradited a Ukrainian man to the US to face charges of taking part in a multi-year, international malvertising campaign in which conspirators allegedly attempted to smear malware onto victims’ computers on more than 100 million occasions.

31-year-old Oleksii Petrovich Ivanov was indicted in a court in Newark, New Jersey, on Friday, according to the US Justice Department.

He’s facing one count of conspiracy to commit wire fraud, four counts of wire fraud, and one count of computer fraud. Dutch police have had Ivanov since his arrest on 19 October 2018, after an international investigation led by the US Secret Service in coordination with Dutch law enforcement. Indicted on 3 December 2018, Ivanov arrived in the US last Thursday and has been detained without bail.

A plate of bogus fed to online ad platforms

According to the indictment, from around October 2013 through May 2018, Ivanov and a group of unnamed accomplices allegedly ran online advertising campaigns that looked legitimate but tried to steer unsuspecting visitors toward malware, unwanted ads, and other computers that could install malware.

He and his co-conspirators allegedly hid behind fake online personas and phony companies to place ads on third-party sites, such as shopping, news, entertainment, or sports websites. Ivanov and his buddies allegedly told advertising companies they were distributing ads for real products and services and even cooked up false banners and websites showing purported ads. Those advertisements purchased by the ad companies were, however, used to push malware out onto the computers of whoever viewed or clicked on them.


School lunch company exec arrested for skewering rival’s site

By Lisa Vaas

When it comes to school lunch, you’ve got choices.

You can get 1) the French toast sticks, 2) the baked fish sandwich with lettuce and tomato, or 3) to be a ruthless school concession tycoon who hacks into your competition, rips off student data, and tries to anonymously frame them for having crappy security.

Keith Wesley Cosbey, the chief financial officer of a Bay Area company in the student lunch business called Choicelunch, was arrested in April on two felony counts of allegedly choosing menu item No. 3. Or, in legal terms, for “illegal acquisition of student data” from the website of Choicelunch’s archrival, The LunchMaster, of San Carlos, California.

Vishal Jangla, the San Mateo County deputy district attorney, says that Cosbey, 40, is looking at more than three years in prison if he’s convicted of charges of hacking into The LunchMaster’s site to get data about hundreds of students, including their names, their meal preferences, information about allergies, their grades, and more, according to the San Francisco Chronicle.

Cosbey’s been charged with unlawful computer access and fraud, as well as identity theft. Jangla said he hasn’t encountered anybody at the executive level who’s pulled something like this:

Someone who’s an executive, that’s surprising. It’s a first for me.

Cosbey’s accused of not just hacking the data, but also sending it anonymously to the California Department of Education and claiming that The LunchMaster wasn’t appropriately protecting student privacy.


Researchers’ Evil Clippy cloaks malicious Office macros

By Danny Bradbury

Office macros have long been a vehicle for malicious code. Now, a team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. Researchers at Netherlands-based cybersecurity consultancy Outflank created a tool they say stops most major antivirus tools from detecting malicious macro code.

In Microsoft Office, macros are small helper programs written in Visual Basic for Applications (VBA). They automate repetitive tasks like dropping a company letterhead into a document or formatting tables. Just as with other programs, attackers can make macros that do malicious things like drop malware onto your computer.

Named after Microsoft’s ill-fated Office assistant from the late nineties, Outflank’s ‘Evil Clippy’ uses some undocumented features in the way Microsoft stores its macros.

Office stores macros in a container in the Compound File Binary Format (CFBF), the OLE2 structured-storage format used by the old binary .doc/.xls/.ppt files and by the vbaProject.bin part inside modern .docm/.xlsm/.pptm files. Evil Clippy manipulates the macro modules stored in that container using a technique called VBA stomping.

VBA stomping relies on an undocumented detail of those module streams. Each stream holds the VBA source code for the macro, but it also holds a version of that code compiled into pseudo-code (p-code) that the VBA engine can execute directly. When a document is opened by the same Office version that compiled the p-code, Office runs the p-code and never looks at the source, so an attacker can overwrite the source with harmless-looking code while the p-code still carries the real payload; scanners and analysts that only read the source layer see the decoy.
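To make the two layers concrete, here is an added Python example, not Outflank’s tool and not code from the article. It implements the documented MS-OVBA container compression used for the source half of a module stream, builds a constructed module stream whose p-code half is a placeholder (the real p-code format is undocumented, and the MODULEOFFSET would normally be read from the container’s dir stream rather than returned by a helper), performs the stomp, and runs a crude triage heuristic that a decoy containing benign code, as Evil Clippy can supply, would defeat.

```python
"""Added example: the two layers of a VBA module stream and what 'stomping' swaps.
Each module stream is [compiled p-code][compressed source]; the source half starts at
MODULEOFFSET and uses the documented MS-OVBA container compression (section 2.4.1).
The p-code format is undocumented, so the p-code here is a constructed placeholder."""
import math
import struct
from typing import Tuple

CHUNK = 4096  # a DecompressedChunk is at most 4096 bytes


def _bit_count(pos_in_chunk: int) -> int:
    # MS-OVBA 'CopyToken Help': offset bits grow with the position inside the chunk
    return max(math.ceil(math.log2(pos_in_chunk)), 4) if pos_in_chunk > 0 else 4


def decompress(data: bytes) -> bytes:
    """Expand a CompressedContainer (MS-OVBA 2.4.1.3) back into source text."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0b111 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))  # size includes header
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:  # uncompressed chunk: raw bytes follow
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # LiteralToken
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]  # CopyToken
                pos += 2
                bits = _bit_count(len(out) - chunk_start)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):  # overlapping copies are legal
                    out.append(out[-offset])
    return bytes(out)


def compress(src: bytes) -> bytes:
    """Greedy LZ77 into MS-OVBA tokens; fine for small modules.  A full encoder
    falls back to an uncompressed chunk when the tokens would exceed 4098 bytes."""
    out = bytearray(b"\x01")
    for start in range(0, len(src), CHUNK):
        chunk, body, i = src[start:start + CHUNK], bytearray(), 0
        while i < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if i >= len(chunk):
                    break
                bits = _bit_count(i)
                max_len, max_off = (0xFFFF >> bits) + 3, 1 << bits
                best_len = best_off = 0
                for off in range(1, min(i, max_off) + 1):
                    n = 0
                    while n < max_len and i + n < len(chunk) and chunk[i + n] == chunk[i + n - off]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    tokens += struct.pack("<H", ((best_off - 1) << (16 - bits)) | (best_len - 3))
                    flags |= 1 << bit
                    i += best_len
                else:
                    tokens.append(chunk[i])
                    i += 1
            body.append(flags)
            body += tokens
        if len(body) + 2 > 4098:
            raise ValueError("chunk needs the uncompressed-chunk fallback (not implemented)")
        out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body  # flag=1, sig=011, size-3
    return bytes(out)


# Constructed stand-in for the compiled half (real p-code is undocumented).
FAKE_PCODE = b"\xca\xfe\x00\x00<p-code placeholder: this is what Office executes>"
REAL_SOURCE = (b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n'
               b'    MsgBox "payload would run here"\r\nEnd Sub\r\n')
DECOY_SOURCE = b'Attribute VB_Name = "Module1"\r\n'  # what a stomped module shows an analyst


def build_module_stream(pcode: bytes, source: bytes) -> Tuple[bytes, int]:
    """Return (stream, MODULEOFFSET): p-code first, compressed source after it."""
    return pcode + compress(source), len(pcode)


def stomp(stream: bytes, offset: int, decoy: bytes) -> bytes:
    """VBA stomping: keep the p-code bytes untouched, replace only the source layer."""
    return stream[:offset] + compress(decoy)


def extract_source(stream: bytes, offset: int) -> bytes:
    return decompress(stream[offset:])


def looks_stomped(stream: bytes, offset: int) -> bool:
    """Crude triage heuristic: p-code present but no executable source lines.
    A decoy with benign code evades it; proper triage disassembles the p-code."""
    lines = extract_source(stream, offset).decode("latin-1").splitlines()
    statements = [l for l in lines if l.strip() and not l.lstrip().startswith("Attribute ")]
    return offset > 0 and not statements
```

The detection lesson is in the last three functions: anything that decides “clean” by reading the source layer alone (string extraction from decompressed source, or a YARA rule over it) sees only the decoy, while the bytes before MODULEOFFSET are exactly what a version-matched Office will run. Real triage compares the source against a disassembly of the p-code (pcodedmp does this) or treats a module whose source is empty but whose p-code is not as hostile.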


MegaCortex ransomware distracts victims with Matrix film references

By John E Dunn

It’s easy to forget that malware authors are regular human beings with hobbies and interests – not that different from their many victims, in fact.

Take the contrived tendency to embed references to popular culture in malware – as the creator behind a new type of ransomware called MegaCortex has done.

Film buffs will recall that MetaCortex is the faceless software corporation that employs Neo, the hero-hacker who swallows the red pill in The Matrix, itself a veiled pop-philosophical reference to notions of choice and free will.

In the case of MegaCortex, instances of which SophosLabs has noticed ticking up significantly in the last week, the idea of choice-under-pressure is apt. Anyone infected is confronted with a ransom note written in the style reminiscent of The Matrix’s Morpheus character:

Your companies (sic) cyber defense systems have been weighed, measured and have been found wanting. The breach is the result of grave neglect of security protocols.


We can only show you the door. You’re the one who has to walk through it.

The posturing pomposity is, of course, all part of a psychological game in which the attackers attempt to project the idea that they, not the victim, are in control.

One moment, the defenders’ network looked secure. The next, as if out of nowhere, the ransom note pops up. For any organization that isn’t anticipating this sort of attack, it’s easy to be put at a disadvantage by such a surprise tactic.

The tactic is to keep defenders in this state for as long as possible using distraction, ideally until they pay up. If that means bombarding them with gratuitous film references, so be it.


May 7, 2019 »

Firefox add-ons with obfuscated code will be banned by Mozilla

By Lisa Vaas

In order to protect Firefox users from malicious add-ons, Mozilla has banned extensions that contain obfuscated code.

Caitlin Neiman, Add-ons Community Manager at Mozilla, said in a blog post on Thursday that the new policy will go into effect on 10 June.

Here’s the gist of that new policy:

We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included.

If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.

And here’s a link to the add-on policy in full.

Blocking an add-on, also called “blocklisting” it, means disabling it in the browser even after the user has installed it, Neiman explained.

Extensions that violate Mozilla’s policies will face the wrath of a newly proactive Mozilla, Neiman said:

We will be casting a wider net, and will err on the side of user security when determining whether or not to block.

Neiman said that Mozilla will also keep blocking extensions that intentionally violate its policies, that have critical security vulnerabilities, or that compromise user privacy or skirt user consent or control. Other “surprises” Mozilla doesn’t want to see, unless the add-on clearly names itself and asks for a clearly worded opt-in, include: extensions that change default settings such as the new tab page, homepage or search engine; extensions that make unexpected changes to the browser or web content; and extensions with features or functionality unrelated to the add-on’s core function(s).


Dark web marketplace Wall Street Market busted by international police

By Lisa Vaas

An international bust has led to the shuttering of two dark web marketplaces for drugs, weapons, hacked data, hacking tools and other illegal goods: the Wall Street Market (WSM) and the Valhalla Market (better known by its Finnish name, Silkkitie).

Europol and German police announced the “double blow” to dark web marketplaces on Friday, saying that German authorities have arrested three suspects and seized over €550,000 in cash, along with cryptocurrencies Bitcoin and Monero in “6-digit amounts,” several vehicles, computers and data storage, and at least one firearm.

An investigation by the Attorney General in Los Angeles also led to the arrest of two suspects who are alleged to be among the markets’ biggest drug sellers.

On Friday, Finnish Customs said that they’d seized the Silkkitie web server earlier this year and seized a “significant” amount of Bitcoin. They said that after shutting down Silkkitie, some of the Finnish drug dealers moved to other illegal sites on the Tor network, including WSM.

German investigators had their eye on the three suspects since March – a 31-year-old from Bad Vilbel, a 29-year-old from the district of Esslingen and one 22-year-old from Kleve, all three of whom are German nationals.

The stench of exit scam

WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday, 26 April, and which said that the “maintenance” would last a week.


Blockchain project settles cross-border payment

By Danny Bradbury

Singapore’s central bank sent a payment to Canada using blockchain technology last week, in a clear signal that the technology has value – as long as you’re realistic about it.

The Monetary Authority of Singapore (MAS) sent $105 Singapore dollars to the Bank of Canada (BoC) in a proof-of-concept project that inches them closer to solving one of banking’s biggest headaches: cross-border payments and settlements.

In a November 2018 report on cross-border interbank payments and settlements, the two organizations and the Bank of England detailed the challenges of settling transactions between banks in different countries. Banks must navigate an array of hurdles including anti-money-laundering and know-your-customer regulations.

If a bank has no presence in the recipient country, it must also rely on another intermediary bank to process the payment on its behalf, in what’s known as the correspondent banking model. All the parties will have their own legacy systems that make it difficult to process the transaction uniformly. It is an expensive process that can take several days, and parties never quite know when the money will arrive.

The biggest problem is counterparty risk – when a bank sends money via an intermediary to buy something, it can’t be certain that the intermediary will deliver the funds, or that the other bank in the transaction will hold up its end of the bargain.

Reducing counterparty risk

BoC and MAS wanted to use the blockchain to settle payments while reducing counterparty risk. Each organization already had its own distributed ledger for processing the clearing and settlement of payments and securities domestically. In 2016, BoC created Project Jasper, while MAS created Project Ubin. This latest project brought the two distributed ledger technologies together so they could collaborate on transactions.


May 6, 2019 »

Mozilla bug throws Tor Browser users into chaos

By Paul Ducklin

Update. Shortly after publishing this article we were able to fetch Firefox 66.0.4, which claims to fix this issue by repairing a broken certificate chain. We haven’t yet received notification of an update to the Tor Browser, but we expect to see one soon. [2019-05-05T22:15Z]

It’s a long weekend here in the UK, so the atmosphere is relaxed…

…except, we suspect, for any British members of the Mozilla Firefox programming squad.

Mozilla is currently stuck in the middle of a cybersecurity blunder involving digital signatures.

The bug reports we’ve seen so far don’t give much more detail than “expired intermediate certificate” problems, but the symptoms are obvious, especially for Tor users.

We didn’t get hit by this bug immediately – we were off the grid yesterday and left our computing kit at home. (Nothing Bear Gryllsy, you understand – we took ourselves off to Bristol on Brunel’s famous Great Western Railway to visit a bicycle show but left our mobile phone behind entirely by mistake.)

But today, not long after firing up the Tor Browser, which is a special version of Firefox with numerous privacy-centric settings turned on and baked into the build, we received a worrying popup warning.


Belgian programmer solves cryptographic puzzle – 15 years too soon!

By Paul Ducklin

Thanks to Alex Bakewell of SophosLabs for his help with this article.

April 2019 was a good month for bold Belgians!

Professional Belgian cyclist Victor Campanaerts broke the world hour record, covering an amazing, unassisted, undrafted 55km in a velodrome (55,089 meters, in fact) in 60 minutes.

The previous record, set by Sir Bradley Wiggins in 2015, had stood for nearly four years.

But professional Belgian programmer Bernard Fabrot conquered an even more durable challenge.

He cracked a computational puzzle that was set way back in 1999 by none other than Professor Ron Rivest of MIT, who’s the R in the well-known public key encryption algorithm RSA.

Fabrot’s achievement is particularly interesting because Rivest specially designed the puzzle in the hope it would take 35 years to solve, assuming you started as soon as it was published.

In the end, Fabrot required 3.5 years of computer running time, thus outpacing Rivest’s estimate by a factor of 10.

The puzzle is what’s known as a “time-lock problem” – a time-consuming calculation that can only be accelerated by tuning your algorithm or by building faster computer hardware.

Time-lock puzzles are interesting, and important, because they can’t be short-circuited simply by splitting the problem into pieces and throwing more computers at it.

Time-lock puzzles are inherently sequential, typically requiring a number of loops through an algorithm where the input to each iteration of the loop can only be acquired by reading in the output of the previous iteration.

The idea is to put everyone in the same boat: you can be the biggest, richest, most energy-slurping cloud computing company in the world, but all those servers, CPUs and CPU cores won’t let you buy your way to victory.
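To show why the chain of squarings can’t be split across machines, here is an added Python example, not Rivest’s puzzle and not code from the article: a scaled-down time-lock puzzle of the form Rivest, Shamir and Wagner published in 1996, where the secret is hidden behind w = 2^(2^t) mod n. The setter, who knows the factors of n, computes w in two modular exponentiations through the trapdoor phi(n); a solver who doesn’t must square t times in sequence, and each squaring needs the previous result. The 64-bit modulus, the value of t and the fixed seed are demo choices; real generation would use a system random source and a far larger modulus.

```python
"""Added example: a Rivest-Shamir-Wagner time-lock puzzle in miniature."""
import random
from typing import Optional, Tuple


def is_probable_prime(n: int, rng: Optional[random.Random] = None, rounds: int = 20) -> bool:
    """Miller-Rabin with random witnesses; plenty for a demo-sized modulus."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # right size, odd
        if is_probable_prime(cand, rng):
            return cand


def make_puzzle(t: int, bits: int = 64, seed: Optional[int] = None) -> Tuple[int, int]:
    """Setter's side: returns (n, w) using the trapdoor phi(n) = (p-1)(q-1).
    A fixed seed makes the demo repeatable; real use needs SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    p = gen_prime(bits // 2, rng)
    q = gen_prime(bits // 2, rng)
    while q == p:
        q = gen_prime(bits // 2, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    e = pow(2, t, phi)  # 2^t mod phi(n): the shortcut only the setter has
    w = pow(2, e, n)    # equals 2^(2^t) mod n by Euler's theorem (n is odd)
    return n, w


def solve_puzzle(n: int, t: int) -> int:
    """Solver's side: t squarings in a row; iteration k needs the output of k-1."""
    x = 2
    for _ in range(t):
        x = x * x % n
    return x


def lock(secret: int, w: int) -> int:
    """Hide an integer secret (shorter than the modulus) behind w."""
    return secret ^ w


def unlock(z: int, w: int) -> int:
    return z ^ w
```

Try raising t and the solver’s run time grows linearly while the setter’s does not; that asymmetry, not the size of n, is what makes the construction a clock. The two `pow` calls in `make_puzzle` are the whole trapdoor: without phi(n) there is no known way to reduce the exponent 2^t, so the solver is stuck with the sequential loop.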


Criminals are hiding in Telegram – but backdoors are not the answer

By John E Dunn

When it comes to an easy life, the criminals behind the feared Anubis banking malware have become big fans of Twitter and, increasingly, the secure messaging of Telegram.

There’s nothing new in malware piggybacking on popular services but why Twitter and Telegram, and is the recent migration to secure messaging significant?

As SophosLabs explains in a new analysis, Anubis borrows these services to host the command and control (C2) instructions malware reaches out for after first installing on a target system.

Twitter is attractive because its popularity and ubiquity means that its domains are less likely to be blocked by web filtering.

Despite this, SophosLabs has recently noticed Anubis moving from Twitter to use Telegram almost exclusively, on the face of it a strange thing to do.

Perhaps Twitter’s in-house security has got better at whacking the mole – blocking the Anubis domains as quickly as they are set up. Malware writers know that’s going to happen at some point but if it’s within minutes or a few hours, that can be inconvenient.

In fact, Telegram is also quite good at suspending accounts that abuse its service in this way. Nevertheless, writes SophosLabs’ researcher, Jagadeesh Chandraiah:

By the time Telegram removes the account being used for C2, it’s likely that several victims have already installed the malware and obtained their initial C2 server address from the malevolent Telegram account.

That Anubis has also taken to using Chinese characters as a form of obfuscation perhaps offers a clue to the criminals’ motivation – it’s an attempt to buy a bit more time by making things more complicated for malware analysts.


Cryptocoin theft, scam and fraud could total more than $1.2b in Q1

By Lisa Vaas

In December 2018, the CEO of Canada’s major cryptocurrency exchange, QuadrigaCX, allegedly died of Crohn’s disease while in India without telling anybody the password for his storage wallet.

Oh, really? Funny, that. Experts say that Crohn’s is hardly likely to kill an otherwise healthy 30-year-old. Nor was there an autopsy. Or, apparently, a body. It’s also odd that days earlier, Gerry Cotten made out a will leaving everything to his wife. And that Ernst & Young used public blockchain records to review the transactional activity of the six identified cold wallets set up by Cotten, where his wife claims the assets were locked up without access to the password keys, and found that they’d been emptied of $137m.

And, well, you can see where this is headed: straight into the likelihood that it was one of the year’s most scorching exit scams.

CipherTrace analysts think it’s highly unlikely to be anything but fraud, theft or foul play, they noted in the company’s 2019 Q1 Cryptocurrency Anti-Money Laundering Report. Gerry Cotten probably isn’t really six feet under, they suggest. Rather, he could have slipped underground in another way entirely as he and his “widow” actually work to launder a total of nearly $195m worth of customers’ funds.

We’ll likely never know what really happened. But we do know that the lost QuadrigaCX funds have added to a total estimated US$356 million stolen (stolen or “lost,” if you buy the death-by-Crohn’s story) from exchanges and cryptocurrency infrastructure during the first quarter of 2019.

According to CipherTrace, which develops cryptocurrency and blockchain tracing and security capabilities, that figure could swell further still, given that the New York Attorney General last month accused cryptocurrency exchange Bitfinex and cryptocurrency Tether of an $850m fraud. If the allegations bear out, the total losses in Q1 will be more than $1.2 billion.


Cybersecurity experts battle for right to repair

By Danny Bradbury

A battle is playing out between manufacturers and users over who has the right to repair a product – and tech companies are using cybersecurity concerns as a weapon.

Across the US, states have been mulling right-to-repair legislation that would let users repair their own devices, opening up access to verified parts and technical documentation. It’s a reaction to moves by manufacturers such as Apple to lock down the repair process to authorized partners.

Earlier this week, California State Assembly Democrat Susan Talamantes Eggman pulled proposed right-to-repair legislation from consideration by the State’s Privacy and Consumer Protection Committee because it didn’t have the support it needed. She accused industry lobbyists of shooting down the bill, telling Motherboard:

Manufacturers had sown enough doubt with vague and unpacked claims of privacy and security concerns.

Privacy, security and injury

According to Motherboard, vendors and industry associations had been lobbying lawmakers to argue that the right to repair was a bad idea. Apple warned that people trying to repair their own iPhones might puncture the battery and injure themselves.

Industry group CompTIA had also approached lawmakers with a letter sounding the cybersecurity alarm. It warned them that opening up repair rights to the general public could make products less secure. This is similar to claims it made in March 2017, when it sent a statement to the Nebraska Legislature protesting a potential right-to-repair bill in that state. The Nebraska letter pointed out that hackers are constantly trying to break into devices, adding:

Any weakening of the current standards, including sharing sensitive diagnostic tools and proprietary hardware data, could expose customers to risk.

Not so, say cybersecurity professionals. Last November, technology journalist Paul Roberts founded an advocacy group that supports right-to-repair legislation. This week, it announced support from over 20 cybersecurity rock stars, who will speak out for right-to-repair legislation across the US.


Google rolling out auto-delete for your location and activity history

By Lisa Vaas

You may be pleased, or perhaps underwhelmed, by the news that you no longer have to remember to log in and delete the stuff you didn’t know Google was tracking about you.

Google announced new auto-delete controls for Location History and activity data on Wednesday.

…not that Location History and Web & App Activity aren’t the best things since sliced bread – or places where sliced bread is served, Google said:

Whether you’re looking for the latest news or the quickest driving route, we aim to make our products helpful for everyone.

The data can make Google products more useful for you – like recommending a restaurant that you might enjoy, or helping you pick up where you left off on a previous search.

However, it’s been getting feedback about users wanting simpler ways to manage or delete all that data.

You can already use your Google Account to access simple on/off controls for Location History and Web & App Activity or to delete all or part of that data manually.


DHS policies allow unlimited, warrantless device search

By Lisa Vaas

A lawsuit against warrantless searches at US border points has revealed that the Department of Homeland Security (DHS) has given its border patrol agents free rein to conduct warrantless, suspicion-less device searches for pretty much any reason at all.

The lawsuit was filed against DHS in 2017 by the Electronic Frontier Foundation (EFF) and the ACLU on behalf of 11 people. Those people include a military veteran, journalists, students, an artist, a NASA engineer, and a business owner, all of whom experienced forced, warrantless searches of their cellphones and laptops at the border.

On Tuesday, the ACLU and the EFF filed evidence in court showing policies and practices of Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) that authorize officers to conduct warrantless, suspicion-less device searches for purposes that have nothing to do with immigration or customs laws, including:

…enforcing bankruptcy, environmental, and consumer protection laws, and for intelligence gathering or to advance pre-existing investigations.

The documents show that border agents are also allowed to consider requests from other government agencies to search devices, the EFF said.

Agents are empowered to search electronic devices even when the actual target isn’t the traveler standing in front of them – such as when the traveler is a journalist or scholar with foreign sources who are of interest to the US government, or when the traveler is the business partner of someone under investigation.

Both agencies also allow agents to retain the data they copy off devices and share it with other government entities, including state, local, and foreign law enforcement agencies. They’re none too careful with that data, either, as we learned in December when the Office of Inspector General (OIG) filed a report with DHS about border agents copying travelers’ data and leaving it kicking around on USB drives that they don’t always erase and sometimes misplace.


Is a sticky label the answer to the IoT’s security problems?

By John E Dunn

If the security of Internet of Things (IoT) devices is one of tech’s big worries, how might this be turned around?

In the UK, the Government just published new details of its surprising and unfashionable answer – a sticky label.

Called ‘Secure by Design’ since first being mooted in 2018, this won’t simply be a nice-to-have sticker. In time it could become a legal requirement to display it on anything sold with IoT features, such as internet TVs, home security cameras, IoT toys, and home appliances.

Right now, the legal bit remains an aspiration subject to further consultation, but legislation appears to be on the cards at some point, perhaps by next year.

Rather than get mired in complicated security concepts, Secure by Design cleverly zeros in on three fundamental problems that bedevil IoT devices and device security in general.

“IoT device passwords must be unique and not resettable to any universal factory setting.”

The industry has been getting better at avoiding this pitfall in recent years (witness the way broadband routers now ship with unique admin and Wi-Fi passwords) but a lot of mass-market IoT gadgets still ignore this simple principle.
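An added Python example, constructed for this article rather than taken from the UK proposal, of what that first principle means in firmware: the banned pattern (every unit ships with, and resets to, the same password) next to per-device provisioning, where the credential printed on the unit’s label is kept only as a salted hash and “factory reset” returns to that unit’s own credential. The PBKDF2 cost, the wordlist and the serial numbers are demo values.

```python
"""Added example: universal factory default vs. per-device credentials."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Iterable, List, Tuple

ITERATIONS = 20_000  # PBKDF2 cost; tune to the device's CPU (demo value)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# --- the pattern the proposal bans: every unit ships with, and resets to, one secret
UNIVERSAL_DEFAULT = "admin"


def weak_provision(serial: str) -> Dict:
    salt = os.urandom(16)
    digest = _hash(UNIVERSAL_DEFAULT, salt)
    return {"serial": serial, "salt": salt, "hash": digest,
            "factory_salt": salt, "factory_hash": digest}


# --- per-device credential: generated at manufacture, printed on the label,
#     kept in firmware only as a salted hash that factory reset restores
def provision(serial: str) -> Tuple[str, Dict]:
    label_password = secrets.token_urlsafe(12)  # goes on the sticker, not into flash
    salt = os.urandom(16)
    digest = _hash(label_password, salt)
    device = {"serial": serial, "salt": salt, "hash": digest,
              "factory_salt": salt, "factory_hash": digest}
    return label_password, device


def login(device: Dict, password: str) -> bool:
    return hmac.compare_digest(_hash(password, device["salt"]), device["hash"])


def set_password(device: Dict, new_password: str) -> None:
    device["salt"] = os.urandom(16)
    device["hash"] = _hash(new_password, device["salt"])


def factory_reset(device: Dict) -> None:
    """Back to this unit's own label credential, never to a fleet-wide default."""
    device["salt"], device["hash"] = device["factory_salt"], device["factory_hash"]


COMMON_DEFAULTS = ["admin", "password", "1234", "12345", "default", "root"]  # constructed


def audit_defaults(devices: Iterable[Dict], wordlist: List[str] = COMMON_DEFAULTS) -> List[str]:
    """What a botnet scanner does: serials of units that accept a well-known default."""
    return [d["serial"] for d in devices if any(login(d, pw) for pw in wordlist)]
```

`audit_defaults` is the attacker’s view and the manufacturer’s regression test at the same time: a fleet that passes it has no credential an internet-wide scan can guess, and `factory_reset` guarantees a returned or resold unit doesn’t fall back into that state.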

“Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.”

A simple and radical suggestion: if you make something, there should be a way for researchers to tell you that something’s broken in it that needs fixing. There’s plenty of anecdotal evidence that some mass-market manufacturers, at least, are completely oblivious to this concept.


Extortionists leak data of huge firms after IT provider refuses to pay

By Lisa Vaas

Financial data from some of the world’s biggest companies – including Porsche, Oracle, Toshiba and more – has been stolen and published in a ransomware attack on the large, Germany-based IT provider Citycomp.

Citycomp, which says that it maintains over 70,000 servers and storage systems “of every type and size” in 75 countries, issued a statement saying that it had “successfully fended off a hacker attack” in early April and that it has no intention of complying with the blackmail attempt.

Given its refusal to capitulate, Citycomp said, the data couldn’t be saved from being doxxed. “Full transparency” was in place and it informed its customers “right from the start,” it said.

[Citycomp] does not yield to blackmail. The repercussion is the publication of the stolen customer data.

While Citycomp said that the attack had been stopped, a security firm it’s working with, which was authorized to speak to Motherboard, told the publication that as of Tuesday it was ongoing. Michael Bartsch, executive director of Deutor Cyber Security Solutions, said:

Citycomp has been hacked and blackmailed and the attack is ongoing. We have to be careful as the whole case is under police investigation and the attacker is trying all tricks.

The hackers created a .onion Dark Web site where the stolen data can be browsed and downloaded. The list of victims includes names such as Porsche, Oracle, Toshiba, the New Yorker, Ericsson, Leica, UniCredit, British Telecom, Hugo Boss, NH Hotel Group, and Airbus, among many others. On the site, the hackers claim that they have “312,570 files in 51,025 folders, over 516GB data financial and private information on all clients.”


US Government halves deadline for applying critical patches to 15 days

By Danny Bradbury

US federal agencies must fix their security bugs more quickly under new rules issued by the Department of Homeland Security (DHS) this week. The rules also expand the scope of bugs that agencies must pay attention to.

The Cybersecurity and Infrastructure Security Agency (CISA), which is a branch of the DHS dealing with cybersecurity, issued the rules in the form of a new Binding Operational Directive (BOD) this week. BODs are rules that federal agencies must follow. Called BOD 19-02, it tightens requirements for federal agencies to fix the vulnerabilities that the DHS finds.

The DHS regularly scans federal agency systems to try and find vulnerabilities. Called the Cyber Hygiene scan, this practice generates a weekly report that the DHS sends to agencies.

The new directive supersedes BOD 15-01, which forced federal agencies to review and remediate critical vulnerabilities on internet-facing systems within 30 days of their weekly Cyber Hygiene report. BOD 15-01 led to a “substantial decrease” in the number of critical vulnerabilities over 30 calendar days, according to the DHS.

BOD 19-02 ups the ante. It forces agencies to remediate critical vulnerabilities within 15 calendar days of detection. They must also now fix high vulnerabilities within 30 calendar days. CISA measures vulnerabilities according to the National Institute of Standards and Technology’s Common Vulnerability Scoring System (CVSS).
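As an added example (not CISA’s tooling and not from the article), here is how the two directives’ clocks compare when applied to a constructed findings export in the shape of a Cyber Hygiene report. The CVSS v3 severity bands (Critical 9.0 and up, High 7.0 to 8.9) are an assumption, as are the hostnames, finding IDs and dates.

```python
"""Added example: BOD 19-02 vs BOD 15-01 remediation clocks over sample findings."""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# calendar days allowed from first detection, keyed by severity
POLICIES: Dict[str, Dict[str, int]] = {
    "bod-15-01": {"critical": 30},              # superseded: critical only, 30 days
    "bod-19-02": {"critical": 15, "high": 30},  # new: critical 15, high 30
}

SAMPLE_FINDINGS = """host,finding,cvss,first_seen
vpn.example.gov,F-001,9.8,2019-04-20
www.example.gov,F-002,7.5,2019-04-20
mail.example.gov,F-003,5.3,2019-04-20
www.example.gov,F-004,9.1,2019-04-28
"""  # constructed sample, not real scan output


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands (assumed; the scans also carry v2 scores)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def parse_findings(text: str) -> List[Dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"host": r["host"], "finding": r["finding"], "cvss": float(r["cvss"]),
                     "first_seen": date.fromisoformat(r["first_seen"])})
    return rows


def due_date(first_seen: date, cvss: float, policy: Dict[str, int]) -> Optional[date]:
    """None means the directive sets no clock for this severity."""
    days = policy.get(severity(cvss))
    return first_seen + timedelta(days=days) if days is not None else None


def overdue_findings(findings: List[Dict], today: date, policy: Dict[str, int]) -> List[Tuple[str, int]]:
    """(finding id, days past deadline) for everything the directive counts as late."""
    late = []
    for f in findings:
        due = due_date(f["first_seen"], f["cvss"], policy)
        if due is not None and today > due:
            late.append((f["finding"], (today - due).days))
    return late


def overdue_report(text: str, today_iso: str, policy_name: str) -> List[Tuple[str, int]]:
    return overdue_findings(parse_findings(text), date.fromisoformat(today_iso), POLICIES[policy_name])
```

Run against the sample with today set to 7 May 2019, the same critical finding that was comfortably inside BOD 15-01’s 30-day window is two days late under BOD 19-02, and the high-severity finding now has a deadline at all.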

