At a glance.
- Laptops and the limits of schools acting in loco parentis.
- eCommerce platform sustains data exposure.
- Updates on Pegasus.
- Another incident at Olympus?
Are school laptops surveillance devices?
The pandemic made laptops as essential a school supply as erasers, but as students put more of their lives on school-issued devices, they also expose themselves to increased surveillance. As WIRED discusses, educational monitoring software packages like those offered by Securly and Gaggle are intended to make online learning more secure by blocking inappropriate content, flagging keywords, and even allowing teachers to close tabs. But the line between monitoring and surveillance is a blurry one, and as students from lower-income households are more likely to depend on a borrowed or school-issued device than are their higher-income counterparts, the fairness of this monitoring tech is called into question. Tech policy nonprofit The Center for Democracy and Technology issued a report highlighting this disparity, and the Center’s Elizabeth Laird explains, “Our hypothesis was there are certain groups of students, more likely those attending lower-income schools, who are going to be more reliant on school-issued devices and therefore be subject to more surveillance and tracking than their peers who can essentially afford to opt out.”
WIRED's story emphasizes the disparate effect educational tools have on lower-income students, but in truth the privacy issues, insofar as they arise with the use of online learning products, affect students at all income levels. Students who own their own devices are commonly required to purchase and install instructional packages, much as past generations were required to buy their textbooks. Many of the monitoring features are present in the purchased software as well as in the school-issued software.
The software also raises questions about the ethics of monitoring. The Baltimore Sun reports that the Baltimore City school district (located in the US state of Maryland) employs software that looks for indicators of suicidal thoughts, and that since March nine students have been flagged as being in a mental health crisis. In the US state of Minnesota, the Guardian reports, when a transgender eighth-grader wrote about his recovery after a suicide attempt for a school assignment, the software flagged his essay and his school counselor and mother were informed.
Online marketplace leaks private data.
Researchers at SafetyDetectives discovered that the Brazilian marketplace integrator platform Hariexpress.com.br exposed nearly 1.8 billion records' worth of private customer and seller data. The leak was the result of a misconfigured Elasticsearch server, and the researchers speculate that the amount of exposed data was likely growing with each passing day. Infosecurity adds that, although Hariexpress responded to the researchers’ initial notification about the leak, the company hasn't followed up, and it’s unclear whether the leak has been addressed.
Further updates on the Pegasus Project.
The Pegasus Project highlighted the dangers of surveillance software abuse, and the International Centre for Investigative Reporting discusses the impact of spyware on journalism. A study from the Center for International Media Assistance showed that the fear of spyware caused reporters to self-censor their writing. Tough on intercept tool vendors, the report explains, “Thanks to companies like NSO Group, unscrupulous dictators and autocrats who now have a powerful tool to aid in their sinister aims to stifle dissent and quell controversial reporting.”
LiveLaw reports that India’s Attorney General KK Venugopal denied consent to begin criminal contempt proceedings against Pegasus vendor NSO Group for surveillance of a former Supreme Court justice and several staffers, stating that the government’s use of the spyware was sub judice, that is, still under judicial consideration.
Sheikh Mohammed bin Rashid al-Maktoum, a ruler of the United Arab Emirates, was accused of using Pegasus to hack the devices of ex-wife Princess Haya bint al-Hussein, as well as those of her British lawyers, amidst a custody dispute over their two children. Citizen Lab senior research fellow William Marczak, who testified in the case, told ZDNet, "NSO Group and its customers sometimes try to justify surveillance against dissidents and journalists by pointing to national security or terrorism concerns, but it's a lot harder to paint your ex-wife and her family court lawyers as terrorists." The Times of Israel reports that after learning of the misuse of the spyware against Princess Haya, NSO Group has disabled Pegasus’ ability to hack cellphones with UK numbers, as well as devices from any of the other members of the Five Eyes alliance.
Consumer-grade spyware is often dubbed "stalkerware," since it’s frequently marketed to spouses looking to keep tabs on their partners without consent. Google decided to ban ads promoting such tracking last August, but as recently as last week TechCrunch found that ads from five stalkerware makers were still being displayed. When notified, Google responded, “We immediately removed the ads that violated this policy and will continue to track emerging behaviors to prevent bad actors from trying to evade our detection systems.” Some spyware makers avoided detection by linking the ads to an interstitial website or by using a “robots” file to keep their pages out of Google’s search index, but Google has vowed to crack down on advertiser accounts that use such evasive tactics.
Another incident at Olympus.
Olympus, hit last month by a BlackMatter ransomware attack, disclosed yesterday that it was investigating a possible cybersecurity incident affecting its business in the Americas. The September ransomware attack had affected operations in Europe, the Middle East, and Africa. As yet, few details are available about the incident in the Americas.
Stephan Chenette, Co-Founder and CTO at AttackIQ, advises organizations to look beyond the direct cost of ransom and see the potential for reputational damage that attends such attacks, assuming that this latest incident at Olympus does indeed involve ransomware.
“Even after decades of investment in cybersecurity defenses, adversaries are still managing to slip through the cracks. With ransomware attacks today, it’s no longer an issue of just whether or not to pay the ransom – it is likely that organizations will also suffer reputational damage, legal consequences, and loss of data and business.
“Organizations simply don't exercise their defenses enough. To best defend against ransomware attacks, organizations need to take a proactive approach to protecting their data. This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK framework, to measure an organization's cybersecurity readiness for the attacks that are sure to come. In doing so, companies can build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim.”
Erich Kron, Security Awareness Advocate at KnowBe4, notes the criminal business structure of BlackMatter, the gang responsible for the earlier attack on Olympus and the group that may have carried out the most recent one. BlackMatter follows the now-familiar double-extortion playbook:
"First reports state this attack was carried out by the BlackMatter ransomware gang, a fairly new group that is claiming to combine the best features of several other ransomware strains, including REvil and DarkSide, and that is said to be targeting only large enterprises. They appear to operate as a profit-sharing Ransomware-as-a-Service (RaaS) provider, which utilizes affiliates to carry out the attacks while the main developers maintain the required infrastructure to support the ransomware and work to evolve their product.
"While it has not been reported yet, BlackMatter typically exfiltrates data prior to encryption and uses the threat of releasing the data to improve the chance they will see a payout from the victim.
"Because ransomware is spread most often through phishing emails, organizations should ensure they have a high-quality security awareness program in place that includes a way to report suspected phishing emails to the security team. In addition, Data Loss Prevention (DLP) controls should be in place to stop the exfiltration of data, and good, tested backups are critical for the recovery phase."
Danny Lopez, CEO of Glasswall, thinks this latest incident amounts to another argument for adopting a zero-trust approach to security:
"Reports of cyberattacks hitting technology companies [are] especially troubling, given the importance of the work being done by these types of organisations. While there is still speculation on the exact details of the latest attack, it is still worth underlining the importance of good security practice -- particularly since it’s the second time the organisation has experienced an attack within a span of weeks.
"Organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
"Even if all procedures and policies are well executed, then there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use. It's vital that technology organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having free rein across a network once they are inside.”
Alex Pezold, CEO of TokenEx, suggests lessons on data protection that might be drawn from this incident:
“The incident of the ransomware attack on Olympus illustrates that attempts to breach data stores are happening more frequently than ever. Tokenization remains one of the best ways to protect the personal data an organization collects and processes. By removing this data from the environment and making it inaccessible to cybercriminals, it can minimize the impact of security incidents like what Olympus has experienced—even if internal systems become compromised. For this reason, every organization must have a plan for which data to protect, and also a strategy for how to build resilience into company systems so rebooting can happen swiftly, if needed.”
Neil Jones, Cybersecurity Evangelist at Egnyte, observes that Olympus is by no means a naive, unsophisticated, or otherwise bereft tech company, and that the incidents it's sustained should serve as a cautionary tale for other, arguably less well-protected organizations:
“The second cyberattack on technology giant Olympus in a month's time should be a major wake-up call–no large global corporation should consider itself exempt from ransomware attacks. Senior executives and IT leaders should also be aware that no technological solution is 100% effective, but a large percentage of ransomware attacks can be prevented with diligent preparation.
"Unfortunately, even in technologically sophisticated organizations like Olympus, the methods and tools being employed don't meet the security and control needs to combat today’s threats. Security must be viewed as much more than a checklist. The best solutions fit in a broader sense of governance but still make it easy to share files with anyone, without compromising users' security and control.
"The reality is that all content and communications are vulnerable without proper data governance, and it’s imperative that organizations protect the data itself. This type of security incident occurs regularly, particularly to multinational companies that have a natural target on them because of their size and the mission-critical systems they use to communicate with thousands of global employees on a daily basis. If secure file collaboration tools with suspicious log-in capabilities are implemented correctly, they can render cybercriminal attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and impact business activities, the systems themselves would have been inaccessible to outsiders, and the company's valuable data would have remained protected.”
Ralph Pisani, president of Exabeam, is concerned that the ransomware canary in the tech coal mine seems to have stopped chirping:
"Ransomware remains a security Achilles heel. Understanding ‘normal’ versus ‘abnormal’ behavior sheds light on the presence of ransomware and its precursor problems, yet far too few organizations are able to see the canary in the coal mine.
"However, organizations that work to understand the cycle of compromise, taking the time to understand normal behavior, will uncover the ransomware as abnormal before it strikes. If organizations are serious about ransomware, they must up-level their capability to manage intrusions; a leading method of adoption is user and entity behavior analytics (UEBA) to detect behavioral deviation and spot malicious activity at far earlier stages of an attack.
"Since ransomware is the product of earlier undetected intrusions, the window of opportunity for disruption and removal is small. Commodity security tools require too many static rules, generate far too many false positives, and do more harm than good. Organizations without advanced analytics will struggle getting ahead and are extremely vulnerable to the negative outcomes of ransomware.”