Lawmakers and cybersecurity insiders are reacting to a bombshell report from former Twitter security head Mudge Zatko, alleging reckless security lapses that could be exploited by foreign adversaries.

Twitter's former head of security has blown the whistle on what he characterizes as sprawling cybersecurity weaknesses, including vulnerabilities that could lay the social media platform open to cyberattacks that could have major national-security implications.

That's the allegation from Peiter "Mudge" Zatko, who sent a 200+-page disclosure to Congress detailing issues that he claims could allow foreign manipulation of users, account hacking and espionage, and disinformation campaigns ahead of the 2022 US midterm elections.

The disclosure, obtained exclusively by CNN and The Washington Post, most explosively alleges that the tech giant has one or more employees that are actually plants working for foreign intelligence, and that top execs have actively engaged in a cover-up of Twitter's serious security holes.

Zatko, who has a decades-long history and reputation in the ethical hacking space, laid out an internal scene where mismanagement and a lack of cohesive security oversight allows over-permissioned access to the company's most sensitive information and control platforms, while bots (disinformation-focused and otherwise) run amok and corporate leadership looks the other way. To boot, Zatko said that Twitter CEO Parag Agrawal told him to make his reports on Twitter's security problems rosier than they deserved to be, and that he was directed to omit damning data in order for the company to appear to be making progress on the security and privacy fronts.

When it comes to privacy, Zatko also alleged that Twitter does not steward user information well, often losing track of it or not deleting data when it's required to do so (such as when a user cancels an account).

The allegations certainly fall in the "bombshell" category, but some in the security community are unsurprised by the claims, especially given the infamous compromise of verified accounts in 2020 by an attacker who was able to access Twitter's internal control platforms.

"From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems," says Aaron Turner, chief technology officer of SaaS Protect at Vectra. "If Mudge's disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter's entire platform is at risk of compromise."

For its part, Twitter denies the allegations and claims Zatko should be discredited given that he was fired in January for "poor performance."

"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," a Twitter spokesperson told CNN. "Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Agrawal weighed in on Tuesday, saying in a corporate memo posted on Twitter that the company is reviewing the claims. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context," he wrote.

**Lawmakers, Cybersecurity Community React**

Where the truth lies could come to light sooner rather than later, given that Zatko's report has gotten the attention of lawmakers on both sides of the aisle. Senate Judiciary Chair Sen. Dick Durbin (D-Ill.) said that he will "take further steps as needed to get to the bottom of these alarming allegations. …The claims I've received from a Twitter whistleblower raise serious national security concerns."

Sen. Chuck Grassley (R-Iowa), ranking member of the Judiciary Committee, told CNN that the allegations should raise very loud alarm bells.

"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," he said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”

Casey Ellis, founder and CTO at Bugcrowd, said the scrutiny will hopefully prompt a larger discussion around how much oversight, scrutiny, and regulation that social media platforms should have.

"I can't speak to the specifics of the disclosures themselves, but I’m definitely pleased to see this prompting a discussion around the critical infrastructure characteristics of social media platforms and the implications this has on security and privacy — especially as the US approaches midterms and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms wish to avoid, but it is a conversation we need to have."

Meanwhile, members of the cybersecurity community have rallied around Zatko, pointing to his character and track record for integrity.

"Mudge has a long and rock-solid reputation of putting integrity first. He's also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it's almost certainly worth paying attention to," Ellis tells Dark Reading. "This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around Mudge this morning, others clearly feel the same way. Infosec doesn't suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves."

Turner echoes those sentiments.

"I've known Mudge since his days at Cult of the Dead Cow," says Turner. "When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I've worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the US government approached cybersecurity. He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems."

Twitter did not immediately respond to a request for comment from Dark Reading on the allegations.

Mudge Blows Whistle on Alleged Twitter Security Nightmare

Integrated solution offers enterprises modern regulatory compliance safeguards while simplifying corporate legal protection practices.

**Sunnyvale, Calif., Aug. 23, 2022** — Proofpoint Inc., a leading cybersecurity and compliance company, today announced the launch of its Intelligent Compliance Platform, offering enterprises modern regulatory compliance safeguards while simplifying corporate legal protection practices. The platform leverages Proofpoint's proprietary machine learning engine to provide business leaders with AI-powered collection, classification, detection, prevention, search, eDiscovery, supervision, and next generation predictive analytics while meeting complex compliance and information governance obligations.

Proofpoint's AI and machine learning technology transforms the modern-day compliance world, improving efficacy and efficiency through automation. The platform enables intuitive compliance, insider risk, and data management controls to classify and predict risks across a wide array of digital communications channels, files, email, and endpoint activities. This enables Compliance, IT, Information Management, and Legal teams to gain visibility and access information with superior fidelity and context to growing volumes of enterprise data, while detecting and preventing corporate and regulatory risks in real time.

"We understand today's organizations are overwhelmed with growing volumes of data that are incredibly difficult to manage. For Compliance and Legal staff, that means having to manually search and review petabytes of messages or files from regulatory compliance, supervisory, or investigation review queues," said Kevin Leusing, senior vice president and general manager, Compliance at Proofpoint. "The new Intelligent Compliance Platform vastly improves the detection of non-compliant communications and content while quickly pinpointing supervised insider risks."

The new Intelligent Compliance Platform is powered by several Proofpoint leading solutions:

*   **Proofpoint Capture****:** Modernizes data collection from the most critical and popular communications collaboration platforms.
*   **Proofpoint Patrol****:** Ensures full compliance and reputation protection from employee social media accounts by monitoring, remediating, and reporting on social media policy violations at scale with intelligent classifiers, automated workflows, and intuitive reporting.
*   **Proofpoint Track****:** Provides complete visibility into your capture stream, so you can ensure that collected communications are received by downstream services such as repositories and supervision tools.
*   **Proofpoint Archive****:** Simplifies storage, search, legal discovery, supervisory, and end-user data access through a cloud-first archive that provides a secure and scalable central repository.
*   **Proofpoint Discover****:** Makes e-discovery and case management easy with a built-in, high-performance search, advanced dashboards and visualizations, no-cost export, and legal hold.
*   **Proofpoint Supervision**: Satisfies corporate and regulatory compliance requirements by supervising regulated employees and leveraging hundreds of advanced detection scenarios to detect timely communications risks.
*   **Proofpoint Automate****:** Applies market-leading machine learning to your security and compliance stack to help significantly reduce false positives in your data collection, monitoring, search, discovery, and supervisory activities.

Existing customers can leverage the Proofpoint Intelligent Compliance Platform in two ways. For efficiency, compliance and legal teams can reduce supervised communications content review time by up to 84%. For effectiveness, sentiment analysis of communications data and a variety of machine learning models enable early detection of organizational behavioral misconduct to protect customers from insider risks and regulatory fines.

**Customer benefits include:**

*   **Unified Data Collection and Preservation:** Customers can easily manage content from communication platforms including Microsoft Teams, Zoom, Meta, LinkedIn, Slack, Instagram, and Twitter. API-based content collection is automatically centralized with an extensible platform that consumes all data types, including audio, video, and text. Content tracking provides a full audit trail where data in transport is reconciled and scanned for anomalies from source to destination.
*   **Automated Risk Detection in Real-Time Digital Communication:** Customers can automate detection of communication trends to pinpoint the source of supervised insider risk. Customers can proactively monitor sensitive data and be alerted as compliance violations occur.
*   **Supervisory Flag Deduplication**: Compliance, IT, and Legal teams can significantly reduce the amount of time spent on data review by bypassing pre-flagged content (such as replies and forwards).
*   **AI-Powered Data Discovery with Case Management:** Customers can track communications data history interactively with advanced visualizations, intelligent conversation threading, and review content in native chat view.

For more information about Proofpoint's Intelligent Compliance Platform, please visit:

https://www.proofpoint.com/us/solutions/enable-intelligent-compliance

https://www.proofpoint.com/us/resources/solution-briefs/intelligent-compliance

**About Proofpoint, Inc.**

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyberattacks. Leading organizations of all sizes, including 75% of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

_Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners._

Proofpoint Introduces a Smarter Way to Stay Compliant with New Intelligent Compliance Platform

The global secure coding competition will be held In October, during Cybersecurity Awareness Month.

**SYDNEY, Australia — Aug. 23, 2022 —** Secure Code Warrior, the global, developer-driven security leader, today announced that it will host its second annual Devlympics secure coding competition Oct. 19-20. The competition will give developers around the world the opportunity to test their skills against vulnerabilities in code and put their secure coding skills to work. The winner will be crowned, "The Ultimate Warrior" and receive a cash prize.

Building a strong organizational culture focused on cybersecurity has never been more important in today's society, where vulnerable code in software remains quite pervasive. Secure Code Warrior is leading the way to help cultivate that culture by exciting and upskilling developers through friendly competition. In the last year alone, the company has hosted over 800 tournaments attended by more than 18,000 participants.

"Last year's inaugural Devlympics saw nearly 2,000 developers participate around the globe, and the impressive turnout further demonstrated why the developer community desires more inclusive, friendly forums like ours to engage and compete with one another to sharpen their skills," said Pieter Danhieux, CEO and co-founder, Secure Code Warrior. "We're proud to serve as that go-to tournament destination and look forward to continuing to make this the most sought after, security skills competition for years to come."

Devlympics 2022 builds on the great successes experienced during last year's inaugural event by doubling its duration (24 straight hours) and offering a wider variety of challenges. The competition is free-to-enter, and will feature two interactive arenas and 11 individual tournaments covering 45 languages. Participants will compete in hands-on challenges at varying degrees of difficulty to earn points against the clock as they climb the leaderboard.

The marquee tournament will run on Secure Code Warrior's flagship Learning Platform, allowing organizations and professionals to build their understanding of preventative secure coding techniques through an interactive, competitive tournament. In addition, developers can now access Secure Code Warrior's recently launched Secure Code Coach, the new go-to community microsite to build security skills and awareness. With a range of handy secure coding guidelines, hands-on missions, and videos, Secure Code Coach offers the latest best practices to ensure developers are equipped with all they need to ship secure code at speed.

Visit https://www.securecodewarrior.com/devlympics to learn more about Devlympics 2022.

**About Secure Code Warrior**

Secure Code Warrior builds a culture of security-driven developers by giving them the skills to code securely. Our flagship Learning Platform delivers relevant skills-based pathways, hands-on missions, and contextual tools for developers to rapidly learn, build, and apply their skills to write secure code at speed. Established in 2015, Secure Code Warrior has become a critical component for over 450 enterprises, including leading financial services, retail, and global technology companies across the world. Visit: www.securecodewarrior.com.

Secure Code Warrior Spotlights the Importance of Developer Security Skills with 2nd Annual Devlympics Competition

The scans used by the Python Package Index (PyPI) to find malware fail to catch 41% of bad packages, while creating plentiful false positives.

The scanners tasked with weeding out malicious contributions to packages distributed via the popular open source code repository Python Package Index (PyPI) create a significant number of false alerts, researchers have found. 

According to a Chainguard analysis of PyPI — the main repository for software components used in applications written in Python — the approach catches 59% of malicious packages but also flags a third of popular legitimate Python packages and 15% of a random selection of packages. 

The research aims to create a data set that Python maintainers and the PyPI repository can use to determine the efficacy of their system for scanning projects for malicious changes and supply chain attacks, the Chainguard researchers stated in a Tuesday analysis.

While the existing approach detects the majority of malware, it clearly needs significant improvements to prevent wasting project managers' time with false alarms, says Zack Newman, a senior software engineer at Chainguard, who collaborated on the research.

"These are volunteers with countless other responsibilities, not security researchers who are willing to spend all day trawling through suspicious code," he says. "They care a great deal about the security of PyPI and work very hard to improve the situation, but the return on effort just isn't there at the moment for these scanners."

False positives are the bane of many software analysis tools, and therefore security teams. Even with a system that is 100% accurate at finding malicious packages, if it has a 1% false positive rate, developers and application-security professionals would still have to dig through 200 alerts each week to determine if any of the 20,000 weekly PyPI releases are actually malicious.

"Hundreds of packages triggered alerts," Newman says. "While we did some spot checks, just a quick look isn't enough to tell for sure whether a package is malicious — that's why malware-detection tools are so important. This gave us a lot of empathy for the repository administrators, who would face this volume of alerts tenfold each week."

He adds, "To be useful, a scanner would need to reduce that false positive rate to around 0.01%, even at the expense of missing some malicious packages."

**PyPI's Malware-Scanning Approach**

PyPI aims to foil software supply chain attacks by checking packages and projects in two ways. The PyPI scans the package's _setup.py_ file using signatures to detect known suspicious patterns — expressed by YARA rules, an industry standard for creating malware signatures — that could indicate the inclusion of malicious functionality. (YARA stands for Yet Another Recursive Acronym, more of an inside industry joke than a descriptive name.) In addition, the repository's scanning tools analyze a projects commits and contributors for suspicious changes that could suggest malicious contributions.

The researchers built their data set using 168 known examples of malicious attacks on the PyPI repository. They then created a second data set with the 1,000 most-downloaded packages and the 1,000 most-imported packages, and when they eliminated duplicates, they ended up with 1,430 popular packages. Finally, they also created a data set of a random selection of 1,000 packages, which resulted in 986 random Python packages, since 14 did not have any Python code.

The popular and randomly selected packages were all assumed to be legitimate, the researchers said. In addition, the popular projects likely had better security hygiene and abided by programming best practices.

"While there is a chance that some of these packages are malicious, the chance that more than a handful of these packages is malicious is vanishingly small," they wrote in the analysis provided exclusively to Dark Reading. "Importantly, these packages are more likely to represent a package selected from PyPI at random."

**Open Source Software Repositories Remain a Cybercrime Target**

The research comes as application-security professionals and software developers look for ways to ensure the security of the open source software components that make up 78% of the code in an average program. 

The Open Source Security Foundation (OpenSSF) has launched a number of initiatives to improve the security of the open source software supply chain, including identifying the most critical packages that need more security scrutiny, and support for the adoption of SigStore, a way of cryptographically linking source code to compiled packages.

Attacks on the software supply chain have increased over the past few years. In the past month alone, security firm Kaspersky found malware in the Node Package Manager (npm) repository, while security firms Check Point and Snyk found nearly a score of malicious packages hosted on the PyPI repository service.

And it came to light that a school-aged kid in Italy uploaded multiple malicious Python packages containing ransomware scripts to PyPI, supposedly as an experiment.

It's unlikely that PyPI is alone in having problematic scanning results. Going forward, the Chainguard researchers plan to extend their analysis to evaluate at least four open source software malware analyzers, such as OSSGadget Detect Backdoor, bandit4ma, and OSSF Package Analysis, as well as translating the PyPI Malware Checks rules to SemGrep, a multilanguage open source static code analyzer.

One-Third of Popular PyPI Packages Mistakenly Flagged as Malicious

Company fortifies its ability to help organizations prepare and obtain CMMC certification.

**WASHINGTON, DC – Aug. 23, 2022 –** Coalfire Federal today announced it has been authorized by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (The Cyber AB) as a CMMC Third-Party Assessment Organization (C3PAO). Coalfire was one of the first to be named a C3PAO candidate and is now among the first authorized by The Cyber AB to conduct CMMC assessments. The authorization fortifies the company's comprehensive compliance capabilities that enable clients to prepare for and obtain CMMC certification.

"Foreign adversaries are escalating attacks on Defense Industrial Base (DIB) organizations, compromising sensitive information, and threatening the integrity of weapons systems, platforms, tools, and materiel," said Coalfire Federal President Bill Malone. "CMMC is consistent with our mission and extends our commitment to provide cybersecurity services that enable and protect the mission of the DoD and its supply chain."

The Cybersecurity Maturity Model Certification program was created by the DoD to ensure organizations across the DIB achieve and maintain a minimum threshold level of cybersecurity to protect controlled unclassified information (CUI) and federal contract information (FCI). CMMC requirements will apply to all DIB organizations across the DoD's multitier supply chain that handle, store, or transmit CUI.

As the largest pure-play cybersecurity firm, Coalfire conducts thousands of compliance assessments every year. In addition to its early involvement as a C3PAO and CMMC RPO (Registered Provider Organization), the company is the largest FedRAMP provider, supporting more than 70% of the entire assessment, advisory, and engineering marketplace.

"With CMMC, the Department of Defense is addressing a critical problem by enhancing the cyber posture and resilience of companies across the DIB," said Malone. "Coalfire Federal is proud to have been an early participant and contributor to the formation of the accreditation body and an active participant in industry working groups and educational programs. We remain committed to working with the DoD, The Cyber AB, and the DIB to protect sensitive information and strengthen national defense."

**About Coalfire Federal**

Coalfire Federal has 20 years' experience providing cybersecurity services to a wide range of government and commercial organizations, enabling and protecting their mission-specific cyber objectives. Coalfire Federal is the leading FedRAMP 3PAO and offers a full spectrum of cybersecurity risk management and compliance services.

For more information about Coalfire Federal and CMMC, contact us at \[email protected\] or visit: www.coalfirefederal.com

Coalfire Federal Among First Authorized to Conduct CMMC Assessments

Make security training more engaging to build a strong cybersecurity culture. Here are four steps security and IT leaders can take to avoid the security disconnect.

Human error continues to be the leading cause of a cybersecurity breach. Nearly 60% of organizations experienced data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cybersecurity issue, can leave an organization vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organizations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cybersecurity posture. The report found that a significant number of employees aren't engaged in their organization's cybersecurity efforts and don't understand the role they play. One in three employees say they don't understand the importance of cybersecurity at work. What's more, only 39% say they're very likely to report a cybersecurity incident. Why? A quarter of employees say they don't care enough about cybersecurity to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cybersecurity culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

**Ways to Improve Cybersecurity Culture**

Here are four ways to improve your cybersecurity culture:

*   **Deliver tailored security awareness training programs.** Global spending on security training continues to rise, but the reality is that most employees aren't engaged in this training. Nearly half (48%) of the security leaders surveyed by Tessian say that training is one of the most important influences on a positive cybersecurity posture. Despite that, only 28% of employees say security awareness training is engaging, and only half say that it is helpful. This is a major disconnect.
    
    Security training should be tailored to individual employees based on factors such as department, tenure, and geography. For example, teach remote employees about the specific types of scams that could target them, whereas the finance department should see real-world examples of wire-transfer fraud and related financial swindles. Rather than yearly or quarterly trainings, employees should receive the information they need in the moment to give context around their own cybersecurity behaviors and help them avoid mistakes.
    

*   **Implement a strong but simple incident-reporting process.** A similar disconnect between security teams and employees exists when it comes to the incident-reporting process. Tessian found that 80% of security leaders believe robust feedback loops are in place to report incidents, but nearly half (45%) of employees don't know who to report security incidents to. A well-defined, accessible reporting process can make it easy for employees to flag potential incidents and give security teams greater visibility into the organization's risk.
    
    For example, security teams can institute a single, defined process such as an email address or a phone number that employees can use to flag a suspicious email or potential cybersecurity incident. Often this process can be automated, as opposed to pulling in security team members at all hours and risking burnout. A strong reporting process will be predictable, automated where possible, and easy for employees to access without fearing they will be punished for making a cybersecurity mistake.
    

*   **Drop the fear, uncertainty, and doubt.** Punishing or shaming employees for making mistakes can lead them to disengage or feel apathy toward the cybersecurity culture. Employees won't trust nor want to engage with a security team that relies on fear or negative reinforcement.  
      
    Tessian's report found that half of employees have had a negative experience with a phishing simulation. Recent headlines show the type of backlash that can occur when companies use "gotcha" style phishing techniques designed to trick employees. Techniques like this can create an adversarial relationship between the security team and the rest of the company.
    
    A strong cybersecurity culture instills collaboration and uses positive incentives to engage employees. For example, reward employees who flag a cybersecurity incident, spot a suspicious email, or complete a training. It doesn't have to be a major investment. Peer recognition can go a long way.
    

*   **Align with the HR team.** Lastly, security training and best practices can be woven into the entire employee life cycle to foster and maintain a risk-aware organization. Security teams should partner with HR to play an active role in onboarding, offboarding, and day-to-day processes. For example, give new employees information on incident reporting and real-world examples of the scams that often target new employees.
    
    Similarly, during the offboarding process, employees should be reminded of data security processes, including why they cannot take documents and other information with them to a new job. In a separate Tessian report, 45% of employees admitted they've taken data before leaving or after being dismissed from a job. This isn't always done maliciously — many employees aren't aware of when documents belong to them and when they don't — so it's important to provide guidance.
    

**Importance of Building Strong Cybersecurity Culture**

Employees have become stewards of their organization's most sensitive data, while channels such as email have become the de facto method of communication across hybrid and remote teams. Security teams must safeguard the employees who manage data day-to-day and combat the apathy and disengagement that can lead to a costly breach.

A strong cybersecurity culture can make the difference between employees who put the organization at risk or who are actively part of the solution.

Virtually all IT and security leaders surveyed by Tessian (99%) agreed that a strong security culture is important in maintaining a strong security posture. However, if the right steps aren't taken, employees won't understand the vital role they play in protecting an organization from today's advanced threats.

Apathy Is Your Company's Biggest Cybersecurity Vulnerability — Here's How to Combat It

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

As several countries and US states prepare to enact new data privacy regulations next year, some companies have begun borrowing from an approach familiar to cybersecurity teams: that the best defense is a strong offense. While security red teams made up of friendly hackers who engage in persistent penetration testing are common, some organizations are now applying that same concept to data privacy.

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, is among those that formed a privacy red team. Scott Tenaglia, the engineering manager for Meta's privacy red team, described how and why Meta created it during a session at the Black Hat USA 2022 conference in Las Vegas.

In the session "Better Privacy Through Offense: How to Build a Privacy Red Team," Tenaglia emphasized that his presentation was just about the lessons learned from forming a privacy red team. But Meta, for years under scrutiny about how it handles user data, now emphasizes data protection. Earlier this year the company revamped its privacy policy, which it recently just referred to as a Data Policy.

"As privacy and data protection regulations have improved around the world in recent years, we've explored ideas in people-centered privacy design and have worked to make our data practices more transparent," said Meta's chief privacy officer Michel Protti in a recent blog post.

Companies are beginning to create privacy red teams modeled after security red teams, says Orson Lucas, a principal adviser for KPMG's cybersecurity services.

"We're having some early conversations about that," Lucas tells Dark Reading. "It's starting to come up as a point of conversation as a supplemental service, and it's still fairly early and exploratory, but it's something we very much see as an opportunity."

**How Privacy Red Teams Diverge**

Privacy red teams apply the same mindset as their security counterparts, but instead of trying to breach their own networks, they attempt to steal confidential data. Tenaglia acknowledged some overlap between security and privacy red teams but says there are more differences. For instance, he described the impact of attacking an Internet-connected crock pot.

"The security vulnerability might have been pretty vanilla, but the privacy impact of that vulnerability was super high," Tenaglia said. With a privacy compromise, the attacker can access a victim's location, photos, and other sensitive personal information.

"That's really a privacy impact," he said.

Similarly, the focus of a security red team includes mitigating an attack surface. The security red team engages in reconnaissance by scanning their own firewalls, and if they can't break into the network, that suggests there are no vulnerabilities, Tenaglia noted. If a member of the security red team successfully gets through the firewall, however, that would signal the need to get to the source of the vulnerabilities.

Meanwhile, a privacy red team is more focused on large-scale access to personal user information and data, Tenaglia said. A common way of mitigating that risk is by applying rate limits, allowing access to a specific amount of data during a particular time.

"Anytime you find access to sensitive data or important data, things you didn't think you shouldn't get access to, the first thing you're going to do is see how much more of it you can get. You're going to scale up that access. You're going to scrape," Tenaglia said. "If those rate limits are working well, then you probably aren't able to do much there. Otherwise, you probably need to make some tweaks to the rate limits."

**The Separate Goals of Security and Privacy Adversaries**

Tenaglia also described the differences in motives among security threat actors and privacy adversaries. Security adversaries who issue APTs tend to have infinite timescales and resources and usually target specific companies seeking to steal corporate assets. In contrast, privacy red teams go after users' individual or personal information, he said.

Despite the differences, Tenaglia said he believes in recruiting security professionals to join privacy red teams. For example, someone with in-depth knowledge of Linux or Windows makes a good candidate because of their experience breaking apart the operating system.

"We don't really want your knowledge of Windows and Linux — because of course we're not attacking those things — \[but\] we do want your skill set and your know-how to manipulate those things to apply that skill set to our platforms, Facebook, Instagram, Messenger, etc.," Tenaglia said. "And we can teach and give you the knowledge to make you successful manipulating those things."

He added that a critical requirement for someone on a privacy red team is to have privacy instincts. Aside from the distinct focus of privacy red teams, Tenaglia noted that at Meta, they partner with the legal, risk, and security teams.

Tenaglia said that the Meta privacy red team's version of a penetration test is what they call a product compromise test. Besides finding vulnerabilities that give access to user data, the attackers also look to squeeze data out of APIs, which contain various forms of data or connection to data sources. Another exploration is adversarial emulation operations, where an intruder tries to gain access to user data by creating accounts.

**The Subjectivity Issue With Privacy Findings**

Tenaglia explained that findings of privacy vulnerabilities can be much more subjective than security flaws because three different factors influence the very notion of a finding.

First, where an organization operates in the world brings different laws and regulations into effect that can influence the finding. Second, perception of privacy violation is colored by the statements an organization has issued on how it protects users' data.

And third, "even if the prior two are true — meaning your finding is in line with the company statements and it's not violating the law or regulation — you, as a user of that same platform, may say to yourself, 'For me as a user, I still don't think this means the expectation of privacy,'" Tenaglia said. "And you might want to call that a finding."

In the future, Tenaglia said he is hoping for the privacy red team to move from the subjective to the objective. For that to happen, the team needs to "understand these privacy weaknesses better, and to understand how to do privacy by design," he said. "I think we'll get there."

Meta Takes Offensive Posture With Privacy Red Team

Patients face possible disclosure of protected health information (PHI) to Meta, Facebook's parent company, resulting from an incorrect configuration of an online tracking tool.

WINSTON-SALEM, N.C., Aug. 19, 2022 /PRNewswire/ — Novant Health shared that, in an effort to be as transparent as possible, it is mailing letters to some of its patients following possible disclosure of protected health information (PHI) resulting from an incorrect configuration of a pixel, an online tracking tool.

In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goal of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care. This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook. A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.

Immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta, Novant Health disabled and removed the pixel as a precaution and began an investigation to learn whether, and to what extent, information was transmitted. Based on that investigation, Novant Health determined on June 17, 2022, that it was possible sensitive information or PHI might have been disclosed to Meta, depending upon a user's activity within the Novant Health website and MyChart portal. This information potentially included an impacted patient's: demographic information such as email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes. The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user. The letter sent to each patient will specifically state whether such financial information may have been involved.

Based on its investigation, Novant Health is unaware of any improper use or attempted use of any patient information by Meta or any other third party. According to Facebook's Terms and Conditions, they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager. However, to be safe and transparent, Novant Health is sending letters to all potentially impacted patients, including some who are patients of independent physicians and facilities who use the Novant Health MyChart medical record. Novant Health has also implemented more structure, governance and policies around the use of pixels and is taking actions to ensure this does not happen again.

New Hanover Regional Medical Center patients are not impacted by this incident.

In addition to the resources shared, patients may call Novant Health at 704-561-6950 or visit www.novanthealth.org/pixel. Additionally, patients may also visit https://consumer.ftc.gov/online-security to learn more about best practices to protect their information online.

Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients' medical information private. Novant Health will continue to be as transparent as possible and provide information to patients.

About Novant Health

Novant Health is an integrated network of hospitals, physician clinics and outpatient facilities that delivers a seamless and convenient healthcare experience to communities in North Carolina, South Carolina, and Georgia. The Novant Health network consists of more than 1,800 physicians and over 35,000 team members who provide care at more than 800 locations, including 15 hospitals and hundreds of outpatient facilities and physician clinics. In 2021, Novant Health provided more than $1.1 billion in community benefit, including financial assistance and services.

For more information, please visit our website at NovantHealth.org. You can also follow us on Facebook, Instagram, Twitter and LinkedIn.

Novant Health Notifies Patients of Potential Data Privacy Incident

Google researchers say the nation-state hacking team is now employing a data-theft tool that targets Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.

Iranian advanced persistent threat (APT) group Charming Kitten has a new data-scraping tool in its arsenal that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials, Google researchers have found.

A team from Google Threat Analysis Group (TAG) discovered the tool, dubbed Hyperscrape, last December and has been tracking it since then, it said in a new blog post.

The attacker poses as a legitimate user by either by initiating an authenticated user session that's been hijacked or via stolen credentials, and then runs the scraper to download victims' inboxes, TAG's Ajax Bash said in Google's post.

"It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail" by resulting in an error message, he explained.

If the attacker can't access the account this way, the tool displays a login page for manually entering credentials to proceed, with Hyperscrape waiting until it finds the victim's inbox page, according to Bash.

Hyperscrape appears to have been around since 2020, when its first samples were spotted. Charming Kitten — aka Phosphorus and myriad other names — continues to actively develop the tool. Attacks so far have been limited to less than two dozen accounts located in Iran, the researchers found.

**Modus Operandi**

Once logged in, Hyperscrape changes the account's language settings to English and goes through the contents of the mailbox, individually downloading messages as .eml files and marking them unread, Bash explained.

After downloading messages from the inbox, the tool reverts the language back to its original settings and deletes any security emails from Google. The tool is written in .Net for targeting Windows PCs and is designed to run on the attacker’s machine, he said.

Early versions of Hyperscrape included an option for actors to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.

This feature would spawn a new copy of the tool and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the export. Once received, the browser would navigate to the official Takeout link to request and eventually download the exfiltrated data.

The Takeout feature was never automated in the tool, however, and researchers said they’re not clear on why it was removed.

Google's researchers tested Hyperscrape specifically with a Gmail account, noting that functionality may differ for Yahoo or Microsoft email apps when under attack. Moreover, Hyperscrape won't run unless in a directory with other file dependencies, they explained.

**Furthering Objectives**

Charming Kitten is a prolific APT believed to be backed by government of Iran and known by a number of other names — including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.

The group — which first rose to prominence in 2018 — has been extremely active in the last several years and is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars, and think tanks.

Some of the APT's more high-profile attacks occurred in 2020, when the group targeted the Trump and Biden presidential campaigns as well as attendees of two global geopolitical summits, the Munich Security Conference and the Think 20 (T20) Summit, in separate and various incidents.

While Hyperscrape doesn’t showcase anything groundbreaking as far as novel malware goes, it does show Charming Kitten's commitment to developing custom capabilities dedicated to a particular purpose, according to Bash.

"Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives," he explained.

And while groups like Charming Kitten often have very targeted goals for their cybercriminal activity, Google TAG's disclosure and work with law enforcement against APTs is aimed at raising awareness within both the security community and targeted companies and communities, according to the blog post.

The company encourages high-risk users to enroll in its Advanced Protection Program (APP) and use Google Account Level Enhanced Safe Browsing to ensure a high level of protection against ongoing threats.

Charming Kitten APT Wields New Scraper to Steal Email Inboxes

Security vendor Sucuri says adversaries are injecting malicious JavaScript into numerous WordPress websites that triggers phony bot-related checks.

Threat actors are spoofing Cloudflare DDoS bot-checks in an attempt to drop a remote-access Trojan (RAT) on systems belonging to visitors to some previously compromised WordPress websites.

Researchers from Sucuri recently spotted the new attack vector while investigating a surge in JavaScript injection attacks targeting WordPress sites. They observed the attackers injecting a script into the WordPress websites that triggered a fake prompt claiming to be the website verifying if a site visitor is human or a DDoS bot.

Many Web application firewalls (WAFs) and content distribution network services routinely serve up such alerts as part of their DDoS protection service. Sucuri observed this new JavaScript on WordPress sites triggering a fake Cloudflare DDoS protection pop-up.

Users who clicked on the fake prompt to access the website ended up with a malicious .iso file downloaded onto their systems. They then received a new message asking them to open the file so they can receive a verification code for accessing the website. "Since these types of browser checks are so common on the web many users wouldn't think twice before clicking this prompt to access the website they're trying to visit," Sucuri wrote. "What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of this post."

**Dangerous RAT**

Sucuri identified the remote-access Trojan as NetSupport RAT, a malware tool that ransomware actors have previously used to footprint systems before delivering ransomware on them. The RAT has also been used to drop Racoon Stealer, a well-known information stealer that briefly dropped out of sight earlier this year before surging back on the threat landscape in June. Racoon Stealer surfaced in 2019 and was one of the most prolific information stealers of 2021. Threat actors have distributed it in a variety of ways, including malware-as-a-service models and by planting it on websites selling pirated software. With the fake Cloudflare DDoS protection prompts, threat actors now have a new way of distributing the malware.

"Threat actors, particularly when phishing, will use anything that looks legitimate to fool users," says John Bambenek, principal threat hunter at Netenrich. As people get used to mechanisms like Captcha's for detecting and blocking bots, it makes sense for threat actors to use those same mechanisms to try to fool users, he says. "This not only can be used to get people to install malware, but could be used for 'credential checks' to steal credentials of major cloud services (such as) Google, Microsoft, and Facebook," Bambenek says.

Ultimately, website operators need a way to tell the difference between a real user and a synthetic one, or a bot, he notes. But often the more effective the tools for detecting bots get, the harder they get for users to decode, Bambenek adds.

Charles Conley, senior cyber security researcher at nVisium, says that using content spoofing of the kind that Sucuri observed to deliver a RAT is not especially new. Cybercriminals have routinely spoofed business-related apps and services from companies such as Microsoft, Zoom, and DocuSign to deliver malware and trick users into executing all kinds of unsafe software and actions.

However, with browser-based spoofing attacks, default settings on browsers such as Chrome that hide the full URL or operating systems like Windows that hide file extensions can make it harder for even discerning individuals to tell what they're downloading and where it's from, Conley says.

Source

DARKReading