In conjunction with Black Hat 2022, pioneer of digital executive protection also announces new security innovations and SOC 2 Type II certification.

In conjunction with Black Hat 2022, pioneer of digital executive protection also announces new security innovations and SOC 2 Type II certification.

ORLANDO, Fla., Aug. 2, 2022 /PRNewswire-PRWeb/ -- BlackCloak, the leading provider of digital executive protection for corporate executives, board members, and high-access employees and their families, today announced the addition of three new mobile device security features to its award-winning Concierge Cybersecurity & Privacy Platform (TM).

Post-pandemic, the attack surface has greatly expanded; and the personal digital lives of company leaders have become the soft underbelly of enterprise security. Attacking executives as a conduit to breach the company has evolved from an occasional nuisance into a mainstream threat. BlackCloak's SaaS-based Platform helps reduce risk to both individuals and their organization by protecting the digital privacy, personal devices, and home networks of key company personnel.

New digital executive protection features unveiled at Black Hat 2022:

— QR Code Scanner - An additional layer of malware protection on personal devices, BlackCloak's QR Code Scanner will automatically validate the legitimacy of a QR codes' underlying URL, and proactively alert members to navigate away from websites determined to be malicious.  
— Malicious Calendar Detection - Using proprietary anti-malware technology, the BlackCloak mobile app will automatically determine the legitimacy of invitations or newly added calendars, giving members the opportunity to delete potentially malicious events before malicious code can be injected.  
— VPN - To reduce the risk of both network and endpoint-driven threats, BlackCloak's enterprise-grade VPN will provide members with the opportunity to establish a secure internet connection from within the app when and where connectivity is suspect or compromised.

The QR Code Scanner, Malicious Calendar Detection feature, and VPN will be available in Q3 on the BlackCloak Platform. Book a meeting with BlackCloak executives at Innovation City Booth 52. 

"Today's announcement reinforces BlackCloak's core value of innovating with speed, passion, and curiosity," said Chris Pierson, BlackCloak founder and CEO. "We have an extensive pipeline of product updates and continue to solicit our clients for additional innovation ideas as well as research and development for new threats. Cyber and Privacy threats are always-evolving, and we will continue to keep pace to help our members beyond expectations — protecting them and their companies — both now and in the future."

BlackCloak also announced today that it successfully completed its System and Organization Controls (SOC) 2 Type II audit for the second year in a row. This distinction ensures that the organization is in compliance with the leading industry standards for managing enterprise data, reports on security controls across key areas relevant to the safe handling of customer data.

Meet BlackCloak at Black Hat 2022. BlackCloak will be exhibiting at Black Hat's Innovation City Booth 52. Schedule a one-on-one meeting or drop by to:

— Learn about the use cases and benefits for digital executive protection  
— See a demo of the platform in action  
— Flop a winning poker hand in a raffle for cash prizes and swag

Learn more at BlackCloak.io and follow the brand on social media @BlackCloakCyber.

About BlackCloak  
BlackCloak protects corporate executives, high-access employees, and high-net-worth individuals and families from targeted cyberattacks, online fraud, and other risks to them and their companies through their personal digital lives. Used by Fortune 1000s and mid-market organizations across all industries, BlackCloak's SaaS-based digital executive protection solution protects the digital privacy, personal devices, and home networks of people with little time and a lot to lose. Executives and high-profile individuals get peace of mind knowing that their family, wealth, reputation, and finances are secured.

Corporate security teams rest easy knowing that their organization is protected from threats to IP, finances, physical security, data and other digital assets that originate in their executives' personal digital lives.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

*   Understanding Machine Learning, Artificial Intelligence, & Deep Learning, and When to Use Them
*   Malicious Bots: What Enterprises Need to Know

Reports

*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Webinars

*   Understanding Machine Learning, Artificial Intelligence, & Deep Learning, and When to Use Them
*   Malicious Bots: What Enterprises Need to Know
*   How Supply Chain Attacks Work - And What You Can Do to Stop Them
*   Ransomware Resilience and Response: The Next Generation
*   Assessing Cyber Risk

White Papers

*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Five Best Practices for AWS Security Monitoring
*   Gartner, Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?
*   Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal
*   AppSec Considerations For Modern Application Development

Events

*   SecTor - Canada's IT Security Conference Oct 1-6 - Learn More
*   Black Hat USA - August 6-11 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

More Insights

Webinars

*   Understanding Machine Learning, Artificial Intelligence, & Deep Learning, and When to Use Them
*   Malicious Bots: What Enterprises Need to Know

Reports

*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Implementing Zero Trust In Your Enterprise: How to Get Started

BlackCloak Bolsters Malware Protection With QR Code Scanner and Malicious Calendar Detection Features

Series C investment from BuildGroup and Gula Tech Adventures, along with appointment of Kevin Mandia to the board of directors, will propel a new chapter of company growth.

COLLEGE PARK, Md., Aug. 2, 2022 /PRNewswire/ — Cybrary, the leading training platform for cybersecurity professionals, today announced it has secured $25 million in a Series C funding round led by current investors, BuildGroup and Gula Tech Adventures.

This latest investment brings Cybrary's total funding to date to $48 million, following its $15 million Series B round announced in November 2019, and will be used to support additional company growth by bolstering research and development (R&D) across its engineering, product, and marketing teams as well as continuing to grow the new CybraryThreat Intelligence Group (CTIG).

"Our continued investment in Cybrary is a testament to our belief in the important work they're doing to address the current cyber skills gap and how they plan to evolve their training programs in the future," said Jim Curry, Co-Founder and Managing Partner at BuildGroup. "We can't wait to see what this next chapter holds for Cybrary and fully support Kevin and his team every step along the way."

Additionally, Cybrary has officially announced that Kevin Mandia, CEO at Mandiant, has now joined its board of directors following Mandiant's announcement in March that it entered into a definitive agreement to be acquired by Google for $5.4B. He joins current members Jim Curry, Ron Gula, Ryan Kruizenga, as well as Cybrary co-founder Ryan Corey and current CEO Kevin Hanes, on the company board.

"I am excited to be joining Cybrary's board of directors during this exciting chapter of growth and momentum for the company," said Mandia. "Its mission to elevate the workforce and narrow the cybersecurity skills gap is inspirational. I am looking forward to helping Cybrary have an even greater impact to elevate the workforce to better defend the cyber domain."

With more than three million cybersecurity professionals using their training courses and certifications to up-skill themselves within the industry and helping to bridge the persistent cyberskills gap, Cybrary has been on a strong growth trajectory since its inception in 2015. This funding news also comes on the heels of the company's appointment of CEO Kevin Hanes in June 2021, recruitment of four new executive leaders in March 2022, and the recent additions of David Maynor and Chloé Messdaghi as the Head of CTIG and Chief Impact Officer, respectively, in May 2022.

"We can't thank BuildGroup and Gula Tech Adventures enough for their continued belief and contributions towards our mission to provide individuals, cybersecurity teams, and organizations with the knowledge, skills, and resources they need to grow careers and defend against the latest cyber threats," said Hanes. "I'm here because we have a tremendous opportunity to make an impact on a problem that matters to millions of people and these added resources will help us accelerate innovation that is centered around our core mission."

To learn more about the latest investment, as well as the company's plans for the rest of this year and beyond, stop by Cybrary's booth (#1381) at Black Hat in Las Vegas, Nevada, from August 10-11. 2022.

**About Cybrary  
**Cybrary is the industry-leading training platform that provides the right training at the right time to fully equip cybersecurity professionals at every stage in their careers. Cybrary offers threat-informed training and certification preparation to help industry professionals build the skills and knowledge to confidently mitigate the threats their organizations face and bridge the persistent cybersecurity skills gap. Cybrary enables more than 3 million learners, from service providers and government agencies to Fortune 1000 organizations and individuals alike, to be armed and ready to respond in the fight against constantly evolving cybersecurity threats. For more information on Cybrary and our offerings, visit www.cybrary.it.

**About BuildGroup  
**BuildGroup is a company that selectively invests in leadership teams with staying power. We back founders who are ambitious enough to want to make a dent in the universe and humble enough to realize they can't do it alone. By providing permanent capital from aligned investors and avoiding forced exits, BuildGroup frees entrepreneurs to focus on serving customers instead of raising the next round. We believe that great businesses are built, not bought, and that's why our team works side-by-side with founders to create conditions for long-term growth. BuildGroup was founded in Austin, Texas, by a team of proven builders who love nothing more than helping build and grow extraordinary companies.

**About Gula Tech Adventures  
**Gula Tech Adventures, a cybersecurity and technology-focused venture capital firm, was founded by cyber industrialists Ron and Cyndi Gula. Gula Tech Adventures seeks to increase the pervasiveness of cybersecurity in critical infrastructure and industries, improve awareness of cybersecurity risks, and provide opportunities for recruitment and training of the cybersecurity workforce. For more information about Gula Tech Adventures, please visit https://Gula.Tech.

Source: Cybrary

Cybrary Lands $25 Million in New Funding Round

From adopting zero-trust security models to dynamic environments to operating under an "assumed breach" mentality, here are ways IT departments can reduce vulnerabilities as they move deliberately to become more secure.

Over the last few years, the modern office has evolved rapidly, with workforces becoming more mobile and geographically distributed than ever before. Even before COVID-19, modern enterprises were embracing the remote work model, and the average Fortune 500 company had more than 300 global office locations. Over the last few years — to attract and retain top talent who often list hybrid work as a priority — innovative companies have added even more emphasis on flexible workplaces. As we move past the worst of COVID-19, it doesn't seem we'll ever see a return to the pre-pandemic office. In fact, it's been estimated that by 2025, 70% of the workforce will work remotely at least five days a month.

To remain productive while working remotely, employees utilize many different cloud-based apps, such as Microsoft Teams and Monday.com. Though these apps are a boon for employee efficiency, their use has created challenges for IT departments and has opened new security vulnerabilities. To improve understanding of what's happening in their networks, IT professionals often rely on an increasing number of monitoring and management tools. Simultaneously, they must defend against hackers who relentlessly pursue new and dangerous attacks.

Even before the swift global adoption of remote work, enterprises faced rapidly rising cyber threats, including professionalization of hacking groups and increased ransomware and phishing attacks. Today, dispersed workforces have expanded threat surfaces, with highly sophisticated threat actors constantly exploiting challenges posed by remote work for financial gain, such as stealing intellectual property, carrying out supply chain attacks, and more.

**Five Ways to Reduce Vulnerabilities**

At SolarWinds, we've seen firsthand how the threat landscape has evolved. Below are just five steps we've taken as an organization we hope can help other IT departments reduce vulnerabilities and become secure by design:

**1\. Limit Shadow IT**

Having control over and visibility into all parts of a network is critical. It means understanding what employees do and what data and resources they access. Unfortunately, dispersed modern workforces make this a particular challenge due to "shadow IT." Shadow IT essentially entails employees who use technologies or services — such as Dropbox or Google Workspace — the company IT department hasn't approved. Though using productivity apps like these may seem like a harmless practice on the surface, shadow IT inherently prevents teams from having control and visibility into their systems, which can result in loss of data and increased apps and services for attackers to target.

**2\. Adopt Zero Trust**

As businesses embrace long-term hybrid and remote work policies, it's critical to monitor and secure not only a company's workforce but its resources and data. At its core, the zero-trust security model closely guards company resources while operating under the "assumed breach" mentality. This means every request to access company information or services is verified to prevent any unauthorized network access. Through policy management, multifactor authentication, and consistent network monitoring, enterprises can leverage zero-trust principles to prevent or flag unusual or unauthorized access to company resources based on user identity, location, and other key criteria. At a time when more employees are accessing more information in more geographies than ever, zero trust is a powerful tool to help improve visibility, effectively identify threats, and mitigate vulnerabilities.

**3\. Strengthen Software Development Processes**

Though the majority of cyberattacks are aimed at stealing data, money, or intellectual property, software development companies must also defend against another unique threat: supply chain attacks. These attacks occur when hackers access and manipulate code capable of impacting users of the affected software. To help prevent and ensure resilience against attacks, the integrity of the software build process and environment must be of the utmost importance for software development companies.

At SolarWinds, we prioritized upgrading and strengthening our own software build process. One thing we learned and we believe other enterprises should adopt involves developing portions of software in multiple separate environments, each of which requires different security credentials to access. Creating code in these parallel, secure environments makes it more difficult for threat actors to obtain or corrupt a complete product. Companies can further strengthen their software development process by implementing dynamic environments, which are build locations automatically destroyed once their use is complete. These dynamic environments are key, as they eliminate the opportunity for attackers to infiltrate and remain inside a network.

**4\. Leverage Red Teams**

Identifying vulnerabilities and assessing threats doesn't need to be a burdensome practice. One strategy enterprises can adopt to reduce the need for IT departments to identify each and every threat is employing the use of red teams, which hunt for vulnerabilities in a network and simulate attacks in real time. Some of these simulations include phishing campaigns or brute-force attacks. These red teams help keep IT employees' skills sharp, ensuring they're ready to adapt, stay a step ahead of bad actors, and thwart breach attempts. In addition to attempting intrusions, red teams also document each step of their process to break down attack methods and implement prevention techniques.

**5\. Make Your People Part of Your Defense**

There's no doubt the technology and automated processes an enterprise employs are a huge part of remaining secure and preventing hacks and breaches. The many proven solutions security experts have developed to stop hackers are nothing short of extraordinary, but regardless of the technology available, a large amount of risk is still produced by humans and our behavior. To create a truly secure network environment, enterprises must treat every employee as though they're part of the security team. Companies should hold regular training sessions to ensure employees practice good cyber hygiene and keep up to date on the latest hacking methods.

Becoming "secure by design" is now a C-level priority and is no longer only a responsibility of the IT department. With the threat landscape rapidly evolving and the new reality that any business — large or small — can and will face new and sophisticated threats, community vigilance across the entire organization and industry at large is required to defend against these challenges.

5 Steps to Becoming Secure by Design in the Face of Evolving Cyber Threats

CREST provides commercially defensible scoping, delivery, and sign-off
recommendations for penetration tests.

ROSELAND, N.J., Aug. 1, 2022 /PRNewswire/ — CREST, the international not-for-profit, membership body representing the global cyber security industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off. With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry recognized and peer-selected experts to define a minimum set of expectations associated with a penetration test.

The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.

"A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe," explained Rowland Johnson, CREST President. "It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed, and signed off."

Across the globe it is widely acknowledged that the definitions, practices, and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterize a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organizations that are looking to procure penetration testing services and organizations that deliver penetration testing services.

Only when the following three elements are satisfied will the CREST Defensible Penetration Test be commercially defensible:

— The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies  
— The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency  
— The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

More information on the CREST Defensible Penetration Test is available at: Implementation & Procurement Guides — CREST (crest-approved.org)

About CREST

CREST is an international not-for-profit, membership body representing the global cyber security industry. Its goal is to help create a secure digital world for all by quality assuring its members and delivering professional certifications to the cyber security industry.

CREST accredits almost 300 member companies, operating across dozens of countries, and certifies thousands of professionals worldwide. It works with governments, regulators, academe, training partners, professional bodies and other stakeholders around the world.

CREST members undergo a rigorous quality assurance process and employ competent professionals. Organizations buying their cyber security services from CREST members do so with confidence.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CREST Defensible Penetration Test Released

A Justice Department official testifies to a House committee that the cyberattack is a "significant concern."

Testimony provided by a Justice Department official to the US House of Representatives late last week has revealed that law enforcement is investigating a cyberattack on the federal courts' record-management system, reportedly launched by three hostile nation-states.

Head of the DoJ's National Security Division Matt Olsen told the committee that the incident, first discovered in March, is a "significant concern," according to Reuters.

While unable to offer more specific information about the nations behind the cyberattack, Olsen added his division is focused on China, Russia, Iran, and North Korea, Reuters said.

"While I can't speak directly to the nature of the ongoing investigation of the type of threats that you've mentioned regarding the effort to compromise public judicial dockets, this is of course a significant concern for us given the nature of the information that's often held by the courts," Olsen said during his testimony.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ: Foreign Adversaries Breach US Federal Court Records

Customers across several European countries are urged to update credentials in the wake of the attack that affected a gas-pipeline operator and power company.

Following a July 25 announcement that its subsidiaries had been breached in a ransomware attack, Encevo, an energy supplier based in Luxembourg, followed up a few days later with an update that teams were currently investigating the extent of the damage done.   

Now, new reports say the BlackCat ransomware group has posted 150GB of data on its extortion site, purportedly stolen from Encevo, including contracts, passports, bills, and emails — and the group is threatening to release them within hours if the ransom isn't paid. 

BlackCat has emerged as a formidable ransomware actor, formed with members from infamous, and now defunct, groups that include BlackMatter and REvil. 

The attack specifically affected natural gas-pipeline operator Creos and the energy supplier Enovos, Encevo assured users supply would not be disrupted as a result of the attack but recommended that customers update their login details as soon as possible, "insofar the respective sites/portals are accessible," the company said in its statement about the cyberattack.

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us for the moment."  

It added, "Once again we apologize to our customers for inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat

Canary tokens — also known as honey tokens — force attackers to second-guess their potential good fortune when they come across user and application secrets.

With nearly half of all breaches involving external attackers enabled by stolen or fake credentials, security firms are pushing a high-fidelity detection mechanism for such intrusions: canary tokens.

Canary tokens, a subset of honey tokens, are manufactured access credentials, API keys, and software secrets that, when used, trigger an alert that someone is attempting to use the fake secret. Because the credentials are not real, they would never be used by legitimate workers, and so any attempt to access a resource using the canary token is a high-confidence sign of a compromise.

Last week, secrets-management firm GitGuardian released a version of the technology, _ggcanary_, as an open source project on GitHub. The project, tailored to Amazon Web Services (AWS) credentials, is designed to give developers a simple-to-use tool to detect attacks on their software development pipeline, says Henri Hubert, lead developer for GitGuardian's Secrets Team.

"You can put them almost everywhere," he says. "The best place to put them is in the CI/CD pipeline or in your artifacts used in that pipeline, such as Docker images. But you can also put them in your private repositories and your local environment. You can put them almost anywhere that is related to your developers' work."

    

Credentials are a popular target of theft. Source: 2022 Data Breach Investigations Report, Verizon

As the use of cloud services and APIs have taken off, attackers have increasingly targeted such infrastructure with stolen credentials and API tokens. The average company uses more than 15,000 APIs, tripling in the past year, while malicious attacks on those APIs have jumped seven-fold, according to research released in April. In addition, nearly 50% of all breaches not otherwise due to user error or misuse make use of credentials, according to Verizon's "2022 Data Breach Investigations Report" (DBIR). 

**Tripwires Slow Down Attacks**

Unsurprisingly, more companies are using canary tokens to create digital minefields for which attackers need to be wary or otherwise get caught. By seeding file servers, development servers, and personal systems with files that contain credentials or links that can act as tripwires, companies make lateral movement within their systems much more hazardous for attackers, says Haroon Meer, founder and CEO of Thinkst, a cybersecurity consultancy that created its own infrastructure for canary devices and tokens, including servers, sensors, and credentials.

Yet, attackers really have no choice: They cannot ignore potential legitimate credentials during an intrusion, he says.

"If they happen to find AWS credentials or the keys to someone's Kubernetes cluster, attackers have to try it — it's really hard for them to not to use those," Meer says. "And if you get notified the moment that they try it, then you shrink the exposure window so dramatically because you are not finding out months later after they have done everything to you."

Thinkst's Meer likes to point to comments from penetration testers and red teams that highlight the utility of canary tokens. Attackers have to always second guess any cache of credentials, API keys, or software secrets that they find, and that slows them down, tweeted Shubham Shah, a bug hunter, penetration tester, and chief technology officer at attack-surface management startup Assetnote.

"The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal," Shah said. "If the aim is to increase the time taken for attackers, canary tokens work well."

GitGuardian's _ggcanary_ focuses on Amazon Web Services because of the popularity of the platform and of the infrastructure-as-code management platform, Terraform. In its best-practices document, Amazon highlights that control of AWS access keys equals control of all AWS resources.

"Anyone who has your access keys has the same level of access to your AWS resources that you do," Amazon stated in its "Best practices for managing AWS access keys" document. "Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well."

**Everyone Likes Canaries**

Companies such as Thinkst, GitGuardian and Microsoft are aiming to make canary tokens much easier to deploy — often in minutes.

Yet defenders are not the only ones to find uses for canaries. Attackers have also started using canary tokens as a way to detect when defenders analyze their malware.

In a recent report of an attack by the Iran-linked group MuddyWater, Cisco's Talos Intelligence group noted the simple usage of canary tokens. The initial malware — a Visual Basic script — sends two requests for the same canary token to validate a compromise. If only a single request is detected, which would likely happen during sandboxed execution or during analysis, then the malware does not run.

"A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis," stated Cisco's threat intelligence team in an advisory. "Automated sandboxed systems would typically execute the malicious macro generating the token requests."

Credential Canaries Create Minefield for Attackers

"Bruggling" emerges as a novel technique for pilfering data out from a compromised environment — or for sneaking in malicious code and attack tools.

Bookmark synchronization has become a standard feature in modern browsers: It gives Internet users a way to ensure that the changes they make to bookmarks on a single device take effect simultaneously across all their devices. However, it turns out that this same helpful browser functionality also gives cybercriminals a handy attack path.

To wit: Bookmarks can be abused to siphon out reams of stolen data from an enterprise environment, or to sneak in attack tools and malicious payloads, with little risk of being detected.

David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of broader research into how attackers can abuse browser functionality to smuggle data out from a compromised environment and carry out other malicious functionality.

In a recent technical paper, Prefer described the process as "bruggling" — a portmanteau of browser and smuggling. It's a novel data exfiltration vector that he demonstrated with a proof-of-concept (PoC) PowerShell script called "Brugglemark" that he developed for the purpose.

**The Fine Art of Bruggling**

"There's no weakness or vulnerability that is being exploited with the synchronization process," Prefer stresses. "What this paper hones in on is the ability to name bookmarks whatever you want, and then synchronize them to other signed-in devices, and how that very convenient, helpful functionality can be twisted and misused in an unintended way."

An adversary would already need access — either remote or physical — to the environment and would have already infiltrated it and collected the data they want to exfiltrate. They could then either use stolen browser synchronization credentials from a legitimate user in the environment or create their own browser profile, then access those bookmarks on another system where they've been synchronized to access and save the data, Prefer says. An attacker could use the same technique to sneak malicious payloads and attack tools into an environment.

The benefit of the technique is, put simply, stealth.

Johannes Ullrich, dean of research at the SANS Institute, says data exfiltration via bookmark syncing gives attackers a way to bypass most host and network-based detection tools. To most detection tools, the traffic would appear as normal browser synch traffic to Google or any other browser maker. "Unless the tools look at the volume of the traffic, they will not see it," Ullrich says. "All traffic is also encrypted, so it is a bit like DNS over HTTPs or other 'living off the cloud' techniques," he says.

**Bruggling in Practice**

In terms of how an attack might be carried out in the real world, Prefer points to an example where an attacker might have compromised an enterprise environment and accessed sensitive documents. To exfiltrate the data via bookmark synching, the attacker would first need to put the data into a form that can be stored as bookmarks. To do this, the adversary could simply encode the data into base64 format and then split the text into separate chunks and save each of those chunks as individual bookmarks.

Prefer discovered — through trial and error — that modern browsers allow a considerable number of characters to be stored as single bookmarks. The actual number varied with each browser. With the Brave browser, for example, Prefer discovered he could synchronize, very quickly, the entirety of the book _Brave New World_ using just two bookmarks. Doing the same with Chrome required 59 bookmarks. Prefer also discovered during testing that browser profiles could synchronize as many as 200,000 bookmarks at a time.

Once the text has been saved as bookmarks and synchronized, all that the attacker would need to do is sign into the browser from another device to access the content, reassemble it, and decode it from base64 back into the original text.

"As for what kind of data could be exfiltrated via this technique, I think that's up to the creativity of an adversary," Prefer says.

Prefer's research was primarily focused on browser market share leader Google Chrome — and to a lesser extent on other browsers such as Edge, Brave, and Opera, which are all based on the same open source Chromium project that Chrome is built upon. But there's no reason why bruggling won't work with other browsers such as Firefox and Safari, he notes.

**Other Use Cases**

Significantly, bookmark syncing is not the only browser function that can be abused this way, Prefer says. "There are plenty of other browser features that are used in synchronization that could be misused in a similar way, but would require research to investigate," he says. As examples, he points to autofills, extensions, browser history, stored passwords, preferences, and themes, which can all be synchronized. "With a bit of research, it might turn out that they can also be abused," Prefer says.

Ullrich says Prefer's paper was inspired by earlier research that showed how browser extension syncing could be used for data exfiltration and command and control. With that method, however, a victim would have been required to install a malicious browser extension, he says.

**Mitigating the Threat**

Prefer says organizations can mitigate the risk of data exfiltration by disabling bookmark syncing using Group Policy. Another option would be to limit the number of email domains that are allowed to sign in for syncing, so attackers would not be able to use their own account to do it.

"\[Data loss protection\] DLP monitoring that an organization already performs can be applied here as well," he says.

Bookmark syncing would not work very well if the syncing happened at a slower speed, Ullrich says. "But being able to sync 200,000+ bookmarks, and only seeing some speed throttling after 20,000 or 30,000 bookmarks makes this \[very\] valuable," he says.

Thus, browser makers can make things harder for attackers for instance by dynamically throttling bookmark syncing based on factors like the age of an account or logins from a new geographic location. Similarly, bookmarks that contain base64 encoding could be prevented from syncing, as well as bookmarks with excessive names and URLs, Prefer says.

Chromium Browsers Allow Data Exfiltration via Bookmark Syncing

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Something peculiar seems to be happening high up in the treetops. Any ideas what it could be? Send us your caption ideas for the above cartoon, and the winner of The Edge's August contest will receive a $25 Amazon gift card. 

We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, August 24, 2022.

**Last Month's Winner**

And .... he does it again! AgCredit IT director Allen Campbell, who won our May "Flower Power" contest, captured the most votes for his caption for last month's contest, "On Guard." A $25 gift card is on the way for his clever caption, below. Thank you to everyone who participated.

    

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Up a Tree

Tech companies play a vital role in global communication, which has profound effects on how politics, policies, and human rights issues play out.

The idea of mixing work and politics has always been a fraught topic, and understandably so. Most companies have customers — and employees — on both ends of the political spectrum, and remaining neutral is often the only way to make sure all parties feel respected and comfortable. They say never to discuss religion or politics at a dinner party; well, the same rule could be applied to the marketplace or workplace. 

The problem is, "politics" is a word that covers a vast expanse of topics, and at some point everyone — even company leaders — need to draw a line. Neutrality isn't always an option. 

Consider, for example, a hypothetical infrastructure bill making its way through Congress. This is politics we likely wouldn't discuss at work for a number of reasons. It might be a sensitive topic; there will likely be extreme positions on both sides of the aisle about whether the bill should be passed, adjusted, or blocked completely. Is it essential for a business to take a public stance on this? Except for a few niche businesses, probably not. Companies can (and often should) remain neutral. 

But what about when it's an issue of human rights? Of war? Genocide? These topics, on a global stage, are often considered politics, but they likely affect a huge percentage of customers in much more profound ways than other issues we consider politics. The decision of whether to remain neutral, therefore, is much more complicated. Some companies choose to take a political stance; others insist on "staying in their lane" and focusing only on their products or services. 

But there, of course, is the rub: the products and services. What if a company's product or service directly affects, benefits, or connects to the issue at hand? Is a neutral stance really possible at that point? Or does neutral mean complicit? 

Tech companies, in particular, must reckon with this question. We can't pretend the products we create aren't used on a global stage, for all kinds of uses — some positive and some downright nefarious. But if our tools are used by, say, governments to commit war crimes, can we really say we're neutral? 

**How Are Your Tools Being Used?**

We must do more. Some of the behemoths of the tech industry have obscene amounts of power over culture, communications, laws, and policies worldwide. With that kind of power, neutrality is impossible. But what exactly does this mean? It means tech companies need to take more ownership of how their tools are being used. 

That could start with something as simple as withdrawing business. If a company is selling products or services to an entity that is knowingly committing harm — and, worse, using those products or services to do so — that company has chosen a side. They are not neutral. Tech companies need to recognize this and make the hard decisions to pull out of these kinds of business relationships. 

My own company recently did just this. We believe we have a responsibility to stand with the people of Ukraine, against Russia, and we have taken steps accordingly. We no longer do business with companies in support of Russia, and we offer our services for free for those actively supporting, or on the ground in, Ukraine. To do otherwise would be tantamount to supporting the Russian invasion; there simply is no neutral option. 

Why do business leaders seem to think that if profit is involved, morality ceases to exist? That mentality belies the real reasoning behind so-called neutrality: If profit is involved, many leaders simply don't care about anything else. It also reveals a certain short-sightedness because, let's be honest, losing profit in the short term for a reason like this will often actually help your business in the long term. Customers care about these things, and they don't take kindly to businesses supporting egregious acts of violence. 

But the imperative goes further than this. So many tech companies today play a vital role in global communication, which has profound effects on how politics, policies, and real human rights issues play out. And yet these companies — social media companies, content platforms, and the like — all still seem to want to remain as neutral as possible. We can't have it both ways. Neutrality inevitably will favor one side or another. As the writer, Nobel laureate, and Holocaust survivor Elie Wiesel summed up so succinctly: "Neutrality helps the oppressor, never the victim." 

We are living in the age of all things digital, in the transformation of every aspect of global society at the hands of technical innovation. This is powerful — thrilling, even — and can truly make this world a better place. That's why so many of us got into tech in the first place, isn’t it? For that hope. That thrill. But it will matter little, or not at all, if the technological advances we make just add fuel to a fire of hate, authoritarianism, or war. We must take responsibility for the technology we're creating; companies must do more. We must use the incredible tools at our disposal to help the oppressed and give up this fruitless quest to be forever "neutral." Neutrality is cowardice.

Source

DARKReading