A list of topics we covered in the week of April 1 to April 7 of 2024

April 8, 2024 - This week on the Lock and Code podcast, we re-air an episode with guest Alec Muffett about online age verification.

April 7, 2024 - In a recent US Chamber of Commerce poll, small businesses identified cybersecurity as their biggest concern.

April 5, 2024 - Resaerchers found that 90% of websites were in violation of one or more privacy regulations concerning cookie consent.

April 4, 2024 - Jackson County has suffered "significant disruptions within its IT systems," and its offices are closed.

April 3, 2024 - Google has issued patches for 28 security vulnerabilities, including a critical patch for Androids with Qualcomm chips.

 A week in security (April 1 &#8211; April 7) 

Google has filed a lawsuit against two app developers for engaging in an "international online consumer investment fraud scheme" that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns.
The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka

Google Sues App Developers Over Fake Crypto Investment App Scam

Ad trackers are out of control. Use a browser that reins them in.

Google's admission that, yes, it does track you while you're in Chrome's Incognito mode, is just the latest in a long line of unsettling revelations about just how keenly Big Tech keeps an eye on our movements every time we connect to the internet. Billions of data records will now be deleted as part of a settlement to a class action lawsuit brought against Google.

As we've written before, Incognito mode and the equivalent modes offered by other browsers aren't as secure as you might think, particularly if you start signing into accounts like Google or Facebook. Your activities and searches as a logged-in user on large platforms can still be recorded, primarily to create advertising that's more accurately targeted toward your demographic.

Google, for its part, says it’s transparent about what data it’s storing and why—and in recent years it has made it easier for users to see and delete the information held about them. To really lock down your privacy and security, though, it’s best to switch to a browser not made by a company that earns billions of dollars selling ads.

And there are alternatives: Below we recommend several browsers built with user privacy and security as a priority. Even better, in many cases they can import data such as bookmarks and passwords from your current browser—Google Chrome, for example.

**DuckDuckGo (Android, iOS, Windows, macOS)**

The DuckDuckGo browser blocks trackers at their source.

DuckDuckGo via David Nield

You might know DuckDuckGo as the anti-Google search engine, but the parent company has branched out to make its own browsers too. They keep you well protected online and at the same time give you plenty of information about the tracking technologies being proactively blocked.

DuckDuckGo starts by enforcing encrypted HTTPS connections when websites offer them, and gives each page you visit a grade based on how aggressively it's trying to mine your data. It'll even scan and rank site privacy policies for you.

When it comes to browsing data, this can be cleared automatically at the end of each session or after a certain period of time. Pop-ups and ads are snuffed out, and of course the DuckDuckGo search engine is built in, free of the Google trappings.

You also get extras like throwaway email aliases you can use in place of your real email address to protect your privacy, and everything about the browser and its features is simple to use: You don't really need to do anything except install them, so you're getting maximum protection with minimal effort.

**Ghostery (Android, iOS, Windows, macOS)**

Ghostery comes with a range of tools to protect your privacy.

Ghostery via David Nield

Install Ghostery on your mobile device or your computer, and straight away it gets to work blocking adverts and tracking cookies that will attempt to keep tabs on what you're up to on the web. There are no complicated setup screens or configurations to manage.

Like DuckDuckGo, Ghostery tells you exactly which trackers and ads it's blocking and how many monitoring tools each website has installed. If you do come across certain sites that are well behaved, you can mark them as trusted with a tap.

Or, if you find a site that's packed full of tracking systems, you can block every single bit of cookie technology on it (for commenting systems, media players, and so on), even if the site ends up breaking. A simple, private search engine is built in to replace Google too.

Ghostery's tools are a little more in-depth and advanced than the ones offered by DuckDuckGo, so you might consider it if you want to take extra control over which trackers are blocked on which sites—but it's simple enough for anyone to use.

**Tor Browser (Android, Windows, macOS)**

Tor connects you to the Tor network, to keep your online activities more private.

Tor via David Nield

Tor Browser markets itself as a browsing option "without tracking, surveillance, or censorship." It is worth a look if you want the ultimate in anonymized, tracker-free browsing—unless you're on iOS, where it isn't available (Tor recommends the Onion Browser instead).

The browser is part of a bigger project to keep internet browsing anonymous: Use Tor and you use the Tor Project network, a complex, encrypted relay system managed by the Tor community, making it much harder for anyone else to follow your activities online.

As well as this additional layer of anonymity, Tor Browser is super-strict on the background scripts and tracking tech that sites can run. It also blocks fingerprinting, a method where advertisers attempt to recognize the unique characteristics of your device.

At the end of each browsing session, everything gets wiped, including cookies left behind by sites and the browsing history inside the Tor Browser app itself. In other words, private browsing that leaves no trace is the default—and indeed the only option.

**Brave (Android, iOS, Windows, macOS)**

Brave gives you a clean, speedy browsing experience.

Brave via David Nield

Brave comes with all the tracking protection features you would expect: Ads are completely blocked, there are tight restrictions on the data that sites can gather through cookies and tracking scripts, and you're always kept informed about what's happening.

The browser comes with an optional built-in VPN, though it costs extra ($10 a month). You can also, if you want, use Brave to access the Tor network we mentioned with the Tor browser and take advantage of its anonymizing relay service that hides your location and browsing data.

There's no doubt about the effectiveness of Brave's tracker-blocking technologies, and getting around the web in Brave is quick and snappy. It's a comprehensive package and one that strikes a well-judged balance between simplicity and power for the majority of users.

Brave has regularly pioneered features related to innovative web technologies, including cryptocurrencies, NFTs, and (most recently) artificial intelligence; there's actually a new AI assistant built into it. In other words, it's not exclusively focused on security and privacy.

**Firefox (Android, iOS, Windows, macOS)**

Firefox is part of a suite of privacy products from Mozilla.

Firefox via David Nield

Firefox has long been at the forefront of online privacy—blocking tracking cookies across sites by default, for example—and it continues to be one of the best options for making sure you're giving away as little data as possible as you make your way across the web.

Firefox also gives you a ton of information on each website you visit regarding the trackers and cookies that pages have attempted to leave, and which ones Firefox has blocked. Permissions for access to your location and microphone can be easily managed as well.

Aside from looking after the interests of its users, Firefox also scores highly for user customization. You can change the look and behavior of the browser in a variety of ways, and there are useful integrations like the built-in Pocket utility that saves web stories on your device so you can read them later.

Firefox developer Mozilla offers plenty of extras, including a free data-breach monitor that tells you when your usernames and passwords may have been exposed somewhere online, a free email alias system to keep your actual email address protected, and a VPN that costs $10 per month. It all adds up to a comprehensive package for keeping you safe online.

**Safari (iOS, macOS)**

Safari has been blocking tracking cookies for some time.

Safari via David Nield

Apple continues to add privacy tech to Safari with each release on iOS and macOS—like requiring user authentication (such as a Face ID scan) when returning to a browsing session—though it's obviously not a browsing option if you're on Android or Windows.

Safari has long been blocking third-party tracking cookies that try to connect the dots on your web activity across multiple sites. It also blocks device fingerprinting techniques that try to identify your devices, and it reports back on the trackers it has disabled.

The browser can now also warn you when you try to use a password that's too weak on a new website or service, and it will make a suggestion of a stronger password if needed. Recent browser updates added support for logging in with passkeys too.

Safari operates against the backdrop of Apple's commitment to collect as little information about you as possible and to keep most of that information locked away locally on your device rather than on Apple's servers.

_Update: April 6, 2024, 8:30 am: This guide was updated to include new guidance for DuckDuckGo and Ghostery, as well as to bring some descriptions of browser providers' data collection policies up to date._

Best Privacy Browsers (2024): Brave, Safari, Ghostery, Firefox, DuckDuckGo

Plus: Microsoft scolded for a “cascade” of security failures, AI-generated lawyers send fake legal threats, a data broker quietly lobbies against US privacy legislation, and more.

It’s been a week since the world avoided a potentially catastrophic cyberattack. On March 29, Microsoft developer Andres Freund disclosed his discovery of a backdoor in XZ Utils, a compression tool widely used in Linux distributions and thus countless computer systems worldwide. The backdoor was inserted into the open source tool by someone operating under the persona “Jia Tan” after years of patient work building a reputation as a trustworthy volunteer developer. Security experts believe Jia Tan is the work of a nation-state actor, with clues largely pointing to Russia, although definitive attribution for the attack is still outstanding.

In early 2022, a hacker operating under the name “P4x” took down the internet of North Korea, after the country’s hackers had targeted him. This week, WIRED revealed P4x’s true identity as Alejandro Caceres, a 38-year-old Colombian American. Following his successful attack on North Korea, Caceres pitched the US military on a “special forces”-style offensive hacking team that would carry out operations similar to the one that made P4x famous. The Pentagon eventually declined, but Caceres has launched a startup, Hyperion Gray, and plans to further pursue his controversial approach to cyberwarfare.

In mid-February, millions of people lost internet access after three undersea cables in the Arabian Sea were damaged. Some blamed Houthi rebels in Yemen, who had been attacking ships in the region, but the group denied it had sabotaged the cables. But the rebel attacks are still likely to blame—albeit, in a bizarre way. A WIRED analysis of satellite images, maritime data, and more found that the cables were likely damaged by the trailing anchor of a cargo ship that the Houthi rebels had bombed. The ship drifted for two weeks before finally sinking, crossing paths with the cables at the time they were damaged.

The myth that Google Chrome’s Incognito mode provides adequate privacy protections can finally be put to rest. As part of a settlement over Google’s Incognito privacy claims and practices, the company has agreed to delete “billions” of records collected while users browsed in Incognito mode. It will also further clarify how much user data can be collected by Google and third parties while Incognito is enabled, and take further steps to protect user privacy. There are other privacy-focused browsers that can replace Chrome. But if you’re still using it, make sure to update it to patch some serious security flaws.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A 58-year-old hospital systems administrator pleaded guilty this week to US federal charges after he was caught using another man’s name for more than 30 years. Matthew David Keirans allegedly stole the identity of William Woods in 1988, when the two men worked at a hot dog cart in Albuquerque, New Mexico, according to the US Attorney's Office for the Northern District of Iowa. Over the decades, Keirans obtained employment, bank accounts, loans, and insurance, and paid taxes, under the Woods name. Keirans even had a child whose last name is Woods.

The real William Woods, meanwhile, reportedly learned that someone else was using his identity in 2019. At the time, Woods was unhoused and living in Los Angeles. He contacted a bank where “William Woods” had an account, providing his real Social Security card and California ID card to prove his identity. However, he could not answer the security questions to gain access. The bank called Keirans—who was pretending to be Woods—and Keirans convinced the bank employee that the real Woods should not have access to the accounts. The Los Angeles Police Department then arrested the real Woods and charged him with identity theft after Keirans provided officers with false documents and information.

In a nightmarish twist, during judicial proceedings, the real Woods accurately maintained that “William Donald Woods” was his true identity, prompting the court to order him to a mental institution. The real Woods ultimately spent 428 days in jail and 147 days in a mental hospital before his release.

The real Woods then continued to work to regain his true identity, eventually contacting authorities after learning that Keirans worked at a hospital in Iowa City. Investigators later confirmed the real Woods’ identity after obtaining a DNA test. Confronted with the evidence, Keirans confessed to a series of crimes and now faces a maximum sentence of 32 years in prison, a $1.25 million fine, and five years of supervised release.

**US Review Board Slams Microsoft for ‘Cascade of Avoidable Security Failures’**

The White-House mandated Cyber Safety Review Board issued a scathing report against Microsoft this week, accusing the tech giant of failing to stop a “preventable” intrusion by China-backed hackers of hundreds of Microsoft Exchange Online email accounts. To gain access to email accounts belonging to 22 organizations and 500 individuals worldwide, the hackers, known as Storm-0558, stole a Microsoft cryptographic key. The CSRB report chastises the company for failing to detect “the compromise of its cryptographic crown jewels,” inadequate security practices, and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management,” among a “cascade” of other defeats.

The report also found that Microsoft still does not know how Storm-0558 obtained its key, accusing the company of making false statements after it initially claimed that the key was accidentally included in an April 2021 “crash dump.” The company has since updated its explanation of the intrusion to say that it still does not know how the hackers obtained the key. The CSRB issued 25 recommended steps that Microsoft—a major government contractor whose systems protect highly sensitive information—should take to better protect its systems.

**AI-Generated Lawyers Caught Spewing Fake Legal Threats**

The owner of the website Tedium received legal threats from a nonexistent “law firm” charging the publication with a copyright violation. The thing is, the “lawyers” behind the complaint were AI-generated. The “law firm” accused Tedium of using a photograph without the owner’s consent, and a "copyright infringement" notice offered to supposedly settle the matter, if only Tedium would agree to properly credit the photo’s “owner” and link out to their website. This was, of course, a backlink scam designed to boost the SEO ranking of the fake copyright holder’s page. Only this time, the scam was bolstered by a cast of AI-generated characters: a hot-shot team of young, "skilled lawyers" purportedly specializing in creative rights and commercial law.

**Data Behemoth Enlists Lobbyists Against Effort in US to Limit Deals With Spies**

An internal feud is underway in the US Congress over the fate of a beleaguered spy program called Section 702 and the commercial deals that US intelligence agencies have struck in recent years with global data brokers, purchasing information that government agents typically need a warrant to obtain. Consequently, the UK owner of LexisNexis—an “amalgam of publishers and data brokers, stitched together into a single information giant”—has retained the services of a Washington, DC, lobbying firm to engage with federal lawmakers over “potential privacy, data security, breach notification, data broker, and FISA reform legislation.” Politico reports that the company, RELX, previously used the firm, Venable, to combat privacy legislation aimed at restricting the kinds of personal data companies are allowed to sell to law enforcement.

**‘Weapon Scanners’ Eyed by New York’s Surveillant Mayor Boasts Abysmal Track Record**

New York City mayor Eric Adams is hastening his crusade against subway violence with a plan to test weapons scanners that claim to use artificial intelligence to detect whether commuters are carrying blades and firearms. Documents obtained by Hell Gate reveal what Adams failed to disclose at a press conference last week: that data already in the city’s hands show the technology is only rarely useful. After police officers permitted to carry firearms were factored out of one study at a Bronx hospital, the scanners were found to be accurate less than 1 percent of the time. (All told, more than 85 percent of the time, the scanners cast false suspicion on New Yorkers who were found to be unarmed.) The move by Adams follows New York governor Kathy Hochul’s deployment of hundreds of National Guard soldiers in the city’s subway systems. Adams first addressed a spate of homicides and stabbings across the city in March by sending hundreds of police officers underground to search commuters' bags at well over 100 subway stations—a tactic that roused resistance from a few locals this week who smashed ticket machines and disabled security cameras at a midtown station to protest the surveillance surge.

Identity Thief Lived as a Different Man for 33 Years

By Deeba Ahmed
Wiz.io, known for its cloud security expertise, and Hugging Face, a leader in open-source AI tools, are combining their knowledge to develop solutions that address these security concerns. This collaboration signifies a growing focus on securing the foundation of AI advancements.
This is a post from HackRead.com Read the original post: Vulnerabilities Exposed Hugging Face to AI Supply Chain Attacks

Cybersecurity firm Wiz.io found that AI-as-a-service (aka AI Cloud) platforms like Hugging Face are vulnerable to critical risks, which allow threat actors to escalate privileges, gain cross-tenant access, and potentially take over continuous integration and continuous deployment (**CI/CD**) pipelines. 

**Understanding The Problem**

AI models require a strong GPU, often outsourced to AI service providers similar to consuming cloud infrastructure from AWS/GCP/Azure. **Hugging Face**’s service is called Hugging Face Inference API.

Wiz Research could compromise the service running custom models by uploading their malicious model and using container escape techniques, allowing cross-tenant access to other customers’ models stored in Hugging Face.

The platform supports various AI model formats, two prominent ones being **PyTorch** (Pickle) and Safetensors. Python’s Pickle format is known for being unsafe and allowing remote code execution upon deserialization of untrusted data although Hugging Face assesses Pickle files uploaded to their platform, highlighting those they deem dangerous.

However, researchers cloned a legitimate Pickle-based model (**gpt2**), modified it to run a reverse-shell upon loading, and uploaded the hand-crafted model as a private model. They interacted with the model using the Inference API feature, obtaining a reverse shell and discovered that crafting a PyTorch model that executes arbitrary code is straightforward, whereas uploading their model to Hugging Face allowed them to execute code inside the Inference API.

****Potential Risks****

The potential impact is devastating as attackers could access millions of private AI models and apps. Two critical risks include shared inference infrastructure takeover risk, where malicious models run untrusted inference infrastructure, and shared CI/CD takeover risk, where malicious AI applications may attempt to take over the pipeline and execute a supply chain attack after taking over the **CI/CD cluster**.

Furthermore, adversaries can attack AI models, **AI/ML applications**, and inference infrastructures using various methods. They can use inputs that cause false predictions, incorrect predictions, or malicious models. AI models are often treated as black-box and used in applications. However, there are few tools to verify the integrity of a model, so developers must be cautious when downloading them.

“Using an untrusted AI model could introduce integrity and security risks to your application and is equivalent to including untrusted code within your application” Wiz Research’s **report** explained.

****Hugging Face- Wiz Research Join Hands****

Open-source artificial intelligence (AI) hub Hugging Face and Wiz.io have collaborated to address the security risks associated with AI-powered services. The joint effort highlights the importance of proactive measures to ensure the responsible and secure development and deployment of AI technologies.

Commenting on this, **Nick Rago**, VP of Product Strategy at Salt Security added that _“_Securing the critical cloud infrastructure that houses AI models is crucial and the findings by Wiz are significant. It is also imperative that security teams recognize the vehicle in which AI is trained and serviced is an API, and rigorous security must be applied at that level to ensure the security of AI supply chains.”

****A Concerning Scenario****

This discovery comes at a time when concerns are already raised regarding data safety under AI-based tools. The AvePoint survey shows that less than half of organizations are confident they can use AI safely, with 71% concerned about data privacy and security before implementation, and 61% worried about internal data quality.

Despite the widespread use of AI tools like ChatGPT and Google Gemini, fewer than half have an AI Acceptable Use Policy. Additionally, 45% of organizations experienced unintended data exposure during AI implementation.

The widespread adoption of AI across various industries necessitates strong security measures. These vulnerabilities could potentially allow attackers to manipulate AI models, steal sensitive data, or disrupt critical operations.

1.  Airbus EFB App Vulnerability Risking Aircraft Data
2.  Vulnerability Exposed Ibis Budget Guest Room Codes
3.  CISA Urges Patching Microsoft SharePoint Vulnerability

Vulnerabilities Exposed Hugging Face to AI Supply Chain Attacks

The IEEE CSR Workshop on Cyber Forensics and Advanced Threat Investigations in Emerging Technologies organizing committee is inviting you to submit your research papers. The workshop will be held in Hybrid mode. The in-person mode will held at Hilton London Tower Bridge, London from September 2nd through the 4th, 2024.

    Dear Colleagues,IEEE CSR Workshop on Cyber Forensics and Advanced Threat Investigations inEmerging Technologies organizing committee is inviting you to submit yourresearch papers. The workshop will be held in Hybrid mode. The in-personmode will held at Hilton London Tower Bridge, London from 2 to 4 September2024Topics include (but not limited to):-Forensics and threat investigations in P2P, cloud/edge, SDN/NFV, VPN, and social networks-Forensics and threat investigations in IoT, smart tech (car, home, city),e/m-health-Forensics and visualization of big data-Tools and services for cyber forensics and threat investigations-Attack detection, traceback, and attribution in emerging technologies-Malware analysis and attribution-Methods for reconstruction of digital evidence in emerging technologies-Security and privacy in P2P, cloud/edge, SDN/NFV, VPN, and social networks-Security and privacy in IoT, smart tech (car, home, city)-Open source intelligence (OSINT)-Dark Web Investigations-Digital evidence extraction/analysis using  AI/ML and data mining-Data exfiltration from networked devices/services(e.g.cyber-physicalsystems, IoT)-Large-scale investigations and ML for the analysis of intelligence datasets and logsWe also encourage contributions describing innovative work in the realm ofcybersecurity, cyber defense, and digital crimes.Important DatesPaper Submission Deadline: June 3, 2024 AOEAuthors Notifications: July 3, 2024 AOECamera Ready submission: July 14, 2024 AOEEarly registration deadline: July 20, 2024 AOEPublicationThe workshop’s proceedings will be published by IEEE and will be includedin IEEE Xplore.Workshop Awards-Best Open-Source Tool Prize, which will be presented in a paper during ourworkshop. The prize, valued at 300 euros,  is being financed by one of ourcollaborators from the industry.-An additional industry collaborator is sponsoring the prestigious BestPaper award, which includes a one-year free license to utilize renowneddigital forensics software.This Workshop is Technically Supported by-Association of Cyber Forensics and Threat Investigators-Industrial Cybersecurity Center-Institute for Systems and Technologies of Information, Control, andCommunicationTo submit your manuscript, please follow the instructions athttps://www.acfti.org/news-events/ieee-csr-cfati-cfp-2024For more information, please don't hesitate to contact the CFATI GeneralChair Dr. Ahmed Elmesiry (a.elmesiry-at-londonmet.ac.uk)To get more news about our events, please join our low-traffic announcementgroup @ https://groups.google.com/g/acftiWe look forward to your submissions.Regards,Andrew Zayin Ph.D., CISSP, CISM, CRISC, CDPSE, PMPACFTI Secretariat

IEEE CSR Workshop 2024 Call For Papers

By Owais Sultan
If used correctly, social media can not only provide businesses with a fantastic (generally free) chance to market…
This is a post from HackRead.com Read the original post: How your business should deal with negative feedback on social media

If used correctly, social media can not only provide businesses with a fantastic (generally free) chance to market their product or services but also, just as importantly, allow them to engage with customers. However, as anyone with any experience on social media will testify, not all the interactions to be had are positive ones.

In this article, limited company formation specialists 1st Formations (who you will find on all major social media platforms) provide a roadmap for how your business should handle any negative feedback that you receive on social media. Let’s get started.

You can’t deal with negative feedback or comments about your business if you don’t see what’s being said. You need to be diligent in ensuring that you catch everything.

Whilst the platforms’ in-built alerts are relatively reliable, it’s still easy to miss important comments, or simply lose track of what’s being said. To ensure that you see everything, use your social media management system (if you’re not yet using one, you really should be) to track all the words and phrases connected to your brand, even if they’re not officially used by you.

This way, if everything has been set up correctly, you will be notified immediately whenever your name is mentioned. This will allow you to keep on top of any discussions that are happening.

Furthermore, you should also set up Google Alerts to cover the feedback that is being shared away from social media on forums and other web pages.

****Deal with the feedback quickly****

Your time is of course precious, and social media activity won’t always be at the top of your to-do list. However, when negative feedback does come through, whether this is a tweet or a comment on Instagram or YouTube, you must respond as soon as you can (within business hours) to prevent the issue from escalating.

If there is a specific issue, rather than a piece of fleeting feedback that you can address there and then, this does not mean that you need to fix the problem immediately. Request all the information that you need (if it’s an existing customer, we’re talking name, order reference, and contact information), and clearly state that you’re looking into the matter and will get back to them shortly.

Providing an exact timeframe in which you will be back in touch is a good idea, but make sure that the deadline you set yourself is realistic, as the customer chasing you down for an update could cause further damage.

Then, when you do get a chance, work with your team and the individuals involved to reach a satisfactory resolution. Hopefully, this isn’t a drawn-out process, but when it is a complicated matter, make sure you provide the individual with regular updates, being sure to thank them for their understanding.

****Take it offline****

The ideal scenario is to take the issue away from public view as soon as possible. At the same time as requesting the information you need to investigate any issue, explain to the individual that you will be in contact with them through email or if convenient, telephone.

This is a genuinely more efficient approach to resolving any issues, rather than the stagnated back and forth that social media provides, and makes sure that the situation isn’t played out in a public forum where reputational damage can be made.

This will not always be convenient for the person you are engaging with. They will generally understand that you will want to tackle the situation in private. When this occurs, simply explain how corresponding away from the social media platform will help resolve the issue quicker. This won’t always work but you must try.

****Remain professional at all times****

Ryanair is perhaps the well-known purveyor of the snarky social media response to less-than-happy customers. This approach works well for them because they’re a household name and it’s very much ‘on-brand’. However, this stance is probably not appropriate for you and your business.

> you may only look out of one https://t.co/goZsZ9zkqb
> 
> — Ryanair (@Ryanair) April 2, 2024

When less than positive comments are made, you must remain professional. Under no circumstances should you partake in an online argument with anyone – even if what they say is wholly incorrect and paints your operation poorly.

Take on an apologetic tone, even if you are in the right. Thank them for the feedback, ask what a satisfactory resolution for them would be, and then do what you can, within your protocols (don’t deviate from these just because it’s on social media) to fix any issues that have arisen.

State your case, if a problem has occurred because the customer has misunderstood something or has not provided the correct information required for their order to be processed, explain this – but again, in a professional manner.

****Know when enough is enough****

When negative feedback oversteps the mark and turns into harassment, you should take necessary action. Certain behaviours do not become acceptable just because it’s aimed at a business account rather than a personal account.

If you are being targeted, you should publicly state your business’s policies regarding harassment. If the abuse continues, you should ignore the comments (admittedly this is easier said than done) and then consider muting or blocking the account in question.

If it continues, you should report the user to the social platform, and if the abuse is extreme, also to the police.

****Try to stay calm****

Anyone who has managed social media activity for business purposes will confirm just how easy it is to take negative feedback personally. Regardless of who is right and who is wrong, it is an upsetting experience. This feeling is magnified if the business that is being criticised is your own, as it does feel personal.

This is completely understandable. Nonetheless, this should not seep into how you deal with the feedback. If you are emotionally affected by what is being said, take the necessary mindful steps to calm and relax yourself, but do not allow this to cloud how the issue is dealt with.

As we stressed above, you must remain polite and professional. If you feel that you are unable to do this, move away from the situation for some time or see if there is someone else on your team who can work to resolve the problem accordingly.

****Listen to the feedback****

No business is perfect. Rather than baulk at the idea of negative feedback coming your way, always try to see these as an opportunity to fix issues and ultimately improve your business.

Once a specific issue has been resolved, do what you can to make sure that it doesn’t happen again. In customer-facing roles, it can be easy to lose empathy for the customer, and simply assume every problem is because of a misunderstanding or basic error on their part. It’s their problem, not yours. This is a big mistake.

Your business must have a joined-up approach. If you have a large team, when situations do occur, ensure that these are shared with all the appropriate people so that permanent fixes can be reached.

****Remember, it’s a branding exercise****

Every interaction you have online is a chance to demonstrate to customers and potential customers just how great your brand is, and how much you appreciate your customers.

When a piece of customer feedback has led to an update in how your service is delivered, shout about this. Publicly thank the customer in question, send them a gift, and ask other customers for their feedback and improvement suggestions.

One of the major benefits of using social media for business is that it allows you to project your brand’s personality. This is done through the tone of voice that you use, the content you share, and more so than anything – the interactions that you have with people.

Whilst negative feedback might not be at the top of your list when it comes to the type of engagement you have, it does provide you with the perfect opportunity to change someone’s impression of you. When handled correctly, even the most scathing reviews can be used to your business’s advantage.

****So, there you have it** **

That’s how your business should deal with negative feedback on social media.

Whilst you’ll never be able to stop these comments coming in (without ceasing all social media activity, which is not advisable for a small business), follow the advice covered in this article to ensure feedback is dealt with in a way that protects your business’s reputation and even enhances it. Thanks for reading.

How your business should deal with negative feedback on social media

Improving security in the applications that drive the digital economy is a necessary undertaking, requiring ongoing collaboration between the public and private sectors.

Neatsun Ziv, CEO & Co-Founder, Ox Security

April 5, 2024

4 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

The recent publication "Back to the Building Blocks: A Path Toward Secure and Measurable Software" by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the National Cybersecurity Strategy released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to memory-safe programming languages with software development practices.

**The Memory Safety Imperative**

Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency's (CISA) road map, is a critical step toward developing software that is secure by design.

**Navigating Legacy System Complexities**

One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.

Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.

**Economic and Technical Considerations**

Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.

Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.

**A Collaborative Effort Toward a Secure Future**

Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity. 

Several industry leaders have already made significant investments in memory-safe languages. Examples include: 

*   Mozilla's Rust programming language: With its emphasis on memory safety, Rust offers a solid alternative to traditional programming languages that marries security and performance.
    
*   Microsoft's investment in Rust: Recognizing that older languages have limitations, Microsoft has embraced Rust and used it in several new projects where memory safety was a concern.
    
*   Google's memory safety efforts: Google has invested considerable resources into finding and mitigating memory safety vulnerabilities and has called for using memory-safe languages in new developments. Last week, Google released a new research report, "Secure by Design: Google's Perspective on Memory Safety," advocating for a secure-by-design strategy. The report focuses on adopting languages with robust memory safety features and acknowledges the limitations of evolving C++ to meet these standards.
    

**Moving Forward: Practical Steps to Meet the ONCD Recommendations**

The path in the latest ONCD report is challenging, but rich with opportunity. It demands practical steps from all actors within the software development and cybersecurity ecosystems, including:

*   Education and training: Organizations must commit to teaching their teams about memory-safe languages and secure development practices, ensuring that developers can make the necessary changes.
    
*   Gradual transition plans: Organizations should create plans for transitioning legacy systems to memory-safe and manageable languages. They should address the most critical areas first and phase the project slowly to minimize operational disruption.
    
*   Leveraging automation tools: Organizations should use modern code analysis tools and compilers that automatically find and remediate unsafe code practices while reducing the burden of manual processes.
    
*   Policy and governance: Organizations must develop explicit governance constructs that bake in memory safety and secure development practices throughout the software development lifecycle.
    
*   Community and collaboration: Importantly, organizations should reach outside their walls and the broader tech community in forums, partnerships, and open source projects to share the knowledge, challenges, and solutions around memory safety that come with this journey.
    

Improving security in the applications that drive the digital economy is a lofty and complex but necessary undertaking requiring ongoing collaboration between the public and private sectors. The ONCD's latest report is a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code are enormous challenges. However, progress is being made with recent advancements in software analysis and compiler technologies and commitments demonstrated by many global technology leaders.

**About the Author(s)**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

White House's Call for Memory Safety Brings Challenges, Changes &amp; Costs

Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.
The Google Cloud

Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws

Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.

Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.

In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.

The threat actors went ever further by trying to digitally sign a malicious installer and hosting it on Dropbox. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.

We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.

**Fraudulent Bing ad**

When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name _nordivpn\[.\]xyz_ was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.

As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to _besthord-vpn\[.\]com_ (note again the spelling chosen with the ‘_h_‘ looking like an ‘_n_‘) which was created today, only a few hours ago.

The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.

Here’s a summary of the traffic flow from the malicious ad to the download link:

**Malware payload**

The downloaded file is called _NordVPNSetup.exe_ and is digitally signed, as if it was from its official vendor; however, the signature is not valid.

The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.

The payload is injected into _MSBuild.exe_ and will connect to the malware author’s command and control server at 45.141.87\[.\]216 on port 15647.

That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.

**Conclusion**

Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.

ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign.

**Indicators of Compromise**

Malicious domains

nordivpn\[.\]xyz  
besthord-vpn\[.\]com

Fake NordVPN installer

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

SecTopRAT C2

45.141.87\[.\]216

Tag

#google