Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers it that each flaw can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.
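The prioritization Schell and Narang describe can be expressed as a ranking function. The following is an added example, not code from KrebsOnSecurity, Ivanti or Tenable: it scores each advisory by the risk signals named above (Exploited, Publicly Disclosed, Exploitability Index) before its severity rating, and compares that ordering with a severity-only sort. The sample records use the CVE identifiers from the article with the attributes the article states; the severity values marked "assumed" and the `Advisory` structure are constructions for the example, not Microsoft's data format.

```python
from dataclasses import dataclass

# Microsoft Exploitability Index labels, ordered from most to least urgent.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 3,
    "Exploitation More Likely": 2,
    "Exploitation Less Likely": 1,
    "Exploitation Unlikely": 0,
}
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Advisory:
    """One patched flaw with the risk signals a prioritization process should read."""
    cve: str
    component: str
    severity: str           # vendor severity rating
    exploitability: str     # Exploitability Index label
    publicly_disclosed: bool = False
    exploited: bool = False


def priority_score(adv: Advisory) -> int:
    """Risk-first score: exploited > disclosed > exploitability > severity.

    The weights are spaced so that a higher-tier signal always outranks any
    combination of lower-tier ones (an exploited Low beats an unexploited Critical).
    """
    score = 0
    if adv.exploited:
        score += 1000
    if adv.publicly_disclosed:
        score += 100
    score += 10 * EXPLOITABILITY_RANK.get(adv.exploitability, 0)
    score += SEVERITY_RANK.get(adv.severity, 0)
    return score


def prioritize(advisories):
    """Deployment order using all risk signals (stable sort keeps input order on ties)."""
    return sorted(advisories, key=priority_score, reverse=True)


def severity_only(advisories):
    """The ordering a process that stops at vendor severity would produce."""
    return sorted(advisories, key=lambda a: SEVERITY_RANK.get(a.severity, 0), reverse=True)


# Constructed sample built from the flaws named in the article. Severities marked
# "assumed" are not stated in the article and are filled in only for the example.
MAY_2020_SAMPLE = [
    Advisory("CVE-2020-1054", "Win32k", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1143", "Win32k", "Important", "Exploitation More Likely"),
    Advisory("CVE-2020-1135", "Windows Graphics Component", "Important",  # severity assumed
             "Exploitation More Likely"),
    Advisory("CVE-2020-1117", "Microsoft Color Management", "Critical",  # severity assumed
             "Exploitation Less Likely"),
    Advisory("CVE-2020-1126", "Windows Media Foundation", "Critical",  # severity assumed
             "Exploitation Less Likely"),
]

if __name__ == "__main__":
    print("risk-first order:   ", [a.cve for a in prioritize(MAY_2020_SAMPLE)])
    print("severity-only order:", [a.cve for a in severity_only(MAY_2020_SAMPLE)])
```

With the sample above, the severity-only sort puts the two "Exploitation Less Likely" remote code execution flaws first, while the risk-first sort moves the three "Exploitation More Likely" elevation-of-privilege flaws to the top, which is the reordering Schell's advice is meant to produce.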

As it usually does each month on Patch Tuesday, Adobe also has issued updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe’s Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a PC with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft’s Security Update catalog

BleepingComputer on May 2020 Patch Tuesday

Docket, a platform for organizing meeting agendas and notes, wins Zoom’s Marketplace App competition

In an episode of Extra Crunch Live last week, Roelof Botha expressed excitement not only about the shift to teleconference platforms like Zoom, but the apps and bots that may spring up on top of the Zoom ecosystem.

Interestingly, Zoom just announced the results of its Marketplace App competition, with Docket taking first place.

Docket was founded in January of 2019 with a mission to bring common sense to meetings. The company claims that more than 70% of meetings, both in-person and remote, happen without an agenda circulated before the meeting begins.

Docket starts from the premise that every meeting should have a prioritized, circulated agenda and then kicks it up a notch. The platform allows you to build and share that agenda, as well as take notes on meeting minutes and decisions made to share those after the fact. Docket also has a Task Manager feature, so users can share action items after the meeting to the folks that need to get things done.

Of course, Docket archives the notes, to-do lists and agendas from each meeting so you can go back and review the important information you need, as well as evaluate the productivity of individual meetings.

Docket integrates with Evernote, Slack and Zoom (of course). With the Docket Bot for Zoom, much of the platform’s functionality actually lives within Zoom. The agenda and recap notes appear directly in the Zoom chat, and meeting guests can take collaborative notes about the meeting without ever leaving their Zoom chat window.

Docket also retrieves the Zoom transcription and recording and attaches it directly to the respective Docket meeting as an artifact, letting you go back and search for the exact wording around a decision or meeting topic.

According to Crunchbase, Docket has $1.5 million in seed funding from startup studio High Alpha, Simon Equity Partners, Elevate Ventures and Allos Ventures. Emergence Capital, Zoom’s largest investor, invested in High Alpha in 2015.

Zoom’s Marketplace App competition was announced at Zoomtopia in October of 2019. The winner, in this case Docket, was selected by Zoom, as well as a variety of Zoom’s investors, including Emergence, Horizons Ventures, Maven Ventures and Sequoia Capital.

Docket will receive up to $2 million in funding from these venture capital orgs, as well as an advisory session with Zoom’s top product leaders. The prize also includes priority development support from Zoom, a DTEN D7 55” all-in-one interactive whiteboard with a three-year Zoom Rooms license and 10 Zoom Pro licenses for three years.

Finalists from the competition include Ambition, Bloom, Discuss.io, Friday, iScribeHealth, Pledgeling, Session, Social27 and Tiled. All the finalists received a Logitech Pro Personal Video Collaboration Kit via a Logitech sponsorship of the competition.

Editor’s Note: This post has been updated to reflect Docket’s investment from High Alpha, which itself has investment from Emergence Capital.

MemSQL raises $50M in debt facility for its real-time database platform

As a number of startups get back into fundraising in earnest, one that is on a growth tear has closed a substantial debt round to hold on to more equity in the company as it inches to being cash-flow positive. MemSQL — the relational, real-time database used by organisations to query and analyse large pools of fast-moving data across cloud, hybrid and on-premise environments (customers include major banks, telecoms carriers, ridesharing giants and even those building COVID-19 tracing apps) — has secured $50 million in debt, money that CEO Raj Verma says should keep it “well-capitalised for the next several years” and puts it on the road to an IPO or potential private equity exit.

The funding is coming from Hercules Capital, which has some $4.3 billion under management and has an interesting history. On the one hand, it has invested in companies that include Facebook (this was back in 2012, when Facebook was still a startup), but it has also been in the news because its CEO was one of the high fliers accused in the college cheating scandal of 2019.

MemSQL does not disclose its valuation, but Verma confirmed it is now significantly higher than it was at its last equity raise of $30 million in 2018, when it was valued at about $270 million, per data from PitchBook.

Why raise debt rather than equity? The company is already backed by a long list of impressive investors, starting with Y Combinator and including Accel, Data Collective, DST, GV (one of Google-owner Alphabet’s venture capital vehicles), Khosla, IA Ventures, In-Q-Tel (the CIA-linked VC) and many more. Verma said in an interview with TechCrunch that the startup had started to look at this fundraise before the pandemic hit.

It had “multiple options to raise an equity round” from existing and new investors, which quickly produced some eight term sheets. Ultimately, it took the debt route mainly because it didn’t need the capital badly enough to give up equity, and terms “are favourable right now,” making a debt facility the best option. “Our cash burn is in the single digits,” he said, and “we still have independence.”

The company has been on a roll in recent times. It grew 75% last year (note it was 200% in 2018) with cash burn of $8-9 million in that period, and now has annual recurring revenues of $40 million. Customers include three of the world’s biggest banks, which use MemSQL to power all of their algorithmic trading, major telecoms carriers, mapping providers (Verma declined to comment on whether investor Google is a customer), and more. While Verma today declines to talk about specific names, previous named customers have included Uber, Akamai, Pinterest, Dell EMC and Comcast.

And if the current health pandemic has put a lot of pressure on some companies in the tech world, MemSQL is one of the group that’s been seeing a strong upswing in business.

Verma noted that this is down to multiple reasons. First, its customer base has not had a strong crossover with sectors like travel that have been hit hard by the economic slowdown and push to keep people indoors. Second, its platform has actually proven to be useful precisely in the present moment, with companies now being forced to reckon with legacy architecture and move to hybrid or all-cloud environments just to do business. And others like True Digital are specifically building contact-tracing applications on MemSQL to help address the spread of the novel coronavirus.

The company plays in a well-crowded area that includes big players like Oracle and SAP. Verma said that its tech stands apart from these because of its hybrid architecture and because it can provide speed improvements of some 30x with technology that — as we have noted before — allows users to push millions of events per day into the service while its users can query the records in real time. 

It also helps to have competitive pricing. “We are a favourable alternative,” Verma said.

“This structured investment represents a significant commitment from Hercules and provides an example of the breadth of our platform and our ability to finance growth-orientated, institutionally-backed technology companies at various stages. We are impressed with the work that the MemSQL management team has accomplished operationally and excited to begin our partnership with one of the promising companies in the database market,” said Steve Kuo, senior managing director technology group head for Hercules, in a statement.

Amazon releases Kendra to solve enterprise search with AI and machine learning

Enterprise search has always been a tough nut to crack. The Holy Grail has always been to operate like Google, but in-house. You enter a few keywords and you get back that nearly perfect response at the top of the list of the results. The irony of trying to do search locally has been a lack of content.

While Google has the universe of the World Wide Web to work with, enterprises have a much narrower set of responses. It would be easy to think that should make it easier to find the ideal response, but the fact is that it’s the opposite. The more data you have, the more likely you’ll find the correct document.

Amazon is trying to change the enterprise search game by putting it into a more modern machine learning-driven context to use today’s technology to help you find that perfect response just as you typically do on the web.

Today the company announced the general availability of Amazon Kendra, its cloud enterprise search product that the company announced last year at AWS re:Invent. It uses natural language processing to allow the user to simply ask a question, then searches across the repositories connected to the search engine to find a precise answer.

“Amazon Kendra reinvents enterprise search by allowing end-users to search across multiple silos of data using real questions (not just keywords) and leverages machine learning models under the hood to understand the content of documents and the relationships between them to deliver the precise answers they seek (instead of a random list of links),” the company described the new service in a statement.

AWS has tuned the search engine for specific industries including IT, healthcare and insurance. It promises energy, industrial, financial services, legal, media and entertainment, travel and hospitality, human resources, news, telecommunications, mining, food and beverage and automotive will be coming later this year.

This means any company in one of those industries should have a head start when it comes to searching because the system will understand the language specific to those verticals. You can drop your Kendra search box into an application or a website, and it has features like type ahead you would expect in a tool like this.

Enterprise search has been around for a long time, but perhaps by bringing AI and machine learning to bear on it, we can finally solve it once and for all.

Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations. The company says the hackers never touched its ATMs or customer networks, and that the intrusion only affected its corporate network.

Canton, Ohio-based Diebold [NYSE: DBD] is currently the largest ATM provider in the United States, with an estimated 35 percent of the cash machine market worldwide. The 35,000-employee company also produces point-of-sale systems and software used by many retailers.

According to Diebold, on the evening of Saturday, April 25, the company’s security team discovered anomalous behavior on its corporate network. Suspecting a ransomware attack, Diebold said it immediately began disconnecting systems on that network to contain the spread of the malware.

Sources told KrebsOnSecurity that Diebold’s response affected services for over 100 of the company’s customers. Diebold said the company’s response to the attack did disrupt a system that automates field service technician requests, but that the incident did not affect customer networks or the general public.

“Diebold has determined that the spread of the malware has been contained,” Diebold said in a written statement provided to KrebsOnSecurity. “The incident did not affect ATMs, customer networks, or the general public, and its impact was not material to our business. Unfortunately, cybercrime is an ongoing challenge for all companies. Diebold Nixdorf takes the security of our systems and customer service very seriously. Our leadership has connected personally with customers to make them aware of the situation and how we addressed it.”

NOT SO PRO LOCK

An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months.

For example, until recently ProLock was better known as “PwndLocker,” which is the name of the ransomware that infected servers at Lasalle County, Ill. in March. But the miscreants behind PwndLocker rebranded their malware after security experts at Emsisoft released a tool that let PwndLocker victims decrypt their files without paying the ransom.

Diebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the amount requested. But Lawrence Abrams of BleepingComputer said the ransom demanded for ProLock victims typically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim network.

Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.

As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.

“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.

WEEKEND WARRIORS

BleepingComputer’s Abrams said the timing of the attack on Diebold — Saturday evening — is quite common, and that ransomware purveyors tend to wait until the weekends to launch their attacks because that is typically when most organizations have the fewest number of technical staff on hand. Incidentally, weekends also are the time when the vast majority of ATM skimming attacks take place — for the same reason.

“After hours on Friday and Saturday nights are big, because they want to pull the trigger [on the ransomware] when no one is around,” Abrams said.

Many ransomware gangs have taken to stealing sensitive data from victims before launching the ransomware, as a sort of virtual cudgel to use against victims who don’t immediately acquiesce to a ransom demand.

Armed with the victim’s data — or data about the victim company’s partners or customers — the attackers can then threaten to publish or sell the information if victims refuse to pay up. Indeed, some of the larger ransomware groups are doing just that, constantly updating blogs on the Internet and the dark Web that publish the names and data stolen from victims who decline to pay.

So far, the crooks behind ProLock haven’t launched their own blog. But Abrams said the crime group behind it has indicated it is at least heading in that direction, noting that in his communications with the group in the wake of the Lasalle County attack they sent him an image and a list of folders suggesting they’d accessed sensitive data for that victim.

“I’ve been saying this ever since last year when the Maze ransomware group started publishing the names and data from their victims: Every ransomware attack has to be treated as a data breach now,” Abrams said.

Sequoia’s Roelof Botha is more optimistic about startups today than he was a year ago

“I just think change unfairly favors the startup, the nimble small company,” says Roelof Botha.

The Sequoia partner, whose portfolio includes Unity, 23andMe, Instagram, Instacart, Xoom and YouTube, says he’s hopeful about the opportunities this pandemic has created for companies across a variety of sectors, including healthcare, cloud computing, social and others.

We spoke for an hour with Botha about several topics, including how user behavior is rapidly evolving, trends he’s seeing, his outlook on economic recovery, how he’s evaluating new investments and how fundraising itself is changing. Fun fact: Sequoia has made 10 investments over Zoom since the coronavirus pandemic forced us to stay at home.

The full conversation was broadcast on YouTube, and the embed appears below.

Side note: Extra Crunch Live is our new virtual speaker series for Extra Crunch members. Folks can ask their own questions live during the chat, with guests that include Aileen Lee, Kirsten Green, Mark Cuban and many, many more. You can check out the schedule here.

Below, you’ll find a lightly edited transcript of our recent chat with Botha. Enjoy!

The differences in fundraising based on stage

When you’re listening to a seed-stage company, it’s often about the story. The founders paint a vision of the future. That’s part of what I love about my job, by the way. You’re sitting there and you’re trying to imagine what the world is going to look like one day and whether this company is on the right side of history. Or is it implausible that this will happen? It’s so much fun to sit there and think about that. At the seed stage, it’s about the story.

As you get to a Series A or Series B stage, the company will definitely start to have some metrics: usage numbers, early adoption numbers. If it’s an enterprise company, what are people willing to pay for your product? You start to get a sense of the metrics that back up the story. If the metrics don’t support the story, then you start to wonder if that company makes sense. In the long run, you need to have financials that flow from the metrics. But that’s typically at a Series C or later stage. And clearly, by the time a company goes public, you need to have connected story to metrics to financials.

The Good, the Bad and the Ugly in Cybersecurity – Week 19

The Good

Every time cybercrime is disrupted, we applaud, but when an entire fraudulent supply-chain is ruined, we’re even happier. In a recent operation, Polish and Swiss law enforcement authorities, with the help of Europol and Eurojust, took down a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools. The group, known as InfinityBlack, had two revenue streams. The first was malware development and sale, focusing on credential stuffing malware. The second, more lucrative, was the use of these same tools to steal credentials and sell them.

The group specialized in creating ‘combos’ of login credentials, mainly of loyalty programs. These were sold on the group’s portal, and utilized by less-skilled cyber criminals, who accessed client accounts and exchanged these points for high-end electronic devices. Law enforcement agencies conducted a cross-border operation leading to the arrest of five individuals in the canton of Vaud, Switzerland. These were the lower-level operators, capitalizing on the stolen data. Their arrest and the seizure of electronic communication equipment led to the arrest of the InfinityBlack members, who were located in Poland. As positive as this whole operation is, it is also testimony to the creativity and audacity of cybercriminals, who manage to find new ways to abuse the digital economy. The fact that this group was unmasked and arrested does give hope that it will deter others from conducting such activities in the future.

The Bad

Remote collaboration and conferencing tools have been under a highly critical microscope as of late. By now we have all heard of the various pros and cons with regards to Zoom, Skype and others. This week, researchers at Abnormal Security disclosed a potentially dangerous attack against Microsoft Teams. This particular impersonation flaw is centered around the automated email notification functionality within Microsoft Teams.

Attackers can target potential victims via specially-crafted email messages. This is actually a compound attack. One component of the attack relies on very well-crafted and convincing phishing emails, paired with equally convincing poisoned webpages. According to reports, the fake Teams notifications are a ‘notch above’ the standard phish and it appears that the actors behind the attack went to great lengths to make the campaign as convincing as possible. This includes registering new domains for the attack. The second part of the attack is the credential-stealing payload itself. The attackers leverage multi-layered URL redirects, which ultimately lead the victim to a false Office 365 login page (while masking the real hosting URLs as much as possible). Once the victim logs into the cloned site, the attackers have achieved their goal.
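A mail gateway or triage analyst can often see through layered redirects without visiting anything, because redirectors commonly carry the next hop as a query parameter. The following is an added example, not code from the Abnormal Security report or from Microsoft: it unwraps parameter-embedded redirects offline and flags a link whose final destination is not an expected sign-in host. The allowlist, the sample links and the parameter-based redirect form are constructions for the example; the report does not describe the exact redirect mechanism used.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for this example: hosts where a genuine Microsoft 365
# sign-in is expected to land. Adjust to the sign-in hosts your tenant really uses.
EXPECTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "teams.microsoft.com",
}


def embedded_url(url):
    """Return the first absolute URL carried in `url`'s query string, or None.

    Redirectors commonly pass the next hop as a parameter (?url=, ?to=, ?redirect=).
    parse_qs decodes one layer of percent-encoding, so a chain that was encoded
    once per layer unwraps exactly one hop per call.
    """
    query = urlsplit(url).query
    for values in parse_qs(query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_redirects(url, max_hops=10):
    """Follow parameter-embedded redirects offline and return the hop chain."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = embedded_url(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def assess_link(url):
    """Classify a link from a notification email by where its redirect chain ends."""
    chain = unwrap_redirects(url)
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    return {
        "hops": len(chain) - 1,
        "final_host": final_host,
        "suspicious": final_host not in EXPECTED_LOGIN_HOSTS,
    }


# Constructed sample links (not taken from the campaign described in the report).
LEGITIMATE_LINK = "https://teams.microsoft.com/l/meetup-join/19%3Ameeting_example"
PHISH_LINK = (
    "https://redirector.example/go?url="
    "https%3A%2F%2Fnotify.example.net%2Fr%3Fto%3D"
    "https%253A%252F%252Foffice365-login.example.org%252Fsignin"
)

if __name__ == "__main__":
    for link in (LEGITIMATE_LINK, PHISH_LINK):
        print(assess_link(link))
```

This check only sees redirects expressed in the URL itself; a server-side HTTP redirect (a 302 from the first host) is invisible offline, so a gateway that wants the full chain still has to resolve it in an isolated sandbox rather than on the user's machine.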

The Ugly

Nothing is more upsetting than cybercriminals obstructing the valiant efforts of medical crews and researchers trying to treat and find a cure for COVID-19.

This week, a ransomware attack hit Fresenius, Europe’s largest private hospital operator based in Germany. Employing nearly 300,000 people across more than 100 countries, the group provides care and dialysis treatment to patients experiencing kidney failure, which is even more acute nowadays because many COVID-19 ventilated patients develop acute kidney injury and later require dialysis. 

The attack was allegedly Snake ransomware. The full extent and damage are as yet unclear, but it seems it did not affect patient care. Fresenius has notified the appropriate authorities and is working to resolve the incident. 

Ordinary cybercriminals are not the only ones attacking this critical sector. In an alert issued earlier this week, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) noted that APT groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. The targets of these attacks are healthcare organizations, pharmaceutical companies, academia, medical research organizations, and local governments. The goal of these attacks is to collect personal information and intellectual property (some of which may be related to possible COVID-19 cures or vaccines). The attack methods include scanning external websites of targeted companies and looking for vulnerabilities in unpatched software such as Citrix and virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto. Another method used is password spraying to compromise accounts and move laterally across the network to steal additional data and enhance their persistence.
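Password spraying has a recognizable shape in authentication logs: one source tries a small number of passwords against many different accounts, which is the opposite of a brute-force run against a single account. The following is an added example, not code from the CISA/NCSC alert: it reads constructed authentication log lines, looks for a source that fails against at least a threshold of distinct users inside a time window while keeping attempts per user low, and lists any account that then succeeded from that source. The log line format, field names, thresholds and sample addresses are all constructions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example: ISO timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"].lower(),
        "result": m["result"],
    }


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return one alert per source whose failures fit the spray pattern.

    Spray pattern: within `window`, failures against >= min_users distinct accounts
    with no single account tried more than max_per_user times. A single account
    hammered many times is brute force, not spraying, and is left to other rules.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best, start = None, 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "src": src,
                        "window_start": fails[start]["ts"],
                        "window_end": fails[end]["ts"],
                        "distinct_users": len(per_user),
                    }
        if best:
            # Any success from the same source after the spray began is the account
            # an analyst should look at first for lateral movement.
            best["possible_compromise"] = sorted({
                e["user"] for e in evs
                if e["result"] == "SUCCESS" and e["ts"] >= best["window_start"]
            })
            alerts.append(best)
    return alerts


# Constructed sample: one spraying source, one single-account brute force, one normal login.
SAMPLE_LOG = """
2020-05-08T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-05-08T02:00:09Z src=203.0.113.7 user=bob result=FAIL
2020-05-08T02:00:17Z src=203.0.113.7 user=carol result=FAIL
2020-05-08T02:00:26Z src=203.0.113.7 user=dave result=FAIL
2020-05-08T02:00:34Z src=203.0.113.7 user=erin result=FAIL
2020-05-08T02:00:43Z src=203.0.113.7 user=frank result=FAIL
2020-05-08T02:00:50Z src=203.0.113.7 user=frank result=SUCCESS
2020-05-08T02:01:02Z src=198.51.100.23 user=grace result=FAIL
2020-05-08T02:01:05Z src=198.51.100.23 user=grace result=FAIL
2020-05-08T02:01:08Z src=198.51.100.23 user=grace result=FAIL
2020-05-08T02:01:12Z src=198.51.100.23 user=grace result=FAIL
2020-05-08T02:01:15Z src=198.51.100.23 user=grace result=FAIL
2020-05-08T02:01:19Z src=198.51.100.23 user=grace result=FAIL
2020-05-08T02:05:00Z src=192.0.2.44 user=heidi result=SUCCESS
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

Keying the window on the source address is the simplest form; attackers who rotate through many addresses defeat it, so a production rule usually also groups by user-agent or by the set of targeted accounts across all sources in the window.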


Microsoft and AWS exchange poisoned pen blog posts in latest Pentagon JEDI contract spat

Microsoft and Amazon are at it again as the fight for the Defense Department JEDI contract continues. In a recent series of increasingly acerbic pronouncements, the two companies continue their ongoing spat over the $10 billion, decade-long JEDI contract spoils.

As you may recall (or not), last fall in a surprise move, the DoD selected Microsoft as the winning vendor in the JEDI winner-take-all cloud infrastructure sweepstakes. The presumed winner was always AWS, but when the answer finally came down, it was not them.

To make a very long story short, AWS took exception to the decision and went to court to fight it. Later it was granted a stay of JEDI activities between Microsoft and the DoD, which as you can imagine did not please Microsoft. Since then, the two companies have been battling in PR pronouncements and blog posts trying to get the upper hand in the war for public opinion.

That fight took a hard turn this week when the two companies really went at it in dueling blog posts after Amazon filed its latest protest.

First there was Microsoft with PR exec Frank Shaw taking exception to AWS’s machinations, claiming the company just wants a do-over:

This latest filing – filed with the DoD this time – is another example of Amazon trying to bog down JEDI in complaints, litigation and other delays designed to force a do-over to rescue its failed bid.

Amazon’s Drew Herdner countered in a blog post published this morning:

Recently, Microsoft has published multiple self-righteous and pontificating blog posts that amount to nothing more than misleading noise intended to distract those following the protest.

The bottom line is that Microsoft believes it won the contract fair and square with a more competitive bid, while Amazon believes it should have won on technical superiority, and that there was political interference from the president because he doesn’t like Amazon CEO Jeff Bezos, who also owns the Washington Post.

If you’ve been following this story from the beginning (as I have), you know it has taken a series of twists and turns. It’s had lawsuits, complaints, drama and intrigue. The president has inserted himself into it, too. There have been accusations of conflicts of interest. There have been investigations, lawsuits and more investigations.

Government procurement tends to be pretty bland, but from the start when the DoD chose to use the cutesy Star Wars-driven acronym for this project, it has been anything but. Now it’s come down to two of the world’s largest tech companies exchanging angry blog posts. Sooner or later this is going to end right?

Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries

Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.

So far this month, two KrebsOnSecurity readers have forwarded scans of form letters they received via snail mail that mentioned an address change associated with some type of payment card, but which specified neither the entity that issued the card nor any useful information about the card itself.

Searching for snippets of text from the letter online revealed pages of complaints from consumers who appear confused about the source and reason for the letter, with most dismissing it as either a scam or considering it a notice of attempted identity theft. Here’s what the letter looks like:

A scan of the form letter sent by U.S. Bank to countless people enrolling in state unemployment benefits.

My first thought when a reader shared a copy of the letter was that he recently had been the victim of identity theft. It took a fair amount of digging online to discover that the nebulously named “Cardholder Services” address in Florida referenced at the top of the letter is an address exclusively used by U.S. Bank.

That digging indicated U.S. Bank currently manages the disbursement of funds for unemployment programs in at least 17 states, including Arkansas, Colorado, Delaware, Idaho, Louisiana, Maine, Minnesota, Nebraska, North Dakota, Ohio, Oregon, Pennsylvania, South Dakota, Texas, Utah, Wisconsin, and Wyoming. The funds are distributed through a prepaid debit card called ReliaCard.

To make matters more confusing, the flood of new unemployment applications from people out of work thanks to the COVID-19 pandemic reportedly has overwhelmed U.S. Bank’s system, meaning that many people receiving these letters haven’t yet gotten their ReliaCard and thus lack any frame of reference for having applied for a new payment card.

Reached for comment about the unhelpful letters, U.S. Bank said it automatically mails them to current and former ReliaCard customers when changes in its system are triggered by a customer, including small tweaks to an address, such as changing “Street” to “St.”

“This can include letters to people who formerly had a ReliaCard account, but whose accounts are now inactive,” the company said in a statement shared with KrebsOnSecurity. “If someone files for unemployment and had a ReliaCard in years past for another claim, we can work with the state to activate that card so the cardholder can use it again.”

U.S. Bank said the letters are designed to confirm with the cardholder that the address change is valid and to combat identity theft. But clearly, for many recipients they are having the opposite effect.

“We encourage any cardholders who have questions about the letters to call the number listed on the back of their cards (or 855-282-6161),” the company said.

That’s nice to know, because it’s not obvious from reading the letter which card is being referenced. U.S. Bank said it would take my feedback under advisement, but that the letters were intended to be generic in nature to protect cardholder privacy.

“We are always seeking to improve our programs, so thank you for bringing this to our attention,” the company said. “Our teams are looking at ways to provide more specific information in our communications with cardholders.”

6 Lessons To Be Learned From Security Analysts About Zoom Fatigue

Have you been feeling tired and anxious lately? Sitting too long in a chair, glued to a computer screen? Welcome to the stressful world of working from home. Unlike what we may have imagined when tied to the office all day, working from home didn’t turn out to be the utopian pleasure we’d dreamed of. Instead, many of us have found that having to juggle work and family and continue to be productive in a restricted workspace, cut off from our colleagues, is a real challenge. In addition, many have been feeling worn out due to the longer hours and more solitary nature of working from home and communicating with family, friends and peers via remote working software.

This is because the same technology enabling remote work and video-conferencing (Zoom, Teams and the like) is stress-inducing. There’s even a name for this: Zoom fatigue, described as a feeling of exhaustion after a long day of video calls. (By the way, this is not limited to Zoom and applies also to Google Hangouts, Skype, FaceTime, or any other video-calling application or service.)

There are several factors that contribute to this feeling: poor audio quality, the need to maintain eye contact with our counterparts and the ease with which we lose focus during video calls. In addition, we need to ensure our environment is clean, organized and quiet (which is no small feat for people working from small apartments with roommates or young kids).

All these stress-factors combine to drain our mental resources far quicker in video meetings than in real-life meetings.  

There’s More Than Zoom To Drain Your Brain

But the actual strain of working from home isn’t limited to video conferencing. There’s also the constant bombardment of notifications from email, WhatsApp, Slack, Zoom and similar remote working software, alongside “domestic disturbances” (such as kids knocking on the door or yelling in the adjacent room). In short, there’s always noise, and never a dull moment. This erodes our ability to concentrate and respond quickly and accurately. And finally, many people find themselves working longer hours: on average, an additional two hours every day.

No wonder we feel overworked, on constant alert and just waiting for this period to pass.

Our New Normal Is An Analyst’s Regular Day

The state described above is not unlike the day-to-day experience of security analysts. Working tirelessly in a stressful environment, security analysts are overloaded and understaffed. They know all about a similar kind of stress-induced fatigue: alert fatigue. Alert fatigue (a term coined by medical professionals) is now widely associated with passive detection and response security technologies. It causes stress, reduces productivity and, over time, leads to the psychological effects of depression and apathy. Obviously, these can greatly affect an analyst’s ability to function properly and to remain in their position, which is one of the reasons that analysts suffer from significant burnout and churn.


What Can Security Analysts Teach Us About Dealing With Stress?

Analysts are not only required to function in this stressful environment, but their margin of error is far narrower than the average Work From Home employee. If an analyst misses an alert or responds in a sub-optimal manner, an organization could be breached. For most of us, the biggest risk in having an off-moment is likely to be no more serious than forgetting to join a scheduled call or someone seeing us in our pajamas. 

Given the high stakes involved in their work, analysts have come up with ways to deal with the pressure that enable them to cope and continue to operate at an optimum level, day in and day out. Perhaps we can borrow some of these methods and apply them to our WFH routine as well?

1. Divide and Conquer Your Tasks

On average, a modern SOC encounters hundreds of thousands of alerts every day. It is impossible for humans to handle such massive amounts of incoming data, so analysts focus on the most severe alerts and let machines handle the rest. For each case an analyst handles, they may have only a few minutes to deal with it. Focusing on the task at hand and setting aside competing demands on their time is a prerequisite skill.

The lesson to be learned here is that WFH is different from ordinary work. Your environment is likely filled with distractions, disturbances, and competing demands on your time. When we’re in the office, we are typically ‘quarantined’ from our ordinary lives and other demands and worries until lunch time or after office hours. But our new WFH reality mixes and muddies our workspace with our home space, both physically and emotionally. In such a situation, you need to compartmentalize and prioritize just like a SOC analyst. Set aside this time for that, and that time for this, and so on. Within the times allocated, prioritize and focus on the tasks that are most essential.

2. Automate, Automate, Automate!

Whenever possible, alerts in a Security Operations Center are handled by an automated, predefined workflow. Given that the majority of security alerts are of low severity and mixed in with a number of false positives, this enables analysts to focus on the important stuff.  

The lesson to be learned here is, when possible, automate or delegate menial tasks. There are many automation mechanisms available that can eliminate repetitive tasks. If you find yourself repeatedly typing the same response to certain emails, or endlessly copying structured data from one place to another, look into software that can set up scripts and hotkeys to reduce the toil of such tasks. Doing mindless, repetitive things is what computers were built for. Remember: your mental reserves are in short supply in times such as these, and mundane activities can drain them quickly.

3. Workflows – Define and Stick to a Plan

When an incident occurs, an analyst follows a predefined procedure or workflow. SentinelOne’s Vigilance MDR team call this a playbook. Working from a playbook requires defining and categorising problems and then developing a procedure of steps to follow in advance depending on the circumstances. This reduces the need to think of an “attack plan” at the time of encounter, and it avoids endlessly “reinventing the wheel” for problems of a similar nature that you’ve dealt with before.

Try to have templates for everything that you can, from sales emails, to presentation and document templates. This is critical for having productive meetings, too. If the meeting has a well-defined agenda, many of the annoying aspects of video calls (like several people trying to speak at once) could be avoided.

4. Escalation – Pass It On, Move On

Analysts are divided into tiers. A lower-level analyst handles an alert up to a certain stage, and if he can’t resolve it he escalates it quickly to a higher-level analyst or his manager. There’s no shame or embarrassment involved in this; it is the normal protocol.

In a normal office environment, we are all used to holding on to problems and ensuring that we do everything possible to solve them. We all want to deliver and be seen as competent in our roles. But in the office we also have the support of people around us, of a familiar environment and trusted colleagues to bounce ideas off, tap for knowledge at the water cooler or point us to a case file buried in a locker somewhere. This invisible support is missing when we are working from home, and the temptation to hold on to a problem even though we may not have the resources to solve it is a hard habit to kick. 

Employees working from home who are cut off from their peers and managers should communicate often with their colleagues and escalate issues to their superiors when the need arises. It will speed up the group’s work and reduce stress.

5. Avoid the ‘Always On Call’ Mentality

It is essential to balance work and rest. Analysts work in shifts, often to provide “follow the sun” security coverage for their organization across the globe. But nobody can work at peak efficiency without proper rest and recuperation. When you’re against the clock and desperate to solve a problem, things only get worse when you don’t take a break. 

Break your day into sessions and eat proper meals. This helps reduce the stress and increase focus. Work hard, but when your work is done, disconnect.

6. Don’t Be a Slave to the Technology

Analysts have learned to make technology work for them. Gone are the days of ugly looking SIEM consoles where it was impossible to identify the acute alert. Modern management consoles are built to assist the analyst in responding quicker and more accurately. For instance, the SentinelOne console automatically groups hundreds of data points into correlated console alerts, showing unified alerts that provide a complete timeline of the incident. This reduces the amount of manual effort needed to investigate an alert.
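As an added illustration of the analyst practices behind lessons 1, 2, 4 and 6 (working the most severe incident first, letting a predefined workflow close known-benign alerts, escalating between tiers, and correlating many data points into one incident timeline), here is a small alert pipeline in Python. It is example code written for this page, not SentinelOne product code or a Vigilance MDR playbook; the alerts, host names, rule names and the auto-close conditions (treating 10.0.0.5 as an authorized scanner and “backup-agent” as sanctioned software) are constructed assumptions.

```python
"""Toy SOC alert pipeline: auto-close, correlate, prioritize, escalate.
Example code for this page, not a vendor's product. Every alert, host, rule
name and auto-close condition below is a constructed assumption."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: str
    detail: str


@dataclass
class Incident:
    """Many alerts on one host, handled at one analyst tier."""
    host: str
    alerts: list = field(default_factory=list)
    tier: int = 1  # 1 = first-line analyst, 2 = senior analyst or manager

    @property
    def severity(self):
        # An incident inherits the worst severity of any alert inside it.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.get)

    def timeline(self):
        # Lesson 6: one unified, time-ordered view instead of N separate alerts.
        return [f"{a.ts:%H:%M:%S} {a.rule} [{a.severity}] {a.detail}"
                for a in sorted(self.alerts, key=lambda a: a.ts)]


# Lesson 2: a predefined workflow closes known-benign alerts with no analyst.
# Assumptions: 10.0.0.5 is the authorized vulnerability scanner and
# "backup-agent" is the sanctioned software that creates scheduled tasks.
AUTO_CLOSE_RULES = {
    "port_scan": lambda a: a.detail.startswith("src=10.0.0.5 "),
    "scheduled_task_created": lambda a: a.detail.startswith("backup-agent"),
}


def auto_close(alerts):
    """Split alerts into (needs_human, auto_closed)."""
    kept, closed = [], []
    for a in alerts:
        check = AUTO_CLOSE_RULES.get(a.rule)
        (closed if check is not None and check(a) else kept).append(a)
    return kept, closed


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts on the same host that fall within `window` of each other."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        current = None
        for a in host_alerts:
            if current is not None and a.ts - current.alerts[-1].ts <= window:
                current.alerts.append(a)
            else:
                current = Incident(host=host, alerts=[a])
                incidents.append(current)
    return incidents


def prioritize(incidents):
    """Lesson 1: most severe first; ties broken by earliest start."""
    return sorted(incidents,
                  key=lambda i: (-SEVERITY_RANK[i.severity], i.alerts[0].ts))


def escalate(incident):
    """Lesson 4: tier 1 hands anything critical or multi-stage to tier 2."""
    if incident.severity == "critical" or len(incident.alerts) >= 3:
        incident.tier = 2
    return incident.tier


def _t(h, m, s):
    return datetime(2020, 5, 12, h, m, s)


# Constructed sample alerts: a multi-stage intrusion on ws-17 mixed with scanner
# noise, a lone suspicious task on srv-db, and brute-force noise on srv-web.
SAMPLE_ALERTS = [
    Alert(_t(9, 0, 0), "ws-17", "port_scan", "low", "src=10.0.0.5 scanned 22 ports"),
    Alert(_t(9, 1, 0), "srv-db", "scheduled_task_created", "medium", "backup-agent nightly job"),
    Alert(_t(9, 2, 10), "ws-17", "macro_spawned_shell", "high", "winword.exe -> powershell.exe"),
    Alert(_t(9, 3, 40), "ws-17", "suspicious_file_write", "medium", "powershell.exe wrote %TEMP%\\upd.exe"),
    Alert(_t(9, 4, 0), "srv-db", "scheduled_task_created", "medium", "upd.exe registered a task"),
    Alert(_t(9, 5, 5), "ws-17", "credential_dump", "critical", "upd.exe read lsass.exe memory"),
    Alert(_t(9, 30, 0), "srv-web", "failed_logins", "low", "12 failed SSH logins for root"),
]


def run_pipeline(alerts=SAMPLE_ALERTS):
    """Return (prioritized incidents, auto-closed alerts)."""
    kept, closed = auto_close(alerts)
    incidents = prioritize(correlate(kept))
    for inc in incidents:
        escalate(inc)
    return incidents, closed


if __name__ == "__main__":
    incidents, closed = run_pipeline()
    print(f"auto-closed {len(closed)} alert(s) without analyst time")
    for inc in incidents:
        print(f"\n{inc.host}: {inc.severity}, tier {inc.tier}")
        print("\n".join("  " + line for line in inc.timeline()))
```

On the sample data the two scanner and backup alerts never reach a person, the three ws-17 alerts collapse into one critical incident with a single timeline that goes straight to tier 2, and the remaining two single-alert incidents are queued behind it at tier 1. The correlation window and the escalation thresholds are the kind of thing a real playbook tunes per environment.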

Likewise, technology should assist those working from home. If the audio quality of your laptop is poor, buy a decent speaker or headphones. If the image quality is unclear, ensure your room is well lit and even invest in an external camera. And finally, use technology that’s appropriate for the task. You don’t have to use video conferencing for every communication, particularly when a phone call or email will do. For example, if a meeting only involves two or three people and does not include any visuals, why not leave the Zoom and simply make it a phone call? And if that’s not practical, you can always turn off the webcam and go audio only. You are guaranteed a much better, less stressful experience.

Summary

We are all experiencing a stressful period, faced with new challenges that have demanded that we adapt quickly. But since this transition was so rapid, it has resulted in stress and ensuing fatigue for many of us, particularly if we do not possess the right tools and processes to be productive in this environment.

This is a good opportunity to learn from people who operate under similar circumstances every day. It’s also a good opportunity to stop and appreciate the hard work these analysts perform in keeping us and our organizations safe.
