A man sitting in his living room looking at his smartphone with concern. Image: Getty/damircudic Over two million Android users have downloaded a series of malicious apps that bypassed security protections to get into the Google Play app store, researchers have warned. After installation, the apps use sneaky techniques to hide themselves from the user […] More

Image: Getty Images/iStockphoto
The New South Wales Police task force for investigating the recent anti-lockdown protests in Sydney, Strike Force Seasoned, have arrested an internet commenter. Police said they have pressed four charges of using a carriage service to menace, harass, offend after arresting a 65-year-old Paddington man on Wednesday who allegedly threatened to harm police horses. “Investigators were alerted to comments posted on the website of a media outlet, which referenced the protest and outlined threats to harm police horses,” Police said. “A short time later, a search warrant was executed at a nearby home, where police seized electronic devices, a computer and mobile phones, which will undergo forensic examination.” The man was refused bail to appear in court on Thursday. Police said they have conducted extensive inquiries into the matter. At the recent protests, a man was arrested after allegedly punching a police horse, and after three weeks in custody, he was granted bail yesterday, ABC reported. Related Coverage More

Google has created a new “Open Source Maintenance Crew” who will help upstream maintainers of critical open-source projects to handle bugs and patching processes. The new team is part of Google’s contribution to the White House’s push to improve cybersecurity in open source and protect software supply chains following the White House’s January summit with major tech vendors, including Microsoft, Google, IBM and Amazon Web Services. 

Google I/O 2022

Back then, President Joe Biden signed an executive order that requires the government to provide a Software Bill of Materials (SBOM) that details supply chain relationships of components used in building software. SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breachesGoogle says the new maintenance crew consists of a dedicated team of Google engineers who will work with upstream maintainers of critical open-source projects.”One issue frequently cited by open source maintainers is limited time. Since under-maintained, critical open source components are a security risk, Google is starting a new Open Source Maintenance Crew, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects,” said Google’s Eric Brewer and Abhishek Arya in a blogpost.Google announced the open-source security team at last week’s “Open Source Software Security Summit II”, hosted at the White House and organized by The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) to mark one year since the cybersecurity executive order, which demanded higher security standards based on the NIST’s Secure Software Development Framework (SSDF). The organizations outlined $150 million in funding required from the private sector and a 10-point plan to improve open source by tackling risk assessments, digital signatures, shifting coding from C and C++ to to memory-safe languages like Rust, Go and Java, incident response, code scanning, and code audits. Google’s work to improve open-source security and reduce supply chain risks has previously included $100 million to support groups like OpenSSF to fix security bugs in open source.     Google last year also published the “Know, Prevent, Fix” framework and is working to improve the accessibility of security tools through initiatives like Open Source Vulnerabilities (OSV) database and data format. The format has been adopted by Python, Rust, and Go ecosystems. The Python Software Foundation, for example, created the Python Packaging Advisory Database to centralize advisories for Python packages published on Pypi repository. The Rust Foundation has a similar database for advisories concerning Rust Crates packages. Other databases relying on OSV include vulnerability databases, such as GitHub’s Security Advisories (GHSA) and the Cloud Security Alliance’s Global Security Database.   “The OSV project showed that connecting a CVE to the vulnerability patch development workflow can be difficult without precise vulnerability metadata,” said Google’s Brewer and Arya. They want to see OSV findings distributed to developers through code editors and at the point where developers might deploy vulnerable workloads.   On the ‘Know’ side, Google highlights the Security Scorecards project that gives developers insights about dependencies they might use on a project. Now, there are scorecard scans of one million projects. The Kubernetes project has also started using Sigstore to sign and verify its releases, and makes this part of its Supply Chain Levels for Software Artifacts, or SLSA, compliance. The OpenSFF’s SLSA framework is based on Google’s internal tools to check code integrity.        “An SBOM created using SLSA provenance and metadata is more complete and addresses both source code and build threat vectors,” says Google. SEE: Rocky Linux developer lands $26m funding for enterprise open-source pushOther key projects include Google’s OSS-Fuzz for fuzzing for open-source software, which has helped developers fix 2,300 flaws across over 500 projects during the past year, The ‘Fix’ component was aimed at removing vulnerabilities and improving notifications to help remediate flaws in the most widely used versions of an affected project rather than just the most recent versions. Part of this is the OpenSSF’s Alpha Omega project, which Google and Microsoft gave an initial $5 million to improve supply chain security. The project awarded the widely used Node.js server-side JavaScript runtime project $300,000 to focus on fixing vulnerabilities in 2022.   Another is the Linux Foundation’s Secure Open Source (SOS) project, which Google backed with $1 million in funding. SOS offers up to $10,000 in rewards to developers for hardening software, for example. Google also gave $300,000 to the Internet Security Research Group to improve memory safety by bringing Rust into the Linux kernel. Linux kernel developers have worked on making Rust the second language to C in the kernel for the past two years.   More

A spam campaign which targeted over 100,000 users a day over Christmas and New Year has seen Emotet secure its spot as the most prolific malware threat.
Analysis by cybersecurity company Check Point suggests that Emotet was used to target seven percent of organisations around the world during December.
Emotet has been active since 2014 and is regularly updated by its authors in order to maintain its effectiveness. The malware started life as a banking trojan but has evolved to become much more than that, providing a complete backdoor onto compromised machines which can then be sold on to other cyber criminals to infect victims with additional malware – including ransomware.
While Emotet has worm-like capabilities which allows it to move onto other machines on the same network as the initial victim, it also spreads via the use of phishing emails. But no matter how it arrives, Emotet is excellent at maintaining persistence while also avoiding detection, meaning victims will often have no idea they’ve been compromised until it’s far too late.
“Emotet was originally developed as banking malware which sneaked on to users’ computers to steal private and sensitive information. However, it has evolved over time and is now seen as one of the most costly and destructive malware variants,” said Maya Horowitz, director of threat intelligence and research at Check Point.
“It’s imperative that organizations are aware of the threat Emotet poses and that they have robust security systems in place to prevent a significant breach of their data. They should also provide comprehensive training for employees, so they are able to identify the types of malicious emails which spread Emotet,” she added.
Banking trojan Trickbot is the second most dominant form of malware as we enter 2021. Like Emotet, it’s constantly updated with new capabilities and features, including the ability to customise the malware which allows it to be used in all manner of cyber intrusion campaigns. Like Emotet, Trickbot has become more than a banking trojan and is often installed on systems as a means of providing a gateway to install ransomware.

Credential harvesting malware Formbook was the third most detected malware threat over the reporting period. Formbook is sold on dark web forums at relatively low cost but provides cyber criminal users with everything they need for a powerful information stealing campaign; it harvests usernames and passwords from browsers, collects screenshots, monitors and logs keystrokes and more.
According to Check Point, Trickbot and Formbook campaigns were detected attempting to infiltrate the networks of four percent of organisations around the world each.
Other prominent malware during December included Dridex trojan, XMRig cryptocurrency mining malware and Hiddad Android malware.
One of the best ways for businesses to help prevent falling victim to malware attacks is to ensure the latest security patches are applied across the network as this will prevent cyber attackers from being able to take advantage the known vulnerabilities which cyber criminals exploit to deliver malware.

READ MORE ON CYBERSECURITY More

Image: Mozilla
The handling of clicking on FTP links from within Firefox will soon be passed to other applications, as Mozilla will rip out Firefox’s FTP implementation. A year ago Mozilla announced its intention to shortly disable support for FTP, but it also said it would delay the move pending how the pandemic turned out. By February, FTP was disabled in Firefox’s nightly channel and it is currently also disabled in the Beta channel. For general release, FTP will be disabled in Firefox 88 released on April 19. At this point, when Firefox encounters an FTP link, it will attempt to pass it off to an external application. “Most places where an extension may pass ‘ftp’ such as filters for proxy or webRequest should not result in an error, but the APIs will no longer handle requests of those types,” Mozilla add-ons community manager Caitlin Neiman wrote in a blog post. “To help offset this removal, ftp has been added to the list of supported protocol_handlers for browser extensions. This means that extensions will be able to prompt users to launch a FTP application to handle certain links.” Two release cycles later in late June, Firefox 90 will have the FTP implementation removed altogether. This will also impact Firefox on Android.

“FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year. “Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.” Related Coverage More