

    Break into the elite field of cybersecurity by learning Risk Management Frameworks

    StackCommerce


    Some of the most elite careers in tech are in cybersecurity, and the good thing is, you don’t need to become an expert on all aspects of it to break into the field. For instance, the NIST Cybersecurity & Risk Management Frameworks course can teach advanced IT professionals the ins and outs of the entire Risk Management process.

    The U.S. government designed the Risk Management Framework (RMF) to establish a secure and efficient process for integrating security, privacy and cyber supply chain risk management activities. The framework is coordinated with a variety of regulations, directives, laws and executive orders, which is what makes it so effective to work through.

    The NIST Cybersecurity & Risk Management Frameworks course consists of 57 lectures across more than 21 hours. You will develop a firm foundation in the RMF steps, which will teach you how to prepare your company to manage privacy and security risks. You will find out how to categorize the information and the system, select the correct NIST SP 800-53 controls, implement them and assess how they are operating, and then authorize the system. Finally, you will monitor the risks and the implementation of the controls on an ongoing basis.

    The course is presented, authored, and provided on the iCollege platform by ITProTV, which is well known for the entertaining, effective talk-show format it employs for its IT training courses. Previous students awarded this one an average rating of 4.39 out of 5 stars.

    Like many other tech skills, these are highly portable and extremely well suited to remote work. So if you prefer a nomadic lifestyle, you may want to check out these affordable portable monitors. You really don’t want to pass up this chance to master risk management; get the NIST Cybersecurity & Risk Management Frameworks course now.



    These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords

    Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can use them to launch malware or ransomware attacks, or sell the stolen credentials to other hackers for their own campaigns.

    Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, so that they unwittingly hand over their credentials. One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that used QR codes to bypass email protections and steal login information. This is known as a “quishing” attack. QR codes are useful to attackers because the destination is encoded in an image rather than written as a link, so standard email security protections like URL scanners find no suspicious link or attachment in the message to flag.

    The campaign is run from previously compromised email accounts, allowing the attackers to send emails from accounts used by real people at real companies, which lends the messages an aura of legitimacy and encourages victims to trust them. It is not certain how the attackers initially gain control of the accounts they use to distribute the phishing emails. The phishing emails claim to contain a voicemail message from the owner of the account they are sent from, and the potential victim is asked to scan a QR code in order to listen to the recording. All of the QR codes analysed were created the same day they were sent.

    A previous version of the campaign attempted to trick users into clicking a malicious URL hidden behind an audio file. That lure was detected and flagged as malicious by antivirus software, which led the attackers to switch to QR codes.

    While the QR code method bypasses email protections more easily, the victim has to take several more steps before reaching the point where they could hand their login credentials to cyber criminals. For a start, the user needs to scan the QR code in the first place, and if they open the email on a mobile they will struggle to do so without a second phone. But if the victim does not suspect anything and follows the instructions, they could end up giving their username and password to cyber criminals.

    “The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs,” said Rachelle Chouinard, threat intelligence analyst at Abnormal Security. “It’s only by understanding that the account is compromised — combined with an understanding of the intent of the email — that this new (and fairly innovative) attack type can be detected,” she added.

    To stay safe from quishing emails, users should be extremely wary of scanning QR codes presented in unexpected messages, even if they appear to come from known contacts. Enforcing multi-factor authentication on Microsoft 365 accounts also helps, because it limits what an attacker can do with a password that has been phished.
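    A mail-gateway check for the pattern described above, as an added example that is not part of Abnormal Security's research or of the original article. It uses Python's standard email package to parse a message and treats the combination the campaign relies on (an internal sender, a voicemail pretext, an inline image and no URL anywhere in the text) as a reason to hold the message for review. If a QR decoder is installed (pyzbar with Pillow, an optional dependency and an assumption here, not part of the standard library) it also decodes the image and blocks the message when the encoded URL borrows Microsoft sign-in vocabulary on a non-Microsoft host. The two sample messages, the example.com domain, the placeholder image and the keyword lists are all constructed for the example.

```python
import email
import email.utils
import io
import re
import struct
import urllib.parse
import zlib
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
LURE_RE = re.compile(r"voice\s?mail|voice message|audio message|scan (?:the|this) (?:qr|code)", re.I)
INTERNAL_DOMAINS = {"example.com"}        # assumption: the organisation's own mail domain(s)
LEGIT_MS_HOSTS = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")
BRAND_TOKENS = ("microsoft", "office", "365", "login", "sharepoint", "onedrive")


def looks_like_ms_login_lookalike(url: str) -> bool:
    """True for hosts that borrow Microsoft sign-in vocabulary but are not Microsoft's."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    if not host or any(host == d or host.endswith("." + d) for d in LEGIT_MS_HOSTS):
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def decode_qr_payloads(image_bytes: bytes) -> list:
    """Decode QR codes if pyzbar + Pillow are installed (optional, an assumption);
    otherwise return [] so the caller falls back to the structural signals."""
    try:
        from PIL import Image
        from pyzbar.pyzbar import decode
        return [r.data.decode("utf-8", "replace")
                for r in decode(Image.open(io.BytesIO(image_bytes)))]
    except Exception:                         # no decoder installed, or undecodable image
        return []


def analyse(raw: bytes) -> dict:
    """Score one RFC 5322 message for the quishing pattern: image-borne link, voicemail lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    text, images = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_content()
            if part.get_content_subtype() == "html":
                body = re.sub(r"<[^>]+>", " ", body)   # crude tag strip, enough for keyword checks
            text.append(body)
        elif part.get_content_maintype() == "image":
            images.append(part.get_content())
    text = " ".join(text)
    signals = []
    if images and not URL_RE.search(text):
        signals.append("image_without_links")   # the "link" lives in pixels, so URL scanners see nothing
    if LURE_RE.search(text):
        signals.append("voicemail_lure")
    if sender.rsplit("@", 1)[-1] in INTERNAL_DOMAINS:
        signals.append("internal_sender")       # if this is a lure, the sending account is compromised
    decoded = [u for img in images for u in decode_qr_payloads(img)]
    if any(looks_like_ms_login_lookalike(u) for u in decoded):
        signals.append("qr_lookalike_url")
    if "qr_lookalike_url" in signals:
        verdict = "block"
    elif "image_without_links" in signals and "voicemail_lure" in signals:
        verdict = "review"                      # hold for a human and open an account-compromise check
    else:
        verdict = "allow"
    return {"verdict": verdict, "signals": signals, "qr_urls": decoded}


def _tiny_png() -> bytes:
    """Constructed placeholder: a valid 1x1 grey PNG standing in for the attacker's QR image."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(b"\x00\x80"))
            + chunk(b"IEND", b""))


def sample_lure() -> bytes:
    """Constructed message shaped like the campaign: internal sender, voicemail pretext, inline image, no links."""
    m = EmailMessage()
    m["From"] = "Dana Reyes <dana.reyes@example.com>"
    m["To"] = "pat@example.com"
    m["Subject"] = "New voicemail (0:42)"
    m.set_content("Hi Pat,\nYou have a new voice message. Scan the QR code below on your phone to listen.\nDana")
    m.add_attachment(_tiny_png(), maintype="image", subtype="png", filename="voicemail.png", disposition="inline")
    return m.as_bytes()


def sample_benign() -> bytes:
    """Constructed control: same sender and an image, but a real link and no lure wording."""
    m = EmailMessage()
    m["From"] = "Dana Reyes <dana.reyes@example.com>"
    m["To"] = "pat@example.com"
    m["Subject"] = "Q4 roadmap"
    m.set_content("Hi Pat,\nSlides are at https://intranet.example.com/roadmap - logo attached for the deck.\nDana")
    m.add_attachment(_tiny_png(), maintype="image", subtype="png", filename="logo.png")
    return m.as_bytes()


if __name__ == "__main__":
    print(analyse(sample_lure()))     # verdict "review" without a decoder, "block" if the QR resolves to a lookalike
    print(analyse(sample_benign()))   # verdict "allow"
```

    The structural signals deliberately do not depend on the sender being unknown, because in this campaign the sender is a real colleague; an "internal_sender" hit on a held message is the cue to start an account-compromise investigation on that mailbox. Decoding the QR code and feeding the URL to the same reputation checks used for ordinary links is the step that turns the heuristic into a positive detection, which is why the block verdict is reserved for that path.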


    Meet Balikbayan Foxes: a threat group impersonating the Philippine gov't

    Proofpoint has uncovered a new, “highly active” threat group that is impersonating the Philippine government and businesses to spread Trojan malware. 

    On Wednesday, researchers Selena Larson and Joe Wise said the threat actors, dubbed “Balikbayan Foxes” and tracked as TA2722, are concentrated in the Philippines but are targeting the shipping, logistics, manufacturing, pharmaceutical, business, and energy sectors across the US, Europe, and Asia.

    Balikbayan Foxes has conducted campaigns throughout 2021 in which the group sent phishing emails claiming to be from Philippine government entities including the country’s department of health, employment agency, and customs. In addition, the threat actors have impersonated DHL Philippines (DHL being a common victim of impersonation worldwide as a delivery service) and the Manila embassy of the Kingdom of Saudi Arabia (KSA).

    According to the researchers, phishing, spoofed email addresses, and emailed lures are used to snag their victims. These included messages surrounding COVID-19 infection rates, billing, invoicing, and industry advisories. Some of the targets are involved in large supply chains, so if compromised, these attacks could have a far-reaching impact. Every campaign tracked by Proofpoint was designed to deploy the Remcos and NanoCore Remote Access Trojans (RATs) for the purposes of surveillance and data theft.

    In some cases, phishing emails were sent containing OneDrive links to malicious .RAR files, whereas in others, crafted .PDFs were attached that contained embedded URLs to malicious executables. The group also utilized another common malware payload deployment method: Office documents containing macros which, when enabled, triggered Trojan execution.

    Proofpoint believes the threat actor’s activities may go back as far as August 2020, based on the activities of multiple clusters and command-and-control (C2) servers now tied to Balikbayan Foxes. Recently, the group appears to be expanding its tactics to also include credential harvesting. In September, the name of the Philippines Bureau of Customs CPRS was used to persuade victims to visit a malicious domain and to submit account details in business email compromise (BEC) scams. Of interest is that a single email address tied to multiple IPs associated with this wave of attacks has also been connected with 2017 campaigns designed to deploy the Adwind/jRAT Trojan, which has been available to criminals as a malware-as-a-service offering since 2016.


    Microsoft warns over uptick in password spraying attacks

    Cyber attackers aren’t just looking for software flaws, supply chain weaknesses, and open RDP connections. The other key asset hackers are after is identities, especially account credentials that will give them access to other internal systems. CISA earlier this year warned that the suspected Kremlin-backed hackers behind the SolarWinds attacks were not just trojanising software updates, but also password guessing and password spraying administrative accounts for initial access.

    More recently, Microsoft observed an emerging Iranian hacking group using password spraying against Israeli and US critical infrastructure targets operating in the Persian Gulf.

    Microsoft estimates that more than a third of account compromises are the result of password spraying, even though the technique succeeds against only around 1% of the accounts it tries, and the rate is lower still for organisations that use Microsoft’s ‘password protection’ feature to ban weak passwords.

    “Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password,” Microsoft explained last year. Spreading the guesses across accounts keeps each individual account below the failed-attempt threshold at which rate limiting or lockout would kick in.

    Microsoft’s Detection and Response Team (DART) has outlined two main password spray techniques, the first of which it calls ‘low and slow’. Here, a determined attacker deploys a sophisticated password spray using “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.”

    The other technique, ‘availability and reuse’, exploits previously compromised credentials that are posted and sold on the dark web. “Attackers can utilize this tactic, also called ‘credential stuffing,’ to easily gain entry because it relies on people reusing passwords and usernames across sites,” Microsoft explains.

    Legacy and unsecured authentication protocols are a problem because they cannot enforce multi-factor authentication, so a correctly guessed password is all the attacker needs. Attackers are also focusing on the REST API, says DART. The top applications targeted include Exchange ActiveSync, IMAP, POP3, SMTP Auth, and Exchange Autodiscover. “Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks,” Microsoft notes.

    Extra care should also be taken when configuring security controls for roles such as security admins, Exchange service admins, Global admins, Conditional Access admins, SharePoint admins, Helpdesk admins, Billing admins, User admins, Authentication admins, and Company admins. High-profile identities such as C-level executives, or specific roles with access to sensitive data, are also popular targets, says Microsoft.

    Microsoft this week warned that the SolarWinds hackers, a.k.a. Nobelium, were employing password spray attacks on new targets, primarily managed service providers that have been delegated admin access by their customers.
    Microsoft found that Nobelium was “targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems.” The attacks are not the result of a product security vulnerability, Microsoft stressed, “but rather a continuation of Nobelium’s… dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”

    DART offers some tips to shape the course of an investigation: determine whether the spray succeeded against at least one account, which users were affected, and whether any admin accounts were compromised.
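    Putting DART's investigation questions into a script, as an added example that is not from Microsoft or the original article: it runs over a constructed, simplified sign-in log (the CSV layout, field names, sample addresses and thresholds are all assumptions) and looks for the spray signature described above, many distinct users failing, each only a few times, inside one window, as opposed to one user failing many times. It then answers DART's questions: did the spray succeed anywhere, which users were touched, were any of them admins, and how much of it rode over legacy protocols that cannot carry an MFA challenge.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Protocols from the article's list that cannot enforce MFA: a correct password is enough here.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP Auth", "Exchange ActiveSync", "Autodiscover"}

# Constructed sample sign-in log in a simplified Azure AD-like layout (not real data).
# Seven users each fail once from two addresses in 40 minutes, then the admin "succeeds"
# from one of those addresses; later a real user fat-fingers her password twice at home.
SAMPLE_LOG = """\
timestamp,user,source_ip,client_app,result
2021-10-26T02:00:11Z,alice@example.com,203.0.113.10,IMAP,Failure
2021-10-26T02:05:40Z,bob@example.com,203.0.113.10,IMAP,Failure
2021-10-26T02:11:02Z,carol@example.com,203.0.113.11,SMTP Auth,Failure
2021-10-26T02:17:55Z,dave@example.com,203.0.113.10,Exchange ActiveSync,Failure
2021-10-26T02:24:30Z,erin@example.com,203.0.113.11,Browser,Failure
2021-10-26T02:31:09Z,frank@example.com,203.0.113.11,Browser,Failure
2021-10-26T02:38:47Z,it-admin@example.com,203.0.113.11,Browser,Failure
2021-10-26T02:41:12Z,it-admin@example.com,203.0.113.11,Browser,Success
2021-10-26T09:00:03Z,alice@example.com,192.0.2.50,Browser,Failure
2021-10-26T09:00:21Z,alice@example.com,192.0.2.50,Browser,Failure
2021-10-26T09:00:44Z,alice@example.com,192.0.2.50,Browser,Success
"""


def parse_signins(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def find_spray_window(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Spray signature: many distinct users failing, each only a few times, inside one window.
    One user failing many times is brute force, not spray, and is left to lockout logic.
    Grouping by user rather than by source IP is what catches the distributed 'low and slow' case."""
    fails = sorted((e for e in events if e["result"] == "Failure"), key=lambda e: e["ts"])
    best = None
    for i, start in enumerate(fails):
        bucket = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
        per_user = Counter(e["user"] for e in bucket)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            if best is None or len(per_user) > len(best["per_user"]):
                best = {"start": start["ts"], "end": bucket[-1]["ts"],
                        "events": bucket, "per_user": per_user}
    return best


def analyse_signins(text, admins, **thresholds):
    """Detect a spray and answer DART's three questions: success anywhere, which users, any admins."""
    events = parse_signins(text)
    w = find_spray_window(events, **thresholds)
    if w is None:
        return {"spray_detected": False}
    users = set(w["per_user"])
    ips = {e["source_ip"] for e in w["events"]}
    # A Success for a sprayed user from a spraying address after the window opened is the
    # strongest "the spray worked" signal; a success from an unrelated address is not counted.
    compromised = sorted({e["user"] for e in events
                          if e["result"] == "Success" and e["ts"] >= w["start"]
                          and e["user"] in users and e["source_ip"] in ips})
    return {
        "spray_detected": True,
        "window": (w["start"].isoformat(), w["end"].isoformat()),
        "distinct_users": len(users),
        "source_ips": sorted(ips),
        "legacy_auth_failures": sum(e["client_app"] in LEGACY_PROTOCOLS for e in w["events"]),
        "affected_admins": sorted(users & set(admins)),
        "compromised_users": compromised,
        "admin_compromised": any(u in admins for u in compromised),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_signins(SAMPLE_LOG, admins={"it-admin@example.com"}), indent=2))
```

    On the sample data the script reports a seven-user spray from two addresses, four of the attempts over legacy protocols, and one successful sign-in by the admin account from a spraying address; alice's later success from her own address is left alone. The thresholds need tuning to the tenant's size, and the window scan is quadratic in the number of failures, which is fine for a triage script over an exported log but not for a streaming detector.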


    Meet Japan's drone traffic management system

    A key part of realizing the future of commercial drones will be drone traffic management: an integrated way to manage airspace for UAVs. That is the goal of a recent trial in Japan led by NEDO (New Energy and Industrial Technology Development Organization) to develop a drone traffic management system that lets multiple drone operators fly in the same airspace safely.

    The trial, closely watched in the industry, brings together several prominent companies and consortiums, including ANRA Technologies, BIRD INITIATIVE, NEC Corporation, All Nippon Airways (ANA), and other partners. It will take place above Wakkanai City in Japan using ANRA’s airspace and delivery management software platforms. The testbed is part of an ongoing R&D effort led by NEDO with the aim of integrating drone traffic management and creating a blueprint for a nationwide traffic management system. Future use cases include drone-based logistics, disaster response, and inspection.

    In the U.S., non-military drones are not integrated into a nationwide air traffic management system except under voluntary programs. Currently, the technology used to keep track of commercial and military aircraft does not account for drone traffic. However, as in Japan, efforts to evolve the national airspace management ecosystem are underway. For example, a company called AirMap has been aggressively lobbying for a comprehensive drone aerial management service. Its technology identifies individual drones, enabling tracking and paving the way for the kind of nationwide net used to monitor commercial and military aircraft. Raytheon, which makes the technology that powers the existing traffic management system for crewed aircraft in the U.S., and AirMap are hoping to develop solutions that provide a complete, real-time view of manned and unmanned flights in U.S. airspace, helping allay rising fears that increasing drone traffic is putting the national air transportation network at grave risk. There have already been a handful of verified aircraft collisions with drones, and several more near-misses, raising awareness of the growing problem.

    In Japan, ANRA’s decentralized traffic management platform will help to coordinate and negotiate the airspace used between operators to avoid collisions between drones. The project utilizes automatic negotiation AI technology, which is being researched and developed with RIKEN and the Industrial Technology Research Institute, and digital twin technology, which is being researched with the National Institute of Informatics. One of the test cases will be pharmaceutical delivery via drone. The results of the test will be shared over the next few months.


    QuintessenceLabs raises AU$25m to take quantum-based cyber solutions global

    Canberra-based quantum cybersecurity solutions firm QuintessenceLabs (QLabs) has completed a AU$25 million series B funding round that will be used to expand the company globally and more than double its headcount.

    The funding round was led by Main Sequence and the investment arm of Canadian telco Telus, with participation from Mizuho Financial Group-backed InterValley Ventures and Terry Snow’s Capital Property Group. Speaking to ZDNet, QLabs founder and CEO Vikram Sharma said the investment would help with the continued development of the company’s quantum-based cybersecurity solutions. Specifically, this will include growing QLabs’ US headcount from eight to more than 20 over the next 18 months, starting with hiring a chief revenue officer, followed by expanding its sales, business development, and marketing teams.

    “We’ve spent the best part of a decade planting a scientific seed, maturing the science, translating that science to technology, and ultimately mapping that technology to solve real-world cyber problems. Through that process, we achieved our customer base of some very strong names, including a dozen Fortune 500 companies, government organisations, defence agencies,” he said. “This round is all about scale-up. We’re really pleased to have closed it and we’re very much looking forward to the next two to three years.”

    Sharma added QLabs will also be looking to enter the UK market during the first half of next year.

    “We already have relationships in the UK. They’ve got such a storied history in cybersecurity, amongst other technology areas, and it’s the second largest cybermarket in the world, so it’ll be a very natural expansion for us,” he said. QLabs will also be developing its existing relationships in Japan and India, Sharma said.

    Back in 2017, QLabs picked up AU$3.26 million in funding from the Australian Department of Defence to continue the expansion of its quantum key distribution capabilities and develop an Australia-specific solution. This was followed by an additional AU$528,000 to progress encryption work for the department. Australian banking heavyweight Westpac has also previously funded QLabs’ work, holding a 16% stake in the company as a result.

    QLabs was formed in 2008 as a spin-off from the physics department at the Australian National University (ANU) in Canberra, although QLabs’ product suite was developed independently of ANU.


    FCC kicks China Telecom out of United States

    The United States Federal Communications Commission (FCC) has removed the authority of China Telecom to operate in the US, and given it 60 days to pack its bags and stop providing domestic and international services. Citing a recommendation from the Trump-era Justice Department, the Commission said China Telecom Americas “failed to rebut” a series of concerns raised.

    “China Telecom Americas, a US subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said. “China Telecom Americas’ ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Telecom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.”

    The FCC also said the national security landscape has changed since China Telecom entered the US market almost two decades ago, that the company showed a lack of “candor, trustworthiness, and reliability” when dealing with US authorities, as well as breaking two of five provisions in a 2007 letter of assurance, and that it was not possible to mitigate the expressed concerns. “Today, based on the totality of the extensive unclassified record alone, the commission’s public interest analysis finds that the present and future public interest, convenience, and necessity is no longer served by China Telecom Americas’ retention of its section 214 authority,” the FCC said, before also stating that the classified material backed up its decision.

    Elsewhere in America on Tuesday, the Republican members of the Senate Committee on Commerce, Science, and Transportation released a report that said Seagate sold hard drives to Huawei without the required licence.

    “The investigation found that Seagate flouted the regulation designed to protect US national security by making unlawful transactions with Huawei for as long as one year, allowing the company to gain significant profits as it monopolised the market,” the GOP members said. The report said Huawei spends $800 million annually on drives and Seagate holds a “large part” in supplying them. “Based on the evidence available to Minority Staff, it appears that Seagate Technology knowingly violated the Foreign Direct Product Rule for more than one year,” the report states. “Seagate likely made the strategic calculation to continue violating national security regulations based on the prospect of earning significantly greater profits through market monopolisation than the potential cost of regulatory penalties. All unlicensed shipments of prohibited products to Huawei should cease without delay.”


    Australia launches new initiative for blocking scam government texts

    The federal government has launched a new initiative to block scam text messages posing as legitimate government sender IDs. The initiative was launched following a year-long pilot program that focused on capturing phishing texts appearing to originate from government agencies such as Centrelink, myGov, and the Australian Taxation Office.

    “The success of this initiative is timely, given the use of MyGov has increased significantly during the COVID-19 pandemic. I have written to NBN Co, Australia Post, and the banks strongly encouraging them to apply the same process to text messages they send,” Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher said. According to Fletcher, the pilot program blocked around 2,500 scam texts over 12 months. The initiative was developed by the Australian Cyber Security Centre, Services Australia, and the telecommunications sector.

    At the same time, Fletcher provided an update on the Reducing Scam Calls Code, saying that over 214 million scam calls have been blocked since telcos were required to adopt the code in December. By comparison, telcos had blocked 30 million scam calls in the year prior to the code’s rollout. Australian Communications and Media Authority chair Nerida O’Loughlin said yesterday at Senate Estimates that while the scam call code has been successfully adopted by telcos, the regulator was now working with the telecommunications industry to create a new code targeting scam text messages.

    “We’re now working with the industry around what they do about SMS scams and the industry itself is developing some new enforceable obligations on the telcos to identify, trace, block and disrupt those SMS scams. We expect that they will put a code in by the end of this year,” O’Loughlin said.

    On Monday, Home Affairs secretary Mike Pezzullo told Senate Estimates that his department was also in talks with the telecommunications industry, with those discussions focused on giving telcos additional powers to block spam and malicious content under the Telecommunications Act.

    Federal government launches new AU$15 million cyber education program

    The federal government has also announced a new cyber education program, called the Questacon Cyber Ready program, aimed at providing cybersecurity skills to students across primary, secondary, and tertiary education. With almost AU$15 million allocated to the program, to be spent over five years, the Questacon Cyber Ready program will provide students with training modules designed to build skills relevant to cybersecurity. There are also training modules within the program designed for teachers and professionals.

    Minister for Science and Technology Melissa Price said the program, which has a particular focus on underrepresented groups, would sit alongside other cyber education initiatives, such as the Engineering is Elementary program, in equipping younger Australians with cyber skills. “We want to increase the cyber education initiatives available to young Australians, including those in regional and remote areas, and boost the participation of women, Indigenous, and neuro-diverse people,” Price said.

    According to the Hays Salary Guide Report FY21/22, which is based on survey results from nearly 3,500 organisations, 68% of the local technology industry is suffering from skills shortages. “Technology is a huge one because the demand for technology is exponential [such as] cloud-based specialists, UX/UI, cybersecurity. In those areas, there is a real shortage of talent and skills,” Hays Australia and New Zealand managing director Nick Deligiannis said at the time.

    Updated at 4:20pm AEST, 27 October 2021: Added comments about a potential scam text code by ACMA chair Nerida O’Loughlin.