More stories


    Android, Java bug hunting tool Mariana Trench goes open source

    Facebook has released the Mariana Trench bug hunting software to the open source community.

    This week, Dominik Gabi, a Facebook software engineer, said in a blog post that Mariana Trench was originally an internal tool for the company’s security engineers but has now been released to the public “to help scale security through building automation.”

    Mariana Trench (MT) is a tool for finding vulnerabilities in Android and Java, with a particular focus on examining code in Android applications. According to the tech giant, MT is able to scan “large mobile codebases” and will alert users to potential security problems found in the code by analyzing data flows prior to production.

    MT homes in on data flows as a common source of bugs, whether through incorrect data exposure or collection, or through flaws that allow for the injection of malicious packages. MT scans the sources of information and their sinks, tracks possible paths, and then computes models using static analysis to hunt for errors and issues in the codebase.

    “A security engineer would start by broadly defining the boundaries of the data flows she is interested in scanning the codebase for,” Facebook explained. “If she wants to find SQL injections, she would need to specify where user-controlled data is entering the code, and where it is not meant to go. However, this is only the start — defining a rule connecting the two is not enough. Engineers also have to review the identified issues and refine the rules until the results are sufficiently high-signal.”

    Facebook warns that this tool is only one addition to a security engineer’s arsenal, and that false positives prior to production need to be considered.

    “In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives,” the company says. “This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.”

    MT is now available on GitHub and a binary distribution has also been released on PyPI. In addition, Facebook has released the Static Analysis Post Processor (SAPP), an analysis tool for analyzing MT results.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Digital transformation is creating new security risks, and businesses can't keep up

    Business strategies around technology are constantly evolving. Usually it’s a process that takes time, carefully plotted out in order to avoid disruption. But that wasn’t the case when many office workers were rapidly shifted over to remote working for the past 18 months. Employees who might not have experienced remote working suddenly found themselves working from a laptop on their living-room table, kitchen worktop or bedroom as a result of the pandemic.


    The sudden shift may have helped organisations keep operating, but for many it also came at the expense of cybersecurity.

    Organisations had to transform their business processes, but security didn’t necessarily keep pace, says Ian Wood, head of technology for UK and Ireland at enterprise data management software company Veritas.

    “That was more of an afterthought — it was all about ‘how do I get up and running, how do I transform the business?’ Not thinking about how to secure things,” he adds.

    And it’s not just offices that were forced to change. For example, bars and restaurants suddenly found that, due to social distancing rules, they had to alter how they worked. Customers couldn’t queue up to order their food and drinks, so pubs and bars had to provide digital ordering services.

    “Pubs which didn’t have much IT infrastructure suddenly had to adopt a huge amount of it,” says Wood. But without guidance some struggled, with privacy activists expressing concerns over the amount of information these applications were collecting — particularly when a lack of experience with collecting and storing all this data could lead to issues with information not being correctly secured.

    The rush to build new systems caused by the pandemic is an extreme example of digital transformation — one done with a deadline of days, rather than months or even years. However, the same problem — cybersecurity as an afterthought — is also a significant risk in long-term projects.

    Some boardrooms are focused primarily on efficiency and the bottom line — and when spending on applications and tools to help keep the company secure cuts into those areas, there’s reluctance to spend the money.


    “There’s this split between the business decision and the view of the business risk, and then the view of the cyber risk, and at the moment, the two can’t combine, don’t collaborate and don’t come together in the way that they need to,” says Lorna Rea, consultant for central government at BAE Systems.

    That split in decision making means that in some cases of digital transformation, rolling out new ways of doing things takes priority over making sure the methods of doing business are secure. For example, digital transformation projects tend (obviously and inevitably) to involve doing more with technology. From a security point of view, that means they can expand the potential attack surface of the organisation — unless that risk is understood and tackled.

    “Security just isn’t keeping pace with the digital transformation. Organisations have finite resources, and it’s very difficult to mobilise the limited resources,” says Alastair Williams, director of solutions engineering for EMEA at Skybox Security.

    But even if organisations have limited resources, that doesn’t mean that cybersecurity should simply be ignored: falling victim to a data breach or ransomware attack could cost a business much more than implementing cybersecurity practices ever would. And that’s without the ongoing damage that could be caused if consumers and partners lose faith in a business because it fell victim to an avoidable cyberattack.

    Digital transformation in many cases means investing in cloud computing services. And the basics of securing cloud services are a well-understood, if sometimes ignored, practice.

    For example, securing the cloud means ensuring that multi-factor authentication (MFA) is applied to every user. Then, if usernames and passwords are breached, there’s an additional step that can prevent attackers gaining direct access to the network.

    Some executives might grumble that MFA cuts down productivity, because people need to take a little time out to verify their identity — but it’s one of the most effective actions that can be taken to help prevent unauthorised access to company services.

    Ultimately, when looking at digital transformation, one of the best ways to help ensure data protection is prioritised is to invest in an information security team and involve them in every step of the journey. There might sometimes be tension between the business and information security units, but such integration will ultimately ensure that security is baked into the whole process.

    “Have your security consultants embedded, so the decisions are being made together as a collaborative team,” says Rea.

    One of the key benefits of digital transformation is that employees can collaborate from anywhere. But to make sure they can do that securely, cybersecurity needs to be a key part of the process from the very start.


    Westpac expands digital gambling block to include additional debit cardholders

    Westpac Group has announced the expansion of its digital gambling block feature to St George, BankSA, and Bank of Melbourne debit cardholders. When the feature was initially released in March, the gambling block feature was available to all Westpac Group credit card customers, as well as Westpac debit card customers.

    The gambling block feature enables customers to apply an instant block on gambling-related transactions to certain gambling merchants, including casinos, sports betting agencies, and online gambling companies, through their mobile banking app or online banking. Customers can also contact the banks’ customer care teams to apply the block.

    As part of the update and to prevent underage gambling, a gambling block will also be automatically applied to all Westpac Group debit cardholders under the age of 18, Westpac added.

    According to Westpac customer vulnerability and financial resilience director Catherine Fitzpatrick, since launch, the feature has been activated more than 30,000 times.

    “Problem gambling continues to be a serious issue in Australian communities, and as more people transact online during the pandemic, the digital feature gives customers the ability to manage their gambling spend whenever they might need it,” she said.

    “The benefits of being able to apply a block in real-time also it gives customers more control and flexibility in the moment.”

    This next step by Westpac reinforces an argument that Visa and Mastercard have each put forward in their responses to a question on notice from the Parliamentary Joint Committee on Corporations and Financial Services. The question was about who should be responsible for handling credit card gambling blocks, if they were to be implemented.

    As Mastercard puts it, it does not see all card transactions that carry its brand — only the banks do — and it therefore recommends that if any form of payment blocking were to be mandated in Australia, the responsibility should fall with the issuing bank, rather than the card scheme.

    “A typical transaction on the Mastercard network involves four participants in addition to us: The cardholder, merchant (a business who accepts payment for goods or services provided), issuer (the cardholder’s financial institution) and acquirer (the merchant’s financial institution) … in most cases, cardholder relationships belong to, and are managed by, our bank or financial institution customers,” it said.

    “Mastercard understands some Australian banks have already made the decision to prohibit the use of credit cards to pay for gambling transactions. In some cases, the decision is based on commercial considerations as gambling transactions tend to result in a greater number of disputed transactions compared to other, non-gambling, transactions.

    “Some card issuers have card controls that allow cardholders to block certain transaction types or issuers can do it directly at switch/card management level.”

    Similarly, Visa believes banks can use their existing real-time monitoring capabilities to apply blocks based on merchant category, as they do in the face-to-face environment.

    “Visa’s licensing and transaction processing processes do not distinguish between acceptance of credit, debit, or prepaid transactions. The Visa rules prohibit acquirers from submitting illegal transactions into the Visa payment system. To comply with this requirement, acquirers must ensure that their merchant’s transaction activity is legal in both the buyer’s and seller’s jurisdiction,” Visa said in its response.

    “In the event of any conflict between the Visa rules and any applicable laws or regulations, the requirements of the laws or regulations of course govern. Based on the above, issuers would be best placed to execute the block should a regulation be introduced.”

    This was the same argument Tabcorp put forward when it fronted the committee in early September. At the time, the gaming giant supported the call for banning credit card use by Australians on online gaming platforms, such as betting apps, but said it believes such a mandate should be the responsibility of banks.

    “If we got more information from the banks that a card was suspect, we could shut it down. If the banks notified us that this was a problem, we would be able to stop dealing with that problem, but this flow of information doesn’t happen,” Tabcorp CEO David Attenborough said.

    Tabcorp reiterated the point again in response to a question on notice, outlining that banks are “best placed to do so, and many have already proceeded with restricting gambling transactions, even without legislation. Banks are also best placed to determine a customer’s credit worthiness”.

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:

      • Suicide Call Back Service on 1300 659 467
      • Lifeline on 13 11 14
      • Kids Helpline on 1800 551 800
      • MensLine Australia on 1300 789 978
      • Beyond Blue on 1300 22 46 36
      • Headspace on 1800 650 890
      • QLife on 1800 184 527


    Amazon, Google, Microsoft and other tech giants establish Trusted Cloud Principles

    Some of the world’s largest tech giants — Amazon, Google, Microsoft, IBM, Salesforce/Slack, Atlassian, SAP, and Cisco — have joined forces to establish the Trusted Cloud Principles in what they are claiming is their commitment to protecting the rights of their customers.

    “The Trusted Cloud Principles will help safeguard the interests of organisations and the basic rights of individuals using cloud services so that they can accomplish what they need in a safe and secure way,” the signatories said in a statement. “This initiative is more important today than ever … when some governments come directly to providers like us for access to customer data without their knowledge — in some cases for legitimate reasons but in other cases for reasons that could hinder basic human rights — it creates a tension that needs to be addressed through both technology and policies.

    “Our Trusted Cloud Principles make it clear we seek to partner with governments around the world to resolve international conflicts of law that impede innovation, security, and privacy, and to establish and ensure basic protections for organisations that store and process data in the cloud.”

    Some of the specific principles set out by the signatories are that governments should seek data directly from enterprise customers first, rather than cloud providers, other than in “exceptional circumstances”; customers should have a right to notice when governments seek to access customer data directly from cloud service providers; and there should be a clear process for cloud providers to challenge government access requests for customers’ data, including notifying relevant data protection authorities, to protect customers’ interests.

    Also outlined in the principles is the point that governments should create mechanisms to raise and resolve conflicts with each other such that cloud service providers’ legal compliance in one country does not amount to a violation of law in another; and governments should support cross-border data flows.

    At the same time, the cloud service providers acknowledge that under the principles they recognise international human rights law enshrines a right to privacy, and the importance of customer trust and customers’ control and security of their data.

    The signatories also said they commit to supporting laws that allow governments to request data through a transparent process that abides by human rights standards; international legal frameworks to resolve conflicting laws related to data access, privacy, and sovereignty; and improved rules and regulations at the national and international levels that protect the safety, privacy, and security of cloud customers and their ownership of data.

    “We commit to working with governments to ensure digital connectivity among nations, to promote public safety, and to protect privacy and data security in the cloud in line with international human rights norms and the rule of law,” the signatories added.

    The Trusted Cloud Principles come days after a separate data cloud framework was stood up between Amazon Web Services, Google, IBM, Microsoft and other major tech giants, plus the EDM Council, a cross-industry trade association for data management and analytics.

    Under the Cloud Data Management Capabilities (CDMC) framework there are six components, 14 capabilities, and 37 sub-capabilities that set out cloud data management capabilities, standards, and best practices for cloud, multi-cloud, and hybrid-cloud implementations while also incorporating automated key controls for protecting sensitive data. Among the six components are data governance and accountability, cataloguing and classification, data accessibility and usage, data protection and privacy, data lifecycle, and technical architecture.

    The CDMC framework is available as a free licence to EDM Council members and non-members alike.

    “The speed at which businesses are able to respond to change is the difference between those that successfully navigate the future and those that get left behind,” Google Cloud data analytics product management director Evren Eryurek said. “The CDMC framework is going to be a tremendous resource for companies as they continue to accelerate their digital transformation and reimagine their business through effectively leveraging the power of real-time data.”


    Optus parent sells 70% stake in tower business for AU$1.9 billion to AustralianSuper

    The parent company of Optus, Singtel, has sold a 70% stake in its Australian tower business, Australia Tower Network (ATN), to AustralianSuper for AU$1.9 billion. The deal will cover 2,312 towers and rooftop sites, with Optus signing a long-term lease with ATN as well as being the anchor tenant for 565 sites to be built over the next three years as part of the telco’s 5G rollout. The initial lease term is 20 years with options thereafter.

    “The sale of these assets positions Optus well for the future as it provides capital to support core business growth while importantly allowing us to maintain the competitive advantage of our network’s active elements which continue to top independent reports on speed and quality of our network,” Optus CEO Kelly Bayer Rosmarin said. “There has been strong interest from a competitive field of high-quality prospective buyers, and we are pleased with the outcome of the sales process. We very much look forward to a bright future partnering with Aussie Super, an iconic Australian infrastructure investor.”

    The deal is expected to be completed by the end of October. Telstra recently sold a 49% stake in its InfraCo Towers business for AU$2.8 billion after being approached by a consortium including the Future Fund, Commonwealth Superannuation Corporation, and Sunsuper. That business, now dubbed Amplitel, owns 8,200 towers across Australia. In June, Aware Super along with Macquarie Infrastructure and Real Assets picked up Vocus for AU$3.5 billion.

    Update at 11:50am AEST, October 1: Clarified that Singtel is selling the towers, not Optus as originally reported.


    Congress demands briefing from FBI on decision not to share Kaseya decryption keys

    The US House Committee on Oversight and Reform has demanded a briefing with the FBI to determine whether it was justified in withholding the Kaseya ransomware decryption keys.

    Committee chairwoman Rep. Carolyn Maloney and ranking member Rep. James Comer sent a letter to FBI director Christopher Wray asking him to appear before Congress to explain the FBI’s actions in the case. The FBI’s decision to keep the REvil ransomware decryption key from victims of the attack on Kaseya has caused a furor among some victims and experts who questioned the organization’s judgement.

    “Public reporting raises questions about the FBI’s response to this summer’s ransomware attack. The FBI has stated that it withheld the ransomware key it had previously acquired so the Bureau could engage in an operation to disrupt the Russian-based hackers without tipping them off. Before the FBI could execute its plan, however, the hackers reportedly disappeared and their platform went offline. During this delay, many businesses, schools, and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis,” the members of Congress wrote.

    “We request a briefing from the FBI on its legal and policy rationale for withholding the digital decryptor key as it attempted to disrupt this cyber attack, and the FBI’s overall strategy for addressing, investigating, preventing, and defeating ransomware attacks. Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the US economy. Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”

    Maloney and Comer said the FBI’s actions potentially cost “the ransomware victims — including schools and hospitals — millions of dollars.”

    Last week, the Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack that took place in July yet did not share them for three weeks.

    The Kaseya attack affected hundreds of organizations, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. Washington Post reporters Ellen Nakashima and Rachel Lerman revealed that the FBI managed to obtain the decryption keys because they accessed the servers of REvil, the Russia-based criminal gang that was behind the massive attack.

    Despite the large number of victims of the attack, the FBI did not share the decryption keys, deciding to hold on to them as they prepared to launch an attack on REvil’s infrastructure. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys.

    The FBI also claimed “the harm was not as severe as initially feared”, according to The Washington Post.

    REvil initially demanded a $70 million ransom from Kaseya and thousands from individual victims before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack.

    ZDNet sent questions to multiple members of Congress and the FBI about whether the ransomware group’s brief disappearance was connected to the planned FBI operation but has not received a response.

    The FBI eventually shared the decryption keys with Kaseya on July 21, weeks after the attack occurred. Multiple victims spoke to The Washington Post about the millions that were lost and the significant damage done by the attacks.

    During his testimony in front of Congress last week, FBI Director Christopher Wray laid the blame for the delay on other law enforcement agencies and allies who they said asked them not to disseminate the keys. He said he was limited in what he could share about the situation because they are still investigating what happened.

    “We make the decisions as a group, not unilaterally. These are complex…decisions designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress.

    Congress demanded a response from the FBI by October 6.


    Fortinet, Shopify and more report issues after root CA certificate from Let’s Encrypt expires

    A number of websites and services reported issues on Thursday thanks to the expiration of a root certificate provided by Let’s Encrypt, one of the largest providers of HTTPS certificates.

    At around 10 am ET, IdenTrust DST Root CA X3 expired, according to Scott Helme, founder of Security Headers. He has been tracking the issue and explained that millions of websites rely on Let’s Encrypt services and that without them, some older devices will no longer be able to verify certain certificates.

    Let’s Encrypt operates as a free non-profit that makes sure the connections between your device and the internet are secure and encrypted.

    Despite advance warning that the expiration date would be on September 30, when the deadline hit, dozens of users reported issues with a variety of services and websites.

    Helme told ZDNet that he confirmed issues with Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, PFsense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify and Cloudflare Pages, but noted that there may be more.

    “There are a couple of ways to solve this depending on what the exact problem is but it boils down to: The service/website needs to update the certificate chain they are serving to clients or, the client talking to the website/service needs an update,” Helme explained.

    “For the affected companies it’s not like everything is down, but they’re certainly having service issues and have incidents open with staff working to resolve. In many ways I’ve been talking about this for over a year since it last happened, but it’s a difficult problem to identify. It’s like looking for something that could cause a fire: it’s really obvious when you can see the smoke!”

    Some sites posted notices on their website about potential issues and many have resolved the issues. Shopify posted a note on its incident page that by about 3:30 pm, merchant and company partners who were struggling to log in had their services restored. Merchant authentication for Support interactions has also been restored, the company said.

    Fortinet told ZDNet they were aware of and have investigated the issue relating to the expired root CA certificate provided by Let’s Encrypt.

    “We are communicating directly with customers and have provided a temporary workaround. Additionally, we are working on a longer-term solution to address this edge case issue directly within our product,” the company said in a statement.

    Digital certificates expert Tim Callan said all modern digital systems depend on certificates for their continued operation, including those that secure our cyber and physical environments.

    “If software depends on an expired root to validate the trust chain for a certificate, then the certificate’s trust will fail and in most cases the software will cease to function correctly. The consequences of that are as broad and varied as our individual systems are, and many times cascading failures or ‘downstream’ failures will lead to problems with entirely different systems than the one with the original certificate trust problem,” Callan said.

    “IT systems that enforce or monitor security policies can stop working. Alerting and reporting systems can fail. Or, if the processes that humans depend on to do our work stop functioning, often those people will find ‘workarounds’ that are fundamentally insecure.”

    Callan added that outages can occur when developers embedded in lines of business operations or other skunkworks projects “obtain certificates” without the knowledge of central IT and then move on to new tasks or otherwise fail to monitor the lifecycle of these certificates.

    He noted that most systems will be able to weather a root expiration because of modern root chaining capabilities that allow another root to establish trust.

    “However, legacy systems or those with previously unaddressed (or unknown) certificate handling bugs are at risk for failures like these to occur. In the event of a commonly used root from a popular CA, the risk of these failures goes up considerably,” Callan explained.

    TechCrunch reported that devices that may face issues include older macOS 2016 and Windows XP (with Service Pack 3) as well as older versions of PlayStations and any tools relying on OpenSSL 1.0.2 or earlier. Other experts said PlayStation 4s or earlier devices that have not had their firmware upgraded will not be able to access the Internet. Devices running Android 7.1.1 or earlier will also be affected.

    According to Callan, most modern software allows the use of sophisticated trust chains that allow root transitions without requiring the replacement of production certificates. But software that is old, poorly designed or contains trust chain handling bugs may not handle this transition correctly, leading to various potential failures.

    As many of the affected companies have since done, Callan suggested enterprises take an inventory of the systems using certificates and the actual certificates in use before ensuring that software has the latest root certificates in its root store.

    “By identifying where potential failure points occur, IT departments can investigate these systems ahead of time to identify problem areas and implement fixes. If you can set up a version of the system in a sandbox environment, then it’s easy to test expected behaviour once the root expiration occurs,” Callan said. “Just set the client system clock forward to a date after the expiration date to ensure certificate chaining will work correctly. Alternately, you can manually uninstall or distrust the root that is set to expire (in the sandbox environment, of course) to assure yourself that systems are only using the newer roots.”

    He added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs, while radically decreasing their average lifespan.

    “That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal,” he said.

    Digital Shadows senior cyber threat analyst Sean Nikkel told ZDNet that Let’s Encrypt put everyone on notice back in May about the expiration of the Root CA today and offered alternatives and workarounds to ensure that devices would not be affected during the changeover. They have also kept a running forum thread open on this issue with fairly quick responses, Nikkel added.

    “A not-great practice that’s been floated already as a workaround to the problem is allowing untrusted or invalid certificates. Users should be cautious about making a move that potentially opens the door to attackers using compromised certificates,” Nikkel said.

    “Some users have recommended settings allowing for expired certificates from trusted issuers; however, these can also have malicious uses. In any case, administrators should examine the best solution for them but also understand the risks to any workarounds. Alternatively, administrators can look at alternate trust paths by using the intermediate certificate that Let’s Encrypt has set up or following suggested configurations from their May bulletin.”
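The sandbox checks described in this story (move the client clock past the root's expiry, or remove the expiring root from the store) can be reasoned about with a small model of certificate path building. The following is an added example, not code from the article or from any vendor named in it. The certificate names and dates, the two client behaviours ("trusted first" versus "follow the served chain first") and the inventory entries are assumptions constructed for illustration, and certificates are linked by name only, with no signature checking.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # not_before omitted: the test only moves time forward


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed PKI: every name and date below is made up for this example.
OLD_ROOT = Cert("Old Root", "Old Root", utc(2021, 9, 30))        # expiring root
NEW_ROOT = Cert("New Root", "New Root", utc(2035, 1, 1))         # self-signed
NEW_ROOT_CROSS = Cert("New Root", "Old Root", utc(2024, 9, 30))  # cross-signed
INTERMEDIATE = Cert("Issuing CA", "New Root", utc(2025, 9, 15))
LEAF = Cert("shop.example", "Issuing CA", utc(2021, 12, 1))

# What the server sends: leaf, intermediate, and the cross-signed new root.
SERVED_CHAIN = [LEAF, INTERMEDIATE, NEW_ROOT_CROSS]


def build_path(served, store, trusted_first):
    """Return the path leaf -> ... -> trust anchor, or None if none exists.

    trusted_first=True : stop as soon as an issuer is found in the root store.
    trusted_first=False: follow the served certificates as far as they go and
                         only then look for an anchor, backtracking if needed.
    """
    anchors = {c.subject: c for c in store}
    extras = {c.subject: c for c in served[1:]}
    path = [served[0]]
    while True:
        issuer = path[-1].issuer
        if trusted_first and issuer in anchors:
            return path + [anchors[issuer]]
        nxt = extras.get(issuer)
        if nxt is not None and nxt not in path:
            path.append(nxt)
            continue
        break
    # Served certificates exhausted: find an anchor, dropping served
    # certificates from the end until one chains to the store.
    while path:
        issuer = path[-1].issuer
        if issuer in anchors:
            return path + [anchors[issuer]]
        path.pop()
    return None


def validate(served, store, when, trusted_first):
    """Validate at time `when`; returns (ok, path description or reason)."""
    path = build_path(served, store, trusted_first)
    if path is None:
        return False, "no path to a trusted root"
    for cert in path:
        if when > cert.not_after:
            return False, f"expired: {cert.subject} (issued by {cert.issuer})"
    return True, " -> ".join(c.subject for c in path)


# Hypothetical inventory: system name -> (trusted_first, root store contents).
INVENTORY = {
    "modern client, updated store": (True, [OLD_ROOT, NEW_ROOT]),
    "legacy client, updated store": (False, [OLD_ROOT, NEW_ROOT]),
    "legacy client, old root removed": (False, [NEW_ROOT]),
    "legacy client, stale store": (False, [OLD_ROOT]),
}


def clock_forward_test(when, served=SERVED_CHAIN):
    """Run every inventoried system against `served` with the clock at `when`."""
    return {
        name: validate(served, store, when, trusted_first)
        for name, (trusted_first, store) in INVENTORY.items()
    }


if __name__ == "__main__":
    for label, when in (("before expiry", utc(2021, 9, 29)),
                        ("clock set forward", utc(2021, 10, 1))):
        print(label)
        for name, (ok, detail) in clock_forward_test(when).items():
            print(f"  {'OK  ' if ok else 'FAIL'} {name}: {detail}")
```

In this model the legacy client with an updated store still fails after the clock moves forward, because it reaches the expired root through the served cross-signed certificate; removing the old root or serving a chain without the cross-sign lets it anchor on the new root, while a client whose store was never updated fails in every case.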


    Proxy Phantom: Fraud rings flood online merchants with credential stuffing attacks

    A massive fraud operation slamming e-commerce merchants in account takeover attacks has been revealed by researchers.

    On Thursday, fraud prevention company Sift said the ring, dubbed Proxy Phantom, is using over 1.5 million sets of stolen account credentials in automated credential stuffing attacks against online merchants.

    Credential stuffing attacks generally rely on a database of stolen credentials — potentially sourced from data breaches or data dumps leaked and sold online — to slam a domain with login requests.

    Many of us use the same username and password combinations across different services — although we shouldn’t — and so a data breach at one company could lead to account compromise at another.

    Estimates suggest that only 0.1% of credential stuffing attacks are successful. However, once you consider that thousands of account combinations could be tried at the same time, despite the low success rate, these attacks can still be worthwhile — especially when they are used against merchants or financial services.

    According to Sift’s Q3 2021 Digital Trust & Safety Index, Proxy Phantom “flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second.”

    Connected, rotating IP addresses were also used to make the requests appear to stem from different geographical locations, and the attacks primarily targeted e-commerce platforms and online services.

    The IP clusters doubled between April and June 2021.

    “As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of ‘whack-a-mole,’ with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace,” Sift said.

    In addition, the report states that account takeover attacks detected by the company increased by 307% over Q3. Specifically, the financial sector is a top target, including cryptocurrency exchanges and digital wallet services.

    Earlier this month, Netacea published an index documenting the activities of scalper bots. These types of automated systems are built to beat online queues for high-ticket items such as concert tickets and gaming consoles in order to resell and generate a profit for their operators.

    In the past few months, the PlayStation 5, cryptocurrency mining cards, and Nvidia RTX 3000 series chips have been highly sought by scalpers.