Eliana Willis

In a few days, Amazon will begin enrolling Echo devices, Ring Floodlights, and Spotlight Cams into its Amazon Sidewalk network, a plan to create a huge shared network that will allow other Amazon devices that are experiencing network downtime to automatically connect to a nearby device to get a connection.

ZDNet Recommends

The best smart speakers

Want a speaker for your office that pumps out premium sound and offers Bluetooth streaming or voice control? Here are your best options from all the big players, including Sonos, Bose, Google, Apple, and Amazon.

Read More

Here’s how Amazon describes Sidewalk: “Sidewalk can also extend the working range for your Sidewalk-enabled devices, such as Ring smart lights, pet locators, or smart locks, so they can stay connected and continue to work over longer distances. Amazon does not charge any fees to join Sidewalk.” Your contribution to Sidewalk is a small portion of your internet bandwidth — 80Kbps, capped to a maximum of 500MB a month. In return, you get access to Sidewalk, and if your internet goes down, or you have a device that’s in a location where it has a poor connection, your devices get to tap into that shared bandwidth in order that your devices can continue to send you notifications. Must read: Why is iOS 14 so bad? “By sharing a small portion of their home network bandwidth, neighbors give a little—but get a lot in return,” is how Amazon puts it in its privacy and security whitepaper.

I agree. I’ve come across a lot of commentary related to Amazon Sidewalk. Some sensible, some losing their minds over it. And privacy and security concerns are at the top of people’s worries.

Would I allow Amazon Sidewalk to share my network connection? Having read Amazon’s privacy and security whitepaper, and looking at Amazon’s track record over the years, I’d have no problems using Amazon Sidewalk. Amazon has put a great deal of effort and engineering into this, and it’s a clever solution to a problem that affects more and more people who have an ever-expanding ecosystem of IoT hardware in their homes. If you’re concerned about Amazon’s privacy and security credentials, then I’d question why you have Amazon hardware connected to your network in the first place. I mean, these devices have deep hooks into your life, home, and surroundings, and this hardware is bristling with microphones and cameras that are always ready to start listening and watching. Worrying that someone could do something nefarious with that 80Kbps of bandwidth that you’re making available should be the least of your worries. Also, given the state of home network hardware and how poorly they are patched for knows security issues, that will offer a far bigger and better attack surface than Sidewalk ever will. And Amazon is pretty much on the ball when it comes to patching its hardware, so if bugs do surface — more of a when than an if — patches will be forthcoming and installed in the background. That’s a lot more than your typical home router sees. The fact that Tile users will be able to use this network to find lost items is innovative, and offers real competition to Apple’s AirTags. Amazon Sidewalk is a superb idea. More

A new backdoor used in ongoing cyberespionage campaigns has been connected to Chinese threat actors.  On Thursday, Check Point Research (CPR) said that the backdoor has been designed, developed, tested, and deployed over the past three years in order to compromise the systems of a Southeast Asian government’s Ministry of Foreign Affairs.  The Windows-based malware’s infection chain began with spear phishing messages, impersonating other departments in the same government, in which members of staff were targeted with weaponized, official-looking documents sent via email.  If victims open the files, remote .RTF templates are pulled and a version of Royal Road, an RTF weaponizer, is deployed.  The tool works by exploiting a set of vulnerabilities in Microsoft Word’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802).  CPR says that Royal Road is “especially popular with Chinese [advanced persistent threat] APT groups.” The RTF document contains shellcode and an encrypted payload designed to create a scheduled task and to launch time-scanning anti-sandboxing techniques, as well as a downloader for the final backdoor. 

Dubbed “VictoryDll_x86.dll,” the backdoor has been developed to contain a number of functions suitable for spying and the exfiltration of data to a command-and-control server (C2). 

These include the read/write and deletion of files; harvesting OS, process, registry key and services information, the ability to run commands through cmd.exe, screen grabbing, creating or terminating processes, obtaining the titles of top-level windows, and the option to close down PCs.  The backdoor connects to a C2 to pass along stolen data and this server may also be used to grab and execute additional malware payloads. First stage C2s are hosted in Hong Kong and Malaysia, while the backdoor C2 server is hosted by a US provider.  CPR believes it is likely that the backdoor is the work of Chinese threat actors due to its limited operational schedule — 1.00 am — 8.00 am UTC — the use of Royal Road, and due to test versions of the backdoor, uploaded to VirusTotal in 2018, which contained connectivity checks with Baidu’s web address.  “We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage,” commented Lotem Finkelsteen, head of threat intelligence at CPR. “Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyberespionage weapon on other targets around the world.”

Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

NortonLifeLock has launched a dedicated cryptocurrency mining setup for users of the Norton 360 antivirus platform.Announced on Wednesday, NortonLifeLock says that the new feature, Norton Crypto, will be rolled out today for users signed up to Norton’s early adopter program. Norton Crypto has been designed to allow users to “safely and easily mine cryptocurrency.” In the initial stages, users will be able to mine for Ethereum (ETH).  Mining software leverages a PC’s CPU and graphics capabilities to obtain cryptocurrencies ranging from ETH to Monero (XMR). However, in order to do so, NortonLifeLock says users may have to disable their antivirus solutions — potentially Norton 360 included — and this could allow “unvetted code” to compromise their systems.  The vendor added that cryptocurrency miners taking this risk could lead to the theft of their hard-won coins, or loss if coins are kept in cold storage on user hard drives. To promote the new feature, NortonLifeLock claims that Norton Crypto will protect against these pitfalls by storing coins in a cloud-based wallet, Norton Crypto Wallet.  A company spokesperson told The Verge that once cryptocurrency has been earned, it will be possible to “pull money into Coinbase,” which suggests that Norton Crypto users may also need to sign up for an account with the trading platform — unless other alternative exchanges or means of transfer are also offered. 

“We are proud to be the first consumer Cyber Safety company to offer coin miners the ability to safely and easily turn the idle time on their PCs into an opportunity to earn digital currency,” commented Gagan Singh, NortonLifeLock chief product officer. Users in the US should be aware that cryptocurrency is considered a taxable asset and so earnings may have to be declared.  The timing of the announcement, however, is while the cryptocurrency market is far from flourishing.  The prices of popular coins, including Bitcoin (BTC), ETH, and Dogecoin (DOGE) appear to be on a slow recovery trajectory after cryptocurrencies at large suffered a crash in May, prompted by increasing regulatory scrutiny in China and the US, as well as Elon Musk’s announcement that Tesla would no longer accept BTC as payment.  Norton Crypto will be rolled out and made available to all Norton 360 customers in the coming weeks.  ZDNet has reached out to the vendor with additional queries and we will update when we hear back.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Ransomware is one of the most dangerous cybersecurity threats facing organisations today, yet many are still under prepared when it comes to protecting networks from attacks, and about what to do if ransomware causes disruption.High-profile and highly disruptive ransomware attacks have recently hit Colonial Pipeline, Ireland’s HSE health service and global food producer JBS. In the case of Colonial Pipeline, the organisation paid a ransom of over $4 million in Bitcoin for the key required to restore the affected IT network.

ZDNet Recommends

A ransomware attack can, therefore, be highly damaging when it comes to providing services, it can damage the reputation of the organisation and it can cost a lot of money, both in terms of paying the ransom – if the victim chooses to pay, despite warnings it just funds and encourages criminality – and for restoring and securing the network after an incident.It’s vital that the CEO and the rest of the board are fully equipped with the knowledge to deal with the prospect of a ransomware attack hitting their organisation and are doing as much as possible to ensure this doesn’t happen. And in the unwanted event of an incident, they need to be ready with a plan to restore the network, preferably without paying a ransom.In an effort to provide guidance to CEOs, the UK’s National Cyber Security Centre (NCSC) has detailed five key questions for board members to ask about ransomware. 1. As an organisation and as board members, how would we know when an incident occurred?One of the reasons why ransomware attacks have become so successful is because the attackers are able to lurk within the network for a long time without being discovered.

Organisations should, therefore, know what their IT infrastructure looks like, what monitoring is in place on their network – especially with regards to critical assets – and be able to identify when something is potentially suspicious, as well as having mechanisms for reporting and investigating that malicious activity. By identifying potentially suspicious activity on the network, organisations can go a long way to cutting off ransomware attacks before an intruder has had the time to move around the network.2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?One of the key aims of a ransomware attack is to encrypt as much of the network as possible, so organisations should examine what they can do to slow down or stop ransomware from spreading through systems.In order to help make it more difficult for malicious intruders to move around the network, organisations can segment networks, preventing the whole network from being compromised by an attacker gaining access to just one device. SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  Organisations should also look to implement two-factor authentication across the network as an additional line of defence that makes it harder for malicious intruders to move around the network.3. As an organisation, do we have an incident management plan for cyber incidents and how do we ensure it is effective?”Organisations should think in terms of ‘when’ rather than ‘if’ they experience a significant cyber incident,” warned the NCSC blog post, so it’s essential to plan incident response carefully and to practice for it. SEE: This company was hit by ransomware. Here’s what they did next, and why they didn’t pay upThe NCSC’s recommendations for an incident management plan include identifying the key contacts who need to know about it, clear allocation of responsibility, a conference number for emergency incident calls, as well as contingency measures for critical functions.4.  Does our incident management plan meet the particular challenges of ransomware attacks?Some ransomware attacks simply encrypt data and demand a ransom in return for the key. But increasingly, ransomware gangs are engaging in double extortion techniques where they’ll steal sensitive data and threaten to release it if they’re not paid.Situations like this might not be in the incident response plan, so it’s recommended that plans are made for what would happen in the event that data is stolen – and what a recovery looks like when stolen information, potentially including sensitive data about customers, is published online.5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?One of the key things an organisation can do to help protect against the impact of a ransomware attack is to store backups and to regularly update them, as this provides a method of restoring the network relatively quickly without giving into the ransom demand.However, the board should also seek assurances over what data is deemed critical, how frequently it’s backed up and how the backups are stored. Some ransomware attacks will target backups, so it’s important to make sure the backups are stored offline and on a separate network to the rest of the organisation. By asking questions like the above, the boardroom can help make sure that the organisation is as resilient against the growing threat of ransomware attacks as possible.”Cybersecurity is a board-level responsibility, and board members should be specifically asking about ransomware as these attacks are becoming both more frequent and more sophisticated,” said the NCSC guide.MORE ON CYBERSECURITY More

WhatsApp has reversed course on its decision to limit app functionality for users who do not agree with policy changes that have caused controversy in recent months. 

The new terms were first due to roll out in February and were then pushed back to a May 15 deadline amidst concerns that Facebook would be given access to user data and potentially chat content, and thereby erode the privacy that WhatsApp was originally created for. WhatsApp, acquired by Facebook in 2014, said the new privacy policy will change how the Facebook and WhatsApp applications function, and “integrations” would be offered for businesses that want to manage WhatsApp chats with customers via the Facebook platform.  However, the changes did not prove popular — nor WhatsApp’s ‘take it or leave it’ approach to users, who were told to expect limited app functionality if they did not agree to the new terms.  Originally, WhatsApp said that users who refused would encounter persistent reminders for a few weeks and gradual, dialed-back functions, such as being unable to access chat lists.  “After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone,” the company said in its FAQ.  While chats and user contacts wouldn’t be shared with Facebook, user profile data would be shared once that user communicated with a business on WhatsApp. 

However, this assurance wasn’t enough to placate some of WhatsApp’s two billion users, millions of which have since turned to encrypted chat alternatives including Signal and Telegram.  WhatsApp has since attempted to explain what the privacy changes mean for users, but as the controversial changes prompted German regulators to file an emergency three-month ban prohibiting Facebook from processing personal data from WhatsApp “for its own purposes,” it seems the company has finally dialed back its heavy-handed approach.  The privacy term updates have gone ahead, but users that refuse can carry on using WhatsApp as normal.  “No one will have their accounts deleted or lose functionality of WhatsApp on May 15th because of this update,” the company says.  “Considering the majority of users who have seen the update have accepted, we’ll continue to display a notification in WhatsApp providing more information about the update and reminding those who haven’t had a chance to do so to review and accept. We currently have no plans for these reminders to become persistent and to limit the functionality of the app.” Accounts that do not accept the privacy terms will not be deleted. However, WhatsApp added that there will be “opportunities” for those who have not accepted the changes to do so directly in the app, such as when users reregister or “if someone wants to use a feature that’s related to this update for the first time.” In related Facebook news, at the F8 developer conference, Facebook announced a swathe of changes to the WhatsApp Business API to improve uptake, API onboarding, and overall speed; as well as new messaging features to bolster integration of business chatbots on the platform.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The United States FBI issued a short statement on Wednesday pinning the recent JBS ransomware incident on REvil. “As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the agency said. “We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. “A cyber attack on one is an attack on us all. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices.” REvil has previously hit Acer, Travelex, and UnitingCare Queensland. Speaking to Australian Senate Estimates on Wednesday, director-general of the Australian Signals Directorate Rachel Noble said the agency has not used its offensive cyber capabilities against the ransomware crew, which at this time is believed to be Russian-based, but JBS has a private incident response provider.Noble added that ASD is able to use its more secretive powers to warn other organisations if they are on a ransomware attacker’s hit list.

“We were very engaged with [Channel Nine during their March attack] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” the director-general said. JBS said on Tuesday it has seen “significant progress” in resolving the attack that hit its North American and Australian operations while leaving its Mexico and UK without impact. The company said it has received strong support from governments in Washington, Canberra, and Ottawa, and was having daily calls with officials. On Wednesday, JBS said its global operations were back to “near full capacity”. “JBS USA and Pilgrim’s continue to make significant progress in restoring our IT systems and returning to business as usual,” JBS USA CEO Andre Nogueira said. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia.” On Tuesday, Fujifilm said it disconnected and partially shut down its network after a ransomware attack.”Fujifilm Corporation is currently carrying out an investigation into possible unauthorised access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the Japanese giant said.”In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.”We are currently working to determine the extent and the scale of the issue. We sincerely apologise to our customers and business partners for the inconvenience this has caused.”Last week, it was reported Japanese government data stored in Fujitsu software was accessed and stolen by hackers.”Fujitsu can confirm unauthorised access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects. Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities,” Fujitsu told ZDNet.”As a precautionary measure, we have suspended use of this tool, and we have informed any potentially impacted customers.”  More on meat and ransomware More

Australian Minister for Families and Social Services Anne Ruston has apologised to a survivor who had their personal information breached when the details of their application to the National Redress Scheme were uploaded directly to another person’s myGov account. “I regret most sincerely that this error has occurred, and that any trauma or distress that has been caused to the person whose information has been incorrectly uploaded, I believe those sentiments were passed on to the person directly by the officer who contacted her, but yes, I deeply regret what’s happened,” Ruston told Senate Estimates on Thursday morning.The National Redress Scheme provides support to people who have experienced institutional child sexual abuse.The scheme started on 1 July 2018, and is currently planned to run for 10 years.As first reported by 10 News Queensland, the survivor’s information was uploaded to the account of another survivor. This comprised 12 pages of highly confidential information, including address, phone number, bank account details, and Centrelink number, as well as their application to the scheme outlining the sexual abuse they had suffered.Ruston told senators she was made aware of the breach on the weekend. Department of Social Services deputy secretary Liz Hefren-Webb said she was told last Friday.The representatives were asked if they could give an ironclad guarantee that such a breach would not occur again.

“Obviously, when you’re dealing with a situation where you have a lot of people, you can never give an ironclad guarantee, but I can assure you every measure has been taken and will continue to be taken to make sure that the safety around the privacy of the information of these people is our utmost consideration,” Ruston said. “I can only apologise for what’s happened.”Senators pointed to funding allocated to the National Redress Scheme as part of the federal Budget, with AU$104.8 million allocated last year. Hefren-Webb clarified the incident occurred in October 2018. “The incident we’re referring to happened some time ago, before the upgrade of the systems … we are still investigating how it occurred, but it was prior to the funding,” she said.”[A] large part of that funding was for additional redress support services, so non-government support services for survivors, but there was funding for improvements and we are working to improve the system. We are working to improve training.”Such training, she said, is around privacy. The department has also added further quality checks to the system. “But this error obviously occurred fairly early in the scheme’s life and we absolutely apologise without reservation to the person who it’s affected,” Hefren-Webb said.An initial investigation is underway by the department, alongside its legal team.”We’re currently looking at the systems and what led to that, the issues, so I expect that we’ll have a better understanding during next week,” Ruston said.When asked if the breach could lead to many survivors not reaching out to the scheme, Ruston said privacy is of the utmost concern to the department. “We’re always concerned that we put in place the best possible measures to support survivors through what is most often a very traumatic experience. And obviously, this is a situation that we need to investigate and make sure every precaution is put in place, that the protection of the confidentiality, privacy of survivors is always utmost in everything that we do,” she added.”I regret that this has happened, but we will continue to work tirelessly to make sure that we provide a scheme that is, that reflects what survivors need and want. “I can’t reiterate enough that we take the confidentially and privacy of individuals who are seeking to gain redress through this scheme very, very seriously.”IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:Suicide Call Back Service on 1300 659 467Lifeline on 13 11 14Kids Helpline on 1800 551 800MensLine Australia on 1300 789 978Beyond Blue on 1300 22 46 36Headspace on 1800 650 890QLife on 1800 184 527SEE ALSOServices Australia penalised for breaching privacy of a vulnerable customerThe agency’s process for updating personal information in a domestic violence situation was not only alarming, but was found to be a breach of privacy by the Information Commissioner, too.Services Australia reported 20 security incidents to the ACSC in 2019-20Across Social Services, the NDIS, Veteran’s Affairs, and its own operations, Services Australia says no breach of Australian citizen data has occurred.Accidental personal info disclosure hit Australians 260,000 times last quarter85 cases of human error resulted in 269,621 instances of Australians having their personal information disclosed accidentally. More