More stories


    Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme


    Ransomware attacks targeting the enterprise sector have been at an all-time high in the first half of 2020.
    While ransomware groups each operate based on their own skillset, most of the ransomware incidents in H1 2020 can be attributed to a handful of intrusion vectors that gangs appear to have prioritized this year.
    The top three most popular intrusion methods include unsecured RDP endpoints, email phishing, and the exploitation of corporate VPN appliances.
    RDP — number one on the list
    At the top of this list, we have the Remote Desktop Protocol (RDP). Reports from Coveware, Emsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020.
    “Today, RDP is regarded as the single biggest attack vector for ransomware,” cyber-security firm Emsisoft said last month, as part of a guide on securing RDP endpoints against ransomware gangs.
    Statistics from Coveware, a company that provides ransomware incident response and ransom negotiation services, also support this assessment, with the company firmly ranking RDP as the most popular entry point for the ransomware incidents it investigated this year.

    Image: Coveware
    Further, data from threat intelligence company Recorded Future also puts RDP firmly at the top.
    “Remote Desktop Protocol (RDP) is currently by a wide margin, the most common attack vector used by threat actors to gain access to Windows computers and install ransomware and other malware,” Recorded Future threat intel analyst Allan Liska wrote in a report published last week about the danger of ransomware to the US election infrastructure.

    Image: Recorded Future
    Some might think that RDP is today’s top intrusion vector for ransomware gangs because of the work-from-home setups that many companies have adopted this year; however, this is inaccurate.
    RDP has been the top intrusion vector for ransomware gangs since last year, when ransomware gangs stopped targeting home consumers and moved en masse towards targeting companies instead.
    RDP is today’s top technology for connecting to remote systems and there are millions of computers with RDP ports exposed online, which makes RDP a huge attack vector to all sorts of cyber-criminals, not just ransomware gangs.
    Today, there are cybercrime groups specialized in scanning the internet for RDP endpoints and then carrying out brute-force attacks against these systems in an attempt to guess their credentials.
    Systems that use weak username and password combos are compromised and then put up for sale on so-called “RDP shops,” from where they’re bought by various cybercrime groups.
    RDP shops have been around for years, and they are not something new.
    However, as ransomware groups migrated from targeting home consumers to enterprises last year, ransomware gangs found a readily available pool of vulnerable RDP systems on these shops — a match made in heaven.
    Today, ransomware gangs are the biggest clients of RDP shops, and some shop operators have even shut down their shops to work with ransomware gangs exclusively, or have become customers of Ransomware-as-a-Service (RaaS) portals to monetize their collection of hacked RDP systems themselves.
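    As an added illustration of the brute-force pattern described above (this is not code from the original article or from any of the firms it cites), here is a small detector in Python that runs over constructed Windows Security event lines: five or more failed RDP logons (event 4625, logon type 10) from one source IP inside a sliding window raise an alert, and a later successful logon (4624) from that same source is escalated. The simplified log format, the sample addresses and the threshold are assumptions.

```python
"""Spot RDP password-guessing in Windows Security events.

The sample below is constructed: a simplified "key=value" rendering of the
fields found in Windows Security events 4625 (failed logon) and 4624
(successful logon). Real data would come from Event Viewer, winlogbeat or a
SIEM export, so parse_event() is the only piece that would need adapting.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive, i.e. RDP / Terminal Services.
RDP_LOGON_TYPE = "10"

# Constructed sample: one source hammering RDP with a list of common usernames
# and then succeeding; a second source with a single typo-style failure
# (benign); a third failure that is not RDP at all (logon type 3, network).
SAMPLE_EVENTS = """\
2020-08-20T02:14:01 EventID=4625 LogonType=10 User=administrator IpAddress=203.0.113.45
2020-08-20T02:14:03 EventID=4625 LogonType=10 User=admin IpAddress=203.0.113.45
2020-08-20T02:14:05 EventID=4625 LogonType=10 User=backup IpAddress=203.0.113.45
2020-08-20T02:14:07 EventID=4625 LogonType=10 User=scanner IpAddress=203.0.113.45
2020-08-20T02:14:09 EventID=4625 LogonType=10 User=test IpAddress=203.0.113.45
2020-08-20T02:14:12 EventID=4624 LogonType=10 User=admin IpAddress=203.0.113.45
2020-08-20T02:20:00 EventID=4625 LogonType=10 User=jsmith IpAddress=198.51.100.7
2020-08-20T02:20:30 EventID=4624 LogonType=10 User=jsmith IpAddress=198.51.100.7
2020-08-20T02:25:00 EventID=4625 LogonType=3 User=svc IpAddress=198.51.100.9
"""


def parse_event(line):
    """Turn one constructed log line into a dict; returns None for junk lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts, in the order they fire.

    Two rules, both keyed on source IP and restricted to logon type 10:
      * "bruteforce": the threshold-th failed logon inside the sliding window
        (fires once per burst, not on every further failure)
      * "success_after_failures": a successful logon from a source that still
        has >= threshold failures in the window; this is the one to escalate,
        because a weak password has most likely just been guessed
    """
    failures = defaultdict(list)    # ip -> timestamps of failures in window
    users_tried = defaultdict(set)  # ip -> usernames seen in failed attempts
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, ts = ev.get("IpAddress", "-"), ev["ts"]
        # Forget failures that have fallen out of the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev.get("EventID") == "4625":
            failures[ip].append(ts)
            users_tried[ip].add(ev.get("User", "?"))
            if len(failures[ip]) == threshold:
                alerts.append({"rule": "bruteforce", "ip": ip,
                               "at": ts.isoformat(),
                               "users": sorted(users_tried[ip])})
        elif ev.get("EventID") == "4624" and len(failures[ip]) >= threshold:
            alerts.append({"rule": "success_after_failures", "ip": ip,
                           "at": ts.isoformat(), "user": ev.get("User")})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.45 and none for the single failed attempt from 198.51.100.7, which is the distinction between a guessing campaign and a mistyped password.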
    VPN appliances — the new RDPs
    But 2020 has also seen the rise of another major ransomware intrusion vector, namely the use of VPN and other similar network appliances to enter corporate networks.
    Since the summer of 2019, multiple severe vulnerabilities have been disclosed in VPN appliances from today’s top companies, including Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Secureworks, and F5.
    Once proof-of-concept exploit code became public for any of these vulnerabilities, hacker groups began exploiting the bugs to gain access to corporate networks. What hackers did with this access varied, depending on each group’s specialization.
    Some groups engaged in nation-level cyber-espionage, some groups engaged in financial crime and IP theft, while other groups took the “RDP shops” approach and re-sold access to other gangs.
    While some sparse ransomware incidents using this vector were reported last year, it was in 2020 when we’ve seen an increasing number of ransomware groups use hacked VPN appliances as the entry point into corporate networks.
    Over the course of 2020, VPNs quickly rose as the hot new attack vector among ransomware gangs, with Citrix network gateways and Pulse Secure VPN servers being their favorite targets, according to a report published last week by SenseCy.
    Per SenseCy, gangs like REvil (Sodinokibi), Ragnarok, DoppelPaymer, Maze, CLOP, and Nefilim have been seen using Citrix systems vulnerable to bug CVE-2019-19781 as an entry point for their attacks.

    Image: Recorded Future
    Similarly, SenseCy says ransomware groups like REvil and Black Kingdom have leveraged Pulse Secure VPNs that have not been patched for bug CVE-2019-11510 to attack their targets.
    Per Recorded Future, the latest entry on this list is the NetWalker gang, which appears to have started targeting Pulse Secure systems to deploy its payloads on corporate or government networks where these systems might be installed.

    Image: Recorded Future
    With a small cottage industry developing around hacked RDPs and VPNs on the cybercrime underground, and with numerous cyber-security firms and experts constantly reminding everyone to patch and secure these systems, companies have no more excuses for getting hacked via these vectors.
    It’s one thing to have an employee fall victim to a cleverly disguised spear-phishing email; it’s another thing not to patch your VPN or networking equipment for more than a year, or to use admin/admin as your RDP credentials.


    Blockchain could help colleges like ASU provide better, more secure online education

    Online education was gaining significant momentum with colleges and universities even before the coronavirus pandemic. But as dozens of schools, like USC, Harvard, Rutgers, George Washington University, and UNC at Chapel Hill, take all or some of their Fall 2020 semester online in response to COVID-19, technology is playing an increasingly important role in higher education, both in terms of the classroom and student administration. Tasks that were once conducted face-to-face now have to be accomplished remotely. Blockchain could help schools perform some of these administrative tasks with more security and transparency.
    At Salesforce’s Dreamforce 2019 conference, I had a chance to speak with Donna Kidwell, CTO at EdPlus at Arizona State University, about the institution’s plans for blockchain. Kidwell explained that ASU has a goal of supporting 100,000 online learners by 2025. They already have 55,000 students. Blockchain will play a key role in helping them meet that goal by allowing ASU to better track and certify each student’s “learning accomplishments,” Kidwell said.
    Having a trusted, portable record of someone’s educational achievements is particularly important today, as most students don’t follow a traditional four-year college degree path, Kidwell said. Instead, they are “life-long learners” who will earn skills and knowledge at many institutions over the course of their educational and professional careers. Blockchain and a general public ledger, when combined with identity management technology, can help institutions like ASU build “transparent trust” into each student’s transcript.
    The following is a transcript of our interview, edited for readability.
    Bill Detwiler: So how is ASU using blockchain?
    Donna Kidwell: This is one of my favorite questions, so thank you for asking. We have been working on this for about 18 months, give or take. It took maybe six months to figure out should we actually be using blockchain, because that’s a whole thing. Is it the right technology to use? We looked at about a dozen different things that we thought, well, maybe blockchain would be good for this. Maybe blockchain would look good for that, until we really honed in on something that really where the technology of blockchain, the way blockchain allows us to think about things really matters, because otherwise, you don’t want to do it just because it’s blockchain. You want to have a valid reason for it underneath it. That’s how we came up to where we’re at now. We’ve got a roadmap that gets us towards using blockchain for reverse transfer, if you’re familiar with that concept. If not, I can explain it a little.
    Bill Detwiler: Sure, why don’t you explain it, so everybody knows?
    Donna Kidwell: So a pretty simple story. Let’s say somebody goes to high school, then they decide, I’m going to go to a community college for a little while. They go to the community college. They’re thinking, I really dig this. I’m going to go ahead and do a four year degree. So they transfer in. They could do that and not have their associates. In fact, a large percentage of ASU online students don’t have their associates. End up getting their four year degree, but along that way, they probably get that one English class that they were missing or whatever, how many ever hours they were missing. If we can actually get them to the point where they can get that associates while they’re on the bachelors, then one, they get to actually use that out in the marketplace for themselves, tell their employer, “Hey, I got this,” see if that gets them a raise.
    That’s all great. Let’s get them that credential because they’ve earned it by this point, right? They’ve done the work. Let’s give them the actual accomplishment. The other thing it allows us to do is between institutions, we can see what really pathways are happening there? Right now, when you stop going to the community college, basically you go dark. So community college doesn’t know about your journey beyond that. Well, it would be really interesting across these public institutions, across higher ed generally, if we could actually see what was happening to our learners. Now, along that whole way, a big piece of this is privacy and trust, another reason we’re using trust technologies like blockchain. To do that, we need the learner themselves to consent and say, “Yeah, I totally get it, and I would love to have that.”
    So we are enabling this very different way of working between institutions. Previously, like Jose in the keynote that I had this morning, a guy like Jose has got to get permission. He’s got to call up his advisor, get his transcripts. Maybe he’s got transcripts from two or three different places, a high school and two community colleges. It’s pretty typical. He compiles all of that and makes it happen. This would allow us to take the friction out of all of that. All he has to do is say, “I consent.” These partners, and we’ve worked with almost every community college already. ASU has been around. We’ve been doing this. We’re not actually transforming anything that’s not a business process that already exists, but now we’re putting that learner right in the heart of it and giving them a lot more agency to be able to actually make all the things happen.
    Bill Detwiler: So it allows you to gather that data and create a record-
    Donna Kidwell: Right.
    Bill Detwiler: … that is portable with the student that they can source.
    Donna Kidwell: That’s right.
    Bill Detwiler: Blockchain allows you to verify the authenticity of that record-
    Donna Kidwell: Absolutely.
    Bill Detwiler: … as they move through from organization to organization, institution to institution.

    ASU EdPlus website
    Donna Kidwell: What’s really beautiful about it is the nature of that distributed ledger means I’m not the only one with a copy, which is how it is today. We’ve each got our own little fiefdoms, right, our own little domains. So now we’ve got a general public ledger where all of those learning accomplishments are being recorded across the ledger. I, ASU, issue that credential. Yep, that happened. I verify that it happened. So I’m still issuing the credential. I still, for all practical purposes, I’m doing the kinds of things that universities have always done in terms of owning that data. But now I’ve got it in a place where the learner can say, okay, we’re going to allow others to actually see it, can allow some other transactions to happen a little bit easier. That’s really why the general public ledger ended up making sense.
    Bill Detwiler: Right, and so what role does Salesforce play in that process for ASU?
    Donna Kidwell: Yeah, so that’s a great question. A couple of different things. One, they’ve been a great technology partner for us all along. So if we’re thinking scale, which we are, we want to get to 100,000 learners in the online space by 2025. We’re at 55,000 now. I expect we’re going to hit that 100,000 well before our 2025 year mark. So if you’re thinking about that many learners, we already need a really strong, what in my world would be a learner relationship management platform. How am I relating to that learner as they’re going through their different journeys? Salesforce was already doing a lot of stuff with us. So Salesforce was trying to figure out what’s going to be their blockchain strategy? We’re trying to figure out, does blockchain even make sense? A design partnership there really, really works.
    Frankly, if you’re on a campus, you’ve got student information systems, we’ve got learning management systems, we’ve got CRM systems, a little triumvirate of all this tech. Each of those have their own different jobs, and somewhere in the middle of that is a different job. It’s accomplishment. Like how are we actually recording this accomplishment? Could we give that to a learner across their life now, not just for the four years because we know that’s actually not the path most people are taking. Could we give it to them for the whole duration of their career? That makes you think about the technology differently. Salesforce is thinking about their version of a lifelong learner. All of this was happening around the same time that they’re really creating Trailhead. So here we are, mission aligned towards different types of learning, but at the end, trying to really empower people to, in the nomenclature here, to blaze their own trails. I totally get it. That’s what we want to. So in as much as we can work with them to design what that future looks like, it’s a good thing.
    Bill Detwiler: What were some of the challenges that you faced either from the institution, administration side of things at ASU, or just technical challenges with moving to blockchain? Because everybody thinks this is cryptocurrency, right?
    Donna Kidwell: Right.
    Bill Detwiler: But blockchain is more than that. So as a CTO, did you have to convince the administration at ASU? Did you have to convince other stakeholders that this is the right path to take?
    Donna Kidwell: So great question, kind of two parts. We’ll take the, how do you get this job done inside a bureaucratic, not so much at ASU, but most public institutions are known for what I’d call bureau viscosity. Things slow down in the bureaucracy and you got to make all that happen. ASU is a horse of a different color in that way. President Crow has really created, over the years that he’s been there, a culture of innovation. So I am, in some ways, very blessed at ASU. It’s really fortunate in that the provost office sponsors this project. It has the registrar there meeting with me. Registrar and I went to Washington DC to talk to the Department of Ed about how this might have policy implications. It’s not-
    Bill Detwiler: So how was it? Talk a little bit, I mean, how that … how you were able to maybe overcome some of their concerns, the regulator’s concerns, or maybe they didn’t have any. Maybe they were already moving a role.

    Donna Kidwell: Oh no, it’s still a conversation, right? I think that’s part of it, is that I don’t go to the table as a CTO and say, technology enables us to do new things. Instead, we’re having this dialogue and saying, okay, so what if technology enabled us to do new things? Then the registrar is able to say, well, here’s how I’m funded. Here’s the pain points I have. Here’s where the system breaks. Here’s where it works for me, but it doesn’t work for a student, or it works for me, but it doesn’t work for the other registrar in my sister institution, or whatever. If we have these real honest conversations, the same is true for the Department of Ed and FERPA, like a real conversation. Like what does it actually mean to do what we’re trying to do, and does law and policy actually support it?
    Those are two different things, right? So how do we actually make all of that happen? It’s all through really sitting down at a table, the same table, but having a diversity of people who are at the table. That’s one of the things where I’d say, at ASU, we really approach the problems that way. So to go back to the second part of your question, the burden on a project that’s an innovative project in a place that’s as entrepreneurial as ASU, but still a public institution. So I’ve really got to prove I have a business case. I’ve got to show, it’s going to make a difference for students. There’s going to be sustainable opportunity in it. It is going to be something that not only can we create this wonderful technology, can be gardens and unique gardeners forever. So not only am I going to be able to build a beautiful garden, but it’s going to be sustainable. Every milestone that we meet is trying to demonstrate value. It’s to demonstrate sustainability. I’ve got to make that case almost as if I were a startup.
    Bill Detwiler: For other organizations, whether they’re public institutions like universities, whether they’re healthcare organizations, they’re other privates who are looking at blockchain to solve problems that they have, what advice would you give them?
    Donna Kidwell: Well, a couple of lessons learned with us. All of the processes we’re talking about already existed. They just existed in ways that weren’t very easy to work with. So require a lot of man hours, or are business processes that have some automation, but are pretty manual, are still processes where boy, if we could talk to one another, things would be a lot easier. So that’s nice. We’re not actually building something off as something that doesn’t exist. A case like reverse transfer is pretty well known amongst institutions all across the country. You can talk registrar to registrar. They get it. They know what’s happening, so that’s one thing, our admissions to admissions.
    The other thing though, is to be able to understand what is that underlying problem? For us, part of the issue is trust. So I think blockchain is one of trust technologies. The other ones that we’re really interested in are around identity management, because lifelong learning, that gets really interesting. So for me, trying to figure out the heart of where we’re going to be able to create value, then let’s you say, okay, well then this is why you’d need that technology. You need it for speed. You need it for scale. Whatever the reason is, blockchain serves itself really well if you need transparent trust.
    So in our case, we want to be able to issue something because it’s the university’s name, it’s the faculty’s name. We put a lot of esteem into that, a lot of work into that. We’re going to issue that credential as universities always have. We want that to be verified. We want that to be something other people can double check. We want that process to be transparent, but private and permission-based. So it was that set of rules that then led us to say, oh, this actually … the technology capabilities and the function that we get from the tech matches the same set of business needs and values that we have. You see that a lot in health care. It’s another place where there’d be really, or I think every industry is trying to figure out where’s their mix of that, that same recipe that would help them understand how blockchain may or may not be a fit.


    TikTok to sue US government over ban

    TikTok has confirmed it will launch a lawsuit against the US government over the Chinese app maker’s ban. Any potential lawsuit, however, will not prevent the company from being compelled to sell off the app in the US market.
    TikTok reiterated its previous stance that it had worked to engage the Trump administration for almost a year to “provide a constructive solution” to resolve concerns the latter had about the app.
    “What we encountered instead was a lack of due process as the administration paid no attention to facts and tried to insert itself into negotiations between private businesses,” the company said in a statement issued to several media outlets, after Reuters first broke the news Saturday.
    “To ensure that the rule of law is not discarded, and that our company and users are treated fairly, we have no choice but to challenge the executive order through the judicial system,” TikTok said.
    Donald Trump earlier this month signed two executive orders barring any US transaction with TikTok, its parent company ByteDance, and its subsidiaries, as well as with popular Chinese messaging app WeChat and its parent company Tencent. The US President alleged that apps developed in China threatened his country’s national security, foreign policy, and economy. “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the order noted. “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information, potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    TikTok reportedly planned to argue in its lawsuit that Trump’s first August 6 executive order, filed under the US International Emergency Economic Powers Act, deprived the Chinese company of due process. It also planned to fight its label as a national security threat by the US government, Reuters reported.
    TikTok did not specify which court it planned to tap for its lawsuit, but this move would not stop the company from being compelled to relinquish its US operations, which was laid out under Trump’s second executive order issued on August 14 and was not subject to judicial review.
    The August 14 order gave TikTok’s parent company ByteDance 90 days to sell off its business in the US. Discussions were ongoing with Microsoft and, more recently, Oracle involving a potential sale.
    According to TikTok, 100 million Americans used its platform. It recently unveiled new measures it said were aimed at stemming misinformation and content designed to disrupt the US elections in November. These included updates to its policies for better clarity on what was and was not allowed on its platform, and wider collaboration with fact-checking partners as well as the US Department of Homeland Security, such as on efforts to verify election-related information, in-app reporting of election misinformation, and safeguards against foreign interference.
    It also refuted suggestions it shared user data with the Chinese government or censored content at the government’s request. “In fact, we make our moderation guidelines and algorithm source code available in our transparency center, which is a level of accountability no peer company has committed to,” TikTok had said. “We even expressed our willingness to pursue a full sale of the US business to an American company.”
    Trump had suggested the US government should receive a “substantial” cut of the acquisition for “making it possible”.


    Police launch drones to make sure you're wearing a mask

    Another symbol of a post-Covid future?
    Screenshot by ZDNet
    I worry we’ve become used to being spied upon.

    I don’t suggest this is a good thing. I do wonder, though, whether humanity’s defenses have been permanently weakened. Especially as the Coronavirus has made many of us even more dependent on technology as we work from home.
    When, though, does intrusive become abusive?
    I only ask because of a moving report emerging from Australia.
    The police in Victoria — the state that houses Melbourne — are trying a new way to make sure people are wearing masks.
    As 7News Melbourne reports, they’re sending up drones to catch mask miscreants. They’ll also be deputed to discover cars that have gone beyond five kilometers from home, in contravention of current laws.
    Melbourne has suffered a return of Covid-19, after many thought it had passed. At the beginning of this month, Melbourne declared a state of emergency.

    The lockdown carries with it fines of up to A$20,000. Failing to wear a mask will cost you A$200.
    I can conceive how certain parts of America would warm to such penalties.
    And, indeed, how they might warm to the idea that a drone will be spying on their faces, and report on them if they’re not wearing a mask.
    One can understand — if not feel comfortable with or even find tolerable — the use of such flying machines at a time like this.

    However, one sentence from the 7News report offers a chilling thought: “There are concerns this style of policing won’t end when the pandemic is over.”
    That’s the issue with so many technological glories being used for policing. Where does it end? Does it end at all?
    It’s the sort of thing that’s driven tech employees themselves to lobby their managements. Recently, Amazon declared it wouldn’t allow its facial recognition system to be used by the police for a year. This could be because some believe it’s painfully inaccurate.
    Of course, concerns about surveillance heighten with every day one is alive.
    Imagine, though, how it might feel if you need milk and bananas, you’ve accidentally forgotten your mask and are quickly running to the store.
    Suddenly, you hear a buzzing sound.
    A minute or two later, you’re being grabbed from behind.
    “You’re not wearing a mask,” says the voice.
    And then imagine, in 2021, you need milk and bananas and are quickly running to the store.
    Suddenly, you hear a buzzing sound.
    A minute or two later you’re being grabbed from behind.
    “You’re two minutes over your parking time,” says the voice.


    Free photos, graphics site Freepik discloses data breach impacting 8.3m users

    Image: Freepik Company

    Freepik, a website dedicated to providing access to high-quality free photos and design graphics, has disclosed today a major security breach.
    The company made it official after users started grumbling on social media this week about receiving shady-looking breach notification emails in their inboxes.
    ZDNet reached out to the Freepik Company on Thursday, and while we have not heard back before this article’s publication, the company formally disclosed a security breach today, confirming the authenticity of the emails it’s been sending to registered users for the past few days.
    Hacker used an SQL injection to get in
    According to the company’s official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data.
    Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.
    Freepik didn’t say when the breach took place, or when it found out about it. However, the company says it notified the authorities as soon as it learned of the incident and began investigating the breach and what the hacker had accessed.
    Millions of password hashes were pilfered
    As for what was taken, Freepik said that not all users had passwords associated with their accounts, and the hacker only took user emails for some.
    The company puts this number at 4.5 million, representing users who used federated logins (Google, Facebook, or Twitter) to log into their accounts.
    “For the remaining 3.77M users the attacker got their email address and a hash of their password,” the company added. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”
    In the process of notifying users
    The company said it’s now in the process of notifying all impacted users with customized emails, depending on what was taken. These emails are going out to Freepik and Flaticon users, depending on which service they had registered on. Below are some of these messages, as received from our readers.

    “Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” Freepik said. “Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”
    Freepik is one of today’s most popular sites on the internet, currently ranked #97 on the Alexa Top 100 sites list. Flaticon is not far behind, ranked #668.
    When EQT acquired the Freepik Company at the end of May this year, the company claimed the Freepik service has a community of more than 20 million registered users.
    Users registered on Slidesgo, another of the Freepik Company’s websites, don’t appear to have been impacted.


    Before taking that DNA test: Six things you need to know

    Updated: Ancestry.com shared a statement about privacy. See below.
    When you get a DNA test kit, you’ll get a set of instructions to follow so you can get a sample of DNA from your body to the lab. You’ll either be asked to spit into a tube or wipe a swab around inside your mouth.


    Some folks have difficulty producing enough saliva to do a spit test. If you often have a dry mouth, you might want to consider one of the cheek swab tests. Another trick is to think about lemons, the taste of a lemon, and biting into a lemon. Sometimes just the thought will increase mouth saliva.
    Also: My ancestry adventure: When DNA testing delivers unexpected and unsettling results
    Saliva. Not your usual ZDNet topic. So, rather than imagine the bitter taste of lemons in your mouth as your face crinkles up slightly from the tart taste and you feel your mouth water, let’s talk about some important things you need to know.
    1. Know what DNA testing involves
    DNA can tell you a lot about yourself. Imagine you’re reverse engineering source code for a video game. If you find a function that solves a puzzle, you can intuit that the game includes puzzle solving. If you find a function in that code for jumping and climbing, the game might have more action elements.
    DNA tests can do this, by looking at your DNA to determine what “functions” it exposes in your genetic code. That’s why some DNA tests are able to provide health and lifestyle information.
    Also: Soon, your brain will be connected to a computer. Can we stop hackers breaking in?
    With the permission of their customers, many DNA companies store DNA data from thousands or millions of customers. By matching your DNA against the DNA patterns of all those other DNA test participants, some DNA companies are able to tell if you share unique sequences, essentially proving that you share ancestors somewhere in your family history.
    That opens up one of the biggest services offered by DNA testing providers: Helping you understand your family tree, the migration patterns of your ancestors, and even identify relatives you never knew you had.
    2. Be aware there is a dark side to DNA testing
This also opens up one of the more disturbing aspects of DNA testing: the privacy implications. Your DNA is, fundamentally, the source code to… you. If DNA companies are sharing that code, whether with law enforcement or with other companies, it can be a little unsettling. If you authorized that sharing, it’s one thing.
    But if your family member or cousin authorized sharing their DNA, they have also, essentially, allowed a considerable amount of your DNA to be shared. And that doesn’t even include what happens if your testing service provider gets hacked.
    Also: Genealogy sites credited with helping ID Golden State Killer CNET
    The other issue is for those folks who took DNA tests and got back results they didn’t expect. There are many issues involved with this, from what’s called “misattributed paternity” to issues of race, what you’ve been told as part of your family history, and disturbing discoveries about your family tree. When I tested three DNA services, I got some disturbing results.
    Keep these unexpected consequences in mind if you decide to move forward doing DNA testing.
    3. Know how to choose a DNA testing service
    To help you navigate through the offerings of various DNA testing services, we recently produced a guide for CNET. In it, we looked at how well these providers can help you learn about yourself through DNA. Each provider is shown with the size of its matching database. If you’re looking for family information, the bigger the database, the better the chance you’ll find long-lost family members.
    Also: Genealogy database used to identify suspect in 1987 homicide CNET
    When it comes to health and lifestyle information, the DNA tests use some of the same information. This is really a matching process, but instead of looking for family members, the test provider looks for matching characteristics, particularly genetic markers for certain diseases and traits.
    4. Understand the structure of DNA

DNA is, essentially, code. The order and combination of the code provide instructions for creating organic material.
    Segments of DNA convert amino acids into proteins. Proteins do all sorts of things, including create new cells. That’s how you get the building blocks, from amino acids to proteins, proteins to cells, cells to tissues, tissues to organs, and organs to people, dogs, trees, cats, and so on.
    Also: The startling future of DNA genome editing TechRepublic
    Long strands of DNA are called chromosomes. These chromosomes are passed from both a father and a mother to a child. The child’s DNA contains code that represents characteristics of both parents.
    5. Know the limits of DNA matching
    These chromosomes not only contain code for genetic characteristics, they also contain something of a genetic fingerprint of the parents in each child. That’s why two siblings, born of the same two parents, will share a considerable amount of chromosomal data.
    Cousins, too, share chromosomal data, just not as much. The fingerprint has, essentially, been diluted. As you move back in time to grandparents and great grandparents and great great grandparents, and then down other branches of the tree to first cousins, second cousins, third cousins, fourth cousins, and so forth, less and less of the DNA sequences will match.
    The reason you need to understand a bit about chromosomes is that you’re about to make a decision: Which test type do you choose? That’s next.
    6. Understand the test types
    Generally, there are three different test types: Autosomal, Y-DNA, and mtDNA.
    Today, autosomal tests are the most common. They can be administered to both men and women, and trace back through the lineage of both sexes.
    The Y-DNA test can only be administered to men, and traces DNA back through the patrilineal ancestry (basically from father to grandfather to great grandfather).
    The mtDNA is matrilineal and lets you trace your ancestry back through your mother, her mother, and her mother going back.
    Autosomal tests can get you quality genetic information going back about four or five generations. Because the Y-DNA and mtDNA tests are more focused on one side of the line, you can get information going back farther, but with less data about family structure.
    Which test you take depends entirely on what you’re looking for. Don’t expect perfect accuracy. They can give you indications, but taking a DNA test won’t magically produce a history book of your family’s background.
    My experience
    So, there you go. In the guide, we present to you 10 of the more interesting DNA services we’ve found. Some are better than others, so you should not only take our information into account when spending on a service, but look for reviews and stories posted by those who have used the services to see what their experiences have been.
    I, personally, have now tested three services: Ancestry, 23andMe and LivingDNA. It’s been interesting — and also disturbing. By combining the DNA tests with Ancestry’s research database, my wife and I were able to answer some long-kept mysteries about our family trees. Here’s my story about that, as well as in-depth reviews of those three services:
    Also: My ancestry adventure: When DNA testing delivers unexpected and unsettling results
    By the way, a spokesperson at Ancestry reached out to me to talk about the data privacy concerns I raised in this article. They wanted to share this statement:

    Protecting our customers’ privacy is Ancestry’s highest priority, and that starts with the basic belief that customers should always maintain ownership and control over their own data. We will not share customers’ personal information with third-parties – including insurers, employers, health providers or external marketers – without their explicit, informed consent. Ancestry will not share any DNA data with law enforcement unless compelled to by valid legal process and will always seek to minimize the impact on our customers’ expectations of privacy.

    I am personally fascinated by Ancestry and the work they’re doing, so I hope to be able to bring you more from them over time.
    Stay tuned. If I can, I’ll do more tests and report back to you here on ZDNet and CNET about what I learn.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


  • in

    FBI and CISA warn of major wave of vishing attacks targeting teleworkers

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security advisory on Thursday, warning about an ongoing wave of vishing attacks targeting the US private sector.

    Vishing, or voice phishing, is a form of social engineering where criminals call victims to obtain desired information, usually posing as other persons.
    According to the FBI and CISA, in mid-July 2020, cybercriminals started a vishing campaign targeting employees working from home for US companies. The attackers collected login credentials for corporate networks, which they then monetized by selling the access to corporate resources to other criminal gangs.
    How attacks happened
    The two cyber-security agencies didn’t name targeted companies, but instead described the technique the attackers used, which usually followed the same pattern.
    Per the two agencies, cybercrime groups started by first registering domains that looked like company resources, and then created and hosted phishing sites on these domains. The domains usually had a structure like:
    support-[company]
    ticket-[company]
    employee-[company]
    [company]-support
    [company]-okta
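The five hostname shapes listed above are what the advisory's later "domain monitoring" tip is meant to catch. As an added example (not code from the advisory or from ZDNet), the following function screens a feed of newly observed domain names for those shapes; the brand "examplecorp", the feed entries and the owned-zone allowlist are constructed placeholders.

```python
import re
from typing import Iterable, List, Tuple

# The five hostname shapes the FBI/CISA advisory lists, with {company}
# standing for the targeted brand name.
ADVISORY_PATTERNS = (
    "support-{company}",
    "ticket-{company}",
    "employee-{company}",
    "{company}-support",
    "{company}-okta",
)


def _labels(domain: str) -> List[str]:
    """Split a hostname into lowercase labels, ignoring a trailing dot."""
    return domain.strip().lower().rstrip(".").split(".")


def _under_own_zone(domain: str, own_zones: Iterable[str]) -> bool:
    """True when domain equals, or is a subdomain of, a zone the company owns."""
    d = ".".join(_labels(domain))
    for zone in own_zones:
        z = ".".join(_labels(zone))
        if d == z or d.endswith("." + z):
            return True
    return False


def flag_lookalikes(company: str, observed: Iterable[str],
                    own_zones: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (domain, pattern) pairs for observed names that contain an
    advisory-shaped label and are not under the company's own DNS zones.

    Every label is checked, not only the registrable one, so both
    'support-examplecorp.com' and 'examplecorp-okta.cdn-host.net' are flagged.
    Names under the company's own zones are skipped: a real 'vpn.examplecorp.com'
    or 'support-examplecorp.examplecorp.com' is expected, not suspicious.
    """
    brand = re.escape(company.lower())
    compiled = [(p, re.compile("^" + p.format(company=brand) + "$"))
                for p in ADVISORY_PATTERNS]
    hits: List[Tuple[str, str]] = []
    for name in observed:
        if _under_own_zone(name, own_zones):
            continue
        for label in _labels(name):
            matched = next((p for p, rx in compiled if rx.match(label)), None)
            if matched is not None:
                hits.append((".".join(_labels(name)), matched))
                break  # one alert per domain is enough
    return hits


# Constructed sample feed (placeholder names, not real domains).
SAMPLE_FEED = [
    "support-examplecorp.com",
    "examplecorp-okta.net",
    "vpn.examplecorp.com",                   # legitimate, under own zone
    "support-examplecorp.examplecorp.com",   # legitimate host in own zone
    "ticket-examplecorp.xyz.",               # trailing dot from a raw feed
    "EMPLOYEE-EXAMPLECORP.org",              # mixed case
    "examplecorp-okta.cdn-host.net",         # shape buried in a subdomain
    "unrelated-shop.com",
]

if __name__ == "__main__":
    for domain, pattern in flag_lookalikes("examplecorp", SAMPLE_FEED, ["examplecorp.com"]):
        print(f"ALERT {domain} matches {pattern}")
```

In practice the feed would come from certificate-transparency logs or a registrar's newly-registered-domains list; the allowlist keeps the company's own support and VPN hosts from paging anyone.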
    The phishing pages were made to look like a targeted company’s internal VPN login page, and the sites were also capable of capturing two-factor authentication (2FA) or one-time passwords (OTP), if the situation required.
    Criminal groups then compiled dossiers on the employees working for the companies they wanted to target, usually by “mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.”
    Collected information included: name, home address, personal cell/phone number, the position at the company, and duration at the company, according to the two agencies.
The attackers then called employees using random Voice-over-IP (VoIP) phone numbers or by spoofing the phone numbers of other company employees.
    “The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee,” the joint alert reads.
    “The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP.”
When the victim accessed the link to the phishing site the attackers had created, the cybercriminals logged the credentials and used them in real time to gain access to the corporate account, bypassing the 2FA/OTP protection with the unwitting help of the employee.
    “The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the FBI and CISA said.
    The two cyber-security agencies are now warning companies to keep on the lookout for threat actors targeting their telework (work-from-home) employees using this technique.

    To help companies, FBI and CISA experts shared a series of tips and recommendations for companies and their employees, which we’ll reproduce below.
    Organizational Tips:
    Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
    Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
    Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
    Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
    Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
    Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
    Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
    End-User Tips:
    Verify web links do not have misspellings or contain the wrong domain.
    Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
    Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
    If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
    Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
    Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit the CISA Security Tips.

  • in

    Programming language Rust: Mozilla job cuts have hit us badly but here's how we'll survive

    The open-source project behind the Mozilla-founded systems programming language, Rust, has announced a new Rust foundation to boost its independence following Mozilla’s recent round of pandemic layoffs.  
    Firefox-maker Mozilla’s decision to cut 250 roles or 25% of its workforce last week has taken a toll on the open-source project behind Rust. Mozilla is the key sponsor of Rust and provides much of the language’s infrastructure as well as core talent. 

    Some Mozilla contributors to five-year-old Rust did lose their jobs in Mozilla’s job cuts, causing some speculation that heavier cuts to the team behind Mozilla’s Servo browser engine – a core user of Rust – might pose an existential threat to the young language. 
    Rust’s demise would be bad news for a growing number of developers exploring it for system programming – as opposed to application development – as a modern and memory-safe alternative to C and C++. 
Rust is now in developer analyst RedMonk’s top 20 most-popular language rankings, and it is being used at Amazon Web Services (AWS), Microsoft and Google Cloud among others for building platforms. And while Mozilla is the main sponsor of Rust, AWS, Microsoft Azure and Google Cloud have come on board as sponsors too.
    However, discussing Mozilla’s layoffs, Steve Klabnik, a Rust Core member, has pointed out that the Rust community is much bigger than the number of Mozilla employees who contributed to the project and were affected by the layoffs.
    “Rust will survive,” wrote Klabnik in a post on Hacker News. “This situation is very painful, and it has the possibility of being more so, but Rust is bigger than Mozilla.”
    Nonetheless, as a project born in Mozilla Research and supported heavily by Mozilla, Rust is still currently entrenched in Mozilla’s infrastructure, which, for example, hosts the Rust package manager, crates.io. 
    “Mozilla employs a small number of people to work on Rust full time, and many of the Servo people contributed to Rust too, even if it wasn’t their job,” Klabnik wrote. 
    “[Mozilla] also pays for the hosting bill for crates.io. They also own a trademark on Rust, Cargo, and the logos of both. Two people from the Rust team have posted about their situation, one was laid off and one was not. Unsure about the others. Many of the Servo folks (and possibly all, it’s not 100% clear yet but it doesn’t look good) have been laid off.”
But Klabnik notes that the “vast majority” of Rust contributors are not employed by Mozilla, even though Mozilla’s talent and infrastructure are important to the language’s survival.
    To resolve issues around ownership and control, the Rust Core team and Mozilla are accelerating plans to create a Rust foundation, which they expect to be operating by the end of the year. 
    “The various trademarks and domain names associated with Rust, Cargo, and crates.io will move into the foundation, which will also take financial responsibility for the costs they incur. We see this first iteration of the foundation as just the beginning,” the Rust Core team said in a blog post this week. 
    “There’s a lot of possibilities for growing the role of the foundation, and we’re excited to explore those in the future,” it added. 
Addressing the question of Rust’s demise, the team noted that it was a “common misconception that all the Mozilla employees who participated in Rust leadership did so as a part of their employment”. Instead, some leaders were contributing to Rust on a voluntary basis rather than as part of their job at Mozilla.
    The Rust language project has also selected a team to lead the creation of the Rust foundation, including Microsoft Rust expert Ryan Levick and Josh Triplett, a former Intel engineer and a lead of the Rust language team. 
    Microsoft Azure engineers are exploring Rust for a Kubernetes container tool, and Microsoft recently released a public preview of Rust/WinRT, or Rust for the Windows Runtime (WinRT), to support Rust developers who build Windows desktop apps, store apps, and components like device drivers.
    While a primary sponsor like AWS, Microsoft or Google Cloud could be good news for Rust, the Rust Core team says it doesn’t want to rely too heavily on just one sponsor. 
    “While we have only begun the process of setting up the foundation, over the past two years the Infrastructure Team has been leading the charge to reduce the reliance on any single company sponsoring the project, as well as growing the number of companies that support Rust,” the Rust Core team said.