More stories

    Controversial facial recognition tech firm Clearview AI inks deal with ICE

    The US Department of Homeland Security (DHS) has signed a contract with Clearview AI to give Immigration and Customs Enforcement (ICE) access to the controversial facial recognition firm’s technology. 

    Tech Inquiry, a non-profit technology watchdog and rights outfit, spotted documents revealing the deal last week.
    The $224,000 purchase order, signed on August 12, 2020, is for “Clearview licenses” relating to “information technology components,” but no further information has been made public. The contract will last until September 4, 2021. 
    Tech Inquiry has submitted a Freedom of Information Act (FOIA) request for the contracts and communication between Clearview AI and ICE relating to the award. According to the non-profit, ICE received four bids for the contract, and Clearview was selected. 
    Combining facial recognition searches with ICE, a DHS department already surrounded by controversy due to its detention centers, practices concerning child containment, and now 17 detainee deaths this year, could be an explosive combination. 
    However, this is not the first time ICE has leaned on machine learning and facial recognition systems. Both the FBI and ICE have used state DMV records as a “goldmine” in the search for undocumented immigrants. 
    New York-based Clearview AI provides a search engine tool based on a database of billions of photos scraped from Internet-based public sources. Clearview AI claims the service is only for “identifying perpetrators and victims of crimes” and had been used to track down “hundreds” of criminals.
    “Clearview AI is not a surveillance system and is not built like one,” the company says. “For example, analysts upload images from crime scenes and compare them to publicly available images.”
    Clearview AI CEO Hoan Ton-That told Business Insider that the technology is used by Homeland Security’s Child Exploitation Investigations Unit and this has “enabled HSI to rescue children across the country from sexual abuse and exploitation.”
    While the tool is not available to the public, regulators and privacy advocates alike have raised concerns that it crosses ethical lines. 
    In May, the American Civil Liberties Union (ACLU) filed a lawsuit alleging that Clearview AI is violating the Illinois Biometric Information Privacy Act (BIPA) and “represent[s] an unprecedented threat to our security and safety.”
    Technology companies including Google, Microsoft, and Facebook have also sent cease-and-desist letters to the company, demanding that Clearview AI stop scraping images from their platforms and services.
    IBM, Microsoft, and Amazon have pledged to stop selling facial recognition software to law enforcement agencies due to privacy and surveillance concerns. 
    In July, the UK Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) announced a joint investigation into the startup and a data breach that occurred in February this year. 
    The security incident exposed Clearview AI’s client list, the majority of which are law enforcement agencies across the United States. Customer names, accounts, and the number of searches clients have made were leaked. 
    In related news, researchers have developed a tool that introduces garbage code and small changes to the photos of ourselves made public online. Dubbed Fawkes, the software makes tweaks invisible to the naked eye but substantial enough to prevent machine learning algorithms from connecting photos to individual identities. 

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    US regulators settle with CenturyLink over anti-competition violations

    The US Department of Justice (DoJ) has announced the settlement of anti-competition allegations made against CenturyLink in association with the firm’s acquisition of Level 3 Communications. 

    Louisiana-based Internet Service Provider (ISP) CenturyLink completed the acquisition of Level 3 three years ago. 
    Agreed for $34 billion in cash and stock a year prior, the merger created a huge network provider for enterprise players and consumers with a pro forma revenue of roughly $24 billion in the time period ending May 2017. 
    At the time, 75% of its core revenue was estimated to come from business clients. 
    The deal was delayed for a number of months while the DoJ and US Federal Communications Commission (FCC) approved the sale. 
    CenturyLink reported revenues of approximately $22.4 billion in 2019. 
    Given the increased scope of CenturyLink’s network, regulators set a number of requirements to prevent a monopoly and any potentially anti-competitive practices that could hamper innovation or competition in the networking and communications space. 
    Therefore, the DoJ barred CenturyLink from soliciting former Level 3 customers who chose to switch their services to Syringa, the buyer of the assets divested as a condition of the acquisition, in three local areas including Boise City-Nampa, Idaho. 
    However, US anti-competition regulators alleged that CenturyLink ignored this decree and solicited customers on at least 70 occasions over the course of more than a year. 
    CenturyLink has not denied these claims. 
    On Friday, the DoJ said the violation of anti-competitive requirements led to the creation of the complaint and an unopposed motion to amend the original judgment, filed in the US District Court for the District of Columbia.
    CenturyLink has agreed to extend the non-solicitation period by two years across Idaho and will also appoint an independent compliance monitoring trustee. In addition, the ISP will pay the costs of the investigation into the suspected violations, reported by Reuters as $250,000. 
    The company says that while it disagrees with the claims of violation, the firm is “pleased” that the issue has been resolved, describing the outcome as “reaching a resolution that was in the best interest of all parties.”
    “When a defendant violates the terms of a settlement decree, it must be held accountable to its obligations to the department and the American consumer,” said Assistant Attorney General Makan Delrahim. “Today’s motion to amend the Final Judgment ensures that consumers get the benefit of competition otherwise lost by CenturyLink’s acquisition of Level 3 Communications. I also commend CenturyLink for its cooperation in resolving the department’s concerns.”


    This surprise Linux malware warning shows that hackers are changing their targets

    The revelation from the FBI and National Security Agency that Russian military intelligence has built malware to target Linux systems is the latest dramatic twist in the unrelenting cybersecurity battle.
    The two agencies have revealed that Russian hackers have been using the previously undisclosed malware for Linux systems, called Drovorub, as part of their cyber-espionage operations. The malware allows hackers to steal files and take over devices.

    Drovorub is far from the first piece of malware to target Linux; it’s not even the first piece of Russian malware to target Linux devices. Last year, Microsoft warned about malware that was attacking Internet of Things (IoT) devices, and in 2018 the VPNFilter malware, also likely the work of Russian state-backed hackers, targeted routers. And it’s not just state-backed hackers that Linux users have to worry about either; there’s evidence of password-stealing malware and even some suggestions that ransomware gangs are trying to target Linux, too.
    There’s still a dangerous assumption among many that malware is only a problem for Windows. That might have been more believable a decade or two ago. But the reality is that any computer system that builds up significant market share or plays host to valuable data will now be a target. Linux is increasingly the foundation of many different business systems and vast parts of the cloud. While there are still relatively few threats targeting Linux, there’s no reason why that should remain the case. 
    None of this is to question the quality of Linux’s in-built security, which many argue is stronger because of the open-source nature of the code. Indeed, in this case, the malware only works against relatively old versions of the Linux kernel. But Drovorub is a reminder that hackers and malware writers are increasingly willing to target any and all systems if they think there is a profit, some other advantage – or simply the opportunity for chaos – to be had.
    The most dangerous assumption that many organisations make is that they are not going to be a target. That might be because they think they are too insignificant or because they are too well protected.
    Both of those assumptions are likely to be wrong. Even if your business is modest or niche, you may have customers or suppliers who are more interesting to hackers, who will therefore use your systems as a route to attack them. And what about if you think you are too well defended to be a victim? Well, there are plenty of billion-dollar companies that thought the same – and were wrong.
    These latest revelations show that all systems and all devices can, and probably will, be targeted, even the ones we least expect. Innovations like the IoT and the cloud simply broaden the threat surface organisations will have to secure. And hackers will not abide by old-fashioned ideas about what software and systems are vulnerable to attack. Complacency is our biggest threat. 
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

    For six months, security researchers have secretly distributed an Emotet vaccine across the world

    Image: CDC

    Most of the time, fighting malware is a losing game. Malware authors create their code, distribute payloads to victims via various methods, and by the time security firms catch up, attackers make small changes in their code to quickly regain their advantage in secrecy.
    It has been like this since the late 80s, when malware first appeared on the scene, and despite the claims of most security firms, it will remain like this for the foreseeable future.
    Once in a while, we do get good news from security researchers or law enforcement authorities. Malware authors can slip up and get arrested, or large-scale coordinated efforts manage to bring down larger botnets.
    However, not all malware operations can be hurt this way. Some cyber-criminals either reside in countries that don’t extradite their citizens or have a solid knowledge of what they’re doing.
    Emotet is one of the gangs that checks both boxes. Believed to operate from the territories of the former Soviet States, Emotet is also one of today’s most skilled malware groups, having perfected the infect-and-rent-access scheme like no other group.
    The malware, which was first seen in 2014, evolved from an unimportant banking trojan into a malware Swiss Army knife that, once it infects victims, spreads laterally across their entire network, pilfers any sensitive data, and then turns around and rents access to the infected hosts to other groups.
    Today, Emotet scares IT departments at companies all over the world and has given massive headaches to the entire cyber-security industry.
    Emotet’s secret bug
    But under the hood, Emotet is just a piece of software — just like everything else (malware = malicious software). As such, Emotet also has bugs.
    In the cyber-security industry, there’s a very dangerous moral line when it comes to exploiting bugs in malware, a line many security companies won’t cross, fearing they might end up harming the infected computers by accident.
    However, a rare bug can sometimes appear that is both safe to exploit and has devastating consequences for the malware itself.
    One such bug came to light earlier this year, discovered by James Quinn, a malware analyst working for Binary Defense.
    The fact that Quinn discovered the bug was no accident. In recent years, Quinn’s primary job has been to hunt Emotet and keep an eye on its operations, but also, as a personal hobby, to raise awareness about this threat as part of the Cryptolaemus group. (Read about Cryptolaemus’ fascinating history of hunting Emotet here.)
    While trawling through the daily Emotet updates in February, Quinn spotted a change in the Emotet code — in one of the recent payloads the Emotet botnet was mass-spamming across the internet.
    The change was in Emotet’s “persistence mechanism,” the part of the code that allows the malware to survive PC reboots. Quinn noticed Emotet was creating a Windows registry key and saving an XOR cipher key inside it.

    Image: Binary Defense
    But this registry key wasn’t only used for persistence, Quinn explained in a report that’s set to go live after this article. The key was also part of many other Emotet code checks, including its pre-infection routine.
    Meet EmoCrash
    Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself.
    The script, cleverly named EmoCrash, effectively scanned a user’s computer and generated a correct — but malformed — Emotet registry key.
    When Quinn tried to purposely infect a clean computer with Emotet, the malformed registry key triggered a buffer overflow in Emotet’s code and crashed the malware, effectively preventing users from getting infected.
    When Quinn ran EmoCrash on computers already infected with Emotet, the script would replace the good registry key with the malformed one, and when Emotet would re-check the registry key, the malware would crash as well, preventing infected hosts from communicating with the Emotet command-and-control server.
    Effectively, Quinn had created both an Emotet vaccine and killswitch at the same time. But the researcher said the best part happened after the crashes.
    “Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries,” Quinn said.
    In other words, if EmoCrash were deployed across a network, it could allow system administrators to scan or set up alerts for these two log event IDs and immediately discover when and if Emotet infected their networks.
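    As an added example (not the article’s, and not Binary Defense’s EmoCrash), here is the kind of check a defender could build on those two event IDs: it pulls Application-log events 1000 (Application Error) and 1001 (Windows Error Reporting) from a host and pairs each crash with its follow-up report. Both IDs fire for any crashing program, so the results are filtered by a process-name pattern; the default pattern is a placeholder, because the article does not name the crashed binary.

```powershell
# Added example, not from the article or from Binary Defense: surface Application-log
# crash pairs (Event ID 1000 = Application Error, 1001 = Windows Error Reporting).
# Both IDs fire for any crashing program, so a process-name filter is required;
# the default is a placeholder, since the article does not name the crashed binary.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7,
    [string]$ProcessPattern = 'PLACEHOLDER-suspect-process-pattern',  # assumption: replace with your own indicator
    [int]$PairWindowSeconds = 120
)

$filter = @{
    LogName   = 'Application'
    Id        = 1000, 1001
    StartTime = (Get-Date).AddDays(-$Days)
}

# Oldest first, so each 1000 can be paired with the 1001 that follows it.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ProcessPattern } |
    Sort-Object TimeCreated

$crashes = @($events | Where-Object Id -eq 1000)
$reports = @($events | Where-Object Id -eq 1001)

$findings = foreach ($c in $crashes) {
    # A 1001 shortly after the 1000 is the normal crash-report follow-up for that crash.
    $paired = $reports | Where-Object {
        $_.TimeCreated -ge $c.TimeCreated -and
        ($_.TimeCreated - $c.TimeCreated).TotalSeconds -le $PairWindowSeconds
    } | Select-Object -First 1

    [pscustomobject]@{
        Computer   = $c.MachineName
        CrashTime  = $c.TimeCreated
        Paired1001 = [bool]$paired
        FirstLine  = ($c.Message -split "`r?`n")[0]   # "Faulting application name: ..." on event 1000
    }
}

if (-not $findings) {
    Write-Host "No 1000/1001 crash events matching '$ProcessPattern' in the last $Days day(s) on $ComputerName."
} else {
    $findings | Format-Table -AutoSize
}
```

    Run it against a list of hosts from a management workstation with event-log read rights; a single unpaired 1000 is usually just a normal application crash, so treat the process name and the 1000/1001 pairing together as the signal.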
    Getting EmoCrash in the hands of defenders
    The Binary Defense team quickly realized that news about this discovery needed to be kept completely secret, to prevent the Emotet gang from fixing its code, but they understood EmoCrash also needed to make its way into the hands of companies across the world.
    Compared to many of today’s major cybersecurity firms, all of which have decades of history behind them, Binary Defense was founded in 2014, and despite being one of the industry’s up-and-comers, it doesn’t yet have the influence and connections to get this done without news of its discovery leaking, either by accident or because of a jealous rival.
    To get this done, Binary Defense worked with Team CYMRU, a company that has a decades-long history of organizing and participating in botnet takedowns.
    Working behind the scenes, Team CYMRU made sure that EmoCrash made its way into the hands of national Computer Emergency Response Teams (CERTs), which then spread it to the companies in their respective jurisdictions.
    According to James Shank, Chief Architect for Team CYMRU, the company has contacts with more than 125 national and regional CERT teams, and also manages a mailing list through which it distributes sensitive information to more than 6,000 members. Furthermore, Team CYMRU also runs a biweekly group dedicated to dealing with Emotet’s latest shenanigans.
    This broad and well-orchestrated effort has helped EmoCrash make its way around the globe over the course of the past six months.
    Emotet fixes its code
    In a phone interview on Aug. 14, Binary Defense senior director Randy Pargman said the tool purposely didn’t include a telemetry module, so as not to dissuade companies from installing it on their networks.
    Binary Defense may never know how many companies installed EmoCrash, but Pargman said they received many messages from companies that prevented attacks or discovered ongoing incidents.
    However, both Pargman and Quinn believe the tool had at least some impact on Emotet operations, as the tool helped drive down the number of infected bots available to Emotet operators.
    Binary Defense doesn’t believe the Emotet gang ever found out about their tool, but the gang most likely knew something was wrong. Since February and through the subsequent months, Emotet iterated through several new versions and changes in its code. None fixed the issue.
    Either by accident or by figuring out there was something wrong in its persistence mechanism, the Emotet gang did, eventually, change its entire persistence mechanism on Aug. 6 — exactly six months after Quinn made his initial discovery.
    EmoCrash may not be useful to anyone anymore, but for six months, this tiny PowerShell script helped organizations stay ahead of malware operations — a truly rare sight in today’s cyber-security field.
    And since it’s always funny when security researchers troll malware operators, Quinn also tried to obtain a CVE for Emotet’s buffer overflow bug from MITRE, the organization that tracks security flaws across software programs.
    Sadly, MITRE declined to assign a CVE to Emotet, which would have made it the first malware strain with its own CVE identifier.

    Image: Binary Defense