More stories

  • Musk's Twitter goal of authenticating all users is good for ending bots but bad for humans

    Written by

    Chris Duckett, APAC Editor


    Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

    Say what you will about Elon Musk, and no doubt there is plenty to say, but should the $44 billion deal to buy Twitter close, at least the person in control of the social media site actually uses the damn thing.

    A common criticism across recent years over the direction of Twitter has been whether those at the top use the site like its regular users do. Rather than tackle abuse properly by giving everyone access to the German option of autobanning neo-Nazi and white supremacist content, Twitter gave us Fleets, which didn’t even survive a year. That sort of approach looks really good as a box ticking exercise for project managers, but for users, it looks like the company is distracted and doesn’t really understand its own service.

    Enter Elon Musk with his billions in financing and a plan to remake Twitter.

    “Free speech is the bedrock of a functioning democracy, and Twitter is the digital town square where matters vital to the future of humanity are debated,” Musk said in the official announcement of the deal. “I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans.”

    There is a lot of meaning in that single paragraph to unpack. Even Musk has walked back his prior apparent absolutist approach to free speech, saying if it is legal, it will be allowed. That leaves an awful lot of legal speech that is utterly abhorrent, which Musk will accept.

    “He has a kind of primitive libertarian notion of free speech, which essentially amounts to freedom of the microphone belongs to the person with the loudest voice and the biggest club to beat away anybody else,” executive director of the Dart Centre for Journalism and Trauma at Columbia University Bruce Shapiro said on ABC Radio last week.

    “It’s not really a free speech model. It’s a bullying model, that ends up turning platforms into vehicles for jeering culture wars and indeed, suppressing often more reasoned voices.”

    The big issue for a future Musk Twitter to consider is laws in places other than America. Traditionally a blind spot for US companies at the best of times, for a social network it takes on new meaning when concepts like defamation, hate speech, and authoritarian regimes are added.

    For someone sitting in Australia, reading the words “authenticating all humans” from Musk sounds like the Australian government’s dreams come true. With an election due later this month, the anti-trolling Bill — that was actually a big stick for the powerful and cashed up to potentially start lobbing defamation threats and actions against those they disagreed with — lapsed as Parliament rose. Given the bipartisan backing the concept has, it’s best to think of it as sleeping, rather than deceased.

    The Bill was something that Twitter had raised its own concerns about.

    “Under this bill, online platforms choose between facing liability in court or turning over private sensitive information about users without a legal determination as to whether the content is in fact defamatory under the law,” Twitter Australia’s director for public policy Kara Hinesley said in March.

    “We’ve seen a number of people both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters.

    “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

    Executive director of Digital Rights Watch, James Clark, told ZDNet that anonymity is vital in challenging the powerful.

    “In an age when our digital footprint is more permanent and traceable than ever before, staying anonymous is a way to maintain a private life alongside a public one online,” he said.

    “I would also add that given Musk’s history of intimidating critics and whistleblowers, I imagine there are many people who would be rightfully reluctant to upload identification documents to a platform that he controls.”

    Twitter being a billionaire’s plaything is nothing new — the last one in charge is now using the moniker of Block Head — but it may soon be captured by a shitposting owner focused solely on killing off spambots and pursuing free speech as defined by the US First Amendment. Those in the rest of the world where Musk’s initiatives result in the sort of speech-stifling lawfare he seeks to avoid are likely to be regarded as nothing more than collateral damage, even as they sink under legal fees.

    ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 11:00pm in London.

  • Microsoft's latest Windows 11 test build adds new group policies, drops SMB1 enablement by default

    Written by

    Mary Jo Foley, Contributor


    Mary Jo Foley has covered the tech industry for 30 years for a variety of publications, including ZDNet, eWeek, and Baseline. She is the author of Microsoft 2.


    Microsoft rolled out a new Windows 11 Insider test build, No. 22610, to the Dev and Beta Channels on April 29. This build includes a lot of fixes, along with a handful of new features and updates.

    Today’s test build also no longer enables the SMB1 file-sharing client by default in the name of security. However, testers who have installed SMB1 manually or upgraded from a preview Windows version where SMB1 was installed will not have SMB1 removed from the latest test builds.

    Build 22610 adds new mobile device management and group policies for IT admins. These new policies can be configured locally using the group policy editor or via Microsoft Endpoint Manager. Among the policies available as of today:

      • Disable Quick Settings flyout
      • Disable Notification Center and calendar flyouts
      • Disable all taskbar settings
      • Disable search (across Start & taskbar)
      • Hide Task View from taskbar
      • Block customization of ‘Pinned’ in Start
      • Hide ‘Recommended’ in Start
      • Disable Start context menus
      • Hide ‘All apps’ in Start

    Today’s test build also includes an update to the Family Safety Widget which provides a new location-sharing view to show where those using the Family Safety app are located. There’s also an update that includes “an improved view” of screen time usage across apps and devices.

    For those with PCs that support it, the estimated battery life timing will show up in the battery icon in the system tray.

    Today’s test build does not include the usual build watermark, which typically indicates that Microsoft is closing in on completing a new Windows feature update. However, officials reminded testers “this doesn’t mean we’re done” and said the watermark will be back in a future build. And even once Windows 11 22H2, expected this fall, does “RTM” relatively soon, testers will get updates and fixes for months before 22H2 rolls out to the mainstream.

    Today’s build also disables the tablet-optimized taskbar feature that Microsoft began rolling out in Build 22563. Officials said they are hoping to bring this feature back “after further refinement of the experience.”

    Build 22610 also updates the rename, properties, and optimize icons used in the context menu and command bar to improve discoverability and consistency.

    For a full list of the fixes, updates and known issues in Build 22610, see Microsoft’s blog post.

  • This phishing campaign delivers malware that steals your passwords and chat logs

    A mass phishing campaign is targeting Windows PCs and aims to deliver malware that can steal usernames, passwords, credit card details and the contents of cryptocurrency wallets.

    Detailed by cybersecurity researchers at Bitdefender, RedLine Stealer is offered in a malware-as-a-service scheme, providing even low-level cyber criminals with the ability to steal many different forms of sensitive personal data – for as little as $150.

    The malware first appeared in 2020, but recently RedLine has added additional features and has been widely distributed in mass spam campaigns during April. The mass phishing emails contain a malicious attachment which, if run, will start the process of installing the malware. Victims being targeted are mostly in North America and Europe.

    The malware uses exploits for CVE-2021-26411, a vulnerability in Internet Explorer, to deliver the payload. The vulnerability was disclosed and issued with a patch last year, so the malware can only infect users who have yet to apply the security update.

    After being executed, RedLine Stealer performs initial recon against the target system, scouting for information including usernames, which browsers are installed and whether anti-virus software is running. From there, it seeks out information that can be stolen and then exfiltrates passwords, cookies and credit card data saved in browsers, as well as crypto wallets, chat logs, VPN login credentials and text from files.

    RedLine is available in underground marketplaces and cyber criminals are offered several levels of tiered service, reflecting how malware has become easily available: would-be crooks can ‘lease’ the software for $100 or they can buy a ‘lifetime’ subscription for $800.

    The malware is relatively simple, but it’s potent, with the ability to steal vast amounts of sensitive information, even if the affiliates are relatively inexperienced.

    However, it’s possible to protect against RedLine by applying security patches, particularly for Internet Explorer, as that will prevent the exploit kit from taking advantage of the CVE-2021-26411 vulnerability. It’s also recommended that users keep operating systems, applications and anti-virus software up to date, in order to prevent known vulnerabilities being exploited to help deliver malware.

  • Vulnerable plugins plague the CMS website security landscape

    Vulnerable plugins, extensions, and default settings are responsible for a high rate of website compromise, according to new research.

    Content management systems (CMSs) are frequently used to structure websites and online services, including e-commerce shops, and make it easier for web admins to manage and publish content.

    Plugins and extensions add to website functionality and can provide everything from contact forms to SEO optimization, maps, image albums, and payment options. As a result, they are incredibly popular — but if they are vulnerable to exploitation, their use can put entire websites at risk of being hijacked.

    Sucuri’s 2021 Website Threat Research Report (.PDF) has examined these issues in-depth with a particular focus on CMS usage, including WordPress, Joomla, and Drupal.

    According to the researchers, vulnerable plugins and extensions “account for far more website compromises than out-of-date, core CMS files,” with roughly half of website intrusions recorded by the firm’s clients occurring on a domain with an up-to-date CMS.

    Threat actors will often leverage legitimate — but hijacked — websites to host malware, credit card skimmers, or for the deployment of spam. Sucuri says that websites containing “a recently vulnerable plugin or other extension” are the most likely to be abused in these ways.

    “Even a fully updated and patched website can suddenly become vulnerable if one of the website elements has a vulnerability disclosure and action is not swiftly taken to remediate it,” the researchers commented.

    In addition, webmasters who leave their CMS websites and control panels on default configurations are considered a “serious liability,” especially when multi-factor authentication (MFA) is not implemented or possible.

    The report has listed the most common types of malware found on compromised websites. At the top, we have backdoors — forms of malware that give their operators persistent access to a domain and the ability to exfiltrate data, among other features. Sucuri said over 60% of its website compromise cases involved at least one backdoor.

    In addition, credit card skimmers remain a persistent threat to e-commerce retailers. Skimmers are usually small pieces of code implanted on payment pages, which harvest customers’ card details and transfer them to an attacker-controlled server. They now account for over 25% of new PHP-based malware signatures detected in 2021.

    Spam is also one of the most common forms of website compromise. In total, 52.6% of websites cleared up by the firm contained SEO spam, such as URL redirects, which are used to force visitors to landing pages that display malicious content. Furthermore, the team found evidence of spam injectors that hide spam links in hijacked websites to boost their SEO rankings.

    Most spam-related content relates to pharmaceuticals such as viagra, essay writing services, escorts, gambling, adult websites, and pirated software.

    “While there is no 100% security solution for website owners, we have always advised that a defense in depth strategy be used,” Sucuri says. “Laying defensive controls helps you better identify and mitigate attacks against your website. […] At its core, maintaining a good security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall to filter malicious traffic.”

  • HackerOne acquires code security tester, review service PullRequest

    HackerOne has acquired PullRequest, a code-review-as-a-service platform. 

    The deal was announced on Thursday. No financial details have been disclosed.

    HackerOne is known for its bug bounty platform, a system for security researchers to privately disclose vulnerabilities in services and software to vendors in return for credit and financial rewards.

    However, the organization has also branched out into vulnerability management, cloud environment protection, and application security services.

    Customers include General Motors, GitHub, Google, Microsoft, and PayPal.

    Founded in 2017, PullRequest provides on-demand code reviews by engineers to thousands of organizations. By having more eyes on code before it goes too far down the production line, it is possible to catch vulnerabilities and errors early — and before they could potentially be exploited by threat actors.

    Different languages and frameworks, including Go, Python, PHP, and JavaScript are supported across web, mobile, and other platforms.

    The company previously raised $12.7 million in funding.

    According to HackerOne, the acquisition of PullRequest “builds upon HackerOne’s focus on reducing [its] customers’ attack resistance gap – the space between what organizations can defend and what they need to defend.”

    This “will ultimately help customers release trustworthy software faster by embedding expert security reviewers within their software development lifecycle,” the company added.

    HackerOne CTO Alex Rice says that there is a shift occurring from reactive security — finding and patching bugs after code has been published — to a “developer-first” model that will attempt to eradicate vulnerabilities far sooner in software development cycles.

    Rice commented:

    “Over 70% of organizations claim to integrate aspects of security earlier in development to minimize their attack resistance gap, yet less than 25% of security issues are found during development. Clearly, something more is needed. We’re bringing feedback from security experts to the developer workflow so they can quickly fix bugs and get back to building.”

  • China, India, Russia missing from future of internet pledge by US, EU, and 33 others

    The United States, European Union, ex-EU member the United Kingdom, and 32 other nations have committed to the Declaration for the Future of the Internet [PDF], an agreement to strengthen democracy online by agreeing to not undermine elections by running online misinformation campaigns, or illegally spy on people, the White House said on Thursday.

    The declaration also commits to promote safety, particularly among young people and women, and the equitable use of the internet. Further, the countries have agreed to refrain from imposing government-led shutdowns and committed to providing affordable and reliable internet services.

    Although not legally binding, the declaration states that the principles should be used “as a reference for public policy makers, as well as citizens, businesses, and civil society organizations”.

    In a statement the White House claimed it would work together with partner nations to promote the declaration’s principles, but that a mutual respect should be held for each individual nation’s regulatory autonomy.

    So far, 60 countries have endorsed the declaration, and according to the European Commission, more are expected to join in the coming weeks.

    Notable omissions include India, China, and Russia. Their absence is hardly surprising given that Ukraine is a signatory, and that the declaration calls on countries to refrain from using social score cards, a transparent criticism of China’s social credit score.

    Meanwhile, a senior Biden administration official responded to India’s absence by claiming “the hope remains that time isn’t fully passed yet for India to join”.

    Google responded in support of the declaration, but made clear that the private sector must also play an important role in furthering internet standards when faced with global crisis.

    “Since Russia’s invasion in Ukraine, our teams have been working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, and surface high-quality, reliable information,” said Google in a statement.

    Microsoft president and vice chair Brad Smith shared this sentiment as he claimed in a blog post that governments cannot manage the global challenges facing the management of the internet alone.

    “We need new and innovative internet initiatives that bring governments together with NGOs, academic researchers, tech companies and many others from across the business community,” said Smith.

    Signatories beyond the US, UK, and 27 EU members include: Albania, Andorra, Argentina, Australia, Cabo Verde, Canada, Colombia, Costa Rica, Dominican Republic, Georgia, Iceland, Israel, Jamaica, Japan, Kenya, Kosovo, Maldives, Marshall Islands, Micronesia, Moldova, Montenegro, New Zealand, Niger, North Macedonia, Palau, Peru, Senegal, Serbia, Taiwan, Trinidad and Tobago, Ukraine, and Uruguay.

  • Microsoft readies a built-in VPN for Edge powered by Cloudflare

    Written by

    Mary Jo Foley, Contributor


    Microsoft is looking to give its Edge browser an extra security boost with a coming feature called “Edge Secure Network.” The coming VPN service will be powered by Cloudflare, as noted in a recently discovered Microsoft Support page about the feature. (Thanks to XDA Developers for the link.)

    Edge Secure Network isn’t yet available to Edge Dev Channel testers, and there’s no indication when it will be. The new Secure Network feature requires users to be signed into their Microsoft Accounts and provides 1 GB of free data per month that is tied to users’ Microsoft Accounts.

    Edge Secure Network will encrypt users’ Internet connections by routing data from Edge through an encrypted tunnel to create a secure connection, “even when using a non-secure URL that starts with HTTP,” the support page says. Thanks to this encryption, users will get an extra layer of protection from hackers accessing browsing data via shared public Wi-Fi networks. Cloudflare permanently deletes any diagnostic and support data collected every 25 hours.

    The Edge Secure Network capability also can help prevent online tracking, keep users’ locations private and will be available for free, the support page indicates. Users will get 1 GB of free data every month when they are signed in with their Microsoft Accounts. Instructions for turning on Secure Network, once it’s available, are on the Edge support page article.

    Some other browser vendors like Opera already have VPN integration. And Mozilla, while not integrating its own VPN into Firefox, has made its VPN available separately to customers.

  • Log4j flaw: Thousands of applications are still vulnerable, warn security researchers

    Months on from a critical zero-day vulnerability being disclosed in the widely-used Java logging library Apache Log4j, a significant number of applications and servers are still vulnerable to cyberattacks because security patches haven’t been applied.

    First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j.

    Not only is the vulnerability relatively simple to take advantage of, but the ubiquitous nature of Log4j means that it’s embedded in a vast array of applications, services and enterprise software tools that are written in Java – and used by organisations and individuals around the world.

    It’s why director of US cybersecurity and infrastructure agency CISA, Jen Easterly, described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

    But despite critical warnings over the vulnerability, there are still a large number of Log4j instances operating in the wild that have yet to be patched and are still exposed to cyberattacks.

    According to researchers at cybersecurity company Rezilion, there are over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed.

    The exposed instances were discovered by running searches through Internet of Things (IoT) search engine Shodan – and researchers warn that what’s been discovered is likely “just the tip of the iceberg” in terms of the actual vulnerable attack surface.

    Log4j vulnerabilities leave organisations open to various cyberattacks from cyber criminals who can easily scan for vulnerable instances to exploit. Not long after the Log4j vulnerability was disclosed, attempts were made to deploy ransomware and crypto-mining malware on vulnerable servers.

    State-sponsored hacking groups have also been spotted attempting to take advantage of Log4j vulnerabilities. These include Chinese state-sponsored espionage groups Hafnium and APT41, as well as Iranian-backed hacking groups APT35 and Tunnel Vision.

    While state-sponsored hacking groups are likely to have deep pockets and plentiful resources, the ability to exploit common vulnerabilities is particularly useful as attacks are less likely to leave traces that could be tied to a specific hacking group.

    One of the reasons why Log4j vulnerabilities are still lingering is that the flaw could be deeply ingrained in applications, to the extent that it might not even be clear that the Java logging library is part of that system.

    But there are steps that can – and should – be taken to ensure the network is protected against attacks trying to exploit Log4j, the most vital of which is identifying and patching insecure instances of Log4j. The network should also be regularly examined to help identify potential vulnerabilities.

    “You need to have processes in place that continuously monitor your environment for critical vulnerabilities with an emphasis on third-party code,” said the report.

    If a vulnerable Log4j asset is identified, it’s recommended that information security teams act on the basis that the system has been compromised, to look for signs of potential malicious activity and to prepare to take action.