More stories

  • US Justice Department won't prosecute white-hat hackers under the CFAA

    Good-faith security researchers no longer have to worry about being prosecuted under the Computer Fraud and Abuse Act (CFAA), the US Justice Department said on Thursday. The federal agency released a new memo, which for the first time clarifies that the 1986 law shouldn’t be used to target white-hat hackers. “The department has never been interested in prosecuting good-faith computer security research as a crime,” Deputy Attorney General Lisa O. Monaco said in a statement, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

    The CFAA prohibits accessing a computer without authorization or in excess of authorization. Its interpretation has been a point of contention for years, particularly because it’s not uncommon for good-faith security researchers to fall into legal trouble. Last year, Republican Missouri Governor Mike Parson called for criminal charges against a journalist who found a state website that had exposed teachers’ social security numbers. In 2020, security experts from the firm Coalfire shared how they were arrested at an Iowa courthouse while conducting tests on behalf of the state.

    The DOJ’s new memo clarifies what it means by the “good faith security research” that won’t be prosecuted: “‘Good faith security research’ means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” The memo also states that any “research” conducted with the intent of extortion doesn’t count as good faith.

    The Supreme Court last year limited the scope of the CFAA in Van Buren v. United States, when it ruled that a police officer didn’t violate the law when he searched a license plate database for an acquaintance in exchange for cash. The case put to rest some concerns that a broad interpretation of the CFAA could criminalize a large swath of ordinary computer activity, including violating a website’s terms of service, such as sharing a Netflix password. The new DOJ policy similarly states that the agency won’t pursue CFAA cases that deal only with terms-of-service violations. It gives examples like “embellishing an online dating profile contrary to the terms of service of the dating website” or “creating fictional accounts on hiring, housing, or rental websites.”

  • Cyberattacks and misinformation activity against Ukraine continues, say security researchers

    The cyber offensive against Ukraine continues with malware attacks and the spread of misinformation, according to security researchers.

    So far, Russian, pro-Russian, and Belarusian cyberattackers have employed the most comprehensive array of methods to achieve “tactical and strategic objectives, directly linked to the conflict itself,” according to research by security company Mandiant. However, the impact may be felt more broadly, as hackers working for other countries, including China and Iran, are attempting to push their own agendas. “While these operations have presented an outsized threat to Ukraine, they have also threatened the US and other Western countries,” the Mandiant researchers say. “As a result, we anticipate that such operations, including those involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses.”

    Even before Russia’s invasion began, Ukrainian government websites were defaced and tampered with in January, with Russian hackers accused of being behind the attack. Russia invaded on February 24. A day prior, Ukraine’s State Service of Special Communications and Information Protection said the websites of the Ministry of Foreign Affairs, Ministry of Defense, Security Service, and various banks, among others, experienced outages due to a distributed denial-of-service (DDoS) attack. The cyber offensives have continued since then.

    “Concerted information operations have proliferated, ranging from cyber-enabled information operations, including those that coincided with disruptive and destructive cyber threat activity, to campaigns leveraging coordinated and inauthentic networks of accounts to promote fabricated content and desired narratives across various social media platforms, websites, and forums,” the Mandiant researchers say.

    When it comes to Russia, the researchers say that most current activity is “disruptive and destructive” and includes the deployment of wiper malware. ESET has documented strains, including CaddyWiper, used in targeted, limited campaigns. Some wiper variants have been detected on networks belonging to Ukrainian organizations. Another wiper, dubbed Junkmail, was executed on a Ukrainian organization’s network a few hours before Zelenskyy delivered a speech to the US Congress.

    But malware is not the only activity of concern. In March, the group known as Secondary Infektion spread a fake message via the Ukraine 24 website claiming that Ukraine had surrendered, going so far as to circulate a deepfake video of Ukrainian President Zelenskyy delivering the message. While this group continues to promote fake stories, Ghostwriter has also been active of late. In February, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that the group, also tracked as UNC1151, was responsible for an array of misinformation campaigns, phishing attempts, and attacks against Ukrainian targets. The group is apparently aligned with Belarusian state interests.

    A new campaign tied to Ghostwriter, discovered by Mandiant, is pushing false narratives about refugees, while other groups run a misinformation campaign aimed at an “aggressive defense of Russian strategic interests,” according to the researchers. These activities appear to overlap with Ghostwriter’s, suggesting possible collaboration between the teams. Fake narratives are also being spread to try to damage relations between Ukraine and Poland, including content that portrays refugees as a burden.

    APT28, also known as Fancy Bear, continues to post content on Telegram channels related to the conflict, focusing on “weakening Ukrainians’ confidence in their government and its response to the invasion.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Apple spits at Facebook, Google and, oh, the whole internet really

    She’s shocked, I tell you. So shocked. (Screenshot by ZDNet)
    Does Apple really care about you? Overall, though, the company has done an excellent job of positioning itself as the (only) tech behemoth that’s conscious of humanity’s true meaning.


    In recent years, Apple has made privacy one of the core tenets of its brand. While all the other tech companies are busily raiding every element of your life and selling it, Apple is merely selling you expensive hardware coupled with increasingly expensive and expansive software. So in its role as guardian of your galaxy, Cupertino released a new ad in which it tries to show what’s really happening to you every day.

    A young woman is in an effortlessly retro record store. Suddenly, this record store transitions into an auction room. Why this record store? Oh, why not, I suppose. The whole point is to tell you that wherever you are, your personal data is being auctioned to the highest bidder. Which the protagonist of this ad, Ellie, seems not to have known. Could this be true? Surely she has an iPhone. Apple would only ever feature people who look like they own an iPhone in its ads. (We later discover that, gosh, she does.) It follows, then, that she must have seen the entreaties from Apple every time she’s opened an app, the ones encouraging her to ask the app not to track her.

    It’s a curious phrase. That you have to politely ask a thief to get out of your house? For thievery is precisely what’s being portrayed here. Various data brokers are bidding to sell Ellie’s personal data to anyone and everyone. Though I must say, these data brokers are remarkably well dressed. Wasn’t Apple at least tempted to show the true grubbiness of some of them?


    Ellie is startled that these people are picking over every morsel of her life. From her emails to her drugstore purchases to her location data to her grandmother. Well, her grandmother’s contact information. How could this be? The sheer effrontery.

    There’s an odd psychology at this point. Having been completely aghast that this is going on, she reaches for her iPhone and asks an app called CarryOut not to track her. As if she’s never seen one of these prompts before. This causes the well-dressed data brokers to disappear. My, CarryOut must be an evil sort.

    Of course, Apple is trying, again, to reassure customers that it cares about their lives, even if the company doesn’t exactly stop your data from being collected by apps. It is, too, something of a sadness that, as former Twitter CEO Jack Dorsey recently observed, the internet was created by such wise brains as himself in such a centralized way.

    But the real purpose of this ad is to present Facebook, Google and friends as thieves and Apple as the Holy Order of St. Timothy. Apple’s App Tracking Transparency prompts have hurt both Facebook’s and Google’s business. So much so that Google recently made the concession that Android 13 will limit the data that apps can pilfer from your heart.

    For Apple, though, the issue is even broader. The swirling clouds of antitrust hover above the Spaceship. What better way to make regulators believe you’re the good one than by presenting yourself as the protector of the human soul?

  • This Russian botnet does far more than DDoS attacks – and on a massive scale

    An investigation into the Fronton botnet has revealed far more than the ability to perform DDoS attacks, with the exposure of coordinated inauthentic behavior “on a massive scale.”

    On Thursday, cybersecurity firm Nisos published new research revealing the inner workings of the unusual botnet. Fronton first hit the headlines back in 2020, when ZDNet reported that a hacktivist group claimed to have broken into a contractor for the FSB, Russia’s intelligence service, and published technical documents appearing to show the construction of the IoT botnet on the intelligence service’s behalf.

    At the time, it was thought that the botnet was destined to perform distributed denial-of-service (DDoS) attacks on a vast scale. However, after analyzing further documents related to Fronton, Nisos believes that DDoS attacks are only one of many capabilities. Instead, Nisos says Fronton is “a system developed for coordinated inauthentic behavior,” and the inclusion of particular software, dubbed SANA, shows that the botnet’s true purpose could be the rapid, automated spread of misinformation and propaganda.

    SANA consists of a web-based dashboard and a variety of functions, including:

      • Newsbreaks: tracks messages, trends, and their responses
      • Groups: bot management
      • Behavior Models: functions for creating bots able to impersonate human social media users
      • Response Models: how to react to messages and content, including breaking news
      • Dictionaries: stores phrases, words, quotes, and comments for use across social media, including positive, negative, and neutral reactions
      • Albums: stores image sets for platform bot accounts

    SANA also permits users to create social media accounts with generated email addresses and phone numbers, and to spread content across social networks, blogs, forums, and more. In addition, users can set schedules for posts and reactions, and the configuration includes how many likes, comments, and reactions a bot should create. According to the researchers, Fronton operators can also specify how many ‘friends’ a fake bot account should maintain.

    “The configurator also allows the operator to specify a minimum frequency of actions, and a minimum interval between actions,” the researchers say. “It also appears that there is a machine learning (ML) system involved that can be turned on or off based on behavior observed on social media.” As of April 2022, the web portal has moved to a different domain but remains active.

  • Patch these vulnerable VMware products or remove them from your network, CISA warns federal agencies

    Organizations should immediately patch or remove VMware products affected by newly disclosed critical flaws, warns the US Cybersecurity and Infrastructure Security Agency (CISA). The drastic measure of removing the products if they can’t be patched is based on past exploitation of critical VMware flaws within 48 hours of disclosure, according to CISA.


    VMware on Wednesday 18 May disclosed multiple security flaws in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

    The vulnerabilities are tracked as CVE-2022-22972 and CVE-2022-22973: respectively, an authentication bypass with a CVSS severity score of 9.8 out of 10, and a local privilege escalation vulnerability with a score of 7.8. An attacker with network access to the management user interface could obtain administrative access without authenticating, VMware warns in an advisory. Patches are available and VMware is urging customers to apply them or mitigate the issues immediately, warning in a separate blog post that the “ramifications of this vulnerability are serious”.

    CISA has told US federal civilian agencies to immediately patch or remove the affected products on the basis of the near-immediate and widespread exploitation of two VMware flaws – CVE-2022-22954 and CVE-2022-22960 – in the same products in April. VMware released patches for them in April, but attackers quickly reverse engineered the patches and chained the two flaws together for exploitation. “Malicious cyber actors were able to reverse engineer the vendor updates to develop an exploit within 48 hours and quickly began exploiting these disclosed vulnerabilities in unpatched devices,” CISA said. “Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022.” Security firm Rapid7 observed active exploitation in the wild on April 12, six days after VMware issued patches. Soon after, several public proof-of-concept exploits were being used to install coin miners on vulnerable systems.

    Attackers chained CVE-2022-22954 (a server-side template injection issue affecting VMware Workspace ONE Access and Identity Manager) with CVE-2022-22960 (a local privilege escalation bug) to escalate to root privileges. CISA issued an emergency directive requiring federal agencies to immediately patch the April VMware flaws, as it had done with the Apache Log4j “Log4Shell” flaws. The agency has now issued the same directive to federal agencies for the latest VMware flaws, noting that they “pose an unacceptable risk” to federal civilian agencies.

    “CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products. Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972),” it says. Cybersecurity authorities from other nations have not issued alerts about the latest VMware flaws. CISA, however, recommends that all organizations patch them swiftly if vulnerable systems are accessible from the internet. VMware has published mitigation steps for some of the affected products.

  • Why you should install iOS 15.5 now

    Written by Adrian Kingsley-Hughes, Contributor

    Adrian Kingsley-Hughes is an internationally published technology author who has devoted over two decades to helping users get the most from technology — whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs.

    Apple released iOS 15.5 on Monday, and while we already knew what new features this release brought with it before it shipped, there were a few things we didn’t know that have since become clear. First, we now have information on the security content of the release.


    This is a big pile of patches — over two dozen. To make matters more serious, quite a few of these can be triggered remotely, and some through malicious websites. And while none of the patched vulnerabilities seem to be actively exploited by attackers at this time, it makes sense to get the update installed as soon as possible so that you’re protected. Better to be safe than sorry. Apple publishes the security content of iOS 15.5, and of all its updates, on its security updates page.

    One of the reasons that people quote for not updating promptly is a worry that the update is going to cause more harm than good. While Apple certainly has had more than its fair share of flaky updates over the years, I’m happy to report that this doesn’t seem to be one of them. The testing I’ve carried out suggests that battery life following this update is good — it’s certainly no worse than the previous update — and so there are no nasty shocks coming your way in this department. I’ve also been testing performance and overall usability, and again, nothing showstopping has unveiled itself. If anything, I feel like my iPhone is a little more responsive following this update, although such small changes are hard to measure. On the benchmarking front, iOS 15.5 seems to be on par with iOS 15.4.1. No better, but also no worse. And that’s a win.

    To check what version of iOS your device is running, tap on Settings > General, then on Software Update. Here you will not only be able to see what version of iOS your iPhone is running, but you can also download and install any updates you’ve missed. And it doesn’t take long. On a half-decent internet connection, your iPhone will be done in under 30 minutes.

    And it’s not just your iPhone that will need updating — there are also updates for iPadOS, watchOS, tvOS, and macOS out in the past few days. So get busy updating!

  • Google: These 'curated' open-source packages will improve software supply chain security

    Google aims to boost software supply chain security with an initiative that promises to offer enterprise open-source software users access to the same vetted packages its own developers use to build and maintain code. Google cited a 650% year-on-year increase in cyberattacks aimed at open-source software suppliers, with attackers exploiting weaknesses in the ecosystem to go after downstream targets. “That’s what we’ve been having a real hard look at, is fundamentally how to get ahead of any digital supply chain problems so we’re not in the same position we’re in today on the physical supply chain,” said Sunil Potti, VP of Google Cloud Security.

    “And the equivalent of that in the digital supply chain is open-source software. In our opinion, while we’ll have to take an end-to-end view of securing the supply chain, pretty much every company on the planet is exposed to open source software,” he added.

    The packages offered to Google Cloud customers as the Assured Open Source Software service are signed by Google and are regularly scanned and analysed for vulnerabilities, so that users are as protected against bugs and exploits as possible. They are built on Google’s Cloud Build platform, with evidence of verifiable compliance with SLSA (Supply chain Levels for Software Artifacts), a security framework and checklist of controls intended to prevent code tampering and improve package integrity, and they are distributed from an Artifact Registry secured and protected by Google. This mirrors the process used within Google, where each step of the build is secured across the end-to-end process and separate, secured copies of the source code are maintained. “Assured OSS allows enterprise customers to directly benefit from the in-depth, end-to-end security capabilities and practices we apply to our own OSS portfolio by providing access to the same OSS packages that Google depends on,” said a Google blog post.

    Supply chain weaknesses are a common route for cyber criminals, and many incidents begin with attackers exploiting newly disclosed vulnerabilities in widely used components. Even once a security patch is available, organisations can be slow to roll it out, leaving them exposed. With the new offering, Google Cloud hopes to make managing open-source and supply chain vulnerabilities easier, and therefore to help organisations of all sizes stay secure against cyberattacks.

    “It’s a way for every customer – it could be a two-person shop to a 100,000 employee bank – who leverages or builds code to rely on a curated set of open source packages that Google themselves have invested in to protect our own developers over many years, that we’re now bringing to market in the form of this Assured Open Source package,” said Potti.
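    What a consumer of SLSA-attested packages actually checks, as an added example that is not Google's Assured OSS tooling or any code from the article: after the attestation's signature has been verified by the consumer's tooling (that step is assumed done and is out of scope here), the artifact's SHA-256 digest must match a subject listed in the in-toto statement, and the builder identity recorded in the SLSA provenance predicate must be one the consumer trusts. The artifact bytes, the statement, and the builder URL below are all constructed sample data; the in-toto Statement v0.1 and SLSA provenance v0.2 field names are the published ones.

```python
"""Verify a build artifact against an in-toto / SLSA provenance statement.

Added example, not Google's Assured OSS code. Signature verification of the
attestation envelope is assumed to have happened already; this shows the two
content checks that follow it:
  1. the artifact's SHA-256 digest is listed as a subject of the statement;
  2. the builder recorded in the provenance is one the consumer trusts.
All inputs here are constructed sample data.
"""
import hashlib
import json

# Constructed: bytes of a downloaded package archive.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed-package-contents example-lib 1.2.3"

# Hypothetical builder identity. A real consumer pins the builder id that the
# operator of the build service publishes, not a string from a downloaded file.
TRUSTED_BUILDERS = {"https://builder.example/cloud-build"}

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, builder_id: str) -> str:
    """Build a constructed in-toto statement carrying a SLSA v0.2 predicate."""
    return json.dumps({
        "_type": STATEMENT_TYPE,
        "subject": [
            {"name": "example-lib-1.2.3.tar.gz",
             "digest": {"sha256": sha256_hex(artifact)}},
        ],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/build/v1",   # hypothetical
            "materials": [
                {"uri": "git+https://example.com/example-lib@refs/tags/v1.2.3"},
            ],
        },
    })


# Constructed attestation that matches SAMPLE_ARTIFACT and the trusted builder.
SAMPLE_STATEMENT = make_statement(SAMPLE_ARTIFACT, "https://builder.example/cloud-build")


def verify_provenance(statement_json: str, artifact: bytes, trusted_builders: set):
    """Return (ok, reason). Fails closed on any unexpected shape."""
    stmt = json.loads(statement_json)
    if stmt.get("_type") != STATEMENT_TYPE:
        return False, "unexpected statement type"
    if stmt.get("predicateType") != SLSA_PREDICATE:
        return False, "unexpected predicate type"

    # Check 1: the bytes we hold must be one of the attested subjects.
    attested = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if sha256_hex(artifact) not in attested:
        return False, "artifact digest not attested"

    # Check 2: provenance is only meaningful if we trust who produced it.
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    return True, "ok"


if __name__ == "__main__":
    print(verify_provenance(SAMPLE_STATEMENT, SAMPLE_ARTIFACT, TRUSTED_BUILDERS))
    print(verify_provenance(SAMPLE_STATEMENT, SAMPLE_ARTIFACT + b"tampered", TRUSTED_BUILDERS))
```

    The digest check is what catches a swapped archive; the builder check is what stops an attacker from simply shipping their own well-formed provenance alongside a malicious package. Neither replaces verifying the signature on the attestation, which is why that is assumed to have happened first.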

  • FBI and NSA say: Stop doing these 10 things that let the hackers in

    Cyber attackers regularly exploit unpatched software vulnerabilities, but they also “routinely” target security misconfigurations for initial access, so the US Cybersecurity and Infrastructure Security Agency (CISA) and its peers have created a to-do list for defenders in today’s heightened threat environment. CISA, the FBI and the National Security Agency (NSA), together with cybersecurity authorities from Canada, New Zealand, the Netherlands, and the UK, have compiled a list of the weak security controls, poor configurations, and poor security practices that attackers most commonly abuse for initial access, along with the authorities’ collective recommended mitigations.

    “Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” CISA says.

    The list of actions includes the obvious candidates, such as enabling multi-factor authentication (MFA) on key systems such as virtual private networks (VPNs), which are nonetheless prone to misconfiguration when implemented in complex IT environments. For example, last year Russian hackers combined a default fail-open policy shared by multiple MFA solutions with a Windows Print Spooler privilege escalation flaw to disable MFA for active domain accounts and then establish remote desktop protocol (RDP) connections to Windows domain controllers. This complexity can also be seen in the choice, deployment and use of VPNs, whose adoption escalated after the pandemic struck. Recent research by Palo Alto Networks found that 99% of cloud services utilize excessive permissions, against the well-known principle of least privilege that limits an attacker’s opportunities after a breach.

    The security controls outlined in CISA’s list serve as a useful checklist for organizations, many of which deployed remote-working IT infrastructure hastily during the pandemic, and amid today’s heightened geopolitical tensions over Russia’s invasion of Ukraine. It also follows the EU joining the US and its Five Eyes partners in jointly blaming the Russian military for this year’s cyberattack against Viasat’s European satellite broadband users.

    As noted in the joint alert, attackers commonly exploit public-facing applications and external remote services, and use phishing to obtain valid credentials and abuse trusted relationships and valid accounts. The joint alert recommends that MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware. “Do not exclude any user, particularly administrators, from an MFA requirement,” CISA notes.

    Incorrectly applied privileges or permissions and errors in access control lists can prevent the enforcement of access control rules and could give unauthorized users or system processes access to objects. Of course, make sure software is up to date. But also don’t use vendor-supplied default configurations or default usernames and passwords. These might be ‘user friendly’ and help the vendor deliver faster troubleshooting, but they’re often publicly available ‘secrets’. The NSA strongly urges admins to remove vendor-supplied defaults in its network infrastructure security guidance. “Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup,” CISA notes. “These default credentials are not secure – they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software.”

    CISA notes that remote services, such as VPNs, often lack sufficient controls to prevent unauthorized access. Defenders should add access control mechanisms like MFA to reduce risk. Also, put the VPN behind a firewall, and use IDS and IPS sensors to detect suspicious network activity. Other key problems include: strong password policies not being implemented; open ports and internet-exposed services that attackers can scan for; failure to detect or block phishing using Microsoft Word and Excel documents booby-trapped with malicious macros; and poor endpoint detection and response.
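    The access control list error the advisory warns about is usually an ordering mistake rather than a missing rule. The following is an added example, not code from CISA or the article: a first-match ACL evaluator with a constructed rule set that was meant to block RDP (TCP/3389) from the internet but never does, because a broad allow rule sits above the deny and shadows it, placed beside the corrected ordering. A second function finds such shadowed rules, which is the check a defender would run over a real ruleset. The address ranges, the port, and the rule tuples are all constructed sample data.

```python
"""First-match ACL evaluation: why rule order decides what is really exposed.

Added example, not from the CISA advisory. Rules are (action, source network,
destination port or None for any port) and are evaluated top-down, first match
wins, as most firewall and router ACLs do. All data here is constructed.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
CORP = ipaddress.ip_network("10.0.0.0/8")      # constructed corporate range
RDP = 3389

# Broken: a 'temporary' broad allow added during a remote-work rollout sits
# above the RDP deny, so the deny can never match and RDP is open to the world.
MISORDERED_ACL = [
    ("allow", ANY, None),
    ("deny", ANY, RDP),
    ("allow", CORP, RDP),
]

# Corrected: most specific first, explicit deny before the catch-all allow.
CORRECTED_ACL = [
    ("allow", CORP, RDP),
    ("deny", ANY, RDP),
    ("allow", ANY, None),
]


def evaluate(acl, src_ip: str, dst_port: int, default: str = "deny") -> str:
    """Return the action of the first rule matching (src_ip, dst_port)."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in acl:
        if src in net and (port is None or port == dst_port):
            return action
    return default   # implicit deny when nothing matches


def find_shadowed_rules(acl):
    """Indexes of rules that can never match: an earlier rule already covers
    every packet they would match (source is a subnet of the earlier source,
    and the earlier rule is port-agnostic or has the same port)."""
    shadowed = []
    for i, (_, net, port) in enumerate(acl):
        for _, earlier_net, earlier_port in acl[:i]:
            if net.subnet_of(earlier_net) and (earlier_port is None or earlier_port == port):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    internet_host = "203.0.113.5"   # constructed external address
    print("misordered, internet -> RDP:", evaluate(MISORDERED_ACL, internet_host, RDP))
    print("corrected,  internet -> RDP:", evaluate(CORRECTED_ACL, internet_host, RDP))
    print("shadowed rules in misordered ACL:", find_shadowed_rules(MISORDERED_ACL))
```

    Running the shadow check as part of change review catches the misordering before it reaches a device; reviewing the deny rule on its own would not, since the rule text is correct and only its position is wrong.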
    CISA’s recommendations include access control measures, credential hardening, centralized log management, antivirus, detection tools and vulnerability scanning, configuration management programs, and patch management. CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal; US federal agencies have until 2024 to make significant headway on this aim. The full list of security ‘don’ts’ includes: