Information Technology

Image: Getty Images
Card-skimming malware is increasingly using malicious PHP script on web servers to manipulate payment pages in order to bypass browser defenses triggered by JavaScript code, according to Microsoft. Microsoft threat researchers have observed a change in tactics used by card-skimming malware. Over the past decade, card skimming has been dominated by so-called Magecart malware that relies on JavaScript code to inject scripts into checkout pages and deliver malware that captures and steals payment card details.  

Injecting JavaScript into front-end processes was “very conspicuous”, Microsoft notes, because it might have triggered browser protections like Content Security Policy (CSP) that stop external scripts from loading. Attackers found less noisy techniques by targeting web servers with malicious PHP scripts.SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systemsMicrosoft in November 2021 found two malicious image files, including one fake browser favicon, being uploaded to a Magento-hosted server. Magento is a popular e-commerce platform. The images contained embedded PHP script, which by default didn’t run on the affected web server. Instead, the PHP script only runs after confirming, via cookies, that the web admin is not currently signed-in, in order to only target shoppers. Once the PHP script was run, it retrieved the current page’s URL and looked for “checkout” and “one page”, two keywords that are mapped to Magneto’s checkout page. “The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained.There has been a rise in the use of malicious PHP in card-skimming malware. The FBI last week warned of new cases of card-skimming attackers using malicious PHP to infect US business’ checkout pages with webshells for backdoor remote access to the web server. Security firm Sucuri found that 41% of new credit card-skimming malware observed in 2021 was related to PHP skimmers targeting backend web servers. Malwarebytes earlier this month said Magecart Group 12 was distributing new webshell malware that dynamically loads JavaScript skimming code via server-side requests to online stores. “This technique is interesting as most client-side security tools will not be able to detect or block the skimmer,” Malwarebytes’ Jérôme Segura noted.  “Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.”       But malicious JavaScript remains part of the card-skimming game. For example, Microsoft found examples of card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. This can trick admins into thinking the scripts are benign.  More

It was one of the largest cyber-espionage attacks of recent times: hackers compromised several United States government federal agencies as well as big tech companies, and were inside networks for months before anyone spotted them. These attackers were later revealed to be working for the Russian foreign intelligence service (SVR), and they started their attack in an unexpected way, by targeting a software company called SolarWinds. The hackers accessed builds of the company’s Orion software, and then placed malware into software updates sent out to SolarWinds customers between March and June 2020. The software is used by thousands of organisations around the world. Applying security updates and patches is generally regarded as good cybersecurity practice to protect against software vulnerabilities being exploited to facilitate cyberattacks, so organisations around the world installed the Orion updates from a source they trusted. But it was that action itself that allowed the attackers in. 

ZDNet Recommends

“It became clear early on the threat actor employed novel and sophisticated techniques indicative of a nation-state actor and consistent with the goal of cyber espionage via a supply chain attack. In addition, the operational security of the threat actor was so advanced, they not only attacked SolarWinds but were able to leverage the Sunburst malicious code and avoid detection in some of the most complex environments in the world,” SolarWinds said in its investigation after the attack.SEE: A winning strategy for cybersecurity (ZDNet special report)Among those compromised by the supply chain attack were the US Treasury Department, the Department of Homeland Security, the US Department of State, as well as cybersecurity companies including Microsoft, FireEye and Mimecast. In total, somewhere around 100 companies were targeted by the attackers.Attackers had been active in the network for months before the attack was discovered in December 2020, when FireEye and Microsoft found intrusions into their networks.  The attack on SolarWinds was disclosed just weeks before Sudhakar Ramakrishna was set to take up his new position as CEO of the company in January 2021. Due to the magnitude of the situation, he chose to get involved with the company’s attempt to investigate and resolve the incident right away. “It was a stressful time for all involved,” he told ZDNet. “When the business is in a state of turmoil and crisis, there isn’t time to sit on the sidelines. The decision to jump in and start working with the team was simple.” The first thing that had to be done was to examine what exactly had happened, how it had remained undetected for so long, and how to ensure it can never happen again. Part of that involved bringing in the services of Krebs Stamos Group – a cybersecurity consultancy set up by former US government cybersecurity chief Chris Krebs, and Stanford University professor and ex-Facebook chief security officer Alex Stamos. The UK’s National Cyber Security Centre (NCSC) was also involved in helping SolarWinds in the aftermath of the incident.  But one policy Ramakrishna wanted to introduce from day one was the concept of ‘Secure by Design’ – building products with security more than anything else in mind. Many organisations and software developers say they take security seriously, but when there’s deadlines to meet or products to repeatedly roll out updates for, software security can often get left on the sidelines. “The notion of secure by design, I had it in my mind and in practice at some level well before I joined SolarWinds,” Ramakrishna explains. “Between the time I came to know about the breach and the time I joined, I started formulating my thoughts in terms of how do we organise around secure by design, what does that mean and what are the various elements of that? Then essentially went about business on day one in terms of implementing that as a process.”  Much of this secure by design philosophy applies directly to the software build system, with the process now designed around cybersecurity as the priority. One of the reasons that cyber attackers were able to conduct the supply chain attack was because of the static nature of the software-building process, where everything is done within one pipeline of development. While that’s useful for developers, it also provides a handy target for the attackers.Now, SolarWinds uses a system of parallel builds, where the location keeps changing, even after the project has been completed and shipped. Much of this access is only provided on a need-to-know basis. That means if an attacker was ever able to breach the network, there’s a smaller window to poison the code with a malicious build. “What we’re really trying to achieve from a security standpoint is to reduce the threat window, providing the least amount of time possible for a threat actor to inject malware into our code,” said Ramakrishna. But changing the process of how code is developed, updated and shipped isn’t going to help prevent cyberattacks alone, which is why SolarWinds is now investing heavily in many other areas of cybersecurity. These areas include the likes of user training and actively looking for potential vulnerabilities in networks. Part of this involved building up a red team, cybersecurity personnel who have the job of testing network defences and finding potential flaws or holes that could be abused by attackers – crucially before the attackers find them. Importantly, the rest of the company doesn’t know what tactics and techniques are going to be used in tests against the network and staff – because cyber criminals and hackers don’t declare exactly how they’re going to conduct campaigns, either. “They are paid to attack our internal systems, our behaviors and our internal practices. That improves the overall security consciousness of the company and that improves the overall security posture of the company,” Ramakrishna explained. Analysis is performed to examine which techniques and vulnerabilities are successfully used to launch attacks – but crucially, nobody is made an example of. All of the information gathered from red teaming is put back into teaching everyone how to identify cyberattacks, phishing emails and other malicious activity to help drive good cybersecurity hygiene.  SEE: How do we stop cyber weapons from getting out of control?But Ramakrishna and SolarWinds know that implementing new cybersecurity procedures isn’t just a one-time initiative, it’s something that needs to be repeatedly revisited as threats change, new vulnerabilities emerge, and offensive hacking techniques evolve. “Increasingly, this will simply become part of the fabric of the company and we won’t have to talk about it in explicit terms as much as just believing in it and working on it on a daily basis,” he says, as SolarWinds works to ensure that something like the supply chain attack can’t happen again by making the network more robust and taking a more proactive approach to detecting potential malicious activity. The company also hopes to take the lessons it has learned and help its worldwide customer base improve their cybersecurity.  “We are evolving and helping them digitally transform much faster into the future,” said Ramakrishna. “My hope also is that things like the build system that we have created will become more and more standards in the industry that others can leverage as well”. By sharing what happened, SolarWinds hopes that other organisations can also learn lessons and improve their own cybersecurity strategies, because anyone can potentially be the victim of a cyberattack, particularly if those behind it have vast resources, such as the state-backed operation that breached SolarWinds. “No one is immune, so you cannot think that it will not happen to you. It could happen to you, so just be vigilant about things and constantly learn,” said Ramakrishna. “Don’t try to fight it alone or don’t wish the problem goes away because the problem is not going to go away,” he added. SEE: Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned upSolarWinds is implementing secure by design in its software build process and recommends that all organisations ensure they have cybersecurity frameworks in place to help manage security at every step of the way when conducting business, no matter what that may be. Most victims of cyberattacks don’t speak out about them, and some will never publicly acknowledge they fell victim. But for Ramakrishna, the best way of showing other businesses what threats are out there and how to protect against them is to openly talk about what happened at SolarWinds – and he hopes that others can learn about what happened to help protect their own networks. “I believe the best and maybe the only way to be most safe and secure is by information-sharing more transparently more quickly,” he said. “If you are creating a situation where there is a lot of victim-shaming that goes on, then people do not step forward to highlight what they are learning”. For SolarWinds, there’s also an element of maintaining trust. The company fell victim to one of the most infamous cyber incidents of recent times and Ramakrishna argued it was only right to be transparent with customers about what happened  “I truly believe you owe it to them: how can you earn that without being transparent?” he says. MORE ON CYBERSECURITY More

IBM has expanded a program to improve the cybersecurity defenses of public schools with $5 million in grants. On Tuesday, IBM said $5 million of in-kind grants would be awarded to public schools, including K-12 institutions in the United States. While IBM’s existing grants program has previously focused on US schools, the scheme has now expanded to other countries. 

IBM said these programs are necessary to “help address cybersecurity resiliency in schools, including against ransomware.” SEE: Just in time? Bosses are finally waking up to the cybersecurity threatIn total, six grants are being awarded to US school districts. In addition, four grants are destined for Brazil, Costa Rica, Ireland, and the United Arab Emirates. Each award is worth $500,000, bringing the total to $5 million in resources and hours.  The program is part of IBM’s Corporate Social Responsibility initiatives under IBM Impact, including social, environmental, and governance projects.  IBM teams will work with schools to audit existing defenses and create playbooks for incident response. In addition, they will address cybersecurity awareness and training for staff, students, and parents, and develop a management-level strategic plan for handling communication in the aftermath of a cyberattack.  According to Emsisoft research, more than 1,000 educational establishments in the US alone suffered a ransomware attack in 2021, including school districts, colleges, and universities.  The researchers say that 2,323 local governments, schools, and healthcare providers in the US public sector became the victims of ransomware operators during the course of the past year.  “For schools, a large barrier to strengthening their cybersecurity posture often comes down to constrained budgets, which financially motivated threat actors bet on,” commented Charles Henderson, head of IBM Security X-Force. “In the event of ransomware attacks, the extreme added pressure schools experience to pay a ransom to recover their operations is a profitable wager for the bad guys.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Image: Getty Images
Much like how car manufacturers had to be forced to implement safety features such as seat belts, Australian eSafety Commissioner Julie Inman Grant believes social platforms and tech giants need to be guided by international standards. “What we’re saying is this era of technological exceptionalism has got to end,” Inman Grant said on a panel at the World Economic Forum on Monday. “We’ve got food safety standards, we’ve got consumer protection laws, we need the companies assessing their risks and then building the potential protections in as a forethought, rather than an afterthought … embedding those digital seatbelts and erecting those digital guardrails.” As the world hurtles towards a future that could include augmented reality, metaverses, and other different realities, Inman Grant said such experiences could be supercharged, and that also includes when users are harmed in such environments. “If we don’t learn the lessons of the web 2.0 world, and start designing for the governance and safety by design, and security and privacy for the metaverse world — I mean, what could possibly go wrong with full sensory haptic suits, hyper-realistic experiences, and teledildonics all coming together in the metaverse?” the commissioner said. “If there’s no accountability and no transparency, we’re kind of ignoring that human malfeasance will always exist, and so, how are we going to remediate harm?” Taking a wider view, Inman Grant said as the world gets more polarised and binary, a new balancing of rights may occur. “I think we’re going to have to think about a recalibration of a whole range of human rights that are playing out online — from freedom of speech, to the freedom to be free from online violence, or the right of data protection, to the right to child dignity.” Inman Grant earlier told the forum that freedom of speech does not equate into a total free-for-all, and her agency had seen success in getting harmful content taken down. “Just this week, I issued about AU$4.5 million to a number of sites mostly based in the United States that are hosting the Buffalo manifesto and the gore material.” The eSafety office gained the ability last year to issue takedown notices backed by civil penalties of up to AU$550,000 for companies and AU$111,000 for individuals. See also: Misinformation needs tackling and it would help if politicians stopped muddying the waterExecutive director and co-founder of Access Now Brett Solomon said there was a chance a “state-centric online policing framework” such the eSafety office was not creating a safer internet or world, and could be a dangerous precedent for less liberal nations. “What [esafety] is engaged in — this is a very live experiment on society in real time. And how do we actually know the results?” he said. “How do we know that our communities are safer as a result of this massive, legislative and regulatory model that’s sending a message to the rest of the world, there’s a big risk here that maybe it’s not actually working.” Inman Grant retorted that the agency has helped thousands of people that would not have been able to get  content removed due to not being able to bridge the power gap between themselves and the tech giants and social platforms. Finnish Minister of Transport and Communications Timo Harakka said it was better that any adjustment on rights was done openly and democratically, rather than allowing tech giants to impose decisions themselves. Harakka cited the example of the social platforms eventually getting around to removing former US President Donald Trump. “Twitter and Facebook never saw problem, suddenly they shut down Trump’s Twitter account. So there was a problem but we never got to the real point: What exactly was the policy there?” he said. Harakka said it was “very, very dangerous” that the algorithms used on social platforms have no transparency.”For instance, as soon as the war in Ukraine and the Russian invasion or attacks started, the second most recommended YouTube video was ‘Why West is culpable of this attack to Ukraine’,” he said. “So what was this algorithm about? So it’s promoting this binary world view, promoting aggression, and these algorithms are in many ways something that need [investigation] while taking care of free speech.” Related Coverage More

Written by

Eileen Yu, Contributor

Eileen Yu
Contributor

Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently an independent business technology journalist and content specialist based in Singapore, she has over 20 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

Full Bio

China has lashed out at a trade initiative led by the US, which aims to establish mutually agreed standards in four key areas including the digital economy and supply chains. Beijing has described the move as the Biden administration’s attempts to “contain” China and create divisions. The Indo-Pacific Economic Framework (IPEF) was launched on Monday with 12 participating nations from the region, including Singapore, Australia, India, Indonesia and Japan. This group accounted for 40% of global GDP and 60% of the world’s population. It is expected to the largest contributor of global growth over the next three decades, according to the US government. It touted the benefits of the new framework for America, adding that trade with the Indo-Pacific supports more than 3 million American jobs. Brunei, South Korea, Malaysia, New Zealand, the Philippines, Thailand, and Vietnam also are part of the trade framework.  

The IPEF aimed to address 21st century economic issues with various arrangements that spanned establishing rules for the digital economy, ensuring secure and resilient supply chains, driving investments in clean energy infrastructure, and improving standards for transparency and fair taxation. Noting that past models did not address challenges across these areas, the Biden administration said a new model was necessary to resolve them. It added that businesses increasingly were looking for alternatives to China and countries participating in the Indo-Pacific Framework would be “more reliable partners” for US businesses. The IPEF, however, will not lay out plans for tariffs or easier market access, which are common objectives of traditional free trade agreements. Rather, the Indo-Pacific framework will pull its partners together through agreed standards across the four key areas.  Singapore Prime Minister Lee Hsien Loong said he welcomed an “open, inclusive, and rules-based order” and stressed the need for the framework to remain so. He added that members should be able to work with other partners in other overlapping agreements.Lee said: “IPEF is of both strategic and economic significance. It can be a valuable platform for the US to exercise economic diplomacy in the region, and it clearly signals the US’ continued commitment to engage with its partners in Asia, and deepen ties across the Pacific.”Strategy to dominate in digital technology standards headed failure The IPEF launch, though, has ruffled feathers in China, where government officials describe the move as the US’ attempts to create division and fuel confrontation. Chinese State Councillor and Foreign Minister Wang Yi said the US-led strategy was bound for failure, according to a report by state-owned media agency Xinhua.  Wang said the IPEF was the US government’s strategy to create division, incite geopolitical confrontation, and undermine peace. Its objective was to “contain” China, he added. Rather than drive free trade, he said the IPEF attempted to pursue protectionism. Noting that the US had pulled out from the Trans-Pacific Partnership (TPP), he added that the US was choosing to undermine existing regional cooperation infrastructures instead of following free-trade rules. Wang said: “Is the US trying to speed up the recovery of the global economy or is it trying to create economic decoupling, technological blockade and industrial disruption, and aggravate the supply chain crisis? The US should learn from the trade war it launched against China a few years ago, which brought severe consequences to the world and US itself.”He said it would be wrong for the US to use the IPEF as a political tool to safeguard its regional economic hegemony and deliberately exclude specific countries. He further questioned the Biden administration’s intent to force governments in this region to choose sides between China and the US. Chinese daily tabloid Global Times, which is owned by state-run People’s Daily, published a commentary highlighting the lack of market access and tariff provisions as a significant problem with the IPEF, giving no practical trade incentives for participating members. It added that the framework had not been approved by the US congress and lacked political sustainability. Global Times also accused the US of using the trade framework to “dominate” rules and standards in digital technologies, such as artificial intelligence and 5G. “IPEF, which excludes China, is driven more by geopolitical considerations rather than economic factors,” the paper said. “Countries in the region do not want to be trapped in the predicament of taking sides between Beijing and Washington, as China is their largest trading partner. China should have confidence in facing the US’ strategic containment. As long as Chinese government keeps the right direction concerning domestic and foreign policies and continues opening up, the US will be unable to stop China’s continuous rise.”In an interview with Nikkei, Singapore’s Lee said the IPEF as an alternative to an FTA arrangement between Asian nations and the US, which failed to materialise under the TPP. He added that the framework reflected the intent to cooperate on economic issues that were relevant to the region, including digital economies, supply chains, and green energy. He noted that details under the IPEF had not been negotiated, though, “broad areas” had been identified. “So we will go in and we will try to work out something as substantive and mutually beneficial as we can,” Lee said, pointing to carbon trading rules, digital economy, and sustainable finance as areas Singapore was keen to discuss as part of the IPEF.RELATED COVERAGE More

US President Joe Biden has launched a new economic framework geared towards countering Chinese influence in Asia and announced the 12 regional partners who will cooperate on shared standards in areas such as clean energy and 5G network advancements.Biden, in his first visit to Japan as president, presented the Indo-Pacific Economic Framework for Prosperity in a speech on Monday, citing four essential pillars — trade, supply chains, sustainable energy, and infrastructure — as well as tax and anti-corruption. Meanwhile, the White House claimed that the framework — as based on these pillars — will ensure that supply chains in the region develop greater resilience to protect against higher prices for consumers.”We’re here today for one simple purpose: the future of the 21st Century economy is going to be largely written in the Indo-Pacific,” Biden said in Tokyo. “[The framework is a commitment to] improving security and trust in the digital economy, protecting workers, strengthening supply chains, and tackling corruption that robs nations of their ability to serve their citizens.Biden added the framework would work towards eliminating critical supply chain bottlenecks, carbon from the economy, and work towards clean energy and developing “early warning systems” to identify problems before they happen.”Let’s start with new rules governing trade in digital goods and services so companies don’t have to hand over the proprietary technology to do business in a country,” Biden said.The 12 regional partners include Australia, Brunei, India, Indonesia, Japan, South Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand, and Vietnam. All of these partners, excluding Australia and India, were also signatories to China’s Belt and Road Initiative.The framework marks Biden’s latest attempt to shore up US support in the Asia-Pacific region after former President Donald Trump withdrew from the Trans-Pacific Partnership in 2017.Read: China, India, Russia missing from future of internet pledge by US, EU, and 33 othersFurther to this, South Korean President Yoon Suk Yeol pledged his country’s support for the framework, and also announced that South Korea will now become a signatory of the Declaration for the Future of the Internet. Meanwhile, Google said from the announcement that it expects a greater commitment to cybersecurity collaboration in the region, as well as a commitment to the free flow of data between countries and businesses.”This is the moment for Indo-Pacific countries to chart a bold, inclusive and sustainable path forward to address common challenges and seize the tremendous opportunities the digital economy can bring,” Google said.Related Coverage More

Written by

Aimee Chanthadavong, Senior Journalist

Aimee Chanthadavong
Senior Journalist

Since completing a degree in journalism, Aimee has had her fair share of covering various topics, including business, retail, manufacturing, and travel. She continues to expand her repertoire as a tech journalist with ZDNet.

Full Bio

Image: Shutterstock / Ascannio
The Information Commissioner’s Office (ICO) has fined controversial facial recognition company Clearview AI £7.5 million ($9.4 million) for breaching UK data protection laws and has issued an enforcement notice ordering the company to stop obtaining and using data of UK residents, and to delete the data from its systems.In its finding, the ICO detailed how Clearview AI failed to inform people in the UK that it was collecting their images from the web and social media to create a global online database that could be used for facial recognition; failed to have a lawful reason for collecting people’s information; failed to have a process in place to stop the data being retained indefinitely; and failed to meet data protection standards required for biometric data under the General Data Protection Regulation. The ICO also found the company asked for additional personal information, including photos, when asked by members of the public if they were on their database.The privacy watchdog also concluded that given the higher number of UK internet and social media users, Clearview AI’s database is “likely to include a substantial amount of data” from UK residents, and while the company no longer offers services to UK organisations, it continues to do so in other countries, and this may include using personal data of UK residents. Read more: ‘Booyaaa’: Australian Federal Police use of Clearview AI detailed”Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images,” UK Information Commissioner John Edwards said.”The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement.”The enforcement action follows a joint investigation the ICO carried out with the Office of Australian Information Commissioner (OAIC). The investigation into Clearview AI by both privacy watchdogs has been underway since 2020, and was conducted in accordance with the Australian Privacy Act and the UK Data Protection Act. The pair investigated how the company used people’s images, data scraping from the internet, and biometric data for facial recognition. “This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues,” Edwards said.Earlier this month, in a landmark settlement, Clearview AI agreed to cease sales to private companies and individuals in the United States, and also agreed to stop making to database available to Illinois state government and local police departments for five years. The New York-based company, however, continue to offer its services to other law enforcement and federal agencies, and government contractors outside of Illinois. Related Coverage More

When I first started using Linux, back in ’97, working with the built-in firewall was not something just anyone could do. In fact, it was quite complicated. Starting around 1998, if you want to manage the security of a system, you had to learn iptables (which is a suite of commands for manipulating the Netfilter packet filtering system). For example, if you want to allow all incoming secure shell (SSH) traffic, you might have to issue commands like this:sudo iptables -A INPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

That’s all fine and good if you have time to not only master the Linux operating system, but also know the finer points of managing a complicated security system. To be fair, I did spend the time and was eventually able to manage the security of my systems with iptables. However, the busier I got, the harder it became to continue the level of mastery needed to keep up with iptables. Over time, things started getting more accessible and some Linux distribution developers began to realize an easier system was necessary. One of those more accessible Linux firewalls came into being with the Ubuntu distribution (around version 12.04). That firewall is aptly named Uncomplicated Firewall.Uncomplicated Firewall (UFW) is a frontend for iptables, which focuses on simplicity. Compared to iptables, UFW is a leisurely stroll through the park that anyone can handle.Let’s take a walk down UFW lane and see just how simple it makes managing your Linux system firewall.There are two things you should know about UFW: It’s a command-line tool.There are GUI tools available to make it even easier.The UFW command-line basicsThe UFW command is actually pretty simple. Let’s stick with our SSH idea from above. Let’s say you want to allow other systems to access your machine by way of SSH (which listens on port 22). First, you’ll want to see if UFW is even enabled. Guess what…it’s not by default. Test that out by opening a terminal window and issuing the command:sudo ufw status
You’ll probably see the following:Status: inactive
How do you activate it? Issue the command:sudo ufw enable
The output of the command should be:Firewall is active and enabled on system startupCongratulations, your firewall is now active. As to the basic usage of UFW, it looks something like this:sudo ufw ARGUMENT SERVICE
Where ARGUMENT is either allow, deny, reject, limit, status, show, reset, reload, enable, disable and SERVICE is the service you want to work with (such as SSH or HTTP).Next, we need to allow SSH traffic into the system. Believe it or not, that’s as simple as:sudo ufw allow ssh
You could also run the command using the port number, like this:sudo ufw allow 22
Or, if you run SSH on port 2022, that command would be:sudo ufw allow 2022
If you’re working on a server and you need to allow HTTP traffic through, that command would be:sudo ufw allow http
Let’s get a bit more advancedone of the nice things about UFW is that even using more advanced features doesn’t require advanced knowledge. Let’s say, for example, you want to allow SSH traffic in, but only from a specific IP address on your network.If you’ve already allowed incoming SSH traffic, you’ll first need to delete that rule with:sudo ufw delete allow ssh
Now, if you try to SSH into the machine, the firewall will block the attempt. So, let’s allow SSH connections from IP address 192.168.1.152. For that, we’d issue the command:sudo ufw allow from 192.168.1.152 to any port ssh
After running the above command, you should be able to log into the machine, via SSH, only from the remote system at IP address 192.168.1.152.What about the GUI?If the command line isn’t your jam, there’s always a handy GUI tool to make it even easier. One such tool is GUFW, which allows you to point and click your way to UFW firewall rules. If UFW isn’t installed on your Linux distribution by default, you’ll find it in your app store. Once installed, open the app and click on the Rules tab (Figure 1).The GUFW tool makes configuring your firewall even easier.
Image: Jack Wallen
As you can see, I already have a few UFW rules added. One thing to keep in mind is that you cannot edit rules that were added via the UFW command line. Let’s add the same rule via the GUI that we just did from the command line. Click + and then (from the Preconfigured tab), select the following:Policy – AllowDirection – InCategory – AllSubcategory – AllApplication – SSHThat alone will create the rule allowing all SSH traffic into your system. If, however, you want to only allow traffic from a single IP address, you must click the Advanced tab and fill out the following (Figure 2):Name – any name you wantPolicy – AllowDirection – InInterface – All InterfacesFrom – 192.168.1.152Adding a rule to UFW to only allow SSH traffic from IP address 192.168.1.62
Image: Jack Wallen
Click Add and your rule is inserted into the firewall.And that, my friends, is your uncomplicated introduction to the Uncomplicated Firewall. But don’t think UFW is nothing more than a very basic firewall system. You can actually get considerably more complicated but for the basics, UFW is easy enough for anyone to use. More