More stories

  • Only half of organizations reviewed security policies due to the pandemic: Study

    New research suggests that only half of organizations worldwide reviewed their cybersecurity policies when COVID-19 hit.

    The COVID-19 pandemic prompted a rapid shift to working from home. Whereas organizations would previously have most employees in the office, where access to corporate resources was more centralized, the need to provide remote options also increased the potential attack surface. Virtual private network (VPN) usage is customary for remotely connecting to company systems. However, the pandemic prompted the more widespread use of personal PCs and handsets with varying levels of security, and reliance on video conferencing tools and email also caused headaches for security teams.

    According to research published on Tuesday by the Ponemon Institute, on behalf of Intel, enterprises worldwide will spend roughly $172 billion on cybersecurity this year. However, only 53% of respondents said they refreshed their existing strategies due to the pandemic, which could indicate a disconnect between spending the money and applying it correctly to the modern workplace. When changes were made to existing policies, they were driven by factors including remote working demands, supply chain failures, increased cyberattack rates, and employee turnover.

    In total, 59% of organizations surveyed said their cybersecurity practices are “innovative,” at least when it comes to threat detection, followed by 51% who believe they are innovative in how technology investments are made. The pandemic has created what could become a permanent hybrid workforce. Enterprise organizations have recognized that this requires a shift in investments, with remote work, artificial intelligence (AI), and automation becoming top priorities.
    85% of respondents said that hardware- and firmware-based security solutions are now a “high” or “very high” priority when it comes to security solution applications. In addition, 64% of those surveyed said their companies were trying to boost security at the hardware level, with cloud, data centers, edge computing, and security operations centers (SOC) in mind.
    The integration of zero-trust strategies is also on the table for enterprise players. As the pandemic continues to impact businesses worldwide, 75% of survey respondents said they have an increased interest in adopting zero-trust access and privilege frameworks.

  • Terrible cloud security is leaving the door open for hackers. Here's what you're doing wrong

    Cloud applications and services are a prime target for hackers because poor cybersecurity management and misconfigured services leave them exposed to the internet and vulnerable to simple cyberattacks. An analysis of identity and access management (IAM) policies covering hundreds of thousands of users in 18,000 cloud environments across 200 organisations, carried out by cybersecurity researchers at Palo Alto Networks, found that cloud accounts and services are leaving open doors for cyber criminals to exploit, putting businesses and users at risk. The global pandemic pushed organisations and employees towards new ways of remote and hybrid working, with the aid of cloud services and applications. While beneficial to businesses and employees, this also created additional cybersecurity risks, and malicious hackers know it.


    “With the pandemic-induced transition to cloud platforms over the past several years, malicious actors have had an easier time than ever following their targets into the cloud,” said John Morello, vice president of Prisma Cloud at Palo Alto Networks.

    According to the research, 99% of cloud users, services and resources are granted excessive permissions. In most cases, regular users do not need these permissions and administrator privileges, but if cloud accounts are compromised, attackers could take advantage of the excess permissions to modify, create or delete cloud environment resources, as well as moving laterally through networks to expand the scope of an attack.

    Another practice that isn’t helping IT departments is poor password security: the majority of cloud accounts (53%) allow weak passwords of under 14 characters, while 44% of cloud accounts allow the user to re-use a password that is linked to another account. Weak passwords are vulnerable to brute-force and credential-stuffing attacks, in which attackers use automated software to test candidate passwords against accounts. Accounts are at particular risk if the password securing them is especially common.

    Password re-use also creates a risk for cloud accounts. If a user's password for a separate account has been leaked or stolen, attackers will test it against that user's other accounts; if it is the same password, they gain access to the cloud account, which puts the user and the rest of the corporate cloud services at risk of further attacks.

    This risk is further exacerbated by cloud resources being publicly exposed to the web in the first place. According to the research, almost two-thirds of organisations have cloud resources, such as buckets and databases, misconfigured in a way that allows them to be accessed without any authentication. That means cyber criminals don’t even need to obtain credentials to steal sensitive information; they just need the URL. Identifying these buckets and servers, and ensuring they are not exposed on the open web, is a must for cybersecurity teams.

    For all cloud services, properly configured IAM can block unintended access, so make sure users set complex, unique passwords, and protect their accounts with multi-factor authentication. IT departments should also consider whether regular accounts need administrator privileges. While a legitimate user with this level of access might not be considered a risk, an intruder with admin access has the keys to the entire cloud kingdom.

  • This Windows malware aims to steal your social media passwords

    Cybersecurity researchers at Zscaler are warning about malware dubbed FFDroider that is designed to steal usernames, passwords and cookies from infected Windows computers. FFDroider is mainly focused on stealing login credentials for social media websites, including Facebook, Instagram and Twitter, but it also steals passwords for Amazon, eBay and Etsy accounts. The malware can steal cookies from the Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge browsers. The information stolen by the trojan can be used to take control of accounts, steal personal information and commit fraud against victims, and could also give attackers a means of hijacking other accounts if the same email and password are used to access them.


    Zscaler said it has observed “multiple” campaigns related to FFDroider, all of which deliver a malicious program embedded in cracked versions of installers and freeware.

    To avoid being detected after installation, the malware disguises itself as the messenger application Telegram, although people who do not use Telegram might wonder why folders claiming to belong to that app have appeared. Once installed on a system, the malware monitors the victim's actions and, when they enter their username and password into the targeted social media platforms, the information is stolen. FFDroider also steals cookies and saved login credentials from the browser.

    If stolen social media account credentials are linked to a business account, the malware also seeks out billing information, potentially enabling the attackers to steal bank payment details. The attackers could also use compromised Facebook or Instagram accounts of businesses to run malicious advertising campaigns, take control of additional accounts, steal more payment details, or spread the malware further. Social media accounts hold a lot of personal information, and stolen details are a prime commodity for cyber criminals, who can exploit the data to commit fraud themselves or sell it to others on underground forums.

    To stay safe from this particular campaign, people should be extremely wary of unexpected emails claiming to offer free software, especially if that software usually must be paid for, as that is often a clear sign the download link can't be trusted. It also helps to enable multi-factor authentication across all social media platforms, since this stops attackers from accessing accounts even if they have the right password. In any situation where you think your password might have been stolen, you should change it immediately.

  • XSS vulnerability patched in Directus data engine platform

    A cross-site scripting (XSS) vulnerability has been patched in the popular Directus engine. Directus is an open source, modular content management system (CMS) promoted as a “flexible powerhouse for engineers.” The platform can be used to wrap SQL databases with GraphQL and REST APIs. Directus has achieved 14.9k stars on GitHub and there are approximately 1,700 forks.

    Discovered by Synopsys Cybersecurity Research Center (CyRC) researcher David Johansson, the vulnerability is tracked as CVE-2022-24814 and can lead to account compromise. Impacting Directus v9.6.0 and earlier, CVE-2022-24814 was found in the file upload functionality of the CMS.

    “Unauthorized JavaScript can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script tag,” Directus explained. “This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS.”

    According to Synopsys, authenticated users can create a stored XSS attack that triggers when other users try to view “certain” collections or files on the platform. A similar issue, tracked as CVE-2022-22116 and CVE-2022-22117, was previously disclosed in the Directus App. However, the mitigation improvements did not go far enough and could be bypassed, the researchers added.

    Synopsys disclosed its findings to Directus on January 28. The platform’s team triaged the vulnerability and released v3.7.0 on March 18 to resolve the security issue. In addition, Directus tightened a “very permissive” default value for the CORS configuration, which could lead to unauthorized access when the configuration had not been changed. The latest build is v3.9.0.

    “Synopsys would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner,” the company said.

    In related news, VMware published a security advisory on April 6 urging customers to patch software including VMware Workspace ONE Access, Identity Manager (vIDM), and vRealize Automation (vRA) to fix bugs leading to remote code execution (RCE), among other issues.

  • Spring4Shell flaw is now being used to spread this botnet malware

    Security researchers have observed attackers exploiting the Spring4Shell Java-related flaw to install malware on target systems. Researchers at security firms Trend Micro and Qihoo 360 watched the attacks emerge almost as soon as the bug became public.


    While Spring4Shell isn’t quite as dire as Log4Shell, most security firms, the US Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft are urging developers to patch it if they are running Java Development Kit (JDK) version 9.0 or later together with Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or earlier.

    “After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai has won the race as the first botnet that adopted this vulnerability,” Qihoo 360 researchers noted.

    Trend Micro researchers have seen something similar. “We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” said Trend Micro’s researchers. “We also found the malware file server with other variants for different CPU architectures,” they warned. The Mirai sample is downloaded to the “/tmp” folder.

    Trend says most of the vulnerable setups were configured with the following features:

      • Spring Framework versions before 5.2.20 and 5.3.18, with Java Development Kit (JDK) version 9 or higher
      • Apache Tomcat
      • A spring-webmvc or spring-webflux dependency
      • Spring parameter binding configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
      • Deployable packaged as a web application archive (WAR)
      • Writable file system, such as webapps or ROOT

    Researchers at Palo Alto Networks’ Unit 42 team believe Spring4Shell will almost certainly be weaponized, because it was straightforward to exploit and all the details of how to do it were public on March 31. “Since exploitation is straightforward and all the relevant technical details have already gone viral on the internet, it’s possible that SpringShell will become fully weaponized and abused on a larger scale,” it said.

    The chief vulnerabilities related to Spring4Shell are CVE-2022-22965, which is a bypass of the 2010 patch for CVE-2010-1622, and CVE-2022-22963. Mirai and its many variants remain one of the biggest threats on the internet. They are used for distributed denial-of-service attacks, attacks on passwords, and the deployment of ransomware and cryptocurrency miners.
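    A triage helper that encodes the exposure conditions Trend Micro lists for Spring4Shell, added here as an example; it is not code from the original article or from any vendor named in it. The deployment record format, its field names and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Fixed releases named in the article: 5.2.20 and 5.3.18. The article says
# "and earlier versions", so branches older than 5.2 are treated as affected.
FIXED_BY_BRANCH = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}
WEB_STACKS = {"spring-webmvc", "spring-webflux"}


def parse_version(text: str) -> tuple:
    """'5.3.17' -> (5, 3, 17); tolerates suffixes like '5.3.17.RELEASE'."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def spring_is_vulnerable(version: str) -> bool:
    """True when the Spring Framework version predates the fixed release of its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Older branches never received the fix; newer branches (5.4+, 6.x) ship with it.
    return branch < (5, 2)


@dataclass
class Deployment:
    """Assumed inventory record for one deployed Spring application."""
    name: str
    spring_version: str
    jdk_major: int
    container: str                      # e.g. "tomcat", "jetty"
    packaging: str                      # "war" or "jar"
    web_stack: set = field(default_factory=set)   # subset of WEB_STACKS
    binds_pojo_params: bool = False     # controller methods bind request params to POJOs
    writable_webapps: bool = False      # webapps/ROOT writable by the app process


def unmet_conditions(d: Deployment) -> list:
    """Return the conditions from the article that this deployment does NOT meet.

    An empty list means every listed condition matches, i.e. the deployment
    looks like the setups Trend Micro saw exploited and should be patched first.
    """
    checks = [
        ("Spring Framework before 5.2.20 / 5.3.18", spring_is_vulnerable(d.spring_version)),
        ("JDK 9 or higher", d.jdk_major >= 9),
        ("Apache Tomcat", d.container.lower() == "tomcat"),
        ("spring-webmvc or spring-webflux dependency", bool(d.web_stack & WEB_STACKS)),
        ("parameter binding to non-basic types (POJOs)", d.binds_pojo_params),
        ("packaged as WAR", d.packaging.lower() == "war"),
        ("writable file system (webapps/ROOT)", d.writable_webapps),
    ]
    return [label for label, met in checks if not met]


def triage(deployments) -> dict:
    """Map each deployment name to its list of unmet conditions."""
    return {d.name: unmet_conditions(d) for d in deployments}


# Constructed sample inventory (not real systems).
SAMPLE = [
    Deployment("orders-api", "5.3.17", 11, "tomcat", "war", {"spring-webmvc"}, True, True),
    Deployment("legacy-portal", "5.3.17", 8, "tomcat", "war", {"spring-webmvc"}, True, True),
    Deployment("reports", "5.3.18", 17, "jetty", "jar", {"spring-webflux"}, False, False),
]

if __name__ == "__main__":
    for name, missing in triage(SAMPLE).items():
        status = "MATCHES ALL CONDITIONS" if not missing else "does not meet: " + ", ".join(missing)
        print(f"{name}: {status}")
```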

  • Singapore begins licensing cybersecurity vendors

    Vendors offering two categories of cybersecurity services in Singapore must now apply for a licence to continue providing them. They have up to six months to do so or must cease providing such services, if they do not wish to face the possibility of a jail term or fine.

    Specifically, companies that provide penetration testing as well as managed security operations centre (SOC) monitoring services will need a licence to offer these services in Singapore. This includes companies and individuals directly engaged in such services, third-party vendors that support these companies, and resellers of the licensable cybersecurity services, according to the Cyber Security Authority (CSA) Singapore. The industry regulator said the licensing framework, effective from April 11, sits under the country’s Cybersecurity Act and aims to better protect consumers’ interests. It also serves to improve service providers’ standards and standing over time.

    CSA added that the two service categories were prioritised to kickstart the licensing regime because providers of these services have significant access to their customers’ ICT systems and sensitive data. Should such access be abused, the client’s operations could be disrupted, the regulator noted. It added that because these services are widely available and adopted, they also have the potential to cause significant impact on the wider cybersecurity landscape.

    Existing vendors currently engaged in either or both service categories have up to October 11, 2022, to apply for a licence. Those that fail to do so on time will have to stop providing the service until a licence is obtained. Service providers that submit their application within six months will be permitted to continue delivering the licensable service until a decision on the application is made. Any person who provides the licensable services without a licence after October 11, 2022, faces a fine not exceeding SG$50,000 ($36,673) or a jail term of up to two years, or both.

    Individuals will have to pay SG$500 for their licence, while businesses will have to fork out SG$1,000. Each licence is valid for two years. CSA said there would be a one-time 50% fee waiver for applications submitted within the first year, before April 11, 2023.

    A Cybersecurity Services Regulation Office has been set up to administer the licensing framework and facilitate communication between the industry and the wider public on all licensing-related issues. Its responsibilities include enforcing and managing licensing processes and sharing resources on licensable cybersecurity services with the public, such as providing the list of licensees.

    Commenting on other cybersecurity services that might become licensable in future, CSA said it would “continue to monitor international and industry trends” and engage the industry, where necessary, to assess whether new service categories should be included.

    The launch of the licensing framework follows a four-week consultation period that ended last October. CSA said it received 29 responses from local and international market players as well as industry associations and members of the public. One response concerned the information required, upon request, to facilitate the regulator’s investigations into matters such as breaches by licensees or a licensee’s continued eligibility. There were suggestions that the language of the proposed licence conditions be tightened, so that requests were not overly generic, and that there be more clarity on the types of information that might be requested. CSA said it had revised the language of the licence conditions to reduce uncertainty for licensees and that requests for such information would be limited to what is necessary for the purpose of the investigation.

  • OpenSSH now defaults to protecting against quantum computer attacks

    Post-quantum cryptography has arrived by default with the release of OpenSSH 9 and the adoption of the hybrid Streamlined NTRU Prime + x25519 key exchange method.

    “The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo,” the release notes said. “We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent ‘capture now, decrypt later’ attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.”

    As work on quantum computers inches forward, efforts to protect against future attacks have increased in step. Thanks to the massive parallelism expected from workable quantum computers, it is believed that today's public-key cryptography will be trivial to break once such a machine is built. Last month, the NATO Cyber Security Centre did a test run of its quantum-proof network.

    “Securing NATO’s communications for the quantum era is paramount to our ability to operate effectively without fear of interception,” principal scientist Konrad Wrona said at the time. “The trial started in March 2021. The trial was completed in early 2022. Quantum computing is becoming more and more affordable, scalable and practical. The threat of ‘harvest now, decrypt later’ is one all organizations, including NATO, are preparing to respond to.”

    Elsewhere in the OpenSSH release, which was mostly focused on bug fixes, the scp command has been moved from its legacy protocol to SFTP by default, even though this brings several incompatibilities, such as not supporting wildcards in remote filenames or expanding a ~user path, although the latter is supported through an extension.

  • Ads, NFTs and other badness: Pour one out for the decline of dumb TVs

    In my lounge room sits a relic of a time long gone: a 15-year-old plasma TV that is dumb as a box of hammers, and thankfully so. As the years go by, I am increasingly grateful that this piece of technology continues to kick on. Of course, at some stage I will need to trudge into the increasingly awful world of smart TVs, but the longer that takes the better.


    In recent weeks, TV makers have upped the annoyance and intrusion factor in their so-called smart devices. Vizio announced it had started a beta with Fox in the US to insert ads during the credits of a show in an effort to push users onto the broadcaster’s streaming service.

    “Jump ads give participating programmers and brands the ability to present an interactive overlay at the conclusion of linear TV programs, directing viewers into a supporting app on Vizio’s operating system to continue their viewing experience,” Vizio said. “The Jump Ads will prompt viewers to continue watching additional episodes of the program or catch up on past episodes on the Fox Now App … this allows viewers to seamlessly extend their viewing experience with a single click of a button, enhancing the smart TV experience for both viewers and content providers alike.”

    Vizio said ad buyers can control at what point the ads appear, how often they do, and which app the ad points to — and, as we’ve learnt after some years at the nexus of advertising and technology, there is no way this seemingly helpful pointer to users will ever be extended to promote anything, at any time, anywhere in a broadcast. I’d suggest asking, “Why stop at one ad?”, but I really don’t want to give marketers any ideas.

    Not to be outdone by Vizio, fellow TV ad inserter Samsung has taken a step into the world of blockchains and TV. The Korean behemoth said last week it has partnered with crypto exchange Gemini and its Nifty Gateway to integrate NFTs on its smart TV platform, allowing users to buy, sell, and view the assets on its 2022 premium TV lines, including QLED and Neo QLED.

    Most pleasingly from Samsung is a helpful guide to stop your smart TV from being hacked or running malicious code. It involves turning on “smart security”, and call me a cynic, but it probably doesn’t do what it says on the tin.

    The problem with TVs, as my venerable Panasonic display shows, is the lifespan of such devices. No one is going to support a non-desktop consumer device’s operating system and make sure it is secure for almost 15 years after it was made. To give an idea of the longevity of this TV, when it arrived, Android 1.0 was being released. Imagine how long it would take to pop this device if it were able to browse the internet.

    Samsung needs to be on top of its security to ensure its TVs remain safe, because wherever you find crypto assets, you can bet someone has worked out a way to steal them, and is maybe even using them on OpenSea.

    Beyond this pair of TV makers, it is not as though the industry has any saints: LG was doing ads years ago, and Sony says in a support article that users cannot turn ads off and points the finger at Google. Besides, there is no reason for manufacturers to make anything but smart TVs for consumers, especially when the answer to those who have issues with smart features is a line about not connecting it to the internet in the first place.

    That could work — unless you live near a radio telescope and cannot have a device spamming out Wi-Fi and Bluetooth signals for as long as it is plugged into a power socket, and the suggested answer is to open the TV and cut its antenna off — but it doesn’t solve the issue of potentially paying thousands of dollars for a device that upgrades itself and pushes increasing amounts of advertising at you. That sort of user experience is best left in the hands of Microsoft to pioneer on its own.

    After living with smart Wi-Fi for a number of years, during which the settings available have been increasingly pared back by Google, I was recently blasted back into a world where the user can override the so-called artificial intelligence. It didn’t fix everything, but it was delightful to have options again.

    The TV landscape is far beyond that point: search for dumb options and you’ll end up thinking about buying commercial signage devices or using a big computer monitor as a TV, neither of which is a proper fit. It’s a shame TVs have become purchases that can cost thousands of dollars and, for their coin, new owners end up with yet another ad-serving device whose firmware updates will end in a couple of years, if they are lucky. Because as a base concept, TVs exist purely to show someone what they want to see. It shouldn’t be this hard.

    But if you want to see a low-res pixel art NFT upscaled to glorious 8K resolution, you know which Korean tech giant you need to buy from.

    ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team, so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 11:00pm in London.