More stories

White House warns: Do these 8 things now to boost your security ahead of potential Russian cyberattacks

It’s one thing for tech companies to urge users to enable multi- or two-factor authentication, but now the White House is urging all US organizations to do it because of potential cyberattacks ahead. Two-factor or multi-factor authentication (MFA) was a concept that needed to be explained carefully to the public a few years ago. It’s an approach to cybersecurity that requires users to sign in to an account with something they physically possess, such as a phone.

Most companies don’t use it, even when it’s readily available, according to previously reported data from Microsoft, because they prioritize easy access to information over security.

But with the Russian invasion of Ukraine happening now, the US government has told all organizations that MFA is a must. “Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system,” the White House has warned.

The message comes as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA’s current campaign is called Shields Up, which urges all organizations to patch immediately and secure network boundaries. President Biden said the warnings around improving tech security were “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”

CISA has led most of the US’s efforts and has the authority to require critical infrastructure owners and operators to report ransomware and other incidents within 24 hours. The White House, however, has now urged all organizations, even those that are not considered critical infrastructure, to beef up their defenses.

“We accelerated our work in November of last year as Russian President Vladimir Putin escalated his aggression ahead of his further invasion of Ukraine,” the White House said in a statement. “The US government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign.”

It’s rare for the leader of any country to urge everyone to step up cybersecurity defenses. Biden has used executive orders to compel federal agencies to patch software, but the new message urges the private sector to do the same.

Beyond the use of multi-factor authentication, the White House also urged companies to take seven other steps:

  • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
  • Make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors
  • Back up your data and ensure you have offline backups beyond the reach of malicious actors
  • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack
  • Encrypt your data so it cannot be used if it is stolen
  • Educate your employees to common tactics that attackers will use over email or through websites
  • Work with FBI and CISA to establish relationships in advance of any cyber incidents

Social engineering attacks to dominate Web3, the metaverse

Researchers predict that a surge in social engineering attacks will dominate Web3 and the metaverse.

Web3 is the term coined for what could become the next face of the internet. The web has shifted from pages containing content to the growth of social media, and now the concept of a decentralized internet is being discussed under the Web3 banner. Part of this transformation could include the ‘metaverse’, a 3D environment and virtual world for facilitating social connections, whether personal or for work. Your ID in the metaverse may also end up linked to cryptocurrency wallets, Non-Fungible Tokens (NFTs), and various smart contracts.

As technology vendors work on these concepts, cybersecurity researchers from Cisco Talos have offered their perspective on the potential threats Web3 and the metaverse will face. The recent phishing wave experienced by OpenSea users, in which victims were duped into signing off on malicious contract transactions and handing over their NFTs, may highlight the forms of attack we may see more commonly in the future.

The first issue discussed by the team is the use of the Ethereum Name Service (ENS) and potentially upcoming similar services that are used to compact wallet addresses into a format that can be remembered easily. As some of us speculate on the potential future value of ENS domains and register them, such as ‘businessname.eth’, these addresses could be used as leverage in phishing attacks, especially as ENS domains are recorded on the blockchain and cannot easily be removed through trademark disputes.

“It may come as no surprise that ENS domains such as cisco.eth, wellsfargo.eth, foxnews.eth and so on are not actually owned by the respective companies who possess these trademarks, but rather they are owned by third parties who registered these names early on with unknown intentions,” Talos says. “The risk here is obvious.”

In addition, those that register an ENS domain may use their names, deanonymizing an address and signaling to others what funds an individual has in their cryptocurrency wallet, potentially increasing their risk of being selectively targeted by a threat actor. A brief search by Cisco Talos on ENS domain holders who publicized their address revealed a number of ‘whales’ holding vast amounts of cryptocurrency and some rather lucrative NFTs. A number of holders also reveal their home towns, full names, and social media profiles, giving attackers a broader picture of individuals to target in social engineering attacks.

“For many, identifying their real-world identities and physical locations starting from the ENS domain and Twitter account was almost trivial,” the researchers say.

As Web3 will be a new concept that users will need time to learn about, a general lack of education may also make individuals more susceptible to scams and fraud. “Unfamiliar technology can often lead users into making bad decisions,” Cisco Talos says. “Web3 is no exception. The vast majority of security incidents affecting Web3 users stem from social engineering attacks.”

In addition, wallet cloning, already a threat in practice, may become a more popular attack method in the future. This requires victims to give up their seed phrase, the secret key used to retrieve lost wallets, and it may be requested through social engineering, by posing as customer support, or by tricking wallet holders into fake verification processes.

While Web3 is still in development, it is worth taking the time to familiarise yourself with this technology, especially if you plan to explore the decentralized world in the future. Cisco Talos also recommends implementing basic security measures, password managers, multi-factor authentication (MFA), and most importantly, remembering that you should never hand over your seed phrases.

Android app downloaded 100,000 times from Google Play Store contained password-stealing malware, say security researchers

Google has removed an app with over 100,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users.

Researchers at French mobile security firm Pradeo said the app embeds Android trojan malware known as “Facestealer” because it dupes victims into typing their Facebook credentials into a web page that transmits the credentials to the attacker’s server, which happens to be a domain that was registered in Russia. If a user enters their credentials, the makers of the Android app then have full access to victims’ Facebook accounts, including any linked payment information, such as credit card details, as well as users’ conversations and searches, according to Pradeo.

“It mimics the behaviors of popular legitimate photo editing applications. In fact, it has been injected with a small piece of code that easily slips under the radar of store’s safeguards,” Pradeo says in a blogpost.

The app ‘Craftsart Cartoon Photo Tools’ was billed as a tool that lets people “turn stunning looks from real cameras into paintings and cartoons” using advanced artificial intelligence and machine learning. However, Android users themselves appear to have detected problems with the app, validating the idea that users should always read reviews before installing an app. “Totally fake. The way it was advertising seems like useful. Then find out just a few filter effects for any photo,” wrote one user in March. “No cartoonization anywhere. Don’t download,” wrote another.

After users open the bogus photo-editing app, it opens a Facebook login page that requires the users to sign in before they can use the app. The credentials are then transmitted to the app owner’s server.

Google encourages Android users to only install apps from its app store. However, research has shown that malicious apps can make their way into the Google Play store. Google confirmed to ZDNet that the app has been removed from the Play Store and the developer banned.

Pradeo in December raised an alarm about Joker malware being distributed on the Play Store that had been installed by over 500,000 users. That malicious app attempted to defraud users through premium mobile services and unwanted ads.

Okta says breach evidence posted by Lapsus$ hackers linked to January 'security incident'

Okta says that a rapid investigation into the sharing of screenshots appearing to show a data breach relates to a “contained” security incident that took place earlier this year. Okta, an enterprise identity and access management firm, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.” The images were shared over Telegram and various social media networks this week.

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor[…],” LAPSUS$ said. “Before people start asking, we did not access/steal any databases from Okta — our focus was only on Okta customers.”

In an emailed statement on Tuesday, Okta said the screenshots shared online “appear to be connected to a security event in late January.” Okta said: “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event.” “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta added.

In a tweet, Cloudflare CEO Matthew Prince added to the discussion, commenting: “We are aware that Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”

Lapsus$ is a hacking group that has quickly raised itself through the ranks by allegedly breaking into the systems of high-profile companies, one after the other, in order to steal information and threaten to leak it online unless blackmail payments are made. Recent breaches connected to the group include those experienced by Samsung, Nvidia, and Ubisoft. On Sunday, a screenshot was shared that suggested an alleged Microsoft breach may have taken place, potentially via an Azure DevOps account, although the post has since been deleted. Microsoft is investigating.

Based in San Francisco, Okta is a publicly traded company with thousands of customers, including numerous technology vendors. The company counts FedEx, Moody’s, T-Mobile, JetBlue, and ITV among its clients.

“Lapsus$ is known for extortion, threatening the release of sensitive information, if demands by its victims are not made,” commented Ekram Ahmed, spokesperson at Check Point. “The group has boasted breaking into Nvidia, Samsung, Ubisoft and others. How the group managed to breach these targets has never fully been clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string [of] successes.”

APAC firms see need to train staff in digital skills, but few actually do so

Most organisations in Asia-Pacific realise their employees need training in digital skills, but few have put in place plans to do so. With cloud and cybersecurity amongst the top digital skills in demand, employers run the risk of missing out on key business benefits if the skills gaps remain unplugged.

Specifically, the ability to use cloud-based tools such as accounting and CRM (customer relationship management) software-as-a-service (SaaS) applications emerged as the top-most needed digital skill by 2025, according to a study commissioned by Amazon Web Services (AWS). This was followed by cybersecurity skills, including the ability to develop or deploy protocols as well as techniques to maintain the security of their organisation’s digital systems and data.

Conducted last August by consultancy AlphaBeta, the online survey polled 2,166 employers and 7,193 workers across seven Asia-Pacific markets: Singapore, Australia, India, Indonesia, Japan, New Zealand, and South Korea. Employers comprised business and IT managers from organisations in private and public sectors, while workers included tech and non-tech full-time employees who used digital skills in their jobs.

The study further revealed that technical support, digital marketing skills, and the ability to manage migration from on-premises to the cloud were amongst the top five most in-demand digital skills. Others that were in demand by 2025 included artificial intelligence and machine learning, cloud architecture design, Internet of Things (IoT) skills, and software development.

The desire for digital skills also was felt by employees, especially as the global pandemic fuelled digital transformation across many enterprises. Some 88% of workers said they now needed more digital skills to keep up with changes in their job, with 86% noting that COVID-19 had accelerated the pace of digital adoption in their organisation.

In particular, 64% of employees said they needed training in cloud-related skills by 2025, Emmanuel Pillai, AWS’ Asean head of education and training, said in a video interview with ZDNet. Some 54% of workers said they needed to learn how to maintain safe and secure digital systems, while 33% needed to learn how to migrate on-premises facilities to the cloud. Another 27% believed they needed skillsets in cloud architecture design to progress in their careers.

However, while 97% of companies recognised the need to train their workers on digital skills, just 29% actually had implemented a plan to do so, Pillai noted. In fact, two-thirds of workers revealed they were not confident they were gaining digital skillsets fast enough to meet their future career requirements. The lack of confidence was most apparent, at 83%, amongst employees aged 55 and above, while 75% of those aged between 40 and 55 felt likewise, as did 60% of workers aged 40 and below.

Across the board, 93% of organisations and employees faced barriers in accessing digital skills they needed to remain competitive, with time and awareness cited as the top challenges. Some 72% pointed to limited awareness of available training courses as a barrier, while 66% noted limited awareness of the digital skills needed. Another 65% pointed to high training costs as a challenge. Amongst employees, 71% cited the lack of time to pursue training as a barrier, while 64% noted the lack of quality training.

Businesses should look at long-term benefits of skills investment

Organisations in this region, though, should look at the long-term benefits of digital skills training, rather than perceiving this to be an added cost, noted Genevieve Lim, Asia-Pacific director at AlphaBeta, which is part of Access Partnership. She told ZDNet that amongst organisations that did invest in digital skills training, 88% saw higher staff productivity. Another 83% reported higher employee retention, while 82% clocked increased revenue.

With 80% of employees noting that the ability to learn new digital skills led to greater job satisfaction, Lim said such findings could offer insights on how companies could retain talent amidst the global mass resignation phenomenon.

If left unaddressed, the gaps in cloud skills also meant organisations would miss out on benefits such technologies brought to the table, she said. For instance, they would take a longer time to innovate if they lacked the talent to help them develop and go to market with new products. In addition, they would not gain the cost efficiencies and productivity improvements that digital and cloud technologies were touted to deliver, Lim said.

The study estimated that 86 million more employees across the seven Asia-Pacific markets would have to undergo digital skills training over the next year to keep up with technological change. This figure accounted for 14% of the total workforce in those regional markets.

With Asia-Pacific enterprises in different stages of their cloud adoption journey, from migration to operating in a cloud-native environment, Pillai said AWS looked to support them across all phases with more than 250 managed cloud services. He added that the cloud vendor not only offered security-specific training and certifications, but also ensured security was “baked” into all its training programs. Pointing to the shared responsibility to safeguard cloud systems and data, he underscored the need for enterprises to understand how to secure and build secured applications. Doing so would further reduce the need to plug gaps later, he noted.

He said an AWS customer was able to reduce its time-to-market by 15% to 25% because its engineers were trained to develop applications with a security-by-design mindset. This meant they did not have to spend as much time debugging and fixing bugs, allowing their company to push out the applications faster, Pillai said.

McAfee Enterprise's security service edge business is now called Skyhigh Security

At the start of this year, Symphony Technology Group (STG) announced Trellix was the new name for the business unit that resulted from the merger of McAfee Enterprise and FireEye last October. During 2021, STG picked up McAfee Enterprise for $4 billion, before paying $1.2 billion to purchase FireEye.

In announcing Trellix, the company detailed the new business would focus on threat detection and response using machine learning and automation. It also said at the time not all of McAfee Enterprise would be bundled into Trellix. The remainder, which is the security service edge portfolio, will now come under the newly announced name of Skyhigh Security. This includes cloud access security broker, secure web gateway, and zero trust network access.

To be headed by former Cisco security senior VP and general manager Gee Rittenhouse, Skyhigh Security has been created to “satisfy the growing cloud security requirements for larger and small organisations”.

“With the majority of data in the cloud and users accessing it from everywhere, a new approach to security is needed,” Rittenhouse said. “Skyhigh Security has created a comprehensive security platform to secure both data access and data use via unified policies and data awareness. Organisations can now have complete visibility and control and seamlessly monitor and mitigate security risks — achieving lower associated costs, driving greater efficiencies and keeping pace with the speed of innovation.”

STG added that splitting McAfee Enterprise into two organisations allows it to “better focus on the very distinct markets” of threat detection and response, and the security service edge.

Biden warns organizations to harden cyber defences against Russian cyber attacks

US President Joe Biden has warned local organizations to bolster their cyber defence efforts as Russia is considering conducting cyber attacks in retaliation for sanctions imposed against the country for its invasion of Ukraine.

“Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” Biden said in a statement. “My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks.”

In light of this intelligence, Biden has called for the US private sector to act immediately to step up their cyber defences. “Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” Biden said.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already reached out to critical infrastructure organizations with information and mitigation guidance to help protect their systems and networks. As part of the warning, the US government issued a guidance factsheet for organizations to take certain cyber defence actions. Among those recommendations are for organizations to mandate the use of multi-factor authentication, deploy modern security tools on computers and devices, check with cybersecurity professionals to make sure systems are patched and protected against all known vulnerabilities, update passwords across networks so previously stolen credentials are useless to malicious actors, back up data and ensure offline backups are available, run exercises and drill emergency plans, encrypt data, educate employees about common forms of malicious activity, and engage proactively with law enforcement authorities.

CISA and the Federal Bureau of Investigation (FBI) also warned satellite communications network providers last week to beef up cybersecurity efforts. The satellite warning came shortly after the two agencies, alongside European authorities, commenced investigations into a cyber attack against Viasat’s internet service for fixed broadband customers in Ukraine. The Viasat outage started on February 28, coinciding with Russia’s invasion of Ukraine. The same day, German energy firm Enercon reported remote communications to 5,800 wind turbines was down due to a satellite outage.

Corrupted open-source software enters the Russian battlefield

It started as an innocent protest. RIAEvangelist, Brandon Nozaki Miller, a maintainer of packages on npm, JavaScript’s package manager, wrote and published an open-source npm package called peacenotwar. It did little except add a protest message against Russia’s invasion of Ukraine. But then it took a darker turn: it began destroying computers’ file systems.

To be exact, Miller added code that would delete the file system of any computer with a Russian or Belarusian IP address. Then, its maintainer added the module as a dependency to the extremely popular node-ipc module. Node-ipc, in turn, is a popular dependency that many JavaScript programmers use. And so it went from annoying to a system destroyer. The code has undergone several changes since it first appeared, but it must be regarded as highly dangerous. Underlining its potential for damage, Miller encoded his code changes in base-64 to make it harder to spot the problem by simply reading the code. According to developer security company Snyk, which uncovered the problem, “node-ipc (versions >=10.1.1