More stories

  • in

    Hit by ransomware or paid a ransom? Now some companies will have to tell the government

    Owners and operators of US critical infrastructure will now in some cases be legally required to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The bipartisan provision was passed by the US Senate as part of the $1.5 trillion FY 2022 funding bill, with language matching the related Strengthening American Cybersecurity Act, which unanimously passed the Senate earlier this month. It requires critical infrastructure owners and operators to report substantial cyberattacks, such as ransomware, to CISA within 72 hours, and to report any ransomware payment within 24 hours of making it. The aim is to give the US government, through CISA, greater visibility into the current threat landscape facing US private and public sector organizations. CISA was granted $2.6 billion under the funding bill, $568 million more than last year, to bolster the security of American networks. The authors of the bill and funding provision, senators Rob Portman (R-OH) and Gary Peters (D-MI), said it was urgently needed to counter potential cyberattacks sponsored by the Russian government in retaliation for US support for Ukraine. “This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” said Senator Peters. “Our provision will also ensure that CISA – our lead cybersecurity agency – has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations.” CISA can also subpoena operators that fail to report incidents or ransomware payments. Failure to comply with a subpoena can be referred to the Justice Department and could result in a ban on contracting with the federal government.
Reporting ransomware payments to CISA within 24 hours is required for nonprofits, businesses with more than 50 employees, and state and local governments. The bill was introduced in September in the wake of Colonial Pipeline’s week-long outage after a major ransomware attack, and a similar attack on meat processor JBS. Colonial paid around $4 million in cryptocurrency to the attackers. The provision requires CISA to launch a program to warn organizations of vulnerabilities that ransomware actors exploit. It directs the CISA director, Jen Easterly, to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The FBI has argued against routing mandatory reports through CISA alone, the Associated Press reports. “We want one call to be a call to us all,” FBI Director Christopher Wray said last week. “What’s needed is not a whole bunch of different reporting but real-time access by all the people who need to have it to the same report.” He also raised concerns about the liability protections organizations have when reporting to CISA but not the FBI. CISA’s Easterly called the cyber incident reporting legislation and funding provision a “game changer”. “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” said Easterly. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

  • in

    Leaks reveal the surprisingly mundane reality of working for a ransomware gang

    A choice of office-based, hybrid or remote work, a human resources team with a strict hiring process, performance reviews, career progression and bonuses: it all sounds like the standard set-up at any software development team. But these aren’t the working conditions at a software company; they are the conditions at Conti, a major ransomware group responsible for a string of high-profile incidents around the world, including cyber attacks which have disrupted businesses, hospitals, government agencies and more. Last month, Conti, which many cybersecurity experts believe operates out of Russia, came out in support of the Russian invasion of Ukraine. This annoyed someone, who then leaked months of Conti’s internal chat logs, providing inside information on the day-to-day operations of one of the most prolific ransomware operations on the planet. And while Conti’s actions, hacking into networks, encrypting files and demanding ransom payments of millions for a decryption key, can have a dramatic impact on the organisations that fall victim, the leaks paint a relatively mundane picture of an organisation with coders, testers, system administrators, HR personnel and other staff. Researchers analysing the logs were able to identify a range of job roles across the organisation, from the HR team responsible for making new hires, to the malware coders, testers, ‘crypters’ who work on code obfuscation, sysadmins who build the attack infrastructure, the gang’s offensive team who aim to turn a breach into a full capture of the targeted network, and the negotiation staff who try to make a deal with the victims. Many of those involved in Conti become involved via advertisements on dark web underground forums, but some are approached using more traditional means, like Russian recruitment websites, head-hunting services and word of mouth.
Like any other hiring process, applicants are interviewed to ensure they have the right skills and would be a good fit for the group. According to analysis of the leaks by cybersecurity researchers at Check Point, some people recruited by Conti aren’t even aware they’re working for an illegal operation, at least initially: the leaks suggest that some of those brought in for interviews are told they’re helping to develop software for penetration testers. One leaked chat reveals how one member of the Conti staff, who unlike almost every other member of the group mentions their real name, was confused about what the software they were working on actually did, and why the people he worked with tried so hard to protect their identities. In this case, his manager tells the employee he’s helping to build the backend for analytics software. And this wasn’t a one-off: there are many members of the Conti gang who seemingly don’t grasp how they’re involved in cyber crime. “There are dozens of employees that were hired via legitimate job processes and not via underground forums. It is tough to tell how many of them don’t understand at all what they are doing, but many of them for sure don’t understand the real scope of the operation and what exactly their employer is doing,” Sergey Shykevich, threat intelligence group manager at Check Point Software, told ZDNet. Sometimes these initially unwitting accomplices to cyber crime later discovered what they were helping to build. In these cases, the managers attempted to reassure their employees with the offer of a pay rise, and many opted to stay, the lucrative nature of the work being more appealing than quitting to find another job. While many of the roles are purely online, Conti’s chat logs reveal that it isn’t unusual for members of the group to work from communal offices and workspaces in Russian cities.
Once again, the chat logs reveal some of the day-to-day events and incidents that the employees face; for example, someone sent messages asking their colleagues to let them in because a door was jammed from the outside. The leaks have provided cybersecurity researchers with valuable insight into how one of the world’s most notorious ransomware operations works, as well as the tools and techniques it uses to extort ransoms from victims. But despite the embarrassment for a ransomware operation of having so much internal data leaked, especially given that a key Conti tactic is to threaten to publish stolen data if victims don’t pay the ransom, it’s unlikely to be the end of the group, which is still publishing information on new victims. Some employees may leave, but even for those who unwittingly signed up to cyber crime, the lure of reliable income could still be enough to encourage them to stay, especially as sanctions against Russia could restrict their employment opportunities. “I don’t see any scenario that they will stop with the cyber crime activity completely,” said Shykevich. “The availability of potential positions in the legitimate tech sector in Russia for developers and pen testers has become much lower, so I think even the unwitting employees that now understand what they are doing will move to cyber crime, as it will be difficult for them to find a legit job,” he added. Ransomware remains a major cybersecurity threat that can cause a huge amount of disruption to organisations of all kinds. The best defence against ransomware is to make the network as hard to compromise as possible, with appropriate levels of security, including multi-factor authentication across the network.
It’s also vital for organisations to apply security updates and patches for known software vulnerabilities as soon as possible, as these, along with weak credentials, are among the key entry points exploited to launch ransomware attacks.

  • in

    Automotive giant Denso confirms hack, Pandora ransomware group takes credit

    Denso has confirmed a cyberattack impacting the firm’s German operations. 

    The company is a global supplier of automotive components, including those developed for autonomous vehicle features, connectivity, and mobility services. Denso says that its technologies are used in “almost all vehicles around the globe.” Clients include Toyota, Honda, General Motors, and Ford. Consolidated revenue in the 2020-2021 fiscal year was reported as $44.6 billion. On March 14, Denso said that four days prior, a third party had “illegally accessed” the firm’s network. When the intrusion was detected, the automotive giant cut off the connection.  While the incident is under investigation, Denso says that there is “no impact” on other facilities and no disruption has been caused to production plants or manufacturing schedules.  Local authorities have been informed and the company has pulled in cyberforensic experts to assist.  “Denso would like to express its sincerest apologies for any concern or inconvenience resulting from this incident,” Denso said. “Denso Group will once again strengthen security measures and work to prevent a recurrence.” It appears that the Pandora ransomware group has claimed responsibility. The group’s leak site, accessed by ZDNet via Kela’s Darkbeast engine, claims that 1.4TB of data has been stolen.  Leak sites are used to pile on the pressure for victims to pay up after a ransomware attack. Cybercriminals infiltrate a corporate network, steal data, and then encrypt a system — and if demanding payment for decryption does not work, they may then threaten to leak stolen information online.  In this case, the leak site appears to show samples of the stolen datasets, including a purchase order, a technical component document, and a sales file. (ZDNet has redacted information contained in the document.)
    ZDNet has reached out to Denso with additional queries and we will update when we hear back.

  • in

    Ukraine reportedly adopts Clearview AI to track Russian invaders

    Ukraine is reportedly using Clearview AI technologies to track “people of interest” during the Russian invasion.  

    On March 13, Reuters reported that the Ministry of Defence of Ukraine had adopted the firm’s facial recognition engine. Clearview CEO Hoan Ton-That offered the US company’s assistance to Kyiv, and according to the news outlet the technology is being used, free of charge, to “potentially vet people of interest at checkpoints, among other uses.” The startup has not offered the same to Russia, whose president, Vladimir Putin, calls the war a “special military operation.” Clearview offers facial recognition technologies to law enforcement for criminal investigations. The US Patent and Trademark Office (USPTO) awarded the company a patent in January for using publicly available data, including mugshots, social media profiles, and news sites, to match “similar photos using its proprietary facial recognition algorithm.” Over two billion of the photos in Clearview’s database were grabbed from VKontakte, a Russian social network, out of more than 10 billion reportedly available for searches. As well as flagging Russian individuals of interest to the authorities, the Clearview AI search engine could be used to identify misinformation and propaganda online, to identify refugees and family connections, or potentially to try to identify fatalities. However, no facial recognition algorithm is perfect, and uncontrolled use or abuse could result in misidentification or false arrests; against a database of billions of faces, even a very small false-match rate produces many wrong candidates, so a match should be treated as a lead to be verified rather than as an identification. Reuters reports that other Ukrainian government departments will deploy Clearview technologies in the near future, and that training is being provided in the use of the technology. According to Ukraine’s economic ministry, the invasion has caused at least $120 billion in damages to the country’s infrastructure.

  • in

    Ubisoft reveals 'security incident' forcing company-wide password refresh

    Ubisoft has confirmed a recent “cybersecurity incident” but insists it has not led to user data theft or exposure. The gaming giant, headquartered in Montreuil, France, said on March 10 that the incident took place earlier this month, causing “temporary disruption to some of our games, systems, and services.”

    Ubisoft’s IT team is working with cybersecurity experts to investigate the situation and, as of now, has initiated a company-wide password reset. No further security measures or changes have been made public. The company says that games and services are now working properly, and that there is no evidence, at present, of “any player personal information [being] accessed or exposed as a by-product of this incident.” As reported by The Verge, the LAPSUS$ data-extortion gang has reportedly taken credit. LAPSUS$ previously claimed responsibility for February’s Nvidia hack, in which the group claimed to have stolen approximately 1TB of data. Hashed Nvidia employee credentials were leaked. “We are aware that the threat actor took employee passwords and some Nvidia proprietary information from our systems and has begun leaking it online,” the vendor responded at the time the incident was made public. “Our team is working to analyze that information. All employees have been required to change their passwords.” According to a Telegram group chat allegedly operated by LAPSUS$, there has been a “delay” in further Nvidia releases due to “one of our members begging Nvidia for stupid amounts of money.” (The post has since been deleted.) In December 2021, Ubisoft said a cyberattack had been launched against the infrastructure supporting the game Just Dance; that incident was caused by a “misconfiguration” that has since been resolved. ZDNet reached out to Nvidia, which referred us back to the firm’s past statement on the incident.

  • in

    Meta reiterates politician claims will not be fact-checked for Australian federal election

    Meta, formerly Facebook, has reiterated that fact-checking of politicians’ claims will not be part of its measures for preventing the spread of misinformation in this year’s Australian federal election. “The speech of politicians is already very highly scrutinised,” Meta Australia policy head Josh Machin told reporters at a press briefing. “It’s scrutinised by [journalists], but also by academics, experts, and their political opponents who are pretty well-positioned to push back or indicate they don’t believe something’s right if they think they’re being mischaracterised.” Misinformation that is political in nature and comes from people who are not politicians will be eligible to be fact-checked, however. In clarifying Meta’s stance about fact-checking politicians, the company said its election integrity measures for Australia’s upcoming federal election are its “most comprehensive” yet. “This is by far the most comprehensive package of election integrity measures we have ever had in Australia,” Machin said. The Australian Electoral Commission (AEC) last month said it received assurances from large social media platforms that they would allocate more resources for monitoring election disinformation and misinformation for the upcoming Australian federal election. As part of these measures, Meta has expanded its third-party fact-checking program in Australia to include RMIT FactLab, which joins Agence France-Presse and Australian Associated Press (AAP) to review and rate content on the company’s platforms. The company has also provided one-off grants to these fact-checking organisations to bolster misinformation-detection capabilities during the Australian federal election, but the organisations are not required to use those funds for that purpose. RMIT FactLab’s services are already being used by Australian media organisations, such as the ABC, but Machin clarified that the services used by Meta are separate from those.
The tech giant is also working with the AAP to re-run the “Check the Facts” media literacy campaign in three additional languages, Vietnamese, Simplified Chinese, and Arabic, as part of efforts to help people recognise and avoid misinformation. The campaign was expanded to these languages because they are the three largest non-English speaking communities in Australia, Meta said. Meta has also partnered with the online transparency organisation First Draft, which will publish related analysis and reporting on its website about online trends to help creators and influencers track what online misinformation might look like during the election campaign. These measures are in addition to Meta’s LiveDisplay tool, the Ad Library that launched last year, and its updated political ad policies, which require advertisers to go through an authorisation process using government-issued photo ID to confirm they are located in Australia. All of these ads are also required to carry a publicly visible disclaimer indicating who has paid for them. Meta’s announcement of its election integrity measures comes in the face of heavy scrutiny by the federal government, which is looking to enact various new laws that aim to make tech giants more accountable for the content that exists on their platforms. Australian parliamentarians are also undertaking a probe to scrutinise major technology companies and the “toxic material” that resides on their online platforms. As part of the social media probe, Liberal MP Lucy Wicks last week criticised digital platforms for touting “very strong community standards policies” despite various instances of users not being protected by those standards. “My concern is that I see very strong community standard policies, or hateful content policies or ‘insert name of keep the community safe’ policies from various platforms.
I almost can’t fault them but I find a very big gap with the application of them,” she told Meta during a social media and online safety parliamentary committee hearing. Wicks’ comments were made in light of 15 female Australian politicians, including herself, being the targets of abusive online comments that were only taken down following law enforcement intervention.

  • in

    Data centres are still a tempting target for hackers: Here's how to improve your security

    Even if cloud computing is on the rise, there are still a lot of corporate data centres around, and they are a very tempting target for cyber criminals and malicious hackers. To help protect data centres, and the data stored within them, the National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure (CPNI) have come together to offer security guidance to data centre operators and users. “Operators and users of data centres have a clear responsibility to protect the data that they hold and process – failing to do this poses a massive financial, reputational and, in some cases, national security risk,” said Dr Ian Levy, technical director at NCSC. “Owning these responsibilities means understanding the array of methods that malicious actors could use to compromise a data centre both physically and digitally,” he added. There are several issues which data centre operators and users should be thinking about in order to ensure best security practice and keep data safe and secure.
    Risk management
    Both data centre operators and data centre users should be able to identify their assets, identify threats, assess risks, develop a protective security strategy and implement the correct measures to ensure all these risks are managed. These processes should also be reviewed periodically, as risks and threats change. Measures should also be put in place so that, if a data centre is targeted by an attack designed to disrupt it, services can be maintained. For data centre operators, risk management should be driven by senior leaders to be most effective.
    Resilience
    Data centres need to be resilient against various threats and hazards. This includes distributed denial-of-service (DDoS) attacks and other cyber attacks, but they also need to withstand hardware failures, power outages and natural disasters. For power outages, for example, organisations need to ensure there is a reliable backup power system that can keep them running. Users should also plan on the assumption that at some point their cyber defences will be breached, and know how they would detect and react to attacks to minimise the impact of cybersecurity incidents.
    Geography and ownership
    It is important for organisations to know where data is stored, particularly as cloud hosting providers operate around the world. The NCSC notes that storing data with service providers that host servers in China or Russia could be considered a risk because of the laws around government access to data in those countries.
    Physical perimeter and buildings
    It isn’t just cyber attacks that threaten data centres; they could be physically attacked or sabotaged too. Data centres should have physically secure perimeters designed to keep unauthorised visitors out and make the server rooms difficult for anyone without permission to enter. Detection measures should also be in place to identify intruders, including physical security systems, CCTV and alarms.
    People
    With the right training, people can become a force for better security. Employees and users who are aware of potential cyber threats can help to identify and disrupt potential cyber attacks, while a good security culture throughout the organisation reduces the risk of insider threats becoming a problem. For data centre customers, it is important that the data centre provider can demonstrate the policies and procedures it has in place to show that its personnel operate securely.
    Supply chain
    Cybersecurity vulnerabilities can be introduced at any point in the supply chain, especially if key services like data centres and storage are being purchased from third-party suppliers. As various incidents have proved, it is possible for attackers to compromise those suppliers and use them to gain access to the networks of their customers. It is important to understand the potential risks in the supply chain, to research who the provider is and what their security posture is like, and to have a plan in place if things go wrong.
    Cyber
    It is important to remember that data centres are valuable targets for cyber criminals and nation-state backed hackers. In many cases the aim of an attack is to steal or even destroy data. Those responsible for their organisation’s data centres should plan around the assumption that a successful cyber attack will happen and take steps to ensure incidents can be detected and their impact minimised.

  • in

    LastPass vs 1Password: Battle of the password manager titans

    Passwords are a fact of life, and if you’re one of those people who reuses the same couple of passwords because that’s all you can remember, then you really need to think seriously about a password manager. But in a world where there are countless options, which one is the right one for you? Here I’m going to look at two of the most popular options, LastPass and 1Password, and examine the pros and cons of each.

    But before I go on, what is a password manager? A password manager is an app or, more commonly these days, a combination of online services and apps that safely and securely stores your passwords and distributes them to all your devices. Because a password manager holds all of your passwords, it is important to choose a trustworthy, reliable, and secure service; this is not a job you want to entrust to any old no-name company. The two services I’m going to look at here are LastPass and 1Password. I’ve used both extensively for several months, and I’ve found them both to be very capable password managers. And while on the surface they seem similar, there are some key differences between the two that might influence which one you choose. Note: Neither LastPass nor 1Password had any input on this review, and neither company got to see it before it was published.
    The plans
    Let’s begin by comparing the basics of the plans on offer for each. It’s important to realize that only LastPass offers a free plan, but it has become so limited (the one-device-type limit is very restrictive) that I don’t recommend it for those wanting a free password manager. Note: If you are looking for a free password manager, my recommendation is Bitwarden.

    LastPass
    Like:
    • “Power user” feel
    • Broad platform support
    Don’t like:
    • Very limited “free” offering
    • Relies on browser extensions
    Settings options allow all sorts of customizations via the web interface. The “free” option is limited, and LastPass uses browser extensions on most desktop platforms. LastPass offers three “single-user and families” plans, along with separate plans for business users.
    Free: $0
    • Unlimited passwords
    • Access on one device type (computer or mobile)
    • 30-day Premium trial
    • Save and autofill passwords
    • One-to-one sharing
    • Multi-factor authentication
    • Password generator
    Premium: $3 per month
    • Includes all Free features
    • Access on all devices
    • One-to-many sharing
    • 1GB encrypted file storage
    • Security dashboard
    • Dark web monitoring
    • Emergency access
    • Priority tech support
    Families: $4 per month
    • Includes all Premium features
    • 6 individual, encrypted vaults
    • Family manager dashboard to manage users and security
    • Group and share items in folders
    • Individually encrypted storage
    • Personal security dashboards and notifications

    1Password
    Like:
    • Custom apps for all platforms
    • Feels “easy” to use
    • Easy setup
    Don’t like:
    • No free plan
    1Password feels “easier” to use, especially for those who don’t want or need to take deep dives into the service. It is easy to set up and very easy to move to another device, it has custom apps for all platforms, and it offers extra protection from its “secret key.” 1Password offers two plans for home users, along with separate plans for teams and businesses.
    Individual: $2.99 per month
    • Apps for Mac, iOS, Windows, Android, Linux, and Chrome OS
    • Unlimited passwords, items, and 1GB document storage
    • 24/7 email support
    • 365-day item history to restore deleted passwords
    • Travel Mode to safely cross borders
    • Two-factor authentication for an extra layer of protection
    • Share your sensitive information securely with anyone
    Families: $4.99 per month
    • All the 1Password features, plus:
    • Invite up to 5 guests for limited sharing
    • Share passwords, credit cards, secure notes, and more
    • Manage what family members can see and do
    • Recover accounts for locked-out family members
    Working with your passwords
    How you’re going to be working with your passwords varies between the different services. I don’t mind if I have to use a browser extension or an app, but I know that other people have their preferences. Usability is so subjective that it’s borderline pointless to review, because I can only tell you what I like and not what might work for you. But my feeling is that 1Password offers a simpler, cleaner approach, while LastPass is more basic and utilitarian. While I’m overgeneralizing here, 1Password is better suited to the average user, while LastPass is a better choice for those who want access to the bowels of the password manager. My advice here is to take LastPass and 1Password up on their free trial offers and see what works for you.
    Encryption
    I don’t really have any concerns about the security offered by either service, but there is one difference that’s worth bearing in mind. Both services encrypt and decrypt vault data on your device, so the vendors’ servers only ever hold ciphertext.
    LastPass uses 256-bit AES encryption, with PBKDF2-SHA-256 to stretch the master password into the vault key. 1Password also uses 256-bit AES encryption with PBKDF2 for the master password, which raises the cost of each brute-force guess; in addition, a 128-bit secret key, generated on your own device and never sent to 1Password, is combined with the master password when the vault key is derived. In basic terms both are strong, but the secret key is a meaningful extra step: if a copy of your encrypted vault ever leaks, PBKDF2 alone only slows down an offline guessing attack against a weak master password, whereas an attacker who does not also hold the secret key cannot derive the vault key no matter how many guesses they make. That said, I don’t think I’d switch to 1Password just for the security of the secret key.
    Multi-factor authentication and security
    Relying on passwords alone is a bad idea, and having the ability to use multi-factor security significantly boosts the security offered.


    Both LastPass and 1Password offer a wide array of multi-factor security options, including support for software authenticators and hardware keys (such as YubiKey). There are subtle differences in how this is implemented across the two services and the wide array of platforms each supports, but you get full multi-factor authentication support with either. Both services also support device features such as Face ID/Touch ID on iOS and fingerprint readers on Android, along with other security features offered by the platforms and operating systems. Again, this varies with the service and the device, but it’s there for both. One caveat worth knowing: biometric unlock is a convenience for opening the locally cached vault on that device, not a second factor for the account itself, so it is no substitute for enabling MFA on the account.
    Support
    There may come a time when you need a little help. LastPass’s paid users get premium support, but those on the free plan are limited to whatever information is on LastPass’s website. While the chances of you needing support are low, you can never rule it out. 1Password offers a broad range of support options, but the one feature that elevates it over LastPass, in my opinion, is an active and supportive community forum. In my experience, users will get a solution to most problems there even quicker than going through the support channels, which are themselves quite fast.
    The bottom line
    The truth is that both LastPass and 1Password are excellent password managers. Some key differences might help you choose between one or the other. However, if you are still totally torn, I recommend taking each company up on its free trial offer.
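    To make the key-derivation difference from the Encryption section concrete, here is an added example of my own, not LastPass’s or 1Password’s code. It stretches a master password into a vault key with PBKDF2-HMAC-SHA256, then shows what an attacker holding a leaked copy of the encrypted vault (plus its salt) can do with a small wordlist, first against a password-only derivation and then against one that also depends on a 128-bit secret key held only on the user’s devices. The toy vault uses an HMAC tag in place of real AES-GCM so it runs on the Python standard library alone, the way the secret key is mixed in (HMAC over the stretched password) is a simplification assumed for the example rather than 1Password’s actual two-secret key derivation, and the iteration count, wordlist and vault contents are constructed.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Added example, not LastPass's or 1Password's code. The iteration count is
# kept low so the demo runs in well under a second; production services use
# 100,000 or more.
ITERATIONS = 20_000
SECRET_KEY_LEN = 16   # 128 bits, the secret-key size the review mentions for 1Password
TAG_LEN = 32          # HMAC-SHA256 output size


def derive_vault_key(master_password: str, salt: bytes,
                     secret_key: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    If a secret key is given it is mixed in afterwards with HMAC, so reproducing
    the vault key needs BOTH the password and the secret key. This two-step mix
    is an assumption of the example, not 1Password's real two-secret derivation.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, "sha256").digest()


def seal_vault(contents: bytes, key: bytes) -> bytes:
    """Toy vault format: HMAC-SHA256 tag || contents.

    The tag stands in for the authentication tag a real AES-GCM vault carries:
    it lets anyone holding a candidate key test whether that key is correct,
    which is exactly what an offline attacker relies on. No confidentiality is
    provided here; this is a standard-library-only demonstration.
    """
    return hmac.new(key, contents, "sha256").digest() + contents


def open_vault(sealed: bytes, key: bytes) -> Optional[bytes]:
    """Return the contents if `key` verifies the tag, otherwise None."""
    tag, contents = sealed[:TAG_LEN], sealed[TAG_LEN:]
    expected = hmac.new(key, contents, "sha256").digest()
    return contents if hmac.compare_digest(tag, expected) else None


def offline_guess(sealed: bytes, salt: bytes, candidates: Iterable[str],
                  iterations: int = ITERATIONS) -> Optional[str]:
    """What an attacker with a leaked vault and salt, but no secret key, can do:
    derive a key from each candidate password and test it against the tag."""
    for candidate in candidates:
        if open_vault(sealed, derive_vault_key(candidate, salt, None, iterations)) is not None:
            return candidate
    return None


def demo() -> dict:
    """Run both scenarios and report the outcomes."""
    salt = os.urandom(16)
    vault = b"constructed sample vault: example.com / alice / <password entry>"
    weak_master = "password123"                                            # guessable
    wordlist = ["letmein", "123456", "qwerty", "password123", "welcome1"]  # constructed

    # Scenario 1: password-only derivation. PBKDF2 makes each guess cost
    # ITERATIONS hashes, but cannot stop a password that is in the wordlist.
    sealed_pw_only = seal_vault(vault, derive_vault_key(weak_master, salt))
    cracked = offline_guess(sealed_pw_only, salt, wordlist)

    # Scenario 2: the same weak password, but the vault key also depends on a
    # random 128-bit secret key that the attacker does not have.
    secret_key = os.urandom(SECRET_KEY_LEN)
    sealed_two_secret = seal_vault(vault, derive_vault_key(weak_master, salt, secret_key))
    cracked_with_secret = offline_guess(sealed_two_secret, salt, wordlist)

    # The legitimate user, holding both factors, still opens the vault.
    user_opens = open_vault(sealed_two_secret,
                            derive_vault_key(weak_master, salt, secret_key)) == vault

    return {"password_only_cracked": cracked,
            "two_secret_cracked": cracked_with_secret,
            "user_can_open": user_opens}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    Run it directly to see the three outcomes: the password-only vault falls to the wordlist, the two-secret vault does not, and the legitimate user still opens it. The practical lesson matches the review: PBKDF2 raises the cost per guess, but only a second secret the attacker does not hold turns a guessable master password into a vault that cannot be cracked offline.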
