More stories

  • Samsung confirms Galaxy source code breach but says no customer information was stolen

    Samsung on Monday confirmed that the company recently suffered a cyberattack, but said that it doesn’t anticipate any impact on its business or customers.

    Last week, South American hacking group Lapsus$ claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech giant’s servers. The group also posted snapshots of the alleged data online.


    Samsung has now confirmed in a statement, without naming the hacking group, that there was a security breach, but it asserted that no personal information of customers was compromised.

    “We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” the company said. “According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

    On whether the company had received a demand for payment or was in negotiation with any hacking group, a company spokesperson declined to comment on the matter.

    Hacking group Lapsus$ also claimed last month that it had stolen 1TB of data from GPU giant Nvidia, while also posting snapshots of some of the data online. In response last week, Nvidia also confirmed that some employee credentials and proprietary information were stolen, but also said it doesn’t expect disruption to its business.

  • Australia launches federal election disinformation register to fight mistruths

    Australia’s electoral body has launched a new disinformation register to debunk misleading and deceptive information about how elections are run, in order to protect the integrity of the country’s upcoming federal election.

    The new register comes in response to an uptick in election conspiracy theories circulating online in recent months, as it is a federal election year. According to the Australian Electoral Commission (AEC), the disinformation register is a regularly updated database containing examples of disinformation and misinformation that have circulated online from late 2021 onwards.

    The AEC explained that each piece of disinformation discovered by the commission would be presented in the register with information about which platform it was spread on, the timing, the factual information regarding the matter, and the actions taken by the commission to correct the record.

    “We’re not messing around,” AEC chief Tom Rogers said. “The Australian vote belongs to all Australians and there is freedom of political communication. However, if you spread incorrect information about the processes we run — deliberately or otherwise — we’ll correct you.”

    Examples of disinformation flagged in the AEC disinformation register.
    Examples of disinformation that have already been added to the register include claims that people will only be eligible to vote if they are fully vaccinated and that pencil marks are erased in the counting process. Both of these claims are mistruths, the register states.

    Beyond the disinformation register tool, the AEC has been working more closely with social media platforms to quickly remove election misinformation and disinformation. As part of this, all major social media platforms have given “assurances” that they will allocate more resources to monitoring election disinformation and misinformation for the upcoming Australian federal election.

    “For this election, we’re getting assurances from all of them that they will be expanding their hours of service, including having not just expanded hours of service here in Australia but then actually having staff in other parts of the world so that they can try and get as close to 24/7 coverage — so they’re not confined by the business hours of the staff here in Australia,” deputy electoral commissioner Jeff Pope said last month.

  • The IT department was asked to spy on co-workers. It didn't go well

    IT? Or MI5?
    The more we’ve come to rely on technology, the more we’ve lurched toward surveillance.

    In one sense, it’s all too human. Who trusts anyone these days?

    In another, however, it’s a dark portent of a world gone twisted.

    I’ve never been the same since reading the tale — posted to Reddit last year — of a company that used an IM system that offered three status choices: idle, available, or in a meeting. This fine system registered an employee as “idle” if they didn’t touch their keyboard for five minutes. And what a word to use anyway — idle — as if you’re lazing around, thinking about nothing at all. Some of people’s best work is performed when they’re idle, leaning back, and staring into space.

    I wanted to believe this was an isolated piece of software, even though I felt sure it wasn’t. And then there came the long and torrid story, recently reported by Business Insider, of a company called CoStar. There had been a “mass exodus” at this commercial real estate data firm. People choose to leave tech companies all the time, especially in the current climate of full employment. At CoStar, though, one of the reasons for employee discomfort was reportedly the enrollment of its IT department as, well, something of a spy network.

    The 15 people in IT were asked to perform 100 video calls to other employees. Spontaneous ones. (CoStar denies this happened.) They were reportedly told to say they were checking to see if the company’s VPN was working as it should.

    As Business Insider tells it, the IT people were “told to note whether that employee answered the call promptly and enabled their video during the chat, and to log more personal details, including a description of where that person was working and whether they were dressed professionally.”

    One person’s idea of professional dressing is another person’s “why did you spend so much money on that hat from Neiman Marcus?”

    Back to the spying. Apparently, if the employee didn’t respond to the call three times, they were put on the naughty list. Or, worse, shown straight to the door.

    Too often, technology is being used as a substitute for other skills — management, for example. A good manager understands that some employee metrics can’t be analyzed. There are contributions that can’t be measured, either by a machine or by a spy report.

    Tracking employees by the minute sucks the humanity and the dignity out of work. Is it so surprising that companies are suddenly finding it difficult to hire good employees — or any, really?

    Equally, I’m left to wonder about the IT employees asked to perform surveillance. I know a couple of IT people. They tell me of occasional requests from management to surveil others — requests that turn their stomachs. When I ask how they deal with it, they shrug, as if it’s simply part of their job these days. Keeping the network together by day, spying by day, too.

    As business software becomes ever more powerful and ubiquitous, those in charge are tempted toward the sneaky and iniquitous. Too many believe it’s their right to know everything about their employees. Too many have little regard for the one thing that suffers: trust.

    What are they afraid of?


  • CISA pledges to share incident reports with FBI after DOJ backlash to bipartisan cybersecurity act

    The director of the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Friday that the agency would be “immediately” sharing incident reports from critical infrastructure organizations with the FBI.

    The FBI and Department of Justice caused a minor furor on Thursday when both came out harshly against the Strengthening American Cybersecurity Act, landmark cybersecurity legislation that sailed through the Senate unanimously on Tuesday. The act forces critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.

    In statements to Politico, FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco trashed the bipartisan bill because the FBI and DOJ are not included alongside CISA. Wray said it “would make the public less safe from cyber threats” and Monaco claimed the bill leaves the FBI “on the sidelines and makes us less safe at a time when we face unprecedented threats.”

    The statements shocked officials on both sides of the aisle in the Senate and House, according to statements provided to Politico. The White House came out in support of the bill on Thursday evening but told CBS that it was “exploring all options, to ensure that the legislation enables all relevant Federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions.”

    On Friday afternoon, CISA director Jen Easterly addressed the issue publicly, writing on Twitter that the agency would “immediately” share the incident reports with the FBI.

    “We have a terrific operational partnership w/our #FBI teammates & will continue to do so, to include always ensuring that cyber incident reporting received by @CISAgov is immediately shared with them. END” — Jen Easterly (@CISAJen), March 4, 2022

    “The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a critical step forward in ensuring our nation’s security. As the nation’s cyber defense agency, it gives CISA another key tool to respond to & mitigate the impact of cyber attacks,” Easterly said. “We have a terrific operational partnership w/our #FBI teammates & will continue to do so, to include always ensuring that cyber incident reporting received by CISA is immediately shared with them.”

    Spokespeople for the lead senators behind the bill, Senate Homeland Security Committee Chair Gary Peters and ranking member Rob Portman, criticized the FBI and DOJ for attacking the bill, telling Politico that both were consulted on it for months. The FBI had previously expressed its desire to be included in any incident reporting legislation during hearings that took place in September. Both Easterly and National Cyber Director Chris Inglis backed the inclusion of the FBI at the time, and the Senate changed the bill to mandate that CISA share incident reports with the FBI and other agencies within 24 hours. Despite the changes, Monaco told Politico on Thursday that “changes” still needed to be made to it.

    The FBI and DOJ did not respond to requests for comment on Friday about whether they will now support the legislation in light of Easterly’s comments.

    The 200-page act, which combines pieces of the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act, includes several measures designed to modernize the federal government’s cybersecurity posture, and both Peters and Portman said the legislation was “urgently needed” in light of US support for Ukraine, which was invaded by Russia last week.

    Rep. Jim Langevin, the co-chair of the Cybersecurity Caucus, said getting incident reporting, FISMA and FedRAMP across the finish line and onto the President’s desk “should be top priorities for this Congress.”

    “My colleagues in the House and I have worked hard to develop strong language to accomplish these goals, not all of which is included in this bill, such as the need to codify the dual-hat role of the federal CISO,” Langevin told ZDNet. “I look forward to building upon this week’s progress to pass strong cyber legislation out of both chambers, so that we can meet our nation’s urgent cybersecurity needs.”

  • The top 1,000 open-source libraries

    When you think of important open-source projects you almost certainly recall Linux, the Apache Web Server, LibreOffice, and so on. And that’s true. These are vital, but beneath them are the critical software libraries that empower hundreds of thousands of other programs. These are far less well known. That’s why the Harvard Laboratory for Innovation Science (LISH) and the Linux Foundation’s Open Source Security Foundation (OpenSSF) recently put together a comprehensive survey, Census II of Free and Open Source Software – Application Libraries, of these under-the-hood critical programs.


    This is the second such study. The first, 2020’s “Vulnerabilities in the Core,” a preliminary report and Census II of open-source software, focused on the lower-level critical operating system libraries and utilities. This new report aggregates data from over half a million observations of free and open-source (FOSS) libraries used in production applications at thousands of companies.

    The data for this report came from the Software Composition Analysis (SCA) scans of the codebases of thousands of companies. This data was provided by Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA.

    The purpose of this, besides simply wanting to know what were indeed the most popular open-source application libraries, packages, and components, is to help secure these projects. Until you know what’s important, you can’t know what you need to secure first. For example, the heretofore relatively unknown log4j logging package became a massive security problem when the Log4Shell zero-day was revealed. Jen Easterly, the director of the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), called it “the most serious vulnerability I’ve seen in my decades-long career.” This bug affected tens or hundreds of millions of devices and programs.

    Kevin Wang, FOSSA’s founder and CEO, observed, “The ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software.” Only by understanding our open source dependencies, he added, “can we improve transparency and trust in the software supply chain.”

    Mike Dolan, the Linux Foundation’s senior vice president of Projects, added, “Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support. Open-source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces.”

    This census breaks down the 500 most used FOSS packages in eight different areas. These are different slices of the data: versioned/version-agnostic, npm/non-npm package manager, and direct/direct and indirect package calls. For example, the top 10 version-agnostic npm JavaScript packages that are called directly are:

    • lodash
    • react
    • axios
    • debug
    • @babel/core
    • express
    • semver
    • uuid
    • react-dom
    • jquery

    These, and the other top libraries, need to be closely watched for any security issues. Besides simply listing them, the survey’s authors, from Harvard University, made five overall findings:

    1) There’s a need for a standardized naming schema for software components. As it is, the names aren’t random, but there’s not a lot of rhyme or reason to them either.

    2) We need to clean up the complexities of package versioning. Can you tell at a glance what version a package is? You can if you work on that program, but if you just use it as a brick in your higher-level software, it can be a mystery.

    3) Much of the most widely used FOSS is developed by only a handful of contributors. Everyone knows the XKCD cartoon of a giant software stack that all depends on a single developer in Nebraska. The sad and funny thing about this is that it’s not a joke. We still depend on code that relies on a sole programmer.

    4) Improving individual developer account security is becoming critical. With hacking attacks on developers becoming more common, we must protect their accounts like the crown jewels of development they are.

    5) Legacy software in the open-source space needs to be cleaned up. Usually, we think of legacy software in terms of that one guy we all know who’s still running Windows XP. But old, crufty code lives on in open-source repositories as well.

    That said, while this survey is useful, the work is far from done. More and continuing work needs to be done. All the participants in this report are planning on working on another study. This is only a precursor to more exhaustive studies to come, to better understand these critical pillars of our information infrastructure.

  • These old security vulnerabilities are creating new opportunities for hackers

    Old security vulnerabilities in corporate networks are leaving organisations at risk from ransomware and other cyber attacks as hackers look to actively exploit unpatched systems and legacy software. Analysis by cybersecurity researchers at F-Secure suggests that 61% of security vulnerabilities which exist in corporate networks are from 2016 or even older, despite patches being available for five years or more. Some of the vulnerabilities which continue to be exploited to breach networks are more than a decade old.

    One of the most common unpatched vulnerabilities plaguing businesses is CVE-2017-11882, an old memory corruption issue in Microsoft Office, including Office 365, which was uncovered and patched in 2017 but had existed since 2000. According to F-Secure, it’s one of the most actively exploited vulnerabilities on Windows. The vulnerability requires little interaction from the user, making it useful for cyber criminals running phishing campaigns. Researchers note that since it was detailed in 2017, the vulnerability has regularly been used by hacking groups, including Cobalt Group.

    Other common vulnerabilities detailed in the research paper include CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7, which was detailed in 2012, and CVE-2013-1493. Security patches are available to protect against these vulnerabilities and have been available for years, but many organisations haven’t applied the updates, leaving them vulnerable to various cyber criminal intrusions.

    According to the report, organisations see ransomware as the key cybersecurity threat they face, but the same vulnerabilities can also be exploited by cyber criminals looking to implant trojan malware, or to gain access to networks by stealing usernames and passwords. But it’s not just cyber criminals which pose a risk to organisations; nation-state backed hacking groups will often use the exact same vulnerabilities because they can be used to provide relatively easy access to networks.

    Identifying and managing vulnerabilities can be a difficult task, especially for large organisations with vast IT estates, but the most effective way to prevent cyber criminals from exploiting vulnerabilities is for the IT department and information security teams to know what’s on the network and move to protect it, by applying security patches, hardening defences or both.

    “Organisations that understand their IT estates, what opportunities they have to detect attacks, and what risks and threats are facing their industry, can prepare themselves to mitigate most of the damages caused by the kind of ransomware attacks we see today,” said F-Secure global head of incident response Joani Green, who also warned that plans should be put in place for how to deal with successful attacks.

    “Detecting attacks is obviously the first step, but organizations that prepare a full plan for responding can put a stop to these incidents in a matter of hours instead of days or weeks,” she said.

  • Google: To stop phishing and malware we're changing our comment notifications

    Google has made a small but important change to how it presents comment notifications in Docs messages to help users spot phishing email attempts.

    Over the past year, Google Workspace app Docs has gained new collaboration features like @mentions that aim to modernize productivity software. But as ZDNet’s Jonathan Greig noted in January, hackers were exploiting the feature by adding @mentions in Docs that trigger an email to the target’s inbox. In that attack, the commenter mentions the target with an @ and an email is then automatically sent to the target’s inbox. The email arrives from Google with the full comment as well as potentially malicious links and text.

    But as security firm Avanan noted at the time, the main problem was that the message triggered by the @mention didn’t display the email address of the commenter — only their name. The absence of the commenter’s email address made it easier for the attacker to phish a target for credentials by pretending to be someone the recipient knows and trusts.

    Google has responded to this phishing attack by now including the email address of the person whose @mention generated the email from Google. “When someone mentions you in a comment in a Google Workspace document, we send you an email notification with the comment and the commenter’s name. With this update, we are adding the commenter’s email address to the email notification,” it notes on its Workspace updates blog. Google says it hopes that users “feel more confident that you’re receiving a legitimate notification rather than a spam or phishing attempt by a bad actor.”

    It’s a small change on Google’s side that should help not just Gmail users but also Microsoft’s Outlook users. Avanan found that most of the automatically generated comment emails were targeted at Outlook users. That the email comes from Google also helped it evade email filtering systems, since Google is generally trusted.

    Google says the update is available for all Workspace customers, legacy G Suite Basic and Business customers, as well as users with a personal Google account.

    Google also updated Workspace to counter information leaks. Workspace admins can now see events in Drive audit logs that happened in their own organization as well as external organizations. The Drive audit log includes content that users create in Google Docs, Sheets, and Slides. Google has updated its support page for the feature: “Some events involve domains outside your own; for example, when a user copies a file to another domain. Some of these events are reported in the Drive audit logs of both your domain and the external domain. Names of external documents are not included in audit log entries.” Now, actions including moving, copying, and changing access on Drive items that can involve external domains are reported in the Drive audit logs of both domains, it said.

  • Microsoft suspends all new sales of Microsoft products and services in Russia

    Microsoft is suspending all new sales of its products and services in Russia in response to Russia’s invasion of Ukraine. Microsoft announced its intentions in a March 4 blog post by President and Vice-Chair Brad Smith. Smith said Microsoft is “coordinating closely and working in lockstep with the governments of the United States, the European Union and the United Kingdom, and we are stopping many aspects of our business in Russia in compliance with governmental sanctions decisions.”

    Earlier this week, Microsoft announced its plans to try to help protect Ukraine from cyberattacks, protect people from state-sponsored disinformation campaigns, and support humanitarian assistance in Ukraine. Microsoft says it found a new malware package — which it calls “FoxBlade” — hours before Russia began its invasion of Ukraine on February 24.

    Smith’s blog post didn’t mention existing contracts that Microsoft has with Russian customers. Corporate Vice President of Communications Frank Shaw said that U.S.-government-imposed sanctions also apply to some existing Microsoft Russian customers. Smith’s blog post also did not mention any plans around the Microsoft Russia office, and Shaw had nothing further to add on that front.

    Microsoft “will take additional steps as this situation continues to evolve,” Smith said in his post.
