More stories


    Ukraine calls for corporate support as Oracle suspends Russian operations

    Ukraine’s government has called on Oracle and SAP to end business relationships with entities tied to Russia immediately. 

    On March 2, Ukraine’s Vice Prime Minister and Minister of Digital Transformation, Mykhailo Fedorov, tweeted copies of letters addressed to Oracle co-founder and CTO Larry Ellison, Oracle CEO Safra Catz, and SAP CEO Christian Klein. The letters make similar appeals: both request an end to business relationships in Russia in response to Russia’s invasion of Ukraine.

    In the letter to Oracle’s leadership, Fedorov wrote, “Ukraine is now on the frontline of the defense of the principles of democracy and freedom in the face of the war waged by [the] Russian Federation. The IT industry always supports values of responsibility and democracy. I believe your country shares them.” He went on to say that Ukraine “calls on your company to end any relationships and stop doing business in/with [the] Russian Federation, in particular, to stop providing support, maintenance, and software updates for Oracle products until the conflict is resolved and fair order is restored.”

    In the letter to SAP, Fedorov wrote that “modern technology in 2022 is also the way we can defend our country and citizens, and that’s why we need your support. We hope that you will not only hear, but also do everything possible to protect Ukraine, Europe, and finally, the whole world from bloody Russian aggression. […] Thus, I appeal to you to stop providing SAP services and products until Putin’s attack on our country [is] over.”

    Screenshot via Twitter

    Update 17.15 GMT: Oracle has tweeted: “On behalf of Oracle’s 150,000 employees around the world and in support of both the elected government of Ukraine and for the people of Ukraine, Oracle Corporation has already suspended all operations in the Russian Federation.” Fedorov responded, “With gratitude from all the free people of Ukraine!”

    Fedorov also published an open letter to game developers on March 2, requesting a temporary block on all Russian and Belarusian account holders, including a temporary ban on their participation in international e-sports events.

    In related news, on Tuesday Apple said product sales in Russia have been paused, exports to sales channels there have been stopped, and the apps of the Russian state-controlled RT News and Sputnik News outlets have been removed from the App Store outside Russia. In addition, Apple said it “has disabled both traffic and live incidents in Apple Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens.”

    Ukraine has also asked for Russia’s top-level domains (TLDs) to be revoked, alongside their SSL certificates.

    ZDNet has reached out to Oracle and SAP, and we will update when we hear back.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    NATO cybersecurity center finishes tests of quantum-proof network

    The NATO Cyber Security Centre (NCSC) has completed its test run of secure communication flows that could withstand attackers using quantum computing.

    Konrad Wrona, principal scientist at the NCSC, told ZDNet that it is becoming increasingly important to build protection against both current and future threats.

    “Securing NATO’s communications for the quantum era is paramount to our ability to operate effectively without fear of interception,” Wrona said. “The trial started in March 2021. The trial was completed in early 2022. Quantum computing is becoming more and more affordable, scalable and practical. The threat of ‘harvest now, decrypt later’ is one all organizations, including NATO, are preparing to respond to.”

    The NCSC, which is run by the NATO Communications and Information Agency (NCI Agency), protects NATO networks around the clock and worked with UK company Post-Quantum to conduct the test. Allied Command Transformation’s VISTA framework financed the project.

    Post-Quantum supplies organizations with algorithms intended to keep data secure even against attackers equipped with quantum computers. A VPN built on those algorithms can secure communications so that only the intended recipient can read the data, the company claims. Wrona said the NCSC does not have a follow-on contract with Post-Quantum but sees the potential of technologies like those Post-Quantum offers and will continue to evaluate them.

    Andersen Cheng, CEO of Post-Quantum, calls the product a ‘Hybrid Post-Quantum VPN’ because it combines new post-quantum algorithms with traditional ones. Cheng said that because it will take many years for the world to migrate fully to a “quantum-safe” future, it is more realistic to combine the new algorithms with better-understood traditional encryption in order to ensure interoperability. The security rationale for a hybrid is that the session key stays secret as long as at least one of the two components remains unbroken, so a flaw discovered in a young post-quantum algorithm does not by itself expose traffic. Cheng noted that this kind of software is increasingly relied upon to protect remote connections when working outside traditional office environments, and can be used to secure communications between organizations in an operational environment.

    Cheng founded Post-Quantum 12 years ago and said his team had spent a decade developing encryption capable of withstanding a quantum attack. The team has focused on building usable commercial-grade ‘quantum-safe’ products such as the Hybrid VPN that NATO tested.

    “Our encryption algorithm NTS-KEM (now known as Classic McEliece, after merging with the submission from renowned cryptographer Professor Daniel Bernstein and his team), is now the only ‘code-based’ finalist in the National Institute of Standards and Technology (NIST) process to identify a cryptographic standard to replace RSA and Elliptic Curve, for public-key cryptography (PKC). We’ve also designed a new specification for a quantum-safe VPN as part of the Internet Engineering Taskforce (IETF),” Cheng said. “We have undertaken work for a number of high-security stakeholders, such as NATO, but the challenges posed by quantum computers are universal. Everything that we do over the internet today — from buying things online to online banking to nation-state communications — is encrypted. Once a functioning quantum computer arrives, that encryption can be broken. This means that, almost instantly, bank accounts will be emptied, Bitcoin wallets will be drained, and entire power grids will be shut off.”
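The hybrid idea described above, as an added example that is not Post-Quantum’s code or part of the original article: a single session key is derived from a classical shared secret and a post-quantum shared secret, so an attacker has to break both to recover it. The combiner follows the common hybrid pattern (length-prefixed concatenation of the secrets, then HKDF bound to the handshake transcript); the shared-secret bytes, the transcript, and the info label `hybrid-vpn-session-key-v1` are constructed for the example and stand in for real ECDH/KEM outputs.

```python
"""Hybrid key combiner: one session key from a classical and a post-quantum
shared secret, secure unless BOTH inputs are broken.  Added example, not
Post-Quantum's code; secrets and transcript below are constructed bytes."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(data: bytes) -> bytes:
    """Length-prefix a field so two secrets of different lengths can never be
    re-split into a colliding concatenation."""
    return len(data).to_bytes(2, "big") + data


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive the session key.  `transcript` is the concatenation of the
    public keys and ciphertexts both sides exchanged; mixing it in ties the
    key to this one handshake.  Empty inputs are refused so neither component
    can silently drop out (a downgrade to single-algorithm security)."""
    if not ss_classical or not ss_pq:
        raise ValueError("hybrid mode requires both shared secrets")
    ikm = _lp(ss_classical) + _lp(ss_pq)
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-vpn-session-key-v1", length)   # assumed label


def rfc5869_self_check() -> bool:
    """Test case 1 from RFC 5869 confirms the HKDF building blocks."""
    ikm = b"\x0b" * 22
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                         "5db02d56ecc4c5bf34007208d5b887185865")


def demo() -> dict:
    """Constructed handshake: both peers derive the same key; an attacker who
    later breaks the classical part (learns ss_classical) but not the PQ part
    cannot reproduce it."""
    ss_classical = bytes.fromhex("11" * 32)    # stands in for an X25519 secret
    ss_pq = bytes.fromhex("22" * 32)           # stands in for a KEM shared secret
    transcript = b"pkA|ctA|pkB|ctB"            # constructed
    alice = hybrid_session_key(ss_classical, ss_pq, transcript)
    bob = hybrid_session_key(ss_classical, ss_pq, transcript)
    attacker = hybrid_session_key(ss_classical, bytes(32), transcript)
    return {"peers_agree": alice == bob, "attacker_matches": attacker == alice}


if __name__ == "__main__":
    print("HKDF self-check:", rfc5869_self_check())
    print(demo())
```

The two points worth keeping from this shape are the length prefix (plain concatenation of variable-length secrets is ambiguous) and the transcript binding, which is what stops a key derived in one handshake from being replayed in another.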


    First Windows 11 on Arm laptops arrive with Microsoft's Pluton chip. Here's why it matters

    The first Arm-based laptops with Microsoft’s Pluton security co-processor have arrived in the form of Lenovo’s new ThinkPad X13s, which features Qualcomm’s latest Snapdragon 8cx Gen 3 chipset.     Microsoft started talking about its Pluton dedicated security chip in November 2020 and predicted it would take a few years to arrive in PCs. In January 2022, the company announced Pluton would come with Lenovo’s AMD Ryzen-6000 ThinkPad Z series laptops; now Pluton is coming to Lenovo’s newest laptop with an Arm-based mobile chipset from Qualcomm. 

    Lenovo’s AMD laptops with Pluton will ship in May, while the ThinkPad X13s with the Pluton processor was just announced at Mobile World Congress (MWC) and will be available in April from $1,099 in the US through AT&T and Verizon, according to ZDNet’s sister site CNET. Both laptops are aimed at the business market.

    Pluton matters to Microsoft because it sits at the centre of Windows 11’s security capabilities, providing protection for the boot, identity, credential-protection and encryption processes. Pluton is a security processor architecture designed to store sensitive data such as encryption keys in hardware integrated into the die of the device’s processor. That makes access harder for attackers, even ones with physical possession of the device. Because Pluton sits on the die of the System on a Chip (SoC), attack surfaces such as the bus interfaces that carry data between the SoC and other components on the motherboard are not exposed.

    Microsoft named Intel as its first partner for the Pluton security processor, but it was also working with AMD and Qualcomm. The Pluton design was first used as a DRM feature in the Xbox One console, which has been based on AMD chips since 2013.

    Microsoft’s director of enterprise and OS security, Dave Weston, details some of the hardware and security work that went into the collaboration in a blog post. “Pluton will leverage advanced hardware capabilities while built-in security countermeasures from PAC [Pointer Authentication Codes] protect against common exploit patterns to help customers strengthen their device security posture,” Weston said.

    The other advantage of Pluton-powered PCs is that users get firmware updates that Microsoft has verified, on a predictable timeline, just like Patch Tuesday on the second Tuesday of each month. “You’re getting better protection against physical attacks, you’re getting Microsoft verification of firmware to stop some of the new firmware attacks, and we’re going to update this thing every month just like it’s Patch Tuesday,” Weston previously told ZDNet. Pluton’s own firmware is delivered through Windows Update, so Pluton-capable laptops won’t necessarily spell the end of firmware updates from multiple hardware manufacturers, but at least this particular component’s updates depend on no one but Microsoft.

    The pointer authentication (PAC) support in the Snapdragon 8cx Gen 3 is a separate, CPU-level mitigation rather than a Pluton feature: it protects return addresses on the stack, not the boot process or bus interfaces. Weston argues it mitigates return-oriented programming (ROP) attacks, which are dangerous and common enough that Intel has developed its own hardware-based countermeasures for x86. “With Windows 11 on the Snapdragon 8cx Gen 3, the ARM pointer authentication hardware capability provides similar robust mitigation against exploits that leverage return-oriented programming (ROP) or stack modification techniques on ARM-based Windows systems,” Weston said in the blog post. “Windows binaries are compiled with Pointer Authentication Code instructions, injecting a hash (the PAC) for return addresses at function prologue and verifying the hash immediately before function return to verify that the return address has not been tampered. Windows 11 utilizes the Snapdragon 8cx Gen 3 hardware schemes to generate and verify the PAC to provide resilience against attacks that overwrite the intended return address. This helps to break a common technique attackers use to try to execute malicious code,” he said.

    The new ThinkPad X13s, which features Qualcomm’s latest chipset.
    Image: Lenovo
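The sign-at-prologue, verify-before-return scheme Weston describes, as an added software model that is not Microsoft’s, Qualcomm’s or Arm’s code: the keyed hash over (return address, stack pointer) is folded into the unused top bits of the pointer, and a return slot that an overflow overwrote, or a signed pointer replayed from a different frame, fails authentication. Assumptions: a 48-bit virtual address space (so bits 63..48 hold the PAC), HMAC-SHA256 standing in for the QARMA cipher real cores use, a fixed byte string standing in for the APIAKey register, and made-up addresses.

```python
"""Software model of Arm pointer authentication (PAC) on return addresses.
Added illustration, not vendor code: HMAC-SHA256 replaces QARMA, a 48-bit
VA space is assumed, and the key stands in for the APIAKey register."""
import hashlib
import hmac

VA_BITS = 48
LOW_MASK = (1 << VA_BITS) - 1               # canonical address bits
PAC_MASK = ((1 << 64) - 1) & ~LOW_MASK      # bits 63..48 carry the PAC
POISON_BIT = 1 << 62                        # set when authentication fails


def _pac(key: bytes, ptr: int, modifier: int) -> int:
    """Keyed MAC over (pointer, modifier), truncated to the PAC bits."""
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & PAC_MASK


def pac_sign(key: bytes, ptr: int, modifier: int) -> int:
    """PACIASP: sign a return address using the stack pointer as modifier."""
    canonical = ptr & LOW_MASK
    return canonical | _pac(key, canonical, modifier)


def pac_auth(key: bytes, signed_ptr: int, modifier: int):
    """AUTIASP: verify and strip the PAC.  Hardware hands back a non-canonical
    pointer on mismatch so the following RET faults; here a poison bit is set
    and ok=False is returned alongside it."""
    canonical = signed_ptr & LOW_MASK
    ok = (signed_ptr & PAC_MASK) == _pac(key, canonical, modifier)
    return (canonical if ok else canonical | POISON_BIT), ok


def rop_demo(key: bytes = b"\x01" * 32) -> dict:
    """One call frame under three conditions (all addresses are made up)."""
    sp = 0x0000FFFFD5E0A100        # stack pointer of the victim frame
    lr = 0x0000AAAABBBB1234         # genuine return address
    gadget = 0x0000AAAABBBB9ABC     # attacker's ROP gadget, never signed for this frame
    other_sp = 0x0000FFFFD5E0A200   # stack pointer of some other frame

    stack_slot = pac_sign(key, lr, sp)           # prologue spills the signed LR
    ptr, ok = pac_auth(key, stack_slot, sp)      # untouched epilogue
    legit_ok = ok and ptr == lr

    _, ok = pac_auth(key, gadget, sp)            # overflow wrote a raw gadget address
    overwrite_rejected = not ok

    harvested = pac_sign(key, gadget, other_sp)  # same target, signed in another frame
    _, ok = pac_auth(key, harvested, sp)         # replayed here: modifier differs
    replay_rejected = not ok

    return {"legit_ok": legit_ok,
            "overwrite_rejected": overwrite_rejected,
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(rop_demo())
```

With 16 PAC bits an attacker guessing blindly succeeds about once in 65,536 tries, and on real hardware every miss is a crash, which is why the mitigation is effective against ROP even though the tag is short; the modifier is what stops a signed pointer harvested from one frame being reused in another.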


    DDoS attackers have found this new trick to knock over websites

    Distributed denial of service (DDoS) attackers are using a new technique to knock websites offline: targeting vulnerable ‘middleboxes’, such as firewalls, to amplify junk-traffic attacks. Amplification attacks are nothing new and have helped attackers knock over servers with short bursts of traffic as high as 3.47 Tbps. Microsoft last year mitigated attacks on that scale that were the result of competition between online-gaming players.

    But there’s a new attack on the horizon. Akamai, a content distribution network firm, says it has seen a recent wave of attacks using “TCP Middlebox Reflection”, referring to the transmission control protocol (TCP), the core connection-oriented transport protocol between networked machines on the internet. The attacks reached 11 Gbps at 1.5 million packets per second (Mpps), according to Akamai.

    The amplification technique was revealed in a research paper last August, which showed that attackers could abuse middleboxes such as firewalls via TCP to magnify denial-of-service attacks. The paper was from researchers at the University of Maryland and the University of Colorado Boulder.

    Most DDoS amplification attacks abuse the User Datagram Protocol (UDP): the attacker sends small packets, with the victim’s address forged as the source, to a server that replies with a larger packet, and the reply lands on the victim. Reflection over TCP was long thought impractical because a spoofed source cannot complete the three-way handshake, so a compliant host sends back only a small SYN-ACK or RST. The TCP attack instead takes advantage of network middleboxes that don’t comply with the TCP standard. The researchers found hundreds of thousands of IP addresses, belonging to firewalls and content-filtering devices, that could amplify attacks by over 100 times. So what was a theoretical attack when the paper appeared last August is now a real and active threat.

    “Middlebox DDoS amplification is an entirely new type of TCP reflection/amplification attack that is a risk to the internet. This is the first time we’ve observed this technique in the wild,” Akamai says in a blog post.

    Firewalls and similar middlebox devices from the likes of Cisco, Fortinet, SonicWall and Palo Alto Networks are key pieces of corporate network infrastructure. Some middleboxes, however, don’t properly validate TCP stream state when enforcing content-filtering policies. “These boxes can be made to respond to out-of-state TCP packets. These responses often include content in their responses meant to “hijack” client browsers in an attempt to prevent users from getting to the blocked content. This broken TCP implementation can in turn be abused to reflect TCP traffic, including data streams, to DDoS victims by attackers,” Akamai notes.

    Attackers abuse these boxes by spoofing the source IP address of the intended victim, so the middlebox’s response traffic goes to the victim. In TCP, a connection is opened with a three-way handshake that begins with a packet carrying the synchronize (SYN) control flag. The attackers abuse the TCP implementation in some middleboxes that causes them to respond to a SYN packet as if it belonged to an established stream: the payload carried in the SYN is what the middlebox inspects, and a request for filtered content triggers its block page. In some cases, Akamai observed a single SYN packet with a 33-byte payload producing a 2,156-byte response, an amplification of roughly 65 times (6,533%).
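A detector for the pattern just described, as an added example that is not Akamai’s or the researchers’ code: the trigger is a SYN that already carries data (a compliant client sends an empty SYN), and the reflected reply is data arriving on a four-tuple for which no handshake was seen. The packet lines are constructed in tcpdump’s summary format; the sensor is assumed to sit where it sees both the spoofed SYNs and the middlebox replies, for example a tap in front of the filtering device.

```python
"""TCP middlebox reflection detector over tcpdump-style summary lines.
Added example, not Akamai's code; the packet lines are constructed."""
import re
from collections import defaultdict

# Fixed part of tcpdump's TCP summary line (IPv4, numeric ports).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# Constructed: 203.0.113.7 is the spoofed victim, 198.51.100.10 the middlebox,
# 192.0.2.55 a normal client.  The last line is a reply whose trigger the
# sensor missed.
SAMPLE_LINES = [
    "IP 203.0.113.7.41000 > 198.51.100.10.80: Flags [S], seq 0, win 65535, length 33",
    "IP 198.51.100.10.80 > 203.0.113.7.41000: Flags [P.], seq 1:2157, ack 34, win 0, length 2156",
    "IP 192.0.2.55.51234 > 198.51.100.10.80: Flags [S], seq 0, win 65535, length 0",
    "IP 198.51.100.10.80 > 192.0.2.55.51234: Flags [S.], seq 0, ack 1, win 65535, length 0",
    "IP 192.0.2.55.51234 > 198.51.100.10.80: Flags [.], seq 1, ack 1, win 65535, length 0",
    "IP 192.0.2.55.51234 > 198.51.100.10.80: Flags [P.], seq 1:90, ack 1, win 65535, length 89",
    "IP 198.51.100.10.80 > 203.0.113.9.41001: Flags [P.], seq 1:2157, ack 34, win 0, length 2156",
]


def parse_line(line):
    """Return a packet dict, or None for lines that are not TCP summaries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"], "length": int(d["length"])}


def is_syn_with_payload(pkt):
    """Attack trigger: SYN without ACK that already carries data.
    tcpdump flag letters: S=SYN, '.'=ACK, P=PSH, R=RST, F=FIN."""
    f = pkt["flags"]
    return "S" in f and "." not in f and pkt["length"] > 0


def analyze(lines):
    pkts = [p for p in map(parse_line, lines) if p]
    triggers = [p for p in pkts if is_syn_with_payload(p)]
    trigger_tuples = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in triggers}
    # Client-side 4-tuples for which a SYN-ACK was seen, i.e. a handshake that
    # at least started.  Data on any other tuple is out-of-state.
    synack_seen = {(p["dst"], p["dport"], p["src"], p["sport"])
                   for p in pkts if p["flags"] == "S."}

    reflected, out_of_state = [], []
    for p in pkts:
        if p["length"] == 0 or is_syn_with_payload(p):
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in trigger_tuples:
            reflected.append(p)          # reply provoked by a SYN-with-payload
        elif fwd not in synack_seen and rev not in synack_seen:
            out_of_state.append(p)       # data with no handshake in sight

    sent, recv = defaultdict(int), defaultdict(int)
    for p in triggers:
        sent[p["src"]] += p["length"]    # bytes the attacker spent, per spoofed victim
    for p in reflected:
        recv[p["dst"]] += p["length"]    # bytes the victim received
    amplification = {v: recv[v] / sent[v] for v in sent}
    return {"triggers": triggers, "reflected": reflected,
            "out_of_state": out_of_state, "amplification": amplification}


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    for victim, ratio in report["amplification"].items():
        print(f"{victim}: {len(report['reflected'])} reflected reply(s), x{ratio:.1f}")
    print(f"{len(report['out_of_state'])} out-of-state data segment(s)")
```

The trigger rule is the one to deploy on a middlebox owner’s network, since it fires before any reflection happens; the out-of-state rule also works from the victim’s side, where only the replies are visible. A middlebox that answers with a SYN-ACK plus data would be caught by the trigger rule alone.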


    TeaBot Android Banking Trojan continues its global conquest with new upgrades

    The TeaBot Remote Access Trojan (RAT) has been upgraded, leading to a huge increase in both targets and spread worldwide. 

    On March 1, the Cleafy research team said TeaBot now targets over 400 applications, having pivoted from an earlier focus on “smishing” to more advanced tactics. Smishing attacks compromise mobile handsets via spam text messages containing malicious links; the links, purporting to come from a bank, social network or delivery company, typically lead to fraudulent websites that request personal data and account credentials.

    When TeaBot emerged at the beginning of 2021, the malware, also known as Toddler/Anatsa, was distributed via smishing and had a list of only 60 lures, including TeaTV, VLC Media Player, DHL, and UPS. Further research by PRODAFT in July 2021 found that while TeaBot had been configured to strike “dozens” of European banks, successful attacks were traced to 18 financial organizations. At the time, 90% of TeaBot infections were connected to only five of these companies, leading the researchers to suspect a successful SMS-based phishing campaign was responsible.

    TeaBot has since expanded beyond Europe to countries including Russia, the US, and Hong Kong, and its target list now covers banks, cryptocurrency exchanges and digital insurance providers as well as generic online services.

    Cleafy

    Risk management firm Cleafy says the malware has also managed to infiltrate the official Android app store through dropper apps. In samples obtained in February, an app published to Google Play, “QR Code & Barcode Scanner”, was found to serve TeaBot to users through a fake update. This is a common tactic among malware developers: publish a legitimate application to an official app repository, pass the existing security checks, and once a large user base has been established (in this case over 10,000 people) push an update that turns the software malicious. In TeaBot’s case, the fake update/dropper requests permission to download a second application, “QR Code Scanner: Add-On”, which contains the RAT.

    Cleafy

    This app is downloaded from one of two GitHub repositories owned by the same developer. Once installed, TeaBot first abuses the Android Accessibility services, requesting permissions that allow the malware to perform activities including keylogging and remote device hijacking. TeaBot will also grab screenshots and monitor the handset’s screen to steal credentials, including account information and two-factor authentication (2FA) codes.

    “Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common AV solutions,” Cleafy warns.

    ZDNet has reached out to Google and we will update when we hear back.


    Google donating $15 million to Ukraine relief efforts, blocking RT YouTube channels in Europe

    Google president of global affairs Kent Walker said the company is taking a variety of actions to help those fleeing the conflict in Ukraine. The tech giant said Google.org and Google employees are contributing $15 million in donations to aid relief efforts in Ukraine, with $5 million coming from the company’s employee matching campaign and another $5 million coming from grants. The company is also offering advertising credits for humanitarian and intergovernmental organizations working on aid and resettlement efforts. 

    “We’ve launched an SOS alert on Search across Ukraine. When people search for refugee and evacuation information, they will see an alert pointing them to United Nations resources for refugees and asylum seekers. We’re working with expert organizations to source helpful humanitarian information as the situation unfolds,” Walker said. “And after consulting with multiple sources on the ground, including local authorities, we’ve temporarily disabled some live Google Maps features in Ukraine, including the traffic layer and information about how busy places are, to help protect the safety of local communities and their citizens. We’ve also added information on refugee and migrant centers in neighboring countries.”

    Walker also noted that Google’s security teams are working around the clock, tracking Russia-backed hacking and influence operations. He said they have issued hundreds of warnings over the last year to people in Ukraine using products like Gmail about security issues. Google’s Threat Analysis Group (TAG) has also seen threat actors “refocus” their efforts on people and organizations in Ukraine. Walker said they have seen the actors behind the Ghostwriter threat group going after Ukrainian government and military officials.

    “We blocked these attempts and have not seen any compromise of Google accounts as a result of this campaign. We also automatically increased Google account security protections (including more frequent authentication challenges) for people in the region and will continue to do so as cyber threats evolve,” Walker said. “Our Advanced Protection Program — which delivers Google’s highest level of security — is currently protecting the accounts of hundreds of high-risk users in Ukraine. And ‘Project Shield,’ a service providing free unlimited protection against Distributed Denial of Service attacks, is already protecting over 100 Ukrainian websites, including local news services.”

    Shane Huntley (@ShaneHuntley) of TAG tweeted on February 28, 2022: “Great report by Meta. Some thoughts by TAG: TAG has been closely monitoring the Belarusian threat actor, Ghostwriter, for well over a year & continues to take action against them including in the last few days as they attempt phishing against 🇺🇦 gov. (1/3)” https://t.co/bkUBghrM0j

    Google is also joining Facebook and Apple in addressing Russian state-backed news outlets such as Russia Today and Sputnik. Walker said YouTube channels connected to Russia Today and Sputnik were blocked across Europe starting on Tuesday. He noted that the company had already paused monetization of Russian state-funded media across its platforms. Google is also limiting recommendations globally for Russian state-funded media outlets and has removed “hundreds of channels and thousands of videos for violating its Community Guidelines.”

    Walker added that the company remains concerned about the safety of its Ukrainian team and their families. He said Google has worked since January to “provide help, including physical security support, paid leave, assistance options and reimbursement for housing, travel and food for anyone forced to leave their homes.”

    Google will also comply with any sanction requirements, according to Walker, who noted that tools like Google Pay may become unavailable in certain countries as more individuals, regions and institutions such as banks are sanctioned. Most Google products will remain available in Russia, Walker said, including Search, Maps and YouTube.

    The actions came the same day that Meta and Apple announced similar steps in relation to their business in Russia. Meta plans to demote content from Russian state-backed media outlets on Facebook and Instagram as part of a wider set of measures. Apple has paused all product sales in Russia, stopped all exports to the country and limited Apple Pay there. The Russia Today and Sputnik News apps are no longer available for download from the App Store outside Russia, and Apple has disabled both traffic and live incidents in Apple Maps in Ukraine.

    Twitter is instituting similar measures, including pausing advertisements in Ukraine and Russia “to ensure critical public safety information is elevated and ads don’t detract from it.” Twitch and OnlyFans have reportedly blocked all users in Russia from accessing their accounts, preventing them from withdrawing money earned on the respective platforms amid the tougher sanctions being introduced against Russia.


    Tampering with ACT overseas e-voting system did not need key, researcher finds

    Image: Getty Images
    The overseas e-voting system (OSEV) used in the Australian Capital Territory contained various flaws as recently as last year, according to an Australian National University (ANU) cryptographer. Thomas Haines found, while reviewing the system, that several key components could be compromised, which he said opened up the potential for single points of failure for both privacy and integrity. “Avoiding a single point of failure is a very desirable property for an e-voting system — some might say a necessary one — but the current system falls short of achieving this on a few points,” Haines said. “The code and documents were to varying degrees rough, out-of-date, and redacted which made assessing the system hard.”

    Among the flaws uncovered was that the e-voting system’s desktop application did not check the consistency of the vote storage component’s output against the other components. The ACT Electoral Commission (Elections ACT), which runs the system, had considered this a non-issue because votes cast through the desktop application are encrypted and the encryption key is not publicly available. Haines explained, however, that an individual who controlled the system’s vote storage component did not need the key to modify votes: with a malleable encryption scheme, XORing chosen bits into the stored ciphertext changes the corresponding bits of the vote once it is decrypted, and without an integrity check downstream nothing detects the change. In response to this particular flaw, the commission said it has “acknowledged the issue” and would work to address it in future deployments of the system.

    The review also found that the system’s web application, which mediates users’ interactions with the other components during both registration and voting, could drop or modify votes without detection. “The OSEV Desktop application should validate the received ballots to the greatest extent possible. Specifically, it should check that the data provided by OSEV Vote storage is consistent with OSEV Web app, Verify and Check,” the review said.

    It added that the website used to register and vote does not itself encrypt the vote; it relies on TLS to protect the vote in transit to the e-voting system app, where it is then encrypted. Haines was concerned that the procedural mechanisms used by the commission, for example to protect against denial-of-service attacks, may allow a third party to read votes while they are in transit.

    For all of the flaws found by the review, the commission claimed they would have been “mitigated by procedural mechanisms” that are outside the review’s scope. While Haines acknowledged the commission’s claims, he said the commission should seek support from members of the public with relevant expertise to ensure it is aware of, and can address, issues with the system. “Given that the commission may lack the capability to adequately do this in-house we encourage them to seek external advice,” he said. “We encourage the commission to make sufficient information and parts of the system available to public scrutiny, to allow interested members of the public to check that the high-level security properties are achieved.”

    This is not the first time security researchers have expressed concerns about the integrity of Australia’s voting systems: Dr Andrew Conway, Dr Thomas Haines, ANU acting professor Vanessa Teague, and T Wilson-Brown previously found three errors in the territory’s electronic voting and counting system that could potentially have changed the result of an election. More recently, Teague warned of flaws in New South Wales’ iVote system after an unknown number of voters were unable to cast a vote at the end of last year, when the iVote online voting system failed for a portion of the voting period.

    “Every serious investigation of iVote found serious problems,” Teague tweeted. Since the failure, New South Wales has benched iVote while it works to rectify the system’s issues before next year’s state general election.
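The keyless tampering Haines describes, and the consistency check that would catch it, as an added example that is not OSEV code: a vote record encrypted by XOR with a keystream can be rewritten by anyone holding the ciphertext, because XORing `old ^ new` into the stored bytes flips exactly the plaintext bytes it covers. The second half shows encrypt-then-MAC, where the receiving component verifies a tag before accepting the record. Assumptions: the fixed-width record layout (`CAND=03;PREF=1`), a SHA-256 counter-mode keystream standing in for whatever stream or CTR-mode cipher is in use, a 12-byte nonce, and the constructed keys.

```python
"""Vote tampering by XOR without the key, and the integrity check that stops
it.  Added example, not OSEV code: record layout, keystream construction,
nonce size and keys are all assumptions."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Malleable encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt   # XOR is its own inverse


def tamper_without_key(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What a party controlling the vote store can do: knowing the layout and
    the value expected at `offset`, XOR in old^new so the field decrypts to
    `new`.  The key never enters into it."""
    buf = bytearray(ciphertext)
    for i, d in enumerate(xor_bytes(old, new)):
        buf[offset + i] ^= d
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag covers nonce and ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """The consuming component's check: verify the tag (constant time) before
    decrypting; any modified byte is rejected.  The MAC key must be held by a
    component other than the vote store, or the check proves nothing."""
    nonce, ct, tag = sealed[:12], sealed[12:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vote record failed integrity check")
    return decrypt(enc_key, nonce, ct)


def demo() -> dict:
    key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, b"\x03" * 12   # constructed
    vote = b"CAND=03;PREF=1"                                          # assumed layout
    # Unauthenticated store: rewrite the ciphertext, it decrypts to another candidate.
    flipped = decrypt(key, nonce,
                      tamper_without_key(encrypt(key, nonce, vote), 5, b"03", b"07"))
    # Authenticated store: the same rewrite is caught before the vote is counted.
    sealed = seal(key, mac_key, nonce, vote)
    forged = sealed[:12] + tamper_without_key(sealed[12:-32], 5, b"03", b"07") + sealed[-32:]
    try:
        open_sealed(key, mac_key, forged)
        detected = False
    except ValueError:
        detected = True
    return {"unauthenticated_result": flipped, "authenticated_tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

The attacker does not even need to know the old value when the encoding is known: flipping one bit of a digit is enough to move a preference, which is why a fixed-width plaintext layout makes this attack so cheap and why the tag, not the secrecy of the encryption key, is what protects integrity.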


    Bridgestone still struggling with plant closures across North America after cyberattack

    Bridgestone-Firestone tire factories across North America and Latin America are still struggling to recover from a cyberattack, after workers were sent home for multiple days. The company did not respond to repeated requests for comment.

    But USW 1155L, a union representing workers at the Warren plant, took to Facebook to notify employees that the company was still dealing with the cyberattack and did not need people to come in. “Warren hourly teammates who are scheduled to work day shift, March 1st, will not be required to report to work (no hit, no pay, or you have the option to take vacation),” the union wrote on Monday.

    The outages were first announced on Sunday, when the union explained on Facebook that Bridgestone Americas was “investigating a potential information security incident.” The notice appeared to come directly from the company rather than from the union itself.

    “Since learning of the potential incident in the early morning hours of February 27, we have launched a comprehensive investigation to quickly gather facts while working to ensure the security of our IT systems. Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact, including those at Warren TBR Plant. First shift operations were shut down, so those employees were sent home,” the company explained. “Until we learn more from this investigation, we cannot determine with certainty the scope or nature of any potential incident, but we will continue to work diligently to address any potential issues that may affect our operations, our data, our teammates, and our customers.”

    On Tuesday evening, the company reiterated that hourly workers scheduled for Wednesday would not be required to report to work. Bridgestone Americas operates dozens of facilities across North America, Central America and the Caribbean, with a workforce of over 50,000. Local news outlets across the US reported outages affecting factories in Iowa, Illinois, North Carolina, South Carolina and Tennessee, and in Canada.