Information Technology

Activists in Myanmar have released troves of data linking the country’s military dictatorship to a company that will be purchasing a majority stake in Telenor Myanmar — a subsidiary of Norwegian telecom giant Telenor that controls the personal data of 18 million Myanmar subscribers. Telenor, which is owned and controlled by the Norwegian government, has faced significant backlash for weeks after it announced a decision to sell its telecom business in Myanmar to a notorious Lebanese company called M1 Group for $105 million. News outlets in Myanmar have reported that M1 is already telling regulators in the country that it plans to sell 80% of Telenor Myanmar to Shwe Byain Phyu, a company with deep, longstanding ties to the country’s brutal military, according to local activist group Justice for Myanmar. Telenor has defended the sale by repeatedly saying it is selling the business to M1 and not a military-owned company.Myanmar’s military took control of the country in a violent coup that began last year, arresting the country’s elected leader — Aung San Suu Kyi — and disbanding her government. Since February, the military has arrested and killed thousands, sparking a revolt that has now spread throughout the country. Activists have expressed fears that once Telenor Myanmar is fully controlled by a government-backed company, the military will not only have access to troves of past data on almost all of the country’s citizens but will also be able to install surveillance tools giving them even more access to phone calls, texts, and other personal data. Telenor has already admitted that they initially rebuffed military efforts to install surveillance equipment on their systems, according to Myanmar Now. The company also said it has already complied with at least 200 requests from the military to hand over customer information in the last year.

Justice for Myanmar, a local group dedicated to exposing the business ties of the country’s brutal military dictatorship, accused Telenor of participating in a cover-up due to their refusal to acknowledge M1’s public plan to sell most of the business to Shwe Byain Phyu.Justice For Myanmar released information showing Shwe Byain Phyu has a long history of working with the Myanmar military and its conglomerates. Shwe Byain Phyu is a group of companies founded and owned by Thein Win Zaw, his wife and two children.The group provided concrete evidence showing Shwe Byain Phyu’s ties to military-controlled companies in the petroleum, telecommunications, mining, and forestry industries. “Shwe Byain Phyu is a conglomerate with deep and longstanding ties to the Myanmar military, including with the previous military junta, military conglomerates and sanctioned entities and individuals. The Norwegian government has been turning a blind eye as Telenor Group, a company they control, proceeds to transfer Telenor Myanmar to Shwe Byain Phyu, together with the historical metadata of more than 18 million people,” Justice For Myanmar spokesperson Yadanar Maung said. “This could amount to complicity in crimes against humanity, by handing the military a potent weapon they can use to track down, arrest, torture and murder civil society activists and journalists. The grave risks that the sale of Telenor Myanmar poses to the lives of Myanmar people are glaringly clear. Telenor must stop fabricating a narrative about how their current course of action is based on human rights considerations and immediately suspend the sale.”Telenor’s responseThe Norwegian government did not respond to requests for comment, but a Telenor spokesperson told ZDNet that the company is in a difficult position when it comes to Telenor Myanmar. Cathrine Stang Lund, director of communications for Telenor Group Asia, said the situation in Myanmar has “developed in a direction where we are currently in a conflict between local laws on the one hand and our values, international law and human rights principles on the other.” “This makes it impossible for Telenor to remain in Myanmar. In a severe and volatile security situation, there are no simple solutions. We have to balance several difficult considerations and have come to the conclusion that a sale is the least detrimental solution for our employees, customers and the community,” Lund claimed. “In the sales process, assessments of human rights, privacy and the safety of our employees have been key considerations.”When pressed about reports that M1 planned to sell most of its stake to a company heavily tied to the military dictatorship, head of Telenor Group Communications Gry Rohde Nordhus said the sales agreement between Telenor and M1 “does not prevent M1 from transferring a majority of the shares after the transaction is concluded.”Nordhus explained that Telenor Myanmar is required by local law to store customer data for several years and that the local business would continue to do so once it changes ownership to M1. “We understand that this creates reactions, but the company is obliged by law to do so. To violate or not comply with the laws that apply in Myanmar would result in completely unacceptable consequences for our employees that neither Telenor Myanmar nor we as owners are willing to live with,” Nordhus said. “After the military take-over in February 2021, the circumstances in Myanmar has dramatically changed. The country is currently controlled by a military council, and large parts of the country is under martial law. Breaking or not complying with local laws and directives in this situation can have serious and unacceptable consequences for our employees. This is the reality our employees are facing, and these are the conditions Telenor Myanmar is operating under.”ZDNet asked Nordhus what Telenor will tell the millions of people in Myanmar affected by the company’s decision to sell their data to a military accused of numerous human rights violations. Nordhus acknowledged that the people of Myanmar “are enduring an extremely difficult situation” but said the company had no choice but to simply abandon the business and the data it has spent years collecting. “Telenor cannot operate in a regime that entails violations of international law, human rights principles and our values,” Nordhus said. “We have turned every stone and considered every option, and our assessment is still that a sale is the least detrimental solution for employees, customers, and the broader society.” More

You can now verify your identity with more than just your username and password with this user-centric authentication mechanism. Your online accounts tend to be linked to your username and password, with an added layer of SMS verification to provide two-factor authentication. However, these types of accounts can be compromised by phishing or social engineering to gain access to your accounts.To solve this issue, New York-based ID authentication company Nametag has launched “Sign in with ID” to access online accounts using its multifactor authentication technology combined with biometric identity verification.
Nametag
There are four steps to signing in with ID: scan a QR code on a website, which invokes the Nametag sign in screen; scan your ID (when you first use Nametag, you must upload your official ID); take a selfie; and tap to confirm and share what information is necessary for the transaction. You do not have to download an app; Nametag pops up whenever ID is requested.If you use iOS, the Nametag app will match the uploaded government-issued ID to the selfie. This means you only need to confirm your identity once — or every time you sign in. The company says that this mechanism is a more secure way for companies to authenticate users online by verifying people. To keep Nametag secure, Nametag uses advanced encryption in transit and at rest to protect data on its platform.

The company says it has also completed steps necessary for AICPA SOC2 Type 1 certification and is currently undergoing a SOC2 Type 1 examination with an independent auditor, with a planned completion date of March 2022.

Nametag is primarily funded by two large, US-based institutional inventors: Glasswing Ventures & Village Global. The Nametag product is priced per use for one-time scenarios, such as employee account recovery or transaction authorization for bank transfers. It is also priced and per user for continuous account access to a website or app.The product uses the face matching technology of hyperscale cloud providers, benefiting from their investments in recognition accuracy. Cosmetic appearance changes, such as gaining/losing weight, do not impact matching.Nametag has also built the product to accommodate gender, name, address, and other factors — confident that it maintains security and matching. A user is never locked out even if they lose their phone, access to their email, or get a new driver’s license. Its multi-layer approach to logging in is similar to Starling Bank, which uses government ID, face, and fingerprint recognition, along with a video clip to authenticate users logging in to the banking app on their deviceAaron Painter, CEO of Nametag, said, “Sign in with ID is the evolution of a more secure internet and password-less future. The key step in fulfilling this vision is knowing the real identity of someone online — this is the missing link needed to keep accounts protected and reduce fraud.”Currently, Nametag is US-centric. It accepts government-issued forms of identification across all 50 US states, but it anticipates adding additional international document types later in Q1. With the rise of successful phishing attacks plaguing companies, authentication methods need to evolve to keep one step ahead of the bad actors. Incorporating more safeguards can only be a good thing. More

Mergers and acquisitions in cybersecurity grew to $77.5 billion in 2021, according to research from cybersecurity consultancy Momentum. In a report on 2021, the firm said 83 cybersecurity company capital raises surpassed $100 million. There were fourteen $1 billion mergers and acquisitions, including deals involving McAfee, Augh0, Mimecast, Thycotic, Proofpoint, and Avast. 

ZDNet Recommends

Proofpoint was acquired in August 2021 for $12.3 billion in cash, while NortonLifeLock merged with Avast PLC in a $8.4 billion deal. Okta acquired Auth0 for $6.4 billion, and Symphony Technology Group bought McAfee’s enterprise security business for $4 billion. There were more than 1,000 financing deals involving cybersecurity companies and 286 mergers and acquisitions. There were five cybersecurity IPOs in 2021 — KnowBe4, DarkTrace, SentinelOne, Riskified, and Forgerock — with an average IPO raising $467 million.The numbers far surpassed 2020, which saw 728 deals with cybersecurity companies and $19.7 billion in mergers and acquisitions activity. 
Momentum
The top categories for financing, mergers, and acquisitions include security consulting/MSSP, risk and compliance, cloud security, data security, and threat intel/incident response. The top categories for VC financing ranged from risk and compliance to data security, network security, and infrastructure security. Dave DeWalt, founder of late-stage cybersecurity VC firm NightDragon and a contributor to the report, told ZDNet that the industry is in the midst of a perfect storm of factors that are causing the greatest level of cybersecurity risk that we have ever seen. 

“This includes factors like geopolitical tensions and crises, increasing digitization of technology, work from home, spread of IoT devices, cloud and more. The cybersecurity industry must innovate to match these new trends, and we are seeing a significant increase in funding to fuel that growth,” DeWalt said.”We are entering a new era of cyber ubiquity, where cybersecurity needs to be a piece of every technology and service available, from the cars we drive, to our corporate networks to our mobile devices. I expect we will see cybersecurity investment continue to increase for at least the next decade as we evolve into this new era.”
Momentum
Bob Ackerman, founder of VC firm AllegisCyber Capital, added that the venture ecosystem “has a herd mentality” and will tend to over-capitalize sectors they believe have tremendous promise.  Investment capital is flooding into the cybersecurity ecosystem, driven largely by explosive demand for cyber defense, according to Ackerman. 

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

“The level of investment is a pure reflection of both the need and the opportunity. In cyber, the stakes are incredibly high; the consequences of getting it wrong — unacceptable; the landscape complex; and the pace of change hard to fathom. You cannot over-invest in cutting edge innovation in this environment. That said, you can over-invest in commodity capabilities and under-invest in essential next generation innovation,” he explained. “The digitization of the Global Economy has fueled explosive growth in the cyber attack surface. Seeking to exploit this environment, the entire spectrum of bad human behavior at every level is also digitizing. The consequence is that every aspect of our lives — business, education, healthcare, critical infrastructure, government, travel, finance, etc. is at extreme risk. Cyber is truly one of the existential risks of the 21st century. The stakes could not be higher, and that drives the demand for effective cyber defenses, which in turn fuels investment in cyber innovation.”The report comes amid news that Microsoft was considering acquiring Mandiant and that Cisco was mulling a $20 billion deal for Splunk. 

Tech Earnings More

Adobe has released an emergency patch to tackle a critical bug that is being exploited in the wild. 

On February 13, the tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source, and according to the firm’s threat data, the security flaw is being weaponized “in very limited attacks targeting Adobe Commerce merchants.” Tracked as CVE-2022-24086, the vulnerability has been issued a CVSS severity score of 9.8 out of 10, the maximum severity rating possible.  The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a “product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.” CVE-2022-24086 does not require any administrator privileges to trigger. Adobe says the critical, pre-auth bug can be exploited in order to execute arbitrary code.  As the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, which gives customers time to accept fixes and mitigates further risks of exploit.  The bug impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. 

Adobe’s patches can be downloaded and manually applied here.  Earlier this month, Adobe issued security updates for products including Premiere Rush, Illustrator, and Creative Cloud. The patch round tackled vulnerabilities leading to arbitrary code execution, denial-of-service (DoS), and privilege escalation, among other issues.  Last week, Apple released a fix in iOS 15.3.1 to squash a vulnerability in Apple’s Safari browser that could be exploited for arbitrary code execution. In February’s Patch Tuesday, Microsoft resolved 48 vulnerabilities including one publicly-known zero-day security flaw. 
Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Getty Images
At the end of last year, Australia’s Security Legislation Amendment (Critical Infrastructure) Act 2021 became law to give government “last resort” powers to direct an entity when responding to cyber attacks, which included introducing a cyber-incident reporting regime for critical infrastructure assets. Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors. Provisions seeking to enshrine those obligations were eventually set aside, however, with the federal government deciding to follow a recommendation made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to have those omitted aspects introduced under a second Bill. That second Bill, Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, was introduced into Parliament by Home Affairs Minister Karen Andrews last week. In this second Bill, the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nations, which include providing reports of system information and risk assessments to the Australian Signals Directorate (ASD). The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations, meanwhile, would apply to a smaller subset of entities that hold assets that are classified as systems of national significance. Appearing before Senate Estimates on Monday morning, Home Affairs Secretary Mike Pezzullo said the Bill before Parliament would create a standardised critical infrastructure framework to enable the ASD to approach cyber attacks in a precautionary fashion due to the additional information it would receive.

“Up until now, we haven’t had common nomenclature, we haven’t had common reporting cadences, we haven’t had common reporting thresholds. Should the second Bill pass, obviously, we’re in the hands of the Parliament, what that will do is provide a standardised framework for both regulating and operating across the 11 designated sectors,” Pezzullo said. He also likened the pair of critical infrastructure legislation to being Australia’s “defence” against cyber attacks, whereas the national ransomware plan acts as the “offence”. “You’ve got to go on the offence, which is where the government ransomware action plan takes you. We’ve also got to play defence, that is to say, you’ve got to mitigate the risk as much as you can because today the attack vector is ransomware. The criminal and state actors who use ransomware will, once [it’s been thwarted], will then find another way,” he said. Home Affairs also made a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which commenced a new inquiry to scrutinise the Bill on the same day it was introduced into Parliament. In the submission, Home Affairs said the cost for each entity to run the risk management program, on average, would consist of a one-off AU$9.7 million for setting it up and an annual ongoing cost of AU$3.7 million. Due to the cost and additional regulatory burden that the Bill would place onto these critical infrastructure entities, which includes universities, Home Affairs said it has been working closely with industry experts and stakeholders from across the designated sectors for how best to handle that regulatory burden. Home Affairs said the program was drafted following over 100 engagement with those experts and stakeholders.  Later in the day, another Home Affairs representative provided Senate Estimates with more information about its search for a vendor to perform work on the country’s identity-matching services. Home Affairs National Resilience and Cybersecurity deputy secretary Marc Ablong said his department’s search is for a vendor to manage the country’s identity-matching services and the underlying infrastructure.”It’s not about moving forward on the identity matching services beyond what we currently have approval for,” Ablong said.  The country’s identity-matching services currently consist of three components, with one being the DVS, a national online service used to check in real time whether a particular evidence-of-identity document is authentic, accurate, and up to date. The other two are a face-matching services hub and a national driver licence facial recognition solution.”[Home Affairs] does not collect the images, nor do we have a database of those images. They are all kept within the state registry,” he added, when explaining the department’s remit for these services.Other Home Affairs movements included confirmation that a version of the Digital Passenger Declaration (DPD) would be released tomorrow, which will be the first use case to be built on the Permissions Capability Platform. When the DPD was first announced, the federal government said the DPD would replace the current Australia Travel Declaration (ATD) and the paper-based incoming passenger card. For tomorrow’s launch, however, the DPD will only replace the COVID-19 ATD for the moment, with the transition of replacing the incoming passenger card to come at a later date. Functionally, the DPD will link with a person’s QR code vaccination certificate and capture essential information up to 72 hours prior to a person boarding a plane. While the DPD will be launched tomorrow, travellers will still have to submit their travel declarations using the ATD until the end of this week with the new form of submission to be available from February 18 onwards.Updated at 6:23pm AEST, 14 February 2022: added information about DPD release.Related CoverageHome Affairs releases second Critical Infrastructure Bill with leftover obligationsThis new Bill contains obligations that were excluded from the Security Legislation Amendment (Critical Infrastructure) Act 2021.Critical Infrastructure Bill should be split to swiftly give government step-in powers: PJCISAmong the measures the PJCIS wants to have introduced immediately are step-in powers and mandatory reporting requirements.PJCIS concerned TSSR’s ‘do your best’ requirements are not enough anymoreCommittee recommends an Australian telecommunications security working group be established as it says the Telco Act is not enough to secure the nation.PJCIS backs expansion of intelligence oversight powers for IGIS and itselfThe PJCIS wants its intelligence oversight responsibilities to eventually expand to the Australian Federal Police and AUSTRAC.Home Affairs seeking support to build out Australia’s identity-matching systemA government tender has been published seeking new components to build, deploy, and host the country’s identity-matching services. More

Hours before the Super Bowl kicks off, the San Francisco 49ers were added to the list of victims of the Blackbyte ransomware group. The San Francisco 49ers were within a few plays of making it to the Super Bowl two weeks ago.The team did not respond to requests for comment but confirmed the attack to The Record and Bleeping Computer. The San Francisco 49ers showed up on the group’s leak site late Saturday evening and said in a statement that only its corporate IT network was affected by the attack. Law enforcement has been contacted and the company said it is still in the process of investigating the incident. The attack comes just one day after the FBI released a warning about the BlackByte ransomware group. “As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers,” the FBI said. “Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files.”The group emerged last year but cybersecurity company Trustwave was able to make a BlackByte decryptor available for download at GitHub in October. Research by the company showed that the first version of the BlackByte ransomware downloaded and executed the same key to encrypt files in AES — rather than unique keys for each session — like those usually employed by more sophisticated ransomware operators. A second, less vulnerable version of the ransomware was released in November, as the FBI noted. 

Emsisoft ransomware expert Brett Callow said Blackbyte is a Ransomware-as-a-service (RaaS) operation and the individuals who use it to carry out attacks may or may not be based in the same country as the primary team. “Like multiple other types of ransomware, Blackbyte does not encrypt computers which use the languages of Russia and post-Soviet countries,” Callow said.  A Red Canary analysis of the ransomware found operators gained initial access by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) present on a customer’s Microsoft Exchange server.  More

StackCommerce
When you give your partner the gift of learning, you also provide valuable opportunities. And we have 10 amazing e-learning course bundles that are an extra 15% off during our Valentine’s Day Sale. Just use coupon code VDAY2022 at checkout to score your partner the opportunity to learn a new skill.This bundle has 18 courses, but you can qualify for a well-paid ethical hacking position after completing the first one. And you don’t need any tech experience whatsoever to take it.Get The All-In-One 2022 Super-Sized Ethical Hacking Bundle for $36.54 (reg. $3,284) with code VDAY2022.With this bundle, you can train to become certified to teach English as a foreign language. It also includes lessons on how to develop your coaching and mentoring prowess, among other skills.Get The Complete 2021 TEFL Certification Training Bundle for $33.99 (reg. $250) with code VDAY2022.First, this bundle teaches the fundamentals of blockchain technology and how to use it to drive more revenue. You’ll find training material on how to become a Certified Blockchain Solutions Architect (CBSA) or Certified Blockchain Developer (CBDH).Get The Blockchain Bootcamp Certification Training Bundle for $16.99 (reg. $297) with code VDAY2022.

This course provides an overview of cryptocurrency and explains how to open accounts. Then it covers the most popular methods of generating passive income from cryptocurrency.Get Cryptocurrency Wealth Creation: Staking, Lending & Trading Course for $16.99 (reg. $200) with code VDAY2022.This bundle thoroughly covers Bitcoin and cryptocurrency trading. But you will also learn about non-fungible tokens (NFTs), including how to create an NFT of your own.Get The Complete NFT & Cryptocurrency Wealth Building Masterclass Bundle for $25.49 (reg. $1,200) with code VDAY2022.The US government created the Risk Management Framework to make cyber supply chain management more secure. This course will teach you the process of qualifying for a range of government cybersecurity positions.Get NIST Cybersecurity & Risk Management Frameworks for $33.15 (reg. $295) with code VDAY2022.The 2022 Ultimate Cybersecurity Analyst Preparation Bundle provides training for a wide variety of cybersecurity certifications. Start with one, and each one afterward will advance your career another step up.Get The 2022 Ultimate Cybersecurity Analyst Preparation Bundle for $25.49 (reg. $1,600) with code VDAY2022.Python is one of the most popular programming languages and easiest to learn. These 12 courses cover an entire career of Python training, but you can start applying for positions after completing just one. Python skills are excellent for remote work, so you may also want to learn a new language or two if you end up working abroad.Get The 2022 Premium Python Programming PCEP Certification Prep Bundle for $29.74 (reg. $2,400) with code VDAY2022.This is the ultimate e-learning bundle. You get more than 1,000 courses covering a wide variety of industries with StackSkills, another 800 tech courses from Stone River, and over 90 specialized courses on cybersecurity from Infosec4TC, which has an impressive rating of 4.8 out of 5 stars on Trustpilot.Get The Ultimate Lifetime Bundle of StackSkills + Infosec4TC + Stone River for $97.75 (reg. $13,994) with code VDAY2022.Cybersecurity is more crucial than ever, and these six courses will help you prepare for the IT certifications needed to pursue a career in this field. Each course focuses on CompTIA certifications, ensuring you’ll develop a vendor-neutral understanding of IT and security.Get The 2022 Premium CompTIA CyberSecurity & Security+ Exam Prep Bundle for $25.50 (reg. $1,200) with code VDAY2022.

More ZDNet Academy Deals More

One of Europe’s biggest car dealers, Emil Frey, was hit with a ransomware attack last month, according to a statement from the company. 

ZDNet Recommends

The Swiss company showed up on the list of victims for the Hive ransomware on February 1 and confirmed that they were attacked in January. “We have restored and restarted our commercial activity already days after the incident on January 11, 2022,” a spokesperson said, declining to answer more questions about whether customer information was accessed. The company — which has about 3,000 employees — generated $3.29 billion in sales in 2020 thanks to a variety of automobile-related businesses. It was ranked as the number 1 car dealership in Europe based on revenue and the total number of vehicles for sale. The FBI spotlighted the Hive ransomware group in August 2021 after their members attacked dozens of healthcare organizations last year. In 2021, Hive attacked at least 28 healthcare organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The FBI alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department” that can be accessed through a TOR browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms. 

Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation. On Wednesday, the FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) released a warning indicating that a growing wave of increasingly sophisticated ransomware attacks poses a threat to critical infrastructure and organizations around the world.”We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim,” said CISA Director Jen Easterly.  More