More stories

  • Russia bans walkie-talkie app Zello

    Walkie-talkie communication app Zello has become the latest app banned by Russian officials. On Sunday, Russia’s Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, also known as Roskomnadzor, announced that it is banning Zello for spreading “false information” about the invasion of Ukraine. “On March 4, Roskomnadzor, based on the decision, sent the administration of the American Internet resource Zello a request to stop sending messages to users that contain false information about the course of a special operation of the Armed Forces of the Russian Federation on the territory of Ukraine,” Roskomnadzor said in a translated statement. “The administration of the Zello Internet resource did not comply with the requirement of Roskomnadzor within the period established by law. Due to the failure of the administration of Zello to comply with the requirements of Roskomnadzor, access to this application on the territory of the Russian Federation will be limited within 24 hours.”

    On Friday, Roskomnadzor announced that it will block access to Facebook, alleging the US social media giant has discriminated against Russian media and information resources. Early last week, Facebook said it would be “demoting” content from Russian state-backed media outlets on Facebook and Instagram as part of a wide range of efforts taken in light of the recent invasion of Ukraine. Nick Clegg, Facebook’s president of global affairs and the former UK deputy prime minister, said the Russian government was already throttling Facebook and Instagram to make it more difficult for Russian citizens to see certain content.

    Since Russia began the invasion in February, several tech companies, including Google, Microsoft and Apple, have taken punitive actions against Russia, banning services or ending business in the country.

    Emsisoft threat analyst Brett Callow noted that Russia has already blocked the BBC and multiple other international media outlets. “Blocking Zello is not a surprise,” Callow said. “The Russian government will likely continue to try to limit access to any sources of non-favorable information about the invasion, so more blocks are highly probable.”

    Zello did not respond to requests for comment about the situation. The app has become massively popular in Ukraine since the invasion began.


  • PressReader service partially returns after cyberattack impacts 7,000+ publications

    PressReader, a digital platform for hundreds of print newspapers and magazines, said its systems are slowly returning to normal after a cyberattack caused outages since last Thursday. The app provides access to more than 7,000 publications from newspapers, libraries and museums across the world. It first announced the outages on March 3 and later confirmed it was because of a cybersecurity incident. 

    In posts on Facebook and Twitter last night, the company said its content processing system is now fully back to normal and all publications sent to the platform since March 6 have been published. But a number of publications remain delayed, even after PressReader received the files from publishers. “We are actively reaching out to publishers to receive and process these publications as soon as possible. Missing issues between March 3rd and March 5th will be processed in the coming days. Magazine content since March 3rd will resume processing from 9am PST, Monday March 7th,” the company said. “While we are still investigating the full-scope of the incident, what we can share is that the PressReader team has been working around the clock to ensure that we stand alongside our partners in our commitment to the free press and the distribution of quality journalism.”

    To our readers and partners, PressReader thanks you immensely for your support and understanding as we navigated through this cyber security incident. Updates in thread (1/6) — PressReader (@PressReader) March 7, 2022

    The company added on Sunday that its teams in Vancouver and the Philippines have been working around the clock to bring service back. This past weekend, the company said it was prioritizing titles from Europe, Africa, and the Middle East as it scaled its systems back to full capacity. The day before that, PressReader said its security teams were able to determine that the outage was caused by a cybersecurity incident.

    The company did not respond to requests for comment about whether it was a ransomware attack. But in its initial statement, PressReader claimed the attack was part of a larger trend of companies across North America experiencing “security incidents” over the last few weeks. In that first public message the company said there was no evidence that customer data was compromised, but it did not include that line in subsequent statements.

    Users flooded both the Twitter and Facebook posts to complain about the loss of access to their favorite publications. Hundreds of newspapers released personal messages to readers explaining the outages. Many newspapers — especially those that rely on the platform as their only avenue for publishing daily electronic versions of their newspaper — shared PressReader’s statement verbatim. One newspaper said its call center was “experiencing high call volumes and long wait times because of this outage.” It urged customers to stop calling and wait for messages from the newspaper directly.

  • Mozilla fixes two critical Firefox flaws that are being actively exploited

    People who use Firefox as one of their browsers should update it now that it’s gained patches for two critical flaws that are being exploited in the wild. Mozilla just released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 with the security fixes. The bugs are also fixed in Thunderbird 91.6.2. 


    Both CVE-2022-26485 and CVE-2022-26486 are critical use-after-free memory-safety flaws. CVE-2022-26486 could also lead to an exploitable sandbox escape, according to Mozilla.

    “Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw,” Mozilla explains. “An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.”

    WebGPU is a browser specification for various interfaces that allow a web page to use a system’s GPU for improved graphics. Mozilla hasn’t released further details, but credits the bug reports to researchers at Chinese security firm Qihoo 360 ATA: Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang.

    While Firefox user numbers are declining, Mozilla performed fairly well in Google Project Zero’s analysis of how quickly software vendors fixed bugs. Mozilla patched nine of the 10 bugs affecting its software within 90 days of the initial report. It also took an average of 46 days to fix bugs, compared to 44 days for Google, 69 days for Apple, and 83 days for Microsoft. Looking at browsers, Chrome was the fastest: with 40 fixed bugs it had an average time to patch of 5.3 days. WebKit had 27 bugs and an 11.6-day average time to patch, while Firefox had eight bugs and a 16.6-day average time to fix.
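As an added example (my code, not Mozilla’s and not from the article), here is a small Python inventory check that decides whether a reported Firefox or Thunderbird build carries the fixes listed above. The point it makes is that the release channel matters: a patched ESR build reports a lower number (91.6.1esr) than the patched release build (97.0.2), so a naive numeric comparison would either flag patched ESR hosts or wave through unpatched ones. The fixed versions are the ones the article names; the inventory, hostnames and the assumption that ESR builds carry an “esr” suffix (as printed by `firefox --version`) are constructed for the example.

```python
"""Check whether Firefox/Thunderbird builds carry the fixes for
CVE-2022-26485 and CVE-2022-26486.

Added example, not Mozilla's code. Fixed versions are those named in the
March 2022 advisory coverage above; version strings below are constructed.
"""
import re

# First release on each product/channel that carries both fixes.
FIXED_VERSIONS = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3, 0),
    "focus": (97, 3, 0),
    "thunderbird": (91, 6, 2),
}

# major[.minor[.patch]][suffix]  e.g. 97.0.2, 91.6.1esr, 98.0b5
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text):
    """Return ((major, minor, patch), suffix); missing components are 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), (suffix or "")


def detect_channel(product, version_text):
    """Map product + version onto a FIXED_VERSIONS key. Desktop Firefox
    builds reporting an 'esr' suffix belong to the ESR line (assumption:
    that is how ESR builds identify themselves)."""
    _, suffix = parse_version(version_text)
    if product == "firefox" and suffix.startswith("esr"):
        return "firefox-esr"
    return product


def is_patched(product, version_text):
    """True when the build is at or above the first fixed release on its
    channel. Comparison is per numeric component, so 97.0.10 > 97.0.2."""
    channel = detect_channel(product, version_text)
    if channel not in FIXED_VERSIONS:
        raise KeyError(f"unknown product/channel: {channel}")
    numbers, _ = parse_version(version_text)
    return numbers >= FIXED_VERSIONS[channel]


def triage(inventory):
    """Given {host: (product, version)}, return the hosts still exposed."""
    return sorted(h for h, (p, v) in inventory.items() if not is_patched(p, v))


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up.
    inventory = {
        "ws-01": ("firefox", "97.0.1"),
        "ws-02": ("firefox", "97.0.2"),
        "ws-03": ("firefox", "91.6.0esr"),
        "ws-04": ("firefox", "91.6.1esr"),
        "mail-01": ("thunderbird", "91.6.1"),
    }
    for host in triage(inventory):
        product, version = inventory[host]
        print(f"{host}: needs update ({product} {version})")
```

Feed it whatever your asset inventory exports; the only thing the check needs per host is the product name and the raw version string, and unknown products raise rather than silently passing.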

  • Samsung confirms Galaxy source code breach but says no customer information was stolen

    Samsung on Monday confirmed that the company recently suffered a cyberattack, but said that it doesn’t anticipate any impact on its business or customers.

    Last week, South American hacking group Lapsus$ claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech giant’s servers. The group also posted snapshots of the alleged data online.


    Samsung has now confirmed in a statement, without naming the hacking group, that there was a security breach, but it asserted that no personal information of customers was compromised.

    “We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” the company said. “According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

    Asked whether the company had received a demand for payment or was in negotiation with any hacking group, a company spokesperson declined to comment.

    Lapsus$ also claimed last month that it had stolen 1TB of data from GPU giant Nvidia, while also posting snapshots of some of the data online. In response last week, Nvidia confirmed that some employee credentials and proprietary information were stolen, but also said it doesn’t expect disruption to its business.

  • Australia launches federal election disinformation register to fight mistruths

    Australia’s electoral body has launched a new disinformation register to debunk misleading and deceptive information about how elections are run, to protect the integrity of the country’s upcoming federal election.

    The new register comes in response to an uptick in election conspiracy theories circulating online in recent months, this being a federal election year. According to the Australian Electoral Commission (AEC), the disinformation register is a regularly updated database containing examples of disinformation and misinformation that have circulated online from late 2021 onwards.

    The AEC explained that each piece of disinformation discovered by the commission would be presented in the register with information about which platform it was spread on, the timing, the factual information regarding the matter, and the actions taken by the commission to correct the record.

    “We’re not messing around,” AEC chief Tom Rogers said. “The Australian vote belongs to all Australians and there is freedom of political communication. However, if you spread incorrect information about the processes we run — deliberately or otherwise — we’ll correct you.”

    Examples of disinformation flagged in the AEC disinformation register. Image: Australian Electoral Commission

    Examples of disinformation that have already been added to the register are that people will only be eligible to vote if they are fully vaccinated and that pencil marks are erased in the counting process. Both of these pieces of information are mistruths, the register states.

    Beyond the disinformation register tool, the AEC has been working more closely with social media platforms to quickly remove election misinformation and disinformation. As part of this, all major social media platforms have given “assurances” that they will allocate more resources to monitoring election disinformation and misinformation for the upcoming Australian federal election.

    “For this election, we’re getting assurances from all of them that they will be expanding their hours of service, including having not just expanded hours of service here in Australia but then actually having staff in other parts of the world so that they can try and get as close to 24/7 coverage — so they’re not confined by the business hours of the staff here in Australia,” deputy electoral commissioner Jeff Pope said last month.

  • The IT department was asked to spy on co-workers. It didn't go well

    IT? Or MI5?
    Image: Shutterstock
    The more we’ve come to rely on technology, the more we’ve lurched toward surveillance. In one sense, it’s all too human. Who trusts anyone these days?

    In another, however, it’s a dark portent of a world gone twisted.

    I’ve never been the same since reading the tale — posted to Reddit last year — of a company that used an IM system that offered three status choices: idle, available, or in a meeting. This fine system registered an employee as “idle” if they didn’t touch their keyboard for five minutes. And what a word to use anyway — idle — as if you’re lazing around, thinking about nothing at all. Some of people’s best work is performed when they’re idle, leaning back, and staring into space. I wanted to believe this was an isolated piece of software, even though I felt sure it wasn’t.

    And then there came the long and torrid story, recently reported by Business Insider, of a company called CoStar. There had been a “mass exodus” at this commercial real estate data firm. People choose to leave tech companies all the time, especially in the current climate of full employment. At CoStar, though, one of the reasons for employee discomfort was reportedly the enrollment of its IT department as, well, something of a spy network.

    The 15 people in IT were asked to perform 100 video calls to other employees. Spontaneous ones. (CoStar denies this happened.) They were reportedly told to say they were checking to see if the company’s VPN was working as it should.

    As Business Insider tells it, the IT people were “told to note whether that employee answered the call promptly and enabled their video during the chat, and to log more personal details, including a description of where that person was working and whether they were dressed professionally.”

    One person’s idea of professional dressing is another person’s “why did you spend so much money on that hat from Neiman Marcus?”

    Back to the spying. Apparently, if the employee didn’t respond to the call three times, they were put on the naughty list. Or, worse, shown straight to the door.

    Too often, technology is being used as a substitute for other skills — management, for example. A good manager understands that some employee metrics can’t be analyzed. There are contributions that can’t be measured, either by a machine or by a spy report.

    Tracking employees by the minute sucks the humanity and the dignity out of work. Is it so surprising that companies are suddenly finding it difficult to hire good employees — or any, really?

    Equally, I’m left to wonder about the IT employees asked to perform surveillance. I know a couple of IT people. They tell me of occasional requests from management to surveil others — requests that turn their stomachs. When I ask how they deal with it, they shrug, as if it’s simply part of their job these days. Keeping the network together by day, spying by day, too.

    As business software becomes ever more powerful and ubiquitous, those in charge are tempted toward the sneaky and iniquitous. Too many believe it’s their right to know everything about their employees. Too many have little regard for the one thing that suffers: trust.

    What are they afraid of?


  • CISA pledges to share incident reports with FBI after DOJ backlash to bipartisan cybersecurity act

    The director of the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Friday that the agency would be “immediately” sharing incident reports from critical infrastructure organizations with the FBI.

    The FBI and Department of Justice caused a minor furor on Thursday when both came out harshly against the Strengthening American Cybersecurity Act, landmark cybersecurity legislation that sailed through the Senate unanimously on Tuesday. The act forces critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours. In statements to Politico, FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco trashed the bipartisan bill because the FBI and DOJ are not included alongside CISA. Wray said it “would make the public less safe from cyber threats” and Monaco claimed the bill leaves the FBI “on the sidelines and makes us less safe at a time when we face unprecedented threats.”

    The statements shocked officials on both sides of the aisle in the Senate and House, according to statements provided to Politico. The White House came out in support of the bill on Thursday evening but told CBS that it was “exploring all options, to ensure that the legislation enables all relevant Federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions.”

    On Friday afternoon, CISA director Jen Easterly addressed the issue publicly, writing on Twitter that the agency would “immediately” share the incident reports with the FBI.

    We have a terrific operational partnership w/our #FBI teammates & will continue to do so, to include always ensuring that cyber incident reporting received by @CISAgov is immediately shared with them. END — Jen Easterly (@CISAJen) March 4, 2022

    “The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a critical step forward in ensuring our nation’s security. As the nation’s cyber defense agency, it gives CISA another key tool to respond to & mitigate the impact of cyber attacks,” Easterly said. “We have a terrific operational partnership w/our #FBI teammates & will continue to do so, to include always ensuring that cyber incident reporting received by CISA is immediately shared with them.”

    Spokespeople for the lead senators behind the bill, Senate Homeland Security Committee Chair Gary Peters and ranking member Rob Portman, criticized the FBI and DOJ for attacking the bill, telling Politico that both were consulted on it for months. The FBI had previously expressed its desire to be included in any incident reporting legislation during hearings that took place in September. Both Easterly and National Cyber Director Chris Inglis backed the inclusion of the FBI at the time, and the Senate changed the bill to mandate that CISA share incident reports with the FBI and other agencies within 24 hours. Despite the changes, Monaco told Politico on Thursday that “changes” still needed to be made to it. The FBI and DOJ did not respond to requests for comment on Friday about whether they will now support the legislation in light of Easterly’s comments.

    The 200-page act, which combines pieces of the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act, includes several measures designed to modernize the federal government’s cybersecurity posture, and both Peters and Portman said the legislation was “urgently needed” in light of US support for Ukraine, which was invaded by Russia last week.

    Rep. Jim Langevin, the co-chair of the Cybersecurity Caucus, said getting incident reporting, FISMA and FedRAMP across the finish line and onto the President’s desk “should be top priorities for this Congress.” “My colleagues in the House and I have worked hard to develop strong language to accomplish these goals, not all of which is included in this bill, such as the need to codify the dual-hat role of the federal CISO,” Langevin told ZDNet. “I look forward to building upon this week’s progress to pass strong cyber legislation out of both chambers, so that we can meet our nation’s urgent cybersecurity needs.”

  • The top 1,000 open-source libraries

    When you think of important open-source projects you almost certainly recall Linux, the Apache Web Server, LibreOffice, and so on. And that’s true. These are vital, but beneath them are the critical software libraries that empower hundreds of thousands of other programs. These are far less well known. That’s why the Harvard Laboratory for Innovation Science (LISH) and the Linux Foundation’s Open Source Security Foundation (OpenSSF) recently put together a comprehensive survey, Census II of Free and Open Source Software – Application Libraries, of these under-the-hood critical programs.


    This is the second such study. The first, 2020’s “Vulnerabilities in the Core,” a preliminary report and Census II of open-source software, focused on the lower-level critical operating system libraries and utilities. This new report aggregates data from over half a million observations of free and open-source (FOSS) libraries used in production applications at thousands of companies.

    The data for this report came from the Software Composition Analysis (SCA) scans of codebases of thousands of companies. This data was provided by Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA.

    The purpose of this, besides simply wanting to know which were indeed the most popular open-source application libraries, packages, and components, is to help secure these projects. Until you know what’s important, you can’t know what you need to secure first. For example, the heretofore relatively unknown log4j logging package became a massive security problem when the Log4Shell zero-day was revealed. Jen Easterly, the director of the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), called it “the most serious vulnerability I’ve seen in my decades-long career.” This bug affected tens or hundreds of millions of devices and programs.

    Kevin Wang, FOSSA’s founder and CEO, observed, “The ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software.” Only by understanding our “open source dependencies can we improve transparency and trust in the software supply chain.”

    Mike Dolan, the Linux Foundation’s senior vice president of Projects, added, “Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support. Open-source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces.”

    This census breaks down the 500 most used FOSS packages in eight different areas. These include different slices of the data: versioned/version-agnostic, npm/non-npm package manager, and direct/direct-and-indirect package calls. For example, the top 10 version-agnostic npm JavaScript packages that are called directly are:

    1) lodash
    2) react
    3) axios
    4) debug
    5) @babel/core
    6) express
    7) semver
    8) uuid
    9) react-dom
    10) jquery

    These, and the other top libraries, need to be closely watched for any security issues. Besides simply listing them, the survey’s authors, from Harvard University, made five overall findings:

    1) There’s a need for a standardized naming schema for software components. As it is, the names aren’t random, but there’s not a lot of rhyme or reason to them either.

    2) We need to clean up the complexities of package versioning. Can you tell at a glance what version a package is? You can if you work on that program, but if you just use it as a brick in your higher-level software, it can be a mystery.

    3) Much of the most widely used FOSS is developed by only a handful of contributors. Everyone knows the XKCD cartoon of a giant software stack that all depends on a single developer in Nebraska. The sad and funny thing about this is that it’s not a joke. We still depend on code that relies on a sole programmer.

    4) Improving individual developer account security is becoming critical. With hacking attacks on developers becoming more common, we must protect their accounts like the crown jewels of development they are.

    5) Legacy software in the open-source space needs to be cleaned up. Usually, we think of legacy software in terms of that one guy we all know who’s still running Windows XP. But old, crufty code lives on in open-source repositories as well.

    That said, while this survey is useful, the work is far from done. More and continuing work needs to be done. All the participants in this report are planning on working on another study. This is only a precursor to more exhaustive studies to come to better understand these critical pillars of our information infrastructure.
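To make the census’s direct/indirect and versioned/version-agnostic slices concrete for a single application, here is an added Python example (my code, not from the Census II report or from Snyk, Synopsys or FOSSA) that computes those slices from a package-lock.json. The lockfile embedded in it is constructed for the example, using names from the top-10 list above; the lockfile layout it assumes is the lockfileVersion 2/3 “packages” map, where a nested path such as node_modules/express/node_modules/debug means a second copy of debug at a different version. It goes one step beyond the report’s slices by also listing packages present in more than one version, which is the versioning complexity the second finding describes.

```python
"""Slice an npm lockfile into direct vs. indirect dependencies and
versioned vs. version-agnostic package counts.

Added example, not code from the Census II report or its data providers.
Assumes the lockfileVersion 2/3 layout: a 'packages' map keyed by path,
with '' for the root project. The lockfile below is constructed.
"""
import json
from collections import Counter

# Constructed lockfile: a root project with three direct dependencies and
# two packages (debug, semver) that end up installed at two versions each.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"express": "^4.18.2", "lodash": "^4.17.21",
                              "@babel/core": "^7.21.0"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"debug": "2.6.9", "semver": "^7.3.8"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@babel/core": {"version": "7.21.0",
                                     "dependencies": {"debug": "^4.3.4", "semver": "^6.3.0"}},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/semver": {"version": "7.3.8"},
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.0"},
    },
})


def package_name(path):
    """Recover the package name from a lockfile path, keeping npm scopes:
    'node_modules/@babel/core'                    -> '@babel/core'
    'node_modules/@babel/core/node_modules/semver' -> 'semver'"""
    return path.rsplit("node_modules/", 1)[1]


def slice_lockfile(lock_text):
    """Return the direct/indirect split, the versioned and version-agnostic
    counts, and the packages installed at more than one version."""
    packages = json.loads(lock_text)["packages"]
    direct = set(packages.get("", {}).get("dependencies", {}))

    versioned = Counter()  # (name, version) -> installed copies
    for path, meta in packages.items():
        if path == "":
            continue  # the root project is not a dependency of itself
        versioned[(package_name(path), meta["version"])] += 1

    # Collapse versions: how many distinct versions each name is installed at.
    agnostic = Counter(name for name, _ in versioned)
    indirect = set(agnostic) - direct

    return {
        "direct": sorted(direct),
        "indirect": sorted(indirect),
        "versioned_count": len(versioned),
        "agnostic_count": len(agnostic),
        "multiple_versions": sorted(n for n, c in agnostic.items() if c > 1),
    }


if __name__ == "__main__":
    report = slice_lockfile(SAMPLE_LOCK)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run over a real lockfile, the indirect list is the part of the attack surface a team rarely chose explicitly, and the multiple_versions list shows where one name maps to several artifacts that each need watching.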