More stories

  • Signal now allows you to keep messages and groups after changing phone numbers

    Signal has announced it will allow users to change the phone number associated with a Signal account. Previously, getting a new number meant starting again with messages and groups; now the messaging service says users will retain their messages, profile information, and groups. To initiate a move, users head into account settings, choose the change phone number option, and complete a form with the old and new phone numbers. Signal warns in a support note that the change cannot be undone, and contacts of the user will see an alert stating that the user’s phone number has changed.

    If a Signal user does not have access to the old number, Signal suggests the old process: delete the account to wipe message history, register a new account with the new number, and message contacts to tell them about the new number. When someone registers with the old number, the message history should be blank, Signal said. “Your contacts will also be made aware of a safety number change if they start messaging with the old number,” Signal stated. The company said the new feature was built “using the foundation of more exciting features to come”.

    Last month, Signal founder and CEO Moxie Marlinspike announced his resignation, with WhatsApp co-founder Brian Acton to be interim CEO. Marlinspike will remain on the Signal board.

  • Washington State licensing agency reports cyber incident, data from thousands potentially exposed

    The Washington State Department of Licensing reported a cyber incident last week that may have exposed the sensitive information of more than 250,000 professionals in the state. The agency said in a statement that it “became aware of suspicious activity involving professional and occupational license data” during the week of January 24. The Professional Online Licensing and Regulatory Information System (POLARIS) that was affected stores information ranging from social security numbers, dates of birth and driver license numbers to other personally identifying information.

    “We immediately began investigating with the assistance of the Washington Office of Cybersecurity. As a precaution, DOL also shut down the Professional Online Licensing and Regulatory Information System (POLARIS) to protect the personal information of professional licensees. At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally,” the agency said. “If our investigation concludes that your personal information has been accessed, DOL will notify you and provide you with further assistance.”

    State Sen. Reuven Carlyle told The Seattle Times that he has been briefed on the issue, with the agency telling him that the Office of Cybersecurity became concerned after someone on the dark web claimed to have accessed the data. By the afternoon of January 24, the agency decided to shut down the licensing system entirely. The agency said it is working with the state’s Office of Cybersecurity to protect the licensing data and bring POLARIS back online. The department issues licenses for 39 types of businesses and professions, including cosmetology, real estate brokers, bail bondsmen, architects and more. The licenses are processed, issued and renewed in POLARIS.

    A call center has been created for businesses trying to renew their licenses, and the agency said it will not fine companies trying to renew their license during the outage. The state Attorney General’s Office keeps a running tally of the data breaches exposing information from citizens of the state. The website shows that in the attacks reported in 2022, more than 21,500 Washingtonians have been affected.

  • Microsoft Win32k bug added to CISA's exploited vulnerabilities list

    The US Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Win32k privilege escalation vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal civilian agencies to patch the issue by February 18. CISA said it added the vulnerability “based on evidence that threat actors are actively exploiting” it.

    Cybersecurity company DeepWatch said in a blog last week that proof-of-concept code was publicly disclosed and that threat actors with limited access to a compromised device “can utilize this vulnerability to quickly elevate privileges, allowing them to spread laterally inside the network, create new administrator users, and run privileged commands.” “According to the security researcher credited with disclosing the vulnerability to Microsoft, the vulnerability has already been exploited by advanced persistent threat (APT) actors. deepwatch Threat Intel Teams assess with high confidence that threat actors are likely to use the publicly available exploit code for CVE-2022-21882 to escalate privileges on systems in which they have already initially compromised,” the deepwatch Threat Intel Team explained. “Given the vulnerability affects Windows 10, the deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.”

    The vulnerability has a CVSS score of 7.0 and affects Microsoft Windows 10 versions 1809, 1909, 20H2, 21H1, and 21H2 as well as Microsoft Windows 11. Microsoft Windows Server 2019 and Microsoft Windows Server 2022 are also affected. The issue was heavily discussed by cybersecurity experts on Twitter, one of whom said they discovered it two years ago. Others confirmed the exploit works.

    Regarding the just-fixed CVE-2022-21882: win32k privilege escalation vulnerability, CVE-2021-1732 patch bypass, easy to exploit, which was used by apt attacks — b2ahex (@b2ahex) January 12, 2022

    Microsoft acknowledged RyeLv (@b2ahex) for discovering the issue and confirmed that it has been exploited. The issue is related to another vulnerability — CVE-2021-1732 — that Microsoft released a patch for in February 2021. Bugcrowd founder Casey Ellis said what stood out most to him was that most of the other vulnerabilities covered by the 2022-01 release provide initial access to systems. “This one is useful for increasing the power of marginal initial access, after it has already been achieved. The significance of this is that it shifts the prevention focus from ‘prevent intrusion’ to ‘assume and contain intrusion,’” Ellis explained.

    Privilege escalation bugs are the bane of any operating system, according to BluBracket head of product Casey Bisson. Bisson added that every successful OS vendor or community prioritizes fixes for them. “OS bugs can be very serious because they affect such large numbers of systems, but that also triggers a strong and rapid response,” Bisson said. “However, application-level vulnerabilities are often riskier because they can result in similar levels of access, but lack the same attention that OS-level risks often receive.”

  • IRS to end ID.me facial recognition effort after widespread backlash

    The Internal Revenue Service (IRS) announced on Monday afternoon that it will no longer be using ID.me facial recognition software, adding in a statement that it will “transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts.” The agency said the transition will take place over the coming weeks “in order to prevent larger disruptions to taxpayers during filing season.” The IRS plans to create “an additional authentication process” that does not involve any form of facial recognition and will work with other agencies on the effort. “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

    The statement comes after an avalanche of criticism directed toward the IRS from privacy activists as well as Democrats and Republicans in Congress. This morning, two separate groups of Democrats sent letters demanding an end to the IRS use of ID.me’s facial recognition. On Friday, one congressman introduced legislation that would ban the IRS from using facial recognition at all. The IRS has defended itself by arguing facial recognition was needed to deal with fraud. The Washington Post reported on Monday that IRS officials met with members of Congress on Friday and said they were looking into alternatives to ID.me that would not use facial recognition.

    This is big: The IRS has notified my office it plans to transition away from using facial recognition verification, as I requested earlier today. While this transition may take time, the administration recognizes that privacy and security are not mutually exclusive. https://t.co/jw7OR7dNo0 — Ron Wyden (@RonWyden) February 7, 2022

    The IRS signed an $86 million contract with ID.me, according to the Washington Post. More than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already had their faces scanned.

    In November, the IRS announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources. In order to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement, people will need to create an ID.me account and give the private company either a government ID, passport, birth certificate, W-2 form, social security card, a bill of some kind, or a “selfie,” among a host of other private documents they may ask for.

    Several civil rights groups — including Fight for the Future, Algorithmic Justice League, the Electronic Privacy Information Center, and others — started a protest movement last week designed to stop the IRS plan. Caitlin Seeley George, campaign director at Fight for the Future, said the IRS’ plan to use facial recognition on people who are trying to access their tax information online “was a profound threat to everyone’s security and civil liberties.” Seeley George noted that despite the news, several other agencies use ID.me facial recognition. The company’s facial recognition tools are already used by 27 states for their unemployment benefits systems, according to CyberScoop, while 30 states and 10 federal agencies also use the system for other government services.

    “We’re glad to see that grassroots activism and backlash from lawmakers and experts has forced the agency to back down. But several other Federal agencies are still using ID.me’s discriminatory and insecure software, including the Veterans Affairs Administration and Social Security Administration, as well as 30 states that use it on people trying to access unemployment benefits,” she said. “No one should be coerced into handing over their sensitive biometric information to the government in order to access essential services. The lawmakers who led the charge against the IRS use of this technology should immediately call for an end to other agencies’ contracts, and there should be a full investigation into the Federal government’s use of facial recognition and how it came to spend taxpayer dollars contracting with a company as shady as ID.me.”

  • House Democrats join senators in urging the IRS to end ID.me facial recognition plan

    Multiple members of Congress have come out against a plan from the Internal Revenue Service (IRS) to incorporate facial recognition provider ID.me into its processes this summer. The White House continues to ignore requests for comment, but Congressman Ted Lieu, Congresswoman Anna Eshoo, Congresswoman Pramila Jayapal, and Congresswoman Yvette Clarke sent a letter to IRS Commissioner Charles Rettig on Monday demanding the agency “halt its plan to employ facial recognition technology and consult with a wide variety of stakeholders before deciding on an alternative.” 

    “Any government agency operating a face recognition technology system — or contracting with a third party — creates potential risks of privacy violations and abuse. We urge the IRS to halt this plan and consult with a wide variety of stakeholders before deciding on an alternative,” the Congress members wrote. Like the letter sent by numerous Senate Republicans last week, the House members question the new biometric requirements that will be necessary for accessing a wide array of vital tools the IRS provides. They note the cybersecurity ramifications of the IRS partnership with ID.me as well as the racial implications of using a flawed technology for IRS services. An ID.me spokesperson even told The Washington Post that there was “variation across demographic groups and skin color” with its facial recognition algorithm, additionally claiming that the variations are “incredibly small.”

    Questions were also raised by House members about the IRS process that led to ID.me being chosen as well as ID.me’s previous lies about its technology. “Furthermore, the IRS’s Privacy Impact Assessment neglects to mention ID.me is even using this technology on Americans. Given these issues, it is simply wrong to compel millions of Americans to place trust in this new protocol,” the letter said.

    On Monday morning, Senator Ron Wyden released his own letter calling for an end to the IRS plan. Wyden acknowledged the IRS goal of stopping fraud through the facial recognition effort but said it is “simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.” 

    “It is also alarming that the IRS and so many other government agencies have outsourced their core technology infrastructure to the private sector. Quite simply, the infrastructure that powers digital identity, particularly when used to access government websites, should be run by the government,” Wyden said. The senator went on to question why the IRS and other agencies were not using Login.gov instead of ID.me, adding that the federal government needs to expand the effort internally to create a product that could match faces to photos held by the Department of Motor Vehicles and the Social Security Administration.

    “The IRS should redouble its efforts to remind taxpayers that facial recognition scanning is not now and has never been necessary to file taxes or receive a refund, as well as educate taxpayers on ways to access other IRS services without the use of facial recognition technology,” Wyden said. “Second, as a stopgap measure, the IRS should promptly revert its decision to require use of ID.me to transact online through the IRS’ website, delay the phase out of IRS.gov accounts created prior to the implementation of ID.me and restore the ability of taxpayers to create new IRS.gov accounts, which does not use facial recognition. And finally, in the longer term, the IRS should migrate away from third-party identity verification services and utilize GSA’s government-wide login-gov service.”

    Senators Roy Blunt and Jeff Merkley sent their own letter last week making many of the same requests of the IRS. In November, the IRS announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources.

    In order to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement, people will need to create an ID.me account and give the private company either a government ID, passport, birth certificate, W-2 form, social security card, a bill of some kind, or a “selfie,” among a host of other private documents they may ask for. The IRS signed an $86 million contract with ID.me, according to the Washington Post. More than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already had their faces scanned.

    Since the IRS announced the effort in November, there has been widespread backlash within Congress and among privacy advocates who continue to raise several issues with the effort. The Washington Post reported on Monday that IRS officials met with members of Congress on Friday and said they were looking into alternatives to ID.me that would not use facial recognition. ID.me is already used by 27 states for their unemployment benefits systems, according to CyberScoop, while 30 states and 10 federal agencies also use the system for other government services. Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website last week — called Dump ID.me — allowing people to sign a petition against the IRS plan. According to Fox Business, Rep. Bill Huizenga introduced a bill on Friday that bans the IRS from using any facial recognition in its processes.

    Caitlin Seeley George, campaign director at Fight for the Future, said the legislative response has shown that this is a bipartisan issue. “Facial recognition technology and the collection of people’s biometric data puts everyone in danger. I also think that in addition to the IRS (and other government agencies) canceling its contract with ID.me, there are a number of questions that legislators have sent to the IRS about how it landed on this tool,” Seeley George said. “It’s critical that we get answers to these questions, and hopefully use them to drive forward legislation to rein in the use of facial recognition and other biometric tools moving forward.”


  • Microsoft to make enabling 'untrusted' Office macros tougher in the name of security

    Starting in early April, Microsoft plans to make it tougher to enable VBA macros that are downloaded from the internet in several of its Office apps. The effect, the company hopes, will be to close off a popular way for malware to spread. Microsoft plans to block by default VBA macros obtained from the internet in Office on devices running Windows. This will impact Access, Excel, PowerPoint, Visio, and Word, according to a February 7 blog post from the Office product group. The change will begin rolling out in the Current Channel (preview) of Office on Windows and will prevent users from enabling these kinds of macros with a single click. Over time, Microsoft will move beyond the Current Channel with this change and apply it to other Office distribution channels, like the Monthly Enterprise and Semi-Annual Enterprise Channels. This change also will be applied to the Long Term Servicing Channel version of Office, including Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

    UK cybersecurity expert (and former Microsoftie) Kevin Beaumont tweeted that “this is potentially a game changer for the cybersecurity industry, and, more importantly customers,” as macros account for about 25 percent of all ransomware entry — a figure he called “deeply conservative.” A message bar will warn that a particular downloaded VBA macro is untrusted, reading “Security Risk: Microsoft has blocked macros from running because the source of this file is untrusted” next to a Learn More button. The Learn More button will take users to an article about the security risk of bad actors using macros, ways to prevent phishing and malware, and instructions for enabling these macros by saving the file and removing the Mark of the Web (MOTW). The MOTW is added to files by Windows when they’re from an untrusted location (internet or Restricted Zone). This article from Microsoft has more information for IT pros/admins about the coming change in macro behavior.

  • Google Cloud launches agentless cryptojacking malware scanner

    Google Cloud has announced a new security feature designed to hunt down instances of cryptojacking. On Monday, the tech giant said the public preview of Virtual Machine Threat Detection (VMTD) is now available in the Security Command Center (SCC). The SCC is a platform for detecting threats against cloud assets by scanning for security vulnerabilities and misconfigurations.

    Timothy Peacock, Product Manager at Google Cloud, said that as organizations continue to migrate to the cloud, workloads are often handled with VM-based architectures. Cloud environments are also a prime target for cyberattackers seeking out valuable data, as well as those intending to execute cryptocurrency mining malware. Cryptocurrency miners such as XMRig are legitimate programs for mining coins. When in the hands of threat actors, however, cryptominers can be abused and used without permission on cloud systems. In what are known as cryptojacking attacks, miners are deployed on compromised systems to steal the victim’s compute resources. Cryptocurrency including Monero (XMR) is often mined by cybercriminals in this way, and coins are sent to wallets controlled by the malware’s operators. According to Google’s latest Threat Horizons report (.PDF), out of a sample of compromised instances, 86% were used for cryptocurrency mining and 10% were used to perform scans for other vulnerable instances.

    To combat the specter of cryptojacking attacks against VMs operating in Google Cloud, the company’s VMTD solution will provide “agentless memory scanning” inside SCC. “Traditional endpoint security relies on deploying software agents inside a guest virtual machine to gather signals and telemetry to inform runtime threat detection,” Peacock said. “But as is the case in many other areas of infrastructure security, cloud technology offers the ability to rethink existing models.” Google’s approach is to instruct the hypervisor to collect signals that may indicate infection. VMTD will start as a means to detect cryptocurrency mining, but as it hits general availability, the system will be integrated with other Google Cloud functions. Users can choose to try out VMTD by enabling it in SCC settings. The service is opt-in and customers can choose the scope of the scanner.

  • 'We are building one of the most modern networks in the world'. How Vodafone Australia changed its 5G plans after the Huawei ban

    At the start of August 2018, Vodafone Australia was running services from 2G to 4G on a network that relied heavily on Huawei. Besides the core of its network, Huawei was everywhere else, and the telco relied on the Chinese vendor for its radio network and transmission network. Everything from a mobile device up to the data centre used a single vendor.

    Given such reliance and the existing relationship, the telco intended to use Huawei when it began the move to offering 5G services. All that changed by the end of that month, however, as the situation had become untenable in the face of a government ban on Huawei and ZTE for supplying 5G services in Australia. In its reasoning, Canberra said vendors who were subject to “extrajudicial directions from a foreign government” would conflict with local laws, and carriers might not be able to protect their networks properly. For Vodafone Australia, that meant a rethink was needed. “We definitely didn’t expect the ban to come the way that it came. For example, if you look at the situation that they have in Europe — like in the UK, for example, they use Huawei — they have like seven years to vacate and they can still use Huawei on 5G on a limited number of sites. There is kind of a transition plan that has been created there,” formerly Vodafone Australia and now TPG Telecom general manager for wireless and transmission networks Yago Lopez tells ZDNet. “In Australia, probably we didn’t expect at the time, the outcome to be as black and white as it was. We’ve just got to accept what the guidance of the government is and get on with that.”

    Lopez says that, since the ruling had little guidance, the mobile carrier needed to consider what its next steps would be. Key in its thinking was how it would handle the existing Huawei network. “You still have a network with Huawei with five million customers that you need to maintain the best experience possible. So you need to find a way to keep investing on Huawei until you get an alternative, and then how to transition from your investment in Huawei into the new vendor in a seamless way,” Lopez says. “[Because] it does not make any sense to stop maintaining the Huawei network where you have all your customers because then when you build a new network, you don’t have customers left.”

    For Vodafone, this meant the Huawei network needed to have some final upgrades performed, as it was planning to start fresh with 5G. In the end, the telco would select Nokia for radios and management, and Ericsson would supply its new virtualised core. According to Lopez, the ban gave the company, now known as TPG Telecom, the chance to reset and remove a lot of the legacy issues it had carried. The downside is that it is set to cost well over AU$1 billion across the six years of the build, once TPG tallies up the full cost.

    “[It’s] more expensive because you need to start from scratch, but then you have benefits of [starting] from scratch. So we are not taking an old platform and upgrading just on the edges to make it 5G-ready. What we are doing is … every site that we swap from Huawei to Nokia, every piece of equipment that we put is new, brand new, and every piece of equipment that we put in is 5G-ready,” he says. “Then in the future, we want to move spectrum that we use today from 3G or 4G into 5G, we can do remotely; we can be very, very agile in the way that we manage our assets. But on the technical side, we are building one of the most modern networks in the world, right now — so our engineers are happy.”

    With the new network, Vodafone Australia can switch from 4G to 5G as needed, and move between LTE, 5G non-standalone, and 5G standalone in software. The shift has been no small task. Last year, the telco put in over one million hours of work just on the radio side of its network, with Nokia having to scale up to handle TPG Telecom, Lopez says. Building a new network while keeping an existing one in place meant Vodafone Australia customers saw a lag of around 18 months compared to its competition for 5G, particularly the incumbent with an existing Ericsson network that could be easily upgraded. Optus also had to deal with the Huawei ban, but it chose not to talk to ZDNet for this story.

    Throughout this period, Vodafone Hutchison Australia and TPG also had to deal with a protracted merger, announced days after the Huawei ban was imposed, that took just shy of two years to complete. At the time, TPG was beginning to deploy small cell sites in Australian cities, but that plan was abandoned at the start of 2019, with the blame for that decision and the subsequent AU$230 million accounting hit laid at the feet of the ban. While TPG could not bring a functioning mobile network to the merger, it brought spectrum and its fibre network that Vodafone was already paying to use. This approach allowed the merged entity to have end-to-end control of its mobile network and, thanks to weathering the case brought against it by the Australian Competition and Consumer Commission to prevent the merger, Lopez says the company has since moved its mentality to one described as a “very good vibe [and] lots of can-do attitude”.

    “You have a rollout plan, and that rollout plan is hundreds of millions of dollars that are going in one direction … You have something you have been doing in the same process for seven years … and then overnight you need to think, ‘Okay, I need to keep this alive but I need to stop everything I’m doing. I need to press the reset button and then I need to start to build something new’.

    “It’s a challenge technically, but also a challenge on the mentality of the company … because [it’s] easiest sometimes just to say, ‘Look, let’s think that is not happening. Let’s keep doing the way we do.’ But we would be in a very bad, a much worse situation right now.”

    Another change in mentality has been shifting from a single vendor to handling multiple ones on the user-facing side. Now that TPG’s 5G network is up and running, the telco is in trials with Samsung to use commodity hardware for a 5G virtualised radio network, and another area it is looking towards, along with its parent companies Vodafone Group and Hutchison, is Open RAN. In at least one way, the ban has been a blessing in disguise for the telco. “Technically, we are one of the most advanced networks in the world,” Lopez says. “Financially, obviously, there is a lot of extra cost that we have to [pay] upfront right now, which obviously, as a company, we would have preferred not to, but again, we accept the ruling of the government.” Lopez says something the telco would like to see is a program similar to the one in the United States that helps some of the nation’s smaller mobile carriers get funds to help make a transition out of the Huawei ecosystem. “We are still kind of waiting for the Australian government to take that path and help us to carry this burden,” Lopez says.