More stories

  • in

    LockBit gang claims it stole data from French Ministry of Justice

    The French government is investigating claims from the LockBit ransomware gang that data was stolen from the Ministry of Justice. “The French Ministry of Justice is aware of the alert and has immediately taken actions to proceed to the needed verifications, in collaboration with the competent services in this field,” a government spokesperson told ZDNet.


    The Ministry of Justice was added to the LockBit leak site alongside data from dozens of European companies and towns, including the French city of Saint-Cloud. LockBit has become well-known for overstating claims of data theft. It has been repeatedly caught adding the names of companies and organizations to its site with no files to show for it. While the claims of an attack on the Ministry of Justice are being investigated, LeMagIT did report this week that the city of Saint-Cloud confirmed it dealt with some kind of cyberattack. Security Week’s Eduard Kovacs was one of the first to report that LockBit 2.0 had added the French Ministry of Justice to its leak site and was threatening to leak documents by February 10. Local journalists later said sources at the Ministry of Justice confirmed the attack but questioned the scope of the incident, considering LockBit was only advertising about 8,000 files.

    Trend Micro revealed this week that LockBit now has additional Linux and VMware ESXi variants that have been spotted actively targeting organizations in recent months. The company noted that a number of other ransomware variants have been shifting their efforts to target and encrypt Linux hosts, such as ESXi servers, but that the LockBit move was concerning because of the popularity of LockBit’s ransomware-as-a-service.

  • in

    Google unveils differential privacy tool for Python developers processing data

    On Friday, Google debuted a new product developed with OpenMined that allows any Python developer to process data with differential privacy. The two have been working on the project for a year, and Google said the freely available privacy infrastructure will help millions in “the global developer community — researchers, governments, nonprofits, businesses and more — build and launch new applications for differential privacy, which can provide useful insights and services without revealing any information about individuals.”

    Google began its differential privacy efforts in 2019 and got significant interest in it, prompting them to launch the new open source differential privacy product in Python. Google’s work with OpenMined included efforts to train third-party experts to educate anyone who wants to learn how to leverage differential privacy tech. Google privacy and data protection office product manager Miguel Guevara told ZDNet that they reached out to OpenMined last year to surface the idea of building this Python product, with the goal of making it the most usable end-to-end differential privacy solution freely available. They immediately jumped onboard, Guevara added. “It’s been a truly amazing experience to work collectively with OpenMined towards building a more private Internet. The energy that their developers had through this journey over the past year demonstrated the appetite there is for expanding access to these privacy-enhancing technologies that we believe will play a critical role in the future of the web for every user,” Guevara said. “Beyond the joint work our engineers did for the design and implementation of the library, we’re also thrilled that OpenMined now offers trained experts to provide guidance and resources for any developer looking to implement differential privacy in their projects.” Google initially launched an open-sourced version of its foundational differential privacy library in C++, Java, and Go in 2019. Developers immediately took to the project, wanting to use the library for their own applications.

    Google noted that startups like Arkhn have used it to help hospitals share data, and Australian researchers use it for a variety of scientific studies. “We are also releasing a new differential privacy tool that allows practitioners to visualize and better tune the parameters used to produce differentially private information,” Guevara said. “Finally, we are also publishing a paper sharing the techniques that we use to efficiently scale differential privacy to datasets of a petabyte or more.” Guevara urged researchers and developers to use the tool and provide feedback, noting that Google would continue “investing in democratizing access to critical privacy enhancing technologies.”

  • in

    Scammers target us on social media now more than ever

    The Federal Trade Commission (FTC) warns consumers to keep an eye out for who they interact with on social media since scams are rising.

    This week, a new FTC report showcases just how bad social media scams became in 2021. According to the FTC, more than one in four people who lost money to fraud in 2021 said it started on social media in the form of an ad, post, or message. Findings also show that social media was more profitable to scammers last year than any other method of reaching people. “More than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021,” the FTC said. “Those losses account for about 25% of all reported losses to fraud in 2021 and represent a stunning eighteenfold increase over 2017 reported losses. Reports are up for every age group, but people 18 to 39 were more than twice as likely as older adults to report losing money to these scams in 2021.”

    Social media’s popularity with scammers is thanks to the easy ways anyone can make a fake profile or hack into an existing profile, and its overall low cost. The FTC said that scammers targeting people use their victims’ profiles to find out their habits, likes, and other personal details to cater directly to them. The top scams identified include investment, romance, and online shopping scams. However, investment scams account for the most reported total losses. “More than half of people who reported losses to investment scams in 2021 said the scam started on social media. Reports to the FTC show scammers use social media platforms to promote bogus investment opportunities and even to connect with people directly as supposed friends to encourage them to invest,” the FTC added. “People send money, often cryptocurrency, on promises of huge returns, but end up empty-handed.”

    Overall, cryptocurrency scams are significantly up in the US and are considered the number one threat for investors in 2022, according to a recent report from the North American Securities Administrators Association (NASAA). Especially since platforms like Facebook have added the option to use crypto for transactions, it’s essential to keep potential scams in mind before sending anything to anyone. The FTC cautions social media users to practice better habits when scrolling their social feeds. Simple ways to reduce the risk of social media scams include limiting who sees your posts and information by setting up privacy controls, opting out of targeted advertising, and checking out any company you find on social media before buying from them.

  • in

    How to avoid an open source security nightmare

    There have been a few high-profile security problems with open source software. A disgruntled developer recently delivered intentionally modified releases of his faker.js and colors.js packages, which broke “thousands of projects” that relied on them. Some are wondering if it’s safe to use open source software at all. The White House certainly is — they’ve asked major technology companies to comment about software security in the aftermath of the Log4j issue, which exposed countless servers to remote exploitation. 


    Is code that’s written by volunteers less secure than code written by professional developers? Do you need to have someone to sue if a product fails? Do you really get what you pay for?

    What is Open Source?

    Just as it would be a mistake to say that all closed source projects are bug-free, it’s a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases. Josh Berkus has identified five types of open source projects based on their structure:

      • A solo project is the passion of one individual or, at most, a few dedicated people with the same vision.
      • A monarchy is a successful solo project like Linux that’s gained the support of a large community of contributors, so the original creator acts as a benevolent tyrant.
      • A community project such as PostgreSQL springs up among peers with a similar goal and is driven by consensus.
      • A corporate project is often released as a fork of a commercial project, as when Sun released OpenOffice as an open source fork of StarOffice. Its direction is guided by the company that released it.
      • A foundation, the most formal, is a standalone business structure — of which Apache is perhaps the best example. There, a steering board makes the decisions.

    In general, solo projects are the most exposed to security risks. Just as a writer can update his web page with any content whatsoever, a solo developer can update her code in the same way. Often, there’s not enough interest in a community to fork solo projects, so they become de facto standards. We saw this with faker.js and colors.js, when Marak Squires modified his code to print flags and enter infinite loops.

    The security of both open and closed source projects depends on the focus of their contributors, rather than their structure. We’ve been lucky that Linus Torvalds has had security as one of his concerns. Theo de Raadt has been conscious of security for OpenBSD from the beginning. In contrast, both StarOffice (commercial) and OpenOffice had security holes that allowed remote execution of arbitrary code in XML documents.

    Many eyes focused elsewhere?

    One of the ironies of open source is the assumption that many eyes improve security. For years, we heard claims that open source was more secure because “the community” could review the code. The problem: “the community” rarely reviews the code, and everyone just assumed that someone else was doing it. That false sense of security really blew up during Heartbleed — the reality of too much code and too few eyes means that we need better processes and automation to improve open source security. There’s another false sense of security, though: don’t assume that closed source software has better processes just because you can’t see them. In the case of Heartbleed, “the community” did eventually review the holes in OpenSSL, and the solution was … more open source. LibreSSL, a fork of OpenSSL, had a focus on security rather than backward compatibility.

    Open Source requires shared accountability

    Although you don’t pay money when you use open source software, that doesn’t mean you don’t have obligations — to your business, to your customers, and to the community. Be responsible when making use of open source software:

      • Know what you’re using. One of the biggest dangers of some ecosystems is the ease with which one open source project can include another. Many projects today include other projects as components. Systems like npm make it easy to bring in code without realizing it. Tools exist to help generate software bills of materials (SBOMs) and to scan your code to see if you’re dependent on something you didn’t know about.
      • Avoid solo and abandoned projects. A single malicious developer can inject a lot of harm — especially if you’re upgrading automatically. The danger of using abandoned projects is that they may not account for modern vulnerabilities. Evaluate the status of the projects you use with every release.
      • Test before you release. Much of the danger with open source projects comes from upgrading without testing. If your code includes an open source library with an exploit, your users will hold you responsible. Certify with specific versions of projects and keep those up to date. Fork open source libraries that you use and dedicate resources to reviewing what has been committed.
      • Plan for updates. The Log4j vulnerability was particularly dangerous because it allowed the execution of arbitrary code on platforms that have software baked into ROM. For some internet-of-things devices, there’s no way to upgrade the Log4j library to fix it. This leaves a persistent vulnerability that can’t be addressed. Don’t put your product in the same predicament. Provide an upgrade (and downgrade!) path for every component. Don’t wait for a security issue to upgrade your code, either — plan to update regularly to more recent versions to improve your code’s hygiene.
      • Contribute to open source projects. Many open source projects deliver useful code with few resources. Commit to contributing either financially or by supplying development or QA resources to the open source libraries you use. Don’t limit your open source contributions to the day you pull the library — open source needs ongoing support, so include open source contributions in your annual budget and long-term planning. You want to be sure the latest release is as secure as the one you first pulled.
      • Invest in DevSecOps. Assume that frequent updates are the norm, not the exception. Whether it’s code created by your own team or code you brought in from an open source project, realize that bugs will happen, updates will be needed, and that, in some cases, rapid iteration will be required to keep up with changes. DevOps, in the form of CI/CD, is now table stakes; up the ante by adding “Sec” — the ability to shift-left automated security checks directly into the dev cycle so that when those updates come in, you’re better prepared to get the fix out the door with fewer all-nighters and much less toil and stress.

    Wake up from the nightmare

    If you’re afraid of using open source, it’s too late. You’re unlikely to use a product today without open source components. It’s almost certain that you’re reading this with a browser based on open source technology, served by a web server that has an open source core — all built with open source tools. Although a nightmare isn’t reality, it may be a response to legitimate anxiety. Use open source software responsibly to avoid the goosebumps. This post was written by Senior Analyst Andrew Cornwall and it originally appeared here.
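    The two pieces of advice above that lend themselves to automation are “know what you’re using” and “certify with specific versions”. The following script is an added example, not code from the article, from Forrester, or from any of the SBOM or scanning tools it alludes to. It assumes the npm lockfile v3 layout, in which a “packages” map keys install paths such as node_modules/<name> to a version and an integrity hash; the manifest and lockfile it reads are constructed inline, and every version number in them is a placeholder. Given those two inputs it reports direct dependencies declared as ranges rather than exact pins (the case where an automatic upgrade pulls in a release nobody reviewed), packages present in the install tree that the manifest never names, packages installed at more than one version, packages with no integrity hash recorded, and a minimal CycloneDX-style inventory of everything that would ship.

```python
"""Audit a JavaScript project's declared vs. locked dependencies.

Added example (not from the article or any tool it names). Assumes the
npm lockfile v3 layout: "packages" maps install paths such as
"node_modules/<name>" to {"version", "integrity", ...}. The manifest and
lockfile below are constructed for illustration; versions are placeholders.
"""
import json
import re

# Exact semver only ("1.4.0", "1.4.0-beta.1"). Ranges such as "^1.4.0",
# "~1.4.0", ">=1.0", "*" or "latest" do not match.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed manifest: one caret range, one exact pin.
MANIFEST = {
    "name": "example-app",
    "dependencies": {
        "colors": "^1.4.0",  # range: any later 1.x.y can be installed unreviewed
        "faker": "5.5.3",    # exact pin (placeholder version)
    },
}

# Constructed lockfile: what would actually be installed, including a
# transitive package the manifest never mentions, installed twice.
LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": MANIFEST["dependencies"]},
        "node_modules/colors": {"version": "1.4.0", "integrity": "sha512-CONSTRUCTED"},
        "node_modules/faker": {"version": "5.5.3", "integrity": "sha512-CONSTRUCTED"},
        "node_modules/tiny-helper": {"version": "0.1.0"},  # no integrity hash recorded
        "node_modules/faker/node_modules/tiny-helper": {
            "version": "0.2.0", "integrity": "sha512-CONSTRUCTED"},
    },
}


def is_pinned(spec):
    """True only for an exact version string, never for a semver range."""
    return bool(EXACT_VERSION.match(spec.strip()))


def package_name(install_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return install_path.split("node_modules/")[-1]


def audit_dependencies(manifest, lockfile):
    """Return the facts a release review wants before certifying a build."""
    direct = manifest.get("dependencies", {})
    unpinned = sorted(name for name, spec in direct.items() if not is_pinned(spec))

    versions = {}            # name -> set of versions present in the install tree
    missing_integrity = set()
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":       # the root project entry is not a dependency
            continue
        name = package_name(path)
        versions.setdefault(name, set()).add(entry.get("version", "unknown"))
        if not entry.get("integrity"):
            missing_integrity.add(name)

    inventory = {name: sorted(v) for name, v in sorted(versions.items())}
    return {
        "unpinned": unpinned,
        "transitive": sorted(n for n in inventory if n not in direct),
        "duplicates": sorted(n for n, v in inventory.items() if len(v) > 1),
        "missing_integrity": sorted(missing_integrity),
        "inventory": inventory,
    }


def to_cyclonedx(inventory):
    """Minimal CycloneDX-shaped component list (a small subset of the schema)."""
    components = [
        {"type": "library", "name": name, "version": version}
        for name, versions in inventory.items()
        for version in versions
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}


if __name__ == "__main__":
    report = audit_dependencies(MANIFEST, LOCKFILE)
    for key in ("unpinned", "transitive", "duplicates", "missing_integrity"):
        print(f"{key}: {report[key]}")
    print(json.dumps(to_cyclonedx(report["inventory"]), indent=2))
```

    Run against the constructed inputs, the report flags colors as unpinned, tiny-helper as a transitive dependency that is installed twice and once without an integrity hash, and lists four components in the inventory. A real project would load package.json and package-lock.json from disk in place of the two constructed dictionaries; the checks themselves do not change.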


  • in

    The future of work: Employee privacy

    Privacy has become a priority for virtually every company regardless of size, vertical, and geography. Privacy regulations have popped up around the world, including Europe, the US, and China. India will soon be added to the list. Rising customers’ and employees’ privacy expectations are also converging to force businesses to prioritize privacy and will keep doing so in the future. Companies are responding by maturing their privacy programs, developing best practices, and sharpening their respective toolkits.

    Companies are investing in privacy

    According to Forrester survey data, most companies worldwide have adopted a formal privacy program and have a chief privacy officer (CPO) in place. Half of these CPOs report directly to the company’s CEO. While privacy programs are primarily set up to deliver on compliance requirements, one of the key benefits companies report as a result of their program is increased customer trust. With the volume of individuals’ privacy rights requests on the rise, new requirements being discussed, and emerging risks to tackle, privacy decision-makers expect to increase their privacy budgets in the next 12 months. The appetite for adopting new technology is also rising. While most teams are still relying on spreadsheets to manage their programs, privacy teams are progressively investing in more sophisticated and automated technology to support their efforts. Encryption is one of the main technologies being implemented today. Privacy-preserving technologies, as well as software for privacy training, top the list of new tools privacy decision-makers are planning to adopt in the near future. The reliance on automated technology helps privacy organizations perform better. However, to solve their most significant challenges, they need to think about processes, governance, and policies on top of technology. And they need to establish strategic collaboration with others in the organization. In fact, when asked about the biggest challenges to effectively protecting the personal data of their customers and/or employees, most privacy decision-makers reported that the fear of worsening the experience of their customers and/or employees is their biggest challenge.

    Employee privacy expectations are greater than most assume

    Companies have learned that EX — the employee experience — directly influences the quality of their customer experience (CX). As such, they are prioritizing efforts to improve their EX. But employee privacy is still too often left off the list of key EX — and privacy — initiatives. This is a mistake. How companies treat employees’ personal information has a significant impact on how employees feel about and trust their employers, and on how they perform. Employees have strong privacy expectations at work. In fact, data from Forrester’s new Privacy Segmentation shows that as many as 72% of employees globally do not want their personal data used as part of workforce analytics projects without their consent. Additionally, more than half wish they had more privacy protections in the workplace. About the same number take active measures to limit the amount of personal data they share with their employers.

    Companies and their privacy leaders must learn how their employees feel about their personal data at work and develop privacy practices that meet these expectations. Those that understand employee privacy only as a compliance requirement should upgrade their existing practices to address employees’ privacy attitudes beyond mere compliance. Compliance is the floor, not the ceiling. And those that have existing strong employee privacy practices in place must ensure that they continuously improve them to align with changing employee privacy expectations.

    Organizations can help empower employees with privacy at home

    Employee privacy concerns and interests intersect with their personal lives. The lines start to blur between work and home as companies move to an anywhere-work model and have a remote workforce. Companies will have a ceiling when it comes to applying cybersecurity controls that reach into the home. Employees have expectations of privacy; employers have liability concerns; and privacy and labor laws are non-negotiable. To keep privacy top of mind and engage your workforce, you can be a resource for information to empower your employees to level up their personal privacy posture. For example, point to how a credit freeze can help prevent identity theft. This can also include education about tools like VPNs and identity theft monitoring and protection services. You can also highlight privacy and anti-surveillance tools: for example, email and credit card masking tools like Abine and MySudo; secure messaging apps like Signal; and popup blockers and script blockers like Adblock, Ghostery, NoScript, and uBlock Origin. Many ISPs also offer home cybersecurity services today. These services are typically delivered via the home router and include capabilities like network and device security, Wi-Fi/network management and optimization, parental controls, and privacy features. Concierge cybersecurity and privacy services like BlackCloak and Cypient Black take a tailored approach to protecting individuals (typically executives and VIPs) from targeted attacks aimed at their home environment. While technologies and services can help, privacy-minded behaviors and habits will have the most day-to-day impact. Forrester data shows that US online adults’ common actions to protect their privacy include clearing Internet browsing history and adjusting permissions for specific apps. This is where an organization’s efforts to update and invest in their privacy awareness training programs will help to empower employees the most. This post was written by Principal Analysts Enza Iannopollo and Heidi Shey, and it originally appeared here.

  • in

    DeFi platform Qubit Finance begs hacker to return $80 million in stolen funds

    Qubit Finance took to Twitter last night to beg hackers to return more than $80 million in stolen cryptocurrency this week. On Thursday, the DeFi platform said their protocol was exploited by a hacker who eventually stole 206,809 Binance Coin (BNB) from Qubit’s QBridge protocol, worth more than $80 million according to PeckShield. An hour after the first message, the company explained that they were tracking the exploiter and monitoring the stolen cryptocurrency.

    They noted that they contacted the hacker and offered them the maximum bug bounty in exchange for a return of the funds, something a number of other hacked DeFi platforms have tried with middling success. They shared multiple messages on Twitter that they purportedly sent to the hacker offering a bug bounty of $250,000 and begging for a return of the stolen funds. “We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty offer is not what you are looking for, we are open to have a conversation. Let’s figure out a situation,” the Qubit Finance Team wrote.

    The company later explained in a blog post that their Qubit protocol “was subject to an exploit to our QBridge deposit function.” “The attacker called the QBridge deposit function on the ethereum network, which calls the deposit function QBridgeHandler. QBridgeHandler should receive the WETH token, which is the original tokenAddress, and if the person who performed the tx does not have a WETH token, the transfer should not occur,” the company explained.

    “In summary, the deposit function was a function that should not be used after depositETH was newly developed, but it remained in the contract. The team is cooperating with security and network partners, including Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance.”

    Blockchain security company CertiK released a detailed explanation of how the attack occurred and has been tracking the stolen funds as the hackers move them to different accounts. “For the non-technical readers, essentially what the attacker did is take advantage of a logical error in Qubit Finance’s code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum,” CertiK explained. DeFiYield keeps a running list of attacks on DeFi platforms, ranking the attack on Qubit as the seventh largest after Compound Labs, BadgerDAO, Cream Finance, Boy X Highspeed, Vulcan Forged, and Poly Network. The list does not include other notable attacks on Grim Finance and AscendEX.

    This week, blockchain analysis firm Chainalysis released a report that said more cryptocurrency was stolen from DeFi protocols than any other type of platform last year. “Many of the hacks we saw this year were of DeFi protocols, so it makes sense that the funds were sent to DeFi services that can handle large amounts of liquidity from really any token you can imagine,” Kim Grauer, head of research at Chainalysis, told ZDNet. “We also know that criminals are always the fastest to adapt to the use of new technologies to evade detections, and this year was no different.” In another report released earlier this year, Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021.

  • in

    Your personal data is valuable, and dangerous in the wrong hands. It's time to protect it better

    The rise in the amount of personal data we’re all producing, combined with the hunger of online crooks to seize on any information they can exploit for their own benefit, has created an “explosive combination” that is putting our privacy at risk. Whether it’s via your smartphone, your web browser or your applications, data about you is being produced all the time. In some cases, you’re explicitly producing it yourself, perhaps by posting on social media, while in other cases it’s because metadata about how you move around the web is being collected and sent to big tech companies, their advertisers and others.


    In some cases, people are aware that information is being shared, because they’ve shared it themselves, while they might be less clear about how data about their activity on the web is being collected – if they’re even aware it’s being collected at all. Not only is there the risk that corporations could paint an intimate picture of your demographics, interests and fears; the more data that’s produced, the more that’s available to be mined and harnessed – and not just by multinationals and governments, but by cyber criminals too. Personal data, in particular, is extremely cheap, so you can buy somebody’s file for a few dollars, Carissa Véliz, associate professor at the Faculty of Philosophy and the Institute for Ethics in AI at the University of Oxford, and author of Privacy is Power: Why and How You Should Take Back Control of Your Data, told ZDNet Security Update. On the other hand, personal data is extremely valuable because if you have lots of it, you can become extremely rich, she says: “And third, it’s very dangerous because it’s very sensitive and it’s easy to misuse it.”

    For example, it’s entirely possible for a dark web cyber criminal to buy stolen bank details and other personal information for a very low price, then use that information to commit identity theft – in the name of someone else who won’t realise what’s happened until it’s too late. That type of situation can have long-term consequences. “This is a crime that is going up exponentially, because more people are using tech all the time and that means that somebody can use your identity to commit crimes in your name,” said Véliz. “Even simple cases can make your life really difficult because if somebody takes your name and takes out a phone contract and then doesn’t pay back, that can be enough to ruin your credit score,” she added.

    But it’s not necessarily just criminals who can exploit personal data shared on the internet – governments could abuse it in order to identify activists and other individuals deemed a nuisance in an attempt to clamp down on them. “We are building an architecture of surveillance that could really sustain a dictatorial regime and I worry a lot about that because democracy is fragile and we have to reinvent it and defend it every single day – and an architecture of surveillance isn’t going to support it very well,” said Véliz. “We should care about privacy, because privacy protects us from abuses of power, both individual and as a collective.”

    There are steps that individuals can take to improve their online privacy, such as sticking to devices and apps that don’t track personal data and being careful about what information to share online – and it’s possible to delete old data as well as restricting what new data you put online. “The most valuable personal data will always be the most recent, and so we always have an opportunity to start now. Now is a very, very good time to start,” said Véliz. “It’s never too late because every data point that you protect can save you from a case of identity theft or discrimination or extortion, and you might not know it.”

  • in

    The modern workplace: Will remote tech workers tolerate being monitored?

    Working remotely or working at the office? Choices for the modern workplace.
    Photo: Tom Foremski
    The Omicron surge has forced businesses to again delay a date for a return to the office. And that means a delay to an inevitable showdown: between workers and managers over remote or office-based work.


    To a degree, every business will have by now adapted to the reality of a hybrid workplace and the fact that some staff will remain home-based while others will come back to the office. Any business that cannot offer a hybrid workplace will face problems in recruitment during this worker shortage, and problems in developing in-house the skills of managing a modern workforce.

    HOME MONITORS

    For work-at-home advocates the future looks rosy. With the current jobs boom it looks certain that they’ll get what they want – either at their current employer or somewhere else. But will workers agree to allow their employer to monitor their home office activities? Is it something that can be refused or not? How is the home different from the office, where people can be seen to be working at their desks, engaged in meetings, and logging into their IT systems? Do remote workers have a right to refuse to be monitored? Digital.com released a survey late last year that found widespread use of remote worker monitoring software, especially in IT (77%) and advertising (83%).

    One in seven workers hadn’t been told about it. Working from home might not be such a wonderful thing when you consider that people worked harder – a 10% boost in productivity was reported in the survey after the software was installed.

    REMOTE WORKER ANXIETY

    Being away from the office can be very isolating and cause anxiety by being out of the informal communication loops. Further anxiety comes from the jobs that aren’t hourly paid – how many hours is enough to prove your worth? You’ll be competing against the unknown productivity of your colleagues. You’ll feel pressured to go the extra distance, especially since 88% of employers said they had fired people based on their remote work reports. Work from home might even become the norm for some organizations because, if done right, they get a lot more productivity – and they can also confidently outsource some of their operations for big savings. The home could easily become a dismal backwater for remote workers, always-on and always watching. I’d rather leave all that at the office, imho.