Information Technology

F5 has launched a new software-as-a-service (SaaS) platform aimed at simplifying the firm’s branching security solutions.

Over the past few years, F5 has expanded its services with software and cloud services designed to tackle the disparity between the enterprise push toward digital transformation and an existing reliance on legacy systems. According to an F5 survey, 88% of organizations say they operate both legacy and modern architectures today.  When these systems, as well as Internet of Things (IoT), edge devices, cloud, remote collaborative tools, and mobile all, have to be considered by IT teams when considering potential attack vectors, managing such complexity and risk can be a challenge.  On Tuesday, the application security company said the portfolio expansion, called F5 Distributed Cloud Services, will “provide security, multi-cloud networking, and edge-based computing solutions.” Also: Deloitte launches new SaaS cyber threat detection and response platformF5 Distributed Cloud is a merger of technologies obtained by F5 from Volterra and Shape security. Functionality includes multi-cloud networking (MCN) functionality, cloud load balancing, cloud-native computing capabilities for edge computing use cases, and a Kubernetes Gateway.

The service will also include a new offering launched today, called the F5 Distributed Cloud WAAP (Web Application and API Protection).  WAAP integrates F5’s web application firewall and protection (F5 Advanced WAF), bot mitigation (F5 Shape AI), distributed denial-of-service (DDoS) monitoring, and API defenses based on Volterra’s machine learning technologies. The SaaS suite will enable teams to deploy each solution automatically and collectively.  “Today’s applications and business models are adapting faster than ever, and that means app security and infrastructure need to be much more agile and effective,” commented Haiyan Song, GM of the Security & Distributed Cloud Product Group at F5. “We are rapidly integrating our portfolio of services onto a distributed cloud services platform and continually innovating new services, so our customers can have the capabilities they need at the pace they require to achieve their ongoing business transformation.”  See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The number of hostile nation-state hacking operations is rising as new countries invest in cyber-intrusion campaigns and existing state-backed attack groups take advantage of the rise in organisations adopting cloud applications.Crowdstrike’s 2022 Global Threat Report details how the cyber-threat landscape has evolved during the past year. One of those developments is the rise of new countries engaging in offensive cyber operations, including Turkey and Columbia.

ZDNet Recommends

In accordance with Crowdstrike’s naming conventions, attacks by Turkish-linked groups are detailed as attacks by ‘Wolf’ while attacks by Columbian operations have been Dubbed ‘Ocelot’ – in a similar way to how cybersecurity researchers name Russian government-backed activity ‘Bear’ or Chinese hacking groups ‘Panda’.SEE: Cloud security in 2021: A business guide to essential tools and best practicesActivity by one of these new groups is detailed in the report; a Turkish-based hacking group, dubbed Cosmic Wolf by researchers, targeted data of an unspecified victim stored within an Amazon Web Services (AWS) cloud environment in April 2021.The attackers were able to break into the AWS cloud environment using stolen usernames and passwords, which also provided the attackers with the privileges required to alter command lines. That means they were able to alter security settings to allow direct Secure Shell Protocol (SSH) access to AWS from their own infrastructure, enabling the theft of data.Ultimately, countries are seeing that cyber campaigns can be easier to conduct than traditional espionage and are investing in these techniques.

“There are a lot of countries out there that look at this and realise it’s cheaper, it’s easier and it’s got plausible deniability built into it,” Adam Meyers, senior vice president of Intelligence at Crowdstrike, told ZDNet.”That’s what’s happening – we’re seeing more countries have developed these programmes and they’re going to get better at it over time.”One of the reasons countries are increasing their offensive cyber capabilities is due to the impact of the global pandemic. Lockdowns and stringent travel checks made it harder for traditional espionage techniques to be effective, leading towards investment in cyber operations.”It’s created a little bit more demand or accelerated planning around developing cyber capabilities for some of these countries that would have perhaps relied on other means previously,” said Meyers.The shift towards cloud applications and cloud IT services has also played an unwitting role in making cyberattacks easier. The rise of hybrid working means many employees aren’t based in an office, instead connecting remotely via collaborative applications, VPNs and other services – using a username and password.SEE: A winning strategy for cybersecurity (ZDNet special report)That makes being productive while working remotely simpler for employees – but it’s also made things simpler for hacking groups, who can secretly access networks with a stolen – or guessed – username and password. Some of the biggest cybersecurity incidents of recent years, like the SolarWinds and Microsoft Exchange attacks, have demonstrated how an attack targeting cloud services and cloud supply chains could be powerful, particularly if cloud is misconfigured or poorly monitored. “As organisations are moving to the cloud and looking to develop better capabilities, threat actors are moving there as well,” said Meyers.There are, however, steps that organisations can take to help make their networks and their cloud infrastructure more resistant to cyberattacks, including the adoption of a zero-trust strategy of not trusting devices connecting to the network by default. The research paper also recommends that organisations work towards eliminating misconfigurations in their cloud applications and services by setting up default patterns for setting up cloud, so when new accounts are set up, it’s done in a predictable manner, minimising the possibility of human error going undetected. Cloud architecture should also be monitored and maintained with security updates, like any other software.  MORE ON CYBERSECURITY More

Images: Sopa Images/Getty Images
Canada Deputy Prime Minister and Minister for Finance Chrystia Freeland has announced the government is broadening the scope of the country’s anti-money laundering monitoring and terrorist financing laws to cover crowdfunding platforms and the payment service providers they use. “These changes cover all forms of transactions, including digital assets such as crypto currencies,” she announced during a press conference on Monday night.   “The illegal blockades have highlighted the fact that crowdfunding platforms and some of the payment service providers they use are not fully captured under the proceeds of crime and terrorist financing act. “Our banks and financial institutions are already obligated to report the Financial Transactions and Reports Analysis Centre of Canada or FINTRAC. As of today, all crowdfunding platforms and the payment service providers they use must register with FINTRAC, and they must report large and suspicious transactions to FINTRAC.” The expanded rules are in response to ongoing “Freedom Convoy” protests, started by Canadian truck drivers opposing COVID-19 vaccination and quarantine mandates for cross-border drivers, that have shut down border crossings and halted downtown Ottawa. The protests, which have now entered their third week, have been partly funded by donors to self-described crowdfunding platform GiveSendGo. The platform was hacked on Sunday night, however, resulting in thousands of donor details being stolen. According to nonprofit leak site Distributed Denial of Secrets, it has obtained donor information for the Freedom Convoy campaign from the GiveSendGo platform as of Sunday, including self-reported names, email addresses, and ZIP codes.

Distributed Denial of Secrets said it would only provide the data to researchers and journalists. At the same time, Prime Minister Justin Trudeau invoked rarely used emergency powers under the Emergencies Act in an attempt to quell protests. The Emergencies Act gives government powers for 30 days to ban people from gathering in certain locations, allow officials to tow private vehicles blocking roads, and give power to financial institutions to block funds used to support illegal blockades.”The Emergencies Act will be used to strengthen and support law enforcement agencies at all levels across the country. This is about keeping Canadians safe, protecting people’s jobs and restoring confidence in our institutions,” Trudeau said. “We cannot and will not allow illegal and dangerous activities to continue,” he continued, assuring that the government will not use the Emergencies Act to call in the military. “We’re not suspending fundamental rights or overriding the Charter of Rights freedoms. We are not limiting people’s freedom of speech. We are not limiting freedom of peaceful assembly. We are not preventing people from exercising their right to protest legally,” Trudeau added.  Related Coverage More

Image: Asha Barbaschow/ZDNet
Australia’s eSafety commissioner Julie Inman Grant was questioned by senators on Tuesday morning about the efficacy of the recently enacted Online Safety Act, which expanded the commissioner’s takedown powers to cover more cyberbullying content – including those targeting adults — intimate images of someone that was shared without their consent, abhorrent violent material, and restricted content. The grilling arose in response to a letter written by Western Australia Police Minister Paul Papalia to Federal Communications Minister Paul Fletcher that called for the Online Safety Act powers to be used more expeditiously. Papalia wrote the letter after a TikTok video surfaced online of a stolen vehicle occupied by boys aged 11 and 12, and a girl aged 13, ramming a police car into a tree in Broome, injuring two police officers. The video was posted by the children shortly before they crashed the vehicle.Explaining the aftermath, Inman Grant said her agency was not aware of the TikTok content until Papalia’s letter was published by a media outlet on Sunday evening. After becoming aware of the letter, the eSafety commissioner said her agency contacted the WA Police, Snapchat, and TikTok to ascertain what actions were being taken.Prior to the eSafety commissioner’s office reaching out to WA Police, however, the police agency had made no contact with the commissioner about the incident. The WA Police has also not filed any complaints to the agency as yet either. When asked about the various ways WA Police can work with the eSafety commissioner to exercise the latter’s powers, Inman Grant conceded that a memorandum of understanding (MoU) with WA Police covering the new Online Safety Act capabilities was not yet in place. Inman Grant noted, however, that an MoU is not necessary for law enforcement to report harmful content to her agency.

She also said her agency recently hired new law enforcement liaison staff that would be specifically tasked with updating its MoUs with federal and state law enforcement agencies. “[MoUs] help guide protocol, but if a police agency came to us needing help with removal we wouldn’t require an MOU to do that,” Inman Grant said. Minister for Superannuation, Financial Services and the Digital Economy Jane Hume, who appeared alongside Inman Grant before Senate Estimates, then laid the blame of the Online Safety Act not being exercised for this incident at Papalia’s feet, saying he was “entirely aware that it was a cybercrime well in advance, so he could have made the complaint”. In response to this revelation, Labor Senator Louise Pratt criticised the eSafety commissioner’s job in providing awareness on how to make use of the Online Safety Act’s takedown powers due to the agency’s media campaign so far being focused on updating the eSafety website. “If the creative is ready, surely they should spend it here and now rather than saving the expenditure of that creative. Frankly, when prices escalate because there’s more competition for a media buy during an election campaign,” Pratt said. At the time of writing, the eSafety website’s home page did not have a direct link to the page for reporting harmful content. On online search engines, meanwhile, results of the eSafety website contained a sub-result displaying the reporting page. The eSafety commissioner did not respond directly to Pratt’s critique, saying: “We have been the eSafety regulators since 2015. Not every single citizen or organisation may be aware of us; we do whatever we can in our power to let as many people know and we’ll continue to do that. I’m not sure what more I can say.” “I think this is like any public health campaign. Behavioural change takes a really long time,” she said. Providing an update of the Online Safety Act’s powers since it came into force three weeks ago, Inman Grant said her agency has handled more than 200 complaints from Australian adults experiencing abuse and harassment online. Representing an 85% increase compared to the same period a year ago, these complaints have focused on explicit instructions and encouragement to commit suicide, threats of murder, and the menacing publication of personal details online. RELATED COVERAGE More

Taiwanese electronics manufacturing giant Foxconn and Indian conglomerate Vedanta have signed a memorandum of understanding to form a joint venture that will manufacture semiconductors in India.Under the MoU, Vedanta will hold the majority in the JV, while Foxconn will be a minority shareholder. Vendanta chairman Anil Agarwal will also be the chairman of the new joint venture, the companies said. “This first-of-its-kind joint venture between the two companies will support Indian Prime Minister Narendra Modi’s vision to create an ecosystem for semiconductor manufacturing in India,” the companies added.The location for the new chip plant is still being finalised with a number of state governments in India, according to the companies.At the end of last year, the Indian government announced a plan that will see the nation put ₹2,30,000 crore, around $30 billion, behind a plan to turn India into a semiconductor manufacturing powerhouse. The government added it would be putting ₹55,392 crore, around $7.5 billion, behind its electronics manufacturing schemes, which include large scale electronics manufacturing, IT hardware, promotion activities, and electronics manufacturing clusters.  Establishing a semiconductor facility comes during a time when electronic makers continue to struggle with the global chip shortage, which has been predicted to last up until early 2023.

Also in India, the union government has issued a ban on an additional 54 Chinese apps, including those owned by Tencent and Alibaba. The enforcement was issued by the Ministry of Electronics and IT under section 69a of the Information Technology Act, as reported by Economic Times.”The 54 apps have already been blocked from being accessed in India through the [Google] Play Store,” an official told ET.”Many of the apps from the stable of Tencent and Alibaba, have changed hands to hide ownership. They are also being hosted out of countries like Hong Kong or Singapore, but the data was ultimately going to servers in Chinese destinations.” This latest ban by the Indian government is in addition to the 59 Chinese apps that have been barred from the subcontinent since June 2020. Those affected apps included TikTok, Weibo, and WeChat.MORE FROM INDIA More

Image: snjivo — Shutterstock
The US Securities and Exchange Commission (SEC) has found that crypto lender BlockFi operated for 18 months as an unregistered investment company. The company offered BlockFi Interest Accounts (BIAs) — where users lent crypto assets back to BlockFi for a variable monthly interest payment — which the SEC found were securities, and therefore the BlockFi needed to register with the regulator. Along with the findings, BlockFi has agreed to pay a $50 million penalty to settle with the SEC and another $50 million to settle similar charges in 32 states. The company will also halt offering unregistered products, seek registration of a new lending product, and has 60 days to bring its business into compliance. BlockFi was also found to have made a false and misleading statement for over two years on its site related to the level of risk in loan portfolio and lending activity. “This is the first case of its kind with respect to crypto lending platforms,” SEC chair Gary Gensler said. “Today’s settlement makes clear that crypto markets must comply with time-tested securities laws, such as the Securities Act of 1933 and the Investment Company Act of 1940. It further demonstrates the Commission’s willingness to work with crypto platforms to determine how they can come into compliance with those laws.” The SEC added that the rest of the crypto lending ecosystem should “take immediate notice of today’s resolution” and comply with US securities laws.

BlockFi framed the announcement as being the first company under a “new regulatory framework for crypto sector”. “From the day we started BlockFi, we have always known that strong engagement with regulators would be critical for the adoption of financial services powered by cryptocurrencies. Today’s milestone is yet another example of our pioneering efforts in securing regulatory clarity for the broader industry and our clients, just as we did for our first product — the crypto-backed loan,” CEO and founder Zac Prince said. “We intend for BlockFi Yield to be a new, SEC-registered crypto interest-bearing security, which will allow clients to earn interest on their crypto assets.” The company added that existing customers will keep their accounts, but they cannot add to it, and users will be shifted across to the Yield product unless they tell the company not to. Users outside the US can continue using BIAs as they always have. Related Coverage More

Activists in Myanmar have released troves of data linking the country’s military dictatorship to a company that will be purchasing a majority stake in Telenor Myanmar — a subsidiary of Norwegian telecom giant Telenor that controls the personal data of 18 million Myanmar subscribers. Telenor, which is owned and controlled by the Norwegian government, has faced significant backlash for weeks after it announced a decision to sell its telecom business in Myanmar to a notorious Lebanese company called M1 Group for $105 million. News outlets in Myanmar have reported that M1 is already telling regulators in the country that it plans to sell 80% of Telenor Myanmar to Shwe Byain Phyu, a company with deep, longstanding ties to the country’s brutal military, according to local activist group Justice for Myanmar. Telenor has defended the sale by repeatedly saying it is selling the business to M1 and not a military-owned company.Myanmar’s military took control of the country in a violent coup that began last year, arresting the country’s elected leader — Aung San Suu Kyi — and disbanding her government. Since February, the military has arrested and killed thousands, sparking a revolt that has now spread throughout the country. Activists have expressed fears that once Telenor Myanmar is fully controlled by a government-backed company, the military will not only have access to troves of past data on almost all of the country’s citizens but will also be able to install surveillance tools giving them even more access to phone calls, texts, and other personal data. Telenor has already admitted that they initially rebuffed military efforts to install surveillance equipment on their systems, according to Myanmar Now. The company also said it has already complied with at least 200 requests from the military to hand over customer information in the last year.

Justice for Myanmar, a local group dedicated to exposing the business ties of the country’s brutal military dictatorship, accused Telenor of participating in a cover-up due to their refusal to acknowledge M1’s public plan to sell most of the business to Shwe Byain Phyu.Justice For Myanmar released information showing Shwe Byain Phyu has a long history of working with the Myanmar military and its conglomerates. Shwe Byain Phyu is a group of companies founded and owned by Thein Win Zaw, his wife and two children.The group provided concrete evidence showing Shwe Byain Phyu’s ties to military-controlled companies in the petroleum, telecommunications, mining, and forestry industries. “Shwe Byain Phyu is a conglomerate with deep and longstanding ties to the Myanmar military, including with the previous military junta, military conglomerates and sanctioned entities and individuals. The Norwegian government has been turning a blind eye as Telenor Group, a company they control, proceeds to transfer Telenor Myanmar to Shwe Byain Phyu, together with the historical metadata of more than 18 million people,” Justice For Myanmar spokesperson Yadanar Maung said. “This could amount to complicity in crimes against humanity, by handing the military a potent weapon they can use to track down, arrest, torture and murder civil society activists and journalists. The grave risks that the sale of Telenor Myanmar poses to the lives of Myanmar people are glaringly clear. Telenor must stop fabricating a narrative about how their current course of action is based on human rights considerations and immediately suspend the sale.”Telenor’s responseThe Norwegian government did not respond to requests for comment, but a Telenor spokesperson told ZDNet that the company is in a difficult position when it comes to Telenor Myanmar. Cathrine Stang Lund, director of communications for Telenor Group Asia, said the situation in Myanmar has “developed in a direction where we are currently in a conflict between local laws on the one hand and our values, international law and human rights principles on the other.” “This makes it impossible for Telenor to remain in Myanmar. In a severe and volatile security situation, there are no simple solutions. We have to balance several difficult considerations and have come to the conclusion that a sale is the least detrimental solution for our employees, customers and the community,” Lund claimed. “In the sales process, assessments of human rights, privacy and the safety of our employees have been key considerations.”When pressed about reports that M1 planned to sell most of its stake to a company heavily tied to the military dictatorship, head of Telenor Group Communications Gry Rohde Nordhus said the sales agreement between Telenor and M1 “does not prevent M1 from transferring a majority of the shares after the transaction is concluded.”Nordhus explained that Telenor Myanmar is required by local law to store customer data for several years and that the local business would continue to do so once it changes ownership to M1. “We understand that this creates reactions, but the company is obliged by law to do so. To violate or not comply with the laws that apply in Myanmar would result in completely unacceptable consequences for our employees that neither Telenor Myanmar nor we as owners are willing to live with,” Nordhus said. “After the military take-over in February 2021, the circumstances in Myanmar has dramatically changed. The country is currently controlled by a military council, and large parts of the country is under martial law. Breaking or not complying with local laws and directives in this situation can have serious and unacceptable consequences for our employees. This is the reality our employees are facing, and these are the conditions Telenor Myanmar is operating under.”ZDNet asked Nordhus what Telenor will tell the millions of people in Myanmar affected by the company’s decision to sell their data to a military accused of numerous human rights violations. Nordhus acknowledged that the people of Myanmar “are enduring an extremely difficult situation” but said the company had no choice but to simply abandon the business and the data it has spent years collecting. “Telenor cannot operate in a regime that entails violations of international law, human rights principles and our values,” Nordhus said. “We have turned every stone and considered every option, and our assessment is still that a sale is the least detrimental solution for employees, customers, and the broader society.” More

You can now verify your identity with more than just your username and password with this user-centric authentication mechanism. Your online accounts tend to be linked to your username and password, with an added layer of SMS verification to provide two-factor authentication. However, these types of accounts can be compromised by phishing or social engineering to gain access to your accounts.To solve this issue, New York-based ID authentication company Nametag has launched “Sign in with ID” to access online accounts using its multifactor authentication technology combined with biometric identity verification.
Nametag
There are four steps to signing in with ID: scan a QR code on a website, which invokes the Nametag sign in screen; scan your ID (when you first use Nametag, you must upload your official ID); take a selfie; and tap to confirm and share what information is necessary for the transaction. You do not have to download an app; Nametag pops up whenever ID is requested.If you use iOS, the Nametag app will match the uploaded government-issued ID to the selfie. This means you only need to confirm your identity once — or every time you sign in. The company says that this mechanism is a more secure way for companies to authenticate users online by verifying people. To keep Nametag secure, Nametag uses advanced encryption in transit and at rest to protect data on its platform.

The company says it has also completed steps necessary for AICPA SOC2 Type 1 certification and is currently undergoing a SOC2 Type 1 examination with an independent auditor, with a planned completion date of March 2022.

Nametag is primarily funded by two large, US-based institutional inventors: Glasswing Ventures & Village Global. The Nametag product is priced per use for one-time scenarios, such as employee account recovery or transaction authorization for bank transfers. It is also priced and per user for continuous account access to a website or app.The product uses the face matching technology of hyperscale cloud providers, benefiting from their investments in recognition accuracy. Cosmetic appearance changes, such as gaining/losing weight, do not impact matching.Nametag has also built the product to accommodate gender, name, address, and other factors — confident that it maintains security and matching. A user is never locked out even if they lose their phone, access to their email, or get a new driver’s license. Its multi-layer approach to logging in is similar to Starling Bank, which uses government ID, face, and fingerprint recognition, along with a video clip to authenticate users logging in to the banking app on their deviceAaron Painter, CEO of Nametag, said, “Sign in with ID is the evolution of a more secure internet and password-less future. The key step in fulfilling this vision is knowing the real identity of someone online — this is the missing link needed to keep accounts protected and reduce fraud.”Currently, Nametag is US-centric. It accepts government-issued forms of identification across all 50 US states, but it anticipates adding additional international document types later in Q1. With the rise of successful phishing attacks plaguing companies, authentication methods need to evolve to keep one step ahead of the bad actors. Incorporating more safeguards can only be a good thing. More