More stories

  • Akamai CEO: Linode acquisition makes company 'world's most distributed cloud services provider'

    Akamai CEO Tom Leighton touted the company’s expansion this week on the heels of a Q4 earnings report that saw the company bring in revenue of $905 million for the quarter and $3.5 billion for the full fiscal year. Akamai announced on Tuesday that it is acquiring infrastructure-as-a-service (IaaS) platform provider Linode for about $900 million. Leighton said Linode is a very developer-friendly IaaS provider that makes it very easy to spin up a virtual machine or a container to build and run applications.

    “By combining that with Akamai, we’re the world’s leaders in content delivery and web security. We make your applications really fast and we protect them from all sorts of attacks. We have the world’s most distributed edge computing platform for applications that need to be scaled up instantly on a global basis to respond to demand and various geographies in a serverless way,” Leighton told ZDNet in an interview. “Putting them together is a very powerful combination because now developers and enterprises will be able to much more easily do the whole thing on Akamai. They can build the apps on Akamai, run them there, deliver them from Akamai and have them be secured as part of Akamai. Akamai becomes the world’s most distributed cloud services provider, all the way from the cloud to the edge, and we’ll make it really easy to build, run and secure your applications online.”

    He went on to explain that Linode has great customer support and is already in 11 locations, which Akamai is going to “dramatically” expand. Linode does not have much of a sales force today, so Akamai will help build that out, Leighton said. Akamai will be integrating more than 250 employees from Linode’s headquarters in Philadelphia, bringing the company to well over 9,000 employees globally.

    Leighton also noted the September 2021 acquisition of Israel-based Guardicore, a cybersecurity company that offers a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and meet compliance standards.

    Leighton said the two acquisitions are the largest Akamai has made in the last 20 years, and noted that since closing the Guardicore deal, the company has nearly doubled its initial projection of $30 million to $35 million in revenue for the company. “The micro-segmentation that they do is really important for stopping the impact of ransomware. Ransomware is a huge problem today and the visibility it gives our customers into what’s going on in their internal networks is really important,” he explained. “When you put it all together, Akamai is now positioned as the most distributed cloud services provider, with three market-leading capabilities and pillars to support growth. That’s a pretty exciting place to be.”

    Akamai saw significant growth throughout 2021 in its security services, which contributed to revenue increases of 25% year over year, and in its edge application services, which were up 30% year over year. According to Leighton, the company expects the cloud compute category — which includes edge applications, its net storage business and Linode — to reach “well over half a billion dollars in 2023.”

    While the company has seen growth in overall revenue, its earnings per share may grow a bit less than usual due to the acquisitions. But Leighton predicted the EPS would bounce back next year. “We generate a ton of cash so we’re in a position to make acquisitions that would benefit our customers and shareholders. I’m really excited about the future. We have a great history of innovation in the internet, beginning with the invention of content delivery and then bringing high quality streaming online, application acceleration, and of course, web security,” he said. “We were pioneers in edge computing and now we’re taking a big step forward in cloud computing with Linode.”


  • Linux developers patch security holes faster than anyone else, says Google Project Zero

    There’s been a lot of FUD recently claiming that Linux is less secure than proprietary systems. That’s nonsense. Now there are hard facts from Google’s Project Zero, Google’s security research team, showing that Linux’s developers fix security bugs faster than anyone else, including Google.

    Project Zero looked at fixed bugs that had been reported between January 2019 and December 2021. The researchers found that open-source programmers fixed Linux issues in an average of only 25 days. In addition, Linux’s developers have been improving their speed in patching security holes, from 32 days in 2019 to just 15 in 2021. The competition didn’t do nearly as well: Apple took 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom were Microsoft, at 83 days, and Oracle, albeit with only a handful of security problems, at 109 days. By Project Zero’s count, “others”, which included primarily open-source organizations and companies such as Apache, Canonical, GitHub, and Kubernetes, came in at a respectable 44 days.

    Generally, everyone’s getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

    As for mobile operating systems, Apple iOS, with an average of 70 days, is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

    Browser problems are also being fixed at a faster pace. Chrome fixed its 40 problems in an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. WebKit, Apple’s web browser engine, which is primarily used by Safari, has a much poorer track record: WebKit’s programmers take an average of over 72 days to fix bugs.

    Project Zero gives developers 90 days to fix security problems. Besides the average now being well below the 90-day deadline, the team has also seen a drop-off in vendors missing the deadline or the additional 14-day grace period.

    Last year, only a single bug, a Google Android security problem, exceeded its fix deadline, though 14% of bugs required the extra two weeks. Still, everyone’s doing a much better job of fixing security bugs than they have in years past. Why? The Project Zero crew suspects it’s because “responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines.” Companies have also been learning best practices from each other with the increase in transparency. I credit much of this to the growth of open-source development methods. People are realizing that it’s to everyone’s advantage to fix bugs together.

  • Google's puny pledge to Android privacy leaves iPhone your securest platform

    Google has expanded plans to limit data tracking on its Chrome browser by extending that coverage to apps running on Android devices. The Privacy Sandbox project aims to limit the amount of user data that advertisers can gather from browsing and app usage.

    But details are scant, and it’s not happening just yet. Google will begin by allowing developers to review initial design proposals and share feedback. Over the year, Google plans to release developer previews, with a beta available by the end of the year.

    And it’s clear that Google is worried that by making changes too quickly, it could upend its app ecosystem. “Currently over 90 percent of the apps on Google Play are free,” writes Anthony Chavez, VP of Product Management, Android Security & Privacy at Google, “providing access to valuable content and services to billions of users. Digital advertising plays a key role in making this possible. But in order to ensure a healthy app ecosystem — benefiting users, developers and businesses — the industry must continue to evolve how digital advertising works to improve user privacy.”

    It seems that right out of the gate, Google is worried that making apps more private could scare developers off from making free apps (although where they might go is unclear).

    “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”

    Google also took the opportunity to take a pop at Apple over its App Tracking Transparency feature: “We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers. We believe that — without first providing a privacy-preserving alternative path — such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses.”

    One of those businesses is Meta (Facebook), which estimates the changes that Apple made will cost it $10 billion this year alone.

    The problem is, Apple’s path has been effective for the people that matter — the users. And users, when given a choice as to whether they want apps to track them or not, have overwhelmingly chosen to retain their privacy. Apple also paved the way for greater transparency by forcing app developers to outline how data collected by apps would be used.

    It’s clear that Google feels it needs to make some positive noises with regards to privacy, but it’s also clear that simply handing the reins of control to users isn’t what Google wants to do. Instead, the company wants to come up with a solution that’s more within its control.

    What does this mean for users? It means that if you want privacy on a mobile device, the choice is clear — you should be ditching Android and buying an iPhone.


  • NIST outlines what IoT and software 'security labels' could look like

    Cybersecurity labels could convey a software product’s or connected gadget’s cybersecurity status. But would these labels be useful, and what is a software product anyway in connected cars and consumer appliances?

    The idea of cybersecurity labels for Internet of Things (IoT) and consumer software has been kicked around for years, and has recently been looked at more seriously in the EU, Australia, UK and elsewhere. In October, Singapore and Finland agreed to recognize each other’s cybersecurity labels for IoT devices.

    In the US, labels were required to be seriously considered as part of President Biden’s May 2021 cybersecurity Executive Order 14028, “Improving the Nation’s Cybersecurity”. Biden signed the EO shortly after the massive SolarWinds software supply chain attack and a spate of ransomware attacks on critical infrastructure. Part of the order required the US National Institute of Standards and Technology (NIST) to consider product labelling for IoT devices and software development practices for consumer software, in order to boost cybersecurity education. NIST only makes guidelines for a US cybersecurity labelling scheme, which would more likely be enforced by the Federal Trade Commission (FTC), given its existing oversight of consumer protection and data privacy laws.

    NIST released its guidelines for such labels on February 4, and now its two leads for consumer software and IoT have shared their views on the pros and cons of cybersecurity labels. As they point out, there are working examples of labels for food safety, device performance, and the electrical safety of appliances. These help consumers make informed choices and provide incentives to improve product safety and quality. But software is different.

    Michael Ogata, a NIST computer scientist, says that developing the recommended criteria for consumer software labelling was a “nerve-wracking experience”, in part because of the difficulties in defining where software begins and ends today. “What is consumer software? Is the firmware in your car consumer software? What about an online service like an office suite or email client? Certainly, a video game counts as consumer software, but do you measure a mobile game, a console game, and a PC game in the same ways?” he writes.

    A definition of consumer software eventually emerged as: “software normally used for personal, family, or household purposes.”

    One of NIST’s key recommendations for labels, whichever scheme runs them, is that they’re “binary”, in that the product either 1) does meet the criteria at a given time or 2) does not. Additionally, they should not be “bogging down” non-technical consumers with jargon.

    Another complication in labelling software can be seen by analogy with soda cans that list the number of calories per serving. Is the tool used to measure calories accurate? So there’s both an explicit and an implicit claim being made on soda cans. NIST recommended that software labels should cover both explicit and implicit claims. These include both descriptive claims and secure software development claims. Descriptive claims cover whether the labelled software is still receiving security patches and how these are delivered to consumers, as well as what body stands behind the claims and when the claim was made.

    On the secure development side, NIST leaned on its own Secure Software Development Framework (SSDF) as the basis for industry best practice. It’s a non-prescriptive document, but it “identifies common practices that are represented in, and mapped to, existing formalized industry guidance.” “Our recommendations encourage scheme owners to express development requirements by way of the SSDF while also identifying specific elements that signal that industry best practices have been employed,” explains Ogata.

    Katerina Megas, a program manager for NIST’s Cybersecurity for IoT program, offers a snapshot of how complicated it would be to create cybersecurity labels for IoT devices. After surveying other labelling schemes around the world, Megas says her team was reassured that there seemed to be a developing “general consensus” that IoT products include not just the device but also its supporting software, such as a smartphone app, or hardware such as a controller device.

    Megas says the group took a risk-based view of the question of baseline security, with “risk being both contextual (based on specific use) as well as on the unique nature of IoT products being capable of interacting with the physical world by collecting data or effecting changes without human intervention.” The NIST guidelines also acknowledged that there is “no-one-size-fits-all when it comes to IoT.”

    NIST appears to prefer that the market lead in creating a baseline rather than having hard rules handed down to manufacturers. “Allowing for a marketplace of standards, programs, and schemes to evolve would permit the market to drive how best to achieve the desired outcomes and offer the flexibility to suit a variety of stakeholders’ needs. Doing so also would accommodate, and not hinder, a rapidly evolving technology landscape,” writes Megas.

  • Cybercrime: Dark web carding forum users are getting worried after a string of shutdowns

    Cybercriminals are getting spooked by the sudden disappearance of a number of prominent dark web marketplaces, leading some to wonder if time is up on their illegal, underground activities.

    Cybersecurity researchers at Digital Shadows have analysed activity on carding forums – dark web marketplaces where criminals buy and sell stolen credit card information and other personal data – and discovered that clients are despondent following a series of seizures and forums going dark. This comes at a time when some ransomware affiliates have been getting worried after action targeting REvil and other ransomware groups.

    In January 2022, a message appeared on a prominent carding forum stating that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation”. In cooperation with US agencies, Russia’s Federal Security Service (FSB) identified alleged members of hacking group “The Infraud Organization,” including someone who served as administrator for the forum. A few days later, it was announced that six more suspects had been arrested on charges linked to selling stolen credit card information, and the same seizure notice appeared on more carding forums.

    Other forums appear to have voluntarily gone on a temporary hiatus in what could be an effort to avoid being targeted. “Due to recent events, we are going on vacation for 2 weeks,” said the admins of one carding site, adding: “Thank you for understanding! We’ll be back soon, so don’t worry!” The marketplace hasn’t returned and the ability to get refunds has been cancelled.

    One prominent dark web carding market that had been active for almost a decade has also recently shut down – in this case, the operators claimed they were retiring, having made enough money.

    But the shutdowns and disappearances appear to be having an impact on some users, who are starting to get worried. One described it as the “most scary moment in the carding history” and a “nightmare for people involved in this business”. Another suggested that “at this tempo there won’t be a Russian darknet by the end of the year.”

    Others are more confident that the string of shutdowns is a temporary blip and that, as previously, other marketplaces will rise up to fill the void. “Some partial restore will happen in some days or weeks,” said one user. Others suggest that the future of carding will move to other platforms, like Telegram – although not all users trust the instant messaging service.

    The shutdowns have led to discussions about operational security, as some forum members fear they could also be arrested. “Hard times have come. Take care of yourself and remember your safety,” said one user. “EVERYTHING has changed, go on vacation!” warned another.

    Shutdowns and takedowns make engaging in cybercriminal activity more difficult, but there are likely always to be some who will continue on, viewing the risk as worthwhile because of the money that can be made. “It seems unlikely that cybercriminals will do as some forum users joked and go to work in the ‘factories,’” Digital Shadows researchers said. “We saw one threat actor commenting that, although now would be a ‘great time’ if ‘someone has long wanted to retire,’ the carding world would ‘be ok for the rest of the hard workers.’”

  • Microsoft aims to improve anti-phishing MFA for White House 'zero trust' push

    Microsoft has laid out some key documents for federal agencies to use as they implement the White House’s ‘zero trust’ goals within the new US cybersecurity strategy.

    In January, the Biden Administration released its new cybersecurity strategy following President Biden’s May 2021 executive order (EO 14028), signed in the wake of the SolarWinds software supply chain attack and ransomware attacks on critical infrastructure like Colonial Pipeline.


    Core to that strategy are ‘zero trust’ architectures, for which US tech and cybersecurity vendors were canvassed for suggestions by the US National Institute of Standards and Technology (NIST), specifically about how to protect software supply chains from attack. Zero trust assumes breach and that, basically, nothing should be trusted.

    But even as supply chains are targeted, email phishing remains one of the main methods that attackers use to breach a network, creating the starting point for a later supply chain attack. In May, it wasn’t known whether Russian intelligence hackers used a targeted email phishing attack to breach SolarWinds’ software build systems. But the attack group, tagged Nobelium by Microsoft, has subsequently relied heavily on credential stuffing, phishing, API abuse, and token theft in attempts to obtain account credentials for victims’ networks.

    Despite the onslaught of state-sponsored and criminal attackers targeting work account credentials, Microsoft earlier this month warned that just 22% of customers using Azure Active Directory (AAD) had implemented strong identity authentication, such as multi-factor authentication (MFA). In 2021, Microsoft blocked 25.6 billion AAD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.

    To help protect cross-organization collaboration against phishing, Microsoft this month announced a public preview of cross-tenant access settings for inbound and outbound access when both organizations use AAD, as well as reducing MFA requirements for trusted users across AAD-using organizations. “Inbound trust settings let you trust the MFA external users perform in their home directories,” Microsoft explains.

    Upcoming zero trust capabilities aimed at countering phishing threats for organizations that collaborate with business partners and suppliers include the “ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.” Microsoft also plans to boost phishing-resistant MFA support, including in remote desktop protocol (RDP) scenarios. RDP is one of the most common entry points for ransomware attackers.

    Microsoft has previously outlined how its zero trust approach aligns with NIST’s goal to develop “practical, interoperable approaches” to zero trust architectures. The Cybersecurity and Infrastructure Security Agency (CISA) is also providing agencies with technical support and operational expertise in implementing zero trust. The US government hopes the private sector will also follow the federal government’s lead.

    For its government customers, Microsoft has now published five ‘cybersecurity assets’ explaining how to achieve a zero trust architecture from a Microsoft technology perspective. They cover: cloud adoption for Azure; rapid modernization plans; architecture scenarios mapped to NIST standards; a multi-factor authentication (MFA) deployment guide focusing on Azure Active Directory (AAD); and an “interactive guide” on the EO. It’s mostly a collection of existing documents, blog posts and Microsoft help articles, but it nonetheless provides a central repository for agencies moving to comply with the new federal rules.

  • Thanks, dad: Jammer used to stop kids going online, wipes out a town's internet by mistake

    A father who used a signal jammer to rein in his children’s internet use managed to wipe out an entire town’s connectivity by mistake.

    The French Agence Nationale des Fréquences (ANFR), the organization responsible for managing radio frequencies in the country, received a strange complaint (translated) from a mobile phone operator.

    The carrier had detected odd signal drops that were impacting the telephone and internet services of residents in the French town of Messanges. According to the ANFR (via Bleeping Computer), there was one strange detail that stood out in the report: services were cut consistently from midnight to roughly 3am every day.

    As residents slept, a member of the Toulouse Regional Service of the ANFR began walking the streets to investigate. As the examiner watched the clock tick over to midnight, the trace on their spectrum analyzer took on a familiar shape — revealing that a jammer was in use. The waves emitted by the device were followed to a house in a neighboring town. The next day, one of the residents admitted responsibility and revealed that he had purchased a multi-band jammer to prevent his teenage children from going online at night without permission.

    The father claimed that his teenagers had become “addicted” to social media and browsing the web since the start of the COVID-19 pandemic, a situation potentially made worse by social restrictions and lockdowns. The jammer was intended to stop them from covertly using their smartphones to go online when they were meant to be asleep. However, the jammer also wreaked havoc on connectivity for other residents and the neighboring town. “By wanting to ban the internet in his home, he applied the same sentence to his entire neighborhood,” the agency said.

    The problem is that using a jammer is not legal in France, and as a result, the man faces a maximum fine of €30,000 and even a jail term of up to six months.

    In another example of a town resident’s use of technology having inadvertent consequences, in 2020, telecoms engineers spent 18 months frustrated and perplexed over the sudden but consistent disappearance of a Welsh village’s internet at 7am every morning. It turned out that all of the broadband and BT service issues endured by hundreds of residents were caused by one individual who was turning on an old, secondhand television set at that time every day. The TV was sending out electrical bursts capable of disrupting signals.

  • New RCE flaw added to Adobe Commerce, Magento security advisory

    Adobe has updated its advisory on an actively exploited critical vulnerability in the Adobe Commerce and Magento Open Source platforms to include another RCE bug.

    The tech giant published revisions to the advisory on February 17. Adobe originally issued an out-of-band patch on February 13 to resolve CVE-2022-24086, a critical pre-auth vulnerability that can be exploited by attackers to remotely execute arbitrary code. CVE-2022-24086 has been issued a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited “in very limited attacks targeting Adobe Commerce merchants.”

    Now, Adobe has added a further vulnerability to the advisory, CVE-2022-24087. “We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said. The vulnerability has also been issued a CVSS score of 9.8 and impacts the same products in the same manner.

    The security flaws do not require any administrative privileges to trigger, and both are described as improper input validation bugs leading to remote code execution (RCE). As CVE-2022-24086 is being abused in the wild, Adobe has not released any further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they have been able to reproduce the vulnerability.

    Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1 are impacted. However, versions 2.3.0 to 2.3.3 are not affected by the vulnerabilities, according to the company. Adobe has provided a guide for users to manually install the necessary security patches.

    Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. In a tweet, Blaklis said the first patch to resolve CVE-2022-24086 is “not sufficient” and has urged Magento and Commerce users to apply the new fixes.
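As an added example (not from Adobe’s advisory or the article), this Python helper checks an installed Magento/Adobe Commerce version string against the affected ranges quoted above. It assumes the `major.minor.release[-pN]` version format, with a bare release sorting below its patch builds, and the sample inventory is constructed.

```python
import re
from typing import Dict, Tuple

# Affected ranges exactly as quoted in the advisory text above (both ends inclusive).
AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
]

# Assumed version format: major.minor.release with an optional "-pN" patch suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Convert '2.3.3-p1' into a comparable tuple (2, 3, 3, 1).

    A bare release gets patch level 0, so 2.3.3 sorts below 2.3.3-p1. That
    ordering is what the advisory needs: 2.3.3 is listed as unaffected while
    2.3.3-p1 is the first affected build.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Magento/Commerce version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside any advisory range (inclusive)."""
    parsed = parse_version(version)
    return any(
        parse_version(low) <= parsed <= parse_version(high)
        for low, high in AFFECTED_RANGES
    )


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'not listed' or 'unparseable'.

    'not listed' only means the version is outside the quoted ranges; it is
    not a statement that the build is patched.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; the host names and versions are made up.
    sample = {
        "shop-eu": "2.4.3-p1",
        "shop-us": "2.3.3",
        "staging": "2.3.7-p2",
        "legacy": "2.3.3-p1",
        "odd-box": "2.4",
    }
    for host, status in triage(sample).items():
        print(f"{host:<8} {sample[host]:<10} {status}")
```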