Information Technology

Google and IBM are urging tech organizations to join forces to identify critical open source projects after attending a White House meeting on open source security concerns. The meeting, led by White House cybersecurity leader Anne Neuberger, included officials from organizations like Apache, Google, Apple, Amazon, IBM, Microsoft, Meta, Linux, and Oracle as well as government agencies like the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA). The meeting took place as organizations continue to address the Log4j vulnerability that has caused concern since it was discovered in December. 

more Log4j

Kent Walker, president of global affairs at Google and Alphabet, said that, given the importance of digital infrastructure to the world, it is time to start thinking of it in the same way we do our physical infrastructure. “Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Walker said.In a blog post, Walker explained that during the meeting, Google floated several proposals for how to move forward in the wake of the Log4j vulnerability. Walker said a public-private partnership is needed to identify a list of critical open source projects, and criticality should be determined based on the influence and importance of a project. The list will help organizations prioritize and allocate resources for the most essential security assessments and improvements.  IBM’s enterprise security executive Jamie Thomas echoed Walker’s comments and said the White House meeting “made clear that government and industry can work together to improve security practices for open source.”

“We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field,” Thomas said. Walker touted the work of organizations like the OpenSSF — which Google invested $100 million into — that are already seeking to create standards like this. 

He also said Google proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. He noted that Google was “ready to contribute resources” to the move. The blog post notes that there is no official resource allocation and few formal requirements or standards for maintaining the security of critical open source code. Most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, “is done on an ad hoc, volunteer basis.””For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all,” Walker said.  More

If you’re a real network administrator, you know and love open source Wireshark. For over 15-years, it’s been the tool that professionals use for network traffic protocol analysis. Nothing else even comes close. Now, Sysdig, the container and cloud security company, has hired Gerald Combs, its creator and project leader, to join its open source team. There, Combs will help them with Sysdig-related open-source projects such as  Falco, Prometheus, eBPF, and Sysdig Inspect. In addition, Sysdig will sponsor and manage the Wireshark community and extend Wireshark to monitoring and analyzing cloud networks. 

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

Wireshark is an open source GUI network package capturing tool for those who don’t know Wireshark yet. With it, you can monitor network traffic, learn protocols and packet basics, and troubleshoot network problems. For network admins, Wireshark is the de facto standard for checking the health and security of networks at a microscopic level. If you want to know more about how to use Wireshark, I highly recommend Chris Sander’s
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems

.Besides being the open-source tool for real-time network packet capture and analysis, you can also save its findings for later viewing and analysis. Armed with this information, you can filter through that traffic to find evidence from day-to-day network problems and attacks from hackers. Wireshark can be used on almost any platform, including Windows, Linux, and macOS.Wireshark is already the world’s foremost and widely-used traffic protocol analyzer, even without a company behind it. More than 60 million downloads have been downloaded in the last 5 years.A big reason Combs is joining Sysdig is that Loris Degioanni, Sysdig’s CTO and Founder, partnered with him to launch Wireshark. While studying network analyzers and working on his Ph.D. in Italy, Loris was invited to the United States to do research, which is where he met Gerald. Gerald joined Loris at CACE Technologies in the early 2000s, where they collaborated and grew Wireshark. CACE Technologies was later acquired, and since that time, Gerald has focused on growing the tool and ensuring Wireshark and its community have the resources needed to thrive.Degioanni added, “Gerald and I have been friends for a long time, starting when Wireshark was called Ethereal. At that time, a capture library that I developed while I was a university student in Italy, WinPcap, was used to port Ethereal to Windows. That was my first contribution to the project. Since the beginning, my work at Sysdig has been heavily inspired by the “packet capture stack” that Gerald and I helped define: Wireshark, tcpdump, libpcap, BPF. One of the reasons why Sysdig’s instrumentation is universally considered the most accurate, rich, and scalable is that we built it on top of the ideas behind that stack, adapting them to the modern world of cloud and containers. Countless times, during Sysdig’s early days, we were inspired by Gerald’s work.”

Networking

“I am excited to be reunited with Loris and explore the opportunity we have to expand Wireshark to the cloud,” said Combs, now Sysdig’s Director of Open Source Projects. “My move to Sysdig and the subsequent move for Wireshark will give Wireshark the corporate sponsor it needs to continue moving forward. This is a significant milestone for Wireshark, and with Sysdig’s backing, we will have the assistance we need to continue to evolve use cases for Wireshark.””It’s amazing to see the lasting heritage of Wireshark, led by Gerald. I can guarantee most of the fortune 2000 companies are actively using Wireshark,” said Degioanni. “I am excited to be reunited with Gerald and to advance the project in the same way Sysdig supports Falco and the Sysdig open source project. This move ensures Wireshark will continue to innovate. Our goal at Sysdig is to empower Wireshark.”Looking ahead, Sysdig will back the Wireshark community, including supporting Gerald as its leader. Together they’ll make sure Wireshark has the resources it needs to operate and sponsor SharkFest, its international developer conference. Sysdig’s open-source team will also contribute to the Wireshark project. Reunited, working together again, Gerald and Loris will investigate new innovative ways to address challenges with securing the cloud. Degioanni added, Wireshark “opens up a universe of possibilities. Wireshark is an incredibly important tool. Its UI is part of the muscle memory of every software professional. Its feature set has saved our butts countless times. At the same time, the world is changing quickly. Software today runs in the cloud, orchestrated by Kubernetes. With the help of Gerald, Sysdig wants to invest in making Wireshark even more useful in modern cloud environments. We’ll work on expanding its feature set and make sure it remains the cornerstone of troubleshooting and security investigation, even when software is containerized and runs in the cloud.”Finally, another reason for this move is they both want to make sure Wireshark remains a healthy open-source project. The Log4j and OpenSSL vulnerabilities have shown that large and small organizations are relying on open-source projects and major trouble comes when critical vulnerabilities are found in these tools. Maintaining the project’s health is of the utmost importance considering Wireshark’s widespread adoption.I’m looking forward to seeing what the two friends can do together. I’ve been a Wireshark user for over a decade. The idea that I’ll soon be able to use it in cloud-native environments is an exciting one. Just as it’s made network troubleshooting very easy, I can see that it Related stories:  More

When you set up a Windows PC for the first time, you’re required to create a user account that will serve as the administrator for the device. Depending on your Windows edition and network setup, you have a choice of up to four separate account types.On business editions (Pro, Pro for Workstations, Enterprise, and Education), the Windows Setup program asks you to choose whether you want to set the PC up for personal use or for use on a network managed by your organization, as shown below. If you choose the second option, you can set up the PC using an account in your Windows Active Directory domain or you can sign in using an Azure Active Directory account, such as the one associated with an Office 365 Business or Enterprise subscription.This choice is only available with Windows 10 Pro or EnterpriseOn Windows 10 Home edition, that choice isn’t available, and you’re limited to only the personal options: a local account or a Microsoft account. The Setup program is extremely persistent about trying to coax you into signing in with a Microsoft account. Windows 11 Home edition gives you only the option for a Microsoft account, although can add a local account (or remove the connection to the Microsoft account) after you’ve signed in for the first time.In this post, I’ll explain the pros and cons of each account type and explain why your best option might be a combination of two account types.

Windows 11 FAQ

Everything you need to know

What’s new in Windows 11? What are its minimum hardware requirements? When will your PC be eligible for the upgrade? We’ve got the answers to your questions.

Read More

Microsoft accountThis is Microsoft’s free online account for personal use, required for signing in to the company’s consumer services, including OneDrive, Xbox Live, Skype, and Microsoft 365 (formerly Office 365) Family and Personal subscriptions, among others.If you have an email account at Outlook.com or Hotmail.com (or, for old-timers, at live.com or msn.com), you already have a Microsoft account. You can also sign up for a new account anytime, choosing a new address at Outlook.com or using your own email address.Signing in to your Windows 10 or Windows 11 PC with a Microsoft account offers several distinct benefits:On PCs designed for Windows 10 or Windows 11, signing in with a Microsoft account automatically enables full-disk encryption for the system drive, even on systems running Home edition. If you turn on BitLocker encryption (Pro and Enterprise editions only), your recovery key is stored in OneDrive, allowing you to retrieve your data if you find yourself locked out.Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation (no product key required) if you ever have to reinstall Windows.Windows allows you to sync settings between PCs where you sign in using the same Microsoft account. That includes personalization settings like your desktop background, saved passwords (including Wi-Fi profiles), language and regional settings, and more. (For a full list, see “Windows 10 roaming settings reference.”)You can sign in automatically to any Microsoft consumer service using your saved Microsoft Account credentials.You can sync data and settings for preinstalled Windows apps (Mail and Calendar, for example) and easily restore apps you download from the Store.

Note that Windows telemetry data is tied to your device and isn’t associated with a Microsoft account.And, of course, you can create a Microsoft account and use it exclusively for signing in to Windows while keeping your email, cloud storage, and other services elsewhere. But if you do use a Microsoft account for services such as Office 365 and OneDrive, it makes sense to sign in to Windows using the same account. Local accountA local account is about as old school as Windows gets. You don’t need a network connection or an email address; instead, you create a username (up to 20 characters) and a password, both of which are stored on the PC where you create them and grant access only to that device.There’s no particular security or privacy advantage to signing in with a local account (indeed the lack of device encryption is a negative, in my book); but if that’s your preference, you can do so when you first set up Windows 10 (any edition) or Windows 11 Pro on a new PC.Windows 11 Home requires you to sign in with a Microsoft account during initial setup. You can do so by creating a brand-new Microsoft account, and then, after signing in for the first time, go to Settings > Accounts > Your Info. Under the Account Settings heading, choose Sign In With A Local Account Instead and follow the prompts.On Windows 10, when you reach the Sign In With Microsoft screen shown here, click the “Offline Account” option in the lower left corner; then click “No” on the Sign In With Microsoft Instead screen, which appears next.That option in the lower left corner allows you to set up a local accountAfter you get past those speed bumps, you can enter your username and password. With a Microsoft account, you have multiple options to recover if you forget your password. With local accounts, you’ve historically had no such option if you forget your password. On Windows 10, setting up a local account on Windows 10 requires that you fill in answers to three security questions, to help you recover in the event you forget your password.You can’t bypass those questions, nor can you choose alternatives other than the six predefined questions. If you’re worried that a thief with a search engine can guess those answers, do as I do and … be creative. For example, you can answer the three security questions with a three-word passphrase of your own, entered one word at a time. Or, if you’d prefer to bypass the whole feature, just mash the keyboard to create random “answers” that no one (including you) could possibly guess. If you choose either option, don’t blame me if you forget your password.You can switch at will between a local account and a Microsoft account, using options in Settings > Accounts > Your Info.Even if you prefer a local account, consider signing in first with a Microsoft account. After you confirm that your system is properly activated and the activation status is recorded with that Microsoft account, switch back to a local account and go on about your business.Likewise, if you’re fussy about the name of your default user profile folder, consider signing in with a local account first, and then attach your Microsoft account. If you follow that procedure, Windows uses the exact local username you specify as the folder name and retains that name when you switch; if you start with a Microsoft account, your user profile folder name is the first five characters of the portion of your email address to the left of the @ sign.Active Directory (domain join)On an enterprise network with a Windows server running as a domain controller, you can join a Windows 10 ow Windows 11 PC to the domain. Creating that type of account requires that a domain administrator create an Active Directory account, after which you can sign in using the credentials in the format domainusername (or username@domain, if the domain is associated with a fully qualified domain name).Ironically, before you can join a PC to a domain and sign in with your Active Directory account, you have to first create a local account.Azure Active DirectoryThis is the newest option in the lineup of Windows account types. Like a domain account, an Azure AD account is managed by an organization’s administrator, but it doesn’t require a local server. Instead, the credentials are managed in Microsoft’s Azure cloud.If your organization uses Microsoft 365 or has an Office 365 Business or Enterprise subscription, you have an Azure AD account. It behaves similarly to a Microsoft account, with the ability to sync settings across devices where you’re signed in with the same account. The big difference is that your access to the device is managed by your organization’s administrator, who can apply security settings and restrict some options.To manage Azure AD accounts, administrators use the Azure AD admin center, which also includes the option to synchronize the cloud-based directory with a local domain’s Active Directory, an option called Azure AD Connect.Administrators can manage Azure AD from this portalA basic Azure AD account is free, but like all Microsoft enterprise services, upsell options abound. Paying for Azure AD Premium (included with an Enterprise Mobility and Security E5 subscription) unlocks advanced security features.And you can mix and match account types on the same device for the sake of flexibility. You might want a local account to handle routine administrative tasks, a Microsoft account for personal use, and an Azure AD account for connecting to your organization’s servers. (To set up additional accounts after the first one, use Settings > Accounts > Family & Other Users > Add Someone Else To This PC). Just choose the right account when you first sign in to a new session.

Windows 10 More

Chances are unless you’re a JavaScript programmer, you’ve never heard of the open-source Javascript libraries ‘colors.js’ and ‘faker.js.” They’re simple programs that respectively let you use colored text on your node.js, a popular JavaScript runtime, console, and create fake data for testing. Faker.js is used with more than 2,500 other Node Package Manager (NPM) programs and is downloaded 2.4 million times per week. Colors.js is built into almost 19,000 other NPM packages and is downloaded 23 million times a week. In short, they’re everywhere. And, when their creator, JavaScript developer Marak Squires, fouled them up, tens of thousands of JavaScript programs blew up.

Thanks, guy.This isn’t the first time a developer deliberately sabotaged their own open-source code. Back in 2016, Azer Koçulu deleted a 17-line npm package called ‘left-pad, ‘which killed thousands of Node.js programs that relied on it to function. Both then and now the actual code was trivial, but because it’s used in so many other programs its effects were far greater than users would ever have expected.  Why did Squires do it? We don’t really know. In faker.js’s GitHub README file, Squires said, “What really happened with Aaron Swartz?” This is a reference to hacker activist Aaron Swartz who committed suicide in 2013 when he faced criminal charges for allegedly trying to make MIT academic journal articles public.Your guess is as good as mine as to what this has to do with anything.What’s more likely to be the reason behind his putting an infinite loop into his libraries is that he wanted money. In a since-deleted GitHub post, Squires said, “Respectfully, I am no longer going to support Fortune 500s ( and other smaller-sized companies ) with my free work. There isn’t much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.”Excuse me. While open-source developers should be fairly compensated for their work, wrecking your code isn’t the way to persuade others to pay you. 

This is a black eye for open-source and its developers. We don’t need programmers who crap on their work when they’re ticked off at the world.Another problem behind the problem is that too many developers simply automatically download and deploy code without ever looking at it. This kind of deliberate blindness is just asking for trouble. Just because a software package was made by an open-source programmer doesn’t mean that it’s flawless. Open-source developers make as many mistakes as any other kind of programmer. It’s just that in open source’s case, you have the opportunity to check it out first for problems. If you choose to not look before you deploy, what happens next is on you.

Some criminal developers are already using people’s blind trust to sneak malware into their programs. For example, the DevOps security firm JFrog recently discovered 17 new JavaScript malicious packages in the NPM repository that deliberately attack and steal a user’s Discord tokens. These can then be used on the Discord communications and digital distribution platform.Is that a lot of work? You bet it is. But, there are tools such as NPM audit, GitHub’s DependendaBot, and OWASP Dependency-Check that can help make it easier. In addition, you can simply make sure that before any code goes into production, you simply run a sanity check on it in your continuous integration/continuous distribution (CI/CD) before deploying it to production. I mean, seriously, if you’d simply run either of these libraries in the lab they would have blown up during testing and never, ever make it into the real world. It’s not that hard!In the meantime, GitHub suggests you revert back to older, safer versions. To be exact, that’s colors.js 1.40 and faker.js 5.5.3. As CodeNotary, a software supply chain company, pointed out in a recent blog post, “Software is never complete and the code base including its dependencies is an always updating document. That automatically means you need to track it, good and bad, keeping in mind that something good can turn bad.” Exactly!Therefore, they continued, “The only real solution here is to be on top of the dependency usage and deployment. Software Bill of Materials (SBOMs) can be a solution to that issue, but they need to be tamper-proof, queryable in a fast and scalable manner, and versioned.CodeNotary suggests, of course, you use their software, Codenotary Cloud and the vcn command-line tool, for this job. There are other companies and projects that address SBOM as well. If you want to stay safe, moving forward you must — I repeat must — use an SBOM. Supply chain attacks, both from within projects and without, are rapidly becoming one of the main security problems of our day.Related Stories: More

There are really only a few ways to make money from cryptocurrency. You can buy it, making a profit when you eventually sell it. You can mine it and make enough coins to make a profit when you eventually sell it. 

You can run a cryptocurrency exchange and make a profit from every transaction. You can even invent your own cryptocurrency and make money when your idea eventually grows big enough to make a profit. What have I left out? Ah, yes. The risks and the costs. You can buy cryptocurrency, but you’ll only make a profit if the currency’s value goes up — and goes up enough to exceed the fees involved in buying and selling. Whether or not that happens is anyone’s guess. It’s very similar to buying stocks. Safe bets don’t necessarily net big returns, but high-risk bets can cause you to lose your shirt.See also: Cryptocurrency comes with one colossal caveat: Remember the tulips.You can mine cryptocurrency, but there’s a cost to the mining rigs and an even greater cost in electricity and cooling. If you’re just using a spare computer during its idle time, you’re never going to make enough for it to be worth the time and effort. But if you dedicate machines or an entire facility, the cost in hardware and power may exceed the value of the coin you mine. You can set up an exchange, but there’s an enormous level of effort to build in the infrastructure and security, as well as the marketing necessary to be accepted as the crypto equivalent of a bank. It’s not an easy task.

You could create your own coin and hope investors jump on it as a bandwagon. Generally, unless you have someone as high profile as Elon Musk touting it, you’re probably not going to reach critical mass. But what if there was a risk-free way to make big crypto profits? Scammers and criminals, it turns out, have figured out a way. They’ve created malware that does crypto mining when placed on an unsuspecting user’s computer. The scammers don’t have to spend on energy or gear. All that is paid for by their victims. The criminals need to rake in the profits from selling coins they spent nothing to gather. Fortunately, antivirus and anti-malware products like Norton 360 scan for crypto-mining malware. So if you don’t want your machine’s cycles sucked away by a criminal enterprise, invest in a subscription to Norton’s service, and your PC will be crypto-mining free… or… wait… what? We’re about to split some very ugly hairs here

We covered this last summer. When you install Norton 360, you also install a program called NCrypt.exe in the program’s Windows directory. Recently, the Verge did a deep dive on how this works. NCrypt is an Ethereum crypto-mining application. Fortunately, and we can give slim kudos to NortonLifeLock (the company behind the software), the crypto-mining application is not automatically turned on. Instead, the installer presents a big green nag screen promising you can “Turn your PC’s idle time into cash.” This leads to the switch that enables the crypto-miner. So while Norton isn’t running a crypto-miner without your permission, it is installing the software automatically and without prior permission. It’s definitely a step up from malware vendors because you can turn the feature on and off. That said, there’s an element of “the house always wins” at work here, and Norton 360 users are definitely not “the house.” Norton’s cynical bet When Bitcoin was first introduced, its shadowy creator came up with a scheme for creating value. The idea was that as more and more coin was “mined” using complex computer algorithms, the computer overhead would increase. In other words, it took more computer work and power to mine the 100th Bitcoin than the 10th. Today, mining popular currencies like Bitcoin and Ethereum takes tremendous processing power. You could take all the spare cycles of your desktop computer and run it every night for a year and make less than $250. While an extra $250 is nothing to sneeze at, the gotcha is that it will cost at least that much in electricity. In fact, the Verge did a mining test using NCrypt.exe. Their testing showed, “In real numbers, a night of mining on an RTX 3060 Ti netted $0.66 worth of Ethereum and cost $0.66 in off-peak electricity.” The thing is, Norton takes 15% of all the cryptocurrency that users mine using Norton 360. I reached out to Norton’s PR team to ask what percentage of Norton 360 users turn on crypto but have not yet received a response. We can assume there’s a fair number. After all, the promise of “Turn your PC’s idle time into cash” would seem pretty compelling to most users. See also: I bought Bitcoin from PayPal. Here’s what happened.Even if you keep your machine on all the time, it uses considerably less power than if you’re running crypto-mining algorithms. With that, let’s deconstruct Norton’s cynical bet.

Most users will lose a considerable amount in terms of power expense and wear and tear on their machines because even though the mining and power costs broke even for the Verge with today’s Ethereum mining overhead, it will only get more costly in terms of calculation effort and power over time. Norton also doesn’t release the Ethereum sliver unless a user reaches a minimum threshold, and that could take a very long time. Then, and only then, can the user transfer the Norton-mined Ethereum to Coinbase, and both the transfer and the sale of the transferred Ethereum will also result in fees. Norton has to know that most users won’t make any money. In fact, they have to know that most users will lose money, never actually derive any value, and never take the step to move that tiny little bit of mined Ethereum to Coinbase. Norton has to know that what it’s really doing is almost the same as malware vendors: using unsuspecting users’ gear and power to mine coin, from which Norton takes a no-way-to-lose 15% cut. Norton is cynically betting that most of its users are too unsophisticated to do the analysis. Norton is also cynically betting that most users will respond positively to an offer that appears to be easy money. So not only does Norton charge
$50 to $250 a year for Norton 360

 (the price goes up in subsequent years, because of course it does), they’re betting that users will spend another $200+ a year on electricity based on the promise of turning “your PC’s idle time into cash.” That’s just cold. Too juicy a scheme I think Norton has unleashed a very dangerous and very disturbing genie here. Because while Norton is an early player in the bundled crypto-mining game, they sure won’t be the last. Shaving 15% in profits off the top, using users’ power and gear to do all the work and pay all the expenses, is just too promising a scheme for other companies to avoid. Without a doubt, expect a darker future where technology vendors embed crypto-miners in their code. The more up-and-up companies may give users the option to opt-in or opt-out, while the less aboveboard businesses are likely just to embed their own mining code and hope nobody calls them out. See also: In just a week, my Bitcoin ‘investment’ plummeted by almost 14%How many connected devices are there out there? How many smart bulbs, smart microwaves, anti-malware software suites, smartphone apps, and games — oh, you can definitely expect this crap from game makers — how many will embed mining software into their programs and sleeze that 15% off the top? Mark my words. Cryptocurrency mined using increasing processor work algorithms is a pox on humankind. Go ahead, comment below. Crypto fans, tell me why being a crypto-miner will make you rich and cool. You know you want to. Go ahead. Thoughtful folks, please feel free to weigh in on the implications of this kind of scheme. Voices of reason are welcome, too.
Disclosure: NortonLifeLock was previously known as Symantec. Back in the days of wooden computers and iron programmers, a way, way, waaay long time ago, I was an executive at Symantec.You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV. More

A prison in New Mexico had an unplanned lockdown due to a ransomware attack. 

As reported by Source NM, the Metropolitan Detention Center in Bernalillo County, New Mexico, went into lockdown on January 5, 2022, after cyberattackers infiltrated Bernalillo County systems and deployed malware. Local government systems were impacted by the cyberattack, including those used to manage the prison.  Inmates were made to stay in their cells as the ransomware outbreak reportedly not only knocked out the establishment’s internet but also locked staff out of data management servers and security camera networks.  The incident came to light in court documents, with one public defender representing the inmates suggesting that their constitutional rights were violated due to the sudden lockdown, which also meant that visitations were canceled.  Concerns were also raised surrounding the lack of internet access, with inmates left with only payphones to communicate with court representatives.  Employees of the jail, too, had to rely on unstable cellular connections to make phone calls or access email, and video conference-based court proceedings – imposed widely across the United States due to COVID-19 – could not proceed on the day of the lockdown.  

A number of databases are suspected of being corrupted by the cyberattack, including an incident tracker which records inmate fights, attacks, as well as allegations of prison rape and sexual assault.  In addition to the lack of data access and camera feeds, prison guards were left unable to manage automatic doors. However, physical keys could still be used and access to this particular system was restored by the afternoon of January 5.  Federal law enforcement has been contacted, however, the sudden lockdown has meant that the prison may have been unable to comply with a decades-old court order and settlement relating to allegations of poor prison conditions.Speaking to The Register, as of January 12, a spokesperson for the prison said that services “are still being repaired.” In a statement dated January 10, Bernalillo County said employees are working remotely as “the county assesses and recovers from cyber issues affecting certain computer systems,” and normal services are yet to resume. County officials added that “no in-person visitation” is allowed “until further notice” at the prison, and “phone contact is limited.” Bernalillo County Sheriff’s Office Advisory and Review Board (SOARB) has canceled its latest meeting due to “a computer network issue affecting certain computer systems of Bernalillo County.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A UK judge has sentenced a man for using Remote Access Trojans (RATs) to spy on adults and children, stealing explicit material in the process. 

On January 11, the UK National Crime Agency (NCA) said that Robert Davies first appeared on the radar in 2019 after purchasing and downloading a variety of malware, including crypters – used to encrypt, hide, and obfuscate payloads such as Trojans – and a number of RATs.RATs can be used to forge a remote link between an attacker and a victim device, steal information, and conduct surveillance through microphones and cameras.Law enforcement says that the 32-year-old was also a customer of Weleakinfo, an online marketplace that offered stolen credentials. According to the NCA, the platform hosted roughly 12 billion stolen credential records obtained from over 10,000 data breaches.  Weleakinfo’s domain was seized in 2020 in an operation involving the NCA, US Department of Justice (DoJ), and other criminal agencies.  Davies, a resident of Nottingham, spent years using malware to infect phones and PCs. The RATs were packaged up through crypter software and victims were lured into downloading the malware, often through private messages.  “Davies was using numerous fake online profiles to mask his identity and contact his victims on various messaging apps, in an attempt to build a relationship with them and attack their devices using links sent through the chats,” the NCA says. “There was evidence that he had been doing this over a number of years.”

Once malware was executed on a victim’s device, Davies would use his remote access to rifle through PCs and handsets, stealing any explicit material stored on them.  In at least one case, he also spied on a teenage girl through her webcam and covertly took indecent images of her without consent.  UK law enforcement arrested Davies three times between 2019 and 2021 and seized a number of devices from his home. The NCA has identified over 30 victims and obtained 28 explicit images and videos of children. Overall, most of the images discovered by police were of females. It took some time for investigators to realize the full scope of his activities, resulting in charge after charge being stacked against him. Davies pleaded guilty to voyeurism, three counts of possessing indecent images of children, the possession of extreme pornographic content, and a total of 24 Computer Misuse Act offenses.  Sentencing took place this week at Nottingham Crown Court and Davies will spend 26 months in prison. In addition, the judge imposed a 10-year sexual harm prevention order, a 10-year restraining order on five victims, and Davies has been placed on the sex offender’s register.  “Davies had amassed what can only be described as a cyber criminal’s toolkit,” commented Andrew Shorrock, Operations Manager of the NCA’s National Cyber Crime Unit. “Not only was he using these tools to break into peoples’ devices, he was using them to spy on his unsuspecting victims and to steal naked images of them for his own sexual gratification.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organizations today. 

According to “Follow the Money,” a new report (.PDF) published on the financial sector by Outpost24’s Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today. The financial sector has always been, and possibly always will be, a key target for cybercriminal groups. Organizations in this area are often custodians of sensitive personally identifiable information (PII) belonging to customers and clients, financial accounts, and cash.  They also often underpin the economy: if a payment processor or bank’s systems go down due to malware, this can cause irreparable harm not only to the victim company in question, but this can also have severe financial and operational consequences for customers.  PII for identity theft, bank accounts to make fraudulent purchases, a high probability a financial firm would rather submit to a ransomware blackmail demand rather than disrupt operations: these potential attack vectors mean that it is no surprise cyberattackers are relentless in their quest to compromise players in the sector. The COVID-19 pandemic, and the disruption to operations and training it has caused, has only made the situation worse. Blueliv’s whitepaper, based on the unit’s threat intelligence gathering, outlines the main ways in which financial entities are targeted. Phishing, Business Email Compromise (BEC) scams, malware, and credential theft all make an appearance: of which Azorult, Arkei, Redline, Raccoonstealer, and Collector are the top five credential stealers as of October 2021.

TinyBanker/Tinba, Dridex, Anubis, Trickbot, and Kronos Trojans are commonly associated with financial service attacks, and some of these malware families may also be used to pull and execute second-stage ransomware strains including BitPaymer.  Banks and payment processors also face other threats including point-of-sale (PoS) malware, ATM compromise, digital card skimmers physically placed at outlets that are used to clone consumer cards, and distributed denial-of-service (DoS) attacks designed to disrupt a business by flooding their online platforms with illegitimate traffic.  When it comes to the most dangerous threat actors focused on the banking sector, Lazarus, Cobalt, and FIN7 have secured the top spots.  Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea and has been linked to high-profile attacks against Sony Pictures Entertainment, the Bangladesh Bank via SWIFT, and the spread of WannaCry ransomware in 2017.  The group has targeted the SWIFT transaction system in a number of attacks. In February last year, the US Department of Justice (DoJ) charged two members of Lazarus for their roles in attacks including those taking place against banks in Vietnam, Bangladesh, Taiwan, Mexico, and other countries.  Cobalt/Gold Kingswood has also been named. Believed to have been active since at least 2016 and appearing on the scene with an ATM jackpotting attack on a Taiwanese bank, Cobalt has been linked to attacks against financial institutions worldwide, leading to the theft of millions of dollars. Despite arrests, the group is still thought to be active.  FIN7 is another major, financially-motivated threat group. FIN7/Carbanak specializes in BEC and the deployment of Point-of-Sale (PoS) malware designed to steal vast numbers of consumer credit card records from retailers.  Other cybercriminal groups of note, according to the researchers, are Dridex and TA505. “In order to maintain a deeper level of defense, financial institutions need to take stock of their current cybersecurity posture and prepare their organizations to adapt, making cybersecurity a core part of not just their business strategy, but also their culture,” Blueliv says. “While cybersecurity strategies within the banking and finance sector are maturing, there are still many improvements that can be made.” In related news this week, Which? has conducted an investigation into the security posture of the top 15 UK banks. HSBC, NatWest, and Barclays scored the best results overall, but few managed anything close to a stellar performance in online banking services, including the use of encryption, account management, and secure login systems.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More