More stories

  • iOS 15.2’s App Privacy Report: How to turn it on, and what it all means

    Apple just released iOS 15.2 and iPadOS 15.2. The iPhone and iPad updates are available to install right now, bringing with them a new Digital Legacy feature that grants contacts of your choosing access to your iCloud data after your death. There’s also a new Apple Music Voice price plan that’s $4.99 a month and is designed for use through Siri. Another notable change in the update is Apple’s new App Privacy Report feature. Once enabled, you’ll be able to see what private data each app is accessing on your device, and how often it’s happening. My ZDNet colleague Adrian Kingsley-Hughes covered the early beginnings of this feature when iOS 15 was released back in September. Below I’ll walk you through where to find the new App Privacy Report, how to turn it on, and how to make sense of the information it provides.

    How to turn on the App Privacy Report on your iPhone, iPad

    Before you’ll find the switch to turn App Privacy Report on, you’ll first need to update your iPhone or iPad to iOS 15.2 and iPadOS 15.2. To do that, open the Settings app on your device and then go to General > Software Update and follow the prompts. After your device has updated, once again open the Settings app and then select Privacy from the list of options. Next, scroll to the bottom of the list where you’ll find the App Privacy Report option; tap on it. If you already had Record App Activity turned on, you won’t have to do anything. However, if you hadn’t turned that on, you’ll be presented with a brief description of what App Privacy Report is. Tap Turn On App Privacy Report. Since you just turned it on, you’ll need to wait until apps start accessing your data before you’ll see any information.

    How to view your App Privacy Report and what it means

    To get to your App Privacy Report, go back into the Settings app, select Privacy, scroll to the bottom of the screen and tap App Privacy Report. After using your iPhone or iPad for a while, or letting it sit idle and allowing apps to access your data while running in the background (as you’ll see they often do), the App Privacy Report will fill up with data. On the report screen, you’ll see several apps listed under four different categories: Data & Sensor Access, App Network Activity, Website Network Activity, and Most Contacted Domains.

    Data & Sensor Access

    Select an app or tap Show All under the Data & Sensor Access section. Each app that has accessed your private data in the last week will show up here. Tap on an app’s name to view more information about what type(s) of data the app is using, then tap on the category to see a complete timeline of how often it’s being used. For example, the Find My app on my iPhone has accessed my location and contacts during the past week, both of which I would have fully expected it to use. But what was surprising to me is that it has only checked my location a handful of times over the last week, and it’s not constantly monitoring my movement. I can only guess that each time it’s accessed my location is when someone in my Find My family and friends list has opened the app on their phone, prompting Apple’s servers to query where I’m at and displaying it within their app. At the top of the screen, you can change how the list is organized. By default, you see the most recent apps that have used your data. However, you can change it to alphabetical order. To my surprise, the Mail app frequently accessed my Contacts information. I assume it happens every time I open the app and/or an email arrives so the app can show the proper name and information. But, still, it’s eye-opening.

    App Network Activity

    Under the App Network Activity section you’ll find a list of apps and the domains and similar network activity each app has conducted over the last week. The Facebook app had the most network activity on my phone over the last week. Its number one contacted domain is inappcheck.itunes.apple.com. A quick Google search leaves me with the impression that the domain might be used by Apple to verify in-app purchases, or as some form of verification for app developers. It’s hard to say, and I wish Apple would include information about commonly used domains, especially the ones it owns. I know this domain is commonly used because if you tap on it, a list of other apps that have also contacted that domain will show up. The list on my iPhone is the bulk of the apps I use regularly.

    Website Network Activity

    Every time you visit a website, it contacts other domains to do things like serve ads or download pictures and videos that it needs to display a webpage. Apple now tracks which domains a website contacts whenever you visit it and provides a list of them. The number one domain websites have contacted during my normal use is mask.iCloud.com, which is yet again a very vague Apple-related domain. Another Google search makes me believe it has something to do with Apple’s Private Relay feature that’s currently available in beta. However, I have the feature turned off on all of my devices and only The New York Times, Reddit, and Safari are listed as having contacted the same domain. I would think every app or website would use that URL if it were active.

    Most Contacted Domains

    Finally, the Most Contacted Domains section is a list of domains your phone or tablet has accessed in the last week. Tap on a domain to see a list of apps and the last time each contacted that URL. Once again, some of the URLs listed on my iPhone appear to be Apple-related, while others appear to be related to serving ads from Google or are at the very least collecting user data. It would benefit the end user if Apple added some additional context about known domains. By far my most-used section of the App Privacy Report will be the Data & Sensor Access section. It’ll be easy to see if Facebook really is listening to conversations to better serve ads (as has been rumored for years, but never proven). Are you going to turn on App Privacy Report? Let me know in the comments below why or why not.

  • Brazilian Ministry of Health hit by second cyberattack in less than a week

    Brazil’s Ministry of Health has suffered a second cyberattack in less than a week, which has compromised various internal systems, including the platform that holds COVID-19 vaccination data.

    The news emerged after a first major ransomware attack three days earlier, from which the department was still recovering. Confirming the second attack on Monday (13) evening, health minister Marcelo Queiroga said the latest event, which took place in the early hours of that same day, was smaller than the first attack. According to Queiroga, the department is working to recover the systems as soon as possible. However, he said the second attack means ConecteSUS, the platform that issues COVID-19 vaccine certificates, would not be back online today (14) as originally planned. Queiroga noted the attack had been unsuccessful and that no data had been compromised, but this second event “caused turmoil” and “got in the way” of bringing systems back online. The minister did not provide an estimate of when the impacted systems would be restored.

    The ministerial confirmation of the second cyberattack was preceded by a statement released by the Ministry of Health saying that Datasus, the department’s IT function, carried out a preventive systems maintenance exercise on Monday, meaning systems would be temporarily unavailable. The second attack meant civil servants had to be sent home on Monday since it was not possible to access the health ministry’s core systems, such as the platforms that generate reports relating to the COVID-19 pandemic. Also, last night, the Institutional Security Office (GSI) of the Brazilian government released a statement confirming that new attacks against cloud-based systems run by government bodies had taken place. However, it did not specify which departments or services had been targeted. It added that teams are being instructed to preserve evidence and that best practices around incident management are being followed.

    In the first cyberattack, which became known on Friday (10), all websites under the Ministry of Health became unavailable. According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50TB worth of data was extracted from the MoH’s systems and subsequently deleted. Queiroga later said the department holds a backup of the data supposedly accessed in the cyberattack. According to the Federal Police, which is investigating the case, data on COVID-19 case notifications, as well as the broader national vaccination program, was compromised in the first attack, in addition to ConecteSUS. The National Data Protection Authority (ANPD) is also working on the case and has contacted the Institutional Security Office and the Federal Police to collaborate with the investigations. It also notified the Ministry of Health to provide clarifications on the case, as per Brazil’s general data protection rules.

  • US warns Log4j flaw puts hundreds of millions of devices at risk

    Top US government cybersecurity officials fear advanced hackers will have a field day with the Log4j vulnerability that’s likely present in hundreds of millions of devices. Security experts are already seeing widespread scanning for the Log4j vulnerability (also dubbed ‘Log4Shell’) on internet-connected devices running vulnerable versions of Log4j version 2, which have been under attack since December 1, although the bug became common knowledge on December 9. So far, Microsoft has seen attackers compromise machines to install coin miners, the Cobalt Strike pen-testing framework to enable credential theft and lateral movement, and exfiltration of data from compromised systems.

    These attacks appear to be opportunistic cyber-criminal activity thanks to the bug’s ease of exploitation, but top officials at the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) fear “sophisticated actors” will also pounce on the bug soon. “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of CISA, said in a call shared with CNN. Easterly has spent 20 years in various federal cybersecurity roles. “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said. The call, with US critical infrastructure owners and operators, was first reported by CyberScoop. Jay Gazlay of CISA’s vulnerability management office warned that hundreds of millions of devices are likely to be affected.

    Log4j is a popular Java library for logging error messages in applications. It’s vulnerable to a critical flaw, tracked as CVE-2021-44228, that lets any remote attacker take control of another device on the internet, if it’s running Log4j versions 2.0 to 2.14.1.

    The remotely exploitable flaw is present in hundreds of major enterprise products, from the likes of Oracle, Cisco, Red Hat, IBM, VMware and Splunk, and cloud features from Amazon Web Services and Microsoft Azure, as well as security appliances and developer tools. Google Cloud is investigating the impact of the Log4j bug on its products and services, and is working with VMware to deploy fixes to the Google Cloud VMware Engine. Google has updated WAF rules to defend against Log4j attacks. The Apache Software Foundation has released version 2.15.0 to address the flaw, but product vendors still need to apply the fix in their products and then end-user customers need to update their devices once their vendor’s fix becomes available. The flaw highlights known risks arising from software supply chains when a key piece of software is used within multiple products across multiple vendors and deployed by their customers around the world.

    It’s not a simple fix to address all vulnerable devices. As the SANS Internet Storm Center notes: “There is no generic ‘log4j2’ patch to patch everything. In some cases, vendors including Log4j need to patch their software to include the new version.” Rapid7 had a similar warning: “Organizations should be prepared for a continual stream of downstream advisories from third-party software producers who include Log4j among their dependencies.” Rapid7 itself has been investigating its products’ exposure to the Log4j bug and has deployed server-side fixes for several affected products. Historically slow uptake of new security patches means attackers will likely have months if not years to find and exploit vulnerable devices, security experts warned this week. The Log4j bug is internet-wide, prompting advisories from Australia, New Zealand, Canada, the UK, Sweden, Germany, Singapore, and elsewhere. Canada’s Revenue Agency took some services offline on Friday after learning of the flaw, according to CBC.

  • Virginia legislative agencies and commissions hit with ransomware attack

    A ransomware attack has hit agencies and commissions within the Virginia legislature, according to a statement from the governor’s office to the Associated Press. Alena Yarmosky, spokesperson for Virginia Governor Ralph Northam, said the governor has been briefed on the attack, which currently affects Virginia’s Division of Legislative Automated Systems, the General Assembly’s IT agency. Yarmosky did not respond to requests for comment about the specifics of the attack. Legislative leaders in the state were emailed about the incident and told that hackers attacked the state systems on Friday. The website for the Division of Capitol Police was taken down by the attack and all of the internal systems for bill drafting or bill referrals were hit hard during the ransomware incident, according to The Associated Press. The Assembly’s voicemail system was down and many of the systems involved in budgeting were disrupted due to the attack. The Virginia Law Portal is also down because of the attack.

    The FBI and other law enforcement agencies are now involved. Cybersecurity firm Mandiant took to Twitter to confirm that it is assisting in the response to the incident. Yarmosky told The Washington Post that the ransom note received by the agencies provided little information. Most of the organization’s servers were shut down to stop the spread of the ransomware. The Richmond Times-Dispatch reported that the attack began at the Department of Legislative Automated Systems on Sunday before spreading to “almost all legislative branch websites.” The only things spared were the Legislative Information System on the General Assembly site and the executive branch agencies.

    In September, the Virginia Defense Force and the Virginia Department of Military Affairs revealed that they were impacted by a cyberattack in July. Ransomware groups have made millions from attacking local governments at the city, county and state level. Experts told The Washington Post in August that in 2020, at least 2,354 governments, healthcare facilities and schools across the US were hit with ransomware. Dozens of local governments have opted to pay ransomware actors to get their systems back. After being attacked by the Ryuk/Conti gang, Jackson County, Georgia; Riviera Beach, Florida; and LaPorte County, Indiana paid ransoms ranging from $130,000 to nearly $600,000.

  • Australia's first data strategy to create 'one-stop shop' for accessing government data

    A new data strategy was announced by the federal government on Tuesday morning, outlining a goal for Australia to have a modern, data-driven society by 2030. The data strategy, a first for Australia, will focus on initiatives based around maximising the value of data, trust and protection, and enabling data use. The strategy sits alongside an action plan that sets out those initiatives and their expected delivery timeframes up to 2025. At the end of 2025, the federal government will then update the data strategy to implement new initiatives up to 2030, said Stuart Robert, the Minister responsible for digital transformation. Robert said the strategy was developed in consultation with the private, research, and not-for-profit sectors. “The data strategy is part of our commitment to deliver better services to all Australians, and it will power our national ambition to become a modern, data-driven society by 2030,” Robert said.

    In relation to the strategy’s focus on maximising the value of data, the government will look to create a new “front door” for accessing Australian government open data, communicate about data better, and implement the Data Availability and Transparency Scheme. “Access to the right data and analytics can help government and private decision-makers tailor how they deliver these services. For example, Census data can not only be used to identify where services are needed, but also how to best tailor those services for the needs of Australians,” the strategy outlines.

    Practically, this will entail transitioning the data.gov.au website to become the “one-stop shop” for all Australians interacting with Australian government data by the end of next year. On the trust and protection front, the strategy has called for the continued expansion of the consumer data right, as well as a review of the Privacy Act to see whether its enforcement mechanisms are fit for purpose in the digital age. The AU$40 million investment into extending the National Disability Data Asset announced last week also falls under the strategy’s scope. Other initiatives within the data strategy include measuring the data maturity of government agencies, developing guidance on embedding data professional roles within all parts of Australian government agencies, investigating new and enhanced data collection and reporting methods, and establishing a new International Data Policy function within the Australian Public Service.

    The national data strategy’s release comes a fortnight after the federal government updated its digital government strategy, which saw it place more emphasis on uplifting digital ecosystems and reusing technologies to deliver more value for money. When the digital government strategy refresh was announced, the federal government had been receiving backlash from a Senate committee for its lack of progress in auditing its IT capabilities, especially as it did not have a central data collection process related to IT expenditure across government.

  • Security company offers Log4j 'vaccine' for systems that can't be updated immediately

    For those unable to patch the Apache Log4Shell vulnerability, cybersecurity firm Cybereason has released what it called a “fix” for the 0-day exploit. Cybereason urged people to patch their systems as soon as possible, but for those who cannot update their systems, or cannot do so immediately, it has created a tool it is calling “Logout4shell.”

    It is freely available on GitHub and Cybereason said it “is a relatively simple fix that requires only basic Java skills to implement.” “In short, the fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous—it’s one of the very few ways to close it in certain scenarios,” said Yonatan Striem-Amit, CTO of Cybereason. “You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server’s configuration to not load things anymore.”

    The “vaccine” garnered a mixed response from experts, some of whom praised the company for stepping up while others said it wasn’t nearly enough to protect those affected by the vulnerability. Dr. Richard Ford, CTO of Praetorian, said the Log4j vulnerability can be subtle, and while it is sometimes revealed with simple scanning, it is also frequently found buried deep in customer infrastructure, where it can be trickier to trigger. “For this reason, I am concerned that some of the well-meaning responses I’ve seen from the industry can cause longer-term problems. In the case of Logout4Shell, it’s not always as trivial to exploit as entering a simple string into ‘a vulnerable field.’ Knowing which field is vulnerable can be tricky, and with many folks now filtering traffic en route, knowing your string even reached the server intact is not trivial,” Ford explained.

    “If we inadvertently give a customer the impression that just popping ${$jnfi… into a string is good enough, folks could end up with a false sense of security. In addition, generically patching a server could have unpleasant unintended consequences, and it’s up to customers to figure out what risks they can tolerate in a production system. Cybereason’s tool is an interesting approach, but would not recommend a customer solely rely on it.”

    Randori’s Aaron Portnoy said hot patching solutions such as this can be effective stop-gap mitigations, but this solution will only be effective for the lifetime of the Java Virtual Machine. “If the application or the system restarts, the ‘vaccine’ would need to be re-applied. The best remediation is to upgrade the log4j2 library and apply default-deny firewall rules on outbound traffic for systems that may be susceptible,” Portnoy said.

    Bugcrowd CTO Casey Ellis noted that to run this without permission on someone else’s infrastructure “is almost certainly in violation of anti-hacking laws like the CFAA, which creates legal risk regardless of whether the intent is benevolent or malicious.” “While folks may be well-intentioned, it’s important for them to understand the legal risk it creates for them. It’s a similar technique to what the FBI and DOJ did earlier in the year to mitigate HAFNIUM web shells on Exchange servers, only the FBI had the legal blessing of the DOJ,” Ellis said. “Aside from that, I quite like the ‘chaotic good’ nature of this solution – especially given the chaos organizations are experiencing in finding all of the places that log4j might exist within their environment. The script basically takes the workaround first flagged by Marcus Hutchins which disables indexing and then uses the vulnerability itself to apply it. The fact that solutions like this are coming out so quickly is telling regarding the ubiquity of this vulnerability, the complexities of applying a proper patch, and the sheer number of ways that it can be exploited.”

    Ellis added that the tool’s effectiveness is limited because it does not work for versions prior to 2.10, requires a restart, and the exploit must fire properly in order to be effective. Even when it does run properly, it still leaves the vulnerable code in place, Ellis explained. Because of the complexity of regression testing Log4j, Ellis said he has already heard from a number of organizations that are pursuing the workarounds contained in the Cybereason tool as their primary approach. He expects at least some to use the tool selectively and situationally but said it is critical to understand that this isn’t a solution – it’s a workaround with a number of limitations. “It has intriguing potential as a tool in the toolbox as organizations reduce log4j risk, and if it makes sense for them to use it, one of the primary reasons will be speed to risk reduction,” Ellis said.
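Both the earlier warning that there is “no generic log4j2 patch” and Ellis’s point about finding every place log4j might exist in an environment come down to inventory: knowing which log4j-core version sits where, including copies bundled inside wars and ears, decides whether an upgrade, an interim flag, or nothing is needed. The following is an added example, not code from the articles or from Cybereason’s tool: a Python scanner that walks a directory, opens archives and the archives nested inside them, reads the Maven pom.properties that upstream log4j-core jars carry (assumed path), records whether JndiLookup.class is present, and buckets each hit using the thresholds the articles state (2.15.0 fixes the flaw; the lookup-disabling flag only helps from 2.10). The sample tree it scans is constructed in a temporary directory with stand-in jars, not real Log4j artefacts.

```python
"""Inventory log4j-core jars (also those nested in wars/ears) under a directory and
classify each against the thresholds quoted above. Constructed example, not Cybereason's tool."""
import io
import os
import re
import tempfile
import zipfile

# Entry paths as found in upstream Maven-built log4j-core jars (assumption).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)     # release the articles say addresses CVE-2021-44228
FLAG_MIN = (2, 10, 0)  # the lookup-disabling flag is ineffective before this version

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is dropped."""
    core = text.strip().split("-")[0]
    nums = [int(p) for p in re.findall(r"\d+", core)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version, jndi_present):
    """Map a log4j-core version plus JndiLookup presence to a remediation bucket."""
    v = parse_version(version)
    if v >= FIXED:
        return "patched"
    if not jndi_present:
        return "old-version-jndilookup-absent"
    if v >= FLAG_MIN:
        return "vulnerable-flag-mitigation-possible"
    return "vulnerable-upgrade-required"

def inspect_archive(zf, path):
    """Yield (path, version, jndi_present) for log4j-core in zf or any nested archive."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.MULTILINE)
        if match:
            yield path, match.group(1).strip(), JNDI_CLASS in names
    for name in names:  # recurse into jars bundled inside wars/ears
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{path}!{name}")

def scan_tree(root):
    """Walk root and return one finding dict per log4j-core occurrence, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    for path, version, jndi in inspect_archive(zf, full):
                        findings.append({"path": path, "version": version,
                                         "jndi_lookup_present": jndi,
                                         "status": classify(version, jndi)})
            except zipfile.BadZipFile:
                continue  # not a zip despite its extension
    return sorted(findings, key=lambda f: f["path"])

def _fake_core_jar(version):
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample tree: two loose jars plus one jar bundled inside a war."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for ver in ("2.14.1", "2.15.0"):
        with open(os.path.join(lib, f"log4j-core-{ver}.jar"), "wb") as f:
            f.write(_fake_core_jar(ver))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.8.2.jar", _fake_core_jar("2.8.2"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())

def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

Call demo() to see the three buckets on the constructed tree, or scan_tree on a real path to inventory a host; a nested hit is reported as outer-archive!inner-entry.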

  • Log4j update: Experts say log4shell exploits will persist for 'months if not years'

    Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due to its ubiquity and ease of exploitation.

    Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell “now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue.” “Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit… Further exploitation appears to have pivoted towards theft of private information,” Povolny told ZDNet. “We fully expect to see an evolution of attacks.” Povolny added that the vulnerability’s impact could be enormous because it is “wormable and could be built to spread itself.” Even with a patch available, there are dozens of versions of the vulnerable component. Due to the sheer number of observed attacks already, Povolny said it was “safe to assume many organizations have already been breached” and will need to take incident response measures.

    “We believe log4shell exploits will persist for months if not years to come, with a significant decrease over the next few days and weeks as patches are increasingly rolled out,” Povolny said.

    Since December 9, Sophos senior threat researcher Sean Gallagher said, the attacks using the vulnerability have evolved from attempts to install coin miners, including the Kinsing miner botnet, to more sophisticated efforts. “The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” Gallagher said. Paul Ducklin, principal research scientist at Sophos, added that technologies including IPS, WAF, and intelligent network filtering are all “helping to bring this global vulnerability under control.” “The very best response is perfectly clear: patch or mitigate your own systems right now,” Ducklin said.

    Dr. Richard Ford, CTO at Praetorian, explained that because exploiting the vulnerability often does not require authentication or special access, it has exposed an incredible array of systems. “There are even unconfirmed reports that simply changing your phone’s name to a particular string can exploit some online systems,” Ford said. Ford and his company’s engineers said it is “one of the largest exposures [they] have seen at internet scale.”

    Other experts who spent the weekend watching the vulnerability said hackers got to work almost immediately in exploiting the flaw. Chris Evans, CISO at HackerOne, said they have received 692 reports about Log4j across 249 customer programs, noting that major companies like Apple, Amazon, Twitter, and Cloudflare have all confirmed that they were vulnerable. “This vulnerability is scary for a few reasons: Firstly, it’s really easy to exploit; all the attacker has to do is to paste some special text into various parts of an application and wait for results. Secondly, it’s hard to know what is and isn’t affected; the vulnerability is in a core library that is bundled with many other software packages, also making remediation more complicated. Thirdly, it’s likely that many of your third-party vendors are affected,” Evans said.

    Imperva CTO Kunal Anand said that since rolling out updated security rules more than 13 hours ago, the company has observed more than 1.4 million attacks targeting CVE-2021-44228. “We’ve observed peaks reaching roughly 280K attacks per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks,” Anand said.

  • HR platform Kronos hit with ransomware, UKG warns of data breach and 'several week' outage

    HR management platform Kronos has been hit with a ransomware attack, revealing that information from many of its high-profile customers may have been accessed. UKG, Kronos’ parent company, said the vital service will be out for “several weeks” and urged customers to “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”

    In a statement to ZDNet, UKG said it “recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud,” which it said “houses solutions used by a limited number of our customers.” “We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services,” the company said. The statement comes hours after the company posted a message on the Kronos community message board, explaining that staff noticed “unusual activity impacting UKG solutions using Kronos Private Cloud” on Saturday night. This private cloud houses data for UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. “At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud,” Kronos’ executive vice president Bob Hughes wrote. The attack caused a stir online, with some cybersecurity experts reporting multiple messages from companies that could no longer process payroll as of Monday morning due to the outage.

    Other sources said the outage would cause them to miss payroll for this week — a harrowing idea considering how close Christmas is — while many are scrambling to find alternative solutions. Many organizations use Kronos to organize timesheets, meaning schedules for the next few weeks will be thrown into disarray by the outage. “Every time they call in for help, they get a different answer about what is going on,” one source said, adding that in one initial call, the Kronos representative did not even know a ransomware attack had occurred. Kronos’ work management software is used by dozens of major corporations, local governments, and enterprises, including the City of Cleveland’s government, Tesla, Temple University, Winthrop University Hospital, Clemson University, and UK supermarket chain Sainsbury’s. The City of Cleveland sent out an urgent message on Monday, telling WKYC that UKG contacted it and other clients to say that the ransomware attack may have compromised employee information like names, addresses, social security numbers, and employee IDs.

    Ransomware expert Allan Liska criticized how the conversation about the attack is playing out online. “Some people on Twitter are blaming the small businesses, who are victims here, for not having a backup plan in place for payroll. I feel that’s crap; you are outsourcing your payroll to a company that is supposed to have contingency plans in place for you,” Liska said. The company would not answer questions about which ransomware group was behind the attack.