More stories

  • These researchers wanted to test cloud security. They were shocked by what they found

    Insecure cloud-computing services are a serious risk for organisations because they are a regular target for cyber criminals. Researchers have demonstrated how quickly vulnerable or misconfigured cloud services are found and abused, after deploying hundreds of honeypots designed to look like insecure infrastructure, some of which lasted just minutes before being compromised. Cybersecurity researchers at Palo Alto Networks set up a honeypot comprising 320 nodes around the world, made up of multiple misconfigured instances of common cloud services, including Remote Desktop Protocol (RDP), Secure Shell (SSH), Server Message Block (SMB) and Postgres databases.

    The honeypot also included accounts configured with default or weak passwords, exactly the sort of thing cyber criminals look for when trying to breach networks.

    It wasn’t long before cyber criminals discovered the honeypot and looked to exploit it: some of the nodes were compromised in minutes, 80% of the 320 honeypots were compromised within 24 hours, and all of them had been compromised within a week.

    The most attacked application was Secure Shell (SSH), the protocol used for remote command-line access to servers. Each SSH honeypot was compromised 26 times a day on average, and the most attacked honeypot was compromised a total of 169 times in a single day. Meanwhile, one attacker compromised 96% of the 80 Postgres honeypots within a single 90-second period.

    “The speed of vulnerability management is usually measured in days or months. The fact that attackers could find and compromise our honeypots in minutes was shocking. This research demonstrates the risk of insecurely exposed services,” said Jay Chen, principal cloud security researcher at Palo Alto Networks.

    Exposed or poorly configured cloud services like those deployed in the honeypot make tempting targets for cyber criminals of all kinds. Several notorious ransomware operations are known to exploit exposed cloud services to gain initial access to the victim’s network, in order to eventually encrypt as much as possible and demand a multi-million dollar ransom in exchange for the decryption key. Meanwhile, nation state-backed hacking groups are also known to target vulnerabilities in cloud services as a stealthy means of entering networks to conduct espionage, steal data, or deploy malware without detection.

    As the research demonstrates, it doesn’t take long for cyber criminals to find exposed internet-facing systems.

    “When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment,” said Chen.

    When it comes to securing accounts used to access cloud services, organisations should avoid default passwords and require multi-factor authentication, which adds a barrier against leaked or guessed credentials being exploited. It’s also vital to apply security patches as soon as they’re available, so that cyber criminals cannot take advantage of known exploits, and that applies to cloud applications too.

    “The outcome [of the research] reiterates the importance of mitigating and patching security issues quickly. When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes,” said Chen.
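As an added example (not code from the ZDNet article or from Palo Alto Networks’ research), the following Python audit turns the point above into a check a cloud team can run: it walks a list of security-group ingress rules and flags the four services the honeypot exposed (SSH, RDP, SMB and Postgres) wherever a rule opens them to the whole internet or to a very large public prefix. The rule format (a list of dicts), the group names, the sample rules and the “/8 or broader counts as public” threshold are constructed assumptions for this example; a real run would feed in rules pulled from the provider’s API. It goes slightly beyond the text by also handling IPv6 and “all traffic” rules, which are the two ways such exposure usually hides in practice.

```python
"""Audit cloud security-group ingress rules for management and database ports
that are reachable from the whole internet.

Added example, not part of the ZDNet article or Palo Alto Networks' honeypot
research. The rule format below (dicts with 'group', 'proto', 'from_port',
'to_port', 'cidr') is a simplified stand-in for what a cloud provider's API
returns; the sample rules at the bottom are constructed.
"""
import ipaddress

# Services the honeypot study exposed, keyed by the TCP port they listen on.
RISKY_PORTS = {
    22: "SSH",
    3389: "RDP",
    445: "SMB",
    5432: "PostgreSQL",
}

# Assumption for this example: a prefix this short or shorter is "effectively
# public" (0.0.0.0/0, ::/0, or a huge slice of the public address space).
MAX_PUBLIC_PREFIX = {4: 8, 6: 32}

# Private ranges that are never counted as public exposure, even when broad.
PRIVATE_PREFIXES = {
    4: [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12",
                                          "192.168.0.0/16", "127.0.0.0/8")],
    6: [ipaddress.ip_network(p) for p in ("fc00::/7", "::1/128")],
}


def is_effectively_public(cidr: str) -> bool:
    """True if the CIDR is the whole internet or a very large public slice of it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(priv) for priv in PRIVATE_PREFIXES[net.version]):
        return False
    return net.prefixlen <= MAX_PUBLIC_PREFIX[net.version]


def rule_exposes(rule: dict) -> list:
    """Names of risky services this single ingress rule exposes to the internet."""
    proto = str(rule.get("proto", "tcp")).lower()
    if proto not in ("tcp", "-1", "all"):
        return []                      # UDP/ICMP rules cannot expose these TCP services
    if not is_effectively_public(rule["cidr"]):
        return []
    if proto in ("-1", "all"):         # "all traffic" rules open every port
        lo, hi = 0, 65535
    else:
        lo, hi = int(rule["from_port"]), int(rule["to_port"])
    return [name for port, name in RISKY_PORTS.items() if lo <= port <= hi]


def audit(rules: list) -> dict:
    """Map security group -> sorted list of risky services it exposes publicly."""
    findings = {}
    for rule in rules:
        exposed = rule_exposes(rule)
        if exposed:
            findings.setdefault(rule["group"], set()).update(exposed)
    return {group: sorted(services) for group, services in findings.items()}


# Constructed sample rules (not real infrastructure).
SAMPLE_RULES = [
    {"group": "sg-bastion", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"group": "sg-db", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
    {"group": "sg-win", "proto": "tcp", "from_port": 3000, "to_port": 4000, "cidr": "::/0"},
    {"group": "sg-legacy", "proto": "-1", "from_port": 0, "to_port": 0, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-file", "proto": "udp", "from_port": 445, "to_port": 445, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for group, services in sorted(audit(SAMPLE_RULES).items()):
        print(f"{group}: {', '.join(services)} reachable from the internet")
```

Running the script prints one line per offending group: the bastion on SSH, the Windows group whose 3000-4000 range quietly covers RDP, and the legacy “allow all” group on every listed service. The allow-listed /24 on the bastion and the RFC 1918 Postgres rule are not flagged. The remedy for each finding is the one the article describes: put the service behind a bastion, VPN or explicit source allow-list, and disable password authentication in favour of keys or MFA, since the honeypot study shows a public rule on port 22, 3389, 445 or 5432 is discovered and attacked within minutes.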

  • Twitter to ban sharing of photos and videos without people's consent

    Twitter has announced the expansion of its private information policy to include the sharing of private media, such as photos and videos, without permission from the individuals depicted in them, as the social media platform aims to improve user privacy and security.

    “Sharing personal media, such as images or videos, can potentially violate a person’s privacy, and may lead to emotional or physical harm,” Twitter said in a blog post. “The misuse of private media can affect everyone, but can have a disproportionate effect on women, activists, dissidents, and members of minority communities. When we receive a report that a Tweet contains unauthorized private media, we will now take action in line with our range of enforcement options.”

    Under its existing policy, publishing other people’s private information, such as phone numbers, addresses, and IDs, or threatening to expose a person’s private information and incentivising others to do so, is already not allowed on Twitter.

    The company also outlined the action it would take when notified by individuals that they did not give permission for their private image or video to be shared: “We will remove it,” the company wrote. It noted, however, that the policy would not apply to media featuring “public figures or individuals when media and accompanying Tweet text are shared in the public interest or add value to public discourse”.

    The company added that in instances where account holders share media of individuals to help someone in a crisis situation, it would “try” to assess the context in which the content is shared.

    “In such cases, we may allow the images or videos to remain on the service,” Twitter said. “For instance, we would take into consideration whether the image is publicly available and/or is being covered by mainstream/traditional media (newspapers, TV channels, online news sites), or if a particular image and the accompanying tweet text adds value to the public discourse, is being shared in public interest, or is relevant to the community.”

    The expansion of the policy comes a day after Twitter founder and CEO Jack Dorsey announced his resignation, telling employees in a letter that CTO Parag Agrawal would be taking over the position.

    Twitter has been rolling out a slew of features in a bid to mitigate harmful content on its platform. In September, it rolled out a feature called Safety Mode that temporarily blocks certain accounts for seven days if they are found to be insulting users or repeatedly sending hateful remarks. Prior to that, Twitter said it was conducting a test that would allow users in the United States, South Korea, and Australia to report misleading tweets.

  • DNA testing center admits to breach affecting SSNs, banking info of more than 2 million people

    A DNA testing company has reported a data breach that exposed the personal information, including Social Security numbers and banking information, of more than 2 million people, according to a notification letter the company is sending to those affected. Bleeping Computer, which first reported the breach, said 2,102,436 people had their information exposed by DNA Diagnostics Center (DDC), an Ohio-based DNA testing company.

    In a notice shared on the company’s website, DNA Diagnostics Center said that on August 6, officials with the company discovered “potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database that contained personal information collected between 2004 and 2012.” Further investigation revealed that hackers had removed files and folders from portions of the database between May 24 and July 28.

    “The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC’s operations and has not been active since 2012. Therefore, impacts from this incident are not associated with DDC. However, impacted individuals may have had their information, such as Social Security number or payment information, impacted as a result,” the company said in a statement. “Upon learning of this issue, DDC proactively contained and secured the threat and executed a prompt and thorough investigation in consultation with third-party cybersecurity professionals. DDC has also coordinated closely with law enforcement following the discovery of this incident. Our investigation determined that the unauthorized individual(s) potentially removed certain files and folders from portions of our database between May 24, 2021 and July 28, 2021. DDC has been and remains fully operational, and the systems and databases that are actively used by DDC were not infiltrated. The in-depth investigation concluded on October 29, 2021, and DDC has begun notifying individuals potentially affected by this incident.”

    DDC added that the archived system was never used directly by the company and that anyone whose personal information was accessed is being offered Experian credit monitoring.

    DDC noted that anyone who was required to take a relationship DNA test as part of court proceedings, or who had independent, individual testing between 2004 and 2012, but has not received a mailed letter from DDC should call 1-855-604-1656 for more information. DDC says it is working with cybersecurity experts to “regain possession” of the stolen information, and recommends that anyone who thinks their information may be involved place a one-year “fraud alert” on their credit files. DDC did not respond to requests for comment, but noted that it conducts more than one million DNA tests each year.

    Chris Clements, a vice president at Cerberus Sentinel, criticized DDC for “disingenuously attempting to deflect responsibility for the breach” with its comments about the system not being associated with the company directly.

    “It doesn’t matter what organization ‘started’ with the data, once you acquire it, it becomes your responsibility. I might be more forgiving if the data was only recently obtained by DDC, but by now they’ve had it nearly a decade,” Clements said. “If you aren’t aware a given asset exists, you can’t begin to properly secure it. A second observation is the almost three-month delay between the beginning of the breach and first detection. DDC has not revealed what triggered the realization that they had suffered a cyberattack, but most organizations discover a compromise has occurred only when contacted by a third party such as security researchers that have traced a stolen dataset on the dark web back to their company, or when contacted by the threat actor themselves with extortion demands.”

  • Zscaler delivers strong Q1, sees revenue grow 62% year over year

    Cybersecurity firm Zscaler reported fiscal Q1 revenue and profit that topped Wall Street analysts’ expectations on Tuesday afternoon. Revenue in the quarter rose 62% year over year to $230.5 million, yielding a profit of 14 cents per share. Analysts had been modeling $208.43 million in revenue and 12 cents per share. Non-GAAP net income reached $21 million in the quarter. The report sent Zscaler shares up more than 4% in late trading.

    Zscaler CEO and Chairman Jay Chaudhry said CISOs and CIOs are looking to phase out legacy network security in favor of Zero Trust architecture, due to increasing cyber and ransomware risks and accelerating digital transformation. “This architecture shift continues to drive strong demand for our Zero Trust Exchange platform,” Chaudhry said in the report. “We delivered outstanding results for the first quarter.”

    For the current quarter, the company expects revenue of $240 million to $242 million and EPS of around 11 cents. For the full fiscal year 2022, the company predicted revenue in a range of $1 billion to $1.01 billion and EPS ranging from $0.50 to $0.52.


  • Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts

    Beijing-backed hackers might soon start trying to steal encrypted data — such as biometric info, the identities of covert spies, and weapons designs — with a view to decrypting it with a future quantum computer, according to analysts at US tech consultancy Booz Allen Hamilton (BAH). 

    “In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations,” the analysts write in the report Chinese Threats in the Quantum Era. At risk is data protected by the algorithms underpinning today’s public-key cryptography, which could be rendered useless for protecting data once quantum computers become powerful enough.

    The big question is when such a quantum computer might arrive. Booz Allen Hamilton’s analysts suggest it doesn’t matter that an encryption-breaking quantum computer could be years off, because the type of data being targeted would still be valuable by then, so there is an incentive for hackers to steal high-value encrypted data now. Recent studies suggest it would take a processor with about 20 million qubits to break the algorithms behind public-key cryptography, far larger than any quantum processor that exists today, but a quantum computer that threatens today’s key-exchange and signature algorithms could be built by 2030.

    The report frames the threat from China around its past cyber-espionage campaigns and the nation’s ambitions to be a major quantum computing player by the mid-2020s, as major US tech firms such as Google, IBM, IonQ and others race towards ‘quantum supremacy’.

    “China’s current capabilities and long-term goals related to quantum computing will very likely shape the near-term targets and objectives of its cyber-enabled espionage,” the report states. It warns cybersecurity chiefs to treat China’s espionage against encrypted data as an emerging risk. “By the end of the 2020s, Chinese threat groups will likely collect data that enables quantum simulators to discover new economically valuable materials, pharmaceuticals, and chemicals,” the analysts warn.

    However, they add that while China will remain a major player in quantum computing, it probably won’t surpass the US and Europe by the mid-2020s. The consultancy rates data decryption a “high risk” in the 2020s, but reckons China’s chances of building a cryptography-breaking quantum computer before 2030 are “very small”. Nonetheless, they argue, the distant promise of quantum computing and the opportunities at stake will make encrypted data an enticing target in the years to come.

    “Still, the outsized threat of a rival state possessing the ability to decrypt any data using current public-key encryption rapidly generates high risk,” the report states. “Encrypted data with intelligence longevity, like biometric markers, covert intelligence officer and source identities, Social Security numbers, and weapons’ designs, may be increasingly stolen under the expectation that they can eventually be decrypted.”

    BAH warns that it could take organizations a “decade or longer” to implement an organizational strategy for deploying post-quantum encryption. The US National Institute of Standards and Technology (NIST) is running a process to standardise post-quantum cryptography and has selected a shortlist of candidate algorithms for key exchange and digital signatures, as CNET’s Stephen Shankland reported. As NIST notes, it took almost two decades to deploy our modern public-key cryptography infrastructure.
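As an added example (not from the ZDNet article or from the Booz Allen Hamilton report), this Python script turns the warning above into a triage of a cryptographic inventory. For each data set it records how long the data must stay secret and how long replacing its algorithm would take, and applies Mosca’s inequality, a rule of thumb the page does not mention: if shelf life plus migration time exceeds the years until a cryptographically relevant quantum computer (CRQC), the data is already exposed to harvest-now-decrypt-later. The inventory, the per-asset shelf lives and migration times, and the tables of which algorithms a quantum computer breaks or weakens are constructed assumptions; the 2030 horizon is the figure the report cites and 2021 is the article’s publication year.

```python
"""Triage a cryptographic inventory for harvest-now-decrypt-later risk.

Added example, not from the ZDNet article or the Booz Allen Hamilton report.
It applies Mosca's inequality, which the page does not mention: data encrypted
today is at risk if the years it must stay secret, plus the years needed to
migrate off the algorithm, exceed the years until a cryptographically relevant
quantum computer (CRQC) exists. The inventory, shelf lives, migration times and
algorithm tables below are constructed assumptions; 2030 is the horizon the
report cites.
"""
from dataclasses import dataclass

# Public-key algorithms that Shor's algorithm breaks outright (assumed list).
QUANTUM_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
# Symmetric ciphers: Grover's algorithm roughly halves the effective key length
# (assumed post-quantum effective security bits).
SYMMETRIC_EFFECTIVE_BITS = {"AES-128": 64, "AES-256": 128, "ChaCha20": 128}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str          # algorithm protecting the data's confidentiality
    shelf_life_years: int   # how long the data must stay secret (assumed per asset)
    migration_years: int    # how long replacing the algorithm would take (assumed)


def latest_migration_start(asset: Asset, crqc_year: int) -> int:
    """Last year migration can begin and still finish before data that must
    still be secret becomes decryptable: crqc_year - shelf_life - migration."""
    return crqc_year - asset.shelf_life_years - asset.migration_years


def classify(asset: Asset, crqc_year: int, current_year: int) -> str:
    """'at-risk' (Mosca's inequality already violated), 'migrate-by-YYYY',
    'weak' (symmetric key too short post-Grover), 'ok', or 'review' (unknown)."""
    alg = asset.algorithm
    if alg in QUANTUM_BROKEN:
        start_by = latest_migration_start(asset, crqc_year)
        if start_by < current_year:
            return "at-risk"          # harvest now, decrypt later already works
        return f"migrate-by-{start_by}"
    if alg in SYMMETRIC_EFFECTIVE_BITS:
        return "ok" if SYMMETRIC_EFFECTIVE_BITS[alg] >= 128 else "weak"
    return "review"                   # unknown algorithm: needs manual review


def triage(inventory, crqc_year: int, current_year: int) -> list:
    """Return (name, status) pairs, most urgent first."""
    rank = {"at-risk": 0, "weak": 2, "review": 3, "ok": 4}

    def urgency(item):
        status = item[1]
        if status.startswith("migrate-by-"):
            return (1, int(status.rsplit("-", 1)[1]))   # earlier deadline first
        return (rank[status], 0)

    results = [(a.name, classify(a, crqc_year, current_year)) for a in inventory]
    return sorted(results, key=urgency)


# Constructed inventory (not a real organisation's).
SAMPLE_INVENTORY = [
    Asset("hr-archive-backups",   "RSA",      shelf_life_years=25, migration_years=3),
    Asset("source-identities-db", "ECDH",     shelf_life_years=40, migration_years=5),
    Asset("public-web-tls",       "ECDH",     shelf_life_years=1,  migration_years=2),
    Asset("sw-update-signing",    "ECDSA",    shelf_life_years=0,  migration_years=4),
    Asset("disk-encryption",      "AES-256",  shelf_life_years=30, migration_years=1),
    Asset("legacy-vpn",           "AES-128",  shelf_life_years=5,  migration_years=1),
    Asset("vendor-blackbox",      "Blowfish", shelf_life_years=5,  migration_years=1),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY, crqc_year=2030, current_year=2021):
        print(f"{status:16} {name}")
```

The rows to look at are the “at-risk” ones: data with decades of intelligence longevity that is wrapped with RSA or ECDH today is compromised by a 2030 quantum computer whatever is done afterwards, which is the report’s point about biometric markers and source identities. The “migrate-by” rows are the ones a multi-year migration plan built on the NIST selections can still save, and the deadline they print is the year that plan has to start, not finish.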

  • Spy chief's warning: Our foes are now 'pouring money' into quantum computing and AI

    The rise of technologies like artificial intelligence (AI) and quantum computing is changing the world — and intelligence services must adapt in order to operate in an increasingly digital environment, the head of MI6 has warned.

    In his first public speech since taking the role of “C” in October 2020, Richard Moore, chief of the UK Secret Intelligence Service (MI6), discussed the challenges posed by the rapid evolution of technology. While developments in computing like AI and quantum computing can provide society with what he described as “revolutionary advances,” Moore warned that they also bring additional security threats which MI6 will need to face.

    “Others would speak to you about the benefits of these new discoveries — and they are myriad — but I’m paid to look at the threat side of the ledger. MI6 deals with the world as it is, not as we’d like it to be — and the digital attack surface that criminals, terrorists and hostile states seek to exploit against us is growing exponentially,” he said, in a speech at the International Institute for Strategic Studies (IISS).

    Moore said China, Russia and Iran are the most significant nation-state threats to the UK that could exploit technology to meet their aims, citing the SolarWinds cyber attack, which has been attributed to Russia’s foreign intelligence service, as a key example.

    To confront the challenges posed by the growing global digital environment, MI6 needs to ensure that it has the human intelligence capabilities to analyse and understand data, which could help provide insights, keep agents in the field informed and ultimately help protect the UK from threats.

    “There is no longer such a thing as an analogue intelligence operation in this digital world,” said Moore. “All of this requires insights from data, the tools to manipulate data and, most importantly, the talent to turn complex data into human insight. The combination of technological prowess and insights from human intelligence gives the UK a powerful edge.”

    He warned: “Our adversaries are pouring money and ambition into mastering artificial intelligence, quantum computing and synthetic biology because they know that mastering these technologies will give them leverage.”

    Moore said MI6 “needs to be at the vanguard of what is technologically possible” to stand the best chance of protecting the UK from security threats. But while MI6 has traditionally worked in the shadows, it is now stepping out of them to ensure it has access to the people required to solve the problems posed by new technologies.

    “We can’t match the scale and resources of the global tech industry, so shouldn’t try. Instead, we should seek their help. Through the National Security Strategic Investment Fund, we are opening up our mission problems to those with talent in organisations that wouldn’t normally work with national security. Unlike Q in the Bond movies, we cannot do it all in-house,” said Moore.

    By looking to outside experts in emerging technologies, the aim is to improve MI6 operations and innovate faster than the UK’s adversaries. It represents a significant shift from the secretive operations of the past, and one he stressed also requires greater diversity, to better represent the population MI6 serves.

    “I cannot stress enough what a sea-change this is in MI6’s culture, ethos and way of working since we have traditionally relied primarily on our own capabilities to develop the world-class technologies we need to stay secret and deliver against our mission,” said Moore. “We must become more open, to stay secret,” he added.

    By adapting MI6 to bring in expertise on emerging technologies, the hope is that the intelligence service can keep the UK safe from threats, wherever in the world they come from.

    “My mission as Chief is to ensure the successful transformation and modernisation of our organisation: extending MI6’s secret human relationships to reflect the changing nature of power and influence in the world; investing in the skills a global intelligence agency needs in the digital age and meeting the technological challenge head-on by opening up — to an unprecedented degree — to partners who can help us master the technologies we need for our operations, and enable us to innovate faster than our adversaries,” Moore said.

  • Printing Shellz: Critical bugs impacting 150 HP printer models patched

    HP has patched critical flaws impacting approximately 150 printer models.  Printers are usually connected to business networks — and potentially forgotten when it comes to security — so they can easily provide an avenue of attack. Highlighting this issue is PrintNightmare, CVE-2021-34481, a Windows Print Spooler service vulnerability that permits attackers to escalate privileges to system level, which was patched in August. In addition, HP patched a separate, 16-year-old privilege escalation driver flaw in July.

    Now, researchers from F-Secure have documented “Printing Shellz,” a set of vulnerabilities impacting multifunction printers (MFPs). On Thursday, the research team said that their tests involved the HP MFP M725z. However, the vulnerabilities, which date back to 2013, impact an estimated 150 products. These include models in the HP Color LaserJet Enterprise, HP LaserJet Enterprise, HP PageWide, HP OfficeJet Enterprise Color, and HP ScanJet Enterprise 8500 FN1 Document Capture Workstation ranges.

    The first issue the researchers discovered was CVE-2021-39238. Assigned a CVSS severity score of 9.3, this potential buffer overflow issue could allow the creation of a “self-propagating network worm capable of independently spreading to other vulnerable MFPs on the same network,” according to F-Secure researchers Alexander Bolshev and Timo Hirvonen. The second issue, CVE-2021-39237 (CVSS 7.1), is described by HP as an information disclosure bug. F-Secure says this flaw was caused by exposed physical ports, so local access is required as an avenue for attack.

    It’s possible to exploit these flaws locally via physical access to the device, such as by printing from USB. For CVE-2021-39238, another potential attack vector involves sending an exploit payload directly from a browser via cross-site printing (XSP).

    “These vulnerabilities give attackers an effective way to steal information: defenders are unlikely to proactively examine the security of a printer, and so the attacker can simply sit back and steal whatever information it comes across (via employees printing, scanning, etc),” F-Secure comments. “They could also use the MFP as a pivot point to move through the corporate network.”

    HP was informed of F-Secure’s discoveries on April 29 and has since released two advisories detailing the vulnerabilities. Patches and firmware updates were released in November. There is no evidence of exploitation in the wild.

    “Any organizations using affected devices should install the patches as soon as they’re available,” the researchers say. “While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations.”

  • Queensland government energy generator hit by ransomware

    Queensland government-owned energy generator CS Energy said on Tuesday it was responding to a ransomware incident that occurred over the weekend. First reported by Energy Source & Distribution, the company said the incident has not impacted electricity generation at the Callide and Kogan Creek power stations, and it was looking to restore its network.

    “We immediately notified relevant state and federal agencies, and are working closely with them and other cybersecurity experts,” CEO Andrew Bills said. “We have contacted our retail customers to reassure them that there is no impact to their electricity supply and we have been regularly briefing employees about our response to this incident.”

    In response to the incident, ANZ regional director at Claroty, Lani Refiti, said critical infrastructure has been increasingly targeted by ransomware gangs because infrastructure firms cannot afford any disruption or downtime.

    “The usual vector for ransomware is via corporate systems/networks and most organisations in the power sector will segment their operational technology systems from their corporate networks to avoid an attack via this route,” Refiti said. “Hopefully this is the case for CS Energy, who are one of Queensland’s three main power generation companies along with Stanwell Corporation and Cleanco.”

    Refiti’s hope was likely dashed, as Bills indicated that the segregation took place only after the incident began: “CS Energy moved quickly to contain this incident by segregating the corporate network from other internal networks and enacting business continuity processes,” Bills said.

    Earlier in the year, Callide suffered a fire in its turbine hall that led to outages across Queensland. Speaking earlier this month, Telstra energy head Ben Burge said the telco was able to keep the lights on for 50,000 families during that event, thanks to its being able to use standby power assets, including batteries, in its telecommunications infrastructure to stabilise the grid and address market shortages. “The physical assets we have already activated would be enough to cover nearly 50,000 customers. In the next few years we expect to grow that coverage to over 200,000 customers,” Burge said. Telstra has gained authorisation to operate in New South Wales, Queensland, and South Australia and is looking to enter the energy market during 2022.

    Last month, the Australian government announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan, including a new offence for people who target critical infrastructure with ransomware. “The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said at the time. The plan will also roll out a new mandatory ransomware incident reporting regime, which would require organisations with a turnover of over AU$10 million per year to formally notify government if they experience a cyber attack.

    Last week, the Critical Infrastructure Bill passed both houses of federal parliament and is awaiting Royal Assent.