More stories


    Job hunting? Watch out for this nasty remote work scam

    Here’s how this works. You’re searching a well-known jobs board and you see a remote work listing from a company you know and respect. The job fits your skill set and background well, so you apply. You upload your resume data as well as the usual personal identification data a prospective employer needs to see.

    After a short but expected delay, you’re invited to a Skype interview. You take a shower, put on your best shirt and tie, comb your hair, and prepare for the meeting. At the appointed time, you join the interview and speak for some time to Jennifer and Antonio. The interview goes well.

    You spend a day or so hoping that this will be the one. You’re really desperate for a new gig, and this looks promising. Finally, you find out that you’ve been hired. You’ve got the job! Not only do you have the job, but the company has a work-from-home allowance for furniture and gear for your home office. You’re sent a check for several thousand dollars, but you’re told you need to make your purchases at an approved supplier.

    Unfortunately, the check takes a while to clear, and meanwhile you need to get started working. So, knowing the money is in the bank (or about to be), you go ahead and make your furniture purchases. Technically, you’re using your own money, but those expenses will be covered in a few days by your new blue-chip employer. It’s at this point (and you probably don’t know it yet) that you’ve been scammed out of a few thousand bucks.

    Yeah, there are people out there scamming people who need work out of what’s left of their savings. Credit goes to the folks at Wordfence for doing a deep dive on this scam.

    Anatomy of a scam

    As you’ve probably figured out, “Jennifer” and “Antonio” are not their real names. And the blue-chip employer you think you’ve been hired by did not post that job listing. The preferred supplier you bought your office furniture from doesn’t exist. The thousands of dollars will never clear in your account. (A deposited check can show up as an available balance days before the bank discovers it is bogus and reverses the deposit; that window is what the scam runs on.) And you’ve just sent PII and the last of your savings to the scammers.

    The perpetrators of this style of scam are apparently very active, posting job listings that seem legitimate. According to Wordfence, lots of people are falling victim to this scam. Because, yes, what the world needs is scam listings on job boards.

    So how do you protect yourself? At the start of the process, it’s going to be hard to tell legitimate job listings from scams. As we always advise, keep an eye out for telltale signs: misspellings, grammatical errors, listings that don’t seem internally consistent, and so forth. It is also worth confirming the opening through the company’s own careers page and switchboard rather than through contact details supplied in the listing.

    Pay attention in the interview. I’d say keep an eye out for interviewers who don’t seem polished, but after having had far more Skype and Zoom meetings than I’d care to think about in the past two years, I must admit that the verifiably legitimate corporate types I’ve worked with (especially since the pandemic has been wearing on for so long) aren’t displaying the old-school corporate polish anymore either. Instead, keep a situational awareness of the interview and job-related knowledge. Does it feel like a comprehensive job interview? Listen to your Spidey-Sense.

    And finally: don’t spend money with preferred suppliers. Don’t do it. If you’re required to have a certain laptop or certain furniture, get it from a known supplier with a clear return policy. Wait until the funds have actually cleared into your account, not merely shown up as available.

    Don’t give out your account number. I know this last one is hard in a world of direct deposit, but point out this scam to your new employer. Another tactic: open up a new account just for that employer to deposit into, until you’re sure it’s safe. A legitimate employer will understand your need to wait a few paychecks before parting with this level of confidential information. And, if you have a new employer who shows no empathy, skip it. Whether they’re actually hiring or trying to scam you, it’s not worth taking a job from an employer who doesn’t respect your need to protect yourself from this kind of scam. It will end badly anyway.

    So that’s it. Keep your head on a swivel. Good luck and stay safe out there.


    An Amazon rival reveals the only honest reason to get a video doorbell

    This is not a nice person. You must defend yourself.
    You know why you bought an Amazon Ring or a Google Nest video doorbell, don’t you?

    It’s because everyone on the street has them, and you’ll be darned if you’re going to be left behind in the surveillance game. Yes, you might be helping the police along the way, but you’ll also be able to see who comes to your door from miles away. And haven’t we always wanted to do that?

    But there’s a certain dishonest niceness in the way that Amazon and Google peddle these devices. It’s all about giving you the additional veneer of safety, and Big Tech the additional hope that it can track you just that little bit more.

    I was uplifted to thoughts of taking a smiling selfie, therefore, when I saw how a smaller video doorbell rival was approaching its marketing. Wyze, a company created by former Amazon employees, believes it’s “the most customer-centric smart home technology.” It insists it’s offering “access to high-quality products at great prices.” And it would like you to buy its video doorbell not because of price, but because of something far more emotional. In Wyze’s own words, emerging from a new ad: “The world is full of little turds like this one.”

    The tiny poop-person is, indeed, someone who thinks it’s funny — or, perhaps, deeply meaningful — to leave some of his personal waste product on the pristine American doorsteps of his neighbors.


    But the tiny poop-person isn’t the only awful human being in the world. And, given that he’s only around ten years old, you might argue there’s still hope for him.

    Less so for the package delivery man who kicks your package to your porch from his van. And what happens if you try to rectify these difficult situations yourself? Well, the tiny poop-person has tiny, poopy little friends who will chase you and throw raw eggs at you. (I wonder if they had them delivered by Amazon.)

    Oh, there are supposedly some other benefits to getting a Wyze Video Doorbell Pro. The joy of the chime being included, for example. The delight of six months’ battery life, too.

    But America is currently a country of permanent conflict. Our neighbors are no longer our friends. Our service people have no interest in making us happy. Even little children are programmed to cause us strife at any given moment. Do you want a burning bag of excrement on your doorstep? No, of course you don’t. We therefore have to stand our ground and defend our personal peace with every piece of technology we can.

    “Wyze Video Doorbell Pro, For Everything Out There,” says the ad. What the company really means is: “Buy One Of Our Video Doorbells Because Other People Are Truly Awful And Disgusting.” A far more honest strategy, that.



    Best gifts for hackers 2021: Top cybersecurity presents

    While hackers are often associated with criminal acts, the difference between white hat and black hat activities is important to remember. These days, with cyberattacks increasing in scope and complexity, we need professional, ethical hackers to help protect the day-to-day services we all use. And we especially need to encourage younger people who already have an interest in this field.

    If you’re looking for holiday gifts that will appeal to someone interested in cybersecurity or programming, the hunt can be a challenge. We’ve rounded up our picks for the top gift options, including books for study or entertainment, fun stocking stuffers, high-tech kits, and more for your loved one to enjoy. Here are interesting, fun, and useful gift options for the hacker in your life throughout the 2021 holiday season.

    Learn about the digital arms race


    This Is How They Tell Me the World Ends by Nicole Perlroth should be on the bookshelves of those interested in cybersecurity. Perlroth, a cybersecurity reporter, explores the role of the United States in the digital arms race and includes tales of zero-day exploitation, hacker-for-hire mercenaries, and even how the country’s own specialists were duped into working against them.  

    Learn how to program


    The Raspberry Pi 400 is a mini computer, built into a keyboard, that is a great starting point for learning the basics of computer programming. The Pi 400 includes a memory card preloaded with the Raspberry Pi operating system, 4GB of RAM, 4K video playback, wireless connectivity, and other features. (Monitor not included.)

    Learn about modern surveillance


    Kevin Mitnick’s The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data is a classic book that anyone interested in cybersecurity would appreciate. Mitnick, once on the FBI’s Most Wanted list, explores modern surveillance and how we can limit its impact on our privacy and security.

    Learn about hacking, programming, and DIY electronics


    For a slightly different option, check out HackerBoxes, a monthly subscription box full of interesting gadgets and tools for those interested in programming, DIY electronics, and hacking. Past boxes have included Capture the Flag projects, radio-over-internet kit, novelty items, and proximity detection gadgets. 

    Learn about intelligence gathering


    An interesting gift for researchers and pen testers, the Shark Jack is a portable tool for network reconnaissance and wired network auditing. The kit ships with a quick nmap payload and a physical arming/attack mode switch. Payloads can also be written in bash using the usual Linux tools.

    Learn how social engineering is used in hacking


    Social Engineering: The Science of Human Hacking by Christopher Hadnagy is an older but still valuable guide on how social engineering is used to phish, impersonate others, obtain their data, secure access to restricted buildings and services, and more. If you know someone interested in security and psychology, this could be the perfect gift this holiday season.

    Learn the ins and outs of a USB attack platform


    Bash Bunny is another option from Hak5. The latest version, Mark II, is a USB payload deployer that can go from “plug to pwn in 7 seconds,” the company claims. Bash Bunny has been made quicker and now supports wireless geofencing and microSD storage.

    Learn how to command the airspace


    Wi-Fi Pineapple, Mark VII, is a kit designed for wireless security assessments and auditing. Among its features are a dashboard for active and passive monitoring, a rogue access point facility for conducting man-in-the-middle (MITM) attacks, and report generation. The device is available from the basic Mark VII all the way up to enterprise specifications.

    Learn about the security of IEEE 802.15.4/ZigBee systems


    The APIMOTE ZigBee Security Tool is a professional tool designed for academic researchers and students. Likely to make a valued gift for these individuals, the kit is pre-flashed with KillerBee and can be used to investigate IEEE 802.15.4/ZigBee systems.

    How did we choose these products?

    It can be a challenge to find specialist gifts, whether the field you’re interested in is cybersecurity or otherwise, so we examined products that would appeal to the widest customer base available. Or, at least, products that will keep the hackers in your life busy and out of mischief.



    Codenotary: Notarize and verify your software bill of materials

    The SolarWinds software supply chain attack is the one everyone knows about. But supply chain attacks are becoming commonplace, and that’s bad news. There are efforts afoot, such as the Linux Foundation’s Software Package Data Exchange® (SPDX) project, which standardises a format for software bills of materials (SBOMs) so that component lists are transparent and easier to audit for compliance. But we need SBOMs now. As President Joseph Biden’s Executive Order on Improving the Nation’s Cybersecurity says, we must provide “a purchaser with an SBOM for each application.” Codenotary Community Attestation Service wants to help you with that.


    It is a free, open-source notarization and verification service. Its parent company, Codenotary, promises it will enable businesses to easily create an SBOM attesting to the provenance and integrity of their code.

    The Community Attestation Service provides end-to-end protection for software development and workloads. Codenotary also claims that it scales to millions of transactions per second, which would make it suitable for continuous integration/continuous delivery (CI/CD) pipelines. It gives developers a way to attach a tamper-evident SBOM to development artifacts, including source code, builds, repositories, and Docker container images. These SBOMs are built without uploading any artifact data to the service. Instead, the service notarizes each artifact by recording a cryptographic hash that uniquely identifies it, together with its trust status. Each artifact thus retains a cryptographically strong identity stored in Codenotary’s immutable database, immudb, a fast, cryptographically verifiable ledger database.

    Note what this does and does not prove. Unlike a vulnerability scanner, it makes no guarantee about the safety of the components in your program. What it does do is assure your customers that the programs, code, libraries, container images, and so on truly are the ones you’ve promised them, and that the SBOM itself has not been altered since you published it. This is no small thing.

    “More and more software companies are being asked by their customers to provide a software bill of materials and to give guarantees about its veracity,” said Dennis Zimmer, Codenotary’s co-founder and CTO. “We’re providing an easy way for developers to build an SBOM and let their customers and users know the provenance of their software is cryptographically and very easily verifiable, effectively enabling true Zero Trust application delivery.”

    This is more than just a promise. Home Assistant, an open-source home automation project with hundreds of thousands of users, is using Codenotary’s Community Attestation Service to ensure that only its approved code runs in the homes using its Internet-of-Things (IoT) software. “The open-source nature of Community Attestation Service, the easy integration and real-time revocation is a real game-changer,” said Pascal Vizeli, Home Assistant’s founder and core developer. “That is how software trust and integrity should look and feel.”

    Home Assistant isn’t the only one who’s bought into Codenotary’s approach. Jack Aboutboul, community manager of the CentOS replacement Linux distro AlmaLinux, said, “AlmaLinux is working on integration with the Community Attestation Service to provide a secure Software Bill of Materials for the AlmaLinux OS distribution and to guarantee the provenance of our builds.”

    Sound interesting? Head over to Community Attestation Service and start creating your own tamper-evident SBOMs.


    Learn skills to kick off a lucrative cybersecurity career for only $20


    If you’re an entry-level IT professional interested in getting your foot in the door of a cybersecurity career, the extremely affordable Palo Alto Networks Cybersecurity Fundamentals (PCCSA) E-Course can help you with that by training you in firewall maintenance. In 27 lectures across almost seven hours of content, you will build a solid foundation in cybersecurity concepts. First, you will learn the basics of networking, systems, and security solutions, including the basic concepts of cloud security. And, of course, you will learn the skills necessary to deploy firewalls, which will allow you to permit traffic based on attributes such as user ID, application ID, content, and policy.

    You will learn how to identify the most common cybersecurity threats and cyberattack techniques. Then, as your skills develop, you will progress toward the level required to become a Palo Alto Networks Certified Network Security Engineer (PCNSE).


    The entry-level PCCSA certification was created to verify that you possess the expertise required to configure, install, maintain, and troubleshoot Palo Alto Networks platform deployments and next-generation firewalls.

    The course is provided, authored, and presented by ITProTV on the iCollege platform. ITProTV is noted for the entertaining and effective talk-show format it uses for IT training courses. Former students have awarded this one an average rating of 4.4 out of 5 stars. You will have lifetime access to this content 24/7 on both desktop and mobile devices. That means you can train at your own pace without taking time off from your current job, even if you are working full-time.

    If you’re an entry-level IT professional, don’t miss this chance to get this firewall certification; grab the Palo Alto Networks Cybersecurity Fundamentals (PCCSA) course now.



    Ransomware: It's a 'golden era' for cyber criminals – and it could get worse before it gets better

    Ransomware is the most significant cybersecurity threat facing organisations today, as increasingly professional and sophisticated cyber criminals follow the money in order to maximise the profit from illicit campaigns. ENISA, the European Union Agency for Cybersecurity, has released the latest edition of the ENISA Threat Landscape (ETL) report, which analyses cyber criminal activity between April 2020 and July 2021. It warns of a surge in cyber criminality, much of it driven by the monetisation of ransomware attacks.

    Although the paper warns that many different cybersecurity threats are on the rise, ransomware represents the ‘prime threat’ faced by organisations today, with a 150 percent rise in ransomware attacks during the reporting period. And there are fears that, despite the problem of ransomware attracting the attention of world leaders, the problem will get worse before it gets better. “We are observing the golden era of ransomware — it has become a national security priority — and some argue that it has not yet reached the peak of its impact,” the paper warns.

    Cyber criminals trigger a ransomware attack by secretly compromising networks, often via phishing attacks, compromised cloud services or exploited vulnerabilities, before installing file-encrypting malware across as many systems as possible. Victims are locked out of files and servers, and the cyber criminals demand a ransom payment, made in cryptocurrency, in exchange for the decryption key. In many cases, the victim will pay up.

    One of the key drivers behind the increased threat of ransomware is the amount of money that can be made; cyber criminals can walk away with millions of dollars from a single attack. It’s likely that the success of ransomware campaigns will only encourage more bad actors to get involved with ransomware, particularly when it comes to hands-on operations that can cripple an entire network.

    “Our assessment is that more cyber criminals will very likely be attracted to shifting their targeting to focus on targeted ransomware operations and replicate these successes,” said the ENISA paper.

    Incidents like the DarkSide ransomware attack against Colonial Pipeline demonstrated how disruptive a ransomware attack can be, to the extent that it has an impact on everyday lives. The incident led to gas supply shortages in the north-eastern United States, causing people to try to stockpile supplies. In the end, Colonial paid cyber criminals almost $5 million for the decryption key. While events like this receive a lot of attention, it’s believed that there are many more ransomware attacks where victims quietly pay the ransom without any publicity. “The incidents that are publicly disclosed or that receive media attention are only the tip of the iceberg,” ENISA warns.

    However, the report also notes that action is being taken on ransomware, with governments having “stepped up their game”, recognising the threat and conducting multinational efforts in an attempt to deal with the issue. The report also details how the last year has seen several arrests made over involvement in ransomware gangs, indicating that, for some cyber criminals at least, their actions have consequences.

    “Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks,” said ENISA executive director Juhan Lepassaar. “Such an approach can only rally around the necessity now emphasised by the European Council conclusions to reinforce the fight against cyber crime and ransomware more specifically.”

    Organisations are encouraged to develop a mitigation strategy involving secure backups, so that in the event of a ransomware attack the network can be restored without giving in to the ransom demand; backups only serve that purpose if they are kept offline or otherwise out of reach of the same credentials the attackers hold, and if restoring from them is actually rehearsed. Operating systems and software should also be kept updated with the latest security patches so cyber criminals can’t exploit known vulnerabilities to enter or move around the network. Applying multi-factor authentication to accounts can also help prevent the intrusions that eventually lead to a ransomware attack.


    HTTPS threats grow more than 314% through 2021: Report

    Cybersecurity firm Zscaler has released its latest State of Encrypted Attacks Report, highlighting the growth in threats delivered over HTTPS since January as well as other attacks facing tech companies and retailers.

    The report found that HTTPS-borne threats have increased by more than 314%, while attacks on tech companies grew by 2,300% and retail companies saw an 800% increase in attacks. According to the report, the tech industry accounted for 50% of all attacks tracked. Instances of malware were up 212% and phishing rose by 90%.

    The report draws on more than 20 billion threats blocked over HTTPS and on roughly 190 billion daily transactions passing through Zscaler’s Zero Trust Exchange between January and September. From that data, the Zscaler ThreatLabz research team compiles the report. The figures therefore describe traffic that a single vendor’s inspection proxy saw and blocked, not the internet as a whole.

    Deepen Desai, CISO at Zscaler, said most enterprise IT and security teams struggle to implement SSL/TLS inspection policies due to a lack of compute resources and/or privacy concerns. “As a result, encrypted channels create a significant blind spot in their security postures. Zscaler’s new report on the state of encrypted attacks demonstrates that the most effective way to prevent encrypted attacks is with a scalable, cloud-based proxy architecture to inspect all encrypted traffic, which is essential to a holistic zero trust security strategy,” Desai said.

    The researchers found that cryptomining is becoming less prevalent as cybercriminals move toward more lucrative options like ransomware. Zscaler noted that attacks on retailers are likely to increase during the holiday season as more companies offer digital purchase options and promote e-commerce solutions. The company predicts a wave of malware and ransomware attacks targeting e-commerce platforms and digital payment systems between Black Friday and Christmas. “Additionally, as the world begins its return to normal, and as businesses and public events are opening up around the globe, many employees are still working in relatively insecure environments. Getting access to critical point-of-sale systems is extremely attractive to cybercriminals as it opens the door to huge profits,” the report noted. 
    Healthcare and governmental organizations saw a decrease in attacks, but overall seven industries saw attack rates increase from threats in SSL and TLS traffic. Desai attributed the decrease to increased law enforcement scrutiny following the attacks on Colonial Pipeline and other critical industries. Desai noted that both healthcare and government were the most frequently targeted sectors in 2020, prompting many organizations within both industries to stiffen their security posture.

    The UK, US, India, Australia and France were the top five targets of encrypted attacks. When broken down by region, Zscaler ThreatLabz researchers found that Europe saw the most attacks at more than 7.2 billion, followed by the Asia Pacific region at almost 5 billion and North America, which had about 2.8 billion. The UK led Europe with 5.4 billion encrypted attacks targeting it, followed by the US and India, which both had more than 2 billion attacks sent their way.


    NRA responds to reports of Grief ransomware attack

    The National Rifle Association (NRA) has released a statement today after a ransomware gang claimed to have attacked the organization. The Grief ransomware gang, which has ties to the prolific Russian cybercrime group Evil Corp, posted about the NRA on its leak site, setting off hours of headlines and concerns from members of the group. By Wednesday afternoon, NRA Public Affairs managing director Andrew Arulanandam took to Twitter to say the group is doing what it can to protect the data of its members. “NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so,” Arulanandam said.

    Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly from the NRA’s databases. Analysis of the released documents shows they are minutes from a recent NRA board meeting as well as documents related to grants. The gang threatened to leak more files if the NRA did not pay an undisclosed ransom.

    The NRA will be faced with a difficult decision considering Evil Corp was sanctioned by the US Treasury Department in 2019, meaning the gun rights group would have to seek a licence from the Treasury before paying any ransom, and that any intermediary facilitating the payment would face the same sanctions exposure. The guidance gained prominence following the attack on Garmin, a tech wearables company, which was hit by the WastedLocker ransomware; WastedLocker is another ransomware strain with purported links to Evil Corp. Evil Corp was also implicated in a wide-ranging ransomware attack last week on Sinclair Broadcast Group, which controls hundreds of news stations in the US.

    Grief has spent much of 2021 attacking school districts and local governments across the US, including ones in New York, Alabama, Mississippi, Indiana, Washington and Texas, according to Comparitech. Paul Bischoff, privacy advocate at Comparitech, said NRA members should take steps to protect themselves from any repercussions that might arise as a result of this breach. “A gun won’t help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data,” Bischoff said. “The inclusion of tax forms is particularly concerning because cybercriminals can use them to perpetrate tax fraud. Be sure to file taxes early and make sure no one else files in your name. Grief has led several attacks in the US against targets in government, healthcare, and education.”