More stories


    China Telecom requests court to overturn US ban: Report

    China Telecom has reportedly gone to court in a bid to reverse the United States Federal Communications Commission’s (FCC) decision to revoke the company’s authorisation to operate in the country. The FCC issued an order for China Telecom to stop providing domestic and international services in late October in response to recommendations from the Trump-era Justice Department. “China Telecom Americas, a US subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said in its order. “China Telecom Americas’ ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Telecom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.” The order is set to take effect on December 4, unless it is stayed or revoked. According to Reuters, China Telecom told the US Appeals Court for the District of Columbia on Monday that the revocation of its authorisation would cause irreparable harm to its business, reputation, and relationships. It also reportedly claimed that the FCC had no evidence of the company being a national security or law enforcement risk.

    China Telecom’s argument is similar to the one used by Xiaomi at the start of the year when it requested to be removed from the Department of Defense’s official list of Communist Chinese military companies (CCMC). In those legal proceedings, Xiaomi said the CCMC designation would cause “immediate and irreparable harm to Xiaomi”, including cutting Xiaomi’s access to US capital markets. The US courts eventually went on to rule in favour of Xiaomi, with Defense agreeing to remove the designation and allow the company to operate in the country.


    This mysterious malware could threaten millions of routers and IoT devices

    A new form of Internet of Things malware, which uses over 30 different exploits, has been spotted by security researchers. Detailed by cybersecurity researchers at AT&T Alien Labs, BotenaGo malware can use a number of methods to attack targets then create a backdoor on compromised devices. “Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices,” said the researchers.

    Some anti-virus suites detect the malware as a variant of Mirai, the IoT malware botnet which overwhelmed large sections of the internet with DDoS attacks in 2016. While the payload does initially look similar, it is in fact significantly different because it’s written in the Go programming language. Go has been gaining popularity among developers in recent years – and it’s also becoming increasingly popular with malware authors. BotenaGo scans the internet looking for vulnerable targets, and analysis of the code reveals that the attacker is presented with a live global infection counter which tells them how many devices are compromised at any given time. The attackers are able to exploit the vulnerabilities in the internet-facing devices and can execute remote shell commands, which they could potentially use as a gateway to the wider network if it is not secured properly.

    Attackers also have the ability to use this option to distribute malicious payloads, but at the time researchers were analysing BotenaGo, these had apparently been removed from the servers hosted by the attackers, so it wasn’t possible to analyse them. BotenaGo could potentially compromise millions of devices that are exposed to the vulnerabilities detailed by researchers but currently there isn’t any obvious communication with a command and control server.

    According to researchers, there are three options. First, it could mean that BotenaGo is just one module of a larger malware suite that isn’t being used in attacks right now. There’s also the possibility that it’s connected to Mirai, used by those behind Mirai when targeting specific machines. Finally, researchers also suggest that BotenaGo is still in development and a beta of it has accidentally been released early – hence why it doesn’t do much yet. Even if it is inactive, the number of vulnerabilities BotenaGo can exploit means millions of devices are potentially vulnerable.

    In order to protect against this and other IoT malware threats, it’s recommended that software is well-maintained with security updates being applied as soon as possible in order to minimise the time for attackers to exploit newly disclosed vulnerabilities. It’s also recommended that IoT devices aren’t exposed to the wider internet and that a properly configured firewall is deployed to protect them.


    91% of IT leaders affected by supply chain disruption: survey

    A new survey of 400 IT decision-makers from Insight Enterprises found that 95% of IT decision-makers say the impact of the pandemic accelerated business transformation priorities.

    The 2022 Insight Intelligent Technology Report found that nearly all of the IT leaders surveyed have been affected in some way by the IT supply chain disruption. The survey featured the responses of 400 North America-based IT leaders to a 23-question survey in September. About two-thirds said they believe their enterprise has successfully adapted to the COVID-19 pandemic and adjusted to new realities using new tech and IT processes. Stan Lequin, senior vice president and general manager of solutions at Insight, said the question is now about how companies can sustain and build on their progress. “This comes down to being ambitious in their pursuit of new business transformation strategies while investing in the underlying IT infrastructure that powers everything — from collaboration tools enabling remote work to automation and edge computing,” Lequin said. “But IT executives are grappling with real challenges. Talent shortages and global supply chain issues impede progress as IT is being tasked with more responsibility than ever before to power the business, and our new report also identifies several internal roadblocks, too.”

    More than half of all IT leaders cited security as the top investment they plan to prioritize when modernizing their IT foundation. Nearly 40% said cloud infrastructure and platform managed services would be prioritized, while another 37% said data analytics would be focused on. Others mentioned software as a service and cloud monitoring as well.

    When looking ahead for the next three years, respondents said their work would be most affected by AI, machine learning, high-performance computing, data analytics, and digital workplace technologies. Surprisingly, 61% said internal challenges would be the biggest hindrance to IT modernization, followed by security and data privacy issues, competing priorities and upfront costs. “C-Suite executives must think holistically about the IT ecosystem and how digital transformation and IT modernization go hand in hand. With resources at a premium, the emphasis has been on building resiliency vs. returning to innovation,” said Matt Jackson, vice president of digital innovation at Insight. “But now is also a good time for business leaders to plan for the future. They have an opportunity to re-envision what their businesses will look like moving forward, and the results suggest they’re starting to lean into this more.”

    Almost 80% said IT departments had taken on the new challenge of cybersecurity since February 2020. When asked about the “greatest perceived threats,” 62% of respondents mentioned competitor products or services improvements, while more than half said innovative market disruptors. Many also cited a shortage of IT talent, and 52% said their team suffered from employee attrition. More than 44% said there was a gap in skills and talent because of market demands. Almost all respondents said they planned to rely on third parties in order to handle “the depth of the business imperatives owned by IT.” Nearly 90% said they expected to offload more projects onto third parties over the next year. In response to the IT supply chain issues, 44% said they planned to “shift application processing requirements to the cloud to lessen the impact of IT supply chain disruption.”

    “The difficult reality is that global supply chain issues will continue well into 2022 and likely beyond,” said Megan Amdahl, a senior vice president at Insight. “While this is a very challenging time, the disruption has forced organizations to make necessary changes in planning, purchasing and processing that will better position them to manage volatility now and in the future.”


    Cisco partners with JupiterOne for cloud security platform

    JupiterOne and Cisco announced an expanded cloud security and security operations partnership on Monday designed to provide businesses with a range of cybersecurity services.

    The Cisco Secure Cloud Insights with JupiterOne hopes to offer enterprises greater visibility into all of their cyber assets, paths toward identifying security and compliance gaps and ways to fast-track investigations as well as responses to issues. Al Huger, senior vice president at Cisco Security Platform and Response, told ZDNet that more than ever, as hybrid work takes hold, security teams need visibility into their applications, whether they are hosted in the public cloud, in a private cloud, or in a private data center. “Cisco Secure Cloud Insights with JupiterOne provides deep context on the security posture across an organization’s cloud-native and hybrid IT environments,” Huger explained. “When combined with SecureX, Secure Cloud Insights simplifies protecting users, devices, data, and applications anywhere and everywhere, across any network or cloud; from headquarters to the branch office to the home office.”

    The two companies said Secure Cloud Insights would bring “comprehensive public cloud inventory and insights, relationship mapping to navigate cloud-based entities and access rights, and security compliance reporting.” Cisco executives said the company has seen organizations struggle with IT sprawl and contend with visibility issues when it comes to their cyber assets. Companies will be able to track and normalize data across multi-cloud and hybrid environments using Cloud Insights.

    “Cisco has benefitted from this first-hand when it deployed JupiterOne to monitor its public cloud footprint earlier this year. Cloud Insights provides a knowledge graph of consolidated metadata pertaining to configurations, access policies, settings, tags, rules, and more that govern interactions between entities,” they said in a statement. “Entities encompass users, roles, groups, policies, databases, datastores, devices, code repositories, storage buckets (e.g. AWS S3), cloud compute instances (e.g. AWS EC2), containers, functions, etc. APIs ingest this data from approximately fifty pre-defined integrations covering public cloud environments, vulnerability scanners, endpoint protection and network security tools, development and code repositories, identity providers, and more. Custom integrations are also supported using SDKs and webhooks.”

    The platform comes with a search function that “maps to over 550 pre-built queries, with the option to create custom queries.”

    “Secure Cloud Insights with JupiterOne is a game-changing new offering. Integrating JupiterOne cyber asset context into Cisco technologies provides a deep knowledge base to support customers’ cybersecurity programs,” said Erkang Zheng, founder and CEO of JupiterOne. “In addition, augmenting SecureX, Secure Code Analytics, and the rest of the Cisco security suite levels up customers’ capabilities.”


    Costco says card skimmers were found at Chicago-area warehouses, less than 500 people affected

    Costco has confirmed a card skimming attack that forced them to send out notification letters to victims last week. In a statement to ZDNet, the global retail giant said that in August, they discovered five card skimmers on payment card devices in four of their Chicago-area warehouses. 

    “We promptly removed the skimmers, notified law enforcement, and engaged a forensics firm to analyze the devices,” a Costco spokesperson said. “It appears that these skimmers had the ability to capture information on the magnetic stripe of a payment card, including name, card number, expiration date, and CVV. We identified the members who conducted swipe payment card transactions on the affected devices during the relevant time period and notified them individually. We also offered them complimentary credit monitoring and identity theft-related services,” the company added. The spokesperson said less than 500 customers were affected by the situation and that all of the customers were notified by letter on November 5. The company believes the attack took place in August but did not answer questions about how long they believe the card skimmers were active. Costco inspectors did not find similar card skimmers at any other locations, according to their spokesperson. Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

    Multiple people from across the globe took to social media over the past few weeks to complain about fraudulent charges tied to their Costco credit cards or accounts. Others said they began to see the charges after using their cards at Costco locations, particularly Costco gas stations. “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!”

    The letter Costco sent to the hundreds of victims they believe were affected by the card skimming attack advises the victims to call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services which include 12 months of credit monitoring, a $1 million insurance reimbursement policy, and ID theft recovery services.


    Time to upgrade? Windows 10 version 2004 support ends soon

    Microsoft has reminded users to upgrade from Windows 10 version 2004, the April 2020 Update, which reaches end of life on December 14, 2021. This means no more security or quality updates for that version of Windows 10 after the December 2021 Patch Tuesday update, Microsoft notes in a new blogpost. Windows 10 version 2004 was released in April 2020.  

    For those who choose to remain on Windows 10, the two main versions are: Windows 10 version 21H1, aka the May 2021 Update, and the soon-to-be released Windows 10, version 21H2, the November 2021 Update. Microsoft appears to be aiming to release it in November, but it’s already mid-November.

    Windows 10, version 21H2 will be a minor update containing a “scoped set of features focused on productivity and security, prioritized to meet based on your feedback,” Microsoft says. Version 21H1 reaches end of life on 13 December, 2022 for Home, Pro, Pro Education and Pro for Workstations. Enterprise and Education editions reach end of life on the same date. Windows 11 is being offered to more devices as Microsoft gradually ramps up availability for its latest OS. It’s expected to be a slow roll out due to Microsoft’s minimum hardware requirements. However, that should accelerate if more consumers and businesses buy new hardware.

    As a reminder, Microsoft notes that Windows 11 will get annual feature updates scheduled for the second half of the year and comes with 24 months of support for Home, Pro, Pro for Workstations, and Pro Education editions; and 36 months of support for Enterprise and Education editions. Microsoft is sticking with its regular Patch Tuesday updates for security fixes on the second Tuesday of each month. Windows 10 users can install Microsoft’s PC Health Check app to see if their hardware meets Microsoft’s requirements for the Windows 11 upgrade. Microsoft says it will continue to support Windows 10 until October 2025. What happens to feature updates between 21H2’s release and 2025? Microsoft hasn’t said whether or not it will continue to make two feature updates per year for Windows 10 after 21H2. 



    China looks to classify online data in draft security laws

    China has released draft regulations that seek to classify online data based on their importance to national security and public interest, amongst others. Data protection requirements will then be tied to this classification. The Cyberspace Administration of China (CAC) on Sunday unveiled a set of laws that included a proposed data classification and security framework. It is seeking public feedback on the draft legislation through to December 13. The regulator said the proposed rules would better safeguard the legal rights of individuals and institutes as well as national security and public interests, reported state-owned newspaper Global Times.

    Under the draft regulation, data would be classified into three main categories (core, important, and general) according to their impact and importance to national security, public interest, or legal rights and interests of individuals and organisations. Citing industry observers, the report noted that data from a military aircraft or airports would be classified as core data, while cargo transportation information at civil airports would be important data, and data on general flights would be considered general data. The proposed legislation, which comprised nine chapters, further detailed requirements on how data must be secured according to their classification. It also outlined how data collected inside China should be transferred overseas, including notifying the owners of such data with details about the recipients, such as their name and contact information as well as the purpose for the data transfer.

    The draft law further stipulated that fines of up to 10 million yuan ($1.56 million) could be meted out if rules governing the transfer of data to markets outside of China were breached. Biometric data, such as face, fingerprint, gait, and voice, also should not be used as the only means of personal identification, according to the draft legislation. This aimed to restrict efforts to compel individuals to provide their personal biometric data. The proposed law also stated the inclusion of data security incidents as part of the national cybersecurity incident emergency mechanism, which meant such measures should be activated and rolled out in a timely manner to mitigate potential damage and security risks. In addition, organisations must not refuse to provide services or “hinder” normal services, should data owners choose not to consent to the collection of their personal information not deemed necessary for the provision of such services.

    IPOs in Hong Kong may require cybersecurity review

    The draft regulation also would require organisations whose data-processing activities would or might influence national security to undergo a cybersecurity assessment if they were looking to list in Hong Kong, reported South China Morning Post (SCMP). If passed, this could introduce another regulatory oversight for Chinese tech companies such as Bytedance and Didi Chuxing that might be considering an IPO in Hong Kong. The proposed laws did not detail criteria that would constitute national security concerns, but listed a range of “important data” that might be considered as such, including unpublished government data, scientific research, data on genetics, and data on key sectors such as telecoms and energy, SCMP noted.
    The legislation was designed to be implemented alongside China’s other regulations that governed data use and collection, namely, the 2017 Cybersecurity Law as well as the Data Security law and Personal Information Protection Law (PIPL) that were passed this year. Passed in August, PIPL came into effect November 1, laying out ground rules around how data is collected, used, and stored. It applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data.

    PIPL encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct “personal information protection impact assessments”. Violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For “serious” cases, Chinese authorities also can dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked.


    Bad form: FBI server sending fake emails taken offline and fixed, no data impacted

    The FBI has placed the blame for a weekend fake email incident on a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) that allowed emails to be sent from the ic.fbi.gov domain. “LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners,” it said. “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”

    The FBI said it initially took the “impacted hardware” quickly offline, and later said it quickly remediated the “software vulnerability” as well as confirmed its network integrity. Spamhaus said it saw two waves of email being sent.

    Brian Krebs reported the sender of the emails found they were able to send emails because the FBI was generating a client-side one-time code to sign up to a new account on LEEP, and it was sent along with an email subject and body as a POST request to the FBI’s servers. Manipulating the request parameters enabled the emails to be sent, and a script was used to automate the sending process.

    It would seem all the so-called misconfigurations and software vulnerabilities were in the way the FBI had its portal built, with the cherry on top being how it exposed and piped user input to a mail server. Pretty embarrassing and worthy of a dozen facepalms, at least.
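
    The sign-up flow described above put the one-time code, subject and body under the client's control. As an added example (not code from the FBI, the article or the Krebs report), this sketch shows the server-side handling that closes that gap: the code is generated and stored on the server, and the message comes from a fixed template. Every name, the limits and the sample request are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600        # seconds a code stays valid (assumed value)
RESEND_WAIT = 60      # minimum seconds between mails per address (assumed)
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is discarded
SUBJECT = "Your portal verification code"   # fixed on the server
BODY = "Your one-time code is {code}. It expires in 10 minutes."


def valid_address(address):
    """Reject anything that could smuggle extra headers or recipients."""
    if any(ch in address for ch in "\r\n\t ,;<>"):
        return False
    local, sep, domain = address.partition("@")
    return bool(local and sep and "." in domain and "@" not in domain)


class SignupVerifier:
    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # callable(to, subject, body)
        self.now = now
        self.pending = {}            # address -> [code_hash, issued_at, attempts]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(str(code).encode()).hexdigest()

    def request_code(self, form):
        """Handle the sign-up POST; only the 'email' field is ever read."""
        address = str(form.get("email", "")).strip().lower()
        if not valid_address(address):
            return False
        previous = self.pending.get(address)
        if previous and self.now() - previous[1] < RESEND_WAIT:
            return False             # throttle scripted resends
        code = f"{secrets.randbelow(10**6):06d}"   # generated server-side
        self.pending[address] = [self._digest(code), self.now(), 0]
        self.send_mail(address, SUBJECT, BODY.format(code=code))
        return True

    def verify(self, address, code):
        """Check a submitted code against the stored hash, once, with limits."""
        key = address.strip().lower()
        entry = self.pending.get(key)
        if entry is None:
            return False
        expired = self.now() - entry[1] > CODE_TTL
        entry[2] += 1
        match = hmac.compare_digest(entry[0], self._digest(code))
        if expired or match or entry[2] >= MAX_ATTEMPTS:
            del self.pending[key]    # single use, bounded guessing
        return match and not expired


def demo():
    """Constructed request carrying the extra fields the article describes."""
    outbox = []
    verifier = SignupVerifier(lambda to, s, b: outbox.append((to, s, b)))
    form = {"email": "officer@example.org", "code": "000000",
            "subject": "constructed subject", "body": "constructed body"}
    accepted = verifier.request_code(form)
    return verifier, outbox, accepted


if __name__ == "__main__":
    _, sent, ok = demo()
    print(ok, sent[0][:2])
```

    The extra `code`, `subject` and `body` fields in the constructed request never reach the mailer, so the only thing a caller can influence is which address receives the fixed message, and that is throttled per address.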