Information Technology

Apple software head Craig Federighi, unsurprisingly, has come out against Europe’s proposal to tear down Apple’s iOS walled-garden and allow sideloading of apps, which is possible on Android but discouraged by Google. Why? Malware, according to Federighi, who used his speech at the Web Summit conference in Lisbon, Portugal, about online privacy to contrast Android’s malware problem with that of Apple’s iOS. He highlighted that third-party data on malware attacks on different platforms including iOS, Android and Windows showed that attacks on iOS “barely registered”. By contrast, there were five million attacks on Android per month. “But there’s never been this widespread consumer malware attack on iOS. Never.” the Apple exec said. “Why is this? The single biggest difference is that other platforms allow side loading. Sideloading would mean downloading software directly from the open internet or from third-party stores, bypassing the protections from the App Store.”With sideloading those extra protections are undone. There’s no human app review and no single point of distribution for sideloaded apps. The floodgates are open for malware.”Apple is facing a mounting challenge in Europe, the US, Asia and Australia over its control over app distribution — it is by design a gatekeeper in terms of the apps installed on the iPhone, iPad and Apple Watch. 

Federighi’s claims aren’t a new angle from Apple; last month it published a paper arguing that if Europe forced Apple to allow sideloading it would turn iPhones “into ‘pocket PCs,’ returning to the days of virus-riddled PCs.”Apple was railing against Europe’s proposed Digital Services Act (DSA) and the Digital Markets Act (DMA), which would mandate tighter controls on online content and impose new rules for “gatekeepers” — like Apple, Google and Amazon — to help foster competition and improve interoperability between mobile platforms. Apple claimed that even if the EU’s proposal was limited to allowing apps to be installed from third-party app stores — as Android allows but Google actively discourages — this would increase malware due to insufficient reviews. To make his point, Federighi quoted from Europol’s advice to “only install apps from official app stores”. “Companies should only permit the install of apps from official sources on those mobile devices that connect to the enterprise network.”But Apple’s paper and Federighi’s comments come after the European Commission (EC) in April informed Apple of its preliminary view that Apple had distorted competition in the music streaming market as it abused its dominant position for the distribution of music streaming apps through its app store.”The investigations concern, in particular, the mandatory use of Apple’s own proprietary in-app purchase system and restrictions on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of apps,” the EC said.    More

StackCommerce

Make 2022 the year you turbocharge your career path. If you want to break into the lucrative tech industry or advance further in less time, there is no better way to do it than with the CompTIA Campus Premium 1-Year Subscription.Instead of paying thousands to go back to school for several semesters, you can just keep expanding your skills over the course of a year by preparing for exams to gain certifications that will make your resume stand out among a sea of competitors. And for a limited time only during our sitewide pre-Black Friday sale, you can use coupon code SAVE15NOV to get an additional 15% off the current sale price and pay only $296.65 instead of the $399 MSRP.These 11 exam prep e-courses give you members-only access to exclusive practice labs, a learning community, and other resources for 12 months, including any new releases during the year. CompTIA certifications are recognized the world over as validation of high-quality skills, and iCollege is an authorized partner of the company, so you know their training is effective. In fact, students have awarded this bundle an impressive rating of 4.7 out of 5 stars.CompTIA IT Fundamentals+ (ITF+) for exam FC0-U61 and CompTIA A+ for exams 220-1001and 220-1002. There are also courses on Linux for exam XK0-004 and the cloud for exam CV0-002, as well as Project+ for exam PK0-004. Two Networking courses will help you pass exams N10-007 and N10-008, plus the Server+ that will get you through exam SKO-004.There are four courses to turn you into a cybersecurity professional. Security+ covers exam SY0-601 and PenTest+ preps you for PT0-001. The final two classes will earn you CybersecurityAnalyst (CySA+) and Advanced Security Professional (CASP+) certifications.If you feel like you need to free up some time to fit these courses in, adding a second display to your laptop and mobile devices is a good way to boost productivity. And we know of 13 portable monitors on sale.Don’t pass up this opportunity to get a year’s worth of tech training that can send your career skyrocketing, get the CompTIA Campus Premium 1-Year Subscription while you can use coupon code SAVE15NOV for a limited time only during our sitewide pre-Black Friday sale to get an additional 15% off the current sale price and pay only $296.65 instead of the $399 MSRP.

More ZDNet Academy Deals More

US prosecutors have indicted a UK national for allegedly conducting a SIM-swapping scheme resulting in cryptocurrency theft.On Wednesday, the US Department of Justice (DoJ) named Joseph O’Connor, also known as “PlugwalkJoe,” as the subject of the indictment. Prosecutors claim that O’Connor and his co-conspirators plotted to steal $784,000 in cryptocurrency from an unnamed crypto exchange based in Manhatten. At the time, the firm “provided wallet infrastructure and related software to cryptocurrency exchanges around the world,” the DoJ says.  According to the indictment (.PDF), O’Connor conducted SIM-swapping attacks to target the company’s executives. SIM-swapping uses social engineering techniques — including the impersonation of an intended victim or, in some cases, hiring internal help — to have a phone number transferred to a handset controlled by an attacker.  In this often short window, the victim can no longer receive calls or texts. Instead, calls and messages are rerouted to another device outside of their control.  Cybercriminals can then grab two-factor authentication (2FA) codes and account details, granting them access to financial services and cryptocurrency wallets linked to the compromised phone number. 

US law enforcement says that between roughly March and May in 2019, O’Connor and others involved in the scheme used SIM-swaps to target at least three company employees.  One particularly successful attempt granted the cyberattackers access to numerous company accounts and systems, including corporate G-Suite services.  “Within hours of this SIM-swap attack, O’Connor and his co-conspirators leveraged control of Executive 1’s phone number to obtain unauthorized access to Company 1’s accounts and computer systems,” the indictment reads.  The group then allegedly plundered wallets owned by two of the firm’s clients, leading to the theft of 770.784869 Bitcoin Cash (BCH), 6,363.490509 Litecoin (LTC), 407.396074 Ethereum (ETH), and 7.456728 Bitcoin (BTC).  The 22-year-old was arrested in Spain, and the US government is currently seeking extradition.  O’Connor is being charged with conspiracy to commit computer intrusions, wire fraud, aggravated identity theft, and conspiracy to commit money laundering. If found guilty of all charges, the UK resident could face decades behind bars.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Kyndryl, a managed services giant spun off from IBM, will officially become a publicly traded independent company on Wednesday and the company has a long to-do list that includes boosting innovation, delivering revenue growth and forging a cohesive employee culture. Martin Schroeter, CEO of Kyndryl, said at the company’s inaugural investor day that Kyndryl will “ramp up our focus on innovation, going after new market opportunity and using our experience and our IP to benefit our customers.”In the meantime, Kyndryl will remain known for being the largest integrator with $19.1 billion in revenue as well as 90,000 employees. According to Gartner, Kyndryl will be the largest implementation services leader followed by DXC, Atos, Fujitsu and Accenture. Kyndryl operates in 63 countries, manages 750,000 virtual servers, 270,000 network devices and 25,000 SAP and Oracle systems. Schroeter’s plan revolves around extending its implementation and managed services into other areas with more growth. Here’s a look at the plan, markets and potential growth through 2024. In short, Kyndryl will ride intelligent automation, data services, cloud services and security to deliver more value and enable digital transformation. ×kyndryl-stair-step.pngThe argument for Kyndryl is that companies are starting their digital transformations and the company has time to expand even as it simplifies customer infrastructure. Schroeter also said Kyndryl will offer an ESG platform and strategy to address customers’ environmental, social and governance challenges.Among the key areas Kyndryl aims to address:Data services with a move beyond managing storage systems to focusing on data engineering, orchestration and curation. Kyndryl has established practices around the following.Cloud infrastructure services that will move to the broader ecosystem beyond IBM Cloud. Artificial intelligence services. Digital workplace services. Applications management. Security and resiliency. And network and edge computing.

Indeed, Kyndryl has the customer base to expand. It has more than 4,000 customers and only 15% of revenue comes from the top 10. Kyndryl counts 75% of the Fortune 100 as customers and the average customer relationship is more than 10 years. But the challenge will be pivoting Kyndryl story from implementation to innovation. ×kyndryl-digital-transformation.pngThe detailsKyndryl’s investor day revolved around convincing Wall Street that the company was a solid investment. IBM shareholders will receive one Kyndryl share for every 5 IBM shares held. Kyndryl shares are distributed after market close on Nov. 3 with trading under the KD ticker on Nov. 4. As for the balance sheet, Kyndryl will start with $2 billion in cash and $3.2 billion of debt with an incremental $3 billion credit facility. The revenue streams for Kyndryl are also predictable. The company said that about 85% of its expected revenue is under contract at the start of every year. In addition, ABN Amro recently announced a $400 million tech services deal with Kyndryl. Wall Street analysts were generally cautious following Kyndryl’s investor day. For instance, Wedbush analyst Moshe Katri said in a research note that Kyndryl will need to manage cannibalization to its services business and cut costs with restructuring. “We see a long and challenging road for a recovery at Kyndryl,” said Katri. Perhaps the biggest issue facing Kyndryl is that it must operate in an environment that’s moving toward cloud models with little capital investment up front and a heavy dose of automation. Simply put, Kyndryl has its own transformation to deliver. Kyndryl doesn’t expect revenue growth until 2025 and there is potential sales contraction leading up to that date. Stifel Nicolaus analyst David Grossman said there are multiple opportunities to expand as Kyndryl expands its ecosystem and partnerships. CultureKyndryl’s management team is roughly split between IBM executives, external hires and IBM alums and external hires. The diversified set of opinions and experiences is something that can set Kyndryl apart, said Schroeter. Indeed, Kyndryl’s executive team includes former CIOs of State Street, GE and NBC Universal. The company’s name is derived from the words kinship and tendril to evoke growth and working together well. At the Kyndryl investor day, executives emphasized that culture and people were the core assets for success. Kyndryl noted that its employees are continually learning, earning certifications and badges and reskilling on the fly. ×kyndryl-opps.pngMore importantly, Kyndryl has been expanding its skillsets in Amazon Web Services, Microsoft Azure and Google Cloud. Those skills will be critical to making Kyndryl a broader player.To celebrate the spin-off, Kyndryl will plant a tree for each employee. The company will also aim to build a purpose-driven firm from the ground up.  More

A code execution vulnerability has been patched in the TIPC module of the Linux Kernel.

The Transparent Inter Process Communication (TIPC) module has been designed to facilitate intra-cluster communication across Ethernet or UDP connections and is capable of service addressing, tracking, managing communication between nodes, and more. This protocol is implemented in a kernel module package with major Linux distros.  On Thursday, SentinelOne researchers said that CodeQL has been used recently in bug hunting investigations on open source projects. CodeQL is a semantic code analysis engine that allows users to query code “as if it were data,” and it was this tool that allowed the team to find a severe bug in the TIPC module project.  According to the researchers, a heap overflow vulnerability was uncovered that could be exploited either locally or remotely to gain kernel-level privileges, “allowing an attacker to not just compromise a single service but the entire system itself.” SentinelOne found a feature introduced in September 2020 as part of the TIPC module roadmap, a new user message type called MSG_CRYPTO, was the source of the issue.  While the module correctly validates Message and Header sizes against packet lengths received, there is a lack of validation for the keylen member of the MSG_CRYPTO message and the size of key algorithm names.

“This means that an attacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the keylen attribute to write outside the bounds,” the researchers explained. “This vulnerability can be exploited both locally and remotely.” “While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports.” The security flaw impacts kernel version 5.10. There is currently no evidence of in-the-wild abuse and it should also be noted that while the module is included with major distributions, it has to be loaded for the protocol to be enabled — and so only builds with this feature active may be vulnerable to exploit.  SentinelOne reported the flaw to the Kernel.org team on October 19. A patch was finalized by the module’s maintainers by October 21 and released on lore.kernel.org four days later. The fix has now also been added to the mainline repository, released on October 29 under version 5.15.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

attack on Colonial PipelineIn messages obtained by a member of the vx-underground group, the prolific BlackMatter ransomware group has said it is closing shop due to increased law enforcement pressure. The group — hawking a rebranded version of the DarkSide ransomware used to attack Colonial Pipeline earlier this year — posted a message on its private ransomware-as-a-service website on November 1st saying some members of the gang are “no longer available” after “the latest news.””Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed,” the group wrote. “After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work.” While the group did not explain what they meant by “the latest news,” there are a variety of stories tied to the ransomware gang’s activities over the last two months. After closing shop to due law enforcement scrutiny following the attack on Colonial Pipeline in May, the group re-emerged in July under the “BlackMatter” banner. They attacked dozens of companies and CISA identified the group as the perpetrators of multiple attacks on agriculture companies ahead of harvests. Last week, Emsisoft CEO Fabian Wosar revealed that his company discovered a flaw in the BlackMatter ransomware allowing them to help victims recover all of their files. The group eventually figured it out and released an updated version of their malware, but Wosar hinted that they were working with law enforcement agencies and others to help victims. 

On Wednesday, the Washington Post reported that US Cyber Command and a foreign government were responsible for the disruption of the REvil ransomware group. Chats from REvil actors were seen by the newspaper and indicate the group’s leaders were spooked once they realized law enforcement entities were in their system, shutting down operations for the second time this year. Officers from Europol also arrested the Ukrainian group behind the MegaCortex, Dharma and LockerGoga ransomwares. The twelve people arrested allegedly perpetrated more than 1,800 ransomware attacks on critical infrastructure and large organisations around the world.The immense amount of pressure now facing ransomware groups was noted by General Paul Nakasone, head of US Cyber Command. “I’m pleased with the progress we’ve made,” he said, “and we’ve got a lot more to do,” he said during a speech at the Aspen Security Forum on Wednesday. Bleeping Computer reported on Wednesday afternoon that BlackMatter operators have already begun moving victims over to the LockBit ransomware site so that they can continue negotiating ransoms. The group is also pulling cryptocurrency out of the Exploit hacking forum and deactivating accounts, according to Bleeping Computer. Most experts were quick to note that ransomware groups have now made it a standard practice to close shop and reorganize under a new name. Multiple ransomware groups have done it, some multiple times, as soon as law enforcement pressure gets to be too much to handle. Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows, said DarkSide, Avaddon and Egregor are just some examples of groups that folded their operations following the after-effects of a prominent attack. “Although BlackMatter’s announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter: Members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities and Member or affiliates are absorbed into the ransomware-as-a-service programs of other groups,” Yin Peh said. “Or, BlackMatter will rebrand into a new program under another name. Given how highly lucrative ransomware operations are, it is unlikely that those behind BlackMatter will cease operations entirely. An eventual rebranding seems more probable, but how soon this will happen remains to be seen. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools, and then re-emerge with a new and improved payload.”Picus Security’s Dr. Süleyman Özarslan noted that ransomware gangs typically rebrand in 6-month cycles.Other experts, like BreachQuest CTO Jake Williams, said better backups and other preparation by victims were decreasing ransom payment rates in some instances, forcing ransomware groups to increasingly rely on double extortion methods to regain leverage. “The creation of the data exfiltration tool shows that groups are not only worried about standardizing their encryption operations, but also their extortion operations. The mere existence of the tool shows how important the double extortion process has become for operators,” Williams said. “At this point it’s not clear whether core group members are ‘unavailable’ because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping. But we shouldn’t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month. This was already hurting relationships with affiliates. It’s not hard to imagine given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats.” More

Brazilian workers have come to terms with the lack of privacy at work and are open to being monitored by their employers, but insufficient knowledge of security issues could endanger companies, a new study has found. According to the survey carried out with 11,000 consumers across 11 countries by Unisys, 87% of the 1,000 Brazilians polled said they are comfortable with being monitored remotely by the companies they work for. More than half of the respondents (52%) are comfortable with their employers tracking their computer access time, through login and logout events. This represents a 12 percentage points increase in relation to the global average of 40%. In addition, 65% of Brazilians say they feel responsible for the security of their data.

On the other hand, the study points to a lack of awareness about security issues, which could pose a risk to employers as organizations move towards hybrid working approaches, whereby employees can divide their time between the office and working from home. Only a third of those polled claim to be familiar with the threat of SIM jacking, a scam in which criminals transfer the victim’s phone number to a device they control.As for smishing, whereby scammers send SMS messages asking for personal or financial information, about six in 10 Brazilians (59%) say they are not aware of the threat. In addition, the study pointed out that 76%of those polled do not know which institutions to report scams in case they are targeted by cybercriminals. The findings emerge in a context of a growing preoccupation among Brazilians in relation to cybersecurity. According to the Unisys report, Brazil is the third country in a ranking of nations where concerns about online security are high, after Colombia and Mexico. About 75% of those polled said they are afraid of clicking on suspicious links.

In September, the Brazilian banking sector and the Ministry of Justice started the discussions around the creation of a national strategy to tackle cybercrime. The vision outlined by the banks includes the development of public awareness campaigns on cyber risks and fraud. More

The US Commerce Department has sanctioned four cybersecurity companies for allegedly selling spyware and other hacking tools to repressive foreign governments. The department’s Bureau of Industry and Security added Israeli companies NSO Group and Candiru as well as Russia-based Positive Technologies and Singapore-based Computer Security Initiative Consultancy (COSEINC) to the Entity List “for engaging in activities that are contrary to the national security or foreign policy interests of the United States.”The US said NSO Group and Candiru were added to the list because officials had found “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” The Commerce Department noted that the governments given these tools repressed a number of people in other countries beyond their borders, explaining that some authoritarian governments target “dissidents, journalists and activists outside of their sovereign borders to silence dissent.”Positive Technologies and Computer Security Initiative Consultancy are accused of trafficking “in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.””The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said US Secretary of Commerce Gina Raimondo.  The ruling was made in coordination with the Defense Department, the State Department, the Treasury Department and the Energy Department

Officials said the Entity List restricts the “export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.”There will be no license exceptions are available for exports, reexports, or transfers in-country to the entities being added to the Entity List, the Commerce Department added. The NSO Group has become infamous for its involvement in a series of global scandals earlier this year involving their Pegasus spyware. Citizen Lab and dozens of researchers revealed that the spyware was being used widely by cybercriminals, dictators and others to spy on prime ministers, diplomats, journalists and human rights activists. One dictator even used it to spy on his ex-wife and her lawyers. The company denied the allegations in a statement to The New York Times, claiming its “technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”Positive Technologies has long been accused of providing hacking tools and support to the intelligence arm of the Russian government. The $1 billion-dollar cybersecurity company was sanctioned in April by the Treasury Department for providing computer network security solutions to the FSB and GRU as well as Russian businesses, foreign governments and international companies. The company even hosts “large-scale conventions that are used as recruiting events for the FSB and GRU.” Despite its ties to Russian Intelligence, the company nearly went public this year and was valued at $2.5 billion thanks to ties to Samsung, Microsoft and IBM, according to Forbes. Haaretz reported in 2019 that the secretive Candiru specialized in hacking computers and servers. The news outlet said Isaac Zack founded the company and was also involved in the founding of the NSO Group. Both Microsoft and Citizen Lab published reports in July on DevilsTongue, a spyware created by Candiru. According to The Record, the Computer Security Initiative Consultancy has ties to Pwn0rama, an exploit acquisition program. “This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities,” the Commerce Department said in a statement. BreachQuest CTO Jake Williams told ZDNet that each of the additions to the Entity List are interesting in its own right, but the most significant in his eyes was NSO Group. While NSO tried to spin its software as being used for legitimate purposes, it’s clear that it has been used repeatedly to target journalists, activists, and government officials, Williams explained. “It isn’t just the targeting of these individuals that got NSO in hot water, it’s that entities unfriendly to the US used NSO tools to target friendly journalists, activists, etc. That’s never a winning business plan,” Williams said, adding that the COSEINC and Positive Technologies “are perhaps more academically interesting.””While Positive Technologies (a Russian company) isn’t a surprise to see on this list, COSEINC (a Singapore company) is. COSEINC has largely flown under the public radar before today, though prior reporting from Joseph Cox of Motherboard/VICE identified the firm as a zero-day vendor in 2018. It appears likely that COSEINC was found to be selling exploits or collaborating with foreign intelligence organizations or cybercriminals to have gained such a designation on the Entity List.”Oliver Tavakoli, CTO at Vectra, said the sanctions are “mostly represent a speed bump for these companies” considering the murky business of supplying offensive cyber capabilities to governments across the world invariably leads these companies to make judgments on what constitutes “appropriate use” of the technologies and whether their clients can be trusted to honor the spirit of constraints — often expressed in vague terms referring to “threats” and “security” — written into contracts.”It’s pretty clear that most governments ignore those constraints and do what they believe to be in the self-interest of the government and its current leader, though the companies can then claim plausible deniability,” Tavakoli said.  More