More stories

  • Microsoft just expanded its malware protection for Linux servers

    Microsoft has announced it’s adding even more security features to the protection it offers to open-source operating systems. Defender for Endpoint on Linux server gained endpoint detection and response (EDR) abilities a few months ago and now has extra capabilities for Azure Defender customers. It makes sense for Microsoft to develop security products for Linux, given that Linux distributions dominate virtual machine OSes on its Azure cloud.

    One key change is that Linux EDR detection and live response is now in public preview. Live response allows for in-depth investigations and quick threat containment by giving security teams forensic data and the ability to run scripts, share suspicious entities, and hunt for possible threats.

    Microsoft also has extended support for Amazon Linux 2 and Fedora 33+, and it now has a public preview for RHEL 6.7+ and CentOS 6.7+. Previously, EDR was available for RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian 9 or newer; and Oracle Linux 7.2 or higher.

    “The complete set of the previously released antivirus (AV) and EDR capabilities now applies to these newly added Linux distributions. [Threat and vulnerability management] coverage will be expanded with Amazon Linux and Fedora in coming months,” Microsoft says. Users need to be on Microsoft Defender for Endpoint version 101.45.13. It also notes that the previously released AV and EDR capabilities also apply to RHEL 6.7+ and CentOS 6.7+. Supported kernel versions are listed here.

    Microsoft is also bringing threat and vulnerability management (TVM) to Linux Debian; a public preview of TVM for Debian 9+ will be available in the coming weeks. It’s also making Defender antivirus generally available on Linux, bringing the ability to monitor processes, file system activities, and how processes interact with the OS using Microsoft’s cloud security. “With behavior monitoring, Microsoft Defender for Endpoint on Linux protection is expanded to generically intercept whole new classes of threats such as ransom, sensitive data collection, crypto mining, and others. Behavior monitoring alerts appear in the Microsoft 365 Defender alongside all other alerts and can be effectively investigated,” Microsoft notes.

    It promises to address ransomware threats too with machine-learning techniques. “Behavior monitoring provides effective measures against ransomware attacks which can be achieved using a variety of legitimate tools (for example, gpg, openssl) while carrying similar patterns from OS behavior perspective. Many of such patterns can be picked up by the behavior monitoring engine in a generic way.” Admins can also explore security events locally using the Microsoft Defender for Endpoint on Linux command line interface.

  • Get patching: Cisco warns of these critical product vulnerabilities

    Cisco has released security updates to fix vulnerabilities in multiple products that, if left unpatched, could allow an attacker to take control of affected systems and perform a variety of malicious actions. The newly disclosed critical security vulnerabilities affect static SSH keys in Cisco Policy Suite and the Cisco Catalyst PON Series Switches Optical Network Terminals. The US Cybersecurity & Infrastructure Security Agency (CISA) has urged users and administrators to review the Cisco advisories and apply the necessary updates.

    Cisco Policy Suite – a software package for data management – contains a vulnerability (CVE-2021-40119) in the key of its Secure Shell (SSH) cryptographic network authentication mechanism, which could allow an unauthenticated, remote attacker to log in to unpatched systems as the root user. This ability could provide them with unrestricted permissions to access, read and write files, something that is extremely desirable for attackers looking to access data, install malware or perform other malicious activities.

    There are also two critical security vulnerabilities in Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminals, which are used to help deliver internet access to multiple endpoints on a single network. The vulnerabilities (CVE-2021-34795 and CVE-2021-40112) in the web-based management interface of Cisco PON terminals could allow an unauthenticated, remote attacker to log in with default credentials if Telnet – a network protocol used to virtually access a computer for collaboration and communications channels – is enabled.

    These vulnerabilities also allow attackers to perform command injections and modify configurations, both of which could be exploited for malicious actions. The specific Cisco products vulnerable to CVE-2021-34795 and CVE-2021-40112 are:

      • Catalyst PON Switch CGP-ONT-1P
      • Catalyst PON Switch CGP-ONT-4P
      • Catalyst PON Switch CGP-ONT-4PV
      • Catalyst PON Switch CGP-ONT-4PVC
      • Catalyst PON Switch CGP-ONT-4TVCW

    By default, Cisco PON Series Switches only allow local LAN connections to the web management interface, so they’re only exploitable if remote web management has been enabled. Users are urged to visit Cisco Security Advisories as soon as possible in order to download the security patches required to fix the vulnerabilities.

    Unpatched vulnerabilities are one of the most common methods cyber criminals, nation state-backed hacking operations and other malicious operations exploit in order to enter networks. But despite cybersecurity organisations like CISA stressing the importance of patching networks, it’s still common for attackers to be able to exploit years-old vulnerabilities to gain access to networks because, in many cases, the updates aren’t being applied.

  • The IoT is getting a lot bigger, but security is still getting left behind

    Four out of five Internet of Things (IoT) device manufacturers are failing basic cybersecurity practices by not providing a way for people to disclose security vulnerabilities in their products – something that can potentially put users of the device at risk of cyberattacks and breaches of privacy. Research by the IoT Security Foundation (IoTSF) – a tech industry group that aims to help encourage securing the Internet of Things – analysed hundreds of popular IoT product manufacturers and found that only just over one in five advertise a public channel for reporting security vulnerabilities so that they can be fixed.

    The 21% of vendors offering this kind of channel has risen slightly since last year, something that the IoT Security Foundation report describes as “glacial” progress on providing what it describes as “a basic hygiene mechanism”. That’s despite countries around the world including the UK, the US, Singapore, India and Australia as well as the European Union attempting to emphasise the importance of cybersecurity in IoT devices and the ability to make vulnerability disclosures.

    The report notes that some of the lack of vulnerability disclosure policy could be attributable to “non-traditional IT businesses” entering the IoT market for the first time, such as fashion providers launching connected products or kitchen appliance manufacturers adding smart features to their products. In these cases, it’s very likely the manufacturer’s first experience of having to think about building cybersecurity into products themselves, so not only could vulnerabilities find their way into devices, there’s no set pathway for reporting them.

    Nonetheless, the report points out how “IoT-related best practice has been freely available for anyone with an internet connection since 2017” and that the way in which four out of five companies are failing to provide a mechanism for allowing security vulnerabilities to be reported so they can be fixed is “unacceptably low” – and that could point to wider problems. “This is often the tip of the iceberg – it’s an insecurity canary that makes you realise that these companies probably also pay very little attention to security,” David Rogers, CEO of Copper Horse, the company behind the research, told ZDNet. “Some companies are still stuck in the dark ages when it comes to attitudes to security researchers. Their response will be to get the lawyers onto the researchers or try to force them into NDAs. It’s really foolish behaviour considering we’ve had ISO standards for this since 2014 and it’s been seen as good practice for even longer. When legislation comes, some of these companies are going to have a big shock,” he added.

    Internet of Things devices are increasingly a fixture in homes and offices. While many household brands do ensure their products are equipped with good security practices – the report cites technology firms including Sony, Panasonic, Samsung, LG, Google, Microsoft, Dell, Lenovo, Amazon, Logitech and Apple among these – it’s common for consumers to purchase cheaper alternatives that don’t have as much of a focus on security. That means if security vulnerabilities are uncovered and there’s no means of informing the manufacturer, it could put users at risk. That’s particularly the case for companies that appear to have shut down – which the report notes, some have – meaning even if there was a means of reporting the vulnerability, it’s unlikely to be fixed.

    But while the research paper often presents a grim picture of the IoT security landscape today, the IoT Security Foundation believes that eventually, that will change and security will become a fundamental part of product design. “Security is a bit like quality. For it to be properly delivered, it needs to be endemic within all processes within a company so that it is assured throughout – that is, not an afterthought or bolted on,” John Moor, managing director of the IoT Security Foundation, told ZDNet. “It is my belief that security will follow a similar path to that of quality over the past 30 years as we transform our society and economies to be more digital – if we establish a general understanding of its fundamental importance and get the processes right, we’ll do it naturally – not as an add-on,” he added.

  • SSL certificate research highlights pitfalls for company data, competition

    Research into how the enterprise handles and deploys security certificates has revealed risks to data that may be overlooked. On Thursday, the Detectify Labs team published a report based on the initial analysis of public SSL/TLS certificates, conducted from June 2021. The team says that there are “pitfalls” to the deployment of these certificates that “can lead to company data being exposed or compromised by malicious actors.”

    SSL/TLS certificates, issued by certificate authorities (CA), are used to authenticate and secure connections made through a browser. Encryption is used to protect communication streams during online sessions. When important information is transferred — including the submission of personal data or when financial transactions are performed — encryption via certificates is key to preventing theft, eavesdropping, and Man-in-The-Middle (MiTM) attacks. “SSL/TLS certificates make the internet a safer place, but many companies are unaware that their certificates can become a looking glass into the organization — potentially leaking confidential information and creating new entry points for attackers,” the cybersecurity researchers said.

    The Detectify analysis included the examination of over 900 million SSL/TLS certificates and associated events generated from issuing organizations including Google, Amazon, Let’s Encrypt, and Digicert, made possible through public data points. While the investigation is ongoing, the team has highlighted some of the risks associated with SSL certificates in particular.

    The first problem is that the “overwhelming majority of newly certified domains” have been given descriptive names. According to Detectify researcher Fredrik Nordberg Almroth, this may appear harmless. Still, if a certificate is issued at a development stage, this can give competitors time to undermine new companies or products before they reach the market.

    In addition, wildcard certificates, often a less expensive option for businesses, may be susceptible to Application Layer Protocols Allowing Cross-Protocol Attack (ALPACA). Approximately 13% of the data set related to wildcard use. The US National Security Agency (NSA) warned of ALPACA in October this year. The attack vector can be used to trick servers with unencrypted protocols to steal cookies, user data or to perform cross-site scripting (XSS) attacks.

    These are only two potential risks associated with security certificates, but the team says there is more to examine. “We have only just begun digging into the data,” Almroth commented. “There are several ways an attacker could use public information about SSL/TLS certificates to map out a company’s attack surface to understand where the weaknesses are. For example, an attacker could see if a certificate is about to expire or has been signed using a weak signature algorithm. The latter can be exploited to listen in on website traffic or create another certificate with the same signature — allowing an attacker to pose as the affected service.”

    So, what can organizations do in the meantime? Detectify recommends that you do implement SSL/TLS certificates, but it is also necessary to continually monitor them for weaknesses or suspicious behavior. Past research has also found that software bugs and the misinterpretation of industry standards are normally the cause of incorrectly issued SSL certificates.

    In other certificate news this week, Microsoft said that a certificate that expired on October 31 has impacted Windows 11 features, including the built-in snipping tool, touch keyboard, and voice typing. A fix is set to be pushed to users affected by the issue.

  • Cisco teams up with Singapore university in $40M research investment

    Cisco and National University of Singapore (NUS) have teamed up to launch a “corporate laboratory” to drive research development in five key areas, including artificial intelligence (AI), cybersecurity, and healthcare. The partners have pledged an investment of SG$54 million ($40 million) over five years. Called the Cisco-NUS Accelerated Digital Economy Corporate Laboratory, the research facility is located at the university’s Kent Ridge campus and is supported by National Research Foundation Singapore (NRF), according to a joint statement released Friday. The lab would employ more than 100 researchers, analysts, engineers, and students, and work on 15 research projects. Scholarships also would be awarded to doctoral students involved in such projects.

    The research facility aimed to deliver 17 new products and services as well as 12 “improved” offerings in areas such as AI, healthcare, supply chain, urban infrastructure, and cybersecurity. It also would look to partner with at least 100 Singapore-based companies to use and finetune the developed technologies. Apart from AI, security, and healthcare, the lab’s research would encompass urban infrastructure and future workforce and productivity. Amongst other objectives, research efforts would aim to explore the use of machine learning to scale customer service operations for large enterprises, develop an intelligent infrastructure for hospitals and healthcare at home, and improve productivity through understanding how employees learn and identifying skillsets needed in the future workforce. Researchers, for instance, would develop AI algorithms to improve search, extraction, and knowledge learning from data collected in workplace environments. In healthcare, researchers would look to equip hospitals with “distributed and coordinated” intelligence to improve operational and clinical efficiencies.

    “These technologies are key not just in relation to successful digital transformation of businesses, but also to efforts of governments across the world as they look to digital adoption to improve citizen services,” NUS and Cisco said. “This is especially critical right now as companies and countries prepare for a post-pandemic future where digital-first interactions, a hybrid workforce, and smart urban infrastructure are likely to become ubiquitous.”

    They added that cybersecurity would underpin such developments and enable businesses and governments to protect critical information infrastructures against malicious attacks. “Digital transformation is an inevitable direction for businesses and societies, and this has been accelerated by the COVID-19 situation. We need to be nimble and innovative to reap the benefits of digitalisation,” NUS President Tan Eng Chye said, adding that the university’s key research capabilities included data sciences, AI, and optimisation.

    Cisco’s Asean president Naveen Menon said: “Over the past 18 months, we have seen the role technology has played in keeping the world running as we grappled with the pandemic. As we prepare for a post-pandemic future, one thing is clear — technology will be central to every aspect of businesses and governments, and their interaction with consumers and citizens. In this digital-first era, building local innovation capabilities that deliver globally relevant solutions will be critical to the success of countries.”

    The lab is jointly led by Cisco Singapore’s co-innovation center manager Jeremy Lim and NUS’ Department of Electrical and Computer Engineering faculty member and associate professor Biplab Sikdar.

  • Twitter joins backlash against Australian plan to ID social media users

    Australia’s plan to force social media users to identify themselves could damage people, harm international relations, and even breach human rights obligations, according to participants in a media roundtable on Friday. The Morrison government’s recent rush to identify users is based on the assumption that this would reduce online abuse. But according to Kara Hinesley, Twitter’s public policy director for Australia and New Zealand, there are few reasons to think it would work. “The concerns around anonymity in this current debate have been over-simplified, and system design changes cannot solve social problems without actual social change,” Hinesley said. “It’s not clear that anonymity is the primary driver of abusive and antisocial behaviour online. It’s even less clear that requiring government identification for social media would do anything to fix the situation. “I want to emphasise — I cannot emphasise this enough — a tech solution cannot fix the social problem.” Twitter organised the roundtable in conjunction with Digital Rights Watch, whose executive director, Lucie Krahulcova, was even more critical. Krahulcova is “incredibly frustrated” by this question of pursuing people when they’re anonymous online. It’s been her “extensive experience” that law enforcement isn’t particularly interested in pursuing people who libel, malign, harass, or commit similar crimes online.

    “They’re not actually very excited about enforcing [existing laws] on behalf of women, people of colour, and historically I think there’s plenty of evidence of that in Australia,” Krahulcova said. “When we are speaking now about an attack on anonymity, it is because white men are uncomfortable with the criticism they get online. And that’s not just politicians, it’s also certain reporters and kind of sports stars and stuff. It is precisely because this societal group of privilege is frustrated with criticism,” she said. “None of these people were upset when Yassmin Abdel-Magied was bullied basically off the internet for having a controversial opinion.”

    Anonymity is a ‘critical tool’ for individual protection

    According to Hinesley, removing anonymity “could damage the people who rely on anonymity and pseudonymity online”, and those people are many. She and other panellists listed groups such as journalists protecting whistleblowers and other sources; people exploring their sexuality or gender identity; ethnic or religious minorities exploring their heritage; people escaping domestic violence and other abuses; human rights defenders; dissidents; and artists. “Anonymity can be a form of protection and a critical tool for people… Evidence is overwhelmingly pointing to anonymity bans being ineffective,” Hinesley said. According to Dr Emily van der Nagel, a social researcher at Monash University, “using a real name is not as straightforward for a lot of people online”. “Separating real names from social media profiles and usernames is an essential strategy for compartmentalising contexts, and for getting the most out of social media,” she said. Indeed, names even have the potential to signal which audience we’re communicating with. Think of the different dynamics of the full name, the nickname, the stage name, or even no name at all.

    “We know that real name policies and mandatory identity verification, they don’t make the internet safer or kinder,” van der Nagel said. “Instead, they damage attempts to contextualise our communication, forge the kinds of connections that matter on social media, and get in the way of us experiencing the kind of joy that’s possible in these spaces.” These issues are explored further in van der Nagel’s doctoral thesis, Social Media Pseudonymity: Affordances, Practices, Disruptions [PDF] and other academic writing.

    Anonymity is part of the right to freedom of expression

    Anonymity and pseudonymity are not only important, but they’re “guaranteed by human rights law”, according to law professor David Kaye, a former United Nations special rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. “There’s a history of more or less explicit recognition that freedom of expression includes the freedom to speak, to seek, receive, impart information and ideas anonymously,” he said. This understanding is built on article 19 of the International Covenant on Civil and Political Rights, to which Australia is a signatory. “Anonymous speech, certainly in the development of democratic societies, has been essential to public debate. It’s been essential to individual human development in repressive societies,” Kaye said. “Undermining anonymity has rarely been shown to be necessary in the circumstances, and has often been shown to be a kind of interference based on illegitimate purposes, for example, a desire to find out who’s criticising you.” Kaye believes that anonymity and the confidentiality of communications are currently under threat everywhere. “It’s under threat in democratic societies. It’s under threat in authoritarian ones. There tend to be different reasons for that threat, but it’s very much under threat,” he said.

    “Australia’s proposals, I think, go beyond what we’ve seen in most rule of law-oriented societies.” Australia is of course the only major democracy that lacks a bill of rights. As Krahulcova noted, Australia’s policies are already being “mentioned in paperwork” in Europe and in the US, and she worried about the potential repercussions. “I worry that the approach that the Australian government is taking is actually just incredibly reckless. It’s not just bad policy. It’s reckless,” she said. “Australia needs to have a serious think about the system that it’s putting out into the world.”

    Last month Twitter outlined its views on regulating social media in a position paper, Protecting The Open Internet: Regulatory principles for policy makers [PDF]. “The Open Internet is global, should be available to all, and should be built on open standards and the protection of human rights,” it said. “Content moderation is more than just leave up or take down. Regulation should allow for a range of interventions, while setting clear definitions for categories of content.” Regulations should also protect competition, choice, and innovation, rather than entrenching the existing platforms, Twitter said.

  • Hackers gained access to mySA Gov accounts, including licence and rego details

    Yesterday afternoon, South Australia’s Department for Infrastructure and Transport confirmed that mySA Gov accounts were compromised through a cyber attack. mySA Gov is the South Australian government’s online platform and app that provides residents with single account access for the state’s services, such as checking into a venue or completing transactions for vehicle registration. The department said hackers accessed these accounts because account holders had used the same or a similar password for their mySA Gov account as they had used for their account with an unrelated website. The hackers then used the passwords they had obtained from the unrelated website to access a number of mySA Gov accounts. The department did not provide details about the unrelated website.

    According to the ABC, 2,601 mySA Gov accounts were accessed in the attack, with 2,008 of them containing registration and licensing information. The department became aware of the breach on Tuesday, and has since blocked people from logging in if compromised passwords are used. It has also notified affected account holders by email of the potential access to their account. The department said there was “no evidence of any unauthorised transactions” on the impacted accounts.

    “It is strongly recommended that when choosing a new password for their account, customers do not use a password that has been previously used or is currently being used for any other accounts,” the Department for Infrastructure and Transport said in a statement. “This is a timely reminder to all mySA Gov account holders and South Australians more generally to always set complex passwords and do not use the same password for more than one account.” As details could have been accessed by an unauthorised third party, the department has also encouraged all affected account holders to change their driver’s licence number by attending a Service SA Centre.

  • US offers $10 million reward for information on DarkSide leaders, $5 million for affiliates

    The US State Department is continuing its offensive against ransomware groups, announcing a reward of up to $10 million for any information “leading to the identification or location of any individuals holding key leadership positions in the DarkSide ransomware variant transnational organized crime group.” State Department spokesman Ned Price added that there is a $5 million reward “for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident.”

    “The DarkSide ransomware group was responsible for the Colonial Pipeline Company ransomware incident in May 2021, which led to the company’s decision to proactively and temporarily shut down the 5,500-mile pipeline that carries 45 percent of the fuel used on the East Coast of the United States,” Price said. “In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware.” The financial rewards are part of the Transnational Organized Crime Rewards Program, and the State Department noted that it has paid $135 million in rewards since the program was created in 1986.

    The news of the rewards comes just one day after the cybercriminals behind the BlackMatter ransomware — a rebranded version of DarkSide — said they were closing shop due to increased pressure from law enforcement. In messages obtained by a member of the vx-underground group, the prolific BlackMatter ransomware group said that due to “certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed.”

    “After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work,” the group said in messages on its website. The message did not explain what “news” caused the closure, but the last two weeks have featured dozens of stories and incidents that reflect an increasingly precarious environment for the group. The group attacked multiple agricultural companies after rebranding under the BlackMatter name, but cybersecurity company Emsisoft created a decryptor that was able to help many victims of the ransomware. US Cyber Command and a foreign government conducted a successful disruption operation against the REvil ransomware group, while officers from Europol arrested the Ukrainian group behind the MegaCortex, Dharma and LockerGoga ransomware last week.

    Emsisoft threat analyst Brett Callow wondered whether the former DarkSide/BlackMatter affiliates who reportedly lost millions due to the gang’s ineptitude would be tempted by the rewards offered by the State Department. “Given the right motivation, cybercriminals would happily throw each other under the bus — and they all know that. And cash is absolutely the right motivation,” Callow said. “The reward will create even more distrust in the criminal underworld, and that will make it harder for the gangs to operate. This is a very smart move from the US.”