More stories

  • Microsoft aims to improve anti-phishing MFA for White House 'zero trust' push

    Microsoft has laid out some key documents for federal agencies to use as they implement the White House’s ‘zero trust’ goals within the new US cybersecurity strategy. In January, the Biden Administration released its new cybersecurity strategy following President Biden’s May 2021 executive order (EO 14028), signed in the wake of the SolarWinds software supply chain attack and ransomware attacks on critical infrastructure like Colonial Pipeline.


    Core to that strategy are ‘zero trust’ architectures, for which US tech and cybersecurity vendors were canvassed for suggestions by the US National Institute of Standards and Technology (NIST), specifically about how to protect software supply chains from attack. Zero trust assumes breach and that basically nothing should be trusted.

    But even as supply chains are targeted, email phishing remains one of the main methods that attackers use to breach a network, creating the starting point for a later supply chain attack. In May, it wasn’t known whether Russian intelligence hackers used a targeted email phishing attack to breach SolarWinds’ software build systems. But the attack group, tagged Nobelium by Microsoft, has subsequently relied heavily on credential stuffing, phishing, API abuse, and token theft in attempts to obtain account credentials to victims’ networks.

    Despite the onslaught of state-sponsored and criminal attackers targeting work account credentials, Microsoft earlier this month warned that just 22% of customers using Azure Active Directory (AAD) had implemented strong identity authentication, such as multi-factor authentication (MFA). In 2021, Microsoft blocked 25.6 billion AAD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.

    To help protect cross-organization collaboration against phishing, Microsoft this month announced a public preview of cross-tenant access settings for inbound and outbound access when both organizations use AAD, as well as reducing MFA requirements for trusted users across AAD-using organizations. “Inbound trust settings let you trust the MFA external users perform in their home directories,” Microsoft explains. Upcoming zero trust capabilities aimed at countering phishing threats for organizations that collaborate with business partners and suppliers include the “ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.” Microsoft also plans to boost phishing-resistant MFA support, including in remote desktop protocol (RDP) scenarios. RDP is one of the most common entry points for ransomware attackers.

    Microsoft has previously outlined how its zero trust approach aligns with the NIST’s goal to develop “practical, interoperable approaches” to zero trust architectures. The Cybersecurity and Infrastructure Security Agency (CISA) is also providing agencies with technical support and operational expertise in implementing zero trust. The US government hopes the private sector will also follow the federal government’s lead. For its government customers, Microsoft has now published five ‘cybersecurity assets’ explaining how to achieve a zero trust architecture from a Microsoft technology perspective.

    It covers: cloud adoption for Azure; rapid modernization plans; architecture scenarios mapped to NIST standards; a multi-factor authentication (MFA) deployment guide focussing on Azure Active Directory (AAD); and an “interactive guide” on the EO. It’s mostly a collection of existing documents, blogposts and Microsoft help articles, but it nonetheless provides a central repository for agencies moving to comply with the new federal rules.

  • Thanks, dad: Jammer used to stop kids going online, wipes out a town's internet by mistake

    A father who used a signal jammer to rein in his children’s internet use managed to wipe out an entire town’s connectivity by mistake. The French Agence Nationale des Fréquences (ANFR), the organization responsible for managing radio frequencies in the country, received a strange complaint (translated) from a mobile phone operator.

    The carrier had detected odd signal drops that were impacting the telephone and internet services of residents in the French town of Messanges. According to the ANFR (via Bleeping Computer), there was one strange detail that stood out in the report: services were cut consistently from midnight to roughly around 3am every day. As residents slept, a member of the Toulouse Regional Service of the ANFR began walking the streets to investigate. While the examiner watched the clock tick over to midnight, their spectrum analyzer equipment took on a familiar shape — revealing a jammer was in use. The waves emitted by the device were followed to a house in a neighboring town. The next day, one of the residents admitted responsibility and revealed that he had purchased a multi-band jammer to prevent his teenage children from going online at night without permission.

    The father claimed that his teenagers had become “addicted” to social media and browsing the web since the start of the COVID-19 pandemic, a situation potentially made worse due to social restrictions and lockdowns. The jammer was intended to stop them from covertly using their smartphones to go online when they were meant to be asleep. However, the jammer also wreaked havoc on connectivity for other residents and the neighboring town. “By wanting to ban the internet in his home, he applied the same sentence to his entire neighborhood,” the agency said. The problem is that using a jammer is not legal in France, and as a result, the man faces a maximum fine of €30,000 and even a jail term of up to six months.

    In another example of a town resident’s use of technology having inadvertent consequences, in 2020, telecoms engineers spent 18 months frustrated and perplexed over the sudden but consistent disappearance of a Welsh village’s internet at 7am every morning. It turned out that all of the broadband and BT service issues endured by hundreds of residents were caused by one individual who was turning on an old, secondhand television set at that time every day. The TV was sending out electrical bursts capable of disrupting signals.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • New RCE flaw added to Adobe Commerce, Magento security advisory

    Adobe has updated its advisory on an actively exploited critical vulnerability in the Magento and Commerce Open Source platforms to include another RCE bug.

    The tech giant published revisions to the advisory on February 17. Adobe originally issued an out-of-band patch on February 13 to resolve CVE-2022-24086, a critical pre-auth vulnerability that can be exploited by attackers to remotely execute arbitrary code. CVE-2022-24086 has been issued a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited “in very limited attacks targeting Adobe Commerce merchants.” Now, Adobe has added a further vulnerability to the advisory, CVE-2022-24087. “We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said. The vulnerability has also been issued a CVSS score of 9.8 and impacts the same products in the same manner.

    The security flaws do not require any administrative privileges to trigger and both are described as improper input validation bugs leading to remote code execution (RCE). As CVE-2022-24086 is being abused in the wild, Adobe has not released any further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they have been able to reproduce the vulnerability. Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1 are impacted. However, versions 2.3.0 to 2.3.3 are not affected by the vulnerabilities, according to the company. Adobe has provided a guide for users to manually install the necessary security patches. Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. In a tweet, Blaklis said the first patch to resolve CVE-2022-24086 is “not sufficient” and has urged Magento and Commerce users to apply the new fixes.

  • Vulnerability found in WordPress plugin with over 3 million installations

    Updates have been released for UpdraftPlus, a WordPress plugin with over 3 million installations, after a vulnerability was discovered by security researcher Marc Montpas. In a blog post, the Wordfence Threat Intelligence team explained that the vulnerability allows any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration files which can be used to access the site database as well as the contents of the database itself, the WordPress security company explained. The researchers examined the patch and were able to create a proof of concept. In an original version of the blog, Wordfence said the attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a backup. But it was later updated to say Wordfence found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”

    UpdraftPlus patched the vulnerability on Thursday in version 1.22.3 and they urged users to check their website to make sure they were running the latest version. “UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained. “The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”

    The company said the issue revolves around the UpdraftPlus_Options::admin_page() === $pagenow check. Attackers can fool the $pagenow check into thinking that the request is to options-general.php, while WordPress still sees the request as being to an allowed endpoint of admin-post.php, according to Wordfence. Wordfence added that in order to exploit the vulnerability, the hacker would need an active account on the target system. “As such it is likely only to be used in targeted attacks. The consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database,” Wordfence said. “As such we urge all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, if you have not already done so, since the consequences of a successful exploit would be severe.”

    Netenrich’s John Bambenek told ZDNet that WordPress represents one of the largest backends of websites on the Internet and the security problems come from its vast ecosystem of plugins that run the gamut from capable developers to hobbyists. “Access to the backups and database will likely first be used for credential theft but there are many possibilities for attackers to take advantage of the information,” Bambenek said. Vulcan Cyber engineer Mike Parkin suggested creating a firewall rule to mitigate this vulnerability until the patch is applied.
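As an added example (not code from UpdraftPlus, Wordfence or Parkin), an interim WordPress-side hardening in the spirit of the firewall rule mentioned above: a must-use plugin that hooks the heartbeat AJAX action before core handles it, drops the data[updraftplus] parameter for users without the manage_options capability, and logs the attempt. The file name, the capability chosen and the log line format are assumptions; updating to 1.22.3 remains the actual fix.

```php
<?php
/**
 * Plugin Name: UpdraftPlus heartbeat guard (interim hardening example)
 *
 * Assumed example, not part of UpdraftPlus or Wordfence. Place this file in
 * wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * The report above says the attack starts with a WordPress heartbeat request
 * carrying a data[updraftplus] parameter from a low-privilege user. Core runs
 * wp_ajax_heartbeat() on the 'wp_ajax_heartbeat' action at priority 1, so a
 * callback registered at priority 0 sees the raw request first and can strip
 * that parameter before the plugin's 'heartbeat_received' filter receives it.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Return true when the current user may drive UpdraftPlus through the
 * heartbeat channel. Assumption: only users who can manage the site's
 * options (administrators) have a legitimate reason to do so.
 */
function updraft_guard_user_is_trusted() {
    return current_user_can( 'manage_options' );
}

/**
 * Strip data[updraftplus] from an untrusted heartbeat request and record it.
 */
function updraft_guard_filter_heartbeat() {
    if ( empty( $_POST['data'] ) || ! is_array( $_POST['data'] ) ) {
        return;
    }
    if ( ! array_key_exists( 'updraftplus', $_POST['data'] ) ) {
        return;
    }
    if ( updraft_guard_user_is_trusted() ) {
        return;
    }

    // Remove the parameter so neither core nor UpdraftPlus acts on it.
    unset( $_POST['data']['updraftplus'] );

    // Leave an audit trail: a non-admin sending this key is worth investigating.
    $user = wp_get_current_user();
    error_log( sprintf(
        'updraft_guard: dropped data[updraftplus] from heartbeat; user=%s (ID %d) ip=%s',
        $user->user_login,
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
}

// Priority 0 runs before core's own handler, which is registered at priority 1.
add_action( 'wp_ajax_heartbeat', 'updraft_guard_filter_heartbeat', 0 );
```

The logged line lands in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on), which gives a simple signal to watch for while the update is rolled out.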

  • Multiple vulnerabilities found in Snap-confine function on Linux systems

    Security researchers with Qualys have discovered several vulnerabilities affecting Canonical’s Snap software packaging and deployment system. In a blog post, Qualys director of vulnerability and threat research Bharat Jogi explained that they found multiple vulnerabilities in the snap-confine function on Linux operating systems, “the most important of which can be exploited to escalate privilege to gain root privileges.” Jogi added that Snap was developed by Canonical for operating systems that use the Linux kernel. “The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap-confine is a program used internally by snapd to construct the execution environment for snap applications,” Jogi said, noting that the main issue was CVE-2021-44731. “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.”

    After discovering the vulnerabilities and sending an advisory to Ubuntu in October, the Qualys Research Team worked with Canonical, Red Hat and others to address the issue. Canonical did not respond to requests for comment. In addition to CVE-2021-44731, Qualys discovered six other vulnerabilities. They provided a detailed breakdown of each issue and urged all users to patch as soon as possible.
    There are no mitigations for CVE-2021-44731 and Jogi noted that while the vulnerability is not remotely exploitable, an attacker can log in as any unprivileged user and the vulnerability can be quickly exploited to gain root privileges.

    Vulcan Cyber engineer Mike Parkin said Snap has become reasonably widespread in the Linux world, with a number of major vendors distributing packages using it. While any exploit that can give root access is problematic, being a local exploit reduces the risk somewhat, Parkin explained, adding that patching vulnerable systems should be a priority. “This is both very widespread and also very dangerous, given that it enables a cyber criminal to escalate their privileges to gain root access. With that access threat actors can distribute malware, plant deepfakes, move laterally within corporate networks, and many other forms of being compromised,” said Viakoo CEO Bud Broomhead. “Linux is widely used as the embedded operating system for IoT devices, which typically there are 5-10X more of than traditional IT devices in an organization. Currently there is no mitigation for this vulnerability, but when one becomes available it will likely remain exploitable for some time. Unlike IT systems, IoT devices often lack automated methods of remediating vulnerabilities, giving the potential for this vulnerability to be present for a long time.”

  • Want to see how many one-star Uber ratings you have? Here's how

    Image: Getty Images
    Ever wondered why your Uber rating wasn’t at least a 4.9? You always greet the driver, mind your own business, and tip generously. So what gives with your not-5.0 rating? Well, you’re not alone, and Uber seems to have heard enough of what many riders are calling “Uber Anxiety”. Yesterday the company rolled out an update to iOS and Android which permits users to view their previous rider ratings and be able to tally up the average themselves. While you won’t be able to see the ratings based on the driver and date, you can see how many 1s, 2s, 3s, 4s, and 5s you’ve accumulated throughout your Uber journey.
    GIF: Uber
    How to view your previous ratings from the app:

    • On the iOS or Android Uber app, tap on your profile picture in the upper right corner, and then Settings.
    • Swipe down, tap on Privacy, and then Privacy Center.
    • Swipe across the middle carousel of widgets until you find one that asks, “Would you like to see a summary of how you use Uber?”
    • Once open, swipe down to the Ratings box and tap View my ratings.

    You should now see a chart quantifying all the ratings you’ve received in the past. Uber will only show the scores of your last 500 trips.

    Uber’s tips to improve your rating: Along with the new data feature, Uber has shared five tips that, according to drivers, are best practices for scoring high ratings:

    • Do not slam the door. This is the most cited reason for why drivers give low ratings, as no one likes a damaged car.
    • Always clean up after yourself. The driver shouldn’t have to pick up any trash or unwanted items that you leave behind.
    • Always buckle up. By fastening your seat belt, the ride is safer for you and the driver.
    • Be considerate of the driver’s time. You should be ready to get in the Uber when it arrives, and ready to get out when you’ve arrived at your destination.
    • Treat the driver and car with respect. As with any customer-facing service, you should always treat others the same way you want to be treated.

    Do you find Uber’s new rating transparency helpful? Let us know in the comments below.

  • Democratic senators call for IRS and ID.me to help taxpayers delete selfies

    US Senator Bob Menendez and other lawmakers this week demanded the Internal Revenue Service (IRS) and ID.me contact taxpayers who have uploaded biometric information to the platform and inform them of their right to delete their selfie or photo account immediately after the service is available. In a letter to IRS Commissioner Charles Rettig, Menendez and Senators Cory Booker, Alex Padilla, and Catherine Cortez Masto called on the IRS to provide taxpayers with plain language instructions in multiple languages on how to complete the process of deleting their selfie.

    The IRS announced last week that it will no longer be using ID.me facial recognition software after signing an $86 million contract with the company, adding in a statement that it will “transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts.” The IRS had faced overwhelming backlash from civil rights groups and members of Congress from both parties, all of whom questioned how the IRS could begin the use of facial recognition without advance warning. But the announcement did little to quell outrage about the initial decision to use ID.me’s tools and senators on both sides of the aisle continue to raise concerns about what information ID.me gained access to. “Despite well-documented concerns with this technology — especially for individuals who have poor internet service at home, rely on computers in public libraries, use older phones, or for whom English is not their first language — the IRS required the use of this technology to access and review advanced child tax credit (CTC) payment information,” the senators added. “Nearly 35 million families received the advanced Child Tax Credit last year, including numerous Black, Hispanic, Asian, and Native American families, and many immigrant families using an Individual Taxpayer Identification Number.” 

    Menendez said the IRS and ID.me need to clarify whether facial recognition will remain an option for verification during the 2022 filing season. “If it will remain an option, we request the IRS clarify how it will ensure taxpayers using ID.me — especially last-minute filers — are not forced to rely on facial recognition technology as their only practical option to avoid long wait times for live-video verification,” the letter said.

    The senators demanded the IRS and ID.me send them a list of all federal, state, or local law enforcement agencies that would have been provided access to biometric data through the IRS’ ID.me verification system no later than Friday, February 25. “Congress has repeatedly expressed concern with the development of an unconstrained and pervasive surveillance infrastructure, fueled by systems like ID.me. The Project on Government Oversight (POGO), a leading oversight watchdog, has cautioned that the use of this type of technology often plays an outsized role in law enforcement investigations, despite serious flaws that can lead to wrongful arrests and civil rights violations,” the senators wrote.

    The letter also explains a range of concerns Congress has about how ID.me will manage the vast amount of government documents provided by American taxpayers since the IRS started using the platform last summer. “We are concerned about whether taxpayers will be offered a meaningful choice to protect their biometric data, whether ID.me will properly manage the vast amount of biometric data provided by taxpayers, and whether there has been substantial oversight of this facial recognition technology since the launch of ID.me verification at the IRS last summer,” the letter added.

    The senators’ letter comes as 46 civil rights organizations continue the push to stop other government agencies at the federal and state level from using ID.me for vital services. ID.me says it is used by agencies in 30 states as well as by the Veterans Affairs Administration and Social Security Administration.

    Led by EPIC in partnership with Algorithmic Justice League and Fight for the Future, the organizations’ letter demands that all federal and state government agencies immediately end their use of ID.me and any other facial verification tools. It also highlights the lack of assessments by federal and state agencies to determine whether face verification technology has a disproportionate impact on marginalized groups, and argues that “sensitive biometric data should not be used to access government services.” The letter also asserts that ID.me’s recent announcement about offering a non-facial verification option to all users doesn’t adequately address the massive privacy and security concerns created by ID.me’s tools, arguing that “the vast majority of people are not aware of the risks associated with handing over their sensitive biometric information, and making this tech ‘optional’ puts the onus on the individual to have the right information about those risks.”

    Evan Greer, director of Fight for the Future, said in addition to ending all contracts, a full-scale investigation is needed to reveal how it came to be that US tax dollars were used “for such invasive and unsafe technology.” “The revelations about ID.me exploiting its workers, lying about its facial recognition technology, and continuing to recklessly amass millions of people’s personal data all point to the same conclusion: it’s irresponsible and unacceptable to do business with a company as shady as ID.me, much less allow it anywhere near our most personal information,” Greer said.


  • DOJ names first director of unit focused on cryptocurrency and crime

    The US Justice Department announced on Thursday that seasoned prosecutor Eun Young Choi has been chosen to lead the National Cryptocurrency Enforcement Team (NCET). Before working as senior counsel to Deputy Attorney General Lisa Monaco, Choi was an Assistant US Attorney for the Southern District of New York serving as the office’s Cybercrime Coordinator. She helped lead the investigations into a number of cybercrimes, including a hack involving J.P. Morgan Chase, while also prosecuting those connected to Coin.mx. 

    The Harvard graduate previously argued in the appeal case of Silk Road founder Ross Ulbricht and participated in the only US prosecution brought in connection with the “Panama Papers.” Choi is starting work in her new position at NCET today. “The department has been at the forefront of investigating and prosecuting crimes involving digital currencies since their inception,” said Choi, who will serve as director of NCET. “The NCET will play a pivotal role in ensuring that as the technology surrounding digital assets grows and evolves, the department in turn accelerates and expands its efforts to combat their illicit abuse by criminals of all kinds. I am excited to lead the NCET’s incredible and talented team of attorneys, and to get to work on this important priority for the department.”

    NCET was created last year to tackle “the criminal misuse of cryptocurrencies and digital assets,” with a focus on virtual currency exchanges, mixing and tumbling services, infrastructure providers, and other entities. Blockchain analytics company Chainalysis said last month that cybercriminals managed to launder at least $8.6 billion worth of cryptocurrency in 2021, a 30% increase compared to 2020. The company released another report this week highlighting the connections between cybercriminals and a vast crypto exchange infrastructure designed to launder stolen funds.

    The Justice Department is coming off a streak of successes. A DOJ restraining order revealed that $30 million was seized from NetWalker ransomware affiliate Sebastien Vachon-Desjardins, who was sentenced to seven years in prison for hacking several companies. Two weeks ago, the Department of Justice announced the seizure of more than $3.6 billion in cryptocurrency that was stolen during an attack on the Bitfinex cryptocurrency exchange in August 2016. The DOJ arrested 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan for their role in attempting to launder 119,754 bitcoin that were stolen during the attack on the Hong Kong exchange. Deputy Attorney General Lisa Monaco called the seizure the “department’s largest financial seizure ever.”

    Assistant Attorney General Kenneth Polite Jr. said NCET will serve as the focal point for the department’s efforts to tackle the growth of crime involving cryptocurrency. He called Choi an “accomplished leader on cyber and cryptocurrency issues” and noted that the problem has emerged as one of the most important the office deals with. “With the rapid innovation of digital assets and distributed ledger technologies, we have seen a rise in their illicit use by criminals who exploit them to fuel cyberattacks and ransomware and extortion schemes; traffic in narcotics, hacking tools and illicit contraband online; commit thefts and scams; and launder the proceeds of their crimes,” Polite Jr. said.