More stories


    Microsoft just published a workaround for this important Windows 10 flaw

    Microsoft has released a workaround for a privilege elevation flaw that affects all versions of Windows 10 and could give attackers the ability to access data and create new accounts on systems. Microsoft this week confirmed a serious elevation of privilege flaw, tagged as CVE-2021-36934, that could allow a local attacker to run their own code with system privileges. 

    While the bug is important, the attacker must have already gained the ability to execute code on the target system in order to exploit the flaw, according to Microsoft.

    The bug affects the Security Accounts Manager (SAM) database in all versions of Windows 10 from version 1809. It may be more urgent to patch or mitigate because details of the flaw are publicly available.

    The SAM database is a sensitive component of Windows 10 since it is the location for storing user accounts, credentials and domain information. While credentials are hashed in SAM, the flaw gives attackers the opportunity to exfiltrate the hashed credentials and crack them offline.

    “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft says in an advisory.

    “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

    Per The Record, the flaw was found by Jonas Lyk over the weekend. The issue is being referred to as SeriousSAM. Lyk discovered that shadow copies of SAM were available for attackers to exploit while probing a preview of Windows 11, Microsoft’s next version of Windows.

    Security firm Blumira explains why CVE-2021-36934 is a serious flaw. “The SYSTEM and SAM credential database files have been updated to include the Read ACL set for all Users for some versions of Windows,” the company notes in a blog post. “This means that any authenticated user has the capability to extract these cached credentials on the host and use them for offline cracking, or pass-the-hash depending on the environment configuration.”

    The US CERT Coordination Center notes several more ways the bug can impact affected Windows 10 machines. An attacker could:

    • Extract and leverage account password hashes.
    • Discover the original Windows installation password.
    • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
    • Obtain a computer machine account, which can be used in a silver ticket attack.


    Why you need to update your iPhone and iPad now

    It seems that a delay in Apple pushing out the iPadOS 14.7 update was also responsible for the delayed publication of the security content of both iOS and iPadOS 14.7. But now that iPadOS has been released, we have the full picture… and yes, you need to update, and do it promptly.

    We already knew that the Wi-Fi bug that could cause denial of service was addressed, but there are over two dozen more bugs fixed in these releases. For example, there are four WebKit bugs, three of which could allow a malicious webpage to run code. The Measure app — do you even use that app? — has seven vulnerabilities fixed, and there’s also a fix for a Find My bug that may allow a malicious application to access Find My data.

    This is a pretty big set of bugfixes, on top of the items listed in the release notes:

    • MagSafe Battery Pack supports iPhone 12, iPhone 12 mini, iPhone 12 Pro and iPhone 12 Pro Max.
    • Apple Card Family adds the option to combine credit limits and share one co-owned account with an existing Apple Card user.
    • The Home app adds the ability to manage timers on HomePod.
    • Air quality information is now available in Weather and Maps for Canada, France, Italy, Netherlands, South Korea, and Spain.
    • The Podcasts library allows you to choose to see all shows or only followed shows.
    • Share Playlist menu option missing in Apple Music.
    • Dolby Atmos and Apple Music lossless audio playback may unexpectedly stop.
    • The battery service message that may have disappeared after reboot on some iPhone 11 models is restored.
    • Braille displays could show invalid information while composing Mail messages.

    To install the update, go to Settings > General > Software Update and download it from there.


    Lack of cyber in Australian supply chain resilience plan has IBM concerned

    Earlier this year, Australia’s Productivity Commission released an interim report that looked into vulnerable supply chains, focusing on imports. A final report is now sitting with the government and is expected to focus on exports.

    The purpose of the work led by the Productivity Commission is explained as examining the nature and source of risks to the effective functioning of the Australian economy and Australians’ wellbeing associated with disruptions to global supply chains, and identifying any significant vulnerabilities and possible approaches to managing them.

    “Improvements in technology and trade liberalisation have made it easier and cheaper to source many goods and services from overseas. This has brought benefits from specialisation and economies of scale. It has also lifted the complexity of supply chains — modern supply chains often rely on inputs from across the globe and can consist of thousands of firms,” the report [PDF] said, using the Toyota supply chain, which consists of over 2,100 suppliers, as an example.

    “This intricate web of economic interdependencies means that a supply chain is potentially exposed to the many types of shocks that can affect every business, both in Australia and overseas: Geopolitical (for example, a trade war), environmental (a natural disaster), economic (a financial crisis), societal (a pandemic), and infrastructure-related (cyber attacks).”

    While the interim report was prepared ahead of the Colonial Pipeline and Kaseya ransomware attacks, and in the same month as when the details of the Microsoft Exchange vulnerabilities emerged, it was compiled with knowledge of many other cyber incidents affecting supply chains, but it was still light on the “cyber”.

    In its submission [PDF] to the Productivity Commission, IBM said cybersecurity should be highlighted as the biggest risk to supply chain productivity. It said, however, that part of the challenge was that there is no single, functional definition of supply chain security, and that mitigating this risk would be a “moving target and mounting challenge”.

    “Supply chains are increasingly complex global networks comprised of large and growing volumes of third-party partners who need access to data and must provide assurances they can control who sees that data,” it wrote. “Further challenges are introduced by today’s constraints on staff, budgets, rapid unforeseen changes to policy or geopolitics, partner strategies, and the supply and demand mix.”

    Big Blue called out the interim report for only making cursory mention of both cyber attacks as an infrastructure-related risk and broader technology implications. The report does mention some technology implications; however, these are limited to the Internet of Things and cyber risk.

    “This is a significant gap,” it said. “Widespread situational awareness across supply chain elements is needed so that any vulnerabilities are quickly discovered and remediated, and any consequences of exploitation be detected as soon as possible.”

    “Security should not be seen as a separate consideration to any of the technology or infrastructure concerns above, but as overall embedded ‘security by design’ across the supply chain network.”

    In addition to mentioning IoT, the report also touched on blockchain and artificial intelligence.

    “Technological advances have made it easier for firms to understand their supply chains. Advances in tracking technologies, data analytics, and machine learning have made it easier to predict where and when disruptions might occur. These advances have also made it easier to access real-time information about disruptions, facilitating a quicker response and recovery,” the report said.

    One of the risks and costs associated with the use of IoT, the report said, was the increased vulnerability of a chain to cyber attacks. It also said blockchain has applicability in record-keeping, for example to track the origin of goods and establish trust in shared supplier information. For AI, the report noted many companies have used the tech to automate many aspects of supply chain management, including warehouse operations, transport and logistics, and inventory management.

    IBM would argue the use of AI, blockchain, and adopting cyber resilience centres — such as the one underway at the Port of Los Angeles, in partnership with IBM — demonstrated a security-by-design approach and ensured that risk management could be a key factor in the supply chain enabled by technology.

    “It’s critical that this risk management approach considers all elements of the supply chain, so that maturity can rise equally and therefore limit opportunities for adversaries to exploit any link in the chain,” IBM said.

    Elsewhere in IBM’s submission, it said “infrastructure needs to give greater attention to how emerging technology is mutually exclusive to IT systems”.

    “With a focus on maintaining supply chain productivity, Australia cannot afford to simply ‘react’ to another ‘black swan’ event (eg, another pandemic). Whilst technology investment is inevitable to drive resilience and transparency, this topic should be considered from two capabilities: Becoming cognitive (adopting a level of AI, blockchain, IoT, and automation maturity); and on the cloud (embracing a combination of public, private, and mainframe modernisation),” it wrote. “Supply chain workflows are ideal to leverage AI, blockchain, IoT, and automation to reach new levels of responsiveness. These workflows challenge siloed processes allowing supply chains to work as a consortium rather than individual partnerships.”


    China bans children under 16 from appearing in live-streaming and online video content

    The Cyberspace Administration of China (CAC) on Wednesday passed a special action to ban people under the age of 16 from appearing in content within online live-streaming and video platforms.

    The special action explains that digital platforms will be required to clear various content where minors are involved, which includes gaming, fundraising, violent, and vulgar content. In addition, digital platforms have been called on to investigate cyberbullying and violent behaviours that reside within their communities, forums, or groups.

    The special action was made in response to soft pornographic images of children appearing on various digital platforms, such as Kuaishou, Tencent QQ, Taobao, Sina Weibo, and Xiaohongshu, the CAC said. All of these platforms have been fined for displaying the content, while also being ordered to remove flagged content and ban accounts that show this type of content. According to the CAC, the flagged content was used as part of efforts to garner traffic and views.

    The CAC added that moving forward it would take a “zero tolerance” approach towards enforcing these new rules, with the internet regulator saying companies would need to more carefully monitor the content present on their digital platforms.

    The crackdown on inappropriate content involving minors comes shortly after the government publicly made known it was ramping up scrutiny against local tech giants.

    At the start of this month, China’s State Council issued a statement indicating it would crack down on the corporate sector across a range of areas, spanning from anti-trust to cybersecurity to fintech.

    A day prior to that statement being made, Didi was removed from Chinese app stores following an order from the government to do so, with the CAC releasing a statement that it had put Didi under a cybersecurity review to “prevent national data security risks” and safeguard the public interest.

    Beyond Didi, other Chinese tech giants like Alibaba and Tencent have come under government scrutiny in recent months, with Alibaba being hit with a record 18.2 billion yuan fine. 33 other mobile apps have also been called out by Beijing for collecting more user data than deemed necessary when offering services.


    Modi government accused of spying on critics and opponents using Pegasus spyware

    Just when Narendra Modi’s Hindu nationalist government is trying to recover from widespread international and local condemnation for its culpability in India’s COVID apocalypse, it is now being derided for what some are calling India’s Watergate.

    A powerful surveillance tool called Pegasus, made by Israeli firm NSO and licensed only to governments, was allegedly used in India to snoop on the mobile phones of up to 1,000 people over the past six years, according to a groundbreaking global collaborative investigation by a consortium called the Pegasus Project. The Project comprised more than 80 journalists working for 17 media organisations around the world, including the Guardian, India’s The Wire and the Washington Post.

    Indian targets were people from a variety of professions, including journalists, political opponents, or critics of Modi’s policies. Opposition party leader Rajiv Gandhi was reportedly selected twice for surveillance. So was ace political strategist Prashant Kishor, who helped Modi win the 2016 election but has since become a critic of the politician. Kishor recently engineered a stunning defeat of Modi and the BJP in the West Bengal state elections, but little did he know at the time that his phone had been hacked up to the day it was examined for breaches, according to the report.

    Social justice and labour activists who have pushed back against what they see as anti-democratic and regressive laws over the last few years were also reportedly targeted by the surveillance tool, along with Tibetan Buddhist clerics, and the head of the Bill and Melinda Gates Foundation. All up, around 1,000 numbers were apparently listed for surveillance, but the investigation could not provide a precise figure unless devices were examined.

    The Indian government has strongly rejected the report. “The allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever,” India’s ministry of electronics and information technology said in a statement. “Any interception, monitoring, or decryption of any information through any computer resource is done as per due process of law.”

    NSO Group, the maker of Pegasus, has also strongly denied any involvement and said that “NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations”.

    WHAT IS PEGASUS?

    In Greek mythology, Pegasus is known for being a white-winged horse, but these days the Israeli spyware of the same name may be the better known of the two. The spyware allows customers to hack into mobile phones and peek into messages, camera feeds, and microphones — in other words, a person’s entire life. The developer of the tech, NSO, says it flogs the software to governments as a tool to fight terrorism and crime.

    It isn’t clear how many of the thousand or so numbers selected for surveillance in India were actually snooped upon. However, the Washington Post reported that forensic analysis of a sample of 22 smartphones in India for evidence of hacking revealed that 10 had been successfully infected with Pegasus. Eight of the remaining 12 phones tested as inconclusive; all of those were Android phones, which apparently do not log the information required to detect the intrusion.

    All in all, 50,000 such phone numbers around the world belonging to politicians, judges, lawyers, teachers and others have apparently been tapped by various governments. Currently, this ignominious club includes the governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, the United Arab Emirates, and India.

    The bank of 50,000 numbers around the world was first accessed by the nonprofit journalism organisation Forbidden Stories and Amnesty International before they both later roped in media organisations to be part of the Pegasus Project. Forbidden Stories coordinated the investigation while Amnesty International’s Security Lab spearheaded the forensic analyses.

    While the Indian government has strongly refuted the report, observers have pointed out that any plans to snoop on citizens have to be approved by senior officials at the Home Ministry, which means they do not require judicial oversight to go ahead.


    Singapore neglecting smart nation roots in COVID-19 fumble

    For years it has pushed an ambitious plan to lead the global stage with its unabashed adoption of technology, but Singapore now appears to have forgotten its smart nation roots amidst a current COVID-19 outbreak. In managing the spread, the government could have leveraged the strides it made in using data and technology; instead, it has chosen simply to revert to tighter restrictions that may erode public confidence and have long-term impact on local businesses.

    Just weeks before, Singapore had championed its vision of an “endemic norm” where COVID-19 could be managed as a less threatening disease, much like influenza or chickenpox. “The bad news is that COVID-19 may never go away. The good news is that it is possible to live normally with it in our midst,” the country’s COVID-19 taskforce, comprising its health, finance, and trade ministers, wrote in an opinion piece published June 24 by local daily The Straits Times.

    The team laid out a roadmap to get the nation towards this “new norm”, which centred on vaccination, testing, treatment, and social responsibility. “History has shown that every pandemic will run its course,” the ministers argued. “We must harness all our energy, resources and creativity to transit as quickly as we can to the desired end-state. Science and human ingenuity will eventually prevail over COVID-19.”

    However, it seems the virus continues to prevail as Singapore on July 22 reverts to restrictions from which it had emerged just a month ago, with F&B dine-in barred and social gatherings limited to two. Only days earlier, the government had said it would allow dine-in to continue for up to two in a group, or five if everyone in the group were vaccinated. The latest lockdown came as two large clusters surfaced in the local community, pushing daily infections from single-digit figures less than two weeks ago to 182 on July 20 and 179 on July 21.

    Health Minister Ong Ye Kung last week said hospital capacity, specifically intensive care units (ICUs), was a key consideration in deciding Singapore’s safety measures. If capacity was under pressure, measures would need to “tighten up” so capacity could be preserved and hospitals could function properly, Ong said.

    However, even with the spike in daily cases, the number of ICU patients had remained at one, and the number of patients needing oxygen supplementation had also stayed at five for the past five days. According to Ong, Singapore has an ICU capacity of some 1,000 beds for COVID-19 cases, which clearly is far from being under pressure at the current numbers. The country also is on track to have two-thirds of the population fully vaccinated by August 9, up from the 49%, or more than 2.7 million people, that currently are vaccinated. To date, more than 6.8 million doses of the COVID-19 vaccine have been administered.

    As further indication that we’re in better shape today than we were 18 months ago, people I speak with today are less concerned about falling critically ill from catching COVID-19 than they are about the inconvenience of having to quarantine if they come into close contact with an infected individual.

    So it’s baffling why the government has deemed it necessary to reinstate restrictions now, so prematurely, and so soon after it preached the need for its population to accept living with a new endemic norm. The knee-jerk reaction suggests a sense of panic and risks eroding public confidence that this vision of a new norm can actualise.

    Technology can facilitate new endemic norm

    More importantly, there are opportunities here for Singapore to better leverage its aggressive adoption of technology, especially in the past 18 months since the start of the pandemic. For one, it had invested significant efforts in developing and pushing the rollout of TraceTogether, its COVID-19 contact tracing platform. The adoption rate of the app and token has hit more than 90% of the local population. It is widely used alongside SafeEntry, a digital check-in tool that collects visitors’ personal data when they enter venues such as supermarkets, restaurants, shopping malls, and workplaces.


    This can be integrated in the backend with HealthHub, a healthcare portal and mobile app that enables citizens to manage and view their medical information, including their vaccination status. Together, they could be used to facilitate, for instance, a mandate to provide entry only to vaccinated individuals at these locations and all other venues, such as hawker centres and food courts, that the government identifies as essential in containing any potential outbreak.

    An integrated TraceTogether, SafeEntry, and HealthHub system should be set up to automatically pull only the visitor’s vaccination status, so any data security risks can be mitigated and privacy concerns quelled. When the individual’s vaccinated status is verified, the reader automatically beeps green, and the visitor is cleared to enter the venue. This will ease the burden on business owners and venue operators of manually checking every visitor’s vaccination status and minimise human error in carrying out such checks.

    Above all, mandating vaccinated-only entry will encourage recalcitrant individuals to get their shots and compel them to also exercise social responsibility along with the rest of the local population. In particular, the COVID-19 ministerial taskforce has highlighted the urgent need to push vaccination rates among the elderly, of whom some 200,000 above 60 years remain unvaccinated.

    The health ministry also has collected at least a year’s worth of data on COVID-19 cases, and there is a corresponding timeline’s worth of contact tracing data, thanks to the early rollout of TraceTogether. Here, machine learning and artificial intelligence (AI) can be applied against geosocial data, so vulnerable groups such as the elderly can be quickly identified in emerging clusters and isolated. AI-powered forecasts can further help with healthcare resource management. In the UK, for instance, the NHS in February began trials of a machine-learning system to anticipate demand for equipment such as ICU beds and ventilators triggered by COVID-19.

    Singapore already has earmarked AI as a critical technology that can create economic value and enhance citizens’ lives, investing significant resources in driving its development and adoption here. Hence, it shouldn’t be a far reach to leverage this in its COVID-19 efforts. Given enough thought, I’m pretty sure there are several other ways technology can be better used to help Singapore navigate its way towards a new endemic norm, ways that may prove more effective than simply rolling restrictions in and out whenever a cluster deemed big enough emerges.

    As it is, businesses have shuttered and others struggle to cope with the disruptions. Small F&B businesses, in particular well-loved hawkers that are passed down over generations, also risk folding under the COVID-19 curbs, taking with them decades-old recipes and heritage.

    There is a clear case study to be learnt here for business leaders. It is pointless having a strong vision and policy roadmap if you lack the gumption and stamina to see it through. And when there’s panic at the top, it can trickle down to the rest of the organisation. It also suggests a lack of resilience and resolve amongst the leadership team, who really should be navigating the ship with conviction rather than without it.

    Ironically, Singapore last September retained its pole position for the second year in a global smart city index, thanks partly to its use of technology in combating the COVID-19 pandemic. The IMD-SUTD Smart City Index, which is a collaboration between IMD and Singapore University of Technology and Design (SUTD), defines a smart city as “an urban setting that applies technology to enhance the benefits and diminish the shortcomings of urbanisation for its citizens”. Can it continue to do so as it attempts to shift towards a new endemic norm? With its smart nation strides, Singapore is in a good position to do so, if it harnesses all its “energy, resources, and creativity” so “science and human ingenuity” will eventually prevail.


    UK national arrested in Spain after DOJ indictment for Twitter hack

    The Justice Department announced that 22-year-old Joseph O’Connor has been arrested by Spanish National Police in Estepona, Spain, after he was indicted for allegedly hacking into Twitter and taking over prominent accounts like those owned by President Joe Biden and former President Barack Obama.

    O’Connor was charged in the US District Court for the Northern District of California with three counts of conspiracy to intentionally access a computer without authorization and obtaining information from a protected computer, along with six other counts. O’Connor is also facing charges for cyberstalking a juvenile victim and for his involvement in an effort to take over TikTok and Snapchat user accounts.

    According to a lengthy report released by the New York State Department of Financial Services in October, O’Connor and at least three others pretended to work for Twitter’s Information Technology department in July 2020. The hackers called employees purporting to be part of the IT team addressing VPN issues “and then persuaded employees to enter their credentials into a website designed to look identical to the real VPN login website.”

    From there, the hackers gained access to Twitter’s backend and used prominent accounts of politicians and celebrities to trick people into sending them Bitcoin. “I am giving back to the community,” the messages said before providing a link. In addition to Obama and Biden, the hackers also took over the accounts of Benjamin Netanyahu, Warren Buffett, Bill Gates, Elon Musk, Michael Bloomberg, Kim Kardashian and Kanye West.

    Twitter shut down all of the accounts once the scam tweets were sent out. The hackers only ended up stealing about $118,000 worth of Bitcoin and were only able to access the direct messages of about 30 of the accounts they stole, according to the report. The DOJ said it worked with the FBI, Secret Service and IRS-Criminal Investigation Cyber Unit on the case, as well as the UK’s National Crime Agency.

    Graham Ivan Clark, a Florida 17-year-old, pleaded guilty to a raft of charges related to the hack and was given a three-year prison sentence. In addition to O’Connor and Clark, UK national Mason Sheppard is also facing charges, along with Florida resident Nima Fazeli.

    Twitter has faced significant backlash from regulators concerned about how easy it was for four people — two of whom were teenagers at the time — to gain access to the accounts of some of the world’s most powerful people. “The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer,” New York state official Linda Lacewell said in a statement.


    Japanese government official says Olympic ticket data leaked

    A government official told Kyodo News on Wednesday that login IDs and passwords for the Tokyo Olympic ticket portal had been posted to a leak website following a breach. The official said the leak was “not large” but admitted that the IDs and passwords would give someone access to a person’s name, address, bank account information and more.

    Speaking anonymously, the government source said the body organizing the Games has launched an investigation. The leak also included names, addresses and bank account information of people who bought tickets to the Paralympics, as well as another portal for volunteers. They did not say how many accounts had been leaked.

    The news came one day after the FBI released a private industry alert urging organizations working with the Tokyo 2020 Summer Olympics to prepare for a wave of “DDoS attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics.”

    “Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security,” the FBI notice said on Tuesday. “The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.”

    The notice goes on to reference the Pyeongchang cyberattack that took place during the last Olympics in February 2018, where Russian hackers deployed the OlympicDestroyer malware and damaged web servers during the opening ceremony. The hackers “obfuscated the true source of the malware by emulating code used by a North Korean group, creating the potential for misattribution,” according to the notice. In October, the Justice Department indicted six Russian intelligence operatives for the attack on the Pyeongchang Games.

    In addition to widespread spearphishing campaigns and more targeted ones aimed at Olympic officials in Japan, the notice also warns of potential attacks on “hotels, mass transit providers, ticketing services, event security infrastructure or similar Olympics support functions.” The FBI added that two months ago, Japanese IT giant Fujitsu reported a breach that leaked data from many of its government clients, including the Tokyo 2020 Organizing Committee and the Japanese Ministry of Land, Infrastructure, Transport, and Tourism.

    In October, the UK released a similar warning explicitly naming the Russian government as the backer of a widespread campaign to launch attacks against the coming Olympic Games. Foreign Secretary Dominic Raab said Russia’s military intelligence service, the GRU, was conducting “cyber reconnaissance” against officials and organizations at the 2020 Olympic and Paralympic Games. He added that the GRU’s actions against the Olympic and Paralympic Games were “cynical and reckless.”

    Tony Cole, CTO of Attivo Networks, said that in discussions with Olympic organizers focused on cyberdefense in Rio 2016 and Tokyo 2021, some told him that even years of preparation may not be enough to protect everything. “Well-resourced and determined adversaries will find a path into the environment sooner or later, so early detection is the key to countering these attacks and mitigating possible impacts,” Cole said.