More stories

  • Singapore's Changi Airport is using digital certificates to speed up immigration checks

    Image: Affinidi
    Affinidi CEO Glenn Gore says he is optimistic that digital verification certificates will enable air travel to resume safely and securely. Speaking during the virtual Amazon Innovation Day on Wednesday, Gore pointed out that Singapore’s Changi Airport is proof that such a system can work. He noted that Affinidi’s Universal Verifier solution is currently used by the airport to digitally verify that travellers arriving in the country have tested negative for COVID-19 and hold any other required health credentials. “This solution is already live now. Actually, if you visit Singapore and pass through Changi Airport, we’ll be going through Affinidi’s Universal Verifier with immigration,” he said. “We recognise 15 different global standards today, so that for the immigration officer it doesn’t matter what country you’re coming from, [and they have] a consistent presentation of that information in a safe and secure way to allow free passage.”

    He explained that using a self-sovereign, verifiable identity solution removes the need for immigration to “deal with complex sets of information of different pathology reports from around the world”, while also enabling individuals to own and control whom they share their health data with.

    “Using verifiable credentials, the passenger experience starts with us booking our ticket online, just like we normally do. At the completion of purchasing that ticket, the airline is actually going to send me some instructions as to this new requirement where I need to go and visit a clinic, and take a COVID swab test … the clinic is going to issue me a COVID test result. In that test result will be a QR code that I can look at, along with the printed details,” Gore said. “I can head to the airport and the first experience I’m going to have is talking to the check-in agent, as I go to check in for my flight. They’re going to ask to see my credential, so that’s already on my device, and that airline agent is able to use universal verification to check the data that’s on my device safely and securely; they can see that it hasn’t been tampered with, that it’s not fraudulent, and apply this against rules engines that have all the rules for the source and destination countries that we go to,” Gore added.

    “Ultimately, they’re doing this to issue me a green tick saying I meet all of the entry requirements, so they can issue a boarding pass and I can get on that flight. When I arrive, I need to do an international border crossing, and again the immigration officer is going to want to see proof … so again, I’m going to use exactly the same QR code, and the immigration officer is going to scan that and apply it to exactly the same rules engine.”

    In addition to flights, Gore believes the system could be used for a range of other domestic scenarios, from checking into a hotel to entering large-scale sporting events and concerts, and “all the things we enjoyed before COVID”.

  • Macquarie Telecom earmarks AU$78m to build 'largest ever' data centre in Sydney

    Image: Macquarie Telecom
    Macquarie Telecom has announced it is building what it calls its “largest ever” data centre, to be based at the company’s existing Macquarie Park data centre campus in Sydney.

    According to Macquarie Telecom, it will invest an initial AU$78 million to build the core and shell of the new 32-megawatt Intellicentre 3 (IC3) Super West facility. The facility will be based in the Sydney North Zone at the company’s existing Macquarie Park Data Centre Campus and help bring the company’s total IT load at the campus to 50 megawatts. It will also be designed to connect with the IC3 East facility.

    The new facility will also be home to a new Sovereign Cyber Security Centre of Excellence, which according to the company will be responsible for monitoring and managing cybersecurity events around the clock. An initial 31 cyber specialists are expected to run and operate the centre by 2024. “This global scale data centre will be one of the most certified facilities in the region,” Macquarie Data Centres group executive David Hirst said, pointing out that IC3 Super West will be designed to adhere to a range of standards including ISO 27001, PCI DSS 3.2, ISO 45001, and ISO 14001. “Data is growing exponentially, and we have demonstrated time and time again our ability to deliver infrastructure to meet that growth. Our data centres are sovereign, secure and certified to manage Australia’s most important data and drive the digital economy,” Hirst added.

    Subject to board approval in early 2022, construction of phase 1 of IC3 Super West is expected to be completed by the second half of calendar year 2023.

    Plans for the IC3 Super West facility follow Macquarie’s completion of its IC5 Bunker facility in Canberra and of Phase 1 of IC3 East at its Macquarie Park Data Centre Campus. In June, Macquarie Telecom’s Canberra Campus was one of three providers certified by the Australian government to store sensitive data locally. The Digital Transformation Agency said the campus was certified against the requirements defined in the Hosting Certification Framework, which it has administered since March 2019.

  • The impact of Apple’s sideloading philosophy on developers

    Image: Apple
    On June 23, Apple unleashed messaging to explain why users should only install Apple-approved apps through its App Store on iOS. This is an extension of the US District Court case between Apple and Epic, where Apple positioned “sideloading,” the practice of installing apps outside its App Store, as dangerous. While it is true that Apple has led the industry in privacy — in particular making it difficult for businesses and rogue apps to obtain unnecessary personal information — connecting this messaging to non-Apple installs seems a bit of an overreach. Moreover, it sets up a challenging dichotomy for developers: Do you promise choice or reassurance as your app’s key marketing message?

    Smartphone As A “Pattern-Of-Life” Device

    Apple has cited at least one study saying, “[…] devices that run on Android had 15 times more infections from malicious software than iPhone.” In a June 16 interview, Tim Cook said that Android has 47 times more malware than iOS does. These are interesting numbers, given the relative sizes of the Android and iOS markets. Android has almost 73% market share worldwide, while iOS sits at just under 27%. As with the PC and Mac markets, it makes sense that the prime targets are those with the largest market share. However, this also brings up an interesting conundrum — there are billions of PCs and, pointedly, Macs in the world, and they don’t have locked ecosystems. Apple further argues that smart devices are carried with you all day, so they can gather more “pattern-of-life” details than traditional computers. But how well does this apply to iPads, which are just as mobile as iPhones, and which Apple is also positioning as traditional laptop replacements?

    What This Means For The Mobile Developer

    Regardless of messaging, Apple’s tactics have an impact on app developers. Small development shops may shudder remembering the hoops they jumped through to sign an iOS app before Xcode 8. Even today, some developers hold their breath when submitting to the App Store. In 2020, Apple says it rejected almost a million new apps. Of those, about half were misleading, violated privacy guidelines, contained undocumented features, or involved fraud. Regardless, as an iOS developer, you have two basic choices: ship using the App Store or not. If you are a smaller developer and want to monetize to any reasonable degree, you must use the Store. However, let’s say you’re not as worried about monetization — perhaps you are a larger organization with different needs. What options do you have to distribute your app outside the App Store?

    • Use the web. Despite the limitations that Apple has put on web APIs, you can still do a lot with JavaScript on Safari. Creating a progressive web app allows you to “install” it. You’ll have to walk your users through adding your icon to the home screen, but if you can live without push notifications, geofences, Bluetooth, serial connections, magnetometers, light sensors, NFC, and battery life (among other things), you can create code that runs in Safari. Microsoft recently did this to allow cloud streaming of Xbox games. The good news for web developers: biometric ID support was added in Safari 14 (PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable), and camera and microphone APIs were added in Safari 11 (MediaDevices.getUserMedia). Geolocation has been around since Safari 3 (Geolocation.getCurrentPosition).
    • Join the Apple Developer Enterprise Program. If your app is meant for employees of your company and you work with more than 100 employees, your company can apply to enter the Apple Developer Enterprise Program. This will permit you to ship your app to employees without going through the App Store. In the past, enterprise certificates were used to distribute apps outside an organization; now, Apple has said it reserves the right to review apps distributed via enterprise certificates.
    • Use ad hoc distribution. If you have a small number of high-value customers, you can distribute your app as a .ipa file that you generate and make available for download. Installation can be tricky: you will need to get the UDID of each device (up to 100) and entitle the devices in your account on developer.apple.com. Some developers point users to http://whatsmyudid.com/ to walk them through the process. You’ll also have to manage revoking and re-adding UDIDs and reissuing provisioning profiles on your own if your users switch devices.
    • Ship the source. Since 2015, Xcode has allowed you to build software for iOS devices without a developer account. Telling users how to download and install the Xcode binaries, and possibly the Xcode command line binaries if you want to automate an install, is not trivial. However, it does allow you to deploy your software to customer devices — if those customers have a Mac with a version of macOS that supports the Xcode version you want to use. Since users have your source, they are free to change it. You can package your code into a framework or library to reduce what users can modify.
    • Require a jailbroken device. This is extreme and limits your user base to those who have the technical skill to hack their device. There’s also the obvious concern of taking advantage of security defects to run arbitrary code, and there may not be exploits for all iOS devices. However, your more technical users may have already jailbroken. Jailbreaking requires a Mac, and some jailbreaks require that the phone remain tethered to a computer while booting. Once jailbroken, a user can install your app from a third-party app store — Cydia is a commonly used one.

    Of course, there’s also a sixth option, which we don’t recommend: give up on Apple. Given that Android apps will run not just on Android devices but now on Windows 11 desktops and laptops, that is an option for those who want to make their own decisions about security, privacy, and what they install.

    Really, it comes down to use case. For consumer-facing or information-worker apps, you likely have to abide by Apple’s sideloading philosophy. However, for task worker apps, where enterprises provision the device to employees or even business partners, sideloading flexibility has some value. If you are supporting franchisees or an extended network of suppliers, you have the option of preferring Android rather than navigating Apple’s restrictions. This post was written by Senior Analyst Andrew Cornwall, and it originally appeared here.

  • Cybersecurity organizations announce new first responder credentialing program

    Cybersecurity companies and organizations are banding together to create a cybersecurity first responder credentialing program designed to support both large and small organizations dealing with cyber incidents. The ISA Global Cybersecurity Alliance is working with CISA on the effort alongside the Incident Command System for Industrial Control Systems (ICS4ICS) and more than 50 other cybersecurity companies, universities and corporations. The groups will be incorporating FEMA’s Incident Command System framework for response structure, roles, and interoperability, according to a statement from ISA. Deloitte, Dragos, Ford Motor Company, Fortinet, Honeywell, Johnson Controls, KPMG, Nozomi Networks, Pfizer, Tenable, CyberOwl and Idaho State University are just a few of the organizations involved in the ISA Global Cybersecurity Alliance.

    “For many years, we’ve needed ICS4ICS, to enable collectively organized cyber and physical responses in a unified way. Credentialing cybersecurity first responders is an important milestone in this valuable public-private partnership,” said ISAGCA Advisory Board chairperson Megan Samford. Samford, who is also chief product security officer of Schneider Electric’s energy management business, said the groups have “developed an adjudication process and certified our first four responders.” The first round of credentials was given to Samford, CISA branch chief of cyber defense coordination Mark Bristow, FireEye senior manager of industrial control systems Neal Gay and the US Army Reserve’s Brian Wisniewski.

    “I’m proud to be one of them and stand ready to help companies recover from cyber incidents,” Samford added. FEMA’s Incident Command System framework is currently used in response to natural disasters, industrial accidents and other incidents, while the ICS4ICS methods are used by organizations to identify incidents, assess any damage, address immediate challenges, communicate with stakeholders and eventually resume operations.

    “The framework applies traditional Incident Command Systems best practices to cybersecurity incidents, ensuring common terminology and enabling diverse incident management and support entities to work together,” the groups said in a statement. “ICS4ICS provides clearly defined command structures, including standard roles needed in a response, and the framework can scale to support small or extremely large-scale incidents that impact many organizations.”

    A committee within ICS4ICS will manage the adjudication process, which the organization said will involve applications and candidate evaluations by a panel of incident command system subject matter experts. “The proven approach is vetted by industry companies and subject matter experts and the program has significant value for small to medium sized entities that do not have the time, finances, or personnel to assign a full-time cyber response unit, but still need to develop plans and train employees accordingly,” the groups said.

  • Amazon rolls out encryption for Ring doorbells

    Did you know that the handy video your Ring doorbell takes of anyone coming by your door isn’t private? If you get a Ring Protect Plan, not only are your videos kept in the Amazon Web Services (AWS) cloud, they are transmitted in the clear. A sufficiently motivated hacker, or your local police force, can easily watch who’s walking by your door. Until now. Starting today in the US (and soon, throughout the world), you’ll be able to encrypt your video stream to keep it private.

    This is done with Amazon’s Video End-to-End Encryption (E2EE). If you decide to install this optional privacy feature, you’ll need to install a new version of the Ring application on your smartphone. Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.

    Earlier, Ring already encrypted videos when they are uploaded to the cloud (in transit) and stored on Ring’s servers (at rest). Law enforcement doesn’t have automatic access to customer devices or videos; you choose whether or not to share footage with law enforcement. With E2EE, customer videos are further secured with an additional lock, which can only be unlocked by a key stored on the customer’s enrolled mobile device, so that only the customer can decrypt and view recordings on that device.

    In addition, you’ll need to opt into using E2EE. It doesn’t turn on automatically with the software update. You’ll also need to set a passphrase, which you must remember. AWS doesn’t keep a copy. If you lose it, you’re out of luck.

    Before using E2EE, you should know AWS hasn’t integrated E2EE fully into Ring’s feature set. In other words, there are many features — such as sharing your videos, viewing encrypted videos on Ring.com, the Windows desktop app, the Mac desktop app, or the Rapid Ring app, and the Event Timeline — that you won’t be able to use. E2EE also won’t work with many Ring devices. In particular, E2EE won’t run on Ring’s most popular, least expensive, battery-powered doorbells. Even with E2EE security, the police can ask for or demand your video and audio content. As Matthew Guariglia, an Electronic Frontier Foundation (EFF) policy analyst, has pointed out: “If your town’s police department has a partnership with Ring, you can also anticipate getting email requests from them asking for footage from your camera any time a suspected crime occurs nearby.”

    According to a Ring representative, Ring’s E2EE is designed so that even the company cannot decrypt your end-to-end encrypted video. That includes law enforcement officers, because the private keys required to decrypt the videos are stored only on customers’ enrolled mobile devices.

    Until recently, by default, police could send automatic bulk email requests to individual Ring users in an area of interest of up to half a square mile. Now, police can publicly post their requests to Ring’s Neighbors app. Guariglia also observed, “Ring’s default setup is primed to instill paranoia: Ring doorbells send you an alert whenever the motion activation is triggered, which means that your phone will buzz every time a squirrel, falling snow, a dog walker, or a delivery person set off the Ring.” Many people now believe, for example, that violent crime is worse than ever in the US. That’s simply not true.

    Privacy, on the other hand, is under siege. If you value your privacy, and you still like the convenience of Ring, I encourage you to use E2EE. I will be.

  • Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed

    Microsoft has released 117 security fixes for software including a remote code execution (RCE) vulnerability in Exchange Server found by participants of the Pwn2Own competition.

    The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for 117 flaws tackling RCEs, privilege escalation, spoofing, memory corruption, and information disclosure. Thirteen are considered critical and nine are zero-days — with four under active exploit. Products impacted by Microsoft’s latest security update, issued on July 13, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows Kernel, and Windows SMB.

    Some of the most interesting vulnerabilities resolved in this update are:

    • CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own.
    • CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, requiring a victim to visit a malicious website or click a malicious link.
    • CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.
    • CVE-2021-34458: A Windows Kernel RCE which permits a single root input/output virtualization (SR-IOV) device, assigned to a guest, to potentially tamper with PCIe associates.

    The latest round of patches comes just a week after an emergency fix was issued by Microsoft to rectify a security flaw nicknamed “PrintNightmare.” Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of an RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released. In total, four of the vulnerabilities — CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 — are listed as exploited in the wild.

    Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet’s FortiGuard Lab, among other organizations, for reporting the now-patched security flaws. A number of vulnerabilities were also reported by the Microsoft Threat Intelligence Center (MSTIC). According to the Zero Day Initiative (ZDI), which reported 17 of the bugs, this month’s volume of fixes “is more than the last two months combined and on par with the monthly totals from 2020.” Last month, Microsoft resolved 50 vulnerabilities in the June batch of security fixes. These included seven zero-day bugs, six of which were reported by the Redmond giant as being actively exploited. A month prior, the tech giant tackled 55 security flaws during May Patch Tuesday, four of which were deemed critical, and three were zero-days. Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.

  • REvil websites down after governments pressured to take action following Kaseya attack

    Security researchers are reporting that all of the dark web sites for prolific ransomware group REvil — including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation portal — are offline. It is still unclear what caused the outages, but dozens of theories were floated online.

    On Friday, US President Joe Biden made news when he said he spoke directly to Russian President Vladimir Putin following REvil’s massive ransomware attack on Kaseya that affected almost 1,500 organizations. “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said. “And secondly, we’ve set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country. And so it went well. I’m optimistic.”

    White House officials are expected to meet with members of the Russian government to discuss ransomware this week. While some security researchers believe the group may have taken their own websites down, either because of internal squabbles or fear over increased law enforcement scrutiny, others think it may be the result of official actions taken by government agencies. “We all want to believe it is law enforcement, but this is a pretty extensive takedown across multiple providers,” said Allan Liska, a ransomware expert and CSIRT at Recorded Future.

    “This early on the more likely scenario is that it is a self-directed takedown. But I wouldn’t rule out ‘self-directed after a conversation with the Kremlin.’ We’ve been speculating about this since the Kaseya attack: Biden gets a win because a major ransomware gang is gone, Putin gets a win because he ‘helped’ and REvil gets to keep all of their money (and their heads). The timing, the day before the next ransomware summit tomorrow, also lines up. But, that is all speculation.”

    Jake Williams, CTO at BreachQuest, added that ransomware gangs operating in Russia “were on borrowed time the second Colonial was hit,” explaining that the Russian government didn’t care about the cybercrime occurring within its borders as long as it didn’t impact Russia itself. “That has clearly changed – the Russian government can clearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so many groups have (likely including REvil itself), or something else is unknown at this point,” Williams said.

    The Digital Shadows Photon Research Team has been scouring Russian-language forums for chatter about the outage and said that while discussion is limited, “some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities.” “Some predicted that the group will reappear under another name or split into smaller groups to attract less attention,” the team said. “The inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than that of other ransomware groups. The outage could be down to temporary technical issues or upgrades, or it could signify a law enforcement disruption of the group’s operations. REvil’s representatives have not appeared on high-profile Russian-language cybercriminal forums for several days.”

    Others, like Check Point Software spokesperson Ekram Ahmed, compared the situation to the DarkSide ransomware group, which shut down its operations in May after its attack on Colonial Pipeline drew global headlines and outrage in the US. DarkSide also saw some of its infrastructure disrupted by US law enforcement agencies after the attack. “Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they’ve undergone recently from the Kaseya, Colonial Pipeline and JBS attacks,” Ahmed explained. “It’s possible that REvil has gone into ‘retirement’, or at least a temporary one, as they did with the GandCrab ransomware a few years ago.”

    REvil has attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more. Egnyte cybersecurity evangelist Neil Jones said people should be wary of celebrating the group’s potential downfall because new ransomware infrastructure can be brought online quickly. Steve Moore, chief security strategist at Exabeam, theorized that the outage “could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise.” “If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work,” Moore said. “Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations.”

  • Facebook announces time bonus payouts for bug hunters

    Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it’s found and reported by bug hunters. 

    Essentially, Facebook is acknowledging that it’s sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community. The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for a successful reproduction of the report and its impact, Facebook said. The bonuses will be paid on a sliding scale, with payouts made between 30 and 59 days receiving a 5% bonus; payouts made between 60 and 89 days receiving a 7.5% bonus; and payouts made at 90 days or more receiving a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

    Facebook has always maintained a friendly relationship with the infosec community, and is one of the few companies managing its own bug bounty program. Facebook is known for offering large payouts on a regular basis, and for often open-sourcing security-focused tools.

    After the Cambridge Analytica scandal, Facebook intensified its efforts to improve the security of its main platform and mobile apps, as well as its adjacent third-party app ecosystem. In 2018, Facebook started paying significant bug bounties to researchers who discovered exposures of user data in popular Facebook third-party apps and games. The following year, the social network expanded its bug bounty program to offer rewards for finding cases where third-party services exposed Facebook user access tokens. Around the same time, Facebook also began offering rewards of up to $40,000 to researchers who found vulnerabilities that could lead to account takeovers.

    Facebook stepped up its efforts to woo bounty hunters last year with the launch of Hacker Plus, the first-ever loyalty program for a tech company’s bug bounty platform. Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports.