More stories

  • Costco says card skimmers were found at Chicago-area warehouses, less than 500 people affected

    Costco has confirmed a card skimming attack that forced them to send out notification letters to victims last week. In a statement to ZDNet, the global retail giant said that in August, they discovered five card skimmers on payment card devices in four of their Chicago-area warehouses. 

    “We promptly removed the skimmers, notified law enforcement, and engaged a forensics firm to analyze the devices,” a Costco spokesperson said. “It appears that these skimmers had the ability to capture information on the magnetic stripe of a payment card, including name, card number, expiration date, and CVV. We identified the members who conducted swipe payment card transactions on the affected devices during the relevant time period and notified them individually. We also offered them complimentary credit monitoring and identity theft-related services,” the company added.

    The spokesperson said less than 500 customers were affected by the situation and that all of the customers were notified by letter on November 5. The company believes the attack took place in August but did not answer questions about how long they believe the card skimmers were active. Costco inspectors did not find similar card skimmers at any other locations, according to their spokesperson. Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

    Multiple people from across the globe took to social media over the past few weeks to complain about fraudulent charges tied to their Costco credit cards or accounts. Others said they began to see the charges after using their cards at Costco locations, particularly Costco gas stations. “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!”

    The letter Costco sent to the hundreds of victims they believe were affected by the card skimming attack advises the victims to call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services which include 12 months of credit monitoring, a $1 million insurance reimbursement policy, and ID theft recovery services.

  • Time to upgrade? Windows 10 version 2004 support ends soon

    Microsoft has reminded users to upgrade from Windows 10 version 2004, the April 2020 Update, which reaches end of life on December 14, 2021. This means no more security or quality updates for that version of Windows 10 after the December 2021 Patch Tuesday update, Microsoft notes in a new blog post. Windows 10 version 2004 was released in April 2020.

    For those who choose to remain on Windows 10, the two main versions are Windows 10 version 21H1, aka the May 2021 Update, and the soon-to-be released Windows 10 version 21H2, the November 2021 Update. Microsoft appears to be aiming to release it in November, but it’s already mid-November.

    Windows 10 version 21H2 will be a minor update containing a “scoped set of features focused on productivity and security, prioritized to meet based on your feedback,” Microsoft says. Version 21H1 reaches end of life on 13 December, 2022 for Home, Pro, Pro Education and Pro for Workstations. Enterprise and Education editions reach end of life on the same date.

    Windows 11 is being offered to more devices as Microsoft gradually ramps up availability for its latest OS. It’s expected to be a slow rollout due to Microsoft’s minimum hardware requirements. However, that should accelerate if more consumers and businesses buy new hardware.

    As a reminder, Microsoft notes that Windows 11 will get annual feature updates scheduled for the second half of the year and comes with 24 months of support for Home, Pro, Pro for Workstations, and Pro Education editions; and 36 months of support for Enterprise and Education editions. Microsoft is sticking with its regular Patch Tuesday updates for security fixes on the second Tuesday of each month. Windows 10 users can install Microsoft’s PC Health Check app to see if their hardware meets Microsoft’s requirements for the Windows 11 upgrade. Microsoft says it will continue to support Windows 10 until October 2025. What happens to feature updates between 21H2’s release and 2025? Microsoft hasn’t said whether or not it will continue to make two feature updates per year for Windows 10 after 21H2. 


  • China looks to classify online data in draft security laws

    China has released draft regulations that seek to classify online data based on, amongst other things, their importance to national security and the public interest. Data protection requirements would then be tied to this classification. The Cyberspace Administration of China (CAC) on Sunday unveiled a set of laws that included a proposed data classification and security framework. It is seeking public feedback on the draft legislation through to December 13. The regulator said the proposed rules would better safeguard the legal rights of individuals and institutions as well as national security and public interests, reported state-owned newspaper Global Times.

    Under the draft regulation, data would be classified into three main categories–core, important, general–according to their impact and importance to national security, public interest, or legal rights and interests of individuals and organisations.  Citing industry observers, the report noted that data from a military aircraft or airports would be classified as core data, while cargo transportation information at civil airports would be important data, and data on general flights would be considered general data.  The proposed legislation, which comprised nine chapters, further detailed requirements on how data must be secured according to their classification.  It also outlined how data collected inside China should be transferred overseas, including notifying the owners of such data with details about the recipients, such as their name and contact information as well as the purpose for the data transfer.

    The draft law further stipulated that fines of up to 10 million yuan ($1.56 million) could be meted out if rules governing the transfer of data to markets outside of China were breached. Biometric data, such as face, fingerprint, gait, and voice, also should not be used as the only means of personal identification, according to the draft legislation. This aimed to restrict efforts to compel individuals to provide their personal biometric data. The proposed law also stated the inclusion of data security incidents as part of the national cybersecurity incident emergency mechanism, which meant such measures should be activated and rolled out in a timely manner to mitigate potential damage and security risks. In addition, organisations must not refuse to provide services or “hinder” normal services should data owners choose not to consent to the collection of personal information not deemed necessary for the provision of such services.

    IPOs in Hong Kong may require cybersecurity review

    The draft regulation also would require organisations whose data-processing activities would or might affect national security to undergo a cybersecurity assessment if they were looking to list in Hong Kong, reported South China Morning Post (SCMP). If passed, this could introduce another layer of regulatory oversight for Chinese tech companies such as Bytedance and Didi Chuxing that might be considering an IPO in Hong Kong. The proposed laws did not detail criteria that would constitute national security concerns, but listed a range of “important data” that might be considered as such, including unpublished government data, scientific research, data on genetics, and data on key sectors such as telecoms and energy, SCMP noted.

    The legislation was designed to be implemented alongside China’s other regulations that govern data use and collection, namely the 2017 Cybersecurity Law as well as the Data Security Law and Personal Information Protection Law (PIPL) that were passed this year. Passed in August, PIPL came into effect November 1, laying out ground rules around how data is collected, used, and stored. It applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data.

    PIPL encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct “personal information protection impact assessments”. Violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For “serious” cases, Chinese authorities also can dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked.

  • Bad form: FBI server sending fake emails taken offline and fixed, no data impacted

    The FBI has placed the blame for a weekend fake email incident on a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) that allowed emails to be sent from the ic.fbi.gov domain.

    “LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners,” it said. “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”

    The FBI said it initially took the “impacted hardware” quickly offline, and later said it quickly remediated the “software vulnerability” as well as confirmed its network integrity. Spamhaus said it saw two waves of email being sent.

    Brian Krebs reported that the sender of the emails found they were able to send emails because the FBI was generating a client-side one-time code to sign up for a new account on LEEP, and it was sent along with an email subject and body as a POST request to the FBI’s servers. Manipulating the request parameters enabled the emails to be sent, and a script was used to automate the sending process.

    It would seem all the so-called misconfigurations and software vulnerabilities were in the way the FBI had its portal built, with the cherry on top being how it exposed and piped user input to a mail server. Pretty embarrassing and worthy of a dozen facepalms, at least.
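The design flaw described above is a sign-up handler that relays a client-generated one-time code, subject and body straight to the mail server. The following added example is not the FBI’s or LEEP’s code; the form field names, sender address and message template are assumptions. It contrasts a handler that builds the notification from whatever was posted with one that takes only a validated recipient address from the request, generates the code server-side and keeps it for verification.

```python
import re
import secrets
from dataclasses import dataclass

SENDER = "noreply@example.gov"   # assumed sender address, not the real portal's
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample POST body, in the shape the story describes: the
# client supplies the code, the subject and the body alongside the address.
SAMPLE_FORM = {
    "email": "officer@example.org",
    "subject": "Constructed subject line",
    "body": "Constructed body text containing {code}",
    "code": "000000",
}


@dataclass(frozen=True)
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str


def build_signup_mail_vulnerable(form: dict) -> OutboundMail:
    """Mirrors the flaw in the story: code, subject and body all come from the
    POST and are forwarded unchanged, so the portal becomes an open relay for
    arbitrary content from its own domain."""
    return OutboundMail(
        sender=SENDER,
        recipient=form["email"],
        subject=form["subject"],
        body=form["body"].replace("{code}", form["code"]),
    )


# Hardened pattern: fixed copy, server-generated code, validated recipient.
SUBJECT_TEMPLATE = "Your one-time sign-up code"
BODY_TEMPLATE = "Your one-time sign-up code is {code}. It expires in 10 minutes."

# In-memory stand-in for a server-side store keyed by recipient (assumption).
_pending_codes: dict[str, str] = {}


def build_signup_mail_hardened(form: dict) -> OutboundMail:
    """Use nothing from the POST except the recipient address. Reject anything
    that is not a plain address (including header-injection attempts with CR/LF),
    draw the code from the OS CSPRNG and render fixed copy around it."""
    recipient = form.get("email", "").strip()
    if not EMAIL_RE.fullmatch(recipient) or "\r" in recipient or "\n" in recipient:
        raise ValueError("invalid recipient address")
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_codes[recipient] = code   # the server, not the client, holds the code
    return OutboundMail(
        sender=SENDER,
        recipient=recipient,
        subject=SUBJECT_TEMPLATE,
        body=BODY_TEMPLATE.format(code=code),
    )


def verify_code(recipient: str, submitted: str) -> bool:
    """Constant-time comparison against the server-held code; single use."""
    expected = _pending_codes.pop(recipient, None)
    return expected is not None and secrets.compare_digest(expected, submitted)


if __name__ == "__main__":
    print(build_signup_mail_vulnerable(SAMPLE_FORM))
    hardened = build_signup_mail_hardened(SAMPLE_FORM)
    print(hardened)
    print("subject from client ignored:", hardened.subject == SUBJECT_TEMPLATE)
```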

  • Home Affairs launches new principles for critical technology supply chain security

    The federal government has released a new set of voluntary principles aimed at providing guidance to organisations on how to protect critical technologies from cyber attacks. Labelled the Critical Technology Supply Chain Principles, Minister of Home Affairs Karen Andrews said the voluntary principles were designed to give organisations and consumers the confidence to allocate more resources towards critical emerging technologies such as artificial intelligence, quantum computing, blockchain, and algorithmic automation. “These principles come at a vital time — both for Australia and for our critical industries. We face unprecedented threats from a range of malicious cyber actors, growing geostrategic uncertainty, and are increasingly reliant on technologies that can be hacked, held to ransom, or otherwise disrupted,” Andrews said. The principles were developed in partnership with industry, non-government organisations, state and territory governments, and the community.

    There are 10 new principles in total, four of them being: understand what needs to be protected, why it needs to be protected, and how it can be protected; understand the different security risks posed by an organisation’s supply chain; build security considerations into all organisational processes, including contracting processes, that are proportionate to the level of risk; and raise awareness of and promote security within supply chains. In relation to these four principles specifically, Home Affairs hopes they will allow less-resourced organisations to implement appropriate measures for protecting critical technology. “When security is built in by-design it also means customers do not need to have expert knowledge and that they are not unfairly transferred risk that they are not best placed to manage,” Home Affairs said.

    The remaining principles are: know who critical suppliers are and build an understanding of their security measures; set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for suppliers; encourage suppliers to understand and be transparent about the depth of their supply chains, and be able to provide this information to customers; seek and consider the available advice and guidance on the influence of foreign governments on suppliers; consider whether suppliers operate ethically, with integrity, and consistently with international law and human rights; and build strategic partnering relationships with critical suppliers.

    Home Affairs warned that consideration of these principles is important, as a lack of security measures can have flow-on impacts on the broader community and Australia’s national interest. As part of the principles being announced, Andrews said the federal government itself would be implementing the principles in its own decision-making practices. “Alongside important legislation currently before the Senate to support and assist critical industries confront cyberattacks, wide adoption of these new principles will safeguard Australia’s security, and prosperity for years to come,” Andrews added.

    The release of the principles follows the federal government recently submitting a revised Security Legislation Amendment (Critical Infrastructure) Bill 2020 to Parliament. The revised Bill is a stripped-down version of the original, containing only the elements that would introduce government assistance mechanisms and mandatory notification requirements. Parts of the Bill that have been cut out will be considered in a future Bill down the road. The Bill was revised in response to recommendations made by the Parliamentary Joint Committee on Intelligence and Security, which said this two-step approach would enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provides long-term security for the country’s critical infrastructure. The federal government is also developing a new set of standalone criminal offences for people who use ransomware as part of its Ransomware Action Plan.

  • Security company faces backlash for waiting 12 months to disclose Palo Alto 0-day

    There has been considerable debate within the cybersecurity community about Randori, a security firm that waited one year before disclosing a critical buffer overflow bug it discovered in Palo Alto Networks’ GlobalProtect VPN. The zero-day — which has a severity rating of 9.8 and was first reported by ZDNet — allows for unauthenticated, remote code execution on vulnerable installations of the product.

    The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17, and Randori said it found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000. The product is used by a number of Fortune 500 companies and other global enterprises.

    Aaron Portnoy, principal scientist at Randori, explained to ZDNet that in October 2020, his team was tasked with researching vulnerabilities in the GlobalProtect Portal VPN. By November 2020, his team had discovered CVE-2021-3064, begun authorized exploitation against Randori customers, and successfully landed it at one of their customers — over the internet — not just in a lab. They did not notify Palo Alto Networks until a few weeks ago, according to the timeline they provided.

    Palo Alto Networks released its own advisory about the issue, has patched it and said there is no evidence it has been exploited in the wild. But Randori’s actions in the case have caused considerable backlash from some in the cybersecurity community, who argue the company should not have waited 12 months before disclosing it to Palo Alto Networks. Portnoy has released multiple statements on Twitter defending the company from criticism.

    Others have taken issue with Randori’s decision to use the 0-day in red team exercises, and others questioned whether the company held back notification of the issue in order to further publicize its work and its business. Despite the backlash, some have come to Randori’s defense, arguing that its actions are commonplace.

    David Wolpoff, Randori’s CTO, told ZDNet that the company “weighed a lot of factors when determining disclosure to minimize industry harm,” including analysis of the software, patch status, versioning issues, existing remediation strategies, and more. “We cannot respond in granular detail, as we are intentionally staying away from disclosing technical details that would enable exploit. We would like to increase the transparency of our decision process because people didn’t seem to grasp the nuance, but we still very much believe in our policy and our decision,” Wolpoff said.

    Randori would not answer questions about why it waited 12 months to disclose the vulnerability. But Wolpoff said there “are always concerns” and argued that the company is “acutely aware of the risks of having a capability like this.” Yet he argued that knowing about the vulnerability “doesn’t increase the risk.”

    “If we knew about the bug or didn’t, the risk profile to the public is the same. In this case — a minor release within a major version of software — we knew remedies already existed being recommended by the vendor,” Wolpoff said. “This factored into our decision. We were aware of the nuance in regards to the PAN update, and it (along with other metrics) factored into our weighing of the risks associated.”

    Opinions among experts varied. Casey Ellis, founder and CTO at Bugcrowd, said vulnerability equity decisions are difficult to trust when there’s an obvious commercial conflict of interest.

    Vulcan Cyber CEO Yaniv Bar-Dayan told ZDNet that there are several approaches to responsible vulnerability disclosure, but most critical is the expediency of all involved parties and an altruistic collaboration between researchers and responsible organizations. “Time is of the essence if the goal is systems and data security. The intent of vulnerability disclosure programs breaks down if the disclosure goals of researchers or vendor organizations ever deviate from pure security,” Bar-Dayan said. “As an example, the recently announced Google Project Zero requires the full details of a vulnerability to be published within 90 days after discovery regardless of whether or not the vendor organization has provided a patch or mitigation option.”

    ThreatModeler CEO Archie Agarwal explained that there is a long tradition of cybersecurity professionals finding security holes in popular software and disclosing the vulnerability to the development company and then afterwards the public. The idea, Agarwal said, is that the ‘good guys’ find the problems before the ‘bad guys.’ “There is nothing ethically wrong with this practice as long as the disclosure is responsible and all efforts are made to coordinate with the company in terms of remediation and allowing them time to create a patch before it becomes publicly known as appears to be the case in this instance,” Agarwal explained. “Legitimate bug bounties operate the same. The unfortunate part is criminals also see the public disclosure and are getting faster and faster at exploit development and so those not updating the patch fast enough are often left open to automated attacks.”

    J.J. Guy, CEO of Sevco Security, argued that the job of a red team is simple: emulate the adversary. “If adversaries are using 0-days, our red teams should be using them too. We can’t prepare for the reality of how we’ll react to compromise if red teams are pulling punches. Many organizations must protect high-value assets from real-world attacks by adversaries bringing this level of capability. It is extremely valuable for these orgs to practice their ability to detect and respond to 0-day. They know they must defend against unknowns,” Guy said. “Software is not and never will be perfectly secure. There are an infinite number of 0days waiting to be discovered, so if your IT team believes they can patch all the holes, they’re wrong.”

  • RHEL 8.5 delivers key container improvements

    RHEL 8.5, the newest version of Red Hat Enterprise Linux (RHEL), is out. As Joe Brockmeier, Red Hat Blogs’ Editorial Director, said, “Whether you’re deploying RHEL on-prem, in the public cloud, at the edge — or all of the above — RHEL 8.5 has improvements that users will be eager to dig into.” He’s not wrong.

    In particular, as we continue to move to a container and Kubernetes-based world, RHEL 8.5 comes with significant container improvements. These include:

      • Containerized Podman: The RHEL 8 Podman container image is now generally available and can help unlock the usage of Podman in cloud continuous integration/delivery (CI/CD) systems, on Windows Subsystem for Linux (WSL) 2, under Docker Desktop on macOS, and (of course) on RHEL 6, 7 and 8. You can use the Podman container image to help develop and run other container images.
      • Verify container image signatures by default: In RHEL 8.5, users can pull container images with confidence. Out of the box, RHEL 8.5 will check container image signatures to verify that they are, in fact, from Red Hat and haven’t been tampered with or manipulated.
      • Native OverlayFS as a rootless container user: RHEL 8.5 offers better performance when building and running rootless containers, with native support for OverlayFS.

    Returning to RHEL basics, its web console, which is based on the open-source Cockpit project, now enables you to live patch the kernel from it. Previously, you could only keep your Linux running while updating the kernel in real time by using the shell. The updated web console also includes an enhanced performance metrics page. With this, you can more easily identify high CPU, memory, disk, and network resource usage spikes and their causes. In addition, you can also more easily export metrics to a Grafana server for a deeper look at what’s going on in your servers.

    Red Hat is also continuing to integrate its Ansible DevOps program into RHEL. RHEL’s system roles now use Ansible roles and modules to configure, automate, and manage RHEL services. Its new or enhanced system roles include:

      • RHEL system role for VPN: Reduces the time to configure VPN tunnels and reduces the risk of misconfiguration or use of non-recommended settings. Also supports host-to-host and mesh VPN configurations.
      • RHEL system role for Postfix: In tech preview for some time, the RHEL system role for Postfix is fully supported with RHEL 8.5. It enables administrators to skip the manual configuration of Postfix, automating how you install, configure, and start the server, as well as specify custom settings to better control how Postfix works in your environment.
      • RHEL system role for timesync: Uses a new Network Time Security (NTS) option as part of the existing timesync system role.
      • RHEL system role for Storage: Adds support for LVM (Logical Volume Manager) VDO (Virtual Data Optimizer) volumes and volume sizes that can be expressed as a percentage of the pool’s total size.

    There are numerous other improvements as well. These include OpenJDK 17, the latest open-source reference implementation of Java SE. And, for better network and system security, RHEL now includes Network Time Security (NTS) for the Network Time Protocol (NTP).

    In addition — showing how much things have changed since Microsoft and Red Hat were at each other’s throats — RHEL now comes with a system role for Microsoft SQL Server. This enables IT administrators and DBAs to automatically and quickly install, configure, and tune SQL Server. It also now includes Microsoft’s latest .NET 6 release. .NET 6 is now available for Windows, Linux, and macOS, and provides a unified platform across cloud, desktop, IoT, and mobile apps.

    In short, RHEL 8.5 is ready to run today on any platform you care to name. Want to know more? Check out the RHEL system roles overview to learn how to install and use RHEL system roles.

  • CISA warns of equipment vulnerabilities from multiple vendors

    CISA has released a notice urging administrators to apply updates to a variety of industrial control systems after discovering vulnerabilities in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. In the advisory, CISA said the issues were found in equipment from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing.

    The equipment containing the vulnerabilities includes CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS. “Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure,” CISA explained.

    They provided links to each company’s patches or fixes for the issue, but they noted that GurumNetworks did not respond to their messages. CISA said organizations using GurumNetworks’ tools should contact them directly.

    Dr. Dennis Hackney, head of industrial cybersecurity services development at ABS Group, told ZDNet that many industrial control system owners don’t realize that their systems are full of open-source software, much like OpenDDS. “The reasons for this are multifaceted but often stem from the proprietary and tailored nature of each control system. OEMs and engineers develop solutions that are as functional as possible without adding unnecessary costs. Be warned, by their very nature, ICS are open,” Hackney explained.

    “They use connectivity called OPC which stands for Object Linking and Embedding (OLE) for Process Control, otherwise known as open process control specifications. Open refers to non-authenticated communication between computers and equipment. There are increasingly new authenticated models but that does not cover the majority of what are in operation today. The concern being, when there is a vulnerability in components like OpenDDS, there are limited options to control access and ensure quality of service due to the nature of ICS designs.”

    OpenDDS vulnerabilities are a concern, he added, because these applications are based on a subscription model. The vulnerabilities are also concerning because they can be exploited remotely and have a low attack complexity, he said. Like CISA’s notice, Hackney suggested that affected organizations install the latest updates, isolate systems from business IT networks, utilize firewalls, and secure remote access through VPNs.

    Other experts, like Netenrich principal threat hunter John Bambenek, explained that this advisory stood out because it impacts a wide variety of vendors and open-source solutions that address the data distribution layer of real-time systems. Typically, a vulnerability only impacts specific products. The fact that all involved have released updates in a coordinated fashion shows that CISA is taking its role of protecting critical infrastructure and coordinating response between many organizations seriously, Bambenek said. “While CISA has said there are no known public exploits for these vulnerabilities, this announcement will certainly drive those attackers interested in attacking these systems to develop them quickly. Affected organizations should patch quickly while there is still time,” Bambenek added.