Information Technology

Image: Getty Images
US President Joe Biden has revoked and replaced various executive orders made by former President Donald Trump that had sought to block apps like AliPay, TikTok, and WeChat from US app stores. When Trump made those orders, he had labelled the Chinese apps as national security threats with respect to  information and communications technology, and services supply chain. With the latest directive, AliPay, CamScanner, TikTok, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat, WeChat Pay, and WPS Office are no longer set to be banned. The Trump administration ordered for TikTok to be banned unless it was divested to a US company. After months of negotiations following the Trump order, TikTok had come to a preliminary deal to be sold to Oracle and Walmart. That deal was then shelved indefinitely, however, after Biden came into office, according to The Wall Street Journal.While TikTok is no longer set to be banned, the executive order does not address the potential sale of the app, which is currently being reviewed by the Committee on Foreign Investment in the United States. In addition to being a replacement of Trump’s executive orders, the new directive also sets new criteria that the Commerce Department must use to review whether apps tied to foreign adversaries pose an “unacceptable risk,” according to a White House fact sheet. The criteria for determining if an app poses an “unacceptable risk” is if it is owned, controlled, or managed by persons that support foreign adversary military or intelligence activities, or are involved in malicious cyber activities, or involve applications that collect sensitive personal data, the fact sheet said.

The executive order also directs the Commerce Department to work with other agencies to come up with recommendations to protect US consumer data from foreign adversaries, as well as make recommendations for additional executive and legislative actions to further address the risk associated with foreign adversary connected software applications. Related Coverage More

RSA Security is spinning out its Fraud & Risk Intelligence business into a new standalone company called Outseer. The new organization will be led by CEO Reed Taussig.

Outseer said it will continue to build out RSA’s anti-fraud and payments security portfolio, which includes fraud detection and management, and payments authentication services. All of the RSA-branded products are being renamed to match Outseer’s new corporate identity. Outseer said its product portfolio is supported by deep investments in data and science, including a global network of verified fraud and transaction data, and a risk engine that the company said delivers 95% fraud detection rates.  Payments fraud and risk tend to receive less public attention than topics such as ransomware and cybersecurity, but payment card schemes, issuing banks, and commerce providers have experienced a record number of fraudulent transactions and orchestrated attacks in payment networks during the pandemic.Outseer plans to work its portfolio toward the EMV 3-D Secure payment standard and incorporate new technology integrations across its payments and commerce ecosystem. EMV 3-D Secure is a messaging protocol that enables consumers to authenticate card-not-present (CNP) e-commerce transactions with their card issuer.”RSA’s Fraud & Risk Intelligence business provides Outseer with a solid foundation to address the urgent need to protect both the customers and the revenues of the digital economy,” said Taussig. “At Outseer, we want to liberate the world from digital transaction fraud and fill an apparent gap in the market by delivering science-driven solutions for 3-D Secure payment authentication and account monitoring. 3D Secure Card Not Present Authentication is a well-proven solution in Europe and in our view, will be the dominant solution to combat card not present fraud as we move into the future.”RSA announced in 2020 that it would operate as an independent company via acquisition by Symphony Technology Group, valuing the company at $2.1 billion. More

Entropy is a term used for the statistical uncertainty of a piece of data, one example of which are the randomly generated numbers that are used in cryptographic keys, and that are hard to crack to the extent that such strings are truly hard for a computer to predicts.  Arguing that today’s encryption isn’t unpredictable enough, New York-based startup Qrypt on Wednesday formally publicly announced its intent to offer “entropy-as-a-service,” or EaaS, to provide businesses as well as individuals with truly random number generation capabilities.  “Everyone has an inherent right to privacy; we believe that right is under attack by Russia, China, any bad actor you want to pick,” said founder and CEO Kevin Chalker in an interview with ZDNet via Zoom.  Qrypt’s main claim is that the current regime of cryptographic tools, based on things such as the RSA algorithm and the public-private key exchange, is already vulnerable because the pseudo-random number generation capabilities of such a network can be cracked with sufficient compute power.  Down the road, quantum computing should have sufficient power to routinely crack the pseudorandom code, a looming risk that has already been widely discussed as the extinction of conventional cryptographic tools. Also: Quantum computers could crack today’s encrypted messages. That’s a problem In cases where codes can’t be broken at the moment, malicious types who steal data will park that data in its encrypted form on disk, as a harvest awaiting the day when the quantum tools are available to decrypt the data.

The inspiration comes from the one-time pad cryptographic cipher generators used for covert operations. While full details of Qrypt’s approach are still somewhat limited, basically, Qrypt partners with a Barcelona-based, privately held company called Quside Technologies, for quantum-based random number generation.  Quside, which spun out of Barcelona’s Institute of Photonic Sciences, uses semiconductors lasers to generate interference patterns that can be sampled to produce a random number.  Sampling a real-world physical process in this way, such as the interference pattern of photons, is generally regarded as the most secure way to arrive at a truly random “seed” for a random-number generator. The quantum nature of such measurement is deemed more random than a roll of the die, which is a classical mechanical operation.  The Qrypt EaaS, using appliances connected together in a distributed fashion, take the Quside seed and use it to generate what’s called a source of entropy, raw randomness, that can then be used to generate a one-time pad at each communicating party’s computer on either end of an otherwise non-secure communications line. The service is an alternative to quantum key distribution, or QKD.  Where a QKD network has two key generator devices connected over a trusted communications line, Qrypt’s EaaS network distributes the raw random sources digitally to the users in a distributed fashion, and then runs a so-called BLAST algorithm that generates the one-time pads simultaneously on either end of the communication.  The BLAST algorithm was developed by Yevgeniy Dodis, the firm’s chief cryptographer, who is a fellow with the International Association for Cryptologic Research and who has numerous publications on techniques of things such as key exchange.  CEO Chalker previously was a CIA “operations officer,” a covert operative in the field within what’s called clandestine services, focused on Iran. Qrypt’s chief technical officer is Denis Mandich, also formerly with the CIA, also a covert operative, focused on Russia. Both individuals make the point that the Qrypt EaaS is designed to bring to the retail/consumer market the same level of cryptographic strength for secure messaging and other applications.  “We’re trying to democratize that same level of security that we relied on for all these years,” said Chalker.  “We can do it right now with commercial, off-the-shelf infrastructure, you don’t have to build anything new, completely digitally, from here to the other side of the world,” said Mandich. Existing encryption, notes Mandich, can be broken even without quantum, especially in cases of poor practices in the use of one-time pads. “If you re-use one-time pads, or your don’t have really random one-time pads, they become breakable.”  The Qrypt appliances are placed in data centers around the world, “geographically, politically distributed,” said Mandich.  Qrypt has been funded by Chalker out-of-pocket thus far. He declined to disclose that total funding amount.  Qrypt’s service is available for trial via a free account on the Web site that invites one to set up a free account.  In addition to Qrypt’s data sheet on its Web site, additional interesting material can be found in two U.S. patents issued to the firm in 2019. One, “End-to-end double-ratchet encryption with epoch key exchange,” credited to Mandich and Dodis, describes an algorithm for distributing to two communicating devices an asymmetric key-generation function.  A second patent, “Multi-source entropy and randomness aggregation and distribution network,” describes an as-a-service network for distributing entropy. 

Tech Earnings More

An emerging ransomware operation appears to have links to a veteran cyber criminal group in the space – while also attempting to piggyback on the reputation of one of the most notorious forms ransomware.Prometheus ransomware first emerged in February this year and not only do the criminals behind it encrypt networks and demand a ransom for the decryption key, they also use double extortion tactics and will threaten to leak stolen data if their demands for cryptocurrency aren’t met.Analysis by cybersecurity researchers at Palo Alto Networks details how, like many ransomware operations in 2021, the group runs like a professional enterprise, even going so far as to refer to victims of cyber attacks as “customers” and communicating with them via a ticketing system.The cyber criminals behind Prometheus claim to have hit over 30 victims around the world so far, including organisations in North America, Europe and Asia. Sectors Prometheus claims to have hit include government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law. However, only four victims have paid to date, according to the group’s leak site which claims that a Peruvian agricultural company, a Brazilian healthcare services provider and transportation and logistics organizations in Austria and Singapore paid ransoms, Palo Alto said.One notable trait of Prometheus is that it uses the branding of another ransomware group across its infrastructure, claiming to be ‘Group of REvil’ on the ransom note and across its communication platforms.SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

REvil is one of the most infamous and most successful ransomware operations, claiming a string of high profile victims. The FBI recently attributed the ransomware attack against meat processor JBS to the group, which is believed to work out of Russia.However, despite the use of REvil’s name, there doesn’t appear to be any link between the two operations – and it’s likely that Prometheus is attempting to use the name of an established criminal operation in order to increase their chance of receiving a ransom payment.”Since there is no solid connection other than the reference of the name, our running theory is that they are leveraging the REvil name to increase their chances of securing payment. If you search for REvil, the headlines are going to speak for themselves versus searching Prometheus ransomware where probably nothing major would’ve come up,” Doel Santos, threat intelligence analyst at Unit 42, Palo Alto Networks told ZDNet. Researchers note the operation does have strong links to Thanos ransomware.Thanos ransomware first emerged for sale on underground forums in the first half of 2020 but the behaviour and infrastructure of it is almost identical to Prometheus, which could suggest that Thanos and Prometheus are run by the same group of criminals.See: This company was hit by ransomware. Here’s what they did next, and why they didn’t pay upWhile researchers haven’t been able to identify the exact method Prometheus is delivered to victims, Thanos is known to be distributed with the aid of buying access to networks which have previously been compromised with malware, brute-force attacks against commonly used passwords and phishing attacks.After compromising victims with ransomware, Prometheus tailors the ransom depending on the target, with demands ranging from $6,000 to $100,000 – a figure that’s doubled if the victim doesn’t pay within a week. The ransom is demanded in Monero, rather than Bitcoin, a decision likely made because Monero transactions are more difficult to track than Bitcoin – so there’s less chance of the group being detected or their assets seized by law enforcement operations. It’s believed that the group is still active and will continue as long as attacks remain profitable.”As long as Prometheus keeps targeting vulnerable organizations, it will keep running campaigns,” said Santos. “Going forward we would expect this group to keep adding victims to their leak site, and change their techniques as needed,” he added.Given how Prometheus and other ransomware groups often rely on breaching user accounts to embed themselves on networks, one thing which organisations can do to help protect against ransomware attacks is use multi-factor authentication.Deploying this to all users provides an additional barrier to attacks, making it harder for cyber criminals to exploit stolen credentials as a starting point for ransomware campaigns.MORE ON CYBERSECURITY More

Content delivery network (CDN) Fastly has explained its major outage yesterday, which knocked out many of the world’s top websites, from Amazon to ZDNet.  The breadth of the outage demonstrated once again how CDNs, which bring content to end users from globally distributed points of presence (POPs), can also be a single point of failure. 

ZDNet Recommends

Fastly has POPs across the globe running on solid state drives (SSDs) that make up its “edge cloud” for delivering web content from data centers that are closer to end users. Instead of accessing a website’s servers directly, users access a cache of the site from cache storage maintained by the CDN.  SEE: Network security policy (TechRepublic Premium) Its global outage yesterday briefly prevented web users from accessing The Guardian, the Financial Times, The New York Times, ZDNet, Reddit, Twitch, Amazon, PayPal, and the UK government website gov.uk.  Nick Rockwell, Fastly’s senior vice president of engineering, said the hour-long outage happened because a customer pushed a configuration change that triggered the undiscovered software bug.  Rockwell doesn’t explain what exactly happened, other than saying that on May 12, the company deployed a software update that “introduced a bug that could be triggered by a specific customer configuration under specific circumstances.”

Then yesterday, June 8, a customer pushed a configuration change that met the conditions to trigger the bug, which caused 85% of its network to return errors. End users visiting affected sites saw the “Error 503 Service Unavailable” error message in browsers.  Fastly yesterday said that issue was causing customers to see an “increased origin load and lower Cache Hit Ratio (CHR)”. CHR is a measure of how many requests a cache can deliver compared to how many requests it receives. “Once the immediate effects were mitigated, we turned our attention to fixing the bug and communicating with our customers. We created a permanent fix for the bug and began deploying it at 17:25,” said Rockwell.  The disruption began at 9:47 UTC.  Fastly is the seventh largest CDN provider, following Google, Cloudflare, F5, Amazon CloudFront, and jsDelivr, according to Datanyze. SEE: GDPR: Fines increased by 40% last year, and they’re about to get a lot bigger The pitfall of CDNs is that when they go down, as Cloudflare did in 2019 – due to a buggy configuration change – users can’t access websites that rely on the CDN to deliver content.  Rockwell recognized that the company should have seen this bug before the customer accidentally triggered it. He also apologized to customers.  “Even though there were specific conditions that triggered this outage, we should have anticipated it. We provide mission-critical services, and we treat any action that can cause service issues with the utmost sensitivity and priority,” he wrote.   “We apologize to our customers and those who rely on them for the outage and sincerely thank the community for its support.” More

Apple has agreed to a multi-million dollar settlement to resolve a lawsuit with a woman whose explicit photos were leaked online by employees repairing her iPhone. 

The woman, a past student at the University of Oregon, handed over the mobile device in 2016 for repair for an unspecified issue at a Pegatron facility in California, as reported by The Telegraph. Pegatron has acted as a long-term supplier and partner with the iPhone and iPad maker. At the time, two employees of the firm allegedly accessed explicit images and video stored on the device. This content was then posted on the woman’s Facebook account, to appear as if she shared it.  The explicit material has been described as “photos of her in various stages of undress and a sex video.” The woman was only made aware of the technicians’ activities when a contact alerted her to the leak, and she was able to take the images and video down.  However, the damage was done and the student then launched a claim against Apple for privacy violations and the emotional distress caused. 

Apple reportedly settled for a multi-million dollar amount which was reimbursed by Pegatron. According to reports, the agreement includes a clause to prevent the woman from disclosing the value of the settlement.  The tech giant also apparently demanded confidentiality, but a legal battle between Pegatron and its insurer — which disputed the amount requested for reimbursement — resulted in Apple’s role being identified.  The technicians have been fired.  Apple said in a statement that upon learning of the incident and “egregious violation” of data privacy and security policies, “we took immediate action and have since continued to strengthen our vendor protocols.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Researchers say zero-day vulnerabilities fixed in Microsoft’s recent Patch Tuesday round have been used in targeted attacks against the enterprise. 

According to Kaspersky, a wave of “highly targeted attacks” on several organizations was traced that utilized a chain of zero-day exploits in the Google Chrome browser and Microsoft Windows systems over April 14 and 15, 2021. The attackers have been named PuzzleMaker. The first exploit in the chain, while not confirmed, appears to be CVE-2021-21224, a V8 type confusion vulnerability in the Google Chrome browser prior to 90.0.4430.85.  Google issued a patch for the severe flaw on April 20, which if exploited, allowed remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page. Sandboxes, by design, are intended for developer environments, tests, and protection, and so segregate activities away from a main system. For an exploit chain to work, a sandbox escape would then be a necessary next step.  According to the researchers, this escape was found in two Windows 10 vulnerabilities — both of which are zero-day bugs that were patched in Microsoft’s latest Patch Tuesday update.  The first, CVE-2021-31955, is a Windows Kernel information disclosure vulnerability in the file ntoskrnl.exe, used to expose the addresses of the Eprocess structure kernel for executed processes. The second, CVE-2021-31956, is a heap buffer overflow vulnerability in the Windows NTFS driver that can be exploited for privilege escalation.

Kaspersky says that when chained together, the vulnerabilities allowed the attacker to escape the sandbox and execute malicious code on a target machine.  Malware is then deployed which includes stager, dropper, service, and remote shell modules. The first module will first check that exploitation was a success, and if so, will grab the dropper module from a command-and-control (C2) server for execution.  Two executables then land on the target machine which masquerades as legitimate Windows files. The first is registered as a service and is used to launch the second executable, which contains remote shell capabilities.  This payload is able to download and exfiltrate files, as well as create system processes. The malware is also capable of putting itself to ‘sleep’ for a time or self-destruct.  It is recommended that organizations maintain frequent patch schedules and apply relevant fixes — more so if bugs are being actively exploited. As we saw with the Microsoft Exchange Server incident in March, attackers will quickly jump on security issues as soon as they are publicly known. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Huawei Technologies has kicked into PR overdrive, pledging its commitment to cybersecurity with the opening of its latest transparency centre in Dongguan, China. It also releases the “security baseline framework” that the Chinese tech vendor says is adopted for its products, outlining requirements for implementation and compliance of legal and regulatory requirements.The new Dongguang facility is amongst seven transparency centres Huawei operates worldwide, including in Belgium, Germany, Canada, and the UK, where its first was launched in 2010. These sites have hosted 700 customer exchange over the past decade. According to Huawei, the centres offer a platform on which its products and software can be tested and security verified by customers and governments. The facilities provide technical documents, testing tools and environments, as well as technical support. 

When asked, Huawei told ZDNet that customers and governments also would be able to view the source codes of its security framework. The spokesperson said independent third-party testing organisations would be able to perform “fair, objective, and independent security tests and verifications” based on “industry-recognised” cybersecurity standards and best practices.”[The centre] allows outsiders to remotely access Huawei’s source code, our ‘crown jewels’,” he noted. Along with the launch, Huawei unveiled the security baseline framework that it said was integrated into its product development process and developed to address legal and regulatory requirements. The framework comprised 54 requirements spanning 15 categories for product implementation, such as backdoor prevention, access channel control, encryption, application security, and secure compilation. The vendor added that this was the first time its security baseline was made available to the industry. 

Huawei also urged the need for a “unified approach” to cybersecurity, pointing to industry bodies such as GSMA and 3GPP that had pushed the adoption of standards such as NESAS (Network Equipment Security Assurance Scheme) and independent certifications. “At present, the industry still lacks a standards-based, coordinated approach, especially when it comes to governance, technical capabilities, certification, and collaboration,” the Chinese vendor said. NESAS is a voluntary initiative introduced to provide a security enhancement programme that focused on mobile network infrastructure equipment. It encompasses equipment designed to facilitate functions defined by 3GPP (3rd Generation Partnership Project), and deployed by mobile network operators on their networks. Specifically, it comprises security assessments of vendor development and product lifecycle processes as well as security evaluations of network products. The programme has been adopted by a handful of vendors, namely, Nokia, Ericsson, and ZTE.”These baselines have seen wide acceptance in the industry and will play an important role in the development and verification of secure networks,” Huawei said, adding that its 5G and LTE equipments had passed NESAS evaluation. Through its transparency centres, the vendor said it had conducted more than 200,000 training courses covering cybersecurity and privacy process development as well as verification and testing. Last year, it also carried out risk assessment and monitored more than 4,000 suppliers of various cybsersecurity services. It said the emergence of 5G networks and services also would increase security risks, further underscoring the need for collective efforts to combat such threats.Huawei said: “Industry digitalisation and new technologies like 5G and AI (artificial intelligence) have made cyberspace more complex, compounded by the fact that people have been spending a greater portion of their lives online throughout the COVID-19 pandemic. These trends have led to a rise in new cybersecurity risks.”It noted that digitalisation also blurred the physical boundaries of traditional networks, leading to more network threats as well as the consequences of vulnerabilities and attacks that were more serious. Huawei’s rotating chairman Ken Hu said: “Cybersecurity risk is a shared responsibility. Governments, standards organisations, and technology providers need to work closer together to develop a unified understanding of cybersecurity challenges. This must be an international effort.”The Chinese vendor said its research and development (R&D) spending on cybersecurity and privacy components accounted for 5% of its overall R&D budget, and its global headcount included more than 3,000 cybersecurity R&D professionals.Huawei last week launched HarmonyOS 2 across 100 of its devices in China, including smartphones, smart watches, and tablets, further driving its aim to have the mobile OS installed on more than 300 million devices.  It said in April that it would continue to diversify its product focus as it looked to buffer a decline in its smartphone sales, which were impacted by ongoing US export sanctions that blocked access to Google’s Android ecosystem. With HarmonyOS still unavailable outside of China, though, it remains to be seen if the mobile OS will be adopted as widely internationally as its distribution across multiple consumer device categories may further trigger security and privacy concerns.RELATED COVERAGE More