More stories

  • Amazon, Google, Microsoft and other tech giants establish Trusted Cloud Principles

    Some of the world’s largest tech giants — Amazon, Google, Microsoft, IBM, Salesforce/Slack, Atlassian, SAP, and Cisco — have joined forces to establish the Trusted Cloud Principles in what they are claiming is their commitment to protecting the rights of their customers.

    “The Trusted Cloud Principles will help safeguard the interests of organisations and the basic rights of individuals using cloud services so that they can accomplish what they need in a safe and secure way,” the signatories said in a statement. “This initiative is more important today than ever … when some governments come directly to providers like us for access to customer data without their knowledge — in some cases for legitimate reasons but in other cases for reasons that could hinder basic human rights — it creates a tension that needs to be addressed through both technology and policies.

    “Our Trusted Cloud Principles make it clear we seek to partner with governments around the world to resolve international conflicts of law that impede innovation, security, and privacy, and to establish and ensure basic protections for organisations that store and process data in the cloud.”

    Some of the specific principles that have been founded by the signatories include governments should seek data directly from enterprise customers first, rather than cloud providers, other than in “exceptional circumstances”; customers should have a right to notice when governments seek to access customer data directly from cloud service providers; and there should be a clear process for cloud providers to challenge government access requests for customers’ data, including notifying relevant data protection authorities, to protect customers’ interests.

    Also outlined in the principles is the point that governments should create mechanisms to raise and resolve conflicts with each other such that cloud service providers’ legal compliance in one country does not amount to a violation of law in another; and governments should support cross-border data flows. At the same time, the cloud service providers acknowledge that under the principles they recognise international human rights law enshrines a right to privacy, and the importance of customer trust and customers’ control and security of their data.

    The signatories also said they commit to supporting laws that allow governments to request data through a transparent process that abides by human rights standards; international legal frameworks to resolve conflicting laws related to data access, privacy, and sovereignty; and improved rules and regulations at the national and international levels that protect the safety, privacy, and security of cloud customers and their ownership of data. “We commit to working with governments to ensure digital connectivity among nations, to promote public safety, and to protect privacy and data security in the cloud in line with international human rights norms and the rule of law,” the signatories added.

    The Trusted Cloud Principles come days after a separate data cloud framework was stood up between Amazon Web Services, Google, IBM, Microsoft and other major tech giants, plus the EDM Council, a cross-industry trade association for data management and analytics. Under the Cloud Data Management Capabilities (CDMC) framework there are six components, 14 capabilities, and 37 sub-capabilities that set out cloud data management capabilities, standards, and best practices for cloud, multi-cloud, and hybrid-cloud implementations while also incorporating automated key controls for protecting sensitive data. Among the six components are data governance and accountability, cataloguing and classification, data accessibility and usage, data protection and privacy, data lifecycle, and technical architecture. The CDMC framework is available as a free licence to EDM Council members and non-members alike.

    “The speed at which businesses are able to respond to change is the difference between those that successfully navigate the future and those that get left behind,” Google Cloud data analytics product management director Evren Eryurek said. “The CDMC framework is going to be a tremendous resource for companies as they continue to accelerate their digital transformation and reimagine their business through effectively leveraging the power of real-time data.”

  • Congress demands briefing from FBI on decision not to share Kaseya decryption keys

    The US House Committee on Oversight and Reform has demanded a briefing with the FBI to determine whether it was justified in withholding the Kaseya ransomware decryption keys. Committee chairwoman Rep. Carolyn Maloney and ranking member Rep. James Comer sent a letter to FBI director Christopher Wray asking him to appear before Congress to explain the FBI’s actions in the case. The FBI’s decision to keep the REvil ransomware decryption key from victims of the attack on Kaseya has caused a furor among some victims and experts who questioned the organization’s judgement.

    “Public reporting raises questions about the FBI’s response to this summer’s ransomware attack. The FBI has stated that it withheld the ransomware key it had previously acquired so the Bureau could engage in an operation to disrupt the Russian-based hackers without tipping them off. Before the FBI could execute its plan, however, the hackers reportedly disappeared and their platform went offline. During this delay, many businesses, schools, and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis,” the members of Congress wrote. “We request a briefing from the FBI on its legal and policy rationale for withholding the digital decryptor key as it attempted to disrupt this cyber attack, and the FBI’s overall strategy for addressing, investigating, preventing, and defeating ransomware attacks. Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the US economy. Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”

    Maloney and Comer said the FBI’s actions potentially cost “the ransomware victims — including schools and hospitals — millions of dollars.” Last week, the Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack that took place in July yet did not share them for three weeks.

    The Kaseya attack affected hundreds of organizations, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. Washington Post reporters Ellen Nakashima and Rachel Lerman revealed that the FBI managed to obtain the decryption keys because they accessed the servers of REvil, the Russia-based criminal gang that was behind the massive attack. Despite the large number of victims of the attack, the FBI did not share the decryption keys, deciding to hold on to them as they prepared to launch an attack on REvil’s infrastructure. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys. The FBI also claimed “the harm was not as severe as initially feared”, according to The Washington Post.

    REvil initially demanded a $70 million ransom from Kaseya and thousands from individual victims before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack. ZDNet sent questions to multiple members of Congress and the FBI about whether the ransomware group’s brief disappearance was connected to the planned FBI operation but has not received a response. The FBI eventually shared the decryption keys with Kaseya on July 21, weeks after the attack occurred. Multiple victims spoke to The Washington Post about the millions that were lost and the significant damage done by the attacks.

    During his testimony in front of Congress last week, FBI Director Christopher Wray laid the blame for the delay on other law enforcement agencies and allies who, he said, asked the FBI not to disseminate the keys. He said he was limited in what he could share about the situation because they are still investigating what happened. “We make the decisions as a group, not unilaterally. These are complex…decisions designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress. Congress demanded a response from the FBI by October 6.

  • Fortinet, Shopify and more report issues after root CA certificate from Let’s Encrypt expires

    A number of websites and services reported issues on Thursday thanks to the expiration of a root certificate provided by Let’s Encrypt, one of the largest providers of HTTPS certificates. At around 10 am ET, IdenTrust DST Root CA X3 expired, according to Scott Helme, founder of Security Headers. He has been tracking the issue and explained millions of websites rely on Let’s Encrypt services and without them, some older devices will no longer be able to verify certain certificates. Let’s Encrypt operates as a free non-profit that makes sure the connections between your device and the internet are secure and encrypted.

    Despite advance warning that the expiration date would be on September 30, when the deadline hit, dozens of users reported issues with a variety of services and websites. Helme told ZDNet that he confirmed issues with Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, PFsense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify and Cloudflare Pages, but noted that there may be more.

    “There are a couple of ways to solve this depending on what the exact problem is but it boils down to: The service/website needs to update the certificate chain they are serving to clients or, the client talking to the website/service needs an update,” Helme explained. “For the affected companies it’s not like everything is down, but they’re certainly having service issues and have incidents open with staff working to resolve. In many ways I’ve been talking about this for over a year since it last happened, but it’s a difficult problem to identify. It’s like looking for something that could cause a fire: it’s really obvious when you can see the smoke!”

    Some sites posted notices on their website about potential issues and many have resolved the issues. Shopify posted a note on its incident page that by about 3:30 pm, merchant and company partners who were struggling to login had their services restored. Merchant authentication for Support interactions has also been restored, the company said. Fortinet told ZDNet they were aware of and have investigated the issue relating to the expired root CA certificate provided by Let’s Encrypt. “We are communicating directly with customers and have provided a temporary workaround. Additionally, we are working on a longer-term solution to address this edge case issue directly within our product,” the company said in a statement.

    Digital certificates expert Tim Callan said all modern digital systems depend on certificates for their continued operation, including those that secure our cyber and physical environments. “If software depends on an expired root to validate the trust chain for a certificate, then the certificate’s trust will fail and in most cases the software will cease to function correctly. The consequences of that are as broad and varied as our individual systems are, and many times cascading failures or ‘downstream’ failures will lead to problems with entirely different systems than the one with the original certificate trust problem,” Callan said. “IT systems that enforce or monitor security policies can stop working. Alerting and reporting systems can fail. Or, if the processes that humans depend on to do our work stop functioning, often those people will find “workarounds” that are fundamentally insecure.”

    Callan added that outages can occur when developers embedded in lines of business operations or other skunkworks projects “obtain certificates” without the knowledge of central IT and then move on to new tasks or otherwise fail to monitor the lifecycle of these certificates. He noted that most systems will be able to weather a root expiration because of modern root chaining capabilities that allow another root to establish trust. “However, legacy systems or those with previously unaddressed (or unknown) certificate handling bugs are at risk for failures like these to occur. In the event of a commonly used root from a popular CA, the risk of these failures goes up considerably,” Callan explained.

    TechCrunch reported that devices that may face issues include older macOS 2016 and Windows XP (with Service Pack 3) as well as older versions of PlayStations and any tools relying on OpenSSL 1.0.2 or earlier. Other experts said PlayStation 4s or earlier devices that have not had their firmware upgraded will not be able to access the Internet. Devices like Android 7.1.1 or earlier will also be affected.

    According to Callan, most modern software allows the use of sophisticated trust chains that allow root transitions without requiring the replacement of production certificates. But those that are old or poorly designed or containing trust chain handling bugs may not handle this transition correctly, leading to various potential failures. As many of the affected companies have since done, Callan suggested enterprises take an inventory of the systems using certificates and the actual certificates in use before ensuring that software has the latest root certificates in its root store.

    “By identifying where potential failure points occur, IT departments can investigate these systems ahead of time to identify problem areas and implement fixes. If you can set up a version of the system in a sandbox environment, then it’s easy to test expected behaviour once the root expiration occurs,” Callan said. “Just set the client system clock forward to a date after the expiration date to ensure certificate chaining will work correctly. Alternately, you can manually uninstall or distrust the root that is set to expire (in the sandbox environment, of course) to assure yourself that systems are only using the newer roots.”

    He added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs, while radically decreasing their average lifespan. “That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal,” he said.

    Digital Shadows senior cyber threat analyst Sean Nikkel told ZDNet that Let’s Encrypt put everyone on notice back in May about the expiration of the Root CA today and offered alternatives and workarounds to ensure that devices would not be affected during the changeover. They have also kept a running forum thread open on this issue with fairly quick responses, Nikkel added.

    “A not-great practice that’s been floated already as a workaround to the problem is allowing untrusted or invalid certificates. Users should be cautious about making a move that potentially opens the door to attackers using compromised certificates,” Nikkel said. “Some users have recommended settings allowing for expired certificates from trusted issuers; however, these can also have malicious uses. In any case, administrators should examine the best solution for them but also understand the risks to any workarounds. Alternatively, administrators can look at alternate trust paths by using the intermediate certificate that Let’s Encrypt has set up or following suggested configurations from their May bulletin.”

  • Proxy Phantom: Fraud rings flood online merchants with credential stuffing attacks

    A massive fraud operation slamming e-commerce merchants in account takeover attacks has been revealed by researchers.

    On Thursday, fraud prevention company Sift said the ring, dubbed Proxy Phantom, is using over 1.5 million sets of stolen account credentials in automated credential stuffing attacks against online merchants.  Credential stuffing attacks generally rely on a database of stolen credentials — potentially sourced from data breaches or data dumps leaked and sold online — to slam a domain with login requests.  Many of us use the same username and password combinations across different services — although we shouldn’t — and so a data breach at one company could lead to account compromise at another.  Estimates suggest that only 0.1% of credential stuffing attacks are successful. However, once you consider that thousands of account combinations could be tried at the same time, despite the low success rate, these attacks can still be worthwhile — especially when they are used against merchants or financial services.  According to Sift’s Q3 2021 Digital Trust & Safety Index, Proxy Phantom “flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second.”  Connected, rotating IP addresses were also used to make the requests appear to stem from different geographical locations and primarily targeted e-commerce platforms and online services.  

    The IP clusters doubled between April and June 2021. “As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of “whack-a-mole,” with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace,” Sift said. In addition, the report states that account takeover attacks detected by the company increased by 307% over Q3. Specifically, the financial sector is a top target, including cryptocurrency exchanges and digital wallet services.

    Earlier this month, Netacea published an index documenting the activities of scalper bots. These types of automated systems are built to beat online queues for high-ticket items such as concert tickets and gaming consoles in order to resell and generate a profit for their operators. In the past few months, the PlayStation 5, cryptocurrency mining cards, and Nvidia RTX 3000 series chips have been highly sought by scalpers.

  • Alexa, Ring, and Astro: Where's my privacy, Amazon?

    This year’s Amazon hardware event was quite a doozy. The Seattle-based company showcased an updated health band with a nutritionally-guided personalized shopping service, a flying security drone, more indoor and outdoor cameras, and an autonomous sentry robot.  All of which are powered in some way by AWS machine learning and left me thinking about one word: privacy.

    Do I really want all of these products in my own home and as part of my life? Admittedly, there is a certain appeal to Amazon’s pitch of having their technology live in the background, transparently, to enable our real-world experiences better. The best user interface is the effectively invisible one, like the ever-watchful and ready-to-talk computers on shows like Star Trek. They’re benevolent AIs that always look out for us, keeping us out of harm’s way while accepting our queries and commands. Granted, I’ve already accepted a lot of these devices into my life. I have five Alexa-compatible smart speakers positioned in different parts of the house, so I have full coverage to deal with home automation issues. I also have a Google Home in the kitchen, plus multiple Siri-enabled mobile devices (Watch, iPhone, iPad, Mac, Apple TV). And of course, I have webcams for doing Zoom calls and the like on my Mac workstation and on my iPad and iPhone — all of which aren’t on unless I want them to be, presumably. But so far, I have resisted the notion of having cameras all over the place, peering inside the home’s interior spaces. Sure, I have some Ring devices guarding the front of the house, but there’s nothing recording inside. Part of this stems from the fact that I have no children, so I do not need to check up on them. I also rarely travel for extended periods away from my home. Besides my wife, my two miniature poodles are the only other residents of Chateau Perleaux. I live in a gated community with only one way in and out, and I’m alerted immediately if someone should be let through if they aren’t on my regular list.  Would I want cameras inside if I had young children? I honestly don’t know. I can tell you that I see very little value from doing it now, and quite frankly, my lifestyle tends to border on the, shall we say, bohemian. 
I live in a warm-weather state, and if I don’t have guests over, full clothing is optional, especially when using my pool and spa during hot afternoons and humid evenings, which is a big part of living in Florida. So I have no desire for Ring, Blink, or Astro to be capturing my spouse or me in various states of undress. I don’t need something that chases me around my house like an attention-deprived puppy, constantly scanning everything around it. I have no idea where that video is going and if a human will ever review it for improving machine-learning purposes.

    This is not to say I might not come around to the idea of having a robot, eventually. But besides being an Echo Show on wheels, Astro doesn’t do anything except act as a constant sentry. Unlike the Tesla Bot, which doesn’t even exist in demos yet, it doesn’t have arms to manipulate things and perform general-purpose tasks.

    It’s not just the cameras, though. It’s this constant desire by Amazon to suck up and process data created by its customers using its products so it can further monetize it. And that’s the big difference I see between Amazon and its industry peers like Apple. This is especially true when we see things like the new Nutrition service attached to their Halo band, automatically formulating a meal plan and ordering groceries from Whole Foods based on your health data. I’m not sure I like the idea of Amazon telling me what I should eat, either. With Apple products, such as the Watch, that collect a lot of personalized data from its sensors, all of the metrics can be reviewed by the end-user and easily erased. They have tools within iOS to adjust permissions of Health data and which applications have access to it. Amazon doesn’t have this level of user control for everything that goes into its cloud, or at least it isn’t easy to get to or isn’t centralized under a single console.  I can get to my voice command history, detect sounds on Alexa (for its opt-in Guard service), and set expirations for three months, 18 months, or until I delete it. Still, I have no idea what other noises are detected or recorded — and if humans ever review them. I also can’t hear the captured sounds and voices in the UX; I can only view a log that it was recorded and be given the option to delete it. With Ring, I can view the video recordings stored in the cloud. Do users have full control over what Astro or their flying Ring drone uploads to AWS? Besides law enforcement, what humans can view these video recordings, besides customer-chosen third-parties, for its newly announced security service? I have no idea. Amazon needs to do a better job detailing and disclosing what data is recorded, where it goes, who can review it, and providing better tools to manage this recorded information. Otherwise, I’m not sure any of us will ever feel fully comfortable having these devices in our homes.

  • These systems are facing billions of attacks every month as hackers try to guess passwords

    Computer networks are being aggressively bombarded with billions of password-guessing attacks as cyber criminals attempt to exploit the growth in remote desktop protocol (RDP) and other cloud services in corporate environments. Cybersecurity researchers at ESET detected 55 billion new attempts at brute-force attacks between May and August 2021 alone – more than double the 27 billion attacks detected between January and April. 

    Successfully guessing passwords can provide cyber criminals with an easy route into networks and an avenue they can use to launch further attacks, including delivering ransomware or other malware. Once in a network, they’ll attempt to use that access to gain additional permissions and manipulate the network, performing actions like turning off security services so they can go about their activities more easily.

    One of the most popular targets for brute-force password-guessing attacks is RDP services. The rise in remote working has led to an increase in people needing to use remote-desktop services. Many of these are public-facing services, providing cyber criminals with an opportunity to break into networks – and it’s an opportunity they’re eager to exploit. The sheer number of attacks means most will be automated, but if accounts are secured with simple-to-guess or common passwords – and many are – then they can make easy pickings for attackers. Once a password has been successfully breached, it’s likely an attacker will take a more hands-on approach to reach their end goal.

    “With the number of attacks being in the billions, this is impossible to do manually – so these attack attempts are automated. Of course, there is always a manual aspect when cybercriminals are setting up or adjusting the attack infrastructure and specifying what types of targets are in their crosshairs,” Ondrej Kubovič, security awareness specialist at ESET, told ZDNet.

    In addition to targeting RDP services, cyber criminals are also going after public-facing SQL and SMB services. These services will often be secured with default passwords that attackers can take advantage of. 

    One of the reasons why brute-force attacks are successful is that so many accounts are secured with simple, one-word passwords. Requiring passwords to be more complex could go a long way to preventing the accounts from being breached in brute-force attacks. The National Cyber Security Centre suggests users use three memorable words as a password – something that’s far more robust against brute-force attacks than a single word.

    Organisations can also provide an additional layer of protection against brute-force password-guessing attacks – and other campaigns – by deploying multi-factor authentication (MFA). Using MFA means that, even if the attackers know the correct password, there’s an extra barrier to prevent them from automatically being able to access the network.

  • Fears surrounding Pegasus spyware prompt new Trojan campaign

    A recent investigation into how Pegasus spyware is being used to monitor civil rights agencies, journalists, and government figures worldwide is being abused in a new wave of cyberattacks. 

    Pegasus is a surveillance system offered by the NSO Group. While advertised as software for fighting crime and terrorism, a probe into the spyware led to allegations that it is being used against innocents, including human rights activists, political activists, lawyers, journalists, and politicians worldwide.  Israel-based NSO Group denied the findings of the investigation, conducted by Amnesty International, Forbidden Stories, and numerous media outlets.  Apple has since patched a zero-day vulnerability utilized by Pegasus, a discovery made together with Citizen Lab.  Now, cybercriminals unconnected to Pegasus are attempting to capitalize on the damning report by promising individuals a way to ‘protect’ themselves against such surveillance — but are secretly deploying their own brands of malware, instead.   On Thursday, researchers from Cisco Talos said that threat actors are masquerading as Amnesty International and have set up a fake domain designed to impersonate the organization’s legitimate website. This points to an ‘antivirus’ tool, “AVPegasus,” that promises to protect PCs from the spyware. 

    However, according to Talos researchers Vitor Ventura and Arnaud Zobec, the software contains the Sarwent Remote Access Trojan (RAT). The domains associated with the campaign are amnestyinternationalantipegasus[.]com, amnestyvspegasus[.]com, and antipegasusamnesty[.]com. Written in Delphi, Sarwent installs a backdoor onto machines when executed and is also able to leverage a remote desktop protocol (RDP) to connect to an attacker-controlled command-and-control (C2) server. The malware will attempt to exfiltrate credentials and is also able to download and execute further malicious payloads.

    The UK, US, Russia, India, Ukraine, the Czech Republic, Romania, and Colombia are the most targeted countries to date. Talos believes the cyberattacker behind this campaign is a Russian speaker who has operated other Sarwent-based attacks over 2021. “The campaign targets people who might be concerned that they are targeted by the Pegasus spyware,” Talos says. “This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination there. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.”

  • These ransomware crooks are complaining they are getting ripped off – by other ransomware crooks

    Cyber criminals using a ransomware-as-a-service scheme have been spotted complaining that the group they rent the malware from could be using a hidden backdoor to grab ransom payments for themselves. REvil is one of the most notorious and most common forms of ransomware around and has been responsible for several major incidents. The group behind REvil leases its ransomware out to other crooks in exchange for a cut of the profits these affiliates make by extorting Bitcoin payments in exchange for the ransomware decryption keys that the victims need.

    But it seems that cut isn’t enough for those behind REvil: it was recently disclosed that there’s a secret backdoor coded into their product, which allows REvil to restore the encrypted files without the involvement of the affiliate. This could allow REvil to take over negotiations with victims, hijack the so-called “customer support” chats – and steal the ransom payments for themselves. Analysis of underground forums by cybersecurity researchers at Flashpoint suggests that the disclosure of the REvil backdoor hasn’t gone down well with affiliates. One forum user claimed to have had suspicions of REvil’s tactics, and said their own plans to extort $7 million from a victim were abruptly ended. They believe that one of the REvil authors took over the negotiations using the backdoor and made off with the money.

    Another user on the Russian-speaking forum complained they were tired of “lousy partner programs” used by ransomware groups “you cannot trust”, but also suggested that the status of REvil as one of the most lucrative ransomware-as-a-service schemes means that wannabe ransomware crooks will still flock to become affiliates. That’s particularly the case now the group is back in action after appearing to go on hiatus earlier in the summer. For those scammers who think they’ve been scammed, there’s not a lot they can do (and few would have sympathy for them). One forum user suggested any attempt at dealing with this situation would be as useless as trying to arbitrate “against Stalin”. Ransomware remains one of the key cybersecurity issues facing the world today. For victims of ransomware attacks, it ultimately doesn’t matter who is on the other end of the keyboard demanding payment for the decryption key – many will just opt to pay the ransom, perceiving it as the best way to restore the network.

    But even if victims pay the ransom – which isn’t recommended because it encourages more ransomware attacks – restoring the network can still be a slow process and it can be weeks or months before services are fully restored.

    Be it REvil or any other ransomware gang, the best way to avoid the disruption of a ransomware attack is to prevent attacks in the first place. One of the key ways organisations can help stop ransomware attacks is to make sure operating systems and software across the network are patched with the latest security updates, so cyber criminals can’t easily exploit known vulnerabilities to gain an initial foothold. Multi-factor authentication should also be applied to all users to provide a barrier to hands-on attackers being able to use stolen usernames and passwords to move around a compromised network.