More stories

  • Google is backing security reviews of these key open source projects

    Google recently pledged $100 million to groups that manage open source security priorities and help fix vulnerabilities, and it has now detailed eight of the projects it has chosen to support. Just last month, the Linux Foundation announced it would directly fund people to work on the security of open-source projects. It’s got support from Google, Microsoft, the Open Source Security Foundation and the Linux Foundation Public Health foundation. The Linux Foundation coordinates fixes when bugs are found.  The foundation and peers are looking for previously unknown security issues via security audits that will be undertaken by the Open Source Technology Improvement Fund (OSTIF). These projects include two Linux kernel security audits.


    Now Google has thrown its weight behind a chunk of OSTIF’s immediate audit plans. “Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open source ecosystem,” said Kaylin Trychon, a security comms manager on the Google Open Source Security team. Probably the biggest of the eight audit projects Google is funding is Git, the “de facto” version control software created by Linux kernel creator Linus Torvalds and which forms the basis of platforms like GitHub and GitLab. “Git is the second-most critical application in C and the 10th-most critical application across all platforms,” OSTIF notes, adding that it is “undoubtedly one of the most critical pieces of open-source software in the world.”

    The rest are important JavaScript and Java tools and frameworks for web development, including: Lodash, a modern JavaScript utility library for web development that’s used in Chrome and other browsers; Laravel, a PHP web application framework; SLF4J or Simple Logging Facade for Java; the Jackson-core JSON for Java and the Jackson-databind package; and Httpcomponents-core and Httpcomponents-client. “The eight libraries, frameworks and apps that were selected for this round are those that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them,” explained Trychon. The contribution from Google will help OSTIF find and fix bugs in key open source projects. OSTIF has identified a total of 25 MAP projects targeted for funding, including the eight that Google has funded to date. Other projects with funding pending support include well-known systems and tools developers use, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat’s Ansible, and Google’s Guava Java framework. After a meeting between US president Joe Biden and top US tech companies last month, Google announced a $10 billion commitment to expanding zero-trust programs, helping to secure software supply chains, and enhancing open source security.

  • Get 3 Years of powerful, super-fast VPN Protection from HotSpot Shield for just $89

    Now that travel is becoming more normal, you may want to start thinking about a couple of things in addition to where you go and what you’ll pack. Especially if you’ll be visiting foreign destinations, you may want to learn a new language and choose a powerful VPN. So it’s a good thing you can get a great deal on three years of HotSpot Shield VPN Premium at the moment.

    When comparing VPNs, there are several different factors you need to consider. Obviously, you want one with powerful security, and HotSpot Shield has you covered. You get military-grade encryption, as well as a kill switch. So if you get disconnected from a HotSpot Shield server, you automatically get disconnected from the internet, which ensures not one single bit of your data is put at risk.

    HotSpot Shield also offers the ultimate privacy protection. There is a strict policy of zero-logging, and you are guarded against phishing attempts. Also, when traveling internationally, you don’t want to have to worry about what content is available where when you’re ready to stream your favorite shows. With over 3,200 servers spread among 80 countries, HotSpot Shield makes that a non-issue. Speed is another factor. While some VPNs have to sacrifice at least a little bit of connection speed to maintain the highest security, HotSpot Shield actually offers super-fast connections that go up to 1Gbps. So no matter what you’re doing online, you don’t have to worry about latency or buffering. As a matter of fact, it has specific gaming and streaming modes. TechRadar said HotSpot Shield had “More than twice the top speed we’ve seen from many competitors”, while Ookla’s Speedtest called it the “world’s fastest VPN” for two years in a row. You don’t want to miss this opportunity to grab an excellent bargain on three years of speedy, powerful VPN protection that includes unlimited bandwidth. Get HotSpot Shield VPN Premium: 3-Yr Subscription today while it’s available for just $89.99.


  • New Go malware Capoae targets WordPress installs, Linux systems

    A new strain of malware, written in Go, has been spotted in cyberattacks launched against WordPress and Linux systems.

    On Thursday, Larry Cashdollar, senior security researcher at Akamai, said the malware, dubbed Capoae, is written in the Golang programming language (fast becoming a firm favorite with threat actors due to its cross-platform capabilities) and spreads through known bugs and weak administrative credentials. Vulnerabilities exploited by Capoae include CVE-2020-14882, a remote code execution (RCE) flaw in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP. The malware was spotted after a sample targeted an Akamai honeypot. A PHP malware sample arrived through a backdoor linked to a WordPress plugin called Download-monitor, installed after the honeypot’s lax credentials had been obtained through a brute-force attack. This plugin was then used as a conduit to deploy the main Capoae payload, a 3MB UPX-packed binary, to /tmp, where it was then decoded. XMRig is then installed in order to mine for the Monero (XMR) cryptocurrency. Alongside the cryptocurrency miner, several web shells are also installed, one of which is able to upload files stolen from the compromised system. In addition, a port scanner has been bundled with the miner to find open ports for further exploitation. “After the Capoae malware is executed, it has a pretty clever means of persistence,” Cashdollar says. “The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you’d likely find system binaries. It then generates a random six-character filename, and uses these two pieces to copy itself into the new location on the disk and deletes itself. Once this is done, it injects/updates a Crontab entry that will trigger the execution of this newly created binary.”

    Capoae will attempt to brute-force attack WordPress installations to spread and may also utilize CVE-2019-1003029 and CVE-2019-1003030, both of which are RCE flaws impacting Jenkins, and infections have been traced to Linux servers. Cashdollar said that the Capoae campaign highlights “just how intent these operators are on getting a foothold on as many machines as possible.” Major signs of infection include high system resource use, unexpected or unrecognizable system processes in operation, and strange log entries or artifacts, such as files and SSH keys. “The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here,” Cashdollar commented. “Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time.” In a second blog post, Akamai has also examined the evolution of Kinsing, malware that utilizes known vulnerabilities in unpatched systems to operate and spread a cryptocurrency mining botnet. According to researcher Evyatar Saias, Kinsing was first spotted in February by Akamai and, at first, only targeted Linux. However, a recent upgrade has allowed the botnet to also strike Windows systems across the Americas, Asia, and Europe.
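    As an added defensive example that is not from the Akamai write-up or from this article: a small Python check that parses crontab lines and flags any entry whose command is an unfamiliar six-character binary living in a system binary directory, which is the persistence pattern Cashdollar describes above. The sample crontab, the allowlist of known binaries, and the assumption that the random name is lowercase alphanumeric are all constructed for the demonstration; a real deployment would build the allowlist from the host’s package inventory or golden image.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not taken from the Akamai report). The third
# line mimics the described persistence: an every-minute job pointing at a
# random six-character binary dropped into a legitimate-looking system path.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /usr/sbin/xkqzpt >/dev/null 2>&1
@reboot /opt/backup/run.sh
*/5 * * * * /usr/local/bin/node-exporter --web.listen-address=:9100
"""

# Directories where a system binary would normally be found; the malware is
# said to choose from a small list of locations like these.
SYSTEM_BIN_DIRS = (
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin",
)

# Hypothetical baseline of binaries the defender already knows about
# (constructed here; in practice derived from the package manager or image).
KNOWN_BINARIES = {"/usr/bin/certbot", "/usr/local/bin/node-exporter"}

# Assumption: the random six-character filename is lowercase alphanumeric.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6}$")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split active crontab lines into {'schedule': ..., 'command': ...} records.

    Handles both five-field schedules and @reboot/@daily style shortcuts;
    blank lines and comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry, not enough fields
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            entries.append({"schedule": parts[0], "command": parts[1]})
    return entries


def suspicious_entries(text: str, known=KNOWN_BINARIES) -> List[str]:
    """Return executables that match the random-name-in-system-path pattern."""
    flagged = []
    for entry in parse_crontab(text):
        exe = entry["command"].split()[0]
        directory, _, name = exe.rpartition("/")
        if directory in SYSTEM_BIN_DIRS and exe not in known and RANDOM_NAME.match(name):
            flagged.append(exe)
    return flagged


if __name__ == "__main__":
    for exe in suspicious_entries(SAMPLE_CRONTAB):
        print(f"suspicious cron target: {exe}")
```

    Run against the constructed sample, the check reports only /usr/sbin/xkqzpt; the certbot and node-exporter jobs are in the allowlist and the /opt/backup script is outside the system directories. On a real host you would feed it the output of the system and per-user crontabs and pair any hit with the other indicators in the article (CPU use, unknown processes, unexpected SSH keys).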

  • Ransomware attackers targeted app developers with malicious Office docs, says Microsoft

    Microsoft has detailed how it recently saw hackers exploiting a dangerous remote code execution vulnerability in the MSHTML (aka Trident) rendering engine of Internet Explorer through rigged Office documents, and targeting developers. Microsoft security researchers discovered the flaw being actively exploited on Windows systems in August, and this week’s Patch Tuesday update included a patch for the previously unknown bug, tracked as CVE-2021-40444.

    The attacks were not widespread and the vulnerability was used as part of an early stage attack that distributed custom Cobalt Strike Beacon loaders. Cobalt Strike is a penetration testing tool. Rather than the work of state-sponsored hackers, Microsoft found the loaders communicated with infrastructure that it links to several cyber-criminal campaigns, including human-operated ransomware, according to Microsoft’s analysis of the attacks. The social-engineering lure used in some of the attacks suggested an element of deliberate targeting, Microsoft said: “The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted.” At least one organization that was successfully compromised by this campaign was previously compromised by a wave of similarly themed malware, Microsoft said. In a later wave of activity, however, the lure changed from targeting application developers to a “small claims court” legal threat.

    The attackers in this case were using the IE rendering-engine flaw to load a malicious ActiveX control via an Office document. Despite the attack gaining access to affected devices, the attackers still relied on stealing credentials and moving laterally to affect the entire organization. Microsoft recommends customers apply Tuesday’s patch to fully mitigate the vulnerability, but also recommends hardening the network, cleaning up key credentials, and taking steps to mitigate lateral movement. Microsoft considers this attack to be the work of an emerging or “developing” threat actor and is tracking the use of the Cobalt Strike infrastructure as DEV-0365. It appears to be run by a single operator. However, Microsoft believes that follow-on activity, for example, delivered the Conti ransomware. The software giant suggests it could be a command-and-control infrastructure that’s sold as a service to other cybercriminals. “Some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878,” Microsoft notes. The BazaLoader malware has been used by malicious call center operators who use social engineering to trick targets into calling operators, who then attempt to trick victims into voluntarily installing malware. The groups do not use malicious links in emails reaching out to targets, thereby bypassing common email-filtering rules.

  • Health apps 'playing fast and loose' with user data, warns FTC chief

    The Federal Trade Commission (FTC) has warned that health apps and devices that collect or use personal health information must comply with rules requiring them to notify consumers if their health data is leaked. “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said FTC chair Lina Khan.


    She pointed to a study warning of problems with health apps ranging from insecure transmission of user data, including geolocation, to unauthorized dissemination of data to advertisers and other third parties in violation of the apps’ own privacy policies. “While users have been adopting health apps at a rapid rate, the commercial owners of these apps too often fail to invest in adequate privacy and data security, leaving users exposed,” Khan said. The Commission said that health apps, which track everything from glucose levels to heart health to fertility and sleep, are collecting sensitive and personal data. Consequently, the data they collect must be secured, and unauthorized access prevented. The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization.

    “In practical terms, this means that entities covered by the rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information,” the FTC said. Under the rule, a ‘breach’ is not just defined by a cyberattack; unauthorized access, including sharing of covered information without an individual’s permission, also triggers notification obligations. “As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data,” the FTC said. Although the Health Breach Notification Rule has been in place for over a decade, it has never been used. And the FTC worries that, with the rise of health apps and other connected devices, there are still too few privacy protections in place. The Commission said it “intends to bring actions to enforce the rule” with violations leading to civil penalties of $43,792 per violation per day. The breach notification rule provides some accountability for tech firms that abuse our personal information, but a more fundamental problem is the commodification of sensitive health information, with companies using this data to feed behavioral ads or power user analytics, said Khan.

    “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she said. The FTC said a health app would be covered under the rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.

  • Australia, UK, and US form trilateral pact focused on security in Indo-Pacific

    Australia, the UK, and the US are setting up a trilateral partnership aimed at addressing defence and security concerns in the Indo-Pacific region. The security partnership, called AUKUS, will look to promote deeper information and technology sharing between the three governments, with Australian Prime Minister Scott Morrison saying the new security partnership would enhance existing networks such as ANZUS, the Quad, and the Five Eyes alliance. “We will foster deeper integration of security and defense-related science, technology, industrial bases, and supply chains. And in particular, we will significantly deepen cooperation on a range of security and defense capabilities,” the governments said in a joint statement. While the three countries didn’t mention China by name, the initiative appears to be a response to China’s expansionist drive in the South China Sea and increasing belligerence towards Taiwan. “Our world is becoming more complex, especially here in our region, the Indo-Pacific,” Australian Prime Minister Scott Morrison said on Thursday morning, alongside the respective leaders of the UK and US. Speaking from Washington DC, US President Joe Biden said the three countries needed to address “the current strategic environment in the region and how it may evolve”. “The future of each of our nations and indeed the world, depends on a free and open Indo-Pacific enduring and flourishing in the decades ahead,” Biden added.

    The first initiative AUKUS will embark on is helping Australia acquire nuclear-powered submarines. Morrison said the three countries would spend the next 18 months drawing up a joint plan to assemble the new Australian nuclear-powered submarine fleet. The submarine fleet will be built in Adelaide. UK Prime Minister Boris Johnson, meanwhile, touted the project would be “one of the most complex and technically demanding projects in the world, lasting decades and requiring the most advanced technology”. In announcing this initiative, the governments jointly said the submarines are not an attempt to acquire nuclear weapons or establish a civil nuclear capability, and that the countries would continue to meet their nuclear non-proliferation obligations. Along with the submarines, AUKUS will also look to create initiatives that increase cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities, the governments said. The new trilateral partnership follows the three governments, along with the North Atlantic Treaty Organization (NATO) and other nations, accusing China of being the actor responsible for the Exchange hack back in April. Meanwhile, Australia last year did almost everything but name China as the actor responsible for cyber attacks that targeted all levels of government in Australia, as well as the private sector. “Australia doesn’t judge lightly in public attributions, and when and if we choose to do so, it is always done in the context of what we believe to be in our strategic national interest,” Morrison said at the time.

  • OWASP updates top 10 vulnerability ranking for first time since 2017

    Nonprofit foundation Open Web Application Security Project (OWASP) has released an updated draft of its ranking of the top 10 vulnerabilities, the first changes to the list since November 2017. The new list features considerable changes, including the emergence of Broken Access Control, which moved from fifth on the list to number 1. The organization said 94% of applications have been tested for some form of broken access control and “the 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.” Cryptographic Failures also moved up the list to number 2 due to its connection to sensitive data exposure and system compromise. Injection moved down to the third spot, but OWASP noted that 94% of the applications were tested for some form of injection, which now includes cross-site scripting. A new category, Insecure Design, made its way into the fourth spot on the list, followed by Security Misconfiguration, which moved up one spot compared to the 2017 list. Security Misconfiguration now includes external entities, and the list’s authors said it was not surprising considering 90% of applications were tested for some form of misconfiguration and that there have been more shifts to highly configurable software. Vulnerable and Outdated Components was ranked number 9 in 2017 but moved up to number 6 for this year’s ranking. “It is the only category not to have any CVEs mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores,” the list’s authors noted.

    Identification and Authentication Failures, previously called Broken Authentication, fell significantly from number 2 to 7, with OWASP explaining that the increased availability of standardized frameworks has helped in addressing it. Software and Data Integrity Failures is an entirely new category for 2021 and focuses primarily on assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. “One of the highest weighted impacts from CVE/CVSS data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category,” OWASP said. Security Logging and Monitoring Failures was previously last on the list but moved up one spot and has expanded to include other types of failures. While these are challenging to test for, they can “directly impact visibility, incident alerting, and forensics.” Last on the list is Server-Side Request Forgery, which has a “relatively low” incidence rate but was cited highly by industry professionals. OWASP said that overall, there were three new categories and four others that had either name or scope changes made for the 2021 list. OWASP, which has put the list together for more than a decade, compiles the list based on contributed data and industry surveys. “We do this for a fundamental reason, looking at the contributed data is looking into the past. AppSec researchers take time to find new vulnerabilities and new ways to test for them. It takes time to integrate these tests into tools and processes,” OWASP said. “By the time we can reliably test a weakness at scale, years have likely passed. To balance that view, we use an industry survey to ask people on the front lines what they see as essential weaknesses that the data may not show yet.” Jayant Shukla, CTO of K2 Cyber Security, told ZDNet that instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications. Shukla noted that one of the reasons Server-Side Request Forgery attacks and authentication issues are becoming more severe is the rapid increase in the use of microservices in building applications. “These new risk categories emphasize the need to shift left and improve pre-production testing. Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect,” Shukla said. “In fact, the National Institute of Standards and Technologies has recognized these shortcomings, and last year updated their SP800-53 application security framework to include Runtime Application Self Protection and Interactive Application Security Testing to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.”

  • Dell announces new features for EMC PowerScale and other security updates

    Dell unveiled a slate of new features that come with its NAS solution EMC PowerScale on Wednesday, announcing that the tools “provide more flexible consumption, management, protection and security capabilities to eliminate data silos and help you effectively use unstructured data.” In a statement, the company said the PowerScale hybrid nodes (H700 and H7000) are able to provide 75% more performance than comparable nodes, while the archive nodes (A300 and A3000) are two times more effective than similar products. “New PowerScale OneFS and DataIQ software enhancements expand storage management, performance monitoring, auditing and compliance capabilities to simplify file storage at scale. Enhancements to our API-integrated ransomware protection capabilities keep data protected from cyberattacks and now offer cloud deployment options in addition to on-premises,” Dell explained in a release. “Dynamic NAS Protection, available with PowerProtect Data Manager, delivers a simple, modern way to protect NAS systems through enhanced backup for file data enabling up to 3X faster backups and up to 2x faster restores.” The H700, H7000, A300 and A3000 represent what Dell called a “refresh” of the Isilon line of products that were unveiled last year. Dell said the new nodes offer more cores, memory and cache, additional networking options and more compatibility options. Nassos Galiopoulos, CTO at the University of Texas, San Antonio, said the Dell EMC PowerScale provides multiple nodes for transferring unstructured data at high speeds across the school’s HPC environment and scaling quickly to support their exponential data growth. “We now handle billions of records, along with big data analytics, AI, and machine learning, with tremendous velocity, variety, and volume,” Galiopoulos said.

    Later this quarter, Dell will also be releasing updates to OneFS that will allow the OS to “deliver writable snapshots, faster upgrades, secure boot, HDFS ACL support, and improved data reduction and small file efficiency.” DataIQ was enhanced recently to make it easier for users handling large scale clusters, and the updates allowed for UI enhancements as well as the ability to run reports to analyze volumes by time stamps. Dell unveiled new security features designed to help organizations deal with ransomware attacks. The “Cyber Protection and Recovery solution from Superna for PowerScale” was built to assist enterprises in responding to and recovering from ransomware attacks. It now includes the Superna Ransomware Defender tool as well. “With this solution, customers can recover their data from a cybersecurity event leveraging the public cloud. A new Superna AirGap Enterprise provides more advanced automation to the air gap feature,” Dell explained. “Additional new productivity features to Superna’s Search and Recover and Easy Monitor capabilities also further expand PowerScale’s exceptional management and control capabilities. For organizations looking to manage easily, incremental-forever NAS data protection with rapid recovery at the file level, today we announced Dynamic NAS Protection, a simple, modern way to protect your NAS systems.” USC Australia infrastructure analyst Drew Hills noted that his organization has multiple policies using a variety of backup methods to protect files on their NAS and Windows File Clusters. “With PowerProtect Data Manager, Dynamic NAS Protection automatically slices shares, filesystems and volumes into multiple streams that run in parallel within the same policy,” Hills added. “It also automatically balances and scales across resources, simplifying management while accelerating backups faster than ever before.”