More stories


    Android developers will need to add iOS-like privacy information soon

    Google will follow in the footsteps of Apple and is set to introduce privacy information requirements for developers that publish apps in its Play Store. The company said in a blog post that developers will need to state what data is collected and stored, such as location, contacts, name, email address, and types of files stored; how the data is used, such as whether it changes app functionality or personalisation; which security practices, such as encryption, the app uses; and if the app follows Google’s families policy. App makers will also need to state whether apps need the data to function and whether users have a choice in sharing it, and whether users can request data deletion upon uninstalling an app. Google said it will additionally require developers to declare if the stated privacy information is verified by an independent third party. The company added that the onus will be on developers to be truthful, and if they are found to be telling fibs, they could be “subject to policy enforcement”. “All apps on Google Play — including Google’s own apps — will be required to share this information and provide a privacy policy,” the company said. Laying out the timeline for these requirements, the new policy is set to appear in the next quarter and developers will be able to voluntarily disclose the privacy information in the final quarter of 2021. Meanwhile, users will be able to view the information in the first quarter of 2022 before the hard requirement lands in the second quarter of 2022.

    At the end of last year, Apple began to publish privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS. Google notoriously took a long time to begin publishing iOS privacy summaries.


    Best security system in 2021: Secure your home or business


    You don’t need to spend a fortune on making your home office secure, and thanks to mobile technology, our options are now far beyond a locked door and window fastenings. Smart video doorbells that record both video and audio feeds in real-time when you have a visitor; motion and sound sensors that can be used in and outside; digital door locks; cameras with excellent night vision — the range of products that leverage mobile connectivity, apps, and Internet of Things (IoT) sensors is endless. That is not to say that all smart home security products are created equal, and not every home needs to have all the bells and whistles when it comes to security — sometimes, a few select pieces can create a home ecosystem that is enough to protect your home (and office) against intruders, as well as alert you when suspicious activity is detected. It is also worth noting that any device with connectivity may itself contain vulnerabilities that could be exploited — and may endanger its users’ privacy as a result — and so when you pick an IoT device vendor, it should be one that maintains a frequent security program and patch cycle. ZDNet has created a list of recommendations suiting a variety of budgets and setups to help homeowners and remote workers decide how best to protect their properties, ranging from full kits to useful window sensors and cameras suitable for use both in and outdoors.

    Smart video doorbell

    A smart video doorbell is one of those products that you didn’t realize could be a great addition to daily life until you invest in one. It may seem like overkill to go for a doorbell with Internet connectivity, video and audio feeds, and the ability to check in remotely, but once you get used to the convenience of being able to chat to visitors and delivery staff no matter where you are, you can see their value. Convenience, however, is just one benefit, as these types of products can be a useful security addition, too: you can clearly see visitors before opening the door, as well as deter potentially unwanted ‘visitors’ checking out your home. Currently on sale at $169.99, the Ring Video Doorbell Pro is one product for consideration. The hardwired doorbell is able to record 1080p HD footage with two-way talk, and also comes with infrared night vision, sensors, and customizable ‘zones’ for motion detection alerts. Compatible with iOS, Android, Mac, and Windows 10, users can check in on their doorbell at any time. Live view is free but continual recording requires a subscription.

    Pros:
    • Useful for security and convenience when it comes to visitors and deliveries
    • Reliable and a modern design

    Cons:
    • You need to buy a separate, traditional ‘Chime’ accessory for a traditional sound alert
    • Needs either frequent battery charging or a hardwired power source

    Full, customizable smart home security system

    If the Ring ecosystem appeals to you, Ring also offers a full smart home security system that can be customized depending on the property and the user’s wishes when it comes to security. You can create your own security system by combining elements including home alarms, motion sensors, window and door contact sensors, keypads, a smart doorbell, panic buttons, and both indoor and outdoor cameras. Ranging in price from single $19.99 window sensors to a robust security package costing hundreds of dollars, the Ring range considers every point of entry into a home, whether you live in a small condo or a large house with extensive grounds.

    Pros:
    • You can tailor your home security and tackle any areas of real concern by choosing each product separately and bringing them into one network
    • Easy installation
    • You can hand over monitoring to a professional as an optional add-on

    Cons:
    • A full package can prove to be expensive
    • Some users do not find the siren to be as loud as they would like

    Standalone security camera that plugs into an outlet

    For do-it-yourself types who want a few security gadgets but not an entire setup, Google’s Nest Cams are worth considering. Nest Cam Indoor products are standalone security cameras that plug into an outlet. Once connected to the Nest mobile app, users are sent alerts when motion is detected and it is also possible to tap into the camera at any time to see what is going on at home. Built-in speakers and a microphone are included. Event-based or continual recording is on offer, and for free, snapshots taken over a three-hour time period are saved and viewable. A subscription option for 24/7 recording and storage is also available. Outdoor alternatives are on sale for $199.

    Pros:
    • Stylish and discreet
    • Night vision is a useful addition if you are away from home

    Cons:
    • Pets may trigger the camera by accident in the home
    • A subscription is required for premium features


    Includes Nest Guard, an alarm, keypad, and motion sensor

    If your smart home is making use of the Nest ecosystem and already includes products such as Google Home or Nest fire or CO2 alarms, the Secure package could be of interest to bolster home security. The $399 Nest Secure (currently on sale at Lowe’s) includes Nest Guard, an alarm, keypad, and motion sensor; two Nest Detect sensors suitable for use in monitoring doors, windows, or entire rooms; two open/close magnets for doors or windows; two Nest tags that are used to enable or disable alarms quickly; and mounting brackets. The Nest Detect sensors are able to detect motion and sound, and can also be set to chime when a door or window is opened — a useful feature if you have young children at home. A limited free option is available, alongside a feed monitoring and storage subscription. As Secure products are compatible with Google’s overall IoT ecosystem, users can ask their assistant to arm or disarm the Nest alarm remotely, and if the system thinks you have left home without arming, a reminder can be sent to your smartphone.

    Pros:
    • Versatile accessories in one kit that are enough to guard your average home’s entry points

    Cons:
    • Only compatible with Google Home and not Amazon Alexa or Apple’s HomeKit

    Includes motion sensor, entry sensor, panic button, and a key fob

    For hunters of a full security system without a long-term subscription, SimpliSafe’s home security system should be considered. SimpliSafe offers a $160 entry-level kit containing a motion sensor, entry sensor, panic button, and a key fob, which can be customized to include additional products such as a siren, video doorbell, glass break sensor, or smoke, water, and CO2 sensors. The Wi-Fi-connected system has a backup battery in case of a power outage, and the vendor maintains six monitoring centers to keep an eye on homes within the network — with operators alerting the police even if the devices are damaged by intruders. SimpliSafe offers a variety of subscriptions and accounts for over three million users in the United States.

    Pros:
    • No contract or long-term subscription required
    • Can be extended with sirens, water damage sensors, fire alarms

    Cons:
    • Expensive to set up beyond the entry kit


    Includes motion sensors, key fobs, and a camera

    Another popular option on the market is Honeywell’s home security kit. The bundle contains a selection of motion sensors, key fobs, and a camera able to record visual and audio footage in 1080p HD video. Night vision is also included. Honeywell’s security system can be set to automatically arm itself when you leave home, and if you forget to shut a window or door where a sensor is installed, for example, you can be sent alerts to this oversight. A key selling point about this option is versatility, as the security system can be set up to operate in existing IoT setups offered by various vendors. Amazon’s Alexa voice assistant is inbuilt to accept commands.

    Pros:
    • 1080p night vision camera
    • Compatibility with Alexa assistant built-in
    • Extendable with multiple sensors

    Cons:
    • The design won’t appeal to everyone

    Includes hub, a motion sensor, door sensor, and a keyfob

    Abode’s offering is a budget-friendly package that comes with an Abode hub, a motion sensor suitable for entryways or specific rooms, a small window or door sensor, and a keyfob for quickly arming or disarming the system. Users can install the system themselves and connect the hub to their mobile device, as well as control their kit through Amazon Alexa, Google Assistant, or Apple HomeKit. If you want to extend your security system further, additional Abode sensors and cameras can be added to the network. A basic, free plan or more extensive subscription is available.

    Pros:
    • Smart assistant support
    • Affordable
    • Cellular backup options available in the case of internet failure (subscription)

    Cons:
    • Additional accessories, such as door and window sensors, are expensive


    Monitor the lock status of a door

    An additional component you might want to consider for your home security setup is a smart lock. An alternative to a traditional deadbolt, a lock such as the August Wi-Fi Smart Lock, available in black and silver, connects to a user’s mobile device or Alexa assistant to monitor the lock status of a door. You do not need to replace your existing lock-and-key setup; instead, you attach the smart lock to a deadbolt. It is possible to set up the product to automatically detect when you come home and unlock the door, and in the same way, auto-lock when the door closes. If you want to grant others access to your home, “secure keys” can be sent to their mobile devices via the August app. However, it is worth noting this smart lock requires a 2.4GHz Wi-Fi network. The August Wi-Fi Smart Lock is currently on sale for $202.

    Pros:
    • Useful for visitors that you want to grant access to remotely
    • Heightened security for your door

    Cons:
    • The setup process can be arduous
    • Some users have reported issues with smart assistant integration

    Why are sensors important in a home security product?

    Sensors are the key ingredient in effective, discreet home security. There are many different kinds of sensors that are utilized in Internet of Things (IoT) products, including infrared, magnetic, audio, and motion, and each use depends on the type of security product involved. For example, motion sensors are used for video doorbells and both indoor and outdoor cameras — and heat sensors may also be thrown into the mix — whereas door and window products may use a combination of motion and magnetic sensors to detect unauthorized entry.

    Do you need an internet connection?

    When it comes to today’s smart, connected, IoT home security systems, the answer is usually yes. In comparison to business security offerings that are often monitored remotely, the central focus of home systems is to give the user power and visibility — and this generally requires internet connectivity and a mobile device.

    Do you need a subscription?

    Subscriptions aren’t compulsory when you buy a home security solution. In many cases, ‘basic’ setups will ping alerts to your handset when a sensor detects activity, allowing you to check your home in real-time — but will not necessarily keep any feeds or recordings for a long duration. It is worth signing up for a subscription if you want to make sure you have access to past event feeds. In addition, subscription services will usually sweeten the pot with additional layers of security such as automatic emergency calls and multiple device monitoring.

    Which security system is right for you?

    Unlike business premises, a home does not require spending a fortune in order to adequately protect its assets. Instead, a few products that have been carefully selected and placed in weak spots or entry points — including a front porch, garden, or close to ground floor windows — can be all that is needed: a camera or two — preferably with night vision — sensors monitoring windows, and, perhaps, a video doorbell or smart lock to protect your front door. Larger properties can benefit from additional security components linked to the same network, but in either case, today’s smart home security products can give you peace of mind both inside and outside the house. Many of us have been working from home during the pandemic, but as things begin to unlock and we do spend more time away from our residences, now may be the time to consider a security option that is right for you.

    Our selection process

    We wanted to consider as many security angles to protecting a home and home office as possible. Entry points including windows and doors can be protected through smart door locks, sensors, and cameras, and should an intruder manage to get into a property, monitoring systems that send alerts to homeowners can make all the difference between perpetrators being caught or getting away with their actions.


    Cloudflare surges as Q1 revenue tops expectations, outlook higher as well

    Network security and content delivery network provider Cloudflare this afternoon reported Q1 revenue that topped expectations, profit in line with Wall Street’s forecast, and an outlook for this quarter’s and the full year’s revenue that was higher as well. The report sent Cloudflare shares up by 6% in late trading. CEO and co-founder Matthew Prince noted the company had a “record-setting start to the year,” citing revenue growth but also the company’s retention rate among its customers of 123%. “We crossed 4 million total customers, and our large customer count was up 70% year-over-year, accounting for more than half of our total revenue,” said Prince. Added Prince, “We delivered terrific financial results while also investing in innovation, the fuel our engine runs on. “Firing on all cylinders, we’ve already announced or delivered more than 100 products and capabilities this year. There’s no slowing down as we continue to deliver business-critical offerings and displace point solutions with Cloudflare’s robust global network.” Revenue in the three months ended in March rose 51%, year over year, to $138.1 million, yielding a net loss of 3 cents a share, excluding some costs.

    Analysts had been modeling $131 million and negative 3 cents per share. For the current quarter, the company sees revenue of $145.5 million to $146.5 million, and net loss per share in a range of 3 cents to 4 cents. That compares to consensus for $139 million and a 3-cent loss per share. For the full year, the company sees revenue in a range of $612 million to $616 million, and EPS of $TK to $TK. That compares to consensus of $593 million and a 9-cent loss per share.


    Millions of older broadband routers have these security flaws, warn researchers

    Millions of users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for hackers.
    Millions of households in the UK are using old broadband routers that could fall prey to hackers, according to a new investigation carried out by consumer watchdog Which? in collaboration with security researchers. After surveying more than 6,000 adults, Which? identified 13 older routers that are still commonly used by consumers across the country, and sent them to security specialists from technology consultancy Red Maple Technologies. Nine of the devices, it was found, did not meet modern security standards.  Up to 7.5 million users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for malicious actors to spy on people as they browse, or to direct them to spam websites. 

    One major issue concerns the lack of upgrades that older routers receive. Some of the models that respondents reported using haven’t been updated since 2018, and even in some cases since 2016.  The devices highlighted for their lack of updates included Sky’s SR101 and SR102, the Virgin Media Super Hub and Super Hub 2, and TalkTalk’s HG523a, HG635, and HG533. Most of the providers, when they were contacted by Which?, said that they regularly monitor the devices for threats and update them if needed.  Virgin dismissed the research, saying that 90% of its customers are using later-generation routers. TalkTalk told ZDNet that it had nothing to add to the release. 

    The researchers also found a local network vulnerability with EE’s Brightbox 2, which could let a hacker take full control of the device. An EE spokesperson told ZDNet: “We take the security of our products and services very seriously. As detailed in the report, this is very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. (…) We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update.” In addition, BT Group – which owns EE – told Which? that older routers still receive security patches if problems are found. Red Maple’s researchers found that old devices from BT have been recently updated, and so did routers from Plusnet.

    The consumer watchdog advised that consumers who are still using one of the router models that are no longer being updated ask their providers for a new device as soon as possible. This, however, is by no means a given: while Virgin Media says that it gives free upgrades for customers with older routers, the policy is not always as clear with other providers. “It doesn’t hurt to ask,” said Hollie Hennessy, senior researcher at Which?. “While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old.” For consumers whose contracts are expiring soon, Hennessy suggested asking for a new router as a condition to stick with a given provider – and consider switching if the request is not met.

    Weak passwords remain a top concern

    On top of being denied regular updates, many older routers were also found to come with weak default passwords, which can be easily guessed by hackers and grant an outsider access. This was the case of the same TalkTalk and Sky routers, as well as the Virgin Media Super Hub 2 and the Vodafone HHG2500.

    The first thing to do, for consumers who own one of these models, is to change the password to a stronger one, as opposed to the default password provided, said Which?. The organization, in fact, is calling for the government to ban default passwords and prevent manufacturers from allowing consumers to set weak passwords as part of a new legislation that was proposed last month. As part of an effort to make devices “secure by design”, the UK’s Department for Digital, Culture, Media and Sport has announced a new law that will stop manufacturers from using default passwords such as “password” or “admin”, to better protect consumers from cyberattacks. The future law would also make it mandatory to tell customers how long their new product will receive security updates for. In addition, manufacturers would have to provide a public point of contact to make it easier to report security vulnerabilities in the products.

    In a similar vein, Which? called for more transparency from internet service providers. The organization said that providers should be more upfront about how long routers will be receiving firmware and security updates, and should actively upgrade customers who are at risk. Only Sky, Virgin Media and Vodafone appear to have a web page dedicated to letting researchers submit the vulnerabilities that they found in the companies’ products, according to Which?.


    Google is going to start automatically enrolling users in two-step verification

    Google will soon start pushing more Gmail users and Google Account holders to enable two-step verification — the extra layer of security that can protect people when their credentials have been phished or exposed through a data breach.  May 6 is “World Password Day” which is largely about making people less reliant on them for securing online accounts.  Google’s contribution this year is to nudge more people into enabling two-step verification, otherwise known as two-factor authentication.  Today, Google prompts its two billion Gmail users to enroll in two-step verification (2SV) but soon it will be automatically enrolling users.  “Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup),” Mark Risher, director of product management in Google’s Identity and User Security group, notes in a blogpost.  “You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious,” he says.   That second factor, be it a security key or a smartphone, means that someone in possession of your username and password — in most cases — can’t log into your account unless they have physical access to your device. 

    Google has refined its processes over the years to make 2SV less of an obstacle, but it can still be fiddly if you change a mobile phone number. Today, after signing in with a username and password, users who have enrolled in 2SV get a code via SMS, voice call or the Google app. The other option is a security key like Google’s Titan key. Google has also built its security keys into Android phones and last year delivered the same capability for iPhones via its Smart Lock app for iOS. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone,” notes Risher. Passwords, unfortunately, are still rife some 17 years after Microsoft co-founder Bill Gates predicted they would one day disappear. Since then the world has only seen a proliferation of new username and password combinations, but two-factor authentication is more widely adopted and supported in online consumer services and in the enterprise. Multi-factor authentication does work. According to Microsoft, 99.9% of the compromised accounts it tracks every month did not use multi-factor authentication. Microsoft has also been doing its bit in tackling outdated password policies that lead to people choosing bad passwords. Two years ago it changed a Windows 10 security baseline that until then recommended enterprise users change their password every few months. “Periodic password expiration is an ancient and obsolete mitigation of very low value,” Microsoft declared at the time. Google’s other key password assistant is the built-in password manager in Chrome. Apple offers the same feature in its Safari browser. Risher also points to an experimental feature in Chrome called “password import” recently spotted by The Verge. It lets users import passwords from a CSV file.


    Data leak implicates over 200,000 people in Amazon fake product review scam

    An open database has revealed the identities of over 200,000 individuals who appear to be involved in Amazon fake product review schemes. 

    There is an ongoing battle between the e-commerce giant and dubious sellers, worldwide, who wish to hamstring competitors and gain an edge by generating fake reviews for their products. This can include paying individuals to leave a glowing review or by offering free items in return for positive, public feedback.  How they operate and stay under Amazon’s radar varies, but an open ElasticSearch server has exposed some of the inner workings of these schemes.  On Thursday, Safety Detectives researchers revealed that the server, public and online, contained 7GB of data and over 13 million records appearing to be linked to a widespread fake review scam.  It is not known who owns the server but there are indicators that the organization may originate from China due to messages written in Chinese, leaked during the incident.  The database contained records involving roughly 200,000 – 250,000 users and Amazon marketplace vendors including user names, email addresses, PayPal addresses, links to Amazon profiles, and both WhatsApp and Telegram numbers, as well as records of direct messages between customers happy to provide fake reviews and traders willing to compensate them. 

    According to the team, the leak may implicate “more than 200,000 people in unethical activities.” The database, and messages contained therein, revealed the tactics used by dubious sellers. One method is whereby vendors send a customer a link to the items or products they want 5-star reviews for, and the customer will then make a purchase. Several days after, the customer will leave a positive review and will send a message to the vendor, leading to payment via PayPal — which may be a ‘refund,’ while the item is kept for free. As refund payments are kept away from the Amazon platform, it is more difficult to detect fake, paid reviews. The open ElasticSearch server was discovered on March 1 but it has not been possible to identify the owner. However, the leak was noticed and the server was secured on March 6. “The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors,” the researchers said. “What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.” Amazon’s community and review guidelines do not allow vendors to review their own products or offer a “financial reward, discount, free products, or other compensation” in return for positive reviews — and this includes through third-party organizations. However, as Amazon is a prominent online marketplace, it is likely that some vendors will continue to try and abuse review systems to bolster their revenue. “We want Amazon customers to shop with confidence knowing that the reviews they read are authentic and relevant,” an Amazon spokesperson commented. “We have clear policies for both reviewers and selling partners that prohibit abuse of our community features, and we suspend, ban, and take legal action against those who violate these policies.”


    Ransomware: There's been a big rise in double extortion attacks as gangs try out new tricks

    There’s been a big rise in the number of ransomware gangs that threaten to release information stolen from the victims if they don’t pay the ransom for the decryption key required to restore their network. The idea behind these ‘double extortion’ ransomware attacks is that even if the victim organisation believes it can restore its network without giving in to the ransom demands of cyber criminals – which regularly cost millions of dollars in Bitcoin – the threat of sensitive information about employees or customers being exposed could still push victims to giving in to the blackmail, and paying the ransom.

    Even then, there’s no guarantee that the cyber criminals behind the ransomware attack will delete the stolen data – they could exploit it down the line, or sell it on to other crooks on dark web forums.

    These attacks have become extremely successful – and lucrative – for cyber criminals, and cybersecurity researchers at ZeroFox have tracked the activity of over two dozen dark web leak sites associated with ransomware attacks over the past year, as more and more cyber-criminal groups move towards this form of extortion.

    The ransomware gangs that are most successful with double extortion attacks are those that first adopted it in their attacks, such as REvil, Maze, Netwalker, and DoppelPaymer, but others have followed in their footsteps and are finding plenty of success in 2021. Groups like Conti and Egregor have become most prolific over the course of this year – with the report pointing out how the latter group has allegedly gained success by recruiting members of other ransomware gangs, including Maze, which supposedly shut down in November last year.

    The recruitment of authors of other ransomware operations indicates how this particular type of malware has developed into a competitive market. Much like legitimate software companies, groups want to hire the best people to ensure that their product is as successful as possible – unfortunately, in this case, success comes at the cost of innocent victims who find their networks have been encrypted by a ransomware attack.

    But it isn’t just threats to leak data now, as the report points out how some ransomware groups are launching Distributed Denial of Service (DDoS) attacks against victims, overwhelming what remains of the network with traffic to the extent that it isn’t usable – and leveraging that as an additional method of forcing the victim to pay up.

    Ultimately, double extortion techniques have become so common amongst ransomware gangs because the attacks work and many organisations are unfortunately giving in to ransom demands as cyber criminals in this space get more persistent and more aggressive. For organisations, the best way to avoid having to make a decision over paying cyber criminals in the hope they don’t publish their stolen data online is for their network to be secure enough to prevent cyber criminals from being able to get in to start with. Cybersecurity procedures that can stop cyber criminals from infiltrating the network in the first place include applying security patches as soon as possible, so attackers can’t exploit known vulnerabilities, and deploying two-factor authentication across all users, so that if attackers do breach an account, it’s difficult for them to move laterally around the network.


    Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software

    Security researchers have provided insight into how a single student unwittingly became the conduit for a ransomware infection that cost a biomolecular institute a week’s worth of vital research.

    In a report due to be published on Thursday, Sophos described the case, in which the team was pulled in to neutralize an active cyberattack on a biomolecular facility in Europe. Sophos found that Ryuk ransomware had made its way onto the facility’s network, and set out to determine how the infection took place.

    Ryuk is a prolific form of malware that is constantly evolving. The Ryuk family, including new strains equipped with worm-like capabilities and the ability to self-propagate over networks, encrypts networks and files, locking victims out of their systems until a ransom payment is made. According to AdvIntel and HYAS, the operators behind Ryuk are estimated to have generated over $150 million in profit from their victims, with payments often made in Bitcoin (BTC).

    While the name of the biomolecular institute has not been disclosed, the European organization is involved in the life sciences and research related to COVID-19. The institute works closely with local universities and collaborates with students in some projects. It was a student, unfortunately, that proved to be the unwitting conduit for the Ryuk infection.

    The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. As cracked software, modified to remove elements such as trial expiration dates or the need for a license, is deemed suspicious, antivirus software will usually flag and block its execution. In this case, Windows Defender triggered, and so the student disabled the software as well as their firewall.

    However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student’s access credentials to the biomolecular institute’s network. In hindsight, in what was an unwise decision, the research institute allowed students to use their personal devices to access its network via remote Citrix sessions.

    13 days after the student executed the ‘cracked’ software, a remote desktop protocol (RDP) connection was registered by the institute, using the student’s credentials, under the name “Totoro”, an anime character from a 1988 film.

    “A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely,” Sophos says. “This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection.”

    The team believes that access to the institute was sold on in an underground market, and the RDP connection may have been made in order to test access. It was 10 days after this connection was made that Ryuk was deployed on the network, costing the institute a week of research data as backups were not fully up-to-date. In addition, system and server files had to be “rebuilt from the ground up,” according to the researchers, before the institute could resume normal working activity.

    “This is a cautionary tale of how an end user’s security misjudgement can leave an organization exposed to attack when there are no solid security policies in place to contain the mistake,” commented Peter Mackenzie, manager of Rapid Response at Sophos. “In this instance, the target was at risk the moment the external user clicked the ‘install’ button for a cracked copy of a software tool that turned out to be pure malware. […] The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker.”
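    The two indicators Sophos describes above, an RDP session that pushes a printer driver in a locale the organisation does not use, and a known account appearing from a client name never seen for it before, are the kind of thing a defender can check for in session logs. The script below is an added example, not code from Sophos or the institute; the log format, the account and client names, the session ids and the set of expected locales are all constructed for illustration and do not follow any real Windows event schema.

```python
"""Correlate RDP logons with the printer-driver installs those sessions
trigger, and flag sessions whose driver locale is unexpected or whose
client name has never been seen for that account before.

The log format is constructed for this example (it is not a Windows event
schema): timestamp, event name, then key=value fields.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines, not data from Sophos or the institute.
SAMPLE_LOG = """\
2021-03-01T09:12:04Z RDP_LOGON sess=41 user=student07 src=203.0.113.5 client=LAB-PC
2021-03-01T09:12:06Z PRINTER_DRIVER sess=41 driver="HP Universal Printing PCL 6" lang=en-US
2021-03-14T02:47:31Z RDP_LOGON sess=58 user=student07 src=198.51.100.77 client=Totoro
2021-03-14T02:47:33Z PRINTER_DRIVER sess=58 driver="Microsoft XPS Document Writer" lang=ru-RU
2021-03-14T08:01:10Z RDP_LOGON sess=59 user=admin02 src=10.0.4.12 client=OPS-WS3
2021-03-14T08:01:12Z PRINTER_DRIVER sess=59 driver="HP Universal Printing PCL 6" lang=fr-FR
"""

# Locales the hypothetical institute's managed workstations are configured with.
EXPECTED_LANGS = {"en-US", "fr-FR"}


@dataclass
class Session:
    session_id: str
    logon_time: datetime
    user: str
    src: str
    client: str
    driver: Optional[str] = None
    driver_lang: Optional[str] = None


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one log line; shlex keeps quoted driver names intact."""
    ts, event, *rest = shlex.split(line)
    fields = dict(tok.split("=", 1) for tok in rest)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def build_sessions(log_text: str) -> List[Session]:
    """Group logon and driver-install events by session id, ordered by logon time."""
    sessions: Dict[str, Session] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)
        if event == "RDP_LOGON":
            sessions[f["sess"]] = Session(f["sess"], ts, f["user"], f["src"], f["client"])
        elif event == "PRINTER_DRIVER" and f["sess"] in sessions:
            sessions[f["sess"]].driver = f["driver"]
            sessions[f["sess"]].driver_lang = f["lang"]
    return sorted(sessions.values(), key=lambda s: s.logon_time)


def find_suspicious_sessions(log_text: str, expected_langs=EXPECTED_LANGS):
    """Return (session_id, user, client, reasons) for sessions worth an analyst's look."""
    findings = []
    seen_clients: Dict[str, set] = {}
    for s in build_sessions(log_text):
        reasons = []
        # Heuristic 1: the driver pushed by the client is for a locale the org does not use.
        if s.driver_lang is not None and s.driver_lang not in expected_langs:
            reasons.append(f"printer driver locale {s.driver_lang} outside expected set")
        # Heuristic 2: a known account connecting from a client name never seen for it.
        known = seen_clients.setdefault(s.user, set())
        if known and s.client not in known:
            reasons.append(f"new client name {s.client!r} for account {s.user}")
        known.add(s.client)
        if reasons:
            findings.append((s.session_id, s.user, s.client, reasons))
    return findings


if __name__ == "__main__":
    for sid, user, client, reasons in find_suspicious_sessions(SAMPLE_LOG):
        print(f"session {sid} ({user} from {client}): " + "; ".join(reasons))
```

    On the constructed log, only session 58 is reported, for both reasons. The client-name heuristic needs a baseline, so an account's first session is never flagged on that ground alone; in practice the baseline would come from historical logs rather than the same batch being scanned.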
