More stories

  • ProtonMail CEO says services must comply with laws unless based 15 miles offshore

    Hosted email service provider ProtonMail has responded to criticism of its end-to-end encryption capabilities after French authorities obtained the IP address of a French climate activist who used the company’s services. Andy Yen, ProtonMail’s founder and CEO, said that all companies have to comply with laws, such as court orders, so long as they operate within 15 miles of land. “No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said in a blog post.

    First reported by TechCrunch, the data collection performed by French authorities was part of an investigation into a group of climate activists who have occupied a number of apartments and commercial spaces in Paris. According to ProtonMail, French authorities, with the help of Europol, were able to acquire the IP address by obtaining approval from Swiss courts to do so. After the Swiss courts issued the legal order, ProtonMail was required to log IP information for the climate activist’s account; that information was then provided to French authorities and led to the individual being identified and arrested.

    Yen said that while ProtonMail is not subject to French or EU requests, because it is based in Switzerland, it must still comply with requests from Swiss authorities. “Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account,” the company said. “The internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.”

    Yen noted that ProtonMail neither collects the identity of its users nor their data, which is encrypted — meaning the activist’s emails, attachments, calendars, and files were not accessed by French authorities — as there is no requirement to do so under Swiss law. Certain court orders can, however, compel ProtonMail to delay notifying users that their private data is being used in criminal proceedings, according to the company’s law enforcement page.

    While setting out the requirements ProtonMail must follow under Swiss law, Yen also took the opportunity to criticise the approach French authorities took to acquire the IP address. “We are on your side, and our shared fight is with the authorities and the unjust laws we have been campaigning against for years. The prosecution in this particular case was very aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world,” Yen said. According to ProtonMail’s most recent transparency report, the number of orders the company receives from Swiss authorities has grown exponentially, rising from 13 in 2017 to 3,572 last year. Of the 3,572 orders it received last year, 195 were foreign requests.

  • Zero trust and cybersecurity: Here's what it means and why it matters

    It seems that every tech security vendor is talking up ‘zero trust’ as an answer to increasingly dangerous cyberattacks, but UK cybersecurity experts warn customers its definition is a bit slippery and they should proceed with caution. The UK’s National Cyber Security Centre (NCSC) this week said zero trust has become a “very fashionable term” in the tech world. To address the slipperiness of its definition, NCSC has outlined a few traps and pitfalls that organizations running a zero trust migration should be mindful of. 

    So what is zero trust, according to the NCSC? “Zero trust is the idea of removing inherent trust from the network. Just because a device is within the internal ‘trusted’ side of a firewall or VPN, it should not be trusted by default,” it explains in a new blogpost. “Instead, you should look to build confidence in the various transactions occurring. You can do this by developing a context through the inspection of a number of signals. These signals are pieces of information like device health or location, and can give the confidence needed to grant access to a resource.”

    However, NCSC acknowledges that not every organization will be ready to adopt a zero trust architecture. It also stressed that zero trust isn’t a standard or specification, but rather “an approach to designing a network” — meaning it can be difficult to know whether you’re doing it right.

    On top of this, there may be direct and indirect costs that arise from a migration to a zero trust network design. Direct costs include new products, devices, and services. Indirect costs include training engineers, new licensing costs, and subscriptions. NCSC notes that these ongoing costs could, however, be less than the cost of maintaining and refreshing existing network services.

    “Moving to a zero trust architecture can be a very disruptive exercise for an organisation,” NCSC warns. “It can take several years to migrate to a ‘fully zero trust’ model due to the extent to which changes may need to be made across your enterprise. Defining an end state for a migration is difficult when the model you’re aiming for may evolve during rollout.”

    There are also broader implications for the many organizations that run big systems that just don’t mesh with zero trust concepts, for example a legacy payroll system that lacks modern authentication methods, such as two-factor authentication. Then there are products and services that don’t mesh well with zero trust, such as BYOD architectures: organizations could have difficulty assessing whether devices are secure without intruding on the privacy of workers. Likewise, an air-gapped network might not be able to use a cloud-based zero trust service. Finally, NCSC warns of vendor lock-in and cloud lock-in that may restrict an organization’s ability to move some systems to other services in the future.

    Just last week, Google announced a $10 billion commitment to help the US improve the security of critical infrastructure after a meeting with US president Joe Biden. Microsoft committed $20 billion. Both companies are focussing on zero trust capabilities to address recent software supply chain and ransomware attacks on critical infrastructure. IBM is also boosting its zero trust services through the relatively new category of Secure Access Service Edge (SASE) services. All three, along with 15 more vendors, are working with the US NIST to create benchmarks for zero trust architectures.

    NCSC lays out five reasons why zero trust might be a good philosophy to adopt:

    • In a zero trust model, every action a user or device takes is subject to some form of policy decision. This allows the organisation to verify every attempt to access data or resources, “making life very difficult for an attacker”.
    • Zero trust allows strong authentication and authorisation, while reducing the network overhead of extending your corporate network out into your users’ homes.
    • Some zero trust security controls can enable a much better user experience. For example, with single sign-on users only have to enter credentials once, rather than every time they want to use a different application.
    • Greater control over data access means you can grant access to specific data to the right audience.
    • Enhancing your logging capability to include events from user devices and services gives you a much richer picture of what’s happening in your environment, allowing you to detect compromises with more accuracy.

  • This NPM package with millions of weekly downloads has fixed a remote code execution flaw

    A very popular NPM package called ‘pac-resolver’ for the JavaScript programming language has been fixed to address a remote code execution flaw that could affect a lot of Node.js applications. The flaw in the pac-resolver dependency was found by developer Tim Perry, who notes it could have allowed an attacker on a local network to remotely run malicious code inside a Node.js process whenever an operator tried to send an HTTP request. Node.js is the popular JavaScript runtime for running JavaScript web applications.

    “This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js,” explains Perry.

    PAC, or “Proxy Auto-Config”, refers to PAC files written in JavaScript that distribute complex proxy rules instructing an HTTP client which proxy to use for a given hostname, notes Perry, adding that these are widely used in enterprise systems. They’re distributed from local network servers and from remote servers, often insecurely over HTTP rather than HTTPS. It’s a widespread issue as Proxy-Agent is used in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK and Google’s Firebase CLI. The package gets three million downloads per week and has 285,000 public dependent repos on GitHub, Perry notes in a blogpost.

    The vulnerability was fixed in v5.0.0 of all those packages recently and was assigned CVE-2021-23406 after it was disclosed last week. It means a lot of developers with Node.js applications are potentially affected and will need to update to version 5.0. It affects anyone who depends on Pac-Resolver prior to version 5.0 in a Node.js application, if the developers have done any of three things:

    • Explicitly use PAC files for proxy configuration
    • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
    • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn’t 100% trust to freely run code on your computer

    “In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” notes Perry.

  • This is the perfect ransomware victim, according to cybercriminals

    Researchers have explored what the perfect victim looks like to today’s ransomware groups.

    On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold in a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. Initial access is now big business. Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or knowledge of a vulnerability in a corporate system. When you consider that a successful ransomware campaign can result in payments worth millions of dollars, this cost becomes inconsequential — and it frees up time for cybercriminals to strike more targets. The cybersecurity company’s findings, based on observations in dark web forums during July 2021, suggest that threat actors are seeking large US firms, but Canadian, Australian, and European targets are also considered. Russian targets are usually rejected immediately, and others are considered “unwanted” — including those located in developing countries — likely because potential payouts are low. Roughly half of ransomware operators will, however, reject offers for access into organizations in the healthcare and education sectors, no matter the country. In some cases, government entities and non-profits are also off the table.

    In addition, there are preferred methods of access. Remote Desktop Protocol (RDP) and Virtual Private Network (VPN)-based access are popular, specifically access to products developed by companies including Citrix, Palo Alto Networks, VMware, Cisco, and Fortinet. “As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical,” the report states.

    KELA also found offerings for e-commerce panels, unsecured databases, and Microsoft Exchange servers — although these may be more appealing to data stealers and criminals attempting to implant spyware and cryptocurrency miners. “All these types of access are undoubtedly dangerous and can enable threat actors to perform various malicious actions, but they rarely provide access to a corporate network,” the researchers noted. Roughly 40% of listings were created by players in the Ransomware-as-a-Service (RaaS) space.

    Ransomware operators are willing to pay, on average, up to $100,000 for valuable initial access services. In a past study, KELA observed another trend of note in the ransomware space: increasing demand for negotiators. RaaS operators are attempting to better monetize the stage of an attack when a victim contacts the operators to negotiate a payment, but as language barriers can cause miscommunication, ransomware groups are trying to recruit new team members able to manage conversational English. Intel 471 has also found that cybercriminals involved in Business Email Compromise (BEC) scams are trying to recruit native English speakers. As phishing email red flags include poor grammar and spelling mistakes, scam artists are trying to avoid being detected at the first hurdle by paying English speakers to write convincing copy.

  • Cybersecurity is tough work, so beware of burnout

    Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout.

    All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats. Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

    On top of that, many cybersecurity staff are doing this work while working from home themselves, an environment that can make it difficult to separate working life from home life. It’s become common for people to work extra hours now that their day isn’t being broken up by travelling to and from an office, and research has identified increasing hours and workloads in cybersecurity – already a high-intensity environment to work in.

    While many security professionals feel that working those extra hours is necessary to help keep the business secure and safe from cyberattacks, it could be coming at the cost of their own wellbeing. Cybersecurity workers get a real buzz out of solving problems, John Donovan, chief information security officer at Malwarebytes, told the ZDNet Security Update video series. “But I think we’ve got to balance that – there are definitely some folks on the team who do handle it well, but even they need to remember to take a break and to deal with their stress,” he said.

    To help this process along, human resources teams or senior managers need to get involved, encouraging people to take breaks and making sure that they’re not working overly long hours. “If you have a people or human resources team, it’s really important to take in the human element, not just for cybersecurity training and awareness, but making sure that people are taking care of their mental health, making sure that people do take time off, and when you take time off, to actually really take time off,” said Donovan.

    Small tweaks can help: for staff working remotely, it can be useful to mark holidays, breaks and lunchtime in the calendar, so there’s an alert reminding them to step away from the screen for a bit. Doing this can help staff better divide their work time from their personal time. Not only is this good for the mental wellbeing of people in cybersecurity, but being well rested and in a good place will also help if they do need to react to a cybersecurity incident. “It’s important to make sure that you figure out how to have that work/life balance, because you’re not going to be any good if you’re stressed out when that big incident happens. You need to be ready and prepared to take it on,” said Donovan.

  • Apple slams the brakes on plans to scan user images for child abuse content

    Apple has paused plans to scan devices for child abuse and exploitation material after the tool prompted concern among users and privacy groups.  

    Announced last month, the new safety features were intended for inclusion in iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. The first was a feature for monitoring the Messages application, with client-side machine learning implemented to scan for sexually explicit images being sent and alert the user, asking whether or not they want to view the material. “As an additional precaution, the child can also be told that, to make sure they are safe, their parents will get a message if they do view it,” the company explained. The second batch of changes affected Siri and Search, with updates to provide additional information for parents and children to warn them when they stumbled into “unsafe” situations, as well as to “intervene” if a user searched for Child Sexual Abuse Material (CSAM). The third was a CSAM-scanning tool, touted as a means to “protect children from predators who use communication tools to recruit and exploit them.” According to the iPhone and iPad maker, the tool would use cryptography “to help limit the spread of CSAM online” while also catering to user privacy. Images would not be scanned in the cloud; instead, on-device matching would be performed, comparing images against hashes of known CSAM images. “CSAM detection will help Apple provide valuable information to law enforcement on collections of CSAM in iCloud Photos,” the company said. “This program is ambitious, and protecting children is an important responsibility. These efforts will evolve and expand over time.”

    In a technical paper (.PDF) describing the tool, Apple said: “CSAM Detection enables Apple to accurately identify and report iCloud users who store known CSAM in their iCloud Photos accounts. Apple servers flag accounts exceeding a threshold number of images that match a known database of CSAM image hashes so that Apple can provide relevant information to the National Center for Missing and Exploited Children (NCMEC). This process is secure, and is expressly designed to preserve user privacy.”

    However, the scanner drew controversy online, prompting criticism from privacy advocates and cryptography experts. Matthew Green, associate professor at the Johns Hopkins Information Security Institute and a cryptography expert, said the implementation of cryptography to scan for images containing specific hashes could become “a key ingredient in adding surveillance to encrypted messaging systems.” While created with good intentions, such a tool could become a powerful weapon in the wrong hands, such as those of authoritarian governments and dictatorships. The Electronic Frontier Foundation also slammed the plans and launched a petition to put pressure on Apple to backtrack. At the time of writing, the plea has over 27,000 signatures. Fight for the Future and OpenMedia also launched similar petitions.

    On September 3, Apple said the rollout had been halted in order to take “additional time” to analyze the tools and their potential future impact. “Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material,” Apple said. “Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

    Green said it was a positive move on Apple’s part to take the time to consider the rollout. The EFF said it was “pleased” with Apple’s decision, but added that listening is not enough — the tech giant should “drop its plans to put a backdoor into its encryption entirely.” “The features Apple announced a month ago, intending to help protect children, would create an infrastructure that is all too easy to redirect to greater surveillance and censorship,” the digital rights group says. “These features would create an enormous danger to iPhone users’ privacy and security, offering authoritarian governments a new mass surveillance system to spy on citizens.”

  • Dallas school district admits SSNs and more of all employees and students since 2010 accessed during security incident

    The Dallas Independent School District — one of the biggest school districts in the United States — has released an advisory saying the personal data of students and employees was accessed and downloaded during a “data security incident.”

    The school district serves more than 150,000 students and said in a notice that any student, employee, parent or contractor with the school district since 2010 is affected by the incident. When asked by ZDNet whether this was a cyberattack, the school district would not say. The district received notice of the data security incident on August 8 and said federal law enforcement agencies are now involved in the effort to address what happened. Although the investigation is still ongoing, the district believes someone accessed its network, downloaded data and temporarily stored it on an encrypted cloud storage site. The notice claims the data has been “removed from the site” but does not explain how this was done, or whether the data was put somewhere else or sent to someone else. Data that the school district is allegedly “required by law to maintain” was exposed during the attack, including the first and last names, addresses, phone numbers, social security numbers and dates of birth of current and former students, employees and parents. Some students even had information about their custody status and/or medical condition exposed during the attack.

    For employees and contractors, the hackers also gained access to their dates of employment, salary information and reason for ending employment.

    “Despite our efforts, the district is now one of a growing number of public and private organizations experiencing cyberattacks,” the school district said. “The district’s IT team, assisted by forensic consultants, has addressed specific vulnerabilities that were exploited during this event and will continue efforts to augment security going forward. We regret any inconvenience this incident may have caused and believe it is our responsibility to inform the public that we are taking steps to notify individuals whose records have been impacted.”

    The district will be updating a website with information about the attack and said anyone who would like to sign up for free credit monitoring should call (855) 651-2605. The hotline is being run by identity protection technology company Kroll, which the Dallas Independent School District hired to manage the aftermath of the attack. The school district said it would be providing more specific information about what data from each person was accessed and would be sending it to Kroll, which could then let people know when they call the hotline. Kroll is offering victims just 12 months of credit monitoring and ID theft recovery services. The school district is also creating a website that allows victims to enter their information to access credit monitoring; it will be available to victims on September 10. Victims can also call to activate the monitoring. “We continue to investigate and remediate this incident. The district is conducting a comprehensive review of its systems and implementing additional security measures. We are confident these changes will decrease the possibility of a future incident,” the district statement explained.

  • CISA urges IT teams to address critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software

    CISA released a note this week urging IT teams to update a Cisco system that has a critical vulnerability. The vulnerability affects Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) Release 4.5.1, and Cisco released software updates that address it on Wednesday.

    The vulnerability “could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator,” according to Cisco. It lies in the TACACS+ authentication, authorization and accounting (AAA) feature of NFVIS. “This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device,” Cisco said. “There are no workarounds that address this vulnerability. To determine if a TACACS external authentication feature is enabled on a device, use the show running-config tacacs-server command.” Cisco urged IT teams to contact the Cisco Technical Assistance Center or their contracted maintenance providers if they face any problems.

    “The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory,” Cisco added, thanking Cyrille Chatras of Orange Group for reporting the vulnerability.

    John Bambenek, threat intelligence advisor at Netenrich, said it is a “pretty major problem for Cisco NFV devices that highlights software engineers still struggle with input validation vulnerabilities that have plagued us for almost three decades.” “Easy acquisition of administrative rights on any device should be concerning and organizations should take immediate steps to patch their devices,” Bambenek added.