More stories

  • Cloud storage deal: Get 2TB of storage with end-to-end encryption for only $10

    StackCommerce
    With the frequency and severity of cyber threats increasing practically by the day, it’s become more important than ever to put strong measures in place to protect your privacy and your most confidential data. The most effective way to do this is to protect yourself online with an excellent VPN, and protect the files on your computer with encrypted cloud storage such as Internxt Drive offers. Since both of those services are ridiculously inexpensive, there is no excuse for leaving you and your data vulnerable.

    The Internxt – 2TB Decentralized Cloud Storage: 1-Year Subscription that is currently available for just $9.99 offers zero-knowledge decentralized cloud storage with end-to-end encryption that provides uncompromising security. It encrypts your uploaded files and then divides them into fragments on your end so that you’re the only one with the decryption key that is required to retrieve them.

    However, in spite of its complex power, Internxt is very easy to use. The user interface is quite intuitive and the service is convenient to access. An app is available for all of your devices, including desktop and browser, as well as Android and iOS mobile devices.

    Also, while your files are supremely protected, sharing them is still a simple matter. Internxt Drive users can share their data over other cloud storage services such as Dropbox, Google Drive, Apple iCloud, and Microsoft OneDrive. That makes it easy for teams to privately collaborate with customized features and user-to-user solutions.

    If you want truly private and secure cloud storage, it’s hard to beat what Internxt offers, especially when you can get a year’s subscription at a discount. As TechRadar notes: “Unlike popular cloud storage services like Google Drive, Dropbox, and Microsoft OneDrive, Internxt is a zero-knowledge file storage service that supports end-to-end encryption.”

    Don’t pass up this chance to enjoy the peace of mind that a vast amount of high-security storage can offer. Get Internxt – 2TB Decentralized Cloud Storage: 1-Year Subscription while it’s on sale for just $9.99, instead of the normal price of $126.


  • Data protection: UK to diverge from GDPR in post-Brexit overhaul of privacy rules

    The UK has announced plans to change data protection and privacy laws in what the government describes as a new mandate that promotes innovation and economic growth.

    A new series of ‘data adequacy partnerships’ will allow Britain to drive international trade with countries and bodies including the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia, the Department for Digital, Culture, Media & Sport (DCMS) has said.


    According to the government, the data adequacy partnerships will remove the need for costly measures around data compliance when transferring personal data to other countries. In a statement, DCMS said this will happen while also ensuring that “high data protection standards are maintained”.

    Any changes to data transfer rules will also need to be deemed adequate by the European Union — if they’re not, there’s a risk that data transfers between the United Kingdom and the EU will be affected.

    The proposed changes form part of the government’s plans to “use the power of data to drive growth and create jobs”, although some data privacy experts have voiced concerns that the changes could be used to roll back data privacy for consumers brought in as part of General Data Protection Regulation (GDPR). GDPR was brought in across the European Union in May 2018, and despite the UK having voted to leave the EU, the data protection laws were applied. But now the government claims that, following Brexit, the country can benefit from diverging its data protection laws from the rest of Europe.

    “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy,” said Secretary of State for Digital, Culture Media and Sport Oliver Dowden.

    “It means reforming our own data laws so that they’re based on common sense, not box-ticking,” he added. In an interview with The Telegraph, Dowden singled out policies around “pointless” cookie requests as something the UK could now diverge from — but several data privacy experts have pointed out that cookies come under a completely different directive to GDPR.

    Data privacy experts have also voiced concerns that the proposed plans will change the role of the Information Commissioner’s Office (ICO) from being a privacy regulator to promoting economic growth.

    A DCMS spokesperson told ZDNet “we’re not going to compromise our high data standards and people’s privacy and data protection”.

    The government is set to launch a consultation on the role of the ICO in September so that “it can be empowered to encourage the responsible use of data to achieve economic and social goals as well as preventing privacy breaches before they occur”.

    DCMS has also announced a preferred successor to Elizabeth Denham as Information Commissioner: John Edwards, who is currently New Zealand’s Privacy Commissioner. “There is a great opportunity to build on the wonderful work already done and I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all,” said Edwards.

    According to Oliver Dowden, Edwards brings the experience required to “pursue a new era of data-driven growth and innovation at the ICO”. “John Edwards’s vast experience makes him the ideal candidate to ensure data is used responsibly to achieve those goals,” Dowden added.

  • Cybersecurity warning: Realtek flaw exposes dozens of brands to supply chain attacks

    A recently disclosed flaw in chipsets from Taiwanese semiconductor company Realtek is being targeted by a botnet based on the old IoT malware, Mirai.

    German security firm IoT Inspector reports that the Realtek bug, tracked as CVE-2021-35395, affects over 200 wi-fi and router products from 65 vendors, including Asus, Belkin, China Mobile, Compal, D-Link, LG, Logitec, Netgear, ZTE, and Zyxel. The flaw is located in a Realtek software developer kit (SDK) and is currently under attack from a group using a variant of the IoT malware, Mirai, which is designed to function on devices with budget processors and little memory.

    Should an attack be successful, it would give the attacker full control of the wi-fi module and root access to the device’s operating system.


    The attacks highlight vulnerabilities in the software supply chain that US president Joe Biden hopes to patch up with billions of dollars promised this week by Microsoft and Google. This follows recent cyberattacks on US critical infrastructure, which have compromised top US cybersecurity firms and classical critical infrastructure providers, such as east coast fuel distributor Colonial Pipeline.

    While Mirai poses some threat to information stored on devices such as routers, the greater damage is caused by high-powered distributed denial of service (DDoS) attacks on websites using compromised devices. In 2016, Mirai was used to launch the world’s biggest DDoS attack on Dyn — a domain name service (DNS) provider that matches website names with numerical internet addresses. Oracle acquired the firm shortly after the Mirai attack.

    Researchers at IoT Inspector found a bug within the Realtek RTL819xD module that allows hackers to gain “complete access to the device, installed operating systems and other network devices”. The firm identified multiple vulnerabilities within the SDK.

    Realtek has released a patch, but device brands (OEMs) need to distribute it to end-users on devices that, for the most part, lack a user interface, and therefore can’t be used to communicate that a patch is available. Vendors need to analyse their firmware to check for the presence of the vulnerability. “Manufacturers using vulnerable Wi-Fi modules are strongly encouraged to check their devices and provide security patches to their users,” warned Florian Lukavsky, managing director of IoT Inspector.

    The attacker generally needs to be on the same wi-fi network as the vulnerable device, but IoT Inspector noted that faulty ISP configurations can expose vulnerable devices directly to the internet. Per security firm Recorded Future, IoT security firm SAM said that attackers were observed remotely exploiting CVE-2021-35395 over the web on August 18.

    IoT Inspector notes that Realtek’s poor software development practices and lack of testing allowed “dozens of critical security issues to remain untouched in Realtek’s codebase for more than a decade”.

  • Quantum computers could read all your encrypted data. This 'quantum-safe' VPN aims to stop that

    To protect our private communications from future attacks by quantum computers, Verizon is trialing the use of next-generation cryptography keys to protect the virtual private networks (VPNs) that are used every day by companies around the world to prevent hacking. Verizon implemented what it describes as a “quantum-safe” VPN between one of the company’s labs in London in the UK and a US-based center in Ashburn, Virginia, using encryption keys that were generated thanks to post-quantum cryptography methods – meaning that they are robust enough to withstand attacks from a quantum computer. According to Verizon, the trial successfully demonstrated that it is possible to replace current security processes with protocols that are quantum-proof.

    VPNs are a common security tool used to protect connections made over the internet, by creating a private network from a public internet connection. When a user browses the web with a VPN, all of their data is redirected through a specifically configured remote server run by the VPN host, which acts as a filter that encrypts the information.

    This means that the user’s IP address and any of their online activities, from sending emails to paying bills, come out as gibberish to potential hackers – even on insecure networks like public WiFi, where eavesdropping is much easier. Especially in the last few months, which have seen many employees switching to full-time working from home, VPNs have become an increasingly popular tool to ensure privacy and security on the internet. The technology, however, is based on cryptography protocols that are not un-hackable. To encrypt data, VPN hosts use encryption keys that are generated by well-established algorithms such as RSA (Rivest–Shamir–Adleman). The difficulty of cracking the key, and therefore of reading the data, is directly linked to the algorithm’s ability to create as complicated a key as possible.  

    In other words, encryption protocols as we know them are essentially a huge math problem for hackers to solve. With existing computers, cracking the equation is extremely difficult, which is why VPNs, for now, are still a secure solution. But quantum computers are expected to bring about huge amounts of extra computing power – and with that, the ability to hack any cryptography key in minutes.

    “A lot of secure communications rely on algorithms which have been very successful in offering secure cryptography keys for decades,” Venkata Josyula, the director of technology at Verizon, tells ZDNet. “But there is enough research out there saying that these can be broken when there is a quantum computer available at a certain capacity. When that is available, you want to be protecting your entire VPN infrastructure.”

    One approach that researchers are working on consists of developing algorithms that can generate keys that are too difficult to hack, even with a quantum computer. This area of research is known as post-quantum cryptography, and is particularly sought after by governments around the world. In the US, for example, the National Institute of Standards and Technology (NIST) launched a global research effort in 2016 calling on researchers to submit ideas for algorithms that would be less susceptible to a quantum attack. A few months ago, the organization selected a group of 15 algorithms that showed the most promise.

    “NIST is leading a standardization process, but we didn’t want to wait for that to be complete because getting cryptography to change across the globe is a pretty daunting task,” says Josyula. “It could take 10 or even 20 years, so we wanted to get into this early to figure out the implications.”

    Verizon has significant amounts of VPN infrastructure and the company sells VPN products, which is why the team started investigating how to start enabling post-quantum cryptography right now and in existing services, Josyula adds.

    One of the 15 algorithms identified by NIST, called Saber, was selected for the test. Saber generated quantum-safe cryptography keys that were delivered to the endpoints – in London and Ashburn – of a typical IPsec VPN through an extra layer of infrastructure, which was provided by a third-party vendor.

    Whether Saber makes it to the final rounds of NIST’s standardization process, in this case, doesn’t matter, explains Josyula. “We tried Saber here, but we will be trying others. We are able to switch from one algorithm to the other. We want to have that flexibility, to be able to adapt in line with the process of standardization.”

    In other words, Verizon’s test has shown that it is possible to implement post-quantum cryptography candidates on infrastructure links now, with the ability to migrate as needed between different candidates for quantum-proof algorithms. This is important because, although a large-scale quantum computer could be more than a decade away, there is still a chance that the data that is currently encrypted with existing cryptography protocols is at risk.

    The threat is known as “harvest now, decrypt later” and refers to the possibility that hackers could collect huge amounts of encrypted data and sit on it while they wait for a quantum computer to come along that could read all the information.

    “If it’s your Amazon shopping cart, you may not care if someone gets to see it in ten years,” says Josyula. “But you can extend this to your bank account, personal number, and all the way to government secrets. It’s about how far into the future you see value for the data that you own – and some of these have very long lifetimes.”

    For this type of data, it is important to start thinking about long-term security now, which includes the risk posed by quantum computers. A quantum-safe VPN could be a good start – even though, as Josyula explains, many elements still need to be smoothed out. For example, Verizon still relied on standard mechanisms in its trial to deliver quantum-proof keys to the VPN end-points. This might be a sticking point, if it turns out that this phase of the process is not invulnerable to quantum attack.

    The idea, however, is to take proactive steps to prepare, instead of waiting for the worst-case scenario to happen. Connecting London to Ashburn was a first step, and Verizon is now looking at extending its quantum-safe VPN to other locations.


  • PJCIS recommends passage of Bill that will allow incidental collection of Australian data

    In less than a week, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has conducted a review into the Foreign Intelligence Legislation Amendment Bill that will allow for the practice of incidentally collecting the data of Australians, and recommended it be passed.

    The Telecommunications Interception and Access Act (TIA Act) previously banned the practice, but the government and its security agencies have argued that Australia has been falling behind foreign agencies. “The challenge with the existing foreign communications warrant is that the interception of domestic communications (communications that both start and end within Australia) is prohibited, even where that interception is inadvertent or unavoidable,” the PJCIS report said.

    The report said this approach made sense when interception warrants were introduced in 2000, and the main ways to communicate were telephone and fax lines, which had “reliable geographic identifiers such as country code, city code and exchange code”, but the use of the internet has changed that environment. “Advances in technology — particularly widespread use of internet‑based communications and mobile applications — mean that it can be impossible to know, at the point of interception, if a communication is foreign or domestic,” the report added. “Currently, to avoid breaching the TIA Act, intelligence agencies do not intercept foreign communications where there is even the smallest risk of incidentally intercepting domestic communications. This considerable constraint on the collection of foreign intelligence is creating the real risk that intelligence agencies are missing critical foreign intelligence.”

    The committee argued the changes would be accompanied by a set of “robust safeguards” including warrants only being able to be issued for obtaining foreign intelligence from foreign communications, the warrant request having to specify the risk of intercepting domestic data, as well as having the Attorney-General create a mandatory written procedure that will cover screening domestic communications, destroying all domestic records captured, and agencies alerting the Inspector‑General of Intelligence and Security (IGIS) when domestic data is captured.

    The one loophole for keeping domestic data will be when a communication “relates, or appears to relate” to circumstances that involve a “significant risk to a person’s life”. “Only in the exceptional circumstance where there is a significant risk to life will intelligence agencies be able to rely on inadvertently intercepted domestic communications. This exception will ensure Australia’s intelligence agencies can respond to, for example, an imminent terrorist attack,” the report said.

    Prior to the Attorney-General creating or modifying the procedure, they must consult with the Foreign Minister, Defence Minister, IGIS, and the head of ASIO. “The Attorney‑General must review the mandatory procedure as soon as practicable within one year of it being issued, and then every 3 years,” the report said.

    The Bill also includes powers allowing the Attorney-General to issue foreign intelligence warrants to collect “foreign intelligence on Australians in Australia who are acting for, or on behalf of, a foreign power”. This practice is also currently banned. “These amendments will close a legislative gap where foreign intelligence can be collected offshore on an Australian working for a foreign power, but that same intelligence cannot be collected inside Australia on that Australian under a warrant,” the report said. “There are circumstances where Australian citizens and permanent residents are of legitimate foreign intelligence interest. For example, where an Australian citizen is acting as an agent of a foreign state.”

    The committee said during its inquiry it had been assured that non-compliance would be reported to IGIS, and recommended the Bill be amended so the PJCIS would also be informed about changes to the procedure, and the committee could review the Bill within five years of it receiving assent. “The committee notes that this Bill aligns Australia with the Five Eyes community but with a stronger set of safeguards,” it said. “These are not powers that the Parliament provides lightly and the committee sees its role in reviewing the provision of such powers as one of its most important functions.”

    The Bill was referred to the PJCIS on Friday, and the committee handed down its report on Wednesday after a single classified hearing. “It is not ordinarily the preference of the committee to conduct private inquiries nor to do so on an expedited basis,” it wrote. “The committee only agreed to in this instance because of the unique circumstances of this bill and the additional risks to Parliamentary sittings caused by the current COVID outbreaks.”

    At the time of writing, the Bill had cleared the House with amendments and was in its second reading in the Senate. On Wednesday, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 cleared Parliament, and hands new powers to the Australian Federal Police and the Australian Criminal Intelligence Commission that would allow them to modify, add, copy, or delete data when dealing with online crime. The new powers have a sunset clause of five years.

    Image (PJCIS): PJCIS justifying its proposed protections against Australia’s Five Eyes allies.

  • US gives Huawei licence approval to buy automotive chips: Report

    Huawei has reportedly received licence approval from the United States to buy chips for the auto component portion of its business. According to Reuters, the United States has granted licences authorising suppliers to sell chips to Huawei for vehicle components, such as video screens and sensors.

    The licence approval from the United States is a shift from its usual position in relation to Huawei. The Chinese technology giant was added to the US entity list in 2019, which banned US companies from selling goods and technology to the company without special licences from government.

    The US then added further restrictions last year, banning overseas companies from selling chips to Huawei if they contained US equipment.

    During this time, the US has also rallied other countries to exclude Huawei from their 5G networks over spying concerns. Despite Huawei repeatedly denying the allegations, Australia, Sweden, and the UK, among other countries, have banned the networking equipment giant from their 5G networks. All of Canada’s major telcos have also gone elsewhere for their 5G rollouts and, although not officially banned, Huawei has not made any inroads in New Zealand after GCSB prevented Spark from using Huawei kit in November 2018.

    In the face of these restrictions, Huawei reported a steep decline in its first-half revenue for 2021, with its business to the end of June reporting 320 billion yuan in sales, compared to 454 billion yuan at this time last year.

    Automotive manufacturers have struggled to produce cars since the pandemic started due to chip shortages, with some countries’ car production being halved during that period. Ford, for example, lost around 700,00 vehicles that were planned for production in the second quarter of 2021, while General Motors has stated that losses caused by the lack of semiconductors could cost up to $2 billion in profit.

  • Biden gets Google, Apple, others to join “whole-of-nation” cybersecurity effort

    Following a cybersecurity meeting at the White House on Wednesday, President Biden secured promises from major tech companies to spend significant sums improving the nation’s cyber resiliency. Microsoft and Google, for instance, each committed billions to specific cybersecurity investments. The meeting comes in the wake of a series of dramatic cybersecurity incidents, including the Colonial Pipeline ransomware attack that shut down gas and oil deliveries throughout the southeast, the SolarWinds software supply chain attack and an extensive hack on Microsoft Exchange servers.

    In a statement, the White House said a “whole-of-nation effort” is needed to address cybersecurity threats. To that end:

    Microsoft announced it will invest $20 billion over the next five years to advance “cyber security by design” and deliver advanced security solutions. The company also announced it will immediately make available $150 million in technical services to help federal, state and local governments upgrade their security.

    Google committed $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain and enhance open-source security. The company also said it will help 100,000 Americans earn industry-recognized digital skills certificates.

    Apple will establish a new program to make the technology supply chain more secure. As part of that effort, it plans to work with its suppliers to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging and incident response.

    IBM said it will train 150,000 people in cybersecurity skills over the next three years, and it will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers.

    Amazon announced it will offer Amazon Web Services account holders a free multi-factor authentication device. It also plans to make its security awareness training, which it currently offers to employees, free to the public.

    The White House also received commitments from cyber insurance providers and educational organizations to improve the nation’s security posture. President Biden issued a cybersecurity executive order in early May, requiring federal agencies to modernize their cyber defenses. The Biden Administration earlier this year also launched a 100-day initiative to improve cybersecurity across the electric sector. On Wednesday, the administration announced the initiative has improved the cybersecurity posture of more than 150 electric utilities and would now expand to natural gas pipelines.

    Additionally, the White House Wednesday said the National Institute of Standards and Technology (NIST) will develop a new framework to improve the security and integrity of the technology supply chain. To do so, it will work with partners including Microsoft, Google and IBM.

  • Elastic Q1 revenue tops expectations, offers surprise profit, raises year view

    Enterprise search technology company Elastic this afternoon reported fiscal Q1 revenue that topped analysts’ expectations, and a surprise profit where analysts had expected a loss, and raised its forecast for revenue. The report sent Elastic shares up almost 4% in late trading.

    “Our cloud revenue grew 89%, year over year, we’re very proud of that,” CEO and founder Shay Banon told ZDNet in an interview via Zoom. “Next year, we expect to breach the $1 billion barrier,” added Banon. “We’re very excited about our growth.”

    Elastic’s total revenue in the three months ended in July rose 50%, year over year, to $193.1 million, yielding a net profit of 4 cents a share, excluding some costs.

    Analysts had been modeling $173.2 million and a 10-cent net loss per share.

    Total cloud revenue of $61.5 million made up a third of total revenue.

    Elastic’s progress in cloud is being helped by the ability to have search function across different clouds where customers have workloads, Banon told ZDNet. Customers can deploy Elastic’s Elasticsearch software on Amazon AWS and also GCP, and search across the two, for example. Elastic “move the search, we don’t move the data,” meaning that customers’ information stays where it is hosted. “That’s pretty unique,” said Banon. The ability to span clouds can save money in terms of cost of data hosting, claimed Banon.

    “We have almost made the decision around which cloud meaningless to our customers,” said Banon, “because they can just go and pick and choose, and we integrate with the marketplace.” That integration has “required substantial investment on our part,” said Banon. “I’m happy to start to see it panning out.”

    In a separate release, Elastic announced it has agreed to acquire five-year-old security startup Cmdwatch Security, Inc., of Vancouver, British Columbia, also known simply as Cmd, for undisclosed terms. The startup will bring runtime security capabilities to Elastic’s observability and event management tools, with particular emphasis on protecting assets in cloud environments, including things such as Kubernetes installations.

    Banon said observability tools such as application management and DevOps are on course to merge with security tools. “There is another phase of consolidation that is going to happen in the next five years in the market, which is that observability and security are going to start to merge together,” said Banon. “Because while you observe, why not protect?”

    For the current quarter, the company sees revenue of $193 million to $195 million, and net loss per share in a range of 15 cents to 19 cents. That compares to consensus for $188.7 million and a 14-cent loss per share.

    For the full year, the company raised its outlook for revenue from a prior range of $782 million to $708 million to a new range of $808 million to $814 million. That compares to consensus of $789 million. The company also lowered its outlook for profitability, forecasting a net loss of 57 cents to 67 cents a share, excluding some costs, below the prior outlook of 51 cents to 50 cents a share.
