More stories


    University of Minnesota responds to Linux security patch requests

    If you’re just catching up on this story, here’s the quick recap: University of Minnesota researchers deliberately submitted patches that would have introduced use-after-free (UAF) vulnerabilities into the Linux kernel. When it appeared they were trying once more to put garbage patches into the kernel, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, banned UMN developers from submitting to the kernel and pulled existing suspicious UMN patches. The Linux Foundation followed up with a list of requests for the UMN to comply with if they wanted to work with the Linux kernel again. Now, ZDNet has obtained a copy of UMN’s response to the Linux community.


    According to Mats Heimdahl, UMN Professor and Department Head of the Department of Computer Science and Engineering, the school appreciates the Linux Foundation’s requests, looks forward to reaching “a mutually satisfactory resolution,” and agrees that re-engaging with each other “is the way to go.” Specifically, Heimdahl continued:

        We currently are considering your requests, and are moving as quickly as we can to produce a substantive response that addresses them. In particular, the research group is preparing a letter to the Linux community and we are currently attempting to secure consent to release all information about the code submissions from the group. Once we have had an opportunity to look into the remaining issues, we would appreciate the opportunity to meet with you to discuss and move forward.

    This is in response to the top request from Mike Dolan, the Linux Foundation’s senior VP and general manager of projects:

        Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.

    Finding the questionable code and associated documentation is difficult. The UMN researchers did a poor job of tracking their own research. As senior Linux kernel developer Al Viro commented: “The lack of data is a part of what’s blowing the whole thing out of proportion — if they bothered to attach the list (or link to such) of SHA1 of commits that had come out of their experiment, or, better yet, maintained and provided the list of message-ids of all submissions, successful and not, this mess with blanket revert requests, etc. would’ve been far smaller (if happened at all).”

    Dolan also asked, on behalf of the Linux developer community, that the paper coming from this research, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” be withdrawn because the researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, experimented on Linux kernel maintainers without their permission. Dolan therefore asked the university to withdraw “from formal publication and formal presentation all research work based on this or similar research where people appear to have been experimented on without their prior consent. Leaving archival information posted on the Internet is fine, as they are mostly already public, but there should be no research credit for such works.”

    While Heimdahl didn’t address this point, the paper has been withdrawn. In a public note, Wu and Lu, but not Pakki, wrote: “We wish to withdraw our paper ‘On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits’ from publication in the 42nd IEEE Symposium on Security and Privacy.” The paper had already been accepted by this high-level conference.

    They’re withdrawing it for two reasons:

        First, we made a mistake by not engaging in collaboration with the Linux kernel community before conducting our study. We now understand that it was inappropriate and hurtful to the community to make it a subject of our research and to waste its effort reviewing these patches without its knowledge or permission. Instead, we now realize that the appropriate way to do this sort of work is to engage with community leaders beforehand so that they are aware of the work, approve its goals and methods, and can support the methods and results once the work is completed and published. Therefore, we are withdrawing the paper so that we do not benefit from an improperly conducted study.

        Second, given the flaws in our methods, we do not want this paper to stand as a model for how research can be done in this community. On the contrary, we hope this episode will be a learning moment for our community, and that the resulting discussion and recommendations can serve as a guide for proper research in the future. Therefore, we are withdrawing the paper to prevent our misguided research method from being seen as a model for how to conduct studies in the future. We sincerely apologize for any harm our research group did to the Linux kernel community, to the reputation of the IEEE Symposium on Security and Privacy, our Department and University, and our community as a whole.

    Between Heimdahl’s note and this public letter, it appears that the UMN has acceded to the Linux Foundation’s main requests. There are still fine details to be worked out, but it now appears that the UMN, the Linux Foundation, and the Linux kernel developer community should be able to quickly come to peace with each other. That done, the UMN can get back to doing research and the maintainers can return to doing their real work of improving the kernel rather than chasing down potentially bogus patches.


    Anti-Facebook MeWe continues its user growth surge

    Eileen Brown
    MeWe seems to be breaking the mould for social media platforms – and increasing its user base as people turn away from ad-riddled social media platforms. The social media platform says it does not control your newsfeed, or fill your feed with third-party ads or content, and has grown to almost 18 million members. The platform has raised over $23 million from high-net-worth investors including Kelly Slater (top surfer), Rick Smith (former NFL executive), Verdine White (Grammy Award winner, Earth Wind and Fire bassist), Mark Britto (founder of Boku), Marci Shimoff (NYT author), Rachel Roy (fashion designer), and Jack Canfield (founder of Chicken Soup for the Soul). MeWe’s membership grew by a whopping 36% in Q1 2021 and by an average of 173% per year for the last three years. The platform boasts that 50% of its traffic is outside of North America. Of course, some of this US growth probably came from Amazon’s web hosting service dropping social network Parler as a customer in January, along with Apple and Google bans of the app. MeWe is available in 20 languages and was recently the #1 downloaded social app in Hong Kong. In Hong Kong, users started to migrate to the platform from Facebook after concerns about the way Facebook operates in China. Vice reckons that Hong Kong has become a testing ground for an anti-Facebook movement.

    MeWe says that it is for ‘authentic, real-life sharing’. Groups are a big thing on the platform — although it can seem overwhelming if you subscribe to too many common interest groups. You see your content in the correct timeline-ordered newsfeed, meaning that you theoretically never miss a post from your groups and pages. Any member can join and create communities based on their interests, and the content appears as it is intended to be. Members have control of their newsfeeds and can decide what kind of content they want to see.

    Earlier this month, the company announced that it had appointed Hollywood/tech exec Jeffrey Edell as its new CEO, and that he joins its Board of Directors. Edell succeeds MeWe founder Mark Weinstein, whose new role is Chief Evangelist. Edell previously held Chairman, CEO, and other C-level roles at Intermix Media (NASDAQ), the parent of MySpace; Soundelux Entertainment Group/Liberty Media; Cinedigm (NASDAQ); and DIC Entertainment. He helped lead the sale of MySpace to NewsCorp for about $600 million. Edell says: “People worldwide are migrating from Facebook, Instagram, and other major platforms to MeWe because it is the social network that respects its members as customers to serve and delight, not data to share, target, or manipulate. MeWe has achieved remarkable growth with zero paid marketing or member acquisition costs. I am thrilled to lead the company as we position for rapid growth by expanding our marketing efforts and product offerings, bringing on the world’s most compelling content creators, and growing our team to welcome millions of new members in the months ahead.”

    Although MeWe offers a “free forever,” or freemium, business model, members can upgrade to MeWe Premium for $4.99 per month to get features such as video journals, voice/video calling, cloud storage, custom themes, and custom emoji and sticker packs.

    I reckon that more and more people are attracted to MeWe for brand pages because their content gets to all of their followers regardless of how often they post. On Facebook or Instagram, content is throttled depending on how popular the user is. A brand like Samsung with 48 million users on Facebook reaches a tiny fraction of these users with every post. Savvy brands like Slashdot, controversial influencers like osteopathic physician Dr. Joseph Mercola, and Fox News’ Sean Hannity already use the MeWe platform. Perhaps the growth in users will tail off as the platform reaches saturation, but MeWe user growth shows no sign of slowing down right now. I like MeWe’s simplicity and lack of ads. My feed can appear a little crowded sometimes if I haven’t logged on for a few days, but pruning my feed for a while sorts that out. I will certainly be watching MeWe with interest to see if it continues to grow.


    FBI: Russian hackers are still trying to break into networks, here's how to protect yours from attack

    Russian hackers are still launching offensive cyber attacks against the US and its allies in efforts to steal information or lay the foundations for future operations, a joint alert by security and intelligence agencies has warned.

    The advisory from the FBI, Department of Homeland Security and CISA warns that the Russian Foreign Intelligence Service (SVR) – also known by cybersecurity researchers as APT 29, the Dukes and CozyBear – continues to target organisations in efforts to gather intelligence.

    US agencies – along with the UK’s National Cyber Security Centre (NCSC) – recently blamed the SVR for the SolarWinds supply chain attack, which saw hackers gain access to tens of thousands of organisations around the world – including several government agencies – after compromising the company’s software update process. And now organisations are being warned that Russian cyber attacks show no signs of slowing down, especially when it comes to targeting the networks of organisations involved with government, think tanks and information technology.

    Cloud services, including email and Microsoft Office 365, are being particularly targeted in attacks. “Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” warned the agency alert.

    The alert details common techniques used in SVR operations, including password spraying, leveraging zero-day vulnerabilities and deploying malware.

    Password spraying is when attackers try a small number of common or weak passwords against many accounts, including admin accounts. Accounts secured with common or weak passwords, including default usernames and passwords, provide cyber attackers with a relatively simple means of gaining access to poorly secured networks. In many cases, the attackers will break into as many accounts as they can, only thinking about how they can be exploited later.

    To defend against password spraying attacks, the FBI and DHS recommend the mandatory use of multi-factor authentication across the network and, where possible, enforcing the use of strong passwords – particularly for administrator accounts. It’s also recommended that access to remote administrative functions from IP addresses not owned by the organisation is prohibited.

    Another common attack technique used by Kremlin-backed hackers is leveraging vulnerabilities in virtual private network (VPN) appliances which expose login credentials. The alert uses the example of attackers exploiting CVE-2019-19781 – a vulnerability in Citrix Application Delivery Controller and Gateway – but it’s one of several which have been exploited in cyber attacks in recent years, allowing attackers to secretly enter networks. In each of these cases, the affected vendor has released a critical security patch – and in some cases these have been available for years – but organisations which don’t apply the updates are still vulnerable to attacks.

    The FBI, DHS and CISA also warn about attacks using WellMess – a form of custom malware associated with APT 29, which has been used in attacks targeting Covid-19 vaccine research facilities. While stolen RDP credentials have been used to help install the malware, it’s also been known for attackers to attempt to distribute it via spear-phishing emails.

    The alert on Russian hacking techniques has been released in order to encourage organisations to examine their networks and gain a better understanding of how to secure against attacks. “The FBI and DHS are providing information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks,” said the alert.
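    The two defensive recommendations above (watch for password spraying, and refuse remote administrative access from IP addresses the organisation does not own) translate into simple log checks. The following is an added example written for this page, not code from the FBI/DHS alert or from any vendor: it parses a constructed, hypothetical authentication log format (`LOGIN_OK` / `LOGIN_FAILED` records with `user=` and `src=` fields), flags any source IP that fails against many distinct accounts inside a short window (the spraying signature: few tries per account to dodge lockout, many accounts), and separately flags successful logins to a named admin account from outside an assumed organisation-owned range. The log lines, the `10.0.0.0/8` organisation range and the `admin` account name are all constructed assumptions.

    ```python
    """Defender-side checks for password spraying and off-network admin logins.

    All log data, network ranges and account names below are constructed for
    illustration; they do not come from any real environment or from the alert.
    """
    import ipaddress
    import re
    from collections import defaultdict
    from datetime import datetime, timedelta

    # Constructed sample log: one external source fails against six accounts in
    # twelve seconds and then succeeds against "admin"; a second, internal source
    # shows an ordinary user mistyping a password twice before logging in.
    SAMPLE_LOG = """\
    2021-04-26T08:00:01Z LOGIN_FAILED user=alice src=203.0.113.7
    2021-04-26T08:00:03Z LOGIN_FAILED user=bob src=203.0.113.7
    2021-04-26T08:00:05Z LOGIN_FAILED user=carol src=203.0.113.7
    2021-04-26T08:00:07Z LOGIN_FAILED user=dave src=203.0.113.7
    2021-04-26T08:00:09Z LOGIN_FAILED user=erin src=203.0.113.7
    2021-04-26T08:00:11Z LOGIN_FAILED user=frank src=203.0.113.7
    2021-04-26T08:00:13Z LOGIN_OK user=admin src=203.0.113.7
    2021-04-26T08:01:00Z LOGIN_FAILED user=alice src=10.0.0.5
    2021-04-26T08:01:02Z LOGIN_FAILED user=alice src=10.0.0.5
    2021-04-26T08:01:04Z LOGIN_OK user=alice src=10.0.0.5
    2021-04-26T08:02:00Z LOGIN_OK user=admin src=10.0.0.9
    """

    # Hypothetical log line layout: "<ISO timestamp> <event> user=<name> src=<ip>"
    LINE_RE = re.compile(
        r"^(?P<ts>\S+) (?P<event>LOGIN_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
    )

    # Assumed organisation-owned address space and privileged account names.
    ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
    ADMIN_ACCOUNTS = {"admin"}


    def parse_log(text):
        """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
        events = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "event": m["event"],
                "user": m["user"],
                "src": m["src"],
            })
        return events


    def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
        """Return {source_ip: distinct_accounts} for sources that fail against at
        least `min_users` different accounts within any `window`-long span.

        Per-account thresholds miss spraying because each account sees only one
        or two attempts; grouping failures by source and counting distinct
        usernames in a sliding window catches it.
        """
        failures_by_src = defaultdict(list)
        for e in events:
            if e["event"] == "LOGIN_FAILED":
                failures_by_src[e["src"]].append(e)

        alerts = {}
        for src, fails in failures_by_src.items():
            fails.sort(key=lambda e: e["ts"])
            start = 0
            for end in range(len(fails)):
                # Slide the window start forward until it fits inside `window`.
                while fails[end]["ts"] - fails[start]["ts"] > window:
                    start += 1
                users = {e["user"] for e in fails[start:end + 1]}
                if len(users) >= min_users:
                    alerts[src] = max(alerts.get(src, 0), len(users))
        return alerts


    def detect_offnet_admin_logins(events):
        """Return (user, src) pairs for successful privileged logins whose source
        address lies outside the organisation-owned networks."""
        hits = []
        for e in events:
            if e["event"] == "LOGIN_OK" and e["user"] in ADMIN_ACCOUNTS:
                addr = ipaddress.ip_address(e["src"])
                if not any(addr in net for net in ORG_NETWORKS):
                    hits.append((e["user"], e["src"]))
        return hits


    if __name__ == "__main__":
        parsed = parse_log(SAMPLE_LOG)
        print("spraying sources:", detect_password_spraying(parsed))
        print("off-network admin logins:", detect_offnet_admin_logins(parsed))
    ```

    On the constructed log, the spraying check reports only `203.0.113.7` (six distinct accounts in twelve seconds), while the internal host with two failures against a single account is ignored; the admin check reports the external `admin` login and not the one from `10.0.0.9`. In a real deployment the source would be the identity provider's or VPN gateway's sign-in log, the organisation range would come from the asset inventory, and the `min_users` and `window` values would be tuned against a baseline of legitimate failures.
    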


    Private Internet Access VPN's 2-year subscription is 72% off

    No one disputes that when things get back to normal, it’s going to be a whole new normal. For one thing, hybrid models are predicted to be the future for work and school. While it may be fun and exciting to work or take classes anywhere wifi is available, public wifi is notoriously insecure, so it is vital to get all the protection you can. Fortunately, Private Internet Access VPN provides everything you need to stay secure and more.

    Protecting your data should always come first, and Private Internet Access will encrypt your data, as well as block malware, trackers, and ads with its new MACE feature. But this VPN will also allow you to browse online while remaining completely anonymous. The company’s no-logs policy is extremely strict, plus your IP address and location are always masked.

    In addition to privacy and security, an added perk to having Private Internet Access VPN is being able to access content from anywhere in the world, even though it is supposed to be restricted from the location where you happen to be. Of course, there are other VPNs that might advertise the same service, but Private Internet Access VPN excels at the way it executes those services. For instance, you don’t have to sacrifice internet speed for security, because Private Internet Access VPN has a lightning-fast global server network of over 35,000 servers in more than 77 countries, so you can access the content you want at the fastest possible speeds. The company also offers a simple, yet robust, intuitive user experience and 24/7 live customer support.

    It’s no wonder that Private Internet Access VPN has more than 30 million downloads, with 4.7 out of 5 stars on Apple’s App Store and 4.5 out of 5 stars on the Google Play Store. The service has also garnered numerous awards. It was named one of the Best VPN Services of 2021 by CNET, Editor’s Choice of PCMag.com and Tom’s Guide, and more.

    A two-year subscription to Private Internet Access VPN is currently being offered at a 72% discount off the regular price of $258, so you can get one today for only $69.95.



    Ransomware extortion demands are growing, and so is the downtime caused by attacks

    The average ransom payment paid by victims of ransomware attacks has risen as cyber criminals exploit vulnerabilities in software and remote desktop protocol (RDP) services as common means of infiltrating networks.

    According to analysis in cybersecurity company Coveware’s Quarterly Ransomware Report, the average ransom payment in the first three months of this year was $220,298 – up from $154,108 in the final three months of 2020.

    One of the reasons the cost of ransom payments has grown so significantly is a rise in activity by some of the most notorious ransom groups, which demand millions of dollars in Bitcoin from victims in exchange for the decryption key. This includes the Clop ransomware gang, which Coveware describes as “extremely active” in attacks targeting large victims and making very high ransom demands. It ranks at number four among the most common ransomware variants, accounting for 7% of all attacks, even though it wasn’t in the top 10 at all during the previous quarter.

    The most common ransomware is Sodinokibi, which accounts for 14% of attacks, followed by Conti, which is behind 10% of ransomware attacks, and Lockbit, which is the third most common ransomware, with a 7.5% market share. Egregor is the fifth most common ransomware seen in the first quarter of 2020, accounting for 5.3% of attacks. Other ransomware variants commonly used in attacks at the moment include Avaddon, Ryuk, Darkside, Suncrypt, Netwalker, and Phobos.

    One technique that is helping to make ransomware attacks more successful is for cyber criminals to publish data they’ve stolen while inside the network. The idea is that victims fear the consequences of potentially sensitive information being exposed online – so give in and pay the ransom. According to analysis by Coveware, 77% of ransomware attacks now involve a threat to leak exfiltrated data – up 10% compared with the final quarter of 2020.

    Almost half of ransomware attacks begin with cyber criminals compromising RDP services, either by using stolen credentials, guessing default or common passwords, or by exploiting unpatched vulnerabilities. There’s also been a rise in software vulnerabilities being exploited as a means of infiltrating networks, particularly when it comes to those in VPN applications. All of this has come together to result in an average of 23 days of downtime following a ransomware attack – up by two days.

    Something that can help organisations successfully recover from a ransomware attack is regularly updating backups of the network – and storing them offline – so if the worst happens, restoring the network is possible without giving in to ransom demands, making the exercise a pointless waste of time for cyber criminals.

    But the best way to avoid damage from a ransomware attack is to avoid falling victim to one in the first place. Cybersecurity procedures that can help prevent this include avoiding the use of default usernames and passwords while also securing accounts with multi-factor authentication. Organisations should also ensure the latest security patches are applied to software across the network, preventing cyber criminals from being able to exploit known vulnerabilities to plant ransomware.


    Adobe releases open source ‘one-stop shop’ for security threat, data anomaly detection

    Adobe has released a “one-stop shop” project for data processing to the open source community. 

    Adobe’s One-Stop Anomaly Shop (OSAS), now available on GitHub, has been developed to make the detection of abnormalities in datasets easier, as well as to improve the processing and format of security log data. According to Chris Parkerson, Adobe Corporate Security Team marketing lead, OSAS combines the vendor’s past security research and other open source projects to offer an ‘out of the box’ system for dataset experimentation and processing, and to allow developers to explore ways to “shorten the path to finding a balanced solution for detecting security threats.” This includes leveraging Hubble, an open source compliance monitoring tool.

    Security logs can be complicated and messy and may not fit well with machine learning (ML)-based analysis tools, creating data sparsity and problems in turning unstructured data into structured, usable sets. The command-line interface (CLI) toolset applies two processes to datasets to try to make sense of security logs. The first is the tagging of raw data with field types such as “multinomial, text, and numeric values,” Parkerson says, and it is also possible to label content based on set rules. During the second stage, the labels are used as input features for generic (unsupervised) or targeted (supervised) ML algorithms. At present there are three standard options, but more are planned for the future.

    Adobe has released the OSAS code in full and has also provided a Docker version.


    UnitingCare Queensland security incident takes some systems offline

    UnitingCare Queensland has confirmed it has fallen victim to a cyber incident, rendering some of its systems inaccessible.

    The organisation, which provides aged care, disability supports, health care, and crisis response services throughout the state, said the incident occurred on Sunday 25 April 2021. “As a result of this incident, some of the organisation’s digital and technology systems are currently inaccessible,” it said in a statement. “As soon as we became aware of the incident, we engaged the support of lead external technical and forensic advisors.”

    UnitingCare also notified the Australian Cyber Security Centre (ACSC) of the incident and said it was continuing to work with them to investigate the incident. It said where necessary, manual back-up processes are in place to ensure continuity of most of UnitingCare’s services. “Where manual processes cannot be implemented, services are being redirected or rescheduled accordingly,” it added.

    The organisation said that given the incident only occurred this week, it isn’t currently possible to provide a resolution timeframe. It said, however, its digital and technology team is working to resolve things as swiftly as possible. “We are committed to keeping our people, patients, clients, and residents informed and safe as we work to resolve this incident, and will provide further relevant updates as new information comes to hand,” the statement continued.

    Last year, the ACSC issued an alert to aged care and healthcare providers, notifying them of recent ransomware campaigns targeting the sector. “Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks,” the ACSC wrote. “This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.”

    Last month, a “cyber incident” suffered by Eastern Health facilities in Victoria resulted in the cancellation of some surgeries across the state. Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals, and has many more facilities under management. At the time, Eastern Health took many of its systems offline as a precautionary response to the incident. By April 15, it reported the majority of its IT systems were restored.

    Swinburne University of Technology in early April also confirmed personal information on staff, students, and external parties had inadvertently made its way into the wild; and Transport for New South Wales (TfNSW) confirmed in February it was impacted by a cyber attack on a file transfer system owned by Accellion.

    TELEHEALTH GETS BUDGET BOOST

    Elsewhere in the health sector, the Australian government on Monday confirmed telehealth services put in place as a response to COVID-19 would continue for another six months. As part of the 2021-22 Budget, the government said it would be investing more than AU$114 million to extend telehealth until the end of the year. The extension of telehealth includes services for general practitioners, medical practitioners, specialists, consultant physicians, nurse practitioners, participating midwives, allied health providers, and dental practitioners.

    “The extension will ensure that Australians can continue to see their GP, renew scripts, and seek mental health support from the safety of their own home,” Health Minister Greg Hunt said. “This allows vulnerable Australians to feel protected and supported during these unprecedented times.”

    From 13 March 2020 to 21 April 2021, Hunt said, over 56 million COVID-19 Medicare Benefits Scheme telehealth services have been delivered to 13.6 million patients, with AU$2.9 billion in Medicare benefits paid. More than 83,540 providers have used telehealth services.

    Although content with the extension, Labor has asked for further permanency. “Greg Hunt said last November that telehealth will become a permanent feature of our Medicare system yet all he does is on a six month by six month basis is extend the uncertainty,” Shadow Minister for Health Mark Butler said. “It is time for the government finally to make a decision about what the permanent telehealth arrangements are going to be for Medicare.”


    Private equity firm Thoma Bravo to spend $12.3 billion on Proofpoint acquisition

    Proofpoint has entered into an agreement with Thoma Bravo that will see the cybersecurity company become a wholly owned entity of the private equity firm. Thoma Bravo has agreed to spend around $12.3 billion on the acquisition.

    Under the terms of the all-cash agreement, Proofpoint shareholders will receive $176 per share. The company said this represents a premium of approximately 34% over Proofpoint’s closing share price on 23 April 2021.

    “Upon completion of the transaction, Proofpoint will become a private company with the flexibility and resources to continue providing the most effective cybersecurity and compliance solutions to protect people and organisations around the world,” the company said in a statement. “Additionally, Proofpoint will benefit from the operating capabilities, capital support, and deep sector expertise of Thoma Bravo — one of the most experienced and successful software investors in the world.”

    Thoma Bravo is no stranger to the tech market. The firm has acquired a sizable portfolio of technology brands, including Qlik, Flexera, Riverbed, Blue Coat, and Barracuda Networks. Thoma Bravo has also built a portfolio of security brands with the acquisitions of Sophos, Veracode, ConnectWise, and Imperva, as well as automotive software company Autodata. Last month, Thoma Bravo announced it was adding data integration provider Talend for $2.4 billion. Talend, which went public in 2016, said the deal will position the company for long-term growth and provide the necessary capital and resources to execute its market strategy.

    In 2020, Proofpoint generated more than $1 billion in annual revenue, a milestone the company’s chairman and CEO Gary Steele said made it the first SaaS-based cybersecurity and compliance company to do so. “We believe that as a private company, we can be even more agile with greater flexibility to continue investing in innovation, building on our leadership position, and staying ahead of threat actors,” Steele said.

    Proofpoint’s board of directors unanimously approved the agreement. The agreement includes a 45-day “go-shop” period expiring on 9 June 2021, which allows the board and its advisors to actively initiate, solicit, and consider alternative acquisition proposals from third parties, Proofpoint said. The transaction is expected to close in the third quarter of 2021, subject to customary closing conditions, including approval by Proofpoint shareholders and receipt of regulatory approvals. Proofpoint will also continue to be headquartered in Sunnyvale, California.

    The announcement was made on the same day the company’s first quarter results were released. Net loss for the three months to March 31 was $45.3 million. Total revenue for the first quarter of 2021 was $287.8 million, an increase of 15% compared to the $249.8 million reported for the first quarter of 2020. GAAP gross profit for the first quarter of 2021 was $214.3 million, up from the $180.8 million reported a year prior. Non-GAAP gross profit was $232 million.