More stories

  • Twitter accidentally spams users asking them to confirm accounts

    On Friday afternoon, many Australian Twitter users were asking whether to trust an email asking people to confirm their accounts. The online consensus was fast coming to the conclusion that it was all a scam — a very good recreation of legitimate emails from Twitter — when the social media network fessed up that it was responsible.

    “Some of you may have recently received an email to ‘confirm your Twitter account’ that you weren’t expecting. These were sent by mistake and we’re sorry it happened,” the company said on its support account. “If you received one of these emails, you don’t need to confirm your account and you can disregard the message.”

    Last month, the Australian Competition and Consumer Commission said Australian businesses reported losing more than AU$14 million due to payment redirection or business email compromise scams to Scamwatch, with losses in 2021 set to be five times higher. In 2019, 25,000 phishing scams were reported to Scamwatch, with only 513 reported as resulting in financial loss, valued at AU$1.5 million. Nevertheless, phishing was the most popular scam method.

  • Tech giants and cops at least agree thwarting terrorist or extremist activity is a joint effort

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) in December kicked off an inquiry into extremist movements and radicalism in Australia, considering, among other things, the role of social media, encrypted communications platforms, and the dark web in allowing such activity.

    The New South Wales Police Force told the committee that online propaganda continues to instruct, recruit, inspire, cause fear, and encourage attacks. It said this remains a significant driver for global terrorism and the targeting of crowded places in Western countries.

    “Extremist groups, across all ideologies … have consistently demonstrated a willingness to harness new technologies to amplify their messages, reach new audiences, and coordinate activities,” NSW Police said [PDF]. “Digital platforms, including social media, encrypted messaging applications, live-streaming platforms, and the dark web are able to be used effectively by extremist groups. These innovations have allowed new types of communities to emerge, where ideological affinity overcomes a lack of physical proximity.

    “Internet-enabled technologies have provided an accessible, low-cost means to establish, engage and empower like-minded groups across divides.”

    It said that where platforms associated with extremist groups and implicated in terror attacks have been taken down by their hosts, rather than resulting in the demise of these platforms it has simply displaced them, emerging in altered forms and with new hosts.

    “Pushing extremists to the fringes of the internet, away from mainstream users, could be a positive but it presents a different set of challenges for law enforcement and intelligence agencies,” NSW Police added.

    Also providing a submission [PDF] to the inquiry, Facebook said the existence of terrorist or extremist groups within society inevitably leads to terrorist or extremist activity online. The social media giant detailed its work in removing terrorist or extremist activity, but told the PJCIS it must consider not just how to prevent the violent manifestations of extremism, but also how to combat hate, labelling it the root cause for extremism.

    On encrypted communications, Facebook said end-to-end encryption is the best security tool available to protect Australians from cybercriminals and hackers, but it also poses a legitimate policy question: “How to ensure the safety of Australians if no one can see the content of messages except the sender and the receiver?”

    “The solution is for law enforcement and security agencies to collaborate with industry on developing even more safety mitigations and integrity tools for end-to-end encrypted services, especially when combined with the existing longstanding detection methods available to law enforcement,” it wrote. “We already take action against a significant number of accounts on WhatsApp (a fully end-to-end encrypted messaging service) for terrorism reasons, and we believe this number could increase with greater collaboration from law enforcement and security agencies.”

    It said it’s committed to working with law enforcement, policymakers, experts, and civil society organisations to develop ways of detecting bad actors without needing access to the content of encrypted messages. It added the creation of backdoors is not the way forward.

    Similarly detailing its approach to removing terrorist or extremist activity across its platforms to the PJCIS, Google said [PDF] it also engages in ongoing dialogue with law enforcement agencies to understand the threat landscape and respond to threats that affect the safety of its users and the broader public. Google receives approximately 4,000 requests each year for user data from Australian law enforcement agencies.

    The search giant also said encryption is a “critically important tool in protecting users from a broad range of threats”.

    “Strong encryption doesn’t create a law free zone — companies can still deploy several anti-abuse protections using metadata, behavioural data, and new detection technologies — without seeing the content of messages encrypted in transit (thereby respecting user privacy),” it wrote.

    “While we are unable to provide to law enforcement the unencrypted content of messages encrypted in transit, we are still able to provide a wealth of data and signals that in some instances have proven richer than content data. Metadata such as call location, associated phone numbers, frequency and length of call/text are logged on our servers and can be shared with law enforcement/intelligence when provided with a valid court order.”

    Offering similar summaries of the work it does in countering terrorist or extremist activity on its platform, Twitter told the PJCIS its goal is to protect the health of the public conversation, and to take immediate action on those who seek to spread messages of terror and violent extremism.

    “However, no solution is perfect, and no technology is capable of detecting every potential threat or protecting societies and communities from extremism and violent threats on their own,” Twitter said [PDF]. “We know that the challenges we face are not static, nor are bad actors homogenous from one country to the next in how they evolve, behave, or the tactics they deploy to evade detection.”

    The Office of the Australian eSafety Commissioner told the committee that its research on young people and social cohesion showed 33% of young people have seen videos or images promoting terrorism online, and over 50% of young people had seen real violence that disturbed them, racist comments, and hateful comments about cultural or religious groups. It told the PJCIS it believes the best tactic to prevent terrorist or extremist activity is education.

    “Especially in the context of this inquiry, it is important to consider the structural, systemic, and social factors that may lead someone to be attracted to, and engage in, negative or dangerous activity online,” its submission [PDF] said. “A whole of community approach and systems approach is therefore needed to understand and address the underlying drivers of this behaviour, as well as provide diversion and alternative pathways to support and assistance.”

    “Giving individuals the skills and strategies to prevent and respond to harmful experiences online and engage online in ways likely to promote safe and positive online experiences.”

  • Best free PC antivirus software in 2021

    If you use a Windows PC, do you really need third-party antivirus software? For that matter, do you need to pay for the protection? The answer to that question was easy a decade ago. Today, the built-in security features in Windows 10, including the Microsoft Defender Antivirus engine, pass the “good enough” test, making the choice less clear-cut.

    But for some picky PC users, replacing the basic built-in antivirus protection with software from an outside developer is just natural when setting up a new Windows PC. Even if the difference is small, it’s still an improvement. In a world where ransomware is an existential threat to businesses and banking-related Trojans and phishing attacks can drain your checking account in minutes, you want every edge.

    The best-known commercial antivirus programs for Windows typically require an annual paid subscription, but some perfectly respectable names also distribute free versions of their software, usually for noncommercial use only. Typically, these programs include the exact same scanning engines and malware definition files, minus most of the fancier features and, crucially, offering minimal support options. You can also expect frequent, occasionally annoying upsell offers as the developers try to convince you to upgrade to a paid plan.

    All of the programs we list here are completely free and are appropriate for use in a home setting by nontechnical users. We don’t recommend any of these programs for use by businesses, which need quick access to support lines and, in larger businesses, centralized management and monitoring dashboards. These are especially good choices if you’re the unofficial IT admin for friends and family members who can’t always spot a scam or a phishing attempt.

    Hope you like upsell offers

    After nearly a quarter-century with its free product in the US market, AVG has developed a solid identity as the go-to name in free AV software. Indeed, the AVG brand remained even after AVG’s parent company was acquired by Avast Software in 2016. Today, both Avast and AVG have free antivirus offerings that use the same engine and are nearly identical in appearance, and everything we say about AVG’s free package applies to Avast Free Antivirus.

    Both products do well in independent testing, but they’re equally aggressive about monetizing their customers. When you install the free product, you sign up for a barrage of offers trying to convince you to upgrade to a paid plan. The installer even includes an offer to install Google Chrome, which results in a bounty from Google to Avast/AVG. We found the torrent of upsell techniques to be annoying and occasionally downright manipulative, so be warned.

    The basic virus-scanning tools in either product work exactly as advertised. If you can ignore the frequent upgrade offers, it’s a perfectly good choice.


    Antivirus and much more (maybe too much)

    Avira Free Security includes basic antivirus scanning, as expected, but it also includes a pair of extra modules intended to improve performance and safeguard privacy. The performance tab of the Avira console includes options for cleaning the registry, uninstalling outdated apps, and deleting unnecessary files. Options on the Privacy tab offer to turn off telemetry-related settings and adjust other settings.

    If you’re the sort of tech-savvy Windows user who approves of that sort of tweaking, go right ahead. On the other hand, we recommend caution if you’re setting up this software on a PC that belongs to a user who’s not technically sophisticated, because in our experience these sorts of modifications can have unintended consequences.


    The minimalist antivirus alternative

    Bitdefender, a privately held company based in Romania, has a solid reputation for its paid security products. Its free offering includes a minimalist interface, with no frills or extras, that’s refreshingly free of upsell offers.

    Bitdefender Antivirus Free promises “basic antivirus protection for Windows PCs,” and that’s exactly what you get. It takes over the malware scanning and removal functions normally assumed by Microsoft Defender Antivirus but doesn’t include additional features such as ransomware protection, system optimization, or a virtual private network, which are part of the company’s paid plans.

    If that basic level of protection is what you’re looking for, this is a perfect fit.


    From Russia, with a few extras

    Eugene Kaspersky, who founded Kaspersky Lab, argues that offering free protection to its customers is part of its core mission. Yes, you will see upsell offers in Kaspersky products (including a can’t-miss red “Upgrade package” button on the Kaspersky management console), but they are, by and large, much kinder and gentler than those of their competitors. For the most part, installing the free Kaspersky product doesn’t change your daily experience.

    Kaspersky’s free product includes two of the more useful extras we’ve seen in this category: a free password manager and a VPN that offers 300 MB of daily use. If someone’s not already using a third-party password manager, this is a good option, and the VPN capabilities are valuable for anyone who wants casual access to a protected network without a lot of fuss.

    Like so many security software companies, Kaspersky’s headquarters are behind the old Iron Curtain. If that bothers you, good luck finding an alternative that doesn’t have a few Eastern European connections.


    Manage up to three PCs from the web

    Although Sophos Home offers a free tier, you can’t install it directly. Instead, you get a free 30-day trial of Sophos Home Premium first (no credit card required). After 30 days, your installation is downgraded to the free edition and you lose the ransomware protection, exploit mitigation, privacy controls, and other features that are exclusive to the paid package.

    Using the web-based console means you can monitor activity and even launch a scan remotely. (The paid version allows you to keep track of 10 PCs, but the free version is limited to three devices.) That feature’s handy if you’re trying to keep tabs on PCs belonging to other family members who aren’t part of your immediate household. The free version also includes web filtering tools that allow you to provide warnings or block access to websites that fall into any of more than two dozen categories, with the option to enter exceptions in the case of false positives.


    Is the Microsoft Defender Antivirus included with Windows 10 good enough?

    For most people, the built-in security features in Windows 10 are indeed good enough. That includes Microsoft Defender Antivirus, which is turned on automatically and updates itself continuously. It also includes a built-in firewall (which is on by default) and Microsoft Defender SmartScreen technology, which blocks malicious or unknown apps and files from the web, even when they’re downloaded from a browser other than Microsoft Edge. If you choose to install third-party security software, Windows automatically disables the corresponding Microsoft Defender features.

    Do independent antivirus test results matter?

    Well, sort of. Security software makers pay for the privilege of participating in these tests, which use a mix of known malware samples, suspicious website behaviors, and other indicators to measure success. The difference between a 98.4% rating and a 100% rating is insignificant, especially considering how many other layers of security can prevent an executable file or script from landing on your desktop in the first place.

    In addition, a 100% rating means only that the software successfully passed all the challenges it faced in that month’s test cycle. It doesn’t mean you’ll be 100% protected from a malicious download or email attachment.

    How much does effective antivirus software cost?

    In researching the prices of commercial security software for use on home PCs, one thing we learned is that there’s no such thing as a fixed price. If you check out the price of a product and try to navigate away from the page, chances are you’ll be offered a lower price. You can also find coupons and “limited time” offers that dramatically cut the cost of a year’s subscription to one of these packages.

    The catch, of course, is that the discount is only good for the first year, and when renewal time comes around, those discounts are much harder to find. The overall prices vary dramatically, depending on which features are included and how many devices the subscription supports.

    How we narrowed the field

    We looked at currently available security software products for PCs running Windows 10, concentrating on those with a well-established reputation and a well-tested infrastructure for delivering updates. We did not consider software designed for use on other platforms, including MacOS and mobile devices.

    We installed each program in a virtual machine to get a feel for its user experience, but we didn’t do any further testing ourselves. We insisted, instead, on a solid record of test results from two leading software test labs: AV-Comparatives and AV-Test.org.

    Most importantly, as it says in the title, the software and accompanying services have to be completely free for long-term use, with no expiration date or hidden costs. That filter knocks some well-known, even iconic names in security software off the list, including McAfee, Norton, and Trend Micro.

    How to choose

    Every security software package involves a trade-off between protection and convenience. The free packages we describe here add another layer to that equation, with varying degrees of advertising designed to convince you to upgrade your free program to a paid subscription. Each package also offers a mix of added features, which may or may not be of value to you.

    In terms of effectiveness against online threats, we don’t believe there’s a profound difference between these packages. That means the best way to choose is to install a package and try it out for long enough to decide whether the interface and the upsell offers are acceptable. If you find a package too intrusive, uninstall and move on to the next candidate on the list.


  • SolarWinds hack analysis reveals 56% boost in command server footprint

    A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. 

    The catastrophic SolarWinds security incident involved the compromise of the vendor’s network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. Sunspot, designed to monitor the SolarWinds build server for Orion assembly, was also found in January by CrowdStrike and is thought to be one of the preliminary tools used to pull off the attack.

    In total, an estimated 18,000 companies received the malicious update, with a smaller number of high-profile targets — including Microsoft, FireEye, and a number of federal government agencies — being selected for compromise over 2020.

    The White House, together with the UK government, has blamed the intrusion on state-backed Russian cybercriminals, APT29/Cozy Bear (campaign tracked as UNC2452).

    On Thursday, RiskIQ researchers published a report on the network infrastructure footprint of SolarWinds-linked cyberattackers, labeling it as “significantly larger than previously identified.”

    According to the cybersecurity company, the Sunburst/Solorigate backdoor was designed to “identify, avoid, or disable different security products,” with a particular focus on circumventing antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure in the first stage of infection.

    “For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them,” RiskIQ says.

    The second and third stages included custom droppers (Teardrop/Raindrop) and the deployment of additional malware alongside Cobalt Strike. Implants for persistence with components dubbed Goldmax/GoldFinder/Sibot, as well as Sunshuttle, have also been connected to these stages.

    Now, RiskIQ’s Team Atlas has identified an additional 18 servers linked to the SolarWinds espionage campaign, a number the firm says represents a “56% increase in the size of the adversary’s known command-and-control footprint.”

    The new C2s were discovered by mapping the second stage of deployment; in particular, modified beacons associated with Cobalt Strike. While this pattern itself is not uncommon, the team correlated this online data — containing over 3,000 results — with SSL certificates recorded as in use by the SolarWinds hackers.

    “[This] became highly unique when correlated with the SSL patterns,” RiskIQ says. “The result was the identification of a significant number of additional malicious servers.”

    RiskIQ added that the findings will “likely lead to newly identified targets.” US-CERT was made aware of RiskIQ’s findings prior to public disclosure.

    Last month, Swiss cybersecurity firm Prodaft published a report on SilverFish, a sophisticated threat group thought to be responsible for intrusions at over 4,700 organizations including Fortune 500 companies. SilverFish was connected to SolarWinds attacks as “one of many” APTs jumping on the incident. The group’s digital infrastructure has also revealed potential links to campaigns involving TrickBot and WastedLocker.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • ServiceNow launches unified agent platform, aims to meld diagnostics with incident automation

    ServiceNow is rolling out a unified platform to collect diagnostic information across enterprise applications, cloud and on-premises infrastructure to better automate incidents and prevent disruptions. The company is launching Agent Client Collector, or ACC, to deliver visibility and allow service and operations teams to automate incident resolution. ACC is also designed to proactively identify and prevent service disruptions.

    ServiceNow’s approach with ACC is to unify agents into one platform. Traditional agents are often siloed and focused on specific hardware, software and cloud platforms. ACC will also use its data to optimize spending.

    Features of ACC include:

    • Policy-driven monitoring of applications and endpoints. ServiceNow is looking to enable customers to cut spending on standalone monitoring tools.
    • Real-time visibility of endpoint configuration and performance data within an agent’s workspace via a feature called Live Asset View.
    • Automation playbooks for service and operation teams. The automation playbooks will cover hardware asset management, which collects asset attributes and performance data, and software asset management focused on inventory, usage and spending optimization.

    ACC can support ServiceNow products across IT Operations Management (ITOM), IT Service Management (ITSM), Hardware Asset Management (HAM), Software Asset Management (SAM) and Security Operations (SecOps).

  • Malware and ransomware gangs have found this new way to cover their tracks

    There’s been a huge uptick in the proportion of malware using TLS, or Transport Layer Security, to communicate without being spotted, cybersecurity firm Sophos reports.

    While HTTPS helps prevent eavesdropping, man-in-the-middle attacks, and hijackers who try to impersonate a trusted website, the protocol has also offered cover for cybercriminals to privately share information between a website and a command and control server — hidden from the view of malware hunters.

    “It should come as no surprise, then, that malware operators have also been adopting TLS … to prevent defenders from detecting and stopping deployment of malware and theft of data,” Sophos said.

    Malware communications fall into three main categories: downloading more malware, exfiltration of stolen data, or command and control. All these types of communications can take advantage of TLS encryption to evade detection by defenders, the security company said.

    According to Sophos, a year ago 24% of malware was using TLS to communicate, but today that proportion has risen to 46%. Sophos said a large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS as unwitting storage for malware components, as destinations for stolen data, or even to send commands to botnets and other malware.

    It also said it has seen an increase in TLS use in ransomware attacks over the past year, especially in manually deployed ransomware — in part because of attackers’ use of modular offensive tools that leverage HTTPS.

    “But the vast majority of what we detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages,” it said. “We found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as ‘malware callhome’ over a three-month period, 56 percent of the unique C2 servers (identified by DNS host names) that communicated with malware used HTTPS and TLS.”

    One dropper it highlights is the PowerShell-based LockBit ransomware, which remotely grabbed scripts from a Google Docs spreadsheet via TLS. But malware operators often use multiple web services for different functions.

  • Now this botnet is hunting for unpatched Microsoft Exchange servers

    Cyber criminals are trying to use vulnerabilities in Microsoft Exchange servers to add to their botnet for mining cryptocurrency – but the level of access they’re gaining means they could use it for other, much more dangerous cyberattacks.

    Detailed by cybersecurity researchers at Cybereason, the Prometei botnet is a widespread global campaign that is targeting organisations in a multi-stage attack.

    The cyber criminals behind the botnet are exploiting vulnerabilities in Microsoft Exchange Server as a means of penetrating networks. Security updates exist and can be installed to protect against attacks, but Prometei is scanning the internet for organisations that have yet to apply the patch and using that to gain a foothold on networks.

    Prometei isn’t targeting an organisation in particular; the attackers are just looking for any vulnerable networks they can exploit. According to researchers, the botnet has claimed victims in multiple industries in regions including North America, South America, Europe and East Asia.

    The main objective of the attackers is to install cryptojacking malware to mine for Monero – allowing the criminals to secretly use the processing power of infected devices to line their pockets with cryptocurrency. Prometei uses the vulnerabilities in Microsoft Exchange servers to gain initial access to the network and attempts to infect as many endpoints as it can – using a variety of known attack techniques to move laterally around networks.

    These include harvesting login credentials, exploiting RDP vulnerabilities and even using older exploits including EternalBlue and BlueKeep to move around networks, performing the reconnaissance required to compromise as many machines as possible.

    Like the Microsoft Exchange Server vulnerabilities, EternalBlue and BlueKeep have received patches – but the attackers are able to exploit organisations that haven’t applied them across their network.

    “Unfortunately, having a patch available does not equal rapid deployment of the patch, as we have seen repeatedly in the past. For example, years after the EternalBlue exploit leaked and patches were available, we still kept seeing attackers exploiting this vulnerability,” Assaf Dahan, head of threat research at Cybereason, told ZDNet.

    Those behind Prometei appear to want to achieve long-term persistence on the network and they do that by using techniques associated with sophisticated cyber-criminal operations and even nation-state hacking groups. For now at least, Prometei is focused on mining for cryptocurrency.

    “The longer they can remain undetected on the network, the more cryptocurrency is being mined. Therefore, they improved the botnet’s resilience, added stealth features to the malware and used techniques and tools that are many times associated with Advanced Persistent Threats,” said Dahan. “If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints,” he added.

    Not much is known about the cyber-criminal operation behind Prometei, but Cybereason’s analysis of the group’s activity suggests it’s Russian speaking – and it appears as if the group actively looks to avoid infecting targets in Russia.

    The name of the botnet, “Prometei”, is also the Russian word for Prometheus, the Titan god of fire in Greek mythology.

    Prometei is still believed to be actively scanning for new targets to infect – and the best way to avoid falling victim is to apply the critical security updates for Microsoft Exchange Server.

    “First and foremost, organisations should strive to have a good patch management procedure and to patch potentially vulnerable systems,” said Dahan. “But most importantly, IT and security teams should be proactive and continuously hunt for known threats,” he concluded.

  • New US Justice Department team aims to disrupt ransomware operations

    The US Department of Justice (DoJ) is forming a new task force to deal with the “root causes” of ransomware.

    In an internal memo, the DoJ outlines the creation of a new initiative that will bring together current efforts in federal government to “pursue and disrupt” ransomware operations.

    As noted by CNN, this could include the takedown of command-and-control (C2) servers used to manage ransomware campaigns, as well as the legal seizure of “ill-gotten gains” generated by such schemes.

    Popular ransomware strains include Petya, Locky, Maze, and CryptoLocker. These forms of malware encrypt drives on infected machines and operators then demand a ransom payment in return for a decryption key. Depending on the victim’s worth, blackmail demands can reach millions of dollars.

    Over the past year or so, double-extortion tactics have also been put into play more widely, in which sensitive data is stolen before encryption begins. If a victim refuses to pay up, they may be threatened with the leak of this information to the public. Recent examples of these tactics include the REvil ransomware gang’s targeting of Acer and Apple supplier Quanta.

    The memo added that the new task force will also reach out to private sector organizations to gain more intelligence on ransomware threats and trends. Links between ransomware operations and state-sponsored threat actors will also be examined.

    Furthermore, the federal government intends to pour more resources into training. In light of the SolarWinds breach and Microsoft Exchange Server disaster, President Biden’s administration appears to be taking cybersecurity seriously. Earlier this week, the White House revealed a 100-day plan to tackle threats to the US electricity grid.

    Acting Deputy Attorney General John Carlin said 2020 was the “worst year” to date when it comes to ransomware and extortion attempts.

    “If we don’t break the back of this cycle, a problem that’s already bad is going to get worse,” Carlin told the Wall Street Journal.