More stories

  • Microsoft fixes Windows 10 PrintNightmare flaw with this update

    Following the July discovery of Windows 10 PrintNightmare bugs, Microsoft has released an update that changes the default behavior in the operating system and prevents some end-users from installing print drivers. The key change in this month’s Patch Tuesday update for the bug CVE-2021-34481 aka PrintNightmare is that users will need admin rights to install print drivers. The bug, stemming from a flaw in the Windows Print Spooler service, allows a local attacker to escalate privileges to the level of ‘system’ — an outcome that lets them install malware and create new accounts on Windows 10 machines. The patch arrived with Microsoft’s August 2021 Patch Tuesday update, which included a patch for CVE-2021-36936, a distinct Windows Print Spooler remote code execution vulnerability. But Microsoft has also provided more information about the impact of the patch. “The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service,” the Microsoft Security Response Center (MSRC) said. “This change will take effect with the installation of the security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.” The problem with the update is that it may affect organizations with networked printers, placing additional workloads on admins who previously could let end-users install printer driver updates from a remote server. Microsoft, however, believes the security benefits outweigh the costs in time.

    “This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change,” MSRC said. Microsoft has outlined a way to disable this mitigation with a registry key, but it has advised against doing so. It outlines the steps in the knowledge base article KB5005652 where it explains it changes the default behaviors, even in devices that don’t use Point and Print or print functionality. After installing the August 10 updates, users who don’t have admin privileges can’t install new printers using drivers on a remote computer or service, nor update existing printer drivers using drivers from a remote computer or server. “If you are not using Point and Print, you should not be affected by this change and will be protected by default after installing updates released August 10, 2021 or later,” Microsoft adds. Microsoft warns that changing the new default will expose the organization to publicly available threats. “Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service and we recommend administrators assess their security needs before assuming this risk,” MSRC notes.

  • Hackers take $600m in 'biggest' cryptocurrency theft

    A hacker has apparently exploited a vulnerability to steal $600 million from a blockchain finance platform in what could be one of the largest cryptocurrency thefts to date. The makers of Poly Network, a “DeFi” or decentralized finance platform that works across blockchains, said on Tuesday that an attacker stole about $600 million in cryptocurrencies.

    The team behind Poly Network appealed to the hackers to “return the hacked assets”. “The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money stole are from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution,” the Poly Network team said. Poly Network works across blockchains for Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain. Poly Network listed three addresses the assets were transferred to.

    “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” the team pleaded. And it appears that at least a small amount of the funds have been returned. Poly Network posted on Twitter “you are moving things to the right direction” and said that it had received more than $1m back. A little later it posted again saying: “So far, we have received a total value of $4,772,297.675 assets returned by the hacker. ETH address: $2,654,946.051 BSC address: $1,107,870.815 Polygon address: $1,009,480.809.” According to Poly Network, “the hacker exploited a vulnerability between contract calls, exploit was not caused by the single keeper as rumored.” Per Wall Street Journal’s MarketWatch, the CTO of stablecoin company Tether, Paolo Ardoino, said the company froze $33 million of its tokens lost in the Poly Network attack. The hackers stole about $267m of Ether, $252m of Binance coins, and $85 million in USDC tokens. Changpeng Zhao “CZ”, chief of the giant Binance crypto-exchange, said on Twitter that it was aware of the Poly Network attack and noted that there was not much the company could do about it. “While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can,” he wrote.

  • Quantum computers could threaten blockchain security. These new defenses might be the answer

    It might be only a matter of time before quantum computers crack the cryptography keys that support sensitive data and cryptocurrencies on blockchain networks. Now quantum software company Cambridge Quantum (CQ) says it has developed a “quantum-safe” method that could future-proof any blockchain by making the system invulnerable to quantum attacks. 


    CQ partnered with the Inter-American Development Bank (IDB) and its innovation laboratory IDB Lab, which has been actively investing in blockchain technology to support social and economic applications in Latin America and the Caribbean. Specifically, IDB Lab has developed LACChain, a blockchain platform leveraged by more than 50 organizations in the region for use cases ranging from cross-border e-money payments to exchanging data between different countries’ customs administrations. CQ implemented a quantum-safe security layer to LACChain that has made the system secure from future quantum computers. To do so, CQ deployed its own commercially available platform to protect against quantum threats, called IronBridge, to LACChain. Blockchain’s vulnerability to quantum computers comes from its extensive reliance on cryptography.

    The technology, also called a distributed ledger, is essentially a computational system in which information is securely logged, shared and synchronized among a network of participants. The system is dynamically updated through messages called transactions, and each participant can have a verified copy of the system’s current state and of its entire transaction history. For this type of decentralized data-sharing system to work, strict security protocols are required – not only to protect the information and communications in the blockchain, which are often sensitive, but also to confirm the identity of participants, for example thanks to digital signatures. These protocols, for now, rely on classical cryptography keys, which transform information into an unreadable mush for anyone but the intended recipients. Cryptography keys are used to encrypt data – data that can in turn only be read by someone who owns the right key to decode the message. The strength of encryption, therefore, depends on how difficult it is for a malicious actor to decode the key; and to make life harder for hackers, security protocols currently rely on algorithms such as RSA or the digital signature algorithm to generate cryptography keys that are as complex as possible. Those keys, in principle, can only be cracked by crunching through huge amounts of numbers. This is why most current cryptography protocols are too hard to decode – at least with a classical computer. But quantum computers, which are expected to one day possess exponential compute power, could eventually crack all of the security keys that are generated by the most established classical algorithms. Quantum computers are still an emergent technology, and they are nowhere near mature enough to reveal any secrets just yet. But scientists have already identified some quantum algorithms, namely Shor’s algorithm, which have the potential to eventually break existing security protocols.
Alexander Lvovsky, professor at the department of physics at the University of Oxford, says that quantum computers, therefore, pose a threat to blockchain security processes like digital signatures. “By using Shor’s algorithm, a quantum attacker is able to calculate the private key of a user on the basis of their signed message, which is impossible to do with classical computers, and in this way, impersonate any party they want,” Lvovsky tells ZDNet. Quantum computers in the hands of a hacker could have dramatic consequences for the critical information that is currently stored. For example, hundreds of billions of dollars denominated in cryptocurrencies rely on blockchain ledgers, and the World Economic Forum estimates that 10% of GDP may be stored in blockchains by 2027. This could one day be at risk from quantum attacks. Recent analysis by Deloitte estimates that a quarter of all bitcoins could be stolen with a quantum attack, which currently represents over $40 billion. CQ and IDB, therefore, teamed up in an effort to deploy what is known as “post-quantum cryptography” to the blockchain – a form of cryptography that is adapted to a world in which quantum computers are no longer a thing of the future. There are various ways to address post-quantum cryptography, but all approaches essentially consist of making cryptography keys harder to crack, even for quantum computers. To do so requires an extra dose of randomness, or entropy. A key that is generated purely randomly, indeed, is much harder to decode than one that is the product of a mathematical operation – which can be reverse-engineered by a powerful computer. And while classical algorithms rely on mathematics, quantum computers can harness a special, non-deterministic property of quantum mechanics to generate this true randomness.
CQ has leveraged this to create the IronBridge platform, which taps those quantum processes to create random numbers and make extra secure cryptography keys. 

    IronBridge was successfully used in LACChain to protect communications as well as to secure digital signatures. “LACChain blockchain was an ideal target for keys generated by our IronBridge platform,” says Duncan Jones, head of quantum cybersecurity at CQ. “Only keys generated from certified quantum entropy can be resistant to the threat of quantum computing.” CQ deployed IronBridge as a “layer-two” service, meaning that it comes on top of the original architecture of the LACChain blockchain and could, therefore, be adapted to other systems. Even if large-scale quantum computers are still some way off, the announcement is likely to address the concerns of blockchain users. Whether it is in five, 10 or 15 years, a quantum computer could crack the security protocols that are protecting information now – meaning that sensitive information that is currently being stored on the blockchain is still at risk from future hacking. “The security currently used in most blockchains is vulnerable to quantum attack,” Itan Barmes, quantum specialist at Deloitte, tells ZDNet. “No one knows when these attacks are going to become feasible. Estimates range between five and 30 years. On the other hand, migrating to a quantum-safe solution is also expected to take years, so ignoring the problem is taking an unnecessary risk.” Blockchain is not alone in helping to prepare for the future of cryptography. Governments around the world are also rushing to develop post-quantum cryptography protocols, as concern mounts that information about defense and national security might one day be revealed by quantum computers.
The UK’s National Cyber Security Centre has been saying for many years that reliance on classical cryptography needs to end, for example; while in the US, the National Security Agency is currently investigating a number of algorithms that could improve the resilience of cryptography keys.

  • Porch pirates: How you can stop it happening to you

    With over 1.7 million packages stolen or lost every day in the US, it is not surprising that most of us are wary of leaving packages on the porch for more than a few minutes. Provo, UT-based home security systems company Vivint surveyed 1013 people about their experiences with purchases that have been sent to their homes. Porch piracy is a huge issue in the US, and getting refunds is difficult. Only 54% of porch pirate victims were refunded when reporting a package as stolen. The survey showed that an average of 29% of Americans reported having had a package stolen from their porch, front door or mailbox. In urban areas, over two in five (41%) reported having a package stolen. One in five (20%) had packages stolen from their house, and 44% had packages stolen from their apartment. The most stolen items were clothing (33%), followed by books, toys and games (23%), and health or personal care products (22%). Monday was the most common day for package theft, with 34% of packages stolen on that day. Almost two in three packages (56%) were stolen in the afternoons.

    Due to its dominance in the market, over 52% of packages stolen were Amazon Prime packages, followed by USPS (43%). These stolen packages tended to be high-value items, with an average value of $106 of packages left unattended in a typical month. So how do you protect your parcels? Well, the obvious answer seems to be — be at home when the package is dropped off. But as many delivery drivers seem to put the package at the front door, take a photo to prove it was left there, and then get back into their van to get to their next drop off, how can you ensure you get the package you ordered?
    If you know when your package is scheduled to arrive, then you will stand a better chance of being around when the package is delivered. Around one-third of us subscribe to delivery alerts. Giving instructions on where to drop the package off or getting the delivery driver to leave it in a safe place is the favoured option for 23% of respondents. Almost one in nine (13%) have the packages sent to their workplace, and one in five (22%) install an outdoor security camera or video doorbell. If you are not going to be around, get your package sent to an Amazon Hub locker, and collect your packages when it is convenient to you, or get a work-from-home friend to take the package in for you. Stopping boundary bandits from cruising the neighbourhood looking for packages to steal will benefit the vendors who try to fulfil your order and keep you satisfied with the goods you want arriving on time. Get a security camera, work from home if you can, and make sure your package is delivered to your safe location at a time you choose. It will cost you less in the long run.

  • ABS confirms Census 2021 experienced no breaches or interruptions

    Census 2021 has been deemed a “success”, with the Australian Bureau of Statistics (ABS) confirming it received an estimate of 6.2 million Census forms by Wednesday 8am AEST. Of the total, ABS reported that 6.1 million forms were submitted online through the Census digital service and the remainder was via post. The peak period online was at 8.06pm when the ABS received about 141 submissions per second. No interruptions, excessive wait times, or security breaches were reported by the ABS, according to Assistant Treasurer Michael Sukkar. “I want to thank the millions of Australians who have played their part in making the 2021 Census a success so far, and we want to continue to see the numbers ticking up and the forms coming in,” he said. “It is also important to remind Australians that it is not too late to submit your Census form. The Australian Bureau of Statistics continues to collect Census forms. Please visit the Census website or contact by phone if you need any further information on how to complete your Census. I also want to thank the work of the Australian Bureau of Statistics, the Australian Cyber Security Centre, the Digital Transformation Agency and all the government agencies and their employees involved in making the 2021 Census a seamless process.” The ABS has been focused on preparations for the 2021 Census to avoid an embarrassing repeat of what occurred during Census 2016, when the ABS experienced a series of small distributed denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated which resulted in the Census website being shut down and citizens unable to complete their online submissions.

    The Census was run on on-premises infrastructure procured from tech giant IBM. The 2021 Census, however, was built using the Amazon Web Services cloud through a contract awarded to PwC Australia. In March, Deputy Australian statistician Teresa Dickinson told Senate Estimates that preparations for Census 2021 were well on track, while confirming the agency was working with over 50 suppliers and partners on the Census. “Census day is the 10th of August, and we are on track. In our metrics, where we measure progress against the Census, many of the sub programs of work are ‘green’, there are a few that remain ‘amber’, and the reason is that we still have some testing and defect remediation to do on our technical work,” Dickinson said at the time. “But we are on track to do that, by the time the form goes live.” In response to the omnishambles that was the 2016 Census, there have been three reviews that made 36 recommendations, 29 of which were directed at the ABS and agreed upon. There was also a report prepared by the Australian National Audit Office (ANAO). ANAO in November labelled the preparation for the 2021 Census by the ABS as “partly effective”. It said generally appropriate frameworks have been established to cover the Census IT systems and data handling, and the procurement of IT suppliers, but that the ABS has not put in place arrangements for ensuring improvements to its architecture framework, change management processes, and cybersecurity measures will be implemented ahead of the 2021 Census. “The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations, and ensuring timely delivery of the 2021 Census,” the auditor added. “Further management attention is required on the implementation and assessment of risk controls.”

  • Firefox 91 gets HTTPS default in private mode, enhanced cookie clearing and Windows SSO

    Mozilla released Firefox 91 on Tuesday, with a pair of new privacy features and one offering increased Windows integration. When users use a private window in Firefox, the connection to the requested domain will now default to HTTPS even if a user manually enters the HTTP protocol. An HTTPS-first request will also be made if a user clicks on an HTTP link. The browser maker warned that HTTPS by default only applies to the page itself, and not necessarily all images, CSS, or JavaScript files loaded by the page. “However, loading a page over HTTPS will, in the majority of cases, also cause those in-page components to load over HTTPS,” Mozilla said. “We expect that HTTPS by Default will expand beyond Private Windows in the coming months.” In November with Firefox 83, Mozilla enabled users to switch on HTTPS-Only mode, which has the same functionality as HTTPS by default. The second privacy feature is dubbed enhanced cookie clearing. When a user asks Firefox to delete cookie data from a site, not only will Firefox remove cookies from that site, it will blast away any tracking cookies placed on the site as well.

    The functionality is built on total cookie protection that appeared in Firefox in February, and separates cookies on a per website basis — meaning supercookies such as those placed by Facebook were restricted to one container. “When you decide to tell Firefox to forget about a website, Firefox will automatically throw away all cookies, supercookies and other data stored in that website’s ‘cookie jar’. This Enhanced Cookie Clearing makes it easy to delete all traces of a website in your browser without the possibility of sneaky third-party cookies sticking around,” Mozilla explained. “Before Enhanced Cookie Clearing, Firefox cleared data only for the domain that was specified by the user. That meant that if you were to clear storage for comfypants.com, Firefox deleted the storage of comfypants.com and left the storage of any sites embedded on it (facebook.com) behind. Keeping the embedded storage of facebook.com meant that it could identify and track you again the next time you visited comfypants.com.” Now when users head to settings to manage cookie data, users will see a listing of jars rather than domains. Users can also right-click on “Forget About This Site” in the history menu to remove cookies and cache related to the site, as well as remove it from the browser history and delete any data Firefox has stored about the site, such as permissions. In order to use enhanced cookie clearing, users need to have strict tracking protection enabled. Firefox 91 also arrived with single sign-on integration with Windows for Microsoft, work, and school accounts. This feature can be enabled from the privacy and security section of Firefox settings. The browser also gained support for Scots locale in its latest release.

  • NortonLifeLock and Avast PLC to merge in $8.5 billion all-stock transaction

    Antivirus vendor NortonLifeLock this afternoon said it will merge with Britain’s Avast PLC in a transaction combining cash and stock in two different options, totaling between $8.1 billion and $8.6 billion in stock. That value is roughly equivalent to the value in U.S. dollars of Avast’s enterprise value, which takes into account its cash and debt, of £6.5 billion, based on the closing price of Avast stock Tuesday of £5.68 on the London Stock Exchange. NortonLifeLock shares rose 2.5% in late trading. The two companies said in the joint press release that their respective boards of directors see an opportunity to “create a new, industry-leading consumer Cyber Safety business, leveraging the established brands, technology and innovation of both groups to deliver substantial benefits to consumers, shareholders, and other stakeholders.” The two companies said the deal will bring together product lines that are broadly complementary, while giving the combined company a user base of over half a billion customers. The deal will broaden the geographic market coverage of the combined company. In addition, the two expect to realize “$280 million of annual gross cost synergies.” Under terms of the deal, “Avast shareholders will be entitled to receive a combination of cash consideration and newly issued shares in NortonLifeLock with alternative consideration elections available.” Based on NortonLifeLock’s closing share price of USD 27.20 on July 13, 2021 (being the last trading day for NortonLifeLock shares before market speculation began in relation to the merger on July 14, 2021, resulting in the commencement of the offer period), the merger values Avast’s entire issued and to be issued ordinary share capital between approximately USD 8.1B and USD 8.6B, depending on Avast shareholders’ elections. In a companion deck of slides, the two companies detail two options for shareholders.
Option one is to receive 31% of the deal in cash and 69% in stock, option two is to receive 90% in cash and 10% in stock. 

    NortonLifeLock CEO Vincent Pilette called the deal “a huge step forward for consumer Cyber Safety” that he said “will ultimately enable us to achieve our vision to protect and empower people to live their digital lives safely.” Added Pilette, “With this combination, we can strengthen our Cyber Safety platform and make it available to more than 500 million users. We will also have the ability to further accelerate innovation to transform Cyber Safety.” Said Avast CEO Ondřej Vlček, “At a time when global cyber threats are growing, yet cyber safety penetration remains very low, together with NortonLifeLock, we will be able to accelerate our shared vision of providing holistic cyber protection for consumers around the globe.” Added Vlček, “Our talented teams will have better opportunities to innovate and develop enhanced solutions and services, with improved capabilities from access to superior data insights. Through our well-established brands, greater geographic diversification and access to a larger global user base, the combined businesses will be poised to access the significant growth opportunity that exists worldwide.” Pilette, and NortonLifeLock’s CFO, Natalie Derse, will remain in those positions in the combined company. Avast CEO Vlček will join NortonLifeLock as President and will join the Board of Directors. Pavel Baudiš, a co-founder and current director of Avast, is expected to join the Board as an independent director, the companies said. NortonLifeLock, formerly the consumer security technology arm of Symantec, separated from Symantec when the enterprise security business was purchased by Broadcom in late 2019. Eleven-year-old Avast focuses on software for consumers and small and medium businesses.
The take-out price represents a multiple of roughly 9.6 times projected revenue this year for Avast of £678 million, and a multiple of projected Ebitda profit of 17 times.

  • Nearly one million credit cards offered on underground forum

    Researchers with D3Lab have discovered the data of almost one million credit card holders being sold on an underground forum, according to a blog post released this week. In a sample of 980,930 files acquired by D3Lab analysts on Monday, the batch contained names, addresses, credit card numbers, expirations and CVVs. About 30,000 entries in the data set came from people living in Italy, based on identifications tied to the stolen cards. D3Lab analysts found the information on a carding database called All World Cards. 
    All World Cards is a haven for online credit card thieves involved in things like magecart attacks, information stealing malware and point-of-sale attacks. D3Lab noted in their report that carding sites generally get most of their stolen credit cards from point-of-sale attacks at gas stations, supermarkets and some e-commerce sites. The report found that the people behind All World Cards have been marketing their site and services since June and may have purchased stolen credit card data and shared it for free “to entice other criminal actors to frequent their site.” The domain for allworld [.] Cards was created in May and the site now has 2,634,615 stolen credit cards, with more than 1 million coming from the US.

    After examining the data, D3Lab researchers sent the information to the banks represented in the leak so that the cards could be cancelled and users could be notified. Half of the cards in the batch are still operational, according to D3Lab. With the help of a BIN database, the researchers managed to verify the stolen records and figure out the companies, issuers and other data on the victims. Of the 980,930 stolen cards, 98% had a valid BIN associated with an emitter, according to D3Lab, while nearly every card came from either Visa or Mastercard. More than 75% of the cards were debit cards and 24% were Gold, Business or Titanium cards. India was the most represented country in the batch, with 20% of cards coming from the country followed by Mexico and the US with 9%. About 4% came from Italy as well. Javvad Malik, security awareness advocate at KnowBe4, told ZDNet that the cards were stolen between 2018 and 2019, making it difficult to determine where the data came from or if it came from multiple sources. Carding has become a lucrative avenue for cybercriminals, explained PerimeterX senior director Uriel Maimon. Attackers use bots to test lists of recently stolen credit card and debit card details on merchant sites. The carders then use the proven credit card details to directly retrieve funds from associated accounts or to purchase gift cards which can easily be converted into high-value goods, such as cell phones, televisions and computers, Maimon explained. “These goods are then resold — often via ecommerce sites offering a degree of anonymity — for a profit. As these cards were stolen between 2018-2019, it stands to reason that most are no longer valid, especially if they’re publicly dumped and multiple actors will jump on them at the same time.” In December 2020, the FBI and Interpol seized four domains operated by Joker’s Stash, the internet’s largest marketplace for buying and selling stolen card data.
The site announced it was officially shutting down in February. BleepingComputer noted that cybersecurity company Cyble imported the stolen data into their AmIBreached service, so people can check if their credit card information was involved.