More stories

  • These new vulnerabilities put millions of IoT devices at risk, so patch now

    Security vulnerabilities in millions of Internet of Things (IoT) devices could allow cyber criminals to knock devices offline or take control of them remotely, in attacks that could be exploited to gain wider access to affected networks. The nine vulnerabilities affecting four TCP/IP stacks – communications protocols commonly used in IoT devices – relate to Domain Name System (DNS) implementations, which can lead to Denial of Service (DoS) or Remote Code Execution (RCE) by attackers. Over 100 million consumer, enterprise and industrial IoT devices are potentially affected.


    Uncovered and detailed by cybersecurity researchers at Forescout and JSOF, the vulnerabilities have been dubbed Name:Wreck after the way the parsing of domain names can break DNS implementations in TCP/IP stacks, leading to potential attacks.

    The report follows Forescout’s previous research into vulnerabilities in Internet of Things devices and forms part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them. Vulnerabilities were uncovered in popular stacks including Nucleus NET, FreeBSD and NetX. While security patches are now available to fix the vulnerabilities, applying security updates to IoT devices can be difficult – if it’s even possible at all – meaning that many could remain vulnerable, potentially providing a means for cyber attackers to compromise networks and services.

    “This can be an entry point, a foothold into a network and from there you can decide, basically, what the attack is,” Daniel dos Santos, research manager at Forescout research labs, told ZDNet.

    “One of the things that you can do is just basically take devices offline by sending malicious packets that crash the device. Another thing is when you’re able to actually execute code on the device, that opens up the possibility of persistence on the network or moving laterally in the network to other kinds of our targets,” he explained.

    According to the report, organisations in healthcare could be among the most affected by the security flaws in the stacks, potentially enabling attackers to access medical devices and obtain private healthcare data, or even take devices offline to prevent patient care. The vulnerabilities could also help cyber attackers gain access to enterprise networks and steal sensitive information, and may have the potential to impact industrial environments by enabling attackers to tamper with — or disable — operational technology. It’s, therefore, recommended that organisations apply the necessary security patches as soon as possible to help protect their networks.

    “Complete protection against Name:Wreck requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP Stacks,” said dos Santos.

    In some cases, it might not even be possible to apply patches to IoT devices. In these instances, there are additional steps organisations can take to help protect networks against exploitation.

    “Besides patching, which of course is the thing that everybody should try to do, there are other things that can be done, like segmentation and monitoring network traffic,” said dos Santos.

    It’s hoped that developers of TCP/IP stacks take heed of all of the Project Memoria reports in order to help build better security into devices and prevent similar security vulnerabilities being uncovered in future.

    “There is much work left to be done to understand the real dangers behind the foundations of IT/OT/IoT connectivity, and the more parties we can get involved in finding vulnerabilities, fixing them and providing higher-level solutions, the faster we can transition to a more secure world,” the research paper concludes.
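The Name:Wreck report concerns the code that walks the labels of a domain name inside a DNS message; in the DNS wire format that walk also has to follow compression pointers, which is where a stack can read out of bounds or loop forever. The following Python parser is an added illustration, not code from the Forescout/JSOF report or from any of the stacks named above, of the checks a defensive name parser needs: every read is bounds-checked against the message length, label and name sizes are capped at the protocol limits (63 and 255 bytes), pointers may only refer backwards, and the number of pointer hops is capped so a looping pointer cannot hang the device. The sample messages are constructed here for the demonstration.

```python
MAX_LABEL_LEN = 63        # RFC 1035 label limit
MAX_NAME_LEN = 255        # RFC 1035 name limit
MAX_POINTER_HOPS = 16     # assumption: any legitimate name needs far fewer


class DnsParseError(ValueError):
    """Raised for any malformed name; the caller drops the packet."""


def read_name(msg: bytes, offset: int):
    """Decode the DNS name starting at `offset` in `msg`.

    Returns (name, next_offset), where next_offset is the position just after
    the name in the original byte sequence (i.e. after the first pointer, if
    one was followed). Raises DnsParseError instead of reading out of bounds.
    """
    labels = []
    total_len = 0
    hops = 0
    pos = offset
    end_after_name = None  # remembered when the first pointer is followed

    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            # Compression pointer: two bytes, 14-bit offset into the message.
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise DnsParseError("pointer does not refer backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                # Backward pointers can still form a cycle via later labels,
                # so the hop cap is what guarantees termination.
                raise DnsParseError("too many pointer hops")
            if end_after_name is None:
                end_after_name = pos + 2
            pos = target
            continue
        if length & 0xC0:
            raise DnsParseError("reserved label type")
        if length == 0:
            pos += 1
            break
        if length > MAX_LABEL_LEN:
            raise DnsParseError("label longer than 63 bytes")
        if pos + 1 + length > len(msg):
            raise DnsParseError("label runs past end of message")
        total_len += length + 1
        if total_len > MAX_NAME_LEN:
            raise DnsParseError("name longer than 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

    if end_after_name is None:
        end_after_name = pos
    return ".".join(labels), end_after_name


def try_read_name(msg: bytes, offset: int):
    """Non-raising wrapper: (name, next_offset) or (None, reason)."""
    try:
        return read_name(msg, offset)
    except DnsParseError as exc:
        return None, str(exc)


# Constructed sample: a zeroed 12-byte header, the question "www.example.com"
# (QTYPE A, QCLASS IN), then a name that is just a pointer back to offset 12.
SAMPLE_MSG = (bytes(12) + b"\x03www\x07example\x03com\x00"
              + b"\x00\x01\x00\x01" + b"\xC0\x0C")
# Constructed malformed inputs of the kind a robust parser must reject.
LOOPING_MSG = bytes(12) + b"\x03www\xC0\x0C"   # label, then pointer back to itself
TRUNCATED_MSG = bytes(12) + b"\x07exam"        # label length exceeds the data
FORWARD_MSG = bytes(12) + b"\xC0\x20"          # pointer past the current position

if __name__ == "__main__":
    print(read_name(SAMPLE_MSG, 12))   # ('www.example.com', 29)
    print(read_name(SAMPLE_MSG, 33))   # ('www.example.com', 35) via the pointer
    for bad in (LOOPING_MSG, TRUNCATED_MSG, FORWARD_MSG):
        print("rejected:", try_read_name(bad, 12)[1])
```

The same four checks (bounds, label length, name length, bounded pointer traversal) apply in the C of an embedded stack; the difference is that in C a missing check is a memory read past the buffer rather than an exception, which is exactly the DoS or RCE outcome the report describes.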

  • Billions of smartphone owners will soon be authorising payments using facial recognition

    Facial recognition will increasingly be deployed to verify the identity of a user making a payment with their handset. The next few years will see billions of users regularly using facial recognition technology to secure payments made through their smartphones, tablets or smartwatches, according to new analysis carried out by Juniper Research.

    Smartphone owners are already used to staring at their screens to safely unlock their devices without having to dial in a secret code; now, facial recognition will increasingly be deployed to verify the identity of a user making a payment with their handset, whether that’s via an app or directly in-store, in wallet mode.


    In addition to facial features, Juniper Research’s analysts predict that a host of biometrics will be used to authenticate mobile payments, including fingerprint, iris and voice recognition. Biometric capabilities will reach 95% of smartphones globally by 2025, according to the researchers; by that time, users’ biological characteristics will be authenticating over $3 trillion-worth of payment transactions — up from $404 billion in 2020.

    Mobile devices are increasingly used to replace credit cards, enabling users to leave their wallets at home even when visiting a shop, but also offering myriad new opportunities to make purchases online. From Instagram shopping to the Google Play store, the e-commerce ecosystem is growing rapidly — and at the same time, it’s opening many new avenues for fraudsters to exploit new vulnerabilities. Using rogue apps, malevolent actors can trick users into letting them handle financial payments, for example, while synthetic data and deepfakes can be used to commit synthetic identity payment fraud. This is why it’s vital to ensure that when a payment is made, the user spending money is who they say they are.

    That’s why biometrics are becoming critical to improving the security of mobile payments, with facial recognition, in particular, set to grow in popularity. But not all technologies are created equal: Juniper’s analysts effectively draw a line between software-based and hardware-based facial recognition tools.

    “All you need for software-based facial recognition is a front-facing camera on the device and accompanying software,” Nick Maynard, lead analyst at Juniper Research, tells ZDNet. “In a hardware-based system, there will be additional hardware layers that add additional security levels. It’s increasingly important to differentiate because hardware-based systems are the more secure of the two.”

    The leading example of hardware-based facial recognition technology is Apple’s Face ID, which can be used to authorize purchases from the iTunes Store, App Store and Apple Books, and to make payments with Apple Pay. Face ID is enabled by a camera system called TrueDepth, which is built by Apple, and which analyzes over 30,000 dots on users’ face to create a biometric map that’s coupled with an infrared shot and compared to the facial data previously enrolled by the user. The technology is precise enough to identify spoofing — for example, by distinguishing a real person from a 2D photograph or a mask.

    Driven by Apple’s technology, a growing number of vendors are now working to incorporate hardware-based facial recognition technology in their devices. Maynard’s research shows that between now and 2025, the number of handsets using hardware-based systems will grow by a dramatic 376% to reach 17% of smartphones.

    “Hardware-based systems obviously have additional costs per device,” says Maynard, “but the reason it is growing well is really that Apple has been driving it forward. They’ve made the technology a part of their high-end devices, and shown that hardware-based facial recognition technology can be done and can be very secure.”

    But despite the seeming popularity of hardware-based systems, Juniper’s researchers found that many vendors will first be opting for a software-based alternative. This will be the case of many Android phones, for example, where less control over the hardware can be exercised, making it tempting to deploy a technology that’s purely software-based. To implement a software-based facial recognition system, all vendors need is the correct software development kit (SDK) installed on the device, as well as a decent-quality front-facing camera.

    With such low barriers to entry, Juniper expects the number of smartphone owners using the technology to secure payments to grow by 120% to 2025, to reach 1.4 billion devices — that is, roughly 27% of smartphones globally. As fraudsters refine their techniques and attacks become more sophisticated, Maynard expects hardware-based technologies to close the gap. Smartphone vendors will be deploying facial recognition on a software basis to start with, the analyst explains, before upgrading to hardware-based methods once they see how popular the technology is.

    “Fraudsters are always trying to evolve their tactics and develop new methods of fooling whatever security measures are in place,” says Maynard. “They experiment with photos, 3D-printed masks – you name it, it’s been tried. It’s essentially an arms race between fraudsters and security providers.”

    “Software-based facial recognition is strong because it’s very easy to deploy,” Maynard continues, “but we are expecting a shift towards hardware-based systems as software becomes invalidated by fraudster approaches. Fraudster methods are always evolving, and the hardware needs to evolve with it.”

    Juniper’s research, in effect, recommends that vendors implement the strongest possible authentication tools, or risk losing the trust of users as spoofing attempts increase. This could take the form of a technology that encompasses several biometric features to secure payments, such as facial recognition, fingerprints, voice and behavioral indicators. The Juniper researchers expect that fingerprint sensors will feature on 93% of biometrically-equipped smartphones by 2025, and that voice recognition will grow to over 704 million users in the same period.

    That’s not to say that even state-of-the-art biometric technologies come without flaws. “The pandemic has shown that facial recognition doesn’t really work with face masks,” says Maynard. “I wear glasses — it’s even less useful because your glasses steam up and then the technology has no idea what it’s looking at.

    “A lot of Apple Pay users have resorted to passcodes during the past few months, and that is problematic. So, we’ll also see more work on what vendors can do to improve the accuracy of the technology.”

  • PayPal rolls out new fraud management tools for merchants

    PayPal is launching a new suite of fraud management features for mid-market and enterprise businesses that aims to help combat the rise in online payments fraud brought on by the pandemic.

    The COVID-19 pandemic spurred unprecedented growth in online spending in 2020, with e-commerce penetration reaching an all-time high of 21.3% — the highest year-over-year jump for US retail sales ever recorded, according to estimates. But the spike in e-commerce and digital payments also led to an increase in online scams, sophisticated attempts at fraud by malicious actors and new operating risks for online businesses.

    According to PayPal, its new Fraud Protection Advanced service uses device fingerprinting, machine learning and analytics to help businesses identify, investigate, resolve and mitigate fraudulent transactions. The technology allows for real-time data modeling to help businesses spot shifting fraud patterns, and enables high fraud decisioning performance that can lead to lower chargebacks and false declines. Additional improvements include the ability to customize filters and fields in an effort to reduce a merchant’s exposure to fraud and help them differentiate between legitimate and non-legitimate transactions. Overall, PayPal is pitching the improved service as a way for merchants to increase their authorization and conversion rates.

    “Fraud Protection Advanced builds on our existing Fraud Protection solution and is part of our larger suite of offerings for merchants in the PayPal Commerce Platform that help them to manage risk and payments,” PayPal wrote in a blog post. “As we build on these solutions, we will continue our commitment to democratizing access to critical tools and resources for all merchants that help better protect their businesses.”

  • Critical security alert: If you haven't patched this old VPN vulnerability, assume your network is compromised

    Cyber criminals and nation-state cyber-espionage operations are actively scanning for unpatched vulnerabilities in Fortinet VPNs; organisations that use Fortigate firewalls on their network, and have yet to apply a critical security update released almost two years ago, should assume they’ve been compromised and act accordingly. The alert from the National Cyber Security Centre (NCSC) follows a report by Kaspersky detailing how cyber criminals are exploiting a Fortinet VPN vulnerability (CVE-2018-13379) to distribute ransomware by exploiting unpatched systems and remotely accessing usernames and passwords, allowing them to manually undertake activity on the network.

    The NCSC – along with CISA and the FBI – has also warned that Advanced Persistent Threat (APT) nation-state hacking groups are still actively scanning for unpatched CVE-2018-13379 vulnerabilities as a means of gaining access to networks for cyber-espionage campaigns. Fortinet issued a critical security update to counter the security vulnerability after it was discovered in 2019, but almost two years later a significant number of organisations have yet to apply the patch to their enterprise network, leaving them vulnerable to cyberattacks.

    Cyber criminals have published a list of almost 50,000 IP addresses relating to unpatched devices; the NCSC warns that 600 of these are in the UK and that the organisations running them are “at very high risk of exploitation”. In fact, the NCSC has warned that organisations using unpatched Fortinet VPN devices must assume they are now compromised, and should begin incident management procedures. That includes removing the device from service and returning it to factory settings, as well as investigating the network for suspicious or unexpected activity.

    “This recent activity emphasises the importance of NCSC advice to install security updates as soon as is practicable following their release to ensure action is taken before exploitation is observed,” said the alert. The NCSC recommends that all Fortinet VPN users check whether the 2019 updates have been installed, and if they haven’t, to apply them immediately to prevent cyber attackers from exploiting the vulnerability.

    “The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade,” a Fortinet spokesperson told ZDNet. “If customers have not done so, we urge them to immediately implement the upgrade and mitigations,” Fortinet added.


  • Who do I pay to get the 'phone' removed from my iPhone?

    The smartphone is the ultimate convergence device. It takes a number of useful gadgets and combines them into a single, portable device. A smartphone can act as your portable computer, navigation device, camera, music player, and much more.

    It’s also a phone. And the phone is the most useless bit.

    If you’re anything like me, you rarely, if ever, make a call. Instead, you send an email or a quick message. And as for calls you get in, a good 95 percent are junk, and the remainder could have been an email or a quick message.

    Calls are a wasteland. Pretty much every time I hit that green button on a call from someone who isn’t in my contacts, I end up regretting it. And folks on my contacts list know not to call me.

    A quick look through my calls list for the past year shows little more than scams, timewasters, nonsense, and garbage. Perhaps one percent was useful, but again, could have been a message.

    The phone is a device from a different era. It’s a device that emits an annoying noise, demanding immediate attention. While the device itself has changed, it retains the worst of its original qualities — a device that emits an annoying noise and demands immediate attention.

    You could argue that text messages and emails are the same, and you’d be right. The difference is that these technologies have evolved a bit in order to try to remain relevant and useful. That said, I’d happily ditch text messaging too, because the signal to noise ratio is very poor there too.

    Maybe something could be done to make calls and texts a bit better. Visual voicemail on the iPhone has made this feature a tiny bit more bearable. Maybe something along the lines of Sign in with Apple ID, where I have the option of hiding my true phone number and use disposable ones that I can manage — and by manage, I mean block — down the line.

    Now, I’m not suggesting that Apple and Google rip the phone part out of their smartphones. Some of you still use the phone and text messaging. What I’m asking for is a way to kill both of them. I don’t know about you folks, but I could live without them. I’d even pay to have a smartphone that does everything a smartphone should do except be a phone.

    Let me know what you think in the comments below.


  • Ransomware: The internet's biggest security crisis is getting worse. We need a way out

    Organisations continue to fall victim to ransomware, and yet progress on tackling these attacks, which now constitute one of the biggest security problems on the internet, remains slow. From small companies to councils, government agencies and big business, the number and range of organisations hit by ransomware is rising. One recent example: schools with 36,000 students have been hit, leaving pupils without access to email as attempts were made to get systems back online. That’s at least four chains of schools attacked in the last month.

    Ransomware gangs are getting craftier, and nastier, in their relentless pursuit of profit. It’s not enough to break into computer systems and encrypt the data to render it useless. Now the crooks are stealing some of the data and threatening to reveal it. And it’s not just data such as customer records: the cyber criminals will look for anything that might be sensitive or embarrassing on the network, and use the threat of publishing it as leverage against victims. And in many cases it seems to work.

    So what can be done to stop these attacks? Organisations of all sizes need to understand the ransomware threat, and figure out how to improve their own security – even getting the basics right can go a long way towards deterring attacks. The software industry also needs to do a better job of building secure software. Is this going to happen? That’s unlikely, as there’s just too much pressure to ship software fast and generate profit. The multiple ways companies can customise and integrate software also means that even if it ships as perfectly secure, security holes will emerge as soon as it’s used in the real world. Worse, ransomware groups are adept at seizing on newly discovered flaws and utilising them as part of their attacks, with the ransom money providing funds to sustain longer and more complicated attacks. In the longer term, the general shift to cloud computing, which has so far proved more secure, might help.

    Tackling the perpetrators themselves is the next challenge, although here geography plays a big role. Many of these groups are located in Russia, which means that law enforcement has found it hard to pursue cases. It may be possible to disrupt the efforts of these groups in other ways: police have had some success in disrupting botnets and other online crime rings, so perhaps something similar is possible here, even if this disruption tends to be only temporary. Here again, there’s little chance of improvement in the short to medium term, unless there’s a significant thawing of international relations.

    To pay or not to pay?

    One of the trickiest decisions concerns ransom payment. It’s understandable that a company may feel it has no choice but to pay up to regain access to its data, given that the alternative is to go out of business. But every ransom paid rewards the cyber criminals and sends a signal to others that there’s profit to be made.

    Making it illegal for companies to pay ransoms seems like a very big step to take. But this is increasingly being mentioned. A recent report from defence think tank RUSI (Royal United Services Institute) notes that “policymakers should carefully examine the feasibility and suitability of making ransom payment illegal in the UK, which could lead in turn to a ‘protective’ effect resulting from the discouragement of ransomware attacks against UK targets.”

    It’s a decision that could have some painful consequences. News of the change would take a while to filter through, so if any country were to ban ransom payment there would, at the very least, be a short to medium term situation where companies were still getting hit with ransomware. Ransomware gangs are opportunists and may not realise that a company is based in the UK, and may encrypt the systems anyway. They’re unlikely to hand over the decryption key just because the victim can’t pay up.

    If companies can’t pay ransoms and don’t have any other way to restore their data, they will face huge costs and disruption – potentially enough to put them out of business. Even organisations with backups and the required technical know-how will be forced to spend time and money restoring their systems. That could put them at a significant disadvantage compared to ransomware victims based elsewhere.

    Ransomware gangs are certainly capable of avoiding certain territories when planning attacks (they tend to avoid Russia for example), so, in the longer term, a ban on paying ransoms may have the desired impact by making UK organisations less profitable targets. Still, there’s no sign that the government is currently planning on going down this route. But as the cost of ransomware attacks continues to rise, we need to find a way to counter them – and soon.

    ZDNET’S MONDAY MORNING OPENER

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

  • Nation-state cyber attacks targeting businesses are on the rise

    Businesses are increasingly coming under fire from nation-state backed hackers as governments around the world engage in attacks to steal secrets or lay the foundations for future attacks.

    Nation States, Cyberconflict and the Web of Profit, a study by cybersecurity researchers at HP and criminologists at the University of Surrey, warns that the number of significant nation-state attacks has risen significantly over the last three years – and that enterprises and businesses are increasingly being targeted. An analysis of nation-state cyber attacks between 2017 and 2020 reveals that just over a third of organisations targeted were businesses: cyber defence, media, government and critical infrastructure are all also common targets in these attacks, but enterprise has risen to the top of the list.

    “Irrespective of sector or size, business appears now to face comparable risks from nation states as it has done from traditional cybercriminals,” said the research paper.

    The main aim of these attacks is obtaining intellectual property or business intelligence, with technology firms and pharmaceutical companies at particular risk. The events of the last year have increased the risks because not only have nation states been conducting campaigns in an effort to gain access to research on Covid-19 vaccines, the way in which many people are working from home has left them – and their employers – at additional risk from phishing and other attacks.

    “Nation states are devoting significant time and resources to achieving strategic cyber advantage to advance their national interests, intelligence gathering capabilities, and military strength through espionage, disruption and theft,” said Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey. “Attempts to obtain IP data on vaccines and attacks against software supply chains demonstrate the lengths to which nation states are prepared to go to achieve their strategic goals.”

    Hackers are also willing to use techniques that could put many companies at risk in order to target a few.

    “There’s now a willingness to compromise thousands of networks and businesses, creating huge collateral damage, when in reality the true targets of those cyberattacks will have been much smaller,” said Ian Pratt, global head of security for personal systems at HP Inc.

    In order to protect networks against cyber attacks, the report recommends that organisations do everything possible to secure endpoints and to segment networks, so sensitive information isn’t stored in easy-to-reach areas if an attacker manages to gain entry to the network. It’s also recommended that organisations apply security patches in a timely manner, so they’re protected against known vulnerabilities when they emerge.

    “As the scope and sophistication of nation state attacks continues to increase, it’s vital that organizations invest in security that helps them to stay ahead of these constantly evolving threats,” said Pratt.

  • These are the terrible passwords that people are still using. Here's how to do better

    People are using easy-to-guess passwords, including their pet’s name, family members’ names, significant dates, their favourite sports team – or even ‘Password’ – and that could be putting them at risk of their accounts being compromised by cyber criminals. Research by the National Cyber Security Centre (NCSC) suggests that 15% of people have used their pet’s name as their password at some point, while 14% have used the name of a family member.

    A further 13% have used a significant date, such as a birthday or anniversary, while 6% have used the sports team they support as their password. While these passwords are easy for people to remember, they could be putting accounts at risk of being broken into by criminals. Attackers could scrape information from public social media posts that could provide hints to things like pet names, and then attempt to use this information to breach accounts. They could also use a brute force attack tool to crack, with relative ease, accounts that use simple one-word passwords. The use of default credentials like ‘password’ also provides cyber criminals with an easy method of breaching accounts. By using a weak password, people could be putting personal information or financial details at risk – especially if that same password is used across multiple accounts.

    They could even potentially put their employer at risk from cyberattacks, if the stolen password is also used to secure corporate accounts and cyber criminals attempt to see if the password they’ve taken from a personal account works. The NCSC is, therefore, urging people to follow their advice and make passwords three random words to help secure their accounts. The idea is that three words are relatively easy to remember, but by making them random, it’ll stop cyber criminals from being able to guess their way into accounts, even with the aid of brute force tools. “We may be a nation of animal lovers, but using your pet’s name as a password could make you an easy target for callous cyber criminals,” said Nicola Hudson, NCSC director for policy and communications. “I would urge everybody to visit cyberaware.gov.uk and follow our guidance on setting secure passwords, which recommends using passwords made up of three random words.”

    The NCSC also recommends that users make sure their email password is separate from any other password they have, because if an attacker does steal your email user name and password, it could provide them access to other sites that use your email address as the login name. In addition to this, the NCSC suggests that users should save passwords to their web browser. Not only does this allow users to easily log in to websites, it also helps protect them against some cybercrime – for example, the browser’s password manager won’t offer the saved password on a fake copy of the website designed to steal credentials, because the address doesn’t match. It’s also recommended that users should turn on two-factor authentication to provide an additional barrier to attacks.
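The two recommendations above, three random words and a unique password for the email account, can both be checked in code. The following Python is an added example, not the NCSC’s guidance tooling or any real password manager: it shows why three words chosen with a cryptographic random source beat a pet name (the entropy arithmetic with the document’s own categories), and a simple audit over a vault export that finds reused passwords and specifically whether the email password is shared. The 16-word list, the list of common choices and the vault are constructed for the demonstration; the 7,776-word figure is the size of a diceware-style list and is an assumption, not a number from the article.

```python
import math
import secrets
from collections import defaultdict

# Constructed 16-word list for the demonstration only. Sixteen words give
# 4 bits per word; a real generator needs a list of several thousand words
# (a 7,776-word diceware-style list gives about 12.9 bits per word).
SAMPLE_WORDS = [
    "coffee", "harbour", "pencil", "violet", "ladder", "thunder", "biscuit",
    "marble", "window", "cactus", "saddle", "lantern", "pepper", "glacier",
    "button", "meadow",
]

# Constructed examples of the categories the NCSC survey names: pet and
# family names, sports teams and the word "password" itself.
COMMON_CHOICES = {"password", "rex", "bella", "max", "charlie", "arsenal", "liverpool"}


def entropy_bits(word_count: int, list_size: int) -> float:
    """Bits of entropy in `word_count` words drawn uniformly from `list_size` words."""
    return word_count * math.log2(list_size)


def expected_guesses(bits: float) -> float:
    """Average guesses needed by someone who knows the scheme: half the keyspace."""
    return 2.0 ** bits / 2


def three_random_words(words=SAMPLE_WORDS, separator: str = "-") -> str:
    """Generate a passphrase in the NCSC 'three random words' style.

    `secrets.choice` draws from the OS CSPRNG; `random.choice` is predictable
    and must not be used for credentials.
    """
    return separator.join(secrets.choice(words) for _ in range(3))


def weak_reasons(password: str) -> list:
    """Reasons a password would be flagged under the advice on this page."""
    reasons = []
    core = password.lower().rstrip("0123456789!?.")  # drop the usual trailing year or '!'
    if core in COMMON_CHOICES:
        reasons.append("pet, family or team name, or the word 'password'")
    if password.isdigit():
        reasons.append("digits only, likely a date")
    if core.isalpha() and len(core) < 12:
        reasons.append("single short word")
    return reasons


def find_reuse(vault: dict) -> list:
    """Group accounts that share a password. `vault` maps account -> password."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


def email_password_shared(vault: dict, email_account: str = "email") -> bool:
    """True if the email account's password is used anywhere else in the vault."""
    return any(email_account in group for group in find_reuse(vault))


if __name__ == "__main__":
    print("three words from a 7,776-word list:", round(entropy_bits(3, 7776), 1), "bits")
    print("one pet name from ~1,000 candidates:", round(entropy_bits(1, 1000), 1), "bits")
    print("sample passphrase:", three_random_words())
    # Constructed vault export: the email password is reused on a shopping site.
    vault = {"email": "Bella2012", "shop": "Bella2012", "bank": "glacier-saddle-window"}
    print("weak:", weak_reasons(vault["email"]))
    print("reused:", find_reuse(vault), "email shared:", email_password_shared(vault))
```

The entropy figures are the whole argument for the three-words advice: a single pet name drawn from roughly a thousand likely candidates is about 10 bits, so an attacker who knows the habit needs on average about 500 guesses, while three words from a few-thousand-word list is near 39 bits, and appending a year to the pet name (the `Bella2012` pattern) adds far less than people assume because the suffix itself comes from a small set.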
