More stories


    IBM FlashSystem gets safeguarded data copies to speed up cyberattack recovery


    IBM said it is adding tools to its FlashSystem portfolio of all-flash arrays to better recover from ransomware and cyberattacks. It’s no secret that ransomware is a huge scourge for organizations of every kind. To that end, IBM launched IBM Safeguarded Copy for the IBM FlashSystem storage systems. Safeguarded Copy automatically creates data copies that are kept security-isolated within the systems and cannot be accessed. These snapshots are available in the event of a data breach or cyberattack that disrupts operations. In theory, IBM’s approach can help companies and understaffed government groups recover faster.

    Key items about IBM Safeguarded Copy, which is based on technology from IBM’s DS8000 storage portfolio:

    • Storage admins can schedule automatic snapshots.
    • Snapshots are put into safeguarded pools on the storage system. Data in a safeguarded pool is only actionable after it has been recovered.
    • Safeguarded Copy can also be used to extract and restore data to diagnose production issues as well as to validate copies.
    • IBM Safeguarded Copy can be integrated with the IBM Security QRadar platform for security monitoring. QRadar will be able to monitor for attacks and proactively trigger Safeguarded Copy to create backups.

    In addition, IBM said it will launch IBM Storage as a Service for hybrid cloud storage, with availability in North America and Europe in September. Customers will be able to scale up storage capacity with variable pricing. IBM Storage as a Service is part of Big Blue’s Flexible Infrastructure offerings.


    NordVPN deal: Save over 65% on a two-year subscription and get a $10 credit

    With so many people working remotely these days, it’s more important than ever to have a powerful VPN installed on all of their devices, even on their home network. Lucky for you, not only is a 2-year subscription to the bulletproof NordVPN currently available at a 68% discount, but it also comes with a $10 credit off your next store purchase.

    There are plenty of VPNs out there, but they are not all created equal, and very few of them even come close to offering the level of protection that NordVPN provides. You get unrestricted, completely private access to the internet regardless of whether you are on a cellular network, using public WiFi, or anywhere else. All of your data is protected by double encryption and travels through private tunnels, so your identity remains anonymous and all of your most sensitive personal information is securely hidden.

    For maximum security, NordVPN will automatically disconnect you from the internet as soon as it no longer detects a connection to the company’s servers, so not a scrap of your data will ever be revealed. NordVPN maintains the strictest no-logging policy, so you can rest assured that absolutely none of your online activity is recorded anywhere.

    The platform offers almost 5,400 server locations around the world in almost 60 countries. That means you can also anonymously bypass geographical restrictions on content, to watch whatever you like, no matter where you happen to be. Best of all, you do not have to sacrifice speed for security, because your server connections are blazingly fast. So you’ll get instant videos with no buffering.

    There is no doubt whatsoever that NordVPN provides the ultimate protection; the service has gotten unbelievably impressive ratings from a wide range of sources. TechRadar gave it 4.5 out of 5 stars, while CNET, TrustPilot, and PCMag all gave it a perfect rating of 5 out of 5 stars.

    Don’t miss this chance to get two full years of powerful protection while it’s heavily discounted. Get your 2-year subscription to NordVPN and $10 store credit today for just $89, instead of the usual MSRP of $286.



    Google is using machine learning to stop DDoS attacks

    Google Cloud has unveiled a public preview of Cloud Armor’s Adaptive Protection — a machine learning-powered method of detecting and protecting enterprise applications and services from Layer 7 DDoS attacks. It’s the same technology that Google uses to provide Project Shield, a free service from Google parent Alphabet that protects human rights, government and media organizations against DDoS attacks.

    Google in the past has blocked mind-blowingly large DDoS attacks, including one in 2017 that clocked in at 2.56Tbps and is pinned on a Beijing-backed attacker.

    In November, Google unveiled Cloud Armor Adaptive Protection as part of its DDoS defense and web application firewall (WAF) service, which provides customers with the same technology Google uses to protect itself. Adaptive Protection uses machine-learning models to analyze signals across web services to detect potential attacks. It can detect high-volume application-layer DDoS attacks against web apps and services and accelerates mitigation by spotting abnormal traffic.

    The move to a public preview means that all Google Cloud customers can test out its functionality.

    “We have been building and maturing this technology with internal and external design partners and testers over the last few years. All Cloud Armor customers can try it at no extra charge during the preview period,” said Emil Kiner, a product manager for Google’s Cloud Armor.

    Google Cloud also released new preconfigured WAF rules and reference architecture to help customers eliminate OWASP web-app vulnerabilities. “Adaptive Protection quickly identifies and analyzes suspicious traffic patterns and provides customized, narrowly tailored rules that mitigate ongoing attacks in near-real-time,” Kiner explained. He noted that while Layer 3 and Layer 4 attacks can be halted on Google’s edge network, Layer 7 attacks rely on “well-formed” and legitimate web requests.

    These requests are generated automatically from hacked Windows, Mac and Linux devices, which make up a botnet and spew junk traffic in volumes that most websites can’t withstand. “Since attacks can come from millions of individual IPs, manual triage and analysis to generate and enforce blocking rules becomes time and resource-intensive, ultimately allowing high-volume attacks to impact applications,” Google noted.

    The Adaptive Protection service, which is aimed at security operations teams, provides early alerts about anomalous requests based on: how heavily backend services are being used, constantly updated signatures that describe a suspected attack, and recommended custom WAF rules to block the attack traffic.


    Hundreds of touchscreen ticket machines are offline after a ransomware attack

    An apparent ransomware attack has resulted in hundreds of self-service ticket machines across the north of England being taken offline. Customers of Northern, the rail company that serves towns and cities across northern England, are urged to use the mobile app, website or ticket offices while the ticket machines remain disrupted. The attack comes just two months after 600 Northern-operated touchscreen ticket machines were installed at 420 stations across the region. “Last week we experienced technical difficulties with our self-service ticket machines, which meant all have had to be taken offline,” a spokesperson for Northern told ZDNet.


    “This is the subject of an ongoing investigation with our supplier, but indications are that the ticket machine service has been subject to a ransomware cyberattack.”

    It hasn’t been detailed what form of ransomware Northern, which is government run, might have fallen victim to or how cyber criminals may have compromised the network, but the company says that “swift action” taken alongside payment and ticketing systems supplier Flowbird means the incident has only affected the servers that operate the ticket machines. “The issue was first identified through cyber-monitoring systems and our initial investigations indicated that the service may have been subject to a cyberattack,” a Flowbird spokesperson told ZDNet.

    Both Northern and Flowbird say no customer information or payment data has been compromised by the attack. “We are working to restore normal operation to our ticket machines as soon as possible. We are sorry for any inconvenience this incident causes,” said the Northern spokesperson.

    There’s currently no indication as to when the self-service ticket machines will be restored, whether Northern or Flowbird have been contacted by the cyber criminals behind the ransomware attack, or whether a ransom demand has been made. Ransomware attacks, where cyber criminals hack into networks, encrypt data and demand payment in exchange for the decryption key, have been a major cybersecurity problem during 2021. Such is the extent of the issue that world leaders discussed ransomware at last month’s G7 summit.


    HP patches vulnerable driver lurking in printers for 16 years

    HP has patched a severe vulnerability that has been hidden in a printer driver for 16 years. 

    On Tuesday, SentinelLabs published an analysis of the vulnerability, tracked as CVE-2021-3438 and assigned a CVSS score of 8.8. The security issue is described as a “potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.” According to the researchers, some HP, Xerox, and Samsung printer models contained vulnerable driver software, sold worldwide since 2005.

    The driver in question, SSPORT.SYS, is automatically installed and activated, whether the printer model is wireless or cabled. The driver is also loaded automatically by Microsoft’s Windows operating system at PC boot. “This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected,” the researchers say. The vulnerable function in the driver accepts data without validating its size parameter, which could in theory let an attacker overrun the driver’s buffer.

    Local attackers could escalate their privileges to a SYSTEM account and run code in kernel mode in order to perform actions including tampering with a target machine. However, SentinelLabs says it did not invest the time to find a way to weaponize the bug on its own, and a successful exploit may need a chain of vulnerabilities.

    SentinelLabs researcher Kasif Dekel reported the vulnerability to HP on February 18. The vendor issued a patch to resolve the security flaw on May 19. No exploits in the wild have been detected. In a security advisory, HP said impacted models include the HP LaserJet, Samsung CLP, Samsung MultiXpress, and Samsung Xpress series. The vendor has provided a patch and is asking customers to update their software. To do so, customers can visit the HP software portal, select their printer model, and apply the update. Xerox has provided a separate security advisory (.PDF) naming Xerox B205/B210/B215, Phaser, and WorkCentre models as impacted by the bug.



    Microsoft heads to court to take on imposter, homoglyph domains

    Microsoft has turned to the court system to take down domains designed to impersonate the firm in phishing attacks.

    On Monday, Microsoft’s Digital Crimes Unit (DCU) said a judge in the Eastern District of Virginia issued a court order that requires domain registrars to disable websites “used to impersonate Microsoft customers and commit fraud.” The complaint (.PDF), filed to pursue a preliminary injunction and restraining order, has been issued against “John Does,” the terminology used for anonymous or unknown parties facing legal action. According to the DCU, Microsoft filed the case to try and clamp down on imposter domains, also known as homoglyph-based web addresses.

    In homoglyph attacks, fraudsters use similar-looking words, phrases, letters, numbers, or symbols to masquerade as a legitimate organization, whether this is Microsoft, Google, Facebook, PayPal, or another well-known brand. Attackers may send phishing emails, SMS messages, or social media notes containing links to an imposter domain that asks for account credentials or which may deploy exploit kits. If visitors fail to notice the small differences in a domain that reveal it is not a trusted source, they may be more likely to become a victim.

    When it comes to Microsoft, homoglyph domain examples include switching “o” for a zero — such as “micr0soft.com,” or using a lowercase “l” instead of an “i” in “mlcrosoft.com.”

    “We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks,” the company said.

    The court case stemmed from a customer who complained about a Microsoft-related BEC scam, resulting in the discovery of at least 17 imposter domains being used to siphon account credentials. In this case, the attackers leveraged a legitimate email sent from a compromised Office 365 customer account asking a business for advice on processing payments. The group then sent a malicious email containing a link to a homoglyph domain, urging payment to be made as quickly as possible — but, of course, the account details for a “subsidiary account” belonged to the criminals.

    Microsoft says that the attackers behind the BEC scam, who appear to originate from Africa, tend to target small businesses across the US. After using a malicious domain to grab employee credentials, the scam artists may infiltrate networks and then impersonate vendors, other members of staff, or customers to try and dupe the victim company into approving fraudulent payments and fake invoices. Microsoft hopes that the court order will further disrupt the owners of the malicious domains and will prevent them from easily shifting their infrastructure to other third-party services.

    The complaint follows 23 cases brought forward by the Redmond giant since 2010. Other legal actions include complaints against malware operators and state-sponsored hacking groups.
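    The homoglyph substitutions described above (a zero for “o”, a lowercase “l” for “i”) can be caught on the defensive side by comparing a domain’s registrable label against a list of protected brands with an edit distance that treats confusable characters as free swaps. The script below is an added example and is not Microsoft’s or ZDNet’s code; the brand list, the confusable tables and the sample domains are constructed for illustration, and it assumes single-label TLDs such as .com.

```python
import unicodedata

# Brands to protect: the registrable label of each legitimate domain (assumed list).
PROTECTED_BRANDS = ("microsoft", "google", "facebook", "paypal")

# ASCII characters that look interchangeable at a glance; swapping one for the
# other costs nothing in the distance below. Partial list, constructed for the example.
CONFUSABLE_PAIRS = {
    frozenset(p) for p in (("0", "o"), ("1", "l"), ("1", "i"), ("l", "i"),
                           ("3", "e"), ("5", "s"), ("$", "s"), ("@", "a"))
}

# Cyrillic letters that render like Latin ones; mapped before comparison. Partial list.
CYRILLIC_LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                       "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0443": "y"}


def registrable_label(domain: str) -> str:
    """'login.micr0soft.com' -> 'micr0soft'. Assumes a single-label TLD; multi-label
    suffixes such as co.uk would need a public-suffix list."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold(label: str) -> str:
    """Map known Cyrillic lookalikes, then NFKD-normalise so fullwidth and accented
    letters collapse to plain ASCII (any other non-ASCII character is dropped)."""
    mapped = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
    return unicodedata.normalize("NFKD", mapped).encode("ascii", "ignore").decode()


def substitution_cost(a: str, b: str) -> float:
    if a == b or frozenset((a, b)) in CONFUSABLE_PAIRS:
        return 0.0
    return 1.0


def weighted_distance(a: str, b: str) -> float:
    """Levenshtein distance in which confusable swaps are free, so 'micr0s0ft' sits at
    distance 0 from 'microsoft' while an unrelated word stays far away."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [float(i)]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1.0,                        # delete ca
                           cur[j - 1] + 1.0,                     # insert cb
                           prev[j - 1] + substitution_cost(ca, cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, max_distance: float = 1.0):
    """Return (verdict, brand, distance): 'exact' for a brand's own label, 'lookalike'
    when some brand is within max_distance after folding, otherwise 'clean'."""
    label = registrable_label(domain)
    if label in PROTECTED_BRANDS:
        return ("exact", label, 0.0)
    folded = fold(label)
    best = min((weighted_distance(folded, b), b) for b in PROTECTED_BRANDS)
    if best[0] <= max_distance:
        return ("lookalike", best[1], best[0])
    return ("clean", None, best[0])


if __name__ == "__main__":
    # Constructed sample domains, including the two forms named in the article.
    for d in ("micr0soft.com", "mlcrosoft.com", "micr\u043esoft.com",
              "login.paypa1.com", "microsoft.com", "example.com"):
        print(d, classify(d))
```

    A distance of exactly 0 means the label differs from the brand only by confusable characters; a distance of 1 covers a single genuine typo-squat edit as well.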


    Cybersecurity company warns of American Rescue Plan Act scams as first IRS child tax credit payments released

    Cybercriminals are taking advantage of the latest round of IRS payments being sent out to families across the US by launching dozens of credential harvesting sites masquerading as American Rescue Plan Act signup sites, according to a new report from DomainTools.

    Last week, the IRS began sending out the first round of child tax credit payments that were part of the larger American Rescue Plan Act passed earlier this year. The payments will be sent automatically by the IRS and require no sign-up. But cybercriminals have created a maze of associated websites all aiming to trick people into entering their personal information by pretending to be associated with the child tax credit payments, DomainTools’ Chad Anderson explained.

    Anderson said that by analyzing historical WHOIS information and using OSINT techniques, the cybersecurity company was able to tie this specific credential harvesting scam to GoldenWaves Innovations, a web development firm based in Nigeria. ZDNet called and emailed GoldenWaves for comment but received no response.

    The fake sites look exactly like government websites, explain the payments in detail and ask users to “apply now.” One site, with the name “reliefcarefunds[.]com,” asks for names, addresses, social security numbers, photos of driver’s licenses and even your mother’s maiden name.

    (Image: The credential harvesting sites are meant to look exactly like government websites. Source: DomainTools)

    That site was connected to “americaforgivenrelieffund[.]com” and both were registered and hosted through NameCheap. DomainTools was able to tie those two sites and 39 other domains to an email address: goldenwaves247@gmail[.]com.

    Anderson said researchers found that many of the links associated with the email were also being sent out as Bitly shortened links, which allowed the people behind the scam to name the link “Unemployment Insurance Relief During COVID-19 Outbreak | American Rescue Plan Act.”

    These links brought the researchers to other sites that were hosted on Garanntor and OVH, providing them with even more information about the creator and tying all of the sites to an email address registered in Ibadan, Nigeria. “The city of Ibadan is a small, rural town which makes the registration information stand out as almost always technical contacts for Nigerian domains are located in Lagos, the capital city and technology center,” Anderson wrote. “Additional searches reveal the same username participating in sales on cybercrime forums, Steam gaming, and other social media sites.”

    Anderson added that it is with “medium confidence” that DomainTools’ researchers believe GoldenWaves Innovations — which is also registered in Ibadan — was a “legitimate web design firm in front of the identity document harvesting sites.” GoldenWaves Innovations has a working website with a CEO who has a full profile on LinkedIn.

    “Additionally, the historical WHOIS record unearths an address in New York, New York of 120 E 87th Street. This is an apartment building with condos ranging from $900,000 to $13,000,000 in the heart of Manhattan. While at first that seems strange for a company based in Nigeria, we can see from LinkedIn that one of the company’s developers claims to live in New York City,” Anderson said. “Looking at the CEO’s current contact information on LinkedIn we can see that GoldenWaves Innovations has a new website in goldenwaves[.]com[.]ng which is also tied to the same email address and registration information. This gives DomainTools researchers high confidence that all of these credential harvesting sites are linked to GoldenWaves Innovations in Nigeria. These sites along with any new ones that have cropped up were reported to Google Safe Browsing for blocking.”

    Anderson included a list of the domain names being used in the scam and told ZDNet that US law enforcement was informed about the sites. When asked why a seemingly legitimate business would tie itself to credential harvesting sites, Anderson said “it’s certainly sloppy” but added that this proved the usefulness of historical WHOIS data.

    Other cybersecurity experts, like Digital Shadows cyber threat intelligence analyst Stefano De Blasi, said that along with extracting credentials, impersonating domains are frequently leveraged to extract financial information, deploy malware on a victim’s machine, and distribute disinformation content.

    “Additionally, users may be tricked into opening these malicious pages via spear-phishing emails or SMS, as well as being redirected there from other illegitimate websites. In both cases, if an attacker knows enough of social engineering techniques to pressure a victim into opening the URL and inserting their credentials,” De Blasi told ZDNet. “Social engineering attacks remain a predominant initial attack vector for threat actors, thus certifying that they keep working on many people despite its rather simplistic approach. Registering these domains is a trivial task for most attackers, thanks to prepared phishing kits and tutorials that attackers can easily find in cybercriminal forums. However, when registering hundreds of malicious domains, a careless attacker may well leave some crucial pieces of evidence behind that can then be gathered and analyzed by security researchers to assess attribution.”


    Rapid7 buys outside-the-perimeter security firm IntSights for $335 million

    Security automation technology firm Rapid7 this afternoon announced it will spend $335 million in cash and stock to buy New York-based, privately held IntSights to add “outside the wire” capabilities. In a press release announcing the deal, Rapid7 cited the phenomenon of digital transformation as having “exponentially” expanded the “perimeter” of networks. Rapid7 said it “will combine its community-infused threat intelligence and deep understanding of customer environments with IntSights’ external threat intelligence capabilities.”

    IntSights, known formally as IntSights CyberIntelligence, was founded in 2015 by veterans of Israel’s military intelligence units. The company has received $71 million in venture capital funding from parties including Glilot Capital Investments, Blackstone Private Equity, and Blumberg Capital. The company advertises its threat intelligence platform as detecting attacks before they reach the perimeter of a customer’s network. “Listen in on dark web chatter for up-to-the-minute details on what’s coming next for your organization,” is among the features touted by IntSights.

    Rapid7 was founded in 2000 and is based in Boston, Mass. In the same release, Rapid7 said its revenue and net income for the second quarter will come in higher than previously forecast. It also said its annualized recurring revenue rose 29%, year over year, to $489 million.

    Rapid7 expects to report full results on August 4th. 
