More stories

    Uber, Lyft to share data on drivers banned for sexual, physical assault

    Uber and Lyft will share information on drivers who have been banned from their platforms for reasons including sexual and physical assault.

    The Industry Sharing Safety Program, announced on Thursday, will be managed by workforce solutions provider HireRight. 
    At present, a driver banned from one of the firms’ platforms for a “serious” safety incident could theoretically move to the other and resume work, either transporting passengers or making deliveries.
    The new US program is intended to stop such moves from going under the radar.
    According to Tony West, senior VP and chief legal officer at Uber, “safety should never be proprietary.”
    “Tackling these tough safety issues is bigger than any one of us and this new Industry Sharing Safety Program demonstrates the value of working collaboratively with experts, advocates, and others to make a meaningful difference,” West commented. 
    The platform will allow both Uber and Lyft to exchange data on drivers ‘deactivated’ for sexual assault, misconduct, and “physical assault fatalities.” HireRight will collect and manage driver data.

    Uber and Lyft say the platform “incorporates learnings from anti-sexual violence advocates over the past several years and prioritizes safety, privacy, and fairness for both drivers and survivors.”
    The program will be opened to similar transport and delivery companies in the United States. 
    In other Uber news, in February, a UK court ruled that Uber drivers in the UK could not be considered self-employed. The long-running legal battle, in which Uber argued its drivers were contractors and, therefore, not entitled to certain employment protections or a minimum wage, was lost when the Supreme Court disagreed.
    For drivers, this means that they may be entitled to back pay and compensation. For Uber, this means the company’s entire business model — based on gig-economy workers — needs to be revised, at least in the UK. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    The future of data privacy: confidential computing, quantum safe cryptography take center stage

    Confidential computing, quantum safe cryptography, and fully homomorphic encryption are set to change the future of data privacy as they make their way from a hypothesis to viable commercial applications. 

    On Thursday, IBM Research hosted an online program exploring each of these technologies and how they could change the way we securely manage, encrypt, store, and transfer information — with each solving a different challenge posed by future data privacy concerns.
    Confidential computing
    IBM has been working on confidential computing for roughly a decade. The concept behind the technology is to permit clients to retain full privacy and control over data and operational workloads through hardware-level security. 
    This can include the implementation of “secure enclaves” — trusted execution environments — which can manage data and are only accessible through authorized programming code, keeping information away not only from cloud or infrastructure providers but also external threat actors. 
    IBM likens the technology to a hotel room safe, in which keycards are required to access the room, but further authorization is required to open the lock to the safe. 
    According to Hillery Hunter, VP and CTO at IBM Cloud, initial commercial applications of this technology are already embedded in financial services, telecoms, and healthcare offerings. Clients include Daimler and Apple for the CareKit SDK. 
    In November, IBM and AMD announced a collaborative partnership to work on confidential computing and hybrid cloud deployments. 

    Google Cloud, too, is investigating the technologies through virtual machines (VMs) which utilize confidential computing principles to secure data both at rest and in transit, and Intel’s third-generation Xeon Ice Lake chips have been developed in order to handle the processor demands of confidential computing. 
    Quantum safe cryptography & standardization
    Quantum safe cryptography aims to tackle the problems that will arrive with the day we have a working quantum machine. 
    While quantum computing is being actively worked on by engineers worldwide, with Honeywell, for example, ramping up the capacity of its own System Model H1 to a quantum volume of 512, it is estimated that a full-capacity quantum computer could exist within the next 10 to 15 years. 
    When that day arrives, however, the high computational power of these machines would render “virtually all electronic communication insecure,” according to IBM, because quantum computers are able to factor large numbers efficiently — and the difficulty of factoring is a core precept of today’s public-key cryptography.
    To resolve this, standards based on lattice cryptography have been proposed. This hides data in complex algebraic structures and is considered to be an attractive option for future-proofing data privacy architectures. 
    According to IBM cryptographer Vadim Lyubashevsky, adopting lattice frameworks is unlikely to impact end-users — and may actually improve computational performance. 
    But why bother now, when full quantum machines do not exist? According to mathematician Dustin Moody from the National Institute of Standards and Technology (NIST), the enterprise should look at adopting lattice-based, “quantum safe” cryptography as soon as it is commercially viable to do so.
    Moody says that large-scale quantum computers could be used in attacks able to break cryptography used today — and so, all an attacker needs to do is harvest information now and store it for decryption in the future. 
    “It’s important to make sure we can counter this threat now,” Moody added. “There will be a transition with these algorithms, and it won’t necessarily be easy. We are trying to prepare as much as we can and encourage others to do so.”
    To this end, NIST has launched the post-quantum cryptography project (PQC), which has elicited proposed algorithms for post-quantum encryption. At present, seven applications are under review and a standard is expected to be selected between 2022 and 2023. 
    Fully homomorphic encryption 
    Fully homomorphic encryption (FHE) is sought after as a “Holy Grail” of encryption. FHE is a form of encryption that allows information to remain encrypted during computation and processing, regardless of the infrastructure or cloud technologies managing the data. 
    For example, data could be transferred between different parties and the cloud, analyzed, and sent back without ever being viewed or being made available in plaintext. 
    FHE utilizes different mathematical algorithms from the encryption we use today and has been in development over the past decade.
    While FHE could be transformational in the data privacy arena, the issue is the vast processing power and time required to compute on encrypted data — especially when it comes to the large datasets used by the enterprise or in research.
    Scientists are working on ways to improve the efficiency of FHE algorithms and due to their efforts — as well as the development of hardware able to support FHE — early-stage use cases are now being explored. 
    Enterprise firms are under pressure from increasing data protection regulations and the risk of penalties and fines if data is not adequately protected. At the same time, however, they also need to capitalize on data to create competitive differentiators and improve their operations, as well as to explore new business opportunities. 
    According to Eric Maass, Director of Strategy & Emerging Technology at IBM, the challenge is “extracting the value of the data while preserving its privacy.”
    In December, the firm launched the IBM Security Homomorphic Encryption Services, a platform designed to allow the enterprise to experiment with FHE in tandem with existing IT architecture, products, and data.
    Intel is working with the US Defense Advanced Research Projects Agency (DARPA) on the Data Protection in Virtual Environments (DPRIVE) program, designed to bring down the cost and time of FHE implementations, and companies including Microsoft, Duality Technologies, Galois, and SRI International are also working toward the same goal. 
    Maass believes that highly-regulated industries, such as healthcare or financial organizations, will be “early adopters in this space.”

    Microsoft: Watch out for this new ransomware threat to unpatched Exchange email servers

    Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.
    Microsoft is warning Exchange customers once again to apply the emergency patches it released last week for critical flaws affecting on-premise Exchange email servers. 

    Microsoft urged customers on March 2 to install the patches immediately due to the risk that more cybercriminals and state-backed hackers would exploit the flaws in coming weeks and months. 
    It said existing attacks were being carried out by a Chinese hacking group it calls Hafnium. However, security vendor ESET reported yesterday that at least 10 state-backed hacking groups were now attempting to exploit flaws in unpatched Exchange servers.
    And now cyber criminals are looking to feed off the Exchange bugs. Ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers, according to Microsoft. 
    “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft’s Defender antivirus will detect the new threat.  

    Microsoft added that customers using Microsoft Defender antivirus with automatic updates enabled don’t need to take additional action after patching the Exchange server.
    Microsoft appears to be treating this set of Exchange bugs as an urgent one to fix and last week provided further security updates to address the flaw in unsupported versions of Exchange. 
    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) last week ordered federal agencies to patch the Exchange flaws or cut vulnerable servers off from the internet. 
    CISA further said it is “aware of threat actors using open-source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020.”
    The bugs affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019, but not Exchange Online. 
    The attackers were using the bugs to compromise Exchange servers and deploy web shells to steal data and maintain access to servers after initial compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system.
    Microsoft has released a script on its code-sharing site GitHub that admins can use to check for the presence of web shells on Exchange servers. 
    That script could come in handy when kicking attackers off a previously compromised system. Microsoft security researcher Kevin Beaumont recommended organizations run the script after patching to ensure the web shells are removed. 
    CISA has advised it “is aware of widespread domestic and international exploitation of these vulnerabilities” and urged Exchange admins to run Microsoft’s Test-ProxyLogon.ps1 script. 
    Independent security researchers behind the MalwareHunterTeam account on Twitter say they’ve seen attacks on companies in Canada, Denmark, the United States, Australia, and Austria, with the first victims observed on March 9 — just seven days after Microsoft issued the patch and warned Exchange customers to patch immediately.
    CISA strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.

    Netflix wants to stop you sharing your password

    Netflix is testing out ways to stop account holders from sharing their passwords — and access — with others who don’t own a subscription. 

    The content streaming service, which now accounts for over 203 million subscribers worldwide, has become a heavyweight in the TV and film sector in recent years, and has, perhaps, become even more popular due to stay-at-home orders prompted by the COVID-19 pandemic. 
    However, in the same way as other streaming services — including Disney+, Amazon Prime Video, and Hulu — the company faces the challenge of stopping subscribers from sharing their account credentials. 
    Research conducted by ESET last year found that 60% of respondents share their streaming service account details with at least one other person and one in three share their account with two or more people. 
    Normally, sharing online account details with anyone is not recommended. However, in the content streaming space, it has become accepted and commonplace. 
    As reported by the Washington Post, however, Netflix is exploring ways to stop this practice. 
    When accessing a Netflix account, some users have recently seen pop-up messages saying, “If you don’t live with the owner of this account, you need your own account to keep watching.”

    Users are then asked to verify they have permission to use the account through a code sent via an email or text message.  
    “This test is designed to help ensure that people using Netflix accounts are authorized to do so,” a Netflix spokesperson said. 
    The trial has not been rolled out widely, as of yet, and the test does not mean that the company will impose additional checks in the future. However, password sharing is against Netflix’s terms of service and so the company would be within its rights to do so — but may run the risk of alienating subscribers. 
    At the least, a verification step of this kind may stop unauthorized use in cases where accounts have been compromised or passwords have been shared without permission.

    Microsoft Exchange Server hacks ‘doubling’ every two hours

    Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server, with attack rates doubling every few hours.

    According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 — and attack attempts continue to rise. 
    In the past 24 hours, the team has observed “exploitation attempts on organizations doubling every two to three hours.”
    The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively. 
    Government, military, manufacturing, and then financial services are currently the most targeted industries. 

    Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.
    The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

    Microsoft issued emergency, out-of-band patches to tackle the security flaws — which can be exploited for data theft and server compromise — and has previously attributed active exploitation to the Chinese advanced persistent threat (APT) group Hafnium.
    This week, ESET revealed at least 10 APT groups have been linked to current Microsoft Exchange Server exploit attempts. 
    On March 12, Microsoft said that a form of ransomware, known as DearCry, is now utilizing the server vulnerabilities in attacks. The tech giant says that after the “initial compromise of unpatched on-premises Exchange Servers” ransomware is deployed on vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak. 
    “Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges,” commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. “Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets.”

    University 'hacks' as a justification to include the sector in Critical Infrastructure Bill

    The higher education sector in Australia could soon find itself considered as “systems of national significance”, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
    The Group of Eight (Go8) — comprising eight Australian universities — believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
    “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said last month.
    The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June.
    The hackers had gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.
    Then there was Melbourne’s RMIT University, which last month responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.

    While no official attribution has been made regarding who is to blame for the ANU breach, the Australian Security Intelligence Organisation’s (ASIO) Director-General of Security Mike Burgess said he knows, which was enough to set the mind of Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), at ease.
    “I do know who was behind it. But I would not say that publicly because I don’t believe that’s my role to do so,” Burgess said on Thursday, fronting the PJCIS as part of its inquiry into national security risks affecting the Australian higher education and research sector.
    Regarding RMIT, however, the ASIO boss was in the dark.
    “It’s not reached my level, not to say someone in my organisation isn’t working on the matter,” he said.
    Both the ANU and RMIT incidents were a focus of the committee as it probed representatives from Home Affairs and Education. Paterson was hoping to find attribution, however.
    “It has been referred to as an advanced threat actor, but it hasn’t come to the point of a specific deliberation or specification of the country involved, that information has not been identified,” Home Affairs deputy secretary of national resilience and cybersecurity Marc Ablong said.
    The specifics of the RMIT incident, which Ablong paints as more of an attack than a systems outage, are still under investigation.
    “We wouldn’t want to prejudice our ability to make any judgments about where that’s come from and who’s involved in it until such time as we’ve got the forensic information to be able to determine exactly what has happened and when,” Ablong said. “But we are aware of the attack and there are investigations underway.”
    Discussions around the two security incidents were used by the Home Affairs representative to justify the inclusion of higher education and research in the Critical Infrastructure Bill.
    “The threat is very real. It is getting a lot realer and a lot harder, even for very sophisticated organisations,” Ablong said.
    According to Ablong, what the higher education sector has failed to realise is that it hasn’t been deeply considering the cyber risk.
    “That’s a shame … and more effective measures are needed,” he said.
    Paterson, meanwhile, said he has observed that the universities are trying to “have it both ways”.
    “They’re telling this committee and the public, ‘Don’t worry, we get it, we want to work with you, we want to fix it’, but also, ‘Please don’t subject us to any actual requirements, legislative or regulatory, that would require us to do anything about it’,” the Liberal Senator mused.

    Molson Coors discloses cyberattack disrupting its brewery operations

    Brewing giant Molson Coors disclosed Thursday that it has experienced a “cybersecurity incident” that has disrupted operations and beer production. In a Form 8-K filed with the SEC today, Miller Coors said it’s bringing in an outside forensic IT firm to investigate the breach, but that delays in shipments were likely.

    “The Company is working around the clock to get its systems back up as quickly as possible,” Miller Coors wrote in the filing. “Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments.”
    Molson Coors operates a huge portfolio of beer brands, including the iconic Coors and Miller brands, as well as Molson Canadian, Blue Moon, Peroni, Grolsch, Killian’s, and Foster’s. 
    The company has not provided additional details of the cyberattack, but some security experts are calling the incident a ransomware attack. In November, Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, was hit with a ransomware attack that took down a large part of its IT network. 
    Campari was the second major beverage vendor after Arizona Beverages to be knocked offline because of a ransomware attack in just two years. 
    Speaking of the Miller Coors incident, Niamh Muldoon, global data protection officer with OneLogin, said these attacks illustrate how cyber criminals are targeting high profile organizations to interrupt key business operations and manufacturing.
    “Ransomware remains a global cybersecurity threat and is the one cybercrime that has a high direct return of investment associated with it, by holding the victims’ ransom for financial payment,” said Muldoon. “On a global scale, cybercriminals will continue to focus their efforts on this revenue-generating stream. This reinforces what we’ve said before that no industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure that critical information assets remain safeguarded and protected against it.”

    This malware was written in an unusual programming language to stop it from being detected

    A prolific cyber criminal hacking operation is distributing new malware which is written in a programming language rarely used to compile malicious code.
    Dubbed NimzaLoader by cybersecurity researchers at Proofpoint, the malware is written in Nim – and it’s thought that those behind the malware have decided to develop it this way in the hopes that choosing an unexpected programming language will make it more difficult to detect and analyse.
    NimzaLoader malware is designed to provide cyber attackers with access to Windows computers, and with the ability to execute commands – something which could give those controlling the malware the ability to control the machine, steal sensitive information, or potentially deploy additional malware.
    The malware is thought to be the work of a cyber criminal hacking group which Proofpoint refers to as TA800, a hacking operation which targets a wide range of industries across North America.
    The group is usually associated with BazarLoader, a form of trojan malware which creates a full backdoor onto compromised Windows machines and is known to be used to deliver ransomware attacks.
    Like BazarLoader, NimzaLoader is distributed using phishing emails which link potential victims to a fake PDF downloader which, if run, will download the malware onto the machine. At least some of the phishing emails are tailored towards specific targets with customised references involving personal details like the recipient’s name and the company they work for.

    The template of the messages and the way the attack attempts to deliver the payload is consistent with previous TA800 phishing campaigns, leading researchers to the conclusion that NimzaLoader is also the work of what was already a prolific hacking operation, which has now added another means of attack.
    “TA800 has often leveraged different and unique malware, and developers may choose to use a rare programming language like Nim to avoid detection, as reverse engineers may not be familiar with Nim’s implementation or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyse samples of it,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.
    Like BazarLoader before it, there’s the potential that NimzaLoader could be adopted as a tool that’s leased out to cyber criminals as a means of distributing their own malware attacks.
    With phishing the key means of distributing NimzaLoader, it’s therefore recommended that organisations ensure that their network is secured with tools which help prevent malicious emails from arriving in inboxes in the first place.
    It’s also recommended that organisations train staff on how to spot phishing emails, particularly when campaigns like this one attempt to exploit personal details as a means of encouraging victims to let their guard down.