More stories


    Intel joins DARPA in search of encryption 'holy grail'

    Intel has signed an agreement with Defense Advanced Research Projects Agency (DARPA) to take part in its Data Protection in Virtual Environments (DPRIVE) program, which is aiming to develop an accelerator for fully homomorphic encryption (FHE).
    “Fully homomorphic encryption remains the holy grail in the quest to keep data secure while in use,” Intel Labs principal engineer Rosario Cammarota said.
    FHE is an approach to data security that gives a mathematical, cryptographic guarantee that data stays encrypted even while it is being processed, which DARPA has touted could provide a new level of certainty around how data is stored and manipulated.
    “Today, traditional encryption protects data while stored or in transmission, but the information must be decrypted to perform a computation, analyse it, or employ it to train a machine learning model,” the agency explained.
    “Decryption endangers the data, exposing it to compromise by savvy adversaries or even accidental leaks. FHE enables computation on encrypted information, allowing users to strike a balance between using sensitive data to its full extent and removing the risk of exposure.”
    While FHE is positioned as a viable path forward, it requires a prohibitive amount of compute power and time.
    “A computation that would take a millisecond to complete on a standard laptop would take weeks to compute on a conventional server running FHE today,” DARPA program manager Tom Rondeau said.
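    The quotes above describe the core idea: a party that holds only ciphertexts can still compute on them. As an added illustration that is not code from the article, DARPA or Intel, the following Python shows the simpler, additively homomorphic Paillier scheme rather than a full FHE scheme: the "server" adds encrypted values and scales them by a public constant without ever holding the private key, and only the key owner decrypts the result. The two primes are small constructed demo values, far too small for real use; real FHE schemes also support multiplication on ciphertexts, and that extra capability is what costs the orders of magnitude of overhead DPRIVE is trying to remove.

```python
import secrets
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int, q: int):
    """Paillier key pair from two primes. Uses the common choice g = n + 1,
    for which L(g^lambda mod n^2) == lambda, so mu is just lambda^-1 mod n."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(lam % n, -1, n)          # inverse exists because p, q do not divide lam
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so encryption is randomised."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n
    return (l_value * mu) % n


# --- operations the untrusted party can perform on ciphertexts only ---

def add_encrypted(pub, c1: int, c2: int) -> int:
    """Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2): multiply ciphertexts to add plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Enc(m)^k mod n^2 == Enc(k * m): exponentiate to multiply by a public constant."""
    n, _ = pub
    return pow(c, k, n * n)


# Constructed demo primes (the 9999th and 10000th primes); real keys use ~1024-bit primes.
DEMO_P, DEMO_Q = 104723, 104729


def private_weighted_sum(values, weights):
    """Client encrypts its values; the 'server' computes sum(w_i * v_i) on ciphertexts
    without the private key; the client decrypts the single result."""
    pub, priv = keygen(DEMO_P, DEMO_Q)
    ciphertexts = [encrypt(pub, v) for v in values]          # client side
    acc = encrypt(pub, 0)                                     # server side from here
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(pub, acc, scale_encrypted(pub, c, w))
    return decrypt(pub, priv, acc)                            # client side again


if __name__ == "__main__":
    # Constructed sample input: e.g. per-department headcounts and per-head weights.
    print(private_weighted_sum([12, 7, 30], [3, 5, 2]))   # 12*3 + 7*5 + 30*2 = 131
```

The plaintexts and their sum must stay below n, so in this toy the modulus bounds the arithmetic; with production-size primes that is not a practical limit. Because encryption draws a fresh random r each time, two encryptions of the same value look unrelated, which is what keeps the server from learning anything by comparing ciphertexts.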

    DARPA launched DPRIVE to reduce the processing time from weeks to seconds.
    Microsoft is the key cloud ecosystem and homomorphic encryption partner leading the commercial adoption of the technology once developed by testing it in its cloud offerings, including Microsoft Azure and the Microsoft JEDI cloud with the US government.
    Intel’s role will be to design an application-specific integrated circuit accelerator to reduce the performance overhead currently associated with fully homomorphic encryption.
    “When fully realised, the accelerator could deliver a massive improvement in executing FHE workloads over existing CPU-driven systems, potentially reducing cryptograms’ processing time by five orders of magnitude,” the chip giant said.
    Intel joins DPRIVE alongside Duality Technologies, Galois, and SRI International. The four companies will lead researchers to develop an FHE accelerator hardware and software stack that reduces the computational overhead required to make FHE calculations to a speed comparable to similar unencrypted data operations.
    In addition, teams are exploring novel approaches to memory management, flexible data structures and programming models, and formal verification methods to ensure the FHE implementation is correct-by-design and provides confidence to the user, DARPA said.
    “We currently estimate we are about a million times slower to compute in the FHE world than we are in the plaintext world. The goal of DPRIVE is to bring FHE down to the computational speeds we see in plaintext. If we are able to achieve this goal while positioning the technology to scale, DPRIVE will have a significant impact on our ability to protect and preserve data and user privacy,” Rondeau said.


    Ezviz C3X outdoor security camera review: Simple setup, superb features

    Pros
    ✓Loud siren and strobe
    ✓Configurable alert zones
    ✓Well-constructed

    Cons
    ✕Voice alert too quiet

    The Ezviz C3X outdoor security camera is very cool for an outdoor security camera and it has some much-needed features for monitoring your home or office.
    This is a well-constructed, solid, metal camera with a locking metal base to hold it firmly in place.
    It is dust-proof, weather-proof, rated IP67, and is solid enough not to be blown by the wind when secured by its locking ring on the mount.
    The C3X comes in two versions. You can buy either a Wi-Fi or PoE (Power over Ethernet) camera. I have the Wi-Fi version that can also be connected to the internet through a LAN cable to your router.
    Inside the box, there is the camera, power adaptor, extension lead, and cable seal kit. There is also a paper drilling template and a screw kit.
    The quick start guide has a QR code to enable you to download the full user guide and the app. The camera is also compatible with Alexa, and Google Home.

    On the body of the camera, there is an LED indicator, which is blue to show the Wi-Fi connection status or whether a video is being viewed in the app. The LED flashes red if the Wi-Fi connection has failed.
    The C3X is so simple to connect to the app — by far the easiest camera I have tried so far. It is simple to connect the app to the camera using 2.4GHz Wi-Fi and it is really simple to use.
    The C3X will either use a micro SD card up to 256GB, or there is a free 7-day trial to the cloud services. The camera will record video using H.265 video compression to save storage space. It has a viewing angle of up to 89 degrees horizontal (106 degrees diagonal).
    The night view has really good color — as opposed to the usual black and white view of other cameras I have reviewed.
    Only on dark nights, before the moon has risen, does the camera switch to black and white. It does not use a spotlight to enhance the view.
    You can program the C3X to emit a siren and bright strobe light when it detects any motion.
    The camera siren will fire if it detects people or cars but not when it detects tree movement or dogs.

    You can configure a voice alert to trigger instead when someone enters the zone or field of view.
    However, the voice output from the camera is really quiet — even when all of the options in the settings are set to intense. It is far more effective to use the siren.
    It was a little disappointing as I had hoped for a really loud bellow when someone crossed into the zone.
    The camera itself has dual 2MP lenses. One lens records the brightness and the other captures color information. The two 1080p images are merged by the camera.
    It also has dual infrared lights which can detect motion up to 100ft away.
    You can select which parts of the image view will be used to detect motion by drawing a specific zone — or set a line to cross. The lines feature is sluggish to set so you need to be patient.
    All in all, this camera has some great features. I particularly like the alert detection feature, the siren, and the strobe light.
    For $149 the Ezviz C3X is a neat little camera that is super easy to configure and the motion detection feature is excellent — if only the voice alert was louder.



    McAfee sells its enterprise business to private equity group as it focuses on consumer security

    McAfee announced Monday that it will sell its enterprise security business to a consortium led by Symphony Technology Group in a deal worth $4 billion. McAfee, which went public in October, said the deal is meant to bolster its efforts to become a pure-play consumer cybersecurity company. 

    Since its split from Intel in early 2017, McAfee has pivoted to cloud services and worked to build out its platform with a focus on its enterprise product portfolio. However, the company is now narrowing its focus and directing its resources to the consumer side of the business in a bid for long-term growth.
    “This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers,” said McAfee chief executive Peter Leav, in a statement.
    Intel bought McAfee in 2011 and rebranded as Intel Security in 2014. A year later, Intel Security adjusted its strategy to refocus the business on endpoint security, as well as threat intelligence, analytics, and orchestration. McAfee was spun out from Intel through a deal with TPG Capital, which owns 51 percent of McAfee.
    When the deal closes, the McAfee brand name will be retained and used for the consumer business. The enterprise unit will get a new name and brand refresh in the coming months.


    Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks

    A possible link to China has been noted by researchers examining the exploitation of SolarWinds servers to deploy malware.

    On Monday, Secureworks’ counter threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. 
    Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases.
    According to the researchers, CVE-2020-10148 has been actively exploited by Spiral. This vulnerability is found in the SolarWinds Orion API and is described as an authentication bypass bug leading to the remote execution of API commands.
    When vulnerable servers are detected and exploited, a script is deployed to write the Supernova web shell to disk using a PowerShell command.
    Written in .NET, Supernova is described by Palo Alto Networks as an advanced web shell designed not only to maintain persistence on a compromised machine but one that is also able to compile “method, arguments and code data” in-memory, leaving little forensic trace. 
    “The attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network,” Palo Alto says. “The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.”

    In the case noted by Secureworks, Supernova is used to perform reconnaissance, for domain mapping, and for both credential and information theft.
    The past intrusion was performed on a ManageEngine ServiceDesk server, with access gained as early as 2018. In these examples, identical commands were used and the same servers were accessed — a domain controller and system containing sensitive business data — and a total of three compromised admin accounts were hijacked in both attacks.  
    “CTU researchers have associated Chinese threat groups with network intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property,” the team notes.
    It is not believed, however, that these cases are linked to the devastating SolarWinds supply chain attack that took place in December 2020. Cyberattackers compromised the chain and deployed a malicious Orion update, impacting upwards of 18,000 organizations. 
    Microsoft estimates that it took the combined efforts of at least 1,000 engineers to pull off the attack and recently found three new malware components linked to the attack alongside Sunburst/Solorigate, Teardrop, and Sunspot. 
    Update 18.22GMT: A SolarWinds spokesperson told ZDNet:

    “This report references an incident where a network was first compromised in a way that was unrelated to SolarWinds. That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer’s network. 
    It is important to note that Supernova is not associated with the broad and sophisticated supply chain attack that targeted multiple software companies as vectors. Supernova was neither signed nor delivered by SolarWinds and the issue was addressed in Orion platform updates that were released in December.”



    Everything you need to know about the Microsoft Exchange Server hack

    Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.


    While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide — so far — there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses. 
    Here is everything you need to know about the security issues and our guide will be updated as the story develops. 
    What happened?
    On March 2, Microsoft released patches to tackle four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”
    Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide. 
    While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches — and the number of estimated victims continues to grow. 
    What are the vulnerabilities and why are they important?

    The critical vulnerabilities impact on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
    CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
    CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
    CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths. 
    CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths. 
    If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
    In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely. 
    “These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
    Who is responsible for known attacks?
    Microsoft says that attacks using the zero-day flaws have been traced back to Hafnium. 
    Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a “highly skilled and sophisticated actor.” 
    While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try and conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers. 
    Is it just Hafnium? 
    When zero-day vulnerabilities come to light and emergency security fixes are issued for popular software, the ramifications can be massive. Problems can often be traced back to a lack of awareness of new patches, slow uptake, or reasons why IT staff cannot apply a fix: they may be unaware that the organization is using the software, third-party libraries, or components at risk, or the fix may cause compatibility problems.
    According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. 


    Mandiant says further attacks against US targets include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes the vulnerabilities could be used for the purposes of ransomware deployment and data theft. 
    Sources have told cybersecurity expert Brian Krebs that approximately 30,000 organizations in the US have been hacked so far. Bloomberg estimates put this figure closer to 60,000, as of March 8.
    The European Banking Authority is one of the latest victims. Data may have been accessed from the agency’s email servers. 
    The US Cybersecurity and Infrastructure Security Agency (CISA) says that the agency is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”
    In an update on March 5, Microsoft said the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”
    The Biden Administration is expected to form a task force to explore the reported links between Microsoft Exchange attacks and China, according to CNN. 
    How can I check my servers and their vulnerability status? What do I do now?
    Microsoft has urged IT administrators and customers to apply the security fixes immediately. However, just because fixes are applied now, this does not mean that servers have not already been backdoored or otherwise compromised.
    Interim mitigation option guides are also available if patching immediately is not possible. 
    The Redmond giant has also published a script on GitHub that IT administrators can run; it includes indicators of compromise (IoCs) linked to the four vulnerabilities. The IoCs are also published as a separate list.
    CISA issued an emergency directive on March 3 that demanded federal agencies immediately analyze any servers running Microsoft Exchange and to apply the firm’s supplied fixes. 
    If there are any indicators of suspicious behavior dating back as far as September 1, 2020, CISA requires agencies to disconnect them from the Internet to mitigate the risk of further damage. 
    Microsoft continues to investigate and as more information comes to light we will update.


    Microsoft Exchange zero-day attacks: 30,000 servers hit already, says report

    Four previously unknown or ‘zero-day’ vulnerabilities in Microsoft Exchange Server are now being used in widespread attacks against thousands of organisations with potentially tens of thousands of organisations affected, according to security researchers.
    The bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft, which issued emergency patches for them last week, attributed the attacks to a newly discovered hacking team it calls Hafnium, most likely a China-backed group. Microsoft said they were “limited targeted attacks” but warned they could be more widely exploited in the near future.


    Since then, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an order to agencies to apply the patches for on-premises Exchange systems or to simply disconnect vulnerable servers after seeing “active exploitation” of the vulnerabilities. In other words, patch now or cut off a vital communications tool.
    Microsoft urged Exchange customers, which range from large enterprise to small businesses, to apply the patches immediately because “nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
    CISA over the weekend warned that it was “aware of widespread domestic and international exploitation” of Microsoft Exchange Server vulnerabilities and urged the scanning of Exchange Server logs with Microsoft’s IOC detection tool to help determine compromise. 
    History suggests many organizations do not update their software when vulnerabilities are found. Microsoft last year warned Exchange server customers to patch the critical flaw CVE-2020-0688 but found that months afterwards tens of thousands of Exchange servers remained unpatched, despite nation-state attackers exploiting the bug from the outset.

    Chris Krebs, the former director of CISA, reckons government agencies and small businesses will be more affected by these attacks than large enterprise. 
    He believes the Exchange bugs will disproportionately affect small businesses and organizations in the education sector as well as state and local governments. 
    “Incident response teams are BURNED OUT & this is at a really bad time,” he wrote. 

    This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg
    — Chris Krebs (@C_C_Krebs) March 6, 2021

    The Hafnium attackers deployed “web shells” on compromised Exchange servers for the purpose of stealing data and installing more malware. Web shells are small scripts that provide a basic interface for remote access to a compromised system. 
    According to Brian Krebs, author of Krebsonsecurity, the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organisations in the US have been hacked as part of this campaign. 
    “The intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers,” notes Krebs. 
    Volexity, a Washington DC-based security firm, said the Hafnium attacks started as early as January 6, 2021. 



    Airlines warn passengers of data breach after aviation tech supplier is hit by cyberattack

    Global aviation industry IT supplier SITA has confirmed it has fallen victim to a cyberattack, with hackers gaining access to personal information of airline passengers.
    The information technology and communications company, which claims to serve around 90% of the world’s airlines, said that a cyberattack on February 24, 2021 led to a “data security incident” involving passenger data that was stored on SITA Passenger Service System Inc. servers located in Atlanta, Georgia in the United States.


    A statement by SITA describes the incident as a “highly sophisticated attack” and said that the company “acted swiftly” to contain the incident, which still remains under investigation by SITA’s Security Incident Response Team, alongside external cybersecurity experts.
    “We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber criminals have become more sophisticated and active,” said the SITA statement.
    Star Alliance airlines including Singapore Airlines, Air New Zealand and Lufthansa have warned passengers about the SITA data breach, while some Oneworld airlines including Malaysia Airlines, Finnair, Japan Airlines and Cathay Pacific have also informed passengers about the cyberattack. South Korean airline Jeju Air has emailed passengers about the incident.
    While SITA hasn’t confirmed the exact nature of the information that has been accessed by hackers, a spokesperson told ZDNet that “it does include some personal data of airline passengers”.

    Some airlines have detailed what information was accessed in the attack, stating that frequent flyer data – such as name, tier status and membership number – has been stolen. An email sent to customers of New Zealand Air said that the data breach doesn’t contain information on passwords, credit card details, passport information or contact addresses.
    An exact figure for the number of passengers affected by the breach remains unclear as SITA has yet to publicly comment on the matter, but a report by The Guardian claims that hundreds of thousands of passengers could have had their information stolen.


    Linus Torvalds warns: Watch out for this unusually nasty bug in Linux 5.12 rc1

    Linus Torvalds has issued a warning to open-source developers to avoid the first release candidate (RC) of the Linux kernel 5.12. 
    Linux kernel 5.12 was released on time despite the snow storms that lashed Oregon and knocked out power to Torvalds’ home for the better part of a week. Torvalds and his thousands of contributors managed to get version 5.12 out on time, but he now says RC 5.12 is a “double ungood” that can have catastrophic consequences for a computer’s filesystem. 

    “This merge window, we had a very innocuous code cleanup and simplification that raised no red flags at all, but had a subtle and very nasty bug in it: swap files stopped working right. And they stopped working in a particularly bad way: the offset of the start of the swap file was lost. Swapping still happened, but it happened to the wrong part of the filesystem, with the obvious catastrophic end results,” wrote Torvalds on the Linux kernel Mailing list.  
    Torvalds went on: “Yes, this is very unfortunate, but it really wasn’t a very obvious bug, and it didn’t even show up in normal testing, exactly because swapfiles just aren’t normal. So I’m not blaming the developers in question, and it also wasn’t due to the odd timing of the merge window, it was just simply an unusually nasty bug that did get caught and is fixed in the current tree.”
    He said he wanted devs to be aware because if the bug strikes: “you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call ‘double ungood’,” he writes, nodding to George Orwell’s newspeak language from the novel Nineteen Eighty-Four. 
    It is, he cautions, an unusually bad bug – even for a first run of a release candidate that’s expected to have bugs. 

    “Yes, rc1 tends to be buggier than later rc’s, we are all used to that, but honestly, most of the time the bugs are much smaller annoyances than this time,” warns Torvalds. 
    He also had some advice about the assumptions people make in industry when a system proves reliably stable over time, which can impact the safety of systems in the future. 
    In this case, the bug regards swap partitions but he’s also concerned that developers will assume because he’s remedied the bug in code for distribution – via the Git versioning system – that code that’s already been installed has been remedied too. He’s worried about downstream projects, which could accidentally leave this bug in a project.     
    “One additional reason for this note is that I want to not just warn people to not run this if you have a swapfile – even if you are personally not impacted (like I am, and probably most people are – swap partitions all around) – I want to make sure that nobody starts new topic branches using that 5.12-rc1 tag,” wrote Torvalds.  
    “I know a few developers tend to go “Ok, rc1 is out, I got all my development work into this merge window, I will now fast-forward to rc1 and use that as a base for the next release”. Don’t do it this time. It may work perfectly well for you because you have the common partition setup, but it can end up being a horrible base for anybody else that might end up bisecting into that area.”
    Otherwise Linux 5.12 is basically a spring-cleaning effort from Torvalds, who has handled 10,982 non-merge commits from 1,500 people who contributed to this RC of the kernel.
    “Sorry for this mess,” wrote Torvalds.