More stories


    AWS acquires encrypted messaging app Wickr

    Amazon Web Services is acquiring the encrypted messaging app Wickr, the company announced Friday. Financial terms of the deal were not disclosed.

    Launched in 2012, Wickr’s end-to-end encrypted messaging service was one of the early pioneers of ephemeral communication, offering encrypted and disappearing messaging long before Signal took off and WhatsApp rolled out encryption of its own. Wickr gained traction among enterprises, public sector and government agencies for its advanced security features and zero trust platform design, with the US Department of Defense among its customers.

    “Today, public sector customers use Wickr for a diverse range of missions, from securely communicating with office-based employees to providing service members at the tactical edge with encrypted communications,” said AWS chief information security officer Stephen Schmidt, in a blog post. “Enterprise customers use Wickr to keep communications between employees and business partners private, while remaining compliant with regulatory requirements.”

    Schmidt said the need for Wickr’s style of secure communication is accelerating across sectors. In other words, AWS sees an opportunity to use Wickr to bolster its own portfolio of communication, collaboration and productivity services. Schmidt said Wickr’s services will be offered to AWS customers effective immediately, and noted that the service will continue uninterrupted for new and existing users.


    Mozilla partners with Princeton researchers for privacy-focused data sharing platform on Firefox

    On Friday, Mozilla announced the release of a new data sharing platform called Rally that is designed to give users more control over how they share their data. The Firefox add-on allows people to donate their data to research studies that will focus on building new resources, tools, and “potentially even policies that empower people just like you to build a better internet and fight back against exploitative tech,” according to Mozilla.

    Rebecca Weiss, director of data science at Mozilla and the originator of Rally, told ZDNet the platform sought to answer the question “What if — instead of companies taking your data without giving you a say — you could select who gets access to your data, and put it to work for public good?”

    “Rally is built for the browser with privacy and transparency at its core, and empowers people to contribute their browsing data to crowdfund projects for a better internet and a better society. The researchers behind each project will have better quality data, with a clear understanding of the source, and confidence that it’s compliant with data privacy regulations,” Weiss explained. “At Mozilla, we work every day on building a better internet, one that puts people first, respects their privacy, and gives them power over their online experience. We’ve been a leader in privacy features that help you control your data by blocking trackers. But, being ‘data-empowered’ also requires the ability to choose who you want to access your data.”

    Mozilla called Rally a “first-of-its-kind” platform that addresses the thorny problem of data control. The organization has done surveys showing that many people in the US are frustrated by the lack of options they have when it comes to their data. Outside of using defensive tools to block all data collection or simply allowing all data to be used without user consent by online services, there are few options available for most users. Mozilla said it was trying to “flip the script on the surveillance economy’s data practices” by demonstrating that there is a case to be made for an equitable market for data.

    Users install the Mozilla Rally add-on for Firefox and sign up before finding studies they would like to contribute to. Researchers will provide detailed explanations of what each research study is focused on, how your data will be used and where it ends up. Users are in full control and can pull their information out whenever they would like.

    Weiss told ZDNet that Mozilla has been concerned about data ecosystem issues for years and has been interested in additional data ecosystem innovations. Weiss added that Mozilla started by extending and applying its internal tools and capabilities to new user problems. “We also wanted to collaborate with a wider community and started with public interest researchers. We worked with Jonathan Mayer’s group at Princeton to build tools to collect and manage user data. These tools are as accurate as researchers need, but don’t require collection of as much data from users,” Weiss said. “We let individuals choose how much data to share, to which organizations, and for what purpose. In return, they’ll not only contribute their data for public good, they’ll also understand how their data is being used and tracked overall.”

    Mozilla has already partnered with Princeton University for studies like “Political and COVID-19 News” — about misinformation about politics and COVID-19 — and Stanford University on upcoming projects like “Beyond the Paywall.”

    “Cutting people out of decisions about their data is an inequity that harms individuals, society, and the internet. We believe that you should determine who benefits from your data. We are data optimists and want to change the way the data economy works for both people and day-to-day business,” Weiss said. “We are excited to see how Rally can help understand some of the biggest problems of the internet and make it better.”

    Researchers, like Princeton’s Mayer, will be able to invite people to participate in studies and crowdfunded scientific efforts. Mayer, head of the “Political and COVID-19 News” project, said that for years, academic researchers have been “stymied” when trying to experiment on online services. “Rally flips the script and enables a new ecosystem of technology policy research,” he noted.

    Shoshana Vasserman and Greg Martin of the Stanford University Graduate School of Business are working on the “Beyond the Paywall” project, and Vasserman said research is needed to “get answers to the hard questions that we face as a society in the information age.”

    “But for that research to be credible and reliable, it needs to be transparent, considered, and treat every participant with respect. It sounds simple, but this takes a lot of work. It needs a standard bearer to make it the expectation in social science,” Vasserman said. “In working with Rally, we hope to be part of that transformation.”

    Mozilla added that it was also launching a new toolkit called WebScience that helps researchers build standardized browser-based studies on Rally. Weiss and others at Mozilla explained that their goal for Rally is to show “that there is a case for an equitable market for data, one where every party is treated fairly, and we welcome mission-aligned organizations that want to join us on this journey.” Rally is only available for Firefox users in the US over the age of 19 right now, but Mozilla said it plans to expand it globally in the future.


    Three Texan men jailed after using Grindr to find targets for theft, kidnap, assault

    Three men have been jailed for violent crimes conducted against victims found through Grindr. 

    Michael Atkinson, Pablo Ceniceros-Deleon, and Daryl Henry, aged 28, 21, and 24 respectively, deliberately targeted men believed to be homosexual in what the US Department of Justice (DoJ) calls “bias-motivated violence.” Grindr is a social networking and dating app for the LGBTQI community. The trio, located in Texas, abused the app to find victims for crimes including kidnapping, carjacking, theft, and assault. US prosecutors say that as many as nine men around the Dallas area have been targeted in this way since late 2017.

    The crimes included luring men to apartments and holding them at gunpoint, carjacking their vehicles, and using further threats of violence to force them to withdraw cash from ATMs. Some of the victims were also physically attacked, taunted with homophobic slurs, and at least one individual was sexually assaulted.

    In 2019, Atkinson pleaded guilty to one count of conspiracy to commit hate crimes, kidnapping, and carjacking, and one count of kidnapping; Ceniceros-Deleon admitted to hate crimes, carjacking, and the use of a firearm in a violent crime; and Henry pleaded guilty to one hate crime count, conspiracy to commit hate crimes, kidnapping, and carjacking.

    Atkinson has been sentenced to 11 years in prison. Ceniceros-Deleon will serve 22 years behind bars and Henry has been issued a prison term of 20 years. There was one more member of the group involved in these crimes: Daniel Jenkins, due to be sentenced in October, has also pleaded guilty to hate crimes, kidnapping, carjacking, and the use of a firearm in a violent crime. Under a plea agreement, Jenkins faces a sentence of up to 26 years. The investigation into the crime spree was conducted by the FBI’s Dallas Field Office.

    “These defendants brutalized multiple victims, singling them out due to their sexual orientation,” commented Acting US Attorney Prerak Shah for the Northern District of Texas. “We cannot allow this sort of violence to fester unchecked. The Department of Justice is committed to prosecuting hate crimes. In the meantime, we urge dating app users to remain vigilant. Unfortunately, predators often lurk online.”


    Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency

    Researchers have discovered a strain of cryptocurrency-mining malware that abuses Windows Safe mode during attacks. 

    The malware, dubbed Crackonosh by researchers at Avast, spreads through pirated and cracked software, often found through torrents, forums, and “warez” websites. After finding reports on Reddit from Avast antivirus users asking why the antivirus software had suddenly vanished from their systems, the team investigated and traced the disappearance to a malware infection.

    Crackonosh has been in circulation since at least June 2018. Once a victim executes a file they believe to be a cracked version of legitimate software, the malware is deployed alongside it. The infection chain begins by dropping an installer and a script that modifies the Windows registry so that the main malware executable is allowed to run in Safe Mode. The infected system is then set to boot into Safe Mode on its next startup.

    “While the Windows system is in safe mode antivirus software doesn’t work,” the researchers say. “This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed: SELECT * FROM AntiVirusProduct.” Crackonosh will scan for antivirus programs, including Avast, Kaspersky, McAfee’s scanner, Norton, and Bitdefender, and will attempt to disable or delete them. System log files are then wiped to cover its tracks.

    In addition, Crackonosh will attempt to stop Windows Update and will replace the Windows Security tray icon with a fake green tick. The final step is the deployment of XMRig, a cryptocurrency miner that uses the system’s processing power to mine the Monero (XMR) cryptocurrency. Overall, Avast says that Crackonosh has generated at least $2 million for its operators in Monero at today’s prices, with over 9,000 XMR having been mined.

    Approximately 1,000 devices are being hit each day and over 222,000 machines have been infected worldwide. In total, 30 variants of the malware have been identified, with the latest version released in November 2020.

    “As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” Avast says. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”
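    Each step of the chain described above (a registry change that lets the malware run in Safe Mode, a forced Safe Mode boot, Defender and other antivirus removed, Windows Update stopped) leaves an artefact that an incident responder can check for on a suspect host. The PowerShell triage script below is an added example written for this page; it is not Avast’s code and is not taken from the report. It assumes the standard Windows mechanics for the first two steps, which the article does not spell out: a boot entry forced into Safe Mode carries a “safeboot” value in the boot configuration data (shown by bcdedit /enum), and a service is permitted to start in Safe Mode only if a subkey with its name and a default value of “Service” exists under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal or \Network. It also runs the same SELECT * FROM AntiVirusProduct query the report attributes to the malware, but defensively, to see what Security Center still registers. The service names WinDefend and wuauserv are the standard Defender and Windows Update service names, not identifiers from the report.

```powershell
#Requires -RunAsAdministrator
# Added triage script for Safe Mode persistence of the kind described above.
# Not Avast's code and not from the article. Assumed (standard Windows behaviour, not stated on the page):
#   - a boot entry forced into Safe Mode carries a 'safeboot' value in the BCD (bcdedit /enum shows it);
#   - a service may start in Safe Mode only if a subkey with its name exists under
#     HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network) with default value 'Service'.

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    # Normalise the many ImagePath spellings into an on-disk path (best effort, arguments stripped).
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''                      # "\??\C:\..." device-path prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # "\SystemRoot\System32\..." form
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)                         # quoted path; arguments follow the closing quote
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(?<path>.+?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches.path                                # unquoted: path ends at the first .exe/.sys/.dll
    }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }   # "system32\drivers\x.sys"
    return $p
}

function Get-ForcedSafeBootEntry {
    # bcdedit prints 'safeboot  Minimal' or 'safeboot  Network' for every boot entry that will start
    # in Safe Mode. A machine nobody deliberately put into Safe Mode prints nothing here.
    & bcdedit.exe /enum | Where-Object { $_ -match '^\s*safeboot\s+' } | ForEach-Object { $_.Trim() }
}

function Get-SafeBootService {
    # Every service allowed into Safe Mode, joined to its binary and that binary's Authenticode status.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($sub in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
            if ($sub.GetValue('') -ne 'Service') { continue }   # skip 'Driver' and 'Driver Group' entries
            $name = $sub.PSChildName
            $svc  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $bin  = if ($svc -and $svc.ImagePath) { Resolve-ServiceBinary $svc.ImagePath } else { $null }
            $sig  = if ($bin -and (Test-Path -LiteralPath $bin)) {
                        [string](Get-AuthenticodeSignature -FilePath $bin).Status
                    } else { 'FileMissing' }
            [pscustomobject]@{
                Mode       = $mode
                Service    = $name
                Binary     = $bin
                Signature  = $sig
                Suspicious = ($sig -ne 'Valid')   # unsigned, tampered or missing binary allowed into Safe Mode
            }
        }
    }
}

function Get-AntiVirusState {
    # The WQL the report says the malware runs, used here defensively: what Security Center still registers.
    # root/SecurityCenter2 exists on client Windows only; on Server SKUs this returns nothing.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -Query 'SELECT * FROM AntiVirusProduct' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Product = $_.displayName
                Binary  = $_.pathToSignedProductExe
                State   = ('0x{0:X6}' -f [int]$_.productState)   # undocumented bitfield; compare with a known-good host
            }
        }
}

function Get-ProtectionServiceState {
    # Defender (WinDefend) and Windows Update (wuauserv), which the report says the malware deletes or stops.
    foreach ($name in 'WinDefend', 'wuauserv') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$s
            Status    = if ($s) { [string]$s.Status } else { 'Missing' }
            StartType = if ($s) { [string]$s.StartType } else { 'Missing' }
        }
    }
}

Write-Output '== Boot entries forced into Safe Mode (expect none) =='
Get-ForcedSafeBootEntry
Write-Output '== Services permitted to start in Safe Mode (Suspicious = not validly signed) =='
Get-SafeBootService | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
Write-Output '== Security Center AntiVirusProduct =='
Get-AntiVirusState | Format-Table -AutoSize
Write-Output '== Defender and Windows Update services =='
Get-ProtectionServiceState | Format-Table -AutoSize
```

    Run it from an elevated PowerShell on the live host. A “safeboot” line in the first section on a machine nobody set to Safe Mode, or a Service entry in the second whose binary is unsigned or missing, is the first thing to pull for analysis; the built-in Safe Mode services all resolve to validly signed Microsoft binaries, so the Suspicious column should be empty on a clean system. The forced Safe Mode flag is cleared with the standard command bcdedit /deletevalue {current} safeboot, but do that only after the SafeBoot service entries and their binaries have been preserved for analysis and removed, otherwise the machine boots straight back into whatever the persistence started.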


    ‘Pen tester’ FIN7 hacking group member lands seven-year prison term

    A “high-level” member of FIN7 has been sentenced to a seven-year term for his role in the cybercriminal group. 

    On Thursday, the US Department of Justice (DoJ) named Andrii Kolpakov, a 33-year-old from Ukraine, as a former member of FIN7 who served as an attacker the group internally referred to as a penetration tester. According to US prosecutors, Kolpakov was involved in FIN7 from at least April 2016 until his arrest in June 2018, when he was picked up by law enforcement in Spain; he was extradited to the United States a year later. He managed teams of attackers responsible for compromising target systems, including those of businesses in the US.

    FIN7, also sometimes referred to as Carbanak, specialized in stealing and selling consumer records harvested from companies’ Point-of-Sale (PoS) systems. The group’s malware collected payment card details that were then used to conduct fraudulent transactions or were sold on. One common attack method employed by FIN7 was phishing (sometimes labelled Business Email Compromise, or BEC): emails sent to employees of a target company carried a malicious attachment containing a variant of the Carbanak malware. The DoJ estimates that in the US alone, over 6,500 PoS systems at more than 3,600 business locations were infiltrated by FIN7, leading to the theft of tens of millions of debit and credit card records, as well as costs of over $1 billion that had to be shouldered by victims.

    Additionally, the threat actors have been connected to attacks against organizations in Australia, France, and the United Kingdom. When it comes to Kolpakov’s earnings, prosecutors claim that his pay “far exceeded comparable legitimate employment in Ukraine.” “Moreover, FIN7 members, including Kolpakov, were aware of reported arrests of other FIN7 members, but nevertheless continued to attack US businesses,” the DoJ added.

    In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and a further count of conspiracy to commit computer hacking. He has now been sentenced to seven years in prison and has been ordered to pay $2.5 million in restitution. Europol and the DoJ have both been involved in multiple FIN7 arrests. In April, another Ukrainian national, Fedir Hladyr, was sentenced to 10 years behind bars for acting as a FIN7 systems administrator.


    Sophisticated hackers are targeting these Zyxel firewalls and VPNs

    Zyxel, a manufacturer of enterprise routers and VPN devices, has issued an alert that attackers are targeting its devices and changing configurations to gain remote access to a network. In a new support note, the company said that a “sophisticated threat actor” was targeting Zyxel security appliances with remote management or SSL VPN enabled. 


    The attacks affect organizations using Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection (ATP) firewalls, and VPN series devices running its ZLD firmware. “The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as ‘zyxel_sllvpn’, ‘zyxel_ts’, or ‘zyxel_vpn_test’, to manipulate the device’s configuration. We took action immediately after identifying the incident,” Zyxel noted. This suggests that the attackers are using hardcoded accounts to access the devices remotely. Earlier this year, researchers found a hardcoded admin backdoor account in one of Zyxel’s firmware binaries, which put roughly 100,000 internet-exposed firewalls and VPN gateways at risk.

    Zyxel notes that firewalls may be affected if users experience problems accessing the VPN, routing traffic, or logging in. Other signs include unknown configuration parameters and password problems. Zyxel warns admins to delete all unknown admin and user accounts that have been created by the attackers. It also advises them to delete unknown firewall rules and routing policies. Via Ars Technica, a Zyxel customer posted the company’s disclosure email on Twitter.

    “Based on our investigation so far, we believe maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface,” Zyxel said. It recommends disabling HTTP and HTTPS services on the WAN side. For those who need to manage devices from the WAN side, it recommends restricting access to trusted source internet addresses and enabling GeoIP filtering. It also emphasizes that admins need to change passwords and set up two-factor authentication.

    The attacks on Zyxel devices follow a string of similar attacks on a range of VPN devices, which make a handy entry point to a corporate network for remote attackers seeking persistent access. The US Cybersecurity and Infrastructure Security Agency warned in April that attackers were targeting vulnerabilities in Pulse Connect Secure VPNs. ZDNet has contacted Zyxel for comment and will update this story if it receives a response.


    Australia's cops need reminding that chasing criminals isn't society's only need

    A disturbing pair of attitudes continue to infect law enforcement agencies across Australia. One is that if data exists then the cops have a right to access it. The other is that as long as something isn’t specifically illegal then it’s OK for the government and its agencies to do it.

    Earlier this month it was revealed that the Western Australia Police Force accessed data collected by the COVID SafeWA app, the state’s QR code check-in app. WA Premier Mark McGowan said the app should only be used for contact tracing, but the cops disagreed. “We attempted to negotiate an agreement with the police. They advised that it was lawful, and they couldn’t not do things that are lawful,” McGowan told ABC Radio Perth. Well, now the WA Parliament is introducing laws to block police access.

    Meanwhile, Victoria Police tried to access check-in data three times last year. The health department refused. But acting police minister Danny Pearson said he was reluctant to follow WA’s lead and introduce a legislated ban. “Let’s suppose a check-in could convict a criminal, I think that the idea of introducing legislation to prevent that occurring would lead to a poor public policy outcome,” Pearson told a state Budget Estimates Committee.

    WA Police Commissioner Chris Dawson made much the same point, telling Perth radio station 6PR that the police has “a duty to investigate crime”. “The police has a duty to collect the best possible evidence and put that before a court… I would not do my job as Police Commissioner if I was directed by the Premier or the politician elected by the people as to how to run a murder investigation.”

    That’s the dilemma. As a society we want to fight crime, but at the same time we don’t want to give unlimited power to the crimefighters because they have guns and can deprive us of our liberty and even our lives, and things can go wrong.

    Eight years ago, in the wake of Edward Snowden’s revelations about the scale of global digital surveillance, I wrote that intelligence organisations’ burning need for all the data was an addiction. Now the cops need their fix too, but can they handle the powerful data drugs responsibly? The evidence would suggest not.

    The Australian National Audit Office (ANAO) recently reported that the Australian Federal Police (AFP) doesn’t have an electronic data and records management system and “keeps more than 90% of its digital operational records in network drives”. “Records in network drives are not secure from unauthorised access, alteration or deletion,” ANAO wrote. Many officers choose not to use the AFP’s case management system, PROMIS, because they’re not obliged to. By its own assessment, AFP rates its information management maturity as 156th of 166 Australian government entities. “The AFP’s poor digital record keeping is a risk to the integrity of its operations,” ANAO wrote.

    This week the Commonwealth Ombudsman found that the AFP had “issues” with data destruction too, with numerous examples of poor processes and record-keeping. The AFP was even found to be conducting surveillance in foreign jurisdictions without lawful approval. At least they disclosed that little oopsie to the Ombudsman. Data destruction problems were also found at the South Australian Police and the Australian Criminal Intelligence Commission.

    None of this is “OMG police state!” hyperbole. Australia isn’t a police state, and it’s quite some way from becoming one. We’re all free to write critiques like this one, for example. But the police forces continually show that they don’t have systems capable of correctly handling the data they do have access to. Yet they always want more, and they tend to get everything their way when new laws are made. The WA Bill to block their access to SafeWA data is a rare exception.

    There’s nothing wrong with cops asking for new powers to make their jobs easier. Who doesn’t want to make their job easier? But the counterarguments need to be heard and, indeed, listened to. During a global pandemic, it feels like the cops are more than happy to hunt down people breaking quarantine rules. They seem less interested in harm minimisation, in ensuring everyone is comfortable giving fine-grained details of their daily lives to “the government”.

    Politicians need some spine here. They need to get over their fear of appearing “soft on crime” — crime is at historical all-time lows anyway — and tell the cops, simply, “No you can’t do that”. After all, what’s worse? An abstract “poor public policy outcome”, or more people on ventilators struggling for their lives?


    Minister prioritises Critical Infrastructure Bill as two others pass through Parliament

    Newly appointed Minister for Home Affairs Karen Andrews has singled out cyber as a priority in her portfolio, using Australia’s Critical Infrastructure reforms as an example of how the government has worked to protect the nation. “I have elevated cyber to big priority in the portfolio,” Andrews said, speaking as part of the CEDA State of the Nation 2021 conference on Thursday.

    The reforms, by way of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, would allow, among other things, the government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.

    “The Critical Infrastructure legislation is particularly important to us, and I think that what it demonstrates is people’s perception of what is critical infrastructure, which is way beyond the physical bricks and mortar, is crucial to us,” Andrews said. The Bill brings the likes of communications, financial services, data storage and processing, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors into the definition of critical infrastructure.

    “We do know that there is an increasing threat of cyber attack here in Australia, ransomware, these are significant issues for us. It is also important that we recognise that many businesses who either have been subject to a ransomware attack or are likely to be subject to a ransomware attack are not necessarily going to be forthcoming in providing that information,” Andrews continued. “If we don’t have the information going through to the Australian Signals Directorate that enables them to come in and provide a level of support, then it means that we can’t assist in trying to re-establish some of the connections that are there to try and assist with recovering the data. It also means that we’re not getting the intelligence that we need that will lead to a more cybersecure environment for us here in Australia.”

    Andrews said the legislation needs to “be progressed as a matter of urgency”. “That is what my plan is,” she added. “I think it actually provides significantly more protections than it does introduce risks.”

    Speaking alongside Andrews was Michelle Price, CEO of AustCyber, the organisation charged with growing a local cybersecurity ecosystem. She touted the legislation as “one piece of a very large patchwork of things” that need to be undertaken. “People are celebrating that this legislation is occurring, principally because it does level the playing field across industries,” she said. Of importance to Price, however, is that education on the Bill’s purpose and consequences should occur. “We need to make sure that that education spreads out, this is where the value chain comes into it, those trusted information-sharing networks that occur organically, as well as in an orchestrated way, to make sure that everyone is aware of this legislation,” she added. “I think that the government has done a good job of learning some lessons from the encryption legislation and has done extensive consultation of this legislation in spite of the comparatively short period of time that it has been running through, compared to other areas like the Telecommunication Sector Security Reforms and the Notifiable Data Breaches scheme … [that] have taken a lot longer than the critical infrastructure amendments.”

    The Senate this week passed two Bills that were not given particularly long consultation periods, either. The Online Safety Bill 2021 was waved through on Wednesday night with amendments. Among other things, the new Act extends the eSafety Commissioner’s cyber takedown function to adults, giving it the power to issue takedown notices directly to the services hosting the content and to the end users responsible for the abusive content. The Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the 400-something submissions to the consultation were published. It was handed to a Senate committee on February 25 and, after holding one public hearing, the committee scrutinising its contents handed down its report. Debating the Bill last week, Australian Greens co-deputy leader Senator Nick McKim said the government “[rammed] these Bills through this Parliament without adequate consideration and without adequate scrutiny”. He was unsuccessful with his request for the Bill to be repealed and re-written, and once the Bill receives Royal Assent, eSafety will work out the specifics of how the new scheme will run, with the scheme commencing six months thereafter.

    Also passed this week was the Telecommunications Legislation Amendment (International Production Orders) Bill 2020. The IPO Bill paves the way for Australia to share communications data with other countries. It allows Australia to enter a proposed bilateral agreement with the United States, in the first instance, under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The Bill passed both houses, incorporating amendments from recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) last month.

    The federal opposition on Monday introduced yet another security-related Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who took the opportunity to say the government’s current position of telling businesses to defend themselves by “locking their doors to cyber-criminal gangs” was “not good enough”.

    Responding to the proposed Bill, Andrews said she was open to exploring it. “From the government’s perspective, we actually would like businesses to reach out, particularly to ACSC, in the event that they have a ransomware attack or they have other threats,” she said. “[ACSC] is very well placed to be able to support them, but they rely on, in many instances, on businesses reporting or contacting them directly. I’ve already had some discussions about mandatory reporting of ransomware attacks and my view at this stage is that there are a range of views about that — it’s very mixed in the response — what I want to do over the coming weeks is explore that much more fully.”

    Andrews said she wants the ACSC to be armed with the opportunity to support businesses that have been the subject of ransomware attacks, but that awareness was also important. “What I don’t want to do is end up with the cart before the horse effectively, and moving directly to the mandatory reporting of ransomware, where we haven’t gone through the process of raising awareness of cybersecurity, raising awareness of ransomware, making sure that we have in place all of the right mechanisms to support businesses,” she said. “So yes, I want to collect the intelligence, but I want to make sure that we’re doing this in a sensible and rational way. But I’m open to exploring this. I am already exploring it.”