More stories


    McAfee shares jump on first public report: Q4 revenue tops expectations, outlook higher as well

    Security software maker McAfee, which went public in October, this afternoon reported Q4 revenue that topped Wall Street’s expectations, while missing on the bottom line, and an outlook for revenue this quarter that was higher as well. 
    The report initially sent McAfee shares up 7% in late trading. 
    CEO Peter Leav called attention to what he referred to as McAfee’s “significant increases in revenue, subscribers, profitability and cash flow to close out the year,” in particular, “23% revenue growth in our consumer business, 14% growth in total net revenue, and strong growth in adjusted EBITDA in Q4.”
    Added Leav, “We secure our customers’ ever increasing digital footprint as people are living more of their lives online.”
    “I am very pleased with our team’s execution, which is a testament to the dedication of McAfee employees worldwide,” said Leav.
    McAfee’s CFO, Venkat Bhamidipati, commented that “across the business, results exceeded expectations driven by strong execution and increased demand for our security offerings.” 
    Bhamidipati noted the company “saw robust demand in the large, critical, and growing personal protection market,” while in the enterprise segment McAfee was able to increase both revenue and profit “by focusing on core enterprise and government customers while prioritizing our investment spending and rationalizing costs.”

    Revenue in the three months ended in December rose 14%, year over year, to $777 million, yielding a net loss of 73 cents a share.
    Analysts had been modeling $739 million and a 31-cent profit per share.
    For the current quarter, the company sees revenue of $725 million to $735 million, compared to consensus for $724 million.
    McAfee may sound familiar. It’s been bouncing around for a while. You may recall its red software boxes on store shelves at CompUSA back in the day, if you remember what CompUSA was. McAfee was founded in 1987 and was acquired by Intel in 2011, becoming the computer security unit of the chip maker. 
    In 2016, Intel agreed to spin out McAfee as a joint venture between itself and private equity firm TPG Capital. Intel retained a 49% stake. That joint venture is what went public in October.



    CEOs, Senators discuss mandating cyber-attack disclosures

    Following the SolarWinds attack, it’s clear there needs to be more information sharing and better public-private sector coordination, lawmakers and tech leaders agreed in a Senate hearing Tuesday. The federal government should consider imposing reporting requirements on entities that fall victim to cyber intrusions, they said. 


    Testifying at the Senate Intelligence Committee hearing, Microsoft President Brad Smith said it’s time to impose a “notification obligation on entities in the private sector.” 
    It’s “not a typical step when somebody comes and says, ‘Place a new law on me,’” he told lawmakers. “I think it’s the only way we are going to protect the country.”
    Both Committee Chairman Mark Warner (D-Va.) and Vice Chairman Marco Rubio (R-Fla.) agreed that Congress should consider mandating certain types of reporting, potentially with some limited liability protection. 
    “We must improve the information sharing,” Rubio said. One important question that “everyone has struggled with,” he said, is “who can see the whole field here on this.”
    Warner floated the idea of establishing an investigative agency analogous to the National Transportation Safety Board, which could “immediately examine major breaches to see if we have a systemic problem.”
    The lawmakers commended cybersecurity firm FireEye for first disclosing in December that they were the victims of a sophisticated, state-sponsored cyber attack. Democrats and Republicans on the committee also expressed their displeasure that Amazon Web Services declined to attend Tuesday’s hearing. 

    The SolarWinds attack relied in part on AWS infrastructure, Rubio said, but “apparently they were too busy to discuss that with us today.” 
    It would be “most helpful in the future if they actually attended these hearings,” Warner said of AWS. 
    Sen. John Cornyn (R-Texas) said that he “shared concern” over AWS’s refusal to participate in the hearing. “I think that’s a big mistake,” he said, adding that it “denies us a more complete picture” of the incident.
    The breach, likely the work of Russian hackers, targeted a wide swath of US entities — nine federal government agencies, including the Treasury Department and Department of Commerce, as well as 100 private sector organizations. The attackers infiltrated these organizations in part by inserting malware into the Orion IT monitoring platform, a SolarWinds product. 
    In addition to hearing from Microsoft’s Smith, lawmakers on Tuesday heard from FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and CrowdStrike President and CEO George Kurtz.
    Mandia said he supported the idea of mandatory cyber-intrusion reporting, so long as it remained confidential. 
    “I like the idea of confidential threat intelligence sharing to whatever agency has the means to push that out,” he said.



    Flash version distributed in China after EOL is installing adware

    Although the Flash Player app formally reached its end of life on December 31, 2020, Adobe has allowed a local Chinese company to continue distributing Flash inside China, where the application still remains a large part of the local IT ecosystem and is broadly used across both the public and private sectors.
    Currently, this Chinese version of the old Flash Player app is available only via flash.cn, a website managed by a company named Zhong Cheng Network, the only entity authorized by Adobe to distribute Flash inside China.
    But in a report published earlier this month, security firm Minerva Labs said its security products picked up multiple security alerts linked to this Chinese Flash Player version.
    During subsequent analysis, researchers found that the app was indeed installing a valid version of Flash but also downloading and running additional payloads.
    More precisely, the app was downloading and running nt.dll, a file that was loaded inside the FlashHelperService.exe process and which proceeded to open a new browser window at regular intervals, showing various ad- and popup-heavy sites.

    Image: Minerva Labs
    The spammy behavior obviously didn’t go unnoticed. Both regular users and other security firms noticed it as well.
    Users complaining that Flash has now started showing popups have been spotted on the Adobe support forum, several local blogs, and in many other places.

    Furthermore, besides Minerva Labs, other security firms have also started picking up suspicious activity related to the FlashHelperService.exe. Cisco Talos ranked this process as its most widely detected threat for the weeks ending on January 14 and January 21, and the file also ranked in its Top 10 on the weeks ending on January 7, February 11, and February 18.
    This particular threat doesn’t impact Western users, since the Flash version downloaded from flash.cn won’t work on systems outside China. But in light of Minerva’s report, they shouldn’t even try to test it, as doing so may install adware and compromise the security of their systems and networks.


    Google's Password Checkup feature coming to Android

    Image: Google
    Android users can now take advantage of the Password Checkup feature that Google first introduced in its Chrome web browser in late 2019, the OS maker announced today.

    On Android, the Password Checkup feature is now part of the “Autofill with Google” mechanism, which the OS uses to select text from a cache and fill in forms.
    The idea is that the Password Checkup feature will take passwords stored in the Android OS password manager and check them against a database containing billions of records from public data breaches and see if the password has been previously leaked online.
    If it has, a warning is shown to the user.
    Google says that users have nothing to fear when it comes to this password-checking mechanism, which does not share their credentials in cleartext over the network, and works as follows:
    • Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database).
    • The server returns a list of encrypted hashes of known breached credentials that share the same prefix.
    • The actual determination of whether the credential has been breached happens locally on the user’s device.
    • The server (Google) does not have access to the unencrypted hash of the user’s password, and the client (user) does not have access to the list of unencrypted hashes of potentially breached credentials.
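As an added illustration, not Google's code, the exchange described above can be simulated with a commutative blinding cipher. Modular exponentiation in Z_p^* with p = 2^255 - 19 stands in for Google's elliptic-curve blinding, and SHA-256 of `username:password` for its credential hash; both are assumptions of this demo, as is the constructed breach list.

```python
import hashlib
import math
import secrets

# Prime modulus for the demo's commutative cipher (2^255 - 19 is prime); the real
# service uses elliptic-curve blinding, so this exponentiation group is an assumed stand-in
P = 2**255 - 19
PREFIX_BYTES = 2  # per the page: the first two bytes of the hash are sent in the clear


def credential_hash(username, password):
    """Full hash of the credential; only values derived from it ever leave the device."""
    return hashlib.sha256(f"{username}:{password}".encode()).digest()


def to_group(h):
    # Map the hash into Z_P^*, skipping 0 (outside the group) and 1 (fixed point)
    return int.from_bytes(h, "big") % (P - 2) + 2


def new_key():
    # Exponent must be coprime to P-1 so that x -> x^k is a permutation of the group
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def blind(value, key):
    # Commutative encryption: blind(blind(x, a), b) == blind(blind(x, b), a)
    return pow(value, key, P)


class BreachServer:
    """Holds breached credentials bucketed by hash prefix; only ever sees blinded client values."""

    def __init__(self, breached):
        self.key = new_key()
        self.buckets = {}
        for user, pw in breached:  # constructed breach corpus, not real data
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_BYTES], []).append(to_group(h))

    def lookup(self, prefix, blinded_client):
        # Re-blind the client's value with the server key and return it together with the
        # server-blinded hashes of every breached credential sharing the cleartext prefix
        bucket = [blind(v, self.key) for v in self.buckets.get(prefix, [])]
        return blind(blinded_client, self.key), bucket


def is_breached(server, username, password):
    """Client side: the breach decision is made locally, as the page describes."""
    h = credential_hash(username, password)
    client_key = new_key()
    double_blinded, bucket = server.lookup(h[:PREFIX_BYTES], blind(to_group(h), client_key))
    # Apply the client key to each server-blinded entry: by commutativity a match equals
    # the double-blinded value, while neither party sees the other's unblinded hashes
    return any(blind(v, client_key) == double_blinded for v in bucket)


if __name__ == "__main__":
    srv = BreachServer([("alice", "hunter2"), ("bob", "Password1")])
    print(is_breached(srv, "alice", "hunter2"), is_breached(srv, "alice", "correct-horse"))
```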
    The Password Checkup feature is rolling out today for all Android 9+ users. To enable Password Checkup, users should make sure Autofill with Google is activated on their devices by following the steps below:
    • Open your phone’s Settings app
    • Tap System > Languages & input > Advanced
    • Tap Autofill service
    • Tap Google to make sure the setting is enabled
    A similar password-checkup feature has been present in iOS 14 since last summer. Most web browsers have also had similar password-breach-checking features for years, such as the ones found in Firefox, Chrome, Safari, and Microsoft Edge.


    These hackers sell network logins to the highest bidder. And ransomware gangs are buying

    A growing class of cyber criminal is playing an important role on underground marketplaces by breaching corporate networks and selling access to the highest bidder to exploit however they please.
    The buying and selling of stolen login credentials and other forms of remote access to networks has long been a part of the dark web ecosystem, but according to analysis by cybersecurity researchers at Digital Shadows, there’s been a notable increase in listings by ‘Initial Access Brokers’ over the course of the last year.
    These brokers work to hack into networks but rather than making profit by conducting their own cyber campaigns, they’ll act as a middleman, selling entry to networks on to other criminals, making money from the sales.
    Access via Remote Desktop Protocol (RDP) is the most sought-after type of listing among cyber criminals. It can provide stealthy remote access to an entire corporate network: because attackers start from legitimate login credentials to remotely control a computer, they are much less likely to arouse suspicion of nefarious activity.
    This demand – and the potential access it offers – is reflected in the price of listings, with the average selling price for access starting at $9,765. It’s likely that the higher the price, the higher the number of machines the buyer would be able to access – providing more opportunity for exploitation.
    This method of access is particularly popular among ransomware gangs, who can potentially make back what they pay for access many times over by issuing ransom demands of hundreds of thousands or even millions of dollars: $10,000 on initial access is almost nothing, if the target can be squeezed to pay a bitcoin ransom.

    Expensive access listings likely reflect the quality of the target, Stefano De Blasi, threat researcher at Digital Shadows, told ZDNet, “for example, RDP access with admin privileges and access to sensitive data.”
    Selling RDP access isn’t a new trend, but the rise in remote working over the last year has seen enterprises suddenly switch to using much more RDP access, providing cyber criminals with additional avenues of attack.
    Often, it’s relatively simple for the cyber criminals acting as access brokers to find insecure RDP connections with publicly available tools. And it’s still common for RDP to be set up with easy-to-guess or default passwords. Ultimately, it’s easy money for the seller to take these details and pass them on.
    Analysis of some of the most popular forums for selling RDP credentials found that education, healthcare, technology, industrial and telecommunications are the most popular targets. Organisations in any of these industries would be a potentially lucrative target for a ransomware attacker.
    Cyber criminals will continue to exploit RDP as a means of breaching networks, so it’s important that organisations have a strategy to ensure the security of remote access when it’s required – that can be as simple as applying multi-factor authentication and avoiding the use of easily guessable passwords.
    “In practice, the fundamentals of protecting information such as one-time complex passwords and IT monitoring practices can go a long way in thwarting most superficial attacks,” said De Blasi.


    Ransomware: Sharp rise in attacks against universities as learning goes online

    The number of ransomware attacks targeting universities has doubled over the past year and the cost of ransomware demands is going up as information security teams struggle to fight off cyberattacks.
    Analysis of ransomware campaigns against higher education found that attacks against universities during 2020 were up 100 percent compared to 2019, and that the average ransom demand now stands at $447,000.


    The sharp rise in the number of ransomware attacks, combined with the six-figure sums ransomware gangs demand in exchange for the decryption key means ransomware represents the number one cybersecurity threat for universities, according to the research by tech company BlueVoyant.
    Ransomware is a problem across all sectors, but for higher education it currently represents a particular problem because the ongoing COVID-19 pandemic means that students are receiving their teaching online while many academics are also working from home.
    Overstretched IT departments might not have the ability to fully address security, providing cyber criminals with an opening to exploit.
    “Operating in the middle of the pandemic provides even greater opportunity for the adversary,” Austin Berglas, global head of professional services at BlueVoyant told ZDNet.

    Berglas said IT staff are already busy ensuring students and staff have the necessary tools to conduct remote learning, from device configurations and the installation of new software and cameras to assisting end users that are having problems with the new technology. “These schools may not have the resources to properly secure the network,” he said.
    That means that universities could be considered an easy target for cyber attackers – and the lack of IT resources, combined with students and staff being reliant on the network being available, means that many victims of ransomware attacks in higher education will consider paying a ransom demand of hundreds of thousands of dollars in Bitcoin in order to restore the network as quickly as possible.
    Researchers suggest that in many cases, cyber criminals are specifically targeting universities because they perceive them to be a soft target, and one from which it is easier to extract a ransom payment than businesses in other areas, which might potentially provide more lucrative targets, but that require more effort from attackers.
    According to the report, more than three-quarters of the universities studied had open remote desktop ports, and over 60% had open database ports – both of which provide cyber attackers with an entry point into networks and a means to eventually deliver and execute ransomware attacks.
    While cyberattacks and ransomware continue to pose a threat to universities – and will continue to do so even after in-person teaching resumes – there are things that can be done in order to improve cybersecurity and reduce the chances of falling victim to malicious hackers.
    This includes applying multi-factor authentication across all email accounts, so that even if cyber criminals obtain login credentials, it’s much more difficult to exploit them for access around the network.
    “Ensure multi-factor authentication using a single sign-on solution. Multi-factor authentication will prevent the majority of phishing attacks, which is one of the top ways ransomware is being deployed,” said Berglas.
    It’s also recommended that universities monitor networks for abnormal behaviour, such as fast logins or logins to multiple accounts from the same location, as that could indicate suspicious activity.
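One way to implement the monitoring suggested above, as an added example that is not from BlueVoyant or its report: two detectors run over constructed authentication log lines, one for a single source address reaching many distinct accounts within a short window, the other for logins to one account faster than a person would type them. The log format, the sample lines and the thresholds are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data):
# "<ISO timestamp> <username> <source IP> <outcome>"
SAMPLE_LOG = """\
2021-02-23T08:00:01 jsmith 203.0.113.5 success
2021-02-23T08:00:09 akhan 203.0.113.5 success
2021-02-23T08:00:15 mlee 203.0.113.5 success
2021-02-23T08:00:22 tnguyen 203.0.113.5 success
2021-02-23T08:01:30 rjones 198.51.100.7 success
2021-02-23T09:15:00 rjones 198.51.100.7 success
2021-02-23T09:15:02 rjones 198.51.100.7 success
2021-02-23T09:15:04 rjones 198.51.100.7 success
2021-02-23T09:15:06 rjones 198.51.100.7 success
2021-02-23T10:00:00 pdavis 192.0.2.44 success
"""


def parse(log_text):
    """Parse the assumed log format into (timestamp, user, source, outcome) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return sorted(events)


def many_accounts_one_source(events, window=timedelta(minutes=5), min_accounts=3):
    """Flag source IPs that successfully log into >= min_accounts distinct accounts within window."""
    by_src = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "success":
            by_src[src].append((ts, user))
    flagged = {}
    for src, items in by_src.items():
        for i, (start, _) in enumerate(items):
            # Distinct accounts seen from this source in the window opening at this login
            users = {u for ts, u in items[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged


def rapid_logins(events, window=timedelta(seconds=10), min_count=4):
    """Flag accounts with >= min_count successful logins inside window; returns span in seconds."""
    by_user = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "success":
            by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        for i in range(len(stamps) - min_count + 1):
            span = stamps[i + min_count - 1] - stamps[i]
            if span <= window:
                flagged[user] = span.total_seconds()
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(many_accounts_one_source(evts))
    print(rapid_logins(evts))
```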


    Qualcomm, Sophos ink deal to secure 5G Snapdragon PCs

    Qualcomm has signed up Sophos to provide cybersecurity solutions for the next wave of 5G-enabled PCs. 

    Announced on Tuesday, the US chipmaker said Sophos, a British endpoint security firm, will supply Intercept X endpoint protection software for 5G PCs. 
    “The combination of Sophos Intercept X with Snapdragon compute platforms will provide users next-generation security through an always on, always connected PC environment,” the companies say. 
    Sophos Intercept X is endpoint detection and threat response software, including the prevention of malicious code deployment such as ransomware. According to the firm, the Snapdragon processor series — used to power light, 5G-supportive PCs — will come in useful in combating security blackspots as the software will leverage connected standby functions. 
    The cybersecurity firm says this will mean that “security investigations have fewer unknowns as data won’t be missed due to devices being offline.”
    In addition, Qualcomm’s artificial intelligence (AI) engine, used to enhance connectivity, gaming, and photography, will be leveraged by Intercept X for optimization purposes. 
    Security, too, should start at the hardware level. Sophos’ solution will be applied to root of trust systems in Snapdragon PCs to bolster “cryptographic integrity.”

    “By working with Sophos, we are taking on-device security to a new level by enhancing their industry-leading endpoint protection with AI accelerated threat detection on our solutions,” commented Miguel Nunes, senior director of Product Management at Qualcomm. “We’re excited for Sophos to transform computing with next-generation enterprise-grade security on 5G powered Snapdragon compute platforms.”
    Intercept X for Snapdragon platforms will be available in the second half of 2021.
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    IBM issues patches for Java Runtime, Planning Analytics Workspace, Kenexa LMS

    IBM has issued security patches designed to resolve high- and medium-severity bugs impacting the tech giant’s enterprise software solutions. 

    This week, the tech giant published a set of security advisories laying out fixes for vulnerabilities that impact IBM Java Runtime, IBM Planning Analytics Workspace, and IBM Kenexa LMS On Premise. 
    The first advisory addresses CVE-2020-14782 and CVE-2020-27221, two security flaws in IBM Runtime Environment Java 7 and 8 which are used by IBM Integration Designer — enterprise software used to integrate data and applications into existing business processes — in IBM’s Business Automation Workflow and Business Process Manager software suites. 
    CVE-2020-14782 is a bug in Java SE’s library component that could allow attackers to compromise Java SE via multiple protocols, but this takes a sandbox environment to trigger and so is considered difficult to exploit. 
    CVE-2020-27221, however, is of far more concern and has been issued a CVSS base score of 9.8, a critical rating. This stack-based buffer overflow vulnerability relates to Eclipse OpenJ9 and could be used by remote attackers to execute arbitrary code or cause an application crash. 
    The second advisory focuses on IBM Planning Analytics Workspace, a component of Planning Analytics, the firm’s collaboration and management planning software. In total, five vulnerabilities that impact the software have been resolved, including a Node.js HTTP request smuggling issue (CVE-2020-8201), CVE-2020-8251 — a Node.js denial of service flaw — and a Node.js buffer overflow bug, CVE-2020-8252, that could be exploited by attackers to execute arbitrary code. 
    Two further vulnerabilities, a data integrity weakness that can be triggered via XML external entity (XXE) attacks in FasterXML Jackson Databind (CVE-2020-25649), and CVE-2020-4953, a problem in Workspace that could allow remote — but authenticated — attackers to steal sensitive data exposed in HTTP responses — have also been tackled.

    IBM also posted a security advisory describing vulnerabilities affecting IBM Kenexa LMS On Premise, an enterprise learning management system. In total, five low-impact bugs have been patched, all of which relate to the use of Java SE and could lead to problems including denial of service and potential data theft if combined with other attack vectors. 
    Last week, IBM issued security bulletins for IBM Spectrum Symphony 7.3.1 and IBM Spectrum Conductor 2.5.0 and upgrades to third-party libraries that are susceptible to a wide range of vulnerabilities.