More stories

  • LastPass making changes to free service

    Are you a LastPass Free user? The company has announced that changes are coming your way.

    Currently, free users can access their LastPass account across device types, mobile, and desktop.
    Starting March 16th, 2021, free users will only be able to choose between having access on their mobile devices (including mobile phones, smartwatches, and tablets) or their computers (including all browsers running on desktops and laptops).
    On this date, free users will get the chance to choose between mobile and computers and will get three opportunities to switch the active device type to explore what’s right for them.
    LastPass explains the changes as follows:
    Sarah is a Free user with Computers as her active device type. She can use LastPass on her laptop, desktop, and her dad’s laptop (anyone’s computer!), but she can’t use LastPass on her phone, tablet, or smartwatch unless she upgrades to LastPass Premium, which has unlimited device type access. 
    Steve is a Free user with Mobile Devices as his active device type. He can use LastPass on his iPhone, Android work phone, tablet, and smartwatch, but he can’t use LastPass on his desktop or laptop unless he upgrades to LastPass Premium, which has unlimited device type access. 
    Also, as of May 17th, 2021, email support will only be available for Premium and Families customers.
    Don’t like this? You can either migrate your passwords to another service or tool, or pay LastPass $2.25 per month (billed annually) for LastPass Premium. I’ve been a long-time LastPass Premium user, and I find the service to be very good.

  • This cybersecurity threat costs business millions. And it's the one they often forget about

    While ransomware is the cyberattack most feared by businesses, another form of cybercrime is slipping under the radar, one that is proving highly lucrative for internet fraudsters – and costly to business.
    A business email compromise (BEC) attack sees cyber criminals use social engineering to trick an employee at a business into transferring a large sum of money to an account controlled by the crooks.


    Often these messages pretend to be from someone the victim knows, such as their boss, a colleague or another known and trusted business contact. The attackers can steal hundreds of thousands of dollars just by sending a few emails – and by the time the victim has realised they’ve been duped by cyber criminals, it’s too late.
    And while ransomware is the highest-profile form of cybercrime targeting businesses, it’s BEC scams that are the most financially damaging.
    “When you look at some of the data that’s come out comparing business email compromise to things like ransomware, business email compromise by far comprises the most amount of financial loss for businesses, all over the world,” Crane Hassold, senior director of threat research at Agari, told ZDNet’s Security Update video series.
    The FBI lists BEC as the cybercrime with the highest amount of reported losses, accounting for $1.77 billion in losses during 2019 alone. Reported losses from ransomware over the same period were a comparatively small $9 million (although more recent ransomware numbers will be significantly higher).

    “So while ransomware gets all the news, it’s nothing compared to the amount of loss that’s caused by business email compromise,” said Hassold.
    The lucrative nature of BEC scams is even pushing some cyber-criminal operations away from malware and ransomware attacks and towards wire-transfer fraud. One of these is a Russian-based hacking group that Agari identifies as Cosmic Lynx – they used to distribute malware attacks, but now they’re making much more money with phishing and email fraud.
    “What we’ve seen over the past few years is that the cyber criminals have realized that their more technically sophisticated attacks have become less successful. And so what the cyber criminals have done is they’ve become less technically sophisticated in their attacks,” said Hassold.
    “Thinking about this as a business from an overhead perspective, there’s not really much behind the scenes with a BEC attack, and so the amount of profit you’re able to make from those attacks is significantly higher,” he added.
    One of the reasons BEC is so successful is because the nature of doing business online means actions often need to be taken quickly – and with more people working remotely than ever before, checking to see if that email really came from your colleague is more difficult.
    However, if an organisation sets up business processes that have to be followed, with approval needed from multiple people before a wire transfer can be sent, that could go a long way towards preventing BEC attacks.
    “If there’s an established process for wire transfer and for wire-transfer requests, then a lot of BEC attacks would be stopped,” Hassold said.

  • Pure Storage's Purity software update includes ransomware recovery tools

    Pure Storage is rolling out a new version of its Purity software for FlashBlade and FlashArray, with features designed to ease recovery from ransomware attacks.
    The Purity updates land as part of Pure Storage’s Evergreen program, which provides software updates for all of its gear and appliances.
    For Purity for FlashBlade, Pure’s Unified Fast File and Object storage platform, the company is adding SMB support that accelerates Windows applications and features SafeMode Snapshots for rapid ransomware recovery. Purity for FlashBlade also includes replication, file system rollback and validation for SQL Server backup speeds higher than 1TB/min.
    Purity for FlashBlade, available in the first quarter, also enhances security for AWS S3 and has unified APIs and software development kits. Purity for FlashBlade is designed to enable SMB workloads to scale.
    According to Pure, Purity for FlashArray also includes tools for ransomware recovery. The system includes Purity SafeMode that combines snapshots and policy-based retention to ensure protected data is able to be recovered in seconds.
    Ransomware is an ongoing problem for enterprises of all sizes.
    Purity for FlashArray also includes ActiveCluster over Fibre Channel, which is integrated with Pure1 Cloud Mediator, as well as NVMe support. Pure said it is also launching a new entry-level FlashArray//C40 designed to compete with hybrid arrays. Purity for FlashArray is available immediately.

    Here’s a look at Purity’s core features and services.

    [Figure: The services included in Pure Storage’s Purity platform. Credit: Pure Storage]

  • Supply chain attacks are on the rise: Check your software build pipeline security

    Addressing large enterprises and government agencies, the UK’s National Cyber Security Centre (NCSC) has issued a warning that attacks on a software build pipeline “can have wide-reaching impact”.
    The compromise of SolarWinds’s updates, which the US says was “likely” carried out by Russian hackers as part of a broader campaign, has put the software supply chain and software development processes in the spotlight. It wasn’t the first software supply chain attack, but Microsoft has called it the “largest and most sophisticated attack the world has ever seen”. 


    NCSC doesn’t mention SolarWinds, but notes that the software build process is often “overlooked” despite broad awareness of security for software developers. 
    It says that automating software development through continuous integration and continuous delivery (CI/CD), a popular approach in which frequent updates pass through built-in security checks, can be a good way of securing the software pipeline.
    “It’s crucial that the pipeline is well-defended, and that it protects each build from other builds in the pipeline,” says NCSC. 
    The key message here is to isolate different builds sufficiently from one another, so that if some part of the pipeline is compromised, each build is at least shielded from the others.

    Organizations taking advantage of software development automation also need to ensure the processes can demonstrably enforce that the security checks have taken place – or those checks won’t be worth much, it says.
    Attackers that compromise the software development pipeline can: add malicious code to the software that was built and deployed by that pipeline; access any secrets used by the pipeline; and potentially gain access to other source code repositories and environments.
    “The pipeline needs to be defended against attack at least as effectively as the environments it deploys to,” NCSC notes. 
    Its recommendations are broadly in line with those of Microsoft, Google, and the NSA. These include using multi-factor authentication, designing system access around the principle of least privilege, and using network security controls and monitoring to detect attacks.
    But NCSC also has advice on how organizations should select virtual machines for development work. 
    “Performing each build in a single-use virtual machine will make it very hard for one build to attack another using shared hardware (like the CPU), whereas two builds sharing an OS kernel will have many more ways to interfere with each other,” NCSC notes. 
    “If a build can access stored information on other builds (such as their source code or build artefacts), then it may be able to steal secrets or modify those builds.”
    To be able to prove the integrity of a software build, NCSC advises companies to use in-transit encryption for code fetched from a code repository, for build artifacts sent to the artifact repository, and for deployment to the final environment.
    Finally, organizations should use cryptographic checksums to record the data processed by the pipeline.
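    The checksum recording NCSC recommends, as an added illustration that is not NCSC’s or any vendor’s code: each pipeline stage records a SHA-256 digest of what it fetched or produced, the record itself is hashed, and a later stage verifies what it receives against the record. The file contents are constructed sample data; the stage names and manifest layout are assumptions, not a standard format.

    ```python
    import hashlib
    import json
    from typing import Dict, List

    # Constructed sample inputs: in a real pipeline these would be the fetched
    # source tree and the build output, not embedded byte strings.
    SOURCE_FILES = {
        "main.go": b"package main\n\nfunc main() {}\n",
        "go.mod": b"module example.com/app\n\ngo 1.16\n",
    }
    BUILD_ARTIFACT = {"app.bin": b"\x7fELF constructed-build-output"}


    def sha256_hex(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()


    def record_stage(stage: str, files: Dict[str, bytes]) -> dict:
        """Record one stage (assumed names: 'fetch', 'build') as path -> sha256."""
        digests = {path: sha256_hex(content) for path, content in sorted(files.items())}
        return {"stage": stage, "digests": digests}


    def entries_digest(entries: List[dict]) -> str:
        # Canonical JSON so the same entries always hash the same way.
        return sha256_hex(json.dumps(entries, sort_keys=True).encode())


    def build_manifest() -> dict:
        """Produce the per-stage record, plus a digest over the record itself."""
        entries = [record_stage("fetch", SOURCE_FILES), record_stage("build", BUILD_ARTIFACT)]
        return {"entries": entries, "manifest_sha256": entries_digest(entries)}


    def manifest_intact(manifest: dict) -> bool:
        """Detect edits to the record made after it was written."""
        return entries_digest(manifest["entries"]) == manifest["manifest_sha256"]


    def verify_stage(manifest: dict, stage: str, files: Dict[str, bytes]) -> List[str]:
        """Compare files seen at a later stage with the recorded digests.

        Returns a list of problems (missing, modified, or unrecorded files);
        an empty list means the stage's inputs match what was recorded."""
        recorded = next(e for e in manifest["entries"] if e["stage"] == stage)["digests"]
        problems = []
        for path, digest in recorded.items():
            if path not in files:
                problems.append(f"{stage}: {path} missing")
            elif sha256_hex(files[path]) != digest:
                problems.append(f"{stage}: {path} digest mismatch")
        for path in files:
            if path not in recorded:
                problems.append(f"{stage}: {path} not in manifest")
        return problems


    if __name__ == "__main__":
        manifest = build_manifest()
        print(json.dumps(manifest, indent=2))
        print("deploy stage check:", verify_stage(manifest, "build", BUILD_ARTIFACT))
    ```

    A deploy stage that refuses any non-empty result from `verify_stage`, and any manifest for which `manifest_intact` is false, cannot silently ship an artifact that differs from what the build stage recorded.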

  • Apple patches severe macOS Big Sur data loss bug

    For the past few weeks, macOS Big Sur has suffered from a bug that could cause serious data loss. The bug was introduced in Big Sur 11.2, and it made its way into the 11.3 beta.

    The bug comes down to the macOS Big Sur installer not checking whether the Mac has the free space required to carry out an upgrade. The upgrade then runs into problems and, worse, if the user’s Mac was encrypted using FileVault, the user is locked out of their data.
    Pretty scary stuff.
    The bug has been explored extensively by Mr. Macintosh, outlining the problem, some possible solutions, along with a very informative and detailed video. The bug was narrowed down to an evil Goldilocks zone, where users had more than 13GB of free space, but less than 35.5GB.
    The video is truly awesome work. Thank you Mr. Macintosh for your work!
    The good news is that Apple has finally released an updated macOS Big Sur 11.2.1 installer — (20D75) — that properly checks for the free space.

    The fix has been confirmed by Mr. Macintosh.

    macOS Big Sur 11.2.1 (20D75) full installer is now available for download. I’ve confirmed the new installer now checks for free space properly. This was a serious problem, and I’m glad users will no longer get caught by this issue. https://t.co/dYSuRjdd4p pic.twitter.com/ILxoKfhORn
    — Mr. Macintosh (@ClassicII_MrMac) February 15, 2021

    What’s the moral of this story?
    Have a backup, and perhaps allow others — who are braver and more foolhardy — to go first. Also, check the system requirements and don’t rely on the installer to check everything.
    Oh, also, don’t believe that whole “it just works” thing.

  • Losses to romance scams reached a record $304 million in 2020

    The current COVID-19 pandemic and the subsequent stay-at-home and social distancing directives might have played a major role in romance scams losses reaching record levels in 2020, the US Federal Trade Commission said in a report last week.

    Total losses were estimated at a record $304 million, up about 50% from 2019, with the average loss last year being estimated at $2,500 per individual.
    “From 2016 to 2020, reported total dollar losses increased more than fourfold, and the number of reports nearly tripled,” the agency said.
    The FTC believes that the 50% spike in losses recorded in 2020 can be attributed to the COVID-19 pandemic, which has limited people’s ability to meet in person and has pushed more users towards online, long-distance and impersonal communications, such as dating apps.
    In many cases, the ruse is that the target of a romance scam is asked to send money back to the crooks.
    “Scammers claim to have sent money for a cooked-up reason, and then have a detailed story about why the money needs to be sent back to them or on to someone else. People think they’re helping someone they care about, but they may actually be laundering stolen funds,” the FTC said.
    “In fact, many reported that the money they received and forwarded on turned out to be stolen unemployment benefits.”
    Users targeted on social media too, not just dating apps

    Furthermore, the FTC also warned that romance scams don’t always start on dating apps; many begin on social media networks.
    “These social media users aren’t always looking for love, and report that the scam often starts with an unexpected friend request or message,” the FTC said.
    “Sooner or later, these scammers always ask for money. They might say it’s for a phone card to keep chatting. Or they might claim it’s for a medical emergency, with COVID-19 often sprinkled into their tales of woe. The stories are endless, and can create a sense of urgency that pushes people to send money over and over again.”
    The most common forms of transferring money from victims were gift cards, which saw a 70% spike from 2019, followed by wire transfers.
    And according to the FTC, all age groups were targeted last year, not just the elderly. Victims aged 40 to 69 were targeted the most, while victims aged over 70 reported the highest average losses (~$9,475), but other age groups also saw spikes in reports and average losses.
    The US government agency urged users to share its romance scam guide with vulnerable friends or family members as a way to reduce the efficacy of these scams going forward.

  • Automating scam call blocking sees Telstra prevent up to 500,000 calls a day

    Telstra has said it is now blocking approximately 6.5 million suspected scam calls a month, at times up to 500,000 a day, thanks to automating what was previously a manual process that blocked around 1 million scam calls a month.
    The system that Telstra built in-house forms the third leg of its Cleaner Pipes program.
    In May, the company kicked off with DNS filtering to fight against botnets, trojans, and other types of malware, and extended to blocking phishing text messages purporting to be from myGov or Centrelink before they hit the phones of customers.
    “Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly AU$48 million last year,” CEO Andy Penn wrote in a blog post.
    “If you think you are receiving a scam call, our simple advice is: Hang up.”
    Penn said the company would only call customers between 9am and 8pm on weekdays, and between 10am and 3pm on Saturdays, and never on a Sunday.
    “The exception to this is if you have an unpaid account or a customer-initiated inquiry with respect to an order, fault or complaint, someone from Telstra may call you outside of these hours,” he added. “We’ll respect your wishes and terminate the call if you say no thanks and we won’t call repeatedly if you don’t answer — these are all hallmarks of scam calls.”

    The CEO said any customers that believe they have been scammed should contact the telco.
    “We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network,” Penn said.
    “It will take more investment and innovation, and continued support from government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.”
    Last week, Telstra reported a challenging first half of its fiscal year as it saw double-digit drops in revenue and earnings before interest, income tax expense, depreciation, and amortisation (EBITDA) and, consequently, it has revised its guidance downwards.
    For the half year to December 31, the company saw revenue fall 10% to AU$12 billion, while EBITDA dropped 14.7% to AU$4 billion, and EBIT took a 20% hit to decline to AU$1.64 billion. Thanks to a substantially lower level of income tax, down 60% to AU$209 million, net profit fell only 2.2% to AU$1.13 billion.

  • Researchers want Australia's digital ID system thrown out and redesigned from scratch

    Researchers have recommended that the Australian government abandon its existing digital identity system and start again from scratch, again highlighting security flaws in two of the systems already accredited.
    Professor Vanessa Teague and Ben Frengley last year disclosed to the Australian Taxation Office (ATO) a weakness in its myGovID system. They found myGovID is subject to an easily implemented code proxying attack, which allows a malicious website to proxy a person’s myGovID login and re-use their authentication to log in to the victim’s account on any website of their choice.
    The pair said the ATO, in response, informed them that it had no intention of fixing the flaw.
    The Digital Transformation Agency (DTA) is responsible for the Trusted Digital Identity Framework (TDIF), which is a high-level design for a federated authentication system.
    “The primary security goal of an authentication mechanism is to prevent malicious parties from logging in fraudulently to others’ accounts. A secondary security goal is to maintain the privacy of the identity proof documents and biometric data used to establish identity,” the researchers wrote [PDF].
    “Neither the TDIF’s high-level design, nor its implementation by the ATO (myGovID) meet their intended security goals.”
    myGovID is an accredited digital ID provider, as is Australia Post’s equivalent identity service. Teague and Frengley have identified flaws in the postal service’s system, too.

    The Identity Exchange (IdX), the researchers said, acts as a single point of failure for both privacy and authentication, resulting in an “extremely brittle architecture that would allow for large-scale identity fraud if that one component came under the control of a malicious party”.
    They said the IdX is intended to hide the identity of the relying party from the identity provider, but fails to do this in the ATO’s implementation. Also of concern to the pair is that the implementation of the TDIF in Australia Post’s Digital iD does not even appear to use an IdX at all, despite it being the fundamental component of the TDIF’s design.
    “Although we have not examined Australia Post’s implementation in detail, it seems to diverge substantially from the TDIF specification, but has apparently been accredited anyway,” they added.
    “The TDIF as currently designed and implemented does not meet its own guiding principles — it is not immediately obvious that a brokered model without technical means to preserve privacy even can meet them.”
    As a result, the researchers have recommended a “careful re-evaluation of the priorities of the TDIF”, and a consideration of other options which may meet its goals.
    Alternatives the pair have offered up include the use of a public key infrastructure-based system or the use of a simple, standard, pairwise OpenID Connect protocol instead of a “complex brokered model with poor privacy and security properties”.
    “The system should be abandoned and redesigned from scratch by people with some understanding of secure protocol design and some concern for protecting their fellow citizens from identity theft,” they wrote.
    “Legislating to make it secure by fiat will not stop organised crime, foreign governments, or ordinary criminals, from taking advantage of its design flaws. A public key infrastructure is much more likely to succeed.”
    The researchers were also concerned with a paragraph in the DTA’s consultation paper that states the resulting digital ID legislation will include additional mechanisms, including penalties for protecting information used in the system, such as biometric information.
    These mechanisms could include criminal offence provisions and civil penalty provisions.
    “There are numerous Australian laws that do effectively penalise protecting information, but this is the first time we have seen the objective stated explicitly without invoking terrorists or paedophiles,” Teague and Frengley wrote.
    “We hope this is a typo, and strongly suggest penalising the inappropriate sharing or negligent leaking of information instead.
    “It is important not to criminalise security research aimed at improving the system’s security by openly examining its (numerous, serious) weaknesses.”