More stories


    Cisco Meraki and Openpath launch new enterprise access, video security solution

    Cisco Meraki and Openpath have teamed up to provide a combined security platform designed for smart cameras and building access control.

    On Wednesday, the companies said that by merging Cisco Meraki’s cloud security and smart camera technology together with Openpath’s access control and workplace safety automation portfolio, clients can take advantage of “cloud-first, security technology that can be managed from any location in real-time.”
    The partnership’s Video Management System (VMS) integration links access activity with the smart camera systems, and an integrated dashboard lets security staff monitor access in and out of facilities.
    In addition, the cloud-based solution can be managed remotely, including report submission and access, the remote locking and unlocking of doors, and entry input. Multiple sites can be managed under one account. 
    Real-time event alerts can be enabled for staff to be made aware of when particular doors are accessed, and a “find and follow” system allows security staff to track the movements of a visitor when security events are triggered. 
    “This capability allows for rapid resolution in real-time of security situations and enhances audit and compliance reviews with easy to access and accurate tracking,” the companies say. 
    Research facilities at the University of Virginia’s Biocomplexity Institute have signed up to use the new solution.

    “It is more important than ever that organizations have flexible and agile platforms that can be quickly adapted to meet the security needs of today and tomorrow,” commented Alex Kazerani, Openpath CEO. “We’re thrilled to partner with Cisco Meraki […] to make the most integrated security platform available for the enterprise and look forward to continuing to build on these innovations to safeguard our joint customers.”


    Microsoft Defender ATP is detecting yesterday's Chrome update as a backdoor

    Image provided to ZDNet by a reader
    Microsoft Defender Advanced Threat Protection (ATP), the commercial version of the ubiquitous Defender antivirus and Microsoft’s top enterprise security solution, is currently having a bad day and labeling yesterday’s Google Chrome browser update as a backdoor trojan.


    The detections, as can be seen in a screenshot above shared with ZDNet by one of our readers, are for Google Chrome 88.0.4324.146, the latest version of the Chrome browser, which Google released last night.
    As per the screenshot above, but also based on reports shared on Twitter by other dismayed system administrators, Defender ATP is currently detecting multiple files that are part of the Chrome v88.0.4324.146 update package as containing a generic backdoor trojan named “PHP/Funvalget.A.”
    The alerts have caused quite a stir in enterprise environments in light of recent multiple software supply chain attacks that have hit companies across the world over the past few months.
    System administrators are currently awaiting a formal statement from Microsoft to confirm that the detection is a “false positive” and not an actual threat.

    ATP is triggering on C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.146\Locales\sk.pak
    — Dark Defender (@ShadyDefender) February 3, 2021

    Hey @msftsecresponse – Seeing lots of Defender ATP alerts this morning on C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.104\Locales\sl.pak detected as PHP/Funvalget.A. Can you confirm this is a false positive? SHA256 in reply.
    — W. David Winslow (@wdwinslow) February 3, 2021

    Defender detected sl.pak as ‘Backdoor:PHP/Funvalget.A’ C:\Program Files\Google\Chrome\Application\88.0.4324.146\Locales\sl.pak
    Defender detected chrome.7z as ‘Backdoor:PHP/Funvalget.A’ C:\Program Files\Google\Chrome\Application\88.0.4324.146\Installer\chrome.7z
    — itquartz (@itquartz) February 3, 2021

    ZDNet contacted a Microsoft spokesperson before this article’s publication, seeking a formal statement on the ATP detections.
    Chances are that this is indeed an erroneous detection, but until a formal announcement, administrators are advised to wait before taking other actions.

    The free version of the Microsoft Defender antivirus, the one that ships with all recent Windows versions, has not detected the recent Chrome update as malicious, according to multiple ZDNet tests.
    Updated at 15:55 ET to add that Microsoft has confirmed that today’s Funvalget detections for Chrome files were false positive detections due to “an automation error.”


    SolarWinds patches three newly discovered software vulnerabilities

    SolarWinds customers are being urged to apply newly released security patches after the discovery of three previously undisclosed severe vulnerabilities which could allow attackers to abuse the enterprise IT administration tools to take control of Windows systems.
    The disclosure of the two vulnerabilities in SolarWinds Orion and one in SolarWinds Serv-U FTP comes following December’s discovery that SolarWinds had been hacked – likely by a Russian operation – and its software updates compromised in order to distribute malware to 18,000 Orion customers.
    The hack was part of a wider campaign against other tech vendors that represents one of the biggest cyber incidents in recent years, and it led cybersecurity researchers at Trustwave to examine SolarWinds products for further vulnerabilities – and they found three.
    The most severe vulnerability (CVE-2021-25275) could allow attackers to exploit a flaw in how Orion works with Microsoft Message Queue (MSMQ) to gain access to secured credentials in the backend and gain complete control over the entire Windows server. This could be used to steal information or add new admin-level users to Orion.
    A second vulnerability (CVE-2021-25274) could allow remote, unauthenticated users to run code in a way that allows the complete control of the underlying Windows operating system. This again could lead to unauthorised access to sensitive systems and servers.
    The third vulnerability (CVE-2021-25276) relates to SolarWinds Serv-U FTP and allows anyone who can log in locally, or remotely via RDP, to add an admin account, with all the privileges that brings when it comes to access to the network and servers, potentially providing an attacker with access to sensitive information.
    “All of these vulnerabilities have the potential of completely compromising the Windows server running valuable software,” Karl Sigler, threat intelligence manager at Trustwave told ZDNet.

    “Orion isn’t like an Office suite, it’s used by your network administrator and other people with a lot of privileges and access to valuable data on the network,” Sigler said.
    Trustwave disclosed their findings to SolarWinds and security patches have been released to close the vulnerabilities and prevent them being exploited.
    “Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now. The vulnerabilities announced by Trustwave concerning Orion 2020.2.4 have been addressed via a fix released on Jan 25, 2021. The vulnerabilities concerning Serv-U 115.2.2 will be addressed via a fix released on Feb 3, 2021,” a SolarWinds spokesperson told ZDNet.
    “We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process,” they added.
    There’s currently no evidence that cyber attackers have successfully used these vulnerabilities.
    “We can never one hundred percent say these haven’t been exploited in the wild – but I think we’ve beaten the bad guys to the punch here. I think we were able to find them before they did and hopefully put patches in place before they learn how to exploit them,” said Sigler.
    It’s therefore recommended that organisations have a strategy to apply the security patches required to protect against the three newly disclosed vulnerabilities as soon as possible.



    Privacy survey: Consumers have poor understanding of data privacy yet think they are taking proactive steps

    The vast majority of consumers have a poor understanding of data privacy issues yet think they are proactive in protecting themselves, according to a survey of US and UK residents.

    More than 83% of the 1,000 people surveyed said they were proactive in maintaining their data privacy; however, they did not take basic precautions to protect their data — showing a lack of education without a corresponding drop in confidence.
    The survey from Entrust, a US Identity management and data privacy company, also found that 64% are willing to share personal data if it makes it easier to access key services. 
    And a whopping 83% say they are comfortable storing their biometric data with apps or third-party identity verification systems such as those at airports.
    Consumers exhibited a split personality in that they had high confidence in their abilities to protect their personal data but 79% also said they were somewhat or highly concerned about their data. 
    About one third (34%) of consumers were very pessimistic, saying they believed they had little control over their data; nearly one-quarter said the issues were too complex to understand, and 30% did not know where to begin.
    A key difference between countries: UK consumers had a significantly higher trust in their employers, banks and government agencies to hold their personal data secure. 

    Major Internet platforms have come under fire for their use and misuse of consumer personal data. In 2021 US and UK lawmakers are looking at potential regulations to control the use of personal data. This will have huge consequences on multi-billion dollar online advertising markets and data sellers. 
    The Entrust survey shows that voters will need to become better educated to be able to understand and support upcoming data privacy regulations. 
    More survey findings are here.



    Singapore passes bill governing police use of contact tracing data

    Singapore has passed new legislation detailing the scope of local law enforcement’s access to COVID-19 contact tracing data. It does so amidst questions whether the bill offers sufficient clarity and if police access should be excluded in the interest of public health. 
    The COVID-19 (Temporary Measures) (Amendment) Bill was debated, and eventually passed, in parliament Tuesday under a Certificate of Urgency, which allows the government to more swiftly introduce new legislation deemed urgent. The move comes weeks after it was revealed the police could access the country’s TraceTogether contact tracing data for criminal investigations, contradicting previous assertions that this information would only be used when the individual tested positive for the coronavirus. 
    It sparked a public outcry and prompted the government to announce plans for a new bill that would limit police access to seven categories of “serious offences”, during which contact tracing data could be used for criminal probes, inquiries, or court proceedings. These included cases involving terrorism, use or possession of dangerous weapons, kidnapping, and serious sexual offences.

    The new legislation also encompasses data collected through other digital contact tracing apps, such as location visitor log SafeEntry and BluePass tokens, which are issued to migrant and local workers living or working in dormitories as well as those in construction, marine shipyard, and process sectors. BluePass data is interoperable with the TraceTogether platform. 
    Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices — within 2 metres of each other for more than 30 minutes — to allow them to identify those who have been in close contact when needed. Data collected is encrypted and stored for 25 days, before it is automatically deleted from the app or token. 
    There currently are more than 4.2 million TraceTogether users, or about 80% of the local population. 
    The new bill does not cover aggregated or anonymised data and supersedes existing laws. Public officers or contractors engaged by government agencies who are found guilty of unauthorised use or disclosure of contact tracing data face fines of up to SG$20,000 or imprisonment of up to two years, or both. 

    TraceTogether and SafeEntry systems would cease once the pandemic is declared over — a timeframe that must be specified by the government. Public sector agencies then must stop collecting such data and remove collected personal contact tracing data “as soon as practicable”. 
    This means the police can no longer access data unless it has been previously retained and used in criminal investigations and court proceedings. 
    In debating the bill during parliament Tuesday, members raised questions on whether details laid out were overly vague and whether it was necessary in the first place to provide police access at the risk of public health.
    Calls to limit TraceTogether to original contact tracing purpose
    Leader of the opposition Workers’ Party, Pritam Singh, noted that the missteps leading up to the revelation that police could access TraceTogether data had bred scepticism and eroded public trust. The perceived lack of empathy towards personal privacy on the government’s part had prompted some to circumvent the app’s tracing ability, such as turning off Bluetooth after checking into a location, he said.
    Singh said the Workers’ Party believed anything that compromised the use of TraceTogether should take a backseat and its use should be limited to contact tracing, which also then would align with the government’s original assurance. 
    “I am of the view that such an approach would also engender greater confidence, given that a public conversation on privacy has hitherto not been ventilated in a significant way in Singapore,” he said. 

    The police, too, already had an abundance of tools that were sufficient to aid in their criminal investigations, including access to CCTVs, forensic examinations of mobile phones, and old-fashioned police work such as the use of informants and collecting physical evidence.
    That said, however, he said the opposition party would lend its support to the bill since Singaporeans’ right to privacy could be better protected with it, rather than without. 
    Singh’s colleague Sylvia Lim, who is also a Member of Parliament, called for further clarifications to be made regarding the definition of the seven categories of serious offences, which she said were broad and could lead to ambiguity in their application. She suggested that specific examples of what could constitute, or not, as serious offences under these categories would provide a clearer guideline. 
    In further supporting her party’s stance that TraceTogether should exclude police access, Lim noted that the Australian government was amongst countries that had opted to prohibit such access to contact tracing data. 
    Singh also asked if the government could detect if an individual had deactivated Bluetooth upon gaining entry to a venue and whether such circumvention indicated a need for the government to review the effectiveness of TraceTogether and, hence, use by the police. 
    Minister-in-Charge of the Smart Nation Initiative and Foreign Affairs, Vivian Balakrishnan, said some 58% of individuals used the contact tracing app at least once daily and this figure had remained largely the same even after it was revealed police had access to the data.
    There were, however, no details on how many turned off the app or Bluetooth connectivity because the platform was designed specifically with privacy concerns in mind, he said. 
    Balakrishnan explained that the app, when activated, would query a central server to determine if the individual had been in the same vicinity and at the same time as a COVID-19 patient. If there was such an overlap, an alert would be pushed to the individual so they would know to monitor their health for any potential symptoms. They would be contacted directly by health officials if they were a close contact. 
    He acknowledged that some individuals were “gaming” the contact tracing system and urged them against doing so in order to better protect themselves against the pandemic. 
    According to the minister, 350 people had requested their TraceTogether data to be deleted from the central server over the past month. 
    He stressed that TraceTogether, by design, was created for contact tracing purposes and not intended for police use. Data collected was stored locally on the user’s device or token and uploaded to the central server only when the user entered a pin, which would be provided if they were identified as a close contact, or when the token was physically handed over to health authorities. 
    “GovTech took great pains to create an app that was fundamentally privacy-protecting at its core, by design,” the minister said, adding that the platform collected only proximity data and did not capture GPS or movement data. The token also did not have cellular connectivity. “These were conscious design decisions made at conception.”
    Based on these considerations, he said it would be reasonable to argue that for most cases, TraceTogether data would not prove very useful for police use. However, law enforcers also should not be unnecessarily hindered in investigating any possible leads that could help in their criminal investigations, he added.
    Noting that the new bill was not established to set a precedent, Balakrishnan said the government had taken “this exceptional step” to encourage public participation in TraceTogether whilst maintaining public confidence in the contact tracing programme.


    Mozilla expected to launch its VPN service in Germany and France in Q1 2021

    Image: Mozilla, ZDNet, Jason Leung
    Mozilla is expected to expand its virtual private network (VPN) offering in Germany and France by the end of Q1 2021, marking the service’s first expansion inside the EU.

    The move comes after the browser maker formally launched the Mozilla VPN service last summer in the US, the UK, Canada, New Zealand, Singapore, and Malaysia.
    The Mozilla VPN service, which initially launched as a Firefox extension named Firefox Private Network, has since expanded into a full-device VPN client, available for Windows 10, macOS, Linux, Android, and iOS devices.
    The service, which is built around the WireGuard protocol, uses servers provided by Mullvad and is currently priced at $5/month.
    Mozilla says the VPN service currently runs on top of more than 280 servers across more than 30 countries across the globe, with “no logging” and “no bandwidth restriction” policies.
    Since its informal announcement in 2019 and after its official launch in 2020, the VPN service has been one of the most highly-anticipated VPN offerings on the market, primarily due to Mozilla’s privacy-first reputation.
    The browser maker is currently running a waitlist where users can sign up and be notified when the VPN service launches in their country.

    The VPN service is also Mozilla’s first fully commercial product as part of a new business strategy the browser maker adopted last year. In August 2020, Mozilla fired more than 250 employees and moved away from several open-source and non-revenue-generating products to focus on developing its own revenue streams, as an alternative to its Google search deal that has usually accounted for most of the organization’s budget in the previous decade.


    Recent root-giving Sudo bug also impacts macOS

    Image: Will Dormann
    A British security researcher has discovered today that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed.

    The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users.
    Qualys researchers discovered that they could trigger a “heap overflow” bug in the Sudo app to change the current user’s low-privileged access to root-level commands, granting the attacker access to the whole system.
    The only condition to exploit this bug was that an attacker gain access to a system, which researchers said could be done by either planting malware on a device or brute-forcing a low-privileged service account.
    In their report last week, Qualys researchers said they only tested the issue on Ubuntu, Debian, and Fedora. They said that other UNIX-like operating systems are also impacted, but most security researchers thought the bug might impact BSD, another major OS that also ships with the Sudo app.
    Latest macOS version also impacted
    But as Matthew Hickey, the co-founder of Hacker House, pointed out on Twitter today, the recent version of macOS also ships with the Sudo app.
    Hickey said he tested the CVE-2021-3156 vulnerability and found that with a few modifications, the security bug could be used to grant attackers access to macOS root accounts as well.

    CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
    — Hacker Fantastic 📡 (@hackerfantastic) February 2, 2021

    “To trigger it, you just have to overwrite argv[0] or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so,” Hickey told ZDNet today, prior to sharing a video of the bug in question.
    His findings were also privately and independently verified and confirmed to ZDNet by Patrick Wardle, one of today’s leading macOS security experts, and publicly by Will Dormann, a vulnerability analyst at the Carnegie Mellon University’s CERT Coordination Center.

    Hickey told ZDNet the bug could be exploited in the recent version of macOS, even after applying the recent security patches Apple released on Monday.
    The researcher said he notified Apple of the issue earlier today. Apple declined to comment as it investigates the report; however, even without an official confirmation from the Cupertino-based tech giant, a patch is most likely expected for such a serious issue.
    In addition, other researchers found that the bug could also be exploited on IBM AIX systems.


    Securing your open-source software supply chain with Tidelift catalogs

    Do you think about what routines, sub-programs, and libraries go into the software you use? You should. The SolarWinds security disaster, which will be causing trouble from now until the end of 2021, happened because the company fouled up its software supply chain. This, in turn, screwed millions of users. Open source can help prevent such disasters, but open-source methods need more supply chain improvements too. Now, Tidelift, an open-source management company, has a way to help manage the open-source software supply chain’s health and security with Tidelift catalogs.


    With catalogs, part of the Tidelift Subscription, companies get a comprehensive approach to curating, tracking, and managing their open-source components. This works whether you’re using other groups’ open-source programs or your own “inner-source” code. Here’s how:

    A paved path: Organizations can accelerate development and reduce security and licensing-related risk by defining and curating catalogs of known-good, proactively maintained open source components. Developers can draw from them safely without fear of late-breaking deployment blockers.

    Clear policies: Organizations can set and automatically enforce standards early in the development lifecycle, such as an organization’s license policies.

    Integrated experience: The Tidelift Subscription integrates with existing source code and repository management tools so developers don’t need to change their workflow. They can pull approved components and submit new ones for approval directly from the command line.
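    The three points above describe a paved path: a curated catalog of known-good components, a license policy enforced early, and a check developers can run from the command line. The script below is an added illustration of that idea and is not Tidelift’s code; the catalog, the license policy, the package names and versions, and the requirements-style manifest are all constructed sample data. It rejects anything outside the catalog, any version the catalog has not approved, any license outside policy, and any dependency that is not an exact pin (a version range would let an unreviewed release through).

```python
"""Catalog-based dependency policy check.

Added illustration of a curated allowlist of known-good components plus an
organisation license policy, enforced against a dependency manifest before
a build is allowed to proceed. Not Tidelift's code; the catalog, policy and
manifest below are constructed sample data.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed catalog: component -> approved versions and declared license.
# Package names and versions are hypothetical, not a real Tidelift catalog.
CATALOG = {
    "requests": {"versions": {"2.25.0", "2.25.1"}, "license": "Apache-2.0"},
    "flask": {"versions": {"1.1.2"}, "license": "BSD-3-Clause"},
    "leftpad-clone": {"versions": {"0.1.0"}, "license": "AGPL-3.0"},
}

# Constructed license policy: what the organisation permits in shipped code.
LICENSE_POLICY = {"allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"}}

# Only exact pins are accepted: a version range lets an unreviewed release in.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.\-]+)$")

# Constructed manifest in requirements.txt style, with deliberate violations.
SAMPLE_MANIFEST = """\
requests==2.25.1
flask==1.1.0          # catalogued, but this version is not approved
leftpad-clone==0.1.0  # approved version, but AGPL is outside the license policy
colorama>=0.4         # range instead of an exact pin
notincatalog==9.9.9   # never reviewed
"""


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str


def check_manifest(manifest: str, catalog=CATALOG, policy=LICENSE_POLICY) -> list[Finding]:
    """Return one Finding per policy violation; an empty list means approved."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(manifest.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            findings.append(Finding(line, "", f"line {lineno}: not an exact pin (name==version)"))
            continue
        name, version = match.group(1).lower(), match.group(2)
        entry = catalog.get(name)
        if entry is None:
            findings.append(Finding(name, version, "not in the approved catalog"))
            continue
        if version not in entry["versions"]:
            approved = ", ".join(sorted(entry["versions"]))
            findings.append(Finding(name, version, f"version not approved (approved: {approved})"))
        if entry["license"] not in policy["allowed"]:
            findings.append(Finding(name, version, f"license {entry['license']} not permitted by policy"))
    return findings


def main(manifest: str = SAMPLE_MANIFEST) -> int:
    """CLI-style entry point: a non-zero exit code blocks the build on any finding."""
    findings = check_manifest(manifest)
    for f in findings:
        pin = f"{f.package}=={f.version}" if f.version else f.package
        print(f"BLOCKED {pin}: {f.reason}")
    print("manifest approved" if not findings else f"{len(findings)} violation(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

    Run it as a pre-merge or pre-build step; the exit code is what the pipeline acts on. The catalog lookup is per exact version on purpose: approving a package name without its version would reintroduce the late-breaking surprises the paved path is meant to remove.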

    Don’t think that’s important to your company because you “don’t use open source”? Oh please! A recent Tidelift study showed that 92% of enterprise software projects contain open-source dependencies and, in those projects, as much as 70% or more of the code was open source. I live and breathe software development; I think those numbers are on the low side. 
    Donald Fischer, Tidelift’s CEO and co-founder, explained, “As software supply chain security makes frontpage news in 2021, it’s more important than ever that application development teams employ a comprehensive approach to managing the open-source components that make up their applications. With the addition of catalogs to the Tidelift Subscription, organizations can be confident that they are using open source safely without slowing down development.”
    That’s easy to say, but can you prove it? Tidelift thinks it can by introducing its first set of Tidelift-managed catalogs. With these, your developers can pull from Tidelift-managed catalogs of known-good, proactively maintained components that cover common language frameworks such as JavaScript, Python, Java, Ruby, PHP, .NET, and Rust, backed by Tidelift and its partnered maintainers.
    These can give your business a head start on building approved components for your development teams. Your programmers will soon let you know if these catalogs really are enterprise-ready and meet their needs for clearly defined security, maintenance, and licensing programs.
    This isn’t just for your programmers though. The company claims that with catalogs in place, the Tidelift Subscription can help people throughout your business. Specifically:

    For managers: Increase development velocity while ensuring development teams are building with safe, approved, and compliant components from the start.

    For developers: Move fast and avoid rework, eliminating late-breaking surprises that slow down development by using pre-approved, known-good components.

    For information security: Get a single place to define, review, and enforce policies around security vulnerabilities in open-source components.

    For legal: Get a single place to define, review, and enforce license policies and get indemnification to protect against licensing-related risk.

    Tidelift’s not wrong. If they can deliver the goods with their catalogs, your company will benefit. 
    As Al Gillen, IDC’s Group VP of Software Development and Open Source, said in a statement: “Recent software supply chain security compromises remind the industry how important it is to know where your software components come from, and to be able to trust those components. Open-source software is not immune to potential vulnerabilities, so it makes great sense to give your software development staff easy access to the components they need that meet enterprise standards. Tidelift’s expansion of the Tidelift Subscription to include catalogs of known-good open source addresses this need by collecting in one location a full suite of key open-source components that an organization relies on.”
    If I were developing open-source software today, I’d be sure to kick Tidelift’s wheels. It might just be what we need until the day comes when we have what David A. Wheeler, the Linux Foundation’s director of Open Source Supply Chain Security, has called verified reproducible builds. A reproducible build, in his words, “always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code”.
    We won’t be there for a while yet, so in the meantime, approaches such as Tidelift’s make perfect sense.
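    Wheeler’s definition has two halves: independent builders must produce byte-identical output, and that output must demonstrably come from the claimed source. The script below is an added illustration of both checks in miniature; it is not Tidelift’s or the Linux Foundation’s tooling. The source tree, the two builders and their checkout paths, and the pinned build time are constructed. The naive build records its working directory and wall-clock time, so two organisations can never agree on it; normalising the environment (dropping the path and pinning the timestamp, the idea behind SOURCE_DATE_EPOCH) is what makes the artifact reproducible, and the verifier then also re-hashes the claimed source to confirm the artifact was built from it.

```python
"""Verified reproducible build, in miniature.

Added illustration of the two checks in Wheeler's definition: independent
builds must agree byte for byte, and the artifact must come from the
claimed source. Not Tidelift's or the Linux Foundation's tooling; source
tree, builders and pinned build time are constructed.
"""
from __future__ import annotations

import hashlib
import json
import time

# Constructed source tree: file name -> contents.
SOURCE = {"main.py": "print('hello')\n", "util.py": "def f():\n    return 1\n"}

# Constructed builders: one independent organisation each, with its own checkout path.
BUILDERS = {"builder-a": "/home/alice/work/project", "builder-b": "/srv/ci/runner-7/project"}

# Constructed pinned build time (assumption, not from the article): 2021-02-03 00:00:00 UTC.
SOURCE_DATE_EPOCH = 1612310400


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def input_hashes(source: dict[str, str]) -> dict[str, str]:
    """Hash every input file; sorted keys keep the result order-independent."""
    return {name: sha256_hex(body.encode()) for name, body in sorted(source.items())}


def build_naive(source: dict[str, str], build_dir: str) -> bytes:
    """Toy build that leaks its environment into the output (not reproducible)."""
    meta = {"inputs": input_hashes(source), "build_dir": build_dir, "built_at": time.time()}
    return json.dumps(meta, sort_keys=True).encode()


def build_reproducible(source: dict[str, str], build_dir: str, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same build with the environment normalised: no path recorded, timestamp pinned."""
    del build_dir  # deliberately not part of the artifact
    meta = {"inputs": input_hashes(source), "built_at": epoch}
    return json.dumps(meta, sort_keys=True).encode()


def verify(artifacts: dict[str, bytes], claimed_source: dict[str, str]) -> tuple[bool, dict[str, str]]:
    """Independent builds must agree, and each must record the claimed source's input hashes."""
    digests = {who: sha256_hex(art) for who, art in artifacts.items()}
    agree = len(set(digests.values())) == 1
    expected = input_hashes(claimed_source)
    from_source = all(json.loads(art)["inputs"] == expected for art in artifacts.values())
    return agree and from_source, digests


if __name__ == "__main__":
    naive = {who: build_naive(SOURCE, path) for who, path in BUILDERS.items()}
    print("naive build verified:", verify(naive, SOURCE)[0])
    repro = {who: build_reproducible(SOURCE, path) for who, path in BUILDERS.items()}
    ok, digests = verify(repro, SOURCE)
    print("reproducible build verified:", ok, digests)
```

    A real build records far more than a timestamp and a path (compiler versions, file ordering, locale), which is why reproducibility takes sustained engineering rather than a flag; the verifier side, by contrast, stays this simple: compare digests across independent builders, then tie the agreed digest back to the source it claims.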