More stories


    iOS 14.4: Not installed it yet? Do it now!

    I’m usually a bit cautious when it comes to recommending that people smash that update button the instant a new version of iOS is released.
    I do it, but there are times that I’ve ended up regretting that decision.
    But if you’ve not yet got around to installing iOS 14.4, then it’s time to do it.
    DO IT NOW!

    On the face of it, the update seems like one of those take-it-or-leave-it updates. There are lots of mentions of the iPhone 12 in the release notes, and that might make owners of other iPhones give it a pass.

    iOS 14.4 release notes
    iOS 14.4 includes the following improvements for your iPhone:
      • Smaller QR codes can be recognized by Camera
      • Option to classify Bluetooth device type in Settings for correct identification of headphones for audio notifications
      • Notifications for when the camera on your iPhone is unable to be verified as a new, genuine Apple camera in iPhone 12, iPhone 12 mini, iPhone 12 Pro and iPhone 12 Pro Max
    This release also fixes the following issues:
      • Image artifacts could appear in HDR photos taken with iPhone 12 Pro
      • Fitness widget may not display updated Activity data
      • Typing may be delayed and word suggestions may not appear in the keyboard
      • The keyboard may not come up in the correct language in Messages
      • Audio stories from the News app in CarPlay may not resume after being paused for spoken directions or Siri
      • Enabling Switch Control in Accessibility may prevent phone calls from being answered from the Lock Screen

    But the update also contains fixes for three zero-day vulnerabilities that are actively being exploited in the wild.

    That’s a big deal.
    As to other fixes, I’m hearing from some users that notifications are still broken. It will also spot non-genuine cameras fitted as repairs, which may come as a shock to some.
    Beyond that, I’ve not come across any show-stopping bugs related to battery life, connectivity, or stability.
    So, install iOS 14.4.
    Now.


    Hacker group inserted malware in NoxPlayer Android emulator

    A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack.
    The attack was discovered by Slovak security firm ESET on January 25, last week, and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops.
    ESET says that, based on evidence its researchers gathered, a threat actor compromised the company’s official API server (api.bignox.com) and one of its file-hosting servers (res06.bignox.com).
    Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server in order to deliver malware to NoxPlayer users.
    “Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities,” ESET said in a report shared today with ZDNet.
    Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn’t target all of the company’s users but instead focused on specific machines, suggesting this was a highly-targeted attack looking to infect only a certain class of users.
    As of today, and based on its own telemetry, ESET said it has spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka.


    ESET has released today a report with technical details that NoxPlayer users can use to determine whether they received a malware-laced update and how to remove the malware.
    A BigNox spokesperson did not return a request for comment. ESET said BigNox denied having been hacked.
    “We discard the possibility that this operation is the product of some financially motivated group,” an ESET spokesperson told ZDNet today via email.
    “We are still investigating, but we have found tangible correlations to a group we internally call Stellera, which we will be reporting about in the near future.”
    These correlations referred to the three malware strains deployed via malicious NoxPlayer updates, which ESET said contained “similarities” to other malware strains used in a Myanmar presidential office website supply-chain compromise in 2018 and in early 2020 in an intrusion into a Hong Kong university.
    This incident is also the third supply chain attack discovered by ESET over the past two months. The first is the case of Able Desktop, software used by many Mongolian government agencies. The second is the case of the VGCA, the official certificate authority of the Vietnamese government.
    Updated at 3:30pm ET with comments from ESET.


    Libgcrypt developers release urgent update to tackle severe vulnerability

    The developers of Libgcrypt have issued an urgent update to tackle a critical vulnerability reported in a recent version of the software. 

    Libgcrypt is an open source cryptographic library and GNU Privacy Guard (GnuPG) module. While the code can be used independently of GnuPG, Libgcrypt depends on GnuPG’s ‘libgpg-error’ library.
    Version 1.9.0 of the software was released on January 19. On Thursday, Google Project Zero researcher Tavis Ormandy publicly disclosed the existence of a “heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code.”
    “Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy said. “I believe this is easily exploitable.”
    The researcher passed on his findings to libgcrypt developers. As soon as the report was received, the team published an immediate notice for users, “[Announce] [urgent] Stop using Libgcrypt 1.9.0!”.
    In the advisory, principal GnuPG developer Werner Koch asked users to stop using version 1.9.0, which as a new release had begun to be adopted by projects including Fedora 34 and Gentoo. 
    A new version of libgcrypt, version 1.9.1, was released in a matter of hours to address the severe vulnerability, for which a CVE number has yet to be assigned.

    In an analysis of the vulnerability, cryptographer Filippo Valsorda suggested that the bug was caused by memory safety issues in C and may be related to efforts to defend against timing side-channel attacks. 
    Users that upgraded to libgcrypt 1.9.0 are urged to download the patched version as quickly as possible. 
    “Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” the developers say. 
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Myanmar hit with internet disruptions as military seeks to take control

    Myanmar is experiencing internet and phone service disruptions amidst reports it faces a possible military coup. Data reveals these disruptions are impacting several local and international service providers including Myanma Posts and Telecommunications (MPT) and Telenor. 
    Spotty online connectivity was first identified at 3am Monday, with national connectivity dipping to 50% by 8am, according to data from NetBlocks Internet Observatory, a UK-based internet monitoring group focused on digital rights, cybersecurity, and internet governance. It maps a country’s IP address space in real-time to indicate internet connectivity levels and outages. 
    Disruptions to phone and internet services followed reports that National League for Democracy’s leader Aung San Suu Kyi and other senior political leaders had been detained in an early-morning raid conducted Monday by the military. TV and radio channels also were down. 

    Numerous posts on Twitter appeared to confirm either poor or lack of online and phone connectivity, with several living overseas saying they were unable to reach their family and friends in Myanmar. 
    Military-owned TV network Myawaddy News reported that the military was taking control of the country for a year, during which a state of emergency had been declared. It pointed to a section of the constitution, drafted by the military, which outlines the army’s powers to assume control during a national emergency.
    The TV report pointed to claims Suu Kyi’s government had failed to act on the military’s allegations of voter fraud during last November’s election as well as refusal to postpone the election due to the COVID-19 pandemic. Election votes had returned her party to power and parliament had been scheduled to kick off its session Monday. 
    The military last week had threatened a potential coup if its claims of voter fraud were not addressed.

    India over the weekend also suspended mobile online services in some areas around Delhi, where farmers had gathered to stage a one-day hunger strike in protest of the government’s new agriculture laws. The hunger strike was held to coincide with the death anniversary of Indian independence leader Mahatma Gandhi.


    UK Research and Innovation suffers ransomware attack

    UK Research and Innovation (UKRI) has disclosed a ransomware attack that has disrupted services and may have led to data theft. 

    The cyberattack, made public last week, has impacted two of the group’s services: a portal used by the Brussels-based UK Research Office (UKRO) and an extranet, known as the BBSRC extranet, which is utilized by UKRI councils. 
    Launched in 2018, UKRI is a public body supported by the Department for Business, Energy and Industrial Strategy (BEIS). Nine councils come together under the brand to manage research grants and to support innovative businesses and opportunities in the United Kingdom.
    UKRI said that the IT incident has resulted in “data being encrypted by a third-party,” which implies that ransomware is at fault.
    Ransomware is a type of malware that is now often a culprit in attacks against the enterprise. Once ransomware has landed on a compromised system, it will usually encrypt data and files and may also spread throughout a network to take out backups and other resources. 
    When data encryption is complete, users are locked out and ransomware operators will demand a payment in return for a decryption key. This blackmail demand is often required in cryptocurrencies such as Bitcoin (BTC). 
    UKRI is yet to disclose concrete details concerning the ransomware and is still dealing with disruption to its services. 

    The UKRO portal is used to provide information to subscribers — of which there are roughly 13,000 — and the extranet is the infrastructure used for peer review processing. Both services are currently suspended.
    “At this stage, we cannot confirm whether any of that data was extracted from our systems whilst investigations continue,” UKRI says. “We take incidents of this nature extremely seriously and apologize to all those affected.”
    If data has been stolen, this may include grant applications and review information contained in the portals, as well as expense claims. However, the agency does not yet know if financial information has been taken. 
    “We are working to securely reinstate impacted services as well as conducting forensic analysis to ascertain if any data was taken, including the potential loss of personal, financial or other sensitive data,” the group says. “If we do identify individuals whose data has been taken we will contact them further as soon as possible.”
    The ransomware attack has been reported to the UK’s National Crime Agency (NCA), the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). 
    According to DLA Piper, £142.7 million ($193.4 million) in fines have been issued over the past year for breaches of the EU’s General Data Protection Regulation (GDPR), close to a 40% increase in comparison to the previous 20 months. 
    While the UK is no longer part of the EU, there is little material change as the data protection legislation has been incorporated into UK laws, in what is now known as UK GDPR. Any company found to have breached UK GDPR may be subject to fines by the ICO. 


    SonicWall zero-day exploited in the wild

    Cyber-security firm NCC Group said on Sunday that it detected active exploitation attempts against a zero-day vulnerability in SonicWall networking devices.
    Details about the nature of the vulnerability have not been made public to prevent other threat actors from studying it and launching their own attacks.
    NCC researchers said they notified SonicWall of the bug and the attacks over the weekend.
    The researchers believe they identified the same zero-day vulnerability that a mysterious threat actor used to gain access to SonicWall’s own internal network in a security breach the company disclosed on January 23.
    The January 23 zero-day impacted Secure Mobile Access (SMA) gateways, a type of networking device that is used inside government and enterprise networks to provide access to resources on intranets to remote employees. SonicWall listed SMA 100 Series devices as impacted by the January 23 zero-day.
    A SonicWall spokesperson did not return a request for comment to confirm if NCC researchers discovered the same zero-day or a new one.

    Per the @SonicWall advisory – https://t.co/teeOvpwFMD – we’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall – we’ve also seen indication of indiscriminate use of an exploit in the wild – check logs
    — NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021

    Responding on Twitter to requests to share more details on the attack so security experts could protect their customers, the NCC team recommended that device owners restrict which IP addresses are allowed to access the management interface of SonicWall devices to only IPs of authorized personnel.

    They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.

    Yes. It wouldn’t prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended
    — Rich Warren (@buffaloverflow) January 31, 2021


    Singapore refutes suggestions software on students' devices tracks personal data

    Software installed on students’ devices in Singapore captures only the user’s online activities, as a safeguard against access to “objectionable material”, and does not track personal data such as location and passwords. This assertion from the government comes after an online petition surfaced urging support to block the implementation of the application.
    Posted last week, the petition took issue with the Ministry of Education’s (MOE) device management application (DMA) that must be installed on personal learning devices issued to students. 
    Singapore last March said all Secondary 1 students would each own personal learning devices, distributed by their schools, by 2024 as part of the country’s national digital literacy scheme. Remaining secondary school students would be issued such devices by 2028. 

    According to the online petition, launched by “Jing-Yu Lye”, the DMA would enable teachers to “control and monitor” the use of the device deemed necessary to “improve student management and deliver effective teaching”. It also noted that the software facilitated remote deployment of teaching and learning applications, which meant schools could install applications on a student’s device, whether the software carried security loopholes or otherwise.
    In addition, teachers could control how much time students spent on the device as well as the applications they could run, with users “having no real control over how they can do it”. 
    The petition stated: “We students are unhappy that the MOE requires such a program to be installed on our personal learning devices, be it our personal ones or ones purchased from the school, due to how little control, freedom, and privacy we have. This may also put many students’ information and data at risk to hackers, as they can easily access the data if such program is breached.”
    It urged the public to support efforts to “get the power we need to defend our privacy”, noting that while schools needed some control, students should not be forced to install the DMA. To date, the petition has garnered more than 6,370 signatures.

    MOE, however, said the software did not monitor personal data such as passwords, identification numbers, and user location. Instead, the application gathered information on students’ online activities including their online search history to “restrict access to objectionable material”, the ministry said in a report by local TV network CNA. The software also captured device data such as operating system to assist in troubleshooting. 
    All data collected were stored in servers managed by authorised DMA vendors “with stringent access controls” that were in accordance with the government’s own personal data rules and policies.
    MOE’s divisional director of educational technology, Aaron Loh, said in the report that the device management software had been installed during a trial held in 2019, during which parents and teachers “affirmed the benefits and need” for the DMA. The software, he said, would ensure teachers had “appropriate controls” to manage device use in classrooms.
    Parents, too, said the DMA could resolve their concerns about access to undesirable online content such as pornography and gambling as well as worries over excessive screen time, Loh said.
    Such feedback prompted the nationwide deployment of the software on personal learning devices, he added, noting that security was enhanced since these devices were connected to the school’s IT infrastructure.
    Existing home devices used by students would have to meet “necessary school specifications” and the DMA installed, which would be provided for free, he said. Personal learning devices purchased via the ministry’s bulk tender would have the software pre-installed before they were distributed to students. Schools would uninstall the software from these devices when students graduated.
    Local schools last April temporarily suspended the use of Zoom following incidents of Zoom-bombing within virtual classrooms, including one breach when male strangers hijacked a lesson to broadcast obscene images and asked female students to expose themselves.
    MOE later allowed use of the videoconferencing tool to resume, after modifications were made to integrate additional security controls and turn off some features. 


    Xiaomi sues US in bid to remove itself from Communist Chinese military company list

    Xiaomi has filed a legal action against the US Defense and Treasury departments that seeks to remove itself from the country’s official list of Communist Chinese military companies (CCMC).
    The Department of Defense added Xiaomi onto the list in mid-January after it accused the company of “appearing to be [a] civilian entity” in order to procure advanced technologies in support of the modernisation goals of the Chinese military. 
    In the legal complaint [PDF], Xiaomi said it filed the lawsuit as the CCMC designation would cause “immediate and irreparable harm to Xiaomi”, including by cutting off Xiaomi’s access to US capital markets. 
    It added that the restrictions would interfere with the company’s business relationships and ability to conduct and expand its business, as well as harm its reputation and goodwill among business partners and consumers, both in the United States and around the world. 
    Companies placed on the CCMC list are subject to a Donald Trump executive order that came into force in November last year. The executive order prohibits US persons from trading and investing in any of the listed companies and bans trading in any new companies once the US has placed the CCMC label on them.
    As a result, people in the US will no longer be able to purchase publicly traded Xiaomi securities or derivatives of those securities from March 15 onwards and must divest any holdings by January 14 next year. 
    Xiaomi in the complaint also accused the US departments of designating the company as a CCMC without providing reasoned explanations. 

    “Xiaomi would not be subject to these harms but for Defendants’ unlawful designation of Xiaomi as a CCMC, and the resulting restrictions under Executive Order 13959,” the company said.
    It explained that more than 75% of the voting rights in the company are held by co-founders Lei Jun and Bin Lin and that various Xiaomi shareholders were US companies, such as BlackRock and The Vanguard Group.
    The lawsuit follows Xiaomi releasing a statement last month proclaiming it had no ties with the Chinese military.
    “The company confirms that it is not owned, controlled, or affiliated with the Chinese military, and is not a ‘Communist Chinese military company’ defined under the NDAA,” the company said.
    In recent weeks, US entities, such as the New York Stock Exchange, have struggled to handle the consequences and interpretation of the CCMC list. Across the month of January, the exchange said it would delist a trio of Chinese telcos, before changing its mind, and then it reverted to its original decision.
    Other Chinese companies currently on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    As Xiaomi prepares to enter into a legal stoush with the US government, the company has simultaneously launched a new form of charging that it touted can remotely charge electronic devices without any cables or wireless charging stands. 
    Labelled as Mi Air Charge, the technology is a “charging pile” that uses 144 antennas to transmit millimetre-wide waves to charge smartphones. These waves can only be transmitted by smartphones that have a built-in “beacon antenna”, however, which is what allows for devices to receive the charging waves.
    The remote charging technology can provide 5-watt charging for various devices at the same time within a radius of several metres, Xiaomi said. Currently, devices like the OnePlus 8T can provide up to 65-watt charging through cables.