More stories


    Cybersecurity: How talking about mistakes can make everyone safer

    The healthiest way to approach keeping people safe from online threats is to talk about misjudgements and errors, and to do so in a way that lets them understand that almost everyone has made a cybersecurity mistake at some point. Encouraging discussion around the threats people have faced can go a long way to helping others become more aware of what to look out for, and to avoid falling victim to cyber criminals themselves.

    Even the most seasoned information security professional will have made mistakes at some point, so it isn’t right that everyone else should be chastised or even punished if they click on a phishing link, whether for real or during a company phishing test. “One of my favourite things I like to ask big groups of people in information security is ‘Can anyone in here guarantee that they’ve never clicked the bad link?’ In a room of hundreds of people, no one will raise their hand,” Margaret Cunningham, principal research scientist at Forcepoint, told ZDNet Security Update. “And to me that says no matter what your expertise, no matter how long you’ve been thinking about security, links, phishing, social engineering, whatever – you can still be the person who makes the mistake.” It’s not unusual for companies to run cybersecurity awareness campaigns around shame and fear, punishing or embarrassing employees who fail a phishing test, but according to Cunningham, this attitude doesn’t help people get to grips with what, for many, is a subject that’s still difficult to understand.

    “Helping people understand the risk and also communicating about that risk is difficult, especially if your organisational culture is sort of punitive – like ‘you make a mistake, see you later’ – that’s not actually going to help you very much,” she said. If anything, people should be encouraged to talk about the online security mistakes they’ve made, because not only could it help others be more aware of potential cyber threats, it demonstrates that everyone can make mistakes and that there’s nothing to be ashamed of if they do fall victim to phishing, social engineering or other forms of attack. “There’s a huge organisational value to talking about dumb things that we’ve done – things that we’ve fallen for, the mistakes that we’ve made,” Cunningham explained. “It makes a big difference to talk about it, even if people give you the eye roll and an ‘I know,’ well, let’s just remind ourselves,” she added.


    Russian-language cybercriminal forum ‘XSS’ bans DarkSide and other ransomware groups

    Cybersecurity researchers with Flashpoint, Digital Shadows’ Photon Research Team and other firms have confirmed that XSS, a popular cybercriminal forum, has outright banned ransomware sales, ransomware rental, and ransomware affiliate programs on its platform, according to an announcement released in Russian. The move comes after global scrutiny of ransomware groups increased following a damaging attack on Colonial Pipeline that left parts of the United States with gas shortages for days. Flashpoint reported that on Thursday evening, an administrator of XSS said the decision to outlaw the ransomware activities of active groups like REvil, Babuk, DarkSide, LockBit, Nefilim, and Netwalker was due to “ideological differences” as well as the increased media attention resulting from the latest high-profile attacks. The statement said the “critical mass of nonsense, hype, and noise” was leading to concerns among the forum’s members about law enforcement. It cited a recent comment from Dmitry Peskov, press secretary for Russian President Vladimir Putin, who said the Russian state was not involved in the attack on Colonial Pipeline. “Peskov is forced to make excuses in front of our overseas ‘friends’ – this is a bit too much,” the statement said, according to Flashpoint’s translation. The company noted that by 7 am on Friday, all of DarkSide’s posts on the forum had been removed. DarkSide is allegedly feeling the pressure in other ways, according to Flashpoint, with the group posting a statement on another cybercriminal forum, Exploit, claiming that some of its infrastructure had been disrupted. In a now-deleted post, DarkSide representatives wrote that the group had “lost access to the public part of our infrastructure,” which included the group’s blog, its payment server and its DoS servers.

    The group claimed that “funds from the payment server (ours and clients’) were withdrawn to an unknown address.” Some security analysts questioned whether the claims were real and wondered whether the message was simply a ruse to reduce government scrutiny of the group’s actions. DarkSide’s situation was also having an effect on other ransomware gangs like REvil, which released a new set of “guidelines” urging its members to stay away from healthcare and educational institutions as well as government organizations. The new rules demand that all new targets be agreed upon by the leaders of the group, according to the message found by Flashpoint. Representatives for the Avaddon ransomware released similar guidelines on Exploit, according to Digital Shadows. In the last week, both the FBI and the Australian Cyber Security Centre have released notices specifically about Avaddon. “After the closure of DarkSide, the ransomware landscape is dominated by four major collectives: REvil, LockBit, Avaddon, and Conti. Flashpoint assesses with moderate confidence that well-established ransomware collectives—including REvil, LockBit, Avaddon, and Conti—will continue to operate in private mode,” the Flashpoint report added. “Additionally, ransomware collectives will likely begin to advertise recruitment for new affiliates via their own leak sites since many cybercriminal forums, like XSS, and other similar platforms used for ransomware advertisements will now likely refuse to host their activities.” Digital Shadows noted that DarkSide still has a recruitment thread on Exploit, although it has not been updated since April. Roger Grimes, data-driven defense evangelist at KnowBe4, said the fear among security researchers is that much of this is window dressing so that the major powers involved can say something was done. He noted that one of the main problems with ransomware, that the people behind it cannot be arrested, is still a major issue that will lead to more attacks.
“On top of that, many countries are absolutely cybercrime safe havens. Many countries have no problem with cyber criminals originating from their country as long as the criminals don’t attack their own countries and tacitly agree to do favors for the government, if asked,” Grimes explained, adding that some nations use stolen money to help fund government services.  “It funds it directly because the perpetrators are paying expensive local and political bribes to stay in business, and indirectly because they spend the money on goods and services in the country. In many countries cybercriminals are almost celebrated by the officials.” Due to the unwanted attention brought by attacking a critical pipeline like Colonial’s, Grimes said some of those involved in DarkSide may get punished or arrested but countries will not stop serving as cybercrime havens because of how lucrative it is. “The only lesson learned in this case is that a new boundary has been set. Don’t do something that causes energy shortages that gets the other nation’s government upset,” Grimes said. “But will it stop them from stealing tens of billions of dollars from tens of thousands of businesses and individuals? No.” He added that drastic action needed to be taken on a global scale to stop countries from protecting ransomware gangs who operated with impunity, noting that the UN has already started an effort to get countries to sign something akin to a “digital Geneva Convention,” although it is unlikely to get very far, Grimes said. KnowBe4 security awareness advocate Erich Kron said XSS sent a strong signal by banning these players from their forum but noted that until countries band together to do something about ransomware, little will change. “Between the pipeline issue, attacks on hospitals that closed trauma centers and emergency departments, and the loss of life suffered when a German hospital was taken down, it is no wonder the heat is on these cyber criminals,” Kron said. 
“It has become painfully obvious that ransomware poses a serious threat to life and to the welfare of individuals, even outside the organizations that are ransomed. Ultimately, to take a bite out of these gangs, governments across the globe need to band together and shut down the illicit infrastructures and arrest the players. We must make the risk higher than the reward if we want to put an end to this dangerous trend.”


    Linux and open-source communities rise to Biden's cybersecurity challenge

    Anyone who thought computer security problems were some abstract trouble with little bearing on daily life was rudely awakened recently. The Colonial Pipeline ransomware attack saw gas and oil deliveries shut down throughout the southeast. Cybersecurity failures had already become a major problem with the SolarWinds software supply chain attack and the FBI having to step in to remove web shells from compromised Microsoft Exchange servers. So, on May 12th President Joe Biden signed an executive order to boost the federal government’s cyber defenses and to warn all of America that technology security must be job one now. The Linux Foundation and its related organizations are stepping up to improve Linux and open-source security.


    The executive order recognizes the vital importance of open-source software. It reads in part: “Within 90 days of publication of the preliminary guidelines … shall issue guidance identifying practices that enhance the security of the software supply chain.” Open-source software is specifically named: the government must ensure, “to the extent practicable, to the integrity and provenance of open-source software used within any portion of a product.” Specifically, it must try to provide a Software Bill of Materials (SBOM), “a formal record containing the details and supply chain relationships of various components used in building software.” The order spells out why this matters for open-source software in particular:

    - Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging.
    - An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software.
    - Developers often use available open-source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.
    - Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.
    - Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.
    - A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration.
    - SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems.

    So how much code is this anyway? The managed open-source company Tidelift has found that 92% of applications contain open source components.
Indeed, the average modern software application may be made up of as much as 70% open-source software. Tidelift offers a service for providing open-source SBOMs. The open-source community itself has long been addressing this issue. In particular, the Software Package Data Exchange (SPDX) project has been working for the last ten years to enable software transparency and SBOMs. SPDX is in the final stages of review to become ISO/IEC International Standard 5962, is supported by global companies with massive supply chains, and has a large open- and closed-source tooling ecosystem. SPDX 2.2 already supports the National Telecommunications and Information Administration (NTIA) current guidance on minimum SBOM elements. In short, if your open-source software ships with an SPDX SBOM, it already meets the executive order’s SBOM requirement. For examples of SPDX in use, see:

- An NTIA “plugfest” that demonstrated ten different producers generating SPDX. SPDX supports acquiring data from different sources (e.g., source code analysis, executables from producers, and analysis from third parties).
- A corpus of LF projects with SPDX source SBOMs.
- Various LF projects working to generate binary SBOMs as part of their builds, including Yocto and Zephyr.

To assist with further SPDX adoption, the Linux Foundation is paying to have SPDX plugins written for major package managers. Of course, many programs don’t support SPDX… yet. They will. It’s the only way to be certain you know what’s really in your open-source programs, and that has become a matter of national importance.
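The SBOM mechanics described above, as an added example rather than code from SPDX, the Linux Foundation or the NTIA: a Python script that writes a minimal SPDX 2.2 tag-value SBOM for a constructed, hypothetical dependency set, checks it for the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp), and then answers the operator’s question of whether a newly announced vulnerability in one component reaches the product. The package names, versions, package URLs, tool name and document namespace are all assumptions.

```python
# Added example, not code from SPDX, the Linux Foundation or the NTIA: write a
# minimal SPDX 2.2 tag-value SBOM for a constructed dependency set, check it for
# the NTIA minimum elements (supplier, name, version, unique identifier,
# dependency relationships, SBOM author, timestamp), then query it the way an
# operator does when an advisory lands.  Package names and URLs are made up.
from __future__ import annotations
from datetime import datetime, timezone

# (SPDXID, name, version, supplier, package URL, SPDXIDs it depends on);
# the first entry is the product the SBOM describes.
PACKAGES = [
    ("SPDXRef-app", "example-app", "2.4.0", "Organization: Example Corp",
     "pkg:generic/example-app@2.4.0", ["SPDXRef-libfoo", "SPDXRef-libbar"]),
    ("SPDXRef-libfoo", "libfoo", "1.2.3", "Organization: Foo Project",
     "pkg:generic/libfoo@1.2.3", ["SPDXRef-libbaz"]),
    ("SPDXRef-libbar", "libbar", "0.9.1", "Person: Bar Maintainer",
     "pkg:generic/libbar@0.9.1", []),
    ("SPDXRef-libbaz", "libbaz", "4.0.0", "Organization: Baz Project",
     "pkg:generic/libbaz@4.0.0", []),
]


def generate_spdx(packages=PACKAGES, created: str | None = None) -> str:
    """Serialise the inventory as an SPDX 2.2 tag-value document."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    top_id, top_name, top_ver = packages[0][:3]
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {top_name}-{top_ver}",
        f"DocumentNamespace: https://sbom.example.org/{top_name}/{top_ver}",
        "Creator: Tool: sbom-example-0.1",   # NTIA: author of SBOM data
        f"Created: {created}",                # NTIA: timestamp
        f"Relationship: SPDXRef-DOCUMENT DESCRIBES {top_id}",
    ]
    for spdx_id, name, version, supplier, purl, deps in packages:
        lines += ["", f"PackageName: {name}", f"SPDXID: {spdx_id}",
                  f"PackageVersion: {version}", f"PackageSupplier: {supplier}",
                  "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: false",
                  f"ExternalRef: PACKAGE-MANAGER purl {purl}"]   # NTIA: unique id
        lines += [f"Relationship: {spdx_id} DEPENDS_ON {d}" for d in deps]
    return "\n".join(lines) + "\n"


def parse_spdx(text: str) -> dict:
    """Read tag-value SPDX back into document fields, packages and relationships."""
    doc, packages, rels, cur = {}, [], [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        tag, _, value = (s.strip() for s in line.partition(":"))
        if tag == "PackageName":                 # opens a new package section
            cur = {"name": value, "refs": []}
            packages.append(cur)
        elif tag == "Relationship":
            rels.append(tuple(value.split()))    # (source, type, target)
        elif cur is None:
            doc[tag] = value
        elif tag == "ExternalRef":
            cur["refs"].append(value)
        else:
            cur[tag] = value
    return {"doc": doc, "packages": packages, "relationships": rels}


def ntia_missing(sbom: dict) -> list[str]:
    """Which NTIA minimum elements does this SBOM fail to supply?"""
    missing = [label for tag, label in (("Creator", "author of SBOM data"),
               ("Created", "timestamp")) if not sbom["doc"].get(tag)]
    related = {r[0] for r in sbom["relationships"]} | {r[2] for r in sbom["relationships"]}
    for p in sbom["packages"]:
        if not p.get("PackageSupplier"):
            missing.append(f"supplier name ({p['name']})")
        if not p.get("PackageVersion"):
            missing.append(f"version ({p['name']})")
        if not any(r.startswith("PACKAGE-MANAGER purl ") for r in p["refs"]):
            missing.append(f"unique identifier ({p['name']})")
        if p.get("SPDXID") not in related:
            missing.append(f"dependency relationship ({p['name']})")
    return missing


def impact(sbom: dict, purl_prefix: str, bad_versions: set[str]) -> dict:
    """Packages matching an advisory plus everything that transitively DEPENDS_ON them."""
    parents = {}
    for src, kind, dst in sbom["relationships"]:
        if kind == "DEPENDS_ON":
            parents.setdefault(dst, []).append(src)
    by_id = {p["SPDXID"]: p["name"] for p in sbom["packages"]}
    hits = [p["SPDXID"] for p in sbom["packages"]
            if p.get("PackageVersion") in bad_versions
            and any(r.split()[-1].startswith(purl_prefix + "@") for r in p["refs"])]
    seen, stack = [], list(hits)
    while stack:                                 # walk the dependency graph upward
        for parent in parents.get(stack.pop(), []):
            if parent not in seen:
                seen.append(parent)
                stack.append(parent)
    return {"affected": [by_id[i] for i in hits], "dependents": [by_id[i] for i in seen]}
```

With this inventory, an advisory for libbaz 4.0.0 reports libbaz as affected and libfoo and example-app as dependents, which is the blast radius an operator needs; a real advisory would carry a version range rather than a set, and real SBOMs would come from the package-manager plugins mentioned above rather than a hand-written inventory.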

    This is not, of course, a problem unique to open-source software. With open-source software you can actually see the code, so it’s easier to produce an SBOM. Proprietary programs, such as the recently and massively exploited Microsoft Exchange Server, are black boxes: there’s no way to really know what’s in Apple or Microsoft software. Indeed, the biggest supply-chain security disaster so far, SolarWinds’ catastrophic failure to secure its software supply chain, was a proprietary software chain failure. Besides SPDX, the Linux Foundation recently announced a new open-source software signing service: the sigstore project. Sigstore seeks to improve software supply chain security by making cryptographic software signing easy to adopt, backed by transparency-log technology. Developers can sign software artifacts such as release files, container images, and binaries, and the signing records are kept in a tamper-evident public log, so anyone can verify that a signature was recorded and no one can quietly alter or remove an entry. The service will be free for all developers and software providers to use; the sigstore code and operational tooling are still being developed. Before sigstore, the Linux Foundation’s earlier Core Infrastructure Initiative (CII) and its successor, the Open Source Security Foundation (OpenSSF), were already working to secure open-source software, both in general and component by component. The OpenSSF, in particular, is a broad industry coalition “collaborating to secure the open-source ecosystem.” To further ensure the integrity of supply chains, the executive order demands that agencies employ “automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code.” The Linux Foundation oversees multiple projects to help with this besides sigstore.
The LF has many projects that support supply chain integrity, in particular:

- in-toto, a framework specifically designed to secure the integrity of software supply chains.
- The Update Framework (TUF), which helps developers maintain the security of software update systems and is used in production by various tech companies and open-source organizations.
- Uptane, a variant of TUF: an open and secure software update system design that protects software delivered over the air to the computerized units of automobiles.
- OpenChain (ISO 5230), the international standard for open-source license compliance. Applying OpenChain requires identifying OSS components, and while OpenChain itself focuses on licenses, that identification is easily reused to analyze other aspects of those components once they are identified (for example, to look for known vulnerabilities).

The executive order also asks that “The Secretary of Commerce [acting through NIST] shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria [including] criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices [and guidelines] for enhancing software supply chain security.” To address this, the OpenSSF’s CII Best Practices badge project specifically identifies open-source software best practices, with a focus on security. It includes criteria to evaluate the security practices of developers and suppliers. Today, it has over 3,800 participating projects. The Linux Foundation is also working with Supply-chain Levels for Software Artifacts (SLSA) to further deal with supply chain issues.
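The transparency-log property that sigstore, described above, relies on (a signing record is appended to a public log whose published root commits to every entry, so presence can be proven and tampering detected), as an added example that is not sigstore’s or the Linux Foundation’s code. It implements the RFC 6962 Merkle tree used by Certificate Transparency with the Python standard library only. The release records, signer identity and signature bytes are constructed placeholders; verifying the signature itself is assumed to happen on the client separately, since the point here is the log, not the signing.

```python
# Added example, not sigstore's code: a tamper-evident transparency log of the
# RFC 6962 (Certificate Transparency) kind that sigstore's public log builds on.
# Entries are constructed records of signed releases; the signature bytes are
# placeholders assumed to have been checked by the client out of band.  The log
# adds a Merkle root that commits to every entry, so a client can prove its
# entry is present and any later alteration of an entry becomes detectable.
from __future__ import annotations
import hashlib
import json


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()   # 0x00 prefix: leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes, so a leaf can never masquerade as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), as in RFC 6962."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(m: int, leaves: list[bytes]) -> list[bytes]:
    """Sibling hashes, bottom-up, needed to rebuild the root from leaf m."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [merkle_root(leaves[:k])]

def root_from_proof(m: int, n: int, leaf: bytes, path: list[bytes]) -> bytes:
    """Recompute the root of an n-leaf tree from leaf m and its proof."""
    if n == 1:
        if path:
            raise ValueError("proof too long")
        return leaf
    k = _split(n)
    if m < k:
        return node_hash(root_from_proof(m, k, leaf, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_proof(m - k, n - k, leaf, path[:-1]))

def canonical(record: dict) -> bytes:
    # Client and log must hash identical bytes, so serialisation is fixed.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class TransparencyLog:
    """Append-only; the root it publishes commits to every entry so far."""

    def __init__(self) -> None:
        self.entries: list[bytes] = []

    def append(self, record: dict) -> int:
        self.entries.append(canonical(record))
        return len(self.entries) - 1          # index the client keeps

    def root(self) -> bytes:
        return merkle_root([leaf_hash(e) for e in self.entries])

    def proof(self, index: int) -> list[bytes]:
        return inclusion_proof(index, [leaf_hash(e) for e in self.entries])


def verify_inclusion(record: dict, index: int, size: int,
                     path: list[bytes], root: bytes) -> bool:
    """Client side: does the published root commit to exactly my record?"""
    if not 0 <= index < size:
        return False
    try:
        return root_from_proof(index, size, leaf_hash(canonical(record)), path) == root
    except ValueError:
        return False


# Constructed sample entries (hypothetical project, placeholder signatures).
SAMPLE_RECORDS = [
    {"artifact": f"example-tool-1.{i}.tar.gz",
     "sha256": hashlib.sha256(f"release {i}".encode()).hexdigest(),
     "signer": "maintainer@example.org", "signature": "placeholder"}
    for i in range(5)
]

def demo() -> tuple[bool, bool]:
    """(genuine entry verifies, entry with a swapped digest verifies)."""
    log = TransparencyLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    root, size, idx = log.root(), len(log.entries), 3
    genuine = verify_inclusion(SAMPLE_RECORDS[idx], idx, size, log.proof(idx), root)
    forged = dict(SAMPLE_RECORDS[idx], sha256="00" * 32)
    return genuine, verify_inclusion(forged, idx, size, log.proof(idx), root)
```

The domain-separated 0x00/0x01 prefixes matter: without them a second-preimage attack could present an interior node as a leaf. In a real deployment the log also signs the root it publishes and clients gossip roots among themselves, which is what turns “tamper-evident” into something a lone client cannot be lied to about.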
The executive order also requires agencies to adopt “encryption for data at rest and in transit.” Encryption in transit is already implemented on the web using the Transport Layer Security (TLS) protocol, and the Internet Security Research Group’s (ISRG) open Let’s Encrypt project is the world’s largest certificate authority for TLS certificates. In addition, the LF Confidential Computing Consortium is dedicated to defining and accelerating the adoption of confidential computing, which protects data in use by performing computation inside a hardware-based Trusted Execution Environment (TEE); these secure, isolated environments prevent unauthorized access to or modification of applications and data while they are being processed, complementing encryption at rest and in transit. Of course, there will always be bugs. To address these, the CII Best Practices badge passing criteria require that OSS projects specifically identify how to report vulnerabilities to them. More broadly, the OpenSSF Vulnerability Disclosures Working Group is working to help “mature and advocate well-managed vulnerability reporting and communication” for OSS. For example, while most widely used Linux distributions, especially Red Hat, have a robust security response team, not everyone does. The Alpine Linux distribution, which is widely used in container-based systems, until recently didn’t have one; the Linux Foundation and Google funded various improvements to Alpine Linux, including a security response team. Biden’s executive order also called on everyone to focus on “critical software.” The Linux Foundation has been doing this for some time. The Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH) recently released Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software, which, as the name says, analyzed critical and vulnerable open-source software. This report is being updated. The CII also identified many important projects and assisted them in becoming more secure.
These include small but vital projects (the proverbial all-important program maintained by one person working out of a farmhouse in Nebraska), among them OpenSSL (after Heartbleed), OpenSSH, GnuPG, Frama-C, and the OWASP Zed Attack Proxy (ZAP). The OpenSSF Securing Critical Projects Working Group has been working to better identify critical OSS projects and to focus resources on the ones that need help. There is already a first-cut list of such projects, along with efforts to fund such aid. The executive order also recognizes that most Internet of Things (IoT) device security bugs are never fixed. As the joke goes, the “S” in IoT stands for security. The responsibility for that lies with IoT vendors, who sometimes don’t even provide a way to update their software, never mind actually issuing security patches. While the Linux Foundation can’t fix that, Linux Foundation members can and do supply secure software and operating systems. These include:

- The Linux kernel itself, which is used by many IoT devices.
- The Yocto project, which creates custom Linux-based systems for IoT and embedded systems. Yocto supports fully reproducible builds.
- EdgeX Foundry, a flexible open-source software framework that facilitates interoperability between devices and applications at the IoT edge, and has been downloaded millions of times.
- The Zephyr project, which provides a real-time operating system (RTOS) used by many resource-constrained IoT devices and is able to generate SBOMs automatically during the build. Zephyr is one of the few open-source projects that is a CVE Numbering Authority.
- The seL4 microkernel, the most assured operating system kernel in the world, notable for its comprehensive formal verification.

Finally, the Linux Foundation is already addressing the call for a “consumer software labeling program [that reflects] a baseline level of security practices” with several projects.
Besides the aforementioned OpenSSF CII Best Practices badge project, these are:

Put it all together, and the Linux and open-source communities are already well on their way to meeting the demands of this new security order. Much more needs to be done, but at least the framework is in place. This is essential work, and the Linux Foundation would welcome your help with it. As David A. Wheeler, the Linux Foundation’s Director of Open Source Supply Chain Security, said, “We couldn’t do this without the many contributions of time, money, and other resources from numerous companies and individuals; we gratefully thank them all. We are always delighted to work with anyone to improve the development and deployment of open-source software.” As the events of recent months have shown (indeed, recent hours, with the ransomware attack on Ireland’s health system), security must become job number one not just for the federal government, but for everyone.


    Learning from cyber attacks could be the key to stopping them

    Organisations should use major cyber incidents as a way to think through the core of their security strategy in order to prevent, or recover better from, similar attacks. “A significant cyber incident is really an opportunity; because it’s an opportunity to focus on the core issues that lead to these cyber incidents,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, speaking at the UK National Cyber Security Centre’s (NCSC) CYBERUK 21 virtual conference. Neuberger said that whether it’s something like the sophisticated SolarWinds supply chain attack or the Colonial Pipeline ransomware incident, “we know that vulnerabilities across software and hardware can bring on larger concerns”, but that looking at the core issues can help everyone improve their security. “As we look at those issues, we look at them in the frame of them – the entities conducting the cyber hacks – and us, what we need to do to build the resilience, to be able to prevent or rapidly recover from these incidents”. Cyber criminals and other malicious hackers look for vulnerabilities to exploit to infiltrate networks, so questions need to be asked to ensure that networks are as resilient as possible against attacks. “So we turn to us – which is what we need to do about it. First and above all, shifting our thinking from incident response to how do we prevent, how do we build more resilience, how do we build more secure software?” Neuberger explained.

    “How do we ensure, for example, that the systems that we use to build software have best practices like multi-factor authentication, that we’ve rolled out encryption across our government systems, so that even if an adversary steals significant information, it’s difficult for them to use that information”. What much of it comes down to is to “ensure that technology is both secure and easier to use”, she said. “But also shift our thinking to where it needs to be, which is how do we drive prevention and more security so that we have greater resilience to these hacks,” Neuberger added. Neuberger’s comments came shortly before President Joe Biden signed an executive order intended to boost the cybersecurity of federal government agencies in the aftermath of the Colonial Pipeline ransomware attack, the SolarWinds attack and the Microsoft Exchange zero-days that left many organisations vulnerable. It gives agencies 180 days to implement multi-factor authentication and encrypt data; agencies that can’t meet the deadline will have to explain in writing why not.


    Best ethical hacking certification in 2021: Top pro courses

    Hacking isn’t necessarily just about having an in-depth knowledge of code: it’s about enjoying a challenge and problem-solving. While understanding the bare bones of computing and networking before working your way up is a critical component of a successful career in cybersecurity, the work opportunities vary based on your interests and the path you wish to pursue. One path is ethical hacking: learning to think like an attacker in order to find and remediate vulnerabilities before threat actors are able to exploit gaps in enterprise systems for illicit financial gain, cyberespionage, or to cause damage. These courses focus more on offense than defense, and topics covered often include penetration testing, malware analysis, exploit development, and a study of today’s hacking tools. Below, ZDNet has compiled a list of recommended courses to explore in the ethical hacking field.

    Globally recognized

    The first recommendation, and perhaps the most well-known option today, is the EC-Council’s Certified Ethical Hacker (CEH) qualification. CEHv11 teaches students about modern hacking techniques, exploits, emerging cybersecurity trends and attack vectors, and how to use commercial-grade tools to effectively break into systems. Modules also include cyberattack case studies, malware analysis, and hands-on hacking challenges. Learners can also pick up a bolt-on of 24 hacking challenges across 18 attack vectors, such as bash exploits, server-side request forgery (SSRF), file tampering, and blind SQL injection. This certification would suit a range of roles including security analysts, pen testers, network engineers, and consultants.

    $1,199 at EC-Council

    Think offense, not defense

    Offensive Security’s Penetration Testing with Kali Linux (PEN-200) is the organization’s foundation course in using the Kali Linux OS for ethical hacking. The vendor’s focus is hands-on learning rather than just lectures and academic study, and it encourages both critical thinking and problem solving with its “Try Harder” slogan. You will need a solid grounding in networking principles, and an understanding of Windows, Linux, and Bash/Python will help. If you’re serious about pursuing a career in ethical hacking but are looking for somewhere to start, passing the PEN-200 exam earns the OSCP, a qualification well-received in the cybersecurity industry.

    $999 at Offensive Security

    Advanced exploitation

    Another ethical hacking certification you should consider is PEN-300, which leads to the OSEP. The course builds upon PEN-200 and offers more in-depth, advanced penetration testing training, field work instruction, and studies in perimeter attack and defense. Topics include antivirus evasion, post-exploitation, how to bypass network defenses and filters, and Microsoft SQL attacks. You are awarded the OSEP once you have passed the 48-hour exam.

    $1,299 at Offensive Security

    Reconnaissance and infiltration

    The SANS Institute also offers courses that are likely to be of interest to anyone pursuing a career in ethical hacking. One such course is SEC560, a journey into how to perform reconnaissance as an attacker and exploit target systems to obtain initial access. SANS teaches learners about typical and less well-known methods of infiltrating systems through hands-on exercises and lab sessions. The course is aligned with the GIAC Penetration Tester (GPEN) certification from SANS affiliate GIAC, and ends with a Capture The Flag exercise to test your new skills.

    $7,270 at SANS

    Exploiting web apps for the enterprise

    Another option to consider from the SANS Institute is SEC542, which focuses on the ethical hacking and testing of enterprise web applications. It teaches participants how to spot vulnerabilities in web applications, how to exploit them, and what tools and techniques attackers may use to compromise this type of software. The course includes hands-on exercises and instructor guidance based on a four-step web application penetration testing process.

    $7,270 at SANS

    Defined exam paths to certified status

    CREST is also worth noting as an organization that offers professional qualifications in information security. CREST’s certifications, recognized globally, are organized into three levels: practitioner, registered, and certified. You can take exams in subjects including cybersecurity analysis, penetration testing, web applications, threat intelligence, and incident response to reach the certified level. Prices vary.

    View Now at CREST

    What roles can an ethical hacking qualification benefit?

    Recruitment paths vary from country to country, but ethical hacking courses can be of use to those who want to become penetration testers, security analysts (an umbrella term common in the field), cyberforensics investigators, consultants, and members of red teams.

    Which is the right certification for you?

    If you’re looking at a certified ethical hacking course, you should consider which course is right for you in terms of career development. Cybersecurity professionals are in high demand and the career can be a lucrative one, but you should research whether or not a specific qualification will benefit you in the future, whether at your current job or in a future role.

    How did we choose these certifications?

    Our recommendations are based on courses that offer learners instruction in different areas of ethical hacking, whether focused on offensive security, pen testing, or the aftermath of incidents and the means to investigate effectively as a member of a cyberforensics team.



    Toshiba unit struck by DarkSide ransomware group

    A Toshiba unit has become the latest victim of a DarkSide ransomware attack. 


    On Friday, Toshiba Tec Corp said it had been struck by a cyberattack that has impacted some regions in Europe. Toshiba Tec Corp manufactures products including barcode scanners, point-of-sale (PoS) systems, printers, and other electrical equipment. The unit’s French subsidiary appears to have been targeted. After discovering the attack, Toshiba Tec shut down networks between Japan, Europe, and its subsidiaries to “prevent the spread of damage” while recovery protocols and data backups were implemented. The company says that an investigation has been launched into the extent of the damage and a third-party cyberforensics specialist has been brought in to assist. “We have not yet confirmed that customer-related information was leaked externally,” Toshiba’s unit says. However, the company did acknowledge that “it is possible that some information and data may have been leaked by [a] criminal gang.”

    That gang is DarkSide, the cybercriminals that hit the headlines this week following the Colonial Pipeline cyberattack. DarkSide is a ransomware-as-a-service (RaaS) outfit that provides ransomware to affiliates within its network in return for a cut of any profits made by extorting victim organizations. DarkSide affiliates employ a double-extortion tactic: companies first receive a demand for payment in return for a decryption key to unlock systems encrypted by DarkSide ransomware, and if they refuse, they are threatened with the public release, on a leak site, of confidential data and records stolen from the network before the encryption took place. At the time of writing, DarkSide’s leak site is not accessible. The Toshiba subsidiary said that only a “minimal amount of work data had been lost,” reports Reuters. However, a cached version of the leak post, accessed by ZDNet via Kela’s Darkbeast search engine, appears to show stolen passport scans alongside project documents and work presentations. The leak record, posted May 13, claims that over 740GB of data was stolen from Toshiba. The same ransomware operators are responsible for the attack on Colonial Pipeline last Friday. Colonial Pipeline, a company that provides roughly 45% of East Coast fuel supplies, was forced to shut down its operations for close to a week following the encryption of its IT systems. The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert and advisory on DarkSide and broader RaaS criminal operations. ZDNet has reached out to Toshiba Tec Corp and will update when we hear back.


    'Significant' ransomware attack forces Ireland's health service to shut down IT systems

    Ireland’s health service has taken all of its IT systems offline as a precaution after what the organisation describes as a “significant” ransomware attack.

    The Health Service Executive (HSE), which is responsible for healthcare and social services across all of Ireland, said it had shut down all IT systems as a “precaution” in order to protect the network from a ransomware attack.

    “There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners,” HSE said on Twitter. “We apologise for inconvenience caused to patients and to the public and will give further information as it becomes available.”

    SEE: Network security policy (TechRepublic Premium)

    HSE said Ireland’s COVID-19 vaccination programme is not affected by the ransomware incident and the National Ambulance Service is operating as normal.

    Some outpatient appointments are being cancelled because of the cyberattack. Rotunda Hospital Dublin, which provides maternity, neonatal and gynaecology care, said that, unless women are 36 weeks pregnant or later, “Due to a serious IT issue all outpatient visits are cancelled today”.

    Ransomware is a form of malware that cyber criminals use to encrypt networks and then demand a payment – often in Bitcoin – in exchange for the decryption key. Ransom demands can reach millions of dollars.

    It’s currently not known what variant of ransomware has attacked HSE or how it infiltrated the network, but Paul Reid, chief executive of the HSE, has said the health service is working with the defence forces, the gardaí – the Irish police – and third-party cybersecurity experts in response to the attack.

    SEE: Ransomware just got very real. And it’s likely to get worse

    According to The Irish Times, Reid told RTÉ’s Morning Ireland that the attack was “significant” and “human operated”, but that no ransom demand had yet been received. “There has been no ransom demand at this stage. The key thing is to contain the issue,” he said.

    The ransomware attack against HSE comes in the same week that a ransomware gang walked away with almost $5m in Bitcoin after a successful ransomware attack targeting Colonial Pipeline, one of the largest pipeline operators in the United States.


    Cloudflare wants to kill the CAPTCHA

    Cloudflare is testing out the possibility of security keys replacing one of the most irritating aspects of web browsing: the CAPTCHA. 

    CAPTCHAs are used to catch out bots that are trawling websites and are often implemented to prevent online services from being abused. These irritating tests, which require you to look at images and pick out objects such as cars, bridges, or bicycles, take up time, frustrate us, and disrupt our browsing activities. You’re also more likely to see them when you are using a virtual private network (VPN).

    “CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high-performing online business will tell you, it’s not something you want to do unless you have no choice,” Cloudflare says.

    To highlight the amount of time lost to these tests, Cloudflare said that based on calculations of an average of 32 seconds to complete a CAPTCHA, one test being performed every 10 days, and 4.6 billion internet users worldwide, roughly “500 human years [are] wasted every single day — just for us to prove our humanity.”

    On Thursday, Cloudflare research engineer Thibault Meunier said in a blog post that the company was “launching an experiment to end this madness” and get rid of CAPTCHAs completely. The means to do so? Using security keys as a way to prove we are human.

    Read on: Best security key in 2021

    According to Meunier, Cloudflare is going to start with trusted security keys — such as the YubiKey range, HyperFIDO keys, and Thetis FIDO U2F keys — and use these physical authentication devices as a “cryptographic attestation of personhood.”

    This is how it works: a user is challenged on a website, the user clicks a button along the lines of “I am human,” and is then prompted to use a security device to prove themselves. A hardware security key is then plugged into their PC or tapped on a mobile device to provide a signature — using wireless NFC in the latter example — and a cryptographic attestation is then sent to the challenging website.

    Cloudflare says the test takes no more than three clicks and an average of five seconds — potentially a vast improvement on the CAPTCHA’s average of 32 seconds.

    “More importantly, this challenge protects users’ privacy since the attestation is not uniquely linked to the user device,” Cloudflare notes. “All device manufacturers trusted by Cloudflare are part of the FIDO Alliance. As such, each hardware key shares its identifier with other keys manufactured in the same batch. From Cloudflare’s perspective, your key looks like all other keys in the batch.”

    The personhood test relies on the Web Authentication (WebAuthn) Attestation API. All browsers on Ubuntu, macOS, Windows, and iOS 14.5, as well as Chrome on Android v.10+, are compatible. You can access cloudflarechallenge.com to try out the system. As the rollout is still in its experimental phase, Cloudflare says it is currently in the process of integration with existing challenges — but we will likely spot it more often over time.

    “We want to know that you’re human,” Meunier says. “But we’re not interested in which human you are.”

    In related news this week, GitHub announced security key support for SSH Git operations. The code repository platform said that it eventually hopes to move away from passwords altogether and supporting security keys is a necessary step in the journey — as well as one that can help protect developers now against accidental exposure, account compromise, and malware.
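    What the challenging site actually receives from a WebAuthn registration, as an added Python example that is not Cloudflare's code: it parses the fixed-layout authenticator data carried in the attestation response and pulls out the AAGUID, the model-level identifier that every key of one model shares, alongside the per-registration credential ID. The rpId, the AAGUID and the credential IDs are constructed sample values, and the COSE public key is left undecoded.

```python
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data present (registration only)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticator data into its fixed-layout fields.

    Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) |
    [aaguid(16) | credIdLen(2) | credId | COSE public key (CBOR)] | [ext]
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & FLAG_AT or len(auth_data) < 55:
        raise ValueError("no attested credential data: not a registration")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "sign_count": sign_count,
        # Shared by every key of one model; it is not a per-device serial.
        "aaguid": str(uuid.UUID(bytes=auth_data[37:53])),
        # Unique per registration, so it cannot link a key across sites.
        "credential_id": cred_id.hex(),
        "cose_key": auth_data[55 + cred_len:],  # CBOR, left undecoded here
    }


def make_sample_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                          sign_count: int = 0) -> bytes:
    """Build a constructed registration authData blob (demo input only)."""
    head = hashlib.sha256(rp_id.encode()).digest()
    head += bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", sign_count)
    cose_stub = b"\xa0"  # CBOR empty map standing in for the COSE key
    return head + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_stub


def same_model(auth_data_a: bytes, auth_data_b: bytes) -> bool:
    """True when two registrations carry the same AAGUID."""
    return (parse_authenticator_data(auth_data_a)["aaguid"]
            == parse_authenticator_data(auth_data_b)["aaguid"])


# Constructed placeholder AAGUID, not any real vendor's value.
MODEL_AAGUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
```

    Two registrations built with `MODEL_AAGUID` but different credential IDs parse to the same AAGUID, which is the "looks like all other keys in the batch" property the article describes.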