More stories

  • Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast's fuel

    Colonial Pipeline, which accounts for 45% of the East Coast’s fuel, said it has shut down its operations due to a cyberattack. The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure. The company delivers refined petroleum products such as gasoline, diesel, jet fuel, home heating oil and fuel for the U.S. military.

    In a statement, Colonial Pipeline said:

    On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies. Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.

    Here’s a look at the Colonial Pipeline system affected by the cyberattack.

    Should the shutdown continue, it may lead to supply shortages, since the pipeline covers so much territory in the US.

  • Cybersecurity warning: Russian hackers are targeting these vulnerabilities, so patch now

    Russian cyber attacks are being deployed with new techniques – including exploiting vulnerabilities like the recent Microsoft Exchange zero-days – as Russia's hackers continue to target governments, organisations and energy providers around the world.

    A joint advisory by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), as well as the UK National Cyber Security Centre (NCSC), warns organisations about updated tactics, techniques and procedures (TTPs) used by Russia’s foreign intelligence service, the SVR – a group also known by cybersecurity researchers as APT29, Cozy Bear and The Dukes. It comes after cybersecurity agencies in the US and the UK attributed the SolarWinds attack to Russia’s civilian foreign intelligence service, as well as several campaigns targeting Covid-19 vaccine developers.

    “The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours,” said the alert.

    The advisory warns that Russian cyber attackers have updated their techniques and procedures in an effort to infiltrate networks and avoid detection, especially as some organisations have attempted to adjust their defences after previous alerts about cyber threats. This includes the attackers using the open source tool Sliver as a means of maintaining access to compromised networks, and making use of numerous vulnerabilities, including vulnerabilities in Microsoft Exchange. Sliver is an open source red team tool, used by penetration testers when legally and legitimately testing network security, but in this case it is being abused to consolidate access to networks compromised with WellMess and WellMail, custom malware associated with SVR attacks.

    Although the paper warns that this isn’t necessarily a full list, other vulnerabilities – all of which have security patches available – used by Russian attackers include:

      • CVE-2018-13379 FortiGate
      • CVE-2019-1653 Cisco router
      • CVE-2019-2725 Oracle WebLogic Server
      • CVE-2019-9670 Zimbra
      • CVE-2019-11510 Pulse Secure
      • CVE-2019-19781 Citrix
      • CVE-2019-7609 Kibana
      • CVE-2020-4006 VMware
      • CVE-2020-5902 F5 Big-IP
      • CVE-2020-14882 Oracle WebLogic
      • CVE-2021-21972 VMware vSphere

    The attackers are also targeting mail servers as part of their attacks, as these are useful staging posts for acquiring administrator rights and gaining further network information and access, whether to build a better understanding of the network or as a direct effort to steal information.

    But despite the often advanced nature of the attacks, the paper by US and UK cybersecurity authorities says that “following basic cyber security principles will make it harder for even sophisticated actors to compromise target networks”. This includes applying security patches promptly, so that no cyber attacker – cyber criminal or nation-state backed operative – can exploit known vulnerabilities as a means of entering the network or maintaining persistence on it. Guidance by the NCSC also suggests using multi-factor authentication to help protect the network from attack, particularly if passwords have been compromised.

  • Privacy is just for crooks, says enlightened government agency

    Good people need encryption too.
    Getty Images/iStockphoto

    How do you tell your best friend that her boyfriend has all the charm of a malevolent vole? How do you explain to your doctor that you’ve just contracted a minor ailment after a night of major Pinot-fueled enthusiasm? And how do you reveal to your boss that, after two years of his dreadful direction, you’ve decided to enter a monastery?

    May I suggest the answer to all of the above is: privately. This logic, however, may not be embraced by, say, every millennial. It’s definitely not embraced by many government agencies. Take, for example, the Australian Criminal Intelligence Commission. I’ll tell you where you should take it privately. Here, though, as my colleague Asha Barbaschow reported, are the public thoughts of the commission: if you use encryption, you’re likely a crook. Which may surprise one or two iMessage and WhatsApp users.

    The commission’s actual words about encrypted communication services were: “These platforms are used almost exclusively by SOC [serious and organised crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement.”

    I do understand that there are many bad people in the world. I fear I have done business with some. A few may have even become my friends for a short while. But to suggest — with a straight face and a public voice — that encryption is almost exclusive to the evil seems like the sort of exaggeration that only a politician would embrace. Publicly.

    Of course one should have sympathy with law enforcement in its quest to eliminate the truly bad. Of course it’s frustrating that the gentle and law-abiding use some of the same technological tools as the rancid and law-flouting. And governments far and wide have been exerting pressure — public and private — on tech companies to find some liberty-loving way around this dilemma. The governments insist it must be possible. Tech companies tend to follow the example set by Apple CEO Tim Cook when the company refused to hack into the San Bernardino terrorist’s iPhone: creating a backdoor for law enforcement creates a backdoor for bad actors too. And it’s not as if governments are just sitting there, playing by the supposed rules. Why, the MIT Technology Review just revealed how the Chinese government took advantage of a hack that won a contest in Canada to spy on China’s Muslim Uyghurs. Moreover, who wouldn’t be suspicious that, given a backdoor, their government might be tempted to peek into the private lives of the law-abiding too? (Oh, you think they already do it?)

    There are still one or two things that humans want to communicate privately and securely to friends, family, lovers and even strangers they’ve just met on Tinder, rather than just post them on Facebook or Twitter. Even if there’s often the suspicion that nothing is private anymore, humans still cling to the belief that they can confide in one another, that they have to confide in one another. If nothing is private, what are we? A never-ending cabal of Instagram influencers? How dull that would be.

  • The latest defence against banking scams: Your voice

    Voice ID was introduced in 2016 to increase the security of bank transactions carried out over the phone.
    Francesco Carta Fotografo / Getty Images

    British banking giant HSBC protected almost £249 million ($346 million) of customers’ money from fraudsters in the past year alone, thanks to a voice recognition technology that does a better job of identifying a user during a telephone call. The voice system, called Voice ID, was introduced in 2016 to increase the security of bank transactions carried out over the phone. So far, the results seem promising: the rate of attempted telephone fraud this year was down 50% compared to the previous one.

    Since 2016, Voice ID has identified 43,000 fraudulent telephone calls and prevented £981 million ($1.3 billion) of customers’ money from falling into the hands of malicious hackers, said HSBC. “Scammers are sophisticated and it’s a constant challenge to keep ahead of them but this is promising,” said Kerri-Anne Mills, head of customer service at HSBC UK. “We’ve seen a 50% drop in reported telephone banking fraud year-on-year.”

    Telephone banking enables HSBC customers to carry out various sensitive operations, ranging from checking their balance to making payments and transferring money. Voice ID was introduced to replace the requirement to provide complex security numbers made of random digits, or to answer security questions which some users might struggle to remember. Customers sign up to the service by registering their voiceprint. When, at a later stage, they phone their bank for a particular operation, they are first asked to say a short phrase, which Voice ID analyzes against the original record to make sure that the voices match and that the caller is genuine.

    In addition to making the process more convenient, HSBC argues that the technology is more secure: while hackers can steal or guess personal codes or passwords to pass security checks, it is much harder to replicate someone’s voice. To identify a customer, Voice ID checks over 100 behavioral and physical voice traits, including how fast the speaker talks or how they emphasize words, according to HSBC. The bank maintains that the technology is sensitive enough to detect if someone is impersonating the speaker or playing a recording – while also being capable of correctly identifying a voice even if the caller has a cold or a sore throat.

    The bank has seen a recent increase in customers signing up to Voice ID, and the technology has now been adopted by 2.8 million users. According to Mills, 14,000 customers currently enroll in Voice ID each week. This is partly because, driven by the fast digitization of services caused by the COVID-19 pandemic, customers are turning to new channels to manage their finances that don’t require physically going into a bank. “We’ve seen unprecedented challenges as the pandemic and lockdown restrictions transformed our lives significantly and, unsurprisingly, more people have turned to online and mobile banking to take control of their finances, utilizing other channels for very particular interactions,” said Mills.

    But although Voice ID has been praised for its security benefits, it is easy to see why things might become thorny if hackers manage to find a way around the voice recognition technology. In fact, to demonstrate the potential shortcomings of HSBC’s feature, in 2017 a BBC reporter and his twin brother successfully fooled the technology. One of the brothers managed to gain access to his twin’s account via telephone, and was able to see balances and recent transactions.

    The issue is not restricted to voice recognition. As more and more services are carried out digitally, biometrics of all sorts are projected to be used to authorize sensitive processes. A recent report from Juniper Research, for example, estimates that digital payments made with a handset will increasingly be based on biometric identification such as facial, voice or iris recognition, as well as fingerprints. Biometric capabilities such as Apple’s Face ID will reach 95% of smartphones globally by 2025, according to Juniper; and by that time, users’ biological characteristics will be authenticating over $3 trillion-worth of payment transactions.

    While the security advantages of using biometrics to prove identity are evident, those technologies are a double-edged sword. On top of the risk that a malicious actor might imitate a user’s biological characteristics to gain access to critical services, there are also concerns about the opportunities to hack stored biometric data. “The risk with biometrics in general is that you can’t change biometric characteristics,” Nick Maynard, lead analyst at Juniper Research, tells ZDNet. “You can’t change a fingerprint or your face.” “So if somebody compromises that data, you can’t change it, and that information becomes very risky,” he continues. “That means that vendors have to adopt very strong security principles around how they handle that data.”

  • New Moriya rootkit stealthily backdoors Windows systems

    Unknown threat actors have been employing a Windows rootkit for years to stealthily install backdoors on vulnerable machines.

    In a campaign dubbed Operation TunnelSnake by Kaspersky researchers, the team said on Thursday that an advanced persistent threat (APT) group, of unknown origin but suspected of being Chinese-speaking, has used the rootkit to quietly take control of networks belonging to organizations. Rootkits are packages of tools designed to stay under the radar by hiding themselves in deep levels of system code. They range from malware that targets the kernel to malware that resides in firmware or memory, and they often operate with high levels of privilege.

    According to Kaspersky, the newly discovered rootkit, named Moriya, is used to deploy passive backdoors on public-facing servers. The backdoors are then used to quietly establish a connection with a command-and-control (C2) server controlled by the threat actors. The backdoor allows attackers to monitor all traffic, incoming and outgoing, that passes through an infected machine and filter out the packets intended for the malware. The packet inspection occurs in kernel mode with the help of a Windows driver. Because the rootkit waits for incoming traffic rather than reaching out to the C2 directly, its communication is buried in ordinary traffic and it avoids the outbound connections that could leave a malicious footprint detectable by security products.

    “This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs,” Kaspersky says. “Since Moriya is a passive backdoor intended to be deployed on a server accessible from the internet, it contains no hardcoded C2 address and relies solely on the driver to provide it with packets filtered from the machine’s overall incoming traffic.”

    Kaspersky suspects the APT is Chinese-speaking, a view supported by the use of post-exploitation tools previously linked to Chinese threat groups, including China Chopper, Bounder, Termite and Earthworm. Malicious activities include host scanning, lateral movement across networks and file exfiltration.

    Victims of the APT have been found in Asia and Africa. The researchers say that “prominent” diplomatic organizations in these regions have been targeted. While the rootkit was detected in October 2019 and May 2020, the team suspects, based on timestamps related to post-exploitation activity on another victim in South Asia, that the APT may have been in operation since 2018 or earlier. However, the attacks appear to be extremely focused, with fewer than 10 victims worldwide recorded by Kaspersky telemetry. At least, so far.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Smart cities are a tempting target for cyberattacks, so it's time to secure them now

    Internet-connected technology that’s used to power smart cities makes a very tempting target for cyberattacks, and local authorities need to be aware of the risks that they – and their citizens – could face if malicious hackers are able to tamper with infrastructure or services. Urban infrastructure, including emergency services, transport, traffic light management, CCTV and more, is increasingly using sensors and becoming connected to the Internet of Things in an effort to collect data and provide better, more efficient services.

    However, the UK’s National Cyber Security Centre (NCSC) – the cyber arm of intelligence agency GCHQ – has warned that cyber-physical systems in smart cities could be compromised by cyber attackers if they are not secured properly. The huge volume of sensitive data being collected and stored by IoT-connected smart cities, plus the ability to disrupt, “makes these systems an attractive target for a range of threat actors,” the NCSC’s new guidance for securing smart cities warns.

    “These connected physical environments are just emerging in the UK, so now is the time to make sure we’re designing and building them properly. Because as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors,” said Ian Levy, technical director at the NCSC.

    To help guide local authorities and protect infrastructure, organisations and people from the threat of cyberattacks that could target smart cities, the NCSC has published a series of principles that should be adhered to in order to provide these networks with the highest possible level of cybersecurity.

    To start with, local authorities should understand the role of their connected place. By determining who is responsible for the connected place, what the IoT network will look like, what data will be collected, processed, stored and shared, and what operational technology is already in place, authorities can begin connecting smart cities with security in mind from the start.

    Authorities are also urged to understand the potential risks to the connected place. These range from knowing exactly what devices and software are being used to connect the place up – ensuring that they come from a trusted, reputable vendor – to ensuring those devices are sufficiently secured when it comes to authentication. For example, a city shouldn’t be rolling out IoT devices across the network if those products still have a default username and password, as that would make them an easy target for cyber attackers, particularly if data is “collected or processed in a dumb way,” said Levy.

    Smart cities are supposed to help improve services for people, but being irresponsible with data storage could result in privacy violations, and poorly implemented security could allow cyber attackers to interfere with services and systems people need. “We hope these principles will help designers, owners and managers of connected place systems to make well-informed cybersecurity choices,” said Levy.

    While the NCSC guidance doesn’t refer to any particular potential cyber-threat actor, the director of GCHQ recently warned that the emergence of China as a technology producer means that the UK and other countries could face challenges if organisations – or local authorities – become reliant on devices and software made in the country. “States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future,” said Jeremy Fleming.

  • IRS secures order to serve Kraken with customer data request on cryptocurrency traders

    The Internal Revenue Service (IRS) has secured an order to obtain records from Kraken on customers performing cryptocurrency trades.

    In the latest crackdown centered on cryptocurrency trading that is not reported for tax and income purposes, the IRS has been granted permission by a federal court in the Northern District of California to issue a “John Doe” summons on Payward Ventures Inc. and Kraken, its US-facing arm. The US Department of Justice (DoJ) said this week that the IRS is seeking information on US taxpayers who have conducted at least $20,000 — or the equivalent — in cryptocurrency trades on the platform between 2016 and 2020.

    It is important to note, however, that the summons does not imply wrongdoing on the San Francisco-based cryptocurrency exchange’s part. The summons seeks records from Kraken on US taxpayers, counted among its customers, who may not have complied with internal revenue laws and tax requirements — such as trading in cryptocurrency but failing to record taxable profits. A John Doe order is issued in circumstances where the individuals concerned have not been identified.

    According to IRS guidance (.PDF), “convertible” cryptocurrency — able to be exchanged for fiat currency, such as Bitcoin (BTC) — may carry tax liabilities in the United States. Virtual currency taxes have to be determined based on “fair market values” at the time of trading or purchase. Mining, too, might be taxable.

    Court documents state that the information request “is part of an ongoing, extensive investigation involving substantial IRS resources that is producing real results — millions of dollars in previously unreported and unpaid taxes recovered for the treasury to date.” “There is no excuse for taxpayers continuing to fail to report the income earned and taxes due from virtual currency transactions,” commented IRS Commissioner Chuck Rettig. “This John Doe summons is part of our effort to uncover those who are trying to skirt reporting and avoid paying their fair share.”

    A similar summons was previously issued to Circle, a blockchain-based payments platform headquartered in Boston. Coinbase, too, is subject to scrutiny by the IRS and law enforcement agencies as a popular cryptocurrency exchange. In the firm’s latest transparency report, Coinbase revealed 4,227 requests in 2020, with 90% made from the US, UK and Germany. In total, under 5% were civil or administrative requests, whereas the rest stemmed from criminal investigations.

    Update 14.40 BST: A Kraken spokesperson told ZDNet: “One of Kraken’s guiding principles is maintaining the security and privacy of its client accounts. We understand that the court has expressed concern over the scope of the proposed IRS Summons. Though the posture of this case has not given Kraken an opportunity to weigh in, we share similar concerns.”

  • Google teams up with Stop Scams to tackle financial fraud in the UK

    Google has joined Stop Scams and outlined new measures to try to clamp down on financial fraud in the United Kingdom.

    On Friday, Vice President and MD of Google UK & Ireland, Ronan Harris, said that Google is the first major tech giant to partner with Stop Scams UK, an industry-led group that aims to tackle scams at the “source” by sharing threat data and creating scam-busting initiatives for organizations to roll out. Members include Lloyds, Barclays, NatWest Group and Vodafone. Ofcom and the Financial Conduct Authority (FCA) have also provided their support.

    UK Finance estimates that £1.26 billion ($1.75bn) was lost last year alone to scams in the UK. Phishing messages, fake emails pretending to be from banks and insurers, spoof phone calls and social engineering are all common, but due to the COVID-19 pandemic and stay-at-home orders, other forms of scam have pushed to the forefront. These include delivery-based text messages, fake vaccination appointment ‘reminders’ and charges, romance scams, investment ‘opportunities,’ and the fraudulent use of photos of trusted financial experts — including Martin Lewis — across social media to tout dubious cryptocurrency schemes, at a time when many of us have lost work and may be worried about our financial future. Action Fraud estimated that £2 million was lost to coronavirus-themed scams between the start of the pandemic and April 2020 alone.

    Scammers may use standard letters sent in the post, text messages, email, phone calls or social media platforms to lure in their victims. Now, while working with the FCA, Google has pledged $5 million (£3.5m) in advertising credits to give organizations a wider scope to launch public awareness campaigns.

    In addition, Google says that the company is going to spend the next few months developing and rolling out further restrictions for financial services in the United Kingdom that advertise through the firm’s platform in order to tout fraudulent ‘opportunities’ to invest, to start a pension, and more. “Over the past year, we introduced several verification processes to learn more about the advertisers and their business operations,” Harris commented. “During the verification period, we pause advertiser accounts if their advertising or business practices are suspected of causing harm. We are currently requiring all UK financial services advertisers to complete these programs in order to run ads.”

    Over 4,000 websites were added to the FCA’s warning list in 2020 for potentially running scam operations, and Google has updated existing advertising policies to prevent the use of terms that make unrealistic promises when it comes to financial returns. “Our teams are working hard on this issue because we all want UK consumers to feel safe and protected when they are managing their finances,” Google says. “Even as attempts by scammers evolve, we will continue to take strong action and work in partnership with others to help keep consumers safe.”

    In related news this week, Google announced an upcoming, automatic enrollment of more users into two-step verification (2SV). As passwords are not considered enough to protect our accounts, two-factor authentication can help by creating an additional layer of security. Another option is using hardware-based verification, such as the Google Titan key fob.