More stories


    Joker's Stash, the internet's largest carding forum, is shutting down

    Joker’s Stash, the internet’s largest marketplace for buying & selling stolen card data, announced today that it was shutting down within a month, on February 15, 2021.
    The news was announced earlier today by the site’s administrator via messages posted on various underground cybercrime forums where the site usually advertised its services.
    The site had repeated problems this past fall
    “Joker’s Stash’s fall comes after a very turbulent close to 2020,” threat intelligence firm Intel 471 said in a blog post today, documenting the site’s demise.
    “In October, the actor who allegedly runs the site announced he had contracted COVID-19, spending a week in the hospital. The condition impacted the site’s forums, inventory replenishments, and other operations,” the company said.
    “Intel 471 also observed the site’s clients complaining that the shop’s payment card data quality was increasingly poor.”
    On top of this, in December 2020, the FBI and Interpol also seized four domains operated by the marketplace.
    At the time, the site’s administrators said the law enforcement crackdown had a limited impact on the site, as the domains were only used as proxies to reroute customers from landing pages to the actual marketplace, and that authorities did not seize any servers containing card or user data.

    But even with its limited technical impact, the domain seizure damaged the site’s reputation, showing customers that the once-untouchable Joker’s Stash was now fair game for law enforcement agencies.
    Site estimated to have made hundreds of millions of US dollars
    While the Joker’s Stash admin did not go into the details that led them to shut down the site, it is possible that they saw the writing on the wall and decided to call it quits before a more successful law enforcement takedown.
    Nonetheless, this doesn’t mean the site administrator is now immune to prosecution. US authorities have often indicted cybercriminals even years after the crimes took place.
    Before it announced its “retirement” today, Joker’s Stash was considered one of the most profitable cybercrime operations in existence.
    “The shop is estimated to have made hundreds of millions of dollars in illicit profits, although this money also goes to the vendors themselves,” Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, told ZDNet in an interview last month.
    In 2020 alone, the site posted for sale more than 35 million CP (card present) records and over 8 million CNP (card not present) records.
    “In 2020, its major breaches have included BIGBADABOOM-III (which compromised Wawa), NIRVANA (which compromised both Islands Fine Burgers & Drinks and Champagne French Bakery Cafe), and BLAZINGSUN (which compromised Dickey’s Barbecue Pit),” Thomas said.
    Joker’s Stash has been operating since October 7, 2014. The site’s administrator said they intend to wipe all servers and backups when they shutter operations next month.


    AI set to replace humans in cybersecurity by 2030, says Trend Micro

    What do IT leaders believe the future of the profession will be, and what kind of threats will be most pervasive down the line?
    Dallas, TX-based cloud security firm Trend Micro recently carried out new research which reveals that over two-fifths (41%) of IT leaders believe that AI will replace their role by 2030.

    Its predictions report, Turning the Tide, forecasts that remote and cloud-based systems will be ruthlessly targeted in 2021.
    The research was compiled from interviews with 500 IT directors and managers, CIOs and CTOs and does not look good for their career prospects.
    Only 9% of respondents were confident that AI would definitely not replace their job within the next decade. In fact, nearly a third (32%) said they thought the technology would eventually work to completely automate all cybersecurity, with little need for human intervention.
    Almost one in five (19%) believe that attackers using AI to enhance their arsenal will be commonplace by 2025.
    Around a quarter (24%) of IT leaders polled also claimed that by 2030, data access will be tied to biometric or DNA data, making unauthorised access impossible.

    In the shorter term, respondents also predicted the following outcomes by 2025: most organisations will have significantly reduced investment in property as remote working becomes the norm (22%); nationwide 5G will have entirely transformed network and security infrastructure (21%); security will be self-managing and automated using AI (15%); and attackers using AI to enhance their arsenal will be commonplace (19%).
    Bharat Mistry, Technical Director at Trend Micro, said: “We need to be realistic about the future. While AI is a useful tool in helping us to defend against threats, its value can only be harnessed in combination with human expertise.”
    Cybercriminals will continue to go where the money is — seeking the greatest financial returns on their attacks. Organizations and security teams must remain nimble and vigilant to stay ahead of criminals.
    So how can businesses mitigate the current threats? Trend Micro recommends that companies double down on best practice security and patch management programs and augment threat detection with round-the-clock security expertise to protect cloud workloads, emails, endpoints, networks, and servers. 
    It also recommends user education and training to extend corporate security best practices to the home, including advice against the use of personal devices whilst maintaining strict access controls for both corporate networks and the home office, including zero trust.
    Although tech bosses believe automation will do away with many roles within a decade, they should not spend time worrying about jobs becoming obsolete for a while.
    IT will adapt to accommodate the new ways of working, and companies will evolve to use automation to ease the challenges caused by skills shortages.


    Linux Mint fixes screensaver bypass discovered by two kids

    The Linux Mint project this week patched a security flaw that could have allowed a threat actor to bypass the OS screensaver and its password and access locked desktops.

    This particularly nasty security flaw was discovered by two kids playing on their dad’s computer, according to a bug report on GitHub.
    “A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play,” wrote a user identifying themselves as robo2bobo.
    According to the bug report, the two kids pressed random keys on both the physical and on-screen keyboards, which eventually led to a crash of the Linux Mint screensaver, allowing the two access to the desktop.
    “I thought it was a unique incident, but they managed to do it a second time,” the user added.
    Bug source: Pressing the ē key on the OSK
    According to Linux Mint lead developer Clement Lefebvre, the issue was eventually tracked down to libcaribou, the on-screen keyboard (OSK) component that ships with Cinnamon, the desktop interface used by Linux Mint.

    More specifically, the bug occurs when users press the “ē” key on the on-screen keyboard.
    In most scenarios the bug merely crashes the Cinnamon desktop process, but if the on-screen keyboard is opened from the screensaver, it crashes the screensaver instead, allowing users to access the underlying desktop.
    Lefebvre said the bug was introduced in the Linux Mint OS when the project patched another vulnerability last October, tracked as CVE-2020-25712.
    Since then, all Linux Mint distributions using a Cinnamon version of 4.2 and later are vulnerable to this bypass. Cinnamon 4.2 is where the on-screen keyboard was added to the screensaver page.
    A patch was released this week, on Wednesday, that addresses the bug and prevents future crashes.
    Lefebvre said the Linux Mint project is now working on adding a setting that will let users disable the on-screen keyboard, which would make mitigating future bugs in this component easier until patches are generally available.


    Ransomware attacks now to blame for half of healthcare data breaches

    Almost half of all data breaches in hospitals and the wider healthcare sector are the result of ransomware attacks, according to new research.
    Ransomware gangs are increasingly adding an extra layer of extortion to attacks by not only encrypting networks and demanding hundreds of thousands or even millions of dollars in bitcoin to restore them, but also stealing sensitive information and threatening to publish it if the ransom isn’t paid.


    This double extortion technique is intended as extra leverage to force victims of ransomware attacks to give in and pay the ransom rather than taking the time to restore the network themselves. For healthcare, the prospect of data being leaked on the internet is particularly disturbing as it can involve sensitive private medical data alongside other forms of identifiable personal information of patients.
    Some organisations will, therefore, opt to pay the ransom to prevent this happening, while others won’t give in to extortion demands. As a result, ransomware is now responsible for 46% of healthcare data breaches, according to analysis by cybersecurity researchers at Tenable. More than 35% of all breaches are linked to ransomware attacks, resulting in an often tremendous financial cost.
    One of the key methods ransomware gangs use to gain access to hospital networks is a pair of VPN vulnerabilities: one in Citrix ADC and Gateway hosts (CVE-2019-19781) and one in Pulse Connect Secure (CVE-2019-11510).
    Both of these vulnerabilities had received security patches by the beginning of 2020, but despite this, large numbers of organisations have yet to apply the updates.

    That’s allowed ransomware groups – and even nation-state-linked hacking operations – to exploit unpatched vulnerabilities to gain a foothold on networks, and they’ll continue to do so as long as networks haven’t received the required security patches.
    “As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed, and represent lucrative opportunities for ransomware actors,” said Renaud Deraison, co-founder and chief technology officer at Tenable.
    The key way to protect networks from falling victim to ransomware and other cyberattacks is to apply patches when they’re released, particularly those designed to fix critical vulnerabilities. And if there are applications your organisation uses that no longer receive security updates, researchers recommend replacing that software with an alternative that’s still supported.
    “If the software solutions used by your organization are no longer receiving security updates, upgrading to one with an active support contract is vital,” the report says.
    “It is imperative that organizations identify assets within their environments that are vulnerable to months- and years-old flaws and apply relevant patches immediately,” it said.


    Toyota slapped with $180 million fine for violating Clean Air Act

    Toyota has agreed to pay $180 million to settle claims that the company failed to comply with the US Clean Air Act for a decade.

    The settlement was announced by the US Department of Justice (DoJ) on Thursday. According to the complaint, the civil lawsuit — filed by the US government — has now been laid to rest in return for the penalty payment. 
    The DoJ says that Toyota conducted “systematic, longstanding violations of Clean Air Act emission-related defect reporting requirements, which require manufacturers to report potential defects and recalls affecting vehicle components designed to control emissions.”
    In the US, the Clean Air Act stipulates permissible levels of pollution such as nitrogen oxide (NOx) produced by vehicles sold in the country. Automakers are required to notify the Environmental Protection Agency (EPA) when 25 or more vehicles, or engines, in a given year have a defect related to emissions standards. 
    Manufacturers must file an Emissions Defect Information Report (EDIR), as well as update the agency on progress in fixing problems, which the DoJ says Toyota failed to do.
    “These mandatory reporting requirements are critical to the Clean Air Act’s purpose of protecting human health and the environment from harmful air pollutants: They encourage manufacturers to investigate and voluntarily address defects that may result in excess emissions of harmful air pollutants,” prosecutors say. 
    The complaint, filed in Manhattan federal court, alleges that from roughly 2005 to 2015, Toyota “failed to comply” with reporting requirements, delaying at least 78 EDIRs — some of which were eight years overdue — alongside reports relating to fixes for emissions-based issues in its vehicles.

    Prosecutors estimate the reports were linked to “millions of vehicles with the potential to exhibit emission-related defects.”
    The civil penalty is the largest issued to date for violations of EPA reporting requirements, but it is subject to a period of public comment and final court approval.
    “Toyota shut its eyes to the noncompliance, failing to provide proper training, attention, and oversight to its Clean Air Act reporting obligations,” commented Audrey Strauss, Acting US Attorney for the Southern District of New York. “Toyota’s actions undermined EPA’s self-disclosure system and likely led to delayed or avoided emission-related recalls, resulting in financial benefit to Toyota and excess emissions of air pollutants. Today, Toyota pays the price for its misconduct with a $180 million civil penalty and agreement to injunctive relief to ensure that its violations will not be repeated.”
    The lawsuit is one of the latest emissions-related issues that the US government has tackled in recent years. In September 2020, Daimler AG settled a $1.5 billion court case related to Mercedes-Benz diesel vehicles sold in the United States with defeat devices, a core element of the Volkswagen emissions scandal. 
    Both Volkswagen and Daimler were involved in the 2016 scandal, in which the automakers sold vehicles containing devices that tampered with NOx readings in order to fraudulently adhere to the US Clean Air Act.
    Volkswagen’s role in the plot has also cost the company dearly. In March, the automaker said the scandal has so far cost $34.69 billion in fines and settlements. 
    ZDNet has reached out to Toyota and will update when we hear back.


    More than 10mil users installed Android apps that showed out-of-context ads

    Google has removed 164 Android applications from the official Play Store after security researchers caught the apps bombarding users with out-of-context ads last year.

    “Out-of-context ads”, or “out-of-app ads”, is a relatively new term that refers to mobile ads shown inside a popup or across the entire screen, separate from the app that served them.
    These types of ads have been banned on the Play Store since February 2020, when Google ruled that these ads make it impossible for users to determine the app from where the ad originated, opening a loophole on Android devices for silent ad spam.
    However, while the original ban on out-of-context ads brought bans for 600 Android apps, this didn’t mean that app developers stopped abusing this mechanism.
    Both in June and October 2020, Google was forced to intervene again and ban a wave of 38 and 240 apps, respectively, that continued to abuse this mechanism.
    Both app clusters were discovered by White Ops, a security firm specialised in detecting bot and advertising fraud.
    But this week, White Ops said that it recently discovered another app cluster that also abused out-of-context ads, one that managed to stay undetected longer than the others: for more than two years.

    Most of these 164 apps mimicked more popular applications, copying both functionality and names from more established apps in order to garner quick downloads.
    In total, White Ops said the apps achieved their goal and were downloaded more than 10 million times before they were discovered and reported to Google’s security team.
    The names of all the 164 Android apps are too long to include in this news article, but users can find a complete list in White Ops’ report.
    According to Google Play Store rules, the apps were removed from the store and disabled on users’ devices, but users still need to manually remove them from their phones.


    Xiaomi added to US list of alleged Communist Chinese military companies

    Chinese hardware manufacturer Xiaomi has been added to a list of alleged Communist Chinese military companies by the United States Department of Defense.
    “The Department is determined to highlight and counter the People’s Republic of China’s (PRC) Military-Civil Fusion development strategy, which supports the modernisation goals of the People’s Liberation Army by ensuring its access to advanced technologies and expertise acquired and developed by even those PRC companies, universities, and research programs that appear to be civilian entities,” the department said in a statement.
    The new list [PDF] contains eight other companies: Advanced Micro-Fabrication Equipment, Luokong Technology, Beijing Zhongguancun Development Investment Center, Gowin Semiconductor, Grand China Aie, Global Tone Communication, China National Aviation Holding company, and Commercial Aircraft Corporation of China.
    Already on the list are companies that include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    In recent weeks, the New York Stock Exchange has struggled to handle the consequences and interpretation of the listings, saying it would delist a trio of Chinese telcos, before changing its mind, and then reverting to its original decision.
    The delisting of China Telecom, China Mobile, and China Unicom Hong Kong was taken to comply with a 12 November 2020 executive order from outgoing and twice-impeached US president Donald Trump. The executive order forbids trading and investing in any of the listed companies, and bans trading in any new companies 60 days after the US places such a Communist Chinese military company label on them.
    In the executive order, Trump said China was “exploiting United States capital” to boost and update its military, which he claimed would allow Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons and malicious cyber-enabled actions against the United States and its people”.

    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.
    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also said the PRC “exploits United States investors” to finance its military.
    Last week, Trump signed an executive order to ban eight Chinese apps — Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office — citing national security concerns.


    NSA warns against using DoH inside enterprise networks

    The US National Security Agency today published a guide on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past two years.

    The US cybersecurity agency warns that while technologies like DoH can encrypt and hide user DNS queries from network observers, they also have downsides when used inside corporate networks.
    “DoH is not a panacea,” the NSA said in a security advisory [PDF] published today, claiming that the use of the protocol gives companies a false sense of security, echoing many of the arguments presented in a ZDNet feature on DoH in October 2019.
    The NSA said that DoH does not fully prevent threat actors from seeing a user’s traffic and that when deployed inside networks, it can be used to bypass many security tools that rely on sniffing classic (plaintext) DNS traffic to detect threats.
    Furthermore, the NSA argues that many of today’s DoH-capable DNS resolver servers are also externally hosted, outside of the company’s control and ability to audit.
    NSA: Use your own DoH resolvers, not third-party ones
    The NSA urges companies to avoid using encrypted DNS technologies inside their own networks, or at least use a DoH-capable DNS resolver server that is hosted internally and under their control.
    Moreover, the NSA argues that this same advice should also be applied to classic DNS servers, not just encrypted/DoH ones.

    “NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver,” the agency said.
    “This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.
    “All other DNS resolvers should be disabled and blocked,” the security agency said.
    CISA issued a similar warning last year
    The NSA is not alone in urging caution about encrypted DNS, not only DoH but also its counterpart, DoT (DNS-over-TLS).
    In April last year, the Cybersecurity and Infrastructure Security Agency also issued a directive asking all US federal agencies to disable DoH and DoT inside their networks due to security risks.
    CISA told agencies to wait until its engineers could provide an official government-hosted DoH/DoT resolver, which would mitigate the risks of sending government DoH/DoT traffic to third-party DNS providers.
    The NSA advisory also comes after Iranian cyberspies have been seen using DoH to exfiltrate data from hacked networks without getting detected.
    Further, free tools released on GitHub have also made it trivial to hijack encrypted DoH connections to hide stolen data and bypass classic DNS-based defensive software.
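    The NSA’s recommendation above (all DNS, encrypted or not, goes only to the designated enterprise resolver; everything else is blocked) can be checked against egress logs. The script below is an added example, not code from the NSA advisory or from ZDNet: it scans constructed proxy/firewall log lines in an assumed key=value format and flags plaintext DNS, DoT and DoH that bypass an assumed enterprise resolver address.

```python
import re

# Assumed address of the designated enterprise resolver (placeholder, not from the advisory).
ENTERPRISE_RESOLVER = "10.0.0.53"

# Well-known public DoH endpoints; a real deployment would use a maintained list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}

# Constructed sample lines in an assumed key=value proxy/firewall log format.
SAMPLE_LOG = """\
ts=1610640000 src=10.1.2.10 dst=10.0.0.53 dport=53 proto=udp
ts=1610640001 src=10.1.2.11 dst=8.8.8.8 dport=53 proto=udp
ts=1610640002 src=10.1.2.12 dst=9.9.9.9 dport=853 proto=tcp
ts=1610640003 src=10.1.2.13 dst=104.16.248.249 dport=443 proto=tcp host=cloudflare-dns.com path=/dns-query ctype=application/dns-message
ts=1610640004 src=10.1.2.14 dst=93.184.216.34 dport=443 proto=tcp host=example.com path=/index.html ctype=text/html
ts=1610640005 src=10.1.2.15 dst=203.0.113.7 dport=443 proto=tcp host=resolver.example.net path=/dns-query ctype=application/dns-message
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    return dict(_KV.findall(line))


def classify(rec):
    """Return a reason string if the record bypasses the enterprise resolver, else None."""
    dst = rec.get("dst", "")
    if dst == ENTERPRISE_RESOLVER:
        return None  # traffic to the designated resolver is the sanctioned path
    dport = rec.get("dport")
    if dport == "53":
        return "plaintext DNS to non-enterprise resolver"
    if dport == "853":
        return "DoT to non-enterprise resolver"
    # DoH rides on 443, so look at HTTP-level indicators the proxy recorded.
    if rec.get("host", "").lower() in KNOWN_DOH_HOSTS:
        return "DoH to known public resolver"
    if rec.get("path", "").startswith("/dns-query") or rec.get("ctype") == "application/dns-message":
        return "DoH indicators (dns-query path / dns-message media type)"
    return None


def scan(log_text):
    """Return (src, dst, reason) for every line that should raise an alert."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append((rec.get("src"), rec.get("dst"), reason))
    return findings


if __name__ == "__main__":
    for src, dst, reason in scan(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: {reason}")
```

The host/path/media-type checks only work where the proxy terminates TLS or logs SNI and request metadata; without that visibility, the port 53/853 rules and a block on known resolver addresses are what remain.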