More stories

  •

    Xiaomi denies any ties with Chinese military

    Xiaomi has released a statement saying it has no ties with the Chinese military, following allegations by the US government that it does.
    “The company confirms that it is not owned, controlled, or affiliated with the Chinese military, and is not a ‘Communist Chinese military company’ defined under the NDAA,” the company said in a statement on Friday.
    It added that it has been “operating in compliance with the relevant laws and regulations of jurisdictions where it conducts its business”.
    “The company reiterates that it provides products and services for civilian and commercial use,” the statement said.
    It comes after the United States Department of Defense added the Chinese hardware manufacturer to a list of alleged Communist Chinese military companies.
    Alongside Xiaomi, Advanced Micro-Fabrication Equipment, Luokong Technology, Beijing Zhongguancun Development Investment Center, Gowin Semiconductor, Grand China Air, Global Tone Communication, China National Aviation Holding Company, and Commercial Aircraft Corporation of China were added to the list.
    Other Chinese companies that were already on the list included Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.

    Outgoing and twice-impeached US President Donald Trump signed an executive order on 12 November 2020 that forbids trading and investing in any of the listed companies, and bans trading in any new companies 60 days after the US places such a Communist Chinese military company label on them.
    The New York Stock Exchange struggled with the consequences and interpretation of the listings: it said it would delist a trio of Chinese telcos — China Telecom, China Mobile, and China Unicom Hong Kong — then changed its mind, and then reverted to its original decision.
    In the executive order, Trump said China was “exploiting United States capital” to boost and update its military, which he claimed would allow Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons and malicious cyber-enabled actions against the United States and its people”.
    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.
    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also recently signed an executive order to ban eight Chinese apps — Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office — citing national security concerns.

  •

    WhatsApp delays take-it-or-leave-it privacy terms update until May

    WhatsApp has announced that it will delay enforcing its new privacy terms from February 8 to May 15.
    With little fanfare, in recent weeks, WhatsApp has presented users with a prompt to accept its new privacy terms by February 8, or risk not being able to use the app. In the wording used, WhatsApp says the new privacy policy will change how it partners with Facebook to “offer integrations”, and that businesses can use Facebook services to manage WhatsApp chats.
    After some online consternation about what Facebook could access, WhatsApp clarified last week that its changes were focused on how businesses used the app.
    “We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way,” the company said. “Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data.”
    By the end of the week though, the company decided to delay the changes until May, saying there was a “lot of misinformation” flying around.
    “We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8,” it said.

    “We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15.”
    One of the beneficiaries of WhatsApp’s changes has been Signal, which has seen so many users sign up that its infrastructure fell over at the weekend.
    “We have been adding new servers and extra capacity at a record pace every single day this week nonstop, but today exceeded even our most optimistic projections,” the company tweeted. “Millions upon millions of new users are sending a message that privacy matters.”
    Over a day later, the company said the service had resumed; however, some users have been seeing a “bad encrypted message” warning that requires them to reset the session. Signal said its next update will fix this automatically.

  •

    Ransomware reveals the hidden weakness of our big tech world

    Ransomware continues to cause damage across the world. Rarely a week goes by without another company, or city, or hospital, falling prey to the gangs who will encrypt the data across PCs and networks and demand thousands or millions in exchange for setting it free.
    These aren’t victimless crimes; every successful attack means a company faces huge costs and risks being pushed out of business, or public services disrupted just when we need them, or medical services put in jeopardy in the middle of a crisis.


    And yet it seems impossible to stop the attacks or catch the gangs. That’s because the ongoing success of ransomware reflects many of the real-world failings of technology that we often forget or gloss over.
    There are obvious, fundamental weaknesses that ransomware exploits. In some cases these are problems that have existed for years, that the tech industry has failed to address; others are issues that are, right now, beyond the skills of the smartest entrepreneurs who want to tackle cybersecurity challenges.
    A few examples spring to mind. Hackers would be unable to gain even their first foothold if companies took security seriously. That means applying patches to vulnerable software when they are issued, not months or years later (or never). Equally, companies wouldn’t be on the tedious treadmill of applying constant security updates if the tech industry shipped software code that was secure in the first place.
    And while we tend to think of the borderless world of the internet, the real world of geopolitics looms large when it comes to ransomware as many of these gangs operate from countries that have no interest in catching such crooks or handing them over to police in other jurisdictions. In some cases that’s because the ransomware gangs are bringing in much needed funds for the country; in other cases so long as the gangs aren’t going after local victims, the authorities are quietly happy for them to create havoc elsewhere.

    It’s not all doom and gloom; the fight back against ransomware is advancing on a few fronts.
    Intel has showcased some new hardware-level technologies that it says will be able to detect a ransomware attack that antivirus alone might miss.
    A group of tech companies including Microsoft, Citrix and FireEye are working on a three-month project to come up with options that they promise will “significantly mitigate” the ransomware threat by identifying different ways of stopping such attacks. And more political pressure should be put on the nation states that are happy to let ransomware gangs flourish within their borders.
    There is also a need to put more pressure on governments to look at whether, and in what circumstances, it should be acceptable to pay the ransom at all. Profit is the only reason that ransomware exists; if it is possible to stop the gangs from making their big payday, then the problem goes away almost immediately.
    Everyone seems to agree that ransomware is a menace that can no longer be ignored. Now we need to see some tangible progress before these attacks create more chaos.

  •

    DuckDuckGo surpasses 100 million daily search queries for the first time

    Privacy-focused search engine DuckDuckGo reached a major milestone in its 12-year-old history this week when it recorded on Monday its first-ever day with more than 100 million user search queries.
    The achievement comes after a period of sustained growth the company has been seeing for the past two years, and especially since August 2020, when the search engine began seeing more than 2 billion search queries a month on a regular basis.
    DuckDuckGo’s popularity comes after the search engine expanded beyond its own site: it now offers mobile apps for Android and iOS, as well as a dedicated Chrome extension.
    More than 4 million users installed these apps and extension, the company said in a tweet in September 2020.

    But the search engine’s rising popularity is also due to its stated goal of not collecting user data and providing the same search results to all users.
    As it highlighted last year, this lack of granular data sometimes makes it hard for the company to even estimate the size of its own userbase.
    But this dedication to privacy has also helped the company gain a following among the privacy-conscious crowd. DuckDuckGo has been selected as the default search engine in the Tor Browser and is often the default search engine in the private browsing modes of several other browsers.
    Historic week for privacy apps

    DuckDuckGo’s historic milestone comes in a week when Signal and Telegram, two other privacy-centric apps, also announced major growth.
    Telegram announced on Monday that it reached 500 million registered users, while Signal’s servers went down on Friday after seeing “millions upon millions of new users” in a sudden influx the company said exceeded even its most optimistic projections.

    We have been adding new servers and extra capacity at a record pace every single day this week nonstop, but today exceeded even our most optimistic projections. Millions upon millions of new users are sending a message that privacy matters. We appreciate your patience.
    — Signal (@signalapp) January 15, 2021

    Both spikes in new users for Signal and Telegram are a direct result of a major public relations snafu at Facebook after the company announced last week it would be blocking access to WhatsApp accounts unless users agreed to a new privacy policy that granted Facebook access to more WhatsApp user data.
    Yesterday, on Friday, Facebook delayed the new privacy policy by three months, but by that point the damage had been done: hundreds of millions of users were reminded of their right to privacy and flocked to Signal and Telegram — and it wouldn’t be a stretch to think that many users were also reminded to use DuckDuckGo instead of Google.

  •

    Iconic BugTraq security mailing list shuts down after 27 years

    BugTraq, one of the cybersecurity industry’s first mailing lists dedicated to publicly disclosing security flaws, announced today it was shutting down at the end of the month, on January 31, 2021.

    The site played a crucial role in shaping the cybersecurity industry in its early, fledgling days.
    Established by Scott Chasin on November 5, 1993, BugTraq provided the first centralized portal where security researchers could expose vulnerabilities after vendors refused to release patches.
    The portal existed for many years in a legal gray zone. Discussions on the site about the legality of “disclosing” security flaws when vendors refused to patch are what shaped most of today’s vulnerability disclosure guidelines, the axioms on which most bug hunters operate today.
    Today it seems reasonable for a security researcher to release details about a patched or unpatched bug, but back then such details were often controversial and sometimes drew legal threats.

    But as time went by, BugTraq’s popularity and principles won the day. The portal became the first place where many major vulnerabilities were announced in an era where researchers couldn’t easily host personal sites and blogs.
    Similar bug disclosure lists were launched following BugTraq’s model, and many security firms founded over the years ended up scraping the site’s content as a base for their own vulnerability databases.
    BugTraq’s demise

    BugTraq itself also changed hands several times, from Chasin to Brown University, then to SecurityFocus, which was acquired by Symantec.
    The portal’s demise started in 2019 when Broadcom acquired Symantec. Three months later, in February 2020, the site stopped adding new content, remaining mostly an empty shell.
    Today, the site’s last maintainers confirmed the portal’s current state of affairs and formalized BugTraq’s passing into infosec lore.
    “At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list,” the message read.
    Although many saw it coming, the site’s announcement triggered a wave of nostalgia from today’s cybersecurity veterans, many of whom either started on or were active on the mailing list since its launch.

    I was an early 1980s Internet hacker. Let me explain why “Bugtraq” is probably the most important achievement in the world of cybersecurity. https://t.co/Eh1ySWdNJU
    — Robᵉʳᵗ Graham😷, provocateur (@ErrataRob) January 16, 2021

    “I’d liken its impact to the impact Twitter currently has on the way we communicate today,” said Ryan Naraine, former director of security strategy at Intel, and one of the cybersecurity industry’s veterans.
    “Except that it was mandatory to be on there [on BugTraq] to get advisories and live commentary from what wasn’t yet a fully formed security industry.
    “So many big stories were originally announced in BugTraq and FullDisclosure [another similar mailing list],” Naraine added.
    “It’s the place the Litchfields made their name in the early days. I remember David Litchfield consistently dropping Oracle hacking tools and research.
    “It was the watercooler that connected what was emerging as a security industry.”

  •

    Joker's Stash, the internet's largest carding forum, is shutting down

    Joker’s Stash, the internet’s largest marketplace for buying & selling stolen card data, announced today that it was shutting down within a month, on February 15, 2021.
    The news was announced earlier today by the site’s administrator via messages posted on various underground cybercrime forums where the site usually advertised its services.
    The site had repeated problems this past fall
    “Joker’s Stash’s fall comes after a very turbulent close to 2020,” threat intelligence firm Intel 471 said in a blog post today, documenting the site’s demise.
    “In October, the actor who allegedly runs the site announced he had contracted COVID-19, spending a week in the hospital. The condition impacted the site’s forums, inventory replenishments, and other operations,” the company said.
    “Intel 471 also observed the site’s clients complaining that the shop’s payment card data quality was increasingly poor.”
    On top of this, in December 2020, the FBI and Interpol also seized four domains operated by the marketplace.
    At the time, the site’s administrators said the law enforcement crackdown had a limited impact on the site, as the domains were only used as proxies to reroute customers from landing pages to the actual marketplace, and that authorities did not seize any servers containing card or user data.

    But while the seizure had little operational impact, it damaged the site’s reputation, showing customers that the once-untouchable Joker’s Stash was now fair game for law enforcement agencies.
    Site estimated to have made hundreds of millions of US dollars
    While the Joker’s Stash admin did not explain what led them to shut down the site, they may have seen the writing on the wall and decided to quit before a more successful law enforcement takedown.
    Nonetheless, this doesn’t mean the site administrator is now immune to prosecution. US authorities have often indicted cybercriminals even years after the crimes took place.
    Before announcing its “retirement” today, Joker’s Stash was considered one of the most profitable cybercrime operations in existence.
    “The shop is estimated to have made hundreds of millions of dollars in illicit profits, although this money also goes to the vendors themselves,” Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, told ZDNet in an interview last month.
    In 2020 alone, the site posted for sale more than 35 million CP (card present) records and over 8 million CNP (card not present) records.
    “In 2020, its major breaches have included BIGBADABOOM-III (which compromised Wawa), NIRVANA (which compromised both Islands Fine Burgers & Drinks and Champagne French Bakery Cafe), and BLAZINGSUN (which compromised Dickey’s Barbecue Pit),” Thomas said.
    Joker’s Stash has been operating since October 7, 2014. The site’s administrator said they intend to wipe all servers and backups when they shutter operations next month.

  •

    AI set to replace humans in cybersecurity by 2030, says Trend Micro

    What do IT leaders believe the future of the profession will be, and what kind of threats will be most pervasive down the line?
    Dallas, TX-based cloud security firm Trend Micro recently carried out new research which reveals that over two-fifths (41%) of IT leaders believe that AI will replace their role by 2030.

    Its predictions report, Turning the Tide, forecasts that remote and cloud-based systems will be ruthlessly targeted in 2021.
    The research was compiled from interviews with 500 IT directors and managers, CIOs and CTOs and does not look good for their career prospects.
    Only 9% of respondents were confident that AI would definitely not replace their job within the next decade. In fact, nearly a third (32%) said they thought the technology would eventually work to completely automate all cybersecurity, with little need for human intervention.
    Around a quarter (24%) of IT leaders polled also claimed that by 2030, data access will be tied to biometric or DNA data, making unauthorised access impossible.

    In the shorter term, respondents predicted the following outcomes by 2025: most organisations will have significantly reduced investment in property as remote working becomes the norm (22%); nationwide 5G will have entirely transformed network and security infrastructure (21%); attackers using AI to enhance their arsenal will be commonplace (19%); and security will be self-managing and automated using AI (15%).
    Bharat Mistry, Technical Director at Trend Micro, said: “We need to be realistic about the future. While AI is a useful tool in helping us to defend against threats, its value can only be harnessed in combination with human expertise.”
    Cybercriminals will continue to go where the money is — seeking the greatest financial returns on their attacks. Organizations and security teams must remain nimble and vigilant to stay ahead of criminals.
    So how can businesses mitigate the current threats? Trend Micro recommends that companies double down on best practice security and patch management programs and augment threat detection with round-the-clock security expertise to protect cloud workloads, emails, endpoints, networks, and servers. 
    It also recommends user education and training to extend corporate security best practices to the home, including advice against the use of personal devices whilst maintaining strict access controls for both corporate networks and the home office, including zero trust.
    Although tech bosses believe automation will do away with many roles within a decade, they should not spend time worrying about jobs becoming obsolete for a while.
    IT will adapt to accommodate the new ways of working, and companies will evolve to use automation to ease the challenges caused by skills shortages.

  •

    Linux Mint fixes screensaver bypass discovered by two kids

    The Linux Mint project this week patched a security flaw that could have allowed an attacker to bypass the OS screensaver and its password prompt and access locked desktops.

    This particularly nasty security flaw was discovered by two kids playing on their dad’s computer, according to a bug report on GitHub.
    “A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play,” wrote a user identifying themselves as robo2bobo.
    According to the bug report, the two kids pressed random keys on both the physical and on-screen keyboards, which eventually led to a crash of the Linux Mint screensaver, allowing the two access to the desktop.
    “I thought it was a unique incident, but they managed to do it a second time,” the user added.
    Bug source: Pressing the ē key on the OSK
    According to Linux Mint lead developer Clement Lefebvre, the issue was eventually tracked down to libcaribou, the on-screen keyboard (OSK) component that ships with Cinnamon, the desktop interface used by Linux Mint.

    More specifically, the bug occurs when users press the “ē” key on the on-screen keyboard.
    But while in most scenarios, the bug crashes the Cinnamon desktop process, if the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver instead, allowing users to access the underlying desktop.
    Lefebvre said the bug was introduced in the Linux Mint OS when the project patched another vulnerability last October, tracked as CVE-2020-25712.
    Since then, all Linux Mint releases shipping Cinnamon 4.2 or later have been vulnerable to this bypass; Cinnamon 4.2 is where the on-screen keyboard was added to the screensaver page.
    A patch was released this week, on Wednesday, that addresses the bug and prevents future crashes.
    Lefebvre said the Linux Mint project is now working on adding a setting that will let users disable the on-screen keyboard, which would make mitigating future bugs in this component easier until patches are generally available.