More stories

  • Ransomware reveals the hidden weakness of our big tech world

    Ransomware continues to cause damage across the world. Rarely a week goes by without another company, or city, or hospital, falling prey to the gangs who will encrypt the data across PCs and networks and demand thousands or millions in exchange for setting it free.
    These aren’t victimless crimes; every successful attack means a company faces huge costs and risks being pushed out of business, or public services disrupted just when we need them, or medical services put in jeopardy in the middle of a crisis.


    And yet it seems impossible to stop the attacks or catch the gangs. That’s because the ongoing success of ransomware reflects many of the real-world failings of technology that we often forget or gloss over.
    There are obvious, fundamental weaknesses that ransomware exploits. In some cases these are problems that have existed for years, that the tech industry has failed to address; others are issues that are, right now, beyond the skills of the smartest entrepreneurs who want to tackle cybersecurity challenges.
    A few examples spring to mind. Hackers would be unable to gain even their first foothold if companies took security seriously. That means applying patches to vulnerable software when they are issued, not months or years later (or never). Equally, companies wouldn’t be on the tedious treadmill of applying constant security updates if the tech industry shipped software code that was secure in the first place.
    And while we tend to think of the internet as a borderless world, the real world of geopolitics looms large when it comes to ransomware, because many of these gangs operate from countries that have no interest in catching such crooks or handing them over to police in other jurisdictions. In some cases that’s because the ransomware gangs are bringing in much-needed funds for the country; in other cases, so long as the gangs aren’t going after local victims, the authorities are quietly happy for them to create havoc elsewhere.

    It’s not all doom and gloom; the fight back against ransomware is advancing on a few fronts.
    Intel has showcased some new hardware-level technologies that it says will be able to detect a ransomware attack that antivirus alone might miss.
    A group of tech companies including Microsoft, Citrix and FireEye is working on a three-month project to come up with options that they promise will “significantly mitigate” the ransomware threat by identifying different ways of stopping such attacks. And more political pressure should be put on the nation states that are happy to let ransomware gangs flourish within their borders.
    There is also a need to put more pressure on governments to look at whether, and in what circumstances, it should be acceptable to pay the ransom at all. Profit is the only reason that ransomware exists; if it is possible to stop the gangs from making their big payday, then the problem goes away almost immediately.
    Everyone seems to agree that ransomware is a menace that can no longer be ignored. Now we need to see some tangible progress before these attacks create more chaos.

  • DuckDuckGo surpasses 100 million daily search queries for the first time

    Privacy-focused search engine DuckDuckGo reached a major milestone in its 12-year history this week: on Monday it recorded its first-ever day with more than 100 million user search queries.
    The achievement comes after a period of sustained growth the company has been seeing for the past two years, and especially since August 2020, when the search engine began seeing more than 2 billion search queries a month on a regular basis.
    DuckDuckGo’s popularity comes after the search engine expanded beyond its own site; it now offers mobile apps for Android and iOS, as well as a dedicated Chrome extension.
    More than 4 million users have installed these apps and the extension, the company said in a tweet in September 2020.

    But the search engine’s rising popularity is also due to its stated goal of not collecting user data and providing the same search results to all users.
    As it highlighted last year, this lack of granular data sometimes makes it hard for the company to even estimate the size of its own userbase.
    But this dedication to privacy has also helped the company gain a following among the privacy-conscious crowd. DuckDuckGo has been selected as the default search engine in the Tor Browser and is often the default search engine in the private browsing modes of several other browsers.
    Historic week for privacy apps

    DuckDuckGo’s historical milestone comes in a week when both Signal and Telegram, two other privacy-centric apps, also announced major periods of growth.
    Telegram announced on Monday that it reached 500 million registered users, while Signal’s servers went down on Friday after seeing “millions upon millions of new users” in a sudden influx the company said exceeded even its most optimistic projections.

    We have been adding new servers and extra capacity at a record pace every single day this week nonstop, but today exceeded even our most optimistic projections. Millions upon millions of new users are sending a message that privacy matters. We appreciate your patience.
    — Signal (@signalapp) January 15, 2021

    Both spikes in new users for Signal and Telegram are a direct result of a major public relations snafu at Facebook after the company announced last week it would be blocking access to WhatsApp accounts unless users agreed to a new privacy policy that granted Facebook access to more WhatsApp user data.
    Yesterday, on Friday, Facebook delayed the new privacy policy by three months, but by that point, the damage had been done, and hundreds of millions of users were reminded of their right to privacy, flocking to Signal and Telegram — but it wouldn’t be a stretch to think that many users were reminded to use DuckDuckGo instead of Google either.

  • Iconic BugTraq security mailing list shuts down after 27 years

    BugTraq, one of the cybersecurity industry’s first mailing lists dedicated to publicly disclosing security flaws, announced today it was shutting down at the end of the month, on January 31, 2021.

    The site played a crucial role in shaping the cybersecurity industry in its early, fledgling days.
    Established by Scott Chasin on November 5, 1993, BugTraq provided the first centralized portal where security researchers could expose vulnerabilities after vendors refused to release patches.
    The portal existed for many years in a legal gray zone. Discussions on the site about the legality of “disclosing” security flaws when vendors refused to patch are what shaped most of today’s vulnerability disclosure guidelines, the axioms on which most bug hunters operate today.
    Today, it sounds reasonable for a security researcher to release details about a patched or unpatched bug, but back then, such disclosures were often controversial, sometimes resulting in legal threats.

    But as time went by, BugTraq’s popularity and principles won the day. The portal became the first place where many major vulnerabilities were announced in an era where researchers couldn’t easily host personal sites and blogs.
    Similar bug disclosure lists were launched following BugTraq’s original model, and many security firms founded over the years ended up scraping the site’s content as the base for their own vulnerability databases.
    BugTraq’s demise

    BugTraq itself also changed hands several times, from Chasin to Brown University, then to SecurityFocus, which was acquired by Symantec.
    The portal’s demise started in 2019 when Broadcom acquired Symantec. Three months later, in February 2020, the site stopped adding new content, remaining mostly an empty shell.
    Today, the site’s last maintainers confirmed the portal’s current state of affairs and formalized BugTraq’s passing into infosec lore.
    “At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list,” the message read.
    Although many saw it coming, the site’s announcement triggered a wave of nostalgia from today’s cybersecurity veterans, many of whom either started on or were active on the mailing list since its launch.

    I was an early 1980s Internet hacker. Let me explain why “Bugtraq” is probably the most important achievement in the world of cybersecurity. https://t.co/Eh1ySWdNJU
    — Robᵉʳᵗ Graham😷, provocateur (@ErrataRob) January 16, 2021

    “I’d liken its impact to the impact Twitter currently has on the way we communicate today,” said Ryan Naraine, former director of security strategy at Intel, and one of the cybersecurity industry’s veterans.
    “Except that it was mandatory to be on there [on BugTraq] to get advisories and live commentary from what wasn’t yet a fully formed security industry.
    “So many big stories were originally announced in BugTraq and FullDisclosure [another similar mailing list],” Naraine added.
    “It’s the place the Litchfields made their name in the early days. I remember David Litchfield consistently dropping Oracle hacking tools and research.
    “It was the watercooler that connected what was emerging as a security industry.”

  • Joker's Stash, the internet's largest carding forum, is shutting down

    Joker’s Stash, the internet’s largest marketplace for buying & selling stolen card data, announced today that it was shutting down within a month, on February 15, 2021.
    The news was announced earlier today by the site’s administrator via messages posted on various underground cybercrime forums where the site usually advertised its services.
    The site had repeated problems this past fall
    “Joker’s Stash’s fall comes after a very turbulent close to 2020,” threat intelligence firm Intel 471 said in a blog post today, documenting the site’s demise.
    “In October, the actor who allegedly runs the site announced he had contracted COVID-19, spending a week in the hospital. The condition impacted the site’s forums, inventory replenishments, and other operations,” the company said.
    “Intel 471 also observed the site’s clients complaining that the shop’s payment card data quality was increasingly poor.”
    On top of this, in December 2020, the FBI and Interpol also seized four domains operated by the marketplace.
    At the time, the site’s administrators said the law enforcement crackdown had a limited impact on the site, as the domains were only used as proxies to reroute customers from landing pages to the actual marketplace, and that authorities did not seize any servers containing card or user data.

    But even with that limited impact, the domain seizure damaged the site’s reputation, showing customers that the once-untouchable Joker’s Stash was now fair game for law enforcement agencies.
    Site estimated to have made hundreds of millions of US dollars
    While the Joker’s Stash admin did not go into the details that led them to decide to shut down the site, it is possible that they saw the writing on the wall and decided to call it quits before a more successful law enforcement takedown.
    Nonetheless, this doesn’t mean the site administrator is now immune to prosecution. US authorities have often indicted cybercriminals even years after the crimes took place.
    Before announcing its “retirement” today, Joker’s Stash was considered one of the most profitable cybercrime operations in existence.
    “The shop is estimated to have made hundreds of millions of dollars in illicit profits, although this money also goes to the vendors themselves,” Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, told ZDNet in an interview last month.
    In 2020 alone, the site posted for sale more than 35 million CP (card present) records and over 8 million CNP (card not present) records.
    “In 2020, its major breaches have included BIGBADABOOM-III (which compromised Wawa), NIRVANA (which compromised both Islands Fine Burgers & Drinks and Champagne French Bakery Cafe), and BLAZINGSUN (which compromised Dickey’s Barbecue Pit),” Thomas said.
    Joker’s Stash has been operating since October 7, 2014. The site’s administrator said they intend to wipe all servers and backups when they shutter operations next month.

  • AI set to replace humans in cybersecurity by 2030, says Trend Micro

    What do IT leaders believe the future of the profession will be, and what kind of threats will be most pervasive down the line?
    Dallas, TX-based cloud security firm Trend Micro recently carried out new research which reveals that over two-fifths (41%) of IT leaders believe that AI will replace their role by 2030.

    Its predictions report, Turning the Tide, forecasts that remote and cloud-based systems will be ruthlessly targeted in 2021.
    The research was compiled from interviews with 500 IT directors and managers, CIOs and CTOs and does not look good for their career prospects.
    Only 9% of respondents were confident that AI would definitely not replace their job within the next decade. In fact, nearly a third (32%) said they thought the technology would eventually work to completely automate all cybersecurity, with little need for human intervention.
    Almost one in five (19%) believe that attackers using AI to enhance their arsenal will be commonplace by 2025.
    Around a quarter (24%) of IT leaders polled also claimed that by 2030, data access will be tied to biometric or DNA data, making unauthorised access impossible.

    In the shorter term, respondents also predicted the following outcomes by 2025: most organisations will have significantly reduced investment in property as remote working becomes the norm (22%); nationwide 5G will have entirely transformed network and security infrastructure (21%); and security will be self-managing and automated using AI (15%). However, attackers using AI to enhance their arsenal will also be commonplace (19%).
    Bharat Mistry, Technical Director at Trend Micro, said: “We need to be realistic about the future. While AI is a useful tool in helping us to defend against threats, its value can only be harnessed in combination with human expertise.”
    Cybercriminals will continue to go where the money is — seeking the greatest financial returns on their attacks. Organizations and security teams must remain nimble and vigilant to stay ahead of criminals.
    So how can businesses mitigate the current threats? Trend Micro recommends that companies double down on best practice security and patch management programs and augment threat detection with round-the-clock security expertise to protect cloud workloads, emails, endpoints, networks, and servers. 
    It also recommends user education and training to extend corporate security best practices to the home, including advice against the use of personal devices whilst maintaining strict access controls for both corporate networks and the home office, including zero trust.
    Although tech bosses believe automation will do away with many roles within a decade, they should not spend time worrying about jobs becoming obsolete for a while.
    IT will adapt to accommodate the new ways of working, and companies will evolve to use automation to ease the challenges caused by skills shortages.

  • Linux Mint fixes screensaver bypass discovered by two kids

    The Linux Mint project this week patched a security flaw that could have allowed a threat actor to bypass the OS screensaver and its password and access locked desktops.

    This particularly nasty security flaw was discovered by two kids playing on their dad’s computer, according to a bug report on GitHub.
    “A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play,” wrote a user identifying themselves as robo2bobo.
    According to the bug report, the two kids pressed random keys on both the physical and on-screen keyboards, which eventually led to a crash of the Linux Mint screensaver, allowing the two access to the desktop.
    “I thought it was a unique incident, but they managed to do it a second time,” the user added.
    Bug source: Pressing the ē key on the OSK
    According to Linux Mint lead developer Clement Lefebvre, the issue was eventually tracked down to libcaribou, the on-screen keyboard (OSK) component that ships with Cinnamon, the desktop interface used by Linux Mint.

    More specifically, the bug occurs when users press the “ē” key on the on-screen keyboard.
    But while in most scenarios, the bug crashes the Cinnamon desktop process, if the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver instead, allowing users to access the underlying desktop.
    Lefebvre said the bug was introduced in the Linux Mint OS when the project patched another vulnerability last October, tracked as CVE-2020-25712.
    Since then, all Linux Mint distributions using Cinnamon version 4.2 or later have been vulnerable to this bypass; Cinnamon 4.2 is the release that added the on-screen keyboard to the screensaver page.
    A patch was released this week, on Wednesday, that addresses the bug and prevents future crashes.
    Lefebvre said the Linux Mint project is now working on adding a setting that will let users disable the on-screen keyboard, which would make mitigating future bugs in this component easier until patches are generally available.

  • Ransomware attacks now to blame for half of healthcare data breaches

    Almost half of all data breaches in hospitals and the wider healthcare sector are the result of ransomware attacks, according to new research.
    Ransomware gangs are increasingly adding an extra layer of extortion to attacks by not only encrypting networks and demanding hundreds of thousands or even millions of dollars in bitcoin to restore them, but also stealing sensitive information and threatening to publish it if the ransom isn’t paid.


    This double extortion technique is intended as extra leverage to force victims of ransomware attacks to give in and pay the ransom rather than taking the time to restore the network themselves. For healthcare, the prospect of data being leaked on the internet is particularly disturbing as it can involve sensitive private medical data alongside other forms of identifiable personal information of patients.
    Some organisations will, therefore, opt to pay the ransom to prevent this happening, while others won’t give in to extortion demands. As a result, ransomware is now responsible for 46% of healthcare data breaches, according to analysis by cybersecurity researchers at Tenable. More than 35% of all breaches are linked to ransomware attacks, resulting in an often tremendous financial cost.
    One of the key methods ransomware gangs use to gain access to hospital networks is a pair of VPN vulnerabilities: CVE-2019-19781 in Citrix ADC and Gateway hosts, and CVE-2019-11510 in Pulse Connect Secure.
    Both of these vulnerabilities had received security patches to stop hackers from exploiting them by the beginning of 2020, but despite this, large numbers of organisations have yet to apply the update.

    That’s allowed ransomware groups – and even nation-state-linked hacking operations – to exploit unpatched vulnerabilities to gain a foothold on networks and they’ll continue to do so as long as networks haven’t received the required security patches.
    “As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed, and represent lucrative opportunities for ransomware actors,” said Renaud Deraison, co-founder and chief technology officer at Tenable.
    The key way to protect networks from falling victim to ransomware and other cyberattacks is to apply patches when they’re released, particularly those designed to fix critical vulnerabilities. And if there are applications your organisation uses that no longer receive security updates, researchers recommend replacing that software with an alternative that’s still supported.
    “If the software solutions used by your organization are no longer receiving security updates, upgrading to one with an active support contract is vital,” the report says.
    “It is imperative that organizations identify assets within their environments that are vulnerable to months- and years-old flaws and apply relevant patches immediately,” it said.

  • Toyota slapped with $180 million fine for violating Clean Air Act

    Toyota has agreed to pay $180 million to settle claims that the company failed to comply with the US Clean Air Act for a decade.

    The settlement was announced by the US Department of Justice (DoJ) on Thursday. According to the complaint, the civil lawsuit — filed by the US government — has now been laid to rest in return for the penalty payment. 
    The DoJ says that Toyota conducted “systematic, longstanding violations of Clean Air Act emission-related defect reporting requirements, which require manufacturers to report potential defects and recalls affecting vehicle components designed to control emissions.”
    In the US, the Clean Air Act stipulates permissible levels of pollution such as nitrogen oxide (NOx) produced by vehicles sold in the country. Automakers are required to notify the Environmental Protection Agency (EPA) when 25 or more vehicles, or engines, in a given year have a defect related to emissions standards. 
    Manufacturers must file an Emissions Defect Information Report (EDIR), as well as update the agency on progress in fixing problems, which the DoJ says Toyota failed to do.
    “These mandatory reporting requirements are critical to the Clean Air Act’s purpose of protecting human health and the environment from harmful air pollutants: They encourage manufacturers to investigate and voluntarily address defects that may result in excess emissions of harmful air pollutants,” prosecutors say. 
    The complaint, filed in Manhattan federal court, alleges that from roughly 2005 to 2015, Toyota “failed to comply” with reporting requirements, delaying at least 78 EDIRs — some of which were eight years overdue — alongside reports relating to fixes for emissions-based issues in its vehicles.

    Prosecutors estimate the reports were linked to “millions of vehicles with the potential to exhibit emission-related defects.”
    The civil penalty is the largest issued to date for failing to meet EPA reporting requirements, but it is subject to a period of public comment and final court approval.
    “Toyota shut its eyes to the noncompliance, failing to provide proper training, attention, and oversight to its Clean Air Act reporting obligations,” commented Audrey Strauss, Acting US Attorney for the Southern District of New York. “Toyota’s actions undermined EPA’s self-disclosure system and likely led to delayed or avoided emission-related recalls, resulting in financial benefit to Toyota and excess emissions of air pollutants. Today, Toyota pays the price for its misconduct with a $180 million civil penalty and agreement to injunctive relief to ensure that its violations will not be repeated.”
    The lawsuit is one of the latest emissions-related issues that the US government has tackled in recent years. In September 2020, Daimler AG settled a $1.5 billion court case related to Mercedes-Benz diesel vehicles sold in the United States with defeat devices, a core element of the Volkswagen emissions scandal. 
    Both Volkswagen and Daimler were involved in the 2016 scandal, in which the automakers sold vehicles containing devices that tampered with NOx readings in order to fraudulently adhere to the US Clean Air Act.
    Volkswagen’s role in the plot has also cost the company dearly. In March, the automaker said the scandal has so far cost $34.69 billion in fines and settlements. 
    ZDNet has reached out to Toyota and will update when we hear back.