More stories

    Rust support moves into Android underpinnings

    In an effort to reduce memory safety bugs, Google has announced that the Android Open Source Project now supports building parts of the operating system in Rust. Apps on Android can be written in managed languages such as Java and Kotlin, but those languages do not offer the “control and predictability” of the lower-level C and C++ used to build the Android operating system itself. “They are light on resources and have more predictable performance characteristics. For C and C++, the developer is responsible for managing memory lifetime. Unfortunately, it’s easy to make mistakes when doing this, especially in complex and multithreaded codebases,” the Android team wrote in a blog post. “Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid. This safety is achieved while providing equivalent performance to C and C++.” Today, a C/C++ process that handles untrusted input is run in a sandbox, which Google said is expensive and still leaves attackers the option of chaining several vulnerabilities together to break out. Google also found that half of its memory bugs were in code less than a year old, so it made sense to target Rust at new code rather than rewrite the OS. “Even if we redirected the efforts of every software engineer on the Android team, rewriting tens of millions of lines of code is simply not feasible,” the team said.

    “The comparative rarity of older memory bugs may come as a surprise to some, but we’ve found that old code is not where we most urgently need improvement. Software bugs are found and fixed over time, so we would expect the number of bugs in code that is being maintained but not actively developed to go down over time.” One system already getting the Rust treatment is Gabeldorsche, the successor to Android’s current Bluetooth stack. The Android team also addressed the difficulty of detecting and reproducing memory bugs in order to fix them. “For complex C/C++ code bases, often there are only a handful of people capable of developing and reviewing the fix, and even with a high amount of effort spent on fixing bugs, sometimes the fixes are incorrect,” they wrote. “Bug detection is most effective when bugs are relatively rare and dangerous bugs can be given the urgency and priority that they merit. Our ability to reap the benefits of improvements in bug detection require that we prioritize preventing the introduction of new bugs.” Another benefit of Rust is the additional constraints and checking built into the language, such as requiring variables to be initialized before use, which Google said could prevent the root cause of up to 5% of security vulnerabilities in Android. “Adding a new language to the Android platform is a large undertaking. There are toolchains and dependencies that need to be maintained, test infrastructure and tooling that must be updated, and developers that need to be trained,” the team said. “For the past 18 months we have been adding Rust support to the Android Open Source Project, and we have a few early adopter projects that we will be sharing in the coming months.” Earlier this year, Rust moved out of Mozilla and into its own foundation. Mozilla used Rust to build its Servo browser engine and to replace 160,000 lines of Firefox’s C++ with 85,000 lines of Rust.
    Mozilla recently ran ThreadSanitizer across Firefox to flush out data races in the C/C++ that remains in the browser’s codebase. With a mixed codebase, Mozilla was concerned that races might be obscured when execution passes through Rust code, but the run nevertheless turned up a pair of pure-Rust races. “Overall Rust appears to be fulfilling one of its original design goals: Allowing us to write more concurrent code safely,” it said. “Both WebRender and Stylo are very large and pervasively multi-threaded, but have had minimal threading issues. What issues we did find were mistakes in the implementations of low-level and explicitly unsafe multithreading abstractions — and those mistakes were simple to fix. This is in contrast to many of our C++ races, which often involved things being randomly accessed on different threads with unclear semantics, necessitating non-trivial refactorings of the code.” Unsurprisingly, Mozilla recommended that new projects be built in Rust rather than C or C++.
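The two stories above describe the same mechanisms from two angles: bounds checks that turn an out-of-range read into a panic instead of a silent read of neighbouring memory, a compiler that refuses to share mutable state between threads without a lock, and a small `unsafe` surface where the remaining bugs concentrate. The Rust program below is an added example written for this page, not code from Google’s or Mozilla’s posts; the function names and the sample buffer are my own. Ownership and forced initialization are enforced at compile time and so cannot be shown executing, which is why the example sticks to the runtime bounds check, the thread-safety guarantee, and the shape of an `unsafe` escape hatch.

```rust
use std::panic;
use std::sync::{Arc, Mutex};
use std::thread;

/// Safe, bounds-checked read: an out-of-range index yields None instead
/// of reading whatever sits past the end of the buffer, as C's buf[idx] would.
pub fn checked_read(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Plain `[]` indexing is also checked, but the failure is a panic at
/// runtime (the thread unwinds) rather than a silent invalid access.
/// Returns true if the access panicked.
pub fn index_panics(buf: &[u8], idx: usize) -> bool {
    panic::catch_unwind(move || buf[idx]).is_err()
}

/// The escape hatch: `get_unchecked` inside `unsafe` skips the check, so,
/// exactly as in C, the caller must guarantee idx < buf.len(). Code like
/// this is where Mozilla found its remaining Rust races, and where review
/// effort belongs. Here the contract is re-asserted so the function
/// cannot be misused.
pub fn unchecked_read(buf: &[u8], idx: usize) -> u8 {
    assert!(idx < buf.len(), "caller violated the unsafe contract");
    // SAFETY: idx was checked against buf.len() immediately above.
    unsafe { *buf.get_unchecked(idx) }
}

/// Shared mutable state across threads has to go through a lock (or an
/// atomic). The compiler rejects a bare `&mut u64` captured by several
/// threads, so the classic data race that ThreadSanitizer hunts in C++
/// cannot be expressed in safe Rust; the count is always exact.
pub fn parallel_count(threads: usize, increments: usize) -> u64 {
    let counter = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let counter = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..increments {
                    *counter.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *counter.lock().unwrap();
    total
}

fn main() {
    // Constructed sample buffer, not data from either post.
    let buf = [10u8, 20, 30, 40];
    println!("checked_read(2) = {:?}", checked_read(&buf, 2));
    println!("checked_read(9) = {:?}", checked_read(&buf, 9));
    println!("buf[9] panics: {}", index_panics(&buf, 9));
    println!("unchecked_read(3) = {}", unchecked_read(&buf, 3));
    println!("8 threads x 1000 increments = {}", parallel_count(8, 1000));
}
```

Note that `index_panics` is only a demonstration: in production code you would reach for `get()` and handle the `None`, not catch the panic. The point is that the out-of-range path is always a defined, detectable failure, never a read of adjacent memory.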

    Okta releases new starter plan for developers with free support for up to 15k monthly users

    Authentication and identity platform Okta is releasing a revamped developer experience that features improved documentation, new integrations and support for up to 15,000 monthly active users on a free plan. For context, Okta’s existing free plan caps monthly active users at 1,000, making this new release significantly more useful for small business applications. 

    Okta, which is holding its Oktane21 virtual developer conference this week, is pitching the new developer experience as a toolkit that makes it easier for developers to embed the company’s authentication, access management and customer identity products across software supply chains in hybrid, cloud-native, or multi-cloud environments. The Okta Starter Developer Edition includes a redesigned console that the company said delivers full application development lifecycle support, as well as new integrations with DevOps, SecOps, and API security tooling. New integrations include Heroku to automate identity across CI/CD pipelines, Kong to protect APIs, and an updated Okta Terraform provider to replicate Okta configuration across environments. “Okta’s vision is to enable everyone to safely use any technology,” said Diya Jolly, Okta’s chief product officer. “Developers are foundational to bringing that vision to life, and it’s our goal to make every piece of the development process easier with Okta. Developers can ramp up at no cost with the Starter Developer Edition, and our reimagined developer experience delivers tools that seamlessly work with developers’ toolchains across whatever hybrid, cloud, or multi-cloud environment they’re building on.” Last month, Okta announced plans to acquire customer identity and access vendor Auth0 for $6.5 billion. In addition to expanding Okta’s total addressable market with Auth0’s identity and access management portfolio, the deal gives Okta a way to reach developers and extend its platform. Auth0 has a free plan and developer versions for the B2C and B2B markets. The new Okta Starter Developer Edition and integrations are generally available starting today.

    Best bitcoin hardware wallet in 2021

    If you dabble in bitcoin or other cryptocurrencies, then you may be able to get away with storing your private keys in a software wallet. But if you are serious about crypto, are mining your own bitcoins, or have serious cash invested in crypto, then a hardware wallet is something that you need to seriously consider.

    A cutting-edge hardware wallet

    The Trezor Model T is a compact hardware wallet that not only holds your cryptocurrency private keys but can also store passwords and act as a U2F hardware token. It is easy to use thanks to its touchscreen display, and quick to set up: you can be up and running after three simple steps.

    $179 at Amazon

    Everything is protected by a PIN code

    This hardware bitcoin wallet looks like a USB flash drive. The Ledger Nano S supports more than 30 different cryptocurrencies (including Bitcoin, Ethereum, XRP, Bitcoin Cash, EOS, Stellar, Dogecoin, and many more) as well as all ERC20 tokens, and everything on the device is protected by a PIN code of up to eight digits. The PIN protects the device itself; your recovery seed still needs its own backup, because the seed, not the PIN, is what restores your keys if the Nano S is lost or broken.

    $51 at Amazon

    For those who want high security

    This is the hardware wallet for the ultra-paranoid, or for anyone who wants high security. The ColdCard Mk3 is built around security-focused hardware and open-source software, and it features a bright OLED display and a full-sized numeric keypad. You can augment the ColdCard with a range of accessories, including an adapter that powers it from a 9V PP3 battery, so it does not depend on a USB power source and is protected from attacks that rely on a compromised USB charger.

    $120 at Coinkite

    Fireproof, waterproof, shockproof, and hacker-proof

    Made from 316 marine-grade stainless steel, this cold storage cryptocurrency wallet is designed and built to be fireproof, waterproof and shockproof, and it is “hacker-proof” only in the sense that it is never connected to anything. It is the right tool for backing up your seed phrase, which lets you recover your private keys if you lose or break your electronic hardware wallet. Remember that the plate is the key material itself: anyone who physically finds it can recover your funds, so store it as carefully as you would the wallet.

    $106 at Amazon

    What is a bitcoin wallet?

    A bitcoin wallet is a device that stores and manages the private keys you hold for your cryptocurrency. They act much like how you keep money in your wallet or purse, or how your bank details are stored on your credit or debit cards.

    What are the different kinds of cryptocurrency wallets?

    There are two kinds of wallets: hardware and software. A software wallet is an app that lives on your computer or smartphone, or even on the web, while a hardware wallet is a separate physical device (much like a wallet or purse) that is connected to a PC or mobile device to carry out transactions. Software wallets range in price from free to, well, not free, so they are great for those starting out. Since hardware wallets cost money, there’s a financial investment you have to make right from the beginning.

    Why do you need a hardware wallet?

    It’s important to note that you don’t need a hardware wallet to buy, store, or send bitcoins or any other cryptocurrency. Some people hold many thousands of dollars in bitcoin or other cryptocurrencies and don’t use a hardware wallet. Where hardware wallets shine is the improved security they offer compared with an app that lives on a smartphone, computer, or in the cloud. The private keys are generated on the device and never leave it; transactions are signed inside the wallet, so malware on the host computer sees the unsigned transaction and the signature but never the key. That isolation is what a software wallet cannot offer. It is not a complete air gap, since the device is plugged into a computer to transact, and it does not protect you from approving a malicious transaction or from giving away your seed phrase, so always confirm the address and amount on the wallet’s own screen. Hardware bitcoin wallets put you in full control of your private keys.

    What are the pros and cons of hardware crypto wallets?

    Pros:
    Improved security: your private keys stay on the device, isolated from everything else.
    Better control: you hold your keys and can keep them separate from all your other devices.
    Easy transportation: bitcoin hardware wallets are small and easily transported, but they can also be stored securely in a safe or safety deposit box.
    No reliance on a third-party app or web service: apps and services come and go.

    Cons:
    Cost: hardware bitcoin wallet solutions aren’t free.
    Extra complexity: there’s always a learning curve with hardware, and some bitcoin wallets have quite advanced features that will have you reaching for the manual.
    Loss, destruction, theft: hardware can break, be lost, be stolen, become obsolete, or succumb to all sorts of mishaps.
    Another thing to take care of: if you need to make a transaction, you’ll need your wallet!

    What should you consider when buying a cryptocurrency hardware wallet?

    Yes, a hardware bitcoin wallet offers greater security, but you still need to make sure that you are buying a decent device from a reputable source, ideally the manufacturer or an authorized reseller, since a tampered device defeats the purpose. You also need to decide how much security you need. For some, the isolation of a separate wallet is enough, while others will want a device that offers higher levels of security, biometrics, or even isolation from possible sources of attack such as USB chargers. You also need a backup, just in case. Maybe this is another hardware wallet, or maybe you will go for a “cold storage” solution such as having your seed phrase printed on paper, or engraved, stamped, or etched into metal. Another consideration is price. Unless you’re planning to hold large cryptocurrency investments, it might sting a bit to spend over $100 on a wallet.

    How did we choose these cryptocurrency hardware wallets?

    There are a number of factors to consider here.
    Price: not everyone wants to spend $200 on a wallet.
    Durability: a broken hardware wallet can leave you hating life (not to mention out the cost of the hardware), so choosing something that will last is a good investment.
    Reputable manufacturer: you could be trusting thousands of dollars of cryptocurrency to a hardware wallet, so you want to know it was made by a reputable company with a track record of delivering secure and reliable products.
    Ease of use: setting up a hardware wallet can be daunting enough, and it gets harder still if the documentation is poor (or non-existent) or the device itself is quirky and unpredictable.


    SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications

    Researchers have warned that critical vulnerabilities in unpatched SAP applications are being widely exploited by cyberattackers worldwide. 

    On Tuesday, SAP and Onapsis jointly released a report on the activity, in which security flaws with CVSS severity scores of up to 10, the highest possible, are being weaponized. SAP applications are used by an estimated 400,000 organizations worldwide. While SAP is not aware of any direct customer breaches resulting from these activities, the vendor and Onapsis say that at least 1,500 SAP application-related attack attempts were tracked between June 2020 and March 2021, and at least 300 were successful. The report says that enterprise resource planning, customer relationship management, and supply chain systems, among others, are being targeted. SAP issues security fixes for its products on its monthly Patch Day, which falls on the same Tuesday as Microsoft’s and Adobe’s updates. However, the companies say that the critical issues being exploited are not being patched by customers, and in some cases vulnerable, internet-facing SAP applications carry bugs that have remained unpatched for months or even years. Six vulnerabilities in particular are noted in the report as being actively exploited:

    CVE-2020-6287, CVSS 10: Also known as RECON, this remotely exploitable bug in SAP NetWeaver/Java was caused by a missing authentication check. No privileges are required, and exploitation leads to the creation of administrator accounts and full system takeover. A patch was issued on July 14, 2020, but Onapsis says attack activity using this bug continues today.

    CVE-2020-6207, CVSS 10: Affecting SAP Solution Manager (SolMan) 7.2, this critical flaw lets attackers obtain full administrative control over the hub of an organization’s SAP landscape. Proof-of-concept (PoC) code was released after SAP issued a patch on March 10, 2020, and exploit attempts have “increased significantly” since the working PoC appeared.

    CVE-2018-2380, CVSS 6.6: This older vulnerability in SAP’s NetWeaver-based CRM can be used for privilege escalation and command execution, and from there for lateral movement through a corporate network. A patch was released on March 1, 2018.

    CVE-2016-9563, CVSS 6.4: Patched in August 2016, this vulnerability in a component of SAP NetWeaver/Java 7.5 allows remote, authenticated attacks from a low-privileged account.

    CVE-2016-3976, CVSS 7.5: Also in SAP NetWeaver/Java and patched in March 2016, this flaw lets remote attackers read arbitrary files via directory traversal sequences, leaking information and potentially enabling privilege escalation if the right resources can be reached.

    CVE-2010-5326, CVSS 10: A critical missing-authentication vulnerability in the Invoker Servlet of SAP NetWeaver Application Server Java. It allows attackers to take full control of SAP business processes. In 2016, the US Department of Homeland Security (DHS) issued an alert on active exploitation of this bug, which continues to this day.

    The report adds that the window for patching is “significantly smaller than previously thought,” with some SAP vulnerabilities weaponized less than 72 hours after public disclosure. “Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” the companies say. “These threats may also have regulatory compliance implications for organizations that have not properly secured their SAP applications processing regulated data.” CISA has also issued an alert on these activities.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Industries critical to COVID-19 response suffer surge in cloud cyberattacks

    Industries and organizations critical to the fight against COVID-19 have faced a surge in cyberattacks due to their rapid transition to cloud platforms in light of the pandemic.

    When the world first began to take notice of the global spread of COVID-19, organizations across the globe suddenly found themselves unable to maintain typical working practices. Offices were shut, stay-at-home orders imposed, and consumer demands could often only be met through deliveries, virtual services, and e-commerce platforms.  As a result, the wider enterprise and SMBs alike began making quick transitions from on-prem and legacy systems to the cloud, in order to facilitate remote working models and to pursue new business opportunities. Enterprise cloud spending is estimated to have increased by 28% in Q2 2020 alone, year-over-year. However, according to Palo Alto Networks’ latest cloud threat report, published on Tuesday, shifting workloads so quickly to the cloud has also meant that businesses are struggling, months later, to manage and automate cloud security — and have created chasms in company security that can be exploited. Industries critical to COVID-19 management have suffered a particular uptick in cloud security incidents. According to the report, retail, manufacturing, and government entities have been struck hardest with attack attempts increasing by 402%, 230%, and 205% respectively during the pandemic. Chemical manufacturing and science/research organizations, unsurprisingly, became key targets for cyberattackers due to COVID-19. Notable examples include attacks on vaccine manufacturers and the European Medicines Agency (EMA).

    Unit 42’s data and scans also identify the most common security issues present in COVID-19-related industries. “This trend is not surprising; these same industries were among those facing the greatest pressures to adapt and scale in the face of the pandemic — retailers for basic necessities, and manufacturing and government for COVID-19 supplies and aid,” Unit 42 says. “[..] Although the cloud allows businesses to quickly expand their remote work capabilities, automated security controls around DevOps and continuous integration/continuous delivery (CI/CD) pipelines often lag behind this rapid movement.” Not every industry is equal, however, and some are doing better than others at securing their cloud workloads. Access logging, access key rotation, and version control in cloud storage containers (a way to track changes, apply them, and perform maintenance across cloud systems) are some of the controls that raise cloud security. The team did find, however, that publicly exposed cloud systems, which may leak personally identifiable information (PII) belonging to clients or employees as well as sensitive corporate data, continue to be a problem. The numbers are high: an estimated 30% of organizations that use cloud hosting services are believed to be leaking some type of private content online, with access control issues blamed for the widespread exposure. Unit 42 recommends gaining visibility into cloud workloads, keeping an eye on storage configurations, and adopting and enforcing security standards in DevOps, all of which mitigate the threat of attack or accidental data leaks.

    Meet Janeleiro: a new banking Trojan striking company, government targets

    A banking Trojan striking corporate targets across Brazil has been unmasked by researchers. 

    On Tuesday, ESET published an advisory on the malware, which has been in development since 2018. Dubbed Janeleiro, the Trojan appears focused on Brazil as a hunting ground and has been used in cyberattacks against corporate players in sectors including healthcare, engineering, retail, finance, and manufacturing. Operators have also attempted to use the malware when infiltrating government systems. According to the researchers, the Trojan resembles others currently operating across the country, such as Casbaneiro, Grandoreiro, and Mekotio, but is the first detected that is written in .NET rather than the usually favored Delphi. Phishing emails, sent in small batches to corporate targets, pose as notices about unpaid invoices. They contain links to compromised servers and to a .zip archive hosted in the cloud; the archive holds a Windows MSI installer that loads the main Trojan DLL. “In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times,” ESET says. “This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct.” The Trojan first checks the geolocation of the target system’s IP address and exits if the country code is anything other than Brazil. If the check passes, it collects a variety of operating system data and fetches the address of its command-and-control (C2) server from a dedicated GitHub page.

    Janeleiro creates fake pop-up windows “on demand,” for example when banking-related keywords are detected on a compromised machine. The pop-ups are designed to look like they come from some of the largest banks in Brazil and ask victims to enter sensitive banking details. The malware’s command list includes options for controlling windows, killing existing browser sessions such as those in Google Chrome, capturing the screen, keylogging, and hijacking clipboard data, among other functions. The operator appears to prefer a hands-on approach and may control the windows remotely, in real time. Most malware operators at least make a token attempt to conceal their activities; here, code obfuscation is light, there is no attempt to evade security software, and no custom encryption is used. The operator hosts files containing C2 server lists in GitHub repositories to manage Trojan infections, updating them daily. As of March, four variants of Janeleiro had been detected in the wild, although two share the same internal version number. Some samples have been bundled with a password stealer, which suggests “the group behind Janeleiro has other tools in their arsenal,” according to the team. ESET says GitHub has been made aware of the threat actor’s account and abuse of the platform; the page has been disabled and the owner suspended. “GitHub values the contributions of our security research community and is committed to investigating reported security issues,” a GitHub spokesperson told ZDNet. “We disabled the page in accordance with our Acceptable Use Policies, following the report that it was using our platform maliciously.”

    FBI, CISA warn Fortinet FortiOS vulnerabilities are being actively exploited

    US agencies have warned that advanced persistent threat (APT) groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

    Last week, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning that attackers are actively scanning for systems that have not been patched against three severe vulnerabilities. FortiOS, the operating system underpinning the Fortinet Security Fabric, is designed to improve enterprise security across endpoints, cloud deployments, and centralized networks. The agencies say that CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 are being exploited. All three are known and patched by the vendor, but until administrators apply the fixes, FortiOS builds remain open to compromise.

    CVE-2018-13379, CVSS 9.8: This path traversal vulnerability in the FortiOS SSL VPN web portal lets unauthenticated attackers download system files through crafted HTTP requests. FortiOS 5.4.6 to 5.4.12, 5.6.3 to 5.6.7, and 6.0.0 to 6.0.4 are affected.

    CVE-2020-12812, CVSS 9.8: This improper authentication issue, also in the FortiOS SSL VPN, lets a user log in without being prompted for the second authentication factor simply by changing the case of their username. FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below contain the bug.

    CVE-2019-5591, CVSS 7.5: A default configuration problem in FortiOS 6.2.0 and below that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating an LDAP server.

    According to the advisory, the APT groups are scanning with a particular focus on exposed, vulnerable systems belonging to government, technology, and commercial services. “The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the agencies say. “APT actors may use other CVEs or common exploitation techniques — such as spear phishing — to gain access to critical infrastructure networks to pre-position for follow-on attacks.” CVE-2018-13379 was patched in May 2019, followed by CVE-2019-5591 in July of the same year; a patch for CVE-2020-12812 was issued in July 2020. “The security of our customers is our first priority,” Fortinet said in a statement. “[…] If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”
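The affected-version lists above are exactly the kind of data that gets checked by eye and then checked wrong, because FortiOS build numbers must be compared as integers field by field: as strings, "6.0.10" sorts before "6.0.4" and a vulnerable 6.0.3 box can slip past a naive filter. The Rust program below is an added example written for this page, not code from Fortinet, the FBI or CISA; it encodes the three CVEs’ ranges as listed in the alert, assumes version strings of the form major.minor.patch, and reads “6.0.9 and below” and “6.2.0 and below” literally as every build up to and including that number (an assumption, stated in the code). A build that falls outside all three ranges is not proof of safety: Fortinet’s statement also calls for the accompanying mitigations, and the host name inventory in `main` is constructed, not real.

```rust
/// A FortiOS build number such as "6.0.4", compared field by field as
/// integers. Tuples order lexicographically on their elements, so
/// (6, 0, 10) > (6, 0, 4) as it should; a plain string comparison would
/// wrongly put "6.0.10" before "6.0.4" and misclassify builds.
pub type Version = (u32, u32, u32);

/// Parses "major.minor.patch"; returns None for anything else
/// (extra fields, missing fields, non-numeric text).
pub fn parse_version(s: &str) -> Option<Version> {
    let mut fields = s.trim().split('.').map(|f| f.parse::<u32>().ok());
    let v = (fields.next()??, fields.next()??, fields.next()??);
    if fields.next().is_some() {
        return None;
    }
    Some(v)
}

/// One inclusive range of affected builds from the joint FBI/CISA alert.
/// `lo: None` encodes "and below", read here (assumption) as every build
/// up to and including `hi`.
pub struct Affected {
    pub cve: &'static str,
    pub lo: Option<Version>,
    pub hi: Version,
}

pub const ADVISORY: &[Affected] = &[
    // CVE-2018-13379: SSL VPN path traversal
    Affected { cve: "CVE-2018-13379", lo: Some((5, 4, 6)), hi: (5, 4, 12) },
    Affected { cve: "CVE-2018-13379", lo: Some((5, 6, 3)), hi: (5, 6, 7) },
    Affected { cve: "CVE-2018-13379", lo: Some((6, 0, 0)), hi: (6, 0, 4) },
    // CVE-2020-12812: SSL VPN second-factor bypass via username case change
    Affected { cve: "CVE-2020-12812", lo: Some((6, 4, 0)), hi: (6, 4, 0) },
    Affected { cve: "CVE-2020-12812", lo: Some((6, 2, 0)), hi: (6, 2, 3) },
    Affected { cve: "CVE-2020-12812", lo: None, hi: (6, 0, 9) },
    // CVE-2019-5591: default configuration allows LDAP server impersonation
    Affected { cve: "CVE-2019-5591", lo: None, hi: (6, 2, 0) },
];

/// CVEs whose affected range contains `version`, in advisory order.
/// None means the version string could not be parsed (treat as unknown,
/// not as safe); an empty Vec means the build is outside all three ranges.
pub fn affected_cves(version: &str) -> Option<Vec<&'static str>> {
    let v = parse_version(version)?;
    let mut hits: Vec<&'static str> = ADVISORY
        .iter()
        .filter(|a| a.lo.map_or(true, |lo| v >= lo) && v <= a.hi)
        .map(|a| a.cve)
        .collect();
    hits.dedup(); // ranges for one CVE are adjacent, so this merges them
    Some(hits)
}

fn main() {
    // Constructed inventory of builds for illustration, not real hosts.
    let inventory = [
        ("vpn-edge-1", "6.0.4"),
        ("vpn-edge-2", "6.0.10"),
        ("vpn-lab", "6.4.0"),
        ("vpn-bad-record", "6.0"),
    ];
    for &(host, build) in inventory.iter() {
        match affected_cves(build) {
            None => println!("{}: cannot parse build {:?}, check manually", host, build),
            Some(h) if h.is_empty() => println!("{} ({}): outside listed ranges", host, build),
            Some(h) => println!("{} ({}): {}", host, build, h.join(", ")),
        }
    }
}
```

An unparsable record is reported as unknown rather than silently skipped, because an inventory field that says "6.0" or "n/a" is more likely a stale asset entry than a patched firewall.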

    Third-party security breach compromises data of Singapore job-matching service

    Personal details of 30,000 individuals in Singapore may have been illegally accessed following a security breach at a third-party vendor of the job-matching organisation Employment and Employability Institute (e2i). E2i was notified of the incident on March 12, about three weeks before it disclosed the breach. It added that the relevant authorities had been notified, including the police, the Personal Data Protection Commission (PDPC), and the Cyber Security Agency’s Singapore Computer Emergency Response Team. E2i’s platform brings together employers and workers, offering services that include job-matching, skills training, and career guidance. The institute is an initiative of the National Trades Union Congress (NTUC), the country’s only trade union confederation, which comprises, amongst others, 59 unions and five associations. NTUC’s core committee includes Members of Parliament Koh Poh Koon and Heng Chee How.

    Users affected by the breach had participated in events organised by e2i or used its services between November 2018 and 12 March 2021, including job fairs, employability workshops or career coaching. Their personal data were shared with appointed vendors for “relevant employability services purposes”, the institute said. E2i did not elaborate on why it took more than three weeks to announce the breach, but said in its statement on Monday that it had “taken time” to make an impact assessment given the “complexity” of the investigation. It noted that malware had infected the email account of an employee at the third-party vendor, i-vic International, leading to unauthorised access to the mailbox, which held personal data of the 30,000 affected individuals. These details included names, identification numbers, contact information, educational qualifications, and employment history. Affected individuals would be notified via email, SMS, or phone, it added. E2i said it had worked with i-vic to determine the extent and nature of the breach and deployed “mitigation measures” to harden the vendor’s email and network systems. E2i added that “constant checks” would be carried out on both its own systems and the third-party vendor’s to identify any further potential vulnerabilities.

    “Although the malware did not target at e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us,” the institute’s CEO Gilbert Tan said in the statement. It added that it would review the “cybersecurity standards of our vendors” to prevent further breaches. The incident is one of several third-party breaches to have hit local organisations this year, alongside those that compromised personal data of 580,000 Singapore Airlines frequent flyer members and 129,000 Singtel customers.