More stories


    Google reveals sophisticated Windows and Android hacking operation

    Image: Google Project Zero
    Google published a six-part report today detailing a sophisticated hacking operation that the company detected in early 2020 and which targeted owners of both Android and Windows devices.

    The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks, Google said.
    “One server targeted Windows users, the other targeted Android,” Project Zero, one of Google’s security teams, said in the first of six blog posts.
    Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user’s browser, attackers deployed an OS-level exploit to gain more control of the victim’s device.
    The exploit chains included a combination of both zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to the software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.
    All in all, Google said the exploit servers contained:
    Four “renderer” bugs in Google Chrome, one of which was still a 0-day at the time of its discovery.
    Two sandbox escape exploits abusing three 0-day vulnerabilities in the Windows OS.
    And a “privilege escalation kit” composed of publicly known n-day exploits for older versions of the Android OS.

    The four zero-days, all of which were patched in the spring of 2020, were as follows:
    Google said that while it did not find any evidence of Android zero-day exploits hosted on the exploit servers, its security researchers believe that the threat actor most likely had access to Android zero-days as well, but was probably not hosting them on the servers at the time Google’s researchers discovered them.
    Google: Exploit chains were complex and well-engineered
    Overall, Google described the exploit chains as “designed for efficiency & flexibility through their modularity.”
    “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” Google said.
    “We believe that teams of experts have designed and developed these exploit chains,” but Google stopped short of providing any other details about the attackers or the type of victims they targeted.

    (I mean, TBH you can probably make a pretty intelligent guess about who would do that. You can probably count the number of actors in the world who would go to the trouble of using all those aspects of professionalism on one hand. With fingers left over.)
    — Brian in Pittsburgh (@arekfurt) January 12, 2021

    Together with its introductory blog post, Google has also published reports detailing a Chrome “infinity bug” used in the attacks, the Chrome exploit chains, the Android exploit chains, post-exploitation steps on Android devices, and the Windows exploit chains.
    The provided details should allow other security vendors to identify attacks on their customers and track down victims and other similar attacks carried out by the same threat actor.
    Article title updated shortly after publication, changing the term “massive” to “sophisticated” as there is no information on the scale of this operation to support the initial wording.


    Microsoft fixes Defender zero-day in January 2021 Patch Tuesday

    Earlier today, Microsoft started rolling out its monthly set of security patches, known in the industry as Patch Tuesday.
    In this month’s updates, the Redmond-based company has patched a total of 83 vulnerabilities across a wide range of products, including its Windows operating system, cloud-based products, developer tools, and enterprise servers.
    Microsoft Defender zero-day
    But of all the bugs patched today, the most important one is a zero-day vulnerability in the Microsoft Defender antivirus, which Microsoft said was exploited before today’s patches were released.
    Tracked as CVE-2021-1647, the vulnerability was described as a remote code execution (RCE) bug that allowed threat actors to execute code on vulnerable devices by tricking a user into opening a malicious document on a system where Defender is installed.
    Microsoft said that despite exploitation being detected in the wild, the technique is not functional in all situations, and is still considered to be at a proof-of-concept level. However, the code could evolve for more reliable attacks.
    To counteract future attacks, Microsoft has released patches for the Microsoft Malware Protection Engine, which won’t require any user interaction and will be installed automatically — unless specifically blocked by system administrators.
    Microsoft also fixes publicly disclosed Windows EoP bug
    In addition to the Defender zero-day, Microsoft has also fixed a security flaw in the Windows splwow64 service that could be abused to elevate the privileges of an attacker’s code.

    Details about this bug, tracked as CVE-2021-1648, were made public last month, on December 15, by Trend Micro’s Zero-Day Initiative project.
    However, despite the details being publicly available, this bug wasn’t exploited in the wild, Microsoft said.
    Nonetheless, system administrators are advised to review and apply today’s patches now and avoid future headaches in case any of these vulnerabilities get weaponized and added to attackers’ arsenals.
    Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
    Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
    ZDNet has published this file listing all this month’s security advisories on one single page.
    Adobe’s security updates are detailed here.
    SAP security updates are available here.
    Intel security updates are available here.
    VMWare security updates are available here.
    Chrome 87 security updates are detailed here.
    Android security updates are available here.
    Tag | CVE ID | CVE Title
    .NET Repository | CVE-2021-1725 | Bot Framework SDK Information Disclosure Vulnerability
    ASP.NET core & .NET core | CVE-2021-1723 | ASP.NET Core and Visual Studio Denial of Service Vulnerability
    Azure Active Directory Pod Identity | CVE-2021-1677 | Azure Active Directory Pod Identity Spoofing Vulnerability
    Microsoft Bluetooth Driver | CVE-2021-1683 | Windows Bluetooth Security Feature Bypass Vulnerability
    Microsoft Bluetooth Driver | CVE-2021-1638 | Windows Bluetooth Security Feature Bypass Vulnerability
    Microsoft Bluetooth Driver | CVE-2021-1684 | Windows Bluetooth Security Feature Bypass Vulnerability
    Microsoft DTV-DVD Video Decoder | CVE-2021-1668 | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability
    Microsoft Edge (HTML-based) | CVE-2021-1705 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability
    Microsoft Graphics Component | CVE-2021-1709 | Windows Win32k Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2021-1696 | Windows Graphics Component Information Disclosure Vulnerability
    Microsoft Graphics Component | CVE-2021-1665 | GDI+ Remote Code Execution Vulnerability
    Microsoft Graphics Component | CVE-2021-1708 | Windows GDI+ Information Disclosure Vulnerability
    Microsoft Malware Protection Engine | CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability
    Microsoft Office | CVE-2021-1713 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2021-1711 | Microsoft Office Remote Code Execution Vulnerability
    Microsoft Office | CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability
    Microsoft Office | CVE-2021-1716 | Microsoft Word Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2021-1712 | Microsoft SharePoint Elevation of Privilege Vulnerability
    Microsoft Office SharePoint | CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2021-1718 | Microsoft SharePoint Server Tampering Vulnerability
    Microsoft Office SharePoint | CVE-2021-1717 | Microsoft SharePoint Spoofing Vulnerability
    Microsoft Office SharePoint | CVE-2021-1719 | Microsoft SharePoint Elevation of Privilege Vulnerability
    Microsoft Office SharePoint | CVE-2021-1641 | Microsoft SharePoint Spoofing Vulnerability
    Microsoft RPC | CVE-2021-1702 | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2021-1649 | Active Template Library Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2021-1676 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability
    Microsoft Windows | CVE-2021-1689 | Windows Multipoint Management Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2021-1657 | Windows Fax Compose Form Remote Code Execution Vulnerability
    Microsoft Windows | CVE-2021-1646 | Windows WLAN Service Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2021-1650 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2021-1706 | Windows LUAFV Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2021-1699 | Windows (modem.sys) Information Disclosure Vulnerability
    Microsoft Windows Codecs Library | CVE-2021-1644 | HEVC Video Extensions Remote Code Execution Vulnerability
    Microsoft Windows Codecs Library | CVE-2021-1643 | HEVC Video Extensions Remote Code Execution Vulnerability
    Microsoft Windows DNS | CVE-2021-1637 | Windows DNS Query Information Disclosure Vulnerability
    SQL Server | CVE-2021-1636 | Microsoft SQL Elevation of Privilege Vulnerability
    Visual Studio | CVE-2020-26870 | Visual Studio Remote Code Execution Vulnerability
    Windows AppX Deployment Extensions | CVE-2021-1642 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
    Windows AppX Deployment Extensions | CVE-2021-1685 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
    Windows CryptoAPI | CVE-2021-1679 | Windows CryptoAPI Denial of Service Vulnerability
    Windows CSC Service | CVE-2021-1652 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows CSC Service | CVE-2021-1654 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows CSC Service | CVE-2021-1659 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows CSC Service | CVE-2021-1653 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows CSC Service | CVE-2021-1655 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows CSC Service | CVE-2021-1693 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows CSC Service | CVE-2021-1688 | Windows CSC Service Elevation of Privilege Vulnerability
    Windows Diagnostic Hub | CVE-2021-1680 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
    Windows Diagnostic Hub | CVE-2021-1651 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
    Windows DP API | CVE-2021-1645 | Windows Docker Information Disclosure Vulnerability
    Windows Event Logging Service | CVE-2021-1703 | Windows Event Logging Service Elevation of Privilege Vulnerability
    Windows Event Tracing | CVE-2021-1662 | Windows Event Tracing Elevation of Privilege Vulnerability
    Windows Hyper-V | CVE-2021-1691 | Hyper-V Denial of Service Vulnerability
    Windows Hyper-V | CVE-2021-1704 | Windows Hyper-V Elevation of Privilege Vulnerability
    Windows Hyper-V | CVE-2021-1692 | Hyper-V Denial of Service Vulnerability
    Windows Installer | CVE-2021-1661 | Windows Installer Elevation of Privilege Vulnerability
    Windows Installer | CVE-2021-1697 | Windows InstallService Elevation of Privilege Vulnerability
    Windows Kernel | CVE-2021-1682 | Windows Kernel Elevation of Privilege Vulnerability
    Windows Media | CVE-2021-1710 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability
    Windows NTLM | CVE-2021-1678 | NTLM Security Feature Bypass Vulnerability
    Windows Print Spooler Components | CVE-2021-1695 | Windows Print Spooler Elevation of Privilege Vulnerability
    Windows Projected File System Filter Driver | CVE-2021-1663 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
    Windows Projected File System Filter Driver | CVE-2021-1672 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
    Windows Projected File System Filter Driver | CVE-2021-1670 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
    Windows Remote Desktop | CVE-2021-1674 | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
    Windows Remote Desktop | CVE-2021-1669 | Windows Remote Desktop Security Feature Bypass Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1701 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1700 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1666 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1664 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1671 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1673 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1658 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1667 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows Remote Procedure Call Runtime | CVE-2021-1660 | Remote Procedure Call Runtime Remote Code Execution Vulnerability
    Windows splwow64 | CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability
    Windows TPM Device Driver | CVE-2021-1656 | TPM Device Driver Information Disclosure Vulnerability
    Windows Update Stack | CVE-2021-1694 | Windows Update Stack Elevation of Privilege Vulnerability
    Windows WalletService | CVE-2021-1686 | Windows WalletService Elevation of Privilege Vulnerability
    Windows WalletService | CVE-2021-1681 | Windows WalletService Elevation of Privilege Vulnerability
    Windows WalletService | CVE-2021-1690 | Windows WalletService Elevation of Privilege Vulnerability
    Windows WalletService | CVE-2021-1687 | Windows WalletService Elevation of Privilege Vulnerability


    Mimecast says hackers abused one of its certificates to access Microsoft accounts

    Image: Mimecast, Romain Morel
    Mimecast, a company that makes cloud email management software, disclosed a security incident today, alerting customers that “a sophisticated threat actor” has obtained one of its digital certificates and abused it to gain access to some of its clients’ Microsoft 365 accounts.

    The London-based email software company said the certificate in question was used by several of its products to connect to Microsoft infrastructure.
    The products that used this certificate include Mimecast Sync and Recover, Continuity Monitor, and IEP products, the company said in a message posted on its website earlier today.
    Mimecast said that around 10% of all its customers used the affected products with this particular certificate; however, the “sophisticated threat actor” abused the stolen certificate to gain access to only a handful of these customers’ Microsoft 365 accounts.
    The email software provider put this number at under 10, describing it as a “low single digit number,” and said that it already contacted all the affected customers.
    To prevent future abuse, the company is now asking all other customers to “immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate [they]’ve made available.”
    Mimecast said it’s now working with a third-party forensics expert, Microsoft, and law enforcement to investigate how the certificate was compromised and its aftermath.

    The London-based company said it learned of the incident from Microsoft after the tech giant detected unauthorized access to some accounts.
    A Mimecast spokesperson would not comment on whether the security incident was in any way related to the recent SolarWinds supply chain attack.


    macOS malware used run-only AppleScripts to avoid detection for five years

    Image: Bundo Kim
    For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

    Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week.
    “OSAMiner has been active for a long time and has evolved in recent months,” a SentinelOne spokesperson told ZDNet in an email interview on Monday.
    “From what data we have it appears to be mostly targeted at Chinese/Asia-Pacific communities,” the spokesperson added.
    Nested run-only AppleScripts, for the win!
    But the cryptominer did not go entirely unnoticed. SentinelOne said that two Chinese security firms spotted and analyzed older versions of OSAMiner in August and September 2018, respectively.
    But their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday.
    The primary reason was that security researchers were unable to retrieve the malware’s entire code at the time: OSAMiner used nested run-only AppleScript files to fetch its malicious code in several stages.

    As users installed the pirated software, the booby-trapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, which in turn would fetch a third and final run-only AppleScript.
    Since run-only AppleScripts are distributed in compiled form, with no human-readable source code, each stage was harder for security researchers to analyze.
    Yesterday, Stokes published the full chain of this attack, along with indicators of compromise (IOCs) for past and newer OSAMiner campaigns. Stokes and the SentinelOne team hope that by finally cracking the mystery surrounding this campaign and publishing IOCs, other macOS security software providers will now be able to detect OSAMiner attacks and help protect macOS users.
    “Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis,” Stokes concluded in his report yesterday.
    “In this case, we have not seen the actor use any of the more powerful features of AppleScript that we’ve discussed elsewhere [1, 2], but that is an attack vector that remains wide open and which many defensive tools are not equipped to handle.”
    The IOCs are available in the SentinelOne OSAMiner report, here.


    Microsoft Defender for Linux now has endpoint detection and response security

    After months in the making, Microsoft Defender for Endpoint on Linux servers now has endpoint detection and response (EDR) abilities. I know. It’s still startling, but Microsoft now produces Linux security programs. Will miracles never cease?

    Now, this is not Microsoft Defender for the Linux desktop. Some miracles haven’t happened yet. In this version of Defender, its No. 1 job is to protect Linux servers from server and network threats. If you want protection for your standalone Linux desktop, use such programs as ClamAV or Sophos Antivirus for Linux. With the new EDR features, you can also use it to protect PCs running macOS, Windows 8.1, and Windows 10. 
    With these new EDR capabilities, Linux Defender users can detect advanced attacks that span Linux servers, Macs and Windows desktops, investigate them with rich tooling, and quickly remediate threats. This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.
    Specifically, it includes:
    Rich investigation experience, including machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
    Optimized performance, with enhanced CPU utilization during compilation procedures and large software deployments.
    In-context AV detections: just as on Windows, you’ll get insight into where a threat came from and how the malicious process or activity was created.
    It also comes with custom detections on top of its other threat-hunting capabilities.
    To run the updated program, you’ll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian 9 or newer; or Oracle Linux 7.2 or higher.
    To run Microsoft Defender for Endpoint on Linux, you’ll need a Servers license. If you’re already testing the public preview, update the agent to a released version 101.18.53 or higher. If you are already running it in production, your devices will seamlessly receive the new EDR capability as soon as you update the agent to version 101.18.53 or higher.
    Microsoft thinks well of this latest program. “The release is an amazing milestone providing us a 360 view on all our platforms for our threat hunting strategy,” said Guy Fridman, Microsoft head of Security Operation and Response. If you want to see whether it’s right for you, you can sign up for a free trial of Microsoft Defender for Endpoint on Linux today.


    Cybersecurity teams are struggling with burnout, but the attacks keep coming

    Cybersecurity teams are facing new challenges to how they work, as the Covid-19 pandemic has forced many security operations centres (SOCs) to work remotely while also having to deal with new threats – all of which is leading to higher workloads and an increase in burnout for staff.
    Research by the Ponemon Institute and Respond Software surveyed information security staff and found that the coronavirus pandemic is increasing the hours and workloads of staff in a profession that was often already a high-intensity environment to work in.
    The events of 2020 saw many office-based teams shift to working remotely and that was the same for a significant number of cybersecurity personnel. More than one third of SOC environments shifted to working remotely as a result of the pandemic and while this has understandably happened to protect people from the virus, over half of those now working remotely say it’s had an impact on operations.
    That comes at a time when security teams are already dealing with a range of threats, including phishing, malware and ransomware – and defending against them has become even more challenging as businesses have adapted to entire workforces working from home.
    The switch to working remotely has provided cyber criminals and malicious hackers with additional avenues to potentially enter corporate networks as employees connect to work systems from their home internet connections and even their personal computers.
    This has created additional challenges to securing endpoints when it was already challenging within a corporate environment – while security teams are also trying to balance work with the additional pressures of working from home.

    “Working remotely is subject to distractions that you would not typically have in a physical SOC, such as family, friends, pets, roommates or even not having a good home setup such as working from the couch versus your typical desk,” Chris Triolo, vice president of Respond Software told ZDNet.
    “This can make it hard for the analyst to stay productive and focus on defending against bad actors as they should, creating additional stress for the SOC analyst.”
    According to the survey, the additional pressure of working in cybersecurity while also working from home has lowered morale of SOC staff, with three quarters stating that they’ve experienced burnout as a result.
    Such is the extent of burnout that some security analysts are leaving their roles while organisations are attempting to attract – and retain – employees by offering higher salaries than ever before. According to the research paper, the average salary of a security analyst stands at $111,000, up from $102,000 a year ago.
    “The SOC operates best when it is in-person and most industry professionals would likely agree with that sentiment. However, it is safe to say that some organizations may prefer to keep the SOC remote due to various factors including lowering rent costs of office space,” said Triolo.
    Whatever happens, organisations need to learn how to manage cybersecurity when staff can’t work from the office – and be more prepared if another event forces a similar pattern of remote working in future.
    “Regardless of if the SOC goes back to becoming an in-person entity or not, organizations have now learned that disaster and emergency plans need to go beyond just a physical disaster like a fire or a flood. We need to start thinking about situations like a pandemic where security analysts may be physically displaced and unable to safely be in the same room together at work,” Triolo said.


    Why all of Trump's tweets and other social media posts must be archived for future historians

    Back in 2017, just barely a week after Donald Trump took office as the 45th President of the United States, I recommended the following to the nascent Trump Administration:

    I strongly recommend supporting President Trump’s use of Twitter. We’ve never had the opportunity for a president to speak, unfiltered, to the American people at will, and this could be an amazing experiment in democracy (and a source of never-ending good material for us pundits).

    We had no idea.
    From March 18, 2009, the day Donald Trump started tweeting (and long before he was president), until January 8, 2021, the day President Trump’s account was suspended by Twitter, he tweeted 59,553 times. Wikipedia reports that he posted more than 34,000 tweets since he declared his candidacy in June of 2015.
    If you divide the 34,000 tweet number by the 66 months since June 2015, we find he fired off an average of 515 tweets per month, or about 17 tweets each day.
    The man has had a lot to say and, according to Twitter, not all of it good.
    Twitter ban
    As stated previously, Twitter cut off President Trump last week. The company listed five primary factors that led to the account suspension, which you can read in our article on the ban. Citing perceived violations of the company’s Glorification of Violence policy in light of the Capitol Building attacks, the company pulled the plug on one of its greatest draws and most controversial users.

    This was a huge blow to Trump’s ability to reach out directly to his base. He had roughly 88 million followers on Twitter. Think about that for a second. What other leader in human history has been able to dash off a stream-of-consciousness opinion or comment and have it instantly reach 88 million people at no cost and with no gatekeepers?
    Twitter wasn’t alone in its attempt to muzzle the president. Facebook, Instagram, Snapchat, and Twitch all took action against President Trump’s social media accounts. But, without a doubt, it’s Twitter that provided the mind meld between the president’s psyche and the public.
    The importance of presidential records
    As a citizen and politics nerd, I’ve been watching all the events of this election season with a mix of horror and fascination. But as a presidential scholar, I’ve had a deeper concern: what happens to the president’s tweets if his account is disabled?
    I’ve done a lot of thinking and writing about presidential records for many years now, ever since I wrote the book Where Have All The Emails Gone?, which took a forensic look at the issue of presidential records and digital communication through the lens of the George W. Bush administration’s missing email scandal. 
    I also did a deep dive into Hillary Clinton’s email server scandal in a series of articles for ZDNet. It has always been my belief that it is necessary to take an analytical, evidence-based, non-partisan approach when it comes to the preservation of presidential records.
    It is important to think of this as a historical issue and not a political one. Electronic records are still rather new to our history as a nation, couldn’t even have been conceived of by our founders, and aren’t represented fully in many of our older but still-active laws. But now that digital messages are so relevant to our lives, and have become the chief way we communicate, we need to make sure we don’t delete them, allow them to conveniently slip through loopholes, or let them be consumed by bit rot.
    The proper preservation and curation of presidential records is of critical concern to historians and those who will want to look back at the second half of the 21st century’s first decade. President Trump’s tweets are a modern-day equivalent of the Jefferson/Adams letters. While those letters were mostly written after both presidents’ terms of office, the cache of historical documents provided invaluable insight into the beliefs, concerns, prejudices, decision-making methodology, and personalities of two of America’s founders.
    President Trump’s tweets
    President Trump’s tweets may provide historians with an even deeper insight. These were the in-the-moment representations of the 45th president’s internal thoughts. As time goes on, the heat of the moment will dissipate, but historians will still want to understand motivations and character. Those tweets will, at least in part, provide those insights.
    Fortunately, it appears those tweets will be preserved. The National Archives, on Sunday January 10, disclosed (through a tweet, naturally) that they will archive President Trump’s social media content. This makes sense, because the NARA (National Archives and Records Administration) is tasked with curating presidential records.

    The gotcha, of course, is whether tweets constitute presidential records. According to Press Secretary Sean Spicer back at the beginning of Trump’s term, tweets did constitute presidential records.
    Back in 2017, Spicer didn’t specify whether @realDonaldTrump, in addition to @POTUS, was considered official records. But now, in 2021, NARA has explicitly included @realDonaldTrump in the accounts it’s planning to archive.
    The second issue is the nature of official presidential records. Let’s say the president makes a list of McDonald’s treats he wants for lunch, and writes that list on a note which is handed to an aide. That paper note, if it contains no other information, is not considered a presidential record and need not be archived. On the other hand, if he makes a similar note about senators he wants to call about a piece of legislation, that piece of paper is considered a presidential record and must be presented to the Archives.
    My question (and I sent a request into NARA, but haven’t heard back) is whether all of Trump’s tweets will be archived, or only those that fit the somewhat narrow definition of Presidential Records Act records.
    To that end, I’m openly reaching out to David S. Ferriero, Tenth Archivist of the United States, with my strong recommendation that all tweets, Facebook posts, and other social media posts by Donald Trump be archived in perpetuity for the benefit of future historians and researchers.
    Stay tuned. I’ll update this article if I get an official answer from Ferriero or a NARA spokesperson.

    This Android malware claims to give hackers full control of your smartphone

    A new combination of two older types of malware, which provides hackers with access to almost everything a user does on an Android smartphone, is up for sale on underground forums for as little as $29.99 – providing even low-level cyber criminals with the ability to steal sensitive personal data.
    The ‘Rogue’ remote administration tool (RAT) infects victims with a keylogger, allowing attackers to easily monitor the use of websites and apps in order to steal usernames and passwords, as well as financial data. The low cost of the malware reflects the increasing sophistication of the criminal ecosystem that is making it possible for wannabe crooks with limited technical skills to acquire the tools to stage attacks.

    The malware threatens full-scale espionage on the device by monitoring the GPS location of the target, taking screenshots, using the camera to take pictures, secretly recording audio from calls and more. It does all this while staying completely hidden from victims – and all attackers need is their own smartphone in order to issue commands.
    Rogue has been detailed by cybersecurity researchers at Check Point, who say it isn’t a fully new form of malware, but rather a combination of two previous families of Android RATs – Cosmos and Hawkshaw – and demonstrates the evolution of malware development on the dark web.
    There’s no single way in which Rogue gets onto a device: the operator chooses the infection method, whether phishing, a malicious app or some other vector.
    Once downloaded onto a smartphone, Rogue asks for the permissions it needs for the attacker to remotely access the device, although the app naturally doesn’t say that this is why they’re needed. If the permissions are not granted, it repeatedly prompts the user until they are.

    Once the permissions have been granted, Rogue registers itself as a device administrator and hides its icon from the home screen. If the user tries to revoke its device administrator rights, a message asks “Are you sure to wipe all the data?”, a bluff that could scare many people off attempting to remove the app, for fear of wiping their entire device.
    The malware avoids being flagged as malicious by abusing Google’s Firebase platform, a legitimate backend service used by countless apps, so that it looks like a legitimate app on the device and can remain embedded and active.
    Once successfully embedded on a device, the malware installs its own notification listener service, which lets the operator read every notification and pop-up the victim receives and so gauge what data is available on the device.
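    The behaviours described in the last few paragraphs (device administrator registration, a notification listener, and reliance on Firebase messaging, on top of surveillance permissions) all leave traces in an APK's manifest, so an analyst can triage a suspicious app before running it. The script below is an added example written for this page, not Check Point's code or anything taken from the Rogue sample. It assumes the manifest has already been decoded to plain XML (for instance with apktool); both manifests embedded in it are constructed for illustration, and the indicator weights and verdict thresholds are arbitrary assumptions rather than a published scoring scheme.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination the
article attributes to Rogue: a device-admin receiver, a notification listener,
Firebase messaging and surveillance permissions.

Example code added for this page, not Check Point's or the malware's code.
Assumes the manifest is already decoded to plain XML (e.g. with apktool).
Indicator weights and thresholds are arbitrary assumptions for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Permissions that together give the "GPS, camera, call audio, messages"
# capability set described in the article.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}

# Assumed weights: device admin and a notification listener are rare in benign
# apps and score high; Firebase messaging alone is common and scores low.
WEIGHTS = {"device_admin": 3, "notification_listener": 3,
           "firebase_messaging": 1, "surveillance_permissions": 1}


def _a(attr):
    """Fully qualified name of an android: attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def _actions(component):
    """All intent-filter action names declared on a component element."""
    return {act.get(_a("name")) for f in component.findall("intent-filter")
            for act in f.findall("action")}


def triage_manifest(xml_text):
    """Return the indicators found in the manifest plus an assumed risk score."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:  # a manifest with no <application> declares no components
        app = ET.Element("application")
    perms = {p.get(_a("name")) for p in root.findall("uses-permission")}

    report = {
        # A receiver bound with BIND_DEVICE_ADMIN (or handling DEVICE_ADMIN_ENABLED)
        # is what lets the app register itself as a device administrator.
        "device_admin": sorted(r.get(_a("name")) for r in app.findall("receiver")
                               if r.get(_a("permission")) == DEVICE_ADMIN_PERM
                               or DEVICE_ADMIN_ACTION in _actions(r)),
        # A NotificationListenerService sees every notification the user receives.
        "notification_listener": sorted(s.get(_a("name")) for s in app.findall("service")
                                        if s.get(_a("permission")) == NOTIF_LISTENER_PERM),
        # A service receiving MESSAGING_EVENT is wired to Firebase Cloud Messaging.
        "firebase_messaging": sorted(s.get(_a("name")) for s in app.findall("service")
                                     if FCM_ACTION in _actions(s)),
        "surveillance_permissions": sorted(perms & SURVEILLANCE_PERMS),
    }
    report["score"] = sum(WEIGHTS[k] * len(v) for k, v in report.items() if k in WEIGHTS)
    report["verdict"] = ("high" if report["score"] >= 6
                         else "medium" if report["score"] >= 3 else "low")
    return report


# Constructed sample modelled on the behaviour described above; not a real Rogue manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: an ordinary app that only uses Firebase push.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News">
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

    Firebase messaging on its own is deliberately weighted low because legitimate apps use it for push notifications all the time; it is the combination with a device-admin receiver and a notification listener that makes the profile match the article's description. Hiding the launcher icon leaves no manifest trace, since it is done at runtime, so that indicator has to come from dynamic analysis instead.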
    One of the best ways for users to avoid falling victim to mobile malware is to install security updates promptly, which stops criminals exploiting known vulnerabilities to deliver malware. Users should also be wary of apps that ask for an excessive number of permissions, and should ideally only install apps from trusted developers via the official app store.