More stories

  • State Department creates bureau to reduce 'likelihood of cyber conflict'

    Secretary of State Mike Pompeo announced on Thursday the creation of a new bureau inside the US Department of State dedicated to addressing cybersecurity as part of the US’ foreign policy and diplomatic efforts.


    The new bureau will be named the Bureau of Cyberspace Security and Emerging Technologies (CSET).
    “The CSET bureau will lead US government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect US foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber conflict, and prevailing in strategic cyber competition,” the State Department said yesterday.
    Efforts to get the bureau on its feet began in June 2019. It replaces a previous office tasked with addressing cybersecurity policy as part of US foreign diplomatic efforts, which had been shuttered in a reorganization in the summer of 2017, under Secretary of State Rex Tillerson.
    “The need to reorganize and resource America’s cyberspace and emerging technology security diplomacy through the creation of CSET is critical, as the challenges to US national security presented by China, Russia, Iran, North Korea, and other cyber and emerging technology competitors and adversaries have only increased since the Department notified Congress in June 2019 of its intent to create CSET,” the State Department said yesterday.
    State Department facing criticism
    However, the move has not been well met by former State Department cybersecurity coordinator Christopher Painter, who criticized the bureau’s creation on Twitter.
    “Laughable that this is done @ the 11th hr [during the Trump administration] when this was not adequately resourced or prioritized for 4 yrs,” Painter said.

    At this point the new administration should decide how best to structure this issue and where it should be placed. Both Solarium Comm & Cyber Diplomacy Act called for a broader and more integrated scope and a higher level in the Department.
    — Chris Painter (@C_Painter) January 7, 2021

    The former US official cited the recent Cyberspace Solarium Commission report and the Cyber Diplomacy Act, both of which call for cybersecurity-related efforts to be integrated at a higher level of the State Department’s foreign policy and coordinated with other US federal agencies, rather than relegated to a single office or bureau.
    The initial attempt to set up CSET in 2019 was stopped on the same grounds, with former Rep. Eliot Engel (D-N.Y.), the chairman of the House Foreign Affairs Committee at the time, arguing that cybersecurity should have a broader role in US foreign policy, controlled by higher-ranking officials inside the State Department rather than by a bureau.
    “This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber issues needs to elevate engagement on economic interests and internet freedoms together with security,” Rep. Engel said at the time.
    “While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity.”
    The US Government Accountability Office (GAO) also confirmed this in a September 2020 report, writing that the State Department had not involved or even informed other government agencies about its plan to establish CSET.
    As Painter pointed out on Twitter, “at this point the new administration should decide how best to structure this issue and where it should be placed.”

  • Singapore to introduce law governing police use of COVID-19 contact tracing data

    Days after it was revealed Singapore’s law enforcement can access COVID-19 contact tracing data for criminal probes, the government now says it will pass legislation to specify when such access will be permitted. It is doing so to “formalise” its assurance that access to the data will be restricted to serious offences. 
    The new law would outline seven categories during which personal data, collected for the purpose of contact tracing, could be used by the police for investigations, inquiries, or court proceedings, according to the Smart Nation and Digital Government Office, which is parked under the Prime Minister’s Office. 
    These seven categories would comprise:
    - Offences involving the use or possession of corrosive substances or dangerous weapons, such as possession of firearms
    - Terrorism-related offences detailed under the country’s terrorism laws
    - Crimes in which the victim is seriously hurt or killed, such as murder or voluntarily causing grievous hurt
    - Drug trafficking offences that involve the death penalty
    - Escape from legal custody where the suspect may cause imminent harm to others
    - Kidnapping
    - Serious sexual offences

    COVID-19 contact tracing data would not be used for police investigations, inquiries, or court proceedings outside of these seven categories, the Smart Nation Office said in a statement Friday. 
    It added that the legislation would be introduced at the next parliament session in February. 
    This move comes days after the government’s revelation that data gathered by the country’s contact tracing platform, TraceTogether, can be used for police investigations. The news contradicted previous assertions that the data would only be accessed if the user tested positive for the virus, and came months after the contact tracing app was launched last March.
    To date, more than 4.2 million residents, or 78% of the local population, have adopted the TraceTogether app and wearable token, with a recent spike in adoption likely fuelled by the government’s announcement that use of the app or token would be mandatory for entry into public venues in early 2021.

    TraceTogether taps Bluetooth signals to detect other participating mobile devices — within 2 metres of each other for more than 30 minutes — to allow them to identify those who have been in close contact when needed.
    In defending its decision to allow the police access to the data, the Singapore government said this was necessary to safeguard public safety and interest. It also revealed that the data had already been tapped at least once to assist in a homicide investigation.
    In its statement Friday, the Smart Nation Office acknowledged it had made an “error” in failing to state that TraceTogether data was not exempt from the country’s Criminal Procedure Code, which empowers the police to obtain any data for its investigations.
    It said the new legislation would “formalise” the government’s assurances that the use of contact tracing data outside of its primary purpose would be restricted to serious offences.
    Minister for Law and Home Affairs K. Shanmugam had said earlier this week that police access to TraceTogether data was restricted to “very serious offences”, given the “national importance” of the contact tracing platform in dealing with the COVID-19 pandemic. “While that requirement is not in the legislation, it will be carefully considered within the police and discretion will be exercised in seeking this information,” Shanmugam said. 
    Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also pledged that once the pandemic was over and contact tracing data deemed unnecessary, the TraceTogether programme would be stood down. 

  • Should you worry about hackers cloning your 2FA hardware security keys?

    Hardware security keys, such as the Google Titan, have become a cornerstone of enterprise security, adding a much-needed layer of protection on top of the password. But researchers have now shown that it is possible to clone keys — given the key, a few hours, and thousands of dollars.
    Researchers from security firm NinjaLab have managed to make a clone of a Google Titan 2FA security key. The process makes use of a side-channel vulnerability in the NXP A700X chip.

    I’ll let you read up on this, but basically, the process requires physical access to the key, takes hours, involves destroying the casing to get at the chip, and needs thousands of dollars of equipment, custom software, and a lot of know-how.
    Oh, and the attacker also needs the target’s account password.
    The idea is that after the cloning process, the original key is put back into a new shell and given back to the rightful owner.
    This will, as you might expect, be worrying for organizations that rely on 2FA keys. That said, the amount of information and free time an attacker needs to accomplish this is high. I mean, needing both the key and the password is itself a high hurdle.

    On top of that, getting at the key involves trashing the casing of the original. This means that the replacement needs to be convincing, and in my experience keys take on a distinctive battering after very little use.

    So, what can you do to mitigate this attack?
    - Have strong passwords.
    - Treat your 2FA keys the same way you’d treat your car or house keys — keep them with you at all times.
    - Make your keys distinctive — I know someone who puts a spot of glittery nail polish on their key, leaves it to dry, and takes a photo of the unique glittery blob.
    - If you believe that your key has been compromised, inform your IT department (or, if that’s you, remove the offending key from your accounts).
    - Google can detect cloned keys using its FIDO U2F counters feature.
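The counter check mentioned in the last point is done on the relying-party (server) side, and it is worth seeing why a clone trips it. The following is an added example, not code from this article, Google or NinjaLab: a U2F/WebAuthn authenticator returns a counter that increases with every assertion, the server remembers the last value per credential, and a physical clone starts from a snapshot of that counter and increments it on its own. Once both devices have been used, one of them presents a value that does not exceed what the server stored. The `FakeAuthenticator` class, the credential record layout and the login sequences are constructed for this example.

```python
"""Relying-party signature-counter check for FIDO U2F / WebAuthn keys.

Added example; not code from the article, Google or NinjaLab. The
authenticator stand-in, the record layout and the scenarios are constructed.
"""
from dataclasses import dataclass


@dataclass
class CredentialRecord:
    """What the relying party stores per registered key (constructed layout)."""
    credential_id: str
    last_counter: int = 0
    suspected_clone: bool = False


class CounterRegression(Exception):
    """The assertion's counter did not advance past the stored value."""


def check_counter(record: CredentialRecord, assertion_counter: int) -> bool:
    """Accept the assertion only if its counter strictly increases.

    Authenticators without a counter always report 0; when both the stored
    and the presented value are 0 the counter carries no information, so the
    assertion is accepted without updating or flagging anything.
    """
    if assertion_counter == 0 and record.last_counter == 0:
        return True
    if assertion_counter <= record.last_counter:
        # Two devices are signing with the same credential: flag the record
        # so the account owner is alerted and the key is re-registered.
        record.suspected_clone = True
        raise CounterRegression(
            f"{record.credential_id}: got {assertion_counter}, "
            f"stored {record.last_counter}"
        )
    record.last_counter = assertion_counter
    return True


class FakeAuthenticator:
    """Stand-in for a hardware key; only the counter matters here (constructed)."""

    def __init__(self, counter: int) -> None:
        self.counter = counter

    def sign_assertion(self) -> int:
        self.counter += 1
        return self.counter


def run_scenario(device_order, clone_present=True):
    """Replay logins from 'genuine' / 'clone' devices; return (log, record).

    Both devices start from counter 10, the value at the moment of cloning
    (constructed). Each log entry is (device, counter, 'accepted'|'rejected').
    """
    record = CredentialRecord("cred-titan-01", last_counter=10)
    devices = {"genuine": FakeAuthenticator(counter=10)}
    if clone_present:
        devices["clone"] = FakeAuthenticator(counter=10)
    log = []
    for who in device_order:
        counter = devices[who].sign_assertion()
        try:
            check_counter(record, counter)
            log.append((who, counter, "accepted"))
        except CounterRegression:
            log.append((who, counter, "rejected"))
    return log, record


if __name__ == "__main__":
    for order in (("genuine", "genuine", "clone"), ("clone", "clone", "genuine")):
        log, rec = run_scenario(order)
        print(order, "->", log, "flagged:", rec.suspected_clone)
    log, rec = run_scenario(("genuine",) * 4, clone_present=False)
    print("no clone ->", log, "flagged:", rec.suspected_clone)
```

Two points follow from running it. If the attacker uses the clone first, the regression lands on the rightful owner's next login, so a flagged record should trigger an alert and re-registration rather than just a failed sign-in. And a cloning setup that controls the counter value can delay the detection until the two devices diverge, so the counter is a tripwire, not a guarantee.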
    I expect that this will result in better, more tamper-resistant keys in the future. I use 2FA keys, and I am surprised how little tamper-resistance Google’s Titan Bluetooth key has — the shell snaps off easily to expose the innards.

    Still, the ingenuity of this attack should be applauded. It’s a very impressive hack.

  • SolarWinds hires Chris Krebs and Alex Stamos as part of security review

    The software company targeted by Russian hackers as part of one of the most wide-ranging cyber-espionage campaigns in recent years has hired former US government cybersecurity chief Chris Krebs to help it recover and learn lessons from the incident.
    Hackers breached the network of SolarWinds before planting Sunburst malware into its Orion software update packages. As a result of this supply chain attack, hackers had access to the networks of around 18,000 SolarWinds customers around the world, including the US government.
    Agencies targeted included the Department of State; Department of Homeland Security; National Institutes of Health; the Pentagon; Department of the Treasury; Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration.
    Cybersecurity company FireEye was also targeted as part of the espionage campaign, as what it described as state-sponsored hackers looked for information on its government customers.
    The US government has formally blamed Russia for being behind the massive supply chain attack, the full consequences of which may still not be known.
    Now SolarWinds has brought in Chris Krebs, who served as Director of the Cybersecurity and Infrastructure Security Agency (CISA) until November last year when he was fired by Donald Trump. Krebs was fired by Trump via Twitter for debunking the outgoing President’s dubious claims about election fraud following his loss to Joe Biden.

    Krebs has been hired by SolarWinds as an independent consultant after forming a new business with Stanford University professor and ex-Facebook chief security officer Alex Stamos. The pair will be working with SolarWinds to repair the damage of the attack and improve the company’s security.
    “Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies,” a SolarWinds spokesperson told ZDNet by email.
    “We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company.”
    The hiring of Krebs and Stamos comes as SolarWinds president and CEO Sudhakar Ramakrishna – who himself only joined the company this week – outlined plans to learn from the cyber attack.
    “We have engaged several leading cybersecurity experts to assist us in this journey and I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust,” he wrote in a blog post.

  • A crypto-mining botnet is now stealing Docker and AWS credentials

    Analysts from security firm Trend Micro said in a report today that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials.

    Researchers have linked the botnet to a cybercrime operation known as TeamTNT, a group first spotted over the summer of 2020 installing cryptocurrency-mining malware on misconfigured container platforms.
    Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.
    Researchers said the TeamTNT group would access exposed Docker containers and install crypto-mining malware, but would also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company’s other IT systems, infect even more servers, and deploy more crypto-miners.
    At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials.
    TeamTNT gets more refined
    But in a report today, Trend Micro researchers said that the TeamTNT gang’s malware code had received considerable updates since it was first spotted last summer.
    “Compared to past similar attacks, the development technique was much more refined for this script,” said Alfredo Oliveira, a senior security researcher at Trend Micro.

    “There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.”
    Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS credential-stealing code.
    This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.
    Oliveira points out that with the addition of this feature, “implementing [Docker] API authentication is not enough” and that companies should make sure Docker management APIs aren’t exposed online in the first place, even when using strong passwords.
    But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists.
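The two recommendations above (do not expose the Docker management API at all; if it must listen on the network, front it with an allow-list) can be checked against a daemon configuration. The following is an added example, not code from Trend Micro or the Docker project: it reads the `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys that Docker's `/etc/docker/daemon.json` uses, classifies each listener by where it binds and whether client certificates are required, and emits nftables allow-list rules for a port. The two sample configurations, the `10.0.5.0/24` network and the file paths are constructed for the example.

```python
"""Audit a Docker daemon.json for a network-exposed management API.

Added example, not code from Trend Micro or the Docker project. The
daemon.json keys are Docker's own; the sample configs, addresses and
paths below are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]  # Docker's default when "hosts" is absent
SEVERITY_ORDER = ["OK", "INFO", "WARN", "CRITICAL"]


def _bind_scope(host: str) -> str:
    """Classify a bind address as 'all', 'loopback', 'private', 'public' or 'name'."""
    if host in ("", "0.0.0.0", "::"):
        return "all"  # every interface, including any public one
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"  # hostname; not resolved, the audit runs offline
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def audit_daemon_config(cfg: dict) -> list:
    """Return (severity, message) findings for one daemon.json-style dict."""
    findings = []
    client_auth = bool(cfg.get("tlsverify", False))  # "tls" alone does not authenticate clients
    for entry in cfg.get("hosts", DEFAULT_HOSTS):
        parts = urlsplit(entry)
        if parts.scheme in ("unix", "fd", "npipe"):
            findings.append(("OK", f"{entry}: local socket, not reachable from the network"))
            continue
        if parts.scheme != "tcp":
            findings.append(("WARN", f"{entry}: unrecognised listener scheme"))
            continue
        scope = _bind_scope(parts.hostname or "")
        if scope == "loopback":
            findings.append(("INFO", f"{entry}: loopback only; local users can still drive the daemon"))
        elif not client_auth:
            # This is the configuration the article describes being scanned for:
            # the API answers to anyone who can reach the port.
            findings.append(("CRITICAL", f"{entry}: API reachable from the network "
                                         f"without client-certificate auth (tlsverify off)"))
        else:
            findings.append(("WARN", f"{entry}: client certs required, but port {parts.port} "
                                     f"should still be limited by a firewall allow-list"))
    if client_auth and not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append(("WARN", "tlsverify is set but tlscacert/tlscert/tlskey are incomplete"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, 'OK' for an empty list."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="OK")


def nft_allowlist_rules(port: int, allowed_cidrs, table="inet filter", chain="input") -> list:
    """nftables commands admitting the API port only from allowed_cidrs, dropping the rest."""
    rules = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        family = "ip6" if net.version == 6 else "ip"
        rules.append(f"nft add rule {table} {chain} {family} saddr {net} tcp dport {port} accept")
    rules.append(f"nft add rule {table} {chain} tcp dport {port} drop")
    return rules


# Constructed samples: the exposed layout versus a hardened one.
EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.5.12:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, worst_severity(audit_daemon_config(cfg)))
        for sev, msg in audit_daemon_config(cfg):
            print("  ", sev, msg)
    print("\n".join(nft_allowlist_rules(2376, ["10.0.5.0/24"])))
```

The hardened sample still comes out as WARN rather than OK on purpose: a TLS-authenticated listener answers to the whole network it is bound to, and the article's point is that authentication alone is not the control; the allow-list rules are what close the port to everyone else.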

  • It’s time to put security and privacy front and center for virtual care

    Telehealth (virtual care) usage has skyrocketed during the pandemic. 

    When you roll back the tape a few months, healthcare providers were able to (very quickly) stand up virtual care capabilities without having to go through the intensive HIPAA compliance protocols required in the healthcare industry. Some healthcare providers have been able to tap nontraditional technologies such as Apple’s FaceTime as a stopgap measure for virtual care. The accelerated innovation in delivering virtual care to the population was and is a good thing, but when speed takes precedence over security, there will be inevitable challenges. In fact, virtual care platforms have been susceptible to cyberattacks, with evidence indicating attacks on such platforms increased by 30% this year. 
    Make no mistake: Virtual care is becoming a core component of patient care moving forward, but healthcare organizations (HCOs) need to prioritize security and privacy because:
    - Virtual care platforms are more connected and highly distributed than other healthcare technology systems, which makes them a prime target for attackers.
    - Weak patient authentication into healthcare networks and vulnerabilities found in the hardware and software used by providers have offered attackers more direct avenues to critical assets where protected health information could be stolen or ransomware could be deployed.
    - The Office for Civil Rights will strengthen its enforcement of HIPAA requirements as the pandemic starts to get under control. Providers will scramble to implement new security protocols, and at worst, organizations will be looking for a new virtual care platform that is more robust. Security practitioners need to plan for these changes now to avoid being caught off guard.
    HCOs Need To Play The Long Game For Virtual Care By Making Preparations Now 
    Long-term success for virtual care deployments hinges on balancing ease of use and security and privacy. Providers are already hampered by a significant administrative burden and diverging workflows. There are many steps HCOs can take now to achieve this balance. 
    For starters, security professionals must:
    - Evaluate their existing vendors’ abilities to scale, integrate, and resolve security issues quickly.
    - Look past the “cool” features vendors offer and ensure the core capabilities they actually use can be scaled to meet current and future needs while keeping patients’ data safe. There will always be time to implement additional “nice to have” functions once the foundation is secure.
    The scalability of the technology and the vendor are just two of several factors healthcare providers will need to consider as they transition their virtual care deployments from the pandemic to a long-term viable care model.
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.

    This post was written by Senior Analyst Arielle Trzcinski together with a group of Forrester analysts, and it originally appeared here. 


  • Cybersecurity: This 'costly and destructive' malware is the biggest threat to your network

    A spam campaign which targeted over 100,000 users a day over Christmas and New Year has seen Emotet secure its spot as the most prolific malware threat.
    Analysis by cybersecurity company Check Point suggests that Emotet was used to target seven percent of organisations around the world during December.
    Emotet has been active since 2014 and is regularly updated by its authors in order to maintain its effectiveness. The malware started life as a banking trojan but has evolved to become much more than that, providing a complete backdoor onto compromised machines which can then be sold on to other cyber criminals to infect victims with additional malware – including ransomware.
    While Emotet has worm-like capabilities which allow it to move onto other machines on the same network as the initial victim, it also spreads via phishing emails. But no matter how it arrives, Emotet is excellent at maintaining persistence while also avoiding detection, meaning victims will often have no idea they’ve been compromised until it’s far too late.
    “Emotet was originally developed as banking malware which sneaked on to users’ computers to steal private and sensitive information. However, it has evolved over time and is now seen as one of the most costly and destructive malware variants,” said Maya Horowitz, director of threat intelligence and research at Check Point.
    “It’s imperative that organizations are aware of the threat Emotet poses and that they have robust security systems in place to prevent a significant breach of their data. They should also provide comprehensive training for employees, so they are able to identify the types of malicious emails which spread Emotet,” she added.
    Banking trojan Trickbot is the second most dominant form of malware as we enter 2021. Like Emotet, it’s constantly updated with new capabilities and features, including the ability to customise the malware which allows it to be used in all manner of cyber intrusion campaigns. Like Emotet, Trickbot has become more than a banking trojan and is often installed on systems as a means of providing a gateway to install ransomware.

    Credential harvesting malware Formbook was the third most detected malware threat over the reporting period. Formbook is sold on dark web forums at relatively low cost but provides cyber criminal users with everything they need for a powerful information stealing campaign; it harvests usernames and passwords from browsers, collects screenshots, monitors and logs keystrokes and more.
    According to Check Point, Trickbot and Formbook campaigns were detected attempting to infiltrate the networks of four percent of organisations around the world each.
    Other prominent malware during December included Dridex trojan, XMRig cryptocurrency mining malware and Hiddad Android malware.
    One of the best ways for businesses to avoid falling victim to malware attacks is to ensure the latest security patches are applied across the network, as this prevents attackers from taking advantage of the known vulnerabilities which cyber criminals exploit to deliver malware.


  • Nvidia releases security update for high-severity graphics driver vulnerabilities

    Nvidia has released a round of security fixes tackling high-severity issues in the Nvidia GPU display driver and vGPU software. 

    Released on Thursday, the technology giant said the patches deal with issues that “may lead to denial of service, escalation of privileges, data tampering, or information disclosure.”
    In total, Nvidia has resolved 16 vulnerabilities in the Nvidia GPU display driver used to support graphics processing units, as well as in vGPU software for virtual workstations, servers, apps, and PCs.
    The most severe vulnerability dealt with in Nvidia’s latest security round is CVE‑2021‑1051. Issued a CVSS score of 8.4, the problem impacts the kernel mode layer for the Windows GPU display driver. If exploited, this flaw can lead to denial of service or privilege escalation. 
    CVE‑2021‑1052 is the second highest-severity vulnerability in the driver, but this bug impacts both Windows and Linux. The security flaw, awarded a severity score of 7.8, is also found in the kernel mode layer and permits user-mode clients access to legacy, privileged APIs. As a result, an exploit leveraging this vulnerability could lead to denial of service, privilege escalation, and information leaks.
    Nvidia has also resolved CVE‑2021‑1053, a display driver bug for Windows and Linux machines with a CVSS score of 6.6, indicating this vulnerability is considered a moderate/important issue. Improper validation of a user pointer targeted at the same kernel mode layer can lead to denial of service. 
    Two other problems impact Windows machines specifically, in the same kernel mode layer, which are tracked as CVE‑2021‑1054 and CVE‑2021‑1055 with severity scores of 6.5 and 5.3, respectively. These vulnerabilities involve failures to perform authorization checks and improper access controls, and are exploitable to cause denial of service. CVE‑2021‑1055 may also lead to data leaks. 

    The last vulnerability impacts Linux PCs only. Tracked as CVE‑2021‑1056 and issued a CVSS score of 5.3, this bug is caused by operating system file system permission errors, leading to information disclosure and denial of service.
    In total, 10 of the vulnerabilities reported impact Nvidia vGPU, eight of which relate to the vGPU manager.
    With the exception of CVE‑2021‑1066, a moderate CVSS 5.5 input validation issue in vGPU manager leading to resource overload and denial of service, each vulnerability has been issued a severity score of 7.8. 
    Nvidia has patched eight vGPU manager and plugin vulnerabilities ranging from input data validation errors to race conditions and untrusted source values. These security flaws could lead to information disclosure, integrity and confidentiality loss, and data tampering. 
    Two input index validation vulnerabilities, CVE‑2021‑1058 and CVE‑2021‑1060, impact the guest kernel mode driver and vGPU plugin. The first can be triggered to cause an integer overflow, allowing data tampering, data leaks, and denial of service, whereas the second can be exploited for service denial and data manipulation.
    In order to stay protected, Nvidia has recommended that users accept automatic security updates, or download them directly. 