More stories


    Protect your online data with this decentralized VPN and firewall portable solution

    Cybersecurity experts have long recommended using a VPN whenever you go online. And while no one contests their efficacy when it comes to protecting your data and keeping you anonymous on the internet, there’s no denying that VPNs cost a pretty penny. An annual subscription to a well-known VPN service can easily set you back a hundred dollars.

    If you want to take cybersecurity into your own hands, you always have the option to go beyond a VPN subscription. The Deeper Connect Nano is a decentralized VPN and firewall device that eliminates the need to pay monthly fees for VPN services. An ultra-portable tool, you can bring it anywhere you go and still remain protected when you go online.
    Unlike a VPN that reroutes your connection through various servers, this device serves as both client and server, and your IP address changes automatically based on routing rules. There’s no middleman managing your network for you. It’s serverless and distributed, so none of your data can be logged, leaked, hacked, or even subpoenaed. It also blocks ads, trackers, and malware across the entire network, and lets you browse and stream online without bottlenecks.
    Here’s a closer look at how it works:
    [embedded content]
    Since it’s primarily designed to protect your data, it’s worth noting that it has a 7-layer firewall that secures your entire home or business network. It even filters NSFW and NSFC content on all internet devices, making it ideal for use in the workplace and at home. Setup is pretty straightforward, too. With a plug-and-play design, you get immediate access to free, secure, and private internet wherever you go.
    The Deeper Connect Nano was so impressive that it managed to garner $1 million in contributions on Indiegogo. Now, you can also be a proud owner of this cybersecurity marvel for 33% off. For a limited time, you can get it on sale for $199.99.
    Prices subject to change.



    Microsoft expands AccountGuard ahead of elections, deepens Yubico partnership

    Microsoft has expanded advanced features in the AccountGuard service ahead of upcoming elections. 

    AccountGuard is a selective program for individuals and organizations that may face a higher risk of attack or account compromise due to their involvement in politics. 
    The service includes cybersecurity guidance, access to webinars and workshops, notifications when a threat or “compromise by a known nation-state actor” against an Office 365 account linked to a member occurs, alerts relating to Hotmail and Outlook accounts, and damage control recommendations if a cyberattack is successful.  
    Participants also have a point of contact in the Microsoft Defending Democracy Program team. 
    This week, Microsoft expanded the offering to all AccountGuard members in 31 democracies to include identity and access management protections at no further cost. 
    “The addition of new features to AccountGuard provides new ways to protect online accounts for political parties, candidates and their staff, health care workers, human rights defenders, journalists and certain other customers who are at greatest risk from nation-state hackers,” Microsoft says. 
    The company’s expansion includes multi-factor authentication, single sign-on for cloud apps, conditional access policy implementation, and privileged identity management (PIM) — the creation of time-bound and approval-based access policies for sensitive and important resources. 

    Microsoft’s access options were made available to political parties ahead of the US 2020 elections, and with similar events coming up in countries including the Netherlands, Finland, and Germany, the firm’s rollout is intended to stop “hack and leak” attempts before they have a chance to begin. 
    In addition, the Redmond giant has announced the expansion of an existing partnership with Yubico. Yubico manufactures YubiKey, a physical dongle for multi-factor authentication designed to reduce the risk of phishing attempts and account takeovers. 
    As of now, up to 25,000 YubiKeys will be offered to AccountGuard members. Depending on the size of the organization applying, a number of free keys may be on offer. 
    In April last year, Microsoft made the service available for healthcare entities and human rights groups, saying that these organizations would maintain access during the COVID-19 pandemic.
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    OVHcloud data centers engulfed in flames

    OVHcloud has suffered a disastrous fire that has engulfed some of the firm’s data centers. 

    On March 10, OVHcloud founder and chairman Octave Klaba started a Twitter thread updating customers on the situation, which has claimed at least one data center. 
    OVHcloud is a global cloud, dedicated server, and managed bare metal services provider catering to over 1.5 million customers. 
    The company manages 27 data centers in countries including the US, UK, France, and Australia. 
    As data centers manage vast quantities of data for customers, providers have to be stringent when it comes to security. OVHcloud restricts physical access to employees only and security personnel are always on-site — but this has not stopped a fire from breaking out. 
    “We have a major incident on SBG2,” Klaba said. “The fire declared in the building. Firefighters were immediately on the scene but could not control the fire in SBG2. The whole site has been isolated which impacts all services in SBG1-4.”
    The impacted data centers, located in Strasbourg, France, include SBG2, which has been completely destroyed. Part of SBG1 has been destroyed, too, but firefighters were able to protect SBG3. SBG4 has not been impacted by the fire. Klaba says that “everyone is safe.”

    Images shared on social media appear to show the extent of the fire.
    “Firefighters continue to cool the buildings with the water,” the executive said. “We don’t have the access to the site. That is why SBG1, SBG3, SBG4 won’t be restarted today.”
    The fire has now been quelled but an assessment of the overall damage caused to OVHcloud’s data centers may take some time. Impacted clients have been urged to turn to backups to minimize downtime and disruption.
    “We recommend [you] activate your Disaster Recovery Plan,” Klaba added. 
    At the time of writing, Klaba is on-site. In an update, the executive said:

    “We finished to shutdown the UPS in SBG3. Now they are off. We are looking to enter into SBG3 and check the servers. The goal is to create a plan to restart, at least SBG3/SBG4, maybe SBG1. To do so, we need to check the network rooms too.”

    Update 10.19 am GMT: According to Klaba, “all servers in SBG3” are okay, while still non-operational, and the company is working on a way to restart them. Work on verifying SBG1 is now underway. 
    ZDNet has reached out to OVHcloud and will update when we hear back. 


    Verkada disables accounts after reports its security cameras were breached

    Following reports that live feeds from over 150,000 of its security cameras were exposed, including those situated in prisons, hospitals, schools, police stations, and Tesla factories, Verkada has disabled accounts to prevent further access.
    According to Bloomberg, a group of hackers accessed the data collected by the Silicon Valley startup. The hackers are reported as saying they also have access to the full video archive of all Verkada customers.
    Bloomberg claims to have sighted footage validating the details of the breach.
    Verkada has described itself as bringing “the ease of use that consumer security solutions provide, to the levels of scale and protection that businesses and organisations require”.
    Commentary provided to Bloomberg from the hackers claiming responsibility for the incident said the breach intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.
    “We have disabled all internal administrator accounts to prevent any unauthorised access,” a Verkada spokesperson told ZDNet. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

    The startup claims over 5,200 customers, including Cloudflare, Equinox, the Salvation Army, and Tesla. It is understood customers of the startup have been made aware of the issue.


    Human rights lawyers ask Australia's 'hacking' Bill be redrafted

    Human Rights Law Centre and the Law Council of Australia have asked that the federal government redraft the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, calling its contents “particularly egregious” and “so broad”.
    The Bill, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new computer warrants for dealing with online crime.
    “Sweeping state surveillance capacity stands in stark contrast to the core values that liberal democracies like Australia hold dear,” Human Rights Law Centre senior lawyer Kieran Pender declared to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Wednesday.
    “In the past two decades, the surveillance capabilities of Australian law enforcement and intelligence have rapidly expanded, every increase in state surveillance imposes a democratic cost.”
    According to Pender, each time further surveillance powers are contemplated, three questions should be asked: Are the proposed powers strictly necessary, carefully contained, and fully justified?
    “We believe that the Bill in its present shape does not satisfy those criteria,” he said.
    “While many of the expansions made to surveillance powers in this country in recent years have been troubling, this Bill stands out as particularly egregious because its scope encompasses any and every Australian.”

    The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
    The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
    The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “The powers offered by the Bill are extraordinarily intrusive, the explanatory memorandum and commentary by the minister indicate that powers are intended to only be used in cases of the most severe wrongdoing, yet the Bill does not reflect that,” Pender said.
    He believes the Bill’s relevant offence threshold of three years imprisonment is too low and should be increased; and that the definitions provided by the network activity warrants are so expansive as to be practically unlimited in scope.
    “We would urge the committee to recommend that these warrants be redrafted to prevent their application to individuals that have no involvement whatsoever in the relevant offence, otherwise, every single Australian is at risk of having their online activities monitored by the Federal Police even where they’re not suspected of having done anything wrong,” he said.
    As noted in its submission on the Bill, the OAIC believes the Bill’s definition of a criminal network of individuals has the potential to include a significant number of individuals, including third parties not the subject or subjects of the warrant who are only incidentally connected to the subject or subjects of the warrant.
    David Neal from the Australian Law Council further expanded on the risk posed to those peripheral to the individual/s that are the subject of a warrant.
    “[The definition is] so broad that as soon as one individual suspected of a relevant offence, users, for example of WhatsApp, in theory, this Bill will allow warrant in regards to anyone who uses WhatsApp because they’re then an electronically linked group of individuals with that one person,” he said.
    “Now, you know, someone defending the Bill might say, Well, you know, there are sort of all these other criteria that go to that, and we accept that to an extent, although I think those criteria needs to be more robust.”
    Representatives from both organisations agreed the broad definitions within the Bill could exacerbate the risk of abuse and misuse.
    “There’s all of these channels that are totally going to be sort of swept pass potentially under this under this Bill, and give rise to concerns about abuse,” Neal said.
    In its submission to the PJCIS, the Law Council made a total of 57 recommendations on how to make the Bill more fit for purpose.
    “The appropriate course of action we respectfully submit is for the committee to recommend that the government substantially redraft this bill before it returns to Parliament,” Pender declared.


    Linux Foundation announces new open-source software signing service

    A few months ago, if you’d asked someone what their biggest concern was about IT security, you would have received lots of different answers. Then SolarWinds catastrophically failed to secure its software supply chain, leading to what’s been called IT’s Pearl Harbor. Today, locking down the software supply chain has become job number one for all CSOs and CISOs who take their jobs seriously. To answer this call for open source, the Linux Foundation, along with Red Hat, Google, and Purdue University, has created the sigstore project. 


    The just-announced sigstore aims to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. It will do this by empowering developers to securely sign software artifacts such as release files, container images, and binaries. These signing records will then be kept in a tamper-proof public log. The service will be free for all developers and software providers to use. The sigstore code and the operational tooling that will make this work are still being developed by the sigstore community.
    With this, as David A. Wheeler, the Linux Foundation’s director of Open Source Supply Chain Security, observed earlier, we’ll be on our way to creating verified reproducible builds. Wheeler explained: “A reproducible build is one that always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code.”
    This, in turn, could be used to create a software bill of materials (SBOM). With an SBOM you’ll know exactly what code you’re using in any given project. This is another argument for open source. SolarWinds’ hacked Orion program, for example, like all proprietary software, is a black box. No one except its builders knows what’s in it. And as we now know, SolarWinds didn’t know what was inside it until outside companies spotted its corruption. 
    Sigstore will avoid this, explained Luke Hinds, Red Hat’s Security Engineering lead in the office of the CTO, because it will enable “all open-source communities to sign their software and combine provenance, integrity, and discoverability to create a transparent and auditable software supply chain.” This isn’t easy. While there are some open-source digital signing tools available today, few developers use them. Many programmers, even now, don’t see the point of taking the extra steps needed to “sign” their software. 
    Besides, as Matt Sicker, Apache Software Foundation member and CloudBees’ senior security engineer, said, “Applications commonly used for signing software typically have confusing UIs and require learning basic cryptography concepts in order to properly use them. Without some sort of code signing policy in place for a larger open source project, many developers are simply unaware of the benefits of signing their software.”
    Because of that, the tools that do exist for confirming the origin and authenticity of software rely on an often disparate set of approaches and data formats. They also often rely on digests stored on insecure systems that are susceptible to tampering. 

    Newer, better signing tools are on their way. For example, Tidelift-managed catalogs track well-known, proactively maintained components covering common language frameworks such as JavaScript, Python, Java, Ruby, PHP, .NET, and Rust.
    Even so, very few open-source projects currently cryptographically sign their software releases. That’s largely because of the challenges software maintainers face with secure key management, key compromise and revocation, and the distribution of public keys and artifact digests. Users are all too often left to fend for themselves to find out which keys to trust and how to validate signatures. That is not a job for ordinary IT people. 
    But, wait, there’s more. The ways we currently distribute digests and public keys are, in a word, bad. All too often they’re stored on hackable websites or in a README file on a public git repository. That’s just asking to be hacked. Sigstore seeks to solve these issues by using short-lived ephemeral keys with a trust root anchored in an open and auditable public transparency log.
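    The “tamper-proof public log” described above is, in practice, an append-only Merkle tree: each signing record becomes a leaf, the tree root commits to every record ever appended, and any party can check that a given record is included without trusting the log operator. The example below is added here to illustrate that mechanism; it is not sigstore’s code and not part of the original article. It assumes RFC 6962-style leaf/node domain separation (a constructed but standard choice), treats the artifact signature as an opaque field produced by some external signer, and uses constructed artifact bytes and a constructed signer identity.

```python
"""Minimal append-only transparency log with Merkle inclusion proofs.

Illustrative code, not sigstore's implementation. Hashing follows the
RFC 6962 convention: leaves are hashed with a 0x00 prefix and interior
nodes with a 0x01 prefix, so a leaf can never be confused with a node.
"""
import hashlib
import json
from typing import Dict, List, Tuple

LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """Root hash of a list of leaf hashes; the empty tree is SHA-256 of nothing."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


# Each proof step is (side, sibling_hash): side says where the sibling sits.
Proof = List[Tuple[str, bytes]]


def inclusion_proof(leaves: List[bytes], index: int) -> Proof:
    """Sibling hashes needed to rebuild the root from leaves[index]."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]


def verify_inclusion(leaf: bytes, proof: Proof, root: bytes) -> bool:
    """Recompute the root from a leaf and its proof; True only if it matches."""
    h = leaf
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


class TransparencyLog:
    """Append-only list of signing records; the root commits to all of them."""

    def __init__(self) -> None:
        self.entries: List[bytes] = []

    def append(self, record: Dict[str, str]) -> int:
        # Canonical JSON so the same record always hashes the same way.
        self.entries.append(json.dumps(record, sort_keys=True).encode())
        return len(self.entries) - 1

    def leaves(self) -> List[bytes]:
        return [leaf_hash(e) for e in self.entries]

    def root(self) -> bytes:
        return merkle_root(self.leaves())

    def proof(self, index: int) -> Proof:
        return inclusion_proof(self.leaves(), index)


def demo() -> Dict[str, object]:
    """Append three constructed release records, then verify one and a tampered copy."""
    log = TransparencyLog()
    artifacts = [  # constructed sample artifacts, not real releases
        ("release-1.0.tar.gz", b"constructed artifact bytes one"),
        ("release-1.1.tar.gz", b"constructed artifact bytes two"),
        ("release-1.2.tar.gz", b"constructed artifact bytes three"),
    ]
    for name, content in artifacts:
        log.append({
            "artifact": name,
            "sha256": hashlib.sha256(content).hexdigest(),
            "signer": "builder@example.org (constructed identity)",
            "signature": "<opaque signature from an external signer>",  # placeholder
        })
    root = log.root()
    idx = 2
    proof = log.proof(idx)
    ok = verify_inclusion(leaf_hash(log.entries[idx]), proof, root)
    # An attacker who swaps the digest in a stored record cannot keep the proof valid.
    tampered = json.loads(log.entries[idx])
    tampered["sha256"] = "0" * 64
    bad = verify_inclusion(leaf_hash(json.dumps(tampered, sort_keys=True).encode()), proof, root)
    return {"size": len(log.entries), "verified": ok, "tampered_verified": bad}


if __name__ == "__main__":
    print(demo())
```

    A client that records the root it last saw can later demand a proof that each new root extends the old one, which is what makes the log append-only rather than merely hashed; that consistency proof is the one piece of the scheme this example leaves out.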
    In other words, as Alex Karasulu, also an ASF member and OptDyn CEO, observed, “The problem isn’t that open-source developers are lazy or reluctant. It is that a standard mechanism for two-factor authentication (2FA) specifically around code signing does not exist. Some techniques exist to achieve this: Git revisions can be signed and the process loosely protected with mandated 2FA accounts at GitHub, or GPG code signing keys can be stored on devices requiring a second factor to digitally sign anything including code and release checksums. There are many ways to skin this cat — but there is no standard making the process consistent. It’s essentially discretionary.”
    Without standardization, securing the software supply chain will be almost impossible. It’s sigstore backers’ hope that they can fix these issues. The goal is worth the effort. As Josh Aas, executive director of the Internet Security Research Group (ISRG) and Let’s Encrypt, said “Securing a software deployment ought to start with making sure we’re running the software we think we are. Sigstore represents a great opportunity to bring more confidence and transparency to the open-source software supply chain.”
    After all, as Santiago Torres-Arias, Purdue assistant professor of Electrical and Computer Engineering and project founder, pointed out, “The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure.”
    We really need sigstore. Even now, we still haven’t really grasped how bad the SolarWinds disaster was. Without a truly secure open-source supply chain, we can be certain we’ll see even worse disasters.


    WA Auditor-General finds control weaknesses in four state IT applications

    The auditor-general of Western Australia has found four business applications used by state government entities contain control weaknesses, mostly around poor information security and policies and procedures.
    In her latest audit, the auditor-general probed the Teacher Registration System, handled by the Department of Education, Teacher Registration Board of Western Australia; the Forest Products Commission’s Deliveries and Billing System; the Housing Management System (Habitat) from the Department of Communities; and the TAFE Student Management System, which is under the watch of the Department of Training and Workforce Development.
    The testing was performed during 2019-20. The report [PDF] declared all four applications had control weaknesses. Auditor-General Caroline Spencer reported 75 findings across the four applications — nine findings were rated as significant, 57 moderate, and another nine were considered minor.
    The first project probed was the Department of Education’s Teacher Registration System, which it inherited in 2017.
    The system is a combination of internally developed and commercial software applications, hosted on public cloud infrastructure and maintained by department staff and contractors.
    “There are a number of significant weaknesses in the system which prevent the [Teacher Registration Board of Western Australia] and the department from efficiently managing public resources and effectively managing information security risks relating to sensitive teacher information,” the report said.
    The audit determined basic governance and controls, including limiting access and segregation of duties for system changes, were not implemented.

    “There is also a risk that insufficient disaster recovery planning and ongoing system failures could result in an outage that impacts teacher registration services,” it added.
    IT governance, security, and risk management were poor, with the report saying there is currently no IT strategy; limited oversight; and no risk management, change management, project management, incident and problem management, cloud management, or continuity management.
    Roles and responsibilities for managing the cloud environment have also not been defined, the report said, with there being 33 subscription owners that can manage and have full access to the cloud resources.
    It also found 119 resources were allocated to data centres outside Australia, including in Southeast Asia and the United States.
    The department’s Teacher Registration Directorate also spent approximately AU$240,000 between July 2019 and February 2020 on contracted services that the department could provide. The audit also found a conflict of interest risk, as the same contractor proposed and undertook projects — that contractor pulled in approximately AU$500,000 in a six-month period.
    The next application probed was the Forest Products Commission’s Deliveries and Billing System (DAB), which enables it to generate revenue and payment information from the harvest and sale of timber products.
    The audit determined security weaknesses in the DAB database and the commission’s network may expose it to malicious attacks and unauthorised access. In addition, weaknesses in controls, including the review of information entered into the DAB and monitoring of compliance with regulations, create risks of incorrect revenue or payments and non-compliance.
    The 2019 DAB implementation project encountered delays and cost overruns — it overspent by approximately AU$720,000 — and the auditor-general said the commission could not demonstrate that an effective project governance framework was in place.
    The Department of Communities’ Housing Authority, meanwhile, was found to not have assessed the information security risks for its Habitat program. In addition, the auditor-general said the authority had not implemented adequate processes that provide oversight of Habitat controls, nor was there a disaster recovery plan in place.
    The report said the auditor-general identified 178 database user accounts with easy to guess passwords and 1,195 accounts where the password had not been changed for five years. These included accounts with high privileges.
    The authority’s IT staff also used and shared a highly privileged account to administer the Habitat database.
    Lastly, the Student Management System used by Western Australian TAFE colleges was found to open sensitive student information to risk due to inadequate monitoring of user activity and poor user access management.
    The auditor-general said application governance was not fully established, there was inadequate contract management, and service level arrangements were not defined.
    In addition, sensitive information was not protected in the database, data was found to be not de-identified, user access management could be improved, 2FA was not adopted, and data files were not appropriately restricted.  
    “Application controls need to be considered in conjunction with existing organisational processes and IT controls. A holistic approach towards governance, risk management and security is critical for secure and effective operations,” Spencer said.
    “Public facing applications are prone to cyber threats. It is therefore essential to manage system vulnerabilities and other weaknesses that could expose entities to compromise. We found that all audited entities could improve their controls around user access, vulnerability management, and situational awareness to address cyber risks.”


    Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect

    Adobe has released fixes for critical security problems impacting Framemaker, Creative Cloud, and Connect. 

    In the tech giant’s standard security update, published on a monthly basis, a single vulnerability has been resolved in the document processor Framemaker. 
    The bug, tracked as CVE-2021-21056, is a critical out-of-bounds read problem which leads to the execution of arbitrary code if exploited. 
    A total of three critical vulnerabilities in Adobe Creative Cloud have also been resolved. The first, CVE-2021-21068, is an arbitrary file overwrite issue, whereas CVE-2021-21078 is an OS command injection security flaw. While these bugs lead to the execution of arbitrary code, the third — tracked as CVE-2021-21069 — is an improper input validation problem that can be exploited for privilege escalation. 
    Adobe’s Connect software, a remote conferencing tool, has received a fix for a single, critical bug caused by improper input validation. The security flaw, tracked as CVE-2021-21085, can lead to the execution of arbitrary code. 
    In addition, Adobe has patched three reflected cross-site scripting (XSS) flaws in Connect. Deemed important, the vulnerabilities — CVE-2021-21079, CVE-2021-21080, and CVE-2021-21081 — can be weaponized for the execution of arbitrary JavaScript in a browser session. 
    Adobe thanked Francis Provencher and Rookuu, working with Trend Micro’s Zero Day Initiative, Sebastian Fuchs from Star Finanz, and four independent researchers for reporting the security issues.

    In February, Adobe patched critical issues in software including Acrobat, Reader, Magento, and Illustrator, including buffer overflow vulnerabilities, Insecure Direct Object Reference (IDOR) security flaws, and out-of-bounds write/read bugs. 