More stories


    Ransomware gangs are now cold-calling victims if they restore from backups without paying

    In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands.

    “We’ve seen this trend since at least August-September,” Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday.
    Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet on Thursday.
    “We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants,” Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email.
    Arete IR and Emsisoft said they’ve also seen scripted templates in phone calls received by their customers.
    According to a recorded call made on behalf of the Maze ransomware gang, and shared with ZDNet, the callers had a heavy accent, suggesting they were not native English speakers.
    Below is a redacted transcript of a call, provided by one of the security firms as an example, with victim names removed:

    “We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.”
    Another escalation in ransomware extortion tactics
    The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they’ve encrypted corporate networks.
    Previous tactics included the use of ransom demands that double in value if victims don’t pay during an allotted time, threats to notify journalists about the victim company’s breach, or threats to leak sensitive documents on so-called “leak sites” if companies don’t pay.
However, while this is the first time ransomware gangs have phoned victims to harass them into paying, it is not the first time ransomware gangs have called victims at all.
In April 2017, the UK’s Action Fraud group warned schools and universities that ransomware gangs were calling their offices, pretending to be government workers, and trying to trick school employees into opening malicious files that led to ransomware infections.


    Johnson & Johnson CISO: Healthcare orgs are seeing nation-state attacks every single minute of every single day

    Marene Allison, the Chief Information Security Officer at Johnson & Johnson, one of the companies involved in the research and development of a COVID-19 vaccine, said this week that healthcare organizations like her employer are seeing cyber-attacks from nation-state threat actors “every single minute of every single day.”

Allison’s comments come after the Wall Street Journal reported on Wednesday that Johnson & Johnson was one of six COVID-19 research companies targeted by North Korean hackers seeking vaccine information.
    “Healthcare companies literally have seen an onslaught [of cyberattacks] since March 2010,” Allison said on Thursday in an online panel at the Aspen Cyber Summit.
    “That is the day that the Chinese actually started a hard knock of most of the healthcare in the United States.”
    “Meredith and I, and in all CISOs and healthcare [organizations], are seeing attempted penetrations by nation-state actors, not just North Korea, every single minute of every single day,” Allison said, referring to Meredith Harper, CISO at Eli Lilly, another pharmaceutical company involved in the COVID-19 response, also present on the online panel.
The Johnson & Johnson CISO said that “with the vaccine in development,” her company is now “on a grander stage.”
    Allison also said that her company doesn’t “have the resources to know where [an attack] came from,” or what attackers are actually going after, but instead has been working and relying on H-ISAC and CISA to identify and classify cyber-attacks.

    All in all, Allison said Johnson & Johnson saw a 30% uptick in cyber-attacks targeting the company, but that they couldn’t tell how much was COVID-19-related.
“There’s only going to be so many people who could get information and turn it into a vaccine,” she said. “Then we’re going to have the group of people who just decide that ‘well I don’t want the world to have a vaccine’.
“For us, inside, it’s really not much of a difference,” Allison said.


    Scammers stole millions last Christmas. These six tips could keep you safe online this time around

    The National Cyber Security Centre (NCSC) is urging people to be careful when shopping online in the run up to Christmas as cyber criminals step up campaigns to steal money, credit card information and more during the busiest time of year for retailers.
    Last year’s Christmas shopping period, from November 2019 to January 2020, saw cyber criminals make off with a total of £13.5 million as a result of online shopping fraud – averaging out at £775 per incident across 17,405 cases reported by the National Fraud Intelligence Bureau.


    And with even more people expected to be doing their Christmas shopping online this year because of ongoing coronavirus restrictions, the NCSC, alongside the Home Office, the Cabinet Office and the Department for Digital, Culture, Media and Sport (DCMS), has launched a ‘Cyber Aware’ campaign.
    The campaign lists six things to help protect shoppers against phishing emails, malware and other malicious cyber activity – and provides information on how to set up these additional protections: 
    Use a strong and separate password for your email
    Create strong passwords using three random words
    Save your passwords in your browser
    Turn on two-factor authentication (2FA)
    Update your devices and apps
    Back up your data
By following this advice, people can better protect themselves from falling victim to cyberattacks. The additional security on their devices also gives better protection against cyber criminals attempting to exploit the phones and laptops people use while working from home as a way into a corporate network.
    Organisations can also play a role in helping their employees stay safe online by providing services including two-factor authentication and cloud-based backups.

    “Technology will play an essential role over the festive period, with more people shopping online than ever before. Scammers stole millions from internet shoppers last Christmas – but by following our advice, you can protect yourself from the majority of their crimes,” said Lindy Cameron, chief executive of the NCSC.
    The Cyber Aware campaign is being supported by organisations including Microsoft, Vodafone, BT, ASOS, Barclays and Citizens Advice.
    “If you are shopping online this year, spend the time you would have spent wrapping up warm to head out to the shops on checking your online security. If it feels suspicious or unusual it may well be,” said Sian John, chief security adviser at Microsoft UK.


    Ransomware attack cripples Vancouver public transportation agency

    A ransomware attack has crippled the operations of TransLink, the public transportation agency for the city of Vancouver, Canada.
    The attack took place this week, on December 1, and has left Vancouver residents unable to use their Compass metro cards or pay for new tickets via the agency’s Compass ticketing kiosks.
TransLink initially passed the incident off as a prolonged technical issue, until reporters from local news outlet CITY NEWS 1130 learned of the true nature of the incident and forced the agency to come clean.

    Working with my colleague @pjimmyradio, we can confirm for @NEWS1130 that @TransLink has been hacked. Our information comes from multiple sources within the transit authority, who have shared the ransom letter with us. Listen in for more details throughout the afternoon.
    — Martin MacMahon (@martinmacmahon) December 3, 2020

    “We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement released last night, after the CITY NEWS 1130 report.

While Desmond did not name the ransomware strain or gang that breached TransLink’s network, he confirmed that the attackers had pushed the ransom note to the agency’s printers, which printed it out.
    A copy of this ransom note was published online by another local reporter.

Based on the ransom note, TransLink’s systems were infected with a version of the Egregor ransomware.

At least one affiliate of the Egregor ransomware-as-a-service operation is known to send a copy of the ransom note to every printer it can reach on the victim’s network.
A previous case was reported in South America after the same Egregor affiliate hit Cencosud, a major retail chain, and had store printers spew the ransom note in full view of employees and customers.
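That tactic is also a detection opportunity: a ransom note fanned out to every queue shows up as a single host submitting the same document to many printers within seconds, which routine printing never does. The Go program below is an added example written for this page, not TransLink’s or any vendor’s code; the log format it parses (`timestamp host=… user=… printer=… doc="…"`) and the sample lines are constructed for the illustration, so in practice the regular expression would be mapped onto the real print server’s event format.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// printJob is one parsed line of the constructed print-server log format used here.
type printJob struct {
	At      time.Time
	Host    string
	Printer string
	Doc     string
}

// Alert records one host pushing the same document to many printers at once.
type Alert struct {
	Host     string
	Doc      string
	Printers []string
}

// lineRe matches the hypothetical log format; point it at the real spooler's format in practice.
var lineRe = regexp.MustCompile(`^(\S+) host=(\S+) user=\S+ printer=(\S+) doc="([^"]*)"`)

// ParseLine parses one log line; ok is false for lines that do not match the format.
func ParseLine(line string) (job printJob, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return printJob{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return printJob{}, false
	}
	return printJob{At: t, Host: m[2], Printer: m[3], Doc: m[4]}, true
}

// DetectPrinterBursts flags every (host, document) pair that reaches at least minPrinters
// distinct printers inside one sliding window; routine printing never looks like that.
func DetectPrinterBursts(lines []string, window time.Duration, minPrinters int) []Alert {
	byKey := map[[2]string][]printJob{}
	for _, l := range lines {
		if j, ok := ParseLine(l); ok {
			k := [2]string{j.Host, j.Doc}
			byKey[k] = append(byKey[k], j)
		}
	}
	var alerts []Alert
	for k, jobs := range byKey {
		sort.Slice(jobs, func(i, j int) bool { return jobs[i].At.Before(jobs[j].At) })
		var best map[string]bool // printers in the densest window seen so far
		start := 0
		for end := range jobs {
			for jobs[end].At.Sub(jobs[start].At) > window { // drop jobs older than the window
				start++
			}
			seen := map[string]bool{}
			for _, j := range jobs[start : end+1] {
				seen[j.Printer] = true
			}
			if len(seen) > len(best) {
				best = seen
			}
		}
		if len(best) < minPrinters {
			continue
		}
		printers := make([]string, 0, len(best))
		for p := range best {
			printers = append(printers, p)
		}
		sort.Strings(printers)
		alerts = append(alerts, Alert{Host: k[0], Doc: k[1], Printers: printers})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Host < alerts[j].Host })
	return alerts
}

// SampleLog is constructed: routine jobs plus one server fanning a note out to six printers in 20 seconds.
var SampleLog = []string{
	`2020-12-01T21:03:50Z host=WS-042 user=j.doe printer=PRN-FIN-2 doc="Q4-forecast.xlsx"`,
	`2020-12-01T21:04:02Z host=WS-017 user=a.lee printer=PRN-OPS-1 doc="shift-roster.pdf"`,
	`2020-12-01T21:04:13Z host=SRV-FILE01 user=SYSTEM printer=PRN-LOBBY doc="RECOVER-FILES.txt"`,
	`2020-12-01T21:04:14Z host=SRV-FILE01 user=SYSTEM printer=PRN-FIN-1 doc="RECOVER-FILES.txt"`,
	`2020-12-01T21:04:16Z host=SRV-FILE01 user=SYSTEM printer=PRN-FIN-2 doc="RECOVER-FILES.txt"`,
	`2020-12-01T21:04:19Z host=WS-042 user=j.doe printer=PRN-FIN-1 doc="Q4-forecast.xlsx"`,
	`2020-12-01T21:04:21Z host=SRV-FILE01 user=SYSTEM printer=PRN-OPS-1 doc="RECOVER-FILES.txt"`,
	`2020-12-01T21:04:25Z host=SRV-FILE01 user=SYSTEM printer=PRN-OPS-2 doc="RECOVER-FILES.txt"`,
	`2020-12-01T21:04:33Z host=SRV-FILE01 user=SYSTEM printer=PRN-HR doc="RECOVER-FILES.txt"`,
	`malformed line that the parser skips`,
}

func main() {
	for _, a := range DetectPrinterBursts(SampleLog, 60*time.Second, 4) {
		fmt.Printf("ALERT %s fanned %q out to %d printers: %v\n", a.Host, a.Doc, len(a.Printers), a.Printers)
	}
}
```

With a 60-second window and a four-printer threshold the constructed log yields one alert, for SRV-FILE01 and all six printers; tightening the window to five seconds yields none, and the threshold and window are the two knobs to tune against the real spooler’s baseline (a user who prints one document to two printers should stay under it).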

    In the meantime, TransLink says it has restored access to its Compass kiosks so customers can resume using its Tap to Pay feature to pass through fare gates.
    TransLink said the incident did not affect any of its transit routes.
The Egregor gang is also known for stealing data from hacked networks before encrypting files. Desmond said TransLink is still in the middle of a forensic investigation, so the agency can’t yet confirm what was taken. Nonetheless, the CEO said payment details were not at risk, because TransLink doesn’t store that type of data in the first place.


    Intelligence review recommends new electronic surveillance Act for Australia

    A review into Australia’s intelligence community has recommended comprehensive reform of electronic surveillance laws, one that would repeal existing powers and combine them to avoid duplication, contradictory definitions, and any further ad hoc amendments to the existing three Acts.
    Electronic surveillance powers enable agencies to use electronic or technical means, which would otherwise be unlawful, to covertly listen to a person’s conversations, access a person’s electronic data, observe certain aspects of a person’s behaviour, and track a person’s movements. Currently, these powers are contained within the Telecommunications (Interception and Access) Act 1979 (TIA Act), the Surveillance Devices Act 2004 (SD Act), and the Australian Security Intelligence Organisation Act 1979 (ASIO Act).
    Parts of the Telecommunications Act 1997 and the Criminal Code Act 1995 are also directly relevant when considering these powers.
Each Act requires agencies to meet thresholds before using these powers and requires external authorities, such as judges, Administrative Appeals Tribunal (AAT) members, or the Attorney-General in the case of ASIO, to approve their use.
    In 2017-18, Commonwealth, state, and territory law enforcement agencies obtained 3,524 interception warrants, 828 stored communications warrants, 802 surveillance device warrants, 23,947 prospective data authorisations, and 301,113 historic data authorisations. ASIO likewise obtained interception, surveillance device, and computer access warrants.
    “In short, we conclude that the legislative framework governing electronic surveillance in Australia is no longer fit for purpose,” the review said. “The SD Act was enacted 15 years ago; the ASIO Act and TIA Act are 40 years old; and the foundations of the surveillance framework date back to decisions made by Prime Minister Chifley in 1949.”
    It said that after 40 years of continued amendments, problems with the framework have accumulated.

    “The framework contains a range of highly intrusive powers that are functionally equivalent, but controls and regulates their use in a highly inconsistent fashion. It is based on outdated technological assumptions that cause challenges for agencies applying the framework to modern technologies,” the review said. 
    There are more than 35 different warrants and authorisations for electronic surveillance activities. These warrants have different tests, thresholds, safeguards, and administrative requirements.
    Similarly, the review said, there are significant differences between the limits and controls that apply to agencies’ use of their electronic surveillance powers in respect of third parties who are not, themselves, under investigation. Additionally, the ASIO Act, SD Act, and TIA Act contain 10 different arrangements for “emergency authorisations” to exercise their electronic surveillance powers in various urgent circumstances.
    It also said ad hoc amendments often introduce as many problems as they solve and many of the core definitions in the Acts date back to the 1970s and 1980s and do not reflect the current telecommunications environment.
    The review labelled the TIA Act as a “case study of complexity”, saying the complexity was both unnecessary and harmful.
    The review considered the following fixes: Continuing to progress ad hoc amendments to deal with problems as they arise; repealing and rewriting the TIA Act alone; comprehensively reforming the entire electronic surveillance framework — repealing and rewriting the TIA Act, SD Act, and relevant parts of the ASIO Act; or developing a common legislative framework, which would be a broader consolidation of core legislation governing the National Intelligence Community (NIC).
    “We recommend that the SD Act and TIA Act, and relevant parts of the ASIO Act governing the use of computer access and surveillance devices powers should be repealed and replaced with a new Act,” it declared.
Under a new Act, it said, agencies should continue to be required to obtain separate warrants to authorise covert access to communications, computer access, or the use of a listening or optical surveillance device. It added the Act should not introduce a “single warrant” capable of authorising all electronic surveillance powers.
    As part of the development of a new electronic surveillance Act, the review said, the Australian Transaction Reports and Analysis Centre (Austrac) should be able to access telecommunications data in its own right under arrangements consistent with other Commonwealth, state, and territory law enforcement agencies presently authorised to access telecommunications data.
It also recommended that corrective services authorities be granted the power to access telecommunications data if the relevant state or territory government considered it necessary.
    A further recommendation is that as part of the development of a new Act, electronic surveillance powers should be vested in the Australian Border Force (ABF), not the Department of Home Affairs, and the ABF should also be granted the power to use tracking devices under warrant and authorisation for the purpose of serious criminal investigations.
The new Act would draw on the existing Acts but unify their provisions. As one example, the Attorney-General would be permitted to issue warrants authorising ASIO to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under the new Act if they were satisfied that a person was engaged in, or was reasonably suspected of being engaged in or of being likely to engage in, activities relevant to security, and the exercise of powers under the warrant in respect of the person is likely to substantially assist ASIO in obtaining intelligence in respect of a matter that is important in relation to security.
    Under a new electronic surveillance Act, the review added that surveillance device powers should continue to be available for the purposes of integrity operations. But the use of tracking devices should be regulated separately from other electronic surveillance powers in a new electronic surveillance Act, it noted.
    Under a new Act, ASIO’s tracking device warrants should be subject to the same test as ASIO’s other electronic surveillance warrants. The review also asked for another review once 5G rollouts are complete to determine whether access to network data has become functionally equivalent to using a tracking device.
A new electronic surveillance Act would require an issuing authority to issue law enforcement warrants in writing wherever possible, and the review highlighted record keeping as a must.
    Under its plan, the Attorney-General can approve variations to warrants while agencies themselves would be granted authority to make minor modifications to warrants.
    The review said the development and testing framework that is presently contained in Part 2-4 of the TIA Act should be extended to enable the Attorney-General to authorise the testing and development of electronic surveillance and cyber capabilities, as part of a new electronic surveillance Act.
    To summarise, the core definitions in a new electronic surveillance Act should: Provide clarity to agencies, oversight bodies, and the public about the scope of agencies’ powers; ensure that there are no gaps in the types of information that agencies may intercept, access, or obtain under warrants and authorisations; and be capable of applying to new technologies over time.
A new electronic surveillance Act should not require carriers, carriage service providers, or other regulated companies to develop and maintain attribute-based interception capabilities, the review said, noting these companies should continue to be required to develop and maintain the capability to intercept communications sent and received by specified services and devices.
    Under a new electronic surveillance Act, the Attorney-General should be given the power to require a company to develop and maintain a specified attribute-based interception capability. If such a capability has been developed, agencies should be able to obtain attribute-based interception warrants in cases where it will be practicable for the warrant to be executed.
    ASIO and law enforcement agencies should be permitted to use their own attribute-based interception capabilities, in conjunction with service providers, under warrant, the review said. 
    Interception warrants issued under a new electronic surveillance Act should be capable of authorising the interception of communications by reference to one or more services or devices that the person — or group — who is the subject of the warrant uses, or is likely to use.
    It would ideally also retain specific secrecy offences for the use and disclosure of, and other dealings with, information obtained by, and relating to, electronic surveillance and continue to prohibit the use and disclosure of, and other dealings with, information obtained as a result of unlawful surveillance activities.
    Existing use and disclosure provisions in the SD Act and the TIA Act should be replaced with simple, principles-based rules that “maintain strict limitations on the use and disclosure of information obtained by electronic surveillance”. It should also permit the use and disclosure of, and other dealings with, surveillance information for the purpose for which the information was originally and lawfully obtained.
    The review added the new electronic surveillance Act should permit agencies to use, disclose, and otherwise deal with surveillance information for a defined range of secondary purposes, and require ASIO, law enforcement agencies, and Commonwealth, state, and territory agencies to destroy records of information obtained by electronic surveillance, as soon as reasonably practicable.
The review recommended that ASIO’s conduct under a new electronic surveillance Act continue to be overseen by the Inspector-General of Intelligence and Security (IGIS), and that the Commonwealth Ombudsman have oversight responsibility for the use of Commonwealth electronic surveillance powers by all agencies other than ASIO. The Ombudsman should also oversee the compliance of all agencies, again excluding ASIO, with a new electronic surveillance Act.
    LOCAL POWERS FOR ASIO
    The review’s report was broken down into four volumes totalling 1,317 pages, making 203 recommendations that affect the nation’s intelligence community and its operations.
    Among the recommendations was giving ASIO the ability to seek a warrant for the collection of intelligence on an Australian, providing they’re acting on behalf of a foreign power.
    This would require, if the request for repeals is not adopted, amendments to the TIA Act and the ASIO Act to enable the Director-General of Security, on a request from the Foreign Minister or Defence Minister, to seek a warrant from the Attorney-General for the collection of foreign intelligence on an Australian person who is acting for, or on behalf of, a foreign power.
    Currently, the ASIO Act does not apply an Australian/non-Australian distinction for ASIO’s security intelligence activities. It does, however, restrict ASIO’s ability to obtain foreign intelligence on Australians.
    “Preventing some forms of collection when the Australian target is onshore, but enabling it when the target is offshore, seems a disproportionate restriction that costs Australia a significant intelligence dividend,” the review noted.
    Those preparing the review claimed this restriction has cost Australia valuable intelligence where an Australian is acting for, or on behalf of, a foreign power, and that it would continue to do so unless the rules are changed.
    Delivered earlier this week was the Advisory Report on the Australian Security Intelligence Organisation Amendment Bill 2020, which was prepared by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
The PJCIS report made eight recommendations, with the last being for the Bill to be passed by Parliament following the implementation of the previous seven, which included prohibiting ASIO from using a tracking device without an internal authorisation.


    Edward Snowden asks Trump to pardon Wikileaks founder Julian Assange

    NSA whistleblower Edward Snowden took to Twitter today to ask US President Donald Trump to pardon Wikileaks founder Julian Assange during his last days in office.

    “Mr. President, if you grant only one act of clemency during your time in office, please: free Julian Assange. You alone can save his life,” Snowden tweeted.
    Assange, who has gained international fame for founding the WikiLeaks portal, is currently in custody in London, UK.
    He was arrested in April 2019 for breaking pre-trial release conditions in a 2012 UK case.
At the time, Assange had skipped bail and requested political asylum in the Ecuadorian embassy in London, where he lived until his arrest in 2019, when Ecuadorian officials withdrew his asylum status.
US authorities formally charged Assange with conspiring to leak US classified materials shortly after his arrest. The indictment was later updated, in June 2020, to include accusations that Assange tried to recruit hacker groups such as Anonymous and LulzSec to carry out hacks on his behalf and steal sensitive files for publication on WikiLeaks.
    The WikiLeaks founder has been fighting the extradition case ever since his arrest, but a first ruling is expected on January 4, 2021.

    Assange has repeatedly threatened to commit suicide if extradited to the US, threats that his lawyers have been using as the central piece of their defense case — and the reason why Snowden mentioned that a pardon from Trump would save Assange’s life.
    Trump previously also considered pardoning both Snowden and Assange.
Last week, Tulsi Gabbard, a House representative for the state of Hawaii, also asked Trump to pardon both Assange and Snowden. In October, Gabbard also introduced a bill to have the 2013 legal case against Edward Snowden dropped and allow the former NSA contractor to return to the US.
However, the pardon requests may come at an awkward time for Trump, with a Justice Department investigation into an alleged bribery-for-pardon scheme having recently come to light.


    Dell announces new protections for its PC and server supply chain

Dell today announced a flurry of new security services and features for its enterprise product lines.

    The new services can be grouped into two categories, with (1) new solutions meant to protect the supply chain of Dell products while in transit to their customers and (2) new features meant to improve the security of Dell products while in use.
    Physical supply-chain security
While Dell has previously invested in securing its customers’ supply chains, today it announced three new services in this area.
    The first is named SafeSupply Chain Tamper Evident Services and, as its name implies, involves Dell adding anti-tampering seals to its devices, transport boxes, and even entire pallets before they leave Dell factories.
    The anti-tampering seals will allow buyers of Dell equipment to determine if any intermediary agents or transporters have opened boxes or devices to alter physical components.
The second supply chain security offering, named the Dell SafeSupply Chain Data Sanitization Service, addresses tampering at the storage level by wiping drives before the customer loads its own image.
    “With a NIST-compliant hard drive wipe, Dell Technologies helps businesses ensure their device has a clean slate before they add their company image,” Dell said today about this new service.

Further, Dell is also adding a new security feature named Secured Component Verification for its custom-ordered PowerEdge servers.
Dell says that a cryptographically signed certificate, generated at the factory and embedded in the server, records the server’s as-built component inventory; after the server is sealed and shipped, the customer can check the hardware against that certificate to verify the server arrived exactly as it was ordered and built.
    According to Dell, the new Secured Component Verification will help by:
    verifying that changes are not made to system components (e.g., memory or hard drive swap, I/O changes, etc.);
    protecting against cybersecurity risks by meeting supply chain security standards across highly regulated industries such as financial and healthcare;
    allowing customers to validate and deploy multiple servers efficiently, without having to audit each component in part.
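The mechanism behind such a check, as an added example written for this page rather than Dell’s own implementation: the factory signs a canonical inventory of the components it installed, and the customer verifies that signature against the factory’s public key before diffing the inventory against what the server actually contains. The Go program below assumes an Ed25519 key pair derived from a constructed seed (a real factory key would live in an HSM), a hypothetical JSON manifest format, and a constructed four-component inventory; the slot names, models and serials are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"sort"
)

// Component is one entry in a server's as-built inventory (hypothetical format).
type Component struct {
	Slot   string `json:"slot"`
	Model  string `json:"model"`
	Serial string `json:"serial"`
}

// Manifest is the inventory the factory signs before the chassis is sealed.
type Manifest struct {
	ServiceTag string      `json:"service_tag"`
	Components []Component `json:"components"`
}

// demoSeed is a constructed, fixed 32-byte seed so the example is reproducible; a real factory key lives in an HSM.
var demoSeed = []byte("constructed-seed-not-a-real-key!")

// DemoKey derives the hypothetical factory key pair from demoSeed.
func DemoKey() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// canonical encodes a manifest deterministically (components sorted by slot) so the
// signature does not depend on the order in which hardware happened to be enumerated.
func canonical(m Manifest) ([]byte, error) {
	cp := append([]Component(nil), m.Components...)
	sort.Slice(cp, func(i, j int) bool { return cp[i].Slot < cp[j].Slot })
	return json.Marshal(Manifest{ServiceTag: m.ServiceTag, Components: cp})
}

// FactorySign is the factory side: sign the as-built manifest that ships with the server.
func FactorySign(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	data, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, data), nil
}

// Verify is the receiving side: check the factory signature over the shipped manifest,
// then diff it against the components actually found in the server. A non-nil error means
// the manifest itself cannot be trusted; an empty diff means the server arrived as built.
func Verify(pub ed25519.PublicKey, shipped Manifest, sig []byte, observed []Component) ([]string, error) {
	data, err := canonical(shipped)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, data, sig) {
		return nil, fmt.Errorf("manifest signature invalid for %s", shipped.ServiceTag)
	}
	expect := map[string]Component{}
	for _, c := range shipped.Components {
		expect[c.Slot] = c
	}
	var diffs []string
	for _, c := range observed {
		want, ok := expect[c.Slot]
		delete(expect, c.Slot)
		switch {
		case !ok:
			diffs = append(diffs, fmt.Sprintf("%s: unexpected %s (%s)", c.Slot, c.Model, c.Serial))
		case want != c:
			diffs = append(diffs, fmt.Sprintf("%s: expected %s (%s), found %s (%s)", c.Slot, want.Model, want.Serial, c.Model, c.Serial))
		}
	}
	for slot, c := range expect { // anything left here was never observed
		diffs = append(diffs, fmt.Sprintf("%s: missing %s (%s)", slot, c.Model, c.Serial))
	}
	sort.Strings(diffs)
	return diffs, nil
}

// SampleManifest is a constructed as-built inventory for a hypothetical server.
func SampleManifest() Manifest {
	return Manifest{ServiceTag: "DEMO1234", Components: []Component{
		{Slot: "CPU.Socket.1", Model: "server CPU", Serial: "CPU-0001"},
		{Slot: "DIMM.Socket.A1", Model: "32GB RDIMM", Serial: "DIMM-0001"},
		{Slot: "Disk.Bay.0", Model: "1.92TB SSD", Serial: "SSD-0001"},
		{Slot: "NIC.Slot.1", Model: "25GbE dual-port", Serial: "NIC-0001"},
	}}
}

func main() {
	priv, pub := DemoKey()
	shipped := SampleManifest()
	sig, _ := FactorySign(priv, shipped)
	observed := append([]Component(nil), shipped.Components...)
	observed[2].Serial = "SSD-9999" // the SSD was swapped somewhere in transit
	fmt.Println(Verify(pub, shipped, sig, observed))
}
```

The order of the two steps matters: the diff is only meaningful after the signature verifies, because an intermediary who swapped a drive in transit could otherwise also edit the shipped manifest to match. Canonicalising (sorting by slot) before signing keeps the signature stable when the factory and the customer enumerate hardware in different orders.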
    New security features for in-use products
    But Dell also rolled out updates to existing solutions to make managing the security of its devices much easier. One of these is an update to the Dell EMC Data Sanitization for Enterprise and Data Destruction for Enterprise service that allows bulk management of Dell gear, which now supports the entire Dell Technologies infrastructure portfolio and third-party products, and not just a select list of products.
    In addition, Dell will also launch next year a new security offering named Dell EMC Keep Your Hard Drive for Enterprise and Keep Your Component for Enterprise.
While it’s a mouthful of a product name, the service lets companies keep data-bearing drives and components under their own control when those parts are replaced, instead of returning them to Dell, something many companies must do to comply with data-protection rules while servicing ageing enterprise infrastructure.
    In addition, Dell is also rolling out the ability to customize the boot process of PowerEdge servers via its new PowerEdge UEFI Secure Boot Customization, which also comes with advanced mitigation for industry-wide bootloader vulnerabilities.
    The same PowerEdge servers are also getting an update to their integrated Dell Remote Access Controller (iDRAC) service.
    The new update will allow system administrators to lock down Dell systems by cutting off their network access without having to reboot systems.
    Other security features included in the iDRAC updates include the ability to use multi-factor authentication when accessing iDRAC accounts and more scripting capabilities via the Redfish API.
    And last but not least, iDRAC will also add support for Dell EMC OpenManage Ansible Modules so that system administrators can automate some PowerEdge security workflows such as user privilege configuration and data storage encryption.
    Availability for the new services:
    Dell SafeSupply Chain is currently available in the US for commercial PCs.
    Dell Technologies Secured Component Verification on PowerEdge Servers will be available by the end of the calendar year 2020.
    Dell EMC Data Sanitization for Enterprise and Data Destruction for Enterprise Services are currently available.
    Dell EMC Keep Your Hard Drive for Enterprise and Keep Your Component for Enterprise Services are currently available.
    Dell Technologies PowerEdge UEFI Secure Boot Customization is currently available.
    iDRAC security updates will be available by the end of the calendar year 2020.
Dell EMC OpenManage Ansible Modules will be available beginning January 31, 2021.


    Build your own advanced USB condom

    The job of a USB condom is simple: Turn any USB port into a charge-only port by blocking all the data lines, thereby reducing the attack surface for hackers, pranksters, and vandals to cause damage and mayhem.
    And they’re cheap. If you use random USB ports for charging devices when out and about, I recommend you get one because they’re a little insurance in an increasingly chaotic world.
    USB condoms have limitations. But you can build your own super USB condom.

    The other day I came across USBCondom.org, and on that site are plans for three different types of USB condom, from a basic data blocker to a more sophisticated one that allows for switching between charge to data transfer modes to a really smart one that features anti-USB-killer features to prevent your device being fried by high voltage.
    And you can grab everything you need, from the files to get the circuit boards printed (either do it yourself the old fashioned way — expect a lot of hit and miss initially — or have a company make them). There’s even a full component list of everything you need (which really isn’t much, even for the most complicated one!).
Or you can just buy some basic ones that simply isolate the data lines from the charge lines. That blocks the classic juice-jacking attack, where a rigged charging port talks to your device over the data pins, but a plain data blocker has no surge protection, so it won’t save your equipment from being nuked by a USB killer. If you are that worried, stop using random USB charging ports and carry a power bank with you instead.