More stories


    Pure Storage's Purity software update includes ransomware recovery tools

    Pure Storage is rolling out a new version of its Purity software for FlashBlade and FlashArray, with features designed to ease recovery from ransomware attacks.
    The Purity updates land as part of Pure Storage’s Evergreen program, which provides software updates for all of its gear and appliances.
    For Purity for FlashBlade, Pure’s Unified Fast File and Object storage platform, the company is adding SMB support that accelerates Windows applications and SafeMode Snapshots for rapid ransomware recovery. Purity for FlashBlade also includes replication, file system rollback and validated SQL Server backup speeds of more than 1TB/min.
    Purity for FlashBlade, available in the first quarter, also enhances security for AWS S3 and has unified APIs and software development kits. Purity for FlashBlade is designed to let SMB workloads scale.
    According to Pure, Purity for FlashArray also includes tools for ransomware recovery. The system includes Purity SafeMode, which combines snapshots and policy-based retention so that protected data can be recovered in seconds.
    Ransomware is an ongoing problem for enterprises of all sizes.
    Purity for FlashArray also includes ActiveCluster over Fibre Channel, which is integrated with Pure1 Cloud Mediator, as well as NVMe support. Pure said it is also launching a new entry-level FlashArray//C40 designed to compete with hybrid arrays. Purity for FlashArray is available immediately.

    Here’s a look at Purity’s core features and services.

    [Image: The services included in Pure Storage’s Purity platform. Credit: Pure Storage]


    Supply chain attacks are on the rise: Check your software build pipeline security

    Addressing large enterprises and government agencies, the UK’s National Cyber Security Centre (NCSC) has issued a warning that attacks on a software build pipeline “can have wide-reaching impact”.
    The compromise of SolarWinds’s updates, which the US says was “likely” carried out by Russian hackers as part of a broader campaign, has put the software supply chain and software development processes in the spotlight. It wasn’t the first software supply chain attack, but Microsoft has called it the “largest and most sophisticated attack the world has ever seen”. 


    NCSC doesn’t mention SolarWinds, but notes that the software build process is often “overlooked” despite broad awareness of security for software developers. 
    It says that automating software development through continuous integration and continuous delivery (CI/CD), an approach that ships regular updates and can build security checks into the process, can be a good way of securing the software pipeline.
    “It’s crucial that the pipeline is well-defended, and that it protects each build from other builds in the pipeline,” says NCSC. 
    The key message is that builds must be sufficiently isolated from one another, so that if one build, or the system running it, is compromised, the other builds are shielded from it. 

    Organizations taking advantage of software development automation also need to ensure the processes can demonstrably enforce that the security checks have taken place – or those checks won’t be worth much, it says. 
    Attackers that compromise the software development pipeline can: add malicious code to the software that was built and deployed by that pipeline; access any secrets used by the pipeline; and potentially gain access to other source code repositories and environments.
    “The pipeline needs to be defended against attack at least as effectively as the environments it deploys to,” NCSC notes. 
    Its recommendations are broadly in line with those of Microsoft, Google, and the NSA. These include using multi-factor authentication, designing system access around the principle of least privilege, and using network security controls and monitoring to detect attacks. 
    But NCSC also has advice on how organizations should isolate builds in virtual machines. 
    “Performing each build in a single-use virtual machine will make it very hard for one build to attack another using shared hardware (like the CPU), whereas two builds sharing an OS kernel will have many more ways to interfere with each other,” NCSC notes. 
    “If a build can access stored information on other builds (such as their source code or build artefacts), then it may be able to steal secrets or modify those builds.”
    To be able to prove the integrity of a software build, NCSC says companies should use in-transit encryption for code fetched from a code repository, for build artifacts sent to the artifact repository, and for artifacts being deployed to the final environment. 
    Finally, organizations should use cryptographic checksums to record the data processed by the pipeline.
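    One way to act on that last recommendation, as an added example that is not NCSC’s or the article’s own code: hash every input the pipeline fetched and every artifact it produced, authenticate the resulting manifest, and verify both the manifest and the artifacts again before deployment. The file names, directory layout and the HMAC key handling are assumptions; a real pipeline would sign the manifest with a key held outside the build VM.

```python
"""Record and verify cryptographic checksums of a build pipeline's inputs and outputs.

Added example, not code from NCSC or the article. It models the advice to record
checksums of the data a pipeline processes: fetched source, produced artifacts, and
a manifest tying them together that is re-verified before deployment.
File names, directory layout and key handling are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 in chunks so large artifacts never load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_manifest(inputs: list[Path], outputs: list[Path], signing_key: bytes) -> dict:
    """Hash every input and output and authenticate the manifest with an HMAC.

    The key must be held by the build runner outside the build VM, and the deploy-time
    verifier needs the same key. Use an asymmetric signature instead if the verifier
    must not be able to forge manifests.
    """
    body = {
        "inputs": {p.name: sha256_file(p) for p in inputs},
        "outputs": {p.name: sha256_file(p) for p in outputs},
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "mac": hmac.new(signing_key, canonical, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, artifact_dir: Path, signing_key: bytes) -> list[str]:
    """Return a list of problems; an empty list means manifest and artifacts check out."""
    problems: list[str] = []
    canonical = json.dumps(manifest["body"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(signing_key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        problems.append("manifest MAC mismatch: manifest was modified or key differs")
    for name, digest in manifest["body"]["outputs"].items():
        path = artifact_dir / name
        if not path.exists():
            problems.append(f"missing artifact: {name}")
        elif sha256_file(path) != digest:
            problems.append(f"artifact tampered: {name}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run a constructed mini-pipeline in a temp dir: clean verify, swapped artifact, forged manifest."""
    key = os.urandom(32)  # assumed: the runner's manifest key, held outside the build VM
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "main.c"
        src.write_text("int main(void){return 0;}\n")   # constructed source input
        art = root / "app.bin"
        art.write_bytes(b"\x7fELF" + b"\x00" * 60)      # constructed build output
        manifest = record_manifest([src], [art], key)

        clean = verify_manifest(manifest, root, key)

        art.write_bytes(b"\x7fELF" + b"\x90" * 60)      # attacker swaps the artifact
        tampered_artifact = verify_manifest(manifest, root, key)

        forged = json.loads(json.dumps(manifest))
        forged["body"]["outputs"]["app.bin"] = sha256_file(art)  # attacker fixes the digest but lacks the key
        tampered_manifest = verify_manifest(forged, root, key)
    return clean, tampered_artifact, tampered_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "swapped artifact", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

    The manifest is serialised canonically (sorted keys, no whitespace) before it is authenticated, so the same content always produces the same MAC; the verifier recomputes it rather than trusting the stored value, and checks artifacts against the recorded digests, which is what lets a swapped binary or an edited manifest be caught before deployment.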


    Apple patches severe macOS Big Sur data loss bug

    For the past few weeks, macOS Big Sur has suffered from a bug that could cause serious data loss. The bug was introduced in Big Sur 11.2, and it made its way into the 11.3 beta.

    The bug comes down to the macOS Big Sur installer not checking whether the Mac has the free space required to carry out an upgrade. The upgrade runs into problems and, worse, if the user’s Mac was encrypted using FileVault, the user is locked out of their data.
    Pretty scary stuff.
    The bug has been explored extensively by Mr. Macintosh, who outlines the problem and some possible solutions, along with a very informative and detailed video. The bug was narrowed down to an unlucky Goldilocks zone: users with more than 13GB of free space, but less than 35.5GB.
    The video is truly awesome work. Thank you Mr. Macintosh for your work!
    The good news is that Apple has finally released an updated macOS Big Sur 11.2.1 installer — (20D75) — that properly checks for the free space.

    The fix has been confirmed by Mr. Macintosh.

    macOS Big Sur 11.2.1 (20D75) full installer is now available for download. I’ve confirmed the new installer now checks for free space properly. This was a serious problem, and I’m glad users will no longer get caught by this issue. https://t.co/dYSuRjdd4p pic.twitter.com/ILxoKfhORn
    — Mr. Macintosh (@ClassicII_MrMac) February 15, 2021

    What’s the moral of this story?
    Have a backup, and perhaps allow others — who are braver and more foolhardy — to go first. Also, check the system requirements and don’t rely on the installer to check everything.
    Oh, and don’t believe that whole “it just works” thing.


    Losses to romance scams reached a record $304 million in 2020

    The current COVID-19 pandemic and the subsequent stay-at-home and social distancing directives might have played a major role in romance scam losses reaching record levels in 2020, the US Federal Trade Commission said in a report last week.

    Total losses were estimated at a record $304 million, up about 50% from 2019, with the average loss last year being estimated at $2,500 per individual.
    “From 2016 to 2020, reported total dollar losses increased more than fourfold, and the number of reports nearly tripled,” the agency said.
    The FTC believes that the 50% spike in losses recorded in 2020 can be attributed to the COVID-19 pandemic, which has limited people’s ability to meet in person and has pushed more users towards online, long-distance and impersonal communications, such as dating apps.
    In many cases, the ruse is that the target of the romance scam has to send money back to the crooks.
    “Scammers claim to have sent money for a cooked-up reason, and then have a detailed story about why the money needs to be sent back to them or on to someone else. People think they’re helping someone they care about, but they may actually be laundering stolen funds,” the FTC said.
    “In fact, many reported that the money they received and forwarded on turned out to be stolen unemployment benefits.”
    Users targeted on social media too, not just dating apps

    Furthermore, the FTC also warned that many romance scams don’t start on dating apps at all, but on social media networks.
    “These social media users aren’t always looking for love, and report that the scam often starts with an unexpected friend request or message,” the FTC said.
    “Sooner or later, these scammers always ask for money. They might say it’s for a phone card to keep chatting. Or they might claim it’s for a medical emergency, with COVID-19 often sprinkled into their tales of woe. The stories are endless, and can create a sense of urgency that pushes people to send money over and over again.”
    The most common forms of transferring money from victims were gift cards, which saw a 70% spike from 2019, followed by wire transfers.
    And according to the FTC, all age groups were targeted last year, not just the elderly. Victims aged 40 to 69 were targeted the most, and victims aged 70 and above reported the highest average losses (~$9,475), but other age groups also saw spikes in both the number of reports and the average losses.
    The US government agency urged users to share its romance scam guide with vulnerable friends or family members as a way to reduce the efficacy of these scams going forward.


    Automating scam call blocking sees Telstra prevent up to 500,000 calls a day

    Telstra has said it is now blocking approximately 6.5 million suspected scam calls a month, at times up to 500,000 a day, after automating a formerly manual process that blocked around 1 million scam calls a month.
    The system that Telstra built in-house forms the third leg of its Cleaner Pipes program.
    The program kicked off in May with DNS filtering to fight botnets, trojans, and other types of malware, and was extended to blocking phishing text messages purporting to be from myGov or Centrelink before they reach customers’ phones.
    “Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly AU$48 million last year,” CEO Andy Penn wrote in a blog post.
    “If you think you are receiving a scam call, our simple advice is: Hang up.”
    Penn said the company would only call customers between 9am and 8pm on weekdays, and 10am and 3pm on Saturdays, and never on a Sunday.
    “The exception to this is if you have an unpaid account or a customer-initiated inquiry with respect to an order, fault or complaint, someone from Telstra may call you outside of these hours,” he added. “We’ll respect your wishes and terminate the call if you say no thanks and we won’t call repeatedly if you don’t answer — these are all hallmarks of scam calls.”

    The CEO said any customers that believe they have been scammed should contact the telco.
    “We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network,” Penn said.
    “It will take more investment and innovation, and continued support from government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.”
    Last week, Telstra reported a challenging first half of its fiscal year as it saw double-digit drops in revenue and earnings before interest, income tax expense, depreciation, and amortisation (EBITDA) and, consequently, it has revised its guidance downwards.
    For the half year to December 31, the company saw revenue fall 10% to AU$12 billion, while EBITDA dropped 14.7% to AU$4 billion, and EBIT took a 20% hit to decline to AU$1.64 billion. Thanks to a substantially lower level of income tax, down 60% to AU$209 million, net profit fell only 2.2% to AU$1.13 billion.


    Researchers want Australia's digital ID system thrown out and redesigned from scratch

    Researchers have recommended the Australian government abandon its existing digital identity system and start again from scratch, again highlighting security flaws in two of the systems already accredited.
    Professor Vanessa Teague and Ben Frengley last year disclosed to the Australian Taxation Office (ATO) a weakness in its myGovID system. They found myGovID is subject to an easily implemented code proxying attack, which allows a malicious website to proxy a person’s myGovID login and reuse their authentication to log in to the victim’s account on any website of the attacker’s choice.
    The pair said the ATO, in response, informed them of having no intentions to fix the flaw.
    The Digital Transformation Agency (DTA) is responsible for the Trusted Digital Identity Framework (TDIF), which is a high-level design for a federated authentication system.
    “The primary security goal of an authentication mechanism is to prevent malicious parties from logging in fraudulently to others’ accounts. A secondary security goal is to maintain the privacy of the identity proof documents and biometric data used to establish identity,” the researchers wrote [PDF].
    “Neither the TDIF’s high-level design, nor its implementation by the ATO (myGovID) meet their intended security goals.”
    myGovID is an accredited digital ID provider, as is Australia Post’s equivalent identity service. Teague and Frengley have identified flaws in the postal service’s system, too.

    The Identity Exchange (IdX), the researchers said, acts as a single point of failure for both privacy and authentication, resulting in an “extremely brittle architecture that would allow for large-scale identity fraud if that one component came under the control of a malicious party”.
    They said the IdX is intended to hide the identity of the relying party from the identity provider, but fails to do this in the ATO’s implementation. Of concern to both is that the implementation of the TDIF in Australia Post’s Digital iD does not even appear to use an IdX at all, which is the fundamental component of the TDIF’s design.
    “Although we have not examined Australia Post’s implementation in detail, it seems to diverge substantially from the TDIF specification, but has apparently been accredited anyway,” they added.
    “The TDIF as currently designed and implemented does not meet its own guiding principles — it is not immediately obvious that a brokered model without technical means to preserve privacy even can meet them.”
    As a result, the researchers have recommended a “careful re-evaluation of the priorities of the TDIF”, and a consideration of other options which may meet its goals.
    Alternatives the pair have offered up include the use of a public key infrastructure-based system or the use of a simple, standard, pairwise OpenID Connect protocol instead of a “complex brokered model with poor privacy and security properties”.
    “The system should be abandoned and redesigned from scratch by people with some understanding of secure protocol design and some concern for protecting their fellow citizens from identity theft,” they wrote.
    “Legislating to make it secure by fiat will not stop organised crime, foreign governments, or ordinary criminals, from taking advantages of its design flaws. A public key infrastructure is much more likely to succeed.”
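    To make the flaw class and the proposed alternative concrete, here is an added example that is not myGovID’s actual protocol, the TDIF design, or the researchers’ code. The first class models a brokered login in which the user’s app approves a bare code that carries no relying-party identity, so any site holding the code can redeem it (the proxying pattern described above). The second models the standard OpenID Connect authorization-code flow the researchers point to, where a code is bound to the registered client and its redirect URI and the identity provider issues pairwise subject identifiers. Client IDs, redirect URIs, the user and the salt are assumptions.

```python
"""Relying-party binding: an unbound approval code beside an OIDC-style bound code.

Added example; not myGovID's actual protocol or the researchers' code.
Client IDs, redirect URIs, users and the salt are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class UnboundCodeIdP:
    """Brokered login where the user's app approves a bare code with no relying-party identity."""

    def __init__(self) -> None:
        self.pending: dict[str, str | None] = {}  # code -> approving user (None until approved)

    def start_login(self) -> str:
        code = f"{secrets.randbelow(10_000):04d}"  # short code the site displays to the user
        self.pending[code] = None
        return code

    def approve_in_app(self, user: str, code: str) -> None:
        # The app shows only the code, so the user cannot tell which site will consume it.
        self.pending[code] = user

    def redeem(self, code: str) -> str | None:
        # Any site that knows the code gets the identity: nothing ties it to the site the user meant.
        return self.pending.pop(code, None)


class BoundCodeIdP:
    """Authorization-code flow: a code is bound to a client and its registered redirect URI."""

    def __init__(self, salt: bytes) -> None:
        self.clients: dict[str, str] = {}  # client_id -> registered redirect_uri
        self.codes: dict[str, tuple[str, str, str]] = {}  # code -> (user, client_id, redirect_uri)
        self.salt = salt  # assumed IdP secret used for pairwise subject identifiers

    def register_client(self, client_id: str, redirect_uri: str) -> None:
        self.clients[client_id] = redirect_uri

    def authorize(self, user: str, client_id: str, redirect_uri: str, state: str) -> str:
        # Only the registered redirect URI is honoured, so the code is delivered to the real
        # client's endpoint in the user's browser and never to a third party's site.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (user, client_id, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id: str, code: str, redirect_uri: str) -> str:
        # Single use: the code is removed whether or not the check passes.
        user, bound_client, bound_redirect = self.codes.pop(code, (None, None, None))
        if user is None or bound_client != client_id or bound_redirect != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        return self.pairwise_sub(user, client_id)

    def pairwise_sub(self, user: str, client_id: str) -> str:
        # Each client sees an unlinkable identifier for the same user (OIDC pairwise subject type).
        return hashlib.sha256(b"|".join([client_id.encode(), user.encode(), self.salt])).hexdigest()


def code_proxy_attack_unbound() -> str | None:
    """Attacker starts a login, relays the code to the victim, and redeems the victim's approval."""
    idp = UnboundCodeIdP()
    code = idp.start_login()        # attacker's browser starts a login at the target site
    idp.approve_in_app("alice", code)  # attacker's site shows the same code; victim approves it
    return idp.redeem(code)         # attacker's session at the target site is now alice's


def code_proxy_attack_bound() -> dict[str, str | bool]:
    """Same attacker against the bound flow: redirect hijack, cross-client replay, identity linking."""
    idp = BoundCodeIdP(salt=b"constructed-salt")
    idp.register_client("bank", "https://bank.example/cb")
    idp.register_client("evil", "https://evil.example/cb")
    out: dict[str, str | bool] = {}
    try:  # 1. The bank's code cannot be sent to a redirect the attacker controls.
        idp.authorize("alice", "bank", "https://evil.example/cb", state="x")
        out["redirect_hijack"] = "succeeded"
    except ValueError:
        out["redirect_hijack"] = "rejected"
    # 2. Victim logs in to the attacker's own site; the attacker holds a code bound to 'evil'.
    url = idp.authorize("alice", "evil", "https://evil.example/cb", state="s1")
    code = parse_qs(urlparse(url).query)["code"][0]
    try:
        idp.token("bank", code, "https://bank.example/cb")
        out["replay_at_bank"] = "succeeded"
    except PermissionError:
        out["replay_at_bank"] = "rejected"
    # 3. Even a legitimate login at 'evil' yields a subject the bank cannot correlate.
    url = idp.authorize("alice", "evil", "https://evil.example/cb", state="s2")
    code = parse_qs(urlparse(url).query)["code"][0]
    out["pairwise_unlinkable"] = idp.token("evil", code, "https://evil.example/cb") != idp.pairwise_sub("alice", "bank")
    return out


if __name__ == "__main__":
    print("unbound code proxied to:", code_proxy_attack_unbound())
    print("bound flow:", code_proxy_attack_bound())
```

    The model leaves out the client-side check of `state` against the browser session (the CSRF half of the flow) and client authentication at the token endpoint; both belong in a real deployment. The point it does show is that security comes from binding the code to the client and its registered redirect, not from the secrecy or length of the code the user sees.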
    The researchers were also concerned with a paragraph in the DTA’s consultation paper that states the resulting digital ID legislation will include additional mechanisms, including penalties for protecting information used in the system, such as biometric information.
    These mechanisms could include criminal offence provisions and civil penalty provisions.
    “There are numerous Australian laws that do effectively penalise protecting information, but this is the first time we have seen the objective stated explicitly without invoking terrorists or paedophiles,” Teague and Frengley wrote.
    “We hope this is a typo, and strongly suggest penalising the inappropriate sharing or negligent leaking of information instead.
    “It is important not to criminalise security research aimed at improving the system’s security by openly examining its (numerous, serious) weaknesses.”


    Security bugs left unpatched in Android app with one billion downloads

    An Android application downloaded more than one billion times contains unpatched vulnerabilities that the app maker has failed to fix for more than three months.


    The vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.
    The bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, Echo Duan, a mobile threats analyst for security firm Trend Micro, said in a report on Monday.
    The root cause of the security flaws is the lack of proper restrictions on who can call into the application’s code.
    Duan said that malicious apps installed on a user’s device, or attackers who perform a person-in-the-middle network attack, can send malicious commands to the SHAREit app and hijack its legitimate features to run custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge.
    Furthermore, the app is also vulnerable to so-called Man-in-the-Disk attacks, a type of vulnerability first described by Check Point in 2018 that revolves around the insecure storage of sensitive app resources in a location of the phone’s storage space shared with other apps — where they can be deleted, edited, or replaced by attackers.
    App maker did not respond for three months
    “We reported these vulnerabilities to the vendor, who has not responded yet,” Duan said today.

    “We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data,” he added, while also noting that any attacks would also be hard to detect from a defender’s perspective.
    Contacted via email, a SHAREit spokesperson did not return a request for comment before this article’s publication.
    Duan said he also shared his findings with Google but did not elaborate on the Play Store owner’s response.
    On its website, SHAREit’s developers claim their apps are used by 1.8 billion users across more than 200 countries worldwide. The vulnerabilities do not impact the SHAREit iOS app, which runs on a different codebase.


    Twitter deems Australia's account takeover warrant as antithetical to democratic law

    Twitter has labelled one of the three proposed new computer warrants, which would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) new powers for data access, as antithetical to democratic law.
    Twitter’s remarks were made as part of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, which, if passed, would hand three new warrants for dealing with online crime to the two law enforcement bodies.
    The social media giant focused on the Account Takeover Warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “As currently written, the Account Takeover Warrant would be divorced from standard due process requirements. It would be antithetical to core legal principles enshrined in democratic law and procedural fairness,” it wrote in a submission [PDF] to the PJCIS.
    “Twitter is concerned that the proposed Bill will allow law enforcement direct access to data regardless of the location of the server, without requiring knowledge of such access being provided to the service provider, and in the case of Account Takeover Warrants, absent the agreement of an appropriate consenting official of the relevant foreign country where the warrant would be enforced.”
    It highlighted that, as currently drafted, the Account Takeover Warrant could also apply extraterritorially, but it does not have the requirement to obtain the agreement of a consenting official in a foreign country, nor does it provide notice to the service provider who is offering the service.
    “Therefore, the Account Takeover Warrant will apply extraterritorially with Australian law enforcement being authorised to take control of an online account regardless of where the account data is located and without consent from foreign governments or officials,” it said.

    Twitter has labelled it a “covert warrant” that would allow the AFP or the ACIC to take exclusive control of online accounts without the safeguards afforded by other warrant processes. It added that the scope regarding what activities are ultimately authorised under an Account Takeover Warrant still remain unclear.   
    The company also revealed in its submission that Australia filed 259 information requests in the period from January 2012 through June 2020, relating to a total of 581 accounts. Twitter reported complying with 47.5% of those requests.
    This represents less than 1% of global information requests, from 93 countries, received by Twitter to date.
    Twitter said it may disclose account information to law enforcement officials in response to a valid emergency request; it also accepts government requests to preserve account information.
    The Department of Home Affairs also provided a submission [PDF] to the PJCIS, saying the proposed Bill provides for an important boost in power for the two law enforcement bodies.
    “Cyber-enabled crime, often enabled by the dark web and anonymising technologies, presents a direct challenge to community safety and the rule of law. On the dark web, criminals are able to carry out the most serious of crimes, including exchanging child abuse material, planning terrorist attacks, and buying and selling illegal drugs and weapons, with a significantly lower risk of identification and apprehension,” it wrote.
    “The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information to ensure that the AFP and the ACIC use the powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms.”