  • Chrome 87 released with fix for NAT Slipstream attacks, broader FTP deprecation

    Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.
    Today’s release is available for Windows, Mac, Linux, Chrome OS, Android, and iOS. Users can update to the new version via Chrome’s built-in update utility.
    While Google shipped some changes to Chrome settings and UI elements in previous versions, almost all the major new Chrome 87 features are aimed at web developers.
    In Chrome 87, we have new APIs and updates to Chrome’s built-in Developer Tools, such as:
    Support for the new Cookie Store API;
    New features to allow easier modification of web fonts via CSS;
    A new feature to let websites enumerate all the locally installed fonts;
    Support for pan, tilt, and zoom controls on webcam streams; and,
    Support for debugging WebAuthn operations via the Chrome DevTools.
    NAT Slipstream attack fixes
    Chrome 87 also comes with a fix for a new attack disclosed at the end of October by Samy Kamkar, a famous security researcher and computer hacker.
    Named NAT Slipstream, this technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.
    Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.

    Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.
    FTP deprecation
    In addition, Google is also following through on its plans to remove FTP support from Chrome. This process started last year, and was initially planned for Chrome 81.
    Google delayed its initial deprecation schedule due to the COVID-19 pandemic, fearing that the change might disrupt hospital networks or employees working from home needing to access resources stored on FTP servers.
    The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86 when Google removed support for FTP links for 1% of Chrome’s userbase.
    With Chrome 87, Google will now remove FTP support for half of Chrome’s userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.
    Mozilla has already removed support for FTP links in Firefox earlier this year in June, with the release of Firefox 77.
    Tab throttling, occlusion tracking, and back-forward cache
    Chrome 87 also comes with some performance improvements through the addition of tab throttling, occlusion tracking, and back-forward cache.
    The first two features will work together. Occlusion tracking will allow Chrome to know which browser windows and tabs are visible to the user, and then enable the new tab throttling feature to put background tabs to sleep until they’re needed again.
    Back-forward caching is an older feature that was first added in Chrome 79, but hidden under a Chrome flag. With Chrome 87, back-forward caching is now enabled by default for all users. Google says it expects to improve back-forward navigation events by roughly 20% once this new feature is enabled.
    But we only touched on the major Chrome 87 features. Users who’d like to learn more about the other features added or removed in this new Chrome release can check out the following links for more information:
    Chrome security updates are detailed here [not yet live].
    Chromium open-source browser changes are detailed here.
    Chrome developer API deprecations and feature removals are listed here.
    Chrome for Android updates are detailed here [not yet live].
    Chrome for iOS updates are detailed here.
    Changes to Chrome V8 JavaScript engine are available here.
    Changes to Chrome’s DevTools are listed here.

  • Majority of APAC firms pay up in ransomware attacks

    A majority of businesses across the Asia-Pacific region are choosing to pay up after falling victim to ransomware attacks, with 88% in Australia and 78% in Singapore forking out the ransom in full or in part. And such attacks are expected to continue climbing amidst accelerated digital transformation efforts and remote work, as organisations evolve to cope with the global pandemic.
    Some 45% of enterprises in Singapore would take between five and 10 days to recover fully from a ransomware attack, compared to 11% in India and 35% in China, according to Veritas’ 2020 Ransomware Resiliency Report released Tuesday night. Conducted by Wakefield Research in September, the global study polled 2,690 senior IT executives from companies with at least 1,000 employees, including 150 respondents each from six Asia-Pacific markets including Japan and South Korea.
    And while 39% in India said they would need fewer than five days to fully recover from a ransomware attack, another 36% in the country said they needed more than a month to do so — the highest number across the region. Just 1% in Singapore said they would need more than a month to recover completely from such attacks, as did 2% in Australia and 8% in China. 

    Furthermore, 1% in Australia as well as in South Korea said they would not be able to recover fully from a ransomware attack, along with 7% in China. Worldwide, 2% said they would be unable to do so. 
    Upon experiencing a ransomware attack, 62% in China paid the ransom in full or in part, while 77% in India and 57% in Japan did likewise. Another 69% in South Korea paid the ransom in full or in part. 
    The study also revealed that, across the board, companies managing greater complexity in their multi-cloud infrastructure were more likely to pay the ransom to reclaim their hijacked data, with those that paid in full running a mean of 17.11 cloud services.
    In addition, 20% of companies operating fewer than five cloud platforms paid a ransom in full, compared to 30% with more than 20 cloud platforms.

    The complexity of having to operate cloud architectures also had a significant impact on the organisation’s ability to recover following a ransomware attack, according to Veritas. Some 44% of businesses with fewer than five cloud providers in their infrastructure needed fewer than five days to recover, compared to 12% with more than 20 providers doing likewise.
    And while 49% of businesses with fewer than five cloud providers could restore 90% or more of their data, only 39% of their peers running more than 20 cloud services were able to do likewise. 
    In Singapore, 49% said their security had kept pace with their IT complexity. Their counterparts in India, at 55%, were the most confident in the region about their security measures keeping pace with their IT complexity. Just 31% in China said likewise, along with 36% in Japan, 39% in South Korea, and 43% in Australia.
    Ransomware attacks on an upward trajectory
    With ransomware attacks expected to continue climbing amidst accelerated digital transformation efforts and remote work practices, enterprises in the region will need to ensure they can detect and recover from such attacks. 
    Andy Ng, Veritas’ Asia-Pacific vice president and managing director, underscored the security vendor’s recommended three-step layered approach to detect, protect, and recover.  
    Speaking to ZDNet in a concall, Ng said: “We always advise companies not to pay because doing so leaves them more open to being attacked again. The best step forward is to have a sound data protection and recovery strategy. It will mean every copy of data you have is backed up and protected, including keeping it offsite. If you have three copies of the data, and the ability to recover quickly, you won’t be held ransom because you’ll always have access to the data.”
    He noted that the global pandemic had left companies more susceptible to cyber attacks, as they rushed to digitalise their operations and equip their employees to work remotely. Digital transformation efforts had been fast-tracked, from 18 months to three months, and companies were grappling with having to manage data across many diverse sources as they deployed multi-cloud hybrid IT infrastructures, he said. 
    Pointing to the human as the most vulnerable component within an organisation, Ng said malicious hackers now could target a wider spread of end-point client devices. He revealed that a Veritas customer in the professional services sector had their network compromised after it embarked on a work-from-home model and rushed to distribute laptops and tablets to their employees, leaving some devices without proper data protection. 
    He added that there had been an increase of ransomware attacks against manufacturing companies in the last two to three years and, more recently, professional services companies. 

    While healthcare and financial services sectors were expected targets, he noted that these sectors typically were more heavily regulated and had to comply with strict guidelines laid out by their local authorities. As such, he was seeing fewer ransomware attacks involving these organisations here. 
    Large enterprises, though, increasingly were hot targets because their deeper pockets meant ransom demands and returns could potentially be higher for hackers, he said.
    ZDNet asked how efforts by governments such as Singapore to ease data access to facilitate business transactions could impact the ransomware landscape in Asia-Pacific. Ng noted the “fine balance” of having to drive digital transformation, under certain market pressures such as COVID-19, and securely manage data in the organisation’s own data centres as well as across its cloud providers’ platforms. 
    “As companies digitalise, the resiliency gap will only get wider,” he said, adding that the Singapore government already was working to address this. “It’s not easy because the ransomware [challenge] is not going to go away.”
    “The unique security challenges posed by increased multi-cloud adoption combined with an ever-changing threat landscape requires proactive measures put in place for prevention and mitigation,” Ng said in the report. “It is imperative for companies to deploy corresponding data protection solutions to close that resiliency gap in order to protect increasingly valuable digital assets.”
    Citing Veritas’ own research, he noted that 42% of companies had been hit by at least one ransomware attack in the last two years.
    According to the Ransomware Resiliency Report, 15% of Indian organisations had experienced more than five ransomware attacks while 31% saw between three and five such attacks. Some 13% in Singapore had experienced one ransomware attack, while 9% reported between three and five such attacks.
    To help companies plug any gaps in their IT infrastructure, Ng suggested that governments could introduce regulations similar to those they had implemented for healthcare and financial services in other sectors such as manufacturing, which were increasingly the targets of ransomware attacks.
    “That’s an area governments can play a more proactive role, in defining what’s bare minimum for companies in manufacturing, for instance,” he said. 

  • Linux Foundation: We'll host Mozilla's Rust programming language-based Servo web engine

    The latest open-source project to be hosted on the Linux Foundation is Servo, the experimental web engine developed at cash-strapped Mozilla.
    Servo was hatched in 2012 at Firefox-maker Mozilla, which recently made significant headcount reductions that mostly affected developers working on Servo.      

    Servo is written in the programming language Rust, giving it advantages in memory safety, speed and parallelism over other browser engines. 
    It has the potential to be an alternative to Google’s Blink engine for Chrome and Chromium-based browsers, or WebKit, the open-source engine behind Apple’s Safari browser. 
    Servo offers components that other projects can use to bring web content to other applications with support for HTML, CSS, JavaScript, WebSockets, WebVR, and WebGL. Mozilla used it for part of its overhauled Quantum Firefox browser. 
    Futurewei, Let’s Encrypt, Mozilla, Samsung, and Three.js are among the organizations that are supporting Servo’s move to be hosted by the Linux Foundation.
    “The Linux Foundation’s track record for hosting and supporting the world’s most ubiquitous open-source technologies makes it the natural home for growing the Servo community and increasing its platform support,” said Alan Jeffrey, technical chair of the Servo project.

    “There’s a lot of development work and opportunities for our Servo Technical Steering Committee to consider, and we know this cross-industry open-source collaboration model will enable us to accelerate the highest priorities for web developers.” 
    Mike Dolan, senior vice president and general manager of projects at the Linux Foundation, described Servo as “the most promising, modern, and open web engine” for building applications using web technologies.
    “That has a lot to do with the Rust programming language,” he said. “We’re excited to support and sustain this important work for decades to come.” 
    Servo runs on Linux, macOS, and Windows. Samsung helped port it to Android phones, while there’s also support for headsets like Oculus, Magic Leap, and Microsoft HoloLens.
    Servo is more efficient than most web engines because it takes advantage of low-power multi-core CPUs thanks to Rust. 
    The Linux Foundation noted that Rust and Servo evolved together during their early days. Servo was initially the largest Rust program other than the Rust compiler itself. Rust’s memory-safety helps reduce Servo’s attack surface for common security vulnerabilities such as buffer overflow flaws. 

  • Windows 10: Microsoft reveals Pluton security chip – 'Expect Patch Tuesday-type updates'

    Microsoft has announced its Pluton processor, a forthcoming chip that lives apart from the main CPU and which will be available in future Windows 10 PCs.
    The Microsoft Pluton processor is designed to improve protections against physical attacks and stop attackers stealing user credentials and encryption keys with malware. The chip should also help systems recover from software bugs. 

    Essentially, the Pluton chip is a Trusted Platform Module (TPM) that’s isolated from the rest of the system to help protect encryption keys from attacks on the speculative execution process in CPUs. 
    Microsoft promises Pluton will make it easier to keep system firmware up to date, for example, in cases when TPM firmware for separate security processors is required. 
    In Intel’s case, the Pluton processor will ship with future chips but will be isolated from their cores. However, at present there’s no precise timeline for the appearance of the first Intel chips containing the Pluton security processor. 
    Pluton will be integrated with the Windows Update process on Windows 10 PCs, according to Microsoft. The chip is an updateable platform for running firmware that implements end-to-end security that is authored, maintained, and updated by Microsoft.
    The firmware updates will follow the same process that the Azure Sphere Security Service uses to connect to IoT devices.

    Microsoft notes that the Pluton design was in fact introduced as part of the integrated hardware and OS security capabilities in its Xbox One game console with AMD chips released in 2013, and also within Azure Sphere.
    “Our question was how could we build the most secure PC by taking advantage of the best hardware Intel and others have and integrating that into the operating system. This is really the next evolution,” David Weston, Microsoft’s partner director of enterprise and OS security, told ZDNet. 
    Microsoft is also planning to release Pluton security processors with AMD and Qualcomm Technologies.  
    “Microsoft has developed this security processor. We’re partnering with Intel to actually stick it into their CPUs. We all know how powerful and capable Intel CPUs are, as well as all the other security capabilities they have in the platform. But to us, this is cementing that the PC ecosystem has unmatched innovation,” Weston continued.  
    “The Pluton processor is not bolted on. It’s right in there, and you get security as well because there’s very little attack surface around the processor.” 
    Weston said Pluton represents a big change from the Secured-Core Windows 10 PCs that Microsoft announced last year, which have been available in higher-end laptops aimed at business users. 
    Some of the more advanced physical attack techniques available today can target the communication channel between the CPU and TPM, which is typically a bus interface, Microsoft explains.
    While this interface allows for information to be shared between the main CPU and security processor, attackers in possession of the device can steal or modify information in transit.
    “Pluton is for the entire Windows PC ecosystem. We are putting this in Intel chips and it will be available to everybody as a security baseline,” said Weston. 
    He notes that customers used to have to explicitly choose and then go buy a security processor, and then pick a different vendor. 
    “We’re making that dead simple. You buy an Intel processor, you have this Intel-Microsoft security processor that is 10 years of evolution based on what we learned from the TPM,” said Weston.
    “You’re getting better protection against physical attacks, you’re getting Microsoft verification of firmware to stop some of the new firmware attacks, and we’re going to update this thing every month just like it’s Patch Tuesday.” 
    He added that Microsoft is collaborating on authoring the hardware and firmware. “You don’t have to think that much about how you’re going to manage or maintain it.” 
    Weston argued that a lot of challenges in the ecosystem today arise from problems with keeping security processors up to date.
    “You have different places you have to go and source [updates]. This makes it deadly simple. It’s my team that builds Windows BitLocker and Windows Hello and all the great technologies that take advantage of this security processor are also now we’re working with Intel to build it,” he said.
    “So we have this deep integration that’s going to pay off in spades in terms of user experience and the security fundamentals.”

  • Researchers warn of internet security risks connected to Tesla Backup Gateway

    Researchers have outlined weak security points in Tesla Backup Gateway and the ways in which they can be exploited. 

    On Tuesday, Rapid7 described the security risks associated with connecting Tesla Backup Gateway to the internet; in particular, ways that open connections can be used to violate user privacy and security. 
    Tesla Backup Gateway is a platform designed by the automaker for managing solar and battery/Powerwall installations. The system is able to connect directly to the grid, monitor outages, and give users the option to watch and control energy reserves via a connected mobile application. Connections can be established via wifi, Ethernet cable, or mobile.
    In order to access the gateway, users connect to the software’s wifi network, enter its serial number — which acts as a password — and access Tesla Backup Gateway from an internet browser. Each gateway uses a self-signed SSL certificate.
    The first time a user logs in, their email and a password — the last five digits of the gateway password — are used. 
    According to Rapid7 and past research conducted by Vince Loschiavo, the risk with this practice is that weak credentials can be exploited. 

    At worst, five digits for first-time logins result in 60.4 million password combinations and the team says there do not appear to be restrictions in place to stop brute-force attempts. However, there are ways to circumvent the challenge of trying out millions of combinations, as a simple drive-by to record the wifi access point can reduce this volume.
    The access point SSID uses the last three characters of the serial number, leaving only two to guess. 
    Rapid7 also notes that many counties publish household Tesla Solar and Powerwall install permits online, giving attackers direction toward potential targets. 
    When the gateway is connected to a local area network, its hostname is broadcast using the full serial number. 
    A number of Tesla Backup Gateway installations have also been found, open and available on the internet. The researchers have documented 379 exposed installations since January in the US and Europe, some of which are commercial-grade Tesla Powerpacks. 
    The platform includes APIs documenting power usage, draw, and some ownership information — but there are also hidden APIs that can be leveraged for additional statistics.
    “In theory, the voltage, cycle, and other settings of the energy managed by the Backup Gateway, and the batteries connected to it are configurable,” Rapid7 says. “It may be possible to do damage to a battery, or even the electrical grid, if these settings could be tampered with. Though placing a Tesla Backup Gateway or Tesla Powerpack on the internet may be tempting, we should remember that the internet is noisy by nature, with lots of unsolicited traffic being passed through various ports on a regular basis.”
    Rapid7 reached out to Tesla prior to publication and the company said that upcoming security updates will feature hardening and mitigation of the issues mentioned. 
    Furthermore, Tesla said, “predictable installer passwords have been fixed for some time on newly-commissioned Backup Gateway V1 devices, but some previously commissioned devices still had them, and all online Backup Gateway V1 devices have had their installer passwords randomized.” Backup Gateway V2 devices also now come with randomized passwords. 
    ZDNet has reached out to Tesla and will update when we hear back. 

  • Firefox 83 released with 'HTTPS-Only Mode' that only loads HTTPS sites

    Firefox 83, scheduled for release later today, will ship with a new security feature named “HTTPS-Only Mode” that will try to load all websites via HTTPS or show an error message on sites that only support the older and insecure HTTP protocol.
    By default, the new feature is disabled, but users can enable it by going to the Firefox Options page, to the Privacy & Security section, and then searching for the HTTPS-Only Mode settings.
    According to Mozilla, the new feature works by attempting to find the HTTPS version of any website, even if the user has accessed the site by typing or clicking on an HTTP link.
    If Firefox can’t auto-upgrade a site to an HTTPS connection, the browser will show an error to the user and ask them to click a button to confirm they want to access a website via an older HTTP connection.
    The new HTTPS-Only Mode feature can also be enabled or disabled by clicking the lock icon in the address bar and selecting it from the drop-down panel that appears.
    Today, the HTTP protocol is considered insecure because all traffic occurs via plaintext messages that can be intercepted and expose a user’s web traffic.
    The HTTPS protocol is the natural evolution of the HTTP protocol, with the connection being established and taking place via an encrypted channel.

    Mozilla said it fully expects that HTTPS will become the standard way to navigate the web. As more websites will migrate to HTTPS, Mozilla said it will soon be possible for browser makers to deprecate HTTP connections altogether, effectively making the HTTPS-Only Mode the default browsing state going forward.

  • Cryptocurrency platform dangles ‘bug bounty’ carrot to hacker who stole $2 million

    Akropolis has offered the hacker who stole $2 million in Dai cryptocurrency a “bug bounty” reward in return for the missing funds.

    In an open letter published on Medium, the cryptocurrency “community economy” platform proposed a $200,000 “reward” for the threat actor’s cooperation. 
    Describing the bug bounty payment “as compensation for your exploit,” Akropolis said it “hope[s] that the hacker will take our offer into consideration and cooperate with the team to resolve the issue.”
    The platform revealed the theft of cryptocurrency from its platform last week. As previously reported by ZDNet, transactions were temporarily paused to stop more Dai tokens from being stolen in what is known as a “flash loan” attack.
    Flash loan attacks occur on decentralized finance (DeFi) platforms. An attacker borrows funds but then exploits a security weakness — such as a vulnerability — to bypass loan mechanisms and walk away with the cryptocurrency they have ‘borrowed.’
    Since the cyberattack, Akropolis has internally investigated the exploit and is currently fixing “contract-level” issues. The company has also launched an external analysis of the incident together with partners and investors. 
    However, Akropolis has chosen not to go to law enforcement — yet — in the hope that the hacker will agree to the firm’s proposal. 
    “We would like to propose that you return the funds of our community members within 48 hours and in return, we will offer a $200,000 bug bounty,” Akropolis said. “We will take measures to protect your identity as required. If you decide not to cooperate we will pursue criminal action and contact law enforcement.”
    There is no word as of yet, over 48 hours later, if the hacker responsible has accepted this proposal — or what Akropolis’ next course of action may be. At the time of writing, the stolen Dai coins are still being held in a blacklisted, attacker-controlled wallet. 
    In a project update on November 16, Akropolis said the threat actor was able to exploit the “flawed handling of the deposit logic in the SavingsModule smart contract.”
    “The exploitation leads to a large number of pool tokens minted without being backed by valuable assets,” the company added. 
    Checks for deposit tokens and whitelist functions have now been implemented. Akropolis is currently working on adding test coverage for staking pools, boosting security check-ups, and deciding on how to compensate users. The platform is also on the hunt for two new senior developers to join the team. 
    ZDNet has reached out to Akropolis for additional comment and will update when we hear back.

  • More than 200 systems infected by new Chinese APT 'FunnyDream'

    A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.

    The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.
    The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.
    Both Bitdefender and Kaspersky said the group is still active even today and appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.
    Similar attacks dating back to 2018
    Per Bitdefender, most of these attacks have followed a simple pattern and combined three malware payloads — Chinoxy, PCShare, and FunnyDream (malware after which the group was named).
    Each of the three malware strains has a precise role. Chinoxy was deployed as the initial malware, acting as a simple backdoor for initial access.
    PCShare, a known Chinese open-source remote access trojan, was deployed via Chinoxy and was used for exploring infected hosts.

    FunnyDream was deployed with the help of PCShare and was the most potent and feature-rich of the three; it had more advanced persistence and communication capabilities and was used for data gathering and exfiltration.

    “Even looking at the tool usage timeline we can see that threat actors started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later decided to bring on a full toolkit, specifically the FunnyDream toolkit, for prolonged surveillance capabilities,” Liviu Arsene, Global Cybersecurity Researcher at Bitdefender, told ZDNet.
    “We’ve seen government infrastructure compromise and years-old persistence, custom exfiltration tools, and the use of living-off-the-land tools, all of which point to an espionage campaign, potentially politically motivated,” Arsene added.
    “Considering that Southeastern Asia has been under a lot of economic and trade issues related to shifting supply chains from China to Southeast Asia, as well as escalating US-China tariffs, this effort might be part of potential Chinese APT campaigns targeting South Eastern government institutions for potential espionage, aimed at figuring out how governments within the region plan to navigate these shifts.
    “Some countries within the region have even gone through recent elections and governance changes, all of which could merit interest from potential Chinese APT groups in terms of how local regimes could align ideologically and politically to China’s interests,” the Bitdefender researcher told ZDNet.