More stories

  • in

    Amazon data usage to feature in new UK antitrust probe: report

    Amazon’s data practices are to become subject to UK scrutiny in a new antitrust probe planned by regulators. 


    According to sources speaking to the Financial Times, the UK’s Competition and Markets Authority (CMA), a business innovation and antitrust watchdog, intends to launch a formal investigation into the e-commerce giant’s data management and usage.  The FT says that the agency has been watching and analyzing Amazon’s business “for months,” and in particular, has focused on data collection and merchant ranking.  The investigation will seek to answer queries relating to merchant favoritism — and whether or not the platform pushes merchants up the rankings when they use Amazon’s logistics and delivery services.  The “buy box” white panel, critical for consumer purchases and used when there are multiple sellers for the same item, is reportedly of particular interest to the CMA — and whether any anti-competitive behavior exists in how Amazon decides which merchants have access to it.  Amazon describes the buy box as a ‘best-fit’ feature based on customer feedback and service.  “When there are multiple sellers for a product, we feature the best of those offers prominently on the product page, in what’s sometimes referred to as “the buy box,”” the company says. “All of the Amazon retail and independent sellers’ offers compete to be one of the featured offers based on the same criteria, such as low price (inclusive of delivery), fast delivery, a track record of good customer service, and reliability in meeting its delivery promises.”

    The CMA is yet to announce a potential probe into Amazon. However, should it launch, it will follow investigations launched by the European Commission (EC) last year. The EC said that as Amazon acts as both an online marketplace and retailer, it has access to third-party seller data — and may unfairly use this to its advantage, such as in strategic business decisions. In addition, the commission opened a second investigation into the buy box and any preferential treatment for vendors that use logistics or delivery services provided by Amazon. “While we can’t comment on any alleged investigation, we continue to work hard to deliver great value and low prices for customers and support the tens of thousands of UK small and medium-sized enterprises that account for more than half of everything we sell in our online store,” an Amazon spokesperson told ZDNet. The CMA told us that it “cannot speculate as to which cases it may or may not investigate.” In May, the European Data Protection Supervisor (EDPS) announced an investigation into the use of technology vendor products by the bloc’s major agencies and how citizen data is managed, stored, and protected. These products include Amazon AWS and Microsoft Azure cloud services. Separately, the agency is also analyzing data protection law compliance and the use of Microsoft Office 365 by European authorities.

  • in

    Ransomware: Meat firm JBS says it paid out $11m after attack

    Global meatpacker JBS USA has paid $11 million in Bitcoin to cyberattackers that encrypted its files and disrupted operations in the US and Australia with ransomware, the company has said. JBS USA chief Andre Nogueira confirmed the company had made the payment to the attackers.


    While the FBI discourages ransomware victims from paying ransoms because it emboldens criminals, JBS said it made the decision to pay the attackers in consultation with third-party cybersecurity experts “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” “This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO, JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.” Last week, the FBI pinned the JBS attack on the actors behind the REvil ransomware, who are believed to be based in Russia. JBS is the world’s largest meat supplier. REvil, also known as Sodinokibi, is known for targeting organizations, including hospitals, schools and charities, rather than individuals, and demanding ransoms of as much as $50 million.

    JBS said it was able to quickly resolve the issues resulting from the attack because of its cybersecurity protocols, redundant systems and encrypted backup servers. It highlighted that it spends around $200 million annually on IT and employs more than 850 IT professionals globally. The REvil gang runs as a ransomware as a service (RaaS) business, selling its encryption software to other criminal groups. The JBS incident comes after the attack on Colonial Pipeline, the fuel distribution firm that brings oil from Texas to US states on the east coast. The firm provides roughly 45% of the east coast’s fuel, including gasoline, diesel, home-heating oil, jet fuel, and military supplies. Colonial fell victim to attackers using Darkside RaaS and confirmed it paid $4 million to decrypt affected files. However, the FBI announced this week that it had recovered over half of the ransom paid to the attackers. The FBI and Justice Department used the Bitcoin public ledger to track the payments to an address that the FBI had a ‘private key’ for. Ransomware has plagued organizations for the past decade, but the scale and severity of attacks have transformed in the past three years. In 2017, the WannaCry and NotPetya ransomware attacks impacted hundreds of firms, but high-profile ransomware attacks more recently have targeted specific companies and have been accompanied by high ransoms. The Colonial attack raised national security concerns for the US, with many attacks levied by Russia-based criminal groups that are willing to target critical infrastructure operations. US President Joe Biden is expected to raise the issue of Russian criminal hacking with Russian President Vladimir Putin at a June 16 summit in Geneva.

  • in

    ACSC scanning is allowing Commonwealth entities to avoid being hacked

    The Australian Signals Directorate published a sobering report, The Commonwealth Cyber Security Posture in 2020, on Thursday, with one of the bright spots being the use of scanning by the Australian Cyber Security Centre (ACSC). Under its Cyber Hygiene Improvement Programs (CHIPs), the ACSC was able to identify vulnerable, internet-exposed MobileIron systems across Commonwealth, state and territory, and local governments. “The ACSC notified all government entities operating vulnerable devices of the device details, the critical vulnerability and the urgent need to patch or otherwise mitigate the risk,” the report said. “This timely and actionable information from the ACSC allowed some government entities to pre-empt adversary exploitation of their MobileIron devices, in one case by hours.” The report said the 2020 MobileIron and Citrix vulnerabilities had some of the quickest turnarounds before exploitation attempts began to appear. “Reporting showed adversaries attempting to exploit these vulnerabilities within days of proof-of-concept codes being publicly released,” it said. “Organisations that cannot patch their internet-facing services in a very timely manner, especially legacy VPNs and websites, must improve their patching capability. Adopting software-as-a-service or platform-as-a-service cloud approaches to internet-facing services may assist.”
    [Image: ASD. Caption: This is bad]

    Elsewhere, the report said while in absolute terms the cyber posture of Commonwealth entities was improving, the shift was glacial in 2020. For instance, the report said entities were improving application hardening, but only 12% of entities got better. Similarly, 10.5% were doing application control properly, and 9.5% more entities could say they were restricting admin privileges properly. The blame for the slow pace was placed with entities continuing to use obsolete and unsupported operating systems and applications, not embracing cloud services, organisations not having fast or flexible modernisation strategies, a cyber skills shortage, and organisations continuing to “misunderstand, misinterpret and inconsistently” the Essential Eight. In a government response tabled on Wednesday, the government is considering making the Essential Eight essential for its entities.
    [Image: ASD. Caption: This is very, very bad]
    Restricting adherence to merely the Top Four of the Essential Eight showed 11% of organisations self-reported at the lowest level of compliance, followed by 55% at the second step of the four-step system, with 33% at the third level, and only 1% being fully compliant. The policy with the lowest level of maturity was “safeguarding information from cyber threats”. On the plus side, CHIPs is now able to track “cyber hygiene indicators” across 71,300 active Commonwealth government domains, an improvement of 54,300 domains in the year from February 2020, and covers the sites of 187 entities. Across 2020, CHIPs gained the ability to scan for encrypted email use; whether government sites were running up-to-date software, displaying default websites or using expired certificates; scanning for critical vulnerabilities; and advising government entities at all levels on services they have open to the wider internet. During the year, ACSC created a Protective Domain Name System that blocks domains associated with malware, ransomware, phishing attacks, and other malicious content. “Under the pilot, the ACSC processed approximately 2 billion queries from eight Commonwealth entities over the period from April to December 2020 — and blocked 4683 unique malicious cyber threats, preventing over 150,000 threat events,” the report said. “In 2021–22, the capability will be offered to all Commonwealth entities.”
    [Image: ASD. Caption: Australia is so bad at cyber]
    The report stated approximately one quarter of entities are now using DMARC to prevent email spoofing. Across the year, ACSC said it responded to 434 cyber incidents, of which 46% were self-reported and the remainder were found through “ACSC investigations, reporting from international partners and third parties, and analysis of a variety of classified and open-source material”. The next report will be handed to government in November 2022 and cover from January 2021 to June 2022. From 2023, the reports will focus on cyber posture across a single financial year.

  • in

    Australia to open digital ID system to private sector with consultation on new legislation

    Legislation will enter Parliament later this year that will allow non-government entities to provide digital identification services to Australians. The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post in 2019. myGovID and the Australia Post Digital ID are essentially just forms of digital identification that then allow the user to access certain online services, such as the government’s online portal myGov. The digital identity system is touted by the government as a simple, safe, and secure way to verify identity online, as well as one allowing for better interaction with government services. But it also believes digital ID can “enable innovative digital sectors of the economy to flourish”. While the DTA has developed the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity, it is a set of rules that only Australian government entities can follow — it can’t be applied to states and territories, or to the private sector. This is why legislation is required. “It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider,” DTA CDO Peter Alexander said during Senate Estimates in October. “So individuals and businesses dealing with the Australian government and national services will be able to make a choice.”

    Instead of listening to researchers recommending the Australian government abandon its existing digital identity system and start again from scratch, after they again highlighted security flaws in two of the systems already accredited, the government has opened a second round of consultation, this time on the development of legislation. Highlighting eight “key” elements, the government wishes to discuss with interested parties the structure of the legislation, scope and interoperability of the system, governance, privacy and other consumer safeguards, trustmarks, liability and redress options, penalties and enforcement, and the administration of the scheme. The purpose of the legislation, the government states, is to allow for independent oversight of the system, by formalising the powers and governance arrangements of the oversight authority; enable expansion of the system to state and territory governments and the private sector; provide privacy protections, consumer safeguards, and security requirements to build trust in the system; provide for a legally enforceable set of rules that set the standards for participating in the Digital Identity system, including the TDIF rules; and allow for entities to be TDIF accredited for their activities whether they are on the system or not. It is expected the legislation will consist of primary legislation with privacy and consumer safeguards and rules and policies, including accreditation standards. The government believes the legislation will leverage existing laws, not duplicate them. The legislation, it said, will have a “clearly defined scope”. It said the legislation will not limit a person to having one digital identity with one provider, nor will it be intended to regulate all digital identities and digital identity systems.
It said entities decide whether they will use the system or provide services on the system. The legislation will also require entities generating, transmitting, managing, using, and reusing digital identities to provide a “seamless user experience with the digital identity system”. Rules will be enforced by the oversight authority and Information Commissioner. The oversight authority will be given extended powers to suspend or revoke accreditation and access to the system, and issue directions for remedial action to address a breach. On privacy and consumer safeguards, the legislation is hoping to “protect personal information” and “ensure accessibility” for all. It will prohibit the creation of a single identifier used across the system and all government services and create a voluntary system giving users the right to create and use a digital identity, including the right to deregister and not use a digital identity at any time. It will require individuals to expressly consent before their attributes are shared with a relying party. With the DTA flagging previously its biometric testing with regards to the digital ID, the legislation is expected to limit the system to one-to-one biometric matching only and prohibit anyone other than those involved in proofing or authentication from collecting or using biometric information. It will also aim to prevent biometric information being sent to third parties not required to perform proofing or authenticate a person and require biometric information to be deleted once it has been used for its intended purpose.
However, the legislation will contain a caveat to allow users to consent to their biometric information being accessed for fraud or security investigations. The government is hoping to also prevent “data profiling”. “Prohibit the collection, use, and disclosure of information about a user’s behaviour on the system except to verify their identity, assist them to receive a digital service, allow them to view their own behaviour (for example, a dashboard), or support identity fraud management,” the government writes. It will also enforce record-keeping of metadata and activity logs for a minimum seven years to maintain the system’s integrity, and to allow for fraud or criminal investigations. With talk around the digital ID’s use in verifying an individual is of age before accessing online services such as pornography, the legislation will set a minimum age of 15 years for the use of a digital identity. Meanwhile, a liability and redress framework will aim to ensure accredited participants are not liable for loss or damage suffered “provided they were acting in good faith, and complied with the legislative rules and requirements relating to the system”. It will also establish a mechanism available to users affected by a cybersecurity incident, identity theft, inappropriate disclosure of information, or system failure. Submissions to the consultation close 15 July 2021. Elsewhere in Canberra, the government has funded an additional 51 projects, totalling AU$27 million, in the latest round of the Regional Connectivity Program (RCP). The funding contributes to co-funding from the applicant, and from other levels of government, as well as industry and other organisations.
The first tranche of the RCP funded, in theory, 81 projects. The program, previously pinned at AU$60 million available, formed part of the government’s response to the 2018 Regional Telecommunications Review. “The federal government’s total contribution of AU$117.4 million (GST inclusive) towards round 1 RCP projects will deliver total new investment of more than AU$232 million (GST inclusive) together with co-contributions from the funding recipients, state and territory governments and other third parties, including local governments, regional businesses, and community development organisations,” a statement from Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher and Minister for Regional Health, Regional Communications and Local Government Mark Coulton said.

  • in

    Biden revokes Trump-era executive orders that sought to ban AliPay, TikTok, WeChat

    US President Joe Biden has revoked and replaced various executive orders made by former President Donald Trump that had sought to block apps like AliPay, TikTok, and WeChat from US app stores. When Trump made those orders, he had labelled the Chinese apps as national security threats with respect to the information and communications technology and services supply chain. With the latest directive, AliPay, CamScanner, TikTok, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat, WeChat Pay, and WPS Office are no longer set to be banned. The Trump administration ordered TikTok to be banned unless it was divested to a US company. After months of negotiations following the Trump order, TikTok had come to a preliminary deal to be sold to Oracle and Walmart. That deal was then shelved indefinitely, however, after Biden came into office, according to The Wall Street Journal. While TikTok is no longer set to be banned, the executive order does not address the potential sale of the app, which is currently being reviewed by the Committee on Foreign Investment in the United States. In addition to replacing Trump’s executive orders, the new directive also sets new criteria that the Commerce Department must use to review whether apps tied to foreign adversaries pose an “unacceptable risk,” according to a White House fact sheet. The criteria for determining whether an app poses an “unacceptable risk” are whether it is owned, controlled, or managed by persons that support foreign adversary military or intelligence activities or are involved in malicious cyber activities, or whether it involves applications that collect sensitive personal data, the fact sheet said.

    The executive order also directs the Commerce Department to work with other agencies to come up with recommendations to protect US consumer data from foreign adversaries, as well as make recommendations for additional executive and legislative actions to further address the risk associated with foreign adversary connected software applications.

  • in

    RSA Security spins out its Fraud & Risk Intelligence business into standalone company called Outseer

    RSA Security is spinning out its Fraud & Risk Intelligence business into a new standalone company called Outseer. The new organization will be led by CEO Reed Taussig.

    Outseer said it will continue to build out RSA’s anti-fraud and payments security portfolio, which includes fraud detection and management, and payments authentication services. All of the RSA-branded products are being renamed to match Outseer’s new corporate identity. Outseer said its product portfolio is supported by deep investments in data and science, including a global network of verified fraud and transaction data, and a risk engine that the company said delivers 95% fraud detection rates. Payments fraud and risk tend to receive less public attention than topics such as ransomware and cybersecurity, but payment card schemes, issuing banks, and commerce providers have experienced a record number of fraudulent transactions and orchestrated attacks in payment networks during the pandemic. Outseer plans to work its portfolio toward the EMV 3-D Secure payment standard and incorporate new technology integrations across its payments and commerce ecosystem. EMV 3-D Secure is a messaging protocol that enables consumers to authenticate card-not-present (CNP) e-commerce transactions with their card issuer. “RSA’s Fraud & Risk Intelligence business provides Outseer with a solid foundation to address the urgent need to protect both the customers and the revenues of the digital economy,” said Taussig. “At Outseer, we want to liberate the world from digital transaction fraud and fill an apparent gap in the market by delivering science-driven solutions for 3-D Secure payment authentication and account monitoring. 3D Secure Card Not Present Authentication is a well-proven solution in Europe and in our view, will be the dominant solution to combat card not present fraud as we move into the future.” RSA announced in 2020 that it would operate as an independent company via acquisition by Symphony Technology Group, valuing the company at $2.1 billion.

  • in

    Qrypt’s cloud service will distribute entropy for better cryptography

    Entropy is a term used for the statistical uncertainty of a piece of data. One example is the randomly generated numbers used in cryptographic keys, which are hard to crack to the extent that such strings are truly hard for a computer to predict. Arguing that today’s encryption isn’t unpredictable enough, New York-based startup Qrypt on Wednesday formally announced its intent to offer “entropy-as-a-service,” or EaaS, to provide businesses as well as individuals with truly random number generation capabilities. “Everyone has an inherent right to privacy; we believe that right is under attack by Russia, China, any bad actor you want to pick,” said founder and CEO Kevin Chalker in an interview with ZDNet via Zoom. Qrypt’s main claim is that the current regime of cryptographic tools, based on things such as the RSA algorithm and the public-private key exchange, is already vulnerable because the pseudo-random number generation capabilities of such a network can be cracked with sufficient compute power. Down the road, quantum computing should have sufficient power to routinely crack the pseudorandom code, a looming risk that has already been widely discussed as the extinction of conventional cryptographic tools. In cases where codes can’t be broken at the moment, malicious types who steal data will park that data in its encrypted form on disk, as a harvest awaiting the day when the quantum tools are available to decrypt the data.

    The inspiration comes from the one-time pad cryptographic cipher generators used for covert operations. While full details of Qrypt’s approach are still somewhat limited, basically, Qrypt partners with a Barcelona-based, privately held company called Quside Technologies, for quantum-based random number generation. Quside, which spun out of Barcelona’s Institute of Photonic Sciences, uses semiconductor lasers to generate interference patterns that can be sampled to produce a random number. Sampling a real-world physical process in this way, such as the interference pattern of photons, is generally regarded as the most secure way to arrive at a truly random “seed” for a random-number generator. The quantum nature of such measurement is deemed more random than a roll of the die, which is a classical mechanical operation. The Qrypt EaaS, using appliances connected together in a distributed fashion, takes the Quside seed and uses it to generate what’s called a source of entropy, raw randomness, that can then be used to generate a one-time pad at each communicating party’s computer on either end of an otherwise non-secure communications line. The service is an alternative to quantum key distribution, or QKD. Where a QKD network has two key generator devices connected over a trusted communications line, Qrypt’s EaaS network distributes the raw random sources digitally to the users in a distributed fashion, and then runs a so-called BLAST algorithm that generates the one-time pads simultaneously on either end of the communication. The BLAST algorithm was developed by Yevgeniy Dodis, the firm’s chief cryptographer, who is a fellow with the International Association for Cryptologic Research and who has numerous publications on techniques such as key exchange. CEO Chalker previously was a CIA “operations officer,” a covert operative in the field within what’s called clandestine services, focused on Iran.
Qrypt’s chief technical officer is Denis Mandich, also formerly with the CIA, also a covert operative, focused on Russia. Both individuals make the point that the Qrypt EaaS is designed to bring to the retail/consumer market the same level of cryptographic strength for secure messaging and other applications. “We’re trying to democratize that same level of security that we relied on for all these years,” said Chalker. “We can do it right now with commercial, off-the-shelf infrastructure, you don’t have to build anything new, completely digitally, from here to the other side of the world,” said Mandich. Existing encryption, notes Mandich, can be broken even without quantum, especially in cases of poor practices in the use of one-time pads. “If you re-use one-time pads, or you don’t have really random one-time pads, they become breakable.” The Qrypt appliances are placed in data centers around the world, “geographically, politically distributed,” said Mandich. Qrypt has been funded by Chalker out-of-pocket thus far. He declined to disclose that total funding amount. Qrypt’s service is available for trial via a free account on its Web site. In addition to Qrypt’s data sheet on its Web site, additional interesting material can be found in two U.S. patents issued to the firm in 2019. One, “End-to-end double-ratchet encryption with epoch key exchange,” credited to Mandich and Dodis, describes an algorithm for distributing to two communicating devices an asymmetric key-generation function. A second patent, “Multi-source entropy and randomness aggregation and distribution network,” describes an as-a-service network for distributing entropy.


  • in

    This new ransomware group claims to have breached over 30 organisations so far

    An emerging ransomware operation appears to have links to a veteran cyber criminal group in the space – while also attempting to piggyback on the reputation of one of the most notorious forms of ransomware. Prometheus ransomware first emerged in February this year and not only do the criminals behind it encrypt networks and demand a ransom for the decryption key, they also use double extortion tactics and will threaten to leak stolen data if their demands for cryptocurrency aren’t met. Analysis by cybersecurity researchers at Palo Alto Networks details how, like many ransomware operations in 2021, the group runs like a professional enterprise, even going so far as to refer to victims of cyber attacks as “customers” and communicating with them via a ticketing system. The cyber criminals behind Prometheus claim to have hit over 30 victims around the world so far, including organisations in North America, Europe and Asia. Sectors Prometheus claims to have hit include government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law. However, only four victims have paid to date, according to the group’s leak site, which claims that a Peruvian agricultural company, a Brazilian healthcare services provider and transportation and logistics organizations in Austria and Singapore paid ransoms, Palo Alto said. One notable trait of Prometheus is that it uses the branding of another ransomware group across its infrastructure, claiming to be ‘Group of REvil’ on the ransom note and across its communication platforms.

    REvil is one of the most infamous and most successful ransomware operations, claiming a string of high profile victims. The FBI recently attributed the ransomware attack against meat processor JBS to the group, which is believed to work out of Russia. However, despite the use of REvil’s name, there doesn’t appear to be any link between the two operations – and it’s likely that Prometheus is attempting to use the name of an established criminal operation in order to increase its chance of receiving a ransom payment. “Since there is no solid connection other than the reference of the name, our running theory is that they are leveraging the REvil name to increase their chances of securing payment. If you search for REvil, the headlines are going to speak for themselves versus searching Prometheus ransomware where probably nothing major would’ve come up,” Doel Santos, threat intelligence analyst at Unit 42, Palo Alto Networks told ZDNet. Researchers note the operation does have strong links to Thanos ransomware. Thanos ransomware first emerged for sale on underground forums in the first half of 2020 but its behaviour and infrastructure are almost identical to those of Prometheus, which could suggest that Thanos and Prometheus are run by the same group of criminals. While researchers haven’t been able to identify the exact method by which Prometheus is delivered to victims, Thanos is known to be distributed by buying access to networks that have previously been compromised with malware, by brute-force attacks against commonly used passwords, and by phishing attacks. After compromising victims with ransomware, Prometheus tailors the ransom depending on the target, with demands ranging from $6,000 to $100,000 – a figure that’s doubled if the victim doesn’t pay within a week.
The ransom is demanded in Monero, rather than Bitcoin, a decision likely made because Monero transactions are more difficult to track than Bitcoin – so there’s less chance of the group being detected or their assets seized by law enforcement operations. It’s believed that the group is still active and will continue as long as attacks remain profitable. “As long as Prometheus keeps targeting vulnerable organizations, it will keep running campaigns,” said Santos. “Going forward we would expect this group to keep adding victims to their leak site, and change their techniques as needed,” he added. Given how Prometheus and other ransomware groups often rely on breaching user accounts to embed themselves on networks, one thing which organisations can do to help protect against ransomware attacks is use multi-factor authentication. Deploying this to all users provides an additional barrier to attacks, making it harder for cyber criminals to exploit stolen credentials as a starting point for ransomware campaigns.