More stories

  • Fastly's global outage: Here's what went wrong

    Content delivery network (CDN) Fastly has explained its major outage yesterday, which knocked out many of the world’s top websites, from Amazon to ZDNet. The breadth of the outage demonstrated once again how CDNs, which bring content to end users from globally distributed points of presence (POPs), can also be a single point of failure.

    Fastly has POPs across the globe running on solid state drives (SSDs) that make up its “edge cloud” for delivering web content from data centers that are closer to end users. Instead of accessing a website’s servers directly, users access a cache of the site from cache storage maintained by the CDN.

    Its global outage yesterday briefly prevented web users from accessing The Guardian, the Financial Times, The New York Times, ZDNet, Reddit, Twitch, Amazon, PayPal, and the UK government website gov.uk.

    Nick Rockwell, Fastly’s senior vice president of engineering, said the hour-long outage happened because a customer pushed a configuration change that triggered a previously undiscovered software bug. Rockwell doesn’t explain what exactly happened, other than saying that on May 12, the company deployed a software update that “introduced a bug that could be triggered by a specific customer configuration under specific circumstances.”

    Then yesterday, June 8, a customer pushed a configuration change that met the conditions to trigger the bug, which caused 85% of its network to return errors. End users visiting affected sites saw the “Error 503 Service Unavailable” error message in browsers.

    Fastly yesterday said the issue was causing customers to see an “increased origin load and lower Cache Hit Ratio (CHR)”. CHR is the share of requests a cache can serve itself out of all the requests it receives; the remainder must be fetched from the customer’s origin servers, which is why a falling CHR shows up as rising origin load.

    “Once the immediate effects were mitigated, we turned our attention to fixing the bug and communicating with our customers. We created a permanent fix for the bug and began deploying it at 17:25,” said Rockwell. The disruption began at 9:47 UTC.

    Fastly is the seventh largest CDN provider, following Google, Cloudflare, F5, Amazon CloudFront, and jsDelivr, according to Datanyze.

    The pitfall of CDNs is that when they go down, as Cloudflare did in 2019 – due to a buggy configuration change – users can’t access websites that rely on the CDN to deliver content.

    Rockwell recognized that the company should have seen this bug before the customer accidentally triggered it. He also apologized to customers.

    “Even though there were specific conditions that triggered this outage, we should have anticipated it. We provide mission-critical services, and we treat any action that can cause service issues with the utmost sensitivity and priority,” he wrote. “We apologize to our customers and those who rely on them for the outage and sincerely thank the community for its support.”

  • Apple pays millions of dollars to student after repair staff leak her explicit photos online

    Apple has agreed to a multi-million dollar settlement to resolve a lawsuit with a woman whose explicit photos were leaked online by employees repairing her iPhone. 

    The woman, a past student at the University of Oregon, handed over the mobile device in 2016 for repair of an unspecified issue at a Pegatron facility in California, as reported by The Telegraph. Pegatron has acted as a long-term supplier and partner with the iPhone and iPad maker. At the time, two employees of the firm allegedly accessed explicit images and video stored on the device. This content was then posted on the woman’s Facebook account, to appear as if she had shared it.

    The explicit material has been described as “photos of her in various stages of undress and a sex video.” The woman was only made aware of the technicians’ activities when a contact alerted her to the leak, and she was able to take the images and video down. However, the damage was done and the student then launched a claim against Apple for privacy violations and the emotional distress caused.

    Apple reportedly settled for a multi-million dollar amount which was reimbursed by Pegatron. According to reports, the agreement includes a clause to prevent the woman from disclosing the value of the settlement. The tech giant also apparently demanded confidentiality, but a legal battle between Pegatron and its insurer — which disputed the amount requested for reimbursement — resulted in Apple’s role being identified.

    The technicians have been fired.

    Apple said in a statement that upon learning of the incident and “egregious violation” of data privacy and security policies, “we took immediate action and have since continued to strengthen our vendor protocols.”

  • PuzzleMaker attacks exploit Windows zero-day, Chrome vulnerabilities

    Researchers say zero-day vulnerabilities fixed in Microsoft’s recent Patch Tuesday round have been used in targeted attacks against the enterprise. 

    According to Kaspersky, a wave of “highly targeted attacks” on several organizations was traced that utilized a chain of zero-day exploits in the Google Chrome browser and Microsoft Windows systems over April 14 and 15, 2021. The attackers have been named PuzzleMaker.

    The first exploit in the chain, while not confirmed, appears to be CVE-2021-21224, a V8 type confusion vulnerability in the Google Chrome browser prior to 90.0.4430.85. Google issued a patch for the severe flaw on April 20, which if exploited, allowed remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page. Sandboxes, by design, segregate activities away from the main system, so for an exploit chain to work, a sandbox escape is the necessary next step.

    According to the researchers, this escape was found in two Windows 10 vulnerabilities — both of which are zero-day bugs that were patched in Microsoft’s latest Patch Tuesday update. The first, CVE-2021-31955, is a Windows kernel information disclosure vulnerability in ntoskrnl.exe, used to expose the kernel addresses of the EPROCESS structures of running processes. The second, CVE-2021-31956, is a heap buffer overflow vulnerability in the Windows NTFS driver that can be exploited for privilege escalation.

    Kaspersky says that when chained together, the vulnerabilities allowed the attacker to escape the sandbox and execute malicious code on a target machine.

    Malware is then deployed which includes stager, dropper, service, and remote shell modules. The stager first checks that exploitation was a success, and if so, grabs the dropper module from a command-and-control (C2) server for execution. Two executables then land on the target machine, masquerading as legitimate Windows files. The first is registered as a service and is used to launch the second executable, which contains remote shell capabilities.

    This payload is able to download and exfiltrate files, as well as create system processes. The malware is also capable of putting itself to ‘sleep’ for a time or self-destructing.

    It is recommended that organizations maintain frequent patch schedules and apply relevant fixes — more so if bugs are being actively exploited. As we saw with the Microsoft Exchange Server incident in March, attackers will quickly jump on security issues as soon as they are publicly known.

  • Huawei reveals 'cybersecurity framework' with launch of China transparency centre

    Huawei Technologies has kicked into PR overdrive, pledging its commitment to cybersecurity with the opening of its latest transparency centre in Dongguan, China. It also released the “security baseline framework” that the Chinese tech vendor says is adopted for its products, outlining requirements for product implementation and for compliance with legal and regulatory requirements.

    The new Dongguan facility is amongst seven transparency centres Huawei operates worldwide, including in Belgium, Germany, Canada, and the UK, where its first was launched in 2010. These sites have hosted 700 customer exchanges over the past decade. According to Huawei, the centres offer a platform on which its products and software can be tested and security verified by customers and governments. The facilities provide technical documents, testing tools and environments, as well as technical support.

    When asked, Huawei told ZDNet that customers and governments also would be able to view the source code of its security framework. The spokesperson said independent third-party testing organisations would be able to perform “fair, objective, and independent security tests and verifications” based on “industry-recognised” cybersecurity standards and best practices. “[The centre] allows outsiders to remotely access Huawei’s source code, our ‘crown jewels’,” he noted.

    Along with the launch, Huawei unveiled the security baseline framework that it said was integrated into its product development process and developed to address legal and regulatory requirements. The framework comprises 54 requirements spanning 15 categories for product implementation, such as backdoor prevention, access channel control, encryption, application security, and secure compilation. The vendor added that this was the first time its security baseline had been made available to the industry.

    Huawei also urged the need for a “unified approach” to cybersecurity, pointing to industry bodies such as GSMA and 3GPP that had pushed the adoption of standards such as NESAS (Network Equipment Security Assurance Scheme) and independent certifications. “At present, the industry still lacks a standards-based, coordinated approach, especially when it comes to governance, technical capabilities, certification, and collaboration,” the Chinese vendor said.

    NESAS is a voluntary initiative introduced to provide a security enhancement programme focused on mobile network infrastructure equipment. It encompasses equipment designed to facilitate functions defined by 3GPP (3rd Generation Partnership Project), and deployed by mobile network operators on their networks. Specifically, it comprises security assessments of vendor development and product lifecycle processes as well as security evaluations of network products. The programme has been adopted by a handful of vendors, namely Nokia, Ericsson, and ZTE.

    “These baselines have seen wide acceptance in the industry and will play an important role in the development and verification of secure networks,” Huawei said, adding that its 5G and LTE equipment had passed NESAS evaluation.

    Through its transparency centres, the vendor said it had conducted more than 200,000 training courses covering cybersecurity and privacy process development as well as verification and testing. Last year, it also carried out risk assessments and monitored more than 4,000 suppliers of various cybersecurity services.

    It said the emergence of 5G networks and services also would increase security risks, further underscoring the need for collective efforts to combat such threats. Huawei said: “Industry digitalisation and new technologies like 5G and AI (artificial intelligence) have made cyberspace more complex, compounded by the fact that people have been spending a greater portion of their lives online throughout the COVID-19 pandemic. These trends have led to a rise in new cybersecurity risks.”

    It noted that digitalisation also blurred the physical boundaries of traditional networks, leading to more network threats, and to vulnerabilities and attacks with more serious consequences.

    Huawei’s rotating chairman Ken Hu said: “Cybersecurity risk is a shared responsibility. Governments, standards organisations, and technology providers need to work closer together to develop a unified understanding of cybersecurity challenges. This must be an international effort.”

    The Chinese vendor said its research and development (R&D) spending on cybersecurity and privacy components accounted for 5% of its overall R&D budget, and its global headcount included more than 3,000 cybersecurity R&D professionals.

    Huawei last week launched HarmonyOS 2 across 100 of its devices in China, including smartphones, smart watches, and tablets, further driving its aim to have the mobile OS installed on more than 300 million devices. It said in April that it would continue to diversify its product focus as it looked to buffer a decline in its smartphone sales, which were impacted by ongoing US export sanctions that blocked access to Google’s Android ecosystem. With HarmonyOS still unavailable outside of China, though, it remains to be seen whether the mobile OS will be adopted as widely internationally, and its distribution across multiple consumer device categories may trigger further security and privacy concerns.

  • Australian government looks to make Essential Eight essential

    The Australian government has flagged its intention to mandate the Essential Eight mitigation strategies, despite many entities not fully wrapping their heads around the Top Four.

    Since 2013, non-corporate Commonwealth entities (NCCEs) have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the Attorney-General’s Department (AGD) Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD.

    The Joint Committee of Public Accounts and Audit (JCPAA) last year reviewed a pair of reports from the Australian National Audit Office (ANAO). A report on this probe from the JCPAA in December asked AGD whether it was feasible to mandate the Essential Eight, a call the committee made in October 2017, as well as to report back on why any entities have yet to implement the Top Four mandated in April 2013.

    In its response [PDF] to the JCPAA, AGD said it remains committed to maintaining robust protective security standards to ensure the PSPF supports entities to manage their risks.

    “The department has carefully considered … and has held detailed discussions with the [Australian Cyber Security Centre] on the cybersecurity settings in the PSPF,” AGD wrote. “On this basis, the department will recommend an amendment to the PSPF to mandate the Essential Eight.

    “This reflects the ACSC’s advice that entities should progress maturity across all eight strategies … rather than focusing efforts on a smaller subset like the Top Four, as this provides a greater level of protection.”

    AGD said such an approach has been endorsed by the Government Security Committee, which is an interdepartmental committee that provides strategic oversight of protective security policy.

    Although keen to make the Essential Eight essential, AGD said doing so would have an impact on the entities required to implement them. “As a result, the department has commenced consultation with the 98 NCCEs about the implications of this proposal,” it added. “The department expects responses from NCCEs by the end of June 2021.”

    It is also preparing draft amendments to the PSPF and said it is currently considering timeframes for implementation.

    Another one of the JCPAA’s recommendations was that AGD update the committee on its benchmarking process for Commonwealth entities’ reported compliance with cybersecurity requirements.

    ANAO in March published findings of an investigation into the effectiveness of cybersecurity risk mitigation strategies implemented by seven government entities, and declared none had fully implemented all the mandatory benchmarks and that self-reporting was weak.

    AGD told the JCPAA it is “exploring options, including moderation, to further support entities to improve the accuracy of their self-assessments”. “In addition, the department is also reviewing the existing maturity model to ensure it is fit for purpose,” it said.

  • Health highlights challenges with genomic information under current Privacy Act

    The Australian Department of Health has asked for the government to provide more guidance on how to get de-identification right, hoping such advice will be provided when the Privacy Act 1988 receives a facelift.

    Health, in a submission [PDF] to a review of the Act underway by the Attorney-General’s Department, said the de-identification of data, given the risk of re-identification, is a complex area. “Particularly given the burgeoning demand for access to public sector data at very granular levels, and for linkage with other datasets,” it wrote.

    The department said that while the Office of the Australian Information Commissioner (OAIC) has published guidance materials on de-identification, data custodians may still need to seek specialist expertise in order to be satisfied that the likelihood of re-identification is low, “particularly in light of advances in data analytic technologies”.

    “The department is of the view that any changes in the Privacy Act that require additional protections in relation to de-identified, anonymised, and pseudonymised information … will need to be supported by appropriate guidance and expertise in order for implementation to be effective,” it said.

    The department raised these concerns alongside the issue of genomic information.

    “Genomic information will only fall within the scope of the Privacy Act if it meets the definition of personal information in s 6(1) of the Privacy Act, which can be challenging particularly in the context of data sharing and linkage activities necessary for genomics,” it explained. “There is uncertainty and inconsistency in the application of the current test as to whether genomic information is ‘about’ an individual who is ‘reasonably identifiable’, in which case it falls within scope of the Privacy Act.”

    Health said it is therefore difficult to assess when genomic information may render a person reasonably identifiable, particularly as data moves between different collections with different data linkage possibilities. “Such lack of clarity is likely to present a barrier to the uptake of clinical genomic research and services, as individuals may be unwilling to share their genomic information,” it said.

    On the idea of balancing the provision of adequate information to individuals and minimising regulatory burden, Health noted there are currently up to 10 different requirements that could be included in Australian Privacy Principle (APP) 5. APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.

    “The department would be broadly supportive of appropriate measures to simplify this process, including additional guidance about the scope of APP 5 notices, the role of overarching privacy notices in making individuals aware of APP 5 matters, and the development of a standard form of words to assist APP entities in complying with APP 5 obligations,” it wrote. “In addition, the department would further support any appropriate measures that assist in clarifying how the primary purpose of collection should be interpreted, particularly where there could be multiple purposes for which personal information is being collected.”

    The department said it would welcome any appropriate measures aimed at simplifying the notification process relevant to APP 5, in particular the development of a standardised framework of notice. It also said requirements to obtain more specific and explicit consent in relation to the purposes for which information is collected, used, or disclosed would provide the department with greater immediate clarity around obligations for the handling of personal information.

    “The ability to use or disclose personal information for secondary purposes unforeseen at the time of collection provides significant benefit to both government and the Australian public by, for example, facilitating continuous improvement and evaluation of policy implementation and reducing the risk of individuals being disadvantaged in service delivery by not having provided the appropriate consent,” it added. “The department is cognisant of the need to guard against function creep while at the same time offering some measure of flexibility with respect to unforeseen but beneficial secondary purpose uses or disclosures.”

  • Cryptojacking, reverse proxy phishing to list of cryptocurrency cyberthreats

    Crypto market capitalization reached nearly $2 trillion in March and there has never been more interest in cryptocurrency globally. But with the influx of investment has come a variety of cybersecurity risks to cryptocurrency wallets and evolving threats to exchanges.

    The most common attack methods dominating conversation in cybercriminal forums are reverse proxy phishing, cryptojacking, dusting and clipping, according to a new study from Digital Shadows. The company’s Photon Research Team scanned the dark web to sort out the most popular techniques used to either steal or mine for cryptocurrency.

    Many of the widely used tactics, like reverse proxy phishing, revolve around getting past two-factor authentication by effectively snooping on the traffic between two parties. Cryptojacking has long been a popular scam leveraged by cybercriminals, allowing an attacker to use a victim’s device to mine cryptocurrency. Clipping is when attackers manage to steal cryptocurrency while it is being sent during a transaction, and crypto dusting involves “deanonymizing your crypto wallet by sending tiny amounts of crypto ‘dust’ to multiple wallets,” the report described.

    All of the methods are riffs on brands of cyberattacks used in other contexts outside of cryptocurrency. Chris Morales, CISO for Netenrich, said it was “the same game with a different name,” with attackers moving on from financial documents and bank accounts to digital wallets and crypto mining. “The method is still social engineering with phishing and malware for mining on your hardware. I see names like dusting and I think about credit card skimming,” Morales said. “I see clipping and I think of URL redirecting.”

    The study notes that even cybercriminals themselves deal with thefts from their own wallets.

    “We’ve recently seen a few forum threads where threat actors complain about having their virtual currency stolen,” the report said. “One user even held an ‘ask me anything’ session after they lost ‘100k’ due to ‘being phished’ in May 2021. Another wrote, ‘I want my currency back, this is god damn bad,’ after their Ethereum was stolen.”

    A report from Atlas VPN in January found that cybercriminals stole “nearly $3.78 billion” in cryptocurrency throughout 2020. Other data from Slowmist Hacked listed 122 attacks in 2020, with most targeting cryptocurrency exchanges, Bitcoin wallets, and decentralized apps running on the Ethereum platform.

    Coalfire director Karl Steinkamp noted that software wallets will only be as strong as their software and security development processes, as well as how the end user secures them. “I wouldn’t be surprised to see vulnerabilities in some of the software wallet providers over time that allows these wallets to be accessed before being patched or updated. The same is not generally true for hardware wallets as these tend to be purpose built and would require a more sophisticated skill set to compromise,” Steinkamp added.

    James McQuiggan, security awareness advocate at KnowBe4, explained to ZDNet that using phishing to steal cryptocurrency will be the easiest way for cybercriminals to get money from a victim.

    “Clicking the link in a phishing email is like having a high-tech security system at home and leaving the door open when you click on the link or open the attachment from the phishing email. Unfortunately, if you are not monitoring your crypto wallet or computer, you might overlook the cyber criminal rooting around on your computer,” McQuiggan said. “Cryptojacking is another attack method that cyber criminals utilize to make money without doing a lot of work. But, again, phishing becomes the easiest way for cyber criminals to work their way through a network and find servers to run their cryptomining to generate the currency.”

  • Constituent platform used by Congress hit with ransomware as NYC faces legal department hack

    News emerged on Tuesday morning that iConstituent, a platform built to facilitate communication between politicians and local residents, has been dealing with a ransomware attack. iConstituent did not respond to requests for comment, but Punchbowl News reported that almost 60 members of Congress use the platform. Chief Administrative Officer of the House Catherine Szpindor told the news outlet that they were notified of a ransomware attack on iConstituent’s e-newsletter system, which House members buy access to. 

    But Szpindor added that no data from the House had been taken or accessed and the network used by the House was not affected.

    Sophos’ Senior Security Advisor John Shier said the attack was yet another example of the way ransomware actors use supply chains as a way of gaining access to bigger targets. “Regardless of what you do, you’re in somebody’s supply chain, whether you’re providing services directly to another party or you’re part of a larger organization or mechanism that provides services or products to other people,” Shier said.

    The platform is also used widely across state governments in Nevada, Georgia, Hawaii and cities like Los Angeles. The New York State Assembly also has a contract with the company for services.

    The attack was revealed as the White House and law enforcement agencies take a more forceful stance on ransomware after devastating attacks on the country’s biggest meat processor and one of the country’s largest oil and gas providers.

    The tough rhetoric has done little to stop cybercriminals from levying a wide variety of attacks on institutions across state and city governments. The New York City Law Department was hacked on Sunday, forcing IT administrators to shut off access to certain systems for more than 1,000 employees. The organization handles all of the city’s legal matters and carries an enormous amount of personal information about the city’s employees, including Social Security numbers, addresses and more.

    Mayor Bill De Blasio appeared on television and said there has been no ransom request or compromise of city data, but investigators are still assessing the situation.

    Rajiv Pimplaskar, chief risk officer for Veridium, told ZDNet that New York has some of the nation’s best IT and cybersecurity infrastructure and organizations, demonstrating that no matter how good you are, no one is immune from breaches. Both Shier and Pimplaskar added that government agencies are ripe targets because of how much personal information they carry and because they are often using outdated systems and technology.

    “Departments that deal with sensitive information and customer data are prime targets for bad actors as they represent a honeypot of Personally Identifiable Information that can be a target in its own right or in turn be misused for social engineering and secondary attacks,” Pimplaskar said.