More stories


    Mozilla expected to launch its VPN service in Germany and France in Q1 2021

Mozilla is expected to expand its virtual private network (VPN) offering to Germany and France by the end of Q1 2021, marking the service’s first expansion inside the EU.

The move comes after the browser maker formally launched the Mozilla VPN service last summer in the US, the UK, Canada, New Zealand, Singapore, and Malaysia.
The Mozilla VPN service, which initially launched as a Firefox extension named Firefox Private Network, has since grown into a full-device VPN client, available for Windows 10, macOS, Linux, Android, and iOS.
The service, which is built around the WireGuard protocol, uses servers provided by Mullvad and is currently priced at $5/month.
Mozilla says the VPN service currently runs on more than 280 servers across more than 30 countries, with “no logging” and “no bandwidth restriction” policies.
Since its informal announcement in 2019 and its official launch in 2020, the VPN service has been one of the most highly anticipated VPN offerings on the market, primarily because of Mozilla’s privacy-first reputation.
The browser maker is currently running a waitlist where users can sign up to be notified when the VPN service launches in their country.

The VPN service is also Mozilla’s first fully commercial product under a new business strategy the browser maker adopted last year. In August 2020, Mozilla laid off more than 250 employees and moved away from several open-source and non-revenue-generating products to focus on developing its own revenue streams, as an alternative to the Google search deal that has accounted for most of the organization’s budget over the previous decade.


    Recent root-giving Sudo bug also impacts macOS

A British security researcher has discovered today that a recent security flaw in the Sudo utility also impacts the macOS operating system, and not just Linux and BSD, as initially believed.

The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, the utility that allows admins to delegate limited root privileges to other users.
Qualys researchers discovered that they could trigger a heap-based buffer overflow in Sudo to escalate from a low-privileged local account to root, granting the attacker control of the whole system.
The only condition for exploiting this bug was that an attacker already have a foothold on the system, which researchers said could be gained by planting malware on a device or by brute-forcing a low-privileged service account; the account does not need to be listed in the sudoers file.
In their report last week, Qualys researchers said they only tested the issue on Ubuntu, Debian, and Fedora. They said that other UNIX-like operating systems were likely also impacted, and most security researchers assumed that meant BSD, another major OS family that also ships with Sudo.
Latest macOS version also impacted
But as Matthew Hickey, the co-founder of Hacker House, pointed out on Twitter today, the current version of macOS also ships with Sudo.
Hickey said he tested the CVE-2021-3156 vulnerability and found that, with a few modifications, the bug could be used to obtain root on macOS as well.

    CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
    — Hacker Fantastic 📡 (@hackerfantastic) February 2, 2021

    “To trigger it, you just have to overwrite argv[0] or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so,” Hickey told ZDNet today, prior to sharing a video of the bug in question.
    His findings were also privately and independently verified and confirmed to ZDNet by Patrick Wardle, one of today’s leading macOS security experts, and publicly by Will Dormann, a vulnerability analyst at the Carnegie Mellon University’s CERT Coordination Center.

Hickey told ZDNet the bug could be exploited on the current version of macOS, even after applying the security patches Apple released on Monday.
The researcher said he notified Apple of the issue earlier today. Apple declined to comment while it investigates the report; however, even without official confirmation from the Cupertino-based tech giant, a patch is to be expected for an issue this serious.
In addition, other researchers found that the bug could also be exploited on IBM AIX systems.
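For readers who want to know whether a given Linux, BSD or macOS host is exposed, the following is an added example, not code from the article, from Hickey or from Qualys. It applies the harmless behavioural test Qualys published (running `sudoedit -s /` from an unprivileged account: a vulnerable build reaches the overflowing code path and reports "not a regular file", a patched build rejects the flag and prints its usage) and, as a secondary hint, compares the reported sudo version with upstream's affected range of 1.8.2 through 1.9.5p1. On macOS, which ships sudo without a `sudoedit` link, the script reproduces the argv[0] trick from Hickey's tweet by invoking sudo through a temporary symlink named `sudoedit`. Distributions backport fixes, so a version string inside the range can still be patched, which is why the behavioural check is the one to trust.

```shell
#!/bin/sh
# Added example (not from the article, Qualys or Hacker House): local checks
# for CVE-2021-3156 (Baron Samedit). Run as an unprivileged user; the
# behavioural test only triggers an error message, it does not exploit the bug.

# Classify the combined stdout/stderr of `sudoedit -s /`.
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;   # overflowing path reached
        *usage:*)               echo patched ;;      # -s rejected for sudoedit
        *)                      echo unknown ;;
    esac
}

# Map a version string such as "1.9.5p1" to an integer for range comparison:
# major*10^6 + minor*10^4 + patch*100 + p-level.
version_key() {
    v="$1"
    p=0
    case "$v" in
        *p*) p="${v##*p}"; v="${v%p*}" ;;
    esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + p ))
}

# "in-range" if the version is within upstream's affected range 1.8.2..1.9.5p1.
sudo_version_status() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Run both checks against the installed sudo, if any.
check_sudo() {
    if ! command -v sudo >/dev/null 2>&1; then
        echo "sudo not installed"
        return 0
    fi
    ver=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    echo "sudo $ver: version check $(sudo_version_status "$ver")"
    if command -v sudoedit >/dev/null 2>&1; then
        out=$(sudoedit -s / 2>&1 || true)
    else
        # macOS has no sudoedit link: run sudo under the name "sudoedit"
        # (argv[0] selects the sudoedit code path, as in Hickey's tweet).
        tmp=$(mktemp -d)
        ln -s "$(command -v sudo)" "$tmp/sudoedit"
        out=$("$tmp/sudoedit" -s / 2>&1 || true)
        rm -rf "$tmp"
    fi
    echo "behavioural check: $(classify_sudoedit_output "$out")"
}

# Usage: sh baron_samedit_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_sudo
fi
```

If the behavioural check reports "vulnerable", upgrade sudo (1.9.5p2 or a vendor build carrying the fix) before anything else; the version check alone should never be used to declare a host safe or unsafe.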


    Securing your open-source software supply chain with Tidelift catalogs

Do you think about what routines, sub-programs and libraries go into the software you use? You should. The SolarWinds security disaster, which will be causing trouble from now until the end of 2021, happened because the company fouled up its software supply chain. This, in turn, hurt millions of users. Open source can help prevent such disasters, but open-source methods need supply chain improvements too. Now Tidelift, an open-source management company, has a way to help manage the open-source software supply chain’s health and security: Tidelift catalogs.


With catalogs, part of the Tidelift Subscription, companies get a comprehensive approach to curating, tracking, and managing their open-source components. This works whether you’re using other groups’ open-source programs or your own “inner-source” code. Here’s how:

    A paved path: Organizations can accelerate development and reduce security and licensing-related risk by defining and curating catalogs of known-good, proactively maintained open source components. Developers can draw from them safely without fear of late-breaking deployment blockers.

    Clear policies: Organizations can set and automatically enforce standards early in the development lifecycle, such as an organization’s license policies.

    Integrated experience: The Tidelift Subscription integrates with existing source code and repository management tools so developers don’t need to change their workflow. They can pull approved components and submit new ones for approval directly from the command line.

    Don’t think that’s important to your company because you “don’t use open source”? Oh please! A recent Tidelift study showed that 92% of enterprise software projects contain open-source dependencies and, in those projects, as much as 70% or more of the code was open source. I live and breathe software development; I think those numbers are on the low side. 
    Donald Fischer, Tidelift’s CEO and co-founder, explained,  “As software supply chain security makes frontpage news in 2021, it’s more important than ever that application development teams employ a comprehensive approach to managing the open-source components that make up their applications. With the addition of catalogs to the Tidelift Subscription, organizations can be confident that they are using open source safely without slowing down development.”
That’s easy to say, but can you prove it? Tidelift thinks it can by introducing its first set of Tidelift-managed catalogs. With these, your developers can pull from Tidelift-managed catalogs of known-good, proactively maintained components that cover common language ecosystems such as JavaScript, Python, Java, Ruby, PHP, .NET, and Rust, backed by Tidelift and its partnered maintainers.
    These can give your business a head start on building approved components for your development teams. Your programmers will soon let you know if these catalogs really are enterprise-ready and meet their needs for clearly defined security, maintenance, and licensing programs.
    This isn’t just for your programmers though. The company claims that with catalogs in place, the Tidelift Subscription can help people throughout your business. Specifically:

    For managers: Increase development velocity while ensuring development teams are building with safe, approved, and compliant components from the start.

    For developers: Move fast and avoid rework, eliminating late-breaking surprises that slow down development by using pre-approved, known-good components.

    For information security: Get a single place to define, review, and enforce policies around security vulnerabilities in open-source components.

    For legal: Get a single place to define, review, and enforce license policies and get indemnification to protect against licensing-related risk.

    Tidelift’s not wrong. If they can deliver the goods with their catalogs, your company will benefit. 
    As Al Gillen, IDC’s Group VP of Software Development and Open Source, said in a statement: “Recent software supply chain security compromises remind the industry how important it is to know where your software components come from, and to be able to trust those components. Open-source software is not immune to potential vulnerabilities, so it makes great sense to give your software development staff easy access to the components they need that meet enterprise standards. Tidelift’s expansion of the Tidelift Subscription to include catalogs of known-good open source addresses this need by collecting in one location a full suite of key open-source components that an organization relies on.”
If I were developing open-source software today, I’d be sure to kick Tidelift’s tires. It might just be what we need until the day comes when we have what David A. Wheeler, the Linux Foundation’s director of Open Source Supply Chain Security, has called verified reproducible builds. A reproducible build is one that “always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code”.
We won’t be there for a while yet, so in the meantime, approaches such as Tidelift’s make perfect sense.
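Wheeler’s definition above, turned into an added example that is not Tidelift’s, the Linux Foundation’s or any project’s code: a shell loop plays the part of two independent builders, runs the same build in two fresh directories and compares the outputs by checksum. The artifact is a constructed text file, and the hypothetical `naive_build` and `reproducible_build` functions exist only to show the two most common reproducibility breakers, wall-clock timestamps and absolute build paths, together with the SOURCE_DATE_EPOCH convention from reproducible-builds.org that fixes the former.

```shell
#!/bin/sh
# Added example: a minimal "verified reproducible build" check. Two builds in
# two fresh directories stand in for two independent organisations; if their
# outputs differ, nobody can verify that the artifact came from the source.

# Naive builder (hypothetical): stamps the artifact with the wall clock and
# the absolute build directory, exactly what real compilers and packagers leak.
naive_build() {
    outdir="$1"
    printf 'built-at=%s\nbuild-dir=%s\npayload=hello\n' \
        "$(date +%s)" "$outdir" > "$outdir/artifact"
}

# Reproducible builder (hypothetical): timestamp comes from SOURCE_DATE_EPOCH
# (default 0) and no absolute path is recorded.
reproducible_build() {
    outdir="$1"
    printf 'built-at=%s\nbuild-dir=%s\npayload=hello\n' \
        "${SOURCE_DATE_EPOCH:-0}" "." > "$outdir/artifact"
}

# Checksum of the content only: cksum reads stdin so the file name cannot
# influence the result.
content_checksum() {
    cksum < "$1"
}

# Run the named builder twice in independent directories and compare.
# Prints "reproducible" or "differs".
verify_reproducible() {
    builder="$1"
    a=$(mktemp -d)
    b=$(mktemp -d)
    "$builder" "$a"
    "$builder" "$b"
    ca=$(content_checksum "$a/artifact")
    cb=$(content_checksum "$b/artifact")
    rm -rf "$a" "$b"
    if [ "$ca" = "$cb" ]; then
        echo reproducible
    else
        echo differs
    fi
}

# Usage: sh verify_build.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "naive build:        $(verify_reproducible naive_build)"
    echo "reproducible build: $(verify_reproducible reproducible_build)"
fi
```

In a real pipeline the two builders would run on different machines owned by different parties, the checksum would be a SHA-256 of the final package, and the two digests would be published alongside the release so a consumer can compare them before installing.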


    FireEye posts record revenue in Q4

    Security firm FireEye on Tuesday reported record revenue for the fourth quarter and the full fiscal 2020. The strong results follow FireEye’s disclosure in December that it was the target of a massive international cyber espionage campaign. 
    “We continue to transform our business and believe we are well-positioned as organizations shift to intelligence-led security focused on security effectiveness,” CEO Kevin Mandia said in a statement. 
    Earnings for the quarter came to 12 cents on revenue of $248 million, an increase of 5 percent from the fourth quarter of 2019. 
    Wall Street was expecting earnings of 10 cents per share on revenue of $240.01 million. 
    “Our record fourth quarter and 2020 results demonstrated that we are gaining momentum in our Platform, Cloud Subscription, Managed Services and Professional services categories,” Mandia said. 
Combined, those two categories accounted for 55 percent of total revenue in 2020. 
    Annualized recurring revenue came to $638 million, an increase of 8 percent from Q4 2019. Platform, cloud subscription and managed services annualized recurring revenue totaled $340 million, an increase of 20 percent from Q4 2019. 

    The company in Q4 introduced its Mandiant Advantage SaaS platform. 
    “Our vision is to become a seamless extension of our customers’ security operations by delivering our threat intelligence and expertise gained on the frontlines through the Mandiant Advantage platform,” the CEO said. 
For the first quarter of fiscal 2021, FireEye expects non-GAAP net income of between 5 cents and 7 cents per share, on revenue of between $235 million and $238 million.



    Singapore assessing WhatsApp privacy policy change, not 'adversely affected' in SolarWinds breach

Singapore has yet to see significant impact from the SolarWinds security breach on its critical information infrastructures (CIIs) or government systems, but has urged organisations to safeguard their systems against potential threats. It also is looking into concerns related to upcoming privacy policy changes at WhatsApp, which is among the messaging platforms the government uses to push information to the local population. 
When news about the SolarWinds security breach broke, Singapore’s Cyber Security Agency (CSA) raised the national cyber threat alert level and worked with the country’s CII sectors to assess and monitor systems here, said Minister for Communications and Information S. Iswaran. 
    Noting that the attack was sophisticated and evaded detection for months, he said the breach was particularly “noteworthy” since the SolarWinds software was part of the network control and management infrastructure and, hence, was trusted and had privileged access to internal networks.


    “There is no indication, thus far, that Singapore’s CII and government systems have been adversely affected by the SolarWinds breach,” said Iswaran, who was responding to questions raised in parliament Tuesday. “The government is, nonetheless, adopting a cautious stance.”
    He said CSA had issued public advisories on steps enterprises should take to safeguard their systems against potential threats, including having full visibility of their networks and detecting unusual activity in a timely manner. He added that the situation still was evolving as affected companies continued to investigate the breach. 
    Hackers involved in the attack were believed to be acting for the Russian government and had deployed a malware-laced update for SolarWinds’ Orion software, infecting the networks and compromising sensitive data of several US government agencies and Fortune 500 companies, including the US Treasury Department, Microsoft, and FireEye.
    Iswaran said the attack highlighted the need to move towards a Zero Trust security posture, where activities should not be trusted until they were verified and there was constant monitoring and vigilance for suspicious activities. This also encompasses compartmentalising and restricting access to various segments within the network, validating transactions across segments, reconciling any escalation of user privileges, and actively hunting for threats.

    In addition, organisations should establish cyber incident response plans to deal with situations in which they were breached in an attack, he said. 
    “The SolarWinds incident underscores the global and trans-border nature of cyber threats,” the minister said. “Though difficult to completely prevent, we need deliberate, targeted, and consistent efforts to strengthen our cyber defences against [such] sophisticated threats, which exploit the supply chain of trusted vendors and software.”
    Government’s WhatsApp channel has 1.22M subscribers
    Iswaran also responded to questions with regards to WhatsApp’s upcoming privacy policy changes, revealing that the government was “looking into concerns” raised by consumers. 
    WhatsApp in recent weeks had begun pushing notifications to users about an update to its privacy statement, noting that they would have to accept the changes after February 8 in order to continue using the messaging platform or, otherwise, delete their account. Its previous policy had allowed users to opt out of most data-sharing with Facebook. 

    The news prompted many to seek out alternatives, fuelling downloads in particular for Signal and Telegram. The public outcry was enough to convince WhatsApp to delay the policy change to May 18 and force Facebook to issue several clarifications about the update.
    It said the policy changes were related to how organisations used the messaging app and would not affect the privacy of users’ messages. “This update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data,” it said in an FAQ.
    According to Iswaran, there currently were 1.22 million subscribers to Singapore’s Gov.sg WhatsApp channel, which was amongst several platforms it used to communicate with the public. These included Telegram, Twitter, as well as its own Gov.sg website, he said, adding that these platforms were tapped for broadcasts of “non-classified and publicly available information”. 
Noting that communication of classified data through commercial messaging platforms was prohibited, the minister said the Singapore government had rules on the use of such applications. These rules were independent of changes to the terms and privacy policies of messaging platforms, including WhatsApp, he added. 
    “Private-sector organisations contracted by the government to perform data-related activities, including the processing and communication of personal data, are bound by contractual terms and conditions. These will determine whether organisations are permitted to share, for their own commercial purposes, the data that has been provided by, or collected on behalf of, the government,” he explained.
    “Depending on the nature of the data involved, organisations may also have to comply with the data protection requirements in the Personal Data Protection Act and adhere to the Official Secrets Act,” he said. “Private-sector organisations that use WhatsApp as a business communications tool should be aware of the changes, and review their data protection policies and contracts with third parties to ensure they continue to align with the requirements under the PDPA.”
    He said the Personal Data Protection Commission was “engaging” WhatsApp with regards to the latter’s updated privacy policy and sharing of personal data with Facebook. 


    Google funds project to secure Apache web server project with new Rust component

    Google is funding a project at the Internet Security Research Group to port a crucial component of the Apache HTTP web server project from the bug-prone C programming language to a safer alternative called Rust.


The module in question is mod_ssl, the module responsible for the cryptographic operations needed to establish HTTPS connections on an Apache web server.
The ISRG says it plans to develop a new module called mod_tls that will do the same thing, but written in Rust rather than C.
The module will be based on Rustls, an open-source TLS library written in Rust and developed as an alternative to the C-based OpenSSL project.
The ISRG has contracted Stefan Eissing, founder of the software consultancy Greenbytes and one of the Apache HTTP Server code committers, to lead the mod_tls project.
The ISRG hopes that once the work is finished, the Apache HTTP Server team will adopt mod_tls as the default and replace the aging, C-based mod_ssl component.
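What the swap looks like from an administrator's side, as an added example that is not code from the ISRG, the Apache project or the article: the same virtual host configured once with today's mod_ssl and once with mod_tls. The mod_ssl directives are the standard ones; the mod_tls directive names (TLSEngine, TLSCertificate, TLSProtocol) are those the mod_tls project later documented and should be checked against the README of the version you install. Hostname and file paths are placeholders.

```apache
# --- Today: mod_ssl (C, backed by OpenSSL) ---
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    # Hardening mod_ssl leaves to the administrator: no legacy protocol versions,
    # server-preferred cipher order.
    SSLProtocol           -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder   on
</VirtualHost>

# --- Alternative: mod_tls (Rust, backed by Rustls) ---
# Rustls implements only TLS 1.2 and 1.3 and ships no weak cipher suites, so the
# legacy-protocol clean-up above has no equivalent here: there is nothing to switch off.
LoadModule tls_module modules/mod_tls.so
TLSEngine 443
<VirtualHost *:443>
    ServerName www.example.com
    TLSCertificate /etc/ssl/certs/example.pem /etc/ssl/private/example.key
    TLSProtocol v1.2+
</VirtualHost>
```

A listener is served by one module or the other: do not enable SSLEngine and TLSEngine for the same port. After switching, confirm with `apachectl -M` that only the intended module is loaded and retest the site with an external TLS scanner, since a memory-safe implementation removes one class of bugs but does not check your certificate chain or HSTS headers for you.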
A quick way of securing billions of users
According to W3Techs, the Apache HTTP web server is the most widely used web server technology, deployed by 34.9% of all websites whose web server technology is known.

    “Apache httpd is still a critically important piece of infrastructure, 26 years after its inception,” said Brian Behlendorf, one of the Apache web server creators.
    “As an original co-developer, I feel a serious revamp like this has the potential to protect a lot of people and keep httpd relevant far into the future.”
Over the past few years, Rust has become one of the most beloved programming languages around.
Developed with sponsorship from Mozilla, Rust was designed as a safer, low-level, general-purpose programming language to serve as an alternative to C and C++.
    Unlike C and C++, Rust was designed as a memory-safe programming language that comes with protections against memory-management issues that often result in dangerous security flaws.
    Memory-safety vulnerabilities have dominated the security field for the past decades and have often led to issues that can be exploited to take over entire systems, from desktops to web servers and from smartphones to IoT devices.
    Microsoft said in 2019 that the percentage of memory safety issues patched in its software had hovered around 70% of all security bugs for the past 12 years.
    In 2020, Google echoed the same number when the Chrome team said that 70% of the bugs patched in its web browser were also memory-related issues.
Both Google and Microsoft are currently experimenting with Rust in Chrome and Windows respectively. Microsoft has gone so far as to create a new Rust-inspired research language called Verona, which it recently open-sourced on GitHub.
With such statistics from both Google and Microsoft, and with almost two-thirds of all websites now redirecting to HTTPS, porting Apache’s TLS module to Rust is a comparatively direct way of making sure billions of users are kept safe in the coming years.


    Ransomware gangs made at least $350 million in 2020

Ransomware gangs made at least $350 million in ransom payments in 2020, blockchain analysis firm Chainalysis said in a report last week.
    The figure was compiled by tracking transactions to blockchain addresses linked to ransomware attacks.
Although Chainalysis possesses one of the most complete data sets on cryptocurrency-related cybercrime, the company said its estimate was only a lower bound of the true total.
Not all victims disclosed their ransomware attacks and subsequent payments last year, the company said, so the real total is likely many times larger than what it was able to observe.
    Ransomware was 7% of all cryptocurrency-based crime
Even as a lower bound, the figure shows that ransomware was sharply on the rise, Chainalysis says.
    According to numbers released in a previous report, ransomware payments accounted for 7% of all funds received by “criminal” cryptocurrency addresses in 2020.
The total rose 311% compared to 2019, Chainalysis said, attributing the sudden increase to “a number of new strains taking in large sums from victims” and “a few pre-existing strains drastically increasing earnings.”


    Based on the company’s data, among last year’s top earners, there were groups like Ryuk, Maze (now-defunct), Doppelpaymer, Netwalker (disrupted by authorities), Conti, and REvil (aka Sodinokibi).
    Nonetheless, other strains like Snatch, Defray777 (RansomExx), and Dharma, also pulled profits estimated in the range of millions of US dollars.

Chainalysis said that based on how victims paid their ransoms, and on how the profits of certain RaaS (ransomware-as-a-service) operations spiked and fell, there is also evidence that the ransomware scene is made up of far fewer threat actors than initially believed, with many groups constantly switching from one RaaS to another as they are lured by better deals.
    Few exit points open the door for law enforcement disruption
    Furthermore, Chainalysis said it also tracked how crooks moved the ransom payments through the blockchain.
    Their findings weren’t too different from previous years, noting that criminals usually laundered funds through “Bitcoin mixing” services and then sent the funds to both legitimate and high-risk cryptocurrency exchange portals to convert the funds into fiat, real-world currency.
But the Chainalysis team also confirmed a report from Advanced Intelligence (AdvIntel) published last month, which found that ransomware gangs often use these same funds to pay for other cybercrime services.
    Chainalysis says it, too, saw payments being made to bulletproof hosting providers, exploit sellers, and penetration testing services (also known as initial access brokers), as ransomware operations dealt with their “suppliers.”
    However, the primary finding of this report was that many of these cybercrime operations, and not only ransomware, often reused the same intermediary money laundering services.
    “Instances of overlap in money laundering services is important information for law enforcement, as it suggests they can disrupt the activity of multiple strains — in particular, their ability to liquidate and spend the cryptocurrency — by taking one money laundering operation offline,” the Chainalysis team said.
    Furthermore, the same tactic could be applied to crypto-exchanges, the points where most of the ransomed funds exit the blockchain.
Chainalysis said that a group of only five exchange portals received 82% of all ransomware funds in 2020, exchanges where law enforcement could apply pressure in the future to disrupt the crucial cash flow of ransomware operations.


    GL.iNet Beryl travel router review: Pocket-sized secure router with VPN and Tor

    Pros
    ✓Small, light and compact
    ✓VPN and Tor
    ✓Dual Band Wi-Fi

    Cons
    ✕Some technical knowledge needed to set up securely

    The GL.iNet Beryl (GL-MT1300) pocket-sized travel router has some great security features in its ultra-portable form factor.

    This router is small at 118 x 85 x 30mm and weighs 184g. However inside, there are a lot of useful features that you might need when you are out and about.
Inside, a MediaTek MT7621A dual-core processor runs at 880MHz, alongside 256MB of DDR3L memory and 32MB of flash storage.
    It is powered by a USB Type-C power supply, has a USB 3.0 port and three gigabit Ethernet ports on the front of the router. Two side antennas fold down for ease of transportation.
The Beryl offers dual-band Wi-Fi delivering up to 867Mbps on the 5GHz band and 400Mbps on 2.4GHz. It also supports IPv6.
The router runs OpenWrt (19.07.4), an open-source operating system based on Linux. Root access lets users customise and optimise the device and install additional packages on the Beryl.

It has four ways of connecting to the internet: a WAN cable; using the Beryl as a repeater; plugging a USB modem into its USB 3.0 port; or using that port and a cable to tether it to your mobile phone.
If you use the repeater option, you can connect the router to an existing wireless network, for example free Wi-Fi in a hotel or cafe. The router then creates its own subnet and acts as a firewall between your devices and the public network.
If you have a USB modem, insert your data SIM into it and plug it into the router’s USB port; the router will then use it as a 3G/4G uplink. Alternatively, simply tether your mobile phone to the USB port.
    The admin panel is simple to use and allows you to configure internet connection types, configure the Wi-Fi name and change the password from the default, manage and block clients, configure your firewall and applications, and use a VPN.
    You can set up an OpenVPN client to connect to an OpenVPN server, add a certificate for an OpenVPN server, subscribe to a WireGuard server, or set up your own server.
    Beryl supports 30+ OpenVPN and WireGuard VPN services with speeds up to 91Mbps on WireGuard and 21Mbps on OpenVPN.
    The internet kill switch means that all connected clients can only access the internet through the client VPN on the router.
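What the kill switch described above means at the firewall level, as an added example that is not GL.iNet’s firmware code or OpenWrt’s own scripts: an OpenWrt `uci` configuration for a WireGuard client plus the zone and forwarding rules that let LAN clients reach the internet only through the tunnel. It assumes a stock OpenWrt with the WireGuard packages installed and the default `lan` and `wan` zones; the keys, endpoint and tunnel address are placeholders that your VPN provider supplies. Setting `UCI=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: WireGuard client + kill switch on OpenWrt via uci.
# The kill switch is simply "lan may forward into the wg zone and nowhere
# else": when wg0 is down, client traffic is rejected instead of falling back
# to the WAN. Set UCI=echo for a dry run.

u() { "${UCI:-uci}" "$@"; }

# $1 client private key, $2 server public key, $3 endpoint host,
# $4 endpoint port, $5 tunnel address (CIDR) assigned to this client.
configure_wireguard_client() {
    u set network.wg0=interface
    u set network.wg0.proto='wireguard'
    u set network.wg0.private_key="$1"
    u add_list network.wg0.addresses="$5"
    u set network.wg0_peer=wireguard_wg0
    u set network.wg0_peer.public_key="$2"
    u set network.wg0_peer.endpoint_host="$3"
    u set network.wg0_peer.endpoint_port="$4"
    u add_list network.wg0_peer.allowed_ips='0.0.0.0/0'
    u set network.wg0_peer.route_allowed_ips='1'   # default route via the tunnel
    u set network.wg0_peer.persistent_keepalive='25'
}

configure_kill_switch() {
    # A dedicated zone for the tunnel; the router NATs LAN traffic into it.
    u set firewall.wg=zone
    u set firewall.wg.name='wg'
    u add_list firewall.wg.network='wg0'
    u set firewall.wg.input='REJECT'
    u set firewall.wg.output='ACCEPT'
    u set firewall.wg.forward='REJECT'
    u set firewall.wg.masq='1'
    u set firewall.wg.mtu_fix='1'
    # LAN may forward into the tunnel zone ...
    u set firewall.lan_to_wg=forwarding
    u set firewall.lan_to_wg.src='lan'
    u set firewall.lan_to_wg.dest='wg'
    # ... and every forwarding into wan is removed: this is the kill switch.
    # Anonymous sections are deleted highest index first so indices stay valid.
    for f in $(u show firewall 2>/dev/null \
               | sed -n "s/^firewall\.\(@forwarding\[[0-9]*\]\)\.dest='wan'$/\1/p" \
               | sort -t '[' -k 2 -rn); do
        u delete "firewall.$f"
    done
}

apply_all() {
    configure_wireguard_client "$@"
    configure_kill_switch
    u commit network
    u commit firewall
    /etc/init.d/network restart
    /etc/init.d/firewall restart
}

# Usage (placeholder values): sh wg_killswitch.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_all 'CLIENT_PRIVATE_KEY_BASE64' 'SERVER_PUBLIC_KEY_BASE64' \
              'vpn.example.net' 51820 '10.64.0.2/32'
fi
```

One caveat a practitioner should check after applying this: the rules govern forwarded traffic only. The router’s own processes, including its DNS forwarder, still have the WAN available when the tunnel is down, so point the router’s upstream resolver at an address reachable only through the tunnel (or use the encrypted DNS option the review mentions) to avoid leaking clients’ DNS queries while web traffic is blocked.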

    Users’ online identity and browsing data could be concealed from surveillance and traffic analysis by using the Tor service. Tor (derived from “The Onion Router”) software helps you to explore the internet anonymously.
Additionally, encrypted DNS via Cloudflare helps prevent eavesdropping on and manipulation of DNS queries by a man-in-the-middle. The router also supports WPA3, the next generation of Wi-Fi security.
    There is a mode switch on the side of the router that does not seem to do anything initially. However, this switch is fully configurable in the admin panel to toggle VPN or Tor on or off.
    I found the configuration of the GL.iNet Beryl far easier than any of my router repeaters at home, and I was quickly up and running using the router as a repeater. The GL.iNet documentation is comprehensive and easy to follow.
    It took me slightly longer to tether my mobile device to the router — entirely because one of the cables I was using did not enable USB tethering on the phone.
    A quick rummage in my cable boxes meant I found a cable that did work for data transfer and the USB tether became enabled.
    For $69.99, the Beryl travel router is simple to configure and use, it is compact and light, and, once configured, will cope with a lot of simultaneously connected devices.
    If you are out and about and need a secure or anonymous connection, the GL.iNet Beryl could be exactly the router you are looking for.
