More stories

    Google researcher discovers new iOS security system

    With the release of iOS 14 last fall, Apple has added a new security system to iPhones and iPads to protect users against attacks carried out via the iMessage instant messaging client.
    Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software.
    Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system.
    While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.
    Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can’t interact with or harm the underlying operating system, or retrieve user data.

    The need for a service like BlastDoor had become obvious after several security researchers had pointed out in the past that the iMessage service was doing a poor job of sanitizing incoming user data.
    Over the past three years, there had been multiple instances where security researchers or real-world attackers found iMessage remote code execution (RCE) bugs and abused these issues to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone’s device.

    Don’t forget to see my #BHUSA talk on iMessage remotes! Tomorrow 2:40pm in Lagoon GHI
    — Natalie Silvanovich (@natashenka) August 6, 2019

    The latest of these attacks took place last year, over the summer, and was detailed in a report from Citizen Lab named “The Great iPwn,” which described a hacking campaign that targeted Al Jazeera staffers and journalists.
    Groß said he was drawn to investigating iOS 14’s internals after reading in the Citizen Lab report that the attackers’ zero-days stopped working after the launch of iOS 14, which apparently included improved security defenses.
    After probing around in the iOS 14 inner workings for a week, Groß said he believes that Apple finally listened to the security research community and improved iMessage’s handling of incoming content by adding the BlastDoor sandbox to iMessage’s source code.
    “Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß said in a blog post today.
    “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.”

    Hezbollah's cyber unit hacked into telecoms and ISPs

    A Hezbollah-affiliated threat actor known as Lebanese Cedar has been linked to intrusions at telco operators and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE.

    The year-long hacking campaign started in early 2020 and was discovered by Israeli cyber-security firm Clearsky.
    In a report published today, the security firm said it identified at least 250 web servers that have been hacked by the Lebanese Cedar group.
    “It seems that the attacks aimed to gather intelligence and steal the company’s databases, containing sensitive data,” ClearSky said today.
    “In case of telecommunication companies, one can assume that databases containing call records and private data of clients were accessed as well,” the company added.
    Attacks targeted outdated Atlassian and Oracle servers
    Clearsky researchers said the attacks followed a simple pattern. Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, after which they deployed exploits to gain access to the server and install a web shell for future access.
    The Hezbollah-linked group then used these web shells for attacks on a company’s internal network, from where they exfiltrated private documents.

    For their attacks on internet-facing servers, Clearsky said the hackers used vulnerabilities such as:
    CVE-2019-3396 in Atlassian Confluence 
    CVE-2019-11581 in Atlassian Jira
    CVE-2012-3152 in Oracle Fusion
    Once they gained access to these systems, the attackers deployed web shells, such as ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source tool named JSP file browser (which can also function as a web shell).
    On internal networks, the attackers deployed a more powerful tool named the Explosive remote access trojan (RAT), a tool specialized in data exfiltration that the group has also used in the past.
    Clearsky said they were able to link the attacks to Hezbollah’s cyber unit because Explosive RAT was a tool that was until now exclusively used by the Lebanese Cedar group.
    Some victim names made public
    Furthermore, researchers also said that attackers made mistakes in their operation and often reused files between intrusions. This allowed Clearsky to track the attacks across the globe and link them to the group.
    “The operation enabled us to fingerprint the targets of [the] Lebanese Cedar APT and categorize them based on sector and country of origin,” Clearsky said. “We identified 254 infected servers worldwide, 135 of them shared the same hash as the files we identified in [a] victim’ network during our [incident response] investigation.”
    Based on these scans, the researchers named some of the group’s better-known victims, including the likes of Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia, and Frontier Communications in the US.
    For indicators of compromise and more technical details about the attacks, the ClearSky Lebanese Cedar report’s PDF contains additional data.


    DDoS attacks: Big rise in threats to overload business networks

    Cyber attacks where criminals threaten to overload a target’s network with Distributed Denial of Service (DDoS) attacks unless they’re paid off have more than doubled over the last year.
    Analysis of cyber threats and criminal activity by security researchers at Neustar found that the number of ransom-related DDoS attacks (RDDoS) grew by 154 percent between 2019 and 2020. Financial services, telecommunications and government agencies are some of the sectors most targeted by the attackers.
    One of the reasons ransom-related DDoS attacks are increasing in popularity is because they’re relatively simple to carry out, even for low-level cyber criminals.
    Rather than having to rely on ransomware or other malware to hold a network hostage, DDoS attackers merely threaten their victims with the prospect of DDoS if the payment – usually demanded in bitcoin – isn’t received within a deadline. Criminals will often present a taster of what could come with a short-lived DDoS attack in an effort to coerce the victim into paying.
    All the RDDoS attacker needs is a botnet to overload the target systems with traffic – something which can be hired on underground forums for a relatively low cost – and the ability to threaten organisations with the prospect of an attack over email.
    Some criminals behind DDoS ransom attacks will pretend to be notorious hacking groups such as Fancy Bear or other nation-state linked operations in their ransom notes in an effort to scare the victim into paying up – and many organisations do pay, through fear of being taken offline, even though there are many ways to mitigate such attacks.

    However, despite the threat of being knocked offline, organisations are urged not to give in to the demands of cyber criminals, so as not to encourage a further rise in ransom DDoS attacks.
    “Organisations should avoid paying these ransoms. Instead, any attack should be reported to the nearest law enforcement field office, as the information may help identify the attackers and ultimately hold them accountable,” said Michael Kaczmarek, Vice President of Security Product Management at Neustar.
    “Beyond this, organisations can prepare by setting up a robust DDoS mitigation strategy, including assessing the risks, evaluating available solutions, considering mitigation strategies and keeping their plan and provider up to date.”

    Facial recognition: Don't use it to snoop on how staff are feeling, says watchdog

    Some applications of facial recognition that can lead to discrimination should be banned altogether, according to Europe’s human rights watchdog, following months of deliberation on how to best regulate the technology. 
    The Council of Europe has published new guidelines to be followed by governments and private companies that are considering the deployment of facial recognition technologies. For example, workplaces that use digital tools to gauge worker engagement based on their facial expressions, or insurance companies using the technology to determine customers’ health or social status could all be affected by the new guidelines. 

    The watchdog effectively advises that where the technology is used exclusively to determine an individual’s skin color, religious belief, sex, ethnic origin, age, health or social status, the use of facial recognition should be prohibited, unless it can be shown that its deployment is necessary and proportionate.  
    Under the same conditions, the ban should also apply to some of the digital tools that can recognize emotions, detect personality traits or mental health conditions, and which can be used unfairly in hiring processes or to determine access to insurance and education. 
    “At its best, facial recognition can be convenient, helping us to navigate obstacles in our everyday lives. At its worst, it threatens our essential human rights, including privacy, equal treatment and non-discrimination, empowering state authorities and others to monitor and control important aspects of our lives – often without our knowledge or consent,” said Council of Europe Secretary General Marija Pejčinović Burić.
    “But this can be stopped. These guidelines ensure the protection of people’s personal dignity, human rights and fundamental freedoms, including the security of their personal data.” 
    In addition to a ban on specific applications, the organization also designed regulations to protect citizens’ privacy when facial recognition technology is deemed a suitable tool to use. 

    For example, there should be strict parameters and criteria that law enforcement agencies should adhere to when they find it justifiable to use facial recognition tools; and where the use of the technology is covert, it should only be allowed to “prevent imminent and a substantial risk to public security.” The Council of Europe also called for a public debate to regulate the deployment of the technology in public places and schools, where it argued that less intrusive mechanisms exist. 
    Private companies should not be allowed to use facial recognition in environments like shopping centers, be it for marketing or private security purposes. When they deploy the technology, they must get explicit consent from those who will be affected and offer them an alternative solution. 
    The Council of Europe’s new guidelines were built on top of an agreement called the Convention 108+, which was first published in 1981 and constituted at the time the first legally binding document in the field of data protection. In 2018, the convention was modernized to adapt the agreement to the digital age, and now has 55 participating states. 
    Despite the re-writing of the convention, experts have worried that European regulation is not suited to the age of AI and potentially leads to detrimental outcomes for citizens, especially in the case of technologies that can be problematic like facial recognition. 
    Martin Ebers, the co-founder of the Robotics and AI Law Society (RAILS), told ZDNet: “We have regulatory frameworks that are not specifically tailored to AI systems, but are nevertheless applied to AI systems. For example, there are no specific rules at an EU level to deal with facial recognition systems.” 
    The last few years have seen repeated attempts from various European institutions and activists to impose stricter regulation on AI systems, and particularly facial recognition tools. In a white paper published on artificial intelligence last year, the EU said it would consider banning the technology altogether, which was shortly followed by the European Data Protection Supervisor Wojciech Wiewiórowski arguing in favor of a moratorium on the use of facial recognition in public spaces. 
    Although the guidelines are a set of reference measures rather than legally binding laws, the document provides the most extensive set of proposals so far to regulate facial recognition technology in Europe. The measures will go through the European Parliament before being passed as new laws. 
    Fanny Hidvégi, Europe Policy Manager at Brussels-based thinktank AccessNow, told ZDNet: “We urge the Council of Europe to take the next step and support a ban for applications that are in inherent conflict with fundamental rights. No democratic debate, temporary pause or safeguards can mitigate individual and societal harms caused by such use of these technologies.”

    Stack Overflow: Here's what happened when we were hacked back in 2019

    Stack Overflow, a popular site amongst developers, has revealed more about a week-long breach that it disclosed in May 2019. 
    Stack Overflow said at the time the attackers accessed user account data, and now the company says that after consulting with law enforcement, it can reveal more about what happened and how a newly registered user came to have moderator- and developer-level access.
    Last year, Stack Overflow said it had identified “privileged web requests that the attacker made that could have returned IP address, names, or emails for a very small number of Stack Exchange users.”
    According to the brand’s latest update, the hacker accessed and stole source code but it says the breach only affected 184 users.
    “A user that nobody recognised had gained moderator and developer level access across all of the sites in the Stack Exchange Network. Our immediate response was to revoke privileges and to suspend this account and then set in motion a process to identify and audit the actions that led to the event,” said Stack Overflow’s Dean Ward. 
    Ward says the escalation of privilege was “just the tip of the iceberg” and the company soon discovered a lot more, including the exfiltration of source code. Additionally, the breach exposed the email addresses, real names and IP addresses of 184 users across the Stack Exchange Network.
    “Thankfully, none of the databases—neither public (read: Stack Exchange content) nor private (Teams, Talent, or Enterprise)—were exfiltrated. Additionally, there has been no evidence of any direct access to our internal network infrastructure, and at no time did the attacker ever have access to data in Teams, Talent, or Enterprise products.”

    Ward provides an account of the attacker’s activities from April 30 — the date the attacker started probing its build and source code control systems — to May 22, the date Stack Overflow notified affected users of the data breach. The account describes compromise techniques and technical exploits carried out over several weeks in May.
    On May 1, someone posing as one of Stack Overflow’s enterprise customers submitted a request for a copy of source code for an audit. The company rejected that request because it doesn’t hand out its source code. 
    The next day the attacker used a spoofed email address of a customer to raise a support ticket with Stack Overflow. This attack avenue was discovered after Stack Overflow sent an automated reply to the customer whose email was spoofed. 
    By Friday May 3, the attacker started poking around Stack Overflow’s public facing infrastructure and by Sunday the attacker was able to successfully log in to the development tier. 
    “Our dev tier was configured to allow impersonation of all users for testing purposes, and the attacker eventually finds a URL that allows them to elevate their privilege level to that of a Community Manager (CM). This level of access is a superset of the access available to site moderators,” explained Ward. 
    After that, the attacker used the site’s account recovery feature to recover access to a developer’s account. The attacker couldn’t intercept the recovery email, but could use a feature on the dev tier that shows the email content to community managers. The attacker used this feature to get the link to reset credentials.
    “This is used and the attacker gains developer-level privileges in the dev environment. Here they are also able to access “site settings”—a central repository of settings (feature flags) that configure a lot of functionality within the site,” writes Ward. 
    A positive note was that Stack Overflow’s login to its GitHub Enterprise instance was protected by two-factor authentication. But by Thursday May 9, the attacker pulled more repositories from Stack Overflow and then tried to use a virtual machine from Microsoft Azure to connect to the site’s VPN using previously acquired credentials. 
    Then the attacker starts using Stack Overflow’s own knowledge base to learn how to build .NET applications and run SQL database scripts in Azure that would later be used to attack Stack Overflow. Eventually the attacker creates a method for using SQL to elevate permissions across the Stack Exchange Network. 
    “After several attempts, they are able to craft a build that executes this as a SQL migration against the production databases housing data for the Stack Exchange Network,” notes Ward.  
    “Shortly after execution of the SQL, we were notified of the odd activity by the community and our incident response team started investigating.”
    Stack Exchange engineers didn’t know the extent of the attack but further investigation revealed a TeamCity account was compromised and was subsequently disabled. Eventually it took TeamCity offline entirely.
    “Once we discovered that the escalation path involved dev and the use of site settings to acquire credentials, we committed code to remove those paths—notably, the tool used to view an account recovery email and the site settings used to compromise the TeamCity service account,” notes Ward.
    Stack Overflow’s analysis also includes a set of recommendations for others:
    Log all your inbound traffic. “You can’t investigate what you don’t log.”
    Use 2FA. “That remaining system that still uses legacy authentication can be your biggest vulnerability.”
    Guard secrets better. “Educate engineers that ‘secrets aren’t just passwords.’ Protect SSH keys and database connection strings too. When in doubt, protect it.” 
    Validate customer requests. “The more unusual a request from a customer, the more important it is to verify whether or not the request is legitimate.”
    Take security reports seriously.

    Pirated themes and plugins are the most widespread threat to WordPress sites

    Pirated (aka nulled) themes and plugins were the most common source of malware infections on WordPress sites in 2020, according to Wordfence, a provider of website application firewall (WAF) solutions for WordPress sites.

    The security firm said its malware scanner detected more than 70 million malicious files on more than 1.2 million WordPress sites in 2020.
    “Overall, the Wordfence scanner found malware originating from a nulled plugin or theme on 206,000 sites, accounting for over 17% of all infected sites,” the company said on Wednesday.
    Of these 206,000 sites, 154,928 were infected with a version of the WP-VCD malware, a WordPress malware strain known for its use of pirated/nulled themes for distribution.
    Wordfence said this particular malware operation was so successful last year that it accounted for 13% of all infected sites in 2020.
    Over 90 billion malicious login attempts
    But WordPress sites also got infected with malware via other means beyond pirated themes. Legitimate sites also got attacked and infected. Other methods through which these sites got hacked included brute-force attacks against login forms and the use of exploit code that takes advantage of unpatched vulnerabilities.
    All in all, 2020 was a massive year in terms of brute-force attacks. Wordfence reported seeing more than 90 billion malicious and automated login attempts.

    These attacks came from 57 million different IP addresses —most likely part of attack botnets and proxy networks— and amounted to 2,800 malicious login attempts per second against Wordfence customers.
    To mitigate these attacks, Wordfence recommended that site owners either deploy a WAF or enable a two-factor authentication solution for their accounts.
    On the vulnerability exploitation front, things were just as bad, with Wordfence reporting more than 4.3 billion exploitation attempts over the past year.
    The most common form of vulnerability that attackers exploited last year was “directory traversals,” a type of bug that threat actors try to abuse to read files from WordPress installations (such as wp-config.php) or upload malicious files on a WordPress site.
    Other exploitation attempts also relied on SQL injection, remote code execution bugs, cross-site scripting issues, or authentication bypasses, Wordfence said.
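    The brute-force login floods and directory-traversal probes described above leave a clear trace in ordinary web server logs, which is where a site owner without a WAF can still catch them. The script below is an added example and is not Wordfence’s code or anything from its report: it parses a handful of constructed Apache combined-log lines (the IP addresses, paths and timestamps are made up), flags source addresses that POST to wp-login.php more than a threshold number of times inside a sliding time window, and flags requests whose URL-decoded path contains a `../` sequence or names wp-config.php. The threshold, window and sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2021:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2021:12:07:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2021:12:02:30 +0000] "GET /wp-content/plugins/example/download.php?file=../../../wp-config.php HTTP/1.1" 200 2810 "-" "curl/7.68.0"
192.0.2.45 - - [10/Jan/2021:12:02:31 +0000] "GET /wp-content/plugins/example/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.46 - - [10/Jan/2021:12:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Only the fields the two detectors need: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for IPs that POST to /wp-login.php at least
    `threshold` times within any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def traversal_attempts(log_text, sensitive=("wp-config.php",)):
    """Return [(ip, status, decoded_path)] for requests whose decoded path
    contains a parent-directory sequence or names a sensitive file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        decoded = unquote(unquote(rec["path"]))  # decode twice to catch double-encoding
        if TRAVERSAL_RE.search(decoded) or any(name in decoded for name in sensitive):
            hits.append((rec["ip"], rec["status"], decoded))
    return hits


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute-force candidate: {ip} ({count} login POSTs inside the window)")
    for ip, status, path in traversal_attempts(SAMPLE_LOG):
        # A 200 with a non-trivial byte count on such a request deserves a closer look.
        print(f"traversal attempt: {ip} status={status} path={path}")
```

The traversal check decodes the path twice so that `%252e%252e%252f`-style double encoding is not missed, and the status code is kept in the output because a 200 response to a wp-config.php traversal is the case that warrants immediate investigation, while a 404 is a probe that still identifies a source worth blocking.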

    The best free VPNs: Why they don't exist

    TANSTAAFL. If you’ve read your Heinlein, you know it’s an acronym for “There ain’t no such thing as a free lunch.” That phrase has actually been around since the days of Old West saloons. If you bought a drink, the saloon would provide you with a free lunch. There was a catch, of course. The lunches were so salty that patrons wound up buying more and more drinks, to slake their thirst.

    TANSTAAFL. There’s always a catch.
    Which brings us to VPN services. To recap: VPN (aka Virtual Private Network) is a term used for services that allow you to encrypt your internet traffic between your computer and a destination computer on the VPN service. This is particularly necessary when using something like a hotel’s open Wi-Fi service, so that other guests can’t watch all your traffic and steal juicy bits, like credit card numbers and passwords.
    If you don’t know which VPN service to use, I compared several commercial VPN providers in The Best VPN services of 2021, analyzing them against 20 different factors.
    That directory was a study of commercial VPN services. I limited my analysis to commercial services for a reason: TANSTAAFL.
    There are also many free VPN services, but I don’t trust them. You probably shouldn’t either.
    Here’s the thing: Running a VPN service is expensive. You need either servers and data lines, or you’re paying a cloud vendor like Amazon for every bit received, sent, and stored. Either way, it costs money. So, think about this: If you’re running a free VPN service, how do you pay for all that expense?

    You. In the back of the room. I see your hand up. “Ads,” you say. Yep, that’s a possibility. Some free VPN services plaster ads on your browser display and sell those to whomever will pay.
    I see another hand. “Stolen data.” That’s a possibility, too. If you were a criminal organization or a terrorist ring, and you wanted to pick up a lot of credentials quickly, one easy way would be to open up a free VPN and wait for people to just hand you their secret information. As P.T. Barnum is said to have said, “There’s a sucker born every minute.”
    TASBEM. In other words, TANSTAAFL.
    OK, one more. “Lead in for upgrade sales.” Yeah, that works, too. Some vendors will offer a small amount of free access and when you eat up that bandwidth, they’ll ask you to upgrade. “Try before you buy” is a proven method for selling services; it’s perfectly legitimate; and it’s often good for both the vendor and the customer.
    You may also see some universities, activists, and other well-meaning groups offer free VPNs, but the problem is that they are resource constrained. That means that you’re bound to see either slowdowns or stoppages because they can’t afford the resources needed to provide the service. Some of those groups might also harvest information as you use their services, for use sometime in the future to further whatever their agendas might be.
    The bottom line, though, is this: It’s just not worth risking your personal and financial data on a free VPN service. The VPN services I rated range from about $6 to $12 per month, or about $40 to $120 per year. It’s usually a better deal to pay for the whole year at once.
    The cost of identity theft keeps going up, both in out-of-pocket expenses and in the time and hassle to clean up the mess. When it comes to a service that’s designed to transfer your personal credentials and keep them safe, isn’t it worth spending just a few bucks to save potentially thousands of dollars, hundreds of hours, and an unmeasurable amount of stomach acid?
    For me, it is. I’m using a commercial VPN right now, as I write this. For the peace of mind and digital protection, it’s a few bucks well spent.
    *By the way, if you haven’t read Robert Heinlein’s The Moon is a Harsh Mistress, I recommend it highly. It’s a Hugo and Nebula-award winning novel. One word of warning: It’s quite political (1960s political). But it’s also brilliant science fiction — a must read for any serious student of the genre.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

    A month after a high-level cyberattack, charity says many IT systems are still offline

    The Woodland Trust has confirmed that it was hit with a cyberattack last month, describing the incident as “sophisticated” and “high level” – and it has taken many services offline.
    The UK’s largest woodland conservation charity hasn’t detailed exactly what kind of cyber incident has taken place but said it is working with relevant authorities, including the police and the Information Commissioner’s Office (ICO), to determine if data has been compromised.

    The Woodland Trust does say that it’s experiencing disruption as many systems are offline, affecting the ability to support “certain services” for members and supporters.
    It’s believed the attack took place during the evening of 14 December 2020. The Woodland Trust hasn’t said when it discovered the attack, only that it “took immediate action” to mitigate it as soon as the organisation became aware of it, as well as bringing in third-party cybersecurity investigators.
    “We understand this news will concern and worry our members and supporters. We would like to reassure you we are doing all we can to determine fully the nature and scope of the incident as quickly as possible, including as a priority what data, if any, may have been impacted,” the Woodland Trust said in a statement.
    The charity added that if it’s found that personal information of members has been affected, it will notify them in accordance with GDPR.

    IT systems have been disconnected to “avoid any further unauthorised access” and the Woodland Trust said it’s working with cybersecurity experts to resolve the situation.
    While the charity, which plants trees and protects woods and wildlife, isn’t currently aware of data about its half a million members being accessed by cyber criminals, it has urged them to be cautious in the event of attempts to exploit any potentially stolen data.
    “We are encouraging all our supporters to be mindful of any suspicious activity, especially unexpected emails or phone calls from unknown sources or purporting to come from your bank.”
    The Woodland Trust told ZDNet: “We have been working hard, alongside a number of third-party experts including forensic IT specialists, to determine the nature of the criminal activity. This investigation is ongoing, and therefore there are details which are yet to emerge.”