More stories

  • McAfee debuts remote browser isolation solution, XDR platform

    McAfee has launched a selection of new cybersecurity offerings including remote browser isolation tools to tackle attacks in real-time. 

    On Thursday, the cybersecurity firm took to the stage at MPOWER Digital 2020 to introduce the latest capabilities of the McAfee MVISION Unified Cloud Edge (UCE) portfolio. 
    The first release of note is the integration of remote browser isolation (RBI) technology with the UCE real-time protection stack. 
    RBI technology, also known as browser isolation, moves a user’s activities to a remote server. Online content is rendered and sent to the user, rather than allowing direct access, which could help protect remote workers from potential attacks — including web-based phishing campaigns and malicious websites containing exploit payloads — as well as corporate networks as a whole. 
    With the inclusion of new unified data loss prevention (DLP) and incident management upgrades across devices and networks, McAfee says that UCE now provides a “more comprehensive converged approach to security within the Secure Access Service Edge (SASE) framework.”
    “The uncertainty of 2020 has forced enterprises to accelerate their cloud transformation projects to empower their remote workforces, resulting in a 50% increase in enterprise cloud use since the start of the year,” the company added. “However, this has exposed [..] significant security challenges.”
    These problems include an increase in attacks against cloud services, brute-force attacks, and data flows going beyond traditional networks — potentially exposing companies to information leaks or attacks caused by shadow IT. 
    In addition, McAfee has launched MVISION XDR, an extended detection and response platform. This cloud offering is designed to blanket full IT infrastructures to improve security operations center (SOC) efficiency while also reducing overall cost.
    “MVISION XDR removes the complexity of fragmented tools and provides new levels of proactivity, prioritization, and orchestration to improve the SOC effectiveness,” the company says. 
    McAfee also revealed the MVISION Cloud Native Application Protection Platform (CNAPP) at the event, a new solution intended for data protection, threat prevention, data governance, and compliance for cloud-native applications. 
    CNAPP is suitable for public clouds, virtual machines (VMs), containers, and serverless functions, and includes resource discovery, vulnerability assessment, MITRE ATT&CK framework threat mapping, zero-trust access policy controls, and data governance mechanisms. 
    In related news, McAfee filed for an Initial Public Offering (IPO) in September. The cybersecurity firm is expected to reach a valuation of at least $8 billion. 


  • Open Source Security Foundation launches a new certification program on edX

    If you’re a programmer and you’ve heard it once, you’ve heard it a thousand times. “Build security into your programs!” That’s easy to say, but how, exactly, do you do that? The Linux Foundation’s Open Source Security Foundation (OpenSSF) has an answer: A set of three free classes and a certification program to get your security skills up to speed. 

    On the edX learning platform
    The three free courses on how to develop secure software will be offered on the edX learning platform. These classes are intended for the full range of software developers, including DevOps professionals, software engineers, and web application developers. Indeed, anyone interested in learning how to develop secure software will find these courses useful. Besides teaching you how to develop secure software, they also deal with how to reduce damage when a bug is found. They will also help you learn how to quickly analyze and fix security holes when one is found.
    The classes are:
    The courses focus on practical developer steps you can use to counter the most common kinds of attacks. 
    Specifically, they dig into common risks and requirements, design principles, and evaluating code (such as packages) for reuse. They also focus on key implementation issues, including input validation, processing data securely, calling out to other programs, sending output, cryptography, error handling, and incident response. This is followed by a discussion on various kinds of verification issues, including security testing and penetration testing, and security tools. The classes conclude with a discussion on deployment and handling vulnerability reports.

    The OpenSSF training program includes a Professional Certificate program: Secure Software Development Fundamentals. Enrollment for the courses and certificate is open now. Course content and the Professional Certificate program tests will become available on Nov. 5. 
    This is an online, self-paced program. The coursework was created by the well-known David A. Wheeler, The Linux Foundation’s Director of Open Source Supply Chain Security. OpenSSF and edX estimate it will take an hour or two a week for five months to master the coursework and be able to pass the certification test. While the classes are free, the certification program currently costs a discounted $537.30.

    Mike Dolan, The Linux Foundation’s Senior VP and GM of Projects, said: “We’re excited to offer the Secure Software Development Fundamentals professional certificate program to support an informed talent pool about open source security best practices.” You should be excited, too. As the recent 2020 Open Source Jobs Report showed, demand is higher than ever for open-source and Linux savvy employees and 52% of hiring managers are more likely to hire you if you have appropriate certification.
    One final note: the OpenSSF is incorporating the Core Infrastructure Initiative (CII) projects. CII has been working on securing older, popular open-source programs that were not receiving enough funding. These programs include the CII Census, a quantitative analysis to identify critical OSS projects; the CII Best Practices badge project; and the CII FOSS Contributor Survey, a quantitative survey of OSS developers. These will become part of the OpenSSF Securing Critical Projects working group. The efforts will continue to be implemented by the Laboratory for Innovation Science at Harvard (LISH).

  • Singapore taps iris, facial biometrics as primary identifiers at immigration checkpoints

    Singapore is turning to the eye and face as the main features to identify travellers at its immigration checkpoints. This is a move away from an individual’s fingerprint, previously tapped as the main biometric identifier, which has presented challenges due to ageing, scarring, and dryness. 
    The Immigration & Checkpoints Authority (ICA) said it had been rolling out iris and facial scanners since July at all automated and manual immigration points located at the passenger halls of Singapore’s land, sea, and air checkpoints. These included Changi Airport Terminal 4, Tanah Merah Ferry Terminal, and the Tuas and Woodlands checkpoints that border Singapore’s northern neighbour Malaysia.
    Deployed in collaboration with the Home Team Science & Technology Agency, the newly equipped systems meant travellers’ iris and facial data would replace fingerprints as the primary biometric identifiers for immigration clearance. 

    Used as the main identifier since 2006, when the enhanced Immigration Automated Clearance System was introduced, fingerprints would now serve as a secondary option for those whose iris and facial scans were unsuccessful.
    The move was necessary because deterioration of fingerprints, for example due to ageing, scarring, or dryness, had created issues with verification using this biometric data. Iris patterns also had a higher degree of variation and uniqueness compared to fingerprints and, hence, were more reliable for identification, said ICA, noting that an iris scan provided nearly 250 feature points for matching. In comparison, a fingerprint had just 100 feature points.
    Furthermore, specialised equipment was necessary to perform an iris scan, making it less susceptible to misuse, the government agency said, noting that it had begun registering iris images of Singapore citizens and permanent residents since January 2017.
    Singapore is targeting full implementation of iris and facial scans, as part of its New Clearance Concept, at all checkpoints by 2022. Both biometric identifiers would be used concurrently.
    The New Clearance Concept aimed to enable Singapore residents to clear immigration without the need to present their passport as well as to enable the majority of foreign visitors, including first-time visitors, to clear immigration without the need to first enrol their biometrics. Details on how these would be achieved would be announced at a later date, according to ICA. 
    Apart from Singapore citizens and permanent residents, long-term pass holders and international travellers on Singapore’s Frequent Traveller Programme would be able to register their iris and facial biometrics and use these for immigration clearance. Children below the age of six would not be able to use either option because their physical features and associated biometrics still were developing and would not be reliable means of authentication. 
    Singapore last month inked a deal with British vendor iProov to provide face verification technology used in the Asian country’s national digital identity system. Already launched as a pilot earlier this year, the feature allows SingPass users to access e-government services via a biometric, bypassing the need for passwords. 
    iProov’s Genuine Presence Assurance technology is touted to have the ability to determine if an individual’s face is an actual person, and not a photograph, mask or digital spoof, and authenticate that it is not a deepfake or injected video. Its agreement with the Singapore government also is the first time the vendor’s cloud facial verification technology is used to secure a country’s national digital identity.

  • FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals

    US healthcare providers, already under pressure from the COVID-19 pandemic, have been put on high alert over Trickbot malware and ransomware targeting the sector.   
    The warning over an “imminent cybercrime threat to US hospitals and healthcare providers” comes from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services. 

    The US healthcare sector is under threat from infection by Trickbot, one of the largest botnets in the world, against which Microsoft took US legal action earlier this month in an effort to gain control of its servers. Within a day of the seizure, Trickbot command-and-control servers and domains were replaced with new infrastructure. 
    CISA flagged Anchor_DNS, a backdoor created by the eastern European hackers behind the multifunctional Trickbot malware. 
    Trickbot emerged in 2016 as a banking trojan but evolved into a multi-purpose malware downloader, with access to infected systems sold on to other criminal groups as a service. Originally known as banking malware, it has since been used to distribute malware that steals credentials, email, and point-of-sale data, and to spread file-encrypting ransomware such as Ryuk.
    Trickbot infected more than a million computers, according to Microsoft and its partners at Symantec, ESET, FS-ISAC, and Lumen.  
    The US agencies warned the healthcare sector about Trickbot on Wednesday following a tip-off received by security firm Hold Security, according to krebsonsecurity.com. 
    The company’s CEO Alex Holden said he saw the Ryuk ransomware group – a ruthless gang known for leaking the data of targets before encrypting their files – discussing plans to deploy the ransomware at over 400 US healthcare facilities.  
    “As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling,” CISA said in the alert. 
    DNS tunneling exploits the system that maps human-readable website names like google.com to the numeric internet protocol (IP) system that guides browsers to websites. 
    The Anchor_DNS backdoor forces infected PCs to communicate with command-and-control servers over DNS to bypass network defense products and hide malicious communications with legitimate DNS traffic. 
    “Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic,” CISA notes. 
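The XOR detail above is enough to build a network-side check. The following is an added example, not CISA's or Microsoft's code: it takes DNS query names, recovers the single-byte XOR key by exhaustive search (so it still works if the key changes from 0xB9), and flags queries whose decrypted payload contains the string Anchor_DNS. The page does not say how the encrypted bytes are carried inside query names, so this example assumes they are hex-encoded in the subdomain labels; the sample query names and the c2-placeholder.example zone are constructed.

```python
"""Detection helper for Anchor_DNS-style DNS tunnelling (added example).

CISA states that Anchor_DNS encrypts its DNS communications with a
single-byte XOR cipher (key 0xB9 observed) and that the string
"Anchor_DNS" appears in the request traffic once decrypted.  How the
encrypted bytes are carried inside query names is not stated: this
example ASSUMES they travel hex-encoded in the subdomain labels, a
common DNS-tunnelling layout.  The sample queries are constructed.
"""
import re
from typing import List, Optional, Tuple

MARKER = b"Anchor_DNS"     # plaintext string CISA reports after decryption
OBSERVED_KEY = 0xB9        # key reported by CISA
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key for b in data)


def payload_from_qname(qname: str) -> bytes:
    """Concatenate the hex-looking labels of a query name (assumed carrier
    layout) and decode them to raw bytes; other labels are ignored."""
    labels = qname.rstrip(".").split(".")
    hex_labels = [l for l in labels if HEX_LABEL.match(l) and len(l) % 2 == 0]
    return bytes.fromhex("".join(hex_labels))


def decode_with_key(qname: str, key: int = OBSERVED_KEY) -> bytes:
    """Decrypt the carried payload with a known key (0xB9 by default)."""
    return xor_bytes(payload_from_qname(qname), key)


def find_anchor_key(qname: str) -> Optional[int]:
    """Try all 256 single-byte keys and return the one that reveals the
    marker, or None.  Exhaustive search keeps the check working if the
    operators move away from 0xB9."""
    payload = payload_from_qname(qname)
    if len(payload) < len(MARKER):
        return None
    for key in range(256):
        if MARKER in xor_bytes(payload, key):
            return key
    return None


def scan_queries(qnames: List[str]) -> List[Tuple[str, int]]:
    """Return (query name, recovered key) for every query carrying the marker."""
    hits = []
    for qname in qnames:
        key = find_anchor_key(qname)
        if key is not None:
            hits.append((qname, key))
    return hits


# Constructed sample traffic: a benign name, one name carrying the marker
# under the observed key, one under a different key, and a hex-looking
# label that is not tunnelled data.  The zone is a placeholder, not an IoC.
C2_ZONE = "c2-placeholder.example"
SAMPLE_QUERIES = [
    "www.example.com",
    xor_bytes(MARKER + b"\x01\x02", OBSERVED_KEY).hex() + "." + C2_ZONE,
    xor_bytes(b"hello" + MARKER, 0x5A).hex() + "." + C2_ZONE,
    "deadbeef.example.com",
]

if __name__ == "__main__":
    for qname, key in scan_queries(SAMPLE_QUERIES):
        print(f"{qname}: key 0x{key:02X} -> {decode_with_key(qname, key)!r}")
```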
    Security firm Mandiant today released a set of indicators of compromise that suggest an infection by Ryuk ransomware. It refers to the group as UNC1878. 
    Reuters reports that the FBI is investigating recent attacks against healthcare providers in Oregon, California and New York, with one facility reduced to paper processes for patient medical results. 
    The US government has warned hospitals to back up systems, to disconnect systems from the internet where possible, and avoid using personal email accounts, according to Reuters. 
    CISA has now listed several indicators of compromise that security teams should look for.  
    It notes that the Trickbot malware for Windows copies itself as an executable file with a 12-character, randomly generated filename (including the .exe extension), for example mfjdieks.exe, and places this file in the directories C:\Windows, C:\Windows\SysWOW64, and C:\Users\[Username]\AppData\Roaming.
    The UK’s National Cyber Security Center in June warned British businesses about Ryuk ransomware attacks. 
    Ryuk operators often use commercial off-the-shelf products – such as Cobalt Strike and PowerShell Empire – to steal credentials, according to CISA.
    Earlier this month, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned Australian organizations about Emotet malware, which is used in conjunction with Trickbot.  
    “Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot,” the ACSC wrote in its alert.

  • Microsoft: These Iranian attackers are targeting high-profile conference attendees

    Microsoft says it has thwarted a series of cyberattacks by Iranian hacking group Phosphorus targeting attendees of two high-profile international conferences.

    Microsoft’s Threat Intelligence Center (MSTIC) says it has detected and intercepted attempts by the nation-state group to harvest credentials of more than 100 “high-profile individuals” thought to be attending the upcoming Munich Security Conference, as well as the Think 20 (T20) Summit in Saudi Arabia.
    According to Microsoft, the group posed as event organizers and sent spoofed invitations to the victims via email, with the intention of fooling them into giving up information.
    The emails were written in “near-perfect English” and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations, Microsoft said.
    It’s unclear whether any compromising information was given up to the group, although Microsoft said that event organizers had been made aware of the hacking attempt and had in turn warned attendees.

    Figure: Flow of a typical Phosphorus attack in the campaign targeting conference attendees. (Image: Microsoft)
    “We believe Phosphorus is engaging in these attacks for intelligence-collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries,” said Microsoft.
    “We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain.”
    Microsoft has shared the indicators of compromise (IOCs) observed during these activities to help IT teams identify earlier campaigns and protect against future ones – see below.
    INDICATOR                          TYPE        DESCRIPTION
    t20saudiarabia[@]outlook.sa        Email       Masquerading as the organizer of the Think 20 (T20) conference
    t20saudiarabia[@]hotmail.com       Email       Masquerading as the organizer of the Think 20 (T20) conference
    t20saudiarabia[@]gmail.com         Email       Masquerading as the organizer of the Think 20 (T20) conference
    munichconference[@]outlook.com     Email       Masquerading as the organizer of the Munich Security Conference
    munichconference[@]outlook.de      Email       Masquerading as the organizer of the Munich Security Conference
    munichconference1962[@]gmail.com   Email       Masquerading as the organizer of the Munich Security Conference
    de-ma[.]online                     Domain      Domain used for credential harvesting
    g20saudi.000webhostapp[.]com       Subdomain   Subdomain used for credential harvesting
    ksat20.000webhostapp[.]com         Subdomain   Subdomain used for credential harvesting
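Microsoft's advice (check that the sender address is legitimate and that embedded links lead to the official conference domain) and the indicator table above can be turned into a mail-side triage check. The following is an added example, not Microsoft's code: it refangs the published indicators, parses a message, and reports a sender or link host that matches an indicator or falls outside the organiser's domain. The "official" domains munich-conference.example and t20-summit.example are placeholders (an assumption; substitute the real organiser domains), and both sample messages are constructed.

```python
"""Checks for spoofed conference-invitation emails (added example).

Applies the two checks Microsoft recommends, a legitimate-looking sender
address and links that point at the official conference domain, and also
matches the sender and link hosts against the published indicators.  The
indicator values are the defanged ones from the advisory table; the
"official" domains are PLACEHOLDERS; the sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Published indicators, defanged as in the advisory table.
PUBLISHED_IOCS = {
    "t20saudiarabia[@]outlook.sa": "Email",
    "t20saudiarabia[@]hotmail.com": "Email",
    "t20saudiarabia[@]gmail.com": "Email",
    "munichconference[@]outlook.com": "Email",
    "munichconference[@]outlook.de": "Email",
    "munichconference1962[@]gmail.com": "Email",
    "de-ma[.]online": "Domain",
    "g20saudi.000webhostapp[.]com": "Subdomain",
    "ksat20.000webhostapp[.]com": "Subdomain",
}

# Placeholder organiser domains (assumption; not taken from the advisory).
OFFICIAL_DOMAINS = {"munich-conference.example", "t20-summit.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[@]", "@").replace("[.]", ".").lower()


IOC_EMAILS = {refang(v) for v, t in PUBLISHED_IOCS.items() if t == "Email"}
IOC_HOSTS = {refang(v) for v, t in PUBLISHED_IOCS.items() if t != "Email"}


def host_in(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_urls(msg: Message) -> List[str]:
    """Collect http(s) URLs from every text part of the message."""
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text += raw.decode(part.get_content_charset() or "utf-8", "replace")
    return URL_RE.findall(text)


def assess_invite(raw_email: str) -> Dict[str, object]:
    """Return the sender, a list of findings and an overall verdict."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    findings = []
    if sender in IOC_EMAILS:
        findings.append(f"sender {sender} is a published indicator")
    if not host_in(sender_domain, OFFICIAL_DOMAINS):
        findings.append(f"sender domain {sender_domain} is not an official conference domain")
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if host_in(host, IOC_HOSTS):
            findings.append(f"link host {host} is a published indicator")
        elif not host_in(host, OFFICIAL_DOMAINS):
            findings.append(f"link host {host} is outside the official conference domains")
    return {"sender": sender, "findings": findings, "suspicious": bool(findings)}


# Constructed samples: a lure reusing published indicators, and a clean invite.
SPOOFED_INVITE = """\
From: Munich Security Conference <munichconference1962@gmail.com>
To: attendee@example.org
Subject: Invitation: Munich Security Conference
Content-Type: text/plain; charset="utf-8"

Please confirm your attendance: https://de-ma.online/confirm?id=123
"""

GENUINE_INVITE = """\
From: T20 Secretariat <secretariat@t20-summit.example>
To: attendee@example.org
Subject: T20 Summit agenda
Content-Type: text/plain; charset="utf-8"

The agenda is at https://t20-summit.example/agenda
"""

if __name__ == "__main__":
    for label, mail in (("spoofed", SPOOFED_INVITE), ("genuine", GENUINE_INVITE)):
        print(label, assess_invite(mail))
```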
    Basic IT security measures, like turning on multi-factor authentication and tightening email-forwarding rules, can help mitigate the dangers of phishing attacks and other such data-harvesting attacks.
    As Microsoft noted in its recent Digital Defense Report, nation-state groups frequently target think tanks, policy groups and other governmental and non-governmental organizations deemed to hold valuable information.
    While the activity doesn’t seem to be tied to the upcoming 2020 US presidential election, it wouldn’t be the first time Phosphorus has attempted to interfere with the race to the White House.
    Microsoft first detected attempts to hack members of the 2020 US presidential campaigns back in October 2019. More recently, the software giant uncovered a series of attempts by Chinese, Iranian, and Russian state-sponsored groups to breach email accounts belonging to people associated with the Biden and Trump election campaigns.
    “Based on current analysis, we do not believe this activity is tied to the US elections in any way,” Microsoft said.

  • PJCIS stops short of recommending warrants to access metadata as scheme is tightened

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) handed down its report [PDF] on Australia’s metadata retention scheme on Wednesday, issuing 22 recommendations that tighten access to data without introducing any large overhauls, such as requiring a warrant.
    In broad terms, the committee recommends raising access thresholds in an effort to avoid a warrant regime, and boosting security and transparency around the data held and passed across by telcos and authorised agencies, while the period for which Australian telcos need to retain data collected on customers remains at two years.
    “The committee is not satisfied that a warrant should be required for data held as part of the [mandatory data retention regime]. However, the committee considers that access should require a higher level of authorisation within each agency as well as more detailed reporting in relation to how, when, and for what reason that access is granted,” the report said.
    “It is the committee’s view that there is a need for more information to be collated about the current functioning of the matter data retention regime. This would assist all relevant oversight and review bodies in undertaking their work as well as affording a higher degree of transparency which the committee believes will give the Parliament and the Australian community greater trust in the use of these powers.”
    One area to gain a recommended exemption from the committee is the use of Internet of Things devices, which is set to be specifically omitted.
    “If the government considers that there are clear benefits in requiring service providers to keep information for particular Internet of Things devices, and that those benefits outweigh the costs, the Telecommunication (Interception and Access) Act 1979 could be further amended to impose clear and specific requirements on providers to retain that information,” the report said.
    The committee said it was “disconcerting” that there were thousands of authorised officers around the country that could approve access to retained data, and instead put forward reducing it only to officers in a “supervisory role in the functional command chain” as well as individuals with a specific appointment.
    “The indiscriminate authorisation of entire classes/ranks of officers as ‘authorised officers’ is, in the committee’s view, inappropriate,” it said.
    The committee also recommended cutting out the loopholes that have allowed agencies that are not deemed as enforcement agencies to use other powers in order to gain access to metadata. The Attorney-General’s Department was previously advising agencies to skirt the restrictions on metadata access.
    “The committee has considerable concern around the use of section 313(3) and 280(1)(b) of the Telecommunications Act to allow for access to metadata,” the report said.
    With 87 agencies found to be skirting the restrictions, the committee asked those agencies to tell it why they should be able to continue to do so.
    “There were very few submitters that took this opportunity up. Those that did were unable to convince the committee of the need for this broad access to telecommunications data,” the report said.
    “The committee is concerned to build on and retain confidence in the data retention regime and concludes that the number and type of agencies that can access a person’s telecommunications data via section 280 (1) (b) of the Telecommunications Act may undermine the social licence for ASIO and law enforcement agencies to access the information.”
    Home Affairs was also called out for failing to assist the committee in finding a way to amend this particular section to remove the loophole.
    In seeking to tighten access, the committee recommended the binning of provisions that allow an officer to “authorise the disclosure of historic telecommunications data if he or she is satisfied that the disclosure is reasonably necessary to find a missing person, or for the enforcement of the criminal law or any law imposing a pecuniary penalty (including, for example, a parking infringement)”. Instead, it wants access kept to voluntary disclosure, locating a missing person, or the investigation of a serious offence or an offence with a penalty of at least three years’ imprisonment.
    The committee said the definition of serious offence could be found in the Telecommunications Interception Act, and that access for “pecuniary penalties or protection of the public revenue” be repealed.
    “Access to existing information and documents granted for ‘enforcement of the criminal law’ (section 178) is drafted broadly and is subject to no limitations,” the report stated.
    Despite concerns that the location data kept is extremely private, the committee did not recommend against retaining it. Similarly, the committee said there are no “specific concerns” over agencies receiving URLs from telcos, but it did recommend an amendment so that, if such data is received and the agency does not use it, the agency informs oversight agencies and destroys it with approval.
    On the issue of oversight, PJCIS said it was difficult due to a lack of data about the operation of the scheme, and said it would be better if the Department of Home Affairs could create a report from each agency with access.
    “This could be achieved by each agency adhering to an agreed format and method of recording prescribed information, which could be provided to Home Affairs, an oversight agency or a parliamentary committee on request for aggregation into a report,” the report said before the committee went meta and put forward the idea of a database to help oversee the scheme.
    “If it were deemed to be more cost effective, a national database created and managed by Home Affairs could also be an option albeit this would require consideration regarding privacy, security and rules for access. Ideally, data entered as part of the request for authorisation could be recorded in the agreed fields to reduce duplication of effort,” the report said.
    Similarly, the report also recommended telcos keep “detailed records of the kinds of information included in each disclosure”, which it also said would go some way to alleviating concerns over browsing histories being passed across by telcos.
    The report also called for Home Affairs to develop national guidelines on how the regime would operate within 18 months; that agencies keep received metadata long enough for oversight by either the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman to be performed before it is deleted when no longer needed; and that state criminal law-enforcement agencies be made to notify of any data breach involving received metadata.
    It was also recommended that Home Affairs clearly define “content or substance of a communication”.
    “In defining the term ‘content or substance of a communication’, Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual,” it said.
    The committee also called for the explicit requirement that metadata is stored on servers within Australia, whereas currently, it could be stored anywhere in the world — as well as requiring agencies and carriers to meet minimum security standards.
    In additional comments from the Labor party, opposition members laid out the case for warrants to be introduced from an independent issuing authority.
    “Labor members are concerned that the power to access telecommunications data without a warrant may be used — and is, in fact, currently being used — to access the telecommunications data of individuals who are not themselves suspected of any wrongdoing.”
    Enforcement agencies should not be able to access the metadata of those not suspected unless that person consents, consent cannot be obtained because the person has been injured or killed, or seeking consent from the person could compromise an investigation, the Labor members said.
    If an enforcement agency thinks an innocent person’s metadata could assist an investigation and they do not provide consent, at that point, the agency would need a warrant.
    “Labor members note that significant intrusions into privacy by law enforcement agencies, such as a search of a person’s home, opening a person’s mail, installing a listening device or obtaining a saliva sample, generally require agencies to obtain a person’s consent or a warrant from an independent issuing authority,” the additional comments from Labor said.
    “Given that context, we consider our proposal to be both modest and sensible.”
    PJCIS recommended that the committee conduct another review of the scheme by June 2025.

  • APT groups aren't all from Russia, China, and North Korea

    Advanced persistent threat (APT) hacker groups are often assumed to be state-supported organisations such as China’s APT10 aka Stone Panda, Russia’s APT28 aka Fancy Bear, or Vietnam’s APT32 aka Ocean Lotus.
    However, these and other groups are often identified and named by cyber intelligence firms with strong links to their own national governments, FireEye and CrowdStrike in the US, to name just two.
    Sometimes naming and shaming nation-states for their hacking is part of a deliberate diplomatic strategy.
    But authoritarian regimes don’t generally admit weaknesses, and those attacking those regimes might not want to admit to being just as aggressive — though with different aims.

  • FireEye Q3 results beat expectations, raises year view, shares jump 6%

    Shares of cloud-based security provider FireEye are up over 6% in late trading after the company this afternoon reported Q3 revenue and profit that topped analysts’ expectations and forecast this quarter’s revenue above expectations as well.

    FireEye’s CEO, Kevin Mandia, said the company’s results showed how much progress the company has made “transforming our business.”
    Revenue in the three months ended in September rose almost 6%, year over year, to $238.6 million, yielding EPS of 11 cents. Analysts had been modeling, on average, $228 million and 7 cents per share. 
    For the current quarter, the company sees revenue in a range of $237 million to $241 million and EPS in a range of 9 cents to 11 cents. That is, again, higher than consensus on the revenue line, at $237 million, and in line with profit consensus of 10 cents per share.
    With the forecast, the company’s full-year outlook for 2020 now stands at $930 million to $934 million, up from a forecast offered in July of $905 million to $925 million.
    The company said its annualized recurring revenue reached an all-time high of $612 million, up 6%, year over year. 
    Said Mandia, “We released our cloud-native Mandiant Advantage platform in October, making our intelligence and expertise easily accessible and actionable to any security organization, regardless of the security controls they deploy.” The company “also announced a collaboration with Microsoft to provide cybersecurity services based on Microsoft security products,” added Mandia.
    “Both announcements reflect the technology-agnostic approach of Mandiant Solutions and allow us to expand our addressable market beyond the installed base of current FireEye customers.”
    FireEye, founded sixteen years ago in the Silicon Valley town of Milpitas, California, began by offering an appliance product to detect Web site threats, running inside of a virtual machine. 
    The company expanded into its current form with the 2013 acquisition of privately held Mandiant, an incident response and forensics firm founded by Mandia.
    FireEye stock rose almost 6% in late trading, to $14.90. 
