More stories

    Microsoft did some research. Now it's angry about what it found

    Is it too late?
    I’m quite used to hearing that Microsoft has annoyed someone.

    Usually, it’s a Windows user who’s angry about Redmond’s keenness to slip unwanted products onto their screens.
    I was rather moved, then, to hear that Microsoft itself is enduring conniptions of the most fundamental kind.
    You see, the company recently commissioned research company YouGov to ask 5,000 registered voters about their innermost feelings. One or two deeply felt highlights emerged.
    90% of respondents admitted they’re worried every time they share their information online. 
    70% privately pointed their fingers at the US government. They said it isn’t doing enough to protect their personal data.
    A similar 70% said they’d like to see the next administration enact privacy legislation.
    How do I know this made Microsoft angry? Well, these details come from a bracingly seething blog post — published this week — from the company’s “Corporate Vice-President For Global Privacy and Regulatory Affairs and Chief Privacy Officer.”
    Extraordinarily, we’re talking about just one person with all those titles, Julie Brill. She doesn’t think the US government is doing brilliantly.
    Brill tried to rein in her irkdom. She began by talking about the importance of data in our new, more domestically confined world.
    She said: “Data is critical not just in rebuilding our economy but in helping us understand societal inequalities that have contributed to dramatically higher rates of sickness and death among Black communities and other communities of color due to COVID-19. Data can also help us focus resources on rebuilding a more just, fair and equitable economy that benefits all.”
    A fundamental problem, said Brill, is the lack of trust in society today. In bold letters, she declared: “The United States has fallen far behind the rest of the world in privacy protection.”
    I can’t imagine it’s fallen behind Russia, but how poetic if that was true.
    Still, Brill really isn’t happy with our government: “In total, over 130 countries and jurisdictions have enacted privacy laws. Yet, one country has not done so yet: the United States.”
    Brill worries our isolation isn’t too splendid. She mused: “In contrast to the role our country has traditionally played on global issues, the US is not leading, or even participating in, the discussion over common privacy norms.”
    That’s like Microsoft not participating in the creation of excellent smartphones. It’s not too smart.
    Brill fears other parts of the world will continue to lead in privacy, while the US continues to lead in inaction and chaos. It sounds like the whole company is mad as hell and isn’t going to take it anymore.
    Yet it’s not as if Microsoft has truly spent the last 20 years championing privacy much more than most other big tech companies. In common with its west coast brethren, it’s been too busy making money.
    Brill is undeterred. She tried to offer good news. Some states are taking the matter of privacy into their own jurisdictions. And then she offered words of hope that, to this reader at least, swim in baths of sarcasm: “There are also signs of real interest among some members of Congress.”
    Real interest among members of Congress can often feel like real sincerity. You hope it’s there, but you suspect it’s not.
    Yet I sense Brill doesn’t have too much hope in governmental action. So, spurred again by the company’s research, she turned to the corporate world.
    “The YouGov study found that significantly more people believe companies bear the primary responsibility for protecting data privacy — not government,” she said.
    Yet what do those companies do? They make privacy controls your responsibility, dear citizen. I dare say Microsoft has done that once or twice in its time.
    “The large number of websites, devices and apps that people rely on to remain connected and engaged – a number that has grown even larger during this health crisis – makes it nearly impossible for individuals to navigate the privacy information overload and make informed decisions about how their data is used,” said Brill.
    And then, in a perfectly chest-beating use of the plural, she added: “Too often, we deliver that information in notices difficult for lawyers and engineers to understand — much less consumers.”
    Brill’s blog post is short on patience, but not short. It’s a withering exposition of what the tech world has wrought and how society has dissipated, especially during the last decade.
    Just as there’s no trust in corporations’ protection of personal privacy, so there’s no trust in seemingly any facet of US society. Some might read Brill’s thoughts as if they’re in anticipation of — or even hoping for — a new administration that will embrace humanity more fully.
    “Trust is essential,” concluded Brill. “It is time for government and business to work together to pass laws and reinvent practices to recognize the individual right to own and control personal data and to place the responsibility for protecting privacy where it belongs — on companies.”
    I wanted to offer a grand hurrah. But then I was confronted by new research from the authors of “The Corporate Social Mind.”
    The headline? “Germans trust companies more than Americans to address social issues.”

    US Treasury sanctions Russian research institute behind Triton malware

    CNIIHM, Moscow (Image: Google Maps)
    The US Treasury Department announced sanctions today against a Russian research institute for its role in developing Triton, a malware strain designed to attack industrial equipment.

    Sanctions were levied today against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).
    A FireEye report published in October 2018 identified CNIIHM as the possible author of the Triton malware.
    The Triton malware, also known as Trisis or HatMan, was designed to target one specific type of industrial control system (ICS) equipment: Schneider Electric Triconex Safety Instrumented System (SIS) controllers.
    According to technical reports from FireEye, Dragos, and Symantec, the malware was distributed via phishing campaigns. Once it infected a workstation, it would search for SIS controllers on a victim’s network, and then attempt to modify the controller’s settings.
    Researchers said Triton contained instructions that could either shut down a production process or allow SIS-controlled machinery to work in an unsafe state, creating a risk of explosions and risk to human operators and their lives.
    Triton almost caused an explosion at a Saudi petrochemical plant
    The malware was first spotted after it was used successfully in 2017 during an intrusion at a Saudi petrochemical plant owned by Tasnee, a privately owned Saudi company, where it almost caused an explosion.
    Since then, the malware has been deployed against other companies. Furthermore, the group behind the malware (known as TEMP.Veles or Xenotime) has also been seen “scanning and probing at least 20 electric utilities in the United States for vulnerabilities,” the US Treasury said today in a press release.
    Today’s sanctions prohibit US entities from engaging with CNIIHM and also seize any of the research institute’s US-based assets.
    “The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

    This style of sanctioning is significant and honestly entirely appropriate against those involved in the first ever cyber attack to intentionally try to kill people in civilian infrastructure. #TRISIS #TRITON https://t.co/dVzAn0kusq
    — Robert M. Lee (@RobertMLee) October 23, 2020

    Today’s Treasury sanctions end a week from hell for Russian state-sponsored hacking groups. On Monday, the US Department of Justice filed charges against six hackers who are part of the Sandworm group, believed to have created the NotPetya, KillDisk, BlackEnergy, and OlympicDestroyer malware.
    On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) exposed a recent hacking campaign of a Russian hacking group known as Energetic Bear.
    On the same day, the EU also imposed sanctions on two Russian intelligence officers for their role in the 2015 German Parliament hack.
    But as several security researchers pointed out today on Twitter, shortly after the Treasury announcement, the US may not have the moral high-ground, mainly because the US pioneered attacks against industrial systems through its work and deployment of the Stuxnet malware against Iran’s nuclear program in 2010.

    They… uh… the Treasury realizes that we don’t really have the high ground to stand on here… right? *cough* Stuxnet *cough*
    — MikeTalonNYC (@MikeTalonNYC) October 23, 2020

    Apple notarizes six malicious apps posing as Flash installers

    Malware authors have managed to pass malicious apps through the Apple app notarization process for the second time this year and the second time in the past six weeks.

    App notarization is a recent security protection formally introduced by Apple earlier this year.
    It is a process that requires Mac app developers to submit their apps to Apple for a series of automated security scans that check for malware or other malicious code patterns.
    Apps that pass through the scans are “notarized,” meaning they are added to a whitelist inside the Apple GateKeeper security service.
    Once added to the GateKeeper whitelist, notarized apps can be opened and installed with a simple click, without any warnings or popups.
    App notarization has been mandatory for all apps that want to run on Apple’s newest macOS releases, like Catalina and Big Sur.
    The notarization process has been warmly received by both app users and developers, as it removed some of the friction of installing apps on macOS.
    First wave of notarized malware
    However, similar to Bouncer, the automated security system that scans Android apps before they are uploaded on the Google Play Store, Apple’s app notarization process was never expected to be perfect.
    The first malicious apps that managed to pass through the notarization process and get whitelisted on newer versions of macOS were discovered at the end of August [1, 2].
    In total, 40 apps passed through; they were infected with the Shlayer trojan and the BundleCore adware.
    Second wave of notarized malware
    But in a report published this week, Joshua Long, Chief Security Analyst for Mac security software maker Intego, said his company discovered six new apps that passed through the notarization process.
    The six notarized apps posed as Flash installers, Long told ZDNet today. Once installed, the apps would download and install the OSX/MacOffers adware.
    “OSX/MacOffers is best known for modifying the search engine in the victim’s browser,” Long told ZDNet.
    Long said the six apps have now been de-notarized.
    “Apple revoked the developer certificate while the malware was under investigation, before we had a chance to report it to Apple,” Long told us.
    “It’s unclear how Apple became aware of it; perhaps they might have gotten a report from another researcher investigating the malware, or perhaps from a Mac user who encountered it in the wild.”
    With Adobe set to retire Flash at the end of the year, Long urged users to stop downloading and installing Flash installers.

    AI security: This project aims to spot attacks against critical systems before they happen

    Microsoft and non-profit research organization MITRE have joined forces to accelerate the development of cyber-security’s next chapter: to protect applications that are based on machine learning and are at risk of new adversarial threats. 
    The two organizations, in collaboration with academic institutions and other big tech players such as IBM and Nvidia, have released a new open-source tool called the Adversarial Machine Learning Threat Matrix. The framework is designed to organize and catalogue known techniques for attacks against machine learning systems, to inform security analysts and provide them with strategies to detect, respond and remediate against threats.

    The matrix classifies attacks based on criteria related to various aspects of the threat, such as execution and exfiltration, but also initial access and impact. To curate the framework, Microsoft and MITRE’s teams analyzed real-world attacks carried out on existing applications, which they vetted to be effective against AI systems.
    “If you just try to imagine the universe of potential challenges and vulnerabilities, you’ll never get anywhere,” said Mikel Rodriguez, who oversees MITRE’s decision science research programs. “Instead, with this threat matrix, security analysts will be able to work with threat models that are grounded in real-world incidents that emulate adversary behavior with machine learning.”
    With AI systems increasingly underpinning our everyday lives, the tool seems timely. From finance to healthcare, through defense and critical infrastructure, the applications of machine learning have multiplied in the past few years. But MITRE’s researchers argue that while eagerly accelerating the development of new algorithms, organizations have often failed to scrutinize the security of their systems.
    Surveys increasingly point to the lack of understanding within industry of the importance of securing AI systems against adversarial threats. Companies like Google, Amazon, Microsoft and Tesla, in fact, have all seen their machine learning systems tricked in one way or the other in the past three years.
    “Whether it’s just a failure of the system or because a malicious actor is causing it to behave in unexpected ways, AI can cause significant disruptions,” Charles Clancy, MITRE’s senior vice president, said. “Some fear that the systems we depend on, like critical infrastructure, will be under attack, hopelessly hobbled because of AI gone bad.”
    Algorithms are therefore prone to mistakes, and especially so when they are influenced by the malicious interventions of bad actors. In a separate study, a team of researchers recently ranked the potential criminal applications of AI over the next 15 years; among the most worrying prospects was the attack surface that AI systems present when algorithms are used in key applications like public safety or financial transactions.
    As MITRE and Microsoft’s researchers note, attacks can come in many different shapes and forms. Threats go all the way from a sticker placed on a sign to make an automated system in a self-driving car make the wrong decision, to more sophisticated cybersecurity methods going by specialized names, like evasion, data poisoning, trojaning or backdooring.  
    Centralizing the various aspects of all the methods that are known to effectively threaten machine learning applications in a single matrix, therefore, could go a long way in helping security experts prevent future attacks on their systems. 
    “By giving a common language or taxonomy of the different vulnerabilities, the threat matrix will spur better communication and collaboration across organizations,” said Rodriguez.
    MITRE’s researchers are hoping to gather more information from ethical hackers, thanks to a well-established cybersecurity method known as red teaming. The idea is to have teams of benevolent security experts finding ways to crack vulnerabilities ahead of bad actors, to feed into the existing database of attacks and expand overall knowledge of the possible threats.
    Microsoft and MITRE both have their own Red Teams, and they have already demonstrated some of the attacks that were used to feed into the matrix as it is. They include, for example, evasion attacks on machine-learning models, which can modify the input data to induce targeted misclassification.

    Phishing groups are collecting user data, email and banking passwords via fake voter registration forms

    Image: Proofpoint
    Days ahead of the US Presidential Election, spam groups are hurrying to strike while the iron is hot. They are using voter registration-related lures to trick people into visiting fake government sites and handing over their personal data, and some groups are bold enough to ask for banking and email passwords and even vehicle registration information.
    These campaigns have been taking place since September and are still going on today, while the lures (email subject lines) are still relevant.
    Spotted by email security firms KnowBe4 and Proofpoint, these campaigns are spoofing the identity of the US Election Assistance Commission (EAC), the US government agency responsible for managing voter registration guidelines.
    Subject lines in this campaign are simple and play on the fear of US citizens that their voter registration request might have failed.
    Using subject lines like “voter registration application details couldnt be confirmed” and “your county clerk couldnt confirm voter registration,” users are lured to web pages posing as government sites and asked to fill a voter registration form again.
    According to Proofpoint, these sites are fake and are usually hosted on hacked WordPress sites. If users fail to notice the incorrect URL, they will eventually end up providing their personal details to a criminal group. Data usually collected via these forms includes:
    Name
    Date of birth
    Mailing address
    Email address
    Social Security Number (SSN)
    Driver’s license information
    Per KnowBe4 and Proofpoint, the spammers are using a basic template, and all of their emails usually lure users to a site that looks the same, like the one below.

    Image: Proofpoint
    But in a follow-up report published on Thursday, Proofpoint says it has seen this group modify its tactics in recent days.
    With the pre-election window drawing to a close, the spam group has become bolder than in previous iterations of the same campaign. Besides asking for the personally identifiable information found on voter registration forms, the group has now expanded its phishing site to include new fields that also ask for:
    Bank name
    Bank account number
    Bank account routing number
    Banking ID/username
    Banking account password
    Email account passwords
    Vehicle Identification Number (VIN)
    To allay fears, the spammers claim this extra information is needed so users can claim a “stimulus.”

    Image: Proofpoint, ZDNet
    Proofpoint says these spam and phishing campaigns are the work of a well-established group that has been involved in previous phishing campaigns this year. Previous campaigns used COVID-19 business grant-related lures.
    It is unclear how successful these campaigns are, but the fact that they are still happening means that spam groups are getting the returns they’re seeking; otherwise, they wouldn’t bother.

    Nvidia tackles code execution flaws, data leaks in GeForce Experience

    Nvidia has resolved a trio of vulnerabilities impacting the GeForce Experience suite. 

    GeForce Experience is software designed by Nvidia with gamers and live streamers in mind. It handles driver update management, driver optimization for games and graphics cards, and both video and audio capture.
    On October 22, Nvidia said the firm’s latest security update tackles issues found in all versions of GeForce Experience prior to 3.20.5.70 on Windows machines. Nvidia says the issues could lead to “denial of service, escalation of privileges, code execution, or information disclosure.”
    The first vulnerability, CVE-2020-5977, has been issued a CVSS v3.1 score of 8.2 and is described as a flaw in the Helper NodeJS Web Server module of the software. An “uncontrolled search path” is used to load a module, and it is this lack of restriction that can be exploited by attackers for the purposes of executing arbitrary code, denial of service, privilege escalation, and information leaks.
    The second security flaw, CVE-2020-5990, has been assigned a CVSS severity score of 7.3. Found in ShadowPlay, the live stream and broadcast facility in Nvidia’s software, the flaw can be abused to trigger code execution, denial of service, and information disclosure. It may also be used for privilege escalation, but only locally.
    Finally, Nvidia has resolved CVE-2020-5978, a low-impact vulnerability with a CVSS v3.1 score of 3.2. A security flaw within GeForce Experience’s nvcontainer.exe service, in which a folder is created under standard user login situations, can be abused for privilege escalation or denial of service attacks. However, the user account must already have local system privileges.
    It is recommended that users accept automatic updates to receive the patch as quickly as possible. The vulnerabilities have been fixed in GeForce Experience version 3.20.5.70.
    In July, Nvidia resolved a bug in the service host component of the software. Application resources were not verified properly, allowing attackers to execute arbitrary code, compromise GeForce Experience itself, cause a denial of service, and leak data. 
    A critical privilege escalation vulnerability in Jetson, found within the Nvidia JetPack SDK, was also resolved at the same time.  

    Criminal cyberattack is 'morally repugnant' says angry mayor, as council battles to restore services

    Hackney Council in London is continuing to try to restore services after a “serious and complex” cyberattack 10 days ago disrupted a number of its systems.
    “I am incredibly angry that organised criminals have chosen to attack us in this way, and in the middle of dealing with a global pandemic. It is morally repugnant, and is making it harder for us to deliver the services you rely on,” said Hackney’s mayor, Philip Glanville.

    He said that some council services may be significantly disrupted for some time. The attack has impacted the council’s legacy and non-cloud-based systems, including many that are needed for essential services such as taking or making payments, logging repairs, and approving licensing and planning applications.
    Glanville said newer, cloud-based services were not affected and that systems important to combating coronavirus – such as local contact tracing – were operating.
    “We’re quickly finding workarounds where we can, and some vital payments, including housing benefit payments, are now being made. We have also now put in place arrangements so that residents can report housing repairs to us and are working hard to put similar solutions in place for other services,” he said.
    It is still unclear exactly what sort of cyberattack took place. The mayor said the council, which provides services to 280,000 people in east London, wanted to say more about the nature of the attack and the impact it was having on services, but had to make sure it was not “inadvertently assisting the attackers by doing so”.
    “This is a serious and complex criminal attack on public services, and we’ll do everything we can to ensure these attackers face justice,” Glanville said.
    The council said a number of services had been affected as a result of the attack. According to its service status page:
    It is currently unable to accept some payments including: rents and service charges, council tax and business rates
    Payments to some adult social care service users may not be paid
    It cannot make some payments including: discretionary housing payments, and certain supplier payments
    Non-emergency repairs may take longer than usual 
    It is unable to accept new applications to join the housing waiting list, for housing benefit or for the council tax reduction scheme
    It is unable to process licence applications, and applications for visitor parking vouchers are unavailable
    Most planning services are unavailable, including planning applications and land searches
    Residents are currently unable to report noise complaints but there may be a delay in responding to other reports and orders across the council

    Windows 10: This is what your new 'Meet Now' taskbar button does, explains Microsoft

    Microsoft has re-released a newish Skype feature called Meet Now as a button in the latest version of Windows 10’s taskbar.   
    The Meet Now button is aimed at taking on Zoom’s popularity and pushes the Skype fast meeting setup feature upfront into the notification area or system tray of the taskbar in Windows 10. It makes it easier for users to set up video meetings without requiring signups or downloads. 

    “In the coming weeks you will be able to easily set up a video call and reach friends and family in an instant by clicking the Meet Now icon in the taskbar notification area. No sign-ups or downloads needed,” Microsoft explained of the feature.  
    Microsoft first rolled out the feature to Windows Insiders on the Dev Channel in September and has now re-released it to Insiders on the Release Preview Channel in the Windows 10 20H2 Build 19042.608 (KB4580364). It’s also available in the Beta channel. 
    It comes after Microsoft released Windows 10 20H2 to the general public earlier this week, opening it up to ‘seekers’ who manually opt to install the latest Windows 10 feature update. 
    The Meet Now taskbar icon came to Windows 10 versions 1903 and 1909 via the KB4580386 cumulative earlier this week. 
    However, the feature hasn’t yet made it to Windows 10 version 2004, the May 2020 Update, but it should soon. Given that Windows 10 20H2, the October 2020 Update, is a minor feature update to version 2004, it should arrive at the same time for the newest version of Windows 10 as a common cumulative update, just as it did for versions 1903 and 1909.
    The Meet Now button is the only new feature in this 20H2 preview, which otherwise brings a long list of fixes detailed in a blogpost. 
    Among them is a solution to problems using Group Policy Preferences to configure the homepage in Internet Explorer. Microsoft has also given admins the ability to use a Group Policy to enable Save Target As for users in Microsoft Edge IE Mode.
    Microsoft fixed an issue with users opening untrusted URL navigations from legacy Internet Explorer 11 by opening these URLs in the Windows 10 Defender Application Guard security feature using Microsoft’s Chromium-based Edge – the browser that ships with Windows 10 20H2.
    Another Edge fix addresses problems when using the full suite of developer tools in Edge for remote debugging on a Windows 10 device.
    There are also fixes for those using Remote Desktop Protocol (RDP) and Windows Virtual Desktop (WVD) on Windows 10. 
    And there’s a fix for a bug preventing Windows Subsystem for Linux 2 (WSL2) from starting on Arm64 devices. The bug occurs after installing the October 13 cumulative update for Windows 10 version 2004, KB4579311.