More stories

  •

    Microsoft: How 'zero trust' can protect against sophisticated hacking attacks

    The variety of techniques used by the SolarWinds hackers was sophisticated yet in many ways also ordinary and preventable, according to Microsoft. 
    To prevent future attacks of similar levels of sophistication, Microsoft is recommending organizations adopt a “zero trust mentality”, which disavows the assumption that everything inside an IT network is safe. That is, organizations should assume breach and explicitly verify the security of user accounts, endpoint devices, the network and other resources. 

    As Microsoft’s director of identity security, Alex Weinert, notes in a blogpost, the three main attack vectors were compromised user accounts, compromised vendor accounts, and compromised vendor software.  
    Thousands of organisations were affected by the SolarWinds breach, disclosed in mid-December. The hackers, tracked as UNC2452/Dark Halo, targeted the build environment for SolarWinds' Orion software, tampering with the step in which source code is compiled into the signed binary that customers deploy.
    US security vendor Malwarebytes yesterday disclosed it was affected by the same hackers but not via the tainted Orion updates. The hackers instead breached Malwarebytes by exploiting applications with privileged access to Office 365 and Azure infrastructure, giving the attackers “access to a limited subset” of Malwarebytes’ internal emails.
    According to Weinert, the attackers exploited gaps in “explicit verification” in each of the main attack vectors. 

    “Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network,” Weinert writes.  
    He argues cloud-based identity systems like Azure Active Directory (Azure AD) are more secure than on-premises identity systems because the latter lack cloud-powered protections such as Azure AD's password protection to weed out weak passwords, recent advances in password spray detection, and machine-learning-based account compromise prevention.
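    As an added example (not code from Weinert's post or from any Microsoft product), here is the core of the kind of password-spray detection the paragraph above refers to, run over constructed sign-in records. A spray looks like one source failing against many accounts with only one or two tries each; a brute-force attempt looks like one source hammering a single account. The detector separates the two and then lists any account the spraying source subsequently signed into, since those are the ones to reset first. The log format, thresholds, addresses and account names are all assumptions made for the example.

```python
"""Password-spray vs brute-force classification over sign-in logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO 8601 UTC> <source IP> <account> <SUCCESS|FAILURE>".
# 203.0.113.7 sprays six accounts once each, then gets into a seventh;
# 198.51.100.9 brute-forces a single account; 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
2021-01-20T09:00:01Z 203.0.113.7 alice@example.com FAILURE
2021-01-20T09:00:09Z 203.0.113.7 bob@example.com FAILURE
2021-01-20T09:00:17Z 203.0.113.7 carol@example.com FAILURE
2021-01-20T09:00:25Z 203.0.113.7 dave@example.com FAILURE
2021-01-20T09:00:33Z 203.0.113.7 erin@example.com FAILURE
2021-01-20T09:00:41Z 203.0.113.7 frank@example.com FAILURE
2021-01-20T09:00:49Z 203.0.113.7 grace@example.com SUCCESS
2021-01-20T09:01:02Z 198.51.100.9 alice@example.com FAILURE
2021-01-20T09:01:04Z 198.51.100.9 alice@example.com FAILURE
2021-01-20T09:01:06Z 198.51.100.9 alice@example.com FAILURE
2021-01-20T09:01:08Z 198.51.100.9 alice@example.com FAILURE
2021-01-20T09:01:10Z 198.51.100.9 alice@example.com FAILURE
2021-01-20T09:01:12Z 198.51.100.9 alice@example.com FAILURE
2021-01-20T09:02:30Z 192.0.2.5 bob@example.com FAILURE
2021-01-20T09:02:45Z 192.0.2.5 bob@example.com SUCCESS
"""


def parse_log(text):
    """Return (timestamp, ip, account, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result == "SUCCESS"))
    events.sort()
    return events


def classify_sources(events, window=timedelta(minutes=10), spray_min_accounts=5,
                     spray_max_per_account=2, brute_min_attempts=5):
    """Map each source IP with failures to "spray", "brute_force" or "benign".

    A sliding window over that IP's failures is checked for the spray shape
    (many distinct accounts, few tries each) and the brute-force shape
    (many tries against one account). Thresholds are assumed values.
    """
    failures = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, attempts in failures.items():
        verdict = "benign"
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= spray_min_accounts and max(per_user.values()) <= spray_max_per_account:
                verdict = "spray"
                break
            if max(per_user.values()) >= brute_min_attempts:
                verdict = "brute_force"
        verdicts[ip] = verdict
    return verdicts


def sprayed_then_succeeded(events, verdicts):
    """Accounts that a spraying source later signed into: likely compromised credentials."""
    return sorted({user for _, ip, user, ok in events if ok and verdicts.get(ip) == "spray"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evts)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("reset first:", sprayed_then_succeeded(evts, verdicts))
```

    Real tenant logs carry far more context (client application, device compliance, geography), and a production detector would also key on user agent and on the distribution of accounts tried; the point here is only the shape of the signal that distinguishes a spray from a single-account attack.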
    In cases where the actor succeeded, Weinert notes that highly privileged vendor accounts lacked additional protections such as multi-factor authentication (MFA), IP range restrictions, device compliance, or access reviews. Microsoft has found that 99.9% of the compromised accounts it tracks every month don't use MFA.
    MFA is an important control because a compromised highly privileged account can be used to add a federation trust the attacker controls, and from there to forge SAML tokens that grant access to cloud resources. As the NSA noted in its warning after the SolarWinds hack was disclosed: "if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens."
    Even this technique could have been contained by tighter permissions on user accounts and by policy restrictions on the devices and networks allowed to use them.
    “Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress,” notes Weinert. 
    “The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.” 
    The Microsoft veteran closes with a reminder of why least-privilege access is critical to minimising an attacker's opportunities for moving laterally once inside a network: it compartmentalises an attack by limiting what a compromised user, device, or network can reach.
    With Solorigate — the name Microsoft uses for the SolarWinds malware — the attackers “took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all,” Weinert notes. 
    Weinert acknowledges the SolarWinds hack was a "truly significant and advanced attack", but argues that the risk from the techniques used can be significantly reduced or mitigated with these practices.

  •

    Best antivirus software in 2021

    While modern operating systems do an outstanding job of protecting against malware and viruses, the world of malicious software is a rapidly evolving one, and now random acts of destruction that were once the goal of viruses have been replaced with identity theft, phishing, ransomware, and intercepting internet traffic.
    This fast-changing landscape is hard for OS makers to keep up with, as pushing patches for every malware attack — especially those that aren’t related to an underlying bug in the platform — is not really feasible. This is where antivirus software — which, these days, encompasses much more than real-time protection against viruses and adds features such as password management, VPN, firewall, parental controls, internet security, and protection against identity theft — comes into play.

    Near-perfect malware detection score

    There’s a lot to like about Kaspersky Total Security. Right at the top of the list is its near-perfect malware detection score along with a negligible effect on system performance. 
    Kaspersky Total Security sits in the background discreetly until you need its help.
    Then there’s the five-device license that you get with a yearly subscription that covers Windows, Mac, iPhone and iPad, and Android devices. This is great for people with multiple devices because they don’t need to spend extra money or go through a different learning curve for each platform.
    Kaspersky Total Security is also fully-featured and comes with a huge range of features:
    Blocks viruses, cryptolockers, and other threats
    Protects payments
    Secures passwords and images of personal documents
    Encrypts data you send and receive online with a built-in VPN (300MB/day/device)
    Stops webcam spies watching you in your home
    Advanced parental controls
    $49 at Kaspersky

    A single license covers five devices

    Bitdefender Total Security is a great package for people with a lot of devices to protect because a single license covers five devices, ranging from PCs and Macs to iOS and Android devices. 
    For the price, this package represents excellent value for money, and it means less messing about with different solutions.
    Bitdefender Total Security is also packed with features:
    Top-level threat detection to stop sophisticated malware
    Multi-layer ransomware protection 
    Rescue Environment for removal of sophisticated malware such as rootkits
    Secure VPN for online privacy, limited to 200MB/day/device
    Battery Mode for reduced power consumption on laptops
    Advanced parental controls
    Minimal impact on your system performance
    $39 at BitDefender

    Real-time protection from malware for Macs

    This is software built for Macs by a company that understands the platform.
    The package includes VirusBarrier X9. It comes with real-time protection from malware, as well as a scanner, and the NetBarrier X9 firewall, which protects against network and internet intrusion. 
    A license covers a single Mac.
    For an extra $10, you can add Windows protection (either for a separate PC or a BootCamp installation). 
    Real-time protection
    Fast scans with low performance impact
    Intelligent firewall
    Hotspot network protection
    $39 at Intego

    Built-in VPN

    Protection for your iPhone that goes much further than malware.
    Avira Mobile Security protects your phone:
    Web Protection blocks phishing, malware, spam, and fraud so you can browse freely and safely
    Identity Safeguard which scans to find out if your email addresses have been hacked 
    Built-in VPN to secure your connection to the internet
    The anti-theft feature allows you to find, track, and recover your iPhone or iPad if it’s lost or stolen, lock apps to prevent unauthorized access, and, as a last resort, remotely wipe your device
    Call Blocker allows you to build a blacklist and block spam and other unwanted calls and texts
    Contacts Backup lets you backup and restore contacts to your email, Dropbox, or Google Drive
    Network Scanner will let you find all the devices connected to your Wi-Fi
    Avira Mobile Security for iOS is free with in-app purchases.
    View Now at Apple Store

    Tried-and-tested Android antivirus

    With more than 100 million installs, Avast Mobile Security and Antivirus is a tried-and-tested app that delivers a whole raft of features specific to the Android platform:
    Antivirus engine
    App lock
    Anti-theft
    Photo vault
    VPN
    Power save
    Privacy permissions
    RAM boost
    Junk cleaner
    Web shield
    Wi-Fi security
    App insights
    Virus cleaner
    Wi-Fi speed test
    Avast Antivirus for Android is free, but there are pro features that can be unlocked by in-app purchases.
    View Now at Avast
    Choosing the right antivirus product for you
    Choosing the right antivirus software package for you means knowing your needs. For many, a simple free package that handles the basics is fine, while others benefit from more in-depth protection.  
    Packages such as Kaspersky Total Security 2021 and Bitdefender Total Security are great for those with multiple devices running different platforms, and who want a one-stop-shop that covers everything with a single license. These packages do much more than offer protection against malware and add essential security features such as password managers, file shredders, ransomware protection, VPNs, parental controls, and much more.
    The makers of these security suites offer a free trial, and it is a good idea to make use of it so you can see whether the software fits in with your workflow. Some people find the way certain packages deliver security information annoying, while others want a noisy product that informs them of everything that happens.
    This also allows you to discover for yourself what the performance hit of running the software is like.
    For Windows users who don’t want to mess about with subscriptions or risk their protection running out at some point, I believe that Microsoft Windows Defender Antivirus is the perfect solution.

    Whatever you choose, I recommend that you download from a reputable source — either the official website or an official download source such as Apple App Store or the Google Play Store. 
    Shady third-party sites are the perfect place to catch malware!


  •

    Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data

    Some organisations which fall victim to ransomware attacks are paying ransoms to cyber criminal gangs despite being able to restore their own networks from backups, in order to prevent hackers publishing stolen data.
    Over the course of the last year, many of the most successful ransomware gangs have added an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn’t received.
    As 2020 started, only the Maze ransomware gang was using this tactic; by the end of the year, a further 17 ransomware crews had taken to publishing victims' stolen data if they didn't receive payment.
    However, according to cybersecurity company Emsisoft's 'State of Ransomware' report, some victims that were entirely capable of restoring their networks from backups, and successfully did so, still paid a bitcoin ransom of hundreds of thousands or millions of dollars in an effort to stop the criminals leaking the stolen information.
    “Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work. Some organisations which were able use backups to recover from attacks still paid the ransom simply to prevent their data being published,” said the report.
    “This resulted in a greater percentage of attacks being monetized and, as a result, better ROI for the cybercriminals,” it added.

    Ransomware attacks claimed thousands of victims during the last year, with hundreds of government agencies, healthcare facilities, schools and universities as well as private companies among those hit by cyber criminal attempts at extortion.
    According to the report, public sector organisations in the US were particularly badly hit by ransomware attacks with at least 2,354 government, healthcare and educational institutions impacted.
    They included 1,681 schools, colleges and universities, 560 healthcare facilities and 113 federal, state and municipal governments and agencies. Meanwhile, over 1,300 private companies were also hit by ransomware attacks.
    Some organisations give in to the ransom demand, paying out hundreds of thousands or even millions of dollars in bitcoin because they see it as the quickest way to restore the network. Others refuse and can spend weeks or months rebuilding. And, as the report shows, some restore from backups and pay the ransom anyway.
    According to Emsisoft, the total financial damage done by ransomware attacks likely runs to billions of dollars. Because the tactic is proving successful, even more ransomware groups are likely to adopt it: stealing and threatening to publish data works, and criminals are making money from businesses that don't want their data leaked.
    However, while ransomware attacks continue to be damaging for a significant number of organisations, there are relatively simple steps which can be taken in an effort to protect against ransomware and other malware attacks.
    Phishing remains one of the key methods of distributing ransomware – especially following the rise in remote working – so organisations should attempt to hammer home the importance of being careful when opening emails and attachments. If employees are suspicious about something, they should report it.
    Organisations should also make sure they have a good patching strategy and apply the latest security updates promptly, denying criminals the known vulnerabilities they use to get malware onto the network.
    Regularly updated backups should also be a priority, and they need to be kept where an intruder who already controls the network cannot encrypt or delete them; if the worst happens, the network can then be restored without paying for decryption. Backups do nothing, however, against the threat of publication described above, which is exactly why the gangs have added it.
    “2021 need not be a repeat of 2020. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly,” said Fabian Wosar, CTO of Emsisoft.

  •

    Better than the best password: How to use 2FA to improve your security

    You are one data breach away from having your entire online life turned upside down. The problem is passwords, which are hopelessly fragile ways to secure valuable resources.
    Don’t be lulled into a false sense of security by the belief that creating a longer, more complex, harder-to-guess password will somehow make you safer online. You can create a password that is so long and complex it takes you five minutes to type, and it will do nothing to protect you if the service where you use that password stores it improperly and then has their server breached. It regularly happens.

    And even with reasonable policies in place (complexity, changed regularly, not reused), people are still the weakest link in the security chain. Social engineering can convince even intelligent people to enter their credentials on a phishing site or give them up over the phone.
    The solution is two-factor authentication, or 2FA. (Some services, being sticklers for detail, call it multi-factor authentication or two-step verification, but 2FA is the most widely used term, so that’s the nomenclature I’ve chosen to use here.)
    A 2019 report from Microsoft concluded that 2FA works, blocking 99.9% of automated attacks. If a service provider supports multi-factor authentication, Microsoft recommends using it, even if it’s as simple as SMS-based one-time passwords. A separate 2019 report from Google offered similar conclusions.
    In this article, I answer some of the most common questions people ask me about 2FA.
    How does 2FA work?

    Turning on 2FA for a service changes the security requirements, forcing you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device. Those two forms of authentication can come from any combination of at least two of the following elements:
    “Something you know,” such as a password or PIN
    “Something you are,” such as a fingerprint or other biometric ID
    “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes, or a hardware-based security device
    For the most part, the two-factor authentication systems you see in place today use the first item (your password) and the last item (your smartphone). Smartphones have become ubiquitous, making them ideal security devices.
    Your smartphone can assist with authentication by providing a unique code that you use along with your password to sign in. You can acquire that code in one of two ways: Sent as a text message from the service, or generated by an app installed on your phone.
    Here, for example, is what I saw moments ago when I tried to sign in to my Gmail account from a browser I had never used before.

    If someone tries to sign in to an account protected by 2FA, they’ll need a second proof, such as the code from an authenticator app
    If this sign-in request were from someone who had stolen my Google account credentials, they’d be stopped dead in their tracks. Without that code, they can’t continue the sign-in process.
    Most (but not all) services that support 2FA offer a choice of authentication methods. Google and Microsoft, for example, can both push notifications to a trusted device; you tap the notification to approve the sign-in. An increasing number of services support the use of hardware security keys (see: “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”)
    And, of course, most services offer the option to print out backup recovery codes, which you can store in a safe place and use in the event your usual secondary authentication method is unavailable. If your smartphone is lost, stolen, or damaged, you’ll need those codes.

    Which authentication method is best?
    The best authentication method is the one you’re most comfortable with. Just make sure you have at least two options, to avoid the risk of being locked out of your account.
    I prefer the option to use an authenticator app rather than receiving codes via text message whenever possible, and so should you, for two good reasons. The first is a matter of simple logistics. There are times when you have access to the internet (via a wired connection or Wi-Fi) but can’t receive a text message, because your cellular signal is weak or nonexistent, or you’re using a different SIM while traveling. The second is the small but real chance that an attacker will social-engineer their way through your mobile carrier’s defenses to acquire a SIM card with your phone number, a process called “SIM-jacking.”
    The most popular 2FA app is Google Authenticator, which is available on iOS and Android. But there are plenty of alternatives; because the process for generating secure tokens is based on open standards, anyone can write an authenticator app that performs the same function. In fact, you can use multiple authenticator apps. I use Microsoft Authenticator, which is capable of receiving push notifications from personal and business accounts on Microsoft’s platforms, as well as the third-party app Authy. (For details, see “Protect yourself: How to choose the right two-factor authenticator app.”) 
    It's worth noting that an authenticator app only requires a data connection during the initial setup process, and not even then if the secret is entered by hand or scanned from a QR code. After that, everything happens on your device. The process is governed by a well-accepted standard, the Time-based One-Time Password algorithm (TOTP, RFC 6238). The app acts as a sophisticated calculator that combines the shared secret with the current time, in 30-second steps, to produce each code; the online service uses the same secret and its own clock to compute the codes it will accept and compares them against your entry. Because both sides work from Unix time (seconds since the epoch, in UTC), time zones don't matter, but your codes will fail if your device's clock is off by more than the service's tolerance, typically one step either way.
    How do I know which services support 2FA?
    When I started writing about this technology a decade ago, 2FA support was relatively rare. Today, it’s commonplace.

    Google accounts, including both consumer Gmail and business G Suite accounts, offer a wide range of two-step verification alternatives. All Microsoft accounts, including the free accounts used with Outlook.com, Xbox, Skype, and other consumer services, support a variety of authentication options, as do the Azure Active Directory accounts used with Microsoft's business and enterprise services, including Microsoft 365 and Office 365.
    2FA support is ubiquitous among social media services (Facebook, Twitter, Instagram, and so on). Every online storage service worth considering supports 2FA, as do most domain registrars and web hosting companies. If you’re unsure about a specific service, the best place to check is a superb open source information repository called the Two Factor Auth List. And if a high-value service you rely on doesn’t support 2FA, well, maybe you should consider switching to one that does. 
    Which services should I protect first?
    You probably have login credentials at dozens of online services that support 2FA, so the best strategy is to make a prioritized list and work your way through it. I suggest these priorities:
    Password/identity managers. Using a password manager is perhaps the most important way to ensure that you have a strong, unique password for every service, but that also creates a single point of attack. Adding 2FA shores up that potential weakness. Note that for some password management software, 2FA support is a paid option.  
    Microsoft and Google accounts. If you use services from either company, adding 2FA support is essential. Fortunately, it’s also easy.
    Email accounts. If a bad actor can take over your email account, they can often wreak havoc, because email messages are a standard means of sending password reset links. Messages sent from a compromised email account can also be used to attack your friends and co-workers (by sending malware-laden attachments, for example). If you use Outlook.com, Exchange Online, Gmail, or G Suite, your email account uses the identity verification method associated with your Microsoft or Google account. If you use a different email service, you’ll need to set up 2FA separately.
    Social media accounts. As with email, the biggest risk associated with a hacked Twitter or Facebook account is that it will be used against your friends and associates. Even if you’re a lurker who rarely posts anything on social media, you should protect these accounts.  
    Banks and financial institutions. Most banks and credit card companies have made significant investments in back-end fraud detection programs, which is why 2FA options are typically limited compared with other categories. Nonetheless, it’s worth exploring these settings and tightening them as much as possible.  
    Shopping and online commerce. Any site where you’ve saved a credit card number should be secured.
    How do I set up 2FA?
    Setting up additional security for most online services requires minimal technical skills. If you can use your smartphone’s camera, type a six-digit number, and tap OK in a dialog box, you have all the skills required. The most difficult part of the job is finding the page that has the relevant settings.
    If you’re using SMS messages, all you need to do is associate a mobile phone number with your account. (You can also use a virtual phone line, such as a Google Voice number, that can receive SMS messages.) Configure the account to send a code to that number whenever you sign in on an untrusted device. For example, here’s what this option looks like when enabled on a Twitter account:

    The simplest 2FA option is a code, sent via SMS message to a registered phone. This is the 2FA setup page for Twitter.
    Setting up 2FA on a Twitter account requires you to first re-enter your password and then enter the phone number where you want to receive authentication codes. After you complete that process, you’ll receive a code on that device. Enter the code to confirm you received it, and the 2FA setup is complete. Helpfully, Twitter automatically generates a recovery code at the end of this setup process; print it out and file it in a safe place so you can recover in the event your primary 2FA method no longer works.
    To get started with an authenticator app, you first need to install the app on the mobile device you want to use as your second authentication factor:
    If you carry an iOS device, you can get the Google Authenticator app from the App Store. (It’s optimized for use on iPhones but should work on an iPad as well.) On Android devices, install the Google Authenticator app from the Google Play Store.
    The Microsoft Authenticator app, which uses the same standard to create authentication tokens, is available for Android devices from the Google Play Store and for iOS devices from the App Store.
    Authy is also available from the App Store and from the Google Play Store.
    If you use the LastPass password manager, consider installing the LastPass Authenticator app, which is designed to work with the LastPass app on mobile devices and the desktop.
    If you use 1Password as your password manager, 2FA support is built into the 1Password app on all platforms. For details on how to use the One-Time Password feature, see this 1Password support page.
    After you install the app for your device, the next step is to set it up to work with each account where you have enabled 2FA. 
    The setup process typically requires that you enter a shared secret (a long text string) using the mobile app. All of the mobile apps I listed above support using a smartphone camera to take a picture of a QR code, which contains the shared secret for your account. That’s much easier than entering a complex alphanumeric string manually.
    Here, for example, is the QR code you’ll see when setting up a Dropbox account:

    In your smartphone app, choose the option to add a new account and then snap a picture of the bar code to automatically set up 2FA support.
    In your authenticator app, choose the option to add a new account, choose the bar code option, aim the smartphone at the bar code on your computer screen, and wait for the app to fill in the necessary fields.
    After you set up the account in the authenticator app, it begins generating codes based on the shared secret and the current time. To complete the setup process, enter the current code from the authenticator app.
    The next time you try to sign in with a new device or web browser, you’ll need to enter the current code, as displayed by the authenticator app.
    If you use older email apps that don’t support modern authentication with an account that’s protected by 2FA, your normal password won’t work anymore. You’ll need to generate special passwords for use exclusively with those apps. The security settings for your account should guide you through that process. (But really, if you are using an old app that requires an app password, maybe you should consider replacing it.)
    As part of the 2FA setup process, you should also generate one or more recovery codes, which you can print out and store in a safe place. In the event your smartphone is lost or damaged, you can use those codes to regain access to your account.  
    How do you transfer 2FA accounts to a new smartphone?
    If you use SMS text messages as a second factor for authentication, transferring your number to the new phone will seamlessly transfer your 2FA setup too.
    Some authenticator apps allow you to generate codes on multiple devices. 1Password and Authy both fall into this category. Install the app on the new phone, sign in, and then check each account to confirm that the codes generated on the new phone work properly. Microsoft Authenticator allows you to back up codes to the cloud and restore them on a new device. For instructions, see "Back up and recover account credentials using the Microsoft Authenticator app."
    For Google Authenticator and other no-frills apps, however, you'll need to manually re-create each account on the new device. Install the authenticator app on your new device and repeat the setup process for each account you used with your old phone. Re-running setup issues a new shared secret for that account, so codes generated by the old device stop working.
    Two-factor authentication will stop most casual attacks dead in their tracks. It's not perfect, though. A determined attacker who is directly targeting a specific account might be able to find ways to work around it, especially if they can hijack the email account used for recovery or redirect phone calls and SMS messages to a device they control. But if someone is that determined to break into your account, you have a bigger problem.

  •

    Cyberattack fears raise the alarm in Eastern European countries

    The cyberattacks that targeted multiple US government agencies and companies in recent months have raised the alarm in developing Eastern European countries regarding their own cybersecurity capabilities.
    During the past year, some of them, like North Macedonia, have already experienced attacks on their state IT systems: last summer, the country had its electoral process disrupted by massive DDoS attacks on election night. Hackers targeted the website of the state electoral commission, which stayed down for several days before the election results could finally be published to the Macedonian public.


    In 2019 in neighboring Bulgaria, more than five million people had their personal data stolen in a breach of the national tax agency. The hacked database was then also shared across various hacking forums, as ZDNet reported at the time.
    Shortly after those attacks, Bulgarian officials acknowledged the need for further investment in cybersecurity. Bulgarian foreign minister Ekaterina Zaharieva said the country would aim to increase the number of IT specialists in the state administration. The country also signed a 10-year roadmap with the US aimed at modernising its army and its cybersecurity.
    Bulgaria’s neighbor Romania also faced several cyberattacks the same year, as ransomware attacks targeted computer systems across hospitals in the country. Should this have happened during the current COVID-19 pandemic, the consequences for the health system in the country could have been dire.
    The cybersecurity community, as well as experts and IT professionals across the Balkans, are sounding the alarm regarding the cybersecurity capacities of various state institutions in these countries.

    The fragile state of cybersecurity in countries across the region could yet be exploited by hacker groups and malign actors. By targeting multiple state agencies or institutions, such attacks could also have consequences for their economies – for instance, an attack on the banking system could cause a major disruption. And most of these countries do not have the resources of their Western counterparts to invest in strengthening their cyberdefences, despite their desire to do so.
    Even if they did, attacks such as those in the US show that there are no guarantees against the damage cyber threats can do.
    When it comes to implementing an efficient cybersecurity strategy, experts argue that many factors play a critical role. In most cases, the human factor proves to be the weakest link, and people need to be trained on how to defend against such attacks.
    “The weakest link on the internet is the human factor – the human firewall,” says Berlin-based cybersecurity researcher Predrag Tasevski. “It requires a lot of time and resources to be able to develop policies, guidance and knowledge for how to deal with such threats.”
    However, raising awareness about these issues also needs to run deeper and on more levels, Tasevski points out.
    “We can’t just only focus on boosting the awareness on the national level, and on the end-user. We need to raise awareness among the political leaders too, and on the institutional level as well.”
    One of the solutions for developing Balkan countries would be to introduce centralized protection systems that would cover various state agencies and ministries.
    “A protection system should be built for all government e-services, including agencies, ministries, local governments and any legal entity or state body,” says Mane Piperevski, cybersecurity consultant based in Skopje, North Macedonia.
    Investing in such projects should be a priority for most of these countries, experts agree. The recent example of Romanian capital Bucharest being chosen to host the EU’s new cybersecurity center could also offer a new perspective and encouragement for the region, when it comes to hardening its critical infrastructure.
    Support from international organizations, as well as enhanced regional cooperation, could be crucial in the fight against the cybercrime the region is facing. Most countries in the region, with the exception of Serbia and Bosnia & Herzegovina, are NATO members. In March 2020, North Macedonia became the Alliance’s newest member. Faced with the possibility of repeated cyberattacks, the tiny nation is now also putting its hopes on NATO’s assets and expertise.
    According to Bilyana Lilly, assistant policy researcher at Los Angeles-based thinktank RAND Corporation, it is well within NATO’s mandate to assist its Balkan members.
    “In 2016, NATO formally recognized cyber as an operational domain and has made progress in developing centers and platforms that can facilitate the coordination and sharing of cyber capabilities among NATO members and even partner nations,” Lilly tells ZDNet.
    One example is NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, which was created not long after the major cyberattacks that Estonia suffered in 2007. The CCDCOE is responsible for identifying and coordinating education and training on cyber defence for all NATO institutions across the Alliance.
    Well aware of what similar attacks could do to the smaller and more fragile Eastern European countries, NATO maintains that it has all of its capacities available for allies.
    “Cybersecurity is a priority for NATO, and our networks are defended 24/7. Our cyber experts regularly offer support and share information, including through our Malware Information Sharing Platform,” a NATO official tells ZDNet in a statement.
    “NATO also has cyber rapid reaction teams on standby to assist allies 24 hours a day, and our Cyberspace Operations Centre is operational. For NATO, cyber defence is a core part of our collective defence.”


    Interpol warns of romance scam artists using dating apps to promote fake investments

    Interpol has warned of a new investment scam targeting users of mobile dating apps.

    As COVID-19 continues to severely restrict our daily lives and in many places, makes social interaction and meeting new people in person impossible, dating apps have experienced a surge in users. 
    With dating apps being the only practical way to meet anyone at the current time, scam artists have decided to capitalize on this trend in order to push an investment-based scam that deprives victims of their cash. According to Arkose Labs research, four million online dating fraud and abuse-related attacks were recorded in 2020, with many taking place through fake account registrations. 
    On Tuesday, the International Criminal Police Organization (Interpol) said the agency had issued a “purple notice” — the provision of data on criminal groups’ methods, objects, devices, and concealment methods — to 194 member countries. 
    The notice describes a new modus operandi on dating applications, which Interpol says “takes advantage of people’s vulnerabilities as they look for potential matches, and lures them into a sophisticated fraud scheme.”
    This is how the scam, documented globally, works: users sign up to a dating app such as Tinder, eHarmony, or Bumble, and unknowingly end up matching with a scammer. 
    Once a level of trust has been established, the scam artist will then turn the conversation over to finance and potential investments, encouraging their ‘match’ to join them in a financial venture. 

    To appear genuine, the scammer will give their victim investment “tips” and lure them to download a fake trading app, sign up for financial products, and “work their way up a so-called investment chain” — all under the supervision of their connection on the dating app. 
    In order to encourage the victim to part with their cash, the fraudster will provide incentives, such as promising their victim can reach a premium “Gold” or “VIP” status under their tutelage. 
    However, nothing is as it seems. 
    “As is often the case with such fraud schemes, everything is made to look legitimate,” Interpol says. “Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”
    Once the match has been milked for their cash, victims are locked out of their ‘investment’ accounts and the scam artist vanishes, cutting off all contact. 
    “They’re left confused, hurt, and worried that they’ll never see their money again,” Interpol added. 
    When feelings become involved, there may be more of a chance for someone to be persuaded to part with their money. This relates to phishing emails — many examples of which will pretend to be from a tax office, loan company, or bank — with panic and fear used as triggers. 
    Dating app fraudsters prey upon the heart, and we’ve heard, time and time again, of lonely users being swindled out of their life savings by individuals who appeared to be genuine love interests. 
    As many of us are using dating apps as an alternative to meeting in-person during the pandemic, it is even more important that we remain cautious. 
    You should never part with any money to someone you don’t know and haven’t met in person — no matter what the apparent opportunity is or whatever claimed ’emergency’ situation someone is in — and when it comes to investment opportunities, research first. 
    After all, if a financial investment appears to be too good to be true, it usually is. 
    Earlier this week, UK police highlighted another form of scam that preys upon lonely hearts — the exploitation of online video chats and remote dates. In a case documented by Thames Valley police, a video session between a man and a woman that turned intimate was recorded by the latter, who pretended to have a romantic interest in her victim in order to extort a blackmail payment in return for the footage not being shared with friends and family. 


    Google: These new password protection features are coming to Chrome

    After releasing Chrome 88 this week, Google has announced a host of new password protection features it will begin rolling out to Chrome 88 in coming weeks. 
    Chrome 88 includes a new feature to quickly check for weak or compromised passwords and remediate the issue. After clicking on the profile avatar, there’s now a key icon that can be clicked to begin checking for weak passwords. 


    Also in Chrome 88, users can manage and edit all passwords in Chrome Settings on the desktop and iOS. Google is planning to bring this feature to the Android Chrome app soon. The feature is meant to make it easier to update saved passwords in a central place, as opposed to relying only on Chrome prompts to update single passwords when logging into websites. 
    Thanks to Chrome’s Safety Check, which alerts users to any compromised credentials they have, Google says it has seen a 37% reduction in compromised credentials stored in Chrome. Additionally, Safety Check is used 14 million times each week, according to Google. 
    Google last year enabled iOS users to autofill passwords saved in Chrome into other apps and browsers. It’s now doing this for three million sign-ins across iOS apps every week.   
    Last year, Google added biometric authentication for the autofill feature on iOS, and it will soon be bringing this additional protection to Chrome on Android. iOS users need to pass Touch ID, Face ID, or the phone’s passcode before a saved password is autofilled into another app or website.  

    The password management features with Chrome 88 will be rolled out over the coming weeks, Google says. 
    Chrome 88, released earlier this week, was the first version of Chrome in years not to include Adobe Flash Player in the browser. Flash reached end of life at the end of 2020, so Mozilla, Google, Apple and Microsoft have all dropped support for Flash in their respective browsers. 
    FTP support was also disabled in Chrome 88, which also now blocks HTTP file downloads from HTTPS web pages. 
    Chrome 88 ships with an experimental feature for searching all tabs via a new popup window that can be accessed by clicking a downward arrow above the user avatar. To test tab search, users can go to chrome://flags/ and search for “Enable Tab Search”. 
    Users can also test out a new “Force Dark Mode for Web Contents” feature in Chrome 88. Again, it’s an experimental feature in chrome://flags/ that renders websites with white backgrounds on black backgrounds instead.


    A Chinese hacking group is stealing airline passenger details

    A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data in order to track the movement of persons of interest.


    The intrusions have been linked to a threat actor that the cyber-security industry has been tracking under the name Chimera.
    Believed to be operating in the interests of the Chinese state, the group’s activities were first described in a report [PDF] and Black Hat presentation [PDF] from CyCraft in 2020.
    The initial report mentioned a series of coordinated attacks against the Taiwanese semiconductor industry.
    But in a new report published last week by NCC Group and its subsidiary Fox-IT, the two companies said the group’s intrusions are broader than initially thought, having also targeted the airline industry.
    “NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 and April 2020,” the two companies said.
    These attacks targeted semiconductor and airline companies in different geographical areas, and not just Asia, NCC and Fox-IT said.

    In the case of some victims, the hackers stayed hidden inside networks for up to three years before being discovered.
    Hackers scraped user data from the RAM of flight booking servers
    While the attacks orchestrated against the semiconductor industry were aimed towards the theft of intellectual property (IP), the attacks against the airline industry were focused instead on something else.
    “The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR),” the two companies said.
    “How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers.”
    A typical Chimera attack
    The joint NCC and Fox-IT report also describes the Chimera group’s typical modus operandi, which usually begins with collecting user login credentials that leaked in the public domain after data breaches at other companies.
    This data is used for credential stuffing or password spraying attacks against a target’s employee services, such as email accounts. Once in, the Chimera operators search for login details for corporate systems, such as Citrix systems and VPN appliances.
    Once inside an internal network, the intruders usually deploy Cobalt Strike, a penetration-testing framework used for “adversary emulation,” which they use to move laterally to as many systems as possible, searching for IP and passenger details.
    The two security firms said the hackers were patient and thorough and would search until they found ways to traverse across segmented networks to reach systems of interest.
    Once they had found and collected the data they were after, this information was regularly uploaded to public cloud services like OneDrive, Dropbox, or Google Drive, since the attackers knew that traffic to these services wouldn’t be inspected or blocked inside breached networks.
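    The first step of the attack chain described above, credential stuffing or password spraying against employee services, leaves a distinctive trace in authentication logs: one source trying a few passwords against many accounts, as opposed to many attempts against one account. The following detection logic is an added example and is not code from the NCC Group / Fox-IT report; the log format, thresholds and sample lines are constructed for this illustration.

```python
# Added example (not from the NCC Group / Fox-IT report): flag the spray
# pattern described above in constructed authentication log lines.
# Log format assumed for this example: "<ISO time> <OK|FAIL> user=<name> src=<ip>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one password across many accounts
# (spray, then a hit), another hammers a single account (brute force),
# and one user simply mistypes a password once.
SAMPLE_LOG = """\
2020-03-01T08:00:01 FAIL user=alice src=203.0.113.10
2020-03-01T08:00:03 FAIL user=bob src=203.0.113.10
2020-03-01T08:00:05 FAIL user=carol src=203.0.113.10
2020-03-01T08:00:07 FAIL user=dave src=203.0.113.10
2020-03-01T08:00:09 FAIL user=erin src=203.0.113.10
2020-03-01T08:00:11 OK user=frank src=203.0.113.10
2020-03-01T08:01:00 FAIL user=alice src=198.51.100.7
2020-03-01T08:01:01 FAIL user=alice src=198.51.100.7
2020-03-01T08:01:02 FAIL user=alice src=198.51.100.7
2020-03-01T08:01:03 FAIL user=alice src=198.51.100.7
2020-03-01T08:01:04 FAIL user=alice src=198.51.100.7
2020-03-01T08:01:05 FAIL user=alice src=198.51.100.7
2020-03-01T08:05:00 FAIL user=grace src=192.0.2.44
2020-03-01T08:05:30 OK user=grace src=192.0.2.44
"""

def parse_line(line):
    """Split one log line into (timestamp, result, user, source_ip)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def classify_sources(log_text, window=timedelta(minutes=10),
                     min_users=5, min_attempts=5):
    """Return {src_ip: label} for sources whose failures look automated."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails_by_src = defaultdict(list)
    successes = defaultdict(set)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
        else:
            successes[src].add(user)
    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        first = fails[0][0]
        recent = [u for ts, u in fails if ts - first <= window]
        distinct = set(recent)
        if len(distinct) >= min_users and len(recent) / len(distinct) <= 2:
            # Few attempts per account across many accounts: password spray.
            # A success from the same source is the high-priority case.
            verdicts[src] = "spray" + ("+success" if successes[src] else "")
        elif len(recent) >= min_attempts and len(distinct) == 1:
            verdicts[src] = "brute-force"
    return verdicts
```

    The ratio check (attempts per distinct account) is what separates the spray from an ordinary brute-force burst; the "+success" label is the alert worth paging on, since it corresponds to the "once in" moment the report describes.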
    Tracking targets of interest
    While the NCC and Fox-IT report didn’t speculate why the hackers targeted the airline industry and why they stole passenger data, this is pretty obvious.
    In fact, it is very common for state-sponsored hacking groups to target airline companies, hotel chains, and telcos to obtain data they could use to track the movements and communications of persons of interest.
    Past examples include Chinese group APT41, which targeted telcos with special malware capable of stealing SMS messages. The attacks were believed to be related to China’s efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers’ movements.
    Another Chinese group that targeted telcos was APT10 (or Gallium), whose activities were detailed in Cybereason’s Operation Soft Cell report.
    In addition, Chinese state-sponsored hackers were also linked to the Marriott hack, during which they stole troves of hotel reservation details going back years.
    But China isn’t the only one engaging in these types of attacks.
    Iranian group APT39 has also been linked to breaches at telecommunication providers and travel companies for the purpose of tracking Iranian dissidents, while another Iranian group, known as Greenbug, has been linked to hacks against multiple telecom providers across Southeast Asia.
    Then there’s Operation Socialist, a UK GCHQ operation that targeted Belgian telco Belgacom between 2010 and 2013.