More stories


    Prep for industry-standard cybersecurity certification exams with this $49 bundle

    The number of data breaches seems to increase year to year, and it doesn’t look like it’s going to slow down anytime soon. Luckily, that means the demand for cybersecurity professionals is at an all-time high, and without an adequate supply of skilled workers, pursuing a career in cybersecurity can earn you an excellent living. 

    There’s no better time to enter the cybersecurity industry, but you won’t be able to land these roles without the proper certifications. On top of that, there are countless career paths cybersecurity professionals can take, such as security auditing or information risk management. If you’re looking to take your IT career to the next level, this $49 6-course bundle is a great way to build your skillset and land the roles that will lead you towards a successful career in cybersecurity.
    The Advanced Cyber Security Career Advancement Bundle features six courses to prepare you for industry-standard certifications that will lay the foundations for your career. The first course you should tackle is Introduction to Cyber Security, which provides a foundational look at the current cybersecurity landscape and the tools used to evaluate and manage security protocols.
    You’ll want to earn a proper cert once you’re more experienced. A CISM Certification is highly recommended as it endorses your skills in enterprise information security, which is covered in this bundle’s fifth course. Alternatively, a CCSP Certification is an excellent option if you’re interested in cloud security, and this content is covered in the third course. 
    There is no single cybersecurity career path that will apply to everyone. Once you have several years of experience on your resume, you’ll want to specialize in an area that you enjoy working in. Either way, your skills will be in demand, and companies are willing to pay handsomely for them. The Advanced Cyber Security Career Advancement Bundle costs $4,500 at list price, but you can get all six courses for just $99 with this 98% off deal.



    New Windows RAT can be controlled via a Telegram channel

    Security researchers have discovered a new remote access trojan (RAT) being advertised on Russian-speaking underground hacking forums.

    Named T-RAT, the malware is available for only $45, and its primary selling point is the ability to control infected systems via a Telegram channel, rather than a web-based administration panel.
    Its author claims this gives buyers faster and easier access to infected computers from any location, letting threat actors activate data-stealing features as soon as a victim is infected, before the RAT’s presence is discovered.
    For this, the RAT’s Telegram channel supports 98 commands that, when typed inside the main chat window, allow the RAT owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via webcam, and retrieve clipboard contents.
    Furthermore, T-RAT owners can also deploy a clipboard hijacking mechanism that replaces strings that look like cryptocurrency and digital currency addresses with alternatives, allowing the attacker to hijack transactions for payment solutions like Qiwi, WMR, WMZ, WME, WMX, Yandex money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin, and Tron.
    In addition, the RAT can also run terminal commands (CMD and PowerShell), block access to certain websites (such as antivirus and tech support sites), kill processes (security and debug software), and even disable the taskbar and the task manager.
    Secondary command and control systems are available via RDP or VNC, but the Telegram feature is the one advertised to buyers, mainly because of the ease of installation and use.

    Telegram becoming popular as a malware C&C channel
    Although RAT capabilities are often inflated in their ads, T-RAT’s were confirmed in an analysis by G DATA security researcher Karsten Hahn.
    Speaking to ZDNet, Hahn said T-RAT is just the latest in a string of recent malware families that come with a control-by-Telegram capability.

    Image: G Data
    The use of Telegram as a command and control system has been trending up in recent years, and T-RAT isn’t even the first RAT to implement such a model.
    Previous ones include RATAttack (uploaded and removed from GitHub in 2017, targeted Windows), HeroRAT (used in the wild, targets Android), TeleRAT (used in the wild against Iranians, targets Android), IRRAT (used in the wild, targets Android), RAT-via-Telegram (available on GitHub, targets Windows), and Telegram-RAT (available on GitHub, targets Windows).
    Distribution vector remains unknown
    For now, the threat from T-RAT is relatively low. It usually takes a few months before threat actors learn to trust a new commercial malware strain; however, Hahn believes the RAT is already gaining a following.
    “There are regular uploads of new T-RAT samples to VirusTotal,” Hahn told ZDNet. “I would assume it is in distribution but have no further evidence of it.”
    But T-RAT isn’t the only new RAT offered for sale these days. According to Recorded Future, there’s another new RAT advertised on hacking forums called Mandaryna.


    SEC issues Kik $5 million penalty over illegal cryptocurrency offering

    The US Securities and Exchange Commission (SEC) has issued a $5 million penalty against Kik for launching an illegal ICO and breaking securities laws. 

    On Wednesday, the US regulator said that the US District Court for the Southern District of New York has entered a final judgment against Kik Interactive, closing a case that has been in motion since 2019.
    Last year, SEC alleged that the Canada-based messaging platform had conducted an illegal securities offering by selling “Kin” tokens; securities sold through an Initial Coin Offering (ICO) must be registered.
    ICOs are an alternative method to raise investment into projects and have, on the whole, become associated with the cryptocurrency and blockchain space. Rather than pouring traditional, fiat currency into a startup, ICOs offer virtual coins or assets to investors.
    While many organizations conduct and register ICOs correctly and legitimately, regulators have clamped down on these events in light of countless exit scams that have left investors out of pocket. 
    SEC has previously claimed that Kik did not register the Kin ICO before it took place in 2017, and furthermore, the Kik team apparently knew the company would run out of money in the same year. SEC says the offering put $100 million in securities on offer, of which over $55 million was raised.
    The Kin token is currently worth $0.000011. 
    SEC said that the “court granted the SEC’s motion for summary judgment on September 30, 2020, finding that undisputed facts established that Kik’s sales of “Kin” tokens were sales of investment contracts, and therefore of securities, and that Kik violated the federal securities laws when it conducted an unregistered offering of securities that did not qualify for any exemption from registration requirements.”
    To resolve the matter, the final judgment requires Kik to inform SEC of any future issuances of digital assets for the next three years and to pay a $5 million penalty.
    “This has been a long, expensive, and public battle between Kik and the SEC,” Kik said. “Although we respectfully disagree with Judge Hellerstein’s analysis in his ruling and were prepared to pursue an appeal, the SEC offered settlement terms that allow us to put this behind us and focus on our mission. We look forward to an exciting future for the Kin ecosystem and the millions of mainstream consumers who earn and spend Kin every month.”
    Ted Livingstone, the founder of the Kik Foundation and Kik chief executive, said on Twitter that the judgment resolves all matters between SEC and Kik, adding: “there will be many more challenges ahead, but it is exciting to put this chapter behind us.”


    eSafety thinks identity verification for social media would be impractical

    Image: Getty Images/iStockphoto
    Australian eSafety Commissioner Julie Inman-Grant has rejected the practicality of a know your customer-type regime for social media companies to verify the identities of their users.
    Addressing Senate Estimates on Wednesday night, Inman-Grant said such a regime works in the banking industry as it has been heavily regulated for many years, particularly around anti-money laundering.
    “It would be very challenging, I would think, for Facebook for example to re-identify — or identify — its 2.7 billion users,” she said. “How do they practically go back and do that and part of this has to do with how the internet is architected.”
    While she admitted it was not impossible, she said it would create a range of other issues and that removing the ability for anonymity or to use a pseudonym is unlikely to deter cyberbullying and the like.
    “In a lot of the adult trolling that we see … [characteristics of a troll] is often high self-esteem, sadism, and masochism — there are a lot of trolls that aren’t interested in hiding their identity at all,” Inman-Grant explained. “It’s not always going to be a deterrence.”
    Similarly, she said, if the social media sites were to implement a “real names” policy, it wouldn’t be effective given the way the systems are set up.
    “I would also suspect there would be huge civil libertarian pushback in the US,” she added.
    “I think there are incremental steps we could make, I think totally getting rid of anonymity or even [the use of] pseudonyms on the internet is going to be a very hard thing to achieve.”
    “I want to be pragmatic here about what’s in the realm of the possible, it would be great if everyone had a name tag online so they couldn’t do things without [consequence].”
    What Inman-Grant said is hindering her department’s investigations is the lack of access to information on the source of instances of abuse, such as cyberbullying.
    “When we want to issue an infraction or an infringement notice — if we don’t know where we can [put] that notice to or who that person is on the other end, that’s challenging and at the moment, because most of the major social media sites are domiciled in the US, they will only allow law enforcement under warrant … we as a regulator are not entitled currently to that,” she said.
    “If erasing anonymity is your goal, we also have to ask to what end, I don’t think it will end all online abuse on the internet but it might go some way,” she later added.


    US blames Iran for spoofed Proud Boys emails threatening Democrat voters

    Image: Proofpoint
    In a short press conference held today by the US Department of Justice, high-ranking officials with the US government claimed that Iran was behind a wave of emails sent to US voters earlier this week.


    Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US Presidential Election.
    The senders claimed to have “gained access into the entire [US] voting infrastructure,” but appeared to use public voter registration databases to target Democrat voters in Alaska, Arizona, and Florida.
    Two waves of emails were sent this week, the first on Tuesday (October 20), and the second on Wednesday (October 21), according to a report from email security firm Proofpoint, which has been tracking the spam campaigns.
    The second wave of emails, besides the original message threatening Democrat voters, also included a link to a video claiming to show an individual print out a voting ballot with another person’s information (a copy of the video is embedded in the Proofpoint report). The video was debunked by several US news media publications.
    Responding to intense media coverage surrounding the emails, in a short press conference earlier today, FBI Director Christopher Wray and Director of National Intelligence John Ratcliffe attributed the spam campaigns to Iran.
    Addressing the video shared in the emails, Ratcliffe added that “the information in the video is not true.”
    Ratcliffe also added that besides Iran, Russia has also “taken specific actions to influence public opinion relating to our election.”
    “Although we have not seen the same actions from Russia, we are aware that they have obtained some voter registration information,” Ratcliffe added.
    The two officials urged the US public to remain calm and not spread any similar messages they receive in the future.
    Neither of the two officials presented any evidence during the press conference but only made short statements.
    Spokespersons for several cyber-security firms could not confirm the Iranian attribution when asked by ZDNet today. However, they didn’t dismiss it either.
    “Iranian information operations date back at least eight years and they have grown beyond fake news sites and social network activity to elaborate tactics, such as impersonating journalists to solicit video interviews and placing op-eds. They have even impersonated American politicians,” John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence, told ZDNet.
    “The information operations we have seen from Iran to date have been about amplifying pro-Iranian messages and pushing a desired narrative out into the world that’s anti-Saudi or anti-Israeli or pro-JCPOA,” he added.
    “This is different. This is deliberate interference in our democracy and it crosses a major red line. I think the Intel community scored a win here against Iran today,” Hultquist said.

    This is assuming that Iran’s ultimate objective is to promote a candidate or a party. That’s not the case. Iran’s goal (much like Russia and China) is to sow chaos and undermine trust in democratic institutions and in our elections.
    — Ariane Tabatabai (@ArianeTabatabai) October 22, 2020


    Mastercard, Idemia, and MatchMove to pilot contactless card with biometric reader in Asia

    Image: Mastercard
    Mastercard has teamed up with identity solutions firm Idemia and Singapore-based fintech MatchMove to pilot a biometric fingerprint card to authorise in-store payment transactions in Asia.
    The card, called F.Code Easy, is embedded with a sensor to allow customers to authorise a payment using their fingerprint, instead of a PIN or signature. The fingerprint sensor will be powered by the energy from payment terminals.
    The payments giant said all biometric credentials will be stored on the card chip, rather than a central database, touting it would “enhance security and safety of contactless payments”. 
    “As people make a permanent move to contactless transactions, the biometric card promises more choice and greater security for consumers,” Mastercard Asia Pacific executive president Matthew Driver said.
    “With Mastercard’s focus on digital commerce, this solution is a testament to the innovative partnerships Mastercard cultivates and its mission to provide fast, frictionless payment experiences that are protected at every point.”
    The pilot biometric card will be developed by Idemia and issued by MatchMove in Q4 to employees of all three companies involved in the project. Mastercard said participating employees could then use their cards for transactions and live demonstrations for customers.  
    Mastercard debuted its fingerprint sensor-embedded credit card back in 2017. Trials were initially underway in South Africa at the time, with the payments giant touting it had planned for a global rollout by the end of that year.
    Credit card chips and SIM cards maker Gemalto then followed in Mastercard’s footsteps the year after, launching a contactless credit card with a fingerprint reader to Bank of Cyprus customers. 
    Meanwhile, over in Australia, Mastercard has partnered with EML Payments Ltd, the Commonwealth Bank of Australia, and Transport for New South Wales to trial the Opal digital card before the end of the year.
    According to a Transport for NSW spokesperson, the trial will enable customers to access the Opal digital card via their digital wallet on their smartphone or watch, and use it to tap on and off each time they travel on the Opal transport network, in place of a physical Opal card.
    As part of the trial, up to 10,000 Adult Opal customers will have access to the digital version of the Opal card.
    “The Opal digital card will also have the ability to be used on private modes of transport, making it even easier for customers to use Opal for their transport needs,” the Transport for NSW spokesperson said.
    “Mastercard demonstrated that with its global experience in developing digital payment technology, they are well-placed to offer the best solution and most competitive price to support Transport for NSW’s requirements.”  
    In other banking news, Macquarie said it is now allowing customers to personalise their digital security settings, including choosing to approve or deny when a login attempt is being made to their account.
    Available through the bank’s verification app, Macquarie Authenticator, the new security features allow customers to choose between three levels of digital banking authentication.
    These are standard security, where additional verification is required only for changes to sensitive account details and certain financial transactions; enhanced security, where verification is required on all login attempts except from trusted devices; and ultimate security, where all login attempts, from trusted and unknown devices alike, require additional verification.
    “We’re empowering our customers to choose enhanced security options, giving them extra peace of mind with an intuitive push alert from the Macquarie Authenticator app, whenever a login is attempted to their accounts,” Macquarie’s banking and financial services group head of personal banking Ben Perham said.
    Mastercard takes a stance against climate change
    Earlier this week, Mastercard announced the launch of its Priceless Planet Coalition in Australia that is designed to bring together local organisations — together with forestry experts Conservation International (CI) and World Resources Institute (WRI) — to collectively plant 100 million trees over five years.
    Members of the coalition include Barclays Bank US, Berkshire Bank, BMO Financial Group, Hawaiian Airlines, Scotiabank, to name a few, as well as Australia’s Archa and 1derful. 
    Mastercard has named Australia, Brazil, and Kenya as the selected locations for its forest restoration project. Beyond these initial locations, the project portfolio will be expanded to include other locations that meet “established criteria”, the company said.
    “In Australia, through the Priceless Planet Coalition, Mastercard is empowering its network of partners and consumers who share its commitment to being a force for good in the world to unite in action and create exponential impact for the environment. Mastercard welcomes all Australian organisations, big or small, to get involved,” Mastercard Australasia division president Richard Wormald said.  


    WordPress deploys forced security update for dangerous bug in popular plugin

    The WordPress security team took a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin.

    WordPress sites running the Loginizer plugin were forcibly updated this week to Loginizer version 1.6.4.
    This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.
    Loginizer is one of today’s most popular WordPress plugins, with an installbase of over one million sites.
    The plugin provides security enhancements for the WordPress login page. According to its official description, Loginizer can blacklist or whitelist IP addresses from accessing the WordPress login page, can add support for two-factor authentication, or can add simple CAPTCHAs to block automated login attempts, among many other features.
    SQL injection discovered in Loginizer
    This week, security researcher Slavco Mihajloski disclosed a severe vulnerability in the Loginizer plugin.
    According to a description provided by the WPScan WordPress vulnerability database, the security bug resides in Loginizer’s brute-force protection mechanism, enabled by default for all sites where Loginizer is installed.
    To exploit this bug, an attacker can try to log into a WordPress site using a malformed WordPress username in which they can include SQL statements.
    When the authentication fails, the Loginizer plugin will record this failed attempt in the WordPress site’s database, along with the failed username.
    But as Slavco and WPScan explain, the plugin doesn’t sanitize the username and leaves the SQL statements intact, allowing remote attackers to run SQL against the WordPress database — in what security researchers refer to as an unauthenticated SQL injection attack.
    “It allows any unauthenticated attacker to completely compromise a WordPress website,” Ryan Dewhurst, Founder & CEO of WPScan, told ZDNet in an email today.
    Dewhurst also pointed out that Mihajloski provided a simple proof-of-concept script in a detailed write-up published earlier today.
    “This allows anyone with some basic command-line skills to completely compromise a WordPress website,” Dewhurst said.
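    An added illustration (not Loginizer’s code, nor from the write-up) of the failure the WPScan description points at: a failed-login recorder that splices the submitted username into its INSERT, beside the parameterized form that treats it as data. The table schema and the IP addresses are constructed; in WordPress the equivalent of the bound parameters is `$wpdb->prepare()`.

```python
import sqlite3

# Constructed stand-in for the table a brute-force-protection plugin uses to
# record failed logins. Hypothetical schema, not Loginizer's real one.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE failed_logins ("
        "id INTEGER PRIMARY KEY, username TEXT, ip TEXT, attempts INTEGER)"
    )
    return db


def record_failure_unsafe(db, username, ip):
    """Vulnerable pattern: the submitted username is spliced into the SQL text,
    so any quote character in it changes the statement being executed."""
    sql = (
        "INSERT INTO failed_logins (username, ip, attempts) "
        f"VALUES ('{username}', '{ip}', 1)"
    )
    db.execute(sql)
    db.commit()


def record_failure_safe(db, username, ip):
    """Hardened pattern: a parameterized INSERT. The driver passes the username
    as a bound value, so it can never alter the statement's structure."""
    db.execute(
        "INSERT INTO failed_logins (username, ip, attempts) VALUES (?, ?, 1)",
        (username, ip),
    )
    db.commit()


def stored_rows(db):
    """Return (username, ip) pairs exactly as the table recorded them."""
    return list(db.execute("SELECT username, ip FROM failed_logins ORDER BY id"))


def compare(username, ip="203.0.113.7"):
    """Record one failed login both ways and return what each table ends up holding.
    The unsafe path returns the exception class name when the spliced SQL is invalid;
    when it is still valid SQL, the recorded row no longer reflects the real request."""
    unsafe_db, safe_db = make_db(), make_db()
    try:
        record_failure_unsafe(unsafe_db, username, ip)
        unsafe = stored_rows(unsafe_db)
    except sqlite3.Error as exc:
        unsafe = f"error: {type(exc).__name__}"
    record_failure_safe(safe_db, username, ip)
    return unsafe, stored_rows(safe_db)


if __name__ == "__main__":
    # A plain name, a legitimate name with an apostrophe, and a username that
    # closes the quoted value and comments out the rest of the statement.
    for name in ["alice", "o'brien", "x', '198.51.100.9', 1) -- "]:
        print(repr(name), "->", compare(name))
```

The third case is the defender’s takeaway: in the unsafe path the attempt is logged with an address the client chose, so the brute-force log itself cannot be trusted, while the parameterized path stores the odd-looking username verbatim and the real client address beside it.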
    Forced plugin update receives public backlash
    The bug is one of the worst security issues discovered in WordPress plugins in recent years, and it’s why the WordPress security team appears to have decided to forcibly push the Loginizer 1.6.4 patch to all affected sites.
    Dewhurst told ZDNet that this “forced plugin update” feature has been present in the WordPress codebase since v3.7, released in 2013; however, it has been used very rarely.
    “A vulnerability I myself discovered in the popular Yoast SEO WordPress plugin back in 2015 was forcibly updated. Although, the one I discovered was not nearly as dangerous as the one discovered within the Loginizer WordPress plugin,” Dewhurst said.
    “I’m not aware of any other [cases of forced plugin updates], but it is very likely that there have been others,” the WPScan founder added.
    But there’s a reason why the WordPress security team doesn’t use this feature for all plugin vulnerabilities and reserves it for the worst bugs.
    As soon as the Loginizer 1.6.4 patch started reaching WordPress sites last week, users started complaining on the plugin’s forum on the WordPress.org repository.
    “Loginizer has been updated from 1.6.3 to 1.6.4 automatically although I had NOT activated this new WordPress option. How is it possible?” asked one disgruntled user.
    “I have the same question too. It has happened on 3 websites I look after of which none of them have been set to auto update,” said another.
    Similar negative feedback was also seen back in 2015 when Dewhurst first saw the plugin forced update feature being deployed by the WordPress team.

    The more I think about it, the more infuriating the auto-update of WP SEO gets.
    — My name is Doug, I have just met you, & I LOVE YOU (@zamoose) March 12, 2015

    Dewhurst believes the feature isn’t more broadly used because the WordPress team fears the “risks of pushing a broken patch to so many users.”
    WordPress core developer Samuel Wood said this week the feature was used “many times” but did not provide details about other instances where it was used. In 2015, another WordPress developer said the plugin forced update feature had been used only five times since it launched in 2013, confirming that the feature is reserved for critical bugs, those impacting millions of sites, and not used for just any plugin vulnerability.


    Cybersecurity: Do these things to keep your business safe from hackers, retailers told

    Retailers face the potential threats of ransomware, malware, phishing attacks and more from cyber criminals and a new guide developed with the aid of the National Cyber Security Centre (NCSC) aims to stop retailers falling victim to attacks.
    The Cyber Resilience Toolkit for Retail has been developed by the British Retail Consortium (BRC) and the NCSC and attempts to provide a ‘plain English’ guide to cybersecurity for management and boards of retailers.


    The nature of retailers, and the way they deal with not only financial data but personal information, has always made them a tempting target for cyber criminals. During the course of 2020, the BRC says there’s been a rise in the number of online purchases, potentially providing cyber criminals with richer spoils if they conduct a successful cyberattack against an e-commerce site.
    “We want to keep shoppers’ data, identity and privacy safe, and to ensure that the retail sector is well equipped to face the cyber challenges associated with an ever-more digital world,” said Dr Ian Levy, technical director at the NCSC.
    “Cybersecurity need not be daunting. There are a number of straightforward best-practice measures you can put in place to ensure you are protecting yourself and your customers,” he added.
    Those best-practice measures include using strong passwords, having good cybersecurity awareness training for staff and backing up data regularly, so if a successful ransomware attack occurs, the organisation is able to restore from backups.
    It’s also recommended that management know what procedures are in place and what to do if a cyberattack happens – and who to call if they need help.
    “Last year, retailers spent over £186 million on cybersecurity, but the growth in online selling means there is an increasing threat of new cyber breaches and sophisticated hacking techniques. As a result, retailers need to ensure their systems are watertight and up to date,” said Helen Dickinson, chief executive of the British Retail Consortium.
    The toolkit also contains advice on areas that potential threats could come from that retailers might not have considered. These include people working from home, malicious insiders, the supply chain and legacy systems that have been forgotten about.
    The guide also urges retailers to take advantage of the NCSC’s Exercise in a Box – a free tool that allows organisations to test their cyber defences based on common hacking scenarios and real-life cyber incidents.