More stories

    Two in five employees are not sure what a mobile phishing attack is

    The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.
    The “Everywhere Enterprise” – in which employees, IT infrastructures, and customers are everywhere – has led to employees not prioritizing security in their new world of work.
    Mountain View, CA-based mobile security platform MobileIron has looked at the impact that lockdown has had on employees’ working habits. It polled 1,200 workers across the US, UK, France, Germany, Belgium, the Netherlands, Australia, and New Zealand.
    The COVID-19 lockdown may have signalled the end for office working as we know it, as businesses shift towards the new way of working.
    The study showed that over four out of five (82%) of global participants agree they do not want to return to the office full-time, ever. This is despite one in three (30%) employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown.
    The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.
    These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. Over two in five (43%) of employees are not even sure what a phishing attack is.
    Two in three (66%) agree their employers have the right solutions and technologies in place to allow them to work from home, and 72% of employees agree that their mobile device has been important to ensuring their productivity during lockdown.
    There are four types of people who are adapting to the working from home environment:
    Hybrid workers split time equally between working at home and going into the office for face-to-face meetings. Although they like working from home, being isolated from teammates is the biggest hindrance to productivity.
    They depend on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive. They believe that IT security ensures productivity and enhances usability of devices, however, they are only somewhat aware of phishing attacks.
    Mobile workers work constantly on the go using a range of mobile devices, such as tablets and phones, rely on public Wi-Fi networks, remote collaboration tools, and cloud suites for work. They view unreliable technology as the biggest hindrance to productivity as they rely on mobile devices.
    They view IT security as a hindrance to productivity as it slows down the ability to get tasks done. They also believe that IT security compromises personal privacy. They are the most likely to click on a malicious link due to a heavy reliance on mobile devices.
    Desktop workers find being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office. They prefer to work on a desktop computer from a fixed location than on mobile devices.
    They rely heavily on productivity suites to communicate with colleagues in and out of the office, and view IT security as a low priority for the IT department to deal with. They are only somewhat aware of phishing attacks.
    Frontline workers work from fixed and specific locations, such as hospitals or retail shops. They rely on purpose-built devices and applications, such as medical or courier devices and applications, and are not as dependent on personal mobile devices for productivity as others.
    They realize that IT security is essential to enabling productivity, and can not afford to have any device or application down time, given the specialist nature of their work.
    Brian Foster, SVP of Product Management at MobileIron, said: “Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and are increasingly targeting them with phishing attacks.
    Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
    Mobile devices now play a more critical role than ever before in ensuring productivity, so securing mobile devices, apps, and users should be every CIO’s top priority. 
    If only they had the time to focus on security instead of trying to keep their business going.

    Seven mobile browsers vulnerable to address bar spoofing attacks

    An “address bar spoofing” vulnerability refers to a bug in a web browser that allows a malicious website to modify its real URL and show a fake one instead — usually one for a legitimate site.
    Address bar spoofing vulnerabilities have been around since the early days of the web, but they have never been so dangerous as they are today.
    While on desktop browsers there are various signs and security features that could be used to detect when malicious code alters the address bar to display a bogus URL, this is not possible on mobile browsers where screen size is at a premium, and many of the security features found in desktop browsers are missing.
    With the address bar being the only and last line of defense on mobile browsers, address bar spoofing vulnerabilities are many times more dangerous on smartphones and other mobile devices.
    Ten address bar spoofing bugs found in seven mobile browsers
    In a report published today by cyber-security firm Rapid7, the company said it worked with Pakistani security researcher Rafay Baloch to disclose ten new address bar spoofing vulnerabilities across seven mobile browser apps.
    Impacted browsers include big names like Apple Safari, Opera Touch, and Opera Mini, but also niche apps like Bolt, RITS, UC Browser, and Yandex Browser.
    The issues were discovered earlier this year and reported to browser makers in August. The big vendors patched the issues right away, while the smaller vendors didn’t even bother replying to the researchers, leaving their browsers vulnerable to attacks.

    “Exploitation all comes down to ‘JavaScript shenanigans’,” said Rapid7’s Research Director, Tod Beardsley.
    The Rapid7 exec says that by messing with the timing between when the page loads and when the browser gets a chance to refresh the address bar URL, a malicious site could force the browser to show the wrong address.
    A finer breakdown of the technical “shenanigans” behind each bug is available in Baloch’s own write-up.
    Exploiting any of these bugs requires (1) an outdated browser and (2) an attacker capable of luring users to malicious sites.
    Beardsley believes that attacks are easy to mount and recommends that users update their browsers as soon as possible or move to browsers that are not affected by these bugs.

    Git's move away from SHA-1: Version 2.29 brings experimental SHA-256 support

    The latest version of Linus Torvalds’ Git version-control system brings experimental support for the SHA-256 cryptographic hash, moving it away from its reliance on the less safe SHA-1.
    Google and other researchers in 2017 showed that the SHAttered SHA-1 collision attack made it cheaper than previously thought to cause a SHA-1 collision. A collision means two different inputs, in that case two PDFs with different content, produce the same SHA-1 hash value.

    The researchers highlighted that Git “strongly relies on SHA-1” for checking the integrity of file objects and commits. They argued SHA-1 was a tampering risk because it was possible to create “two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one”.
    Torvalds at the time said the SHA-1 collision attack did not mean the “sky is falling for Git”.
    “Git doesn’t actually just hash the data, it does prepend a type/length field to it”, wrote Torvalds. This made Git harder to attack than a PDF.
    However, since then researchers from France and Singapore discovered the SHA-1 ‘chosen-prefix collision attack’, a cheaper version of the SHA-1 collision attack conducted by Google two years earlier.
    GitHub, which uses Git, also put collision-detection mitigations in place at the time. Ever since SHAttered arrived, the Git project has been hardening its SHA-1 implementation and gradually enabling support for the safer SHA-256.
    With experimental SHA-256 in Git 2.29, developers can now write a repository’s objects using a SHA-256 hash of its contents rather than SHA-1. 
    “Git (and providers that use it, like GitHub) checks each object it hashes to see if there is evidence that that object is part of a colliding pair,” explained GitHub’s Taylor Blau.  
    “This prevents GitHub from accepting both the benign and malicious halves of the pair, since the mathematical tricks required to generate a collision in any reasonable amount of time can be detected and rejected by Git.”
    He points out that nevertheless any weaknesses in a cryptographic hash are a bad sign. 
    “Even though Git has implemented detections that prevent the known attacks from being carried out, there’s no guarantee that new attacks won’t be found and used in the future. So the Git project has been preparing a transition plan to begin using a new object format with no known attacks: SHA-256.”
    With Git 2.29, Git can operate in full SHA-1 or full SHA-256 mode, but this means there is currently no interoperability between repositories using the different object formats, SHA-1 or SHA-256.
    Interoperability will be enabled in future by way of a translation table, allowing SHA-256 repositories to interact with SHA-1 clients. Neither GitHub nor its rivals currently support hosting SHA-256-enabled repositories.
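    The type/length header Torvalds describes, and the separate SHA-1 and SHA-256 object IDs that make a translation table necessary, as an added Python example that is not Git’s or GitHub’s own code; the TranslationTable class is a toy stand-in I assume for illustration, and the known-answer values are Git’s empty-blob and "hello\n" object IDs.

```python
"""Git object IDs under SHA-1 and SHA-256, plus a toy translation table.

Constructed example, not Git's own code. Git hashes "<type> <size>\0" + data,
which is why a raw-file collision does not automatically become a Git object
collision: the attacker's colliding bytes are hashed behind a header.
"""
import hashlib

OBJECT_TYPES = ("blob", "tree", "commit", "tag")
HASH_ALGOS = ("sha1", "sha256")  # the two object formats Git 2.29 knows


def git_object_id(obj_type: str, data: bytes, algo: str = "sha1") -> str:
    """Return the hex object ID Git computes for `data` stored as `obj_type`.

    The header is prepended before hashing (Torvalds' point), so the digest
    covers b"blob 6\\0hello\\n", not just b"hello\\n".
    """
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {obj_type!r}")
    if algo not in HASH_ALGOS:
        raise ValueError("Git 2.29 repositories are either all-sha1 or all-sha256")
    header = f"{obj_type} {len(data)}\0".encode("ascii")
    return hashlib.new(algo, header + data).hexdigest()


def raw_hash(data: bytes, algo: str = "sha1") -> str:
    """Plain file hash, for comparison with the Git object ID of the same bytes."""
    return hashlib.new(algo, data).hexdigest()


class TranslationTable:
    """Toy stand-in (assumption) for the interoperability table the article mentions.

    Records both IDs of every object written so a SHA-256 repository could answer
    a SHA-1 client's lookup. Git 2.29 itself does not ship this.
    """

    def __init__(self) -> None:
        self._to_sha1: dict[str, str] = {}
        self._to_sha256: dict[str, str] = {}

    def add(self, obj_type: str, data: bytes) -> tuple[str, str]:
        """Store an object and return its (sha1_id, sha256_id) pair."""
        s1 = git_object_id(obj_type, data, "sha1")
        s256 = git_object_id(obj_type, data, "sha256")
        self._to_sha1[s256] = s1
        self._to_sha256[s1] = s256
        return s1, s256

    def sha1_for(self, sha256_id: str) -> str:
        return self._to_sha1[sha256_id]

    def sha256_for(self, sha1_id: str) -> str:
        return self._to_sha256[sha1_id]


if __name__ == "__main__":
    # Constructed sample object: the classic "hello\n" blob.
    table = TranslationTable()
    s1, s256 = table.add("blob", b"hello\n")
    print("sha1 object id  :", s1)     # ce013625030ba8dba906f756967f9e9ca394464a
    print("sha256 object id:", s256)
    print("raw sha1 of file:", raw_hash(b"hello\n"))  # differs: no header
    print("round trip ok   :", table.sha1_for(s256) == s1)
```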


    Ransomware gang donates part of ransom demands to charity organizations

    A ransomware gang has donated a part of the ransom demands it extorted from victims to charity organizations.
    Current recipients include Children International, a non-profit for sponsoring children in extreme poverty, and The Water Project, a non-profit aiming to provide access to clean and reliable water across sub-Saharan Africa.
    Each organization received 0.88 bitcoin (~$10,000) last week, according to transactions on the Bitcoin blockchain [1, 2].
    The sender was a ransomware group going by the name of Darkside.
    Active since August 2020, the Darkside group is a classic “big game hunter,” meaning it specifically goes after large corporate networks, encrypts their data, and asks huge ransom demands in the realm of millions of US dollars.
    If victims don’t pay, the Darkside group leaks their data online, on a portal they are operating on the dark web.
    “As we said in the first press release – we are targeting only large profitable corporations,” the Darkside group wrote in a page on their dark web portal, published on Monday.
    “We think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the group added, before posting proof of their two donations.

    This “press release,” as the group calls it, comes after a similar one published online in August, where the group promised not to encrypt files belonging to hospitals, schools, universities, non-profits, and the government sector.
    Whether they kept their promise is currently impossible to tell. Other ransomware gangs also promised not to attack the healthcare sector at the start of the COVID-19 pandemic, but eventually went back on their word.
    Further, the Darkside group isn’t the first cybercrime gang to donate money to charities and non-profits.
    In 2016, a hacker group going by the name of Phineas Fisher claimed they hacked a bank and donated the money to the Rojava autonomous Syrian province.
    In 2018, the GandCrab ransomware gang released free decryption keys for victims located in war-torn Syria.
    The GandCrab gang also added an exemption into their code that would not encrypt files for victims located in this country. Ironically, this unconventional exemption for Syrian victims is what helped security researchers tie the group to the REvil ransomware when the GandCrab group shut down and attempted to start a new operation under a new name (REvil, or Sodinokibi).

    Toyota to bring LTE to vehicles in Australia with Telstra and KDDI

    Toyota Motor Corporation Australia (TMCA) announced on Tuesday it was partnering with Telstra to bring LTE connectivity to “select TMCA vehicles” in late 2020.
    The connectivity will initially be used for “new safety and security services designed to provide customers with additional peace of mind”, the companies said.
    Details on the functionality are otherwise scant, with the platform used being built by Toyota and Japanese telco KDDI.
    At the start of last year, KDDI announced they would use AT&T to provide LTE connectivity to Toyota and Lexus vehicles in the US, which would allow for Wi-Fi hotspots within cars, remote start and climate control, diagnostics, safety connectivity, and the ability to download areas to navigation systems.
    Earlier on Tuesday, Minister for Home Affairs Peter Dutton announced that Telstra CEO Andy Penn would chair the Industry Advisory Committee, a permanent committee that would advise the government on cyber matters, and the implementation of the 2020 Cyber Security Strategy.
    Penn was the chair of the temporary industry advisory panel that provided 60 recommendations to feed into the strategy, which included the creation of the permanent committee.
    Joining Penn will be deputy chair of the committee and chair of AUCloud Cathie Reid; CSO of NBN Darren Kane; CEO of Northrop Grumman Australia Chris Deeble; NextDC, Megaport, and Superloop founder Bevan Slattery; CEO of Cyber Security Cooperative Research Centre Rachael Falk; CEO of Macquarie Telecom Group David Tudehope; trust and risk business leader at PwC Australia Corinne Best; NAB group executive for technology and enterprise operations Patrick Wright; and former Labor foreign minister and now chair of University of Western Australia Public Policy Institute Professor Stephen Smith.

    Home Affairs concerned with Facebook's plans to create world's 'biggest dark web'

    Secretary of Australia’s Department of Home Affairs Mike Pezzullo has shared his concerns on Facebook’s plans to create a brand new online space for nefarious activity.

    “We are particularly concerned about Facebook’s plans to go to end to end encryption of their entire platform to create, in effect, the world’s biggest dark web,” he told Senate Estimates on Tuesday.
    Pezzullo joined members of the Australian Federal Police (AFP) at the Senate Estimates, who detailed that there had been an increase of child sex offenders exploiting “both the clear web and the dark web” during the COVID-19 pandemic.
    The secretary said the AFP and his department were very concerned with the amount of traffic that had flipped over to the dark web.
    “Unlike the challenge that’s being dealt with by this Parliament in relation to encryption — at least with encryption you know where the devices are, you know where the server is, you can geolocate typically the administrator — the dark web … you start to lose the trace of where the devices are, where the IP addresses are, who is logging into these abhorrent sites, where the administrator is, where the server is,” Pezzullo said.
    “At some point, we’ll be chasing so much ground that it will be almost impossible for the deputy commissioner and his colleagues to do anything other than, to use a colloquial phrase, whack-a-mole. All the operations that are currently conducted essentially to run in effect virtual controlled operations and undercover operations, you’ll have so many of them that the adversary will simply be moving from platform to platform, server to server, network to network.”
    He pointed to the recently announced cybersecurity strategy, however, as a resource for providing his department and its law enforcement agencies with the mandate to “attack” the dark web.
    “We’re working very closely with the AFP and other agencies [on] how do we attack the dark web, how do we strip back the legitimate anonymity that on occasions, through VPNs and the like, is entitled and is available for use in relation to your privacy. What you’re not entitled to is then to use that anonymisation to hide these abhorrent criminal networks such that they basically disappear off the grid,” he continued.
    “The dark web is particularly pernicious and concerning from this point of view because it’s getting harder and harder to defeat the anonymisation capability and they can literally just disappear off the grid.
    “It will almost get to a point where we don’t know where these people are.”
    Pezzullo was asked if his department has thought of introducing a banking-style know your customer initiative where the burden would be on the tech giants to validate that a user is who they say they are.
    In response, the secretary pointed to the Digital Platforms work underway by the Australian Competition and Consumer Commission and took the question on notice, highlighting again that his concern was with the activities conducted on encrypted platforms.
    AFP Deputy Commissioner Brett Pointing also told the committee that there was currently work being done around protecting personnel from being exposed to the material they see to prosecute offenders.
    “No one should have to see [it],” he said. “So we’re actually doing a lot of work in the IT space to try and develop classification systems that limit the amount of time that our police are exposed to it.”

    UK says Russia was preparing cyber-attacks against the Tokyo Olympics

    The UK government said today that Russian hackers were preparing cyber-attacks against the organizers of the Tokyo Olympics and Paralympic Games that were set to take place this summer in Japan before they were postponed to next year due to the ongoing COVID-19 pandemic.
    Russian activity involved reconnaissance operations, according to a press release from the UK National Cyber Security Centre (NCSC).
    Targets included the Games’ organizers, logistics services, and sponsors, the UK government said in a separate press release.
    “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless,” said UK Foreign Secretary Dominic Raab.
    “We condemn them in the strongest possible terms.”
    UK authorities believe Russian hackers intended to sabotage the Olympic Games, similar to the cyber-attacks they carried out against the organizers of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, South Korea.
    In February 2018, Russian hackers deployed the OlympicDestroyer malware that crippled web servers during the opening ceremony of the 2018 Winter Olympics.
    The attacks were carried out because the International Olympic Committee had banned Russian athletes from participating at the event under the Russian flag, citing a state-sponsored doping program.
    The same ban, originally imposed for the Rio 2016 Summer Olympics, has also been extended to the Tokyo Olympics this year, with Russian athletes being banned from competing under the Russian flag again.
    Now, UK officials say that Russia appears to have been preparing similar attacks to sabotage the 2020 Olympics as well.
    UK officials said that a Russian hacking group known as Sandworm, the same group behind the OlympicDestroyer destructive attacks at the Pyeongchang Olympics, was responsible for these planned attacks.
    Sandworm hackers charged in the US
    The UK government’s statement coincided with the announcement of formal charges against six Sandworm members by the US Department of Justice earlier today.
    US officials charged Sandworm hackers for orchestrating not only the OlympicDestroyer attacks at the 2018 Pyeongchang Olympics but also a series of many other attacks, such as:
    attempts to sabotage Ukraine’s power grid in 2015 and 2016 with the BlackEnergy and Industroyer malware
    attempts to sabotage Ukrainian government networks with the KillDisk disk-wiping malware
    creating the NotPetya ransomware that caused a global outbreak in June 2017
    interfering in the French 2017 elections
    arranging cyber-attacks against the organizations investigating the Novichok poisonings in the UK
    mass-defacing thousands of Georgian sites in 2019
    US officials blamed these attacks on Sandworm, a hacker group they said was composed of members of Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency that is part of the Russian Army.
    In its press release today, the UK government formally confirmed the accusations put forward in the US indictments, and also exposed, and raised the alarm about, Sandworm’s planned attacks on Tokyo 2020 Olympics organizers.

    CyberCX pays AU$25m for Decipher Works and CloudTen

    CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has continued its expansion, this time scooping up a pair of local cybersecurity firms from ASX-listed Vortiv Limited for AU$25 million.
    Identity management firm Decipher Works and cloud security specialists CloudTen will join the cybersecurity megamix, subject to shareholder and regulatory approvals.
    CyberCX said both companies provide specialised solutions in the cybersecurity, identity, data analytics, and cloud services sector and have enterprise customer bases across financial services, education, government, transport, manufacturing, and services sectors.
    “We are committed to delivering the market-leading cloud security and identity security capability,” CyberCX CEO John Paitaridis said.
    “Decipher Works and CloudTen bring expertise and synergies that complement our mature cybersecurity capabilities and which will deepen CyberCX’s identity and cloud security expertise.”
    Paitaridis has touted that both businesses have impressive talent and capabilities.
    CyberCX, backed by private equity firm BGH Capital, in October 2019 brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as Paitaridis, who was formerly Optus Business’ managing director.
    Decipher Works and CloudTen join the growing list of companies now under the CyberCX umbrella, with two Melbourne-based startups, Basis Networks and Identity Solutions, being scooped up in July.
    A month later, CyberCX pushed into the New Zealand market, adding its first Kiwi acquisition in Insomnia Security.
    CyberCX has a workforce of over 600 cybersecurity professionals and a footprint of over 20 offices across Australia and New Zealand.