More stories

  • Hacker groups chain VPN and Windows bugs to attack US government networks

    Hackers have gained access to government networks by combining VPN and Windows bugs, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint security alert published on Friday.

    Attacks have targeted federal and state, local, tribal, and territorial (SLTT) government networks. Attacks against non-government networks have also been detected, the two agencies said.
    “CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised,” the security alert reads.
    “Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” officials also added.
    Attacks chained Fortinet VPN and Windows Zerologon bugs
    According to the joint alert, the observed attacks combined two security flaws known as CVE-2018-13379 and CVE-2020-1472.
    CVE-2018-13379 is a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premise VPN server designed to be used as a secure gateway to access enterprise networks from remote locations.
    CVE-2018-13379, disclosed last year, allows attackers to upload malicious files to unpatched systems and take over Fortinet VPN servers.
    CVE-2020-1472, also known as Zerologon, is a vulnerability in Netlogon, the protocol used by Windows workstations to authenticate against a Windows Server running as a domain controller.
    The vulnerability allows attackers to take over domain controllers, the servers used to manage entire internal/enterprise networks, which usually contain the passwords for all connected workstations.
    CISA and the FBI say attackers are combining these two vulnerabilities to hijack Fortinet servers and then pivot and take over internal networks using Zerologon.
    “Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” the two agencies also added.
    The joint alert didn’t provide details about the attackers except to describe them as “advanced persistent threat (APT) actors.”
    The term is often used by cyber-security experts to describe state-sponsored hacking groups. Last week, Microsoft said it observed the Iranian APT Mercury (MuddyWater), a threat actor known for targeting US government agencies in the past, exploiting the Zerologon bug in recent attacks.
    Danger of hackers chaining different VPN bugs
    Both CISA and the FBI recommended that entities in both the private and public US sector update systems to patch the two bugs, for which patches have been available for months.
    In addition, CISA and the FBI also warned that hackers could swap the Fortinet bug for any other vulnerability in VPN and gateway products that have been disclosed over the past few months and which provide similar access.
    This includes vulnerabilities in:
    Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
    Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
    Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
    MobileIron mobile device management servers (CVE-2020-15505)
    F5 BIG-IP network balancers (CVE-2020-5902)
    All the vulnerabilities listed above provide “initial access” to servers often used on the edge of enterprise and government networks. These vulnerabilities can also be easily chained with the Zerologon Windows bug for attacks similar to the Fortinet+Zerologon intrusions observed by CISA.

  • Dutton pushes against encryption yet again but oversight at home is slow

    “We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cybersecurity,” wrote a bunch of nations on the weekend — the Five Eyes, India, and Japan.

    As a statement of intent, it’s right up there with “Your privacy is very important to us”, “Of course I love you”, and “I’m not a racist but…”.
    At one level, there’s not a lot new in this latest International statement: End-to-end encryption and public safety.
    We like encryption, it says, but you can’t have it because bad people can use it too.
    “Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems,” the statement said.
    “Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children.”
    The obviously important law enforcement task of tackling child sexual abuse framed the rest of the statement’s two substantive pages too.
    End-to-end encryption should not come at the expense of children’s safety, it said. There was only a passing mention of “terrorists and other criminals”.
    This statement, like all those that have come before it, tries, but of course, fails to square the circle: A system either is end-to-end encryption, or it isn’t.
    According to renowned Australian cryptographer Dr Vanessa Teague, the main characteristic of this approach is “deceitfulness”.
    She focuses on another phrase in the statement, where it complains about “end-to-end encryption [which] is implemented in a way that precludes all access to content”.
    “That’s what end-to-end encryption is, gentlemen,” Teague tweeted.
    “So either say you’re trying to break it, or say you support it, but not both at once.”
    What’s interesting about this latest statement, though, is the way it shifts the blame further onto the tech companies for implementing encryption systems that create “severe risks to public safety”.
    Those risks are “severely undermining a company’s own ability to identify and respond to violations of their terms of service”, and “precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security, where there is lawful authority to do so”.
    Note the way each party’s actions are described.
    Law enforcement’s actions are reasonable, necessary, and proportionate. Their authorisation is “lawfully issued” in “limited circumstances”, and “subject to strong safeguards and oversight”. They’re “safeguarding the vulnerable”.
    Tech companies are challenged to negotiate these issues “in a way that is substantive and genuinely influences design decisions”, implying that right now they’re not.
    “We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity,” the statement said.
    The many solid arguments put forward explaining why introducing a back door for some actors introduces it for all? No, they’re mere assertions.
    “We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”
    This too is an assertion, of course, but the word “belief” sounds so much better, doesn’t it.
    The “war on mathematics” is a distraction
    As your correspondent has previously noted, however, the fact that encryption is either end-to-end or not may be a distraction. There are ways to access communications without breaking encryption.
    One obvious way is to access the endpoint devices instead. Messages can be intercepted before they’re encrypted and sent, or after they’ve been received and decrypted.
    In Australia, for example, the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) can require communications providers to install software that a law enforcement or intelligence agency has given them.
    Providers can also be made to substitute a service they provide with a different service. That could well include redirecting target devices to a different update server, so they receive the spyware as a legitimate vendor update.
    Doubtless there are other possibilities, all of which avoid the war on mathematics framing that some of the legislation’s opponents have been relying on.
    Australia is hasty to legislate but slow to review
    While Australia’s Minister for Home Affairs Peter Dutton busies himself with signing onto yet another anti-encryption manifesto, progress on the oversight of his existing laws has been slow.
    The review of the mandatory data retention regime, due to be completed by April 13 this year, has yet to be seen.
    This is despite the Parliamentary Joint Committee on Intelligence and Security having set itself a submissions deadline of 1 July 2019, and holding its last public hearing on 28 February 2020.
    The all-important review of the TOLA Act was due to report by September 30. Parliament has been in session since then, but the report didn’t appear.
    A charitable explanation would be that the government was busy preparing the Budget. With only three parliament sitting days, and a backlog of legislation to consider, other matters had to wait.
    A more cynical explanation might be that the longer it takes to review the TOLA Act, the longer it’ll be before recommended amendments can be made.
    Those amendments might well include having to implement the independent oversight proposed by the Independent National Security Legislation Monitor.
    Right now the law enforcement and intelligence agencies themselves can issue the TOLA Act’s Technical Assistance Notices and Technical Assistance Requests. One imagines they wouldn’t want to lose that power.
    Meanwhile, the review of the International Production Orders legislation, a vital step on the way to Australian law being made compatible with the US CLOUD Act, doesn’t seem to have a deadline of any kind.
    In this context, we should also remember the much-delayed and disappointing 2020 Cyber Security Strategy. That seems to have been a minimal-effort job as well.
    For years now, on both sides of Australian politics, national security laws have been hasty to legislate but slow to be reviewed. The question is, is it planned this way? Or is it simply incompetence?

  • Five Eyes governments, India, and Japan make new call for encryption backdoors


    Members of the intelligence-sharing alliance Five Eyes, along with government representatives for Japan and India, have published a statement over the weekend calling on tech companies to come up with a solution for law enforcement to access end-to-end encrypted communications.
    The statement is the alliance’s latest effort to get tech companies to agree to encryption backdoors.
    The Five Eyes alliance, comprised of the US, the UK, Canada, Australia, and New Zealand, made similar calls to tech giants in 2018 and 2019.
    Just like before, government officials claim tech companies have put themselves in a corner by incorporating end-to-end encryption (E2EE) into their products.
    If properly implemented, E2EE lets users have secure conversations — be they chat, audio, or video — without sharing the encryption key with the tech companies.
    Representatives from the seven governments argue that the way E2EE is currently supported on today’s major tech platforms prevents not only law enforcement from investigating crime rings, but also the tech platforms themselves from enforcing their own terms of service.
    Signatories argue that “particular implementations of encryption technology” are currently posing challenges to law enforcement investigations, as the tech platforms themselves can’t access some communications and provide needed data to investigators.
    This, in turn, allows a safe haven for criminal activity and puts the safety of “highly vulnerable members of our societies like sexually exploited children” in danger, officials argued.
    “We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions,” the seven governments said in a press release.
    “Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
    “Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
    “Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.”
    Officials said they are committed to working with tech companies on developing a solution that allows users to continue using secure, encrypted communications, but also allows law enforcement and tech companies to crack down on criminal activity.
    The seven governments called for encryption backdoors not only in encrypted instant messaging applications, but also for “device encryption, custom encrypted applications, and encryption across integrated platforms.”
    In December 2018, Australia was the first major democratic country to introduce an encryption-busting law.
    Similar efforts have also taken place in the US and Europe, but were less successful, primarily due to opposition from either tech companies, non-profits, or the general public.
    However, pressure has been mounting in recent years as Western governments seek to reach intelligence-gathering parity with China.

  • Children and parent info exposed in Georgia DHS data breach

    Information for children and parents was accessed by hackers over the summer, the Georgia Department of Human Services (DHS) said on Friday.


    The security breach took place over the spring. Georgia DHS officials said that between May 3, 2020, and May 15, 2020, hackers managed to gain access to several employee email accounts.
    Over the summer, officials said they learned that the intruders “had been able to retain” emails from the hacked accounts.
    The emails contained personal and health information of children and adults involved in Child Protective Services (CPS) cases of the DHS Division of Family & Children Services (DFCS).
    “The information that was compromised as part of the breach varies by person,” Georgia DHS officials said on Friday.
    “Individuals affected may have had the following types of information disclosed: full name of children and household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an identifier of whether face-to-face contact was medically appropriate, phone numbers, email addresses, social security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name and appointment dates.”
    Further, for 12 individuals, psychological reports, counseling notes, medical diagnoses, and substance abuse information was also included.
    Bank account information was not included, except for one individual, Georgia DHS officials said.
    The agency is currently in the process of notifying all affected individuals.
    A phone number (1-888-304-102) was also provided for individuals to call and check if their info was exposed.

  • New self-erasing chip could be used to detect counterfeit or tampered products

    A team of academics from the University of Michigan has developed self-powered and self-erasing chips that they hope could be used as an anti-counterfeit or tamper-detection system.
    The new chips have been built with the help of a new material that changes its color while it temporarily stores energy.
    The material consists of a three-atom-thick layer of semiconductor laid on top of a film of azobenzene molecules.
    The semiconductor is known as “beyond graphene,” and has a special property that it can emit light when its molecules vibrate at certain frequencies.
    When the two are combined, the azobenzene molecules pull on the “beyond graphene” semiconductor, causing it to vibrate in its special frequency range and emit light.
    This reaction effectively allows academics to “write” visible messages on the chip itself.
    However, azobenzene molecules also naturally shrink when exposed to ultraviolet light, such as that found in normal sunlight, meaning the chip can store its message in the dark but will be erased when exposed to the sun or artificial UV light.
    This makes this new material ideal for creating anti-counterfeit seals that can be applied to products to verify their authenticity or as tamper-detection systems that can be installed inside sensitive systems.
    For example, a barcode or QR code can be printed on chips installed inside commercial products or security systems. If the barcode is missing at an audit, the inspector can determine that a hardware product is a fake or that a secure system’s casing has been opened and the product was most likely tampered with.
    Currently, this material’s only downside is that it can store messages for at most seven days before the semiconductor and the azobenzene molecules stop interacting with each other and the chip self-clears.
    The next step for the University of Michigan team is to extend the material’s lifetime beyond the current week to something in the range of months to years, so that it could reliably be incorporated into commercial systems.

  • Document-signing service Docsketch discloses security breach

    Electronic document-signing service Docsketch is notifying customers about a security breach that took place over the past summer.

    In an email sent to customers and seen by ZDNet, the company said that an unauthorized third-party gained access to a copy of its database in early August this year.
    The database file contained a snapshot of the Docsketch service dated July 9, 2020, the company said.
    “This database contained contact information and form fields related to documents filled out by users and users’ recipients,” said Docsketch founder Ruben Gamez.
    Gamez said the intruder(s) didn’t access the documents themselves, but they could read what information users filled in inside the documents — such as names, signatures, personal data, and even payment card details, where required.
    In addition, the database also contained login information and user contacts (persons asked to fill in documents).
    Passwords were also included, but Docsketch said the password strings were salted and hashed. However, Gamez didn’t elaborate on the complexity and security of the salting and hashing mechanism; some hashing schemes can be cracked under certain conditions to reveal the original plaintext passwords.
    Docsketch is now notifying customers who it believes were affected. For users who believe they entered personal or financial details inside Docsketch-hosted documents, the company has provided additional steps they can take to protect themselves.
    Gamez said Docsketch has already secured its system and updated its infrastructure following the August intrusion.
    “We’re still working out the details but rest assured this is our top priority and we’re going to continue making significant security and infrastructure updates,” Gamez said.
    Docsketch is currently ranked in the Alexa Top 25,000 most popular websites on the internet.

  • German tech giant Software AG down after ransomware attack

    Software AG, one of the largest software companies in the world, suffered a ransomware attack last weekend, and the company has not yet fully recovered from the incident.
    A ransomware gang going by the name of “Clop” breached the company’s internal network on Saturday, October 3, encrypted files, and asked for more than $20 million to provide the decryption key.
    Earlier today, after negotiations failed, the Clop gang published screenshots of the company’s data on a website the hackers operate on the dark web (a so-called leak site).
    The screenshots show employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.

    Software AG disclosed the incident on Monday when it revealed it was facing disruptions on its internal network “due to [a] malware attack.”
    The company said that services to customers, including its cloud-based services, remained unaffected and that it was not aware “of any customer information being accessed by the malware attack.” Software AG walked back this statement in a press release two days later, when it admitted to finding evidence of data theft.
    The message about the attack remained on its official website homepage all week, including today.
    Software AG did not return phone calls today for additional details or comments about the incident.
    A copy of the ransomware binary used against Software AG was discovered earlier this week by security researcher MalwareHunterTeam. The $20+ million ransom demand is one of the largest ransom demands ever requested in a ransomware attack.

    The ID provided in the ransom note allows security researchers to view the online chats between the Clop gang and Software AG on a web portal managed by the ransomware group. At the time of writing, there is no evidence the German company paid the ransom demand.

    Software AG is Germany’s second-largest company with more than 10,000 enterprise customers across 70 countries. Some of the company’s most recognizable customers include Fujitsu, Telefonica, Vodafone, DHL, and Airbus.
    Its product line includes business infrastructure software such as database systems, enterprise service bus (ESB) frameworks, service-oriented architecture (SOA) tooling, and business process management systems (BPMS).

  • Chrome changes how its cache system works to improve privacy


    Google has changed how a core component of the Chrome browser works in order to add additional privacy protections for its users.
    Known as the HTTP Cache or the Shared Cache, this Chrome component works by saving copies of resources loaded on a web page, such as images, CSS files, and JavaScript files.
    The idea is that when a user revisits the same site or visits another website where the same files are used, Chrome will load them from its internal cache, rather than waste time re-downloading each file all over again.
    This component has been present not only inside Chrome but inside all web browsers since the early days of the internet, where it served as a bandwidth-saving feature.
    In all browsers, the cache system usually works in the same way. Each image, CSS, or JS file saved in the cache receives a storage key that is usually the resource’s URL.
    For example, the storage key for an image would be the image URL itself: https://x.example/doge.png.
    When the browser loads a new page, it would search for the key (URL) inside its internal cache database and see if it needed to download the image or load it from the cache.
    The old HTTP Cache system was open to abuse
    Unfortunately, across the years, web advertising and analytics firms realized that this very same feature could also be abused to track users.
    “This mechanism has been working well from a performance perspective for a long time,” said Eiji Kitamura, Developer Advocate at Google.
    “However, the time a website takes to respond to HTTP requests can reveal that the browser has accessed the same resource in the past, which opens the browser to security and privacy attacks.”
    These include the likes of:
    Detect if a user has visited a specific site: An adversary can detect a user’s browsing history by checking if the cache has a resource that might be specific to a particular site or cohort of sites.
    Cross-site search attack: An adversary can detect if an arbitrary string is in the user’s search results by checking whether a ‘no search results’ image used by a particular website is in the browser’s cache.
    Cross-site tracking: The cache can be used to store cookie-like identifiers as a cross-site tracking mechanism.
    Cache partitioning activated in Chrome 86
    But with Chrome 86, released earlier this week, Google has rolled out important changes to this mechanism.
    Known as “cache partitioning,” this feature works by changing how resources are saved in the HTTP cache based on two additional factors. From now on, a resource’s storage key will contain three items, instead of one:
    The top-level site domain (http://a.example)
    The resource’s current frame (http://c.example)
    The resource’s URL (https://x.example/doge.png)

    By adding additional keys to the cache pre-load checking process, Chrome has effectively blocked all the past attacks against its cache mechanism, as most website components will only have access to their own resources and won’t be able to check resources they have not created themselves.
    There are, however, some scenarios where the cache might still be shared, but the attack surface is far smaller than before.
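    To make the storage-key change concrete, here is an added example, not Chrome’s code: a toy in-memory HTTP cache that can be keyed the old way (URL only) or the Chrome 86 way (top-level site, frame origin, URL). It replays the “detect if a user has visited a specific site” case from the list above and the third-party widget case behind the extra network traffic the article mentions. The site names, resource URLs, and the simplification that a frame’s origin stands in for its “site” are assumptions made for illustration.

```javascript
// Added example (not Chrome's code): a toy HTTP cache keyed the old way (URL
// only) and the Chrome 86 way (top-level site, frame origin, URL), used to show
// why a shared cache leaks browsing history and why partitioning stops it.

function storageKey(partitioned, ctx, url) {
  // Assumption for simplicity: the top-level and frame origins stand in for
  // "site"; real browsers use the registrable domain (eTLD+1) for the site key.
  return partitioned ? `${ctx.topLevelSite}|${ctx.frameOrigin}|${url}` : url;
}

class ToyHttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
    this.networkFetches = 0;
  }
  // A frame in context ctx loads url. "hit" means served from cache; "miss"
  // means fetched from the network and then stored under the computed key.
  load(ctx, url) {
    const key = storageKey(this.partitioned, ctx, url);
    if (this.entries.has(key)) return "hit";
    this.networkFetches += 1;
    this.entries.set(key, { url, firstLoadedBy: ctx.topLevelSite });
    return "miss";
  }
}

// Constructed scenario 1 (history sniffing): the victim visits bank.example,
// whose page loads a resource only that site uses. Later attacker.example loads
// the same URL and observes whether it came back instantly (a cache hit).
// Returns true when the attacker learns the victim visited bank.example.
function historySniff(partitioned) {
  const cache = new ToyHttpCache(partitioned);
  const probe = "https://bank.example/no-results.png";
  const victim = { topLevelSite: "https://bank.example", frameOrigin: "https://bank.example" };
  const attacker = { topLevelSite: "https://attacker.example", frameOrigin: "https://attacker.example" };
  cache.load(victim, probe);                      // legitimate first load, now cached
  return cache.load(attacker, probe) === "hit";   // true == history leaked
}

// Constructed scenario 2 (the cost side): a script from cdn.example included
// by two different top-level sites, then loaded again by the first. With one
// shared key the second site reuses the first site's copy; partitioned, each
// top-level site fetches its own copy, so network fetches go from 1 to 2.
function widgetNetworkFetches(partitioned) {
  const cache = new ToyHttpCache(partitioned);
  const widget = "https://cdn.example/widget.js";
  const siteA = { topLevelSite: "https://a.example", frameOrigin: "https://a.example" };
  const siteB = { topLevelSite: "https://b.example", frameOrigin: "https://b.example" };
  cache.load(siteA, widget);
  cache.load(siteB, widget);
  cache.load(siteA, widget);   // still a hit under partitioning: same site, same frame
  return cache.networkFetches;
}

console.log("history leaked, shared cache:", historySniff(false));
console.log("history leaked, partitioned: ", historySniff(true));
console.log("widget fetches, shared/partitioned:", widgetNetworkFetches(false), widgetNetworkFetches(true));
```

    The partitioned cache still serves repeat loads within the same top-level site, which is why users and developers see no functional change; the only visible cost is the duplicate fetch of shared third-party resources across sites.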
    Coming to other browsers
    Google has been testing cache partitioning since Chrome 77, released in September 2019, and said the new system wouldn’t have any impact on users or developers.
    The only ones who will see a change are website owners, who are likely to observe an increase in network traffic of around 4%.
    Cache partitioning is currently active only in Chrome but is also available to other browsers based on the Chromium open-source code, all of which are most likely to deploy it as well in the upcoming months. This includes the likes of Edge, Brave, Opera, Vivaldi, and others.
    Mozilla has also announced similar plans to implement Chrome’s cache partitioning mechanism, but there’s no deadline when this will land in Firefox just yet.
    Apple, the other major browser vendor, has been using a limited cache partitioning system since early 2019. However, Safari’s cache partitioning system only uses two checks (#1 and #3), instead of Chrome’s more thorough three checks.
    “Cache partitioning is a good practice that most of the browsers created by major companies should be utilizing,” John Jackson, an Application Security Engineer at Shutterstock, told ZDNet today.
    “It’s been repeatedly proven over the years that side-channel attacks occur as a result of a unified cache. Side-channel attacks have resulted in attackers acquiring tokens, email addresses, credit card numbers, phone numbers, browsing history, etc.
    “It’s good to see that Google is getting the ball rolling on a security practice that should have already been implemented,” Jackson added.