More stories

  • Microsoft releases emergency security updates for Windows and Visual Studio

    Microsoft has published today two out-of-band security updates to address security issues in the Windows Codecs library and the Visual Studio Code application.

    The two updates arrive after the company's monthly batch of security updates, released on Tuesday, which patched 87 vulnerabilities.
    Both new vulnerabilities are remote code execution flaws, allowing attackers to run code on affected systems.
    Windows Codecs Library vulnerability
    The first bug is tracked as CVE-2020-17022. Microsoft says an attacker can craft a malicious image that, when processed by an application running on Windows, allows the attacker to execute code on an unpatched system.
    All Windows 10 versions are impacted.
    Microsoft said the update for this library is installed automatically through the Microsoft Store.
    Only users who have installed the optional HEVC or "HEVC from Device Manufacturer" media codecs from the Microsoft Store are affected. HEVC is not available for offline distribution, only via the Microsoft Store, and the library is not supported on Windows Server.
    To check whether a vulnerable HEVC codec is installed, open Settings > Apps & features, select HEVC, then Advanced options. Patched versions are 1.0.32762.0 and 1.0.32763.0 and later.
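    The Settings check above can be automated. The following is an added example written for this page, not Microsoft's tooling: it queries the installed Store packages with PowerShell's Get-AppxPackage and compares the version numerically against the patched builds the article names. The package-name wildcard Microsoft.HEVCVideoExtension* is an assumption about how the two codec packages are named; the comparison logic itself runs anywhere and avoids the usual mistake of comparing dotted versions as strings.

```python
import platform
import subprocess
from typing import List, Tuple

# Patched versions named in the article: 1.0.32762.0 and 1.0.32763.0 or later.
MIN_PATCHED = (1, 0, 32762, 0)

# Assumption: the Store package names start with Microsoft.HEVCVideoExtension
# (both the Store codec and the "from Device Manufacturer" variant match this glob).
PACKAGE_GLOB = "Microsoft.HEVCVideoExtension*"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '1.0.32762.0' into integers so the comparison is numeric.

    A plain string comparison gets this wrong: '1.0.4000.0' > '1.0.32762.0' as text,
    even though build 4000 is far older than build 32762.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    return parse_version(version) >= MIN_PATCHED


def assess(packages: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Given (package name, version) pairs, report which installs are patched."""
    return [(name, ver, is_patched(ver)) for name, ver in packages]


def installed_hevc_packages() -> List[Tuple[str, str]]:
    """Ask PowerShell for the installed HEVC packages. Windows only; [] elsewhere."""
    if platform.system() != "Windows":
        return []
    script = (f"Get-AppxPackage -Name '{PACKAGE_GLOB}' | "
              "ForEach-Object { $_.Name + ' ' + $_.Version }")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                         capture_output=True, text=True, check=False).stdout
    pairs = []
    for line in out.splitlines():
        if line.strip():
            name, ver = line.split(None, 1)
            pairs.append((name, ver.strip()))
    return pairs


if __name__ == "__main__":
    found = installed_hevc_packages()
    if not found:
        print("No HEVC codec package found (or not running on Windows): not affected.")
    for name, ver, ok in assess(found):
        print(f"{name} {ver}: {'patched' if ok else 'VULNERABLE - update via Microsoft Store'}")
```

    Run it in an elevated or normal PowerShell session; a machine without either codec package prints nothing to fix, which matches Microsoft's statement that only Store-installed HEVC users are affected.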
    Visual Studio Code vulnerability
    The second bug is tracked as CVE-2020-17023. Microsoft says an attacker can craft a malicious package.json file that, when loaded in Visual Studio Code, executes the attacker's code.
    Depending on the user's permissions, that code could run with administrator privileges and give the attacker full control over the host.
    package.json files are the standard manifest for JavaScript libraries and projects; JavaScript, and especially its server-side runtime Node.js, is among today's most widely used technologies.
    Visual Studio Code users are advised to update to the latest version as soon as possible.

  • Google says it mitigated a 2.54 Tbps DDoS attack in 2017, largest known to date

    The Google Cloud team revealed today a previously undisclosed DDoS attack that targeted Google services in September 2017 and peaked at 2.54 Tbps, making it the largest DDoS attack disclosed to date.

    In a separate report published at the same time, Google's Threat Analysis Group (TAG), the security team that tracks high-end threat groups, said the attack was carried out by a state-sponsored threat actor.
    TAG researchers said the attack came from China, having originated from within the network of four Chinese internet service providers (ASNs 4134, 4837, 58453, and 9394).
    Damian Menscher, a Security Reliability Engineer for Google Cloud, said the 2.54 Tbps peak was “the culmination of a six-month campaign” that utilized multiple methods of attacks to hammer Google’s server infrastructure.
    Menscher didn’t reveal which services were targeted.
    “The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us,” Menscher said.
    “This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier [in 2016].”
    Furthermore, this attack is also larger than the 2.3 Tbps DDoS attack that targeted Amazon’s AWS infrastructure in February this year.
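    What Menscher describes is reflection and amplification: spoofed requests carrying the victim's address go to open CLDAP, DNS and SMTP servers, which reply to the victim with responses that are larger than the requests (or, for TCP services such as SMTP, repeated SYN-ACK retransmits). The following is an added example, not Google's code, of how a defender spots that pattern in flow telemetry: it groups inbound traffic by destination and reflector service, and flags a destination that receives oversized or high-rate traffic from many distinct servers at once. The flow records, their text format and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

# The three reflector services Google named: CLDAP (UDP/389), DNS (UDP/53), SMTP (TCP/25).
# Keyed by (IP protocol number, source port of the reflected traffic).
REFLECTOR_SERVICES = {(17, 389): "CLDAP", (17, 53): "DNS", (6, 25): "SMTP"}


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int      # 17 = UDP, 6 = TCP
    packets: int
    bytes: int


# Constructed flow records (not real capture data). Four CLDAP reflectors and three
# SMTP reflectors hit 203.0.113.10; the last line is an ordinary DNS answer to a
# client and must not be flagged.
SAMPLE_FLOWS = """
# src_ip       sport dst_ip        dport proto pkts  bytes
192.0.2.1      389   203.0.113.10  4456  17    1000  3000000
192.0.2.2      389   203.0.113.10  4456  17    1000  3000000
192.0.2.3      389   203.0.113.10  4456  17    1000  3000000
192.0.2.4      389   203.0.113.10  4456  17    1000  3000000
198.51.100.20  25    203.0.113.10  443   6     5000  300000
198.51.100.21  25    203.0.113.10  443   6     5000  300000
198.51.100.22  25    203.0.113.10  443   6     5000  300000
192.0.2.53     53    198.51.100.5  51515 17    1     120
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated sample format above; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        s, sp, d, dp, pr, pk, by = line.split()
        flows.append(Flow(s, int(sp), d, int(dp), int(pr), int(pk), int(by)))
    return flows


def find_reflection_victims(flows: List[Flow], min_reflectors: int = 3,
                            min_avg_bytes: int = 512,
                            min_packets: int = 10_000) -> Dict[str, Dict[str, dict]]:
    """Group service->host flows by (destination, service) and flag destinations that
    receive traffic from many distinct reflectors which is either oversized (amplified
    UDP responses) or very high-rate (TCP SYN-ACK retransmits). Thresholds are assumptions.
    Returns {victim_ip: {service: {"reflectors", "packets", "bytes", "avg_bytes"}}}.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        service = REFLECTOR_SERVICES.get((f.proto, f.src_port))
        if service is None:
            continue
        g = groups[(f.dst_ip, service)]
        g["reflectors"].add(f.src_ip)
        g["packets"] += f.packets
        g["bytes"] += f.bytes

    victims: Dict[str, Dict[str, dict]] = {}
    for (dst, service), g in groups.items():
        avg = g["bytes"] // g["packets"] if g["packets"] else 0
        many_sources = len(g["reflectors"]) >= min_reflectors
        if many_sources and (avg >= min_avg_bytes or g["packets"] >= min_packets):
            victims.setdefault(dst, {})[service] = {
                "reflectors": len(g["reflectors"]), "packets": g["packets"],
                "bytes": g["bytes"], "avg_bytes": avg}
    return victims


if __name__ == "__main__":
    for victim, services in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        for service, s in services.items():
            print(f"{victim}: {s['reflectors']} {service} reflectors, "
                  f"{s['packets']} pkts, avg {s['avg_bytes']} B/pkt")
```

    The two tests are deliberately different: CLDAP and DNS amplification shows up as a large average packet size, whereas SMTP reflection over TCP produces small packets in large numbers, so a detector keyed on packet size alone would miss a third of the attack Menscher describes.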
    Google kept the attack private for three years and is disclosing it now for two reasons.
    The Google TAG team wanted to raise awareness of an increasing trend of nation-state hacker groups using DDoS attacks to disrupt targets.
    The Google Cloud team also wanted to point out that DDoS attacks will intensify in the coming years as internet bandwidth increases.
    In a report published on Wednesday, data center company Equinix predicted an increase of roughly 45% (~16,300+ Tbps) in global interconnection bandwidth by 2023.

  • Singapore releases AI ethics, governance reference guide

    Singapore businesses looking to adopt artificial intelligence (AI) technologies responsibly now can access a reference document to help them do so. The AI Ethics & Governance Body of Knowledge (BoK) is touted to provide a reference guide for business leaders and IT professionals on the ethical aspects related to the development as well as deployment of AI technologies.
    Launched by industry group Singapore Computer Society (SCS), the BoK was put together based on the expertise of more than 60 individuals from multi-disciplinary backgrounds, with the aim to aid in the “responsible, ethical, and human-centric” deployment of AI for competitive advantage. It encompasses use cases to outline the positive and negative outcomes of AI adoption, and looks at the technology’s potential to support a “safe” ecosystem when utilised properly.
    The BoK was developed based on Singapore's latest Model AI Governance Framework, which was updated in January 2020, and will be regularly updated as the local digital landscape evolves, said SCS during its launch on Friday.

    Founded in 1967, the industry group has more than 42,000 members and offers a range of services to support its members, including training and development and networking opportunities. SCS comprises 11 chapters including AI and robotics, cybersecurity, and Internet of Things, as well as five interest groups that include blockchain and data centre.
    Noting that AI sought to inject intelligence into machines to mimic human action and thought, SCS President Chong Yoke Sin said rogue or misaligned AI algorithms with unintended bias could cause significant damage. This underscored the importance of ensuring AI was used ethically.
    “On the other hand, stifling innovation in the use of AI will be disastrous as the new economy will increasingly leverage AI,” Chong said, as she stressed the need for a balanced approach that prioritised human safety and interests. 
    Speaking during SCS’ Tech3 Forum, Singapore’s Minister for Communications and Information S. Iswaran further underscored the need to build trust with the responsible use of AI in order to drive the adoption and extract the most benefits from the technology. 
    “Responsible adoption of AI can boost companies’ efficiencies, facilitate decision-making, and help employees upskill into more enriching and meaningful jobs,” Iswaran said. “Above all, we want to build a progressive, safe, and trusted AI environment that benefits businesses and workers, and drives economic transformation.”
    The launch of a reference guide would provide businesses access to a counsel of experts proficient in AI ethics and governance, so they could deploy the technology responsibly, the minister said. 
    “[The BoK] will guide the development of curricula on AI ethics and governance. It will also form the basis of future training and certification for professionals — both in the ICT and non-ICT domains. These professionals will serve as advisors for businesses on the responsible implementation of AI solutions,” he said. 
    Chong noted that the focal point was the individual using or affected by AI. 
    "It is not merely the technology and methodologies, but the human that should be at the centre of our analysis and decision-making," she said. "Around this core are secondary principles and values, such as auditability and robustness, that help us achieve this core set of putative global norms for ethical AI."
    Alongside the release of the reference guide, SCS also announced a partnership with Nanyang Technological University (NTU) to develop an AI ethics and governance certification course for professionals. 
    Slated for launch next year, the course aimed to train and certify professionals to help and advise organisations on AI ethics and governance. It would be incorporated into NTU’s upcoming MiniMasters programme in AI and AI ethics, designed to guide participants in understanding and solving problems brought about by the adoption of AI. 
    Singapore in May announced plans to develop a framework to ensure the “responsible” adoption of AI and data analytics in credit risk scoring and customer marketing. Two teams comprising banks and industry players were tasked to establish metrics to help financial institutions ensure the “fairness” of their AI and data analytics tools in these instances. A whitepaper detailing the metrics was scheduled to be published by year-end, along with an open source code to enable financial institutions to adopt the metrics. 

  • Ransomware: Once you've been hit your business is never the same again

    Getting hit with a ransomware attack damages an organisation in many ways – from stopping it being able to fully operate for weeks, to angry customers and potential reputational damage. But a ransomware attack also has a human cost, affecting the confidence of IT and information security teams and potentially for a long time after the initial attack.
    A new research paper by cybersecurity company Sophos says the extent of this confidence hit is so significant that the culture at these companies is never the same again. That is perhaps not surprising, as there are suggestions that suffering a major attack makes an organisation more likely to be hit again, because criminals identify it as a company that could be an easy target.
    According to the survey, nearly three times as many IT and information security staff in organisations which have been hit by a ransomware attack feel as if their organisation is ‘significantly behind’ when it comes to facing cyber threats, compared with those in organisations which haven’t suffered a ransomware attack.
    That lack of confidence also extends to business leadership, where management of a company hit by ransomware will also perceive the company to be significantly behind on cyber threats, compared with companies which haven’t.
    More than one third of ransomware victims said that recruiting and retaining skilled IT security professionals was their single biggest challenge when it comes to cybersecurity, compared with just 19% of those who hadn’t been hit.
    Being hit with a ransomware attack also appears to have an impact on re-skilling and training employees, with the results of the survey suggesting that organisations which have fallen victim to a ransomware attack are more likely to implement ‘human-led’ threat hunting on their networks over those which haven’t been hit.
    The idea is that by having human eyes on the network, it could be easier to spot unusual activity which could be the hallmark of an incoming cyber attack.
    This could prove important for organisations that have already fallen victim to ransomware, since they may also find themselves more exposed to additional cyber threats after an incident.
    The report suggests that almost a third of organisations hit with ransomware have five or more third-party suppliers directly connected to their network.
    Third-party suppliers have become a significant entry point for cyber attackers, so by having defenders monitor the supply chain, it could go a long way to preventing ransomware and other kinds of cyber attacks. Unfortunately, it seems that in some circumstances, falling victim to a ransomware attack is what’s required to shift attitudes to security.
    “The difference in resource priorities could indicate that ransomware victims have more incidents to deal with overall,” said Chester Wisniewski, principal research scientist at Sophos.
    “However, it could equally indicate that they are more alert to the complex, multi-stage nature of advanced attacks and therefore put greater resource into detecting and responding to the tell-tale signs that an attack is imminent,” he added.
    However, despite the number of organisations which have fallen victim to cyber attacks, the report concludes that it’s “encouraging” how information security teams are evolving, especially when it comes to reacting to ever-evolving threats.


  • Azure Defender for IoT enters public preview

    Microsoft's security solution for smart devices and industrial equipment, known as Azure Defender for IoT, has entered public preview this week.

    Azure Defender for IoT (previously Azure Security Center for IoT) was announced earlier this month at the Microsoft Ignite 2020 developer conference.
    The product is a security solution for companies that manage IoT (Internet of Things) or OT (Operational Technology, aka industrial equipment) networks.
    Smart devices and industrial equipment usually lack the resources to run dedicated security software, or their firmware does not allow add-on software to be installed.
    Additionally, IoT and OT systems run specialised industrial protocols (Modbus, DNP3, BACnet, etc.) that classic antivirus and security software is not designed to inspect.
    Azure Defender for IoT is a solution for companies that have large fleets of IoT/OT gear and works by passively inspecting all the network traffic inside a company to discover, inventory, and then monitor IoT and OT devices.
    “You can deploy these capabilities fully on-premises without sending any data to Azure,” said Phil Neray, Director of Azure IoT Security Strategy at Microsoft. “Or, you can deploy in Azure-connected environments using our new native connector to integrate IoT/OT alerts into Azure Sentinel, benefiting from the scalability and cost benefits of the industry’s first cloud-native SIEM/SOAR platform.”
    For any threats detected on a network, Azure Defender for IoT sends an alert to a local on-premises dashboard or to a cloud-based Azure Sentinel instance.
    Detection capabilities include the likes of:
    Unauthorized device connected to the network
    Unauthorized connection to the internet
    Unauthorized remote access
    Network scanning operation detected
    Unauthorized PLC programming
    Changes to firmware versions
    “PLC Stop” and other potentially malicious commands
    Device is suspected of being disconnected
    Ethernet/IP CIP service request failure
    BACnet operation failed
    Illegal DNP3 operation
    Master-slave authentication error
    Known malware detected (e.g., WannaCry, EternalBlue)
    Unauthorized SMB login
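
    To show what passive inspection of an industrial protocol looks like in practice, here is an added example, written for this page and not Azure Defender for IoT's own logic, that decodes Modbus/TCP frames (one of the protocols the article names) and raises alerts of the kind listed above: an unauthorized device, an unauthorized write to a PLC, a non-standard function code, and a malformed frame. The hosts, the device inventory, the sample frames and the policy are all constructed; function code 90 stands in for any vendor-specific code and is not a claim about a particular product.

```python
import struct
from typing import List, NamedTuple, Optional, Set, Tuple

# Subset of the standard Modbus public function codes. Writes change process state.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes   # TCP payload on port 502: 7-byte MBAP header followed by the PDU


def build_modbus(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus(payload: bytes) -> Optional[dict]:
    """Decode the MBAP header and function code; None if the frame is malformed."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}


def monitor(packets: List[Packet], plcs: Set[str], inventory: Set[str],
            engineering_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Passive policy check over frames destined for PLCs; returns (src, dst, alert).
    One alert per frame, checked in this order: unknown source, malformed frame,
    unknown function code, write from a host that is not an engineering workstation.
    """
    alerts = []
    for p in packets:
        if p.dst not in plcs:
            continue
        if p.src not in inventory:
            alerts.append((p.src, p.dst, f"Unauthorized device: {p.src} not in inventory"))
            continue
        frame = parse_modbus(p.payload)
        if frame is None:
            alerts.append((p.src, p.dst, "Malformed Modbus frame"))
            continue
        name = MODBUS_FUNCTIONS.get(frame["fc"])
        if name is None:
            alerts.append((p.src, p.dst, f"Unknown function code {frame['fc']} to unit {frame['unit']}"))
        elif frame["fc"] in WRITE_FUNCTIONS and p.src not in engineering_hosts:
            alerts.append((p.src, p.dst, f"Unauthorized write: {name} (FC {frame['fc']}) to unit {frame['unit']}"))
    return alerts


# Constructed network: one PLC, an HMI that should only read, an engineering
# workstation allowed to write, and a host nobody has inventoried.
PLC, HMI, ENG, ROGUE = "10.0.0.50", "10.0.0.10", "10.0.0.20", "10.0.0.99"
PLCS = {PLC}
INVENTORY = {PLC, HMI, ENG}
ENGINEERING_HOSTS = {ENG}

SAMPLE_PACKETS = [
    Packet(HMI, PLC, build_modbus(1, 1, 3, struct.pack(">HH", 0, 10))),       # read: fine
    Packet(ENG, PLC, build_modbus(2, 1, 16, struct.pack(">HHB", 100, 2, 4)
                                  + struct.pack(">HH", 1, 2))),               # sanctioned write
    Packet(HMI, PLC, build_modbus(3, 1, 6, struct.pack(">HH", 100, 1))),      # HMI writes: alert
    Packet(ROGUE, PLC, build_modbus(4, 1, 5, struct.pack(">HH", 7, 0xFF00))), # unknown host: alert
    Packet(ENG, PLC, build_modbus(5, 1, 90, b"\x00")),                         # non-standard FC: alert
    Packet(ENG, PLC, b"\x00\x06\x00\x00\x00\x09\x01\x03"),                     # length field lies: alert
]


def run_sample() -> List[Tuple[str, str, str]]:
    return monitor(SAMPLE_PACKETS, PLCS, INVENTORY, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for src, dst, alert in run_sample():
        print(f"{src} -> {dst}: {alert}")
```

    The point of the inventory and the engineering-host allowlist is that in OT networks the legitimate traffic pattern is static enough to be written down: a read from the HMI is normal, the same HMI issuing a write is not, and anything from an address that was never inventoried is worth an alert before its function code is even examined.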

    Azure Defender for IoT sample alert
    Microsoft says Azure Defender for IoT comes with out-of-the box integration with third-party IT security tools like Splunk, IBM QRadar, and ServiceNow.
    It also can work out-of-the-box with existing OT environments using automation equipment from all major OT suppliers, such as Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, and Yokogawa.
    Neray said Azure Defender for IoT would be free of charge during the public preview.

  • Data watchdog issues biggest ever fine over airline cyberattack

    British Airways has been fined £20 million for "unacceptable" failures that led to the personal details of hundreds of thousands of customers being stolen by hackers in 2018.
    The fine is the largest financial penalty issued by the UK's Information Commissioner's Office (ICO) to date and was issued under the GDPR data protection regulation.


    The incident started in summer 2018 and went undetected by the airline for over two months, before being finally publicly disclosed in September 2018.
    Over 400,000 British Airways customers who used the website during the summer of 2018 were redirected to a fraudulent website run by cyber criminals who harvested personal details including names, addresses and payment card information.
    An investigation by the ICO concluded that British Airways should have been able to identify the cybersecurity weaknesses and resolve them with security measures available at the time.
    “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham.
    “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
    The ICO's investigation concluded that there were numerous measures British Airways could have taken to mitigate the attack that were not in use.
    These include limiting access to applications to only what a user's role requires, rigorous testing of cybersecurity, and protecting accounts with multi-factor authentication.
    The ICO notes that none of these measures would have required "excessive cost or technical barriers"; they were available at the time but were not deployed.
    The investigation also concluded that it’s “not clear” whether British Airways would have identified the attack themselves, having only been alerted to the incident by a third party. The ICO considers this a “severe failing” because of the number of people who had their data compromised by the attack.
    However, in the years since the attack, the ICO notes that British Airways has made “considerable” improvements to information security procedures.
    “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations,” a British Airways spokesperson told ZDNet.
    “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
    The ICO initially issued BA with a notice of intent to fine in June last year and has come to the final figure of £20m based on regulatory processes – and the impact COVID-19 has had on the business.
    “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” said Denham.

  • Billionaire CEO of software company indicted for alleged $2 billion tax evasion schemes

    The billionaire chief executive of Ohio-based Reynolds and Reynolds Co, Robert Brockman, has been indicted on charges of tax evasion and wire fraud conducted over “decades.”

    The scheme, in which roughly $2 billion was hidden away in offshore accounts and through money laundering, took place between 1999 and 2019, the US Department of Justice (DoJ) said on Thursday. 
    According to the indictment (.PDF), the resident of both Houston, Texas, and Pitkin County, Colorado allegedly used a “web” of offshore organizations in Bermuda and Nevis to hide the profits he made from investments in private equity funds. 
    Brockman squirreled away his capital gains and also tampered with the evidence of his alleged activities, prosecutors say, by methods including backdating records and using “encrypted communications and code words” to communicate with co-conspirators, including the phrases “Permit,” “King,” and “Redfish.”
    A ranch, luxury home, and yacht were among the purchases apparently made with non-taxed income. 
    US prosecutors also say that between 2008 and 2010, Brockman used a third-party entity to purchase $67.8 million in debt securities from the software company. As CEO, the executive is not permitted to do so without full disclosure as it can have an impact on share prices and trading; however, Brockman allegedly did so without informing sellers. 
    As a result, approximately $2 billion in income was kept hidden from the US Internal Revenue Service (IRS). In addition, US prosecutors allege that investors in the software firm’s debt securities were also defrauded. 
    A federal grand jury in San Francisco, California has issued a 39-count indictment, including seven counts of tax evasion, 20 counts of wire fraud, money laundering, evidence tampering, and destruction of evidence. 
    Prosecutors suggest the indictment of the software mogul should stand as a warning to others currently using offshore accounts and other means to conduct tax evasion. 
    “As alleged, Mr. Brockman is responsible for carrying out an approximately two billion dollar tax evasion scheme,” commented Jim Lee, Chief of IRS Criminal Investigation. “IRS Criminal Investigation aggressively pursues tax cheats domestically and abroad. No scheme is too complex or sophisticated for our investigators. Those hiding income or assets offshore are encouraged to come forward and voluntarily disclose their holdings.”
    Robert Smith, founder of Vista Equity Partners, who was ensnared in the same scheme, has agreed to pay $139 million to settle the matter and is cooperating in the investigation against Brockman.


  • Adobe patches Magento bugs that lead to code execution, customer list tampering

    Adobe has released a set of out-of-band security fixes to resolve serious issues in the Magento platform. 

    Published on October 15, the security advisory is outside of the firm’s typical monthly patch cycle and resolves nine vulnerabilities, eight of which are considered either critical or important, as well as one moderate-severity flaw. 
    The vulnerabilities impact Magento Commerce and Magento Open Source, versions 2.3.5-p1, 2.4.0, and earlier.
    The two critical vulnerabilities are CVE-2020-24407, a file upload allow-list bypass that can lead to arbitrary code execution, and CVE-2020-24400, an SQL injection that can give arbitrary read/write access to the database. Neither is exploitable before authentication: both require the attacker to already hold administrative privileges.
    In addition, the software giant has tackled a vulnerability that allows attackers to manipulate and modify customer lists, CVE-2020-24402. 
    A stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), a security flaw that allows Magento CMS pages to be modified without permission (CVE-2020-24404), and two restricted resource access bugs — CVE-2020-24405 and CVE-2020-24403 — have also been resolved. 
    The least dangerous bug, CVE-2020-24406, is the unintended disclosure of a document root path that could lead to sensitive information disclosure. 
    In Adobe’s standard monthly security update, the company patched a single, critical vulnerability in Flash for Windows, macOS, Linux, and Chrome OS. The vulnerability, CVE-2020-9746, is a null pointer dereference flaw that could be exploited to cause software crashes or arbitrary code execution. 
    Microsoft, too, releases security fixes for its software every month. In October, 87 security issues were resolved, including 21 remote code execution vulnerabilities in products such as Excel, Outlook, and the Windows TCP/IP stack.
