More stories


    Have issues with Facebook collecting your data? Privacy-first alternative MeWe surges to 9M users

    Millions of people have been ditching Facebook and switching to Mountain View, CA-based social media network MeWe, touted to be the ad-free future of social networking.
    Advised by Sir Tim Berners-Lee (the inventor of the World Wide Web), MeWe has surged to 9 million users worldwide since its inception in 2013, and has zero paid marketing ads. 
    MeWe CEO Mark Weinstein said in his recent TEDx talk that although we check our phones 150 times per day, our phones are more dependent on us than we are on them. He says that we are participating in the “greatest socio-economic event in human history”: ‘surveillance capitalism’.
    The business model of Facebook and the other current social media giants is to track, analyse, and monetise our data.
    Our personal information is shared and sold across data companies used to target and manipulate us through marketing from social media companies, advertisers and politicians. Weinstein says that true privacy is becoming a “relic of the past”.
    The more time we spend using social media, the more revenue that these social media companies can earn from ad revenue.
    Facebook has been developing a brain to computer interface – to enable hands free communication without us needing to say a word. Imagine how much data Facebook could collect  from users then.
    China has a Social Credit System that tracks its individuals for ‘undesirable behaviours’ such as frivolous spending, incorrect waste sorting, not visiting elderly relatives often enough, cheating in exams, traffic violations, or making a reservation at a restaurant and not showing up.
    The system manages the reward, or punishment of citizens based on their economic or personal behaviour. 
    Violators could be placed on a list, preventing them from getting better jobs, or preventing their children from attending good schools. We share all of this information on Facebook and other social media tools. It would be easy to extract this information and sell it to the highest bidder.
    MeWe says that it is leading the privacy revolution in social media. The social network has a Privacy Bill of Rights giving its users total control of their data and privacy.
    There are no ads, no targeting, no facial recognition, no data mining, and no newsfeed manipulation.
    Eileen Brown
    MeWe is available on iOS, Android and desktop in 19 languages.
    It has features such as: newsfeeds for contacts and close friends, pages, private 1:1 and group chats, private and open groups, disappearing content, stories, a custom camera with GIF creation, live voice and video, voice messaging, personal cloud storage, custom group profiles, dual-camera and MeWe Journals.
    MeWe was named a 2020 Most Innovative Social Media Company by Fast Company, a 2019 Best Entrepreneurial Company in America by Entrepreneur Magazine, and Start-Up of the Year Finalist at SXSW. 
    So how does MeWe make money? The company has a “freemium” revenue model that gives users the basic social media experience for free, and offers optional enhancements they can purchase.
    These enhancements include extra storage ($3.99 per month), live voice and video calling ($1.99 per month), and MeWe journals ($1.99 per month).
    These subscriptions mean that MeWe can show each post to each fan, friend or follower, and not create algorithms to throttle posts. MeWe also has a MeWe Pro version which is intended to compete directly with Slack.
    MeWe premium costs $4.99 per month, and users who want to create a page for their business pay $1.99 per month.
    So will MeWe make any headway? I joined MeWe (Sgrouples) in 2013 and have been lurking there since. It has a nice look and feel, the groups are interesting, and the group chats are really engaging.
    As it gains momentum, content quality is improving all the time. With 9 million members, it’s a much better site than Facebook was four years after its launch.
    Our shift towards preserving our privacy may mean that MeWe’s user numbers continue to grow.


    Microsoft rolls out new Edge extensions API but promises to leave ad blockers alone

    Microsoft today rolled out updates to the Edge browser’s extensions system.

    Known as “Manifest V3”, the changes were announced by Google in October 2018 for the Chromium open-source browser engine, specifically for its WebExtensions API.
    The changes update how browser extensions interact with Chromium-based browsers, such as Chrome, Brave, Opera, Vivaldi, and, as of this year, Microsoft Edge.
    At the time the changes were announced in 2018, Google said the main intent was to improve extension security, make extensions more performant, and give users greater control over what extensions do and with which sites they interact.
    However, extension developers were also quick to point out that the “Manifest V3” updates also contained changes that crippled the ability of ad blockers, antivirus, parental control enforcement, and various privacy-enhancing extensions to properly do their job.
    The announcement caused a huge backlash from users, extension developers, and even other browser makers. Users, in particular, viewed the move as a dirty hit from Google, an advertising company, to sabotage the ad-blocking ecosystem.
    Browsers like Opera, Brave, and Vivaldi were quick to distance themselves from the debacle and announced plans to ignore the Manifest V3 updates and allow users to keep using ad blockers.
    Mozilla, which implemented the WebExtensions API inside Firefox for compatibility reasons, also denounced Chrome’s plans and said it would not follow Google’s WebExtensions API update to the letter, and that it would make some changes of its own to allow ad blockers to continue to work as intended.
    In the face of all this criticism, Google backtracked on some of the Manifest V3 updates in March 2019 and backtracked on even more changes in June, following criticism that it was disingenuous in its plans.
    Since then, the Manifest V3 changes have started rolling out in Chrome, where they are currently being tested, and some of the grumbling has died down, although some ad blocker developers appear to have given up on their products’ ability to reliably block ads once these changes reach stable versions of Chrome.
    These changes have now also reached Microsoft’s new Chromium-based Edge, where they are already live in beta and stable releases.
    However, Microsoft said today that these changes wouldn’t cripple ad blockers, a fear that many users had.
    “We recognize the value of content blocking extensions and appreciate the role they play in honoring user’s choice by blocking advertisements and enhancing privacy by blocking cookies and we want developers to continue to offer these capabilities,” the Microsoft Edge Team said today.
    “After an extensive review of the concerns raised by content blockers and the community, we believe that a majority of those concerns have been resolved or will be resolved before Web Request API is deprecated.”
    The Web Request API referred to here is the webRequest API that ad blockers use to inspect and cancel network requests before they leave the browser. Manifest V3 removes its blocking mode in favour of the declarativeNetRequest API, in which the extension supplies a static rule list that the browser evaluates itself.
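    To make that API change concrete, the following is an added illustration, not code from Microsoft, Google or any real extension: it places a Manifest V2-style blocking webRequest listener next to the Manifest V3 declarativeNetRequest rules that replace it. The rule matcher is a deliberately simplified stand-in for the browser’s own engine (it models only the “||host^” domain-anchor and plain-substring forms of urlFilter), and the rule set, hostnames, rule ids and the per-tab request counter are constructed for the example.

```javascript
// Manifest V2 vs Manifest V3 request blocking, modelled side by side.
// Added example; not Chromium, Edge or any real extension's code.

// --- Manifest V2 -----------------------------------------------------------
// Constructed per-tab state: something a listener can consult at request time.
const requestsPerTab = new Map();

// In MV2 this function would be registered as
//   chrome.webRequest.onBeforeRequest.addListener(mv2OnBeforeRequest, {urls: ["<all_urls>"]}, ["blocking"]);
// and its return value decides the request's fate.
function mv2OnBeforeRequest(details) {
  const host = new URL(details.url).hostname;
  const seen = (requestsPerTab.get(details.tabId) || 0) + 1;
  requestsPerTab.set(details.tabId, seen);
  if (host === "ads.example" || host.endsWith(".ads.example")) return { cancel: true };
  // Arbitrary runtime logic: block scripts once a tab has fired more than 50 requests.
  // Nothing like this can be expressed as a static MV3 rule.
  if (details.type === "script" && seen > 50) return { cancel: true };
  return {};
}

// --- Manifest V3 -----------------------------------------------------------
// Constructed rule set in declarativeNetRequest's JSON shape (ids and hostnames assumed).
const MV3_RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example^", resourceTypes: ["script", "image", "xmlhttprequest"] } },
  { id: 2, priority: 1, action: { type: "block" },
    condition: { urlFilter: "/track.js", resourceTypes: ["script"] } },
];

// Simplified stand-in for the browser's urlFilter matcher: only "||host^" (domain anchor,
// matching the host and its subdomains) and plain substring filters are modelled.
function matchUrlFilter(filter, url) {
  if (filter.startsWith("||")) {
    let domain = filter.slice(2);
    if (domain.endsWith("^")) domain = domain.slice(0, -1);
    const host = new URL(url).hostname;
    return host === domain || host.endsWith("." + domain);
  }
  return url.includes(filter);
}

// The browser, not the extension, evaluates the rules; the extension never sees the request.
function mv3Decide(details) {
  const hits = MV3_RULES.filter(rule =>
    (!rule.condition.resourceTypes || rule.condition.resourceTypes.includes(details.type)) &&
    matchUrlFilter(rule.condition.urlFilter, details.url));
  if (hits.length === 0) return "allow";
  hits.sort((a, b) => b.priority - a.priority); // highest priority wins
  return hits[0].action.type;
}
```

    The difference the content-blocker developers objected to is visible in the two functions: the MV2 listener can block on anything it computes at request time (here a per-tab counter), whereas the MV3 rules are fixed data the extension hands to the browser up front, so any filtering logic that cannot be written as a urlFilter condition is lost.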


    Iranian hackers restart attacks on universities as the new school year begins

    A group of Iranian hackers with a history of attacking academic institutions have come back to life to launch a new series of phishing campaigns, security firm Malwarebytes said today.

    The new attacks were timed to coincide with the start of the new academic year, when both students and university staff were expected to be active on university portals.
    The attacks consisted of phishing emails containing links to a website posing as the university’s login portal or an associated app, such as the university library.
    The phishing pages were hosted on lookalike domains and, in reality, collected the victim’s login credentials.
    Attacks linked to Silent Librarian group
    Malwarebytes says the attacks were all orchestrated by the same group, known in cyber-security circles under its codename of Silent Librarian.
    The members of this group were indicted in the US in March 2018 for a long string of attacks against universities from all over the globe, dating back as far as 2013.
    According to the US indictments, the hackers gained access to university portals from where they stole intellectual property or limited-release academic work, which they later re-sold on their own web portals (Megapaper.ir and Gigapaper.ir).
    However, despite the US indictment, the hackers remained at large in Iran and mounted subsequent attacks.
    These attacks usually took place each fall, right before the new school year. Their 2018 campaign was documented in a Secureworks report, while Proofpoint spotted last year’s campaign.
    Group is now hosting attack servers in Iran
    But compared to the past attacks, the 2020 campaign is different.
    Malwarebytes said this time around, Silent Librarian hosted some of its phishing sites on Iranian servers.
    “It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them. However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran,” the US security firm said.
    Below is a list of universities the group targeted, along with the phishing sites they used, in case students and university staff may want to review any past emails.
    Phishing site                       | Legitimate site            | Target
    library.adelaide.crev.me            | library.adelaide.edu.au    | The University of Adelaide Library
    signon.adelaide.edu.au.itlib.me     | library.adelaide.edu.au    | The University of Adelaide Library
    blackboard.gcal.crev.me             | blackboard.gcal.ac.uk      | Glasgow Caledonian University
    blackboard.stonybrook.ernn.me       | blackboard.stonybrook.edu  | Stony Brook University
    blackboard.stonybrook.nrni.me       | blackboard.stonybrook.edu  | Stony Brook University
    namidp.services.uu.nl.itlib.me      | namidp.services.uu.nl      | Universiteit Utrecht
    uu.blackboard.rres.me               | uu.blackboard.com          | Universiteit Utrecht
    librarysso.vu.cvrr.me               | librarysso.vu.edu.au       | Victoria University
    ole.bris.crir.me                    | ole.bris.ac.uk             | University of Bristol
    idpz.utorauth.utoronto.ca.itlf.cf   | idpz.utorauth.utoronto.ca  | University of Toronto
    raven.cam.ac.uk.iftl.tk             | raven.cam.ac.uk            | University of Cambridge
    login.ki.se.iftl.tk                 | login.ki.se                | Karolinska Institutet
    shib.york.ac.uk.iftl.tk             | shib.york.ac.uk            | University of York
    sso.id.kent.ac.uk.iftl.tk           | sso.id.kent.ac.uk          | University of Kent
    idp3.it.gu.se.itlf.cf               | idp3.it.gu.se              | Göteborgs universitet
    login.proxy1.lib.uwo.ca.sftt.cf     | login.proxy1.lib.uwo.ca    | Western University (Canada)
    login.libproxy.kcl.ac.uk.itlt.tk    | kcl.ac.uk                  | King’s College London
    idcheck2.qmul.ac.uk.sftt.cf         | qmul.ac.uk                 | Queen Mary University of London
    lms.latrobe.aroe.me                 | lms.latrobe.edu.au         | La Trobe University (Melbourne, Victoria, Australia)
    ntulearn.ntu.ninu.me                | ntulearn.ntu.edu.sg        | Nanyang Technological University
    adfs.lincoln.ac.uk.itlib.me         | adfs.lincoln.ac.uk         | University of Lincoln
    cas.thm.de.itlib.me                 | cas.thm.de                 | TH Mittelhessen University of Applied Sciences
    libproxy.library.unt.edu.itlib.me   | library.unt.edu            | University of North Texas
    shibboleth.mcgill.ca.iftl.tk        | shibboleth.mcgill.ca       | McGill University
    vle.cam.ac.uk.canm.me               | vle.cam.ac.uk              | University of Cambridge
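    The hostnames in the table follow two patterns that are worth checking for in mail gateway or proxy logs: the full legitimate hostname prepended to an attacker-controlled domain (raven.cam.ac.uk.iftl.tk), or the leading labels copied and only the registrable tail swapped out (library.adelaide.crev.me). The following is an added example, not part of Malwarebytes’ report: a small Node.js triage function that classifies a hostname against a list of legitimate portals using those two patterns. The public-suffix table is a constructed subset covering only the suffixes that occur in the table above (a real check should load the full Public Suffix List), and the legitimate-host list is a subset of the table’s second column.

```javascript
// Lookalike-hostname triage for credential-phishing domains.
// Added example; not Malwarebytes' tooling.

// Constructed subset of the Public Suffix List: only suffixes present in the table above.
const PUBLIC_SUFFIXES = new Set(["ac.uk", "edu.au", "edu.sg", "uk", "au", "sg", "edu", "com",
  "de", "se", "nl", "ca", "me", "cf", "tk", "org"]);

// Legitimate portal hostnames, copied from the table above (a subset is enough for the demo).
const LEGIT_HOSTS = [
  "library.adelaide.edu.au", "blackboard.gcal.ac.uk", "blackboard.stonybrook.edu",
  "uu.blackboard.com", "raven.cam.ac.uk", "kcl.ac.uk", "lms.latrobe.edu.au",
  "ntulearn.ntu.edu.sg", "shibboleth.mcgill.ca",
];

function labelsOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = labelsOf(host);
  for (const n of [2, 1]) {
    if (labels.length > n && PUBLIC_SUFFIXES.has(labels.slice(-n).join("."))) {
      return labels.slice(-(n + 1)).join(".");
    }
  }
  return labels.slice(-2).join(".");
}

function classifyHost(host, legitHosts = LEGIT_HOSTS) {
  host = labelsOf(host).join(".");
  const legitDomains = new Set(legitHosts.map(registrableDomain));
  // Anything under a legitimate registrable domain is the institution's own.
  if (legitDomains.has(registrableDomain(host))) return { verdict: "legitimate" };

  // Pattern 1: the whole legitimate hostname embedded as a run of labels inside an attacker
  // domain, e.g. raven.cam.ac.uk.iftl.tk or login.libproxy.kcl.ac.uk.itlt.tk.
  for (const legit of legitHosts) {
    if (("." + host).includes("." + legit.toLowerCase() + ".")) {
      return { verdict: "lookalike", reason: "embeds legitimate hostname", mimics: legit };
    }
  }

  // Pattern 2: leading labels copied, registrable tail replaced, e.g. library.adelaide.crev.me.
  // Two shared leading labels is the threshold; one ("blackboard") is too common to be a signal.
  const hostLabels = labelsOf(host);
  let best = null;
  for (const legit of legitHosts) {
    const legitLabels = labelsOf(legit);
    let shared = 0;
    while (shared < hostLabels.length && shared < legitLabels.length &&
           hostLabels[shared] === legitLabels[shared]) shared++;
    if (shared >= 2 && (!best || shared > best.shared)) best = { shared, legit };
  }
  if (best) {
    return { verdict: "lookalike", reason: `shares ${best.shared} leading labels`, mimics: best.legit };
  }
  return { verdict: "unrelated" };
}

// Run the check over a list of hostnames (e.g. extracted from URLs in mail logs).
function triage(hosts, legitHosts = LEGIT_HOSTS) {
  return hosts.map(h => ({ host: h, ...classifyHost(h, legitHosts) }));
}
```

    Running triage over the first column of the table flags every row as a lookalike of the matching entry in the second column, while hosts such as sso.cam.ac.uk (same registrable domain as raven.cam.ac.uk) come back as legitimate. The registrable-domain step matters: without it, a naive “contains the university’s name” check would flag the institution’s own subdomains.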


    Accurics raises funding for self-healing cloud infrastructure

    Northern California-based startup Accurics has raised $20m in seed and Series A funding, mostly from Intel Capital, for improving the security of cloud-native applications with a self-healing approach. 
    Accurics scans the infrastructure-as-code that developers use to build cloud-native applications for security risks before it is provisioned, and aims to remediate threats that appear after deployment.

    “There is a big shift to cloud-native applications which risks outpacing the security measures needed. We can programmatically mitigate security risks in the Cloud through Infrastructure as Code — before provisioning, allowing developers to concentrate on app functionality,” said co-founder and CEO Sachin Aggarwal.
    He said that raising money during the COVID-19 lockdown and pandemic wasn’t a problem but that everything had to be done via video with no face-to-face meetings. 
    “Our investors appreciate that COVID-19 has sped up the move to cloud native applications as companies beef up their e-commerce operations and supporting apps,” said Aggarwal.
    The rush to the cloud is outpacing the cyber-security needed for safe deployment — this is the gap that Accurics is targeting. 
    Accurics’ team of about 25 people has been working from home-based offices and has been able to create the foundation of Accurics’ self-healing cloud technology in just six months.
    A webinar “The Future of Cloud Native Security is Self-Healing” is planned for November 5 at 10am PST: https://bit.ly/3npypYV.



    Zoom to roll out end-to-end encrypted (E2EE) calls

    Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week.
    E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants.
    These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won’t be able to access or intercept any ongoing E2EE meetings.
    Support for E2EE calls will first ship in the Zoom clients to be released next week. To use the new feature, users must update their clients and enable support for E2EE calls at the account level.
    However, the feature won’t work if it’s not also enabled by the conference host, who also has options to limit a meeting to participants with E2EE enabled at their account level.
    Once enabled, a green shield will be shown in the top-left corner of all Zoom conferences. The shield contains a lock if E2EE is active. If the lock is absent, Zoom is using its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but for which Zoom’s servers hold the keys and can therefore decrypt the traffic.

    Zoom said next week’s E2EE rollout is part of a four-stage rollout process that will complete in 2021.
    “In Phase 1, all meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms,” Zoom said today.
    The company said E2EE calls would support up to 200 participants, and the feature will be made available to all users, for both paid and free accounts.
    Zoom promised support for end-to-end encrypted calls back in May, when the company faced a rash of criticism over its weak security posture.


    German authorities raid FinFisher offices

    German authorities have raided the offices of FinFisher, a German software company that makes surveillance tools, accused in the past of providing software to oppressive regimes.
    The raids took place earlier this month, on October 6 and October 8, and were ordered by the Munich Public Prosecutor’s Office.
    Raids took place at locations across Germany and Romania. This included 15 properties (business premises and private apartments) around Munich and a company connected to FinFisher located in Romania, according to a spokesperson from the Munich Public Prosecutor’s Office.
    The raids are part of an investigation that began after a criminal complaint [PDF] was filed with Munich prosecutors in the summer of 2019 by the German blog Netzpolitik.org, together with advocacy groups including the Society for Civil Rights (Gesellschaft für Freiheitsrechte), Reporters Without Borders, and the European Center for Constitutional and Human Rights.
    The signatories argued that FinFisher’s malware had been installed on the devices of activists, political dissidents, and ordinary citizens in countries with oppressive regimes, countries to which FinFisher would have been prohibited from selling its software.
    FinFisher denied the accusations and successfully sued Netzpolitik.org, forcing it to take down its original article; the criminal complaint, however, still had to run its course.
    The raids are part of this legal process, in which German authorities are gathering evidence relating to the claims made in the complaint, the Munich Public Prosecutor’s Office told ZDNet.
    FinFisher did not return an email seeking comment before this article’s publication.
    The company’s products are usually detected as malware by most antivirus products, including major products like Windows Defender.
    FinFisher surveillance tools are available for Windows, iOS, and Android. In the past, cyber-security firms have spotted FinFisher infections in more than 20 countries.
    FinFisher markets its tools as meant for law enforcement investigations and intelligence agencies. Known customers include the German federal police and Berlin police. However, the company’s tools have also been found on the devices of government critics and journalists in countries like Ethiopia, Bahrain, Egypt, and Turkey — countries where surveillance tools exports are prohibited.
    German broadcaster ARD’s news programme Tagesschau, which first reported the raids today, claims FinFisher had been using satellite companies in other countries to evade Germany’s stricter export restrictions on surveillance software.


    'Network access' sold on hacker forums estimated at $500,000 in September 2020

    The number of ads on hacking forums selling access to compromised IT networks has tripled in September 2020, compared to the previous month.

    In a report published today and shared with ZDNet, cyber-security firm KELA said it indexed 108 “network access” listings posted on popular hacking forums last month, collectively valued at a total asking price of around $505,000.
    Of these, KELA said around a quarter of the listings were sold to other threat actors looking to attack the compromised companies.
    The “initial access” market
    These types of ads have been posted on hacking forums for years, but for the most part they’ve been a niche within the “initial access” market, with most cybercrime groups opting to buy access to compromised networks via criminal marketplaces selling RDP access (called “RDP shops”) or from malware botnet operators (known as Malware-as-a-Service, or “bot installs”).
    However, beginning with the summer of 2019, a large number of vulnerabilities in major networking products have been disclosed. This included vulnerabilities in Pulse Secure and Fortinet VPN servers, Citrix network gateways, Zoho computer fleet management systems, and many others.
    Threat actors were quick to exploit these vulnerabilities, compromising devices en masse. Many of these systems then had to be monetized in one way or another.
    While some “initial access brokers” partnered with ransomware gangs, many didn’t have the deep connections and the needed reputation in a closed cybercrime economy to establish these partnerships from the get-go. Instead, these brokers began selling their compromised networks on popular hacking forums like XSS, Exploit, RAID, and others.
    But networking devices were only a part of the listings on these forums.
    Many brokers also sold access to compromised RDP or VNC endpoints. Most of these systems are compromised via brute-force attacks launched with IoT botnets, while others are bought from classic RDP shops, have their access expanded from user to admin levels, and then resold on forums at higher prices.
    Some networks sold for tens of thousands of US dollars
    Over the past year, these ads have steadily increased in both frequency and the asking price for access to hacked networks.
    Based on its monitoring, KELA said that the average price for a compromised network sold on hacker forums is around $4,960, with the price range going from as low as $25 to as much as $102,000.
    KELA product manager Raveed Laeb said the price for a “network access” ad usually varies depending on factors such as the company value and the level of privilege.
    Obviously, networks with a compromised admin account are valued more highly than networks where the compromised account only has regular user privileges. However, this doesn’t stop lower-privilege listings from selling, as some buyers are only looking for an initial foothold and have their own means of escalating access.
    In some cases, it’s the initial access brokers doing the privilege escalation, with the perfect example being a seller who doubled their listing’s price by gaining access to an admin account after posting an initial version of their ad.

    Another interesting observation is that initial access brokers tend to use the “value” of a company rather than the size of its network when deciding on the price, citing statistics like annual revenue rather than the number of endpoints.
    This illustrates that initial access brokers are often tailoring their ads for ransomware gangs, where a victim’s annual revenue and profits are used to negotiate the ransom demand, rather than the size of the network, which is usually less significant as a well-placed ransomware attack can often cripple a company even without locking thousands of its computers.
    KELA, which analyzed some of the highest-priced ads posted in September, said it found brokers peddling access to a major maritime and shipbuilding company (sold for $102,000), a Russian bank ($20,000), a Turkish aviation firm ($16,000), and a Canadian franchise company ($10,600), with access for this victim’s network being sold in just a few hours.
    A larger “initial access” market is hidden in the shadows
    However, KELA says that hacking forums like the ones it’s tracking only provide a summary view of the entire “initial access” market, which is much larger.
    Initial access brokers also operate in closed circles, such as private RDP shops, via encrypted communications with selected clients, or via Malware-as-a-Service platforms, such as malware botnets.
    Tracking sales and victims via these mediums is impossible, but the glimpse security firms are getting by observing sales on public hacking forums shows just how lucrative this market can be, and how easily a hacked RDP endpoint or networking device can find its way from the hands of a low-level attacker running a publicly shared exploit to professional malware gangs operating ransomware or POS malware.


    This major criminal hacking group just switched to ransomware attacks

    A widespread hacking operation that has been targeting organisations around the world with phishing and malware campaigns since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become as a money-making tool for cyber criminals.
    Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a ‘well-established financial crime group’ which has conducted some of the longest running hacking campaigns.
    The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.
    For example, in just one week, Mandiant observed concurrent campaigns targeting pharmaceuticals, shipping and logistics industries in both North America and Europe.
    But despite attacks targeting a wide variety of organisations around the world, many of the initial phishing campaigns are still customised on a target-by-target basis to maximise the chance that a victim downloads a malicious Microsoft Office attachment, which instructs the recipient to enable macros.
    This starts an infection chain which creates multiple backdoors into compromised systems, as well as the ability to grab admin credentials and move laterally across networks.
    FIN11 campaigns initially revolved around embedding themselves into networks in order to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.
    With finances being the focus of the group, it’s likely FIN11 sold this information to other cyber criminals on the dark web, or simply exploited the details for their own gain.
    But now FIN11 is using its extensive network as means of delivering ransomware to compromised networks, with the attackers favouring Clop ransomware and demanding bitcoin to restore the network.
    Put simply, this shift in tactics is all about making as much money as possible – and ransomware has become a quick and easy way for cyber criminals to make money from a wider variety of targets.
    “FIN11 has likely shifted their primary monetization method to ransomware deployment because it is more profitable than traditional methods such as deploying POS malware,” Genevieve Stark, analyst at Mandiant Threat Intelligence told ZDNet.
    “Ransomware also increases the potential victim pool since it can be deployed at nearly any organization while POS malware is only effective against certain targets,” she added.
    In an effort to blackmail victims into paying the ransom, some ransomware gangs have taken to using their access to networks to steal sensitive or personal data and threaten to leak it if they don’t receive payment for the decryption key – and FIN11 have adopted this tactic, publishing data from victims who don’t pay.
    “FIN11’s adoption of data-theft and extortion to increase leverage on victims is further evidence that their motivations are exclusively financial,” said Stark.
    Based on analysis of Russian language in FIN11’s files, researchers say that this purely financially motivated operation is likely operating out of one of the Commonwealth of Independent States – and it’s highly likely the ransomware attacks will continue.
    “We anticipate that FIN11 will continue to conduct widespread phishing campaigns with consistently evolving delivery tactics for the foreseeable future,” said Stark.
    “FIN11 will probably continue conducting ransomware and data theft extortion for the immediate future, given many organizations acquiesce to extortion demands,” she added.
    The attacks have been prolific and successful, but organisations can avoid falling victim to campaigns by FIN11 and other financially motivated groups by following common security advice and applying patches to prevent attackers using known exploits to gain a foothold in networks.
    And with FIN11 and other hackers relying on Microsoft Office macros to conceal malicious payloads, it’s recommended that macros are disabled to stop them being used as a starting point for attacks.