More stories

  • Microsoft and others orchestrate takedown of TrickBot botnet

    A coalition of tech companies has announced today a coordinated effort to take down the backend infrastructure of the TrickBot malware botnet.
    Companies and organizations which participated in the takedown included Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec.
    Preceding the takedown were investigations from all participants into TrickBot’s backend infrastructure of servers and malware modules.
    Microsoft, ESET, Symantec, and partners spent months collecting more than 125,000 TrickBot malware samples, analyzing their content, and extracting and mapping information about the malware’s inner workings, including all the servers the botnet used to control infected computers and serve additional modules.
    With this information in hand, Microsoft went to court this month and asked a judge to grant it control over TrickBot servers. Read a copy of the legal documents here.
    “With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers,” Microsoft said in a press release today.
    Efforts are now being taken together with internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world to notify all infected users.
    TrickBot had infected more than one million computers
    According to the coalition’s members, the TrickBot botnet had infected more than one million computers at the time of its takedown. Some of these infected systems also included Internet of Things (IoT) devices.
    The TrickBot botnet was one of today’s biggest botnets.
    The malware first started out in 2016 as a banking trojan before shifting into a multi-purpose malware downloader that infected systems and provided access to other criminal groups using a business model known as MaaS (Malware-as-a-Service).
    Together with Emotet, the TrickBot botnet has been one of today’s most active MaaS platforms, often renting access to infected computers to ransomware gangs such as Ryuk and Conti.
    However, the TrickBot gang also deployed banking trojans and infostealer trojans, and also provided access to corporate networks for BEC scammers, industrial espionage gangs, and even nation-state actors.
    This is the second major malware botnet that has been taken down this year after Necurs in March.
    The success of this takedown is, however, yet to be seen. Many other botnets have survived similar takedowns in the past. The best example of this is the Kelihos botnet, which survived three takedown attempts, rebuilding from scratch and continuing to operate.

  • Twitter slaps warning on President Trump tweet claiming coronavirus immunity

    US President Trump has become subject to another fact-check warning on social media after claiming immunity to COVID-19.

    In a tweet posted on Sunday, the US president claimed that physicians at the White House have given him a clean bill of health, and as a result, he is now “immune” to further infection by the novel coronavirus. 
    Trump also claimed he is no longer contagious. 
    “A total and complete sign off from White House Doctors yesterday,” the tweet reads. “That means I can’t get it (immune), and can’t give it. Very nice to know!!!”
    After the message was published, Twitter slapped a warning label on the tweet. The microblogging platform says the tweet “violated the Twitter Rules about spreading misleading and potentially harmful information related to COVID-19.”

    There are currently no concrete indicators that immunity from COVID-19 is assured following infection, and if resistance is built up due to the production of antibodies, it is not possible to know if an immune response is strong enough to fight off another case of the respiratory illness. 
    In a statement on Saturday, White House physician Sean Conley said that Trump was no longer considered a “transmission risk to others,” but did not disclose if the president is now testing negative.
    While Twitter may wipe out such messages and remove profiles entirely if they are spreading fake content surrounding the pandemic, as Trump is a significant political figure, the organization has chosen to keep the tweet accessible in the public interest. 
    This is not the first time the US president has fallen afoul of Twitter’s rules. In May, a tweet posted by the US president was hidden with a warning due to the “glorification of violence.” Trump had commented on the riots and protests in the aftermath of George Floyd’s death, saying: “when the looting starts, the shooting starts.”
    Trump has previously blasted Twitter for “interfering” with the US 2020 election due to the platform’s fact-checking policies. 
    Facebook pulled a video from Trump’s Facebook page in August in which the president claimed children were “virtually immune” to COVID-19.
    The 74-year-old US official made his latest COVID-19 claims as he gears up to resume his campaign trail. With roughly three weeks to go before the US election and the final showdown with Democrat rival Joe Biden on November 3, Trump will first appear in Sanford, Florida, before attending planned rallies in Iowa and North Carolina this week. 

  • Hacker groups chain VPN and Windows bugs to attack US government networks

    Hackers have gained access to government networks by combining VPN and Windows bugs, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint security alert published on Friday.

    Attacks have targeted federal and state, local, tribal, and territorial (SLTT) government networks. Attacks against non-government networks have also been detected, the two agencies said.
    “CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised,” the security alert reads.
    “Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” officials also added.
    Attacks chained Fortinet VPN and Windows Zerologon bugs
    According to the joint alert, the observed attacks combined two security flaws known as CVE-2018-13379 and CVE-2020-1472.
    CVE-2018-13379 is a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premise VPN server designed to be used as a secure gateway to access enterprise networks from remote locations.
    CVE-2018-13379, disclosed last year, allows attackers to upload malicious files to unpatched systems and take over Fortinet VPN servers.
    CVE-2020-1472, also known as Zerologon, is a vulnerability in Netlogon, the protocol used by Windows workstations to authenticate against a Windows Server running as a domain controller.
    The vulnerability allows attackers to take over domain controllers, the servers used to manage entire internal/enterprise networks, which usually hold the credentials for all connected workstations.
    CISA and the FBI say attackers are combining these two vulnerabilities to hijack Fortinet servers and then pivot and take over internal networks using Zerologon.
    “Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” the two agencies also added.
    The joint alert didn’t provide details about the attackers except to describe them as “advanced persistent threat (APT) actors.”
    The term is often used by cyber-security experts to describe state-sponsored hacking groups. Last week, Microsoft said it had observed the Iranian APT Mercury (MuddyWater), a threat actor known for targeting US government agencies in the past, exploiting the Zerologon bug in recent attacks.
    Danger of hackers chaining different VPN bugs
    Both CISA and the FBI recommended that entities in both the private and public US sector update systems to patch the two bugs, for which patches have been available for months.
    In addition, CISA and the FBI also warned that hackers could swap the Fortinet bug for any other vulnerability in VPN and gateway products that have been disclosed over the past few months and which provide similar access.
    This includes vulnerabilities in:
      • Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
      • Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
      • Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
      • MobileIron mobile device management servers (CVE-2020-15505)
      • F5 BIG-IP network balancers (CVE-2020-5902)
    All the vulnerabilities listed above provide “initial access” to servers often used on the edge of enterprise and government networks. These vulnerabilities can also be easily chained with the Zerologon Windows bug for attacks similar to the Fortinet+Zerologon intrusions observed by CISA.

  • Dutton pushes against encryption yet again but oversight at home is slow

    “We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cybersecurity,” wrote a bunch of nations on the weekend — the Five Eyes, India, and Japan.

    As a statement of intent, it’s right up there with “Your privacy is very important to us”, “Of course I love you”, and “I’m not a racist but…”.
    At one level, there’s not a lot new in this latest International statement: End-to-end encryption and public safety.
    We like encryption, it says, but you can’t have it because bad people can use it too.
    “Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems,” the statement said.
    “Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children.”
    The obviously important law enforcement task of tackling child sexual abuse framed the rest of the statement’s two substantive pages too.
    End-to-end encryption should not come at the expense of children’s safety, it said. There was only a passing mention of “terrorists and other criminals”.
    This statement, like all those that have come before it, tries, but of course, fails to square the circle: A system either is end-to-end encryption, or it isn’t.
    According to renowned Australian cryptographer Dr Vanessa Teague, the main characteristic of this approach is “deceitfulness”.
    She focuses on another phrase in the statement, where it complains about “end-to-end encryption [which] is implemented in a way that precludes all access to content”.
    “That’s what end-to-end encryption is, gentlemen,” Teague tweeted.
    “So either say you’re trying to break it, or say you support it, but not both at once.”
    What’s interesting about this latest statement, though, is the way it shifts the blame further onto the tech companies for implementing encryption systems that create “severe risks to public safety”.
    Those risks are “severely undermining a company’s own ability to identify and respond to violations of their terms of service”, and “precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security, where there is lawful authority to do so”.
    Note the way each party’s actions are described.
    Law enforcement’s actions are reasonable, necessary, and proportionate. Their authorisation is “lawfully issued” in “limited circumstances”, and “subject to strong safeguards and oversight”. They’re “safeguarding the vulnerable”.
    Tech companies are challenged to negotiate these issues “in a way that is substantive and genuinely influences design decisions”, implying that right now they’re not.
    “We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity,” the statement said.
    The many solid arguments that have been put forward explaining why introducing a back door for some actors introduces it for all? No, those are mere assertions.
    “We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”
    This too is an assertion, of course, but the word “belief” sounds so much better, doesn’t it?
    The “war on mathematics” is a distraction
    As your correspondent has previously noted, however, the fact that encryption is either end-to-end or not may be a distraction. There are ways to access communications without breaking encryption.
    One obvious way is to access the endpoint devices instead. Messages can be intercepted before they’re encrypted and sent, or after they’ve been received and decrypted.
    In Australia, for example, the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) can require communication producers to install software that a law enforcement or intelligence agency has given them.
    Providers can also be made to substitute a service they provide with a different service. That could well include redirecting target devices to a different update server, so they receive the spyware as a legitimate vendor update.
    Doubtless there are other possibilities, all of which avoid the war on mathematics framing that some of the legislation’s opponents have been relying on.
    Australia is hasty to legislate but slow to review
    While Australia’s Minister for Home Affairs Peter Dutton busies himself with signing onto yet another anti-encryption manifesto, progress on the oversight of his existing laws has been slow.
    The review of the mandatory data retention regime, due to be completed by April 13 this year, has yet to be seen.
    This is despite the Parliamentary Joint Committee on Intelligence and Security having set itself a submissions deadline of 1 July 2019, and holding its last public hearing on 28 February 2020.
    The all-important review of the TOLA Act was due to report by September 30. Parliament has been in session since then, but the report didn’t appear.
    A charitable explanation would be that the government was busy preparing the Budget. With only three parliament sitting days, and a backlog of legislation to consider, other matters had to wait.
    A more cynical explanation might be that the longer it takes to review the TOLA Act, the longer it’ll be before recommended amendments can be made.
    Those amendments might well include having to implement the independent oversight proposed by the Independent National Security Legislation Monitor.
    Right now the law enforcement and intelligence agencies themselves can issue the TOLA Act’s Technical Assistance Notices and Technical Assistance Requests. One imagines they wouldn’t want to lose that power.
    Meanwhile, the review of the International Production Orders legislation, a vital step on the way to Australian law being made compatible with the US CLOUD Act, doesn’t seem to have a deadline of any kind.
    In this context, we should also remember the much-delayed and disappointing 2020 Cyber Security Strategy. That seems to have been a minimal-effort job as well.
    For years now, on both sides of Australian politics, national security laws have been hasty to legislate but slow to be reviewed. The question is, is it planned this way? Or is it simply incompetence?

  • Five Eyes governments, India, and Japan make new call for encryption backdoors


    Members of the intelligence-sharing alliance Five Eyes, along with government representatives for Japan and India, have published a statement over the weekend calling on tech companies to come up with a solution for law enforcement to access end-to-end encrypted communications.
    The statement is the alliance’s latest effort to get tech companies to agree to encryption backdoors.
    The Five Eyes alliance, comprised of the US, the UK, Canada, Australia, and New Zealand, has made similar calls to tech giants in both 2018 and 2019.
    Just like before, government officials claim tech companies have put themselves in a corner by incorporating end-to-end encryption (E2EE) into their products.
    If properly implemented, E2EE lets users have secure conversations, be they chat, audio, or video, without sharing the encryption key with the tech companies.
    Representatives from the seven governments argue that the way E2EE is currently supported on today’s major tech platforms prevents law enforcement from investigating crime rings, and also prevents the tech platforms themselves from enforcing their own terms of service.
    Signatories argue that “particular implementations of encryption technology” are currently posing challenges to law enforcement investigations, as the tech platforms themselves can’t access some communications and provide needed data to investigators.
    This, in turn, allows a safe haven for criminal activity and puts the safety of “highly vulnerable members of our societies like sexually exploited children” in danger, officials argued.
    “We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions,” the seven governments said in a press release.
    “Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
    “Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
    “Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.”
    Officials said they are committed to working with tech companies on developing a solution that allows users to continue using secure, encrypted communications, but also allows law enforcement and tech companies to crack down on criminal activity.
    The seven governments called for encryption backdoors not only in encrypted instant messaging applications, but also for “device encryption, custom encrypted applications, and encryption across integrated platforms.”
    In December 2018, Australia was the first major democratic country to introduce an encryption-busting law.
    Similar efforts have also taken place in the US and Europe, but were less successful, primarily due to opposition from either tech companies, non-profits, or the general public.
    However, pressure has been mounting in recent years as western governments seek to reach intelligence-gathering parity with China.

  • Children and parent info exposed in Georgia DHS data breach

    Information for children and parents was accessed by hackers over the summer, the Georgia Department of Human Services (DHS) said on Friday.


    The security breach took place over the spring. Georgia DHS officials said that between May 3, 2020, and May 15, 2020, hackers managed to gain access to several employee email accounts.
    Over the summer, officials said they learned that the intruders “had been able to retain” emails from the hacked accounts.
    The emails contained personal and health information of children and adults involved in Child Protective Services (CPS) cases of the DHS Division of Family & Children Services (DFCS).
    “The information that was compromised as part of the breach varies by person,” Georgia DHS officials said on Friday.
    “Individuals affected may have had the following types of information disclosed: full name of children and household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an identifier of whether face-to-face contact was medically appropriate, phone numbers, email addresses, social security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name and appointment dates.”
    Further, for 12 individuals, psychological reports, counseling notes, medical diagnoses, and substance abuse information were also included.
    Bank account information was not included, except for one individual, Georgia DHS officials said.
    The agency is currently in the process of notifying all affected individuals.
    A phone number (1-888-304-102) was also provided for individuals to call and check if their info was exposed.

  • New self-erasing chip could be used to detect counterfeit or tampered products

    A team of academics from the University of Michigan has developed self-powered and self-erasing chips that they hope could be used as an anti-counterfeit or tamper-detection system.
    The new chips have been built with the help of a new material that changes its color while it temporarily stores energy.
    The material consists of a three-atom-thick layer of semiconductor laid on top of a film of azobenzene molecules.
    The semiconductor is known as “beyond graphene,” and has a special property that it can emit light when its molecules vibrate at certain frequencies.
    When the two are combined, the azobenzene molecules pull on the “beyond graphene” semiconductor, causing it to vibrate in its special frequency range and emit light.
    This reaction effectively allows academics to “write” visible messages on the chip itself.
    However, azobenzene molecules also naturally shrink when exposed to ultraviolet light, such as that found in ordinary sunlight, meaning the chip can store its message in the dark but the message will be erased when exposed to the sun or artificial UV light.
    This makes this new material ideal for creating anti-counterfeit seals that can be applied to products to verify their authenticity or as tamper-detection systems that can be installed inside sensitive systems.
    For example, a barcode or QR code can be printed on chips installed inside commercial products or security systems. If the barcode is missing at an audit, the inspector can determine that a hardware product is a fake or that a secure system’s casing has been opened and the product was most likely tampered with.
    Currently, this material’s only downside is that it can store messages for only up to seven days before the semiconductor and the azobenzene molecules stop interacting with each other and the chip self-clears.
    The next step for the University of Michigan team is to extend the material’s lifetime beyond the current week to something in the range of months to years, at which point it could reliably be incorporated into commercial systems.

  • Document-signing service Docsketch discloses security breach

    Electronic document-signing service Docsketch is notifying customers about a security breach that took place over the past summer.

    In an email sent to customers and seen by ZDNet, the company said that an unauthorized third-party gained access to a copy of its database in early August this year.
    The database file contained a snapshot of the Docsketch service dated July 9, 2020, the company said.
    “This database contained contact information and form fields related to documents filled out by users and users’ recipients,” said Docsketch founder Ruben Gamez.
    Gamez said the intruder(s) didn’t access the documents themselves, but they could read what information users had filled in inside the documents, such as names, signatures, personal data, and even payment card details, where required.
    In addition, the database also contained login information and user contacts (persons asked to fill in documents).
    Passwords were also included, but Docsketch said the password strings were salted and hashed. However, Gamez didn’t elaborate on the salting and hashing scheme used; depending on the algorithm and its work factor, salted hashes can still be cracked under certain conditions to reveal the original plaintext passwords.
    Docsketch is now notifying customers who it believes were affected. In case users believe they entered personal or financial details inside Docsketch-hosted documents, the company has provided additional steps users can take to protect themselves.
    Gamez said Docsketch has already secured its system and updated its infrastructure following the August intrusion.
    “We’re still working out the details but rest assured this is our top priority and we’re going to continue making significant security and infrastructure updates,” Gamez said.
    Docsketch is currently ranked in the Alexa Top 25,000 most popular websites on the internet.