More stories

  • Singapore spotlights OT security, unveils security roadmap focusing on infrastructure

    Singapore is setting up a panel comprising global experts to offer advice on safeguarding its operational technology (OT) systems and has unveiled the country’s latest cybersecurity blueprint, focusing on digital infrastructures and cyber activities. It is also hoping to rope in other Asean nations to recognise a Cybersecurity Labelling Scheme (CLS) that rates the level of security for smart devices, such as home routers and smart home hubs. 
    Singapore’s latest cybersecurity masterplan builds on its 2016 cybersecurity strategy and looks to boost the “general level of cybersecurity” for its population and businesses. It focuses on the need to secure the country’s core digital infrastructure and cyberspace activities, as well as drive the adoption of cyber hygiene practices amongst its connected citizens. 


    Launched by Deputy Prime Minister Heng Swee Keat at this year’s Singapore International Cyber Week, held online, the new blueprint was essential in combating the high volume of day-to-day cyber threats faced by people and businesses. 
    Heng said during his speech that COVID-19 had underscored the value of digital technology in economic and social activities, but also brought with it risks that must be addressed early. 
    “As a relatively nascent frontier, we will need to address issues like the ethical use of technology, user privacy, and a growing digital divide,” he said. “As more people go online, crime and threats have also gone virtual. Cybersecurity will be critical as we become more digital. With the global order coming under pressure, we must avoid a ‘zero sum’ approach to technology.”
    With cybercrime in Singapore climbing by more than 50% last year, and cybercrime accounting for more than a quarter of all crimes here, he underscored the need to sharpen the country’s cybersecurity capabilities. 
    Part of its latest efforts to combat cyber risks focused on OT and the Internet of Things (IoT), which it described as fast-evolving landscapes that could pose distinctive threats and risks. To address these, a new OT Cybersecurity Expert Panel comprising global experts was being set up to advise government agencies and other stakeholders on strategies the country needed to improve the resilience of its OT systems. 
    Minister for Communications and Information and Minister-in-charge of Cybersecurity S. Iswaran explained that a successful cyber attack on an OT system could manifest as a severe disruption in the physical world. Such systems, including those in the energy, water, and transport sectors, were critical to deliver essential services and support the economy, he said.
    Pointing to issues raised last year, Iswaran added that cybersecurity efforts often were focused on the ICT aspect, though OT systems were equally important and deserved the attention Singapore was now placing on them at a national and regional level.
    The minister further noted that IoT devices also posed a challenge to defend at scale as the proliferation of smart devices, as well as the emergence of 5G, would create a huge attack surface.
    Here, the government hopes to help consumers make more informed purchases with the CLS, which was first announced in March. The scheme assesses and rates registered smart devices according to their level of cybersecurity provisions. 
    Launched by the Cyber Security Agency (CSA), the initiative aimed to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost. 
    The CLS initially would be used to assess Wi-Fi routers and smart home hubs, which CSA had prioritised due to the wide adoption of these devices and the impact a security compromise would have on users. 
    The scheme is voluntary and comprises four levels of rating based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. 
    Level 1, for instance, meant the product had met basic security requirements such as ensuring unique default passwords and providing software updates, while a Level 4 product had undergone structured penetration tests by approved third-party test labs and fulfilled Level 3 requirements.
    According to Iswaran, CSA would work with Asean member states and other international partners to establish mutual recognition agreements. 
    Deeper cooperation in this region was especially vital as countries moved to capitalise on the digital trajectory fuelled by the global pandemic, he said.
    Stressing the need for “strong” international cooperation, Heng noted that cyberthreats transcended national boundaries and would need global collaboration to mitigate these risks. 
    Need for rules-based international order
    Singapore’s deputy prime minister said the world would be poorer without multilateralism and globalisation, and this was why the country — alongside many other nations — was “redoubling our commitment” to a rules-based multilateral order. 

    Acknowledging the growing tension between China and the US, he expressed hope that both countries eventually would reach a new model of constructive cooperation, as few countries would want to choose sides. 
    He pointed to the digital economy as one area of collaboration as it remained one of the few growing sectors during the pandemic, and urged countries to better harness this potential by strengthening digital connectivity to enhance cross-border digital trade. 
    In this aspect, Heng noted that Singapore strongly supported an open digital trade architecture and had been actively growing its network of digital economy agreements with like-minded countries. These had included nations such as New Zealand, Chile, and Australia.
    And as digital economies grew, so too would the cyber threat attack surface, Iswaran said, during his speech at the 5th Asean Ministerial Conference on Cybersecurity, held Wednesday at the Singapore International Cyber Week. 
    “Today, we face an unprecedented level of exposure to cyber threats,” he said. “A safe and secure digital infrastructure must undergird our digital economy ambitions for the region. It is more important than ever for Asean to tackle the challenge of cybersecurity together, in a sustained, holistic, and coordinated manner.”
    This should encompass a rules-based international order to ensure a safe and accessible cyberspace, he noted, adding that regional resilience of critical infocomm infrastructures must be strengthened. 
    Iswaran said: “[Maintaining a rules-based international order] will be increasingly challenging against the backdrop of a volatile and fractious global landscape, caused by growing geopolitical tensions as well as rising protectionism. Therefore, we have to double down on efforts to create robust rules and engender international collaboration for greater cyber resilience and stability.”
    In particular, he noted, critical information infrastructures (CIIs) must be protected as they formed the backbone of each society’s vital services and activities. He added that many cities in Asean served as hubs for services that spanned banking and finance, telecommunications, maritime, and aviation. 
    “Thus, the impact of a cyberattack on a national CII may not be confined to that country alone, but also felt in other parts of the region and even the world,” he said. “Beyond protecting national CIIs, Asean can do more to strengthen regional cyber resilience by safeguarding CIIs with cross-border impact, such as common cloud and banking systems. In fact, the significance of the cloud has been heightened because of the pandemic and the response from industry.”
    “The need to secure these CIIs cannot be overstated. A cyberattack on any of these might cause wide-ranging disruptions to multiple states in essential services, including those related to international trade, transport, and communications,” the Singapore minister said. 
    Asean Secretary-General Lim Jock Hoi concurred, noting that the COVID-19 pandemic had changed the way people lived and worked, with conversations and social interactions moved to the digital space. 
    As the region’s reliance on digital technology grew, so too must efforts to ensure security measures were in place and infrastructures were protected, Lim said. 
    Resiliency was increasingly important and fostering regional cooperation would be integral to ensure the development of Asean infrastructures that were inclusive and resilient. 
    Noting that “we’re only as strong as the weakest link”, he stressed the need for all Asean member states to safeguard their cyberspace. 

  • Okta plots new SDK, API to enable biometric, push notifications on mobile

    Okta is launching a new software developer kit and application programming interface that will enable developers to build biometric and push notification sign-ins. 
    The move is part of a broader effort for password-less sign-ins to reduce friction and boost security. With the Okta SDK and API, developers can build mobile apps with branded push notifications and biometrics like FaceID to authenticate users.
    According to Okta, security and authentication services need to acknowledge mobile-first workflows and technologies.
    Okta is leveraging its Okta Devices Platform Service to do the following:
    Embed Okta Verify technology with push and biometrics in mobile applications.
    Develop branded omnichannel multi-factor authentication with custom push messaging and action buttons.
    Deploy more layers of protection in high-risk access attempts.
    Allow end users to view and manage their Okta registered devices including self-service options if a device is lost or stolen.
    The Okta Devices SDK will be available for iOS and Android in early access in the first quarter of 2021.
    Separately, Okta outlined a partnership with Salesforce to integrate identity services in the Work.com suite.
    Okta also updated its Okta Advanced Server Access to integrate with no-code automation through Okta Workflows and third-party providers to scale. The enhancements are aimed at scaling cloud-based identity infrastructure.
    With Okta Advanced Server Access, DevOps teams can provision resources across public clouds while keeping identity and access policies consistent, enforce role-based access controls and meet compliance requirements.

  • US warns: Big surge in Emotet malware campaigns makes it one of today's top threats

    The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over a huge surge in activity by the gang behind the Emotet trojan. 
    Historically, the Emotet spam botnet has been linked to the distribution of banking trojans, but these days it spews malware-laden spam and then sells access to infected computers to any criminal group, including ransomware operators. 

    Microsoft, Italy, and the Netherlands last month warned of a spike in Emotet malicious spam activity, which came a few weeks after France, Japan and New Zealand issued their alerts over Emotet.   
    Emotet was quiet after February but came back with a vengeance in July. CISA describes Emotet as a “sophisticated trojan commonly functioning as a downloader or dropper of other malware” and “one of the most prevalent ongoing threats”. 
    CISA’s assessment is understandable given that Emotet is considered to be currently the world’s largest malware botnet. 
    Since August, CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have observed attackers targeting state and local governments with Emotet phishing emails. 
    Emotet spreads with worm-like features via phishing email attachments or links that load a phishing attachment. After being opened, Emotet works to spread throughout a network by guessing admin credentials and using them to remotely write to shared drives using the SMB file-sharing protocol, which gives the attacker the ability to move laterally through a network.    
    CISA says since July its Einstein in-house intrusion-detection system for federal and civilian executive branch networks has detected about 16,000 alerts related to Emotet activity.
    Microsoft in September noticed Emotet was also using password-protected email ZIP attachments instead of Office documents to bypass email security gateways.  
    The European Emotet warnings came after researchers saw the botnet dropping Trickbot to deliver ransomware and Qakbot Trojan to steal banking credentials. 
    Another crafty ploy currently in use by Emotet is hijacking email threads. The Emotet group grabs an existing email chain from an infected host and answers the thread with an additional malicious document attached.

  • This FBI Wi-Fi warning could spoil your working from home escape plan

    If you were planning to swap working from home for working from a hotel in an attempt to get a bit of peace and quiet, the FBI wants you to be careful about connecting to Wi-Fi networks.
    The FBI said it has noticed more people who had been working from home were now working from hotels instead, and that hotels in big cities have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment.


    “While this option may be appealing, accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks,” the agency warned in an alert. It said hackers can exploit lax hotel Wi-Fi security to steal work and personal data.
    Because guests are mostly unable to control the security of the Wi-Fi network they are using, criminals will try to monitor a victim’s web browsing or redirect victims to false login pages, which can steal passwords and other information. The FBI said criminals can also conduct an “evil twin attack” by creating their own network with a similar name to that of the hotel’s network, which guests might then log into by mistake, giving attackers direct access to their computer.
    Smaller hotels will rarely change the password on their Wi-Fi, and even the most secure hotel Wi-Fi network is typically secured by a combination of room number and password. “If teleworking from a hotel, guests should not implicitly trust that the hotel has properly secured their network or is monitoring it for attacks,” the FBI said.
    It’s not just poor passwords that are the problem with hotel networks – old and outdated network equipment is much more likely to possess known flaws that hackers can exploit. And the FBI notes that even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware, or whether default passwords have changed.
    In many respects, the threats are not new: the FBI has previously warned of this, as well as the risk of using Wi-Fi in airports. Many of these security issues also apply to cafes and other open networks. While few of us are likely to be flying soon, the idea of a change of scenery from the home office might tempt some workers into trying working from a hotel, rather than their now all-too-familiar home environment.
    Getting hacked via hotel Wi-Fi might seem like a low risk to some, but the consequences can be far-reaching, from data theft, to cyber espionage and even ransomware attacks.

    “Once the malicious actor gains access to the business network, they can steal proprietary data and upload malware, including ransomware,” the FBI said.
    “Cyber criminals or nation-state actors can use stolen intellectual property to facilitate their own schemes or produce counterfeit versions of proprietary products. Cyber criminals can use information gathered from access to company data to trick business executives into transferring company funds to the criminal.”
    The FBI also lists a number of ways to reduce the risk of being hacked while using hotel Wi-Fi:
    If possible, use a reputable Virtual Private Network (VPN).
    If available, use your phone’s wireless hotspot instead of hotel Wi-Fi.
    Ensure your laptop’s software is up-to-date and important data is backed up.
    Confirm with the hotel the name of their Wi-Fi network prior to connecting.
    Do not connect to networks other than the hotel’s official Wi-Fi network.
    Connect using the public Wi-Fi setting, and do not enable auto-reconnect while on a hotel network.
    Always confirm an HTTPS connection when browsing the internet; this is identified by the lock icon near the address bar.
    Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
    Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
    If you must log into sensitive accounts, use multi-factor authentication.
    Enable login notifications to receive alerts on suspicious account activity.

  • Ransomware: Surge in attacks as hackers take advantage of organisations under pressure

    The number of ransomware attacks has significantly grown over the past few months as cyber criminals look to cash in on security vulnerabilities opened up by the rise in remote working.
    Researchers at cybersecurity company Check Point said the number of daily ransomware attacks across the globe has increased by half over the past three months – and that they’ve almost doubled in the US.


    One of the reasons ransomware attacks are on the rise is because of the swift switch to remote working that has forced many people to work from home for the first time, something that could leave them vulnerable to phishing emails and malware attacks, especially on a home network that likely won’t be as secure as an enterprise environment.
    Working from home also makes monitoring devices for malicious activity harder for information security teams than it would be if every user was under one roof, providing hackers with a better chance of going about their business unnoticed.
    “The increase in ransomware attacks began with the advent of the coronavirus pandemic, as organizations scrambled to enact remote workforces, leaving significant gaps in their IT systems,” said Lotem Finkelstein, head of threat intelligence at Check Point.
    Investigating and restoring the network following a ransomware attack takes weeks or months, and when this is combined with employees working remotely, some organisations simply prefer to give in to the ransom demands and pay hundreds of thousands or even millions of dollars in bitcoin in order to restore the network as quickly as possible.
    Cyber criminals have also added a new tactic to encourage victims to pay up – threatening to leak confidential information or personal data if a payment isn’t received.
    However, while some businesses might view paying ransoms as the best way to restore the network without causing additional damage, paying cyber criminals only encourages them to continue with ransomware attacks.
    Check Point identified the Ryuk ransomware as one of the most prolific families of ransomware over the past few months, with the number of Ryuk attacks rising to around 20 a week. That might not sound like a lot, but each Ryuk attack is meticulously planned to inflict the most damage and disruption.
    Ransomware preys on organisations that can’t afford to have their networks taken down by an attack – which is likely the reason why researchers point to a two-fold increase in the number of ransomware attacks against healthcare organisations over the past few months.
    Hospitals and research facilities are already under pressure because of the coronavirus pandemic, meaning that systems remaining operational is vital – and that in some instances, healthcare institutions affected by a ransomware attack will just pay the ransom, viewing it as the least worst option for keeping patients safe.
    “The last three months alone have shown alarming surges in ransomware attacks, and I suspect the ransomware threat to get far more worse as we approach the new year. I strongly urge organizations everywhere to be extra vigilant,” said Finkelstein.
    However, it’s far from impossible to protect networks from ransomware attacks. Check Point researchers recommend security patching as a “critical” component of protecting against ransomware attacks, as many exploit known vulnerabilities to gain a foothold on the network.
    It’s also important for organisations to continuously backup their data, because in the event of a ransomware attack or any other situation that corrupts files and data, the network can be restored from a recent point.
    Businesses should also train users on how to identify and avoid potential ransomware attacks, especially if employees are going to be working remotely going forward.

  • UK Department For Education fails to meet UK, GDPR data protection standards – with flying colors

    A compulsory audit at the UK Department For Education (DFE) has exposed a quagmire of confusion and failures in managing and protecting data. 

    When a government’s “world-beating” COVID-19 test-and-trace system seems to fall at each hurdle and Excel spreadsheets are blamed for the loss of close to 16,000 confirmed coronavirus case registrations, perhaps it should not be a surprise that other departments also have data management problems.
    In 2019, the DFE was the subject of complaints stemming from the Against Borders for Children (ABC) group for apparently sharing information belonging to minors “secretly” with the Home Office. 
    At the time, as reported by The Guardian, the UK Information Commissioner’s Office (ICO) said, “DFE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far-reaching issues, impacting a huge number of individuals in a variety of ways.”
    DefendDigitalMe also accused the department of refusing to allow parents to see their child’s record in the National Pupil Database or to correct any inaccurate data (.PDF). 
    In light of data protection concerns and potential violations of the EU’s General Data Protection Regulation (GDPR), the ICO launched a compulsory audit into the department’s data practices. 
    The results are in and it appears the DFE has a long way to go before coming close to complying with UK protection laws. In total, 139 recommendations for improvement have been made, with over 60% classified as “urgent” or “high priority.”
    According to the audit (.PDF), completed in February and now made public, the DFE has “no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security […] along with a lack of formal documentation.”
    This lack of structure means that the department cannot demonstrate GDPR compliance. In addition, the ICO notes a lack of “central oversight of data processing activities.”
    The employees at the department have also come under fire, with “internal cultural barriers and attitudes” cited as reasons for a failure on the DFE’s part to implement an “effective system of information governance.”
    There are no formal policy frameworks, the role of Data Protection Officer (DPO) has not been established properly, little training is available to employees in data protection laws, and what data itself is held by the DFE is murky — since there is no substantial record of data processing activity. 
    Other points of note include:
    The DFE is not providing “sufficient privacy information to data subjects.”
    The DFE and internal executive agencies have shown confusion over who, or what, is a data controller, joint controller, or data processor;
    The department hasn’t shown any certainty over whether those who obtain data are controllers or processors, and so it is not clear what information should be provided;
    There is a lack of awareness among staff of data protection, potentially upping the risk of data breaches;
    No experts are involved in the creation of data storage or retention record systems;
    No data protection impact assessments (DPIAs) are being carried out at the correct and early stages of cases;
    The Privacy Assurance Team (PAT) are risk assessing projects they aren’t fully briefed on.
    When it comes to sharing data with other organizations, the ICO notes that only 12 applications out of 400 were rejected due to an “over-reliance” on citing “public tasks” as the legal basis for the transfer of information. 
    “The ICO’s primary responsibility is to ensure compliance with the law and its policy is to work alongside organizations committed to making the necessary changes to improve data protection practice,” the ICO said in a statement. “The department accepted all the audit recommendations and is making the necessary changes.”
    “We treat the handling of personal data — particularly data relating to schools and other education settings — extremely seriously and we thank the ICO for its report which will help us further improve in this area,” a DFE spokesperson told ZDNet. “Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.”
    Furthermore, the department says that training plans have now been created for staff and internal vacancies related to data management have been “vastly increased” over the last year, the majority of which have now been filled. 

  • Hackers exploit Windows Error Reporting service in new fileless attack

    A new fileless attack technique that abuses the Microsoft Windows Error Reporting (WER) service is the work of a hacking group that is yet to be identified. 

    According to Malwarebytes security researchers Hossein Jazi and Jérôme Segura, the attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion.
    In a blog post on Tuesday, the duo said the new “Kraken” attack — albeit not a completely novel technique in itself — was detected on September 17. 
    A lure phishing document found by the team was packaged up in a .ZIP file. Titled “Compensation manual.doc”, the file claims to contain information relating to worker compensation rights, but when opened, is able to trigger a malicious macro. 
    The macro uses a custom version of the CactusTorch VBA module to spring a fileless attack, made possible through shellcode. 
    CactusTorch is able to load a .NET compiled binary called “Kraken.dll” into memory and execute it via VBScript. This payload injects an embedded shellcode into WerFault.exe, a process connected to the WER service and used by Microsoft to track and address operating system errors.
    “That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens,” Malwarebytes says. “When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.”
    This technique is also used by NetWire Remote Access Trojan (RAT) and the cryptocurrency-stealing Cerber ransomware. 
    The shellcode is also commanded to make an HTTP request to a hard-coded domain, likely to download additional malware. 
    Operators of Kraken follow up with several anti-analysis methods, including code obfuscation, forcing the DLL to operate in multiple threads, checking for sandbox or debugger environments, and scanning the registry to see if VMware’s virtual machines or Oracle’s VirtualBox are running. The developers have programmed the malicious code to terminate if indicators of analysis activity are found. 
    The Kraken attack has proven to be difficult to attribute, at present. The hard-coded target URL of the malware was taken down at the time of analysis, and without this, clear markers indicating one APT or another are not possible. 
    However, Malwarebytes says there are some elements that reminded researchers of APT32, also known as OceanLotus, a Vietnamese APT believed to be responsible for attacks against BMW and Hyundai in 2019. 


  • GitLab patches Elasticsearch private group data leak bug

    A bug bounty researcher has been awarded $3000 for disclosing a security issue in GitLab leading to the exposure of private groups. 

    The report was made public on the HackerOne bug bounty platform on October 6. 
    Submitted by researcher Riccardo “rpadovani” Padovani on November 29, 2019, the GitLab issue is described as a failure to remove code from Elasticsearch API search results when transferring a public group to a private group. 
    Padovani said the medium-severity issue occurs when a project handler shifts a public group — with public projects — to private status. This should also mean that the code and wiki associated with the project are locked down, but the security flaw meant that this data could still be reached through search APIs. 
    The bug bounty hunter described a scenario in which the improper access issue could be triggered:

    “Alice creates the public group “Example”, and a public project named “Example-project” inside the group. In the readme of the project, Alice writes “Example”.
    Now, Alice creates a private group called “private”, and transfer all the “Example” group to the “private” group. If Bob (totally unrelated to Alice) searches for “Example” instance-wide, he will not find anything [… but if he] uses APIs, he will receive the results back with the information that should be private.”

    This also happens with wiki_blobs functionality. However, it is worth noting that the problem only occurs when transferring groups, rather than single projects. 
    GitLab triaged and accepted the report, awarding a bounty of $3000. A patch was issued in GitLab version 12.5.4. 
    In April, the dev-ops platform awarded William Bowling $20,000 for disclosing a remote code execution (RCE) vulnerability. In March, the researcher made GitLab aware of critical validation issues in the Gitlab UploadsRewriter function which could be exploited to trigger a path traversal scenario, leading to RCE. 
