More stories


    Encrypted USB flash drive you can unlock with your smartphone (or Apple Watch)

    There are a lot of encrypted USB flash drives out there. You plug them in, and either there’s an on-screen popup that asks for your passcode, or some sort of physical keypad that is used to gain access.
    But what about transferring the unlocking mechanism to another device — such as a smartphone, or your Apple Watch?
    This is exactly what the iStorage datAshur BT hardware encrypted USB flash drive does.

    Visually, the iStorage datAshur BT looks like any other USB flash drive. A very high quality one — the exterior looks like it is made from polished obsidian. In reality, I think it is an epoxy. It’s tough, gives the drive a water- and dust-resistant rating of IP57 (protected against damage from dust ingress, and water resistant to 1 meter), and there’s a cap that protects the USB-A business end.
    Inside, the datAshur BT is offered in capacities ranging from 16GB all the way to 128GB. This is great because it allows customers to buy the storage they need, and not have to overspend if their needs are modest.
    But there’s more.
    Data on the datAshur BT is fully encrypted using AES-XTS 256-bit hardware encryption, in a design that is FIPS 140-2 Level 3 compliant, which is intended to ease compliance with GDPR, HIPAA, SOX, CCPA and similar regulations.
    Brute force is defended against by a built-in data wipe that triggers after too many wrong attempts.
    Another twist is the decryption.
    Everything is protected by a 7-15-character password or a biometric unlock such as Face ID/facial recognition, Touch ID/fingerprint or iris scanning from a smartphone or tablet. Communication between the drive and any smartphone/tablet (iOS/Android) or Apple Watch is handled over an authenticated Bluetooth channel. That Bluetooth channel is secured by a FIPS-validated encryption layer and is used only for the unlock handshake.
    There is also support for 2FA using SMS, if that’s your thing.
    The drive itself is completely host independent, so it will work with Windows, Mac, Linux, Chrome and so on, VDIs such as Citrix and VMWare, and also with embedded systems such as medical devices, TVs, drones, printers, scanners, or pretty much anything with a USB port.

    Enterprise users will be pleased to know that the drive can be provisioned and remotely managed via the iStorage datAshur BT Remote Management Web Console (which is optional, and subject to an annual subscription).
    The drive is also pretty swift for an encrypted drive. You get USB 3.2 Gen 1 data transfer top speeds of 170 MB/s for reads (and backward compatibility with older standards), and during testing I was easily getting an average of 155 MB/s.
    I’ve been very impressed by this drive. I’ll be honest and say that initially I was a bit skeptical about using an app to access a storage drive, but it’s actually hugely convenient, and the FIPS validation gives me confidence that I’m not sacrificing security for expediency.
    Prices for the iStorage datAshur BT range from $103 to $181 depending on the capacity required. 

    • All data stored on the drive is encrypted in real-time using AES-XTS 256-bit hardware encryption
    • FIPS 140-2 Level 3 compliant design and technology
    • All critical components are covered by a layer of super tough epoxy resin
    • Access to the drive is protected using Bluetooth authentication (FIPS compliant) via any smartphone/tablet (iOS/Android) or Apple Watch
    • Authenticate using a 7-15-character password or biometric unlock (Face ID/facial recognition, Touch ID/fingerprint and iris scanning)
    • IP57 certified – dust and water resistant


    Researchers track hacking ‘fingerprints,’ link Russian attackers to Windows exploit sellers

    Researchers have developed a new technique to “fingerprint” cybercriminals, including two prolific sellers of Windows exploits. 

    On Friday, researchers from Check Point said the “fingerprinting” technique has been used to link Windows local privilege escalation (LPE) exploits to two different authors, believed to have sold their creations previously to Russian advanced persistent threat (APT) groups as well as other clients. 
    In a blog post, the cybersecurity firm said the technique grew out of an incident response engagement for a customer, during which a small 64-bit executable was found on an attacked machine.
    After analyzing the file, the team found unusual debug strings that pointed to an attempt to exploit a vulnerability on one of the target machines. The file contained a leftover PDB path — “…cve-2019-0859x64ReleaseCmdTest.pdb” — which indicated the use of a real-world exploit tool. 
    Digging further, Check Point set out to “fingerprint” unique traits recognizable as the work of specific exploit developers, starting by obtaining a second, 32-bit file that had been compiled at the same time as the first, indicating the handiwork of the same individual.
    Check Point explored unique artifacts in binary code, internal file names, PDB paths, hard-coded values such as crypto constants and garbage values, data tables, string usage, syscall wrappers, and code snippets. 
    In addition, the team analyzed the author’s preferred leaking and elevation techniques, whether or not heap spraying was in use — and how — as well as the general “flow” of the exploits. Global calls, field offsets, and API use were also noted. 
    It wasn’t long before two small binaries turned into a flow of new samples, all based on newly-established Check Point hunting rules. The team then analyzed the new samples and refined their technique, and before long, two exploit sellers were identified. 
    Check Point tested the new method against 16 Windows LPE exploits, 15 of which dated from 2015 to 2019. The team traced their sale to two different authors: “Volodya,” previously known as “BuggiCorp,” and “PlayBit,” also known as “luxor2008.”
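    The artifact-based clustering described above (compile timestamps and leftover PDB paths) can be sketched as a triage script. This is an added example, not Check Point's own tooling; the PE "samples" it parses are constructed stubs, and their PDB paths and timestamps are made up.

```python
"""Pull two linker artifacts out of PE files (the CodeView/RSDS PDB path and the
COFF compile timestamp) and group samples that share a build timestamp.
Added illustration, not Check Point's code; sample inputs below are constructed."""
import struct
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
RSDS = b"RSDS"  # CodeView 7.0 debug record signature


def coff_header(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (Machine, TimeDateStamp) from the COFF file header, or None if not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # COFF header directly follows "PE\0\0": Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return machine, timestamp


def pdb_path(data: bytes) -> Optional[str]:
    """Return the PDB path from the first RSDS record: 'RSDS' + GUID(16) + age(4) + NUL-terminated path."""
    idx = data.find(RSDS)
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\0", start)
    if end < 0:
        return None
    return data[start:end].decode("latin-1")


def fingerprint(data: bytes) -> Optional[dict]:
    """Collect the artifacts used for clustering; None for non-PE input."""
    header = coff_header(data)
    if header is None:
        return None
    machine, timestamp = header
    path = pdb_path(data)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "pdb": path,
        # The project directory is a stronger author clue than the file name: 32-bit and
        # 64-bit builds of one tool usually differ only in the platform subfolder.
        "pdb_dir": path.rsplit("\\", 1)[0] if path and "\\" in path else None,
    }


def cluster_by_timestamp(samples: Dict[str, bytes]) -> Dict[int, List[str]]:
    """Group sample names whose COFF timestamps match exactly (same build session)."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for name, data in samples.items():
        fp = fingerprint(data)
        if fp is not None:
            groups[fp["timestamp"]].append(name)
    return {ts: sorted(names) for ts, names in groups.items()}


def build_stub(timestamp: int, machine: int, pdb: str) -> bytes:
    """Constructed PE-shaped stub (MZ header, PE signature, COFF header, RSDS record).
    Not a runnable executable; it only carries the fields the parsers above read."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature sits at offset 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0)
    rsds = RSDS + b"\x11" * 16 + struct.pack("<I", 1) + pdb.encode("latin-1") + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 32 + rsds


# Constructed sample set: two builds from one session (x64 and x86 of the same
# project), one unrelated build, and a non-PE file that must be skipped.
SAMPLES = {
    "tool_x64.exe": build_stub(1553600000, IMAGE_FILE_MACHINE_AMD64, r"C:\src\lpe-tool\x64\Release\CmdTest.pdb"),
    "tool_x86.exe": build_stub(1553600000, IMAGE_FILE_MACHINE_I386, r"C:\src\lpe-tool\Release\CmdTest.pdb"),
    "other.exe": build_stub(1430000000, IMAGE_FILE_MACHINE_I386, r"D:\proj\stage\Release\stage.pdb"),
    "readme.txt": b"not a PE file",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, fingerprint(data))
    for ts, names in cluster_by_timestamp(SAMPLES).items():
        print(f"build {datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S}Z -> {names}")
```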
    Volodya sells exploits for known vulnerabilities as well as zero-day security flaws — as and when they appear. Check Point linked 10 Windows LPE exploits to this threat actor, many of which were based on zero-days at the time of development. 
    Clients include operators of Ursnif, GandCrab, Cerber, Magniber, and APT groups including Turla, APT28, and Buhtrap.
    “The APT customers, Turla, APT28, and Buhtrap, are all commonly linked to Russia and it is interesting to find that even these advanced groups purchase exploits from exploit authors, instead of developing them in-house,” the researchers say.
    The other exploit seller, PlayBit, focuses only on payloads suitable for known security issues. In total, Check Point found evidence of five different exploits sold by this developer — some of which have ended up in the hands of cybercriminals making use of REvil and Maze ransomware.
    “Finding the vulnerability is just the beginning. They [cyberattackers] need to reliably exploit it on as many versions as possible, in order to monetize it to a customer’s satisfaction,” commented Itay Cohen, Check Point researcher. “We believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    ESET discovers a rare APT that stayed undetected for nine years


    Slovak cyber-security firm ESET has discovered a new state-sponsored hacking group (also known as an APT). Named XDSpy, the group is a rarity in the cyber-security landscape as it managed to remain undetected for nearly nine years before its hacking spree was discovered earlier this year.
    The group’s operations have been detailed for the first time today by ESET researchers in a talk at the Virus Bulletin 2020 security conference.
    ESET says the group’s primary focus has been reconnaissance and document theft. Its targets have been government agencies and private companies in Eastern Europe and the Balkans.
    Targeted countries included Belarus, Moldova, Russia, Serbia, and Ukraine, according to ESET telemetry data, but other XDSpy operations may still be undiscovered.
    ESET says the group’s operations have now gone dark after one of its campaigns was detected and detailed in a security alert sent out by the CERT Belarus team.
    Using this security alert as an initial clue, ESET says it was able to uncover past XDSpy operations. Matthieu Faou and Francis Labelle, the two ESET security researchers who spearheaded the investigation into XDSpy, said the group’s primary tool has been a malware toolkit they named XDDown.
    The malware, described to ZDNet by Faou as “not state-of-the-art,” was nonetheless more than enough to infect victims and help the group gather sensitive data from infected targets.
    ESET described XDDown as a “downloader” used to infect a victim and then download secondary modules that would perform various specialized tasks.
    This prevented security tools from detecting XDDown itself as malicious, but also allowed the malware to possess some very advanced features. XDDown modules include:
    • XDRecon – a module to scan an infected host, gather technical specs and OS details, and send the data back to the XDDown/XDSpy command-and-control server.
    • XDList – a module to search an infected computer for files with specific file extensions (Office-related files, PDFs, and address books).
    • XDMonitor – a module that monitored what kind of devices were connected to an infected host.
    • XDUpload – the module that took files identified by XDList and uploaded them to the XDSpy server.
    • XDLoc – a module to gather information about nearby WiFi networks, information that is believed to have been used to track victim movements using maps of public WiFi networks.
    • XDPass – a module that extracted passwords from locally installed browsers.

    As for how victims got infected, XDSpy wasn’t particularly original about its operations, using the tried-and-tested technique of spear-phishing email campaigns.
    In campaigns analyzed by ESET, the group used email subject lines with lures related to lost and found objects and the COVID-19 pandemic. These emails came with malicious attachments such as Powerpoint, JavaScript, ZIP, or shortcut (LNK) files. Downloading and running any of these files would usually infect the victim with malware.
    Based on the malware’s features, its limited distribution, and its targeting of government agencies, including militaries and Ministries of Foreign Affairs, ESET said the XDSpy group was an obvious APT (advanced persistent threat), a term used by the cyber-security industry to describe hacker groups carrying out operations on behalf of foreign governments, usually for espionage and intelligence gathering.
    But ESET did not say which government. The targeted countries are usually in the focus area of both Russian and NATO countries. However, ESET also noted that many XDSpy malware samples were compiled in Eastern European time zones.
    Certain details in the group’s malware support its classification as an APT. These include the fact that many of the plugins contained no persistence mechanism, meaning the main XDDown malware would have had to re-download each module after a reboot.
    Furthermore, ESET said it also discovered that some XDDown plugins also came with time-based killswitches that removed them after a certain date.
    These two features suggest XDSpy prioritized stealth over persistence in an effort to remain undetected and avoid exposing its tools, a common tactic and modus operandi employed by many state-sponsored groups.
    “Thus, they were able to use the same code base for 9 years while being able to evade some security products by tweaking the obfuscation,” Faou told ZDNet in an email this week.


    4G, 5G networks could be vulnerable to exploit due to ‘mishmash’ of old technologies

    BLACK HAT ASIA: Researchers have demonstrated how attackers can take advantage of a decades-old protocol to exploit 5G networks. 

    The next-generation wireless technology is expected to account for 21% of all wireless infrastructure investments over 2020. Pilots and official rollouts are underway worldwide — despite the disruption caused by COVID-19 — and many vendors now offer 5G-supporting devices in preparation for transitions from 4G to 5G. 
    While investment is pouring into 5G from all areas, security appears to be an afterthought, as fragmented and bolted-on telecoms technologies, protocols, and standards leave gaping holes for cyberattackers to exploit. 
    During a presentation at Black Hat Asia on Friday called “Back to the Future. Cross-Protocol Attacks in the Era of 5G,” Positive Technologies security expert Sergey Puzankov highlighted how outstanding issues in the SS7 protocol still plague the telecommunications industry. 
    The Signaling System 7 (SS7) industry standard and set of protocols was developed in 1975 and has not moved on much since, and that includes its security posture. In 2014, the cybersecurity firm revealed exploitable security flaws in the protocol which could be used to conduct attacks ranging from intercepting phone calls to bypassing two-factor authentication (2FA).
    Diameter and GTP are also commonly used in the telecoms industry for 3GPP, GSM, UMTS, and LTE networks. Mobile networks will often connect these protocols to provide a seamless experience for consumers when they shift between 3G, 4G, and 5G. 
    “This mishmash of technologies, protocols, and standards in telecom has implications for security,” Puzankov says. “Intruders are attacking mobile networks from all possible angles, in part by leveraging multiple protocols in combined attacks.”
    Vendors are aware of these problems and have implemented various security measures to try and protect their networks, including signaling firewalls, frequent security assessments and audits, as well as implementing signaling IDS and SMS home routing. However, this doesn’t always go far enough. 
    In a set of scenarios explained by the researcher during the presentation, Puzankov outlined how cross-protocol attack vectors could be used to manipulate data streams on 4G and 5G networks; intercept SMS and voice calls on 2G, 3G, and 4G, and potentially commit widespread financial fraud by signing up subscribers to value-added services (VAS) without their consent — all from a signaling connection.
    Each case has one thing in common: the attack begins with malicious action in one protocol and is continued in another, requiring specific combinations of actions and mixed-generation networks to succeed. Architecture flaws, misconfigurations, and software bugs provide the entry points for these attacks.
    In the first scenario, when firewalls are not in place, voice call interception was found to be possible via Man-in-the-Middle (MiTM) attacks. For example, threat actors could spoof billing websites, make contact with a subscriber, and then lure them to input their account details into the fraudulent domain. By jumping from SS7 to Diameter, it may also be possible to circumvent existing security barriers.  
    The second case outlined by Puzankov involves voice call interception on 4G and 5G networks by tampering with network packets. When a user is on a 4G or 5G network, signals are constantly sent in what the researcher calls an “always connected” mode, and if a threat actor jumps from Diameter to other protocols, they may be able to intercept subscriber profiles and data. If a victim is roaming, location requests can also be sent by attackers. 
    Finally, subscription fraud can be achieved by sending “random” requests to subscribers via the SS7 / GTP protocols. By exploiting security issues, attackers may be able to assign victims unwanted subscriptions generated via stolen subscriber profile data.
    All of these attack vectors have been tested in real-world scenarios and reported to relevant industry bodies. 
    “It is still possible for attacks to take place on well-protected networks,” the researcher commented. “In most cases, operators can protect their networks better without [additional] cost. They just need to check if their security tools are effective when new vulnerabilities are reported.”


    Australia's Therapeutic Goods Administration to undergo an AU$12m digital transformation

    Australia’s Therapeutic Goods Administration (TGA) is getting a digital makeover, after the federal government announced on Friday it would invest AU$12 million over four years to make it happen.
    As part of the revamp, TGA’s business systems and infrastructure will be digitised and cybersecurity measures will be bolstered.
    Specifically, it will enable medical companies to use automatic data transfer to deliver drug reaction reports on patient safety from their own internal databases into the TGA Adverse Events Management System (AEMS) database, saving up to 15 minutes per report. This will be a change to the current process that requires reports that are submitted in PDF format, as well as other formats, to be manually entered into the database. 
    Minister for Health Greg Hunt touted the revamp would help cut red tape for more than 4,000 businesses that apply to register medicines and medical devices annually, saying it would result in earlier approvals of medical products.
    “The TGA receives around 26,000 applications every year for medicines and medical devices to be listed or amended on the Australian Register of Therapeutic Goods (ARTG), which allows them to be imported, sold, and used in Australia,” he said.
    “The digital changes will enable simpler and more secure interactions between government and industry to apply for, track, pay, and manage listings for regulated and subsidised health-related products and services.”
    The program is being delivered as part of the federal government’s deregulation agenda, which has been designed to reduce the cost of doing business with government and performing regulatory compliance through targeted technology investment.
    The agenda received just over AU$156 million when the Australian government handed down its 2019-20 Mid-Year Economic and Fiscal Outlook at the end of last year.
    Earlier this week, the Morrison government announced, as part of its AU$800 million Digital Business Package, that cutting regulatory red tape will be one of its priorities. It added that the government plans to dedicate AU$7 million to two blockchain pilots that aim to reduce business regulatory compliance costs, and nearly AU$11.5 million to regtech commercialisation.
    But red tape reduction is not only happening at the federal level. On Thursday, the New South Wales government launched its open-source rules-as-code platform to help industry and other government bodies digitise regulation for easier compliance.
    The state government said through the platform, industry and other government bodies would be able to incorporate digital rules directly into their own IT systems and see any future rule changes be automatically applied.
    The platform has launched with the digital version of the Community Gaming Regulation 2020, which identifies the conditions for running community games by charities, not-for-profits, and businesses.


    Facebook sues two Chrome extension makers for scraping user data

    Facebook has filed a lawsuit today against two companies for creating and distributing malicious browser extensions that scraped user data without authorization from the Facebook and Instagram websites.
    Named in the lawsuit are BrandTotal Ltd., an Israeli-based company with a Delaware subsidiary, and Unimania Inc., incorporated in Delaware.
    The two companies are behind UpVoice and Ads Feed, two Chrome extensions available on the official Chrome Web Store since September and November 2019, where they racked up more than 5,000 and 10,000 installs, respectively.
    “BrandTotal enticed users to install the UpVoice extension from the Google Chrome Store by offering payments in exchange for installs, in the form of online gift cards, and claiming that the users who installed the extension became ‘panelists . . . [who] impact the marketing decisions and brand strategies of multi-billion dollars (sic) corporations’,” Facebook said in court documents filed today.

    “Similarly, Unimania promoted its Ads Feed extension on the Google Chrome Store by claiming that the users became ‘a panel member of an elite community group that impacts the advertising decisions of multi-billion dollar corporations!’,” Facebook added.
    But Facebook claims that despite their descriptions, both extensions were malicious and designed to scrape public and non-public data from users’ online accounts.
    According to court documents, Facebook claims the UpVoice extension scraped data from user profiles at Facebook, Instagram, Amazon, Twitter, LinkedIn, Pinterest, and YouTube.
    Similarly, Ads Feed collected data from users accessing their Facebook, Instagram, Amazon, Twitter, and YouTube profiles, respectively.
    Scraped data usually included user profile information (name, user ID, gender, date of birth, relationship status, and location information), advertisements and advertising metrics (name of the advertiser, image and text of the advertisement, and user interaction and reaction metrics), and user Ad Preferences (user advertisement interest information) — none of which the company was authorized to possess.
    The Menlo Park-based social media giant claims that data illegally acquired through the two extensions has been re-packaged and sold as “marketing intelligence” via BrandTotal’s website.
    Facebook claims the two companies are the same
    Facebook says both extensions used almost identical code to scrape data from users and sent the data back to the same remote servers. In fact, Facebook believes the two companies are the same.
    “Defendants shared common employees and agents,” Facebook explained in its complaint.
    “For example, BrandTotal’s Chief Product Officer and General Manager (Ex. 5), created Facebook accounts in the name of Unimania and the Ads Feed extension. BrandTotal’s Chief Technology Officer and co-founder (Ex. 5) also administered Unimania accounts on Facebook.”
    Facebook is now seeking to put a stop to this scheme. The social network has asked a judge to issue a permanent injunction against both companies to prevent them from accessing the Facebook and Instagram websites, block them from developing further extensions, and has asked for compensatory damages based on the two companies’ previous profits.
    Both extensions are still available for download
    Yet, in spite of the extensive data scraping behavior detected by Facebook, even against Google-owned services, the two extensions are still available on the Chrome Web Store.
    Facebook said it tried numerous times to have them taken down, but Google has not responded to its requests.
    Unimania, before developing the Ads Feed extension, was previously involved in another scandal in 2018 when AdGuard found four of the company’s Chrome extensions scraping Facebook user data.
    Since early 2019, Facebook’s legal department has been filing lawsuits against several third-parties that have been abusing its platform. Previous lawsuits include: 
    • March 2019 – Facebook sued two Ukrainian browser extension makers (Gleb Sluchevsky and Andrey Gorbachov) for allegedly scraping user data.
    • August 2019 – Facebook sued LionMobi and JediMobi, two Android app developers, on allegations of advertising click fraud.
    • October 2019 – Facebook sued Israeli surveillance vendor NSO Group for developing and selling a WhatsApp zero-day that was used in May 2019 to attack attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.
    • December 2019 – Facebook sued ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware.
    • February 2020 – Facebook sued OneAudience, an SDK maker that secretly collected data on Facebook users.
    • March 2020 – Facebook sued Namecheap, one of the biggest domain name registrars on the internet, to unmask hackers who registered malicious domains through its service.
    • April 2020 – Facebook sued LeadCloak for providing software to cloak deceptive ads related to COVID-19, pharmaceuticals, diet pills, and more.
    • June 2020 – Facebook sued to unmask and take over 12 domains containing Facebook brands and used to scam Facebook users.
    • June 2020 – Facebook sued MGP25 Cyberint Services, a company that operated an online website that sold Instagram likes and comments.
    • June 2020 – Facebook sued the owner of Massroot8.com, a website that stole Facebook users’ passwords.
    • August 2020 – Facebook sued MobiBurn, the maker of an advertising SDK accused of scraping user data.
    • August 2020 – Facebook sued the owner of Nakrutka, a website that sold Instagram likes, comments, and followers.


    US Treasury says some ransomware payments may need its express approval

    The US Treasury Department has published guidelines today to be used in special circumstances where a ransomware payment may break US sanctions.
    The guidelines apply to situations where an individual or company has had its data encrypted by a ransomware gang that is either sanctioned or has affiliations with a cybercrime group sanctioned by the US Treasury in years past.
    The Treasury says that making a ransomware payment in this type of situation may violate Treasury sanctions and incur a legal investigation against the entities involved, which could be:
    • The victim;
    • The financial institutions which processed the ransom payment; and
    • Intermediaries such as cyber-insurance firms and companies involved in digital forensics and incident response.
    US officials say that in these situations, victims should contact the Treasury’s Office of Foreign Assets Control (OFAC) before deciding on making the payment.
    “OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus,” the agency said today.
    Companies who contact law enforcement agencies when they get infected will also be looked favorably upon “in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
    According to the OFAC’s advisory, the following individuals/groups have been sanctioned, and ransomware payments to these groups, directly or to a nexus, are considered to be a sanctions violation:
    The Treasury published this guideline today because of the aftermath of the ransomware attack on wearables maker Garmin. The attack was carried out with a ransomware strain named WastedLocker, believed to be the successor of the BitPaymer ransomware, and connected to the EvilCorp group.
    Garmin is said to have paid the ransom demand.
    ZDNet, along with reporters from the Wall Street Journal and other news outlets, reached out to the Treasury following the incident to inquire if Garmin had broken US sanctions by making a payment to an EvilCorp nexus.
    Sources close to the Treasury, but not in the department, told ZDNet that the Treasury was aware that fully blocking ransom payments might lead to situations where some companies could not recover their data and would be forced to shut down or suffer considerable losses.
    The Treasury declined to comment at the time but has released today an advisory detailing its stance on the matter.
    But today’s document also doesn’t mean that victims and cyber-security firms have a clear path to break sanctions by notifying OFAC of a payment in advance.
    The Treasury specifically said today that “license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.” [Emphasis ours]
    Those who do not abide by the new guidelines risk huge fines.