More stories

  •

    UK NCSC: Don't disable updates so you can continue using Adobe Flash past its EOL


    The UK’s cyber-security agency warned on Wednesday of the dangers and complications that may arise from not removing Adobe Flash Player and continuing to use the software past its end-of-life (EOL) date of December 31, 2020.
    Problematic scenarios include enterprise and other networks where legacy web apps and desktop software still use Flash to display multimedia content or support features like file uploads, file explorers, loading screens, and more.
    The UK National Cyber Security Centre (NCSC) fears that some system administrators, with disregard for the security of their network, might make the wrong decision and disable update mechanisms in these applications or web browsers so employees can continue using these apps.
    “Just to be clear: You should not disable browser and/or platform updates as a way of continuing to use Adobe Flash Player after 2020,” the agency said on Wednesday. [Emphasis by the NCSC]
    “Instead, we encourage you to work alongside your suppliers to remove Flash dependencies. Any vendors that are unwilling, or unable, to do this should, themselves, be considered risky.”
    Some software providers like SAS, Citrix, Articulate, and others have already released updates and customer guidelines in preparation for the Flash EOL. Others may have not, and system administrators may need to intervene and remove the software from their networks and find a Flash-free alternative.
    But if there’s one thing IT administrators can’t say, it’s that they were taken by surprise. Adobe gave companies a three-year head start to prepare for the Flash EOL, having first announced it in 2017.
    Browser makers like Apple, Google, Microsoft, and Mozilla have all announced they also planned to remove Flash from their products by the end of 2020 or late January 2021, making playing any Flash content inside their products impossible.
    In a recent update to its Flash EOL page, Adobe itself asked companies to be proactive about the EOL and remove the software even before the end of the year; it also plans to prompt users to uninstall Flash later this year.
    This is the second time that the NCSC has stepped forward to warn UK IT admins about a soon-to-be EOL software application. The agency published a similar alert in August 2019 urging software developers to migrate their code to Python 3.x as the Python 2.x branch neared its scheduled EOL date of January 1, 2020.

  •

    WeChat sets the record straight for its 690,000 Aussie users

    The Select Committee on Foreign Interference through Social Media has been tasked with probing the risk posed to the nation’s democracy by foreign interference through social media.
    Twitter, Google, Tiktok, and Facebook have previously made submissions to the inquiry, with the plan for representatives from each of the social media platforms to eventually face the committee.
    TikTok was probed on Friday, using its time to clarify data protection rules, its plans to prevent distressing videos from being viewed on its platform, and how it wasn’t asked to provide assistance to a government investigation, among other things. Facebook was due to appear alongside TikTok, but blamed a scheduling issue for pulling out.
    The latest submission [PDF] to the committee as part of its inquiry comes from the Middle Kingdom, by way of popular chat app WeChat.
    WeChat is owned and operated by WeChat International Pte Ltd, an entity incorporated in Singapore. WeChat International is a wholly owned subsidiary of Tencent Holdings Limited, which is a global technology giant incorporated in the Cayman Islands and listed on the Main Board of the Stock Exchange of Hong Kong.
    Globally, WeChat boasts over 1.2 billion monthly active users. As at 21 September 2020, WeChat had approximately 690,000 daily active users in Australia.
    US President Donald Trump claimed in August that apps developed in China are a threat to national security, issuing an executive order to ban WeChat alongside TikTok. Although that ban was later blocked by a US district court, WeChat has taken the opportunity in its submission to the Australian committee to explain how western users of the app are treated differently from those in mainland China.
    Firstly, the specific app used is regional.
    WeChat is operated by WeChat International, and is designed for users outside of mainland China. It said WeChat is not governed by PRC law.
    Weixin is designed for users in the PRC, is operated by a PRC entity, and is governed by PRC law. In addition to different governing laws, Weixin and WeChat make use of different server architectures. WeChat servers are all located outside of mainland China.
    How a user first registers an account determines whether they are a WeChat or Weixin user.
    “For instance, users who register with a PRC mobile phone number will be a Weixin user, while users who register with an Australian mobile phone number will be a WeChat user,” it wrote.
    “WeChat does allow users to access and use certain Weixin functions through the WeChat application. Where this occurs, the user is clearly informed that the access and use of these functions is subject to the relevant Weixin terms of service.”
    When it comes to countering foreign interference and misinformation on its platform for Australian users, WeChat said it prohibits spam content; accounts that coordinate, spread, distribute, or participate in inauthentic behaviour, including in relation to false news, disinformation, or misinformation in relation to a topic or individual; the creation of fake accounts or accounts that misrepresent the identity of the user; content which breaches any applicable laws or regulations; and content which may constitute a genuine risk of harm or direct threat to public safety.
    “For example, we prohibit the advertising and sale of COVID-19 home testing kits and have worked with relevant Australian authorities to enforce this in the past year,” it said.
    It also said that it has previously met with and worked with the Department of Home Affairs and the Australian Electoral Commission in the context of the Australian Federal Election.
    Similarly, it has discussed Australia’s Foreign Influence Transparency Scheme with the Attorney-General’s Department and is “committed” to working with Australian regulators and authorities in “respect of any complaint or request that may arise”.

  •

    Data61 and Monash claim quantum-safe and privacy-preserving blockchain protocol

    The Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61 has announced alongside the Monash Blockchain Technology Centre a blockchain protocol they claim is secure against quantum computers while also protecting the privacy of its users and their transactions.
    The protocol, MatRiCT, is patented by CSIRO and now licensed to Australian cryptocurrency developer HCash.
    HCash will incorporate the protocol into its own systems and transform its existing cryptocurrency, HyperCash, into one that is claimed to be quantum safe and privacy protecting, but according to Data61, the technology could be applied to more than cryptocurrencies.
    It highlighted potential applications such as digital health, banking, finance, and government services, as well as services which may require accountability to prevent illegal use.
    Data61 researchers said blockchain-based cryptocurrencies like Bitcoin and Ethereum are vulnerable to attacks by quantum computers, as they are capable of performing complex calculations and processing substantial amounts of data to break blockchains.
    “Quantum computing can compromise the signatures or keys used to authenticate transactions, as well as the integrity of blockchains themselves,” research fellow at Monash University and Data61’s Distributed Systems Security Group Dr Muhammed Esgin said.
    “Once this occurs, the underlying cryptocurrency could be altered, leading to theft, double spend or forgery, and users’ privacy may be jeopardised.
    “Existing cryptocurrencies tend to either be quantum-safe or privacy-preserving, but for the first time our new protocol achieves both in a practical and deployable way.” 
    MatRiCT is based on “hard lattice problems”, which are believed to resist attacks by quantum computers, and introduces three features: the shortest quantum-secure ring signature scheme to date, which Data61 said authenticates activity and transactions using only the signature; a zero-knowledge proof method, which it said hides sensitive transaction information; and an auditability function, touted as helping prevent illegal cryptocurrency use.
    “The protocol is designed to address the inefficiencies in previous blockchain protocols such as complex authentication procedures, thereby speeding up calculation efficiencies and using less energy to resolve, leading to significant cost savings,” Monash University quantum-safe cryptography expert Associate Professor Ron Steinfeld said.
    “Our new protocol is significantly faster and more efficient, as the identity signatures and proof required when conducting transactions are the shortest to date, thereby requiring less data communication, speeding up the transaction processing time, and reducing the amount of energy required to complete transactions.”

  •

    Twitter removes 130 Iranian accounts for trying to disrupt the US Presidential Debate

    Social networking giant Twitter said today that it removed around 130 Iranian Twitter accounts for attempting to disrupt the public conversation during last night’s first Presidential Debate for the US 2020 Presidential Election.
    Twitter said it learned of the accounts following a tip from the US Federal Bureau of Investigation (FBI).
    “We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard,” the social network said today.
    “They [the accounts] had very low engagement and did not make an impact on the public conversation,” it added.

    Twitter said it plans to publish details about the removed accounts and their tweets on its Transparency portal’s section for influence operations.
    The social network said earlier this year that it expected attempts to manipulate the public discussion about the upcoming US Presidential Election as November 3 drew nearer. In August, Twitter also removed user accounts that posted identical messages about planning to vote for Donald Trump, a technique the company described as copypasta.
    The company also began to label tweets as misleading if they provided inaccurate information about voting and the electoral process. Twitter used this new feature to put warning labels on several of Donald Trump’s tweets throughout the summer and the early autumn.
    Today’s crackdown also marks the second time this month that Twitter has intervened to take down an influence operation on its platform following an FBI tip. Twitter previously removed accounts tied to PeaceData, a news site that published misleading articles about world politics, which the FBI claimed was a Russian influence operation.

  •

    North Korea has tried to hack 11 officials of the UN Security Council



    A hacker group previously associated with the North Korean regime has been spotted launching spear-phishing attacks to compromise officials who sit on the United Nations Security Council.
    The attacks, disclosed in a UN report last month, have taken place this year and have targeted at least 28 UN officials, including at least 11 individuals representing six countries of the UN Security Council.
    UN officials said they learned of the attacks after being alerted by an unnamed UN member state (country).
    The attacks were attributed to a North Korean hacker group known in the cyber-security community by the codename of Kimsuky.
    According to the UN report, Kimsuky operations took place across March and April this year and consisted of a series of spear-phishing campaigns aimed at the Gmail accounts of UN officials.
    The emails were designed to look like UN security alerts or requests for interviews from reporters, both designed to convince officials to access phishing pages or run malware files on their systems.
    The country which reported the Kimsuky attacks to the UN Security Council also said that similar campaigns were carried out against members of its own government, with some of the attacks taking place via WhatsApp rather than email.
    Furthermore, the same country informed the UN that Kimsuky attacks have been extremely persistent, with the North Korean hacker group pursuing “certain individuals throughout the ‘lifetime’ of their [government] career.”

    Similar Kimsuky attacks detailed in a previous UN report as well
    The UN report, which tracks and details North Korea’s response to international sanctions, also noted that this campaign has been active for more than a year.
    In a similar report published in March, the UN Security Council revealed two other Kimsuky campaigns against its sitting panel officials.
    The first was a series of spear-phishing attacks against 38 email addresses associated with Security Council officials — all of whom were members of the Security Council at the time of the attack.
    The second was the set of operations detailed in a report from the French National Cybersecurity Agency (ANSSI) [PDF]. Dating back to August 2019, these were spear-phishing attacks against officials from China, France, Belgium, Peru, and South Africa, all of whom were members of the UN Security Council at the time of the attacks.
    Kimsuky has a long history of going after the UN
    But the attacks did not stop in April, the end of the period covered by the most recent UN report on North Korea. The Kimsuky group has continued to target the UN as part of its broader effort to spy on UN decision-making on North Korean affairs and on any plans to impose new sanctions.
    “We are definitely still observing targeting of the United Nations – something that has been going on for quite some time and has been continuous in the past six months,” Sveva Vittoria Scenarelli, a senior analyst in PwC’s Threat Intelligence team, told ZDNet today.
    “From our visibility, we are seeing Kimsuky particularly focused on the OHCHR (the UN’s Office of the High Commissioner for Human Rights). For example, we’re seeing domains pretending to be OHCHR intranets,” Scenarelli added.
    The PwC analyst, who is an expert in Kimsuky operations, says most of the group’s operations are spear-phishing attacks aimed at obtaining a victim’s credentials for various online accounts. Other spear-phishing operations also aim to get the victims infected with malware.
    “Sometimes both types of operations are conducted against the same target,” Scenarelli said.
    Asked about the information put forward by the unnamed country that some Kimsuky operations had targeted select officials throughout the lifetime of their government careers, Scenarelli said this was typical of Kimsuky’s past campaigns.
    “We have most definitely observed Kimsuky targeting specific individuals — in fact, up to the present moment — even going as far as registering Internet domains containing the individual targets’ names,” the PwC analyst said.
    “It’s not as much of an isolated case — rather, we assess that specific individuals are targeted because of their role and the information they have access to. So in this sense, this kind of targeting is highly likely to be driven by specific objectives, be these intelligence collection or something else,” Scenarelli added.
    “As to whether the targeting continues for the entirety of targets’ career, this might depend on the individual target. Though we do not have direct visibility at this level of specificity, we’d assess it is likely that Kimsuky might continue to target that individual so long as they are presumed to have access to information of interest, and so long as Kimsuky’s strategic objectives require the threat actor to gain access to certain information.
    “If all needed information is acquired, or if these strategic objectives change, then Kimsuky might focus its targeting somewhere else, which is a “pivot” that we’ve seen the threat actor make before.”
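    The two indicators PwC describes, domains that impersonate a UN office (OHCHR intranet lookalikes) and domains that carry a targeted official’s name, are the kind of thing a defender can hunt for in a newly-registered-domain feed or in DNS logs. The script below is an added example written for this page; it is not code from PwC or the UN report. The domain list, the brand string “ohchr”, the allowlisted apex domains and the two watch-list names are all constructed assumptions for the illustration.

```python
import re

# Constructed inputs for this illustration; none of this is data from the UN or PwC reports.
LEGIT_APEX = ("ohchr.org", "un.org")          # genuine UN domains that are never flagged (assumption)
BRANDS = ("ohchr",)                            # strings an impostor domain would borrow (assumption)
TARGET_NAMES = ("Jane Doe", "Alex Moreau")     # hypothetical officials on a watch list


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character lookalikes such as 0hchr."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('ohchr' in 'intranet.ohchr.org').
    Caveat: does not understand multi-part suffixes such as .co.uk;
    use a public-suffix list in production."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str):
    """Return a reason string if the domain looks like Kimsuky-style bait, else None."""
    d = domain.lower().strip(".")
    if any(d == apex or d.endswith("." + apex) for apex in LEGIT_APEX):
        return None                                   # genuinely the organisation's own host
    label = registrable_label(d)
    squashed = re.sub(r"[-_.]", "", label)            # ignore separators: ohchr-intranet -> ohchrintranet
    for brand in BRANDS:
        if brand in squashed:
            return f"brand-impersonation:{brand}"      # e.g. ohchr-intranet.com
        if levenshtein(label, brand) <= 1:
            return f"lookalike:{brand}"                # e.g. 0hchr.org
    for name in TARGET_NAMES:
        tokens = name.lower().split()
        if all(t in squashed for t in tokens):
            return f"target-name:{name}"               # e.g. janedoe-portal.net
    return None


def analyze(domains):
    """Map every suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}


CANDIDATES = [  # constructed sample mixing benign and suspicious entries
    "intranet.ohchr.org", "ohchr-intranet.com", "0hchr.org",
    "janedoe-portal.net", "alex-moreau.org", "example.com",
]

if __name__ == "__main__":
    for d, reason in analyze(CANDIDATES).items():
        print(f"{d:24s} {reason}")
```

    Run against a real feed, the name rule needs a minimum token length (a surname like “Li” would match almost anything), and the brand rule should be extended with the organisation’s other acronyms; both are tuning, not changes to the logic.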
    Scenarelli is set to hold a talk on Kimsuky operations today at the Virus Bulletin 2020 security conference. This article is unrelated to her presentation.

  •

    Windows XP leak confirmed after user compiles the leaked code into a working OS

    The Windows XP and Windows Server 2003 source code that was leaked online last week on 4chan has been confirmed to be authentic after a YouTube user compiled the code into working operating systems.
    Shortly after the leak occurred last week, ZDNet reached out to multiple current and former Microsoft software engineers to confirm the validity of the leaked files.
    At the time, sources told ZDNet that from a summary review, the code appeared to be incomplete, but from the components they analyzed, the code appeared to be authentic.
    NTDEV, a US-based IT technician behind the eponymous Twitter and YouTube accounts, was one of the millions of users who downloaded the code last week.
    But rather than wait for an official statement from Microsoft that is likely to never come, NTDEV decided to compile the code and find out for themselves.
    According to videos shared online, the amateur IT technician was successful in compiling the Windows XP code over the weekend, and Windows Server 2003 yesterday.
    “Well, the reports were indeed true. It seems that there are some components missing, such as winlogon.exe and lots of drivers,” NTDEV told ZDNet in an interview today, describing his work on XP.
    NTDEV says these missing components mean that the leaked XP code is not yet in a fully usable state, such as for a “full OS replacement,” but that the code is, nevertheless, authentic.
    “Certain files, such as the kernel and the Explorer can be compiled easily. I have tried some programs from the compiled source of XP, and it seems that they are identical to the retail versions of Windows,” NTDEV said. 
    Barring the missing components, NTDEV believes “the source can be used for compiling all the SKUs, as well as free (optimised) retail builds.”
    As for the leaked Windows Server 2003 source, the second major Windows OS version included in last week’s leak, NTDEV said this code was also similar to the XP leak.
    “The leaked source of Server 2003 is actually more complete than the XP one, but it lacks, just as the XP one, the Winlogon source code,” they said.
    “I presume this is due to the fact that it may contain the code to the activation process (just an assumption).
    “However, unlike XP, I have managed to build a workable installation of [Server] 2003, but I had to substitute some files (Winlogon being the most important one, the rest of them being help files and drivers, mostly),” NTDEV said.
    Last week’s leak also included source code for several other Windows operating systems, such as Windows 2000, Windows Embedded (CE 3, CE 4, CE 5, CE 7), Windows NT (3.5 and 4), and MS-DOS (3.30 and 6.0).
    NTDEV told ZDNet they already compiled the NT codebase earlier this year, when it first leaked online, and that they now plan to focus on compiling the MS-DOS 6.0 code next.


  •

    GitHub rolls out new Code Scanning security feature to all users

    Code-hosting website GitHub is rolling out today a new security feature named Code Scanning for all users, on both paid and free accounts.
    GitHub says the new Code Scanning feature “helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it’s created.”
    Once vulnerabilities are detected, Code Scanning works by prompting the developer to revise their code.
    Under the hood, Code Scanning works on top of CodeQL, a technology that GitHub integrated into its platform after it acquired code-analysis platform Semmle in September 2019.
    CodeQL is a query language that treats source code as data: a developer describes a flaw pattern once, as a query, and runs it to find every instance of that pattern across large codebases, rather than hunting for each occurrence by hand.
    To configure Code Scanning, users must visit the “Security” tab of each repository they want the feature enabled for.

    Here, developers will be prompted to enable the CodeQL queries they want GitHub to use to scan their source code.
    To get users started with Code Scanning, GitHub said its security team has put together more than 2,000 predefined CodeQL queries that users can enable for their repositories to automatically check for the most common security flaws when submitting new code.
    In addition, Code Scanning can also be extended via custom CodeQL templates written by repository owners or by plugging in third-party open-source or commercial static application security testing (SAST) solutions.
    Code Scanning has been available to GitHub beta testers since May after the feature was initially announced at the GitHub Satellite conference.
    Since then, GitHub says the feature has been used to perform more than 1.4 million scans on more than 12,000 repositories and has identified over 20,000 vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) vulnerabilities.
    Developers also appear to have warmly received the new feature, and GitHub says it has already received 132 community contributions to CodeQL’s open-sourced query sets since the feature launched in the spring.

  •

    Linkury adware caught distributing full-blown malware

    An adware family known primarily for distributing browser hijackers has been caught distributing full-blown malware, security researchers said today in a talk at the VirusBulletin 2020 security conference.
    “What’s dangerous about Linkury is how it uses its adware front as a gateway to propagate malware,” said Arun Kumar Shunmuga Sundaram and Rajeshkumar Ravichandran, two malware analysts at Indian security firm K7 Computing.
    “It walks a very fine line between typical adware and malware, and we have seen how it can switch sides based on geolocale,” the two said.
    “It has tailored its operations to cloak its malicious techniques and flies under the guise of ‘legitimate, law abiding’ adware, giving it recourse to plausible deniability of any wrongdoing.”
    While cyber-security companies like Malwarebytes, Microsoft, or Trend Micro are currently detecting Linkury operations as “adware,” Sundaram and Ravichandran argue that “the case for flagging it as malware is strong based on the evidence presented in [their] paper.”
    What’s Linkury?
    Prior to K7’s VirusBulletin presentation today, Linkury was primarily known as an adware operation.
    Its main method of distribution is the SafeFinder widget, a browser extension ironically advertised as a way to perform safe searches on the internet.
    The widget is usually bundled with other free apps as a secondary installer or is distributed via online ads that redirect internet users to SafeWidget download pages.
    Installing the SafeFinder extension usually changes the user’s default browser search and home tab settings, but it also installs additional binaries, which differ based on the user’s country.
    In most cases, these binaries would be other apps, for which developers paid a fee to be included in the SafeFinder installation process.
    But K7 researchers say that in recent cases they analyzed, the SafeFinder widget has also begun installing full-blown malware, such as the Socelars and KPOT infostealer trojans.

    In other cases, the Linkury operation also dropped a copy of the Opera browser on infected hosts, which it starts silently in the background to deliver pop-up ads and generate profit for the Linkury operators.
    But the Linkury team also used the SafeFinder widget to force-install extensions on the user’s browsers. K7 reported Linkury force-installing extensions in Chrome and Firefox, for Windows users; and Safari, Chrome, and Firefox, for Mac users.
    Furthermore, K7 researchers also noted that the SafeFinder installer also contained many features specific to malware, such as PowerShell scripts to disable Windows Defender, and functions to detect when the installer was executed inside virtual machines and sandboxes, environments usually used for malware analysis — which it obviously wanted to avoid.
    And last but not least, Linkury’s SafeFinder widget had no intention of honoring user choices, with its installer specifically designed to install its payload even if the user tried to decline the installation, such as by pressing “No” in the installer dialog.
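    Several of the behaviours K7 describes leave traces in process-creation telemetry: a PowerShell command that turns off Defender, a write to the browser policy keys that force-install extensions, and a browser binary running out of a bundler’s directory instead of the vendor’s. The rules below are an added example for this page, not K7’s detections, and they run over constructed Sysmon-style events rather than real telemetry. The registry paths are the genuine Chrome and Firefox policy keys; the `EVENTS` list, the `SafeFinder` install path, the `BROWSER_VENDOR` table and the rule names are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon-like shape; not K7 telemetry.
EVENTS = [
    {"pid": 410, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -C Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 412, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" /v 1 '
            r'/d "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx" /f'},
    {"pid": 415, "image": r"C:\Users\u\AppData\Local\Programs\SafeFinder\opera.exe",   # bundled copy
     "cmd": r'"C:\Users\u\AppData\Local\Programs\SafeFinder\opera.exe"'},
    {"pid": 417, "image": r"C:\Users\u\AppData\Local\Programs\Opera\opera.exe",        # normal per-user install
     "cmd": r'"C:\Users\u\AppData\Local\Programs\Opera\opera.exe"'},
    {"pid": 420, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-MpComputerStatus"},                                   # benign query
]

# Rule 1: PowerShell turning Defender off or carving out exclusions.
DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\b.*-(DisableRealtimeMonitoring|DisableIOAVProtection|ExclusionPath)",
    re.IGNORECASE)
# Rule 2: writes to the policy keys that force-install browser extensions.
FORCED_EXTENSION = re.compile(
    r"Policies\\(Google\\Chrome\\ExtensionInstallForcelist|Mozilla\\Firefox\\Extensions\\Install)",
    re.IGNORECASE)
# Rule 3: a browser binary running from a directory that is not its vendor's (heuristic).
BROWSER_VENDOR = {"opera.exe": "opera", "chrome.exe": "google", "firefox.exe": "mozilla"}


def evaluate(event):
    """Return the name of the first rule the event trips, or None."""
    if DEFENDER_TAMPER.search(event["cmd"]):
        return "defender-tamper"
    if FORCED_EXTENSION.search(event["cmd"]):
        return "forced-browser-extension"
    exe = ntpath.basename(event["image"]).lower()          # ntpath parses Windows paths on any OS
    vendor = BROWSER_VENDOR.get(exe)
    if vendor and vendor not in ntpath.dirname(event["image"]).lower():
        return "browser-outside-vendor-dir"                 # e.g. opera.exe dropped by a bundler
    return None


def detect(events):
    """Run every event through the rules; keep only the hits."""
    return [{"pid": e["pid"], "rule": r} for e in events if (r := evaluate(e))]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"pid {hit['pid']}: {hit['rule']}")
```

    Rule 3 is deliberately a heuristic: it compares the executable’s parent directory with the vendor name, so a legitimate per-user Opera install under `...\Programs\Opera\` passes while the same binary under `...\SafeFinder\` is flagged. The VM and sandbox checks K7 mentions do not show up in a command line and need a different data source, such as API-call telemetry.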
