More stories

  • Blockchain in 2021 is a tale of two speeds

    The pandemic amplified trends that were already underway – and so 2020 has been a year of reckoning for distributed ledger technology (DLT; aka blockchain). More realistic and pragmatic approaches to blockchain initiatives have been the order of the day for some time, as, increasingly, budgets for pure R&D projects — run in isolation from the business — were becoming harder to obtain. 
    Enter COVID-19, and the picture changed rapidly. Budgets for purely experimental and speculative projects have been cut this year. Long-term strategic projects, in particular those requiring changes to market structure or regulatory changes, are mostly working to extended timetables now. 

    By contrast, projects with clear benefits are not only continuing but are doing so at a faster pace; there’s also been an uptick in the number of companies interested in participating in networks that help address some of the supply chain issues that the pandemic threw into sharp relief. 
    The Forrester predictions on Blockchain in 2021: 

    Globally, 30% of projects will make it into production. This number doesn’t just reflect the more realistic approach to projects that we noted and the increasing maturity of the technology but also the pandemic-induced acceleration and initiation of projects that bring measurable benefit within a short timescale. The majority of networks that transition from pilot to production will run on enterprise blockchain platforms.  

    Permissioned blockchains will remain the order of the day. While many enterprise technology leaders have become increasingly open to exploring the role that public blockchains could have in an enterprise context in the long term, the headlines generated by decentralized finance (DeFi) during the summer have put the lid back on the discussion. The reassociation of public blockchains with the more Wild West aspects of crypto assets is scaring away compliance- and risk-aware business leaders, making it difficult for even the most ardent supporters on the tech side to maintain or pick up the topic.

    China will make the fastest progress. China’s “new infrastructure” national initiative makes blockchain an integral part of the country’s digital infrastructure. In 2021, the Chinese government will make investments in most provinces across all verticals, and we’ll see a steady stream of systems going into production. China’s ambitions to provide a global public infrastructure via its global Blockchain Service Network won’t advance far in the current geopolitical climate. The European Blockchain Services Infrastructure (EBSI) is equally bold in its mission. Convoluted procurement processes and conflicting interests, however, mean that EBSI will see some incremental progress in the form of pilot projects but no major breakthroughs. 

    This post was written by Forrester VP & Principal Analyst Martha Bennett, and it originally appeared here.

  • Baidu's Android apps caught collecting sensitive user details

    Two Android applications belonging to Chinese tech giant Baidu were removed from the official Google Play Store at the end of October after they were caught collecting sensitive user details.

    The two apps — Baidu Maps and Baidu Search Box — were removed after Google received a report from US cyber-security firm Palo Alto Networks. Both apps had more than 6 million downloads combined before being removed.
    According to the US security firm, the two apps contained code that collected information about each user’s phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number.
    The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps.
    Palo Alto Networks security researchers Stefan Achleitner and Chengcheng Xu, who identified the data collection code, said that while some of the collected information is “rather harmless,” some data like the IMSI code “can be used to uniquely identify and track a user, even if that user switches to a different phone.”
    The research team said that while the collection of personal user details is not specifically forbidden by Google’s policy for Android apps, after they reported the issue to Google, the Play Store security team confirmed their findings and “identified [additional] unspecified violations” in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.
    At the time of writing, the Baidu Search Box app has been restored to the Play Store; Palo Alto Networks said Baidu developers had removed the data collection code.

    But in addition to the Baidu Push SDK, the Palo Alto Networks team said they also identified similar data collection code in the ShareSDK developed by Chinese ad tech giant MobTech.
    Used by more than 37,500 apps, Achleitner and Xu say this SDK also allows app developers to collect data such as phone model information, screen resolution, MAC addresses, Android ID, Advertising ID, carrier info, and IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity) codes.
    “Analysis of Android malware shows that SDKs, such as the Baidu Push SDK or ShareSDK, are frequently used by malicious applications to extract and transmit device data,” Achleitner and Xu said, suggesting that while the SDKs may have been developed for legitimate purposes, such as pushing notifications and sharing content on social media, they are often abused by the developers of malicious apps.
    All in all, this is a regular problem not only for the Android ecosystem, but for the entire online app world, with many apps collecting sensitive user details without restriction in the absence of legislation that specifically prohibits such practices.

  • 1Password: My favorite password manager is an essential security tool

    Do you use a password manager? As far as I’m concerned, it’s the single most important security precaution you can take, regardless of which hardware platforms you favor. (If you want to read my full case for why everyone should adopt this security measure, see this explainer: “Forgot password? Five reasons why you need a password manager.”)
    The biggest advantage of a good password manager is that it allows you to create and save a unique, impossible-to-guess password for every online service you use. That collection of passwords is stored in an encrypted database that only you can unlock, and with your permission that database can be synced, securely, to every Windows PC, Mac, and mobile device you own.
    I’ve tried a lot of password managers over the years, and there are some worthy contenders in this category. (For a full list of options, see “The best password managers for business: 1Password, Keeper, LastPass, and more.”) My favorite, and the one I enthusiastically recommend to friends, family, and co-workers, is 1Password. I ignored this program for years because it catered mainly to Mac owners. That might have been true years ago, but today, this is hands down the best cross-platform password manager solution.

    My favorite password manager has it all. It works on every desktop and mobile hardware platform. It has every feature you expect from this class of software, including a robust password generator that can create and save truly random, unguessable credentials, as well as support for two-factor authentication. And it offers sync options to satisfy even the most skeptical among us.
    Pricing: 1Password is a subscription product that is sold in personal and business editions. The personal options cost $36/year for a single user (on as many devices as you want) or $60/year for a family plan that supports up to five people. Business plans include a $4/month Teams option and an $8/month Business option that includes additional security features and a free Family plan for every licensed user. Enterprise customers can call for a custom quote.
    Toronto-based 1Password was founded 15 years ago, in 2005, and has built up a steady, profitable business in that time. But that didn’t stop the company from taking $200 million of series A capital in 2019 to expand into new markets.
    So far, that plan has been working out extremely well.
    The number-one reason why I love this app is its dead-simple usability. It’s one of the first programs I install when I set up a new Windows 10 PC or a Mac. It’s also a must-install app on iOS and Android devices. (There’s even a command-line version, if you want to incorporate authentication into scripts.) Regardless of platform, 1Password is uncannily accurate at filling in saved passwords, especially on sites with multi-step authentication flows and two-factor authentication. That was a particularly annoying pain point with other password managers I’ve used through the years.
    The other killer feature is the ability to create shared password databases (1Password calls them “vaults”). In my family, we have separate password vaults for personal accounts, but the saved credentials for shared subscriptions and shopping accounts go into a shared vault. When my wife wants to check up on the status of an order I placed online, she doesn’t need to ask me to log in and check for her. She can do it herself from her Windows 10 PC or her iPhone, using the saved password from our shared vault.

    One of the most controversial aspects of any password manager program is the ability to sync from the cloud, a feature that neatly balances convenience and security. If you choose the option to store your data on 1Password’s servers, you get some extremely robust security. All data is encrypted at rest and in transit, and connecting a new device requires that you enter your private 128-bit secret key plus a master password that only you know. If you’re still nervous, you can add two-factor authentication. (I’ve configured our family account to accept the Microsoft Authenticator app or one of two hardware keys as a second factor for authentication.)

    You can configure 1Password to alert you when a site supports 2-factor authentication.
    But if the word cloud makes you start to itch uncontrollably, that’s not a problem. For those who are nervous about storing an encrypted password cache on 1Password’s servers, you have options: You can choose to store the database using Dropbox or iCloud instead, protected by the security features of those platforms. If you prefer the no-cloud option, you’re covered. You can sync passwords between devices on your local network only. In that configuration, 1Password never has access to your encrypted password database, and it can’t be hacked from some obscure Eastern European location.
    My favorite recent addition to the 1Password feature set is the ability to generate two-factor authentication (2FA) codes. Previously, I had to rely on a separate authenticator app to handle that chore. (For details, see “Protect yourself: How to choose the right two-factor authenticator app.”)
    I can’t emphasize enough how easy 1Password is to use, especially on mobile devices. If you’re flummoxed by passwords, this could be your savior.
    Alternatives
    If you’re looking for an alternative to 1Password, I recommend these options:
    Keeper: In my tests, this service was incredibly close to 1Password in terms of usability, and their enterprise story is compelling. It has a full suite of superb cross-platform apps and technical support is first-rate. Put this one on your shortlist if you’re looking for a business-focused password manager.
    LastPass: I used this app for years and left, reluctantly, after a security breach shattered my confidence in the company. They’ve since been purchased by the owners of LogMeIn, and the company seems none the worse for wear.

  • New WAPDropper malware abuses Android devices for WAP fraud

    Security researchers have detected a new strain of Android malware currently being distributed in the wild, primarily targeting users located in Southeast Asia.

    Discovered by security firm Check Point, this new malware is named WAPDropper and is currently spread via malicious apps hosted on third-party app stores.
    Check Point said that once the malware infects a user, it starts signing them up for premium phone numbers that charge large fees for various types of services.
    The end result is that all infected users would receive large phone bills each month until they unsubscribed from the premium number or reported the issue to their mobile provider.
    This type of tactic, known as “WAP fraud,” was very popular in the late 2000s and early 2010s, died out with the rise of smartphones, but made a comeback in the late 2010s as malware authors realized that many modern phones and telcos still supported the older WAP standard.
    WAPDropper gang most likely based in SE Asia
    Check Point says that based on the premium phone numbers used in this scheme, the malware authors are most likely based in, or collaborating with someone in, Thailand or Malaysia.
    “In this and similar schemes, the hackers and the owners of the premium rate numbers are either co-operating or could even be the same group of people,” the company said today in a report.

    “It’s simply a numbers game: the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam.”
    As for the malware itself, Check Point says WAPDropper operated using two different modules. The first was known as a dropper, while the second module was the component that performed the actual WAP fraud.
    The first module was the only one packed inside the malicious apps, primarily to reduce the size and fingerprint of any malicious code inside them. Once the apps were downloaded and installed on a device, this module would download the second component and start defrauding victims.
    But Check Point also wants to raise an alarm about this particular piece of malware.
    “Right now, this malware drops a premium dialer, but in the future this payload can change to drop whatever the attacker wants,” Aviran Hazum, Manager of Mobile Research at Check Point, told ZDNet.
    “This type of multi-function ‘dropper,’ which stealthily installs onto a user’s phone and then downloads further malware, has been a key mobile infection trend we’ve seen in 2020. These ‘dropper’ trojans represented nearly half of all mobile malware attacks between January and July 2020, with combined infections in the hundreds of millions globally.
    “I expect the trend to continue as we turn the new year,” Hazum added.
    The Check Point researcher encouraged users to download apps only from the official Google Play Store.
    The Check Point team also told ZDNet that for the time being, they found the WAPDropper malware inside apps named “af,” “dolok,” an email app called “Email,” and a kids game named “Awesome Polar Fishing.” Users who installed any of these apps from outside the Play Store are advised to remove them from their devices as soon as possible.

  • FBI: Fake versions of our site could be used for cyberattacks, so watch out

    The Federal Bureau of Investigation (FBI) is warning the public to avoid internet domains designed to look similar to its own main official website www.fbi.gov. 
    The warning concerns dozens of websites that could be used to target people seeking information about the FBI’s activities or news announcements. 


    “The FBI observed unattributed cyber actors registering numerous domains spoofing legitimate FBI websites, indicating the potential for future operational activity,” it said in the public service announcement (PSA) on Monday.   
    The FBI is concerned that the spoofed FBI-related domains could be used as part of future attacks aimed at stealing credentials or spreading disinformation to the public. 
    It urged the public to “critically evaluate the websites they visit, and the messages sent to their personal and business email accounts, to seek out reliable and verifiable FBI information.” 
    Hackers and criminals can use spoofed domains and email accounts to: disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses, the FBI notes. 

    While the FBI has not attributed the spoofed FBI domains to any specific country or cyber actors, it has provided dozens of examples of recently registered domains that could be used to trick members of the public. 
    “Cyber actors create spoofed domains with slightly altered characteristics of legitimate domains,” the FBI said. 
    “A spoofed domain may feature an alternate spelling of a word, or use an alternative top-level domain, such as a “[.]com” version of a legitimate “[.]gov” website. Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI’s mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links.”
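A defender-side check for the two spoofing patterns the PSA describes (altered spelling and a swapped top-level domain), written here as an added example; it is not code from the FBI or from this article, the confusable-digit table is an assumption, and the sample domains are constructed for illustration rather than the ones the FBI published:

```python
"""Flag registered domains that resemble a legitimate site, here fbi.gov, using
the two patterns the PSA describes: altered spelling and a swapped top-level
domain. Added example, not code from the FBI or the article; the sample
domains below are constructed for illustration, not the FBI's published list."""
import re
from typing import Dict, List

# Digits often substituted for the letters they resemble. Assumption: a small
# hand-picked table, not a full Unicode confusables list.
CONFUSABLES = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}

# Constructed sample feed of "newly registered" names; none is claimed to be real.
SAMPLE_DOMAINS = [
    "fbi.gov", "www.fbi.gov", "fbi.com", "fb1.gov", "fbii.gov",
    "fbi-gov.com", "fbi.gov.example", "weather.example",
]


def normalise(label: str) -> str:
    """Map look-alike digits back to plain letters so fb1 compares as fbi."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute); fine for short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, tld) for single-suffix names like a.b.fbi.gov."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None, None
    return labels[-2], labels[-1]


def lookalike_reasons(candidate: str, legit: str = "fbi.gov") -> List[str]:
    """Explain why `candidate` resembles `legit`; an empty list means no match."""
    legit_name, legit_tld = split_domain(legit)
    name, tld = split_domain(candidate)
    reasons: List[str] = []
    if name is None or candidate.lower().strip(".") == legit.lower():
        return reasons  # unparseable, or the genuine domain itself
    # 1. Same name under another TLD, e.g. a .com copy of a .gov site.
    if name == legit_name and tld != legit_tld:
        reasons.append(f"tld-swap: {legit_name}.{legit_tld} -> .{tld}")
    # 2. Altered spelling: digit look-alikes, or a single-character edit.
    if name != legit_name:
        if normalise(name) == legit_name:
            reasons.append("homoglyph: " + name)
        elif edit_distance(name, legit_name) <= 1:
            reasons.append("near-miss spelling: " + name)
    # 3. Legit name embedded as its own label or hyphenated part (fbi-gov, fbi.gov.example).
    labels = candidate.lower().strip(".").split(".")
    pattern = rf"(^|[-_]){re.escape(legit_name)}([-_]|$)"
    if name != legit_name and any(re.search(pattern, lab) for lab in labels[:-1]):
        reasons.append("embedded brand label")
    return reasons


def scan(domains: List[str], legit: str = "fbi.gov") -> Dict[str, List[str]]:
    """Return {domain: reasons} for every name in `domains` that resembles `legit`."""
    return {d: r for d in domains for r in [lookalike_reasons(d, legit)] if r}


if __name__ == "__main__":
    for domain, why in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:20s} {'; '.join(why)}")
```

Legitimate subdomains of the real site produce no reasons, so the scan only surfaces names that need a human look, not the site's own hosts.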

  • SEC alleges Benja CEO duped investors to fund a non-existent e-commerce empire

    The US Securities and Exchange Commission (SEC) has charged e-commerce startup Benja and its CEO for allegedly defrauding investors.

    According to charges made public on Monday, the US agency believes the San Francisco-based firm — together with its co-founder and chief executive Andrew Chapin — fabricated an e-commerce empire by “misleading investors about purported contracts with well-known consumer brands.”
    The SEC’s complaint alleges that from 2018 to the present year, 32-year-old Chapin told investors that the startup had secured deals with popular clothing retailers and brands including Nike and Patagonia. To give these claims weight, the executive allegedly enlisted others to impersonate these ‘customers’ and their representatives.
    “In reality, Benja never did business with the companies,” the agency says.  
    One of the individuals involved in the scheme apparently also pretended to be a founder of a venture capital fund that made a “large” investment in the startup. 
    Investors were told that Benja “generated millions of dollars in revenue” from these sources, according to the SEC.

    Forged contracts and bank statements that had been tampered with were also allegedly waved under venture capitalist investor noses to back up claims of $6.2 million in generated revenue in 2018 and $13.2 million in 2019.  
    The misrepresentation allegedly extended to banks, too, from which a line of credit was secured that grew from $1 million to $5 million.
    “Bank records from 2018 to 2020 indicate that Benja was generating almost no revenue from its purported ad placement business and almost all the customers Chapin claimed Benja had were lies,” US regulators say. “Chapin used almost the full $5 million line of credit to pay off other creditors and investors, to pay Chapin’s credit cards and personal expenses, and to send funds to a personal cryptocurrency exchange account.”
    The complaint, filed in the US District Court for the Northern District of California, seeks permanent injunctions, civil penalties, and disgorgement. Investors were allegedly scammed out of at least $1 million in funding and $100,000 in purchased securities due to Benja’s misrepresentations. 
    “We allege that Chapin violated the federal securities laws by deceiving investors about the most fundamental aspects of Benja’s business by falsely portraying it as a successful e-commerce technology company that in a short period of time had generated significant revenue from several high-profile clients,” said Erin Schneider, Director of the SEC’s San Francisco Regional Office. “We will continue to pursue companies and executives who mislead investors.”
    Separately, the US Attorney’s Office for the Northern District of California has filed criminal charges against Benja’s CEO. The office is charging Chapin with bank fraud, wire fraud, and securities fraud. 
    US Attorney Anderson said that tech financing cannot become a “lemon’s market,” and so charging figures like Chapin who allegedly defraud investors will ensure future investors will have “confidence in the truthfulness of startup representations.”
    Chapin is due to appear in court on Tuesday before US Magistrate Judge Jacqueline Corley.
    ZDNet has reached out to Benja and will update when we hear back. 

  • Hacker leaks the user data of event management app Peatix

    This month, a hacker leaked the data of more than 4.2 million users registered on Peatix, an event organizing platform currently ranked among the Alexa Top 3,500 most popular sites on the internet.

    The site’s user data was made available through ads posted via Instagram stories, on Telegram channels, and on several different hacking forums.
    According to samples of the Peatix data seen by ZDNet, the leaked information included full names, usernames, emails, and salted and hashed passwords.
    Most of the leaked user data belonged to persons with Asian names, which is consistent with the evolution of the Peatix startup, which first launched in Japan in 2011 and later expanded to Singapore in 2013, before opening to the US and other parts of the world.
    ZDNet notified Peatix of a possible breach earlier this month, but we never heard back from the company. Nonetheless, Peatix went public and admitted its breach this week through a message posted on its website [PDF, archived].
    The company said it has investigated the reports, identified the point of entry, and blocked the intruders from re-accessing its systems.
    Peatix reassured users that no financial data was involved as all payments were handled through third-party platforms, and nothing was stored inside its database.

    “In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any data obtained through our questionnaire function or users’ addresses or phone numbers were accessed,” the company said.
    ZDNet also reached out to the hacker who shared Peatix’s data online on one of the multiple hacking forums. This individual told us that they are not the person who breached the company and that they were only leaking the data to sabotage a rival data breach broker.

    Peatix is currently notifying all impacted users via email and requesting that they change account passwords.

  • China pledges collaboration to drive global digital development

    China has pledged to collaborate in global efforts to drive digital development and build a “shared cyberspace” community. It has underscored the importance of the internet and international cooperation, as economies worldwide look to battle the COVID-19 pandemic. 
    Chinese President Xi Jinping said China was “ready to work with other countries” to tap the opportunities “presented by the information revolution” and drive growth through innovation as well as open up new grounds in digital cooperation. 
    Efforts also would be made to create a new paradigm for cybersecurity and to build a community with a “shared future in cyberspace”, creating a brighter future for humanity, Xi said in a letter that was read at the 2020 World Internet Conference in Wuzhen, China.


    Pointing to the role the internet played in driving economic recovery, he said telemedicine, e-learning, as well as online collaborative platforms and tools had been widely used when the COVID-19 outbreak surfaced, according to a report by state-run media China Daily.
    Speaking via video link at the forum, United Nations’ Under-Secretary-General for Economic and Social Affairs Liu Zhenmin added that the need for global cooperation was especially critical now that the world had embraced digital transformation.
    China’s digital economy, alone, hit 35.8 trillion yuan ($5.45 trillion) in 2019, accounting for 36.2% of its total GDP, according to a report by the Chinese Academy of Cyberspace Studies, which was released at the conference this week.
    The research said the digital economy played a key role in mitigating the impact of the COVID-19 outbreak and would help reshape the local economy. 

    Pointing to the country’s network rollout, it noted that there were 5.44 million 4G base stations across China in 2019, with the local mobile population leading the world’s consumption at 122 billion GB in data traffic. More than 480,000 5G base stations also had been deployed in the country, as of September this year.
    Local e-commerce transactions climbed 6.7% year-on-year to clock 34.81 trillion yuan ($5.29 trillion) in 2019. 
    At this year’s November 11 shopping festival, Alibaba Group raked in more than 372.3 billion yuan ($56.58 billion) in gross merchandise volume just 30 minutes into the start of the annual event, with the number of orders peaking at 583,000 orders per second. 
    China has had tense relations with several nations over the past couple of years, including the US, India, and Australia, which have implemented bans on various Chinese apps and technologies. 
    In its most recent move, the outgoing Trump administration in August expanded restrictions to further curb Huawei Technologies’ access to core components, barring the Chinese tech giant from purchasing chips made by foreign manufacturers using US technology. It also added another 38 affiliates of Huawei to the Entity List, including Huawei Cloud Singapore and Huawei Cloud France.  