More stories

    Cybersecurity skills gap: How this startup aims to solve the talent crisis

    In 2008, just a year after large-scale, state-sponsored cyberattacks on Estonia, NATO set up its Cooperative Cyber Defence Centre of Excellence in Estonia’s capital, Tallinn, to strengthen its capabilities and improve cooperation and information-sharing among its members and partners.
    Among the contractors who helped build a military-class cyber range for NATO’s cyber exercises were IT-infrastructure and security specialists Jaanus Kink, Margus Ernits, and Taavi Must. A few years later, they decided to found a startup based on the experience they had gained.

    “We saw how useful cyber exercises are for defense teams. Once we realized that this kind of learning experience could help cyber teams around the world, we started to build RangeForce – a platform for hands-on training of cyber defenders and running cyber exercises at scale,” RangeForce CEO Must tells ZDNet.
    RangeForce provides cybersecurity training for companies of varying sizes, combining cloud-based, hands-on training modules and cyber-siege challenges and exercises.
    The company provides modules across three main areas, aimed at security, application, and DevOps teams. Each area offers different learning paths, and the company tracks how its most popular modules are used.
    In recent years, RangeForce has moved its headquarters to Washington DC and now employs 75 people worldwide, with 35 of them in Estonia. In July, it announced a $16m series A round led by Energy Impact Partners, with Cisco Investments among the investors.
    RangeForce’s primary customers are companies that are big enough to have a security operations center, or SOC.
    “SOCs are terribly expensive to operate at an estimated $2.86m annually per enterprise, a third of which is employee cost. Training new analysts is a top priority, which can take up to a year per employee,” explains Must.
    He says security is experiencing a bad skills gap, with 51% of companies unable to find the new cybersecurity talent they need.
    “If you factor in that analysts typically leave after about two years and it takes, on average, eight months to find a new one, you can see why training and building skills are a top priority.”
    Must explains that a typical customer for RangeForce is a large multinational organization, which has hundreds of security professionals.
    The professionals can use RangeForce learning paths based on their roles with, for example, the SOC 1 analyst path covering 30 modules in topics like MS PowerShell.
    “The company gets to track and see their progress in real time. This can’t happen when an employee is watching a teacher or a video,” says Must.
    “They work hard towards goals. They practice them on their own and in sieges with their colleagues, and then they use them to rectify security flaws in real time. They make training part of their day-to-day work.”
    Must says a company can then also train employees across disciplines to get more out of people.
    “For example, even in a small company, people who deploy applications typically do not handle incidents. With our security vendor modules, they can take a 45-minute training module and learn how to use a new tool that expands their skillsets and makes them more valuable to the company.”
    Must believes that in the cybersecurity field, the main problem lies in not being able to attract, train, and retain the talent necessary to protect the enterprise.
    “We have plenty of technology but the capability to make them effective at using that technology is nascent,” he says.
    “It’s ludicrous to think we can become effective cyber defenders without regularly practicing and testing the ability of a security team to work together under a high-stress environment.”
    Must argues that no other companies combine cloud-based training and cyber-siege exercises. RangeForce has spent the past year building a content-development engine that includes coders, security experts, teachers, and writers.
    Today the company delivers eight to 10 new training modules per week, ranging from beginner classes to advanced training. He says by the end of 2020, RangeForce will offer over 500 hours of training.
    “Companies need content that expands into important security processes that are gaining favor like DevSecOps. They also need content that aligns with the latest security tools on the market like Cisco’s new SecureX integrated detection and response platform, and for the latest vulnerabilities and threats.”
    Must reckons the future of security training involves a lot more integration.
    “Gamified training lesson technology will be integrated with vendor security solutions from companies like Cisco, Carbon Black, Recorded Future, and others. The concept of training as a layer in the stack is brand new,” he says.
    “Customers like it because it helps them get more out of their investments. It’s been said customers typically use around 25% of the capabilities of a security product. That’s one of the reasons why breaches still happen so regularly. It’s not just about more and better training, but making the best use of their tools and integrating their training products.”

    Consultants charged for bribing Amazon Marketplace employees to game the platform

    The US Department of Justice (DoJ) has indicted six individuals for allegedly issuing bribes to give Amazon Marketplace merchants competitive advantages. 

    On Friday, US prosecutors named Ephraim Rosenberg, Joseph Nilsen, and Kristen Leccese, of New York; Hadis Nuhanovic, of Georgia; Rohit Kadimisetty, of California; and Nishad Kunji, based in Hyderabad, India, as suspects in the alleged fraud.
    According to the indictment, issued by a Grand Jury in the Western District of Washington, the six conspired to pay Amazon employees over $100,000 to secure an “unfair competitive advantage” on Amazon Marketplace. 
    The bribery bill is steep, but in return, the fraud carried a commercial worth and sales revenue of up to $100 million, the DoJ claims. 
    Prosecutors allege that since at least 2017, the six acted as consultants to third-party sellers on Amazon, and two of the individuals also operated their own stores. At least 10 Amazon employees and contractors received kickbacks — including Kunji, who apparently began as a seller and then was later roped into the scheme as a consultant — to conduct fraudulent activities behind the scenes.
    This included reinstating suspended merchant accounts and product listings, many of which had been removed due to safety complaints ranging from dietary supplements to faulty and flammable electronics.
    “The fraudulently reinstated accounts included accounts that Amazon had suspended for manipulating product reviews to deceive consumers, making improper contact with consumers and other violations of Amazon’s seller policies and codes of conduct,” the DoJ added. 
    In addition, the “corrupt” employees facilitated attacks against competitors by sharing business intelligence, suspending other third-party consultant accounts, sharing confidential data relating to Amazon’s algorithms and procedures, and paving the way for the consultants to flood rival products with fake reviews.  
    The six are being charged with wire fraud, conspiracy to commit wire fraud, conspiracy to use a communication facility to commit commercial bribery, and conspiracy to access a protected computer without authorization. 
    Conspiracy to commit wire fraud and wire fraud itself each carry up to 20 years behind bars and a fine of $250,000, whereas the remaining two charges could result in a prison sentence of up to five years and a further $250,000 penalty.
    “As the world moves increasingly to online commerce, we must ensure that the marketplace is not corrupted with unfair advantages obtained by bribes and kickbacks,” said US Attorney Brian Moran. “The ultimate victim from this criminal conduct is the buying public who get inferior or even dangerous goods that should have been removed from the marketplace.”
    The FBI, IRS, and the DoJ’s Office of International Affairs are investigating the case. The defendants are due to appear in the US District Court in Seattle on October 15. 


    Sydney man sentenced for mining over AU$9,000 in cryptocurrency on CSIRO kit

    The Australian Federal Police (AFP) on Monday announced the sentencing of a 34-year old man from Sydney for using Commonwealth Scientific and Industrial Research Organisation (CSIRO) equipment to carry out cryptocurrency mining.
    The North Shore man was hired as a contractor in January 2018 and, to perform his role in data archiving and software support, had access to the servers and supercomputers he later used for mining.
    The AFP said the man accessed servers and supercomputers meant for undertaking a range of official scientific research and modified data within those systems, without authorisation, to mine cryptocurrency for his personal gain.
    It is estimated the man mined approximately AU$9,400 in cryptocurrency.
    The AFP’s Cybercrime Operations unit launched an investigation after CSIRO detected a “serious impairment of its infrastructure” and immediately reported it to the AFP. The feds executed a search warrant at the man’s property in March 2018, seizing a laptop and mobile phone, among other items.
    The man was charged in May 2019 with manipulating the computer programs of a federal governmental agency to mine cryptocurrency while being employed as a government IT contractor.
    He pleaded guilty on 28 February 2020 to the charge of unauthorised modification of data to cause impairment, and on Friday was sentenced to a 15-month imprisonment term to be served by way of an intensive community order, which includes 300 hours of community service.
    “Throughout the investigation it was calculated the minimum monetary impairment of the CSIRO supercomputers equated to at least AU$76,000,” the AFP said in a statement.
    “This man’s activities diverted these supercomputer resources away from performing significant scientific research for the nation, including Pulsar Data Array Analysis, medical research, and climate modelling work to measure impacts to the environment from climate change,” AFP commander of Cybercrime Operations Chris Goldsmid added.
    “The consequences are clear — this was a misuse of Australian taxpayers’ trust by a Commonwealth employee, motivated by personal gain and greed.”

    TikTok tells Australian Senate committee it doesn't want to be a 'political football'

    In a submission to the Senate Select Committee and its inquiry into Foreign Interference Through Social Media, controversial video-sharing app TikTok has taken the opportunity to address what it has labelled misinformation about itself.
    TikTok, owned by China’s ByteDance Ltd, is currently offered in “all major markets” except China, where the company offers a different short-form video app called Douyin, and Hong Kong, following the introduction of its new security law.
    It is currently banned in India and was previously on the US’ chopping block when President Donald Trump issued executive orders to ban the app. TikTok received approval to operate in the US, however, when the app’s US footprint was sold to Oracle and Walmart.
    The app was launched in May 2017 and its official launch in Australia occurred in May 2019.
    TikTok said the personal data it collects from Australian users is stored on servers located in the United States and Singapore.
    “We have strict controls around security and data access. As noted in our transparency reports, TikTok has never shared Australian user data with the Chinese government, nor censored Australian content at its request,” it wrote [PDF].
    “We apply HTTPS encryption to user data transmitted to our data centres and we also apply key encryption to the most sensitive personal data elements. User data is only accessible by employees within the scope of their jobs and subject to internal policies and controls.”
    The company said any legal requests from the Chinese government relating to Australian TikTok user data would need to go through the Mutual Legal Assistance Treaty (MLAT) process.
    “The Chinese government or law enforcement would need to send the evidence disclosure request through the relevant MLAT process.”
    If the data was stored in the United States, the US Department of Justice (DoJ) would be the appropriate body to consider the MLAT request.
    “If the US DoJ approved the evidence request, the US DoJ would send the request on to us at TikTok. If the request from the US DoJ complied with our processes and legal requirements, we would provide the user data information to the US DoJ, who would in turn pass the data on to the Chinese government or law enforcement,” it said.
    “To date, we have not received any MLAT requests in respect of Australian user data, nor have we received requests to censor Australian content from, the Chinese government.”
    Prime Minister Scott Morrison in August said that he had a “good look” at TikTok and there was no evidence to suggest the misuse of any person’s data.
    “We have had a look, a good look at this, and there is no evidence for us to suggest, having done that, that there is any misuse of any people’s data that has occurred, at least from an Australian perspective, in relation to these applications,” he told the Aspen Security Forum.
    “You know, there’s plenty of things that are on TikTok which are embarrassing enough in public. So that’s sort of a social media device.”
    Morrison said the same issues are present with other social media companies, such as Facebook.
    “Enormous amounts of information is being provided that goes back into systems. Now, it is true that with applications like TikTok, those data, that data, that information can be accessed at a sovereign state level. That is not the case in relation to the applications that are coming out of the United States. But I think people should understand and there’s a sort of a buyer beware process,” the prime minister added.
    “There’s nothing at this point that would suggest to us that security interests have been compromised or Australian citizens have been compromised because of what’s happening with those applications.”
    TikTok said it understands that with “[its] success comes responsibility and accountability”.
    “The entire industry has received scrutiny, and rightly so. Yet, we have received even more scrutiny due to the company’s origins,” it said.
    “Whilst we don’t want TikTok to be a political football, we accept this scrutiny and embrace the challenge of giving peace of mind by providing even more transparency and accountability.”
    In its submission, TikTok outlined the steps it has taken in relation to COVID-19, such as removing content containing medical misinformation and also content that included false information that was “likely to stoke panic and consequently result in real world harm”.
    The company added that it understood it has a responsibility to protect users from misleading information, educate on why it is inappropriate to post and spread misinformation, as well as encourage users to think twice about the information provided in any given post.  
    TikTok said it has also limited the distribution of conspiratorial content that may allege COVID-19 was intentionally developed by a person, group, or institution for nefarious purposes, and also removed content that suggests a certain race, ethnicity, gender, or any member of a protected group is more susceptible to have and/or spread coronavirus.
    “In light of the pandemic and the serious risk it poses to public health, we are erring on the side of caution when reviewing reports related to misinformation that could cause harm to our community or to the larger public. This may lead to the removal of some borderline content,” it wrote.
    TikTok said it is also continuing to invest in efforts to actively identify misinformation and to prevent inauthentic behaviour. It boasts a TikTok Transparency and Accountability Centre in Los Angeles, with another being built in Washington DC.
    The app’s community guidelines also state that TikTok is not the place to post, share, or promote: Harmful or dangerous content, graphic or shocking content, discrimination or hate speech, nudity or sexual activity, child safety infringement, harassment or cyberbullying, intellectual property infringements, or impersonation, spam, scams, or other misleading content.
    “We continue to consult with a wide range of industry experts, academics and civil society organisations to seek guidance on improving our policies,” it said.
    “We welcome collaboration with Australian industry players and regulators. This includes working with the Australian Communications and Media Authority (ACMA), towards the development of a draft industry code of conduct on misinformation, which is due for release later this year.”
    TikTok is due to appear before the committee on Friday. Labor previously said it wanted to ask TikTok how it approaches Australian privacy laws.

    Australia's cyber power is more bark than bite

    Australia scored number eight out of 30 major nations for “cyber intent” in the National Cyber Power Index 2020 (NCPI) published earlier this month, but only number 16 for “cyber capability”.
    That capability gap pulls Australia down to number 10 after, in order, the US at number one, China, UK, Russia, Netherlands, France, Germany, Canada, and Japan.
    Looking at individual data points, Australia is way down in an unsurprising 24th place when it comes to fixed broadband speed, behind Ukraine and only just ahead of Vietnam.
    It’s down at 16th place for internet freedom, scoring 72 out of a possible 100 points. The five leading nations in this category were Sweden, Netherlands, New Zealand, Switzerland, and Estonia.
    Australia is in the bottom half of the 30 ranked countries in things such as patent applications per capita; the number of global top 100 firms in all three tracked categories of tech, cyber, and surveillance; its military strategy and centralised cyber command; and its total number of cyber military personnel.
    Australia is number five in e-commerce per capita, however. It’s also number five for mobile data speeds, after South Korea, China, Canada, and the Netherlands.
    The NCPI was compiled by the Belfer Center for Science and International Affairs at the Harvard Kennedy School as part of its China Cyber Policy Initiative.
    The methodology detailed in the report is complex, and it makes some assumptions which cause your correspondent to have some doubts about the index’s effectiveness.
    The key issue is that the report is based entirely on publicly-available information, which means that secretive nations may be misrepresented. The researchers acknowledge this, however.
    “We recognise that countries deliberately choosing to be opaque will be vastly under-ranked in the index. We suspect that Israel falls into this category,” they wrote.
    “We also strongly believe that ‘Amassing Wealth or Extracting Cryptocurrency’ is a top objective of some countries and that they employ cyber means to achieve it. Unfortunately, we were not able to collect sufficient data … to measure each country against this objective.”
    Cyber power isn’t just about destroying infrastructure
    Unlike previous attempts to rank nation-state cyber power, the Belfer Center has attempted to include “all aspects under the control of a government where possible”.
    “Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation,” they wrote.
    “Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively.”
    The NCPI identified seven national objectives that countries might pursue using cyber means.
    They’re listed as: Surveilling and monitoring domestic groups; strengthening and enhancing national cyber defences; controlling and manipulating the information environment; foreign intelligence collection for national security; commercial gain or enhancing domestic industry growth; destroying or disabling an adversary’s infrastructure and capabilities; and defining international cyber norms and technical standards.
    “In contrast to the broadly held view that cyber power means destroying or disabling an adversary’s infrastructure (commonly referred to as offensive cyber operations), offense is only one of these seven objectives countries pursue using cyber means,” they wrote.
    The Belfer Center reviewed more than 1,000 existing sources of data and developed 27 unique indicators to measure a state’s cyber capabilities.
    Beyond the top 10 scorers already listed, the nations studied were ranked from Israel at number 11, down through Spain, Sweden, Estonia, New Zealand, South Korea, Switzerland, Singapore, Malaysia, Vietnam, India, Turkey, Iran, Brazil, Ukraine, Saudi Arabia, Lithuania, Italy, and finally to Egypt at number 29.
    North Korea was not given a ranking in the charts.
    Morrison government is more rhetoric than action: Labor
    The Labor Party has attempted to generate political capital with the NCPI, noting that while Australia is now in 10th place overall, it scored a far more impressive third place in a 2011 index produced by the Economist Intelligence Unit and Booz Allen Hamilton.
    “This is yet another example of the Morrison government’s approach of rhetoric over action while failing to prioritise cyber at both an industry and government level,” wrote Tim Watts, the Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister, last week.
    “The biggest gap between intent and capability is in our offence, with Australia placing 10th in intent yet only 24th in capability — particularly lagging in the capability of our domestic industry to realise high-tech export opportunities.”
    The government’s much-delayed 2020 Cyber Security Strategy lacks any objectives or initiatives to support the Australian cyber security industry, Watts said, noting that Australia ranked eighth in intent for the commercialisation of its cybersecurity capability, but only 12th when it came to capability.
    While your correspondent has noted that the government strategy is certainly disappointing, vague, and unambitious, Labor’s comparison with the 2011 ranking is a furphy.
    As the NCPI notes, that 2011 index “does not measure offensive capabilities, and focuses largely on economic and resource indicators — which although are important to understanding the potential for developing cyber power does not provide the fullest picture of cyber capabilities”.
    Labor also chose not to compare the NCPI ranking with the International Telecommunications Union’s Global Cybersecurity Index [PDF] of 2018, where Australia came in at number 11.
    As a nation with a higher cyber intent but lower cyber capability, Australia is “actively signalling to other states that they intend to develop their cyber capabilities”, said the NCPI.
    However, such nations have either not yet disclosed their capabilities, through stated or demonstrated means, or currently don’t have the capabilities at hand to achieve their cyber goals.
    The bad guys: China, Iran, North Korea
    According to the NCPI, some 29 countries are seen to be pursuing legal wealth generation via cyber means, such as developing their cybersecurity industries.
    “Only one country was observed pursuing it via illegal means — DPRK [North Korea],” the researchers said.
    “Only one country was assessed to have not demonstrated its wealth generation intent at all — Egypt.”
    China tops the NCPI’s list for the objective “growing national cyber and technology competence”.
    “Along with DPRK and Iran, China is one of only three countries assessed to be pursuing this objective through both legal and illegal means,” they said.
    “[China] has been both observed conducting industrial espionage and sought to incentivise and grow its domestic cyber expertise through research and development, and public-private partnerships.”

    US district court blocks Trump's WeChat ban

    A United States district court judge has issued a nationwide injunction against President Donald Trump’s executive order, thereby preventing the country’s WeChat ban from coming into effect. 
    The ruling was in relation to a lawsuit filed by WeChat users that argued the ban undermines the free speech rights of US citizens.
    The case’s presiding judge, Laurel Beeler, granted the injunction to halt the WeChat ban because the plaintiffs had raised serious questions about whether the ban impinged on the US First Amendment. She also acknowledged that the ban would cause hardship for the plaintiffs, as it would shut down the primary means of communication for the Chinese community.
    Beeler added that she was not convinced the ban would address the national security concerns raised by Trump, given there was “scant little evidence”.
    “Certainly the government’s overarching national security interest is significant. But on this record — while the government has established that China’s activities raise significant national security concerns — it has put in scant little evidence that its effective ban of WeChat for all US users addresses those concerns,” Beeler said in her judgment. 
    “As the plaintiffs point out, there are obvious alternatives to a complete ban, such as barring WeChat from government devices, as Australia has done, or taking other steps to address data security.”
    The ban, which would have come into effect on Sunday, was announced by the US Commerce Department late last week. It was the official instrument for enforcing the two executive orders signed by President Donald Trump in early August, which had addressed what he labelled as the national security threat posed by the pair of Chinese apps. 
    The ban had sought to block TikTok and WeChat as well as remove them from the Apple and Google app stores. Additionally, updates to the existing apps would have also been banned. 
    The ban would not have prevented existing users from using the apps, however, so long as the apps were already installed prior to the app store removals.
    Meanwhile, the Commerce Department said the ban on TikTok would be pushed back to November 12 unless national security concerns posed by the app are resolved. The decision to push back TikTok’s ban follows Oracle and Walmart announcing they would acquire 20% of a newly formed TikTok Global and issue an IPO within 12 months, effectively saving TikTok’s US footprint.

    The ransomware crisis is getting worse. We need to make these four big changes

    The cruel march of ransomware has apparently reached a grim new milestone. In Germany, authorities are investigating the death of a patient during a ransomware attack on a hospital; according to reports, the woman, who needed urgent medical care, died after being re-routed to a hospital further away, as a nearer hospital was in the midst of dealing with a ransomware attack.
    Elsewhere ransomware continues to create painful, if less tragic, disruptions. The UK’s cybersecurity agency has just warned that ransomware groups are launching ‘reprehensible’ attacks against universities as the new academic year starts. On a daily basis, companies large and small are finding their business disrupted when they can least afford to have computer systems failing.


    And yet, there seems to be a sense in some quarters that ransomware is simply an inevitable consequence of our digital age. That it is something that we just have to learn to accept.
    In reality, ransomware exists because of a series of failures. While apparently unrelated, they combine to create the conditions under which ransomware can flourish and become one of the biggest menaces on the internet today. If we want to stop the next decade becoming the decade of ransomware, we need to make some significant changes.
    Policing versus politics – Many of these gangs operate from countries where their behaviour is either not considered criminal, or overlooked by authorities (so long as they don’t attack local companies), or even actively welcomed as a source of new funds. That means treating ransomware as a simple law-enforcement issue is never likely to fix the problem: these states will never hand over these gangs to outside justice. This makes ransomware a political issue as much as a problem for police. Politicians should make clear to these governments that by allowing these gangs to flourish on their soil, they are part of the problem.
    Increase the pressure – Intelligence agencies also need to make tackling ransomware a priority. While, understandably, they have focused on state-backed espionage and cyberwarfare, ransomware is now becoming such a problem that greater emphasis needs to be placed on identifying, tracking and disrupting these groups. Some efforts, like the NoMoreRansom project, which offers decryption keys, are a good start, but more effort is needed.
    Make paying the ransom an absolute last resort – One of the fundamental issues that allows ransomware to flourish is that it remains lucrative for the gangs because victims will pay up. It’s entirely understandable that victims do pay up especially when the alternative is going out of business, or paying much more to restore data and computer systems. 
    But there are two problems with paying up. Firstly, it normalises ransomware attacks and turns them into another business expense. You can even buy insurance that will cover them. Turning these attacks into just another business cost means that they are taken less seriously. There is a sense that if data is encrypted – but not stolen – then somehow the breach is less important, and that if the ransom is paid and the data unlocked, then it’s no big deal. This might even make it harder to justify spending money to protect against ransomware.
    Worse, paying significant sums is a signal to crooks to move into ransomware, and also strengthens the gangs who can then take on more complicated targets. Paying the ransom makes everyone less safe.
    Make security practical – Too much software is shipped with too many holes in it; knitting different systems together, which is one of the inevitabilities of any IT infrastructure, only multiplies those security gaps. Vendors need to fix software before shipping, not after. They need to make it much easier for flaws to be dealt with by their customers, for whom patching is a thankless and Sisyphean task. Equally, users of technology have to make sure they are doing everything they can to make their systems secure, which means spending more time, money and effort on security. In many cases, this effort means patching vulnerabilities and making staff aware of the risks to stop the hackers getting through.
    None of these changes are easy; getting politicians to understand the internet is hard, making business execs take cybersecurity seriously is difficult, and persuading tech companies to change their development practices takes time. But it’s necessary if we don’t want the ransomware threat to continue to grow.
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.
    US govt orders federal agencies to patch dangerous Zerologon bug by Monday

    The Department of Homeland Security’s cybersecurity division has ordered federal civilian agencies to install a security patch for Windows Servers, citing “unacceptable risk” posed by the vulnerability to federal networks.
    The DHS order was issued via an emergency directive, a rarely-used legal mechanism through which US government officials can force federal agencies into taking various actions.
    The target of the DHS’s latest emergency directive is CVE-2020-1472, a vulnerability also known as Zerologon.
    The vulnerability is considered extremely dangerous, as it allows threat actors that have a foothold on an internal network to hijack Windows Servers running as domain controllers and effectively take over the entire network.
    Microsoft included fixes for the Zerologon vulnerability in the August 2020 Microsoft Patch Tuesday, published on August 11; however, many system administrators did not know how bad the bug really was until Monday of this week, when security researchers from Secura published a technical report explaining CVE-2020-1472 in detail.
    This in-depth report was more than enough to allow white-hat and black-hat hackers to create weaponized proof-of-concept Zerologon exploits, which went public within hours of the Secura report.
    The creation of these exploits, the widespread use of Windows Servers as domain controllers in US government networks, the 10 out of 10 maximum severity rating that the Zerologon bug received, and the “grave impact” of a successful attack are what led DHS officials to issue a rare emergency directive late Friday afternoon.
    “CISA [Cybersecurity and Infrastructure Security Agency] has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” DHS CISA said in Emergency Directive 20-04.
    System admins have until Monday to patch
    DHS CISA officials gave federal system administrators until the end of day on Monday to patch all their Windows Servers configured as domain controllers (11:59 PM EDT, Monday, September 21, 2020).
    Windows Servers that can’t be patched are to be taken offline and removed from the network, the DHS ordered.
    The short deadline for applying security updates is primarily due to the ease of exploitation and severe consequences of a successful Zerologon attack.
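    For administrators working against that deadline, the first question is which domain controllers still lack the August 2020 update. The PowerShell below is an added example for this story, not code from ZDNet, CISA or Microsoft: it enumerates every domain controller in the current domain and flags any that reports no hotfix installed on or after the 11 August 2020 Patch Tuesday that carried the fix. It assumes the ActiveDirectory RSAT module and remote access to each DC; the date comparison is a triage heuristic, and the exact KB for each server build should be confirmed against Microsoft’s advisory for CVE-2020-1472.

```powershell
# Added example (not from the article or the CISA directive).
# Lists every DC in the current domain and flags those with no update installed
# on or after the August 2020 Patch Tuesday (2020-08-11), when the Zerologon fix shipped.
# Assumes the ActiveDirectory module (RSAT) and WinRM/RPC access to each DC.
Import-Module ActiveDirectory

$PatchTuesday = [datetime]'2020-08-11'   # release date of the fix, from the story

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-HotFix reports installed updates; InstalledOn can be empty for some entries,
        # in which case the comparison is false and the entry is ignored.
        $recent = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.InstalledOn -ge $PatchTuesday }

        [pscustomobject]@{
            DomainController    = $dc.HostName
            OperatingSystem     = $dc.OperatingSystem
            UpdatesSinceAug2020 = ($recent | Measure-Object).Count
            Status              = if ($recent) { 'updated since 2020-08-11 (confirm KB)' }
                                  else         { 'NO UPDATE SINCE 2020-08-11: patch or isolate' }
        }
    }
    catch {
        # A DC that cannot be queried is not known to be patched; treat it as an open item.
        [pscustomobject]@{
            DomainController    = $dc.HostName
            OperatingSystem     = $dc.OperatingSystem
            UpdatesSinceAug2020 = $null
            Status              = "query failed: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Status | Format-Table -AutoSize
```

    Run it from an account that can read hotfix information on each DC. Any controller in the “NO UPDATE” or “query failed” state is the one to patch first or, per the directive, take off the network until it can be.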
    Even though Zerologon is not a vulnerability that can be used as the tip of the spear in a cyber-attack to break into a network, the bug is an ideal second-stage payload, giving attackers full control over an entire network if the domain controller was left unpatched.
    All this week, the cyber-security community has repeatedly warned about how dangerous this vulnerability really is, despite being a “second stage” exploit.
    “You must prioritize patching over detection with this kind of bug,” Andrew Robbins, Adversary Resilience Lead at cyber-security firm SpecterOps, said earlier today on Twitter.
    “Once an attacker owns your DC, their persistence options far exceed what even the most advanced organizations can hope to recover from,” Robbins added. “An ounce of patching is worth 10 tons of response.”