More stories

  • Google backs new security standard for smartphone VPN apps

    The Internet of Secure Things Alliance (ioXt), an IoT security certification body, has launched a new security certification for mobile apps and VPNs. The new ioXt compliance program includes a ‘mobile application profile’ – a set of security-related criteria against which apps can be certified. The profile, or mobile app assessment, includes additional requirements for virtual private network (VPN) applications.

    Google and Amazon had a hand in shaping the criteria, along with a number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google’s VPN within the Google One service is one of the first to be certified against the criteria. Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.

    The mobile app profile certification includes checks for insecure interfaces, automatic updates, secure password management, security by default, as well as an assessment of whether the software has been verified. It also considers vulnerability reporting programs and end-of-life policies. According to Davis, since the ioXt Alliance already does security checks for IoT devices, it was decided to expand coverage to the apps that manage those devices.

    “We’ve seen early interest from Internet of Things and virtual private network developers, however the standard is appropriate for any cloud-connected service such as social, messaging, fitness, or productivity apps,” said Davis.

    Consumer VPNs that have been certified include Google One (which has a built-in VPN service), ExpressVPN, NordVPN, McAfee Innovations, OpenVPN for Android, Private Internet Access VPN, and VPN Private. The accreditation for VPN apps could be handy for Android owners, given that every now and then Google needs to pull malicious VPNs from the Google Play Store.

  • Cyberattack on UK university knocks out online learning, Teams and Zoom

    The University of Hertfordshire has suffered a devastating cyberattack that knocked out all of its IT systems, including Office 365, Teams and Zoom, local networks, Wi-Fi, email, data storage and VPN. The university reported the attack on Wednesday, resulting in the cancellation of all online classes on Thursday and Friday.

    “Shortly before 22:00 on Wednesday 14 April, the University experienced a cyber-attack which has impacted all of our systems, including those in the Cloud such as Canvas, MS Teams and Zoom,” it said in an update on its website.

    Due to pandemic restrictions on in-person classes, the university and most students still depend on online learning and video-conferencing apps like Zoom. The UK government has allowed some students to return to in-person teaching if they require specialist equipment, but has banned a full return until at least May 17. The university noted that the outage may affect students submitting assignments, but assured them that no student would be disadvantaged as a result. Students were allowed to attend the university so long as computer access wasn’t necessary.

    “You will not be able to access computer facilities in the LRCs, Labs or the University Wi-Fi. Remote access to specialist software and PCs is currently unavailable,” the university said. Hertfordshire’s system status page, last updated 17 hours ago, shows the extent of the disruption.

    It’s not clear what kind of cyberattack the university experienced, but the National Cyber Security Centre (NCSC) last month warned of a surge in ransomware attacks on schools, colleges and universities. “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the agency said.

  • Mozilla to start disabling FTP next week with removal set for Firefox 90

    Clicking an FTP link in Firefox will soon hand the link off to another application, as Mozilla is removing Firefox’s FTP implementation. A year ago Mozilla announced its intention to disable support for FTP shortly, but it also said it would delay the move depending on how the pandemic turned out. By February, FTP was disabled in Firefox’s Nightly channel, and it is currently also disabled in the Beta channel. For general release, FTP will be disabled in Firefox 88, released on April 19. From that point, when Firefox encounters an FTP link, it will attempt to pass it off to an external application.

    “Most places where an extension may pass ‘ftp’ such as filters for proxy or webRequest should not result in an error, but the APIs will no longer handle requests of those types,” Mozilla add-ons community manager Caitlin Neiman wrote in a blog post. “To help offset this removal, ftp has been added to the list of supported protocol_handlers for browser extensions. This means that extensions will be able to prompt users to launch an FTP application to handle certain links.”

    Two release cycles later, in late June, Firefox 90 will have the FTP implementation removed altogether. This will also affect Firefox on Android.

    “FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year. “Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”

  • Swinburne University confirms over 5,000 individuals affected in data breach

    Swinburne University of Technology has confirmed that personal information on staff, students, and external parties had inadvertently made its way into the wild. It said it was advised last month that information on around 5,200 Swinburne staff and 100 Swinburne students was available on the internet. This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available. The information made available was name, email address, and, in some cases, a contact phone number.

    “We took immediate action to investigate and respond to this data breach, including removing the information and conducting an audit across other similar sites,” the university said in a statement on Friday. “We sincerely apologise to all those impacted by this data breach and for any concerns this has caused.”

    Swinburne said it is currently in the process of contacting all individuals whose information was made available to apologise to them and offer appropriate support.

    “We are also contacting around 200 other individuals not connected to Swinburne who had registered for the event and whose information was also made available,” it said.

    The breach has been reported to the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner (OVIC), the Tertiary Education Quality and Standards Agency (TEQSA), and the Victorian Education Department.

    The higher education sector in Australia could soon find itself classed as systems of national significance, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The Group of Eight (Go8) — comprising eight Australian universities — believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.

    “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said in February.

    The Go8 comprises the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia.

    Swinburne made its own views available to the committee probing the Bill, saying in February that the cost of positive security obligations and enhanced cybersecurity measures for assets deemed to be systems of national significance would be difficult for universities to absorb, given the current funding situation and the decrease in income from international student enrolments.

    “Therefore, the Commonwealth must ensure that universities are adequately funded to meet their responsibility of providing quality education and respond to these new security requirements,” it wrote [PDF]. “While security from foreign interference is of paramount importance, equally important is the economic security provided by having a robust tertiary sector. We recommend that the government work closely with the sector to ensure that the legislation has minimal impact on essential university operations.”

    The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019 and revealed two weeks later in June. The hackers gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”. Then there was Melbourne’s RMIT University, which in February responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.

    At a recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the national security risks affecting the Australian higher education and research sector, discussion of the two security incidents was used by Home Affairs representatives to justify the inclusion of higher education and research in the Critical Infrastructure Bill.

    AUSTRALIA ALSO BLAMES RUSSIA FOR SOLARWINDS HACK

    Elsewhere, the Australian government has joined international partners in holding Russia to account for its cyber campaign against US software firm SolarWinds. Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting COVID-19 research facilities, and more, according to the United States and the United Kingdom.

    The US accusation comes in a joint advisory by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, which also describes ongoing Russian Foreign Intelligence Service exploitation of five publicly known vulnerabilities in VPN services. The UK has also attributed the attacks to the Russian intelligence service.

    “In consultation with our partners, the Australian government has determined that Russian state actors are actively exploiting SolarWinds and its supply chains,” a statement from Minister for Foreign Affairs Marise Payne, Minister for Defence Peter Dutton, and Minister for Home Affairs Karen Andrews said. “Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security, and public safety. Australia condemns such behaviour.”

    The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies.

    “Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector,” Australia’s statement continued.

    Updated 16 April 2021 at 3:20pm AEST: Added Australian attribution of SolarWinds breach to Russia.

  • Google Project Zero testing 30-day grace period on bug details to boost user patching

    Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that incorporates a 30-day grace period to give users time to install patches before technical details are revealed. The project is keeping its famous 90-day disclosure period intact for vulnerabilities that remain unpatched; however, if a patch appears within the disclosure period, the technical details will appear 30 days after the patch is released. For in-the-wild exploits, disclosure will occur a week after notification, along with technical details if unfixed. If a patch is released in the 7-day notification window, the technical details will appear 30 days later.

    Vendors will now be able to ask for a 3-day grace period. In rare instances where Project Zero has granted vendors a fortnight’s grace on disclosure, or a new 3-day period for in-the-wild exploits, that period will use up part of the 30-day grace on technical details.

    Last year, Project Zero introduced a policy where it gave vendors a complete 90-day window before it disclosed exploits. That shift was also made in an effort to boost user patching, but it was far from successful. “The idea was if a vendor wanted more time for users to install a patch, they would prioritise shipping the fix earlier in the 90-day cycle rather than later,” Project Zero manager Tim Willis wrote.

    “In practice, however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn’t clearly understood.”

    Willis said the new 90+30-day system will be dialled down in the future, but the policy would need to start with deadlines that can be met by vendors. “Based on our current data tracking vulnerability patch times, it’s likely that we can move to an ‘84+28’ model for 2022 (having deadlines evenly divisible by seven significantly reduces the chance our deadlines fall on a weekend),” he said. “Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks.

    “Disclosure policy is a complex topic with many trade-offs to be made, and this wasn’t an easy decision to make.”

  • OWC partners with Acronis to protect your backups from ransomware attacks

    If you’re a pro Mac user, you’ll likely know the OWC name. OWC has been the go-to place for RAM and storage upgrades, or for docks and external storage devices. Today, OWC announced that it would make Acronis True Image OEM software available on OWC storage solutions that include SoftRAID.

    The addition of Acronis True Image OEM will make sure that when users back up their system onto an OWC external storage system, a reliable copy of the data is ready in case it is needed for a speedy recovery. But making and maintaining a backup also means making sure that malware doesn’t make it onto the system.

    “OWC has partnered with Acronis to bring the number one personal backup software to your workflow along with industry-leading antimalware protection,” said Larry O’Connor, CEO and Founder of OWC. “Adding Acronis True Image Technology to our OWC storage solutions is truly amazing. This partnership will tremendously add to our customers feeling their data is safe and protected for years to come.”

    You also want to make sure that your backup doesn’t fall victim to ransomware and cryptojacking. To combat this, Acronis True Image OEM features AI-enhanced anti-ransomware technology, called Acronis Active Protection, which uses behavioral heuristics to watch for ransomware and cryptojacking attacks in real time. The solution is battle-tested, stopping more than 600,000 ransomware attacks last year alone. Acronis True Image OEM will be shipped with OWC storage solutions on MacSales.com.

  • Microsoft rolls out Edge 90, with new history search, Kids Mode, to mainstream users

    Microsoft is rolling out the latest version of its new Edge browser to mainstream users today, April 15 — the same day Google is rolling out Chrome 90. Microsoft’s Edge 90 includes a number of new features, including new history-search options and Kids Mode, which have been in testing for the last few months. Password Monitor, which is meant to protect users’ passwords by notifying them if their credentials have been compromised, is also considered part of the Edge 90 rollout. Microsoft began rolling out Password Monitor in January 2021 as part of Edge 88, but as of Edge 90 it is now available to all users.

    Other new features that are part of Edge 90, according to Microsoft’s Edge “What’s Next” page, include support for TLS token binding for policy-configured sites; a “current page” option for printing PDF documents; the ability to bulk-delete passwords; improvements to font rendering; and synced browser-history support for history search. As of version 90, Edge also supports more natural search terms, so customers can search their browsing history in their own words with queries like “news articles from last week,” officials said.

    Kids Mode is a browsing mode designed specifically for kids ages five to eight and nine to 12. This new mode includes “guardrails” meant to steer kids away from inappropriate content via a built-in allow list and Bing SafeSearch, with tracking prevention automatically set to Strict. Parents can review and change the allowed content from their Edge Settings.

  • SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack

    Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting Covid-19 research facilities and more, according to the United States and the United Kingdom. The US accusation comes in a joint advisory by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), which also describes ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities in VPN services. The UK has also attributed the attacks to the Russian intelligence service.

    The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies including FireEye and Mimecast. Now the US has publicly attributed the SolarWinds attacks to Russian Foreign Intelligence Service (SVR) actors — also known as APT29, Cozy Bear, and The Dukes by cybersecurity researchers — along with additional campaigns, including malware attacks targeting facilities behind Covid-19 vaccine development.

    The five vulnerabilities being targeted by cyber attackers are:

    Security patches are available to fix each of the vulnerabilities, and organisations yet to apply them to their network are urged to do so as soon as possible in order to prevent further attacks.

    “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” said the cybersecurity advisory.

    Sanctions

    The attribution of the SolarWinds attack comes as the Biden administration issued sanctions against Russia in response to what’s described as “harmful activities by the Government of the Russian Federation”. The financial sanctions specifically mention “malicious” cyber activities by Russian actors, including the SolarWinds cyber attack.

    The UK has also called out the attacks targeting SolarWinds, and is urging organisations to take note, with the National Cyber Security Centre (NCSC) assessing that it’s highly likely the SVR was responsible for gaining unauthorised access to SolarWinds’ ‘Orion’ software. “The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action,” said Foreign Secretary Dominic Raab.

    A recent alert by the NCSC warned users who hadn’t yet applied the security patch to the Fortinet FortiGate vulnerability — which was released in 2019 — to assume their network has been compromised by cyber attackers and to take the appropriate action necessary.