More stories

    SolarWinds security fiasco may have started with simple password blunders

    We still don’t know just how bad the SolarWinds security breach is. We do know over a hundred US government agencies and companies were cracked. Microsoft president Brad Smith said, with no exaggeration, that it’s “the largest and most sophisticated attack the world has ever seen,” with more than a thousand hackers behind it. But former SolarWinds CEO Kevin Thompson says it may have all started when an intern first set an important password to “solarwinds123.” Then, adding insult to injury, the intern shared the password on GitHub.

    You can’t make this stuff up.
    Thompson told a joint US House of Representatives Oversight and Homeland Security Committees hearing that the password was “a mistake that an intern made. They violated our password policies and they posted that password on an internal, on their own private Github account. As soon as it was identified and brought to the attention of my security team, they took that down.”
    Rep. Katie Porter, Democrat from California, rejoined, “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”
    How long did it actually take SolarWinds to replace the lousy password? Too long. 
    While SolarWinds executives said it was fixed within days of its discovery, current SolarWinds CEO Sudhakar Ramakrishna confessed that the password had been in use since 2017. Vinoth Kumar, the security researcher who discovered the leaked password, had said SolarWinds didn’t fix the issue until November 2019.

    Almost two years is too long to leave an important password to go stale. You also have to wonder what an intern was doing setting a significant password in the first place.  
    While SolarWinds isn’t sure that this password is the hole in the dyke that Russian hackers used to flood into American systems, it’s a safe bet that a security culture that enabled such a basic mistake couldn’t have helped.
    Looking ahead, Smith suggested to the US Senate that in the future the Federal government should impose a “notification obligation on entities in the private sector.” All too often no one knows about corporate security breaches until they’ve blown up the way SolarWinds’ failure did. Smith agreed that isn’t “a typical step when somebody comes and says, ‘Place a new law on me,’” but “I think it’s the only way we are going to protect the country.” In the meantime, as security company FireEye CEO Kevin Mandia said at the House hearing, “The bottom line: We may never know the full range and extent of the damage, and we may never know the full range and extent as to how the stolen information is benefiting an adversary.”
    That said, Mandia added, “I’m not convinced compliance in any standards regulation or legislation would stop Russian Foreign Intelligence Service from successfully breaching the organization.” 

    Singapore eyes more cameras, technology to boost law enforcement

    Singapore is looking to expand its use of cameras and technology to better support law enforcers and first responders. These include plans to tap sensors, video analytics, artificial intelligence (AI), automation, and drones to ease manpower shortages and improve service efficiencies. 
    As it is, the police have deployed almost 90,000 cameras in public locations such as carparks and residential estates across the island. And “many more” will be rolled out in the coming years, according to Minister for Home Affairs and Minister for Law K. Shanmugam, who was speaking in parliament Monday. 
    Describing these cameras as “a game-changer” in deterring and investigating crimes, he said the devices had helped the police solve 4,900 cases as of December 2020. 


    Shanmugam noted that there were limits to resources and manpower, and his ministry had focused on transformation with increased use of technology to address the shortage. 
    Neighbourhood Police Centres and police posts, for instance, had been redesigned to include automated self-help kiosks, so citizens could access police services 24 hours a day, seven days a week, he said.
    Some 300 next-generation Fast Response Cars also would hit the roads by 2023, equipped with cameras capable of providing a 360-degree view of their surroundings back to the Police Command Centre. This would enable agents at the command centre to assess the situation and deploy backups, he said. The vehicles also would be armed with video analytics technology to read number plates and automatically flag vehicles of interest. 
    “So you will be surrounded by sensors, which make people feel safer and more confident,” the minister said. 

    In addition, the police had been trialling beacon prototypes for a year, enabling the public to contact law enforcement directly during emergencies. Located across two residential estates, these beacons were equipped with various capabilities to “create deterrence and project presence”, he said, adding that they also had CCTV cameras to allow the police to assess the situation quickly.
    Beyond policing, efforts were underway to build “smart” fire stations that would make greater use of sensors and automation to facilitate operational response, decision making, and manpower management. Manual processes such as tracking the readiness of emergency supplies, vehicles, and personnel rostering would be automated, said Shanmugam.
    An AI-powered system also would send information during an emergency, such as a building’s floor plans and on-site live video feed, to officers before they arrived at the location. This would enable them to better assess the situation, develop a plan more quickly, and improve their response. 
    Emergency first responders also would have smart wearables that were integrated with the smart fire station’s systems, enabling commanders to monitor their officers’ physical condition during operations and training. 
    Moving to immigration control, Shanmugam said further enhancements would be made to verify travellers’ identities through iris and facial images at automated lanes, bypassing the use of passports and thumbprints. Trials were underway and showing promising results, he added.
    He also pointed to the use of drones and robots to facilitate security operations at COVID-19 isolation facilities, which reduced the risk of exposure for frontline officers.
    Robots also had been tapped to fight fire, including at an industrial fire last March where they tackled the most dangerous parts of the fire, fraught with immense heat and poor visibility, he noted.

    Scientists have built this ultrafast laser-powered random number generator

    A new light-based system could be used to generate the cryptography keys that secure highly sensitive data and transactions.  
    Image: Kyungduk Kim/ University of Yale
    Using a single, chip-scale laser, scientists have managed to generate streams of completely random numbers at about 100 times the speed of the fastest random number generator systems that are currently in use.
    The new system, which is described as “massively parallel ultrafast random bit generation,” could be used to generate the cryptography keys that secure highly sensitive data and transactions, which are currently at risk of attack from hackers armed with ever-increasing computer power.  

    Randomness has a fundamental role to play in cryptography: the more random a security key is, the harder it is to use logical mathematics to crack the code. This is why random number generators underpin encryption: the technology creates streams of bits that can in turn be used to produce very strong cryptography keys.
    There are many ways to generate random numbers, the most well-known of which can be traced back over thousands of years: for instance, a simple die, or coin-flipping, provides unpredictable results. This is what modern cryptography is attempting to emulate.
    Of course, manual random number generation is incapable of keeping pace with the scale of demand for data security. To create large amounts of random numbers at scale, new technologies were developed to quickly translate into bits, or numbers, the unpredictable behavior of some natural phenomena.  
    Lasers, for example, are made of tiny quantum photons that behave in a chaotic, unpredictable manner – and the random fluctuations of the particles that make up a laser beam can be detected by a computer, to be translated into sequences of numbers that are completely non-deterministic.  
    Although the unpredictable properties of lasers have been used to generate random numbers before, those systems are limited. Laser-based systems aren’t capable of producing many numbers very fast, nor can they generate numbers simultaneously from a single beam. 

    “Usually, those physical random number generators are not very fast – that’s one problem,” said Hui Cao, professor of applied physics at Yale University, who led the study. “Also, they are sequential – that is, they usually just generate one bitstream. They cannot generate many bitstreams simultaneously. And in each stream, the rate is relatively low, so that prevents it from generating a lot of random numbers very quickly.” 
    At the same time, the need for a system that can produce random numbers at scale is fast increasing. As networks expand in an ever-connected way, it is becoming necessary to increase the generation rate of random numbers to keep pace with demand, and make sure that sensitive data is appropriately protected. 
    To improve the output of laser-based random number generators, Cao and her team created a compact single laser, and tweaked the design of the laser cavity to make it resemble an hourglass. When the laser is shined, light waves ricochet between either end of the hourglass, simultaneously resonating in the device; the fluctuations in the intensity of the quantum particles of light are recorded by a fast camera, to be translated by a computer into random series of numbers.  
    Thanks to the new design, therefore, the cavity acts as a resonator for the light waves, meaning that random bits can be generated in parallel, even with a single laser diode – a first, for light-based random number generators. 
    The results are promising, both in speed and scale: using the new amplifying system, Cao and her team generated about 250 terabits, or 250,000 gigabits, of random bits per second, which is more than two orders of magnitude higher than the fastest current systems. The researchers said that the technology can also be scaled up “significantly”.
    “It really opens a new avenue on how to generate random numbers much faster, and we have not reached the limit yet,” said Cao. “As to how far it can go, I think there’s still a lot more to explore.” 
    For the technology to be ready for practical use, however, it will be necessary to create a compact chip that incorporates both the laser and the photodetectors that could directly and rapidly send measurements to computers in real-time.  
    With many companies looking at innovative ways to leverage light particles for random number generation, the field is likely to be busy in the next few years.  
    UK-based quantum company Nu Quantum, for example, is working on a device that can emit and detect quantum particles of light, called single photons. In the long term, Nu Quantum’s founders hope that the technology will be used to build large-scale quantum computers; for now, however, the start-up is working with the National Physical Laboratory to commercialize the device for quantum random number generation.

    Free cybersecurity tool aims to help smaller businesses stay safer online

    Small businesses can receive bespoke advice on how to improve their cybersecurity and protect their networks from malicious hackers and cyber crime via a new tool from the National Cyber Security Centre (NCSC).
    The ‘Cyber Action Plan’ is a free online service designed to help small businesses protect themselves against cyber attacks.
    While smaller businesses might not believe they’re a tempting target for cyber criminals, almost half have reported cybersecurity breaches or attacks over the last year. That figure is up from under a third of SMBs reporting incidents during the previous twelve months.
    For cyber criminals, while targeting smaller businesses might not be as lucrative as campaigns targeting larger businesses, the potential lack of cybersecurity barriers could provide them with easy pickings. The attacker could always be targeting a small business as part of a supply chain attack against a larger target anyway.
    The NCSC’s Cyber Action Plan tool aims to help small businesses improve their resilience to cyber attacks: a short questionnaire about their current cybersecurity strategy produces customised advice on how the business could be better protected against cyber crime.
    Some of the potential recommendations include building a backup strategy and regularly updating those backups, using a strong password and multi-factor authentication, as well as making sure that software updates and security updates are regularly applied.

    By applying relatively simple cybersecurity procedures like these, small businesses can go a long way towards protecting themselves from falling victim to data breaches, malware, ransomware and other cyber attacks.
    “Small businesses are the lifeblood of this country, but we know they can be a target for cyber criminals, particularly as they move more operations online,” said Sarah Lyons, deputy director for economy and society at the NCSC.
    “Our free Cyber Action Plan is here to help, offering bespoke, actionable information linked to the Cyber Aware behaviours. If you work for yourself, or run a small business, I would urge you to spend a few minutes on the questionnaire and follow the steps to help secure your business,” she added.
    The action plan is the latest in a line of tools and initiatives by the NCSC designed to help protect businesses and individuals from falling victim to cyber attacks – or knowing what to do if they do become a victim of cyber crime.
    The NCSC will be launching a version of the cyber action plan designed to help individuals and families protect themselves from cyber attacks at some point in the future.

    Google: Bad bots are on the attack, and your defence plan is probably wrong

    Google is warning that bots are causing more problems for business — but many companies are only focused on the most obvious attacks.
    At the outset of the COVID-19 pandemic Microsoft chief Satya Nadella said Microsoft had seen “two years’ worth of digital transformation in two months.” Google now sees that attackers have adapted to these changed conditions and are boosting attacks on newly online businesses, with bots high on the list of tools used. 
    Bot attacks can cover anything from web scraping where bots are used to gather content or data, to bots that try to beat Captchas, to ad fraud, card fraud and inventory fraud. Of particular concern are distributed denial of service attacks (DDoS), where junk traffic is directed at an online service with the purpose of flooding it to the point of knocking it offline. 

    According to the advertising giant, 71% of companies experienced an increase in the number of successful bot attacks, and 56% of companies reported seeing different types of attacks, but it said many companies are using the wrong mix of technology to protect themselves.
    Google’s research has found that while 78% of organizations are using DDoS protection, such as web application firewalls, and content distribution networks (CDN), less than a fifth of them are using a “full bot management system”. 
    “Bots attack an application’s business logic, and only a bot management solution can protect against that sort of threat,” says Google Cloud Platform’s Kelly Anderson, a product marketing manager.
    “To effectively safeguard web applications from bot attacks, organizations must use tools like DDoS protection, WAF, and/or CDNs, alongside a bot management solution.”

    According to Anderson, there’s a missing link between application security and security operations teams and e-commerce, fraud, and network security pros, which allows for bots to pose a threat to business operations. 
    “Effective bot management relies on collaboration between many teams within an organization, including security, customer experience, e-commerce, and marketing. But on average, only two teams are involved in bot management, usually the application security and security operations teams. Yet, it’s the e-commerce, fraud, and network security professionals that most commonly consume the data from bot management tools. This disconnect can lead to the commerce or fraud teams being left out of critical bot management decisions,” she explains. 
    Because of this disconnection between security and anti-fraud teams, firms spend 53 working days — or nearly two months — across roles resolving attacks.
    Anderson wants businesses to invest in a bot management system that can detect the most sophisticated bots. 
    “Good automated traffic comes from approved partner applications and search engines, while bad traffic comes from malicious bot activity. Bots account for over half of all automated web traffic and nearly a quarter of all internet traffic in 2019, leaving professionals to thread the needle,” Google says in a research paper. 
    Google commissioned the research to analyst firm Forrester Consulting, which looked at bot management approaches. The survey gained 425 respondents with responsibilities over fraud management, attack detection and response, and the protection of user data.
    The company found that most organizations are only protecting themselves against card fraud, ad fraud, and influence fraud attacks.
    “Only 15% of businesses are currently protecting themselves against web scraping attacks, yet 73% face such an attack on a weekly basis,” Forrester Consulting says. 
    Almost two-thirds of respondents said they lost between 1% and 10% of revenue to web scraping attacks alone. 
    “Many businesses focus on the types of attacks that are most commonly in the news, rather than the attacks that can cause the most damage to their bottom lines,” the consulting firm says.

    Hackers exploit websites to give them excellent SEO before deploying malware

    Cyberattackers have turned to search engine optimization (SEO) techniques to deploy malware payloads to as many victims as possible. 

    According to Sophos, the so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings. 
    SEO is used by webmasters to legitimately increase their website’s exposure on search engines such as Google or Bing. However, Sophos says that threat actors are now tampering with the content management systems (CMS) of websites to serve financial malware, exploit tools, and ransomware.
    In a blog post on Monday, the cybersecurity team said the technique, dubbed “Gootloader,” involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads. 
    The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers — 400, if not more — must be maintained at any given time for success. 
    While it isn’t known if a particular exploit is used to compromise these domains in the first place, the researchers say that CMSs running the backend of websites could have been hijacked via malware, stolen credentials, or brute-force attacks. 

    Once the threat actors have obtained access, a few lines of code are inserted into the body of website content. Checks are performed to ascertain whether the visitor is of interest as a target, based on factors such as their IP address and location, and visits arriving from a Google search are the ones most commonly accepted.

    Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”
    “If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.
    If the attackers’ criteria aren’t met, the browser will display a seemingly-normal web page — that eventually dissolves into garbage text. 
    A fake forum post will then be displayed containing an apparent answer to the query, as well as a direct download link. In one example discussed by the team, the website of a legitimate neonatal clinic was compromised to show fake answers to questions relating to real estate. 

    Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.
    When the .js file is executed it runs in memory, and its obfuscated code is then decrypted to fetch and launch further payloads.
    According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States. 
    “At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”
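    The lure artefact described above, a search-term-named .zip carrying a single .js file, is something a web or mail gateway can screen for. The following is an added example written for this page, not code from Sophos or from the article; the archive it inspects is constructed inline with a harmless placeholder script, and the extension list beyond .js and the scoring heuristics are this example's own assumptions rather than published indicators.

```python
"""Gateway-side check for a Gootloader-style lure archive (added example)."""
import io
import math
import os
import re
import zipfile

# Script extensions Windows runs on double-click. The article names only
# .js; the rest are an assumption of this example.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # skip huge members (zip-bomb guard)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encoded script text scores high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_signals(script: bytes) -> list:
    """Crude, constructed heuristics for obfuscated .js of the kind the
    article describes: dynamic evaluation, script-host objects, very long
    string literals, and high entropy. Illustrative only."""
    text = script.decode("latin-1")
    signals = []
    if re.search(r"\b(eval|unescape|Function)\s*\(", text):
        signals.append("dynamic-eval")
    if re.search(r"\bWScript\b|\bActiveXObject\b", text):
        signals.append("wsh-objects")
    if re.search(r"(['\"])[^'\"\n]{200,}\1", text):
        signals.append("long-string-literal")
    if shannon_entropy(script) > 5.0:
        signals.append("high-entropy")
    return signals


def inspect_lure_archive(blob: bytes) -> dict:
    """Report on a downloaded .zip: suspicious if it carries a script file,
    with per-script obfuscation signals attached for the analyst."""
    report = {"members": [], "scripts": [], "signals": {}, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        report["error"] = "not a zip archive"
        return report
    with zf:
        for info in zf.infolist():
            report["members"].append(info.filename)
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in SCRIPT_EXTS or info.file_size > MAX_MEMBER_BYTES:
                continue
            report["scripts"].append(info.filename)
            report["signals"][info.filename] = obfuscation_signals(zf.read(info))
    # A script inside a search-result download is the lure pattern itself;
    # the signals only raise confidence, they are not required.
    report["suspicious"] = bool(report["scripts"])
    return report


def build_archive(name: str, body: bytes) -> bytes:
    """Build an in-memory zip with one member (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure: one .js member named after a
    search query. The body is an inert placeholder, not real malware."""
    fake_js = ("var s='" + "A" * 250 + "';\n" + "eval(s.substring(0, 0));\n").encode()
    return build_archive("real estate purchase agreement template.js", fake_js)


if __name__ == "__main__":
    print(inspect_lure_archive(build_sample_lure()))
```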


    Tether faces 500 Bitcoin ransom: We are ‘not paying’

    Tether has revealed a ransomware demand in which threat actors are allegedly demanding 500 Bitcoin ($24 million). 

    Over the weekend, the blockchain and cryptocurrency organization said on Twitter that a demand for payment had been made, on pain of documents being leaked online that would “harm the Bitcoin ecosystem.” 
    The wallet address associated with the demand, at the time of writing, has $72 in BTC stored. 
    Tether said that the payment deadline is March 1, but added, “We are not paying.”
    “It is unclear whether this is a basic extortion scheme like those directed at other crypto companies or people looking to undermine Tether and the crypto community as a whole,” Tether says. “Either way, those seeking to harm Tether are getting increasingly desperate.”
    The company also used the same thread to claim that documents circling online, allegedly showing dubious communication between employees of Tether, Deltec Bank & Trust, and other parties, are “forged”.  
    The unverified email screenshots appear to relate to Bahamas-based Deltec, which has a banking relationship with Tether, and a discussion over asset backing. Tether says the documents are “bogus.”

    In a separate tweet, Tether and Bitfinex CTO Paolo Ardoino said the main goal of these alleged leaks “is to discredit #bitcoin and all #crypto.”
    “While we believe this is a pretty sad attempt at a shakedown, we take it seriously,” Tether commented. “We have reported the forged communications and the associated ransom demand to law enforcement. As always, we will fully support law enforcement in an investigation of this extortion scheme.”
    Update 14.37 GMT: Tether told ZDNet that the company does not know the identity of the individual making the ransom demand and is “not in a position” to provide a copy of the ransom note “at this time.”
    In other Tether news, the organization has reached an $18.5 million settlement with the New York Attorney General’s Office to settle a case in which both Tether and Bitfinex were accused of covering up an $850 million loss.
    Letitia James, NY attorney-general, accused the firms of “recklessly and unlawfully covered up massive financial losses to keep their scheme going and protect their bottom lines,” adding that “Tether’s claims that its virtual currency was fully backed by US dollars at all times was a lie.”
    Tether admitted no wrongdoing but has agreed to settle, a gesture the firm says “should be viewed as a measure of our desire to put this matter behind us and focus on our business.”

    Judge approves $650m settlement for Facebook users in privacy, biometrics lawsuit

    A $650 million settlement to close a class-action lawsuit alleging that Facebook violated user privacy has been approved. 

    The case, a class-action lawsuit filed against the social media giant six years ago, alleged that Facebook violated the Illinois Biometric Information Privacy Act (BIPA), which prevents companies from gathering or using biometric information from users without consent. 
    The lawsuit claimed that the Facebook Tag Suggestions feature, which used facial markers to suggest people in image tagging, violated BIPA by scanning, storing, and using user biometrics to create “face templates” without written permission.
    On Friday, in California, US District Judge James Donato approved the $650 million settlement, an increase of $100 million from Facebook’s proposed $550 million in January 2020. 
    The ruling has been described as a “landmark result.” 
    In total, close to 1.6 million Facebook users in Illinois could receive as much as $345 each within months, on the assumption that no appeal is filed, as reported by the Chicago Tribune. 
    However, only users that signed up for representation in the class-action suit before the November 23, 2020 deadline are eligible for compensation. 

    The three plaintiffs who originally filed the suit will receive $5,000 each. 
    “Overall, the settlement is a major win for consumers in the hotly contested area of digital privacy,” the order read. “Final approval of the class action settlement is granted. Attorneys’ fees and costs, and incentive awards to the named plaintiffs, are also granted.”
    In a statement, Facebook said, “we are pleased to have reached a settlement so we can move past this matter, which is in the best interest of our community and our shareholders.”
    In related news over the past week, video content-sharing platform TikTok has agreed to a $92 million settlement to resolve claims that the company harvested and shared data belonging to minors. 
    The case, originating from 21 class-action lawsuits filed in California and Illinois, also included allegations of BIPA violations. 
    TikTok has agreed to the settlement — despite denying any wrongdoing — in order to focus on “building a safe and joyful experience for the TikTok community.”