More stories

  • Former IT director gets jail time for selling government's Cisco gear on eBay

    A South Carolina man was sentenced this week to two years in federal prison for taking government-owned networking equipment and selling it on eBay.
    The man, Terry Shawn Petrill, 48, of Myrtle Beach, worked as the IT Security Director for Horry County in South Carolina, the Department of Justice said in a press release on Tuesday.
    According to court documents, “beginning on June 11, 2015, through August 23, 2018, Petrill ordered forty-one Cisco 3850 switches that were to be installed on the Horry County network.”
    US authorities said that through the years, when the switches would arrive, Petrill would take custody of the devices and tell fellow IT staffers that he would handle the installation alone.
    However, investigators said that “Petrill did not install the switches on the network and instead sold them to third parties and kept the proceeds for himself.”
    FBI agents who investigated the case said they tracked nine of the 41 missing Cisco switches to ads on eBay, while the location of the rest remains unknown.
    Nonetheless, this was enough to file charges against Petrill, whom authorities arrested and indicted in November 2019.
    Officials said Petrill “confessed his activity in a manner to attempt to assist authorities” and “fully accepted responsibility for his actions.”
    Besides prison time, Petrill was also ordered to pay restitution in the amount of $345,265.57 to the Horry County Government.
    This marks the second legal case over the past week in which Cisco was involved. Last week, a former Cisco engineer also pleaded guilty to accessing his former employer’s network and wiping 456 virtual machines, which eventually led to disruption for over 16,000 Webex Teams accounts.

  • Australian government releases voluntary IoT cybersecurity code of practice

    The Australian government has released a voluntary code of practice for securing the Internet of Things (IoT) in Australia.
    The voluntary Code of Practice: Securing the Internet of Things for Consumers [PDF] is intended to provide industry with a best-practice guide on how to design IoT devices with cybersecurity features.
    It will apply to all IoT devices that connect to the internet to send and receive data in Australia, including “everyday devices such as smart fridges, smart televisions, baby monitors, and security cameras”.
    “Internet-connected devices are increasingly part of Australian homes and businesses and many of these devices have poor security features that expose owners to compromise,” Minister for Home Affairs Peter Dutton said.
    “Manufacturers should be developing these devices with security built in by design.
    “Australians should be considering security features when purchasing these devices to protect themselves against unsolicited access by cybercriminals.”
    The voluntary code of practice is based on 13 principles.
    These principles include not duplicating default or weak passwords as well as using multi-factor authentication; implementing a vulnerability disclosure policy that includes a public point of contact so security researchers and others can report on any cybersecurity issues; keeping software securely updated; and securely storing credentials by avoiding hard-coded credentials within devices and software.
    The code also states manufacturers should ensure personal data is protected according to data protection laws such as the Privacy Act 1988 and the Australian Privacy Principles; minimise exposed attack surfaces; ensure communication security; ensure software integrity by verifying the software on IoT devices and using secure boot mechanisms; make systems resilient to outages; and monitor system telemetry data for security anomalies.
    Additionally, while voluntary, the code of practice also encourages that IoT manufacturers make it easy for consumers to delete personal data when they dispose of the device; make installation and maintenance of devices easy; and ensure any data received via user interfaces, API, and network interfaces are validated.
    Alongside the code of practice, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has released a guide to help manufacturers implement the IoT code of practice.
    Additionally, the ACSC has released an IoT guide for consumers and small and medium-sized businesses on how to protect themselves against cyber threats when buying, using, and disposing of IoT devices.
    “Boosting the security and integrity of internet-connected devices is critical to ensuring that the benefits and conveniences they provide can be enjoyed without falling victim to cybercriminals,” Minister for Defence Linda Reynolds said.
    Publishing the code of practice on Thursday follows on from the Australian government’s release of the draft version last November, and a nation-wide consultation with industry across various sectors, including cybersecurity, government, not-for-profit advocacy groups, critical infrastructure providers, and domestic and international consumers.
    The code of practice is also a key deliverable of the government’s 2020 Cyber Security Strategy.
    In July last year, Australia co-signed a statement of intent regarding the security of IoT with the Five Eyes nations in London. The voluntary code of practice, according to the government, “aligns and builds upon” the guidance provided by the UK and is consistent with “other international standards”.  
    A similar code [PDF] has also been developed by the European Union.

  • India blocks 118 apps including Baidu, AliPay, PUBG, WeChat Work

    The Indian Ministry of Electronics and Information Technology handed down a ban on 118 apps on Tuesday, claiming they are “stealing and surreptitiously transmitting” data of users to servers outside of India, and thereby undermining the sovereignty and defence of the nation.
    “The compilation of these data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which requires emergency measures,” the Ministry said in a statement.
    Among the list of apps are a number of high-profile Chinese apps, including Baidu, WeChat, AliPay, PUBG, and Sina News.
    Tencent has had a number of its apps blocked — besides WeChat and PUBG, which it has an equity stake in — including its new VooV video conferencing tool, its Weiyun storage service, and its Watchlist app.
    Earlier in the week, the Pakistan Telecommunication Authority (PTA) blocked access to five dating and live-streaming apps, namely Tinder, Tagged, Skout, Grindr, and SayHi.
    “Keeping in view the negative effects of immoral/indecent content streaming through the above applications, PTA issued notices to the management of above mentioned platforms for the purpose of removing dating services and to moderate live streaming content in accordance with the local laws of Pakistan,” the Authority said in a statement.
    “Since the platforms did not respond to the notices within the stipulated time therefore the Authority issued orders for blocking of the said applications.”
    Since June, China and India have experienced rising tensions following a border clash between soldiers where they fought each other with rocks and clubs. The clash resulted in the death of 20 Indian soldiers, and more than 75 injured.
    Later that month, India banned 59 Chinese apps, including TikTok, UC Browser, Weibo, and WeChat.
    On Tuesday the WeChat ban was extended to WeChat Work, WeChat reading, and Government WeChat.
    The full list of 118 apps blocked by India is:
    AFK Arena
    Alipay
    AlipayHK
    Amour: video chat & call all over the world.
    AppLock
    AppLock Lite
    APUS Flashlight: Free & Bright
    APUS Launcher Pro: Theme, Live Wallpapers, Smart
    APUS Launcher: Theme, Call Show, Wallpaper, HideApps
    APUS Message Center: Intelligent management
    APUS Security: Antivirus, Phone security, Cleaner
    APUS Turbo Cleaner 2020: Junk Cleaner, Anti-Virus
    Arena of Valor: 5v5 Arena Games
    Art of Conquest: Dark Horizon
    Baidu
    Baidu Express Edition
    Beauty Camera Plus: Sweet Camera & Face Selfie
    Bike Racing: Moto Traffic Rider Bike Racing Games
    Buy Cars: offer everything you need, special offers and low prices
    CamCard: Business Card Reader
    CamCard Business
    CamCard for Salesforce
    CamOCR
    Carrom Friends: Carrom Board & Pool Game-
    Chief Almighty: First Thunder BC
    Chess Rush
    Cleaner: Phone Booster
    Creative Destruction NetEase Games
    Crusaders of Light NetEase Games
    Cut Cut: Cut Out & Photo Background Editor
    Cyber Hunter
    Cyber Hunter Lite
    Dank Tanks
    Dual Space: Multiple Accounts & App Cloner
    Dawn of Isles
    FaceU: Inspire your Beauty
    Fighting Landlords: Free and happy Fighting Landlords
    Gallery HD
    Gallery Vault: Hide Pictures And Videos
    Game of Sultans
    GO SMS Pro: Messenger, Free Themes, Emoji
    HD Camera: Beauty Cam with Filters & Panorama
    HD Camera Pro & Selfie Camera
    HD Camera Selfie Beauty Camera
    Hide App: Hide Application Icon
    Hi Meitu
    HUYA LIVE: Game Live Stream
    LifeAfter
    InNote
    iPick
    Kitty Live: Live Streaming & Video Live Chat
    Knives Out-No rules, just fight!
    Lamour Love All Over The World
    Learn Chinese AI-Super Chinese
    Legend: Rising Empire NetEase Games
    Little Q Album
    LivU Meet new people & Video chat with strangers
    Ludo All Star: Play Online Ludo Game & Board Games
    Ludo World-Ludo Superstar
    Mafia City Yotta Games
    Malay Social Dating App to Date & Meet Singles
    MARVEL Super War NetEase Games
    Message Lock (SMS Lock)-Gallery Vault Developer Team
    MICO Chat: New Friends Banaen aur Live Chat karen
    Mobile Legends: Pocket
    Mobile Taobao
    Murderous Pursuits
    Music: Mp3 Player
    Music player: Audio Player
    Music Player: Audio Player & 10 Bands Equalizer
    Music Player: Bass Booster – Free Download
    Music Player: MP3 Player & 10 Bands Equalizer
    MV Master: Make Your Status Video & Community
    MV Master: Best Video Maker & Photo Video Editor
    Netease News
    Onmyoji NetEase Games
    Parallel Space Lite: Dual App
    Penguin E-sports Live assistant
    Penguin FM
    Photo Gallery HD & Editor
    Photo Gallery & Album
    Pitu
    PUBG MOBILE Nordic Map: Livik
    PUBG MOBILE LITE
    Rangers Of Oblivion: Online Action MMO RPG Game
    Ride Out Heroes NetEase Games
    Rise of Kingdoms: Lost Crusade
    Road of Kings- Endless Glory
    Rules of Survival
    ShareSave by Xiaomi: Latest gadgets, amazing deals
    Sina News
    Small Q brush
    Smart AppLock (App Protect)
    Soul Hunters
    Super Clean – Master of Cleaner, Phone Booster
    Super Mecha Champions
    Tantan – Date For Real
    Tencent Watchlist (Tencent Technology)
    Tencent Weiyun
    Ulike – Define your selfie in trendy style
    U-Dictionary: Oxford Dictionary Free Now Translate
    Video Player All Format for Android
    Video Player: All Format HD Video Player
    VPN for TikTok
    VPN for TikTok
    VooV Meeting: Tencent Video Conferencing
    Warpath
    Web Browser: Fast, Privacy & Light Web Explorer
    Web Browser: Secure Explorer
    Web Browser & Fast Explorer
    WeChat reading
    Government WeChat
    WeChat Work
    Yimeng Jianghu-Chu Liuxiang has been fully upgraded
    Youku
    ZAKZAK Pro: Live chat & video chat online
    ZAKZAK LIVE: live-streaming & video chat app
    Z Camera: Photo Editor, Beauty Selfie, Collage

  • Google removes Android app that was used to spy on Belarusian protesters

    One of the images used to promote the malicious NEXTA LIVE app.

    Google has removed this week an Android app from the Play Store that was used to collect personal information from Belarusians attending anti-government protests.
    The app, named NEXTA LIVE (com.moonfair.wlkm), was available for almost three weeks on the official Android Play Store, and was downloaded thousands of times and received hundreds of reviews.
    To get installs, NEXTA LIVE claimed to be the official Android app for Nexta, an independent Belarusian news agency that gained popularity with anti-Lukashenko protesters after exposing abuses and police brutality during the country’s recent anti-government demonstrations.
    However, in a statement published on Telegram last week, Nexta said the app was not associated with its service and was designed to collect data from users and de-anonymize protest-goers.

    “Do not install under any circumstances. Warn your friends, maximum repost!,” Nexta staff wrote in their Telegram channel.
    Nexta also asked users to immediately uninstall the app from their devices, give the app a bad rating and review, and then report it to Google staff.
    App collected location data and device owner details
    This mass-reporting strategy worked, and the app was removed earlier this week. However, for many users, the damage is already done.
    According to a Belarusian security researcher — whom we will call S. for his protection and privacy — the app was designed for mass-harvesting purposes. In a summary analysis he shared with Nexta readers, S. said the app was designed to collect geolocation data, gather info on the device owner, and then upload the data to a remote server at regular intervals.
    Android malware researcher Gabriel Cîrlig, who ZDNet asked earlier today to also look at NEXTA LIVE, said the app appears to communicate with a domain hosted on a Russian IP address, at arcpi.nextialive.roimaster[.]site (89.223.89[.]47).
    Both the domain and IP address aren’t listed on any threat intelligence feeds, having no affiliations to previous malware campaigns, according to a search performed by ZDNet today.
    However, the same IP address previously hosted other suspicious-looking domains (i.e., hackappnewcrmuzbekistan.roimaster[.]site), which suggests there is more to this server than meets the eye.
    Nonetheless, a location-gathering feature has no place in a news-centered app, especially one that’s popular with anti-government protesters in a politically unstable country currently governed by an autocratic leader fighting to remain in power.
    While there is no official link between the fake Nexta app and the Minsk government, this would hardly be the first time that a government would try to spy on its citizens in the midst of anti-government protests, in attempts to identify protest-goers.
    Similar incidents happened in Venezuela and Iran in 2019, and even the US, earlier this year, during Black Lives Matter protests.
    Further, Belarusians are right to be wary of the app and its possible links to the local government: earlier this year Belarusian police raided the offices of ride-hailing companies Yandex and Uber, in what protesters described as an attempt to obtain ride location data in order to identify who participated in anti-government demonstrations.

  • Most consumers will trade their data for personalization

    We love personal service when shopping, but how much are we prepared to trade off for that truly customized online experience? And which parts of our private data are we willing to share, and why?

    San Francisco-based AI-powered personalization platform Formation.ai surveyed over 2,000 US customers in the first quarter of 2020 about their feelings toward brand loyalty.
    Its report, Brand Loyalty: the Need for Hyper-Individualisation, shows that personalization is critical to earning consumer loyalty in today’s competitive market.
    The majority of consumers only belong to between one and three loyalty programs, meaning a program must really deliver to make the cut for consumers.
    Almost four out of five (79%) of consumers agree that the more personalization tactics a brand uses, the more loyal they are to that brand. But for 77% of consumers, businesses are not doing enough to earn that loyalty.
    The report found that over four out of five (81%) of consumers are willing to share basic personal information for personalization and that 83% of consumers are more willing to share data if the brand is transparent about how it will be used.
    But consumers want to receive something in return. And loyalty programs could be the key. These programs could be the key to unlocking greater data personalization and building long-term loyalty.
    Four out of five (79%) consumers agree the more personalization tactics a brand uses, the more loyal they are to that brand.
    Three out of four (73%) said they’re more likely to engage with a brand that offers a loyalty program compared to one that does not.
    One out of five (20%) of consumers surveyed feel they receive marketing emails that “extremely frequently” feature content relevant to their specific lifestyle, interests, attitudes, or past purchases.
    A similar percentage (18%) reported receiving marketing emails that contain content so unique to their needs that they feel it recognizes them as individuals “extremely frequently.”
    But there is a trade-off between receiving hyper-personalized emails and privacy in some industries. In the healthcare sector, people are increasingly wary of losing their privacy.
    San Francisco, CA-based marketing analytics platform W2O’s Consumer Attitudes in Health Care Data Uses and Privacy surveyed over 1,000 consumers across the US before and during the COVID-19 pandemic. It wanted to understand whether consumers were comfortable with certain types of data being used in targeted advertising.
    The study showed that consumers demand transparency and visibility on how their data is being used. Seven out of 10 (70%) of respondents said that health data should either not be shared, or shared only with their permission, and that they should have the ability to opt-out — not in.
    Consumers also care most about the altruistic purposes of health data use. Half of those surveyed indicated that they would only want their health data shared if they knew it would be used to improve healthcare outcomes for others.
    As a result, organizations should clearly outline how they are sharing and using health data, and how it can advance public health.
    People are increasingly wary of losing their privacy and require more education on how their data is used.
    Companies need to be more transparent about how they use your data — whatever it is — to avoid the ultra-targeted message that leaves you convinced that you are being watched and targeted.

  • DNS-over-HTTPS (DoH) support added to Chrome on Android

    Google said today that Chrome for Android will soon support DNS-over-HTTPS (DoH), a protocol that encrypts and secures DNS queries to boost user privacy.
    DoH support has been available in desktop versions of the Chrome browser since May, with the release of Chrome 83; however, the feature was never added to the Android and iOS versions.
    In a short blog post today, Google said that it has now decided to enable the feature for Android users, where it will progressively enable DoH inside Chrome mobile browsers over the coming weeks.
    All users who have updated to Chrome for Android 85 will, at one point or another, see a new option in their browser’s settings, titled “Secure DNS.”

    Screenshot: Chrome’s “Secure DNS” settings (Image: Google)
    The Secure DNS option will be enabled by default for all users, and once turned on, Chrome will attempt to make DNS queries in an encrypted form (via DoH), where supported, and use classic plaintext DNS as a fallback.
    Under the hood, Google said the feature works identically to the desktop versions of Chrome, meaning that users don’t have to tinker with Android’s overall DNS settings.
    Instead, Chrome will use an internal list of DoH-capable DNS servers, and if the user has one configured as the OS-wide DNS setting, Chrome will use that server’s DoH interface instead of the default one, and replace plaintext DNS queries with encrypted DoH queries on the fly.
    In addition, for situations where users don’t want to change their Android device’s system-wide DNS server to one that supports DoH, Google also lets users customize Chrome’s DoH server just for their browser alone.
    Chrome users can do this by using the second option in the screenshot above, named “Choose another provider,” and add the IP address of the DNS server they want to use. Since this option is configured inside Chrome’s settings, it only applies to Chrome for Android, and not to the entire Android OS.
    Furthermore, Google says that Chrome for Android will also automatically disable DoH if it finds that the smartphone is part of a managed environment, such as those in corporate networks. On these types of networks, IT staff usually deploy enterprise-wide policies to control a company’s smartphone fleet for security reasons, and DoH might sometimes open users to attacks, which is why Google won’t force the setting in such tightly controlled environments.
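    To make the decision flow just described concrete, here is an added example (not Chrome’s code and not from the article) that models it in Python: the auto-upgrade lookup of the OS-configured resolver, the user-chosen provider, the plaintext fallback and the managed-device exception, plus the RFC 8484 GET encoding of the query that DoH actually sends. The upgrade table is an assumed subset of public resolvers; Chrome’s built-in list is larger.

```python
"""Model of the Chrome "Secure DNS" (DoH) behaviour described in the article.

Constructed example: the decision logic mirrors the article's description;
the query encoding follows RFC 8484 (DoH over HTTPS GET, base64url payload).
"""
import base64
import struct
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed subset of an auto-upgrade table: plaintext resolver IP -> the same
# operator's public DoH endpoint. Chrome's real list is longer and built in.
DOH_UPGRADE_TABLE = {
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}


@dataclass
class SecureDnsPlan:
    mode: str                # "doh" or "plaintext"
    target: str              # DoH URL template, or resolver IP for plaintext
    fallback: Optional[str]  # plaintext resolver used if the DoH attempt fails
    reason: str


def choose_resolver(os_resolver: str, managed: bool = False,
                    custom_template: Optional[str] = None,
                    secure_dns_enabled: bool = True) -> SecureDnsPlan:
    """Decide how a Chrome-style Secure DNS client resolves on this device."""
    if managed:
        # Enterprise-managed device: DoH is switched off, OS resolver is used.
        return SecureDnsPlan("plaintext", os_resolver, None,
                             "managed device: Secure DNS disabled")
    if not secure_dns_enabled:
        return SecureDnsPlan("plaintext", os_resolver, None,
                             "Secure DNS toggled off by the user")
    if custom_template:
        # "Choose another provider": applies to the browser only, not the OS.
        return SecureDnsPlan("doh", custom_template, os_resolver,
                             "user-selected DoH provider")
    template = DOH_UPGRADE_TABLE.get(os_resolver)
    if template:
        return SecureDnsPlan("doh", template, os_resolver,
                             "OS resolver auto-upgraded to its DoH endpoint")
    return SecureDnsPlan("plaintext", os_resolver, None,
                         "OS resolver has no known DoH endpoint")


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Single-question query with ID 0, as RFC 8484 recommends so that equal
    queries yield equal, cacheable GET URLs. 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(template: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: unpadded base64url of the wire query in 'dns='."""
    payload = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{template}?dns={payload.decode('ascii')}"


def resolve_with_fallback(plan: SecureDnsPlan, name: str,
                          send_doh: Callable[[str], object],
                          send_udp: Callable[[str, bytes], object]):
    """Issue the query per plan; if the DoH attempt raises, fall back to
    classic plaintext DNS. The transports are caller-supplied callables so
    the logic can be exercised offline."""
    query = build_query(name)
    if plan.mode == "doh":
        try:
            return "doh", send_doh(doh_get_url(plan.target, name))
        except Exception:
            if plan.fallback is None:
                raise
            return "plaintext", send_udp(plan.fallback, query)
    return "plaintext", send_udp(plan.target, query)
```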
    Google didn’t say when DoH was coming to Chrome for iOS; however, this is very likely a long way away, as Apple has only recently added support for the DoH protocol to iOS and macOS.

  • Backdoors left unpatched in MoFi routers

    Canadian networking gear vendor MoFi Network has patched only six of the ten vulnerabilities that security researchers reported to the company in May this year.
    Still unpatched are a command injection vulnerability and three hard-coded, undocumented backdoor mechanisms, all impacting the company’s line of MOFI4500-4GXeLTE routers.
    These devices are very powerful business routers that MoFi describes as “high performance mission critical enterprise rugged metal router made for businesses or customers.”
    MOFI4500-4GXeLTE routers provide high bandwidth connections to business users via LTE (4G) uplinks and are normally deployed by internet service providers or other companies that need to ensure internet access to remote business points where normal wired internet connections aren’t available.
    Ten security flaws discovered in MOFI4500-4GXeLTE routers
    In a report shared with ZDNet today, cyber-security firm CRITICALSTART says it discovered ten vulnerabilities in the firmware of MOFI4500-4GXeLTE routers earlier this year.
    The ten vulnerabilities covered a wide range of issues, each more serious than the last, all detailed in the table below.

    Table: the ten MOFI4500-4GXeLTE vulnerabilities (Image: CRITICALSTART)
    CRITICALSTART said it notified the MoFi security staff of the vulnerabilities, but when the company issued a firmware update earlier this year, it only included patches for six of the ten bugs.
    The four rows in yellow above represent the four vulnerabilities that MoFi has not (yet?) patched.
    Asked to comment on this report and why it didn’t patch the last four bugs, MoFi did not return a contact request sent yesterday via the company’s website.
    Exploitation is possible in some scenarios
    Since the list of bugs contains quite a few backdoors, one would expect that these bugs are quite attractive for botnet operators — and indeed they are.
    Exploiting the ten vulnerabilities only requires that an attacker have a direct line to the device’s web management interface, which CRITICALSTART says is accessible by default on all network interfaces — via both LAN (internal) and WAN (external).
    However, CRITICALSTART says that since many MOFI4500-4GXeLTE routers are employed by ISPs, some of these devices have some sort of minimal protection in place, blocking attackers from easy hacks.
    “Many Internet Service Providers (ISP) use Carrier Grade NAT which prevents direct access to the management interface from the Internet,” CRITICALSTART said.
    “This does not limit an attacker with access to the LAN interface or to the internal ISP network. In some cases, the vulnerability can be triggered indirectly by a user clicking a link or visiting a malicious web site.”
    For example, one such scenario of how these bugs could be exploited is via malicious code embedded inside ads. When an ISP employee or a customer on the ISP’s network accesses a website with one of these ads, the malicious code runs inside the browser (located in the ISP’s LAN) and hacks the MOFI4500-4GXeLTE router on behalf of the attackers.
    This means that preventing access to the router’s WAN management interface may not be a foolproof solution in the long run; eventually, a firmware update needs to be applied to patch the rest of the bugs and prevent future attacks.
    Because of the danger that these bugs pose, CRITICALSTART said it also notified US-CERT about its findings, and the organization appears to have worked behind the scenes on securing these devices.
    CRITICALSTART reached this conclusion after observing the number of internet-accessible MoFi devices go down by more than 40% over the summer, from 14,000 devices on June 25, to around 8,200 devices on August 25.
    “We suspect this is the result of US-CERT working with ISPs to restrict network access,” the CRITICALSTART research team said.

  • AWS introduces Bottlerocket: A Rust language-oriented Linux for containers

    Earlier this year, Linus Torvalds approved of adding drivers and other components written in Rust to Linux. Last week, at the virtual Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux kernel code. And now Amazon Web Services (AWS) has announced that its just-released Bottlerocket Linux for containers is largely written in Rust.

    Mozilla may have cut back on Rust’s funding, but with Linux embracing Rust after almost 30 years of nothing but C, Rust’s future is assured.
    Rust was chosen because it lends itself more easily to writing secure software. Samartha Chandrashekar, an AWS Product Manager, said it “helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities.” Many other developers agree with Chandrashekar.
    Bottlerocket also improves its security by using Device-mapper’s verity target. This is a Linux kernel feature that provides integrity checking to help prevent attackers from overwriting core system software, or other rootkit-type attacks. It also includes the extended Berkeley Packet Filter (eBPF). In Linux, eBPF is used for safe and efficient kernel function monitoring.
    This new Linux discourages administrative connections to production servers. The admin container runs Amazon Linux 2. It contains utilities for troubleshooting and debugging Bottlerocket and runs with elevated privileges. The goal is to make logging into an individual production Bottlerocket instance largely unnecessary except for advanced debugging and troubleshooting.
    To make sure that Bottlerocket instances are as secure as possible, they run with Security-Enhanced Linux (SELinux) in enforcing mode. This increases the isolation between containers and the host operating system.
    Normally when someone mentions SELinux, administrators fear they’ll have trouble running applications on it. AWS assures users that that’s not the case here. Besides security, Bottlerocket is also designed to be quick and easy to maintain.
    It does this, like other container-oriented Linux distributions such as Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS, by including the bare essentials needed to run containers. Many AWS partners already support their applications on Bottlerocket such as Datadog, Splunk, and Puppet.
    To administer Bottlerocket, initially, you’ll need to use Amazon Elastic Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS).
    Don’t think that Bottlerocket is just an AWS show. It’s not. Bottlerocket is an open-source project. GitHub hosts all its design documents, code, build tools, tests, and documentation. Besides its standard open-source elements, such as the Linux kernel and containerd container runtime, Bottlerocket’s own code is licensed under your choice of either the Apache 2.0 or the MIT license. If you modify Bottlerocket, you may use “Bottlerocket Remix” to refer to your builds in accordance with the policy guidelines.
    For AWS users, the attraction is, of course, that it’s an easy-to-use, secure container Linux for their favorite public cloud. As someone who has used Linux for decades, I find its use of Rust to be its most fascinating feature. For both cloud developers and Linux programmers, there are interesting times ahead.