More stories

  • NSA whistleblower Edward Snowden granted permanent residency in Russia

    NSA whistleblower Edward Snowden received permanent residency rights from the Russian government, Snowden’s lawyer, Anatoly Kucherena, said on Thursday.
    The 37-year-old former NSA analyst has been living in Russia on a temporary residency since June 2013.
    According to Russian state news agency TASS, which first broke the story today, Snowden’s temporary residency permit had expired in April this year but was automatically extended throughout the summer due to delays in government bureaucracy caused by the COVID-19 pandemic.
    Kucherena said that despite obtaining a permanent residency permit this week, Snowden does not plan to request Russian citizenship.
    Snowden fled to Russia, via Hong Kong, in 2013, after exposing the NSA’s mass surveillance program with the help of US and UK reporters.
    He was charged in the US with two counts of espionage.
    President Trump floated a potential pardon this summer, saying in an interview that the former NSA analyst was “not being treated fairly” for his role in exposing the NSA’s surveillance program, which targeted and spied on Americans, foreigners, and world leaders alike.
    However, despite President Trump’s remarks, the White House did not take any steps towards pardoning Snowden, who still remains a vilified figure in the US intelligence community.
    If Snowden returns to the US without a pardon he risks up to 20 years in prison, if tried and found guilty.

  • Snyk to automatically check Docker Official Images for security problems

    I love containers. You love containers. We all love containers. But our love for them blinds us to the fact that we often don’t really know what’s running within them. In 2019, Snyk, an open-source security company, found that the “top 10 most popular Docker images each contain at least 30 vulnerabilities.”

    Ouch. 
    Snyk wasn’t talking about security problems with container technology itself. Those problems, like 2019’s security hole in runc, the Docker and Kubernetes container runtime, do exist, and they’re serious. But far more common are insecure applications within containers.
    Now, Snyk and Docker are partnering up to find and eliminate security problems in the Docker Official Images. 
    The 166 Docker Official Images are wildly popular with users. These range from popular open-source databases such as PostgreSQL, to key-value stores such as Redis, to operating systems such as Ubuntu Linux. More than 25% of all images downloaded from the Docker Hub come from this curated collection of Docker container images. These popular containerized building blocks are designed to provide a common starting point for cloud-native programs and services.
    Snyk adds security insight to Official Images. This makes vulnerability risk assessment part of the Official and Certified Images selection process. In short, you can now be reasonably sure that, when you download a containerized program from the Official Images collection, you’re getting software that’s free of any known security holes. 
    Snyk scanning is also integrated into the Docker Desktop and Docker Hub. With this, you can incorporate vulnerability assessment along each step of your own container development and deployment process. This streamlines your efforts to deploy secure applications.
    At Snyk’s virtual conference SnykCon 2020, Docker CEO Scott Johnston said: “Developers build from Docker’s Official Images because they want the assurance of knowing the images are up-to-date and are well maintained. With Snyk security insights for Docker Official Images, simplified workflows designed for developer-first security is now a foundational part of a developer’s toolbox to seamlessly create and ship more applications with confidence.”
    Snyk CEO Peter McKay added: “While containers deliver scalability and agility, they create new security challenges that can’t be addressed with traditional solutions, especially ones that don’t naturally fit into the developer workflow. . . Recent Snyk research shows that only 41% of application development teams are scanning all of their containers for vulnerabilities. Embedding Snyk’s developer-first security into Docker images delivers robust, end-to-end security to millions of developers.”   

  • EU sanctions Russia over 2015 German Parliament hack

    The European Union has imposed sanctions today against Russia for its involvement in the 2015 German Parliament (Bundestag) hack.

    Sanctions were levied against the GRU (Russian Main Intelligence Directorate), a military intelligence agency that is part of the Russian Army, and two of its officers.
    The two GRU officers were identified as Dmitry Badin and Igor Kostyukov.
    EU officials said Badin was part of a team of Russian military intelligence officers who hacked the Bundestag IT network between April and May 2015.
    “This cyber-attack targeted the parliament’s information system and affected its operation for several days,” the EU said today. “A significant amount of data was stolen and the email accounts of several MPs as well as of Chancellor Angela Merkel were affected.”
    Kostyukov was sanctioned for his role as First Deputy Head of the GRU.
    EU officials said Kostyukov commands the 85th Main Centre for Special Services (GTsSS), also known as Military Unit 26165, but more commonly known in the cyber-security industry under the hacker codenames of APT28, Fancy Bear, Sofacy, or Strontium.
    German authorities have been pushing for official EU sanctions against Russia for the 2015 hack since earlier this year when they filed official charges against Badin.
    Russian authorities said Germany never provided any evidence in regards to the 2015 Bundestag hack and the Badin charges, accusing the Berlin government of chasing sanctions rather than actually wanting to get the GRU officer in a court of law.
    Badin was also charged in the US for a long string of hacks while part of APT28, such as cyber-attacks against the World Anti-Doping Agency (WADA) and the Organisation for the Prohibition of Chemical Weapons (OPCW), and for involvement in US political disinformation efforts.
    Today’s announcement is the second wave of sanctions imposed against Russian hackers by the EU this year.
    Brussels officials sanctioned four GRU officers at the end of July for the attempted hack of the OPCW WiFi network. Sanctions were also levied against Chinese and North Korean hackers.
    The sanctions consist of a travel ban and an asset freeze. EU citizens and businesses are prohibited from engaging in transactions with any sanctioned entities.

  • Firefox 'Site Isolation' feature enters user testing, expected next year

    Site Isolation is a modern browser security feature that works by separating each web page and each iframe into its own operating system process in order to prevent sites from tampering with or stealing each other’s data.
    The feature was first deployed with Google Chrome in mid-2018, with the release of Chrome 67.
    Although Site Isolation was initially meant to be deployed as a general improvement to Chrome’s security posture, the feature came just in time to serve as a protective measure against the Spectre vulnerability impacting modern CPUs.
    Seeing the feature’s success, Mozilla also announced plans to support it with the Firefox browser in February 2019, as part of an internal project codenamed Fission.
    For both Google and Mozilla, implementing Site Isolation was a time-consuming operation, requiring engineers to re-write large chunks of their browsers’ internal architecture.
    The process took about two years for both Google and Mozilla.
    While Site Isolation is now a stable feature inside Chrome, the work is only now nearing completion inside Firefox.
    According to an update to the Project Fission wiki page, Site Isolation can now be enabled inside versions of Firefox Nightly, the Firefox version where new features are tested.
    To enable it, Firefox users must:
      • Access the about:config page.
      • Set the “fission.autostart” and “gfx.webrender.all” prefs to “true”.
      • DO NOT edit any other “fission.*” or “gfx.webrender.*” prefs.
      • Restart Firefox Nightly.

    Once enabled, users can test if Site Isolation is active by hovering their mouse over a Firefox tab. If enabled, the tooltip will show the [F] indicator that Fission is active, along with the PID — the OS process ID for each Firefox tab.
    According to Mozilla, Site Isolation has been in testing since September and is expected to reach the stable branch in the first half of 2021, with the feature currently being tested by extension developers to ensure that Firefox add-ons aren’t affected by the upcoming changes.
    According to the Fission wiki page, once activated for all users, Site Isolation will increase the amount of memory Firefox uses, but Firefox devs are currently working on reducing this memory footprint as much as possible, so that Fission doesn’t impact the browser’s overall performance.

  • Prep for industry-standard cybersecurity certification exams with this $49 bundle

    The number of data breaches seems to increase year to year, and it doesn’t look like it’s going to slow down anytime soon. Luckily, that means the demand for cybersecurity professionals is at an all-time high, and without an adequate supply of skilled workers, pursuing a career in cybersecurity can earn you an excellent living. 

    There’s no better time to enter the cybersecurity industry, but you won’t be able to land these roles without the proper certifications. On top of that, there are countless career paths cybersecurity professionals can take, such as security auditing or information risk management.  If you’re looking to take your IT career to the next level, this $49 6-course bundle is a great way to build your skillset and land the roles that will lead you towards a successful career in cybersecurity.
    The Advanced Cyber Security Career Advancement Bundle features six courses to prepare you for industry-standard certifications that will lay the foundations for your career. The first course you should tackle is Introduction to Cyber Security, which provides a foundational look at the current cybersecurity landscape and the tools used to evaluate and manage security protocols.
    You’ll want to earn a proper cert once you’re more experienced. A CISM Certification is highly recommended as it endorses your skills in enterprise information security, which is covered in this bundle’s fifth course. Alternatively, a CCSP Certification is an excellent option if you’re interested in cloud security, and this content is covered in the third course. 
    There is no single cybersecurity career path that will apply to everyone. Once you have several years of experience on your resume, you’ll want to specialize in an area that you enjoy working in. Either way, your skills will be in demand, and companies are willing to pay handsomely for them. The Advanced Cyber Security Career Advancement Bundle costs $4,500 at list price, but you can get all six courses for just $99 with this 98% off deal.

  • New Windows RAT can be controlled via a Telegram channel

    Security researchers have discovered a new remote access trojan (RAT) being advertised on Russian-speaking underground hacking forums.

    Named T-RAT, the malware is available for only $45, and its primary selling point is the ability to control infected systems via a Telegram channel, rather than a web-based administration panel.
    Its author claims this gives buyers faster and easier access to infected computers from any location, allowing threat actors to activate data-stealing features as soon as a victim is infected, before the RAT’s presence is discovered.
    For this, the RAT’s Telegram channel supports 98 commands that, when typed inside the main chat window, allow the RAT owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via webcam, and retrieve clipboard contents.
    Furthermore, T-RAT owners can also deploy a clipboard hijacking mechanism that replaces strings that look like cryptocurrency and digital currency addresses with alternatives, allowing the attacker to hijack transactions for payment solutions like Qiwi, WMR, WMZ, WME, WMX, Yandex money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin, and Tron.
    In addition, the RAT can also run terminal commands (CMD and PowerShell), block access to certain websites (such as antivirus and tech support sites), kill processes (security and debug software), and even disable the taskbar and the task manager.
    Secondary command and control systems are available via RDP or VNC, but the Telegram feature is the one advertised to buyers, mainly because of the ease of installation and use.

    Telegram becoming popular as a malware C&C channel
    Although the capabilities of many RATs are often inflated in their ads, T-RAT’s capabilities were confirmed in an analysis by G DATA security researcher Karsten Hahn.
    Speaking to ZDNet, Hahn said T-RAT is just the latest in a string of recent malware families that come with a control-by-Telegram capability.
    The use of Telegram as a command and control system has been trending up in recent years, and T-RAT isn’t even the first RAT to implement such a model.
    Previous ones include RATAttack (uploaded and removed from GitHub in 2017, targeted Windows), HeroRAT (used in the wild, targets Android), TeleRAT (used in the wild against Iranians, targets Android), IRRAT (used in the wild, targets Android), RAT-via-Telegram (available on GitHub, targets Windows), and Telegram-RAT (available on GitHub, targets Windows).
    Distribution vector remains unknown
    For now, the threat from T-RAT is relatively low. It usually takes a few months before threat actors learn to trust a new commercial malware strain; however, Hahn believes the RAT is already gaining a following.
    “There are regular uploads of new T-RAT samples to VirusTotal,” Hahn told ZDNet. “I would assume it is in distribution but have no further evidence of it.”
    But T-RAT isn’t the only new RAT offered for sale these days. According to Recorded Future, there’s another new RAT advertised on hacking forums called Mandaryna.

  • SEC issues Kik $5 million penalty over illegal cryptocurrency offering

    The US Securities and Exchange Commission (SEC) has issued a $5 million penalty against Kik for launching an illegal ICO and breaking securities laws. 

    On Wednesday, the US regulator said that the US District Court for the Southern District of New York has entered a final judgment against Kik Interactive to lay a case to rest that has been in motion since 2019.
    Last year, SEC alleged that the Canada-based messaging platform had conducted an illegal securities offering, selling “Kin” tokens, which must be registered if included in an Initial Coin Offering (ICO). 
    ICOs are an alternative method to raise investment into projects and have, on the whole, become associated with the cryptocurrency and blockchain space. Rather than pouring traditional, fiat currency into a startup, ICOs offer virtual coins or assets to investors.
    While many organizations conduct and register ICOs correctly and legitimately, regulators have clamped down on these events in light of countless exit scams that have left investors out of pocket. 
    SEC has previously claimed that Kik did not register the Kin ICO before it took place in 2017, and furthermore, the Kik team apparently knew the company would run out of money in the same year. SEC says that over $55 million was raised through the coin offering, of which $100 million in securities were on offer. 
    The Kin token is currently worth $0.000011. 
    SEC said that the “court granted the SEC’s motion for summary judgment on September 30, 2020, finding that undisputed facts established that Kik’s sales of “Kin” tokens were sales of investment contracts, and therefore of securities, and that Kik violated the federal securities laws when it conducted an unregistered offering of securities that did not qualify for any exemption from registration requirements.”
    To resolve the matter, the final judgment requires Kik to inform the SEC of any future issuances of digital assets for the next three years and to pay a $5 million penalty.
    “This has been a long, expensive, and public battle between Kik and the SEC,” Kik said. “Although we respectfully disagree with Judge Hellerstein’s analysis in his ruling and were prepared to pursue an appeal, the SEC offered settlement terms that allow us to put this behind us and focus on our mission. We look forward to an exciting future for the Kin ecosystem and the millions of mainstream consumers who earn and spend Kin every month.”
    Ted Livingstone, the founder of the Kik Foundation and Kik chief executive, said on Twitter that the judgment resolves all matters between SEC and Kik, adding: “there will be many more challenges ahead, but it is exciting to put this chapter behind us.”

  • eSafety thinks identity verification for social media would be impractical

    Australian eSafety Commissioner Julie Inman-Grant has rejected the practicality of a know your customer-type regime for social media companies to verify the identities of their users.
    Addressing Senate Estimates on Wednesday night, Inman-Grant said such a regime works in the banking industry as it has been heavily regulated for many years, particularly around anti-money laundering.
    “It would be very challenging, I would think, for Facebook for example to re-identify — or identify — its 2.7 billion users,” she said. “How do they practically go back and do that and part of this has to do with how the internet is architected.”
    While she admitted it was not impossible, she said it would create a range of other issues and that removing the ability for anonymity or to use a pseudonym is unlikely to deter cyberbullying and the like.
    “In a lot of the adult trolling that we see … [characteristics of a troll] is often high self-esteem, sadism, and masochism — there are a lot of trolls that aren’t interested in hiding their identity at all,” Inman-Grant explained. “It’s not always going to be a deterrence.”
    Similarly, she said, if the social media sites were to implement a “real names” policy, it wouldn’t be effective given the way the systems are set up.
    “I would also suspect there would be huge civil libertarian pushback in the US,” she added.
    “I think there are incremental steps we could make, I think totally getting rid of anonymity or even [the use of] pseudonyms on the internet is going to be a very hard thing to achieve.”
    “I want to be pragmatic here about what’s in the realm of the possible, it would be great if everyone had a name tag online so they couldn’t do things without [consequence].”
    What is hindering her department’s investigations, Inman-Grant said, is not having access to information on the source of instances such as cyberbullying.
    “When we want to issue an infraction or an infringement notice — if we don’t know where we can [put] that notice to or who that person is on the other end, that’s challenging and at the moment, because most of the major social media sites are domiciled in the US, they will only allow law enforcement under warrant … we as a regulator are not entitled currently to that,” she said.
    “If erasing anonymity is your goal, we also have to ask to what end, I don’t think it will end all online abuse on the internet but it might go some way,” she later added.