More stories


    Okta and Auth0: A $6.5 billion bet that identity will warrant its own cloud

    Okta’s $6.5 billion purchase of Auth0 is based on the idea that there will be only a handful of clouds within companies in the years ahead. Identity will be one of those clouds joining functions like collaboration, CRM, infrastructure, HR and communication.
    That vision hasn’t played out just yet, but if it does the all-stock transaction that makes Auth0 a unit of Okta will look like a value. Okta estimates that its core workforce identity market is worth $30 billion and Auth0’s customer identity market is $25 billion. With more integration, signals and data, Okta with Auth0 can create new use cases.
    On a conference call, Okta CEO Todd McKinnon made the case that Auth0’s developer-first approach to identity rhymes with Twilio’s approach in communications and Stripe in payments. McKinnon said:
    We view a world where cloud adoption continues to proliferate and that 5-plus years from now, there will be just a few primary clouds that really matter inside an organization. These clouds might be for collaboration, CRM, infrastructure and ERP, for example. We firmly believe that identity will be one of these primary clouds. Identity is the connected tissue to all of the other primary clouds as it facilitates choice and flexibility while enhancing security and reducing risk in all other technologies.
    McKinnon added that Okta wants to be the standard in digital identity and Auth0 can accelerate that plan on many fronts.

    Analysts questioned the purchase at length on Okta’s fourth quarter earnings conference call, asking why the two companies would initially be run separately and about the competitive landscape. McKinnon said building internal identity systems remained the biggest competitor. However, Gartner’s Magic Quadrant for access management also highlights why Okta bulked up.

    There’s little question that Okta has thrived in the enterprise as it now has more than 10,000 customers, triple the tally from 4 years ago. And those customers are spending more money with Okta amid digital transformation, remote work and zero trust projects. But future growth for Okta required the parts to build out identity as a core cloud on its own. The concept is interesting considering Microsoft is a big rival to Okta but can bundle identity with other applications including Office 365.

    So why do the deal now (other than Okta shares make a great currency after a nice run in 2020)? Here are some moving parts.
    • Access management tools are likely to face “cost optimization for IT spending” in 2021, according to Gartner. By acquiring Auth0, Okta creates a larger total addressable market since identity and access management touches everything from security to user experiences and interfaces.
    • Auth0 also gives Okta a way to reach developers and extend its platform. Auth0 has a free plan and then developer versions for the B2C and B2B markets.
    • Okta’s customer base is largely in the US, but Auth0’s revenue is 40% international.
    • Auth0 brings a specialization in customer identity and access management as well as multiple integrations.
    • Okta has expanded into identity and access analytics based on usage patterns. Auth0 will bring new patterns as well as signals to analyze.
    Add it up and Okta and Auth0 make a promising pair, but like all mergers there’s what’s in the PowerPoint and then there’s the actual execution. The biggest question surrounding this deal is whether the tech ecosystem ultimately sees identity as an independent cloud.


    Maza Russian cybercriminal forum suffers data breach

    The Maza cybercriminal forum has reportedly suffered a data breach leading to the leak of user information. 
    On March 3, Flashpoint researchers detected the breach on Maza — once known as Mazafaka — which has been online since at least 2003. 
    Maza is a closed and heavily-restricted forum for Russian-speaking threat actors. The community has been connected to carding — the trafficking of stolen financial data and payment card information — and the discussion of topics including malware, exploits, spam, money laundering, and more. 
    Once the forum was compromised, the attackers who took the forum over posted a warning message claiming “Your data has been leaked / This forum has been hacked.”
    The leaked data included user IDs, usernames, email addresses, messenger app links (Skype, MSN, and AIM), and passwords, both hashed and obfuscated.
    Flashpoint told ZDNet roughly 2,000 accounts were exposed.
    In discussions of the breach, some users say they intend to move to another forum, whereas others claim the leaked database is old or “incomplete,” according to the researchers.

    Flashpoint does not know at this time who hijacked the forum, beyond the likelihood that an online translator may have been used to post the warning message — implying it may not have been a Russian-speaker unless mistakes were deliberate in an effort at misdirection. 
    Maza was previously hacked in 2011. Reports suggested at the time that the forum was compromised by a rival group, DirectConnection, and data belonging to over 2,000 users was leaked. Shortly after, DirectConnection was attacked in its turn. 

    Aleksei Burkov, who has been tied to the alias ‘Kopa,’ is thought to have served as an admin for both forums. Burkov was sentenced to nine years behind bars by US authorities in 2020 for operating the CardPlanet carding forum.
    In January, Russian forum Verified was taken over without warning. The introduction of new domains, temporary open registration, and the silence of old moderators has raised suspicion among some users as to the intentions of the new owners. 
    Users may be justified in such concerns, especially considering law enforcement is now posting ‘friendly’ warnings on hacking forums to discourage illegal activities. 
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Twitter and Twitch added to list of those concerned with Australia's Online Safety Bill

    Twitter and live streaming service Twitch have joined the mounting list of service providers, researchers, and civil liberties groups that take issue with Australia’s pending Online Safety Bill.
    The Bill, labelled “rushed” in various ways by many providing submissions to the committee now probing its contents, contains six key priority areas:
    • a cyberbullying scheme to remove material that is harmful to children;
    • an adult cyber abuse scheme to remove material that seriously harms adults;
    • an image-based abuse scheme to remove intimate images that have been shared without consent;
    • basic online safety expectations for the eSafety Commissioner to hold services accountable;
    • an online content scheme for the removal of “harmful” material through take-down powers; and
    • an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material.
    Of concern to both Twitter and Twitch is the absence of due regard to different types of business models and content types, specifically around the power given to the relevant minister to determine basic online safety expectations for social media services, relevant electronic services, and designated internet services.
    “In order to continue to foster digital growth and innovation in the Australian economy, and to ensure reasonable and fair competition, it is critically important to avoid placing requirements across the digital ecosystem that only large, mature companies can reasonably comply with,” Twitter said [PDF].
    Likewise, Twitch believes it is important to consider a sufficiently flexible approach that gives due regard to different types of business models and content types.
    “As evidenced by Australia’s own ongoing content classification review, classification is difficult and fluid,” it wrote [PDF].
    “Twitch is primarily focused on live, user-generated content, which is not submitted for classification. 

    “It is our experience that an enforcement approach based on comprehensive Community Guidelines is most effective for such diverse, interactive, and ephemeral content.”
    Twitter also took issue with the shortening of takedown times from 48 hours to 24 hours.
    It said given the vast types of content covered under the Bill, there may be frequent factors that necessitate a longer review period.
    “The shortened time frame will make it difficult to accommodate procedural checks on possible errors in reports, the removal of legitimate speech, and providing necessary user notices,” it said, commenting that if the idea is to protect the user, this should be understood by the government.
    Pointing to the eSafety Commissioner’s comment that, in administering the current content schemes, her office already sees prompt removal by online service providers once they are issued with a report, Twitter asked why it is necessary to further reduce and codify the turnaround time from 48 to 24 hours.
    “As currently drafted, the Bill essentially confers quasi-judicial and law enforcement powers to the eSafety Commissioner without any accompanying guidelines or guardrails around which cases would constitute grounds for the Commissioner to exercise these powers other than the very broad ‘serious harm’ definition,” Twitter noted.
    “Thus, the expansion of the eSafety Commissioner’s powers that are currently proposed under the Bill should be coupled with concomitant levels of oversight.”
    Also on the overreaching powers the eSafety Commissioner is set to get, Twitch said the Bill must be proportionate in the types of content for which notice non-compliance triggers upstream disruption.
    “The app and link deletion powers are appropriately reserved for issues relating to class 1 content. This same proportionate threshold should be replicated in the Commissioner’s power to apply for a Federal Court order, which currently applies to the entire online content scheme (including class 2),” Twitch explained.
    “The most substantial powers should be reserved for the worst content and limited to systemic non-compliance with class 1 notices.
    “Regardless of what threshold is selected, any scheme that justifies mandating the complete removal of a service on the basis of its non-compliance with notices should also take considerable steps to establish confidence that the service is demonstrating actual noncompliance, before proceeding to upstream disruption powers.”
    FACEBOOK WANTS PRIVATE MESSAGING OUT
    Consultation on the draft Bill received 370 submissions, according to Minister Paul Fletcher, but the department has only just begun making them public.
    In the first batch of submissions, hidden among the 52 marked as anonymous, Facebook provided its concern with three areas of the Bill, with one being the expansion of cyberbullying takedown schemes to private messaging.
    It said [PDF] extending the scheme to the likes of its Messenger app is a disproportionate response to bullying and harassment, given the existing protections and tools already available.
    “The eSafety Commissioner and law enforcement already have powers around the worst risks to online safety that can arise in private messages … [most services] provide tools and features to give users control over their safety in private messaging, like the ability to delete unwanted messages and block unwanted contacts,” Facebook wrote.
    “Despite the fact that existing laws allow the most serious abuses of private messaging to be addressed, the draft legislation extends regulatory oversight to private conversations between Australians. Whilst no form of bullying and harassment should be tolerated, we do not believe this type of scheme is suitable for private messaging.”
    The social media giant said human relationships can be very complex and that private messaging could involve interactions that are highly nuanced, context-dependent, and could be misinterpreted as bullying, like a group of friends sharing an in-joke, or an argument between adults currently or formerly in a romantic relationship.
    “It does not seem clear that government regulation of these types of conversations is warranted, given there are already measures to protect against when these conversations become abusive,” it said.
    “Moreover, the policy rationale of the Australian government’s cyberbullying scheme for social media does not apply in the same way to private messaging. Bullying over private messaging cannot go viral in the same way as a piece of bullying content on a public social media platform; and regulators will rarely have the full context to determine whether a private conversation genuinely constitutes bullying.”
    While Facebook’s submission to the inquiry is yet to be published, the company highlighted that what it prepared in its draft response echoed much of what it submitted at the start of the Bill’s initial consultation, as the draft was near identical to the original consultation paper.
    The Bill before Parliament remains mostly unchanged, too.


    High severity Linux network security holes found, fixed

    Young and rising Linux security developer Alexander Popov of Russia’s Positive Technologies discovered and fixed a set of five security holes in the Linux kernel’s virtual socket implementation. An attacker could use these vulnerabilities (CVE-2021-26708) to gain root access and knock out servers in a Denial of Service (DoS) attack.

    With a Common Vulnerability Scoring System (CVSS) v3 base score of 7.0, high severity, smart Linux administrators will patch their systems as soon as possible. 
    While Popov discovered the bugs in Red Hat’s community Linux distribution Fedora 33 Server, they exist in any system running a Linux kernel from November 2019’s version 5.5 through the current mainline kernel version 5.11-rc6.
    These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VMs) and their host. It’s commonly used by guest agents and hypervisor services that need a communications channel independent of the VM’s network configuration. As such, people who are running VMs in the cloud, which is pretty much everyone these days, are especially exposed.
    The core problem is race conditions in the CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS kernel drivers, which all major Linux distributions ship as kernel modules. What makes this so serious is that the vulnerable modules are loaded automatically whenever an ordinary, unprivileged user creates an AF_VSOCK socket, so the flawed code is reachable even on systems that never deliberately use vsock. A race condition exists when a system’s substantive behavior depends on the sequence or timing of events it does not control.
    Popov said, “I successfully developed a prototype exploit for local privilege escalation on Fedora 33 Server, bypassing x86_64 platform protections such as SMEP and SMAP. This research will lead to new ideas on how to improve Linux kernel security.”
    In the meantime, Popov also prepared the patch and revealed the vulnerabilities to the Linux kernel security team. Greg Kroah-Hartman, the stable Linux kernel chief maintainer, accepted the patches into Linux 5.10.13 on February 3. Since then the patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.

    The patch has also already been incorporated into such popular Linux distributions as Red Hat Enterprise Linux (RHEL) 8, Debian, Ubuntu, and SUSE.
    This is far from the first time Popov discovered and fixed Linux kernel vulnerabilities. Previously, he’s found and repaired CVE-2019-18683 and CVE-2017-2636. Keep up the good work, Popov! 


    Ursnif Trojan has targeted over 100 Italian banks

    The Ursnif Trojan has been traced back to attacks against at least 100 banks in Italy. 

    According to Avast, the malware’s operators have a keen interest in Italian targets and attacks against these banking institutions have led to the loss of credentials and financial data.
    The cybersecurity firm said on Tuesday that at least 100 banks have been targeted, based on information gathered by the researchers. 
    In one case alone, an unnamed payment processor had over 1,700 sets of credentials stolen. 
    Avast found usernames, passwords, credit card, banking, and payment information that appears to have been harvested by the malware. 
    First discovered in 2007, Ursnif began its journey as a simple banking Trojan. The information stealer’s code was leaked on GitHub and has since evolved and become more sophisticated, with its code being developed independently and also appearing as part of the Gozi banking malware.
    Ursnif is usually spread via phishing emails — such as invoice requests — and attempts to steal financial data and account credentials. 

    Darktrace researchers documented a 2020 campaign in which the malware was used in an attack against a US bank. A phishing email was sent to an employee who unwittingly opened a malicious attachment and downloaded an executable disguised with a .cab extension.
    This file called out to command-and-control (C2) servers registered in Russia only a day prior to the launch of the campaign — and, therefore, the IPs were not blacklisted at the time of infection. A recent obfuscation technique noted in this attack was the use of User Agents imitating Zoom and Webex to try and hide in network traffic.
    Darktrace has also tracked the malware in attacks against organizations in the US and Italy. 
    Avast has shared its findings with the victim banks the company was able to identify, alongside CERTFin Italy, a financial services data exchange managed by the Bank of Italy and the Italian Banking Association (ABI).


    Google takes next steps towards 'privacy-first' web devoid of third-party cookies

    Google is opening up its alternative ad-targeting tool for public tests, taking its next steps towards creating a “privacy-first” online world devoid of third-party cookies and with stronger controls over how personal data should be collected and used. It hopes the tests will offer deeper insights on how well the interest-based targeting tool will work in diverse regions such as Asia.
    Fuelled by a goal to deliver more relevant ads to consumers, businesses worldwide had been collecting voluminous user data typically via third-party cookies. This had eroded consumer trust, David Temkin, Google’s director of product management for ads privacy and trust, said in a blog post Wednesday.
    Citing research from the Pew Research Center, Google said 72% of consumers believed almost everything they did online was tracked by advertisers, tech companies, and other organisations. Another 81% said the potential risks they faced from data collection outweighed the benefits.
    In fact, 40% would stop buying services from a company over privacy concerns and there had been a 50% spike year-on-year in searches for online privacy.
    Temkin said: “If digital advertising doesn’t evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.”
    This pushed the US tech giant to put together a two-year plan to phase out third-party cookies, which included working with industry players, publishers, and marketers on its Privacy Sandbox initiative to come up with tools that could strike a better balance between user privacy and ad revenue.

    Excluded from such efforts were any attempts to build alternative identifiers to track users as they browsed the web, he said, stressing that Google had no plans to use these in its products.
    “Instead, our web products will be powered by privacy-preserving APIs that prevent individual tracking while still delivering results for advertisers and publishers,” he added. “People shouldn’t have to accept being tracked across the web in order to get the benefits of relevant advertising and advertisers don’t need to track individual consumers across the web to get the performance benefits of digital advertising.”
    In particular, Google believes a technology it built offered a viable alternative to third-party cookies by grouping or “hiding” individuals amongst large crowds of people who shared similar interests.
    Called Federated Learning of Cohorts (FLoC), the platform removed the need for individual identifiers whilst still enabling brands to reach people with relevant content and ads by targeting clusters of people with common interests. It would help keep an individual’s web history private.
    Google said its tests so far indicated that FLoC yielded a conversion rate of at least 95% for every ad dollar, compared to cookie-based advertising. Results varied according to the clustering algorithm the FLoC used and types of audience targeted. 
    Asked whether it would work as well in diverse markets such as Asia, Google told ZDNet that this was what it now hoped to determine by opening up the tool for pilots.
    The US tech giant said it would release FLoC for developer trials later this month, before extending the tests to include advertisers on Google Ads next quarter.
    In addition, it would introduce its first iteration of new user controls next month with simple “on/off” options in its Chrome 90 release, with plans to expand these controls in future releases.
    Commenting on scepticism that these efforts simply were attempts to create a walled garden, Google noted that it, too, would be impacted by the change since several of its own products including Google Ads and Display & Video 360 tapped cookies.
    It added that Chrome had a responsibility to protect the privacy of its users as they accessed content via the web browser and, at the same time, believed in an ad-supported ecosystem. It said both could be achieved by working with advertisers, brands, and industry players to roll out alternative technology that did not track individuals.
    It acknowledged that some organisations could continue to circumvent efforts to do so, for example, by using fingerprinting and other tracking devices to identify individuals.
    It urged brands to build on their first-party data as a way to improve their engagement with consumers. Citing its commissioned research with Boston Consulting Group, Google said brands in Asia that used first-party data to create personalised experiences achieved on average 11% higher incremental annual revenue and 18% more cost savings.
    It added that organisations could still deliver personalised engagement through contextual-based ads, tapping anonymised and first-party data and without impacting user privacy. 
    Temkin said: “Developing strong relationships with customers has always been critical for brands to build a successful business and this becomes even more vital in a privacy-first world. We will continue to support first-party relationships on our ad platforms for partners, in which they have direct connections with their own customers, and we’ll deepen our support for solutions that build on these direct relationships between consumers and the brands and publishers they engage with.”
    He added that third-party cookies and any technology that tracked individuals should be eradicated to maintain an “open and accessible” internet in which user privacy was safeguarded.  
    Temkin said: “There is no need to sacrifice relevant advertising and monetisation in order to deliver a private and secure experience.”
    Google noted that cookies-based ad delivery would continue to be used on its platforms until next year, after its new tools were fully tested and ready for rollout.


    Microsoft account hijack vulnerability earns bug bounty hunter $50,000

    Microsoft has awarded a bug bounty hunter $50,000 for disclosing a vulnerability leading to account hijacking. 

    In a blog post on Tuesday, researcher Laxman Muthiyah said the security flaw could “have allowed anyone to take over any Microsoft account without consent [or] permission.” 
    However, as noted in a discussion concerning the report, this may only apply to consumer accounts.
    Muthiyah previously found an Instagram rate limiting bug that could lead to account takeover and applied the same tests to Microsoft’s account protections. 
    In order to reset a password for a Microsoft account, the company requires an email address or phone number to be submitted through a “Forgotten Password” page. A seven-digit security code is then sent as a method of verification and needs to be provided in order to create a new password. 
    Utilizing a brute-force attack to obtain the seven-digit code would lead to password resets without the account owner’s permission. However, to stop these attacks in their tracks, rate limits, encryption, and checks are imposed. 
    After examining Microsoft’s defenses, Muthiyah was able to “work out” the company’s encryption and “automate the entire process from encrypting the code to sending multiple concurrent requests.”

    An experiment involved 1000 code attempts being sent but only 122 were processed — whereas the others resulted in an error and further requests from the test account were blocked. 
    By sending simultaneous requests, however, the bug bounty hunter was able to circumvent both encryption and the blocking mechanism — as long as there was no delay in requests, as even a few “milliseconds” was enough for requests to be detected and blacklisted, according to the researcher.
    Muthiyah was able to tweak his attack by way of parallel processing, which sends all requests at the same time without any delay, and successfully obtain the correct code. 
    However, in real-world scenarios, this attack vector is not a simple one. To bypass one seven-digit code would take heavy computing power, and if combined with the need to also break an accompanying 2FA code — when this feature is enabled on a target Microsoft account — this could require millions of requests in total. 
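    The defender-side counterpart of the failure mode described above, added here as an example and not code from Microsoft or the researcher: a reset-code verifier whose attempt counter is reserved inside one critical section before the submitted code is compared, so that a burst of simultaneous requests cannot all observe a count below the limit. The weak pattern is to read the counter, compare the code, and only then record the attempt; that leaves a window in which concurrent requests all pass the check. The seven-digit code, the five-attempt limit, the constructed burst of 1000 wrong guesses, and the names `ResetCodeVerifier`, `burst` and `demo` are assumptions for this example.

```python
"""Race-safe verification of a password-reset security code (added example)."""
from __future__ import annotations

import hmac
import threading
from collections import Counter
from concurrent.futures import ThreadPoolExecutor


class ResetCodeVerifier:
    """Holds one issued code and enforces an attempt budget atomically.

    Assumed policy values: a 7-digit code and max_attempts=5. The name and
    structure are this example's own, not Microsoft's implementation.
    """

    def __init__(self, expected_code: str, max_attempts: int = 5) -> None:
        self._expected = expected_code.encode()
        self._max_attempts = max_attempts
        self._attempts = 0
        self._locked = False
        self._lock = threading.Lock()

    def verify(self, candidate: str) -> str:
        """Return "ok", "wrong" or "locked" for one submitted code.

        Reading the counter, reserving the attempt and comparing the code all
        happen inside a single critical section. Two concurrent calls can
        therefore never both see attempts == max_attempts - 1 and both get to
        compare; the weak check-then-record ordering is what allows that.
        """
        with self._lock:
            if self._locked:
                return "locked"
            if self._attempts >= self._max_attempts:
                self._locked = True      # budget spent: a new code must be issued
                return "locked"
            self._attempts += 1          # reserve the attempt *before* comparing
            if hmac.compare_digest(self._expected, candidate.encode()):
                self._locked = True      # single use: consume the code on success
                return "ok"
            return "wrong"

    @property
    def attempts(self) -> int:
        with self._lock:
            return self._attempts


def burst(verifier: ResetCodeVerifier, candidates: list[str], workers: int = 64) -> Counter:
    """Submit every candidate concurrently and tally the outcomes.

    This simulates the "all requests at once" traffic pattern the article
    describes, from the server's point of view.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(verifier.verify, candidates))
    return Counter(results)


def demo() -> tuple[Counter, str, str]:
    # Constructed sample input: 1000 wrong 7-digit codes fired in parallel.
    wrong_codes = [f"{n:07d}" for n in range(1000)]
    v = ResetCodeVerifier("4815162", max_attempts=5)
    tally = burst(v, wrong_codes)       # expected: 5 "wrong", 995 "locked", no "ok"

    # A fresh verifier: the right code succeeds exactly once, then is consumed.
    v2 = ResetCodeVerifier("4815162", max_attempts=5)
    first, second = v2.verify("4815162"), v2.verify("4815162")
    return tally, first, second


if __name__ == "__main__":
    tally, first, second = demo()
    print(dict(tally), first, second)
```

    The property worth keeping from this design is that the limit is enforced on the number of attempts the server has *committed to*, not on the number it has finished evaluating; whether the counter lives in a process-local lock as here or in an atomic increment on a shared store, it must be reserved before the comparison runs, and a correct code must be consumed so that it cannot be replayed.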
    Muthiyah reported his findings and sent Microsoft a Proof-of-Concept (PoC) video as evidence. The bug bounty hunter said that the tech giant was “quick in acknowledging the issue” and a patch was issued in November 2020. 
    The vulnerability was assigned a severity rating of “important” by Microsoft — due to the complexity of triggering exploits through the bug — and was described as an “elevation of privilege (including multi-factor authentication bypass),” according to an email screenshot shared by Muthiyah. 
    The bug bounty award of $50,000 was issued on February 9 via the HackerOne bug bounty platform, a partner for distributing rewards. Microsoft offers between $1,500 and $100,000 for valid bug reports. 
    “I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue,” Muthiyah commented.
    The Microsoft Security Response Center thanked the researcher for his findings. 
    In related Microsoft news, the Redmond giant has recently issued emergency patches to address four zero-day vulnerabilities impacting Exchange Server. 
    ZDNet has reached out to Microsoft for further comment and will update when we hear back. 


    Google patches actively exploited Chrome browser zero-day vulnerability

    Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.

    The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.” 
    Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.  
    Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, a second object lifecycle issue in audio, and CVE-2021-21163, an insufficient data validation issue in Reader Mode.
    The tech giant has not revealed further details concerning how CVE-2021-21166 is being exploited, or by whom. 
    Google’s announcement, published on Tuesday, also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available. 
    The Chrome 89.0.4389.72 release also contains a swathe of other security fixes and browser improvements. In total, 47 bugs have been patched, including a high-severity heap buffer overflow in TabStrip (CVE-2021-21159), another heap buffer overflow in WebAudio (CVE-2021-21160), and a use-after-free issue in WebRTC (CVE-2021-21162). A total of eight vulnerabilities are considered high-severity.

    “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
    On February 4, Google pushed out a fix for CVE-2021-21148, a heap buffer overflow in the Chrome V8 JavaScript engine which is also being actively exploited. This high-severity security flaw was reported by Mattias Buelens on January 24. 
    This week, Microsoft released urgent updates for four zero-day vulnerabilities in Exchange Server. Microsoft says the bugs are being exploited in “limited targeted attacks” and is urging users to update as quickly as possible. 
