More stories


    Become a cybersecurity master with this ethical hacking bundle, only $42.99

    Hackers have been exaggerated to the point of parody in action movies and pop media, but one thing depictions of hacking got right is how useful a skill it is. Cybersecurity is one of the largest growing industries, and as more and more businesses rely more heavily on online services, the need for experts in the field will only increase. For those who want to take the leap into the cybersecurity industry while it’s booming, there is The All-In-One 2021 Super-Sized Ethical Hacking Bundle, a comprehensive course on coding, ethical hacking, and programming for only $42.99. 

    The All-In-One 2021 Super-Sized Ethical Hacking Bundle is your key to new, marketable expertise in an industry that is fast becoming essential. With this 18-course bundle, you’ll get access to over 100 hours of instruction on coding with Python, introductory and advanced ethical hacking practices, and marketable experience in cybersecurity. 
    If you’re taking every opportunity to make yourself a competitive candidate in IT and cybersecurity, then this bundle is the ideal match for your skills and ambition. All lessons come with lifetime access and are taught by experts in the field like Aleksa Tamburkovski, a Penetration Tester with over 5 years of experience in Ethical Hacking and cybersecurity who has worked and discovered vulnerabilities for multiple companies and governments.
    With this bundle, you will learn to code with Python, hack systems and mobile devices, master server security, and pick up useful Linux tips, tricks, and techniques that you can use to impress future employers or factor into your practice immediately.
    The All-In-One 2021 Super-Sized Ethical Hacking Bundle normally costs over $3,000 but is available now for $42.99, a discount of 98%. Never has there been a better time to enter an industry that is fast becoming a necessity for every major business in the world. 
    Prices subject to change



    Investor data breach 'fatigue' reduces Wall Street punishment for cybersecurity failures

    Wall Street’s acceptance of data breaches and investor “fatigue” has numbed the reaction of traders following a cybersecurity incident, new research suggests.

    Over the past decade, the rush to harness data to improve business operations, management, and customer relationships did not occur in tandem with improving cybersecurity hygiene in order to protect this data — and organizations are still courting huge risks to their share prices to this day as a result. 
    According to IBM’s latest Cost of a Data Breach report, the enterprise sector can expect an average bill of $3.86 million — but in the case of large security incidents involving consumer records, this may rise to up to $392 million — to remedy a breach. 
    Some companies will bury their heads in the sand when told of a data breach, whether caused by open buckets, intrusion, insider operations, or accidental information loss.
    However, for businesses trading on public stock market platforms, failing to recognize a data breach has occurred or trying to hide it can have real, long-term repercussions. 
    This week, Comparitech published its annual report on how data breaches can impact share prices which revealed that cybersecurity incidents do not have the same ramifications for the stock market as they did close to a decade ago.
    This year’s research has tracked 34 companies and 40 publicly disclosed data breaches. The companies were chosen based on data breaches involving at least one million records, subsequent public disclosure, and an active listing on the NYSE. 

    There are some limitations to the study, including the sample size constrained by Comparitech’s selection criteria, as well as the impact of financial reports and the issue of class-action settlements.
    “If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue [..],” the researchers note. “These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.”
    However, the study still reveals some interesting trends. The share price of a breached company now falls by an average of 3.5% within 14 days of disclosure and will hit its lowest point after roughly 110 market days. A prior analysis conducted in 2019 suggested that stock prices would drop by an average of 7.27%.
    Underperformance on the Nasdaq is within the range of -3.5% on average, and 21 out of 40 breaches caused worse stock performance in the six months following a breach in comparison to six months prior. On average, share prices grew by 2.6% prior to a breach and dropped 3% afterward.
    One notable trend is that “older breaches” were once met with a more immediate, negative reaction by Wall Street. Share prices fell more substantially and according to the research, stocks took an average of 109 days to recover when a breach occurred in 2012 and earlier. 
    For data breaches occurring between 2013 and 2016, drops in share price were “less severe” than in the earlier category, and there was less than 1% difference in value between the six months prior to and the six months after a security incident’s disclosure.
    When it comes to breaches reported in 2017 and after, it took roughly 100 days for prices to recover and general performance was only “slightly poorer” in the six months after a breach. 
    In today’s marketplace, technology and financial services companies suffered the most after a data breach, whereas e-commerce and social media companies are “the least affected,” according to Comparitech. 
    “Breaches that leak highly sensitive information like credit card and social security numbers see more immediate drops in share price performance on average than companies that leak less sensitive info, but in the long-term, they do not necessarily suffer more,” the researchers noted. 
    Data breach impacts on company stock prices do, it seems, diminish over time as memory fades and there are many other factors that can also negatively influence an organization’s stock price — such as the disruption caused by COVID-19, unrelated lawsuits, and management changes.


    OnlyKey: The ultimate security key for professionals


    There are a lot of security keys out there, but OnlyKey is the perfect choice for professionals.
    It looks like a regular security key, but under epoxy are some really neat features.
    The only downside — it takes some time to figure out how it works.

    OK, so what is OnlyKey?
    OnlyKey sort of looks like a regular USB-A security key. It’s small, has some gold-colored touchpads, has a lot of epoxy on it, and a connector on one end.
    But a closer look uncovers some differences.

    First off, there’s a 6-digit keypad. This is key — pardon the pun — to much of what makes the OnlyKey different.
    That keypad allows OnlyKey to be protected by a PIN code, and for a second account to be set up, along with a self-destruct PIN code.
    These PINs add an additional layer of security, preventing the key from being useful to someone who finds it.
    In all, you can store up to 24 passwords, up to 24 usernames/URLs, and up to 24 OTP accounts on a single OnlyKey.
    Beyond that, OnlyKey supports FIDO U2F and YubiKey OTP two-factor authentication for an unlimited number of sites.
    The OnlyKey is also open source, has upgradable firmware, and can also be backed up (in case you lose the key and need to restore the data onto another).
    Your OnlyKey can be set up using either an app (Windows, Mac, and Linux), or you can choose an app-free quick setup.
    There’s also very in-depth documentation that guides you through all the features.
    Each key also comes with a removable black silicone protective sleeve.

    Now, there’s a lot to an OnlyKey. Far more than just plugging it in and using it, like you do with a YubiKey. This is both a pro and a con. For ease of use (and for not having users wipe the key by entering the self-destruct PIN instead of the access PIN), YubiKey has the edge. But for professionals who take security seriously, and don’t mind putting the time into learning how to use it, this key comes highly recommended.



    Supply chain security is actually worse than we think


    Guest editorial by Haroon Meer. Meer is the founder of Thinkst, the company behind the well-regarded Thinkst Canary. Haroon has contributed to several books on information security and has published a number of papers and tools on various topics related to the field. Over the past decade (or two) he has delivered research, talks, and keynotes at conferences around the world.
    The recent SolarWinds mega-hack has managed to grab mainstream media headlines around the world but the more I read, the more I think the press coverage has buried the lede. 
    The incident gets called a “supply chain” attack which hints at war-time tactics and, I’m willing to bet, will launch a dozen VC-backed startups. People are (rightfully) worried about the knock-on effect since the SolarWinds attackers had access to several other development-houses and could have also poisoned those wells. 
    This is definitely scary but there’s a hard, sobering truth below that actually makes this a bit worse than you might think.
    An abstracted, low-resolution summary for those (very few) who haven’t paid attention to the incident:
    SolarWinds make a network management product called Orion that is deployed on hundreds of thousands of networks worldwide;
    Attackers broke into SolarWinds and made their way to the SolarWinds build environment;
    They compromised the build pipelines, to inject malicious code into the SolarWinds update process;
    Networks all over the world updated themselves with this poisoned update;
    (Now-compromised) SolarWinds servers worldwide attacked internal networks of selected organizations;
    Almost nobody discovered any of this for months until a security company discovered its own compromise.
    Here are the four main reasons why it’s actually worse than we think.

    The state of enterprise security: While we’ve made progress in some areas of information security (e.g. the degree of knowledge and skill required to exploit memory corruption bugs in modern operating systems), enterprise security is still stuck pretty firmly in the early 2000s. An enterprise network consists of an untold number of disparate products, duct-taped together through poorly documented interfaces where often the standard for product integration is “this config works, don’t touch it!”. Any moderately skilled attacker will decimate an internal corporate network long before they are discovered, and the average time it takes to gain Domain Admin is measured in hours and days instead of weeks or months.
    Most organizations, sadly, don’t know this. They know they spend money on security and they know they see charts with red and green boxes and arrows tracking progress. Most have no clue they’re sitting ducks for average attackers of moderate skill, much less nation state-backed adversaries with unlimited resources.
    Enterprise Products: Even ignoring the weakness that comes with cobbling together many products (security at the joints), most enterprise products won’t hold up very well to serious security testing. Heavyweight vendors like Adobe and Microsoft were publicly spanked into upping their game years ago, but it drops off pretty steeply after them. There’s an interesting carveout for online SaaS companies who have to build security competency since they run their own infrastructure and compromising their products is the same as compromising them. But for products installed into an Enterprise network the incentives are horribly misaligned. Owning, say, Symantec’s antivirus agent doesn’t compromise Symantec, it compromises you (who are running it) and this separation makes all the difference.
    Enterprise networks have too many moving parts: The past few years have seen creative hackers exploit software in places that we never knew were running software. The Thunderstrike crew ran code on Apple VGA adaptors. Ang Cui has written exploits for monitors and office phones. Bunnie and xobs ran code on SD cards, and a number of people have now run Linux on hard drive controllers. This makes it clear that the average office network is connected to dozens and dozens of types of devices that won’t ever make it into a regular audit, but that are nonetheless capable of hiding attackers and injecting badness into your network.
    Third Party Risk Evaluations: The joke going around after the incident was that SolarWinds had negatively impacted hundreds of enterprises, but definitely passed their third-party risk evaluations. It’s slightly unfair, but also true. We simply do not have a good way for most organizations to test software like this, and third-party questionnaires have always been a weak substitute. Even if we could tell whether a product was meeting a minimum security bar (using safe patterns, avoiding unsafe calls, using compile-time safety nets, etc.), automatic updates mean that tomorrow’s version of the product might not be the product you tested today. And if the vendor doesn’t know when they are compromised, then they probably won’t know when their update mechanism is used to convert their product into an attacker’s proxy.
    I’m not saying that auto-updates are bad. We believe they solve important problems, but they do introduce a new set of variables that need to be considered.  
    The current focus on “supply chain” security will no doubt see the VC-backed creation of next-gen start-ups claiming to solve the problem, but this part of the problem seems intractable. There’s the “easy” suite of software you know about: applications installed on your infrastructure and their dependencies. But, for one, this ignores your vendor’s own vendors. In addition, what product is going to provide guidance on the provenance of the code running in your monitors (on processors we didn’t even know were there)? Will we examine the firmware on the microphone that people are now using for their Zoom calls? Will we re-examine it post-automatic-update? There are way too many connected pieces of code to tackle the problem from this angle.
    If it takes just hours or days to successfully compromise an internal network, and if the average network has enough hiding places for skilled attackers to burrow deep, what do you think happens when attackers are allowed to move around undetected for months? 
    A bunch of analysts looking at the SolarWinds incident point out (correctly) that compromised SolarWinds servers were installed on so many networks that the ripples of this attack could be crazily exponential. What this analysis misses is that the average enterprise runs dozens and dozens of SolarWinds-look-alikes everywhere.
    Ransomware didn’t spring up overnight. Networks hit by ransomware were typically vulnerable for years and ran along blissfully unaware until attackers figured out a way to monetize those compromises. Most enterprises have been completely vulnerable to their vendors’ horrible insecurity too, the SolarWinds incident just published a blueprint for how to abuse it.
    The situation is dire not because we are fighting some fundamental laws of physics, but because we’ve deluded ourselves for a long time. If there’s a silver lining out of this, it’s that customers will hopefully demand more from their vendors. Proof that they’ve gone through more than compliance checklists and proof that they’d have a shot at knowing when they were compromised. That more enterprises will ask “how would we fare if those boxes in the corner turned evil? Would we even know?”


    This old security vulnerability left millions of Internet of Things devices vulnerable to attacks

    Vulnerabilities in the communications protocols used by millions of Internet of Things (IoT) and operational technology (OT) devices could allow cyber attackers to intercept and manipulate data.
    The vulnerabilities in some TCP/IP stacks have been detailed by cybersecurity researchers at Forescout, who’ve dubbed the set of nine new vulnerabilities as ‘Number:Jack’.


    It forms part of the cybersecurity company’s ongoing research under Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them.
    The latest disclosures are based around a fundamental aspect of TCP communication in embedded devices: Initial Sequence Number (ISN) generation. These ISNs are designed to ensure that every TCP connection between two computers or other internet-connected devices is unique and that third parties can’t interfere with or manipulate connections.
    In order to ensure this, ISNs need to be randomly generated so an attacker can’t guess it, hijack it or spoof it. It’s a fundamental of computer security that was already known in the 90s – but when it comes to security of IoT devices, researchers found that this old vulnerability was present as numbers weren’t completely random, so the pattern of ISN numbers in these TCP communications could be predicted.
    “This stuff has been mostly fixed in Windows and Linux and the typical IT world. But when you look into the IoT world, this stuff is happening again,” Daniel dos Santos, research manager at Forescout told ZDNet.

    “It’s not difficult for us or an attacker to find this type of vulnerability because you can clearly see the way the numbers are generated by the stack is predictable,” he added.
    By predicting the sequence numbers of an existing TCP connection, attackers could close it, essentially causing a denial-of-service attack by preventing data from being transferred between devices. Alternatively, they could hijack it and inject their own data into the session, through which it’s possible to intercept unencrypted traffic, add file downloads to serve malware, or use HTTP responses to direct the victim to a malicious website. It’s also possible for attackers to abuse the TCP connections of embedded devices to bypass authentication protocols, potentially providing attackers with additional access to networks.
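    As an added example, not code from the article or from Forescout’s script, the following Python models both ends of the ISN story: a hypothetical fixed-increment generator of the predictable kind the research describes, the RFC 6528 keyed-hash construction that is the usual fix, and a check a defender can run over ISNs sampled from a device’s connections to see whether the increments repeat. The addresses, ports and secret are constructed, and the weak generator is an illustration rather than a model of any named stack.

```python
"""Spotting predictable TCP Initial Sequence Numbers (ISNs).

Added example, constructed for this page: the weak generator below is a
hypothetical fixed-increment scheme standing in for the "not completely
random" generators the article describes, not a model of any named stack.
The RFC 6528 construction is the mitigated form."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

MOD = 1 << 32  # TCP sequence numbers are 32-bit


class FixedIncrementISN:
    """Hypothetical weak generator: each new connection gets the previous
    ISN plus a constant step.  Two observed ISNs reveal the step, so anyone
    who saw them can foresee the next connection's ISN."""

    def __init__(self, seed: int = 0x12345678, step: int = 64_000) -> None:
        self.last = seed
        self.step = step

    def next_isn(self, local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int) -> int:
        # The connection 4-tuple is ignored entirely: that is the flaw.
        self.last = (self.last + self.step) % MOD
        return self.last


class Rfc6528ISN:
    """RFC 6528 style generator: ISN = M + F(4-tuple, secret).  M is a
    4-microsecond timer; F is a keyed hash of the connection identifiers.
    Without the secret, F cannot be computed for a connection an observer
    did not see, so successive ISNs carry no usable pattern."""

    def __init__(self, secret: Optional[bytes] = None,
                 clock: Optional[Callable[[], int]] = None) -> None:
        self.secret = secret if secret is not None else os.urandom(32)
        # clock is injectable so tests can pin M; default ticks every 4 us
        self.clock = clock or (lambda: time.monotonic_ns() // 4000)

    def next_isn(self, local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int) -> int:
        ident = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
        f = hmac.new(self.secret, ident, hashlib.sha256).digest()[:4]
        return (self.clock() + int.from_bytes(f, "big")) % MOD


def collect_sample(gen, count: int) -> List[int]:
    """Constructed sample: `count` connections from one client (ephemeral
    ports 40000, 40001, ...) to a device listening on port 80.  In the field
    the ISNs would instead be read from the SYN-ACKs in a packet capture."""
    return [gen.next_isn("10.0.0.5", 80, "10.0.0.77", 40_000 + i)
            for i in range(count)]


def isn_deltas(isns: List[int]) -> List[int]:
    """Increments between successive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isn_sample(isns: List[int],
                      max_distinct_ratio: float = 0.1) -> Dict[str, object]:
    """Flag a sample as predictable when the increments between successive
    ISNs repeat: a constant step is the extreme case, and a handful of
    distinct steps is still far too structured.  A sound generator yields
    increments that are almost all distinct."""
    deltas = isn_deltas(isns)
    if not deltas:
        raise ValueError("need at least two ISNs")
    distinct = len(set(deltas))
    ratio = distinct / len(deltas)
    return {
        "samples": len(isns),
        "distinct_delta_ratio": ratio,
        "constant_increment": distinct == 1,
        "predictable": ratio <= max_distinct_ratio,
    }


if __name__ == "__main__":
    for name, gen in (("fixed-increment", FixedIncrementISN()),
                      ("rfc6528", Rfc6528ISN())):
        print(name, assess_isn_sample(collect_sample(gen, 64)))
```

A real check would feed `assess_isn_sample` with ISNs read from captured SYN-ACKs of the device under test; a `predictable` verdict is the cue to patch or segment the device, as the article recommends.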
    All of the vulnerabilities were discovered and disclosed to the relevant vendors and maintainers of affected TCP/IP stacks by October 2020.
    TCP/IP stacks found to contain the vulnerabilities include several open-source stacks analysed in Forescout’s previous study, including uIP, FNET, picoTCP, Nut/Net, cycloneTCP and uC/TCP-IP. Vulnerabilities have also been discovered in Siemens’ Nucleus NET, Texas Instruments’ NDKTCPIP and Microchip’s MPLAB Net.
    The majority of the vendors have issued patches to protect devices against the vulnerabilities or are in the process of doing so, although researchers note that one hasn’t responded to the disclosure at all. ZDNet has attempted to contact each of the vendors detailed in the research paper for a response.
    Forescout hasn’t publicly identified the exact devices that rely on the nine stacks found to have vulnerabilities in order to prevent them becoming potential victims of attacks. However, they do note that systems including medical devices, wind turbine monitoring systems and storage systems are all reliant on systems known to use the examined stacks.
    To help protect against attacks, Forescout Research Labs has released an open-source script to help identify stacks discovered to have vulnerabilities as part of Project Memoria.
    It’s recommended that if these vulnerabilities are uncovered on the network that security patches are applied to prevent attackers from taking advantage. It’s also suggested that when it isn’t possible to patch IoT or OT devices, the affected products are segmented onto part of the network that will reduce the likelihood of compromise.
    The research also serves as a reminder that, when it comes to security of IoT devices, there are security lessons to be learned from IT security that must be applied – especially when it comes to fundamentals that have been known about for decades.
    “The foundations of IoT are vulnerable and not just for one vendor or specific device – it’s across several types of devices and the software components used in these devices. It’s often that they share similar types of vulnerabilities,” said dos Santos.
    “The reason we’ve looked across TCP stacks is to show that history’s repeating again in several stacks. This provides proof that people should be looking at what has happened before and how that affects their operations – all down the IoT supply chain,” he added.


    Adobe patches wave of critical bugs in Magento, Acrobat, Reader

    Adobe has patched numerous critical vulnerabilities in a range of software including Magento, Acrobat, Reader, and Photoshop.

    On Tuesday, the tech giant published security advisories for each product included in this month’s standard patch round. 
    The first notice relates to Adobe Acrobat and Reader 2020, Acrobat and Reader DC, and the 2017 versions of both Acrobat and Reader on Windows and macOS machines. 
    Adobe has resolved 23 vulnerabilities in these software packages, 17 of which are deemed critical and the rest, important. The security issues reported to Adobe include buffer and integer overflows, improper access controls, and use-after-free flaws that can be weaponized for arbitrary code execution, privilege escalation, denial-of-service crashes, and information leaks. 
    Magento, an open source e-commerce platform, has also received a slew of security fixes. Specifically, Magento Commerce and Magento Open Source on all platforms are subject to a total of 18 bugs, varying in severity from critical to moderate. 
    The worst vulnerabilities, including Insecure Direct Object Reference (IDOR) bugs, file upload list bypasses, security and access control bypasses, and blind SQL injections, can be used by attackers to perform code execution, to deploy JavaScript in a browser, and to access restricted resources. 
    In total, five critical vulnerabilities have been reported in Adobe Photoshop on Windows and macOS. The bugs are described as out-of-bounds read/write and buffer overflow issues which can be exploited for the execution of malicious code.  

    Two critical vulnerabilities, tracked as CVE-2021-21053 and CVE-2021-21054, are now patched in both Windows and macOS versions of Adobe Illustrator. If exploited, the out-of-bounds write bugs can trigger arbitrary code execution. 
    Adobe Animate was also the subject of a critical out-of-bounds write flaw, CVE-2021-21052, which could also be weaponized to deploy arbitrary code.
    A single fix has also been issued for Adobe Dreamweaver, website design software developed by the tech giant. CVE-2021-21055 is an uncontrolled search path element issue potentially leading to information leaks. 
    Adobe thanked a number of independent researchers, Decathlon, the Trend Micro Zero Day Initiative, FortiGuard Labs, and participants of the Tianfu Cup 2020 International Cybersecurity Contest for reporting the security issues. 
    In January, Adobe’s first scheduled security update of the year resolved bugs in seven products, including Photoshop, Illustrator, Bridge, and Campaign Classic. Heap buffer overflow vulnerabilities and out-of-bounds write flaws were among those patched. 


    Indo-Pacific tech sector 'ripe for investment' and cyber defence cooperation: Research

    The Indo-Pacific region’s tech sector is “ripe for investment”, according to Trisha Ray, an associate fellow with the Observer Research Foundation’s Technology and Media Initiative.
    “Rare earths, which go into all our devices, computers, electric vehicles, and so on, alternatives to untrusted 5G vendors, even basic infrastructure investment in fibreisation of networks, all of these are ripe for investment,” Ray said on Tuesday.
    “Most of the region, Southeast Asia [and] India especially, are major assembly hubs in global technology trade, but there needs to be more focus on core competencies and capacity building.”
    One example is semiconductors. The region is home to plenty of pure-play chip foundries, but they generally don’t design the chips.
    “Most of the value for semiconductors lies in the design, which is why Intel accounts for a quarter of global semiconductor value,” she said.
    Ray was speaking at the launch of the Quad Tech Network (QTN), an initiative of the Australian government to “promote regional track two research and public dialogue on cyber and critical technology issues” between the four members of the Quadrilateral Security Dialogue or “Quad”: Australia, India, Japan, and the United States.
    The QTN is managed by the National Security College at the Australian National University in Canberra.

    Ray’s comments were based on the paper she co-authored, titled The Digital Indo-Pacific: Regional Connectivity and Resilience, which was one of four papers released at the launch.
    Its recommendations included developing common standards for digital services, such as harmonising national and then regional standards for digital payments; interoperable cross-border digital IDs; and improving digital skills at all levels.
    The report notes that Malaysia, India, and Australia’s research output “remains far below their potential”, that Malaysia has a “high level of digitally skilled workers”, and that Indonesia and Cambodia “lack basic digital skills”.
    And while Vietnam “needs to channel its tech talent better”, Australia “lacks advanced digital skills”.
    “We also focus a lot on first order connectivity issues, including just basic electricity, access to reliable high-speed internet, digital literacy, all of these are important elements,” Ray said.
    According to Martijn Rasser, co-author of the Center for a New American Security paper titled Networked: Techno-Democratic Statecraft for Australia and the Quad, the QTN is a logical expansion of the Quad’s remit.
    “You have a large portion of the world’s GDP and population, shared interests and values, and a common understanding of what it will take to be economically competitive in coming decades,” Rasser said.
    “In the near term, there’s good opportunity to make important strides in areas including setting norms that promote a free and open cyberspace, addressing supply chain vulnerabilities such as for rare earths, and boosting technological innovation for 5G wireless infrastructure.”
    Australia’s cyber diplomacy has already played a key role in setting international cyber norms, although its influence has declined under the Morrison government.
    Where is Australia’s 40-year tech vision?
    Rasser recommended that each of the Quad nations “craft a true national strategy for technology”.
    “This requires a vision. Where do you want to be 20, 30, 40 years down the road?”, he said.
    “In what tech areas do you want your country to be the world leader? Where should you be globally competitive? And where are the areas where you can afford to be a fast follower? Because you’re not going to be number one in everything, it’s just not affordable, it’s not achievable ultimately.”
    Once more it’s worth noting that Australia’s 2020 Cyber Security Strategy was disappointingly drab and inward-looking, with little expansion on cyber industry development beyond the 2016 strategy.
    There’s clearly room for improvement here and it’s clear to your correspondent that the Australian government will need to spark up its technological nous to meet the challenge.
    “The ultimate goal of this strategy should be for a country to empower its citizens, compete economically, and secure your national interests, without having to compromise your values or your sovereignty,” Rasser said.
    Trust, inclusivity, and governance systems are further issues, according to Professor Jolyon Ford from the ANU College of Law.
    “How do you bring along your societies with you, and include them in the conversations about the possibilities and the problems of governance, and include them in that process?”, Ford asked.
    “[How do you] build trust, not just in the technologies, but in the frameworks governing those technologies?”
    There are limits to state-based and state-led strategies, he said, especially in fields such as artificial intelligence (AI).
    Big tech’s ‘disproportionate role’
    “The private sector and big tech firms in particular play such an outsized or disproportionate role in shaping the whole narrative around these technologies and their good or otherwise, and shaping the possibilities of governance models around these technologies,” Ford said.
    Ford co-authored the paper Embracing Difference: Governance of Critical Technologies in the Indo-Pacific, which examined human rights and ethical issues.
    The perennial issue of the importance of sharing cyber threat intelligence was raised by Dr Kohei Takahashi, a researcher at Japan’s National Graduate Institute for Policy Studies.
    “Australia and the United States are already working on the cyber threat intelligence in the Five Eyes framework. So it is important for the Quad countries to establish a new framework for sharing information on cyber threat effectively,” he said.
    Takahashi also stressed the importance of establishing a fact-checking system.
    “Influence operations in cyberspace using fake news, for example, have become a big issue. It is important for the Quad countries to establish a fact-checking system,” he said.
    The paper Takahashi co-authored, Cyber Security, Critical Technology, and National Security, also recommended collaborative research on AI and joint cyber exercises.
    “AI will be used in cyberspace in the future. It will be necessary for us to promote research and study in this field to enhance our interoperability capabilities,” he said.
    “Each country has its own strengths and weaknesses. It is important to conduct joint exercises in order to run the strengths of the other potential allies and partners, and to improve their resilience.”