Information Technology

Singapore is in the midst of rolling out tools and measures to plug several “IT weaknesses” highlighted in a report, including weak controls and inadequate reviews of privileged user activities. The report also stresses the need to mitigate new risks and vulnerabilities brought about by the accelerated rate of digital transformation amidst the global pandemic. 
Efforts already were underway to address the IT loopholes over the past year, with automation tools taking centrestage, according to the latest report by the Public Accounts Committee. These measures had been planned since last year, when the committee had chided the public sector for recurring IT lapses In its 2020 report. It then had also pointed to a lack of good standard operating procedures in user access rights management, with the logging and review of privileged user activities carried out manually. 

The committee added that controls over third-party vendors and partners could be beefed up. “Given the increasing pace of digitalisation and outsourcing of IT operations in the public sector, IT-related risks such as data security and cybersecurity risks will remain key risks for the government,” it noted in its report released Monday.
Efforts to plug the gaps were led by the Smart Nation and Digital Government Group (SNDGG), which underscored the importance of human supervision, changes in processes, and the adherence of these new processes alongside the implementation of automation and technological tools. 
The government agency said it was developing a centralised tool that would include the automation of the removal of user accounts that were no longer in use, which currently still needed to be checked manually despite the implementation of a new application that alerted agencies of staff movement and role changes. This platform had been deployed across 38 agencies since October 2019. 
Development of the centralised tool was targeted for completion by end-2021, after which agencies would integrate all existing systems with the centralised platform over the next three years. This would be deployed across high-priority systems by December 2023 and all remaining systems by December 2024, according to the SNDGG.
Another tool to aid in the review of privileged users’ activities also was slated to be deployed on high-priority systems by December 2022, following a pilot — launched last April — involving 15 government agencies. SNDGG reported that it was “refining” detection rules to monitor different types of logs, including operating systems, databases, networks, applications, and security as well as logic to improve the efficiencies of the detection system. Implementation would be progressively scaled up to all agencies from January 2021. 

Steps also had been taken to beef up organisational structures processes, which aimed to facilitate greater ownership so IT lapses would be addressed. In the area of data and cybersecurity, for instance, an agency’s chief security officer and chief data officer were required to report major cybersecurity and data issues directly to the agency’s head. 
In addition, all government agencies would tap audit and incident data to predict potential governance risks to IT systems. An initial batch of agencies were expected to begin a pilot for this in the first quarter of 2021, with deployment across the sector targeted for the second quarter. 
According to the Public Accounts Committee, new processes also had been put in place across the public sector to facilitate a “more coordinated and effective response” to data incidents. These included the establishment of the Government Data Security Contact Centre last April as an avenue for members of the public to report data incidents involving public agencies. 
From March 2021, all public agencies also would be required to conduct annual cyber and data security incident exercises.
Moving forward, the Public Accounts Committee noted that the accelerated digital transformation brought about by the COVID-19 pandemic could introduce risks and vulnerabilities. It said the SNDGG was probed about such risks and how the agency was mitigating them. 
In response, the smart nation group said it currently was setting up a government-wide “ICT and Smart System” enterprise risk management system, which would comprise a central office, risk owners, and integration of the framework with each agency’s own enterprise risk management processes. 
The SNDGG had identified 10 potential risks, but noted that most had been or were in the process of being addressed with ongoing efforts, including strengthening of agencies’ management of data security and cybersecurity risks as well as managing human capital risk. 
The Singapore government in February 2020 said it would invest SG$1 billion to beef up its cyber and data security systems, noting that this was essential as its agencies increasingly adopted technologies such as artificial intelligence, cloud, and Internet of Things. To be spent over the next three years, the funds would go towards readying the country to deal with cyber threats as digitisation efforts intensified. 
RELATED COVERAGE More

Image: Microsoft
Microsoft is working on adding a new security alert to the dashboard of Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) that will notify companies when their employees are being targeted by nation-state threat actors.

The feature was added on Saturday to the Microsoft 365 roadmap website.
The idea behind the feature is not new. Since 2016, Microsoft began tracking nation-state hacking groups and the attacks they orchestrate against Microsoft email accounts.
If a user is targeted or compromised in one of these attacks, Microsoft sends them an email about the attack, along with basic advice they need to take to re-secure their inbox and devices.
Microsoft said in 2019 that it usually notifies around 10,000 users per year of nation-state attacks.
But the problem with this notification procedure is that it relies on users reading their email and taking action, which doesn’t always happen. Users don’t read their emails daily, or it might sometimes take hours before the user reaches the notification in crowded inboxes, a time during which attackers could use to steal sensitive documents.
For organizations who are customers of Microsoft’s Office 365 service, the OS maker now plans to add these notifications inside the dashboard of Microsoft Defender for Office 365, the cloud-based security platform that scans a company’s Office 365 accounts for threats.

This way, the notification will also appear for system administrators and security teams, who can act on it right away by calling the affected employees personally, resetting email account passwords, resetting other internal passwords, or by initiating a broader security audit.
The OS maker expects to have this feature ready by the end of the month.
Besides Microsoft, which does this for Microsoft Outlook email accounts, similar alerts for nation-state attacks are also available for Yahoo accounts, public Gmail accounts, and G Suite accounts. Facebook also warns users of nation-state attacks against its social media accounts. More

Image: Joshua C. Greenberg, MD, Mahmoud R. Altawil, MD,Gurjit Singh, MD
The new magnetic circular array introduced in iPhone 12 smartphones last year to support the MagSafe charging technology can disrupt implantable cardioverter-defibrillator (ICD) medical devices.
The warning comes from three cardiac electrophysiology doctors from the Henry Ford Heart and Vascular Institute at the Henry Ford Hospital in Detroit, Michigan.
In a letter published in a medical journal [PDF] last month, doctors warned that the new iPhone magnets could potentially “inhibit lifesaving therapy in a patient, particularly when the phone is carried in an upper chest pocket.”
These magnets, arranged in a circle, play a role in aligning the iPhone with a MagSafe charger for wireless charging operations.
Research published in 2009 has previously shown that any type of magnet, radio, or electronic equipment that generates a magnetic field stronger than 10 gauss can trigger internal systems inside ICD devices and stop their operations.
The Henry Ford Hospital doctors said they carried out tests with the new iPhone 12, released last year, and found that the new magnets are strong enough to trigger these switches.
“Once the iPhone was brought close to the ICD over the left chest area, immediate suspension of ICD therapies was noted and persisted for the duration of the test (Figure 1). This result was reproduced multiple times with different positions of the phone over the pocket,” the doctors said.

“Contemporary studies [1, 2] have shown minimal risk of electromagnetic interference from ICDs and older-generation smartphones not having a magnetic array.”
The new warning comes to supersede an Apple support page published last year on the same topic.
In that page, Apple estimated that even if iPhone 12 models contained more magnets, the new models were “not expected to pose a greater risk of magnetic interference to medical devices than prior iPhone models.”
The tech giant did advise users of implanted pacemakers and defibrillators that in order to “avoid any potential interactions,” they should keep their iPhones and MagSafe chargers at a safe distance from their implants of more than 12 inches (30 cm).
Furthermore, Apple said that if users suspected that their iPhone or any MagSafe accessories are interfering with their medical devices, they should stop using their iPhone or MagSafe accessories right away. More

TikTok, the video-sharing social network, drove a lot of interest from consumers last year. It also piqued their interest in Virtual Private Networks (VPNs), according to new research.
The research by Brooklyn, NY-based security advisors Security.org found that interest in VPNs was directly correlated with newsworthy events.

ZDNet Recommends

The company measured the amount of web traffic in a day compared to the average web traffic of a week prior to the date and correlated this with significant events during 2020.
VPN technology is used for various reasons. It can be used to create a secure channel to communicate with the workplace protecting sensitive business information, to bypass government restrictions, or to hide activity from Internet Service Providers amongst others.
Almost one in 10 US adult VPN users cite whistleblowing, activism, or bypassing government or organization restrictions as a reason for use of VPN technology.
Security.org’s research showed that interest in VPN technology tends to increase significantly whenever there is a newsworthy event that impacts travel, or internet usage, or impacts working from home environments.
Security.org
On March 22020, the first deaths due to COVID-19 were reported, leading to an increase in VPN interest of 99 percent compared with average web traffic the week before..

On March 24 2020 when the postponement of the Tokyo 2020 Olympics was announced, there was a 78 percent increase in consumers’ VPN interest.
This was due to people looking to secure their at-home networks for the possibility of stay-at-home orders and working from home due to the pandemic.
On August 13, average consumer interest in VPNs increased by 74 percent when President Trump proposed a ban on TikTok in August 2020. Interest also spiked by 34% on September 20th – the day the TikTok ban was said to start.
When internet censorship is threatened, average consumer interest in VPNs increases, and consumers flock to buy routers – like the GL.iNet Beryl router which has VPN software built in to the router.
A VPN will allow people to access the internet in countries where restrictions are in place. Countries with levels of internet censorship can bypass firewalls to get to otherwise-restricted content.
As restrictions on free content continue to grow, I think that more and more of us will switch to VPN technology. We can then ensure that we have the freedom to access the content we want to and to communicate as if there were no restrictions at all – wherever we happen to live. More

There’s been a huge increase in cyber criminals attempting to perform attacks by exploiting remote login credentials over the last year, as many employees continue to work from home.
Working from home has become a necessity for many and it’s only by remotely logging in to corporate VPNs and application suites that people are able to continue to do their jobs.

More on privacy

However, the rise in remote working has provided cyber criminals with a greater opportunity to slip into networks unnoticed by using legitimate login credentials – whether they are phished, guessed or otherwise stolen. By using legitimate login details instead of deploying malware, it’s easier for attackers to go about their business without being detected.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)    
According to researchers at cyberscurity company ESET, that ease has led to a 768% growth in Remote Desktop Protocol (RDP) attacks over the course of 2020. In total, ESET detected 29 billion attempted RDP attacks across the year, as cyber criminals attempt to exploit remote workers.
In some cases, RDP ports are even misconfigured, providing attackers with even greater access to networks.
Either way, RDP attacks can be used to infiltrate networks to examine and steal sensitive information, while it can also be used as a means of gaining enough access to the network to deploy ransomware attacks.

This is all in environments that might be less protected than they would be if employees were working from within the office, rather than working remotely.
“RDP attacks are focusing on technology not on the human beings, thus require less handiwork from the attackers. Misconfigured RDP in many cases leads to valuable resources, such as company servers or devices with admin rights, that represent a springboard for further, often network-wide, compromises,” Ondrej Kubovič, security awareness specialist at ESET told ZDNet.
The ESET report notes that there was a drop off in RDP attacks during December, something that they’ve attributed to cyber criminals taking time off over Christmas. But it’s expected that 2021 will continue to see cyber criminals attempting to use RDP attacks to break into corporate networks, especially as employees continue to work remotely.
However, there are actions that organisations can take to make it much more difficult for cyber criminals to successfully compromise the network with RDP attacks.
SEE: Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
IT security teams should encourage users to use strong passwords that are difficult to guess with brute force attacks. That password shouldn’t be used for any other accounts in order to lower the risk of compromise as a result of the password being leaked or breached elsewhere.
Applying two-factor authentication across the network will also go a long way to preventing cyber criminals conducting successful RDP attacks, as it’s much harder to get old of the extra layer of verification needed to access accounts.
Ensuring that users are using the latest versions of operating systems and software by having a solid patching strategy in place can also provide an additional layer of defence against attempted attacks.

MORE ON CYBERSECURITY More

With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. 

ZDNet Recommends

Lavabird Ltd.’s Barcode Scanner was an Android app that had been available on Google’s official app repository for years. The app, accounting for over 10 million installs, offered a QR code reader and a barcode generator —  a useful utility for mobile devices. 
The mobile application appeared to be legitimate, trustworthy software, with many users having installed the app years ago without any problems — until recently. 
According to Malwarebytes, users recently started to complain of adverts appearing unexpectedly on their Android devices. It is often the case that unwanted programs, ads, and malvertising are connected with new app installations, but in this example, users reported that they had not installed anything recently. 
Upon investigation, the researchers pinpointed Barcode Scanner as the culprit. 
Malwarebytes
A software update issued on roughly December 4, 2020, changed the functions of the app to push advertising without warning. While many developers implement ads in their software in order to be able to offer free versions — and paid-for apps simply do not display ads — in recent years, the shift of apps from useful resources to adware overnight is becoming more common. 
“Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It’s a win-win situation for everyone,” Malwarebytes noted. “Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive.”

Sometimes, ‘aggressive’ advertising practices can be the fault of SDK third-parties — but this was not the case when it comes to Barcode Scanner. Instead, the researchers say that malicious code was pushed in the December update and was heavily concealed to avoid detection.
The update was also signed with the same security certificate used in past, clean versions of the Android application. 
Malwarebytes reported its findings to Google and the tech giant has now pulled the app from Google Play. However, this doesn’t mean that the app will vanish from impacted devices, and so users need to manually uninstall the now-malicious app. 
Transforming clean SDKs into malicious packages is only one method employed to avoid Google Play protection, with time checks, long display times, the compromise of open source libraries used by an app, and dynamic loading also cited as potential ways for attackers to compromise your mobile device.
Another interesting method, spotted by Trend Micro, is the implementation of a motion sensor check. In 2019, Android utility apps were found to contain the Anubis banking Trojan which would only deploy once a user moved their handset. 
ZDNet has reached out to the developer and will update if we hear back. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Google’s new website aims to address issues around the triage of newly discovered bugs via automation.
Image: Getty Images/iStockphoto
Google has launched the Open Source Vulnerabilities (OSV) website, offering up a vulnerability database to help triage bugs in open-source projects and help maintainers and consumers of open source.
Google argues that users of open-source software find it difficult to map a vulnerability such as a Common Vulnerabilities and Exposures entry to the package versions they are using because versioning schemes in existing vulnerability standards do not map well with the actual open-source versioning schemes, which are typically versions/tags and commit hashes. “The result is missed vulnerabilities that affect downstream consumers,” it warns.

Google is already sponsoring open-source projects to move them from buggy C code to the memory-safe programming language, Rust. Last week, it also proposed a framework for the open-source community to judge which projects should be deemed “critical” and tougher rules on developers who contribute to these projects. 
SEE: Security Awareness and Training policy (TechRepublic Premium)
The OSV aims to address issues around the triage of newly discovered bugs via automation. 
“For open source maintainers, OSV’s automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges,” Google notes. 
“Similarly, it is time consuming for maintainers to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication. Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don’t always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to.

“We are planning to work with open source communities to extend with data from various language ecosystems (e.g. NPM, PyPI) and work out a pipeline for package maintainers to submit vulnerabilities with minimal work.”
Google’s effort mirrors Microsoft’s open-source security initiatives through GitHub that aim to speed up remediation via tools like Microsoft Teams. 
According to Google, OSV is meant to provide precise data on “where a vulnerability was introduced and where it got fixed, thereby helping consumers of open-source software accurately identify if they are impacted and then make security fixes as quickly as possible.”
Currently, this feed contains vulnerabilities from OSS-Fuzz, the bot it created to probe open-source software for bugs. Most of the bugs filed in OSV are from C and C++ code. 
SEE: Programming languages: Julia users most likely to defect to Python for data science
OSS-Fuzz has been a successful program at Google, helping uncover thousands of bugs in key open-source projects. Fuzzing involves throwing code at an application with the intent of crashing the program.
OSV is another step in Google’s efforts to improve the state of security in open-source software development in light of these recent supply chain attacks. Google wants the community to agree on what is a critical project and then apply more stringent rules on maintainers of those projects. It’s just a discussion but the company wants the industry to improve vulnerability management in open-source software development. 
However it has listed over 380 open-source software projects it considers critical and is working with package distribution platforms to improve vulnerability management. 
“Vulnerability management can be painful for both consumers and maintainers of open source software, with tedious manual work involved in many cases,” Google said.  More

The inner workings of the Domestic Kitten hacking group’s surveillance operations have been disclosed by researchers. 

Domestic Kitten, also tracked as APT-C-50, is an advanced persistent threat (APT) group. First discovered in 2018, the APT has ties to the Iranian government and has been linked to attacks against domestic citizens “that could pose a threat to the stability of the Iranian regime,” according to Check Point. 
Target individuals could include regime dissidents, civil rights activists, journalists, and lawyers. 
In a blog post on Monday, the Check Point research team said Domestic Kitten has been conducting widespread surveillance for the past four years, launching at least 10 separate campaigns and maintaining a target list of 1,200 individuals, at a minimum. 
At present, four active campaigns have been recorded, the most recent of which appears to have begun in November and is ongoing. Domestic Kitten victims are located across the world including in countries such as Iran, the US, Pakistan, and Turkey.
The APT uses mobile malware dubbed FurBall. The malware is based on commercially-available monitoring software called KidLogger, and according to the researchers, “it seems that the developers either obtained the KidLogger source code, or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities.”
FurBall is spread through a variety of attack vectors including phishing, Iranian websites, Telegram channels, and via SMS messages containing a link to the malware. The malware utilizes a variety of disguises to try and trick a victim into installation; such as being packaged as “VIPRE” mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

Once installed on a target device, FurBall is able to intercept SMS messages, grab call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their targets’ movements, and more. 
When information has been gathered from the compromised device, it can be sent to command-and-control (C2) servers that have been used by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.
On Monday, Check Point researchers, together with SafeBreach, also disclosed the activities of a second threat group which is actively targeting Iranian dissidents — but rather than focus on their smartphones, their PCs are at risk. Dubbed Infy, this APT — known to have existed since 2007 and suspected of being state-sponsored — has now renewed its efforts with a previously-undetected malware strain, a refreshed main Infy malware payload, and an overhaul of past C2 infrastructure. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More