More stories


    Cyber insurance: Seven questions you need to consider before buying

    The UK’s cybersecurity agency has set out advice for companies considering taking out insurance against hacking and ransomware attacks.
    Cyber insurance can help businesses to recover after a ransomware attack or data breach by providing financial support to put the damage right, and can also help with legal and regulatory headaches after an incident.


    But as the National Cyber Security Centre (NCSC) notes in its new guidance, this insurance will not fix your security issues, and won’t prevent a breach or attack taking place. “Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about,” it said.
    Almost half of UK firms reported a cyberattack over the past year, yet take-up of cyber insurance by businesses remains low. Cyber insurance might not be right for everyone and can never replace good security practice, said Sarah Lyons, NCSC deputy director for economy and society engagement.
    NCSC poses seven questions for senior execs at organisations considering cyber insurance:
    What existing cybersecurity defences do you already have in place?
    How do you bring expertise together to assess a policy?
    Do you fully understand the potential impacts of a cyber incident?
    What does the cyber-insurance policy cover (or not cover)?
    What cybersecurity services are included in the policy, and do you need them?
    Does the policy include support during (or after) a cybersecurity incident?
    What must be in place to claim against (or renew) your cyber-insurance policy?
    The NCSC said most insurance offered covers the immediate effects of an attack on an organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption. With data breaches there might be legal action from customers or others affected, and defending or settling those claims would also normally be covered. 
    However, it also said potential buyers should make sure they know what is excluded: some policies, for example, will not cover money lost through business email compromise fraud. Because attack techniques keep changing, companies should also check that newer types of attack are covered. It is also worth finding out what services the insurer provides in the immediate response to an incident, to help manage recovery, improve resilience and learn what went wrong.
    Some aspects of cyber insurance are more controversial: in a number of cases, insurers have paid the ransoms demanded by ransomware gangs, which critics say will encourage more attacks. Insurers argue that such payouts are made at the request of their clients, who often face a choice between paying the criminals and a long, complicated job of restoring their systems or rebuilding the network from scratch, which might be far more expensive.


    Magecart group uses homoglyph attacks to fool you into visiting malicious websites

    A new credit card skimming campaign making use of homoglyph techniques has been connected to an existing Magecart threat group.

    Homoglyph attacks may sound complicated, but they are extremely simple to pull off. The attacker registers a domain that differs from a legitimate one only by look-alike characters, and relies on visitors not noticing the small difference.
    For example, characters may be taken from a different script, or chosen because they resemble another letter, such as using a capital "I" in place of a lower-case "l".
    Take PayPal: a victim sent to "paypaI.com" (capital "i") may not notice that it is not "paypal.com" (lower-case "l"), because in many fonts the two glyphs are indistinguishable.
    The look-alike domain inherits the trust a visitor places in the real one, while malicious code, exploit kits or credential skimmers run behind it.
    On Thursday, Malwarebytes researcher Jérôme Segura documented a recent homoglyph attack wave in which fraudsters used several look-alike domains to load the Inter skimming kit from within a favicon file.
    A Malwarebytes YARA rule detected the Inter kit in a file uploaded to VirusTotal. Inter is a popular skimming framework sold online for $1,300 per license and used by cybercriminals to harvest information submitted through web pages, masquerading as visitor trackers, payment forms and more.
    Inter is usually spotted in suspicious HTML or JavaScript. In this case, however, the malicious code was served as an .ico file, the favicon format, that is, the small icon a browser displays for a site.
    The cybersecurity firm pulled up this alert and explored further, finding that the script was connected to a data exfiltration server, cigarpaqe[.]com. 
    Noting the use of “q,” the team found that the legitimate website, “cigarpage[.]com,” had been compromised and code referencing the .ico file meant that the malicious copycat favicon was loaded from the homoglyph domain.
    When visitors submitted their information via the legitimate domain’s payment page, Inter would harvest their data and transfer it to the attacker’s server. 
    Other domains were registered using the same technique: fieldsupply.com (look-alike fleldsupply.com) and wingsupply.com (look-alike winqsupply.com).
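    The two checks a defender actually wants here are (a) a way to decide whether two host names are homoglyphs of each other, covering both the ASCII tricks above (capital I for l, q for g) and internationalised domain names, and (b) a scan of a page's own markup for favicons or scripts pulled from such a host, which is exactly how the cigarpage/cigarpaqe case surfaced. The following is an added example written for this article, not code from Malwarebytes or from the Inter kit. The confusables table is a small hand-built stand-in for the Unicode confusables data, the sample HTML is constructed to mirror the scenario described above, and cdn.example.net is a hypothetical third-party host.

```python
"""Flag page resources loaded from a look-alike (homoglyph) host.

Added example, not code from the Malwarebytes write-up.  CONFUSABLES is a
small, hand-built stand-in for the Unicode confusables table, and the sample
HTML at the bottom is constructed to mirror the scenario in the article.
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately incomplete table of glyphs that stand in for one
# another in fraudulent domains: ASCII look-alikes (I/l/1, q/g, rn/m) and a few
# Cyrillic letters that are visually identical to Latin ones.
CONFUSABLES = {
    "1": "l", "i": "l", "|": "l", "0": "o", "q": "g",
    "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(label: str) -> str:
    """Fold a host name so that confusable spellings compare equal.

    NFKD plus stripping combining marks turns accented letters into their base
    letter; casefold turns the capital-I-for-l trick into lower case; the
    confusables pass then maps i/1/| to l, q to g, and so on.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = base.casefold()
    # Multi-character sequences (rn -> m) must be replaced before single ones.
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(seq, repl)
    return folded


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so IDN look-alikes are compared by glyph."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host   # already Unicode, or not decodable: compare as given


def is_lookalike(candidate: str, legitimate: str) -> bool:
    """True when the two hosts differ but fold to the same skeleton."""
    cand = to_unicode_host(candidate.strip().rstrip(".").casefold())
    legit = to_unicode_host(legitimate.strip().rstrip(".").casefold())
    if cand == legit:
        return False          # the same host is not a look-alike
    return skeleton(cand) == skeleton(legit)


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, host) for favicon links and external scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "link" and "icon" in (a.get("rel") or "").casefold():
            url = a.get("href")
        elif tag == "script":
            url = a.get("src")
        host = urlparse(url).hostname if url else None
        if host:                       # relative URLs have no host and are same-origin
            self.resources.append((tag, url, host))


def find_lookalike_loads(page_host: str, html: str) -> list[tuple[str, str]]:
    """Return (url, host) for every favicon or script whose host is a homoglyph
    of page_host.  Same-host and unrelated third-party loads are left alone;
    only near-identical spellings are reported."""
    collector = _ResourceCollector()
    collector.feed(html)
    return [(url, host) for _tag, url, host in collector.resources
            if is_lookalike(host, page_host)]


# Constructed page: the legitimate host's own markup, with its favicon pointing
# at a one-letter-off host, next to a same-origin and an unrelated script.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="https://cigarpaqe.com/favicon.ico">
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for url, host in find_lookalike_loads("cigarpage.com", SAMPLE_HTML):
        print(f"look-alike load: {url}  ({host} folds to {skeleton(host)})")
```

Run against a crawl of your own checkout pages with your registrable domain as page_host. The skeleton deliberately over-folds (it treats i, l, 1 and | as one letter), which is the right trade-off for this use: a false match only costs an analyst a look, whereas a missed one is a live skimmer. For production use, replace CONFUSABLES with the full Unicode confusables table and compare on the registrable domain rather than the full host so that www and cdn subdomains of the real site are not reported.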
    “It may not be their first rodeo either as some ties point to an existing Magecart group,” the researcher says. 
    Malwarebytes believes that Magecart Group 8 is the orchestrator of these attacks due to a fourth domain, zoplm[.]com, that has been tied to the threat actors and has recently been re-registered following a past takedown. 
    The company reached out to the webmaster of the impacted cigarpage domain, but the malicious code had already been removed. 
    Segura noted that while homoglyph attacks are not specific to any one threat actor or group, it is still worth examining them alongside infrastructure reuse.
    “One thing we know from experience is that previously used infrastructure has a tendency to come back up again, either from the same threat actor or different ones,” the researchers say. “It may sound counterproductive to leverage already known (and likely blacklisted) domains or IPs, but it has its advantages, too — in particular, when a number of compromised (and never cleaned up) sites still load third party scripts from those.”



    NSW Police says domestic carriers complying with encryption laws but internationals are not

    The New South Wales Police Force has submitted 13 non-compulsive Technical Assistance Requests (TARs) to designated communications providers (DCPs) since the enactment of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
    NSW Police assistant commissioner Michael Fitzgerald told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) the requests were related to investigations into murder, armed robbery, and commercial drug supply and importation.
    Twelve of the 13 TARs were sought for investigations already covered by a surveillance device warrant, a telecommunications interception warrant, or both.
    “The assistance was sought to facilitate the execution of those judicial warrants,” he added. “The other TAR related to the examination of property lawfully in police custody relating to a homicide investigation.”

    TARs are voluntary requests for DCPs to use their existing capabilities to access user communications, while the TOLA Act also allows for Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs), which are compulsory notices to compel communications providers to use or create a new interception capability, respectively.
    He said the state police force has not sought a TAN or TCN under TOLA.
    NSW Police was appearing alongside the Australian Federal Police (AFP) as part of the PJCIS review of the TOLA Act.  
    In its submission to the committee, provided earlier this week, the AFP revealed it had used the non-compulsive TAR process three times between 1 July 2019 and 30 June 2020.
    The AFP has also not sought any TANs or TCNs to date, telling the PJCIS that this does not indicate these provisions are not required, rather that it demonstrates the effectiveness of TOLA’s “tiered approach”.
    Fitzgerald said TOLA has “positively” impacted the relationships between NSW Police and some DCPs, calling it an effective tool to drive engagement and confrontation.
    Globally, however, discussions and interactions were not so constructive or helpful.
    “Our experience with engaging some overseas designated communication providers has been less successful. Those providers viewed their own domestic laws as legislative impediments to their ability to assist the New South Wales Police Force,” Fitzgerald said.
    Similarly, AFP deputy commissioner of investigations Ian McCartney said a “productive working relationship with the service providers and industry” has meant they are prepared to give assistance under the TAR, negating the need to move to the more compulsive measures.
    “We do engage as a matter of course with industry and the fact that all the assistance to-date has been through the Technical Assistance Request regime, being a voluntary regime, demonstrates the value in which that engagement has occurred and that collaboration,” superintendent Robert Nelson added.
    Liberal MP Julian Leeser raised concerns that the committee was told when the legislation was being rammed through Parliament in 2018 that it was required to battle the threat of terrorism over the upcoming Christmas period, despite the TAR process not being used until mid-2019. 
    “My concern and what I want clarification on is specifically, we were told it needed to be passed because of a terrorism threat and I don’t get a sense from your submission or your evidence that you used the TAR until at least in the middle of 2019,” he asked.
    McCartney said there were 11 instances of TARs being utilised in counterterrorism cases but took the question on notice.
    Australian Security Intelligence Organisation (ASIO) Director-General Mike Burgess similarly told the PJCIS that TOLA provides a “well-defined framework” for engagement with industry.
    “In many ways, the legislation is a licence to cooperate with industry. Industry engagement has been important to ASIO for a long time,” he said.
    “The Assistance and Access Act recognised that we need the assistance of a broader range of industry partners, traditional and new.”
    Burgess said the Act has repeatedly proved important in countering terrorism and espionage investigations. In total, ASIO has used the industry assistance powers fewer than 20 times.
    “Always to protect Australians from threats to their security,” Burgess said. “And the internet has not broken as a result.”


    Donald Trump signs executive orders banning TikTok and WeChat

    United States President Donald Trump has signed two executive orders addressing what he has labelled as the threat posed by apps such as TikTok and WeChat.
    The president is calling the pair of Chinese apps a “national emergency” with respect to the information and communications technology and services supply chain.
    According to the first order, which takes effect in 45 days, any transaction with TikTok’s owner, ByteDance Ltd, or its subsidiaries will be prohibited. The second order similarly prohibits any transaction related to WeChat, by any person or with respect to any property subject to the jurisdiction of the United States, with Tencent Holdings.
    While TikTok has clocked over 175 million downloads in the US, around 800 million globally, WeChat has over 1.2 billion monthly active users.
    In the orders, Trump says that apps developed in China continue to threaten the national security, foreign policy, and economy of the United States.
    “At this time, action must be taken to address the threat posed by one mobile application in particular, TikTok,” he said.
    “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the order continues.
    “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    The second order says that like TikTok, WeChat automatically captures vast swaths of information from its users, similarly noting again the ties to the Chinese Communist Party.
    “WeChat, like TikTok, also reportedly censors content that the Chinese Communist Party deems politically sensitive and may also be used for disinformation campaigns that benefit the Chinese Communist Party,” it adds.
    “The United States must take aggressive action against the owner of WeChat to protect our national security.”
    The orders came on the same day that Facebook launched its own TikTok competitor inside its wholly owned picture-sharing app, Instagram.
    Earlier this week, Australian Prime Minister Scott Morrison said that he has had a “good look” at TikTok and that there was no evidence to suggest the misuse of any people’s data.
    “We have had a look, a good look at this, and there is no evidence for us to suggest, having done that, that there is any misuse of any people’s data that has occurred, at least from an Australian perspective, in relation to these applications,” he told the Aspen Security Forum.
    “You know, there’s plenty of things that are on TikTok which are embarrassing enough in public. So that’s sort of a social media device.”
    Morrison said the same issues are present with other social media companies, such as Facebook.
    “Enormous amounts of information is being provided that goes back into systems. Now, it is true that with applications like TikTok, those data, that data, that information can be accessed at a sovereign state level. That is not the case in relation to the applications that are coming out of the United States. But I think people should understand and there’s a sort of a buyer beware process,” the prime minister added.
    “There’s nothing at this point that would suggest to us that security interests have been compromised or Australian citizens have been compromised because of what’s happening with those applications.”
    The orders follow Microsoft toying with the idea of buying TikTok.


    NSW government launches new strategy to build smart tech into future infrastructure

    The New South Wales government has launched its Smart Places Strategy and Smart Infrastructure Policy, which outlines how it plans to build sensors and technology into infrastructure and buildings.
    Under the strategy, the government hopes to see all smart places be embedded with sensors and communications technology in infrastructure and the natural environment; see sensors and technology solutions be used to capture, safely store, and make government-acquired data available; and be able to communicate information and insights using the data to drive decisions.
    Specific technology the state government hopes to deliver includes dedicated communications networks; smart CCTV, smart lighting, predictive analytics and push-to-talk emergency systems to reduce crime; smart meters to help residents track water and energy usage; smart traffic signalling and real-time route planning to reduce congestion; sensors to monitor air quality and help reduce hospital admissions; and digital models to improve construction planning and reduce costs.
    According to the strategy, a smart place can be a street or neighbourhood, a local government area, or a whole region, whether metropolitan or regional.
    Minister for Customer Service Victor Dominello said building smart technology into infrastructure and buildings would create jobs, enhance security, improve quality of life, reduce environmental impacts and promote data sharing.
    “Whether it’s easing cost of living pressure for households, busting congestion or improving health outcomes for communities, technology is the new weapon in our arsenal,” he said.
    “Data and precision modelling is just as important as bricks and mortar. Information is power and technology should be embedded in every major infrastructure project.
    “Similar strategies have worked effectively in other global centres including Dublin, Barcelona, and Boston. We cannot be spectators on the sidelines — we must lead in this arena.”
    The government said in delivering the strategy, it is currently developing a Data Protection Policy and Smart Places Customer Charter that will guide how data gathered by smart devices will be collected, managed, and stored.
    To be delivered within the next 12 months, the Data Protection Policy will sit alongside the NSW Privacy and Personal Information Protection Act 1998, which governs the handling of personal information.
    “Everyone involved in deploying and managing smart solutions needs to actively manage networks and data to ensure they are safe and secure, and privacy is protected,” the state government stated.
    “The NSW government is committed to making sure safeguards are in place at all times covering the data being collected, how it is being used, who is able to access the data and how it is being protected.”
    Other standards and policies that the state government will be developing to support the creation of smart places include “data as an asset” guidelines to support agencies making investment decisions to turn administrative data sets into machine-readable data sets; a guide to assist place owners and precinct planners design smart places; and a standards approach to promote safe, secure, and competitive technology solutions. These are expected to be completed in the next 18 months.
    Partnering with industry and startups, and establishing new funding models, such as the Smart Places Acceleration Fund to support local governments and place owners in developing smart places, are also part of the NSW government’s smart places agenda.
    The state government also highlighted how one of the key initiatives under its smart places strategy will be the Western Sydney City Deal, a 20-year agreement that has been sealed by all levels of government to create the state’s first smart city.
    The strategies are in addition to the state government’s launch of the Spatial Digital Twin earlier this year. At the time, Dominello described how technology would transform urban planning and infrastructure across Western Sydney.
    Delivered in partnership with CSIRO’s Data61, the NSW Spatial Digital Twin is expected to provide 3D and 4D digital spatial data and models of the built and natural environments.
    The Spatial Digital Twin will initially cover the councils of Blue Mountains, Camden, Campbelltown, Fairfield, Hawkesbury, Liverpool, Penrith, and Wollondilly.
    The interactive tool includes 22 million trees with height and canopy attributes, almost 20,000km of 3D roads, and 7,000 3D strata plans and 546,206 buildings.
    The NSW government has also set aside AU$240 million to bolster its cybersecurity capability, including investment in protecting existing systems, deploying new technologies and growing the cyber workforce.
    Earlier this week, the NSW government’s data portal, Data.NSW, was given a refresh to enable users, including government staff, members of the public, and private businesses, to easily search for data on the platform.
    “The redesign has focused on the portal’s home page, information architecture and the overall look and feel for users, supporting data-driven decision making and delivering better outcomes for the people of NSW,” NSW Department of Customer Service Secretary Emma Hogan said.
    “By making this information more accessible and easier to navigate, we’re putting the customer experience at the centre of accessing important data.”


    Black Hat: Hackers are using skeleton keys to target chip vendors

    Targeted attacks against semiconductor companies in Taiwan may not be widely known, but the ripple effect of a successful intrusion would be felt worldwide.


    Over the past decade, Taiwan has slowly established itself as a hotbed for chip companies in both development and production. Taiwan Semiconductor Manufacturing Company (TSMC) is a major player in the field and over time, the market value of the overall semiconductor and equipment manufacturing sector in the country has increased.
    The technology industry is a top target for advanced persistent threat (APT) groups, given the often-lucrative and valuable intellectual property — as well as customer data — that companies in the sector guard. 
    At Black Hat USA on Thursday, CyCraft Technology researchers Chung-Kuan Chen and Inndy Lin described a set of attacks believed to have been conducted by the same Chinese APT group in the quest for semiconductor designs, source code, software development kits (SDKs), and other proprietary information. 
    “If such documents are successfully stolen, the impact can be devastating,” the researchers said. “The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.”
    According to the team, attacks have been launched on numerous semiconductor vendors located at the Hsinchu Science Industrial Park in Taiwan. To date, it is thought at least seven vendors — as well as their subsidiaries — have been attacked by the same APT group in what the team calls “precise and well-coordinated attacks.”
    The campaign, dubbed Operation Chimera and also known as Skeleton, ran throughout 2018 and 2019 and used a variety of tools, including Cobalt Strike, a legitimate penetration testing framework that threat actors routinely abuse, and a custom skeleton key built from code taken from both Dumpert and Mimikatz.
    In two case studies described in CyCraft’s whitepaper (.PDF), a variety of endpoints and user accounts were found to be compromised at the time malware infections were detected. 
    Initial access came from a valid, corporate ID — potentially stolen in a separate data breach — and a virtual private network (VPN) connection in the first case.
    “Many enterprises often neglect this attack vector, by default trusting VPN connections and welcoming them into their intranet; and Chimera is one of the most skilled threat actors that we have seen at abusing VPN policies,” the researchers added.
    In the next stage of the attack chain, Remote Desktop Protocol (RDP) was used to reach company servers.
    In the second Chimera intrusion, the anomalies were discovered during a network upgrade: the malware payload had been injected directly into memory by encoded PowerShell scripts rather than being written to disk.
    Once loaded into a compromised network, an adapted version of Cobalt Strike masqueraded as a Google Update function (GoogleUpdate.exe), while actually establishing backdoor beacons and persistence mechanisms. 
    To exfiltrate data from an infected machine, Chimera makes use of an old version of RAR, a legitimate archive program, which has also been tampered with for malicious purposes. The customized tool, dubbed ChimeRAR, archives data harvested from a network and transfers it to a command-and-control (C2) server controlled by the cyberattackers. 
    To further mask its activity, the threat group also hosted multiple C2s in the Google Cloud platform and through Microsoft Azure, as well as via other public cloud services. 
    The skeleton key, however, is perhaps the most interesting weapon in Chimera’s arsenal. Dell Secureworks’ Counter Threat Unit first documented the use of a skeleton key able to bypass authentication checks on Active Directory (AD) servers back in 2015, giving cybercriminals unfettered access to remote access services. 
    Chimera’s tool, named “SkeletonKeyInjector,” is designed to be implanted into AD and domain controller (DC) servers, allowing the cyberattackers to move laterally across a network and to make direct syscalls, thereby circumventing existing security software. 
    Code snippets taken from Mimikatz and Dumpert give the malware the capability to bypass API monitoring, a common defense mechanism used by today’s antivirus and endpoint protection solutions. 
    “The malware altered the New Technology LAN Manager (NTLM) authentication program and implanted a skeleton key to allow the attackers to log in without the need of valid credential[s],” the researchers said. “Once the code in memory was altered, the attackers could still gain access to compromised machines even after resetting passwords.”
    Because domain controllers are rarely rebooted, the team adds, a memory-resident skeleton key can go undetected for long periods and lets the attackers move laterally without triggering alerts. In one of the firm’s case studies, the APT group was present for roughly a year before being removed from the compromised network.
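    Two things in the paragraphs above are directly detectable from logs a domain controller already produces. The Mimikatz-derived skeleton key only validates RC4-HMAC, so for the Kerberos side an account that normally receives AES tickets and suddenly requests RC4 is a strong signal; and installing the key means some process opened lsass.exe with rights to write into it. The block below is an added example written for this article, not CyCraft's code and not the SkeletonKeyInjector tool it describes. The records are constructed stand-ins for Windows Security event 4768 (Kerberos TGT requested) and Sysmon event 10 (ProcessAccess) after parsing; field names follow those event schemas, while the values, the GoogleUpdate.exe path and the allow-list of lsass clients are made up for the example.

```python
"""Two log-side indicators of a skeleton key resident in lsass on a domain controller.

Added example, not CyCraft's code.  The event records below are constructed
stand-ins for Windows Security event 4768 and Sysmon event 10 after parsing;
field names follow those schemas, the values and the allow-list are invented.

Indicator 1, Kerberos encryption downgrade: the Mimikatz-style skeleton key
only validates RC4-HMAC (etype 0x17), so an account that normally receives
AES tickets (0x11/0x12) suddenly requesting RC4 is a strong signal.
Indicator 2, lsass handle access: the key is installed by opening lsass.exe
with rights that allow writing to its memory, from a process that should
never do so on a DC.
"""

AES_ETYPES = {0x11, 0x12}        # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
RC4_ETYPE = 0x17                 # rc4-hmac: the only etype a skeleton key serves

# Process access rights that allow patching code in another process:
# PROCESS_CREATE_THREAD (0x2), PROCESS_VM_OPERATION (0x8), PROCESS_VM_WRITE (0x20).
INJECT_MASK = 0x0002 | 0x0008 | 0x0020

# Assumed, site-specific allow-list of images expected to open lsass on a DC.
EXPECTED_LSASS_CLIENTS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def kerberos_downgrades(events):
    """Return (account, client ip) for each RC4 TGT request by an account that
    earlier in the same event stream received an AES ticket.

    `events` is an iterable of dicts in time order; 4768 records carry
    TargetUserName, TicketEncryptionType (int) and IpAddress.
    """
    seen_aes = set()
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        account = ev["TargetUserName"].casefold()
        etype = ev["TicketEncryptionType"]
        if etype in AES_ETYPES:
            seen_aes.add(account)
        elif etype == RC4_ETYPE and account in seen_aes:
            flagged.append((account, ev.get("IpAddress")))
    return flagged


def lsass_injections(events):
    """Return (source image, granted access) for Sysmon 10 records in which an
    unexpected image opened lsass.exe with write or thread-creation rights."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].casefold().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)   # Sysmon logs this as a hex string
        source = ev["SourceImage"].casefold()
        if granted & INJECT_MASK and source not in EXPECTED_LSASS_CLIENTS:
            flagged.append((ev["SourceImage"], granted))
    return flagged


# Constructed sample stream: two accounts get AES tickets, a binary dropped in
# a world-writable folder and named after Google's updater opens lsass with
# write rights, and the same two accounts then start receiving RC4 tickets,
# one of them from an address never seen before.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "j.smith", "TicketEncryptionType": 0x12, "IpAddress": "10.1.2.30"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "TicketEncryptionType": 0x12, "IpAddress": "10.1.2.40"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\GoogleUpdate.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
    {"EventID": 4768, "TargetUserName": "j.smith", "TicketEncryptionType": 0x17, "IpAddress": "10.1.2.30"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "TicketEncryptionType": 0x17, "IpAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for account, ip in kerberos_downgrades(SAMPLE_EVENTS):
        print(f"AES->RC4 downgrade for {account} from {ip}")
    for image, access in lsass_injections(SAMPLE_EVENTS):
        print(f"lsass opened with 0x{access:x} by {image}")
```

Three caveats for anyone wiring this into a SIEM. Build the AES baseline over weeks of history, not the same window you are alerting on, and expect legitimate RC4 requests from accounts that have no AES keys and from old clients, so carry an exception list. The key lives only in lsass memory, so a reboot of the DC removes it and the logs are then your only retrospective evidence. And the CyCraft text says the tool altered NTLM authentication: if a variant patches only NTLM, the Kerberos downgrade check stays silent, and what remains is the lsass access indicator plus NTLM logons (event 4776) from sources that should not be using NTLM.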
    “Based on the stolen data, we infer that the actor’s goal was to harvest company trade secrets,” CyCraft says. “The motive may be related to business competition or a country’s industrial strategy.”
    ZDNet has reached out to the researchers with additional queries and will update when we hear back. 



    Return of the sovereign cloud

    There is increasing interest in national cybersecurity as the line between military, economic and diplomatic conflict blurs. The role that cloud computing plays in every nation’s critical infrastructure is once again under scrutiny.