Information Technology

Dell Technologies has established an innovation facility in Singapore that focuses on research and development (R&D) work in key digital transformation technologies, including edge computing, data analytics, and augmented reality. The result of a three-year investment totalling $50 million, it is the company’s first such facility to be built outside the US. 
It also houses a team dedicated to enhancing user experience, according to Dell’s president of Asia-Pacific Japan and global digital cities, Amit Midha. Of the total investment, $23 million alone will be invested this year. 
The facility also accommodates Dell’s existing R&D work in Singapore that is responsible for the company’s global design and development work for product categories that include monitors and client peripherals. In addition, it encompasses a hardware prototyping lab focused exclusively on product design, including the development of artificial intelligence (AI) technologies. 

Speaking to media in the lead up to the hub’s official launch Monday, Midha said more than 160 new roles would be added by year-end to support the innovation hub, including designers and developers, with most of the positions currently already filled. These new hires would push R&D initiatives for the vendor’s customers and partners across the globe. 
Pointing to Dell’s goal of creating technologies that “drive human progress”, he said key investment areas for the Singapore facility would be in line with the company’s focus areas comprising 5G, edge, data management, hybrid cloud, AI and machine learning, and cybersecurity. 
“The world needs technology now more than ever,” he added. “In encouraging the adoption of digital solutions and new technologies, strengthening our product and process innovation system, and engaging the talent pipeline, we believe we are paving the path for a more resilient, progressive, inclusive, and sustainable economy.” 
Dell earlier this month launched a skills accelerator programme in Singapore, offering to equip 3,000 students, fresh graduates, and mid-career professionals over the next two years with skills in cloud computing, data protection, data science, and big data analytics. The scheme encompassed two separate programmes, including a partnership with Singapore Management University that would see more than 1,000 of the school’s undergraduates experience cloud-native technologies and content as part of their curriculum. A five-week training programme also would be offered to 1,000 employees of Dell’s local partners and customers that had enrolled in Singapore’s SGUnited Traineeship or Mid-Career Pathways programme. 

Asked what challenges companies currently faced in their efforts to innovate, Midha said the COVID-19 pandemic had expanded every organisation’s remote workforce. It underscored the need to figure out how innovation could be facilitated while employees worked from home or remotely, he noted. 
This was where collaboration and digital tools came into play, he said. He added that companies also would need to establish the right polices and culture that would drive innovation in the new work environment and enable colleagues build on each other’s ideas.
RELATED COVERAGE More

Most Brazilian companies have not increased their investments in information and cyber security since the Covid-19 pandemic emerged despite an increase in threats, according to a new study on perceptions of cybersecurity risk in Latin America since the start of the crisis.
According to the survey, carried out by consulting firm Marsh on behalf of Microsoft, 84% of organizations failed to boost their security spend since March 2020, even though 30% of those polled saw an increase in malicious attacks as a consequence of the novel coronavirus crisis, with phishing and malware being the most frequent types of occurrences.
Despite the increase in security threats, 56% of the Brazilian companies polled currently invest 10% or less of their IT budget in cybersecurity. According to the study, 52% of Brazilian organizations said investment in security has not changed since the start of the pandemic.

In terms of employee practices around security, only 23% of the Brazilian organizations that took part in the study said their workforce is using company-provided equipment to work. At a regional level, 70% of Latin organizations allowed their employees to use their personal devices following the shift to remote working.
According to the study this significantly increased exposure to some type of cyber incident, but remote access security is a priority for only 12% of respondents and the second item on the list for 7% of respondents.
Only a quarter of the Latin companies surveyed increased their cyber security budgets after the pandemic, while the increase in the data protection budget was 26%. Moreover, only 17% of organizations in Latin America have insurance against cyber threats.
“Many results found in this analysis are really worrying, such as the low rates of companies with insurance against cyber risks and security investment”, said Marta Schuh, cyber risks superintendent at Marsh Brazil.

“Now that companies are more exposed to remote work and the use of personal devices, it is worrying that few companies have increased their cybersecurity budget after the pandemic and some have even reduced this investment, despite the notable increase in cyber attacks”, she added. The study follows the news on massive data leaks in Brazil, which have emerged over recent weeks. More

After receiving feedback from Experian over a massive data leak in Brazil, São Paulo state consumer rights foundation Procon described the company’s explanations as “insufficient” and said it is likely that the incident was initiated in a corporate environment.
Procon notified the credit information multinational following the emergence of a leak that exposed the personal data of more than 220 million citizens and companies, which is being offered for sale in the dark web. Security firm PSafe discovered the incident, which exposed all manner of personal details, including information from Mosaic, a consumer segmentation model used by Serasa, Experian’s Brazilian subsidiary.

Following the emergence of the leak in January, Procon notified the credit bureau, and asked the company for a confirmation of the incident, and an explanation of the reasons that caused the leak, the steps taken to contain it, how it will repair the damage to consumers impacted and the measures taken to prevent it from happening again.
“No hypothesis has been ruled out, and at the moment we consider it is more likely that the leak came from inside companies rather than hackers,” said Procon’s executive director Fernando Capez, adding that Experian’s feedback prompts more questions than answers. The explanations from the company will be analyzed by the board of the consumer rights body, and a fine may be applicable if any wrongdoing becomes evident.
According to Procon, Experian informed that all its activities that involve personal data comply with the Brazilian data protection regulations, and that processing of such data can legally serve several purposes. That part of the answer was insufficient, the consumer rights body said, since “there is no legal basis for the treatment and use of data in an indiscriminate manner” and that includes data of deceased individuals, also exposed in the leak.
In addition, Procon noted that Serasa Experian did not specify the technical and organizational measures adopted to implement its data protection policy. Moreover, the company reinforced what it had said in a statement released last week in its response to the notification, that there is no evidence that credit data has been illegally obtained from its Brazilian subsidiary. The company also argued that there is no evidence that its technology systems had been compromised.
In relation to Serasa Experian’s risk mitigation policy that may occur in such circumstances, Procon said the company only stated that a “comprehensive information security program” is currently in place. Regarding damage repair to consumers, Serasa Experian stated that its website has instructions on what to do in case of fraud. Procon’s stance is that this is a preventive measure rather than a reparative action.

Contacted by ZDNet, Serasa Experian did not answer to requests for comment on Procon’s response to its feedback. The agency’s demands for answers follow calls from the Brazilian Institute for Consumer Protection (IDEC) for urgent measures to investigate and punish those responsible for exposing the population’s data, as well as improved citizen information and transparency. More

One of the top challenges and misunderstandings that I continue to see is what the definition of Zero Trust actually is. Zero Trust is not one product or platform; it’s a security framework built around the concept of “never trust, always verify” and “assuming breach.” Attempting to buy Zero Trust as a product sets organizations up for failure. 

ZDNet Recommends

Vendors would have you believe that the security solution, platform, or widget they are selling is Zero Trust and that you can just purchase their solution to address your needs. This is false. Vendors enable Zero Trust; they are not Zero Trust itself.  
There Is No Easy Button To Zero Trust 
Starting down the path of Zero Trust is complicated. It’s difficult to figure out where to start, so we’ve established a handy guide on how to practically enable Zero Trust from an implementation standpoint. Don’t buy into vendor hype that you can purchase something and immediately be Zero Trust. That’s not the reality of the situation. 
Organizations need to build a strategy to get to a Zero Trust architecture that encompasses more than technology and buzzwords. One example is the Zero Trust eXtended (ZTX) ecosystem which, at a bare minimum, requires: 

Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps. 

Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve. 

Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects. 

Zero Trust Is A Security Framework, Not An Individual Tool Or Platform 
ZTX is an ecosystem with both technology and non-technology pieces. Protecting the perimeter and other prior security strategies didn’t easily adapt to change because they were designed around monolithic point solutions that didn’t integrate with each other. Zero Trust, however, is designed to be in a state of continuous review and optimization. 
The fluid, integrated nature of Zero Trust is designed to easily adapt to business changes. Organizations need to be cautious about vendor messaging, dive into details about vendor offerings, and call them out when the technology they’re pitching seems too good to be true. 
Ask the vendor you’re considering where the capability they’re describing fits in the ZTX ecosystem. If they can’t describe it, it’s a very clear sign that they don’t understand Zero Trust. Security vendors need to update their messaging to reflect the reality that Zero Trust is a journey that’s different for every organization and stop advertising Zero Trust as a product that can be bought. By selling their solutions as Zero Trust easy buttons, they continue to set their customers up for failure by perpetuating this false paradigm. 
Zero Trust isn’t a race; It’s a continuous journey 

While Zero Trust continues to be marketed as the cool new thing, at the end of the day we need to ground ourselves. Zero Trust is the new normal. COVID-19 has significantly changed the way we work and forced a lot of organizations to accelerate their digital transformation and security strategies. Take a second to see if these security solutions are the real deal by scrutinizing how they fit into the different pillars of the ZTX ecosystem and, most importantly, your organization’s overall Zero Trust strategy. They should be helping to enable organizations reach Zero Trust while improving the employee experience and should not be just another security tool that gets in the way of doing business. 
To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
This post was written by Analyst Steve Turner, and it originally appeared here.  More

A year ago, Forrester set out to document a new model for security and networking that was gaining mindshare in the market. As a result, Forrester recently published its research in a new report that introduces the Zero Trust Edge model for security and network services. There’s a similar name going around in the market, “Secure Access Services Edge” (SASE) to describe the same model. We put the emphasis on the Zero Trust part.  

ZDNet Recommends

Forrester is an advocate for this model for several reasons. But the primary one is this: The internet was designed without security in mind. Should we, as technologists, just expect every organization in the world to simply attach themselves directly to it and hope it all works out for them? For 25 years, we’ve just been putting Band-Aids on top of Band-Aids, hoping to stop the cybersecurity bleeding, but the carnage gets worse every year. The Zero Trust Edge (ZTE) model is a safer on-ramp to the internet for organizations’ physical locations and remote workers. 
A ZTE network is a virtual network that spans the internet and is directly accessible from every major city in the world. It uses Zero Trust Network Access (ZTNA) to authenticate and authorize users as they connect to it and through it. If those users are accessing corporate services like an on-prem application or Office 365, they may rarely even “touch” the internet, except to be safely tunneled through it, and they’ll certainly be kept away from the bad parts of town. 
Tactics Vs. Strategy 
Many enterprises are looking at this model to tactically solve a specific problem: securing the remote workforce. These organizations realize that acquiring more VPN licenses during the COVID-19 lockdown was just a stopgap measure to keep people working. Now, they’re looking for a ZTNA solution. 
All ZTE vendors have ZTNA because it’s the primary security service of their stack. Once enterprises start talking with vendors like Zscaler, Akamai, or Netskope, they realize there are more security services they can consume as a service, and now they’re talking themselves into ZTE strategy. 
In the future, after other technologies like SWG, CASB, and DLP are integrated into the stack, organizations will look to put all their network traffic through these ZTE networks. And that’s where the security and network teams will have to work together, because legacy on-prem networks are heterogenous, and the migration of giant datacenters or 12-story hospitals using software-defined WAN (SD-WAN) as a transport into the ZTE networks will be a challenge.  
We’ll solve the tactical problem, remote workforce, first with ZTNA. We’ll move on to the larger security challenges next. And finally, we’ll address the network. In the end, remote users, retail branches, remote offices, factories, and data centers will be connected to ZTE networks that will use Zero Trust approaches and technologies to authenticate, sanitize, and monitor connections through the network and into the internet and public clouds. 

To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
This post was written by Senior Analyst David Holmes, and it originally appeared here.  More

The Tor mode included with the Brave web browser allows users to access .onion dark web domains inside Brave private browsing windows without having to install Tor as a separate software package.
Added in June 2018, Brave’s Tor mode has allowed throughout the years access to increased privacy to Brave users when navigating the web, allowing them to access the .onion versions of legitimate websites like Facebook, Wikipedia, and major news portals.
But in research posted online this week, an anonymous security researcher claimed they found that Brave’s Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes.
While the researcher’s findings were initially disputed, several prominent security researchers have, in the meantime, reproduced his findings, including James Kettle, Director of Research at PortSwigger Web Security, and Will Dormann, a vulnerability analyst for the CERT/CC team.

Furthermore, the issue was also reproduced and confirmed by a third source, who also tipped off ZDNet earlier today.
The risks from this DNS leak are major, as any leaks will create footprints in DNS server logs for the Tor traffic of Brave browser users.
While this may not be an issue in some western countries with healthy democracies, using Brave to browse Tor sites from inside oppressive regimes might be an issue for some of the browser’s other users.

Brave Software, the company behind the Brave browser, has not returned a request for comment sent before this article’s publication earlier today.
Over the past three years, the company has worked to build one of the most privacy-focused web browser products on the market today, second only to the Tor Browser itself.
Based on its history and dedication to user privacy, the issue discovered this week appears to be a bug, one the company will most likely hurry to address in the coming future.
Update: Minutes after this article went live, the Brave team announced a formal fix on Twitter. The patch was actually already live in The Brave Nightly version following a report more than two weeks ago, but after the public report this week, it will be pushed to the stable version for the next Brave browser update. The source of the bug was identified as Brave’s internal ad blocker component, which was using DNS queries to discover sites attempting to bypass its ad-blocking capabilities, but had forgotten to exclude .onion domains from these checks.

tl;dr1. this was already reported on hackerone, was promptly fixed in nightly (so upgrade to nightly if you want the fix now)2. since it’s now public we’re uplifting the fix to a stable hotfixroot cause is regression from cname-based adblocking which used a separate DNS query https://t.co/dLjeu4AXtP
— yan (@bcrypt) February 19, 2021 More

Malaysian officials announced on Thursday the arrest of 11 suspects believed to be part of a hacktivist group that defaced government websites during late January.
The group, calling itself Anonymous Malaysia, defaced 17 websites for local governments and universities, according to posts they made on a Facebook page earlier this month.
The defacements were part of a campaign the group called #OpsWakeUp21, during which they wanted to highlight the poor security of government websites by posting warning messages on their front pages (see screenshot above).
Malaysian authorities started an investigation after the attacks took place in late January, and 11 suspects were arrested on Wednesday.
According to local reports, the suspects were aged between 22 and 40, and from Pahang, Johor, Perak, and the Klang Valley regions.
Similar hacktivism activity reported in Myanmar
The arrests come after earlier this week, another hacktivist group, named the Myanmar Hackers, defaced sites for the Myanmar military, state-run broadcaster MRTV, the Central Bank, the Port Authority, the Food and Drug Administration, and local law enforcement.
The cyber intrusions and website defacements were part of nationwide protests against the current government, which illegitimately seized power earlier this month following a military coup.

On February 1, the Myanmar military leadership ordered the arrest of members of the National League for Democracy party, along with its leader Aung San Suu Kyi, which convincingly won the November 2020 elections after soundly defeating the military’s representatives.
Mass public protests have been taking place since the coup, in a country that just years before escaped from the rule of another failed junta regime.
Since the coup, the government has attempted several times to shut down internet access for the entire country, has blocked access to social networks to prevent citizens from organizing new protests, and is currently trying to pass a new draconian security law that would allow it to easier and unfettered access to any user’s personal data and browsing history.

An initial version of this article reported the arrests as members of the Myanmar Hackers group due to a misunderstanding in a source. More

WhatsApp is moving ahead with its controversial change to its privacy terms and it will soon push a banner to the app that it hopes will help explain that the change doesn’t mean you need to leave the service. 
WhatsApp last month delayed enforcing its new privacy terms after giving its two billion users the ‘choice’ to accept its new privacy terms by February 8, or essentially, stop using the app. 

More on privacy

The new date for users to accept the terms is May 15 and, ahead of that date, WhatsApp has posted a new blog attempting to explain what the changes mean for users. 
SEE: Security Awareness and Training policy (TechRepublic Premium)
WhatsApp said it had deferred the policy change to “clear up the misinformation”, but not before tens of millions of WhatsApp users started exploring alternatives, such as Signal and Telegram, the latter of which recently released a feature to bring WhatsApp messages across to its platform. 
Part of WhatsApp’s effort to clear up “confusion” is an in-app banner that explains the changes and further updates an FAQ page about the changes. 
“In the coming weeks, we’ll display a banner in WhatsApp providing more information that people can read at their own pace,” WhatsApp said in a new blogpost. 

Per TechCrunch, the banner will have an option to click “to review”, which provides further explanation of the changes and details about how WhatsApp works with Facebook.   
WhatsApp says it has updated the FAQ page to “try to address concerns we’re hearing.”
“Eventually, we’ll start reminding people to review and accept these updates to keep using WhatsApp,” it notes in the blogpost. 
The privacy changes addressed the situation where a WhatsApp user communicates with a business.
While WhatsApp won’t share a user’s contacts or chats with Facebook, the Facebook-owned messaging app will share a user’s profile data with Facebook after the user communicates with a business on WhatsApp. 
That communication could happen in a number of ways and Facebook is opening more opportunities for that conversation between user and businesses. For example, as part of Facebook’s commerce plans with Shops, Facebook allows business to promote their goods in WhatsApp. If users interact with the offer on WhatsApp, their data is shared with Facebook and its advertiser. That communication could also influence what ads the same user sees on Facebook. 
WhatsApp also took a shot at rivals in its blogpost. 

“We’ve seen some of our competitors try to get away with claiming they can’t see people’s messages – if an app doesn’t offer end-to-end encryption by default that means they can read your messages,” writes WhatsApp.  
“Other apps say they’re better because they know even less information than WhatsApp. We believe people are looking for apps to be both reliable and safe, even if that requires WhatsApp having some limited data.” More