More stories


    China accuses US of breaching market rules in NYSE delisting

    China has described the US government’s order to delist three Chinese telcos from the New York Stock Exchange (NYSE) as politically motivated and in breach of market rules. It stressed the need to respect the rule of law and safeguard the “order of global financial market”.
    Outgoing US President Donald Trump had issued an executive order last November prohibiting any trading and investment activities involving companies previously deemed to be Communist Chinese military companies by the US Department of Defense. Trump’s order would ban trading in any new companies 60 days after the US placed such a label on them.
    Slated to begin on January 11, the ban would impact three NYSE-listed companies, namely, China Telecom, China Mobile, and China Unicom Hong Kong. 


    In response, the China Securities Regulatory Commission said Sunday the delisting of the Chinese telcos “disregarded” the “legitimate rights” of global investors and “severely disrupted” market order. 
    Citing a spokesperson from the commission, state-run media agency China Daily reported that the three Chinese companies had secured American Depositary Receipts and had been listed on the NYSE for almost or more than 20 years. The telcos also had complied with the rules and regulations in accordance with the US securities market. 
    The China Securities Regulatory Commission spokesperson added that the delisting was politically charged and in serious breach of market rules and order. He said some US politicians had made attempts to suppress US-listed foreign companies at the “cost of damaging” the global standing of the US capital market, describing these moves as random, arbitrary, and “unwise”.
    The spokesperson noted, however, that the delisting would have “very limited impact” on the operations and development of the three Chinese telcos, given the companies’ large user base, established operations, influence on the global telecommunications industry, and small volume of American Depositary Receipts in their total shares. 

    He added that the commission would support the three companies in safeguarding their rights and interests. “We hope the US sides will respect the market and the rule of law and do more to protect the order of the global financial market, safeguard investors’ lawful rights and interests, and promote the steady development of the world economy,” the spokesperson said.
    An official of the China Banking and Insurance Regulatory Commission also called for stabilising the relationship between China and the US, which would be in the “fundamental interests” of both parties as well as meet the expectations of the international society.
    It said: “We hope the US government will meet China halfway, uphold the spirit of non-conflict, non-confrontation, mutual respect, and win-win cooperation, promote the healthy development of the China-US relationship, and maintain international financial market stability together with us.”


    NYSE to remove trio of Chinese telcos as Trump order enters into force

    The New York Stock Exchange will delist a trio of Chinese telcos as a November executive order from US President Donald Trump enters force on January 11.
    The three listed companies hit by the change are China Telecom, China Mobile, and China Unicom Hong Kong.
    “The order prohibits, beginning 9:30 am eastern standard time on January 11, 2021, any transaction in publicly traded securities, or any securities that are derivative of, or are designed to provide investment exposure to such securities, of any Communist Chinese military company, by any United States person,” the NYSE said in a statement.
    Signed on 12 November 2020, the executive order forbids trading and investing in any of the companies previously deemed to be Communist Chinese military companies by the US Department of Defense, and bans trading in any new companies 60 days after the US places such a label on them.
    Besides the three telcos, other large Chinese companies on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    In the executive order, Trump said the People’s Republic of China (PRC) was “exploiting United States capital” to boost and update its military, which allows Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons, and malicious cyber-enabled actions against the United States and its people”.
    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.

    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also said the PRC “exploits United States investors” to finance its military.
    “At the same time, those companies raise capital by selling securities to United States investors that trade on public exchanges both here and abroad, lobbying United States index providers and funds to include these securities in market offerings, and engaging in other acts to ensure access to United States capital,” he said.
    “To protect the United States homeland and the American people, I hereby declare a national emergency with respect to this threat.”
    The winner of the 2020 US presidential election, Joe Biden, is due to be sworn in on January 20.


    Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

    More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

    The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities.
    Device owners are advised to update systems as soon as time permits.
    Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.
    Affected models include many enterprise-grade devices
    Affected models include many of Zyxel’s top products from its line of business-grade devices, usually deployed across private enterprise and government networks.
    This includes Zyxel product lines such as:
    the Advanced Threat Protection (ATP) series – used primarily as a firewall
    the Unified Security Gateway (USG) series – used as a hybrid firewall and VPN gateway
    the USG FLEX series – used as a hybrid firewall and VPN gateway
    the VPN series – used as a VPN gateway
    the NXC series – used as a WLAN access point controller
    Many of these devices are used at the edge of a company’s network and, once compromised, allow attackers to pivot and launch further attacks against internal hosts.

    Patches are currently available only for the ATP, USG, USG Flex, and VPN series. Patches for the NXC series are expected in April 2021, according to a Zyxel security advisory.

    Backdoor account was easy to discover
    Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.
    “The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday.
    Researchers said the account had root access to the device because it was being used to install firmware updates to other interconnected Zyxel devices via FTP.
    Zyxel should have learned from the 2016 backdoor incident
    In an interview with ZDNet this week, IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a previous incident that took place in 2016.
    Tracked as CVE-2016-10401, Zyxel devices released at the time contained a secret backdoor mechanism that allowed anyone to elevate any account on a Zyxel device to root level using the “zyad5001” SU (super-user) password.
    “It was surprising to see yet another hardcoded credential specially since Zyxel is well aware that the last time this happened, it was abused by several botnets,” Anubhav told ZDNet.
    “CVE-2016-10401 is still in the arsenal of most password attack based IoT botnets,” the researcher said.
    But this time around, things are worse with CVE-2020-29583, the CVE identifier for the 2020 backdoor account.
    Anubhav told ZDNet that while the 2016 backdoor mechanism required attackers to first have access to a low-privileged account on a Zyxel device, which they could then elevate to root, the 2020 backdoor is worse as it can grant attackers direct access to the device without any special conditions.
    “In addition, unlike the previous exploit, which was used in Telnet only, this needs even lesser expertise as one can directly try the credentials on the panel hosted on port 443,” Anubhav said.
    Furthermore, Anubhav also points out that most of the affected systems are also very varied, compared to the 2016 backdoor issue, which only impacted home routers.
    Attackers now have access to a wider spectrum of victims, most of which are corporate targets, as the vulnerable devices are primarily marketed to companies as a way to control who can access intranets and internal networks from remote locations.
    A new wave of ransomware and espionage?
    This is a big deal in the bigger picture because vulnerabilities in firewalls and VPN gateways have been one of the primary sources of ransomware attacks and cyber-espionage operations in 2019 and 2020.
    Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have often been exploited to attack companies and government networks.
    The new Zyxel backdoor could expose a whole new set of companies and government agencies to the same type of attacks that we’ve seen over the past two years.


    How to not lose your cables, chargers, and other gadgets when working out and about

    This time last year, I spent a lot of time working on the move, and that meant that sometimes I had to set up a temporary “office” at a café or restaurant. But the more gear you have out, the greater the chances of losing something (or, as I think of it, “donating” it).
    Here’s how I managed to keep the gear I started out with.
    Have a place for everything, and keep everything in its place
    I owe this one to my grandfather. “Have a place for everything, and keep everything in its place,” he used to say (he said it in Welsh, but the sentiment was the same).
    Having a good method of carrying my stuff works for me. Pockets are always a compromise.
    I tend to pack my gear into a Maxpedition sling pack, which holds my MacBook Pro, charger, and other bits. I also have a Maxpedition Wolfspur bag for shorter trips, which easily consumes an iPad Pro, charger, and cables, with plenty of room for sandwiches, a water bottle, and other bits and pieces.

    My hard working, hard wearing Maxpedition Kodiak Gearslinger sling pack
    Make it a habit to check pockets and pouches

    I have a habit of unconsciously patting down my pockets every so often, checking to see that I still have everything I expect to have — smartphone, wallet, pen, multitool. It’s a good habit to get into, not in an obsessive way, but occasionally, when getting up from a seat or moving on public transport or about a busy place.
    Keep zips and clasps on bags shut
    It’s incredible the number of people I see walking along with their backpack or messenger bag half-open (I saw it just a few moments ago — a guy’s backpack was open, and his iPad was hanging out, ready to fall out, or be stolen). Again, make it a habit to check zips and clasps on your bags.
    Use tech to keep your tech safe
    Have “Find my” active on your iOS and Android devices. It’s one of those things that you’ll thank yourself for if you lose something. 
    I’ve also been using Tile tags a lot lately, and it’s been a constant companion around Europe, keeping an eye on my wallet, backpack, and luggage. The hardware and software have performed flawlessly, and I highly recommend the gear.

    A Tile Slim tirelessly keeping an eye on my wallet as I travel

    Make your gear distinctive!
    I’ve found that one of the best ways to not lose stuff is to make it distinctive. Not only is it harder to inadvertently leave something behind that stands out, but it also makes it less likely that someone else will take a fancy to it. I find that distinctive Velcro patches on bags (glue them on if you don’t want someone ripping them off), and reflective tape on bags, chargers and even cables (the marine grade SOLAS tape will survive years of hard use, and cling on to most surfaces) pays for itself.
    For night time, I’ve found the TEC Accessories Embrite Velcro patch to be very useful for keeping track of my bag (also a handy visual so I don’t trip over it or tread on it!).
    My charging cables are also pretty distinctive — I like bright red Amazon Basics cables!
    My stuff might look goofy, but it’s my stuff, I am out of hoots to give about what other people think, and this seems like an effective way to keep my stuff as mine.


    SolarWinds hackers accessed Microsoft source code

    The hackers behind the SolarWinds supply chain attack managed to escalate access inside Microsoft’s internal network and gain access to a small number of internal accounts, which they used to access Microsoft source code repositories, the company said on Thursday.

    The OS maker said the hackers did not make any changes to the repositories they accessed because the compromised accounts only had permission to view the code but not alter it.
    The news comes as an update to the company’s internal investigation into the SolarWinds incident, posted today on its blog.
    Microsoft emphasized that despite viewing some source code, the threat actors did not escalate the attack to reach production systems, customer data, or use Microsoft products to attack Microsoft customers.
    The Redmond-based company said its investigation is still ongoing.
    Microsoft previously admitted on December 17 that it had used SolarWinds Orion, an IT monitoring platform, inside its internal network.
    Days earlier, news broke that hackers breached IT software maker SolarWinds and inserted malware inside updates for the Orion platform. The malware was then used to gain an initial foothold on the internal networks of private companies and government agencies across the world.

    Microsoft was one of the thousands of companies that discovered evidence of malware on their networks, planted via tainted Orion updates.
    Microsoft downplays incident
    The OS maker downplayed today the fact that hackers viewed its internal source code repositories, claiming this was no big deal.
    “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said.
    “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” it added.
    Microsoft made this approach to source code secrecy clear in previous years after the source code of several Microsoft products leaked online — such as Windows 10, Windows XP, Windows 2000, Windows Server 2013, Windows NT, and Xbox.


    FBI: Pranksters are hijacking smart devices to live-stream swatting incidents

    The US Federal Bureau of Investigation says pranksters are hijacking weakly-secured smart devices in order to live-stream swatting incidents.
    “Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks,” the FBI said in a public service announcement published today.
    Officials say pranksters are taking over devices on which owners created accounts but reused credentials that previously leaked online during data breaches at other companies.
    Pranksters then place calls to law enforcement and report a fake crime at the victims’ residence.
    “As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers,” the FBI said.
    “In some cases, the offender also live streams the incident on shared online community platforms.”
    These types of incidents, called swatting, have increased across the US in recent years and have even resulted in people’s deaths through accidental shootings.

    The first known cases of a swatting incident being live-streamed online date back to the mid-2010s. The difference between what the FBI is reporting now and those initial incidents is that devices weren’t being hacked.
    Pranksters would identify social events that were being streamed online and would arrange the event to be swatted, such as weddings, church meetings, and more.

    Many of these swatting calls are being placed through online services that provide anonymous calling capabilities — such as Discord bots and dark web services.

    To counteract these rising hack-and-swat cases, bureau officials said they are now working with device vendors to advise customers on how they could select better passwords for their devices.
    Furthermore, the FBI said it’s also working to alert law enforcement first responders about this new swatting variation, so they may respond accordingly.
    As for device owners, the same advice remains valid: Use complex and unique passwords for each of your online accounts. Use two-factor authentication where available.


    Brazilians mostly unaware of data protection regulations

    Consumers in Brazil are mostly unaware of the country’s data protection rules and fail to question companies’ personal data management practices, a new study has found.
    The survey carried out by Brazilian credit intelligence company Boa Vista with over 500 consumers between August and September 2020 suggests that over 70% of those polled do not know what the General Data Protection Regulations are.


    The vast majority of the consumers polled (90%) feel their personal information is not protected appropriately by the companies requesting them, while 77% have expressed concerns over potential misuse of their data. Of the Brazilian consumers surveyed, 40% said they have been victims of fraud.
    On the other hand, 53% of the Brazilian consumers surveyed said they don’t always take measures to protect their privacy before providing their personal data to companies. While 88% of respondents said they don’t feel comfortable providing data such as their taxpayer registration number, 55% don’t challenge companies when asked for such personal information.
    Brazil’s data protection regulations were sanctioned by president Jair Bolsonaro on September 18, after nearly a month of uncertainty over the actual go-live date of the rules. The board members of the body responsible for enforcing the regulations, the National Data Protection Authority, were appointed in late October.
    A survey carried out by the Brazilian Association of Software Companies (ABES) in partnership with EY soon after the introduction of the rules found that most Brazilian companies still needed to adjust to the rules. A subsequent study by ABES and EY found the technology sector fared better, but 56% of companies in the sector still needed to comply with the new regulations.