Information Technology

Image: Sebastiaan Stam
The US Federal Bureau of Investigations says it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands.

The incidents have been happening since February 2020, the FBI said in a PIN (private industry notification) alert, a type of security advisory the Bureau sends to the US private sector on a regular basis to inform them of the latest cyber-security developments.
The FBI PIN alert, sent on December 10, confirms a ZDNet report from December 5 that detailed similar cold-calling tactics used by four other ransomware groups: Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk.
But while our reporting tracked down phone threats made by ransomware groups to September this year, the FBI says this tactic was actually first seen with the DoppelPaymer gang months before.
“Doppelpaymer is one of the first ransomware variants where actors have called the victims to entice payments,” the FBI said.
“As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data,” it added.
The agency then goes on to detail one particular incident where threats escalated from the attacked company to its employees and even relatives. From the PIN alert:

“In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom. During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee’s home address. The actor also called several of the employee’s relatives.”
Threats of violence, as in this case, are usually empty. On the other hand, threats to release or sell the data are not.
The DoppelPaymer gang is one of more than 20 ransomware gangs that operate leak sites where they publish data from companies who refuse to pay the ransom — as a form of revenge.
In many cases, companies ignore these threats and choose to restore from backups, but there are also known cases[1, 2] where companies chose to pay to prevent sensitive information from being released online.
In its DoppelPaymer PIN alert, the FBI recommends that victims secure their networks to prevent intrusions in the first place, and in the case of an attack, recommended that victims notify authorities and try to avoid paying the ransom as this emboldens attackers to carry out new intrusions, enticed by the easy profits they’re making. More

Despite the majority of businesses claiming to have well-defined consumer data privacy policies that are strictly applied, over three in five US and Canadian companies do not inform customers that they allow tracking code from third-party services on their websites.
Americans are becoming increasingly concerned with, and distrustful of, how companies use, manage, and protect their personal data.

Apple is cracking down on apps that track users without their permission, but new survey data shows this type of consumer data privacy abuse is also happening within the enterprise tech space.
Austin, TX-based productivity and collaboration apps provider Zoho surveyed 1,416 individuals across the United States and Canada in November 2020.
Participants of the study included a range of business leaders from manager roles to the C-level at small and large enterprises across a variety of industries.
Zoho wanted to find out their use of tracking software and consumer data privacy policies, and how frequently information is captured that is lucrative for advertisers.
The findings show how frequently unethical data collection tactics are used without consumer knowledge to capture information — especially in the B2B space.

It discovered that three in five (62%) of businesses do not inform customers about third-party ad trackers collecting their data. 
Almost three in four (72%) B2B respondents do not inform customers about third-party ad trackers, compared to 58% of B2C respondents
More surprisingly the survey uncovered that third-party ad tracking is ubiquitous. All respondents (100%) said their companies allow it, and almost three in five (57%) are “comfortable” or “very comfortable” with the way third-parties use customer data.
This business practice is also true in California, the only US state which has a consumer data privacy law.
Almost seven in ten (70%) of California companies do not inform customers that they allow third-party ad trackers on their websites, yet 56% say their company has a well-defined, documented policy for customer data privacy that is strictly applied.
The findings also show businesses that depend on third-party ad platforms to drive sales are more likely to be comfortable with how third parties use the data.
Over one in three businesses (36%) said that third-party ad platforms are the primary factor in their ability to meet sales goals.
The same group was nearly four times more likely to say they were “very comfortable” with how third-party ad platforms use data they collect
Companies that said ad platforms are not a factor in meeting sales goals were almost five times more likely to know that some software automatically installs third-party tracking code onto its website
Raju Vegesna, Chief Evangelist at Zoho. said: “If you’re using a free service, you’re paying for it with your data. That includes free B2B software and mobile apps you might be using, and we need companies to be transparent with customers about how they track users.”
Americans are keen to share social security, financial and medical information — if they believe it is to help others — but helping companies close deals might not be what they had in mind.
We are so keen to have a frictionless and personalised experience with websites that we freely allow them to take our valuable information. 
Perhaps more websites should compensate consumers for the use of their personal data — or leave their data alone — unless it is explicitly granted with full knowledge of both parties. More

Well, that didn’t take long. Google fixed multiple problems with its services this week but less than a day later network administrators and users started seeing another rash of Gmail problems.

Google confessed, “We’re aware of a problem with Gmail affecting a significant subset of users. The affected users are able to access Gmail but are seeing error messages, high latency, and/or other unexpected behavior. We will provide an update by 12/15/20, 5:30 PM [Eastern US]detailing when we expect to resolve the problem. Please note that this resolution time is an estimate and may change.”
Also: Microsoft 365 vs Google Workspace (formerly G Suite): Which productivity suite is best for your business? 
Downdtector reported a major spike at about 3 PM Eastern. 73% of the reported problems were with receiving messages. 23% of users reported having trouble logging into Gmail.
On the internet network administrator outages list, admins reported they were seeing random bounceback issues with an average of 10% bouncebacks on their test emails. Still, other administrators reported seeing bounces when sending from GSuite to consumer Gmail.
Typical bounceback error messages said “The email account that you tried to reach does not exist.”
This problem showed up mostly in the US, but it also caused failures in Europe, Australia, and New Zealand. 

There have also been scattered reports of trouble with YouTube and YouTube TV, but these have not been confirmed.
At 6:51 PM Eastern, Google reported the Gmail problem had been resolved. The company also stated: “We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better. If you are still experiencing an issue, please contact us via the Google Help Center.”
Related Stories: More

Singapore law firm Rajah & Tann has formed a joint venture with local cybersecurity vendor Resolvo Systems to offer integrated services to help businesses navigate their reliance on digital data amidst growing cyber threats. This, they say, will be increasingly important as the global pandemic has accelerated online activities alongside cybersecurity attacks. 
Called Rajah & Tann Cybersecurity (RTCyber), the joint venture was set up by the law firm’s ICT services arm Rajah & Tann Technologies, which focuses on technology-driven legal and regulatory services such as electronic discovery and data breach response. 

Global pandemic opening up can of security worms
Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.
Read More

“RTCyber is uniquely placed to help clients protect, mitigate against cyber attacks, minimise disruptions from a security breach, and effectively deal with a breach incident,” the law firm said in a statement Wednesday, adding that the new entity would tap its knowledge in data protection and cybersecurity law as well as Resolvo’s 20 years experience in cybersecurity. 
The joint venture would provide a suite of six services, including legal tech, e-discovery, digital forensics, and contract management.
RTTech’s director Steve Tan said: “The COVID-19 pandemic has accelerated our clients’ reliance on digital data. As their transformation partner, we see ourselves providing them with a much-needed service at this most dire of times.
“It is a matter of when, not if, an organisation is hit by a data breach, especially since the number of malicious perpetrators targeting vulnerable systems, websites, and individuals continues to grow exponentially,” Tan said. “The key is to be prepared and effectively respond to a breach. Organisations have to be proactive in securing their data against loss or cyber attacks, not only for security reasons, but also to comply with data protection and other legal requirements.”
Resolvo CTO Wong Onn Chee added that the “one-stop shop” joint venture would provide both technology and legal expertise in an “expeditious and efficient manner”, which would be essential in managing cybersecurity incidents. 

Citing the World Health Organisation, Rajah & Tann said the global organisation reported a five-fold increase in cyber attacks 1.5 months into the global pandemic, while phishing attacks targeting Singapore more than doubled between March and May this year, according to Singapore’s Cyber Security Agency. 
Worldwide, 91% of enterprises reported an increase in cyber attacks as more employees working from home amidst the coronavirus outbreak, revealed a survey by VMware Carbon Black. COVID-19 inspired malware saw the highest jump, with 92% of respondents noting an increase in such threats compared to typical volumes before the outbreak.
In Singapore, 43% saw increased attack volumes over the past year, reporting an average 1.67 breaches, and 67% said such threats now were more sophisticated. OS vulnerabilities were the most common cause of breaches, as cited by 20% in the city-state, while 15% pointed to holes in third-party application that led to security breaches. 
Cybercrimes accounted for 26.8% of all crimes in Singapore last year, with e-commerce scams the most popular. Some 9,430 cybercrime cases were reported in 2019, up 51.7% from 2018 when there were 6,215 cases. 
RELATED COVERAGE More

Cryptocurrency is like a slimy green snake, hissing in a zoo.
You’re fascinated by it, but you’re not sure you want to touch it.

That was, at least, my impression until I was confronted by a new survey that offered some mind-stroking conclusions.
Also: Cryptocurrency 101: What every business needs to know 
1,004 representative Americans were asked several searching questions about crypto. I found myself searching for a large wine glass after I’d read their answers.
You see, 45.8% of these Americans claim they already owned cryptocurrencies.
Can this possibly be? Can crypto now be as usual, normal, and popular as The Voice? Why, 46.8% of Americans voted for Donald Trump. Can crypto be almost as popular as the great populist?

This all seemed very odd to me, as other surveys estimate cryptocurrency ownership last year at between 6% and 9% of the US population. And that seems to reflect a certain sort of, well, reality.
Still I plowed forward with this study, regardless of the consequences.
What was in the souls of these particularly forward-thinking beings? Well, 95% of these claimed crypto owners said they were quite happy with it being a genuine form of currency. 31.7% said it’s a legitimate alternative to cash. A more wary 40% still favored the Benjamins. It’s not clear whether any of them still believe in American Express, or even ever did.
But here’s another result that threatened my mental equilibrium: 30.1% of these respondents said they thought Bitcoin was a safer place than a bank. Another 28.3% said it probably was, but they’d need to find out more about cryptocurrency.
Moreover, 74% of those who don’t currently own crypto said they were open to the idea of getting some in the future.
Again against my better judgment, I delved deeper.
The No. 1 answer to the question “Why would you consider using cryptocurrency?” was “It’s a good way to earn money.” Oh, is that why it’s (allegedly) so popular?
Should I be disturbed, though, by the fact that 43% of these Americans, when asked their opinion of cryptocurrency, replied “I have no opinion”?
Should I quake a little for America’s future that 31.2% of the respondents said they were planning to give crypto-related gifts for Christmas? (How do you wrap a Bitcoin?)
Or should I pause at this moment to reveal that this survey was performed on behalf of cryptocurrency hardware wallet creator SatoshiLabs? And should I wonder if it’s relevant that the minimum age of respondents was thirteen?
I’m all for modernizing the world and making things both easier and more secure. That’s been the promise of the web from the beginning and my, has it delivered.
I’d be remiss, however, not to mention my colleague Charlie Osborne’s comprehensive compendium of 2020’s worst cryptocurrency breaches, thefts, and exit scams.
It’s always good to be aware of the pitfalls. Even if you merely got your cryptocurrency under a Christmas tree.

more Technically Incorrect More

All the signs were there. If my parents knew then what parents know now, they would have been prepared. But back in the 1960s and 1970s, the maker movement was still far in the future. Robots were something you only saw in movies and awesome TV shows (or as my Mom would often put it, “What in the world are you watching?”). Telling her that Lost in Space wasn’t “in the world” tended to get me the All Powerful Glare of Motherly Annoyance.
But now, if a kid is a natural tinkerer, there are positive outlets for their inclination. There are great STEM (science, technology, engineering, and mathematics) kits and toys that can ignite a kid’s interest and focus it on learning, while at the same time making learning fun.
In this guide, we’re focusing mostly on the technology and engineering areas, providing you with some great kits and toys that teach and inspire programming and making with robots and digital technology.

Lego Robotics for kids
LEGO
If you’re talking about robotics and kids, the very best place to start is Lego. Lego has long been an innovator not only in the maker space but in robotics as well. In this guide, we kick off our exploration of goodies for geeky girls and boys with a Star Wars-themed robotics kit.
Kids can build use more than a thousand components to build R2-D2, a Gonk droid, and a Mouse droid. Then, with an app, they can program these fan favorites with a variety of different easy-to-access programming and learning tools.
$149 at Amazon

Kids build their own computer
Piper
OK, I love this thing. You’re probably going to notice me saying that a lot during this guide because I was the kid this stuff was made for. I would have been so excited had I been given this kit.
Here are the details: Your kid puts together their computer, complete with circuit connections (no soldering required) and case assembly. Then they can use the Raspberry Pi to learn and play. But you know what will fire up your kid: there’s a Raspberry Pi Mindcraft edition kids can play right on this machine. It even includes a display and a mouse.
$249 at Amazon

Play with code without a computer
Playz
I love this thing, too! First, it allows you to be geeky even if you’re on a camping trip or have a power outage. So, if you’re living through an apocalypse (what? too soon?) and still want to teach your kid to code, this is a great place to start.
Computer science and coding revolve around some basic guidelines and theories that are common across all computing. This kit shows how that works, from the basics of encryption (where your kids can make an actual cypher mechanism) to sorting algorithms. If you want your kids to get some away-from-screen time and still learn what they’re fascinated by, this is a good buy.
$23 at Amazon

Learn the basics of mechanisms
Engino
Not only do I love this thing, I want it. Yes, even now. And not just because my wife says I sometimes have the emotional maturity of a five year old.  I want it (and so will your kid) because it shows how to make things that have mechanical properties.
Here’s the thing: If you want to make something that has a linkage, a connection, a joint, or moves as part of its operation, you need to understand these concepts. This Lego-clone kit shows you how to do just that, and as a bonus, it’s under $30.
$28 at Amazon

The definitive Lego robotics kit
LEGO
I have the previous version, and I’ve built all sorts of cool programmable machines. I often use this for prototyping ideas before I decide to fabricate a more robust unit out of wood, metal, or plastic.
This is an amazing kit. It is pricey, but you get a complete robotics building experience with very few limitations. If you can budget for it, it’s definitely a gift to buy for yourself, er, your kid. Yeah, for your kid. Or buy it for yourself and get your kid a stuffed animal. That’s what I did. Of course, my kid is an 8-pound dog and he hates robots, tech, and plastic. My dreams of building him a robot car were completely dashed by his Luddite level of disinterest*, so I had to use this for other fun projects.
*Yes, we definitely see the irony in that an uber-geek’s dog, named Pixel, is completely anti-technology. But we love him so very much anyway.
$479 at Amazon

An inexpensive project that’s fun to assemble
SOMAN
If you had fun with LEGO or Erector (Meccano for those of you outside the US), this toy will be familiar. It’s not technically a robot because it has no autonomous or even remote control, and no programming. But your kid can put it together, learn about how gears work, hook up the solar panel and learn a bit about sustainable energy, all the while having a blast. 
Just a quick note: the eyes aren’t sensors. They’re decoration on a backup battery compartment. But that’s okay, ’cause they’re still cute. 
$17 at Amazon

App-enabled robot ball
Sphero
I have a couple of Sphero robots, including the BB8 version. And yes, I did buy it because I thought my little dog would have a blast chasing it, but Pixel doesn’t like it at all. Kids will, though, because — especially with this model — it’s app-enabled, allowing all sorts of interesting programming and experimenting.
Don’t discount the value of a ball as a programmable device. It can easily go up and down carpets, it’s small enough to make it through relatively narrow gaps, and it’s maneuverable as heck. It’s even waterproof.
$96 at Amazon

Arduino kit with lots of parts
Elegoo
I’ve bought three or four of these for myself over the past few years, mostly as a way to have a wide selection of parts and sensors for my Arduino projects.
This kit is not for little kids. Your kid should probably be a teenager and have some experience building things and possibly programming. The kit comes with some basic tutorials, but, to be honest, they’re not fabulous. But the selection of components is, and that’s where the magic comes. So, if you or your kid are comfortable Googling or YouTube searching for near Arduino projects and tutorials, this kit will give you the parts to make it happen. Plus, it’s under $50.
$37 at Amazon

Let’s get away from plastic for just a little while
Smartstoy
Tired of everything being made from plastic? Want to teach your kid about sustainable materials? Consider this laser-cut solar-powered car kit. Not only is the power from the sun, but the wooden chassis is both robust and biodegradable.
You can probably just snap it together, but a little wood glue (or plain old Elmer’s) should make the car strong enough to put it through its paces.
$21 at Amazon

Build a robot with a POV camera
Yahboom
The only thing I’m not that thrilled about with this is you have to add your own Raspberry Pi because the kit doesn’t come with one. I really think they should have listed two models on Amazon, one with a Pi and one without. That way, you’re not tasked with finding your own (don’t worry, we’ll list a standalone Pi in our next listing).
In any case, this is great because it allows you to build a roving device that your kid can drive from the point of view of the robot’s camera. That seems like it would be a ton of fun.
$138 at Amazon

Put together your own little computer
CanaKit
I can’t say I love this thing because it’s not a toy, but I like it. I’ve bought a bunch of these, because I use them to drive my 3D printers. While you can get a standalone Pi for about $60, I recommend spending the extra $20 to have a power source, heat sinks, fan, and case that you know will work with the Pi. It even has an HDMI cable in the kit.
If you want that $20 back and don’t mind using a board with only 2GB of RAM instead of 4GB, then this version is for you. You’re spending just about $60 and getting all the goodies.
$83 at Amazon

All of DJI’s drone smarts in a robot kit
DJI
If you want to learn robotics and have fun doing it with primo hardware, this is your toy. At more than $500, it’s not cheap, but it comes with omni-directional wheels, a laser canon, and a canon that shoots small beads (yeah, I’m thinking of Ralphie and “You’ll shoot your eye out,” too).
You can create an instant battle bot scenario with two or more of these (just in case you want to spend thousands of dollars on robot toys), but the real meat of the product is the programmability and teaching tools. There are a bunch of exercises, and you can program with either Sketch or Python. Finally, DJI includes a full series of videos, so your kid can take a video class with hands-on use of the device. It’s just so darned cool.
$449 at Amazon
Our process
I used a very simple selection mechanism while looking for these toys. If I didn’t have an overwhelming desire to buy it, and it didn’t take a supreme act of willpower to not click the Buy Now button, I didn’t list it. Since my internal kid is about as wonder-filled and geeky as they come, I figured if I was excited by it, other kids would probably be as well.
Obviously, I stuck to the coding and robotics world, but I wanted to go beyond some of the classic robot toys like LEGO and provide toys that were not only of a wide range of capabilities but price points and even learning experiences. Let me know in the comments below if I nailed it or not.
How to choose
Normally, in these lists, I try to provide you with guidance on how to pick the product or service you need. But you know your kids far better than I. As I mentioned, I’m a doggie daddy, so I don’t have a lot of experience with what kids these days groove on. But I’ll tell you this:Choose less complex toys for kids who have less experience and more complex toys for kids who have already built or programmed more ambitious projects.
Good luck and have a happy holiday season.
Need more gift ideas?

Check out our ZDNet Recommends directory or Holiday Gifts hub for some more inspiration. 
Our sister sites also have the following gift guides: 
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

ZDNet Recommends More

The size and scope of SolarWinds as an IT software provider and the nature of the breach announced on December 13 rocked the IT and security world — rightfully so. While security leaders guide their companies to respond, there’s some generalized advice for the vendor world about this. 
Attackers Continue To Exploit Product Security Weaknesses 

SolarWinds Coverage

Throughout 2020, product security failures have happened month after month, but most focused on consumer-facing products and services. Enterprise B2B vendors didn’t get quite as much attention, but the scale balanced out with the SolarWinds breach. 
Companies competing with SolarWinds on providing important infrastructure, monitoring, and security products and security vendors should focus on the following: 

Poor product security efforts risk market share for B2B firms. Forrester has a body of research around product security, which provides extensive guidance on how to establish or improve your product security initiatives. Expect this to become a major focus of procurement and legal teams as a result of this breach. 

Vendors should NOT use the SolarWinds breach as a marketing opportunity. Attempting to exploit the misfortune of others never makes a company look good, and in the cybersecurity industry, everyone knows that today it might be them, but tomorrow it could be you. Ambulance chasing, dunking on, or victim shaming is not just in poor taste. It’s deplorable and won’t win clients over. FireEye exhibited tremendous transparency as a result of its breach and was able to also provide one of the first detailed technical write-ups on the SolarWinds incident. 

Even a security-mature software supplier could have missed this. To identify security flaws in their supply chain, top software organizations regularly run software composition analysis to identify vulnerabilities in open source components, and they use code-signing certificates to assure the integrity of supplied code. Neither approach would have discovered this attack — the malicious code was not in an open source library, and the compromised DLL (dynamic-link library) was signed by a valid (albeit compromised) certificate. Don’t equate susceptibility with a lack of security maturity. 

SolarWinds’ degree of transparency with its customer list might need to change. SolarWinds was large and prominent enough that it was an attractive target for attackers without mentioning customer names. But the customer page on its website went as far as listing all five branches of the US military, all 10 large US telecoms, and the top five accounting firms as clients. That doesn’t mean any of those organizations are caught in the breach, but it does mean attackers have some idea of the value of SolarWinds as a target if they are successful. Third-party risk management, legal, and procurement will likely force CISOs to reevaluate if they want to be listed in the future. 

To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.      
This post was written by Principal Analyst Jeff Pollard, and it originally appeared here.  More

FICO has teamed up with Bitfury Group to create a cryptocurrency risk assessment solution for financial institutions. 

Announced on Wednesday, FICO said the partnership with Bitfury will focus on creating a risk management and monitoring service for banks and other organizations considering cryptocurrency-related future products. 
When cryptocurrency first began to establish itself as a major financial heavyweight, traditional banks and financial companies maintained their distance due to the decentralized nature of trading and the relatively untested technology that underpinned cryptocurrency exchanges: the blockchain. 
In recent years, the potential of blockchain technologies beyond virtual coins has prompted technology vendors and banks alike to take the market more seriously — and as cryptocurrency has proven itself to be a popular alternative to fiat currency, many financial service providers are now seeking a way to cash in. 
However, there is risk associated with cryptocurrency-related projects: the stability of the technology used, whether or not control of funds is centralized — and, therefore, potentially at risk of theft or exit scams — cybersecurity controls, money laundering, and more.
See also: The biggest hacks, data breaches of 2020 
To address these issues, FICO and Bitfury say that the new offering will focus on risk issues at the Know Your Customer (KYC) stage, a verification process used by banks to manage risk and to verify identities before a relationship is established. 

The joint solution will combine FICO’s financial crime and money laundering investigation services with Crystal blockchain analysis technologies. 
“The joint offering will help banks assess the risk of their clients’ crypto business at the onboarding stage, as well as monitor that risk on all active accounts,” the companies say. “This unique combination will enable banks to fully understand and actively manage the risk-exposure from customers — individuals and corporations alike — that engage in virtual currency transactions.”
At the onboarding stage, KYC processes will include listing cryptocurrency assets and wallets. These assets will be cross-checked with Crystal to create a risk score, based on transaction histories and other data for due diligence. 
It may also be the case that the new solution will be applied to existing clients for crypto-related monitoring; for example, the risk score may change if suspicious activity is detected.
“Cryptocurrency services are an under-utilized market for many large banks, due to the crypto-related risks and lack of transactional intelligence available,” said Sebastian Hetzler, VP of financial crimes product management at FICO. “This partnership integrates FICO’s AI-powered financial crimes detection with Crystal’s extensive blockchain analysis, providing financial institutions with an in-depth crypto-risk assessment of client activities and relationships.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More