More stories

  • Singapore banks to develop digital trade registry for better transparency

    Banks in Singapore are teaming up to develop a digital trade finance registry that will serve as a central database from which they can access records of trade transactions. To be built on blockchain technology, the platform aims to drive greater transparency and reduce the risk of trade fraud, including duplicate financing. 
    Led by DBS Bank and Standard Chartered, the initiative is supported by 12 other banks including ABN AMRO, ANZ, Deutsche Bank, ICICI, OCBC, and UOB. Singapore-based blockchain technology startup DLTLedgers has been roped in to develop the platform, said DBS in a statement Tuesday.

    The Singapore bank said it and Standard Chartered had worked for three months to establish the proof-of-concept for the digital registry, which they hoped would enhance lending practices and improve transparency in commodity trade.
    “[It] aims to be an industry utility by serving as a secure central database for the banking industry to access records of trade transactions financed across banks in Singapore. This mitigates against duplicate financing from different bank lenders for the same trade inventory, leading to greater trust and confidence among banks and traders alike,” DBS said.
    The initiative was supported by Enterprise Singapore and endorsed by The Association of Banks in Singapore (ABS).
    Without a digital registry, banks currently need to conduct validations within a single customer entity or across their own banking network, with no view of what other banks have financed or undertaken payment obligations against. The digital registry would plug this gap by facilitating collaboration across market players and government agencies, DBS said. 
    Enterprise Singapore’s assistant CEO Satvinder Singh noted that the development of the “neutral and secure platform” would ease the flow of information between banks and boost their risk management capabilities, driving greater confidence in the finance and trade sectors. 
    After the proof-of-concept was completed, DBS said it would work with Standard Chartered and ABS to deploy the digital registry in Singapore before expanding it at a later stage to cover “major trade corridors” globally.
    The ABS would also manage the digital registry, supported by a committee comprising ABS Council member banks. In addition, three working groups of banks would be set up to jointly lead the governance, technical development, and business scope of the project. All banks would be invited to join the registry as members. 

  • Australian telco security coordinator concerned at network virtualisation plans

    Australia’s Communications Access Coordinator (CAC) is concerned by the level of understanding within the nation’s telcos about the risk that network virtualisation can introduce.
    The CAC role was created under Australia’s Telecommunications Sector Security Reforms (TSSR) and is charged with assessing whether changes made by telcos to their networks expose them to unauthorised access or interference, and if that is the case, it issues recommendations for changes.
    According to the Telecommunications Sector Security Reforms — Report for 2019-20, tabled in Parliament on Tuesday, a number of Australian telcos notified the CAC that they were automating their network configurations.
    “These changes featured high levels of technical complexity and equally complex supply chains. In several instances the CAC had concerns about the notifying carrier’s understanding and appreciation of the risks presented by the proposed change, particularly the risks associated with complex multi-vendor/subcontractor, multi-jurisdiction supply chains,” the report said.
    “The CAC also had concerns in several instances with carriers misunderstanding the level of exposure they had in proposing to outsource or ‘hybridise’ their infrastructure environment.
    “In each of these instances during the reporting period the CAC informed the relevant carriers of the concerns and suggested measures that they could implement to ensure they could continue to comply with their security obligation while proceeding with the change.”
    The report also said the CAC received multiple notices of a carrier proposing to use a managed service provider, where the CAC thought the carrier would lose its ability to “maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier”.
    The CAC was concerned by the lack of supervision over the provider’s activities, the lack of consideration given to the location from which the provider would serve the telco, and the “limited assurance” that the carrier had “effective control” over the network or facilities being provided. In these instances, the CAC recommended changes.
    Over the course of the year to June 30, the CAC responded with 24 “some risk” notices to telcos, 6 “no risk” notices, and had two notices outstanding. The Minister for Home Affairs did not issue any directions over the year.
    The TSSR laws were used in 2018 to ban Huawei and ZTE from Australia’s 5G networks.
    “The Department [of Home Affairs] has continued to work closely with telecommunications operators to ensure they understand their TSSR obligations with respect to deploying and operating 5G networks and services,” the report said.
    “The department has also worked with non-5G mobile network operators to understand and manage the potential sustainment risks associated with the United States’ export restrictions affecting certain telecommunications infrastructure vendors.”
    The report said the CAC would be able to respond more quickly if telcos provided sufficient information with their notifications.
    The TSSR was passed by Parliament in September 2017, after the Parliamentary Joint Committee on Intelligence and Security recommended a number of changes, including an annual reporting mechanism to Parliament.
    Also tabled on Tuesday was a report on the operation of the Critical Infrastructure Act for the year to June 30.
    Passed in March 2018, the Act created a register of critical infrastructure assets which included asset ownership, access, and control.
    Over the year, the nation’s electricity, water, gas, and port sectors reported 118 notifications to Home Affairs, which consisted of 109 changes, and nine new additions to the register.
    None of the ministerial directions, information gathering powers, enforcement powers, nor any private declarations were issued.
    The recent 2020 Cyber Security Strategy said the federal government was looking to impose an enforceable “positive security obligation” on designated critical infrastructure operators through amendments to the Act.

  • Five bar and cafe owners arrested in France for running no-log WiFi networks


    In one of the weirdest arrests of the year, at least five bar and cafe managers from the French city of Grenoble were taken into custody last week for running open WiFi networks at their establishments and not keeping logs of past connected users.
    The bar and cafe owners were arrested for allegedly breaking a 14-year-old French law that dictates that all internet service providers must keep logs on all their users for at least one year.
    According to local media reports [1, 2, 3], the bar and cafe owners claimed they were not aware that such a law even existed, let alone that it applied to them as they had not received notifications from their union, which usually sends alerts of industry-wide legal requirements.
    Nonetheless, French media pointed out that the law’s text didn’t apply only to internet service providers (ISPs) in the broad meaning of the word — that is, telecommunications providers — but also to any “persons” who provide internet access, whether free of charge or via password-protected networks.
    The bar and cafe owners were eventually released after questioning.
    According to French law number 2006-64, they now risk up to one year in prison, a personal fine of up to €75,000, and a business fine of up to €375,000.
    Connection logging is a feature supported on most commercial routers and has been added for this specific reason, as countries around the world began introducing data logging laws for their local ISPs.
    Law enforcement agencies often rely on these logs to track down malicious behavior or details about suspects using public WiFi networks to commit crimes.

  • Payment card security remains lax, says Verizon Business report

    Payment security is getting weaker, with only 27.9% of global organizations in full compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to Verizon.
    The Verizon Business 2020 Payment Security Report highlights that PCI DSS compliance is down 27.5% from 2016. Full PCI DSS compliance means meeting all 12 requirements. Those requirements are:
    Protect your system with firewalls
    Configure passwords and settings
    Protect stored cardholder data
    Encrypt transmission of cardholder data across open, public networks
    Use and regularly update anti-virus software
    Regularly update and patch systems
    Restrict access to cardholder data to business need to know
    Assign a unique ID to each person with computer access
    Restrict physical access to workplace and cardholder data
    Implement logging and log management
    Conduct vulnerability scans and penetration tests
    Maintain documentation and conduct risk assessments
    Verizon’s findings are a bit alarming given that credit cards are a big target for cybercrime. Consider a few recent events:
    According to Verizon, companies are struggling to retain qualified chief information security officers and lack long-term planning.
    Among the key items in the report:
    51.9% successfully test security systems and processes as well as unmonitored system access.
    Two-thirds of all businesses track and monitor access to business-critical systems.
    70.6% of financial institutions maintain essential perimeter security controls.
    Here’s a look at the five-year trends for full PCI DSS compliance by requirement.
    [Figure: A look at the five-year trends for complying with the 12 requirements of payment card security. Source: Verizon]

  • Cisco ordered to pay $1.9b in cyber patent loss

    Cisco has been ordered by a US District judge to pay over $1.9 billion to a Virginian security company for infringing upon four cybersecurity patents.
    Senior District Judge Henry Morgan made the decision following a month-long trial over video conference, saying it was “clear and not a close call”. The trial did not use a jury due to the coronavirus pandemic.
    The Virginian company, Centripetal Networks, made the allegations at the start of 2018 after it claimed Cisco’s network devices used its solutions and patents.
    According to Morgan, virtually all of Cisco’s exhibits, technical documents, and demonstratives for the trial focused on its old technology rather than the accused products.
    “Their demonstratives of the functionality of Cisco’s accused products were not based upon their own current technical documents, but rather upon inaccurate animations produced post facto for use in the litigation which served to confuse the issues, rather than inform the court,” Morgan said.
    “Most of Cisco’s challenges amounted to no more than conclusory statements by its experts without evidentiary support.”
    The $1.9 billion owed to Centripetal Networks comprises $1.89 billion in damages and $13.7 million in interest.
    While the actual damages suffered by Centripetal Networks amounted to around $755 million, the court multiplied that figure by 2.5 to reflect Cisco’s wilful and egregious conduct in infringing upon the cybersecurity patents.
    In addition, the court also ordered a running royalty of 10% on the apportioned sales of Cisco’s products that infringed upon Centripetal Networks’ patents. These royalties will be paid for a period of three years, followed by a second three-year term at a running royalty of 5%.
    Cisco said it was disappointed with the decision and would make an appeal at the US Court of Appeals for the Federal Circuit.
    “We are disappointed with the trial court’s decision given the substantial evidence of non-infringement, invalidity and that Cisco’s innovations predate the patents by many years,” Cisco said in a statement.

  • Microsoft says Iranian hackers are exploiting the Zerologon vulnerability

    Microsoft said on Monday that Iranian state-sponsored hackers are currently exploiting the Zerologon vulnerability in real-world hacking campaigns.
    Successful attacks would allow hackers to take over servers known as domain controllers (DC) that are the centerpieces of most enterprise networks and enable intruders to gain full control over their targets.
    The Iranian attacks were detected by Microsoft’s Threat Intelligence Center (MSTIC) and have been going on for at least two weeks, the company said today in a short tweet.

    MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78
    — Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020

    MSTIC linked the attacks to a group of Iranian hackers that the company tracks as MERCURY, but who are more widely known under their moniker of MuddyWater.
    The group is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran’s primary intelligence and military service.
    According to Microsoft’s Digital Defense Report, this group has historically targeted NGOs, intergovernmental organizations, government humanitarian aid, and human rights organizations.
    Nonetheless, Microsoft says that Mercury’s most recent targets included “a high number of targets involved in work with refugees” and “network technology providers in the Middle East.”
    Attacks began after public Zerologon PoC
    Zerologon was described by many as the most dangerous bug disclosed this year. The bug is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller.
    Exploiting the Zerologon bug can allow hackers to take over an unpatched domain controller, and inherently a company’s internal network.
    Attacks usually need to be carried out from internal networks, but if the domain controller is exposed online, they can also be carried out remotely over the internet.
    Microsoft issued patches for Zerologon (CVE-2020-1472) in August, but the first detailed write-up about the bug was not published until September, which held off most attacks until then.
    But while security researchers delayed publishing details to give system administrators more time to patch, weaponized proof-of-concept code for Zerologon was published almost on the same day as the detailed write-up, spurring a wave of attacks within days.
    Following the bug’s disclosure, DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks in order to prevent attacks, which the agency was expecting to come — and they did, days later.

    Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
    — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

    The MERCURY attacks appear to have begun around one week after this proof-of-concept code was published, and around the same time, Microsoft began detecting the first Zerologon exploitation attempts.

  • Hackers claim they can now jailbreak Apple's T2 security chip

    By combining two exploits initially developed for jailbreaking iPhones, security researchers claim they can also jailbreak Macs and MacBook devices that include Apple’s latest line of T2 security chips.
    While exploitation is still pretty complex, the technique of combining the two exploits has been mentioned on Twitter and Reddit over the past few weeks, having been tested and confirmed by several of today’s top Apple security and jailbreaking experts.

    With @checkra1n 0.11.0, you can now jailbreak the T2 chip in your Mac. An incredible amount of work went into this and it required changes at multiple levels. There’s too many people to tag, but shoutout to everyone who worked on getting this incredible feature shipped.
    — Jamie Bishop (@jamiebishop123) September 22, 2020

    checkm8 + blackbird and the T2 SEP is all yours…
    — Siguza (@s1guza) September 5, 2020

    If exploited correctly, this jailbreaking technique allows users or attackers to gain full control over a device, which can be used to modify core OS behavior, retrieve sensitive or encrypted data, and even plant malware.
    What are T2 chips?
    For Apple users and ZDNet readers that are not aware of what T2 is, this is a special co-processor that is installed alongside the main Intel CPU on modern Apple desktops (iMac, Mac Pro, Mac mini) and laptops (MacBooks).
    T2 chips were announced in 2017 and began shipping with all Apple devices sold since 2018.
    Their role is to function as a separate CPU, also known as a co-processor. By default, they handle audio processing and various low-level I/O functions in order to help lift some load off the main CPU.
    However, they also serve as a “security chip” — a Secure Enclave Processor (SEP) — that handles sensitive data and operations such as cryptographic operations, KeyChain passwords, TouchID authentication, and the device’s encrypted storage and secure boot capabilities.
    In other words, they have a significant role in every recent Apple desktop device, where the chips underpin most security features.
    How the jailbreak works
    Over the summer, security researchers figured out a way to break into T2 chips: they found a way to run code inside the security chip during its boot-up routine and alter its normal behavior.
    The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices — namely Checkm8 and Blackbird. This works because of some shared hardware and software features between T2 chips and iPhones and their underlying hardware.
    According to a post from Belgian security firm ironPeak, jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac’s boot-up process.
    Per ironPeak, this works because “Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication.”
    “Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot,” ironPeak said.
    This allows an attacker to get root access on the T2 chip and modify and take control of anything running on the targeted device, even recovering encrypted data.
    Danger to users
    The danger regarding this new jailbreaking technique is pretty obvious. Any Mac or MacBook left unattended can be hacked by someone who can connect a USB-C cable, reboot the device, and then run Checkra1n 0.11.0.
    The news isn’t especially great for travelers facing security checks at border crossings, or for enterprises that run large fleets of Macs and MacBook notebooks, all of which are now exposed to having their secrets pilfered in classic evil maid attacks.
    However, the new jailbreaking method also opens the door for new law enforcement investigation tools that could allow investigators to access suspects’ Macs and MacBooks to retrieve information that would have been previously encrypted.
    Unpatchable
    Unfortunately, since this is a hardware-related issue, all T2 chips are to be considered unpatchable.
    The only way users can deal with the aftermath of an attack is to reinstall BridgeOS, the operating system that runs on T2 chips.
    “If you suspect your system to be tampered with, use Apple Configurator to reinstall bridgeOS on your T2 chip described here. If you are a potential target of state actors, verify your SMC payload integrity using e.g. rickmark/smcutil and don’t leave your device unsupervised,” ironPeak said.
    Apple did not return a request for comment.

  • Ransomware victims aren't reporting attacks to police. That's causing a big problem

    Many victims of ransomware aren’t reporting attacks to police, making it harder to measure the level of crime and to tackle the gangs involved.
    Europol’s Internet Organised Crime Threat Assessment 2020 report details the key forms of cyber crime which pose a threat to businesses right now and ransomware remains one of the main concerns, especially as these gangs increasingly display high levels of skill and sophistication.
    In many cases, ransomware gangs don’t just encrypt the network with malware and demand hundreds of thousands or millions of dollars in bitcoin, they’ll also threaten to leak stolen sensitive corporate files or personal data if they don’t receive a payment.
    And while ransomware is one of the most high profile forms of cyber attack, Europol’s report warns that it remains an under-reported crime as many organisations still aren’t coming forward to law enforcement after falling victim.
    Several law enforcement agencies across Europe say they’ve only heard of ransomware cases via reports in local media.
    The report suggests that approaching police to start a criminal investigation was “not generally a priority” for victims, who are more concerned with maintaining business continuity and limiting reputational damage. For some, the idea of getting law enforcement involved could be seen as a risk to their reputation.
    That’s why some businesses are choosing to engage with what Europol describes as “private sector security firms” to investigate attacks or negotiate ransom payments, instead of approaching the authorities.
    Companies do this so that evidence of the attack and their response to it can remain outside the public eye, especially given that law enforcement agencies recommend organisations never give in to the demands of cyber criminals. But many businesses still view paying the ransom as the quickest and easiest way of restoring operations, even if cyber criminal groups can’t always be trusted to keep their word.
    And on top of the moral quandaries when it comes to dealing with cyber criminals or private negotiators, police warn that not reporting ransomware attacks is detrimental to others.
    “By using such companies, victims will not file an official complaint, which increases the lack of visibility and awareness concerning real figures of ransomware attacks among law enforcement,” says the Europol paper.
    “Not reporting cases to law enforcement agencies will obviously hamper any efforts, as important evidence and intelligence from different cases can be missed.”
    But it isn’t just businesses actively trying to avoid publicity that don’t report ransomware attacks; the report notes that some victims simply don’t think law enforcement is able to do anything to help.
    However, the report adds that investigating every attack possible helps the authorities build up a better picture of the ransomware landscape and how to potentially prevent attacks or aid organisations which fall victim.
    For example, Europol’s No More Ransom portal provides free decryption keys for various families of ransomware. The keys are provided by both cybersecurity companies and law enforcement agencies which have been able to break the encryption following investigation of the ransomware. If organisations don’t report ransomware attacks, it could prevent other victims from being able to use free tools like this.