More stories

  • in

    Can Amazon convince you to welcome a security drone into your home?

The past few years of Alexa-related product launches have given rise to some of the most unusual devices launched by a major tech company. (OK, Google, we’ll give you Google Clips.) There’s been the Alexa ring, the Alexa glasses, the Alexa wall clock, and the Alexa microwave. This year, though, as Amazon released the biggest upgrade to Alexa since the agent first showed up in its cylindrical house called Echo, its developer brought forth a smaller range of Alexa devices. That may be in part because the company has been doing such a good job of getting third parties to spread the cyan-accompanied conversationalist far and wide, and in part because of the company’s commitment to sustainability, which favors not only fewer, more durable devices but also sustainable materials that may not be so easily leveraged in niche forays.

    In contrast to the Echo proliferation slowdown, Amazon’s Ring product line continued to expand well beyond its signature video doorbell with a new premium service offering and a move into vehicles with a car alarm and camera connection service that showed more thoughtfulness than the dashboard screen invasions of Apple CarPlay and Android Auto. The division also showed off a small mailbox sensor that can alert you of new postal mail and address mail theft. It raised the most eyebrows by far, though, with the Always Home Cam, a self-docking drone designed to autonomously fly through one unoccupied floor of a home, capturing footage of what it sees.
    Drones don’t have the best reputation when it comes to privacy, so it’s natural that the Always Home Cam has inspired skepticism. Stepping back, though, let’s consider the practicality of Ring’s ambitious sentry. For those who want to surveil their homes, the drone tackles the longstanding challenge of not only mounting security cameras but keeping them charged.
    Plus, unlike stationary cameras, which can be used to capture parts of the home at any time, the Always Home Cam makes limited runs through the home and cannot capture video while docked. Amazon says that it can be activated only manually, not on a scheduled basis. And if the rooms you’d rather have the drone avoid, such as bedrooms, are on another floor of the home, one can take comfort in that the Always Home Cam is currently limited to patrolling only one floor at a time.
    Still, based on some casual web research looking back at the early days of the Roomba, which debuted in 2002, the novelty of the Always Home Cam’s flight seems to give more pause than that pioneering robotic vacuum cleaner did. To combat this, Amazon could do a better job in providing assurances around privacy and hacking. For example, while it is likely the case that a homeowner can designate only the areas that the drone is allowed to fly, the Always Home Cam can theoretically capture more of a home than fixed cameras that can pan, tilt and zoom. Given this, small offices may have been a better initial market for what could have been called the Always There Cam.
    Likewise, were a bad actor to take over the drone, its physical presence would likely be, at worst, a nuisance (albeit one that could frighten someone who was unaware). But Amazon could allay fears related to this by clarifying the drone’s maximum speed and whether it is programmed to avoid human contact should it be detected. A secret “kill word” that could be spoken to the drone and cause it to immediately softly land and turn off would also offer some assurance.


  • in

    UHS hospital network hit by ransomware attack

    Universal Health Services (UHS), a Fortune 500 company and one of the largest healthcare providers in the US, has been impacted by a ransomware attack over the weekend.
    UHS hospitals have been operating without internal IT systems since Sunday morning, according to employees and patients who took to social media today.
    Some patients have been turned away and emergencies have been redirected to other hospitals after UHS facilities were unable to carry out lab work.

    Spring Valley Hospital Las Vegas NV CANT TREAT PATIENCE EFFECTIVELY OR EFFICIENTLY because Computer System went Down about 11:00 pm 09/26/2020 Still down it’s 6:10 pm 09/27/2020 their excuse for not giving me Blood Transfusion I needed Yesterday Oh Lordy Please Say a Prayer
    — Sassy Jacks (@jacks_sassy) September 28, 2020

    According to UHS employees, the ransomware attack took place on the night between Saturday and Sunday, September 26 to 27, at around 2:00 am CT.
    Employees said computers rebooted and then showed a ransom note on the screen. Computers were then shut down, and IT staff asked hospital personnel to keep systems offline.
    ZDNet has confirmed IT issues with UHS hospitals and care centers in North Carolina and Texas.
    Similar IT issues were also reported in Arizona, Florida, and California, according to a Reddit thread started today.
    The Reddit thread also contains first-hand accounts from multiple users claiming to be UHS employees.
    “I work at a UHS facility in Tucson and our [EXPLETIVE] is definitely down. They won’t even let us turn the computers on for going on over 24 hours. We’re a psych hospital so no one is dying from not getting their lab results back in time,” wrote a user named chickenismurder.
    “I work at an inpatient psych site in Philly PA. The nurses told me they asked the patients what they take for morning meds and then didn’t even distribute evening meds bc they have no record of their medications. I had to hand write all my notes from photocopies of the note format and look through the charts for each treatment goal. It was a nightmare,” wrote another user named rebeIduckling.
    On its website, UHS claims to manage more than 400 hospitals and care centers in the US and UK. The true extent of the attack remains to be determined.
    Despite early reports today that UHS’ entire network was impacted, several hospitals denied having issues in phone calls with ZDNet today.
    While UHS hospitals were willing to confirm IT issues to ZDNet today, a UHS spokesperson from its corporate offices did not return a request for comment. The company did, however, issue a formal statement admitting to the incident after this article’s publication.
    Employees from the same Reddit thread have told ZDNet the incident was caused by a ransomware strain named Ryuk, but could not provide any evidence to support their claims beyond what they heard from fellow workers. Ryuk is a ransomware operation that had been quiet for months but returned to normal operations last week.

    There are different groups using the Ryuk ransomware. But yes, the OG group that disappeared around April has popped up again about a week ago and we are seeing cases again. The fringe splinter groups however never really disappeared.
    — Fabian Wosar (@fwosar) September 24, 2020

    Article updated at 12:20am ET with link to UHS official statement.

  • in

    The price of stolen remote login passwords is dropping. That's a bad sign

    Cyber criminals are lowering the prices they charge for compromised remote desktop protocol (RDP) logins that give access to corporate networks, a move which indicates how leaked usernames and passwords are becoming increasingly available to hackers as a means of gaining access to corporate networks – and demonstrates how poor passwords continue to plague enterprise security.
    Remote desktop protocol (RDP) enables employees to securely connect to the servers of their organisation remotely – a practice which has grown during 2020 as employees have increasingly worked from home. RDP is also regularly used by administrator accounts, enabling IT and security teams to perform updates and provide assistance to users.
    However, while extremely useful, an improperly secured RDP account or server can provide cyber criminals with easy access to a corporate network with either stolen or easily cracked passwords.
    Cybersecurity researchers at Armor analysed 15 different dark web markets and underground cyber criminal forums and found that the average price for RDP credentials has dropped to between $16 and $25, compared with an average of over $20 during 2019. Some dark web vendors are advertising these credentials as “non-hacked”, claiming that they haven’t been used before.
    In many cases, the reason why stolen RDP login credentials have become available in the first place is because they’re poorly secured with commonly used and weak passwords, as well as simple-to-guess user names such as ‘administrator’.
    Often an automated brute force attack will uncover these usernames and passwords, providing the access required to the network – or giving an underground vendor the opportunity to quickly make money by selling the credentials on.
    Attackers buying the credentials could use the login details for anything from performing reconnaissance on the network, to using them as a gateway for stealing additional usernames and passwords, confidential information or intellectual property. They could also use the RDP credentials as the first stage of a major malware or ransomware attack against the organisation.
    And the way in which the cost of RDP credentials is going down suggests that the problem is getting worse, implying that prices are declining as the underground market gets saturated with more and more remote login details.
    “Any time access used to compromise an organization gets cheaper – in this case RDP credentials – this increases the threat for businesses because there is a lower price to entry for the fraudsters,” Chris Stouff, CSO of Armor, told ZDNet.
    It’s potentially the case that more login credentials have become available because of the rise in remote working during this year.
    However, it’s possible for organisations to boost the security of corporate RDP services by following two simple steps. First of all, default credentials should never be used to secure accounts and instead organisations should encourage users to set up a strong password for their account.
    Secondly, organisations should apply multi-factor authentication when possible as it provides a substantial barrier to cyber criminals being able to take advantage of accounts – even if the username and password have been leaked.
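The automated password guessing against RDP accounts described above leaves a trail of failed-logon events on the target. The following is an added example, not code from the article or from Armor: a small detector that reads Windows Security event 4625 (failed logon) records, keeps only RDP attempts (logon type 10), and flags a source address that crosses a failure threshold inside a sliding window, while separately counting attempts against the easy-to-guess default account names the article mentions. The log lines, field layout, threshold and window are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # Windows logon type 10 = RemoteInteractive (RDP)
FAILED_LOGON_EVENT = 4625      # Security log: "An account failed to log on"
DEFAULT_ACCOUNT_NAMES = {"administrator", "admin"}  # guessable names (assumed list)
FAILURE_THRESHOLD = 5          # failures from one source inside WINDOW => alert
WINDOW = timedelta(minutes=2)

# Constructed sample (not real telemetry). Field layout assumed for this example:
# "timestamp event_id logon_type account source_ip". It shows a burst of RDP
# password guesses from one address, one stray non-RDP failure from the same
# address, and a single mistyped password from a legitimate user.
SAMPLE_LOG = """\
2020-09-27T02:00:01 4625 10 administrator 203.0.113.7
2020-09-27T02:00:04 4625 10 administrator 203.0.113.7
2020-09-27T02:00:09 4625 10 admin 203.0.113.7
2020-09-27T02:00:15 4625 10 administrator 203.0.113.7
2020-09-27T02:00:21 4625 10 administrator 203.0.113.7
2020-09-27T02:00:30 4625 10 administrator 203.0.113.7
2020-09-27T02:01:00 4625 3 svc_backup 203.0.113.7
2020-09-27T02:05:00 4625 10 jsmith 198.51.100.9
2020-09-27T02:05:30 4624 10 jsmith 198.51.100.9
"""


def parse_log(text):
    """Parse the constructed line format into (ts, event_id, logon_type, account, src)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), account, src))
    return events


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (alerts, default_account_hits).

    alerts: one dict per source IP whose failed RDP logons reached `threshold`
            inside `window`, with the total failure count and accounts tried.
    default_account_hits: failed RDP attempts per default account name; these
            deserve a look even when a source stays below the threshold.
    """
    recent = defaultdict(deque)        # src -> timestamps of failures in window
    total = defaultdict(int)           # src -> all failed RDP attempts seen
    accounts = defaultdict(set)        # src -> account names tried
    alerts = {}
    default_hits = defaultdict(int)

    for ts, event_id, logon_type, account, src in sorted(events):
        # Successful logons (4624) and non-RDP failures are out of scope here.
        if event_id != FAILED_LOGON_EVENT or logon_type != RDP_LOGON_TYPE:
            continue
        if account.lower() in DEFAULT_ACCOUNT_NAMES:
            default_hits[account.lower()] += 1
        total[src] += 1
        accounts[src].add(account)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(src, {"source_ip": src, "first": q[0]})
            alert["last"] = ts         # keep extending while the burst continues

    for src, alert in alerts.items():
        alert["count"] = total[src]
        alert["accounts"] = sorted(accounts[src])
    return list(alerts.values()), dict(default_hits)


if __name__ == "__main__":
    found, defaults = detect_rdp_bruteforce(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"RDP brute force from {a['source_ip']}: {a['count']} failures "
              f"between {a['first']} and {a['last']}, accounts {a['accounts']}")
    print("failed RDP attempts against default accounts:", defaults)
```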

  • in

    Suspicious logins reported after ransomware attack on US govt contractor

    Customers of Tyler Technologies, one of the biggest software providers for the US state and federal government, are reporting finding suspicious logins and previously unseen remote access tools (RATs) on their networks and servers.
    The reports come days after Tyler Technologies admitted last week to suffering a ransomware attack.
    The Texas-based company said that an intruder gained access to its internal network on the morning of Wednesday, September 23.
    The intruder installed ransomware that locked access to some of the company’s internal documents.
    Tyler initially played down the incident
    Tyler played down the incident and said that only its internal corporate network and phone systems were impacted.
    Its cloud infrastructure, where the company hosts its customer-facing applications, was not impacted, the company said in a statement published on its website and via emails sent to customers last week.
    But over the weekend, the situation changed as Tyler made headway investigating the incident. The company changed its statement on Saturday.
    “Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented,” the company said.
    “If clients haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.” [emphasis Tyler’s]
    Customers report remote access tools on their servers
    At the same time, some of Tyler’s customers also reported seeing new software installed on their systems.
    “If you’re a Tyler customer check your servers for Bomgar that they installed,” wrote one of many users on Reddit over the weekend.
    A similar report followed on Monday from cyber-security training outfit SANS.
    “One of our readers, a Tyler Technologies customer, reported to us that he found this morning the Bomgar client (BeyondTrust) installed on one of his servers,” said Xavier Mertens, one of the SANS ISC handlers.
    According to users, Tyler uses the Bomgar client to manage its servers, but some reports claim the software was not installed prior to this weekend, prompting some to panic.
    While Tyler insists in its updated statement that the attack was aimed at its internal system, customers now believe attackers might have gained access to passwords for Tyler’s web-hosted infrastructure that were stored on the company’s local network — and attackers are now escalating access to Tyler’s client networks.
    While the Tyler Technologies name might not say anything to the regular American, the ransomware attack on this company’s network might quietly become one of the biggest cyber-attacks of the year, if indeed attackers gained access to passwords for customer networks and the Reddit and SANS reports aren’t isolated cases.
    According to its website, Tyler provides more than 50 types of web-based applications to the US public sector, such as student and school management software, public transport management solutions, jail management, courts and jury management systems, cyber-security solutions, tax and billing software, fire and EMS solutions, and entire city staff management systems, known as “Munis,” just to name a few.
    According to Reuters, which first broke the story about the ransomware attack, some of Tyler’s software is also scheduled to be used in the upcoming US presidential election — for aggregating voting results from other sources into central dashboards.
    The gang behind the Tyler attack was identified as the RansomExx group.

  • in

    Students rise up against forced remote spy app usage in colleges, universities

    As the COVID-19 pandemic continues to disrupt the education system, students are fighting back against the remote methods employed by some colleges to keep an eye on their activities during assessments. 

    Due to stay-at-home and lockdown orders, teachers and students worldwide were required to pivot to remote learning systems and platforms. Without warning, teachers found themselves trying to engage pupils over Zoom; online libraries and research platforms replaced traditional, brick-and-mortar buildings, and the parents of younger students found themselves balancing work from home and entertaining their kids. 
    For many governments, now, keeping kids in school is a top priority — not only for their education but also to free up parents to go back to work. 
    As college and university students head to campus to start their new term, at the same time the cold and flu season is beginning, COVID-19 outbreaks are also occurring.
    Despite social distancing efforts, thousands of confirmed and suspected cases at US campuses have prompted local lockdowns and students are being told to self-isolate.
    In the UK, mere days after welcoming a new wave of students, 32 universities recorded positive cases, including the University of Kent at Canterbury, the University of Glasgow, and Manchester Metropolitan University. In the latter case, students have called imposed lockdowns a form of “false imprisonment.”
    The escalating situation may see many students — whether or not they are in college accommodation — return to online-only teaching. However, this has now become a minefield for privacy. 
    Back in August, ZDNet reported protests organized by Australian National University (ANU) students for the enforced download of Proctorio, a remote monitoring tool, on personal devices. 
    Proctorio is a “secure remote exam” solution for invigilating exams remotely, including features such as microphone and camera monitoring, as well as eye-tracking to flag any behavior deemed suspicious. 
    ANU students consider Proctorio an affront to their personal privacy — and one that “crosses the line” as the software was loaded on home PCs, rather than electronics belonging to the university and provided to exam takers. 
    This form of activism against surveillance and exam monitoring tools — also known as proctoring software — adopted by colleges is taking shape worldwide, and it is one that academic institutions should watch closely. 
    An investigation into student activity in this arena, conducted by digital rights group the Electronic Frontier Foundation (EFF), has found dozens of similar petitions and protests. 
    Across the globe, students are rising up against the forced use of proctoring software; not only Proctorio but also other variations such as Honorlock and ProctorU. Some of the most noteworthy petitions are below:
    University of Texas at Dallas: Students are asking for the removal of Honorlock, claiming the software is a “blatant violation of our privacy as students and infeasible for many.”
    California State University Fullerton: Proctorio is at the heart of the conflict here, with students saying, “we believe it is unacceptable in any circumstance for the university to track our keystrokes, access our computers’ cameras, film us in our homes, and use AI technology to determine we look “suspicious.””
    Miami University: Students call Proctorio “inherently ableist and discriminatory,” highlighting concerns with racial bias and exam takers with conditions such as ADHD potentially being labeled as moving suspiciously.
    Auburn University: Students describe proctoring software as “legitimized spyware.”
    The City University of New York: Students successfully reached over 27,000 signatures, ending the compelled use of proctoring software.
    Change.org reveals other petitions worldwide, ranging from colleges in Sri Lanka to the UK, Canada, and Italy. 
    Schools, colleges, and universities are in an unenviable position. They have been thrust into a world where they are responsible for pupil education but need to rely on remote technology to do so — and they must also work out ways to monitor assessments and exams fairly to reduce the risk of cheating.
    However, with disruption unlikely to end for the educational sector any time soon, educational and social policy should not disregard an individual’s right to privacy — and it should not become a common and accepted fact of life to have remote surveillance tools installed on personal devices in order to have an academic career.
    Security concerns must be addressed, proctoring software needs to be transparent and its use temporary, and the issue of spyware as a forced install on devices that belong to students, rather than educational institutes, needs to be addressed — and quickly.
    “While almost all the petitions we’ve seen raise very real privacy concerns — from biometric data collection to the often overbroad permissions these apps require over the students’ devices, to the surveillance of students’ personal environments — these petitions make clear that proctoring apps also raise concerns about security, equity, accessibility, cost, increased stress, and bias in the technology,” the EFF says. 
    ZDNet has reached out to the proctoring software providers mentioned and will update when we hear back. 


  • in

    Ransomware is your biggest problem on the web. This huge change could be the answer

    Police always advise ransomware victims against paying off the criminal gangs that have encrypted their computer systems – and there are many good reasons for that.
    At the most basic level, even after the companies have handed over the money, it’s not always certain they will get their data restored. They are negotiating with crooks after all.

    But even if they do get their data back, paying up is still a bad idea. It gives the crooks a big payday, which encourages further attacks – perhaps even on the same organisation again. And that big payoff means that gangs can invest in hiring more software developers and hackers to go after even bigger targets.
    Paying the ransom might save you pain in the short term but means a bigger problem for everyone else in the longer run.
    Currently businesses in the UK are unlikely to be prosecuted for paying up to a ransomware gang – unless there is a reasonable chance of the payment being used to fund terrorism. But at least one senior figure in the security industry thinks that it should be a lot harder or even illegal to pay ransoms.
    In a speech earlier this month at security think tank RUSI, former head of the National Cyber Security Centre (NCSC) Ciaran Martin explained just how big a problem the agency considers ransomware to be.
    “Right up until my final hours at NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service,” he said.
    “For the attacker, the choice of the service would be incidental. They were just after money. But from the point of view of national harm, that incidental choice of victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.”
    He added: “Criminal ransomware used recklessly by amoral criminals is one of the biggest but least discussed scourges of the modern internet.”
    Martin said if he had “one policy card to play in the next year”, he would ask for “a serious examination of whether we should change the law to make it illegal for organisations in the UK to pay ransoms in the case of ransomware”.
    “The case for doing so is not – and I stress is not – a slam dunk, and if the answer is no [to making paying ransoms illegal], we should think of something else to counter ransomware, because it’s the single biggest contemporary scourge in cyberspace right now.”
    Martin said it was a curious anomaly that UK extortion laws are largely based on the experience of kidnapping by terrorist groups. That is, if you are ransomwared by a proscribed terrorist group, it is illegal to pay, but if the attackers are ordinary criminals, or even state attackers, then it’s fine. “Surely that needs a look,” he said.
    It’s thought that as many as half of organisations pay up when hit with ransomware, which has made data-encrypting malware a major source of revenue for sophisticated criminal gangs. Some versions of ransomware have raked in tens of millions in ransom, usually in the form of hard-to-trace cryptocurrencies like bitcoin.
    Many victims feel they have little choice but to pay up if the alternative is rebuilding all their computer systems and databases effectively from scratch – and trying not to go out of business as they do it. 
    But critics have warned being able to pay the ransom means that ransomware attacks are viewed by some as just another cost of doing business, which means they are less likely to invest in the sometimes-costly security systems that would prevent such attacks.
    If paying the ransom were no longer a legal option, companies would have to make sure their systems were robust enough to stop the attackers in the first place. But it would also put much more pressure on police to track down gangs as well.

  • in

    ATO wants to verify citizens are alive and physically present for myGovID registrations

    The Australian Taxation Office (ATO) is looking to introduce a “liveness” feature to myGovID, the Australian government’s digital identity credential.
    The agency, which handles myGovID, has gone to market seeking a supplier to deliver a software solution that will allow people who are registering to prove they are a live person and physically present, as well as allow them to take a selfie to verify their identity against a stored identity document, such as their passport or driver’s licence.
    The ATO quietly released the app last year to enable citizens to have their identity verified once so they could access government services online using their verified identity, rather than having to continually be verified by each Commonwealth entity.
    The ATO emphasised that the successful contractor would need to adhere to strict security guidelines. These include delivering a security management and governance functionality in accordance with the Australian Cyber Security Centre (ACSC) Information Security Manual and Essential Eight mandatory requirements, provide an authenticated log-on for individual ATO users, and configure its IT systems and environments to effectively respond to the latest threats.
    Additionally, the ATO said the supplier must utilise securely configured cryptographic data transmission protocols and algorithms to transfer information across untrusted networks, and be able to control the connection of peripheral devices to IT systems that store, process, or transfer ATO information.
    Last week, it was revealed that the default login option on myGovID for agents used by the ATO was vulnerable to a code replay attack.
    In a blog post, security researchers Ben Frengley and Vanessa Teague described how an attacker could use a malicious login form to capture user details, which the attacker could then use to log into other accounts held by the myGovID user.
    The pair said they informed the Australian Signals Directorate of the issue on August 19, and were told by the ATO that “they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public”.
    A spokesperson for the ATO said the flaw was not a “security vulnerability of the myGovID solution or application” and that it can be used against login procedures including “passwords, SMS, physical code generators, and mobile apps codes”.
    “The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform,” the spokesperson said.
    “The ATO takes IT security very seriously.”
    In October, the Digital Transformation Agency said almost 7,000 Australians had created a myGovID.
    The ATO said it expected approximately five million Australians would sign up over the first three years of the myGovID app going live.
    As part of the selection process, the tax office said it plans to conduct software trial activities to ensure shortlisted tenderers meet its requirements.
    The contract will be for a period to 30 September 2021, with the option to extend it three times for up to two years per extension.
    Submissions for the tender close October 20.

  • in

    US federal judge blocks TikTok ban

    A federal judge has ordered an injunction against the Trump administration’s ban of TikTok, which was set to come into effect on Sunday. 
    The ruling was in relation to a lawsuit filed by TikTok that argued the ban undermined the free speech rights of US citizens.
    “To ensure that the rule of law is not discarded, and that our company and users are treated fairly, we have no choice but to challenge the executive order through the judicial system,” TikTok said in its originating motion.
    The ban had sought to block TikTok and WeChat as well as remove them from the Apple and Google app stores. Additionally, updates to the existing apps would have also been banned. 
    The ban would not have prevented existing users from using the apps, however, as long as the apps were already installed prior to the app store removals.
    Following the judge’s order, the US Commerce Department, which is responsible for enforcing the ban, issued a statement that said it would “vigorously defend” the ban from legal challenges.
    Last week, the US courts issued a similar nationwide injunction against President Donald Trump’s executive order to prevent a WeChat ban from coming into effect. 
    For that case, magistrate judge Laurel Beeler granted the injunction as the plaintiffs showed serious questions about whether the ban impinged on the US First Amendment. She also acknowledged the ban would cause hardship for the plaintiffs as it would shut down the primary means of communication for the Chinese community.
    The TikTok ban was initially scheduled for September 20, but the US Commerce Department delayed it by a week to September 27 due to “recent positive developments” in talks regarding the sale of the US operations of TikTok. 
    Earlier this month, Oracle and Walmart announced they would acquire 20% of a newly formed TikTok Global and issue an IPO within 12 months, effectively saving TikTok’s US footprint from being banned.        
    The US Commerce Department also has a second TikTok ban on the cards. This second ban has a deadline of November 12, and demands that ByteDance sell TikTok due to national security concerns. This second ban was not part of the injunction that was ordered on Sunday evening.
    Both of these bans are the official instruments for enforcing the two executive orders that were signed by President Donald Trump in early August, which had labelled the pair of Chinese apps as national security threats. 