More stories

  • in

    Next-generation police dogs now sniff out your electronics

    Police dogs are now being trained to hunt out electronic devices that could provide key evidence in criminal cases.

    Sota, a black Labrador belonging to Minnesota law enforcement, is the result of such training. According to local publication the Star Tribune, Sota is able to sniff out small electronics — including smartphones, USB drives, and microSD cards — that may contain key evidence in sexual abuse and child predation cases, as well as white-collar crimes. 
    Two-year-old K-9 Sota made her debut this week with a public introduction organized by the state’s Department of Public Safety (DPS). 
    See also: EFF’s new database reveals what tech local police are using to spy on you
    So-called electronic storage detection (ESD) dogs are trained to recognize triphenylphosphine oxide (TPPO), a chemical commonly found in coatings applied to small electronics.
    Labradors are touted as a suitable breed for such work because they are generally highly food-motivated. According to GT, Labs smell TPPO during training before they are fed and learn to associate the chemical with food, until they actively hunt for it in order to be rewarded.
    The DPS says that while she is the first police dog in Minnesota focused primarily on sniffing out electronics, Sota also highlights an emerging trend in training.
    Where police dogs were once trained mainly on weapons and drugs, the number of electronics-sniffing dogs working in the United States has grown from three two years ago to “three dozen” today.
    ESD dogs have been trained in the United States since 2011, but it was in 2015 that Bear, an ESD-trained black Labrador, showed their worth in a child pornography case by finding a hidden flash drive that investigators had missed.
    The discovery led to a man being found guilty of sexual abuse and the distribution of child pornography, resulting in a 15-year prison sentence and a $175,000 fine.

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • in

    Microsoft: Azure-based Sentinel security gets new analytics to spot threats in odd behavior

    One year on from reaching general availability, Microsoft’s Azure-based Sentinel security system now brings new user and entity behavioral analytics to help detect unknown and insider threats faster. 
    The behavioral analytics feature also gives customers another reason to send more security logs to the Azure cloud for analysis. Pay-as-you-go pricing is $2.46 per gigabyte (GB) of data analyzed by the Azure Sentinel security information and event management (SIEM) system.

    Rather than customers buying their own hardware for a SIEM solution, Sentinel offers an option with no hardware setup or licensing costs.
    But while the Azure security product can be cheaper than traditional SIEM solutions, Eric Doerr, vice president of cloud security at Microsoft, told ZDNet that Sentinel is definitely not free, and that customers are sometimes surprised by the cost of the cloud service after being tempted to stuff it with data and logs they would never have ingested into a legacy SIEM.
    “No doubt about it, the total cost of ownership is for sure superior to going and buying a bunch of physical machines. But we have a funny challenge, which is a lot of people say: ‘Oh my god, this is so amazing, so I want to import 10 times as much data as I was importing in my old solution’,” said Doerr. 
    “And they’re like, ‘Oh wait, but that’s expensive’. And we’re like, ‘Well, right, 10 times the data volume instead of being a different number, right?’ It’s not free, you still have to pay for what you really care about. If all data in the universe were free, you’d store everything for ever. 
    “If there was no compliance – obviously for compliance reasons you don’t want to keep data around for too long. But it’s still like, ‘Do I install every firewall log for two years or do I store them for 90 days? Or do I find some hybrid model?'”
    Microsoft Sentinel has gained 6,500 customers in the year since reaching general availability. 
    The Sentinel User and Entity Behavioral Analytics platform, or UEBA in industry jargon, helps customers detect unknown and insider threats. The feature is available in preview and works by building a behavior profile of a user or device to detect anomalies.  
    SEE: Microsoft renames and unifies more products under Microsoft Defender brand
    The feature syncs information from Azure Active Directory and correlates Azure AD audit logs, sign-in logs and Azure activity logs with security event data; the result is displayed in a dashboard indicating whether a user or device is potentially high risk.
    Security analysts can run a text search to find and open an entity profile, or click on an entity while investigating an incident. The profile includes contextual information, a timeline of activities and alerts across the most relevant data sources.
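As an added illustration (not Microsoft's UEBA implementation, whose scoring the page does not describe), the C program below shows the basic idea of a behaviour profile: it learns, per user, the sign-in hours, countries and devices seen in a baseline window of constructed sign-in records, then scores later events by how many of those attributes have never been seen before. The records, the field names and the one-point-per-new-attribute scoring are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERS 8
#define MAX_SEEN  8

/* One sign-in, reduced to the attributes the baseline tracks.
 * Field names and every record below are constructed for this example. */
typedef struct {
    const char *user;
    int         hour;      /* 0-23 */
    const char *country;
    const char *device;
} signin_t;

/* Per-user behaviour profile learned from the baseline window. */
typedef struct {
    const char *user;
    uint32_t    hours_mask;            /* bit h set if a sign-in occurred at hour h */
    const char *countries[MAX_SEEN];   int n_countries;
    const char *devices[MAX_SEEN];     int n_devices;
} profile_t;

static int in_list(const char *const *list, int n, const char *v) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], v) == 0) return 1;
    return 0;
}

static void add_unique(const char **list, int *n, const char *v) {
    if (*n < MAX_SEEN && !in_list(list, *n, v)) list[(*n)++] = v;
}

static profile_t *find_profile(profile_t *profiles, int n, const char *user) {
    for (int i = 0; i < n; i++)
        if (strcmp(profiles[i].user, user) == 0) return &profiles[i];
    return NULL;
}

/* Learn baselines: every hour, country and device seen per user. */
void build_profiles(const signin_t *log, int len, profile_t *profiles, int *n) {
    for (int i = 0; i < len; i++) {
        if (log[i].hour < 0 || log[i].hour > 23) continue;   /* malformed record */
        profile_t *p = find_profile(profiles, *n, log[i].user);
        if (!p) {
            if (*n >= MAX_USERS) continue;
            p = &profiles[(*n)++];
            memset(p, 0, sizeof *p);
            p->user = log[i].user;
        }
        p->hours_mask |= 1u << log[i].hour;
        add_unique(p->countries, &p->n_countries, log[i].country);
        add_unique(p->devices, &p->n_devices, log[i].device);
    }
}

/* Score a new event: one point per attribute never seen in the baseline.
 * A user with no profile at all scores 3, since everything about them is new. */
int anomaly_score(profile_t *profiles, int n, const signin_t *e) {
    const profile_t *p = find_profile(profiles, n, e->user);
    if (!p) return 3;
    int score = 0;
    if (e->hour < 0 || e->hour > 23 || !(p->hours_mask & (1u << e->hour))) score++;
    if (!in_list(p->countries, p->n_countries, e->country)) score++;
    if (!in_list(p->devices, p->n_devices, e->device)) score++;
    return score;
}

/* Constructed baseline (a "normal" week) and later events to score. */
static const signin_t baseline_log[] = {
    {"alice", 8,  "NL", "laptop-alice"}, {"alice", 9,  "NL", "laptop-alice"},
    {"alice", 10, "NL", "laptop-alice"}, {"alice", 14, "NL", "laptop-alice"},
    {"bob",   9,  "NL", "phone-bob"},    {"bob",   17, "DE", "phone-bob"},
};
static const signin_t new_events[] = {
    {"alice", 9,  "NL", "laptop-alice"},   /* routine                  -> 0 */
    {"alice", 3,  "RU", "unknown-win10"},  /* new hour, country, device -> 3 */
    {"bob",   17, "DE", "phone-bob"},      /* routine                  -> 0 */
    {"bob",   9,  "NL", "new-device"},     /* only the device is new    -> 1 */
    {"carol", 12, "NL", "laptop-carol"},   /* no baseline at all        -> 3 */
};
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Score new_events[idx] against profiles built from baseline_log. */
int score_new_event(int idx) {
    profile_t profiles[MAX_USERS]; int n = 0;
    build_profiles(baseline_log, LEN(baseline_log), profiles, &n);
    return anomaly_score(profiles, n, &new_events[idx]);
}

/* Number of new events scoring at or above threshold: the "high risk" list. */
int count_flagged(int threshold) {
    int flagged = 0;
    for (int i = 0; i < LEN(new_events); i++)
        if (score_new_event(i) >= threshold) flagged++;
    return flagged;
}

int main(void) {
    for (int i = 0; i < LEN(new_events); i++)
        printf("%-5s hour=%2d %s %-14s score=%d\n", new_events[i].user,
               new_events[i].hour, new_events[i].country, new_events[i].device,
               score_new_event(i));
    printf("flagged at threshold 2: %d\n", count_flagged(2));
    return 0;
}
```

The point the scoring makes is the one the passage is about: a single attribute being new (bob on a new device) is routine noise, while an event that is new on every axis at once, or a user with no history at all, is what an analyst would want surfaced as high risk. A production profile would add frequency and recency weighting and decay old baseline entries; the structure stays the same.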
    Microsoft has also launched a preview of Azure Security Center support for monitoring configuration and vulnerabilities for applications such as SQL that customers host in Google Cloud and Amazon Web Services. The feature is designed to help customers that may have merged with another company that uses a rival cloud to Azure. 


  • in

    Instagram bug opened a path for hackers to hijack app, turn smartphones into spies

    Facebook has patched a critical vulnerability in Instagram that could lead to remote code execution and the hijack of smartphone cameras, microphones, and more. 

    Privately disclosed to Facebook, the owner of Instagram, by Check Point, the security flaw is described as “a critical vulnerability in Instagram’s image processing.”
    Tracked as CVE-2020-1895 with a CVSS score of 7.8, the vulnerability is described in Facebook’s security advisory as a heap overflow.
    “A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128,” the advisory says. 
    In a blog post on Thursday, Check Point cybersecurity researchers said sending a single malicious image was enough to take over Instagram. An attack can be triggered once a crafted image is sent — via email, WhatsApp, SMS, or any other communications platform — and then saved to a victim’s device.
    Whether the image was saved automatically or by hand, simply opening Instagram afterwards is enough for the malicious code to execute.
    The issue lies in how Instagram handles third-party libraries used for image processing. In particular, Check Point focused on Mozjpeg, an open source JPEG library developed by Mozilla, which Instagram used improperly to handle image uploads.
    A crafted image file can contain a payload able to harness Instagram’s extensive permissions list on a mobile device, granting access to “any resource in the phone that is pre-allowed by Instagram,” the team says. 
    This could include accessing a device’s phone contacts, location/GPS data, camera, and locally stored files. Within the Instagram app itself, the RCE vulnerability could also be used to intercept and read direct messages, delete or post photos without permission, or change account settings.
    “At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data,” Check Point added.
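The bug class the advisory describes, an output buffer sized from attacker-controlled image dimensions, is easiest to see in code. The C program below is an added illustration, not Instagram's or Mozjpeg's code and not Check Point's exploit: it computes the pixel-buffer size the way a naive wrapper would (32-bit arithmetic that silently wraps), beside a checked version that validates the dimensions against assumed limits (BYTES_PER_PIXEL, MAX_DIM and MAX_PIXELS are illustrative constants, not the real libraries' values), and simulates the decoder's row-by-row writes so that the overrun is reported rather than actually corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative constants, not Instagram's or Mozjpeg's real values. */
#define BYTES_PER_PIXEL 4u                      /* assume RGBA output */
#define MAX_DIM         65535u                  /* JPEG's 16-bit dimension limit */
#define MAX_PIXELS      (16384ull * 16384ull)   /* assumed app-level pixel budget */

typedef struct {
    uint32_t width, height;
    size_t   buf_len;     /* bytes actually allocated for pixels */
    uint8_t *pixels;
} image_t;

/* Vulnerable size computation: evaluated in 32-bit unsigned arithmetic,
 * so large attacker-chosen dimensions wrap to a small number. */
uint32_t image_bytes_unsafe(uint32_t w, uint32_t h) {
    return w * h * BYTES_PER_PIXEL;
}

/* Hardened version: validate dimensions, multiply in 64 bits, enforce a
 * pixel budget. Returns 0 and the byte count, or -1 to reject the image. */
int image_bytes_checked(uint32_t w, uint32_t h, size_t *out) {
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -1;
    uint64_t pixels = (uint64_t)w * (uint64_t)h;
    if (pixels > MAX_PIXELS) return -1;
    uint64_t bytes = pixels * BYTES_PER_PIXEL;
    if (bytes > (uint64_t)SIZE_MAX) return -1;
    *out = (size_t)bytes;
    return 0;
}

static int image_alloc(image_t *img, uint32_t w, uint32_t h, size_t size) {
    img->width = w; img->height = h; img->buf_len = size;
    img->pixels = malloc(size ? size : 1);   /* sidestep malloc(0) ambiguity */
    return img->pixels ? 0 : -1;
}

int image_alloc_unsafe(image_t *img, uint32_t w, uint32_t h) {
    return image_alloc(img, w, h, image_bytes_unsafe(w, h));
}

int image_alloc_checked(image_t *img, uint32_t w, uint32_t h) {
    size_t size;
    if (image_bytes_checked(w, h, &size) != 0) return -1;
    return image_alloc(img, w, h, size);
}

/* Simulated decode loop. A real decoder writes one scanline per iteration
 * and trusts the buffer to hold width*height pixels; this version stops at
 * the allocation edge and returns how many bytes would have been written
 * past it (0 means the buffer was big enough). */
uint64_t decode_rows_simulated(image_t *img) {
    uint64_t row_bytes = (uint64_t)img->width * BYTES_PER_PIXEL;
    uint64_t written = 0, overrun = 0;
    for (uint32_t y = 0; y < img->height; y++) {
        if (written + row_bytes <= img->buf_len) {
            memset(img->pixels + written, 0xAB, (size_t)row_bytes);
            written += row_bytes;
        } else {
            overrun += row_bytes;   /* the heap overflow, in a real decoder */
        }
    }
    return overrun;
}

void image_free(image_t *img) { free(img->pixels); img->pixels = NULL; }

/* Overrun produced by the unsafe path for w x h (UINT64_MAX if malloc failed). */
uint64_t unsafe_overrun(uint32_t w, uint32_t h) {
    image_t img;
    if (image_alloc_unsafe(&img, w, h) != 0) return UINT64_MAX;
    uint64_t overrun = decode_rows_simulated(&img);
    image_free(&img);
    return overrun;
}

/* Byte count accepted by the checked path, or -1 if it rejects w x h. */
long long checked_bytes(uint32_t w, uint32_t h) {
    size_t n = 0;
    return image_bytes_checked(w, h, &n) == 0 ? (long long)n : -1;
}

int main(void) {
    /* Crafted dimensions: 32768 x 32769 RGBA needs about 4 GiB, but the
     * 32-bit product wraps to 131072 bytes (128 KiB). */
    printf("unsafe 32768x32769: alloc %u bytes, overrun %llu bytes\n",
           (unsigned)image_bytes_unsafe(32768, 32769),
           (unsigned long long)unsafe_overrun(32768, 32769));
    printf("checked 32768x32769: %lld (rejected)\n", checked_bytes(32768, 32769));
    printf("checked 640x480: %lld bytes, overrun %llu\n",
           checked_bytes(640, 480), (unsigned long long)unsafe_overrun(640, 480));
    return 0;
}
```

The checked path rejects the crafted dimensions before any allocation happens, which is the property a fix for this class of bug needs: the size arithmetic must be done in a type wide enough for the largest legal product, and anything above an explicit ceiling is refused rather than passed to the decoder.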
    The write-up of the vulnerability was made six months after private disclosure to give the majority of handset users time to accept security updates and mitigate the risk of exploit. 
    “We’ve fixed the issue and haven’t seen any evidence of abuse,” Facebook said. “We’re thankful for Check Point’s help in keeping Instagram safe.”


  • in

    Cybersecurity: Your supply chain is now your weakest link

    More than 80% of organisations have experienced a data breach as a result of security vulnerabilities in their supply chains, as cyber criminals take advantage of the poor security of smaller vendors as a means of gaining access to the networks of large organisations.
    Research by cybersecurity company BlueVoyant found that organisations have an average of 1,013 vendors in their supplier ecosystem – and that 82% of organisations have suffered a data breach in the past 12 months due to cybersecurity weakness in the supply chain.


    But, despite the risk posed by security vulnerabilities in the supply chain, a third of organisations have little to no indication if hackers had got into their supply chain, meaning that they may not find out that they’ve been the victim of an incident until it’s too late.
    SEE: Security Awareness and Training policy (TechRepublic Premium)
    Large companies are likely to be better protected than smaller companies, which means hackers are increasingly turning towards their suppliers as a means of infiltrating the network in a way that will often go unnoticed.
    “Very often people think, well, what are our most critical suppliers, and inevitably they end up with their top ten being some of the world’s biggest names, like cloud providers. But that’s not where the threat comes from,” Robert Hannigan, chairman of BlueVoyant International, told ZDNet.
    “It’s much more likely that the real threat is going to come from a much smaller company you’ve never heard of but which is connected to your network,” said Hannigan, who was previously director of GCHQ. 
    An example of this was seen in 2017 when the NotPetya attack infected organisations around the world, which was apparently first spread using the hijacked software-update mechanism of an accounting software company. The attack quickly spread out of control and took down networks of organisations across Europe and beyond.
    “Who would have thought with NotPetya that some accountancy software being updated would lead to massive disruption across Europe. It wasn’t a top supplier for any of the companies that were hit, but it led to huge damage and interruption,” said Hannigan.
    Other attacks against the supply chain are much more subtle, with cyber criminals infiltrating the vendor with malware or phishing emails and taking over accounts, which they then use as a gateway to breaching the larger organisation, especially if there is already a trusted relationship between the two.
    This was the case when a utilities company suffered a data breach after cyber criminals targeted it via its law firm, compromising the account of someone at the firm and using that access to compromise the utility.
    “What the attacker has done is compromise the inbox of someone in this particular firm and because the attacker was using the identity of a real person and their real inbox, the normal protection against phishing emails didn’t work because it’s just an email from a regular trusted person – but unfortunately it wasn’t the regular person, it was an attacker,” Hannigan explained.
    One key reason supply-chain vulnerabilities go unnoticed is that it often isn’t clear who is responsible for managing risk in relationships with third-party vendors. Even when a supplier is known to have vulnerabilities, the problem may never get fixed because no person or team owns that vendor relationship.
    “I haven’t met a CISO who’s not aware that there’s a huge ecosystem to make sense of, but finding a way to do it is a challenge. Even the biggest organisations have a limited team for dealing with cyber risk and there’s a limit to what they can get to. You can’t expect a small team to manage risks of 10,000 vendors,” said Hannigan.
    To better manage the risk posed by supply-chain vulnerabilities, the report recommends that organisations decide who owns third-party cyber risk, so that they can adopt an effective strategy to manage it, and that they improve visibility across the whole supply chain.
    The report also recommends that organisations which see risks in their supply chain alert and assist the third parties with potential vulnerabilities, because those suppliers are who cyber criminals will target in an attempt to breach your network.
    “Criminals don’t just give up, they look for easier ways in. It’s inevitable that when companies’ perimeters got better defended, criminals would start to look at the soft ways to get in – and the supply chain is the obvious way to do that,” said Hannigan.

  • in

    Microsoft says it detected active attacks leveraging Zerologon vulnerability

    Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on September 24.
    “Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” the company wrote in a series of tweets from its Microsoft Security Intelligence account (@MsftSecIntel) on September 24, 2020.

    The attacks were expected to happen, according to security industry experts.
    Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.
    The first proof-of-concept exploit was published hours after the explanatory blog post, confirming Secura’s analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.
    A more in-depth explanation of the Zerologon bug is available in our initial coverage of the vulnerability, but, to simplify, Zerologon is a vulnerability in Netlogon, the protocol Windows systems use to authenticate against a Windows Server acting as a domain controller. Exploiting it can allow attackers to take over the domain controller and, with it, the company’s internal network.
    Zerologon was described by many as the most dangerous bug revealed this year. Over the weekend, the DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks.
    In an alert on Monday, CISA said the Zerologon bug also affects Samba, the open-source file-sharing software, when it is deployed as a domain controller; affected Samba installations also need to be updated.
    While Microsoft has not released details about the attacks, it did release file hashes for the exploits used in the attacks.
    As several security experts have recommended since Microsoft revealed the attacks, companies with domain controllers exposed to the internet should take those systems offline to patch them.
    Internet-reachable domain controllers are particularly at risk because the attack can be mounted directly, without the attacker first needing a foothold on internal systems.

  • in

    New 'Alien' malware can steal passwords from 226 Android apps


    Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.
    Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.
    In a report shared this week with ZDNet, security researchers from ThreatFabric dug deep into forum posts and Alien samples to understand the malware’s evolution, tricks, and features.
    Cerberus out, Alien in
    According to researchers, Alien is not truly a new piece of code but was actually based on the source code of a rival malware gang named Cerberus.
    Cerberus, an active MaaS last year, fizzled out this year: its owner tried to sell the codebase and customer base before eventually leaking it for free.
    ThreatFabric says Cerberus died out because Google’s security team found a way to detect and clean infected devices. Although Alien was based on an older Cerberus version, it doesn’t seem to share this problem, and its MaaS stepped in to fill the void left by Cerberus’ demise.
    And researchers say that Alien is even more advanced than Cerberus, a reputable and dangerous trojan in its own right.
    Alien can intercept some 2FA codes, phish a ton of apps
    ThreatFabric says Alien is part of a new generation of Android banking trojans that have also integrated remote-access features into their codebases.
    This makes Alien a dangerous concoction to get infected with. Not only can Alien show fake login screens and collect passwords for various apps and services, but it can also grant the hackers access to devices to use said credentials or even perform other actions.
    Currently, according to ThreatFabric, Alien boasts the following capabilities:
    Can overlay content on top of other apps (feature used for phishing login credentials)
    Log keyboard input
    Provide remote access to a device after installing a TeamViewer instance
    Harvest, send, or forward SMS messages
    Steal contacts list
    Collect device details and app lists
    Collect geo-location data
    Make USSD requests
    Forward calls
    Install and start other apps
    Start browsers on desired pages
    Lock the screen for a ransomware-like feature
    Sniff notifications shown on the device
    Steal 2FA codes generated by authenticator apps
    That’s quite an impressive array of features. ThreatFabric says these are mostly used for fraud-related operations, as most Android trojans tend to be these days, with the hackers targeting online accounts, searching for money.
    During its analysis, researchers said they found that Alien had support for showing fake login pages for 226 other Android applications (full list in the ThreatFabric report). 
    Most of these fake login pages were aimed at intercepting credentials for e-banking apps, clearly supporting ThreatFabric’s assessment that Alien was built for fraud.
    However, Alien targeted other apps as well, such as email, social, instant messaging, and cryptocurrency apps (e.g., Gmail, Facebook, Telegram, Twitter, Snapchat, WhatsApp, etc.).
    Most of the banking apps targeted by Alien’s developers belong to financial institutions in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.

    ThreatFabric didn’t include details about how Alien makes its way onto users’ devices, primarily because this varies with how the Alien MaaS customers (other criminal groups) choose to distribute it.
    “A lot of it seems distributed via phishing sites, for example malicious page tricking the victims into downloading fake software updates or fake Corona apps (still a common trick at the moment),” Gaetan van Diemen, a malware analyst at ThreatFabric, told ZDNet.
    “Another method observed to be used is the SMS, once they infect a device they collect the contact list which they then reuse for further spreading of their malware campaign,” he added.
    Some malicious apps make it onto the Play Store once in a while, but most of the time they are distributed through other channels, van Diemen said.
    All of these shady Alien-tainted apps can be spotted fairly easily, as they typically ask users to grant device administrator privileges or access to the Accessibility service.
    As self-evident as the advice “don’t install apps from shady sites and grant them admin rights” might sound, not all Android users are technical enough to understand it; many will download and install apps from any location and then click through every prompt during installation.
    This is how malware operates in general: it targets non-technical users, not the “experts.” And there are plenty of non-technical users around, which is why Android malware is big business on hacking forums these days.
    So… don’t install apps from shady sites and grant them admin rights.

  • in

    Facebook removes fake accounts linked to Philippine military, police

    Facebook has removed dozens of accounts for breaching its policies on foreign or government interference, including several with links to the Philippine military and police. The social media operator uncovered “the full scope” of the activity after investigating information brought to its attention by civil society and Rappler, an independent news organisation in the Philippines.
    Operating under two main networks, originating from China and the Philippines, individuals behind the activities had coordinated with each other and used fake accounts as an integral part of their operations to mislead people about who they were and what they were doing. 


    For the network that originated from China, Facebook removed 155 accounts, 11 Pages, nine Groups, and six Instagram accounts for coordinated inauthentic behaviour on behalf of a foreign or government entity, which it defines as foreign or government interference. The activity originated in China and focused primarily on the Philippines and Southeast Asia, though some attention was also paid to the US.
    In addition, some 133,000 accounts followed at least one of these Pages, 61,000 people joined at least one of the Groups, and another 150 accounts followed at least one of the Instagram accounts. Around $60 was also spent on ads, paid for in Chinese yuan.
    “We identified several clusters of connected activity that relied on fake accounts to pose as locals in countries they targeted, post in Groups, amplify their own content, manage Pages, Like, and comment on other people’s posts particularly about naval activity in the South China Sea, including US Navy ships,” said Nathaniel Gleicher, Facebook’s head of security policy, in a post Tuesday. “This campaign took operational security steps to conceal their identity and location including through the use of VPNs (virtual private networks).”
    Some of the Pages previously had been removed for violating the site’s inauthentic behaviour and spam policies, Gleicher noted.
    They had posted in Chinese, Filipino, and English about global news and current events including Beijing’s interests in the South China Sea and Hong Kong. They also focused on content supportive of Philippine President Rodrigo Duterte and Sarah Duterte’s potential run in the country’s presidential elections in 2022 as well as criticism of Rappler, an independent news organisation in the Philippines, which had alerted Facebook about some of the content. 
    The network paid the least attention to the US, where it had little or no following, posting content both in support of and against presidential candidates Pete Buttigieg, Joe Biden, and Donald Trump.
    Facebook’s investigations found links to individuals in China’s Fujian province. 
    According to Gleicher, amongst those removed, the Philippine network was behind 57 Facebook accounts, 31 Pages, and 20 Instagram accounts and focused its efforts on domestic audiences. Notably, this network was found to have links to both the military and police in the Philippines.
    Here, 276,000 accounts followed at least one of these Pages, while 5,500 people had followed at least one of the Instagram accounts. Some $1,100 was spent on ads on Facebook, paid for in Philippine peso. 
    The Philippine network comprised several clusters of connected activity that relied on fake accounts to evade enforcement, post content, comment, and manage Pages, he said, adding that the operation appeared to have accelerated between 2019 and 2020. The network posted in Filipino and English about local news and events, including domestic politics, military activities against terrorism, the pending anti-terrorism bill, criticism of communism, and the Communist Party of the Philippines and its military wing, the New People’s Army.

  • in

    Australians are caring more about data privacy but don't know how to protect themselves

    The Office of the Australian Information Commissioner (OAIC) has said data privacy is now the number one consideration for Australians when choosing a digital service, with 97% of those it surveyed saying this factor trumps cost and reliability.
    In its 2020 Australian Community Attitudes to Privacy Survey, based on responses from 2,866 adults, the OAIC said 59% of respondents had experienced problems with how their data was handled in the previous 12 months. The survey was conducted from February to March this year, with additional research performed in early April.
    The report [PDF] said 70% of respondents considered the protection of their personal information to be a major concern in their lives. Identity theft and fraud was the biggest privacy risk identified, with 76% of respondents naming it as a major concern. Data security and data breaches came second at 61%; digital services, including social media sites, at 58%; smartphone apps at 49%; and surveillance by foreign entities was flagged as a major concern by 35% of respondents, against 26% for surveillance by Australian entities.
    “Our comfort with certain data practices depends on the type of information collected, the purpose behind it, and the level of trust in the organisation involved. Australians appear more comfortable with data practices where the purpose is clearly understood — for example, law enforcement using facial recognition and video surveillance to identify suspects,” Commissioner Angelene Falk said in her foreword.
    See also: ‘Booyaaa’: Australian Federal Police use of Clearview AI detailed
    The report says that there is a strong understanding of why individuals should protect their personal information, but respondents were less sure how they could do this, with 49% admitting they did not know how to protect themselves due to a lack of knowledge, lack of time, and the difficulty of the process.
    As well as greater control over their personal information, Australians want to be protected against harmful practices, with 84% believing personal information should not be used in ways that cause harm, loss, or distress. 84% of respondents also wanted increased rights around certain issues such as asking businesses to delete information.
    Additionally, 64% of respondents believed they should have the right to ask a government agency to delete their personal information, 78% wanted the right to seek compensation in the courts for a breach of privacy, 77% wanted to know when their personal information is used in automated decision-making if it could affect them, and 77% of respondents wanted the right to object to certain data practices while still being able to access and use the service.
    Only 20% of respondents, however, read privacy policies and were confident they understood them.
    “Concerns regarding data privacy are driven by a belief that many companies routinely use personal information for purposes that make Australians uncomfortable,” the report said.
    The OAIC said that when comparing the results to those provided in 2017, fewer Australians are taking measures to protect their privacy, with a lower number of people asking public or private sector organisations why they need personal information. There were also fewer people that chose not to use an app on a mobile device because of concerns over handling personal information, as well as fewer people adjusting privacy settings on a social networking website than in 2017.
    The survey also revealed Australians trust social media the least with their personal information, and that the federal government is generally more trusted than businesses with the protection of personal information.
    62% of respondents said they were particularly uncomfortable with businesses tracking their location through their mobile or web browser. The same percentage of respondents also said that databases of information that keep what they have said and done online made them uncomfortable.
    “Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear, with 81% of Australians considering ‘an organisation asking for information that doesn’t seem relevant to the purpose of the transaction’ as a misuse,” the report said.
    Falk said her office would use the findings of the survey to inform its input into the review of the Privacy Act 1988 and its priorities for the coming years.