More stories


    Now Amazon adds ex-NSA chief Keith Alexander to its board

    Former National Security Agency director, general Keith Alexander, has joined Amazon’s board of directors. 
    As first reported by The Verge, Amazon has revealed Alexander’s appointment in a new filing with the Securities and Exchange Commission. 

    “Alexander served as the commander of US Cyber Command from May 2010 to March 2014 and was director of the National Security Agency and chief of the Central Security Service from August 2005 to March 2014,” Amazon states in the filing. 
    He’s also co-CEO and president of IronNet Cybersecurity, a cybersecurity company he founded in 2014 after leaving the NSA. 
    Alexander headed up the NSA at the time when former government contractor Edward Snowden leaked thousands of documents revealing the intelligence agency’s mass-surveillance programs, such as PRISM.
    At Black Hat US 2013, Alexander defended NSA’s surveillance programs as critical to defending the US against terrorist attacks. 
    As a former NSA chief with deep intelligence and defense connections, Alexander is likely to be useful in Amazon’s ongoing challenge to the Pentagon’s selection of Microsoft for its $10bn JEDI contract. 
    The Department of Defense last week concluded its review of the decision and opted to uphold the award to Microsoft. 
    Amazon last week said the Pentagon’s decision was “politically corrupted” by Defense Department officials who bowed to pressure from President Trump. The company also highlighted concerns over “a growing trend where defense officials act based on a desire to please the President, rather than do what’s right”.
    Following a meeting with Trump, the former NSA chief said he was “really impressed” with Trump and that he was the “president our nation needs – somebody who is looking how to solve cybersecurity issues”.

    Image: CBS/YouTube


    Data center giant Equinix discloses ransomware incident

    Image: Equinix

    Equinix, one of the world’s largest providers of on-demand colocation data centers, has disclosed today a security breach.
    In a short statement published on its website, Equinix said it found ransomware on its internal systems, but that the main core of its customer-facing services remained unaffected.
    “Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers,” the company said.
    There is no suggestion that the company is downplaying the incident, with no major outages being reported at the time of writing, and no wave of customer complaints flooding social media.
    “Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix,” the company added.
    Details about the ins and outs of the attack are not available, with Equinix citing an ongoing investigation.
    Equinix is just the latest in a long list of ransomware incidents that have impacted web hosting and data center providers. The list also includes CyrusOne, Cognizant, A2 Hosting, SmarterASP.NET, Dataresolution.net, and Internet Nayana.
    Such companies are ripe targets for cyber-criminals, and especially for ransomware gangs. The reason is simple: an attack has an immediate effect, often bringing down services not only for the provider but also for its customers, all of whom expect near-perfect uptime.
    This puts pressure on the data center or web hosting provider to restore services right away, which may sometimes include paying huge ransom demands.
    Equinix is listed on the NASDAQ stock exchange as EQIX and has around 8,000 employees. Earlier this year, Equinix entered into an agreement to purchase a portfolio of 13 data center sites, representing 25 data centers across Canada, from BCE Inc. for approximately $750 million.


    ProLock ransomware – everything you need to know

    Image: Group-IB

    Since the start of the year, a new ransomware gang named ProLock has made a name for itself by hacking into large companies and government networks, encrypting files, and demanding huge ransom payments.
    ProLock is the latest ransomware gang that has adopted the “big-game hunting” approach to its operations. Big-game hunting refers to going after larger targets in order to extract big payments from victims who can afford it.
    System administrators who manage these larger networks are most likely to see attacks from this particular group.
    Below is a short summary of all ProLock activities that system administrators need to be aware of, based on reports published by Group-IB, Sophos, and two FBI alerts [1, 2].
    ProLock’s start
    The ProLock gang began its attacks in late 2019. They initially operated under the name PwndLocker but rolled out a major code upgrade and changed their name to ProLock in March 2020, after security researchers identified a bug in the original PwndLocker strain and released a free decrypter.
    Distribution
    In most of the incidents analyzed by security researchers, the ProLock ransomware was deployed on networks that have been previously infected with the Qakbot trojan.
    The Qakbot trojan is distributed via email spam campaigns or is dropped as a second-stage payload on computers previously infected with the Emotet trojan. System administrators who find computers infected with either of these two malware strains should isolate those systems and audit their networks, as the ProLock gang could already be moving around inside them.
    Lateral movement
    But since the ProLock gang usually buys access to one Qakbot-infected computer and not entire networks, they also have to expand their access from this initial entry point to other nearby computers, for maximum damage.
    This operation is called “lateral movement,” and there are various ways the ProLock gang does this.
    Group-IB says ProLock uses the CVE-2019-0859 Windows vulnerability to gain administrator-level access on infected hosts and then deploys the Mimikatz tool to dump credentials from the infected system.
    Depending on what they find, the ProLock gang can use these credentials to move laterally across a network via RDP, SMB, or via the local domain controller.
    WMIC is used at the last moment to push the actual ransomware to all compromised hosts, where it encrypts files and, according to Sophos, plays the OS alert tone to signal the end of the encryption routine.
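    The two steps of this chain that leave the clearest traces in endpoint telemetry are the credential dump (a non-system process opening lsass.exe for memory reads) and the final WMIC fan-out (one host running `process call create` against many remote nodes). As an added hunting example, not code from Group-IB, Sophos or the FBI alerts, the following Python runs over a handful of constructed Sysmon-style records (Event ID 1 = process creation, Event ID 10 = process access) and flags both. Hostnames, users, file paths and the lsass allowlist are invented for the example.

```python
"""Hunt for the ProLock-style lateral-movement chain in process telemetry.

Added example; the records below are constructed Sysmon-like events with
made-up hosts, users and paths. Field names follow Sysmon's schema.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data).
EVENTS = [
    # Credential dumping: an unknown binary opens lsass with an access mask
    # that includes PROCESS_VM_READ (0x0010), the classic Mimikatz pattern.
    {"EventID": 10, "Computer": "WS-017",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Legitimate lsass access by the AV engine; must not be flagged.
    {"EventID": 10, "Computer": "WS-017",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Helpdesk querying one remote host with wmic: noisy but not a push.
    {"EventID": 1, "Computer": "ADMIN-PC", "User": "CORP\\helpdesk",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"FS-01" os get caption'},
    # Ransomware push: one host spraying "process call create" at many nodes.
    *[{"EventID": 1, "Computer": "WS-017", "User": "CORP\\svc_backup",
       "Image": r"C:\Windows\System32\wbem\WMIC.exe",
       "CommandLine": f'wmic /node:"{h}" /user:CORP\\svc_backup process call create "C:\\ProgramData\\winmgr.exe"'}
      for h in ("FS-01", "FS-02", "DC-01", "SQL-01", "WS-042")],
]

WMIC_NODE = re.compile(r'/node:\s*"?([^"\s,]+)"?', re.IGNORECASE)
PROCESS_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
# Assumption: site-specific allowlist of processes that legitimately read lsass.
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def credential_dump_suspects(events):
    """(host, source image) for non-allowlisted processes reading lsass memory."""
    hits = []
    for e in events:
        if e.get("EventID") != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if e["SourceImage"].lower() in LSASS_ALLOWLIST:
            continue
        if int(e["GrantedAccess"], 16) & 0x0010:  # PROCESS_VM_READ requested
            hits.append((e["Computer"], e["SourceImage"]))
    return hits


def wmic_remote_exec(events):
    """Map each source host to the remote nodes it targeted with 'process call create'."""
    targets = defaultdict(set)
    for e in events:
        if e.get("EventID") != 1 or not e["Image"].lower().endswith(r"\wmic.exe"):
            continue
        cmd = e["CommandLine"]
        node = WMIC_NODE.search(cmd)
        if node and PROCESS_CREATE.search(cmd):
            targets[e["Computer"]].add(node.group(1))
    return targets


def ransomware_push_suspects(events, min_nodes=3):
    """Hosts fanning out remote process creation to at least min_nodes machines."""
    return {host: sorted(nodes) for host, nodes in wmic_remote_exec(events).items()
            if len(nodes) >= min_nodes}


def triage(events):
    """Highest confidence: the same host dumped credentials and then fanned out."""
    dumps = credential_dump_suspects(events)
    pushes = ransomware_push_suspects(events)
    return {"credential_dump": dumps, "wmic_fan_out": pushes,
            "chain": sorted({h for h, _ in dumps} & set(pushes))}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

    The single-host `wmic` query from ADMIN-PC is deliberately left unflagged: remote process creation from one admin box to one server is everyday noise, and the signal in a ProLock push is the fan-out count from one source, which is why `ransomware_push_suspects` thresholds on distinct targets rather than alerting on every `/node:` invocation.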
    Impact
    All the operations needed to move laterally across a network are executed by a human operator in front of a terminal — and are not automated.
    As a result, ProLock incidents usually manage to infect a large number of computers, as the ProLock human operator bides their time in order to maximize damage.
    Group-IB says this tactic allows the group to demand very high decryption fees from victims, most of which face prolonged downtime if they decide to rebuild their internal networks instead.
    “The fact that their average ransom demands range anywhere from 35 to 90 Bitcoin (approx. $400,000 to $1,000,000) only confirms their ‘think big’ strategy,” Group-IB said in a private report shared with ZDNet today.
    These sums are below the average ($1.8 million) of some other big-game hunting ransomware gangs, but ProLock extortions have been gradually increasing in recent months. For example, Group-IB told ZDNet that the recent ProLock case they traced involved a ransom of 225 Bitcoin, which is around $2.3 million.
    Some of the group’s past victims include big names like ATM maker Diebold Nixdorf, the city of Novi Sad in Serbia, and Lasalle County in Illinois.
    Paying the ransom
    But despite the damage this ransomware group can do, in one of its two alerts, the FBI warned organizations against paying the ransom, as the ProLock decrypter that victims receive doesn’t always work as intended, and usually fails when decrypting larger files.
    Victim shaming
    Furthermore, ProLock has also been seen in some incidents leaking data from the networks of victims they infected, and which refused to pay.
    While some other ransomware groups have created special sites where they leak this data, ProLock prefers to dump it on hacking forums or pass it to journalists via email.
    All in all, ProLock appears to be the first ransomware gang that uses Qakbot as an initial entry point, but most of its other tactics are shared with other big-game hunting and human-operated ransomware gangs, so defending networks against ProLock should be straightforward for companies that have already taken precautions against those groups.


    University of South Australia says blockchain at odds with privacy obligations

    The University of South Australia (UniSA) has called for more work to be done on ensuring blockchain technology conforms to privacy rights and expectations.
    The university said there are key privacy issues inherent to current blockchain platforms, with a paper from UniSA emerging technologies researcher Dr Kirsten Wahlstrom and Charles Sturt University’s Dr Anwaar Ulhaq and professor Oliver Burmeister saying the exact features that make blockchain such a secure technology also make it a privacy minefield.
    This is because a blockchain verifies new transactions against the details of earlier ones, including participants’ identities and exchange values, by embedding that information in the chain itself, and because the viability of the system depends on each block being uneditable.
    Pointing to the “right to be forgotten” as present currently in laws such as Europe’s General Data Protection Regulation (GDPR), Wahlstrom said the inherent idea of blockchain clashes with such directive.
    “The European Court of Justice ruled European citizens have the right to be forgotten, but once someone’s details are embedded in a blockchain, the system never forgets — yes, those details might be encrypted, but they are also part of an irreversible ledger, and one that’s on the cloud,” she said. “As long as a blockchain is in existence, it clashes with the European ruling that people have the right to retract data.”    
    To counter this, Wahlstrom suggests greater efforts should be placed on developing variations of blockchain technology, to allow it to retain its virtues while also taking the privacy consideration seriously.
    “For example, our research has looked at the Holochain platform, which uses a distributed hash table to break the blockchain up, and then the chain, instead of sitting on the cloud, sits where end users want it to sit,” Wahlstrom added.
    “This allows individuals to verify data without disclosing all its details or permanently storing it in the cloud, but there are also still a lot of questions to answer about how this affects the long-term viability of the chain and how it obtains verifications.”
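    One widely used way to reconcile an append-only ledger with an erasure request is to keep the personal data off the chain and record only a salted commitment to it on the chain. The following Python is an added example of that pattern; it is not the Holochain design Wahlstrom describes and not the researchers’ code. The ledger is a plain hash-linked Python list standing in for an immutable chain, the off-chain store is a dict, and the sample record and subject name are made up. It also shows why a bare, unsalted hash of personal data on-chain does not solve the problem: low-entropy records such as a name plus date of birth can be recovered by guessing.

```python
"""Off-chain personal data, on-chain salted commitment.

Added example of a standard design pattern, with a toy ledger and store.
Sample record and identifiers are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canon(record: dict) -> bytes:
    """Canonical JSON so the same record always serialises identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    """Stand-in for an append-only, hash-linked chain: blocks can be read and
    verified but there is deliberately no way to edit or remove one."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        h = hashlib.sha256(prev.encode() + canon(payload)).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": h})
        return len(self.blocks) - 1

    def is_consistent(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            expected = hashlib.sha256(prev.encode() + canon(b["payload"])).hexdigest()
            if b["prev"] != prev or b["hash"] != expected:
                return False
            prev = b["hash"]
        return True


def commitment(record: dict, salt: bytes) -> str:
    """HMAC-SHA256 over the canonical record, keyed with a random 32-byte salt.
    Without the salt the value is indistinguishable from random, so it can
    sit on the ledger forever without disclosing the record."""
    return hmac.new(salt, canon(record), hashlib.sha256).hexdigest()


def unsalted_hash(record: dict) -> str:
    """The tempting but weak design: a bare hash of personal data on-chain."""
    return hashlib.sha256(canon(record)).hexdigest()


class OffChainStore:
    """Where the record and its salt actually live; deletion is possible here."""
    def __init__(self):
        self._rows = {}  # subject_id -> (record, salt, block index)

    def register(self, ledger: Ledger, subject_id: str, record: dict) -> int:
        salt = secrets.token_bytes(32)
        idx = ledger.append({"commitment": commitment(record, salt)})  # no PII on-chain
        self._rows[subject_id] = (record, salt, idx)
        return idx

    def verify(self, ledger: Ledger, subject_id: str) -> bool:
        """Holding record and salt, prove the record matches what the chain recorded."""
        if subject_id not in self._rows:
            return False
        record, salt, idx = self._rows[subject_id]
        return ledger.blocks[idx]["payload"]["commitment"] == commitment(record, salt)

    def forget(self, subject_id: str) -> None:
        """Erasure request: destroy record and salt. The on-chain commitment
        remains, but is now an unlinkable random-looking string."""
        self._rows.pop(subject_id, None)


def dictionary_attack(target_hex: str, candidates) -> Optional[dict]:
    """What a chain observer can do against an unsalted hash of low-entropy
    data: try plausible records until one matches."""
    for c in candidates:
        if unsalted_hash(c) == target_hex:
            return c
    return None


def demo() -> dict:
    ledger, store = Ledger(), OffChainStore()
    alice = {"name": "A. Example", "dob": "1990-01-01"}  # constructed sample record
    store.register(ledger, "alice", alice)
    before = store.verify(ledger, "alice")
    store.forget("alice")
    after = store.verify(ledger, "alice")
    guesses = [{"name": "A. Example", "dob": d} for d in ("1989-12-31", "1990-01-01", "1990-01-02")]
    leaked = dictionary_attack(unsalted_hash(alice), guesses)          # naive design
    hidden = dictionary_attack(ledger.blocks[0]["payload"]["commitment"], guesses)  # salted
    return {"verified_before": before, "verified_after": after,
            "chain_consistent": ledger.is_consistent(),
            "naive_leak": leaked, "committed_leak": hidden}


if __name__ == "__main__":
    print(demo())
```

    The chain stays internally consistent after `forget()`, so the ledger’s integrity property is untouched; what is lost is only the ability to link the stored commitment back to a person, which is the property an erasure request asks for. Whether that satisfies a given legal reading of “forgotten” is the open question the article raises, not something the code settles.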
    With the Australian government earlier this month releasing a code of practice for securing the Internet of Things (IoT) that is only voluntary, Wahlstrom also said considerations must be anticipated and addressed as an integral part of developing new technologies, rather than just treated as a secondary issue that can be tackled reactively and retrospectively.
    “We know that technologies disrupt society, and too often they do that in ways that we’re not fully aware of when it is actually happening,” she said. “We’re at a really delicate point with this because, increasingly, societies and economies are organised around data, and that has huge implications for privacy.
    “The main problem is, we’re still struggling to understand what ‘privacy’ actually means in an online world — it’s not the same as data security and protection, it’s about how individuals control their whole online identity, and expectations around that change from person to person and situation to situation.”
    She said the crucial first step is for the industry to develop a clear definition of what privacy actually is, and then agree to standards to ensure those requirements are met across the board.


    Slovak cryptocurrency exchange ETERBASE discloses $5.4 million hack

    ETERBASE, a Bratislava-based cryptocurrency exchange, disclosed this week a security breach. The exchange said hackers breached its internal network and stole cryptocurrency funds worth $5.4 million.
    The incident, which was disclosed on Thursday, involved the theft of various cryptocurrencies from the company’s hot wallets.
    Hot wallets are cryptocurrency accounts that are actively connected to the internet and which ETERBASE was using to power its inter- and intra-currency exchange operations.
    Funds were stolen from six hot wallets, storing Bitcoin, Ether, ALGO, Ripple, Tezos, and TRON assets.
    In a series of messages posted on its Telegram channel, the company said it detected the attack but could not stop it from taking place.
    Nonetheless, ETERBASE said it tracked the transactions as they left its wallets, and is currently tracing the stolen funds as they move around their respective blockchains.
    ETERBASE has also already contacted exchanges where the stolen funds have landed and requested that its stolen assets are frozen.

    Currently, all transactions on ETERBASE have been suspended until September 10, but the company said it planned to resume operations and reassured users that it had enough reserve funds to continue operating.
    Law enforcement was also notified, the company added.


    Raccoon attack allows hackers to break TLS encryption 'under certain conditions'

    Image: Merget et al.

    A team of academics has disclosed today a theoretical attack on the TLS cryptographic protocol that can be used to decrypt the HTTPS connection between users and servers and read sensitive communications.
    Named Raccoon, the attack has been described as “really hard to exploit” and its underlying conditions as “rare.”
    How the Raccoon attack works
    According to a paper published today, the Raccoon attack is, at its base, a timing attack: a malicious third party measures how long a server takes to perform known cryptographic operations and uses the differences to infer secret values.
    In the case of Raccoon, the target is the Diffie-Hellman key exchange, and the aim is to learn, for each observed connection, a few bits of information about the most significant bytes of the shared secret.
    “In the end, this helps the attacker to construct a set of equations and use a solver for the Hidden Number Problem (HNP) to compute the original premaster secret established between the client and the server,” the research team explained.

    Image: Merget et al.
    According to the researchers, servers that use the Diffie-Hellman key exchange when setting up TLS connections and reuse the same DH secret across connections (static DH, or DHE with ephemeral key reuse) are the ones exposed.
    This is an attack against servers; clients such as browsers are not the target. The attack also has to be carried out separately for each client-server connection, and cannot be used to recover the server’s private key and decrypt all connections at once.
    Servers that use the Diffie-Hellman key exchange and TLS 1.2 and below are considered vulnerable. DTLS is also impacted.
    TLS 1.3 is considered safe.
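    To make the root cause concrete, here is an added Python example (not code from the paper or from any TLS library) using a toy DH group, p = 1019 and g = 2, and a reused server exponent. It contrasts the TLS 1.2 premaster-secret encoding (RFC 5246 §8.1.2 strips leading zero bytes) with the TLS 1.3 encoding (RFC 8446 §7.4.1 pads to the size of the modulus), and shows one length-dependent step, HMAC hashing an over-long key, through which length can become time. The toy parameters and the 64-byte SHA-256 block boundary in the last function are for illustration only; where a one-byte difference actually changes a real server’s timing depends on the modulus size, the hash and the implementation.

```python
"""Root cause of the Raccoon side channel: TLS 1.2 strips leading zero bytes
from the DH shared secret before key derivation, so the premaster secret's
length, and hence the server's key-derivation time, depends on the secret's
top bits. Added example with a toy group (p = 1019, g = 2) and a toy reused
server exponent so the results can be checked by hand.
"""

P, G = 1019, 2                       # toy group; real groups are 2048+ bits
P_LEN = (P.bit_length() + 7) // 8    # 2 bytes for this p


def tls12_premaster(z: int) -> bytes:
    """RFC 5246 8.1.2: encode Z big-endian, then strip leading all-zero bytes.
    The result is one byte shorter whenever Z's top byte is zero."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")


def tls13_shared_secret(z: int) -> bytes:
    """RFC 8446 7.4.1: encode Z big-endian, left-padded with zeros to the size
    of p. Every shared secret has the same length, so nothing to time."""
    return z.to_bytes(P_LEN, "big")


def server_premaster(client_share: int, server_exp: int, encode=tls12_premaster) -> bytes:
    """What the server derives from the client's public value. A reused
    ephemeral exponent means server_exp is the same for every connection,
    which is the precondition the attack needs."""
    z = pow(client_share, server_exp, P)
    return encode(z)


def msb_oracle(client_share: int, server_exp: int, encode=tls12_premaster) -> bool:
    """The bit the attacker learns per connection: is the premaster secret
    shorter than a full-length encoding, i.e. is the top byte of Z zero?
    Here we read the length directly; the real attacker infers it from
    key-derivation timing, one connection at a time."""
    return len(server_premaster(client_share, server_exp, encode)) < P_LEN


def hmac_key_compressions(key_len: int, block_size: int = 64) -> int:
    """One place where length becomes time. HMAC (RFC 2104) hashes a key that
    is longer than the hash block size before use, and SHA-256 processes
    ceil((len + 1 + 8) / 64) blocks. Whether keys one byte apart differ in
    compression count depends on where the length falls against that
    boundary; 119 vs 120 is one boundary, used here purely as illustration."""
    if key_len <= block_size:
        return 0  # key is only zero-padded; no extra hashing
    return -(-(key_len + 1 + 8) // block_size)


if __name__ == "__main__":
    B = 2  # server's reused exponent (toy value)
    for a in (10, 20, 33, 40):
        print(a, server_premaster(a, B).hex(), msb_oracle(a, B))
    print(hmac_key_compressions(119), hmac_key_compressions(120))
```

    With the TLS 1.2 encoder the oracle fires exactly for client shares whose Z falls below 256 (for example 10² = 100 and 33² mod 1019 = 70), and stays silent for the rest; with the TLS 1.3 encoder it never fires, which is the structural reason TLS 1.3 is considered safe. The reused exponent is what lets an attacker send many chosen client shares and collect one such bit per connection.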
    Not a practical attack
    But despite having the capability to decrypt TLS sessions and read sensitive communications, the research team was also the first to admit that the Raccoon attack was also extremely hard to pull off.
    For starters, the attack requires that certain and extremely rare conditions be met.
    “The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable,” researchers said.
    “[The attacker] needs to be close to the target server to perform high precision timing measurements. He needs the victim connection to use DH(E) and the server to reuse ephemeral keys. And finally, the attacker needs to observe the original connection.
    “For a real attacker, this is a lot to ask for,” academics said.
    “However, in comparison to what an attacker would need to do to break modern cryptographic primitives like AES, the attack does not look complex anymore.
    “But still, a real-world attacker will probably use other attack vectors that are simpler and more reliable than this attack,” researchers added.
    While the attack has been deemed hard to exploit, some vendors have done their due diligence and released patches. Microsoft (CVE-2020-1596), Mozilla, OpenSSL (CVE-2020-1968), and F5 Networks (CVE-2020-5929) have released security updates to block Raccoon attacks.
    Additional technical details are also available on a dedicated website and in a research paper titled “Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)” [PDF].


    BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys

    The organization behind the Bluetooth wireless technology has published guidance today on how device vendors can mitigate a new attack on Bluetooth-capable devices.
    Named BLURtooth, this is a vulnerability in a component of the Bluetooth standard named Cross-Transport Key Derivation (CTKD).
    This component is used for negotiating and setting up authentication keys when pairing two Bluetooth-capable devices.
    The component works by setting up two different sets of authentication keys for both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standard.
    CTKD’s role is to have the keys ready and let the paired devices decide which version of the Bluetooth standard they want to use. Its primary use is for the Bluetooth “dual-mode” feature.
    BLURtooth attack leads to key overwrite
    But according to security notices published today by the Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at the Carnegie Mellon University (CERT/CC), an attacker can manipulate the CTKD component to overwrite other Bluetooth authentication keys on a device, and grant an attacker connecting via Bluetooth access to other Bluetooth-capable services/apps on the same device.
    In some versions of the BLURtooth attack, the authentication keys can be overwritten completely, while in others the authentication keys can be downgraded to use weak encryption.
    All devices using the Bluetooth standard 4.0 through 5.0 are vulnerable. The Bluetooth 5.1 standard comes with features that can be activated and prevent BLURtooth attacks.
    Bluetooth SIG officials say they started notifying vendors of Bluetooth devices about the BLURtooth attacks and how they could mitigate its effects when using the 5.1 standard.
    Patches… uhm… will be ready… when they’re ready
    Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator).
    However, patches are expected to be available at one point. When they’ll be, they’ll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.
    The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different schedules, and some may not prioritize security patches as much as others. The number of vulnerable devices is also unclear and hard to quantify.
    Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability.
    According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.


    Singapore to begin nationwide distribution of COVID-19 contact tracing wearables

    Singapore will begin issuing COVID-19 contact tracing wearables to all residents and introducing additional safety measures, as it looks to resume more public activities in the coming weeks. These new measures will include the mandatory use of the TraceTogether Tokens or contact tracing app TraceTogether to facilitate digital check-in procedures at some locations where “higher-risk activities” are held.
    A new “Self-Check” service and SMS service also would be rolled out on Thursday to alert people if they had visited the same venues at the same time as COVID-19 cases, said the Health Ministry and Smart Nation and Digital Government Office in a joint statement Wednesday. Both services would be based on data from individuals’ SafeEntry check-ins.

    The government agencies said the new measures were necessary to support the country’s further opening of the economy “by ensuring more effective contact tracing for the community”.
    To date, its TraceTogether app has topped 2.4 million downloads, accounting for about 40% of the local population. 
    An initial batch of 10,000 Bluetooth-enabled TraceTogether Tokens were distributed to the elderly in June, days after the country’s plans to introduce the wearables sparked public outcry amongst individuals concerned about their privacy. It prompted the government to reveal that the contact tracing devices did not contain a GPS chip and would not have internet or cellular connectivity, so the data collected could only be extracted when the devices were physically handed over to a health official. 
    The government had explained that the wearable devices were essential to plug gaps within the community where, for instance, children or individuals who did not have a smartphone would not be able to download the TraceTogether contact tracing app. It said the TraceTogether Tokens also offered an option for others who preferred to use a separate device to facilitate Singapore’s digital contact tracing efforts. 
    The wearable devices would be distributed nationwide from September 14, with the government targeting to issue the token for free to all residents by November. The device’s battery has an estimated lifespan of six months and will not require any additional charging.  
    Records of proximity data of close contacts are encrypted and stored locally in the token for up to 25 days. This data can be accessed only by the relevant authorities and only if a user is confirmed to be a COVID-19 case. 
    Plans were underway to further pilot the mandatory use of the TraceTogether app or wearable to facilitate SafeEntry check-ins at selected venues that held higher-risk activities, such as larger-scale business-to-business events. This would be further expanded over time as the distribution of the wearables widened, the Singapore government said. These could include venues such as hotels, which often were used for weddings, F&B outlets, cinemas, gyms, and some workplaces. 
    “As such settings have the potential to spark off large outbreaks from a single positive COVID-19 case that spread beyond the activity or venue, the use of TraceTogether can facilitate rapid and comprehensive contact tracing to stem onward spread,” the government said. 
    SafeEntry is already compulsory at several locations including all workplaces, shopping malls, hotels, schools and educational institutes, healthcare facilities, supermarkets, and hairdressers. Since its launch, the digital check-in system has clocked an average of 9 million check-ins a day and has been used by more than 2.2 million unique users across 200,000 locations.
    The system collects data that can be used to facilitate contact tracing should an individual who visited the location test positive for COVID-19. QR codes are displayed at the entry and exit points of a venue, which visitors must scan and input their name, national identification number, and mobile number. Alternatively, they can use any identification card that carries a barcode such as their driver’s licence, work permit, or student pass, which is then scanned by staff stationed at the venue’s entry point. 
    With the launch of the “Self-Check” service, individuals will be able to refer to their SafeEntry records to check if they have been in close proximity to COVID-19 cases. 
    The new SMS notification alerts also will be sent to groups of individuals who were at locations assessed to pose a higher risk of transmission, such as dining places and gyms where people do not wear masks for extended periods of time. Those whose SafeEntry check-in and check-out times that overlap with COVID-19 cases in such locations will receive an SMS alert. 
    From October, Singapore is permitting bigger exhibitions and conferences comprising up to 250 participants to resume on a trial basis, where organisers will have to apply to pilot such Meetings, Incentives, Conventions, and Exhibitions (MICE). 
    The country today confirmed 75 new COVID-19 cases, including 14 that were imported. It has just over 57,160 cases in total and 27 fatalities, with the most recent death recorded on July 14.

    (Source: Singapore’s Smart Nation and Digital Government Office)

