More stories


    Pentagon says it plans to stick with Microsoft as JEDI cloud contract winner

    Credit: ZDNet

    The Department of Defense is upholding its decision to award its $10 billion, 10-year cloud-computing contract to Microsoft, according to a statement the DoD released on Sept. 4. The statement comes just a couple of weeks after the Pentagon asked for more time to complete its review of the Joint Enterprise Defense Infrastructure (JEDI) cloud deal. According to a statement posted to the DoD press site:

    “The Department has completed its comprehensive re-evaluation of the JEDI Cloud proposals and determined that Microsoft’s proposal continues to represent the best value to the Government. The JEDI Cloud contract is a firm-fixed-price, indefinite-delivery/indefinite-quantity contract that will make a full range of cloud computing services available to the DoD. While contract performance will not begin immediately due to the Preliminary Injunction Order issued by the Court of Federal Claims on February 13, 2020, DoD is eager to begin delivering this capability to our men and women in uniform.” 

    I asked Amazon if the company intends to appeal the decision, but no word back so far. 
    A Microsoft spokesperson provided the following statement upon request: 

    “We appreciate that after careful review, the DoD confirmed that we offered the right technology and the best value. We’re ready to get to work and make sure that those who serve our country have access to this much needed technology.” 

    Microsoft was awarded the JEDI contract in October 2019. Shortly thereafter, Amazon Web Services (AWS) filed a suit claiming President Donald Trump’s interference played a big part in Microsoft’s win.

    Throughout much of the bidding process, Amazon was expected by many to be the triumphant bidder. In the later rounds, AWS and Microsoft emerged as the two final bidders in the winner-take-all deal. Google dropped out of the JEDI bidding late last year, while Oracle and IBM were eliminated earlier this year. Earlier this week, a federal appeals court again rejected Oracle’s attempt to protest the company’s elimination from the bidding.

    In March 2020, the DoD requested revised bids from AWS and Microsoft for the storage solutions component of the 10-year, $10 billion JEDI contract. In mid-August, which was slated to be the deadline for DoD to announce the winner after review, the agency asked for 30 additional days to issue its decision, which would have made Sept. 16 the new deadline.

    The JEDI contract is designed to upgrade legacy DoD systems with newer cloud services. The JEDI Cloud will provide “enterprise-level, commercial IaaS (infrastructure as a service) and PaaS (platform as a service) to the Department and any mission partners for all Department business and mission operations,” the government said.


    Threema E2EE chat app to go 'fully open source' within months

    Image: Threema

    Secure end-to-end messaging app Threema has announced this week plans to open-source its apps’ codebase in an effort to improve transparency and win over users’ trust.
    “Within the next months, the Threema apps will become fully open source, supporting reproducible builds,” the company said in a blog post.
    “This is to say that anyone will be able to independently review Threema’s security and verify that the published source code corresponds to the downloaded app,” the company added.
    “Being advocates of the Open Source initiative (one of our founders created the m0n0wall project that went on to become the basis for many security and firewall products, both commercial and non-commercial), we have been thinking about this step for a long time,” a Threema spokesperson told ZDNet in an email.
    “And of course the users have often asked for it, too. Now we are in a position that allows us to go Open Source without endangering our business model and our source of income.”
    Threema joins Signal and Wickr
    Threema, which is one of a handful of instant messaging services that support end-to-end encryption (E2EE) between users, is the third service to go open source, after Signal and Wickr.
    Just like Signal and Wickr, Threema is expected to make its client-side apps source code available on GitHub.
    Prior to this week’s announcement, Threema had faced regular criticism from users — namely that they can’t fully trust the app since nobody can review its code, which could easily hide encryption backdoors or other logging features.
    For example, Telegram, another very popular E2EE messaging client, still faces such criticism today.
    Threema’s move to go open source will, without a doubt, give the app a boost in popularity. As one user explained on the HackerNews community portal this week, the announcement “is really big news” as this will put the app on the same level with Wickr as one of today’s most secure E2EE messaging apps, and above Signal, which still doesn’t support creating accounts without tying the user’s identity to a phone number.
    The company’s announcement comes after it also announced last month support for E2EE video calls, another highly requested feature.
    New partnership announced as well
    In addition, Threema also announced a new business partner this week in German-Swiss investment company Afinum Management AG.
    “The additional resources gained through this partnership enable Threema to grow beyond the German-speaking part of Europe, and we can use our energy for visionary new ideas and projects,” Threema added.
    Threema’s current leadership structure, headed by its three original founders, has remained the same, the company said.


    US election: Two-thirds of typosquatted domains are non-malicious or parked sites

    Image: Digital Shadows

    A study of 225 typosquatted domains registered using election-related terms found that around two-thirds were non-malicious in nature: they either hosted politically-themed propaganda or were left parked, without any content.
    The report, compiled by threat intelligence firm Digital Shadows, looked at so-called typosquatted domains, which are URLs modeled to mimic legitimate sites.
    While the Digital Shadows report found that 67% of domains were “non-malicious,” researchers also found that 21% of the election-related typosquatted domains were either misconfigured or illegitimate sites. This includes websites that were either down, peddled scams, sold products using candidate brands, or falsely claimed to be affiliated with the official campaign.
    Per the same report, the rest of the domains (12%) were redirecting users to other sites. Most were official candidate and campaign sites, and the domains were likely registered by the campaigns themselves, as a form of protection. However, the researchers also said that not all redirections were benign, and they also found typosquatted domains redirecting to sites attacking the candidate whose name they abused (i.e., trump-is-bad-for-us[.]com and biden[.]exposed).
    This week’s report is a follow-up to a similar study researchers carried out in October 2019 when they looked at typosquatted domains for 34 candidate- and election-related terms, finding 550 sites in total.
    But as the US presidential election has advanced to its final stage, Digital Shadows re-did its older report, and only looked at terms like Trump, Pence, Biden, Kamala, Kamala Harris, vote, elect, and poll.
    But while the new 2020 report found that two-thirds of sites were non-malicious, Digital Shadows says this shouldn’t be taken at face value, as this could change as we near election day.
    “Most of the non-malicious sites that we detected were parked domains, which can act as a false sense of safety; sure, it’s not hosting right now, but that can change within an instant and without warning,” the company said.
    “Additionally, if a parked domain has an MX (Mail eXchange) record, it could potentially be leveraged in a phishing campaign, which we know is bad news all around.”
    Furthermore, even if the sites that were categorized as “non-malicious” (as part of the 67% data set) didn’t host scams or malware, that doesn’t mean they weren’t malicious in the spectrum of election interference, with many of them hosting “negative sentiment” and “brand-damaging” propaganda, for both sides of the election aisle. In fact, this is what the DHS warned about in a bulletin sent to state and local officials across the US last month.
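    As an added illustration of the monitoring and triage described above (example code, not Digital Shadows’ tooling), the block below generates the typo variants of a set of election terms that a monitoring team would watch for, then sorts constructed observations of look-alike domains into the report’s three buckets, flagging the parked-with-MX case the company warns about. The substitution table, the `Observation` record and all domains are assumptions for the example.

```python
# Added example (not from the Digital Shadows report or ZDNet): generate the
# typo variants a monitoring team would watch for a set of election terms, and
# triage observations of registered look-alike domains into the report's three
# buckets. Every domain and observation below is constructed, not a real one.
from dataclasses import dataclass
from typing import Optional

# Assumed substitution table (a small subset of what permutation tools use).
CHAR_SUBS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4"}


def typo_variants(term: str) -> set[str]:
    """Omission, doubling, digit-substitution and transposition variants."""
    term = term.lower()
    out: set[str] = set()
    for i in range(len(term)):
        out.add(term[:i] + term[i + 1:])            # omission:      bidn
        out.add(term[:i] + term[i] + term[i:])      # doubling:      bidden
        if term[i] in CHAR_SUBS:                    # substitution:  b1den
            out.add(term[:i] + CHAR_SUBS[term[i]] + term[i + 1:])
    for i in range(len(term) - 1):                  # transposition: bdien
        out.add(term[:i] + term[i + 1] + term[i] + term[i + 2:])
    out.discard(term)
    return {v for v in out if len(v) >= 3}


def watchlist(terms: list[str], tlds=("com", "org", "net", "vote")) -> set[str]:
    """Candidate domains to look for in registration feeds or passive DNS."""
    return {f"{v}.{tld}" for t in terms for v in typo_variants(t) for tld in tlds}


@dataclass
class Observation:
    """What a crawler recorded for one registered look-alike domain (constructed)."""
    domain: str
    http_status: Optional[int]   # None: no web server answered
    redirect_to: Optional[str]   # final hostname after redirects, if any
    has_mx: bool                 # an MX record exists for the domain
    content: str                 # "parked", "propaganda", "scam", "store", "impersonation" or ""


def triage(obs: Observation, official: set[str], hostile: set[str]) -> tuple[str, str]:
    """Return (category, note) using the report's buckets:
    'non-malicious', 'misconfigured/illegitimate' or 'redirect'."""
    if obs.redirect_to:
        if obs.redirect_to in official:
            return "redirect", "to official site; likely a defensive registration"
        if obs.redirect_to in hostile:
            return "redirect", f"to hostile site {obs.redirect_to}"
        return "redirect", f"to unrelated site {obs.redirect_to}; review"
    if obs.http_status is None or obs.http_status >= 400:
        return "misconfigured/illegitimate", "site down"
    if obs.content in ("scam", "store", "impersonation"):
        return "misconfigured/illegitimate", obs.content
    if obs.content == "parked":
        note = "parked; content can change without warning"
        if obs.has_mx:   # the report's caveat: a parked domain with MX can send phishing mail
            note += "; MX present, usable for phishing"
        return "non-malicious", note
    return "non-malicious", obs.content or "no notable content"


if __name__ == "__main__":
    official = {"official-campaign.example"}      # constructed
    hostile = {"attack-site.example"}             # constructed
    observations = [
        Observation("bidn.com", 200, None, True, "parked"),
        Observation("bdien.org", 301, "official-campaign.example", False, ""),
        Observation("b1den.net", 302, "attack-site.example", False, ""),
        Observation("trmp.com", None, None, False, ""),
        Observation("trumpp.vote", 200, None, False, "store"),
    ]
    print(len(watchlist(["trump", "biden"])), "candidate domains on the watchlist")
    for o in observations:
        print(o.domain, "->", triage(o, official, hostile))
```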


    Firefox will add a new drive-by-download protection

    Image: Mozilla

    Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user’s computer.
    Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker.
    The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file.
    There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use.
    Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can’t be fully achieved because browser makers can’t fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.
    The latest round of protections that browser makers have decided to ship against drive-by downloads targets a technology called “sandboxed iframes,” which is often used to load ads and embeddable widgets (videos, music tracks, podcasts) on third-party sites.
    The idea is that websites rarely initiate downloads via sandboxed iframes since most of these widgets are usually used to embed content.
    Chrome was first to block downloads initiated from “sandboxed iframes” with the release of Chrome 73, in March 2019, and the option was removed completely in Chrome 83, in May 2020.
    This week, Firefox announced similar plans. Starting with Firefox 82, scheduled for release next month, in October 2020, Firefox will block all file downloads that originate from a sandboxed iframe.
    The only situation where downloads will be honored is if the website owner or the web widget provider has set the “allow-downloads” flag on the iframe; however, most don’t, since this is a security risk and a reason why they use sandboxed iframes in the first place, rather than classic iframes.
    Browsers are complex piles of code, and this is a small update in the grand scheme of things, but this is usually how you build a secure product, reacting to threats as they come, and making tiny adjustments here and there, over time.
    A similar feature was proposed to the Safari WebKit team, but no plans have been laid out yet for its implementation.


    Why both Huawei and BTS share the cyber stage with powerful nations

    “Cyberwar is not a thing. We’re not going to bother about it,” said Bangkok-based hacker and cyber analyst The Grugq during this week’s Disclosure cybersecurity conference.
    “What’s more interesting for us is understanding cyber craft, [which is] the application and use of cyber power, and the ways that cyber warfare gets used as an element, as a component, of cyber craft,” he said.
    The kind of cyberwar The Grugq has in mind here is the kind of massive coordinated cyber attack that’s been dubbed “cyber Pearl Harbor” or even, as Australian analyst Greg Austin now puts it, a cyber blitzkrieg.
    As Austin told ZDNet last year, “We’re really talking the plans by states to attack each other with multi-wave, multi-vector destructive cyber attacks across the entire civil and military infrastructure of the enemy.”
    The Grugq doesn’t think that’s the right conceptual framework, however.
    “A lot of the cyberwar theorists, the guys who are wrong, they believe that pretty much the only thing that cyber brought to the table was that it gave you strategic surprise,” he said.
    That thinking comes from an “unconscious desire to pick battles where America lost the battle, but won the war,” he said. 
    “[In World War Two], the Japanese attacked and got us good, but we got them in the end.
    “Wars end. And what we’re going into, what we’re experiencing now, is a sort of constant cyber conflict, and there’s not really a reason for it to stop.
    “So it’s not cyber war. But cyber warfare, on the other hand, is actually very useful to think about.”
    Cyber craft works ‘really, really well’ at the strategic layer
    The Grugq’s presentation offered a framework for thinking about cyber conflict between nations in ways that move beyond the military.
    “Cyber power means that you do things in cyber, and it impacts outside of cyber, and it can do this across all of the instruments of power,” he said.
    This power spectrum is sometimes described as DIME: diplomatic, informational, military, and economic. Sometimes it’s PEST: politics, economy, socio-cultural, and technology.
    “These are the ways that states can basically use their power. These are the levers available to them,” he said.
    “Our thinking [about using cyber power] has to be sophisticated enough to include all four layers of war as we understand them.”
    Those layers are the political, where the broad decisions get made; the strategic, where specific objectives are set to achieve; the operational, which comprises a series of tasks and means to achieve those strategic objectives; and the tactical, where the detailed grunt work gets done.
    “The thing about cyber craft is it works really, really well as a strategic layer,” he said.
    In some ways, The Grugq’s comments echo those of major general Marcus Thompson, head of the Australian Army’s Information Warfare Division, though the wording is different.
    “Despite the fact that my job title is head of information warfare, and I talk a lot about cyber warfare, there’s actually no such thing. There’s just warfare,” Thompson said during a cyber hypothetical at the Australian Defence Force Academy last year.
    “Any response that the government might choose to make that involves the military could occur using any capabilities that the military has available,” he said.
    “A military response would be one of any number of options, or could be part of a suite of options.”
    50 million K-pop fans are a force to be reckoned with
    Cyber power isn’t just about nation-state conflicts either. “There’s a lot of non-states which have more cyber power than states do,” The Grugq said.
    His example is K-pop band BTS, with a fan base numbering 40 to 50 million globally. They’re devoted, they’re online, and many of them will participate in political action when they’re directed.
    BTS fans weaponised their social media presence during the Black Lives Matter protests. But K-pop has always been political, and it’s a phenomenon that foreign policy analysts are watching.
    “These people are going to be operating in cyberspace,” The Grugq said.
    “They already are. And I think that’s awesome. But it also means cyber power now belongs to a K-pop band.”
    How Huawei and ZTE seized the 5G cyber high ground
    Nation-states pay a lot of attention to potential cyber attacks against critical national infrastructure, with electricity grids being the most commonly cited example. The Grugq says that “critical cyber infrastructure” is more important, however.
    “Critical national infrastructure basically just provide subsistence. It’s the utilities, it’s the transport, it’s groceries, all of those things that keep the body alive,” he said.
    But critical cyber infrastructure is where society and indeed the nation as a coherent entity actually exist. Culture, business, finance, law, family, community, education — and of course, politics and strategy and every other kind of organisation.
    “All of this critical cyber infrastructure, the places where society exists and where these complex functions of society exist, these make up the cyber terrain,” The Grugq said.
    “Cyber terrain is very useful in the sense that once you control the terrain, you can, for example, have a home field advantage.”
    The Grugq’s historical example is from World War One.
    Transatlantic telegraph cables ran through the UK, so when Germany needed to talk to Mexico about a potential military alliance, the Brits had visibility. This then led to the interception of the so-called Zimmermann Telegram, which in turn, partially led to the US entering the war.
    The Grugq’s contemporary example is China’s dominance of 5G technology.
    China has recognised 5G as a strategic advantage to them, he said, so they have made sure they dominate the protocol design meetings.
    “They would flood every session with more engineers and more people than anyone else,” The Grugq said.
    “As a result, their people from Huawei and ZTE were the ones that roughly designed 5G, and have a lot of patents, and have the experience, and have been doing the test, and built everything,” he said.
    “So Huawei, due to a strategic decision early on, now provides access to cyber terrain.”
    The same applies to smartphone hardware. Broadly speaking, you’ve got a choice between Apple and Android.
    The same applies to the platforms where people communicate. TikTok is fighting back against a US government ban, and WeChat is an enormously effective tool of influence.
    “The most interesting and most useful one is Zoom,” The Grugq said. “Strategically they’re everywhere,” including business meetings and academia.
    “Zoom, of course, is a Chinese company, making it one of the most important communications companies that is not owned by the US or by a US entity.”
    To those, your correspondent would add Facebook and Google dropping plans for an underwater cable to Hong Kong after security warnings, and Facebook countering Australian government plans to make companies pay to link to news stories by threatening a ban of news being shared on its platform.
    These platforms have plenty of cyber power, and they’ve certainly seized the high ground of the cyber terrain.
    ACSC releases new cyber threat report
    Which brings us to Australia.
    On Friday, the defence minister, Senator Linda Reynolds, launched the latest annual cyber threat report from the Australian Cyber Security Centre.
    It’s the first such unclassified threat report since the Australian Cyber Security Centre (ACSC) became part of the Australian Signals Directorate in 2018. Reports were previously produced in 2015, 2016, and 2017.
    “We’re now facing an environment where cyber-enabled activities have the potential to drive disinformation, and also directly support interference in our economy, interference in our political system, and also in what we see as critical infrastructure,” Reynolds said.
    “This type of activity really does blur what we previously understood to be peace and war, which is what we call that grey zone in between.”
    While not naming China as one of the “sophisticated and very well-resourced state-based actors” involved, Reynolds did say that the threat has increased further since Prime Minister Scott Morrison warned of continued cyber attacks in June.
    As your correspondent noted at the time, the steady increase in such attacks isn’t anything new.
    Disclosure: Stilgherrian travelled to the Australian Defence Force Academy as a guest of UNSW Canberra Cyber.


    CyberCX continues NZ expansion with Insomnia Security purchase

    After launching a New Zealand chapter last month, Australian cybersecurity powerhouse CyberCX has already started its expansion, adding Insomnia Security to its growing list of companies.
    Based in Auckland, with offices in Wellington, Insomnia Security is known for its team of 30 specialised security testers. Founded in 2007, the company specialises in offensive security testing services and is touted by CyberCX as defending against the most current attacks and exploitation techniques through expert training, research, and tool development.
    The team of 30 will join the CyberCX brand.
    “We are delighted to join CyberCX,” Insomnia Security managing director Brett Moore said. “What CyberCX is building is truly unique — New Zealand’s most formidable force of cybersecurity professionals. A world class cybersecurity capability with a dedicated trans-Tasman focus. We are very proud to be part of it.”
    CyberCX, backed by private equity firm BGH Capital, in October brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.
    In announcing it was launching in New Zealand, the company said it was cementing its position as the region’s “leading cybersecurity player”, creating a full-service cybersecurity operator in the country.
    “New Zealand is a natural market focus for CyberCX. With the exponential growth in the number of cyber attacks on Australian and New Zealand businesses and government agencies, and the aggressive tactics we are seeing from threat actors, we need to significantly bolster our trans-Tasman cyber capability to secure our companies and sovereign interests, in particular, Australian and New Zealand critical infrastructure including utilities, agricultural, financial systems, logistics, and supply chain,” Paitaridis said at the time.
    Paitaridis said the Insomnia Security acquisition has established CyberCX’s penetration testing workforce as the largest in the region.
    “Insomnia Security provides CyberCX with a significant enhancement to our security testing expertise and a major boost to our trans-Tasman capability,” he said.
    “The Insomnia Security team has a global reputation, specialising in offensive security testing services. With a customised client-focused approach, Insomnia Security identifies key cyber threats and works strategically with organisations to contain cyber threats before they become a serious breach.”
    CyberCX has also scooped up two Melbourne-based startups since it launched, Basis Networks and Identity Solutions.


    Warner Music discloses months-long web skimming incident

    Image: Dmitry Bayer

    Music recording powerhouse Warner Music Group has disclosed today a security incident that involved some of the company’s online stores.
    Called “web skimming” or “magecart,” this type of attack happens when hackers take control over a website and insert malicious code that logs customer details entered inside payment forms.
    In a data breach notification letter filed today with the Office of the Attorney General in the state of California, Warner Music said it suffered one such attack earlier this year.
    Between April 25 and August 5, Warner Music said hackers compromised “a number of US-based e-commerce” that were “hosted and supported by an external service provider.”
    “Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorized third party,” the company said.
    “This could have included your name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV and expiration date).”
    Payments made through PayPal were not impacted, Warner Music added.
    However, this is about where the data breach notification ends being useful. Warner Music didn’t list the stores where the malicious code was injected, meaning regular shoppers wouldn’t be able to tell if they were impacted or not.
    Since the company manages tens of smaller music studios, it is unclear which of these were affected.
    Warner Music is now offering free credit monitoring through Kroll — details included in the notification letter linked above.


    Facebook explains how it will notify third-parties about bugs in their products

    Facebook engineers manage one of the biggest software portfolios in the world, with tens of apps and millions of lines of code that provide a wide variety of services to billions of users around the world.
    Managing this gigantic codebase is hard work due to its sheer size, and, of course, its complexity.
    Finding security bugs in this giant pile of code isn’t always simple, but through in-house-developed static analysis tools like Pysa and Zoncolan, Facebook has made a concerted effort to find issues before they reach public-facing code.
    However, not much has been revealed about what happens when Facebook engineers discover security bugs inside their code.
    Obviously, the vulnerability is patched, but some bugs are harder to fix than others. That’s because not all of Facebook’s code is unique. A large portion of Facebook’s applications is also propped up by smaller libraries developed by third-parties.
    For the past few years, Facebook has often found vulnerabilities in these third-party components, which the company’s security team has always reported to their respective owners.
    However, not all disclosures have gone to Facebook’s liking. Some library developers have fixed bugs within days, while in other cases Facebook had to fork libraries and patch the code itself, or develop its own in-house alternatives.
    But Facebook believes this shouldn’t be the norm, as it’s not fair to the other users of these third-party libraries, most of which will continue to use the unpatched code.
    One way Facebook wants to address these problematic disclosures is through a new policy the company intends to apply, starting today.
    Facebook’s new vulnerability disclosure policy
    Called a “vulnerability disclosure policy,” it is a set of rules that Facebook engineers plan to apply when reporting vulnerabilities they find to third-party entities.
    According to a summary of these new rules, Facebook promises to “make a reasonable effort to find the right contact for reporting a vulnerability” to any third-party entity.
    After contact is made, Facebook says it will provide an in-depth technical report describing the bug, but if a company/developer doesn’t acknowledge receiving this report within 21 days, its engineers will publicly disclose bug details online so other users/developers can protect their products.
    Third-parties who acknowledge reports have 90 days to fix issues, which is the unofficial standard timeframe in the software community that bug hunters give companies to patch security flaws.
    While Facebook might give some companies some leeway over this 90-day deadline, once this passes, Facebook says it will publicly disclose bug details and let users and companies mitigate the third-party bug as they see fit.
    The only situation where Facebook will go public right away is when a bug in a third-party component is under active exploitation. However, not all zero-days (as such bugs are also called) will be disclosed right away, only those cases where disclosing the bug helps users stay safe.
    These VDPs, or “ethics statements,” as they’re also known, are not unique to Facebook; other companies and even independent security researchers have one, usually listed on their websites.
    For example, this is the VDP of Project Zero, a security team inside Google that’s specialized in finding security flaws in products usually deployed inside Google’s own network.
    Each VDP is unique, but Facebook’s is fairly standard, so third-parties shouldn’t have any issues following its basic rules.
    A more in-depth look at Facebook’s VDP is available below:
    Reporting 
    Facebook will make a reasonable effort to find the right contact for reporting a vulnerability, such as an open source project maintainer. We will take reasonable steps to find the right way to get in touch with them securely. For example, we will use contact methods including but not limited to emailing security reporting emails (security@ or secure@), filing bugs without confidential details in bug trackers, or filing support tickets. 
    The contact should acknowledge the report as soon as reasonably possible. 
    The contact should confirm whether we’ve provided sufficient information to understand the reported problem. 
    In its report, Facebook will include a description of the issue found, a statement of Facebook’s vulnerability disclosure policy, and the expected next steps.
    If needed, Facebook will provide additional information to the contact to aid in reproducing the issue. 
    If we do not receive a response within 21 days from a contact acknowledging the report of a vulnerability, we will assume that no action will be taken. We then reserve the right to disclose the issue.
    For purposes of the disclosure timeframe, Facebook’s sending the report constitutes the start of the process. 
    Facebook will generally decline to sign non-disclosure agreements specific to an individual security issue that we have reported.
     
    Mitigation & Timeline
    Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.
    The contact should be as transparent as possible about the mitigation progress. They are expected to make reasonable effort to fix the reported issue within 90 days.
    Facebook will coordinate the disclosure with the availability or rollout of the fix. 
    If no fix is forthcoming at the 90-day mark, we will notify the contact of our intent to disclose the reported issue. 
    If there are no mitigating circumstances, we will disclose the issue as soon as we are reasonably able to do so.
     
    Disclosure
    Depending on the nature of the problem, there may be a number of disclosure paths: 1) we may disclose the vulnerability publicly, 2) we may disclose it directly to the people using the project, or 3) we may issue a limited disclosure first, followed by a full public disclosure. Facebook will work with the contact to determine which approach is most appropriate in each case.
    Our intent is to disclose vulnerabilities in a way that is most helpful to the community. For example, we may include guidance on workarounds, methods for validating patches are in place, and other material that helps people contain or remediate the issue. 
    We may choose to include a timeline to document communication and remediation actions taken by both Facebook and the third party. Where reasonable, our disclosure will include suggested steps for mitigating actions.
    We will include a CVE when available, and, if necessary, issue an appropriate CVE.
    Additional disclosure considerations
    Here are some potential scenarios when Facebook may deviate from our 90-day requirement:

    If the bug is actively being exploited, and disclosing would help people protect themselves more than not disclosing the issue. 
    If a fix is ready and has been validated, but the project owner unnecessarily delays rolling out the fix, we might initiate the disclosure prior to the 90-day deadline when the delay might adversely impact the public.
    If a project’s release cycle dictates a longer window, we might agree to delay disclosure beyond the initial 90-day window, where reasonable.

    Facebook will evaluate each issue on a case-by-case basis based on our interpretation of the risk to people. 
    We will strive to be as consistent as possible in our application of this policy.
    Nothing in this policy is intended to supersede other agreements that may be in place between Facebook and the third party, such as our Facebook Platform policies or contractual obligations.