
    DNS-over-HTTPS (DoH) support added to Chrome on Android

    Google said today that Chrome for Android will soon support DNS-over-HTTPS (DoH), a protocol that encrypts DNS queries to boost user privacy.
    DoH support has been available in desktop versions of Chrome since May, with the release of Chrome 83; however, the feature was never added to the Android and iOS versions.
    In a short blog post today, Google said that it has now decided to enable the feature for Android users, where it will progressively enable DoH inside Chrome mobile browsers over the coming weeks.
    All users who have updated to Chrome for Android 85 will, at one point or another, see a new option in their browser’s settings, titled “Secure DNS.”

    Image: Google
    The Secure DNS option will be enabled by default for all users, and once turned on, Chrome will attempt to make DNS queries in an encrypted form (via DoH), where supported, and use classic plaintext DNS as a fallback.
    Under the hood, Google said the feature works identically to the desktop versions of Chrome, meaning that users don’t have to tinker with Android’s overall DNS settings.
    Instead, Chrome will use an internal list of DoH-capable DNS servers, and if the user has one configured as the OS-wide DNS setting, Chrome will use that server’s DoH interface instead of the default one, and replace plaintext DNS queries with encrypted DoH queries on the fly.
    In addition, for situations where users don’t want to change their Android device’s system-wide DNS server to one that supports DoH, Google also lets users customize Chrome’s DoH server just for their browser alone.
    Chrome users can do this by using the second option in the screenshot above, named “Choose another provider,” and add the IP address of the DNS server they want to use. Since this option is configured inside Chrome’s settings, it only applies to Chrome for Android, and not to the entire Android OS.
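The upgrade logic described above (match the OS resolver against a list of DoH-capable providers, use a per-browser override if set, otherwise stay on plaintext DNS) as an added, self-contained example; it is not Chrome's code, the provider table and hostnames are constructed, and no network traffic is sent.

```python
import base64
import struct
from typing import Callable, Optional

# Constructed provider table (an assumption for this example, not Chrome's real
# internal list): IP of a resolver the OS is configured with -> its DoH template.
# 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes, not real resolvers.
DOH_PROVIDERS = {
    "192.0.2.53": "https://doh.example.net/dns-query",
    "2001:db8::53": "https://doh.example.net/dns-query",
}


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query (qtype 1 = A, class IN).
    The transaction ID is fixed to 0, as RFC 8484 recommends for DoH, so that
    identical questions produce identical, cache-friendly requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(template: str, query: bytes) -> str:
    """RFC 8484 GET form: the query travels base64url-encoded, unpadded, in ?dns=."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={param}"


def decode_doh_param(url: str) -> bytes:
    """What a DoH server does with the ?dns= parameter: restore padding and decode."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def plan_lookup(os_resolver: str, name: str, override: Optional[str] = None) -> dict:
    """Mirror the decision the article describes: use the DoH provider chosen in
    Chrome's own settings if there is one, else upgrade the OS resolver to DoH
    if it is a known provider, else stay on classic UDP port 53."""
    template = override or DOH_PROVIDERS.get(os_resolver)
    query = build_dns_query(name)
    if template is None:
        return {"transport": "udp53", "resolver": os_resolver, "payload": query}
    return {"transport": "doh", "url": doh_get_url(template, query),
            "fallback_resolver": os_resolver, "payload": query}


def resolve(plan: dict, send_doh: Callable[[str], bool]) -> str:
    """Carry out the plan; if the DoH request fails, fall back to plaintext DNS
    as the article says Chrome does. send_doh stands in for the HTTPS request
    and returns True on success. Returns the transport actually used."""
    if plan["transport"] == "doh" and send_doh(plan["url"]):
        return "doh"
    return "udp53"


if __name__ == "__main__":
    plan = plan_lookup("192.0.2.53", "example.com")
    print(plan["transport"], plan.get("url"))
    print("used:", resolve(plan, lambda url: False))  # simulated DoH failure
```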
    Furthermore, Google says that Chrome for Android will automatically disable DoH if it finds that the smartphone is part of a managed environment, such as a corporate network. On these networks, IT staff usually deploy enterprise-wide policies to control a company’s smartphone fleet for security reasons, and DoH can in some cases expose users to attacks, which is why Google won’t force the setting in such tightly controlled environments.
    Google didn’t say when DoH is coming to Chrome for iOS; however, this is very likely a long way off, as Apple has only recently added support for the DoH protocol to iOS and macOS.

    Backdoors left unpatched in MoFi routers

    Canadian networking gear vendor MoFi Network has patched only six of ten vulnerabilities that security researchers reported to the company in May this year.
    Still unpatched are a command injection vulnerability and three hard-coded, undocumented backdoor mechanisms, all affecting the company’s line of MOFI4500-4GXeLTE routers.
    These devices are very powerful business routers that MoFi describes as “high performance mission critical enterprise rugged metal router made for businesses or customers.”
    MOFI4500-4GXeLTE routers provide high bandwidth connections to business users via LTE (4G) uplinks and are normally deployed by internet service providers or other companies that need to ensure internet access to remote business points where normal wired internet connections aren’t available.
    Ten security flaws discovered in MOFI4500-4GXeLTE routers
    In a report shared with ZDNet today, cyber-security firm CRITICALSTART says it discovered ten vulnerabilities in the firmware of MOFI4500-4GXeLTE routers earlier this year.
    The ten vulnerabilities cover a wide range of issues, some more serious than others, all detailed in the table below.

    Image: CRITICALSTART
    CRITICALSTART said it notified the MoFi security staff of the vulnerabilities, but when the company issued a firmware update earlier this year, it only included patches for six of the ten bugs.
    The four rows in yellow above represent the four vulnerabilities that MoFi has not (yet?) patched.
    Asked to comment on this report and why it didn’t patch the last four bugs, MoFi did not return a contact request sent yesterday via the company’s website.
    Exploitation is possible in some scenarios
    Since the list of bugs contains quite a few backdoors, one would expect that these bugs are quite attractive for botnet operators — and indeed they are.
    Exploiting the ten vulnerabilities only requires that an attacker have a direct line to the device’s web management interface, which CRITICALSTART says is accessible by default on all network interfaces — via both LAN (internal) and WAN (external).
    However, CRITICALSTART says that since many MOFI4500-4GXeLTE routers are employed by ISPs, some of these devices have some sort of minimal protection in place, blocking attackers from easy hacks.
    “Many Internet Service Providers (ISP) use Carrier Grade NAT which prevents direct access to the management interface from the Internet,” CRITICALSTART said.
    “This does not limit an attacker with access to the LAN interface or to the internal ISP network. In some cases, the vulnerability can be triggered indirectly by a user clicking a link or visiting a malicious web site.”
    For example, one such scenario of how these bugs could be exploited is via malicious code embedded inside ads. When an ISP employee or a customer on the ISP’s network accesses a website with one of these ads, the malicious code runs inside the browser (located in the ISP’s LAN) and hacks the MOFI4500-4GXeLTE router on behalf of the attackers.
    This means that blocking access to the router’s management interface on the WAN side may not be a foolproof solution in the long run, and, eventually, a firmware update needs to be applied to patch the remaining bugs and prevent future attacks.
    Because of the danger that these bugs pose, CRITICALSTART said it also notified US-CERT about its findings, and the organization appears to have worked behind the scenes on securing these devices.
    CRITICALSTART reached this conclusion after observing the number of internet-accessible MoFi devices go down by more than 40% over the summer, from 14,000 devices on June 25, to around 8,200 devices on August 25.
    “We suspect this is the result of US-CERT working with ISPs to restrict network access,” the CRITICALSTART research team said.

    AWS introduces Bottlerocket: A Rust language-oriented Linux for containers

    Earlier this year, Linus Torvalds approved of adding drivers and other components in Rust to Linux. Last week, at the virtual Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux inline code. And, now Amazon Web Services (AWS) has announced that its just-released Bottlerocket Linux for containers is largely written in Rust.

    Mozilla may have cut back on Rust’s funding, but with Linux embracing Rust after almost 30 years of nothing but C, Rust’s future is assured.
    Rust was chosen because it lends itself more easily to writing secure software. Samartha Chandrashekar, an AWS Product Manager, said it “helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities.” Many other developers agree with Chandrashekar.
    Bottlerocket also improves its security by using Device-mapper’s verity target (dm-verity). This is a Linux kernel feature that provides integrity checking of the root filesystem to help prevent attackers from overwriting core system software, or other rootkit-style attacks. It also includes the extended Berkeley Packet Filter (eBPF); in Linux, eBPF is used for safe and efficient monitoring of kernel functions.
    This new Linux discourages administrative connections to production servers. The admin container runs Amazon Linux 2. It contains utilities for troubleshooting and debugging Bottlerocket and runs with elevated privileges. The goal is to make logging into an individual production Bottlerocket instance largely unnecessary except for advanced debugging and troubleshooting.
    To make sure that Bottlerocket instances are as secure as possible, they run with Security-Enhanced Linux (SELinux) in enforcing mode. This increases the isolation between containers and the host operating system.
    Normally when someone mentions SELinux, administrators fear they’ll have trouble running applications on it. AWS assures users that that’s not the case here. Besides security, Bottlerocket is also designed to be quick and easy to maintain.
    It does this, like other container-oriented Linux distributions such as Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS, by including the bare essentials needed to run containers. Many AWS partners already support their applications on Bottlerocket such as Datadog, Splunk, and Puppet.
    To administer Bottlerocket, initially you’ll need to use Amazon Elastic Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS).
    Don’t think that Bottlerocket is just an AWS show. It’s not. Bottlerocket is an open-source project. GitHub hosts all its design documents, code, build tools, tests, and documentation. Besides its standard open-source elements, such as the Linux kernel and containerd container runtime, Bottlerocket’s own code is licensed under your choice of either the Apache 2.0 or the MIT license. If you modify Bottlerocket, you may use “Bottlerocket Remix” to refer to your builds in accordance with the policy guidelines.
    For AWS users, the attraction is, of course, that it’s an easy-to-use, secure container Linux for their favorite public cloud. As someone who has used Linux for decades, I find its use of Rust to be its most fascinating feature. For both cloud developers and Linux programmers, there are interesting times ahead.

    Android security: Six more apps containing Joker malware removed from the Google Play Store

    Cybersecurity researchers have unmasked six applications on the Google Play store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years.
    Joker malware pretends to be a legitimate app in the Play Store but after installation conducts billing fraud by either sending SMS messages to a premium rate number or using the victim’s account to repeatedly make purchases using WAP billing, which also lines the pockets of Joker’s operators.

    The activity occurs behind the scenes and without any input required from the user, meaning they often won’t find out that they’ve been scammed until they receive a phone bill full of additional charges.
    Google has removed over 1,700 apps containing Joker malware from the Play Store since 2017, but the malware keeps re-emerging and now six new malicious apps have been identified by researchers at cybersecurity company Pradeo.
    Of the six apps uncovered as delivering Joker, one called ‘Convenient Scanner 2’ has been downloaded over 100,000 times alone, while ‘Separate Doc Scanner’ has been downloaded by 50,000 users.
    Another app, ‘Safety AppLock’, claims to ‘protect your privacy’ and has been installed 10,000 times by unfortunate victims who will eventually find that the malicious download harms, rather than protects, them.
    Two more apps have also received 10,000 downloads each – ‘Push Message-Texting&SMS’ and ‘Emoji Wallpaper’ – while one named ‘Fingertip GameBox’ has been downloaded 1,000 times.
    The six apps have now been removed from the Play Store after being disclosed to Google by Pradeo. ZDNet has attempted to contact Google for comment; no response had been received at the time of publication.
    Users who have any of the applications on their Android smartphone are urged to remove them immediately.
    The six apps are just the latest in a long line of malicious downloads that the group behind Joker – also known as Bread – has attempted to sneak into the Play Store.
    A previous blog post by Google’s Android security and privacy team describes Joker as one of the most persistent threats the Play Store faces, with the attackers behind it having “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected”. They also note that the sheer number of attempted submissions to the Play Store is one of the reasons it has remained so successful, with up to 23 different apps submitted a day during peak times.
    In many cases, the malicious apps have been able to bypass the defences of the Play Store by submitting clean apps to begin with, only to add malicious functionalities at a later date.
    “These apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code,” Pradeo’s Roxane Suau told ZDNet. “Then, they leverage their numerous permissions to execute the malicious code. Security checks of these apps’ source code as it is published on the store do not detect the malware, because it’s not there yet,” she added.
    The authors of Joker attempt to encourage downloads of the malware by entering fake positive reviews – although many of the apps identified by Pradeo also have many negative reviews by users who’ve fallen victim to the malware, something that users should look out for when downloading apps.
    The individual or group behind Joker is highly likely to still be active and attempting to trick more users into downloading malware in order to continue the fraud operation.

    New KryptoCibule Windows malware is a triple threat for cryptocurrency users

    Cyber-security firm ESET has published a report today detailing a new strain of Windows malware that the company has named KryptoCibule.
    ESET says the malware has been distributed since at least December 2018, but only now surfaced on its radar.
    According to the company, KryptoCibule is aimed at cryptocurrency users, with the malware’s main three features being to (1) install a cryptocurrency miner on victims’ systems, (2) steal cryptocurrency wallet-related files, and (3) replace wallet addresses in the operating system’s clipboard to hijack cryptocurrency payments.
    These features are the result of extensive development work on the part of the malware’s creators, who have steadily added new components to KryptoCibule’s code since its first version in late 2018.
    According to ESET, the malware has slowly evolved into a convoluted multi-component threat, far above what we have seen in most other malware strains.
    Currently, the malware is spread via torrent files for pirated software. ESET says that users who download these torrents will install the pirated software they wanted, but they’ll also run the malware’s installer as well.
    This installer sets up a reboot persistence mechanism that relies on scheduled tasks and then installs the core of the KryptoCibule malware (the launcher), the OS clipboard hijacker module, and Tor and torrent clients.
    ESET says KryptoCibule uses the Tor client to securely communicate with its command-and-control (C&C) servers, hosted on the dark web, while the torrent client is used to load torrent files that will eventually download other additional modules, such as proxy servers, crypto-mining modules, and HTTP and SFT servers, all useful for one or more tasks in the malware’s modus operandi.
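The clipboard-hijacking behaviour described above (a copied wallet address is silently swapped for a different address of the same type) can be spotted on the endpoint by comparing what the user actually copied with what the clipboard later holds. This is an added detection sketch, not ESET's code: the address patterns are simplified and the event timeline and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address formats a clipper typically swaps. Simplified patterns (an assumption of
# this example): bech32/legacy Bitcoin and hex Ethereum, with no checksum check.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Name the cryptocurrency address format that text matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipEvent:
    source: str  # "user": the user pressed copy; "poll": the monitor read the clipboard
    text: str


def detect_hijacks(events: List[ClipEvent]) -> List[Dict[str, str]]:
    """Flag clipboard contents that changed, without a user copy in between, from
    one address to a different address of the same kind: the signature of a
    clipper. A change to unrelated text or to a different address kind is not
    flagged, so ordinary copy/paste activity produces no alert."""
    last_user_copy: Optional[str] = None
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev.source == "user":
            last_user_copy = ev.text
            continue
        if last_user_copy is None or ev.text == last_user_copy:
            continue
        kind = address_kind(last_user_copy)
        if kind is not None and address_kind(ev.text) == kind:
            alerts.append({"kind": kind, "copied": last_user_copy, "found": ev.text})
            last_user_copy = ev.text  # one alert per swap, not one per poll
    return alerts


# Constructed timeline (not data from ESET's report); the addresses are made up
# strings that merely match the patterns above.
VICTIM_BTC = "bc1q" + "a2" * 19
SWAPPED_BTC = "bc1q" + "7k" * 19
VICTIM_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ClipEvent("user", VICTIM_BTC),
    ClipEvent("poll", VICTIM_BTC),   # unchanged: fine
    ClipEvent("poll", SWAPPED_BTC),  # silently replaced: alert
    ClipEvent("poll", SWAPPED_BTC),  # same swap still present: no second alert
    ClipEvent("user", "meeting at 10"),
    ClipEvent("poll", "meeting at 10"),
    ClipEvent("user", VICTIM_ETH),
    ClipEvent("poll", SWAPPED_ETH),  # alert
]

if __name__ == "__main__":
    for alert in detect_hijacks(SAMPLE_EVENTS):
        print(f"{alert['kind']} address replaced in clipboard: "
              f"{alert['copied']} -> {alert['found']}")
```

On a real host the "user" events would come from a copy hook and the "poll" events from periodically reading the clipboard; the comparison logic is unchanged.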
    All in all, KryptoCibule is bad news for cryptocurrency users, since this is clearly a strain designed by persons with knowledge of modern malware operations.
    However, there is also good news, at least for now. ESET says that despite being a pretty complex threat, KryptoCibule’s distribution appears to have been limited to only two countries, namely the Czech Republic and Slovakia.
    ESET researchers say that almost all the malicious torrents distributing pirated software laced with KryptoCibule were only available on uloz.to, a popular file-sharing site in the two countries.
    This limited distribution appears to have been planned from the beginning, as KryptoCibule also contains a feature that checks for the presence of antivirus software on a victim’s computer, and this module only checks for ESET, Avast, and AVG – all three being antivirus companies based in either the Czech Republic or Slovakia, and therefore the products most likely to be found on the computers of the targeted users.
    However, the fact that this malware strain is currently only distributed in a small area of the globe is no reason to believe this will remain so in the future.
    Users should remain vigilant, and the simplest way to avoid a threat like KryptoCibule is to not install pirated software. Multiple reports over the last decade have warned users that most torrent files for pirated software are laced with malware and not worth the risk.

    AusCERT says alleged DoE hack came from a third-party

    The Australian Computer Emergency Response Team (AusCERT) denied claims today that hackers had breached the Department of Education, Skills, and Employment (DoE), and downloaded the personal details of more than one million students, teachers, and staff.
    Rumors of a supposed hack first surfaced yesterday after a hacker shared an archive file on a hacker forum, which they initially advertised as data obtained from the Australian DoE.
    According to a screenshot of a now-deleted forum post, the hacker claimed the data contained more than one million records for Australian students, teachers, and DoE staff, that they obtained back in 2019.

    Actor hacked and dumped the Australian department of education’s database containing 1,000,000 records of students, teachers, and staff. The leak contains information such as emails, names, and hashed passwords. pic.twitter.com/MmewoWPuWE
    — Alon Gal (Under the Breach) (@UnderTheBreach) September 1, 2020

    However, AusCERT says that such a hack never took place.
    In a statement posted on its website, AusCERT said that after analyzing the data with cyber-security firm Cosive, it determined that the leaked data originated from K7Maths, an online service providing school e-learning solutions.
    “It’s likely that the data came from an exposed Elasticsearch instance,” AusCERT said, also adding that this was not a new leak, and had been previously shared online already, back in March 2020.
    Per AusCERT, the leaked data contained details such as first names, emails, password strings, and K7Maths site settings.
    “There are no plaintext passwords exposed, just bcrypt hashes, although they can be cracked with enough effort,” AusCERT said.
    The non-profit organization, which provides cyber-security alerting services for the Australian public and private sector, said that only the email address and country of origin fields in the leaked data count as “personal information,” and the leak is not severe enough to trigger a data breach notification to those affected.
    AusCERT is now urging Australian schools to check whether their staff use the K7Maths service for their daily activities, and to take appropriate measures, such as resetting teachers’ and students’ passwords, in case they had reused those passwords across other internal applications.
    Furthermore, AusCERT says that staff accounts should also be monitored for suspicious logins, just in case an account is compromised and used to access school resources.
    K7Maths could not be immediately reached for comment. ZDNet will update this article with a statement from the company if it wishes to issue one.

    Australian Defence hunts for new contractor to build new recruitment database

    Australia’s Department of Defence has started its search for a partner that can help deliver a new recruitment system for the Australian Defence Force (ADF).
    Defence said under the contract, which will be worth more than AU$1 billion over 10 years, the successful partner would be responsible for delivering an “adaptable, scalable, modern, competitive, collaborative, and transparent” recruiting system.
    “The partner will bring expertise in marketing, recruiting operations and candidate management, medical and psychological testing and assessments, ICT, facilities management and administration,” the agency said.
    “Defence is focused on maximising industry participation and engaging with a wide range of companies with the capability and capacity to deliver the requirements. Defence aims to modernise its ADF recruiting approach through the process.”
    Defence said the tender process would be undertaken in two stages. The first involves an open market request for proposal (RFP) to identify potential respondents, and the second would be a request for tender (RFT) to a number of shortlisted respondents that were successful in stage one.
    Submissions for the RFP will close on December 18, with plans to notify shortlisted respondents by July 2021. Shortlisted respondents will then have until December 2021 to provide their submission to the RFT.
    Defence said the successful contractor would be finalised by October 2022.
    Plans to develop the new recruitment system come after the Australian Signals Directorate (ASD) notified Defence and its recruitment database contractor that it had reason to believe it was vulnerable to a Netscaler bug a month after Citrix made the vulnerability public.
    “On the 24th of January … through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue,” director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates in March.
    Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.
    The ASD said the database was full of personal information such as health information, medical exams, and psychological information.
    “This particular network that we are talking about here for the Defence Force recruiting is an external network, not part of the Defence network,” Defence CIO Stephen Pearson said.
    As reported by the ABC, the DFRN was offline and quarantined for 10 days from February 2 to February 12. A source told the ABC that the issue was detected before Christmas and crisis meetings were held twice a day over the issue. The database was run by ManpowerGroup, the ABC reported.
    In response to Questions on Notice, Defence said Citrix issued its notice on 17 December 2019, but the agency was only aware of it a week later.
    “On 24 December 2019, Defence became aware of the vulnerability through normal monitoring of open source reporting and commenced assessments with the DFR hosting provider to ascertain the relevance of this vulnerability to Defence,” Defence said.
    “The Australian Cyber Security Centre (ACSC) issued public advice on 25 December 2019 that notified of the vulnerability and mitigations strategies.
    Defence said on December 27 that it began monitoring for “external reconnaissance and scanning attempts” against Citrix assets in its environment.
    “On 6 January 2020, a Vulnerability Alert was issued to all identified system owners within Defence, and to our Managed Service Providers,” it said.
    “Between 6 January 2020 and 19 January 2020 Defence continued working with system owners and managed service providers to ensure mitigations were applied.”
    The Defence timeline showed the department had a month before the ASD stepped in.

    Unknown commercial entity blamed for NSW driver's licence data breach

    Earlier this week, it was revealed information on thousands of New South Wales driver’s licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open.
    According to Transport for NSW (TfNSW), it was told on Thursday by Cyber Security NSW that a cloud storage folder hosted by Amazon Web Services (AWS) containing personal information, including photos of driver’s licences, was not adequately secured.
    “Transport for NSW quickly established that it was not the owner of the cloud storage folder,” it said in a statement.
    On Tuesday, Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.
    AWS has so far not provided information on the identity of the commercial entity, nor the customers that may have been affected by the breach, Cyber Security NSW chief cybersecurity officer Tony Chapman said.
    “There are mandatory reporting requirements under the Office of the Australian Information Commissioner that the commercial entity needs to adhere to,” he said. “Cyber Security NSW will continue to work with other organisations to seek more information about the commercial entity involved and encourage them to reach out to their customers if their information has been breached.”
    Chapman said the information was not provided by, nor sourced from NSW government agencies, and that his team does not know how long this commercial entity had this data open for, nor who had access to it.
    TfNSW said as it is not the owner of the folder and does not have access to its contents, the identities of all those who may have been affected cannot be determined.
    “Transport for NSW takes customer data security concerns seriously and will support those who have been the victim of identity theft,” TfNSW said. “Where necessary new driver licence/photo cards are reissued on a case-by-case basis.”
    Cyber Security NSW launched its Cyber Security Vulnerability Management Centre in July. Operating out of Bathurst, 200km west of Sydney, the centre is responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.
    Service NSW in April fell victim to a phishing attack. The email accounts of 47 Service NSW Staff members were illegally accessed, with the emails containing customer information.
    A spokesperson for Service NSW told ZDNet that an investigation into the matter was still ongoing.
    “The analysis into the attack on Service NSW staff email accounts is ongoing and the specialist teams are working through complexities including ensuring the data remains secure during the review,” they said.
    Also this year, the state government experienced a power outage at one of its data centres in Silverwater, west of Sydney, resulting in many state health and customer service functions reverting to manual processes.