More stories

  • Best travel VPN 2021

    Of all the situations you might find yourself in when using a VPN, perhaps the one where your VPN is at its most mission critical is when you’re traveling. When you’re away from home, you’re dependent on whatever communication infrastructure exists where you are. That might be a solid, secure infrastructure, or it might be one that’s insecure, or even one designed by the host government where you’re located to siphon up every last bit of information about you that it can.

    VPNs create secure tunnels that should allow you to get back to your home network resources, whether that’s a public cloud in your home country or your corporate server. They protect your ability to conduct whatever financial transactions you need to make while traveling. They may even protect your identity from stalkers or local organized crime that might be looking for an executive to kidnap and ransom.

    Keep in mind that VPNs are illegal in some countries, precisely because the host government wants to snoop on all traffic. Make sure you check into local laws before you do something that may be frowned upon, possibly with quite serious consequences.

    Sure, VPNs can also let you stream your movies from your home services while away, but they serve a much more serious purpose when on the road. Choose carefully.

    ExpressVPN: servers in 94 countries

    Locations: 160
    Simultaneous Connections: 5 or unlimited with the router app
    Kill Switch: Yes
    Platforms: A whole lot (see the full list on ExpressVPN’s site)
    Logging: No browsing logs, some connection logs
    Trial/MBG: 30 days

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    When it comes to travel, a key advantage of ExpressVPN is the private DNS it runs on every VPN server. That means that when you’re trying to access Gmail, for example, ExpressVPN’s DNS will give you an actual IP address for Gmail. If you’re relying on your local host network’s DNS, you have no idea what actual IP address you’re being sent to. It looks like Gmail, but is it really? Or did you just give a hostile government or organized crime your Gmail credentials? Make use of ExpressVPN’s private DNS.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch. While you’re unlikely to use all these platforms while traveling, it’s nice to know ExpressVPN will be useful when you’re back home as well.

    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Surfshark: servers in 65 countries

    Servers: 3,200+
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The leak protection can be a big deal when traveling, especially if you want to hide the fact that you’re using a VPN from either the local Internet service provider or the host government.

    The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy. To prevent WebRTC leaks, Surfshark offers a special-purpose browser plugin designed specifically to combat those leaks. Surfshark also offers private DNS capabilities, as well as what it calls NoBorders mode. This feature is designed to enable you to access sites regardless of restrictive border connections. Be careful, though. Countries restricting access tend to frown on your bypassing those restrictions.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    NordVPN: servers in 59 countries

    Servers: 5,517
    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Trial/MBG: 30 days

    NordVPN is one of the most popular consumer VPNs out there. We found that NordVPN performance was generally consistent across a wide range of test situations. This means that if you’re traveling, you’re likely to be able to count on NordVPN performing about as well, no matter where you’re connecting from and to.

    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for Tor capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    IPVanish: servers in 52 countries

    Servers: 1,900
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Trial/MBG: 30 days

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. This list can prove hugely helpful when on the road, because it will give you the option to tune which service and server you choose based on your current location. There’s also a raft of configuration options for the app itself.

    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Inability to hide being on a VPN could be problematic for traveling, which is why this is the last choice in our list of recommendations. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN. The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    How can I find out what the VPN rules are for the countries I’m visiting?

    There are a number of sources. First, it’s always a good idea to reach out to your VPN vendor. They often have a good feel for the countries their services operate in. If you’re an American citizen, contact the US State Department. Foggy Bottom often lists travel advisories for US citizens, and they have foreign service officials who can provide general guidance. Check the travel advisories web page. If you’re outside the US, your nation’s foreign ministry may have a similar service.

    Is a VPN all I need to be protected while traveling?

    No. No way. VPNs can, generally, protect your data while it’s in motion. But if your computer or phone is seized (whether or not it’s encrypted), it’s possible governments can access your data. Some governments might simply hold your devices for whatever reason they deem useful. Online services you access in-country might have fewer protections than the very same services in your home country. And, of course, there are all the normal travel security issues, like being careful what you spend, how you handle cash, who you trust, and so on, that could cause risk while traveling.

    If my hotel has a wired connection, do I still need to use a VPN?

    Yes. Don’t assume any network endpoint is safe when traveling. Always make sure your connections are encrypted when communicating from any network connection.


  • Apartment living is the frontier for 5G home internet

    Image: Getty Images
    There are two areas when rolling out broadband that present issues: the most remote and the most dense areas. For the remote areas, the argument is based purely on economics, but for built-up areas where it makes absolute economic sense, other issues come to the fore.

    In the case of Australia, the national broadband wholesaler is busy ensuring that 75% of its fixed-line footprint is capable of hitting 1Gbps by 2023. The gaping hole in this plan is those living in apartments, who are unlucky enough to not have a fibre or cable connection and instead have to make do on twisted pair. Unlike many places in North America, Australia had the briefest flirtation with cable rollouts in the 1990s, which means that even with fairly modern apartment blocks, there is no guarantee anything other than twisted pair will be installed from the fibre connection in the comms room to your unit.

    NBN CEO Stephen Rue told ZDNet last year when the upgrade plans were announced that the company was looking at “ways that all our networks can have greater capability”. A year on, the company must still be looking because as it soldiers on upgrading houses, standalone businesses, and single-dwelling premises, apartment dwellers are being left behind.

    It is into this void that Australia’s telcos have entered, none more so than TPG Telecom, which has actively tried to get users interested in 12Mbps connections onto its LTE fixed wireless. The company recently said it saw its number of users on the service triple in the first six months of the year.

    Speaking last week, CEO Iñaki Berroeta was buoyant about the telco’s prospects in replicating its success on 5G fixed wireless. “5G technology is enabling us to deliver much faster speeds on our new 5G home internet service than similarly priced NBN50 and NBN100 plans,” he said. “Consumers have different speed usage and budget requirements for their home broadband service, and we’re giving them choice.” Given NBN has less than 8% of its users on plans over 100Mbps, and the majority on 50Mbps, the addressable market is certainly there.

    Upgrading apartment blocks can be a tough problem to solve at the best of times. When an owners’ group can struggle to agree on fixing and paying for waterproofing, and is thoroughly disturbed by the idea of laundry being visible from the street, raising the idea of retrofitting a piece of fibre up the inside of a building, or heaven forbid the outside, seems like a bridge too far — it’s much easier to fire electromagnetic waves into the building instead. This also works for the telcos because they can mount microcells on street lights to boost capacity and coverage when needed, and while guaranteeing to stick around 100Mbps on LTE could be touch and go, doing so on 5G is much less of a regulatory risk.

    Under its Vodafone moniker, TPG is offering a AU$75 plan capped at 100Mbps, and another for AU$10 a month more removes the speed cap. That’s all well and good, but the real ace up its sleeve could be its AU$85 a month all-you-can-eat mobile plan. It is currently unknown at what sort of usage limit TPG will start to apply its fair use policies on the plan, but it looks extremely tempting if you can get a Vodafone 5G signal to drop the existing fixed connection, hotspot the phone, and go for broke. Vodafone has said there is a 30GB tethering quota on the plan, but unless it is doing active traffic sniffing and monitoring or assuming everyone is still on tethering-locked iPhones from last decade, the question of detecting tethering by users is unanswered.

    In the wake of Vodafone’s recent announcement, the Australian Communications Consumer Action Network (ACCAN) slightly shifted its position on whether 5G is a substitute for fixed wireless. “For some households, a 5G home internet plan may better suit their needs than an NBN connection — for example if they move quite frequently, or there’s only one or two people in the household. However, for households that have multiple people trying to use the internet at once for things like streaming video, using video conferencing, and playing video games online, they will still likely be better serviced by an NBN connection,” ACCAN deputy CEO Andrew Williams said. “We also believe that at AU$85 per month, Vodafone’s plan may be too expensive for many households, especially those on low incomes, to consider making the switch.” Not for the last time, if a trend is to take off, it will first be seen when trendy inner city types take it up.

    ZDNET’S MONDAY MORNING OPENER

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

  • iDrive launches cloud-based Remote Desktop for PCs

    Ever left documents, images, or video on a laptop, tablet, or phone that isn’t close at hand and needed to obtain that content fast? Well, there’s a new-gen app for that.

    IDrive on Sept. 9 launched Remote Desktop, a new cloud service that enables users to remotely access their RDP-based Windows computers and servers from any PC, Mac, Android, or iOS device at any time from any location. The company claims that this is the first cloud app to perform these functions.

    Remote Desktop Protocol (RDP) is a proprietary protocol originally developed by Microsoft in 1997 that provides a user with a graphical interface to connect to another computer over a network connection. Both the user and the other PC must employ RDP client software for this purpose.

    Using RDP can get complicated, especially in enterprises where one or more servers are used among multiple teams or individuals. But all this configuration involving a VPN (virtual private network), Microsoft RD Gateway, public servers/IP, or firewall changes isn’t necessary with Remote Desktop, which automatically makes all the connections necessary for a remote desktop session. All that’s needed is for each user to subscribe to Remote Desktop, download an iDrive RD agent onto a device, and then connect to the service.

    “Remote Desktop allows users to access their work, share files/folders, and manage their computer as if they are sitting in front of it, making it ideal for remote work, remote learning, and work-from-home,” CEO Raghu Kulkarni told ZDNet.

    “RDP requires complex configurations. If you use the Microsoft gateway, you have to have a domain controller and configure a specific device you had to buy licenses to, to be able to access from anywhere; if the servers are within a NAT (network address translation, a way to map multiple local private addresses to a public one before transferring the information); are outside of the public IP (internet protocol); or inside of a public IP in a local network; or use VPN solution,” Kulkarni said. “So what we bring to the table is account-based access to RDP servers; you can access from anywhere without any configuration; you just need a username, password and you connect. We have created a tunnel solution.”

    Remote Desktop features end-to-end encryption from client to server. “It’s secure and it’s faster,” Kulkarni said. “When you try it, you will see that you can connect to the RDP-based host really fast, and so you have the best of both worlds. On one hand, you use a Microsoft RDP, which is a proven reliable platform for enterprise or even a small business, remote access and service; we piggyback on top of it and add our service to make it easily accessible from anywhere.”

    A summary of Remote Desktop features:

    User management: Users can be added to the Remote Desktop account and manage their remote access rights via the web application.
    File transfer and remote printing: Copy and paste multiple files and folders between local and remote computers, and print remotely stored documents, PDFs, images, and other files using local printers.
    Multi-access sessions: Establish simultaneous remote connections to one computer/server from multiple Remote Desktop viewers.
    Device redirection: Access local devices and resources such as drives, printers, smart cards, video-capturing devices, and PnP devices in remote sessions.
    Access via agent installation: Remotely access PCs via agent installation and skip configuring Microsoft RD Gateway, VPN tunneling, and firewall changes.
    Remote deployment: Deploy the Remote Desktop agent on multiple computers via Microsoft Group Policy using the MSI and MST files.
    Multi-monitor support: Work with multiple monitors of your remote desktop. View and switch between multiple monitors on a single screen.

    Remote Desktop also enables businesses to meet the mandates of government and industry regulations regarding digital data management, safekeeping, and privacy, Kulkarni said. Pricing for the service starts at $9.95/year per computer for unlimited users and unlimited remote access. Remote Desktop also offers a free seven-day trial for up to five users.

  • HAProxy urges users to update after HTTP request smuggling vulnerability found

    Users of HAProxy 2.0 and earlier versions are being urged to push through updates after a vulnerability was found that could allow “an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack.”

    “Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value,” HAProxy explained in a blog. “Due to the difficulty in executing such an attack, the risk is low.” HAProxy provided a list of affected versions and fixed versions while also providing a workaround for those who are not able to update right away.

    The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem. JFrog researchers Ori Hollander and Or Peles wrote that CVE-2021-40346 is an integer overflow vulnerability that makes it possible to conduct an HTTP request smuggling attack, explaining that it has a CVSSv3 score of 8.6. “This attack allows an adversary to ‘smuggle’ HTTP requests to the backend server, without the proxy server being aware of it,” the researchers said, commending HAProxy CTO Willy Tarreau and their security team for “promptly and professionally handling this issue.”
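    The check the story describes, a proxy refusing to forward a request whose body framing is ambiguous, is worth seeing in isolation. The block below is an added example written for this page, not HAProxy’s code and not JFrog’s proof of concept; it implements the RFC 7230 rule that a message carrying duplicate Content-Length headers, a non-numeric Content-Length, or Content-Length alongside Transfer-Encoding must be rejected rather than guessed at, since a front end and back end that guess differently is exactly what request smuggling exploits. The function names, the regular expression and the three sample requests are all constructed for the example.

```python
"""Strict HTTP/1.1 body-framing check (added example, not HAProxy code).

A reverse proxy must not forward a request whose body length it cannot
determine unambiguously: if the proxy and the origin server read different
lengths, the leftover bytes become a second, smuggled request.  RFC 7230
section 3.3.3 therefore says such messages must be rejected.
"""
import re

# RFC 7230 token characters for the header name, then ':' and the value.
# Anything that does not match this shape is refused outright.
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


class FramingError(ValueError):
    """Raised when a request has ambiguous or malformed body framing."""


def parse_headers(raw: bytes) -> dict:
    """Parse the head of an HTTP/1.1 request into {lowercased name: [values]}.

    Every occurrence of a header is kept, so duplicates stay visible to the
    framing check instead of silently collapsing into one value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: dict = {}
    for line in lines[1:]:  # lines[0] is the request line
        m = HEADER_LINE.match(line)
        if not m:
            raise FramingError(f"malformed header line: {line!r}")
        headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return headers


def body_framing(headers: dict):
    """Return ("chunked", None) or ("length", n) for an unambiguous request.

    Raises FramingError on the conditions a smuggling attempt depends on:
    Transfer-Encoding together with Content-Length, more than one
    Content-Length header (even if the values agree; a proxy is safer
    refusing than merging), or a Content-Length that is not a plain integer.
    """
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            raise FramingError("Transfer-Encoding must end with chunked")
        return ("chunked", None)
    if cl:
        if len(cl) != 1:
            raise FramingError("duplicate Content-Length header")
        if not cl[0].isdigit():  # rejects '+5', ' 5', '0x5', '5,5' and similar
            raise FramingError("non-numeric Content-Length")
        return ("length", int(cl[0]))
    return ("length", 0)  # no framing headers: no body


def check_request(raw: bytes) -> str:
    """Decide whether a proxy should forward the request.

    Returns 'ok:length:<n>' or 'ok:chunked', or 'reject:<reason>'.
    """
    try:
        kind, n = body_framing(parse_headers(raw))
    except FramingError as e:
        return f"reject:{e}"
    return f"ok:{kind}:{n}" if kind == "length" else "ok:chunked"


# Constructed sample requests for the example; not taken from the advisory.
GOOD = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello"
DUP = (b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n"
       b"Content-Length: 50\r\n\r\nhello")
MIXED = (b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for req in (GOOD, DUP, MIXED):
        print(check_request(req))
```

    Running the block prints one accept and two rejects. The point of keeping every header occurrence in `parse_headers` is that a parser which stores headers in a plain dictionary overwrites the first Content-Length with the second and never sees the duplicate, which is the kind of blind spot the article’s quote about slipping a character from a header name into its value exploits.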

    Tarreau released his own note on the issue, thanking JFrog for their work. “Quite honestly they’ve done an excellent job at spotting this one because it’s not every day that you manage to turn a single-bit overflow into an extra request, and figuring this required to dig deeply into the layers,” Tarreau said.

    Vulcan Cyber CEO Yaniv Bar-Dayan said the HAProxy load balancing software is “one of the most commonly used components of our digital age,” calling it “plumbing used to build the infrastructure behind the Web.” Bar-Dayan explained that it is distributed with Linux operating systems and by cloud service providers, and is used in production by some of the largest web services and applications in the world. “This vulnerability has the potential to have a wide-spread impact, but fortunately there are plenty of ways to mitigate risk posed by this HAProxy vulnerability, and many users most likely have already taken the necessary steps to protect themselves,” Bar-Dayan told ZDNet. “CVE-2021-40346 is mitigated if HAProxy has been updated to one of the latest four versions of the software. Like with most vulnerabilities, CVE-2021-40346 can’t be exploited without severe user negligence. The HAProxy team has been responsible in their handling of the bug. Most likely the institutional cloud and application services that use HAProxy in their stack have either applied upgrades or made the requisite configuration changes by now. Now it is up to all HAProxy users to run an effective vulnerability remediation program to protect their businesses from this very real threat.”

    Michael Isbitski, technical evangelist at Salt Security, added that HAProxy is a multi-purpose, software-based infrastructure component that can fulfill a number of networking functions including load balancer, delivery controller, SSL/TLS termination, web server, proxy server and API mediator. “It’s a popular free open source choice along with F5 NGINX. HAProxy deployments are prominent in many organizational networks and the collective Internet,” Isbitski said. “Depending on how a given HAProxy instance is deployed, potential risks include user session hijacking, authorization bypass, sensitive data exposure, unauthorized command execution and unauthorized data modification.”

    Other experts, like NTT Application Security vice president Setu Kulkarni, noted that HAProxy has over 500 million downloads from Docker Hub, and that for an adversary, targeting such widely used critical components that are open source is a lucrative option. “With access to code, they can now pretty much run static application security tests to determine weaknesses and once they’ve found a potential vulnerability to exploit, they can execute large scale attacks. In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed — the burden of this task has to be shared equally by DevOps, SecOps and RunOps teams to ensure that the system continues to remain operational as a critical component as HAProxy is being upgraded,” Kulkarni said.

  • Google Cloud product, engineering reorgs under Calder; Hölzle to focus on Google's technical infrastructure

    Google Cloud is reorganizing its technical management team as Brad Calder will take over product and engineering for the cloud unit and Urs Hölzle takes over technical infrastructure for Google overall. Hölzle had overseen parts of the day-to-day product engineering efforts for Google Cloud. The reorg, outlined internally by Google Cloud, comes as the company has scaled its revenue, focused on industry sales and landed large enterprise accounts under CEO Thomas Kurian.

    With the move, Calder becomes the leader of Google Cloud’s product and engineering teams. Calder’s official title will be vice president of engineering product for Google Cloud/Technical Infrastructure. Calder joined Google Cloud in 2015 and has been leading a large product and engineering org.

    Hölzle will remain senior vice president of technical infrastructure and Google Fellow. Hölzle will continue to collaborate and work closely with Kurian as well as Google CEO Sundar Pichai but will focus on long-term architecture and infrastructure across Google. Indeed, Hölzle will manage the technical infrastructure org responsible for global capacity delivery, unified fulfillment optimization, data center ops and construction, reliability, network infrastructure and cloud chief information security officer. In a nutshell, Calder will productize Google’s infrastructure via Google Cloud and Hölzle will focus on what’s next.

    Google Cloud confirmed the reorg and a spokesperson said: “As Google Cloud grows, we regularly evaluate the best organizational structure to better scale our business and provide a world-class experience for our customers.”

  • Moreton Bay Regional Council goes for satellite-connected smart water sensors

    Image: Optus
    Moreton Bay Regional Council has rolled out a number of IoT water tank sensors that remove the need to send staff to remote locations to check on water levels. The sensors are connected via low Earth orbit nanosatellites, and have been estimated to save the council around AU$20,000 each year. The council partnered with Optus Enterprise and Myriota on the deployment, with Optus parent company Singtel having a stake in Myriota.

    “As a council we have made great strides in implementing smart technologies, from our AI road scanning system on garbage trucks to pathway defect detection e-bikes, just to name a few,” Mayor Peter Flannery said. “These water tanks are critical in supplying water for toilets and other amenities at our region’s remote areas, which are used by many locals and tourists each year.”

    Further up the Queensland coast, Livingstone Shire Council said last year it was trialling smart lights to help confused turtle hatchlings. Due to the street lighting around the area, sometimes when the hatchlings leave their eggs, they can become disorientated, fail to find the horizon, and stray from the path they should be taking into the ocean. Even after they reach the sea, the hatchlings can sometimes be lured back by the lights.

    The lights are connected to a LoRaWAN network provided by NNNCo, which was deployed to the shire in 2019.

    On Thursday, Optus launched a feature in its My Optus app dubbed Sidekick that allows customers to ask contacts to check in with them. “Many of us can identify with that feeling of wanting someone to check in with us in a little while to make sure we are okay, even if we can’t exactly pinpoint why we feel that way. It may feel awkward to ask someone for that extra assurance,” Optus director of digital AI Kate Brodie said. “Optus Sidekick can help you prearrange a time when Optus will let the people you care about know you want them to check in on you, and only gets in touch if that time arises. We have also discovered that it’s not just women who may want to use Optus Sidekick, but also kids walking home from school, people out for a late-night walk, and even an elderly neighbour who walks to the store alone.” A beta of the feature is being run on iOS.

  • Atlassian CISO: 'There will always be some number of instances of software on the internet that are out of date and being exploited'

    Atlassian CISO Adrian Ludwig spoke to ZDNet this week to discuss the Atlassian Confluence vulnerability — CVE-2021-26084 — and defend the company’s response to the problem.

    Ludwig said the vulnerability was initially reported through Atlassian’s bug bounty program on June 30th by Benny Jacob and that their security team quickly realized it was a critical issue. The patch was available by August 15 and security bulletins were sent out on August 25. They also submitted the vulnerability and patch to NIST and other government organizations so that it could be disseminated further. The information was sent out to Atlassian’s channel partners and account managers so that emails to customers could be sent out.

    Atlassian has its own test instances of Confluence and began seeing evidence of automated exploitation around September 1. Ludwig said it was bots probing the services and attempting to exploit them using the vulnerability. “As part of our normal process evaluating a vulnerability, we go back through the logs of our environment and our infrastructure and look to see whether there’s any historic exploitation. In this instance, we did not see any exploitation prior to our security advisory going out, but we did see it starting about September 1st,” Ludwig explained. “On September 3, having confirmed that, and also, having heard that there were plenty of folks that have not yet patched, we put out an update to our advisory saying that we have seen evidence of active exploitation and also encouraging people to patch.”

    Ludwig said Atlassian sent a second notification to customers after security companies and government agencies, like US Cybercom, began to send out notices about the problem.

    Despite Atlassian’s efforts, thousands of organizations were still vulnerable to the issue. Security company Censys found that the number of vulnerable Confluence instances was more than 8,500 as of September 5. Jenkins, a leading open source automation server, announced on Saturday that its deprecated Confluence service was successfully attacked through the Confluence exploit.

    As of Wednesday evening, security company GreyNoise found that hundreds of organizations were still being targeted through the vulnerability despite the notices and news coverage of the problem. GreyNoise CEO Andrew Morris said there was a big uptick on Wednesday in Atlassian Confluence attacks, with “over a hundred devices opportunistically exploiting the vuln and counting. If you haven’t patched, you’re owned.”

    Morris told ZDNet that GreyNoise runs a large network of collector sensors in hundreds of data centers around the globe and saw the first opportunistic exploitation occur at 4:45 pm on August 31st. “We’ve seen it ramp up quite a bit in the last few days. And now, just today alone, we’ve seen over a hundred devices opportunistically attempting to exploit this vulnerability out on the internet,” Morris said, putting the number at 144. “All that means is that if Atlassian Confluence customers have not patched in the last week, it’s still extremely important for them to do so, but what’s even more important than that is probably calling an incident response team or network hunt team because there’s a really good chance — I would say like, 99.999% — that any Confluence customers that have not patched in the last week have probably been compromised.”

    Bad Packets reported that CVE-2021-26084 exploit activity was being detected from hosts based in Russia targeting their Atlassian Confluence honeypots. They previously said they “detected mass scanning and exploited activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”

    Of the instances in Atlassian’s environment, Ludwig said all of the attacks have been automated and all of them have been cryptomining. Morris noted that it is hard to tell who exactly is exploiting the vulnerability because many times threat actors commoditize access, exploiting new vulnerabilities and then selling access to the system to other actors. “They could be some combination of APTs, criminal groups, financially motivated groups, government state actors, or even people that are trying to build up their botnet quite a bit. So it’s not altogether clear,” he said. “But usually when things like this happen, at least some amount of the bad guys are directly financially motivated and usually the quickest path to monetization is using cryptojacking. In this case, I don’t have any evidence to suggest what the bad guys are doing once they compromised these devices.”

    The problem with updates

    Ludwig told ZDNet that the vulnerability is a “classic challenge that on-premise software has had to deal with forever.” “I remember 20 years ago, when I was at Adobe, we made a decision that we were going to start doing monthly security bulletins because that was a way to drive more consistency in terms of getting updates out there,” Ludwig said. “But even that level of consistency is just not sufficient to get people to patch on a regular basis. We’re fortunate that the Atlassian products don’t have, frankly, a lot of security advisories that go out. It can be months, if not a year, between when these go out. They’re relatively uncommon, but that also makes it a little bit more challenging to make sure that people are updating quickly because they’re not in practice the same way they might be for some of their other enterprise products.”

    He added that those who have internet facing services and are not able to update in 24-48 hours should consider moving to the cloud. “You really need to consider getting to a point where your security is not dependent on the process that just doesn’t conform with modern expectations for how quickly you need to update. Right now, I don’t think we’re ever architecturally going to fix the fact that it’s hard to push out a software update, notify everybody, have them take action and do that faster than exploitation starts to happen,” Ludwig explained.

    Ludwig said Atlassian does not know how many organizations have not updated their systems or which ones may have run a script that they provided as part of the advisory process for customers that did not want to update. Ludwig said he personally checked with customer support this week and noted that they are getting comments and questions as some run into issues updating their software. “In general, the volume of that has been lower than we’ve seen for previous security instances. So it seems like things are going pretty well,” Ludwig said. “For those who are attempting to do the update, it seems to be working. And the script also provides an easy way for people to make sure their environment is protected.”

    Ludwig added that they followed up with some customers on Friday and have provided Atlassian field teams with additional information. He told ZDNet it was difficult to know how many customers had been affected, how many customers are still not in a safe place and how many customers are “not in a safe place because they’ve made a conscious decision.” “We will follow up when we can, but my expectation is that there will always be some number of instances of software on the internet that’s out of date and that’s being exploited,” Ludwig explained. “Ultimately, we want to do everything that we can to make sure customers get patched or apply the scripts that they need to as quickly as possible.”

    A number of IT experts defended Atlassian’s response, saying it is typically difficult to get customers to update software, particularly during and after holiday weekends. David McNeely, CTO at ThycoticCentrify, said it was particularly difficult given that it simply takes time and in many cases requires changes to control approvals and subsequent downtime to manually perform updates or patching. Morris of GreyNoise similarly defended Atlassian’s response, noting that this kind of thing happens “pretty regularly.”

    “I think that when something like this happens, it’s really easy to rush and want to pile on to Atlassian for doing the wrong thing or making their customers vulnerable. They are responsible, I’m not absolving them of responsibility. But this happens to pretty much every software company on the planet,” Morris said. “From time to time, a vulnerability is disclosed, a patch is released and then there’s a period of time where the vendor wants you to patch as soon as humanly possible. But they can’t make you do it.” This situation is particularly bad because of how many organizations are affected and because the timing — Labor Day weekend — was tough, Morris added.
“It was kind of a perfect storm because Confluence runs on the internet, which means that it has to be resilient to attackers that would come in from anywhere on the entire Internet. It’s not like it’s buried deep inside someone’s network, where it would be a little bit safer by default,” Morris added. “If this is running in your environment, I would really, really strongly recommend patching and calling an incident response team.”  More


    Microsoft grows Azure Space Australia with Nokia, SA govt and University of Adelaide

    Microsoft has announced plans to cement Azure Space as a key player in the growing Australian space market through new partnerships with Nokia, the University of Adelaide’s Australian Institute for Machine Learning (AIML), and the South Australian government.

    Microsoft launched its Azure Space initiative last October. Azure Space was developed by the tech giant to position Azure in the space and satellite-related connectivity and compute part of the cloud market.

    Azure Space Australia’s operations are based in Adelaide’s Lot Fourteen and are headed up by former US Air Force colonel Lynn McDonald.

    On Thursday, the tech giant said it inked an agreement with Nokia and the South Australian government to build communications, connectivity, and advanced data processing solutions featuring satellite imagery, AI analytics, and 5G-based technology that could be used for various applications such as rail safety, mine automation, defence, and public sector use cases.

    Microsoft’s Azure cloud, Azure Edge, Azure Orbital, and emerging Azure Space, AI, and machine learning technologies, plus Nokia’s 5G Digital Automation Cloud platform, will be leveraged to build these capabilities, Microsoft said.

    Nokia also plans to expand its Adelaide-based 5G services so it can co-develop these use cases with the Azure Space team.

    “We are delighted about this agreement with the South Australian government and the opportunity to work with Nokia as we bring together interdisciplinary experts to develop, test, and deploy new technologies and strategies that respond to some of the biggest challenges facing organisations today,” McDonald said.

    “This important collaboration with Nokia will allow Australian organisations in multiple sectors to take a giant leap forward into a new era of communications and cloud computing, making the most of space data and technology and catapulting them to the very forefront of digital innovation.”

    Additionally, Microsoft has signed a memorandum of understanding with AIML to jointly explore how advanced cloud computing, AI, computer vision, and machine learning can be applied in space.

    Under the effort, dubbed Project AI Off Earth, the pair will conduct modelling, emulation, and simulation of complex space operations and systems; build algorithms for on-board satellite data processing; develop solutions for the remote operation and optimisation of satellites, constellations, and swarms; and address space domain awareness and debris monitoring.

    “Although focused on in-space technologies, Project AI Off Earth will explore how space-related technologies and data, and cognitive systems can be used to support automation of multiple different industries, help establish smart cities, as well as address sustainability and important environment challenges,” Microsoft Australia Azure Space engineer Nicholas Moretti said.

    These latest announcements follow the launch of a Microsoft for Space Startups Australia Program in July. The new program was designed to support space startups, give them access to Azure credits, and provide a range of Microsoft technologies, technical specialists, and mentors. Office of Planetary Observations and Spiral Blue were named as the first startups to join the initiative.