Author: - Computing_redesign

The NLRB says Amazon unfairly influenced the outcome of the election

An official at the National Labor Relations Board (NLRB) in the USA has recommended overturning the results of the landmark union election at an Amazon warehouse in Bessemer, Alabama this year. While the plan to unionise was defeated, the NLRB now says Amazon's tactics unduly influenced the vote's outcome.

The Retail, Wholesale and Department Store Union (RWDSU), which sought to represent Bessemer workers, said on Monday that the NLRB's investigation found that Amazon had used anti-union tactics to influence the results of the election, including surveillance and making workers fear for their jobs.

A regional director for the NLRB is expected to take a final decision on whether to order a new election within weeks.

Amazon plans to appeal the recommendation, which has not been released publicly yet.

"Our employees had a chance to be heard during a noisy time when all types of voices were weighing into the national debate, and at the end of the day, they voted overwhelmingly in favor of a direct connection with their managers and the company," an Amazon spokesperson told NPR.

"Their voice should be heard above all else, and we plan to appeal to ensure that happens," the spokesperson added.

Workers at the Bessemer facility rejected unionisation by a 2-1 margin in April. RWDSU filed a legal challenge after the result was announced, alleging that Amazon had used unfair labour practices to discourage workers from unionising.

During an NLRB hearing in May, RWDSU said Amazon compromised the election's integrity by using a ballot collection box installed in the warehouse's private parking lot, under the sight of company cameras.

The mailbox's placement inside a tent also prompted employees to wonder whether the company was trying to monitor the vote.

Amazon argued that the mailbox was installed by the US Postal Service for workers' convenience and that the tent actually shielded workers from cameras.

During hearing, one worker testified that managers at the Bessemer warehouse warned workers during mandatory meetings that the facility could close if employees voted to unionise.

A long history of anti-union action

Amazon has been accused of discouraging workers' attempts to organise for years.

In February, RWDSU alleged that Amazon's management was sending text messages to workers at the Bessemer warehouse and asking them to attend anti-union meetings, despite the company's own social distancing policy. The company was also accused of working with local authorities to speed up traffic light switching outside the plant, so union organisers woudn't have time to hand out literature to passing workers.

The latest finding coincides with another NLRB observation that Amazon unlawfully interfered with employees organising at its JFK8 fulfilment centre in New York in May.

Motherboard claims to have reviewed NLRB documents, which suggest that Amazon prohibited an employee from distributing pro-union literature to other workers at the Staten Island fulfilment centre.

The company also seized the literature (in violation of US labour laws) and gave employees the impression that their unionisation activities were being monitored, according to the report.

Connor Spence, a worker at the JFK8 warehouse, told Motherboard that he was handing out leaflets about unions to other workers on 16th May when a security guard approached and confiscated them.

"He took the union literature away and wouldn't give it back," Spence said.

"I filed the charge so that there's accountability in place that prevents them from doing this in the future."

According to Spence, Amazon crosses the line a lot "when it comes to stopping workers from unionising".

"Unfortunately labour law isn't very strong in our country, but I'm hoping Amazon cares about its image and these stains on their record."

Six schools and the Isle of Wight of Education Federation have had data encrypted in an attack that could delay the start of the new term

Six schools on the Isle of Wight have been hit by a ransomware attack that resulted in the encryption of data and may delay the start of the new term.

The attack, which encrypted data, hit the schools and their umbrella organisation the Isle of Wight of Education Federation between July 28th and 29th, according to the Federation. All the schools' websites have been offline since Friday.

The schools affected were Carisbrooke College, Island 6th Form, Medina College, Barton Primary, Hunnyhill Primary and Lanesend Primary. Lanesend Primary announced that the start of the new in September may be delayed by several days.

"As you can imagine, the team now have hours, days, and months of work ahead of them to recreate the information that has been lost. In order to assist with this painstaking process, the Trustees have approved the school to close for 3 extra days at the end of the summer holidays. This means the children will not be returning to school until Monday 6th September 2021. We ask that you are patient with the team during this period," a spokesperson for the school said.

The Isle of Wight Education Federation said it is liaising with the authorities to pursue the cyber criminals and understand the full impact of the attack.

"We are working with the local Police and Authority, Department for Education, Cyber support and various ICT system providers to move this forward and ensure that necessary and appropriate systems are in place for the new academic year," a spokesperson said.

Schools, universities and other public service and public sector organisations have become popular targets for ransomware gangs. Five schools on Anglesey had their systems taken down in June, and  Newcastle University was one of a number of higher education establishments badly affected by ransomware last year. Meanwhile, the Irish health service is still recovering from a large scale ransomware incident in May which saw patients' details published on the dark web.

Commenting on the latest incident, Oz Alashe, CEO and founder of security platform CybSafe, said: "Malicious actors see educational institutions as a soft target, who will be more willing to pay a ransom given the vital nature of their work and the disruption that can be caused to pupils' education."

He continued: "Addressing human security behaviours remains the most effective measure organisations can take to mitigate this kind of risk. For both pupils and staff, increasing awareness of ransomware attacks and providing the means to identify and flag such attacks will help prevent these kinds of breaches, and ensure schools can avoid disruption at this critical time."

There’s only one constant when it comes to cyber-attacks, and that is that each one is different

Cybercrime is a constant thorn in the side for every IT professional, and IT leaders most of all. You probably employ training, help desks and support services to handle the constant stream of attacks, but did you know that attackers are doing the same thing?

Cybercrime is big business; attack programmes and payloads are increasingly commoditised, and many are sold on the dark web. Like any seller, criminal gangs have a vested interest in keeping their clients happy, and offer a range of support services to get them what they need. If you've been unlucky enough to have been a victim of a recent ransomware breach, you may have seen the same thing from the other side: websites with live chat support dedicated to parting you from your hard-earned revenue.

"The increasing professionalisation of cyber gangs means CISOs need to put in place the right security controls to protect their organisations," says KnowBe4 security awareness advocate Javvad Malik. "Nothing is a case of ‘set and forget', and continual improvement needs to be made to stay a step ahead of the gangs."

Threat intelligence is crucial, of course, but so is information sharing. For too long, commercial organisations have tried to stand alone against cybercrime, but talking to your peers, and even your rivals, can mean the difference between paying a ransom and it never striking in the first place.

"Incident response and recovery should not be an afterthought, either. CISOs should know what to do in the event of an incident including knowing how to notify law enforcement, regulators, customers, partners, employees, and even the media," says Malik.

Enforcement agencies and governments have promised to get tough on cybercrime, with some urging peers to treat ransomware attacks with the same priority as terrorism, and others working together in cross-continental operations - and it all adds up.

"We've seen law enforcement take down some large cyber-criminal gangs recently. While this is a time-consuming process that involves international cooperation, it can be very effective in disrupting criminal activities.

"Just seeing more cyber criminals arrested and sentenced to prison can act as a massive deterrent to others who may be considering entering into crime as a profession."

These moves have come too late to discourage the recent tide of ransomware attacks that have swept the world in the last eight months: from Solarwinds to Colonial Pipeline, JBS and Kaseya. The first and last of these were supply chain attacks: by compromising just one company, the hackers were able to breach hundreds of the victims' customers.

Supply chains are notoriously difficult to secure, though Malik says there are steps to take that can help, including:

• Conducting business impact assessments
• Knowing and understanding all partner organisations
• Having the right policy and legal clauses in contracts
• Communicating clear security needs with partners
• Having technical assurance in place
• Putting in place a joint incident response plan that maps out all responsibilities
• Having an exit strategy to leave any relationship

Several of these attacks, and many others like them, were successful due to phishing and other social engineering tactics. A collaborative culture, where employees are encouraged to talk to the IT team (rather than staying silent for fear of punishment), should be your first line of defence when it comes to bolstering the human layer of your security.

Building or changing a culture can be a slow and laborious process, but it will pay dividends. It's important that everyone is on-board, though - including the executives.

"A top-down approach is the ideal approach - CEOs and executives play a big part in creating the organisational culture. But that's not to say that a culture can't go from bottom up or from middle out.

"What's important to remember is that culture building is a slow process that often takes years to embed within an organisation, so consistency is key."

The presence of cybercrime is a constant, but the way it manifests is always changing. It's important for both you and your employees to stay informed, and have clear lines of communication, to effectively combat the threat.

The MOD crowdsourced pen-testing with US-based HackerOne

For the first time, the UK's Ministry of Defence (MOD) has paid bounties to white hat hackers for discovering security bugs in its computer networks, to raise security across its networks and devices.

The Bug Bounty Programme, which ran for 30 days, saw the MOD pay an undisclosed sum to 26 hackers, who probed the organisation's systems for vulnerabilities before they could be found and exploited by threat actors.

US-based HackerOne, which specialises in bug bounty competitions and effectively outsources pen-testing, ran the programme with the MOD.

The MOD said that it invited hackers to investigate its devices by giving them 'privileged access' to certain internal systems.

The individuals were allowed to participate only after undergoing background checks with HackerOne.

The participants were not testing public-facing assets, although the MOD and HackerOne had previously agreed on a vulnerability disclosure policy for individuals who discovered issues with those.

The programme follows the government's publication of its integrated review of security, defence, development and foreign policy in March, which highlighted the need for greater resilience and capabilities to tackle cyber threats. The government also used the review to call for greater collaboration with different actors.

'[We] will continue to make use of the Bug Bounty expertise, in addition to other capabilities available to ensure cyber security and resilience,' the MOD said.

James Heappey, Minister for the Armed Forces, described the Bounty Programme as an exciting new capability for the MOD.

"This work will contribute to better cyber and information security for the UK," he added.

Christine Maxwell, the MOD's chief information security officer, said that the effort was an "essential step in reducing cyber risk and improving resilience."

"Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets," she explained.

Bug bounty programmes are used throughout the industry as a way to reward ethical hackers for uncovering and reporting issues in computer systems.

The majority of HackerOne's users are organisations in the USA and Canada, followed by a long tail led by the UK, Germany, Singapore and Russia.

Salesforce will make Servicetrace part of MuleSoft, to focus on unified integration, API management and RPA

Salesforce has entered into a definitive agreement to acquire German robotic process automation (RPA) software provider Servicetrace, intending to make it a part of Mulesoft: another Salesforce acquisition back in in 2018.

In a blog post, Brent Hayward, CEO of Mulesoft, said that the addition of Servicetrace would enable MuleSoft to "deliver a leading unified integration, API management, and RPA platform, which will further enrich the Salesforce Customer 360 [platform]."

Hayward expects Servicetrace's RPA capabilities to enhance Salesforce's Einstein Automate solution, "enabling end-to-end workflow automation across any system for service, sales, industries, and more".

The financial terms of the deal were not disclosed. It is expected to close by the end of the Salesforce's third quarter (October 31st, 2021).

In recent years, automation, combined with robotics, has become as a must-have technology to perform repetitive tasks. Businesses can use RPA to quickly automate manual tasks across multiple departments, including IT service desks, finance, HR, customer support and more. It is often seen as the easiest entry point into automation.

Gartner estimates global RPA software revenue will reach $1.9 billion in 2021, up 19.5 per cent from 2020.

According to Salesforce's Trends in Workflow Automation report, 95 per cent of engineering and IT managers say their organisations are prioritising workflow automation.

Salesforce's Einstein Automate solution is a modern solution to automate specific tasks, but RPA is a generally a better option for legacy operations. The Serivcetrace acquisition will bridge Salesforce's capabilities between older on-premises tools and modern cloud software.

Servicetrace has three product lines - Robotic Process Automation, Automated Software Testing and Application Performance Monitoring - with customers including Siemens, Fujitsu, Merck and Deutsche Telekom.

The company is headquartered in Hessen, Germany and was founded in 2006.

This is just the latest in a series of recent acquisitions by Salesforce.

In December, Salesforce announced the acquisition of popular workplace communication tool Slack, for about $27.7 billion.

In 2019, Salesforce bought BI and analytics firm Tableau for $15.7 billion, adding a more advanced analytics element to its existing cloud-based CRM services, particularly in combination with the AI platform Salesforce Einstein.

The company also acquired ClickSoftware in 2019 for $1.4 billion in cash and stock, to 'accelerate the growth of Service Cloud' and to 'drive further innovation with Field Service Lightning to better meet the needs of customers'.

The malware initiates screen recording session if the app running in the foreground is in its target list

Researchers at cyber security firm ThreatFabric have published a report warning of a new kind of malware that is attempting to steal banking credentials of Android users through screen recordings.

Dubbed Vultur, this banking Trojan makes its way onto Android devices via a dropper called Brunhilda, which has been found in several fitness, phone-security and authentication apps available on Google Play.

About 30,000 Android devices are thought to have been infected with Brunhilda to date, meaning that thousands of Android users have likely been infected with Vultur.

Like other malware targeting Android devices, Vultur also begins its compromise by exploiting Android Accessibility Services designed to help users customise their devices.

Vultur's technique for stealing login details from the infected device is also different from other banking Trojans.

In previously observed banking Trojan attacks, threat actors have mostly relied on overlay techniques, where they trick users into believing that they are typing their login credentials in a legitimate banking app. That approach usually requires more effort and time to steal user data, according to researchers.

Vultur, on the other hand, uses code to recognise when a user is filling a data entry form. It then uses the device's Virtual Network Computing (VNC) to record the screen, begins keylogging also via VNC and sends all captured data to a malicious site operated by the attackers.

"The biggest threat that Vultur offers is its screen recording capability. The Trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session," the report notes.

While Vultur has been designed to mainly harvest banking login credentials, the researchers say they have also observed instances where hackers carried out keylogging for social media apps, including Facebook, TikTok and WhatsApp. In a limited number of cases, the malware was also seen targeting cryptocurrency apps.

"The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor," the report adds.

"With Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware back-end."

Vultur has so far mostly infected devices in Italy, Australia, UK and the Netherlands, according to the researchers.

To protect themselves from a Vultur malware attack, the researchers advise users not to let the infected app use the Accessibility Services in their device.

When Vultur transmits data to its central server, the system shows active 'casting' icon in the Android notifications. If a user is not casting something but the icon still appears in the notification, it indicates a security issue with the device.

Inventories ‘are at a historic low’ warns German chipmaker Infineon, while STMicroelectronics says prices will rise for the next two years

In its financial report for the quarter ending 30 June, German chipmaker Infineon warns of a continuing ‘difficult supply environment', with inventories at a ‘historic low', and with resource problems exacerbated by Covid-19 in key supplier countries such as Malasia.

"Demand for semiconductors is unbroken, as they play a key role in enabling the energy transition and digitalisation. Currently, however, the market is faced with an extremely tight supply situation," said CEO Reinhard Ploss.

"Inventories are at a historic low; our chips are being shipped from our fabs straight into the end applications. Under these circumstances, any pandemic-related restrictions on manufacturing, such as those recently imposed in Malaysia, are especially grave."

Despite the strong demand for semiconductors and an increased profit margin, Infineon's profits grew just 1 per cent, below analysts' expectations, owing to the supply line issues.

Car-makers have been particularly badly affected by global chip supply problems, which have been caused by adverse weather conditions in Taiwan and factory fires in Japan combined with the pandemic and booming demand.

Analyst firm Ifo said that the German automobile industry has been affected by shortages of ‘intermediate products', with 83 per cent of car companies saying they'd been impacted in July compared with 65 per cent in April.

"Semiconductor bottlenecks in particular are likely to continue for a while," said director Oliver Falck, who said that suppliers were deliberately stocking up on supplies to mitigate any shortages.

Last week, chief executive of Geneva-based chipmaker STMicroelectronics, Jean-Marc Chery, told Reuters the chip shortage would likely continue until the first half of 2023.

The price of the company's chips has increased 5 per cent compared with a year ago, Chery said, predicting the combination of continued high demand and a disrupted supply chain would lead to further rises for the next two years.

"It's not like in the past, when everyone was waiting for Microsoft to release a new operating system that would drive demand for many more computers," Chery said.

"What we have is global shift ... with massive orders for components."

STMicro will only be able to meet 70 per cent of its orders this year, Chery went on, although he foresees the situation easing after that as the company invests in more production capacity.

Pricing for the subscription-based service starts at $20 per user per month and goes up to $162

Microsoft on Monday announced the general availability of Windows 365, the cloud PC service that allows users to access their desktop from anywhere via a web browser.

The software giant unveiled the new subscription-based service last month, saying it would enable users to connect to an always-on cloud PC from anywhere with an internet connection.

It also said that it would release pricing details on the day the service becomes generally available to the public.

As promised, the pricing details for Windows 365 are now public, ranging between US $20 and $162 per user per month, depending on the level of service provided.

In a blog post, Scott Manchester, director of program management at Microsoft, said he was "thrilled" to announce "the general availability of Windows 365 and the resources" that are now available to help users get started with the new cloud service.

"Windows 365 introduces a new way to experience Windows 10 or Windows 11 (when it's generally available later this calendar year) for all types of workers, from interns and contractors to software developers and industrial designers," he added.

According to Microsoft, Cloud PC is specifically designed to fulfil the growing demands of hybrid work environments that enable employees to divide their time between the office and home.

The new service will let users access their devices, including data, apps and settings, from either a personal or business device or a phone, thereby eliminating the need to commute with their PC.

It is designed to provide a complete computing experience through a web browser or a native app on any device that has an active Internet connection. Users can use Windows 365 from a PC, Mac, iPad or any mobile device with a browser, including the Raspberry Pi micro-computers that are starting to become popular in education.

Windows 365 will come in two editions: Business and Enterprise. Business plans are capped at 300 users per organisation, while Enterprise subscribers can have unlimited users. Another different between the two editions is that Business customers can access Windows 365 through the URL windows365.microsoft.com, while Enterprise customers will have it integrated with Microsoft Endpoint Manager.

The company is also offering a 'Windows Hybrid Benefit' which means that users with existing licences can apply for a discount.

The entry-level $20 per user per month Business prices provides a Cloud PC with a single virtual core, 2 GB of RAM, and 64 GB of storage and requires the Windows Hybrid Benefit.

Those without an existing licence will pay $4 more per user per month.

A "Premium" plan with four virtual cores, 16 GB RAM, and 128 GB storage costs $66 per month with the $4 discount.

The most expensive $158 per user per month ($162 without Hybrid Benefit) option provides a Cloud PC with 8 virtual cores, 32 GB of RAM, and 512 GB of storage.

Organisations can choose the storage size of the Cloud PC through an admin panel.

SBOMs are now law in the US, but it will be a challenge to make them work

Over the past year, software supply chain attacks have affected public sector and private enterprises alike. As services have moved to digital and more complex deployments have been rolled out, the likelihood of flaws existing in those software supply chains has increased. So how should we react to this?

The US government provides one example. It published an Executive Order on cybersecurity that will enforce secure software development processes. As part of this, all federal organisations will require their suppliers to give them a Software Bill of Materials (SBOM) for their IT projects, listing all the components involved. Based on the guidance from the US National Telecommunications and Information Administration, using these SBOMs will provide a complete list of all the software in place across the organisation, which can then be used to prevent potential threats in the future.

This approach is aimed at preventing vulnerable components making their way into federal IT implementations, as well as helping those security teams plan ahead when a new issue is discovered. By providing a complete picture across internal and external IT projects, teams can prevent issues leading to breaches over time and have better insight into their software supply chains.

What can the UK government learn from this, and can other enterprises adopt something similar?

Will the SBOM approach work?

In theory, SBOMs makes a lot of sense. Gaining more visibility into the software supply chain can only be a good thing, but making this work in practice will involve creating a solid workflow that can keep up with all the changes taking place within IT vendors' products as well as in internal IT assets

To get this right, there are some lessons that can be learned from the IT asset management (ITAM) projects that most public sector organisations have in place. ITAM describes how organisations track hardware assets, software products and licenses. An up-to-date asset inventory provides an accurate picture of all the software installed across an organisation. Based on this, you can keep track of your assets and flag any potential problems or software vulnerabilities for updates as they arise.

But ITAM is a challenge to implement correctly and even harder to maintain. With so many software assets and multiple platforms in place, changes occur all the time. After Covid-19 - when IT teams had to scramble to provide more endpoint assets for people to work from home, or when users simply took their corporate devices home - this has become even more difficult, as so many assets are now outside of the office, in the cloud or absent from official managed lists.

For many companies and public sector bodies, ITAM gets moved into the ‘too hard' pile

For many companies and public sector bodies, ITAM gets moved into the ‘too hard' pile because it is difficult to maintain an accurate list of assets and software. However, without that accurate list of assets, it is impossible to have an idea of your potential vulnerabilities. For SBOMs, getting over this hurdle will be essential if it is to deliver on that promise of value.

To make SBOMs work effectively, senior level support will be needed. The fact that the US government has mandated SBOMs will help here, as all vendors will have to put these together in a timely manner. Any time that a component in a product or service gets updated, a new SBOM will be needed.

For the vendor, automating this process should help them deliver this information efficiently to all those that need it. For the internal team, tracking all the products and software projects in place will be more challenging. The NTIA suggests that this will be automated in future, which should make the process easier. For other companies and public sector organisations looking on, this automation process should be something that they can learn from or adopt as well.

Combining established ITAM, vulnerability management and software supply chain management processes will provide that fuller picture of what is in place at the organisation. Using this data over time, IT teams will be able to prioritise what they have to update, see what they have to mitigate, and put more effective pressure on suppliers to fix issues in their software as well.

The future for SBOMs

The Biden government's Executive Order and the NTIA Minimum Standards document combine to inform everyone involved in software supply chains of their roles and responsibilities in improving security. This can provide a blueprint for governments around the world to follow. However, there are lessons to learn from existing processes for tracking IT assets too. The UK, in particular, is relatively advanced in IT process management thanks to the adoption of ITIL in the past - but not all IT teams use this framework.

Using SBOMs to track updates should help IT teams track how suppliers update their software products and this prevent problems at an early stage. However, unless they can depend upon suppliers providing data in a timely fashion, it will be hard to prioritise or apply pressure where it's needed; without a combination of internal and external data sources, it is difficult to keep this information in context; and without executive level support, it will be hard to keep these programmes running and providing value.

There are many elements to get right, but by doing so SBOMs should help keep public services more secure.

Matthew Middleton-Leal is vice president EMEA at Qualys

 

You're out to impress your peers: our judges

It's been a tough year for cybersecurity; from the initial panic about home working, safety and confidentiality, to the recent spate of ransomware attacks - and, ironically, fears about a return to the office. Security teams coulkd be forgiven for not knowing whether they're coming or going.

As we said, it's been a tough year - but not an insurmountable one. Vendors and service partners quickly pivoted to support remote working,  and plenty of companies came through the pandemic untouched, at least from an IT perspective, thanks to their security teams. Now, it's time to celebrate those stories.

Computing's Security Excellence Awards celebrate the achievements of the security industry over the last year, recognising and rewarding the companies, people, products and projects that keep the rest of us safe.

Enter now

This year we're featuring returning categories like the Enterprise Threat Detection Award, Cloud Security Award and CISO/CSO of the Year, as well as new categories: Security Project of the Year and Best Use of AI/Automation in Security. While we had hoped that the pandemic would be a distant memory by this point, its effects are still being felt so we're also bringing back our Special Award for Pandemic Resilience, which we launched in 2020.

You have until Friday 17th September to get your entries in, so don't delay. Winners will be announced at an online ceremony on the 1st December.

All valid entries must have a UK presence, and should not consist of marketing copy; any that do will be rejected.

Security Excellence Awards categories 2021

• DevSecOps Award
• Backup, Recovery and DLP Award
• IoT and Edge Computing Security Award
• Email Security Award
• Enterprise Threat Detection Award
• IAM Award
• Managed Security Award
• Network Security Award
• Remote Security Award
• Risk Management Award
• AI/Automation Security Product Award
• Cloud Security Award
• Enterprise Security Solution Award
• SME Security Solution Award
• Security Training Programme of the Year
• Security Team of the Year
• Security Rising Star
• Security Woman of the Year
• CISO/CSO of the Year
• Security Vendor of the Year - SME
• Security Vendor of the Year - Large Organisations
• Special Award: Pandemic Resilience
• Security Innovation of the Year
• * NEW * Security Project of the Year
• * NEW * Best Use of AI/Automation in Security