Government unveils plan to run broadband cables through water pipes

Investigations into allowing network operators to run cables through the electricity, gas, water and sewer networks, and alongside roads and railways

The government has launched a £4 million scheme to support running fibre-optic cables through water pipes, in order to connect homes to fast broadband that would otherwise be hard to reach without disruptive excavations or expensive construction work.

In a press release, digital infrastructure minister Matt Warman said he is consulting on options to change the regulations, potentially allowing broadband network operators to run broadband cables through the electricity, gas, water and sewer networks, and alongside roads and railways.

"These measures could significantly reduce the time and cost it takes to roll out gigabit-capable broadband to every home and business in the UK, giving people future-proof internet connections capable of reaching download speeds of up to 1 gigabit (1,000 megabits) per second," the press release says.

Installing new ducts and poles for broadband cables accounts for almost four-fifths of the cost of new broadband infrastructure, according to the government.

The £4 million fund will be used to investigate how existing passive infrastructure can be used to speed the rollout of high-speed broadband, as part of an ongoing review of the Access to Infrastructure (ATI) Regulations 2016. Those regulations govern access to physical infrastructure across the utility, transport and communications sectors, but the government says that to date they have not been widely used to share infrastructure.

The government is behind on a key election promise of delivering gigabit-speed broadband to every home by 2025, last November downgrading its commitment to "a minimum of 85 per cent coverage". This move was derided by campaigners who feared rural communities would be left behind.

The initiative could also be used to place leak sensors in water pipes, according to The Guardian, to reduce continuing problems with wasted water that suppliers have been slow to fix.

Microsoft Exchange Server: threat actors actively scanning for ProxyShell vulnerability, researchers warn

ProxyShell is a set of three security flaws that have already been addressed by Microsoft, but not all instances are patched

Attackers are currently scanning the internet for Microsoft Exchange Server instances that have not been patched for the ProxyShell vulnerability, researchers have warned.

The technical details of the bug were disclosed last week by Devcore security researcher Orange Tsai at the Black Hat 2021 conference.

Tsai and his teammates are credited with discovering this bug during the Pwn2Own 2021 hacking contest held in April.

Microsoft Exchange Server, an email solution, is a long-time target of state-backed threat actors as corporate mail servers store the confidential secrets of government agencies and enterprises.

ProxyShell is a set of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) which, when used together, could enable a threat actor to perform unauthenticated, remote code execution (RCE) on unpatched Microsoft Exchange servers.

According to Orange Tsai, these vulnerabilities can be remotely exploited through Microsoft Exchange's Client Access Service (CAS) running on port 443 in IIS.

Microsoft quietly patched CVE-2021-34473 and CVE-2021-34523 in April with its KB5001779 cumulative update, while CVE-2021-31207 was patched about a month later.

CVE-2021-34473 is a pre-authentication path confusion bug that could result in ACL bypass, while CVE-2021-34523 results in elevation of privilege on Exchange PowerShell Backend, according to BleepingComputer.

The third flaw, CVE-2021-31207, is a post-authentication arbitrary-file-write bug that enables attackers to remotely execute arbitrary code on a machine.

Tsai explained in his talk last week that one of the components of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service that was introduced by Microsoft to provide an easy way for mail client software to auto-configure itself with minimal input from the user.

After watching Tsai's talk, security researchers PeterJson and Jang published a blog post detailing how they were able to successfully reproduce the ProxyShell exploit.

IT security researcher Kevin Beaumont also said last week that a threat actor had probed his Microsoft Exchange server, which he had set up as a honeypot.

Honeypots are sacrificial computer systems with known security vulnerabilities that are exposed on the Internet to attract cyber attacks. They can help cyber security experts to monitor activities of cyber groups.

Beaumont said that while initial attacks were unsuccessful, he later observed entries in the log against the server's Autodiscover service, suggesting that the attackers had managed to conduct successful attacks.

These findings also indicate that threat actors are watching presentations at security conferences and quickly adapting their automatic tests.

Experts advise Exchange server admins to install the latest cumulative updates from Microsoft as soon as possible.

There are currently 400,000 Microsoft Exchange servers exposed on the Internet, so successful attacks are expected to come very soon, Tsai warned.

Making ‘sustainability profitable and profitability sustainable’: SAP execs on the four dimensions of sustainable transformation

SAP's sustainability executives on the company's approach to helping customers reach their goals

The need to reconcile the activities of the humans currently occupying our planet with our longer-term survival has become increasingly pressing of late. Few people, despite considerable efforts in some cases, are still managing to reject the evidence of their own eyes and ears. Climate change can no longer be filed under 'future problems'.

Anita Varshney, Global Vice President of Strategy for Sustainability for SAP S/4HANA, spoke with Computing to explain how SAP is acting as both an exemplar and enabler of greater sustainability and equality, and how it is working to change the perception that sustainability and profitability are mutually exclusive.

"Our goal is to make sustainability profitable and profitability sustainable," explains Varshney.

"To achieve this, enterprises must integrate sustainability into the heart of their strategy. This is the rationale behind the collaboration between SAP and Accenture on a series of guides with United Nations Global Compact which provide business leaders and their technology partners with a methodology to integrate and mainstream ambitious sustainability goals across business units by pioneering a performance integration approach that utilises enabling technologies."

The aim is to help SAP customers on their Sustainable Development Goals (SDG) Ambition transformation. This encourages organisations to set themselves more ambitious targets where their business can have the most impact.

At present, many businesses who signed up to the principle of SDGs are not on target to meet these goals by 2030. A lack of ambition and urgency has stymied progress. What SAP is trying to do is to elevate ambitions and then translate those ambitions into tangible actions and outcomes.

Promoting sustainability

SAP has set out to exemplify the approach that they encourage others to take, and a big part of its own approach is accountability for change. A big part is having representation at the highest level, said Varshney.

"We believe that our overall corporate strategy must itself be sustainable, and we therefore strive to promote sustainability across our entire business.

"Led by our chief sustainability officer, a dedicated team works to embed sustainability into our corporate strategy and drives new sustainability initiatives across the organisation.

"Our CFO is the sponsor for sustainability on the Executive Board, and we also have at least one dedicated senior executive in charge of sustainability in each Board area. These individuals form our Sustainability Council and are responsible for embedding sustainability in their business practices, such as by setting and reviewing relevant targets and implementing related programmes.

"Our external sustainability advisory panel consists of expert representatives from our customers, investors, partners, NGOs and academia. We have been leading the Dow Jones Sustainability World Index but we have to find ways to continuously improve and set higher standards."

Varshney is keen to communicate other ways that SAP is trying to exemplify the changes it wants more enterprises to make. She mentions the use of an Environmental Management System (EMS) at more than 50 sites across 30 countries, which is certified to ISO14001:2015 standards. As well as corporate offices, data centres are a significant source of carbon emissions.

"In 2014, SAP strengthened the integration of our environmental strategy into our business strategy by creating a 'green cloud' powered by 100 per cent renewable electricity - one major step towards achieving carbon neutrality and upholding our commitment towards the RE100 initiative," Varshney said.

"We realise our green cloud with a dual approach. Firstly, we invest in very high-quality, EKOenergy-certified renewable energy certificates (RECs) to foster renewable energy generation; secondly, we produce renewable electricity in selective SAP locations worldwide through solar panels. This allows us to compensate all our facility and data centre emissions. Therefore, customers can significantly reduce their carbon emissions (Scope 3) by using our green cloud solutions and services."

This leads us nicely into the enablement aspect of SAP's program. Sustainability has moved up the corporate agenda, including those of SAP customers and prospects. A virtual sustainability summit held earlier this year was expected to attract around 500 registrations but attracted in excess of 4,000.

"There is a huge demand from our customers on having sustainability embedded into their end-to-end business processes. They look to SAP because we understand how complex business processes can get, they look to us to help them with these challenges, not only within their enterprise, but also expanding towards the entire business network," explained Varshney.

"Customers can't wait, they want it now. They see EU regulations, potential mandatory disclosure on ESG, etcetera. They need to prepare right away because they can't change overnight. They want to do better and they're extremely motivated. We are proud that we are already delivering on our customers' asks, with a robust SAP S/4HANA product roadmap, embedded with sustainability innovations, beginning with SAP Product Footprint Management to be released in August."

Four dimensions of sustainable transformation

It was at this summit that SAP launched its four dimensions of sustainable transformation. The first of these centres on carbon and aims to enable SAP customers both to reduce carbon emissions and to share carbon data with their customers, suppliers and partners, increasing transparency across Scope 1, 2 and 3 emissions. The second dimension is the circular economy, with the goal of plastic-free oceans by 2030. The third involves ESG reporting, with SAP enabling more transparency and granularity of reporting, and the fourth is the building of socially responsible value networks.

Of course, in a year when very few business flights took place, and car journeys were drastically reduced, SAP, like most enterprises, experienced a significant drop in its own carbon emissions in 2020 and by the time their data was published, the firm was well ahead of both its original and revised targets. Rather than banking the rise, SAP has chosen to increase the scope of its ambitions and bring forward its target of being carbon neutral in its own operations by two years to 2023.

This willingness to take the stance of a role model and be more ambitious in their sustainability goals is an excellent way to convince others to do likewise and speed the pace of progress towards hitting SDGs across multiple industries.

Apple urged to halt plans to roll out new photo scanning feature in open letter

The feature could be exploited by threat actors in the long run, experts warn

More than 5,000 individuals and organisations have signed an open letter urging Apple to rethink the roll-out of its new photo scanning feature, which has been designed to identify child sexual abuse material (CSAM) on iPhones and iPads.

Apple announced the feature last week, saying that its upcoming versions of iOS and iPadOS will be equipped with 'new applications of cryptography' - enabling the company to identify CSAM images as they are uploaded to iCloud Photos, Apple's online storage.

However, the open letter from industry experts and privacy advocates cautions that upcoming changes have the potential to bypass any end-to-end encryption that would otherwise safeguard the user's privacy.

"While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products," reads the letter that was posted on Friday and has already been signed by over 5,000 tech executives, privacy supporters, legal experts, researchers, professors and more.

The letter cautions that the photo-scanning feature amounts to creating backdoors in Apple's software, which could be exploited by threat actors in the long run.

It requests that Apple halts implementation of the photo-scanning feature and also issues a statement "reaffirming their commitment to end-to-end encryption and to user privacy".

On Thursday, the Electronic Frontier Foundation (EFF) published a blog post, warning that Apple was "opening the door to broader abuses".

"Apple's compromise on end-to-end encryption may appease government agencies in the US and abroad, but it is a shocking about-face for users who have relied on the firm's leadership in privacy and security," the EFF said.

It argued that it was impossible to create a client-side scanning system that "can only be used for sexually explicit images sent or received by children".

"That's not a slippery slope; that's a fully built system just waiting for external pressure to make the slightest change," it added.

The Center for Democracy and Technology said it was "deeply concerned that Apple's changes in fact create new risks to children and all users, and mark a significant departure from long-held privacy and security protocols".

In a series of tweets, Will Cathcart, CEO of WhatsApp, said that WhatsApp will never use such image-scanning systems, although they do intend to combat CSAM content itself.

While announcing the new feature on Thursday, Apple said its system ensures that nobody can learn about images stored on a device if they are not sexually explicit.

Before an image is stored in iCloud Photos, an on-device matching process will be performed for that image against the database of known CSAM images, compiled by the US National Center for Missing and Exploited Children (NCMEC).

The image being checked will be converted into a hash key or unique set of numbers, and then the system will try to match the key against NCMEC's database using cryptography.

If the system flags an image, a human reviewer will review the image, to confirm a match. If it is found that the image contains child abuse material, the user's account will be disabled, and the findings reported to the NCMEC.

Obviously, Apple cannot check images for users who have iCloud Photos disabled on their devices. Similarly, images that are stored in iCloud backups will not be scanned.

The only time Apple will run CSAM image-scanning tools is when the image is being uploaded to iCloud Photos.

Apple claims that its system has an error rate of 'less than one in 1 trillion' per year, and that it does not breach users' privacy.

Green is good: Register now for Computing’s Tech Impact event

The world is in trouble, lives are at stake and supply lines are under threat. Wondering how you can help? Register for Tech Impact and find out.

The word 'sustainability' is appearing with increasing frequency. As it becomes the focus of governments and organisations of all sizes, you can expect to see and hear it more and more often. But while the word is becoming more prevalent, what it means to the tech and IT community remains as vague and elusive as ever, leaving many asking questions.

IT leaders today wonder how they can - or if they should - marry sustainability with IT; what they can do to make their own organisation more sustainable; and what impact that will have on performance. There are difficult questions to ask and answer around eco-friendly supply chains, and how to contribute to the wider fight against climate change on a regional, national or global scale.

These are important topics, and every IT professional - from the help desk to the CIO - must consider them. Green credentials are no longer just nice to have, but critical for the planet's survival.

Computing's inaugural Tech Impact conference will answer these questions and many more, by unpacking and exploring the diverse approaches organisations can take to set and meet sustainability targets.

Join us and your peers virtually from 10am-3pm on the 14th October, for this eclectic range of sessions by industry leaders and experts with a wealth of experience and knowledge. We'll look at important subjects like how to approach a net zero strategy, climate transparency, and supply chains, and hear from the IT leaders who've already been there and done that successfully.

If you're still unsure as to what your organisation's first or next step should be, and what it will take to comply with - or even exceed - international carbon neutral and net-zero targets, then join us at Computing's CIPD-accredited Tech Impact for a clear view of the path forward.

It's time to step up.