Month: August 2021
PwC Australia is on a cyber security hiring spree
Researchers warn of Vultur Trojan attempting to steal banking credentials from Android devices
The malware initiates a screen recording session if the app running in the foreground is on its target list
Researchers at cyber security firm ThreatFabric have published a report warning of a new kind of malware that is attempting to steal banking credentials of Android users through screen recordings.
Dubbed Vultur, this banking Trojan makes its way onto Android devices via a dropper called Brunhilda, which has been found in several fitness, phone-security and authentication apps available on Google Play.
About 30,000 Android devices are thought to have been infected with Brunhilda to date, meaning that thousands of Android users have likely been infected with Vultur.
Like other malware targeting Android devices, Vultur also begins its compromise by exploiting Android Accessibility Services designed to help users customise their devices.
Vultur's technique for stealing login details from the infected device is also different from other banking Trojans.
In previously observed banking Trojan attacks, threat actors have mostly relied on overlay techniques, where they trick users into believing that they are typing their login credentials in a legitimate banking app. That approach usually requires more effort and time to steal user data, according to researchers.
Vultur, on the other hand, uses code to recognise when a user is filling in a data entry form. It then uses Virtual Network Computing (VNC) on the device to record the screen, also performs keylogging via VNC, and sends all captured data to a malicious site operated by the attackers.
"The biggest threat that Vultur offers is its screen recording capability. The Trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session," the report notes.
While Vultur has been designed to mainly harvest banking login credentials, the researchers say they have also observed instances where hackers carried out keylogging for social media apps, including Facebook, TikTok and WhatsApp. In a limited number of cases, the malware was also seen targeting cryptocurrency apps.
"The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor," the report adds.
"With Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware back-end."
Vultur has so far mostly infected devices in Italy, Australia, the UK and the Netherlands, according to the researchers.
To protect themselves from a Vultur malware attack, the researchers advise users not to let the infected app use the Accessibility Services on their device.
When Vultur transmits data to its central server, the system shows an active 'casting' icon in the Android notification bar. If a user is not casting anything but the icon still appears in the notification bar, it indicates a security issue with the device.
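The report's mitigation hinges on which apps hold Accessibility Service access, so the following added example (not from ThreatFabric or the article) audits that setting as an administrator would over USB debugging. The `adb` command and the secure setting name are real; the allowlist entry and the sample device output are constructed for the example.

```python
# Added example: audit Android Accessibility Service grants, the capability Vultur
# abuses to learn the foreground app and start a screen-recording session.
# Android stores the enabled services in the secure setting
# "enabled_accessibility_services" as a colon-separated list of
# package/ServiceClass entries, readable with:
#   adb shell settings get secure enabled_accessibility_services
import subprocess

# Services you expect on managed devices (assumption: edit for your fleet).
ALLOWED_SERVICES = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}

def parse_enabled_services(raw: str) -> list[str]:
    """Split the raw setting value into 'package/Service' entries.
    The setting reads 'null' when nothing is enabled; adb output may carry '\\r'."""
    value = raw.strip().replace("\r", "")
    if value in ("", "null"):
        return []
    return [entry for entry in value.split(":") if entry]

def unexpected_services(raw: str, allowed: set[str] = ALLOWED_SERVICES) -> list[str]:
    """Entries outside the allowlist: apps that can watch the foreground app."""
    return [svc for svc in parse_enabled_services(raw) if svc not in allowed]

def read_live_setting() -> str:
    """Pull the real value from a connected device (requires adb on PATH)."""
    return subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    ).stdout

# Sample value, constructed for this example (not a real capture): a screen
# reader plus a 'fitness' app that has been granted accessibility access.
SAMPLE = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fitnessapp/com.example.fitnessapp.AccessService\r\n")

if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE):   # swap SAMPLE for read_live_setting()
        print("review accessibility grant:", svc)
```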
UK MoD turns to hackers to help secure digital assets
Chipmakers warn of continued supply chain disruptions up to 2023
Inventories 'are at a historic low', warns German chipmaker Infineon, while STMicroelectronics says prices will rise for the next two years
In its financial report for the quarter ending 30 June, German chipmaker Infineon warns of a continuing 'difficult supply environment', with inventories at a 'historic low', and with resource problems exacerbated by Covid-19 in key supplier countries such as Malaysia.
"Demand for semiconductors is unbroken, as they play a key role in enabling the energy transition and digitalisation. Currently, however, the market is faced with an extremely tight supply situation," said CEO Reinhard Ploss.
"Inventories are at a historic low; our chips are being shipped from our fabs straight into the end applications. Under these circumstances, any pandemic-related restrictions on manufacturing, such as those recently imposed in Malaysia, are especially grave."
Despite the strong demand for semiconductors and an increased profit margin, Infineon's profits grew just 1 per cent, below analysts' expectations, owing to the supply line issues.
Car-makers have been particularly badly affected by global chip supply problems, which have been caused by adverse weather conditions in Taiwan and factory fires in Japan combined with the pandemic and booming demand.
Analyst firm Ifo said that the German automobile industry has been affected by shortages of 'intermediate products', with 83 per cent of car companies saying they'd been impacted in July compared with 65 per cent in April.
"Semiconductor bottlenecks in particular are likely to continue for a while," said director Oliver Falck, who said that suppliers were deliberately stocking up on supplies to mitigate any shortages.
Last week, chief executive of Geneva-based chipmaker STMicroelectronics, Jean-Marc Chery, told Reuters the chip shortage would likely continue until the first half of 2023.
The price of the company's chips has increased 5 per cent compared with a year ago, Chery said, predicting the combination of continued high demand and a disrupted supply chain would lead to further rises for the next two years.
"It's not like in the past, when everyone was waiting for Microsoft to release a new operating system that would drive demand for many more computers," Chery said.
"What we have is global shift ... with massive orders for components."
STMicro will only be able to meet 70 per cent of its orders this year, Chery went on, although he foresees the situation easing after that as the company invests in more production capacity.
Panasas’s 10x saving bumps NetApp from HPC storage deployment
Microsoft announces general availability and pricing for Windows 365
Pricing for the subscription-based service starts at $20 per user per month and goes up to $162
Microsoft on Monday announced the general availability of Windows 365, the cloud PC service that allows users to access their desktop from anywhere via a web browser.
The software giant unveiled the new subscription-based service last month, saying it would enable users to connect to an always-on cloud PC from anywhere with an internet connection.
It also said that it would release pricing details on the day the service becomes generally available to the public.
As promised, the pricing details for Windows 365 are now public, ranging between US $20 and $162 per user per month, depending on the level of service provided.
In a blog post, Scott Manchester, director of program management at Microsoft, said he was "thrilled" to announce "the general availability of Windows 365 and the resources" that are now available to help users get started with the new cloud service.
"Windows 365 introduces a new way to experience Windows 10 or Windows 11 (when it's generally available later this calendar year) for all types of workers, from interns and contractors to software developers and industrial designers," he added.
According to Microsoft, Cloud PC is specifically designed to fulfil the growing demands of hybrid work environments that enable employees to divide their time between the office and home.
The new service will let users access their devices, including data, apps and settings, from either a personal or business device or a phone, thereby eliminating the need to commute with their PC.
It is designed to provide a complete computing experience through a web browser or a native app on any device that has an active Internet connection. Users can use Windows 365 from a PC, Mac, iPad or any mobile device with a browser, including the Raspberry Pi micro-computers that are starting to become popular in education.
Windows 365 will come in two editions: Business and Enterprise. Business plans are capped at 300 users per organisation, while Enterprise subscribers can have unlimited users. Another difference between the two editions is that Business customers access Windows 365 through the URL windows365.microsoft.com, while Enterprise customers will have it integrated with Microsoft Endpoint Manager.
The company is also offering a 'Windows Hybrid Benefit' which means that users with existing licences can apply for a discount.
The entry-level $20 per user per month Business plan provides a Cloud PC with a single virtual core, 2 GB of RAM and 64 GB of storage, and requires the Windows Hybrid Benefit.
Those without an existing licence will pay $4 more per user per month.
A "Premium" plan with four virtual cores, 16 GB RAM, and 128 GB storage costs $66 per month with the $4 discount.
The most expensive $158 per user per month ($162 without Hybrid Benefit) option provides a Cloud PC with 8 virtual cores, 32 GB of RAM, and 512 GB of storage.
Organisations can choose the storage size of the Cloud PC through an admin panel.
Software supply chains and security – will the Software Bill of Materials approach work?
SBOMs are now law in the US, but it will be a challenge to make them work
Over the past year, software supply chain attacks have affected public sector and private enterprises alike. As services have moved to digital and more complex deployments have been rolled out, the likelihood of flaws existing in those software supply chains has increased. So how should we react to this?
The US government provides one example. It published an Executive Order on cybersecurity that will enforce secure software development processes. As part of this, all federal organisations will require their suppliers to give them a Software Bill of Materials (SBOM) for their IT projects, listing all the components involved. Based on the guidance from the US National Telecommunications and Information Administration, using these SBOMs will provide a complete list of all the software in place across the organisation, which can then be used to prevent potential threats in the future.
This approach is aimed at preventing vulnerable components making their way into federal IT implementations, as well as helping those security teams plan ahead when a new issue is discovered. By providing a complete picture across internal and external IT projects, teams can prevent issues leading to breaches over time and have better insight into their software supply chains.
What can the UK government learn from this, and can other enterprises adopt something similar?
Will the SBOM approach work?
In theory, SBOMs make a lot of sense. Gaining more visibility into the software supply chain can only be a good thing, but making this work in practice will involve creating a solid workflow that can keep up with all the changes taking place within IT vendors' products as well as in internal IT assets.
To get this right, there are some lessons that can be learned from the IT asset management (ITAM) projects that most public sector organisations have in place. ITAM describes how organisations track hardware assets, software products and licenses. An up-to-date asset inventory provides an accurate picture of all the software installed across an organisation. Based on this, you can keep track of your assets and flag any potential problems or software vulnerabilities for updates as they arise.
But ITAM is a challenge to implement correctly and even harder to maintain. With so many software assets and multiple platforms in place, changes occur all the time. After Covid-19 - when IT teams had to scramble to provide more endpoint assets for people to work from home, or when users simply took their corporate devices home - this has become even more difficult, as so many assets are now outside of the office, in the cloud or absent from official managed lists.
For many companies and public sector bodies, ITAM gets moved into the 'too hard' pile because it is difficult to maintain an accurate list of assets and software. However, without that accurate list of assets, it is impossible to have an idea of your potential vulnerabilities. For SBOMs, getting over this hurdle will be essential if they are to deliver on that promise of value.
To make SBOMs work effectively, senior level support will be needed. The fact that the US government has mandated SBOMs will help here, as all vendors will have to put these together in a timely manner. Any time that a component in a product or service gets updated, a new SBOM will be needed.
For the vendor, automating this process should help them deliver this information efficiently to all those that need it. For the internal team, tracking all the products and software projects in place will be more challenging. The NTIA suggests that this will be automated in future, which should make the process easier. For other companies and public sector organisations looking on, this automation process should be something that they can learn from or adopt as well.
Combining established ITAM, vulnerability management and software supply chain management processes will provide that fuller picture of what is in place at the organisation. Using this data over time, IT teams will be able to prioritise what they have to update, see what they have to mitigate, and put more effective pressure on suppliers to fix issues in their software as well.
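The join described in the last two paragraphs, as an added example that is not from the article, Qualys or the NTIA: supplier SBOMs (fields named after the NTIA minimum elements: supplier, component name, version, unique identifier, author, timestamp) are matched against a vulnerability feed and weighted by the ITAM host count, so the widest exposure is patched first and the right supplier is chased. All products, versions, advisory identifiers and host counts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    supplier: str
    name: str
    version: str
    identifier: str   # unique identifier, e.g. a package URL (constructed here)

# SBOMs, one per product as handed over by its vendor (constructed sample data).
SBOMS = {
    "payroll-portal": {
        "author": "Vendor A", "timestamp": "2021-08-02",
        "components": [
            Component("Vendor A", "payroll-portal", "4.2", "pkg:generic/payroll-portal@4.2"),
            Component("OSS", "jsonlib", "1.4.1", "pkg:generic/jsonlib@1.4.1"),
        ],
    },
    "hr-mobile": {
        "author": "Vendor B", "timestamp": "2021-08-10",
        "components": [
            Component("Vendor B", "hr-mobile", "2.0", "pkg:generic/hr-mobile@2.0"),
            Component("OSS", "jsonlib", "1.5.0", "pkg:generic/jsonlib@1.5.0"),
        ],
    },
}

# ITAM view: managed hosts running each product (constructed).
INVENTORY = {"payroll-portal": 120, "hr-mobile": 15}

# Vulnerability feed (constructed advisories, not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "jsonlib", "affected": {"1.4.0", "1.4.1"}, "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-002", "component": "hr-mobile", "affected": {"2.0"}, "fixed_in": "2.1"},
]

def affected_products(sboms=SBOMS, advisories=ADVISORIES):
    """(advisory id, product, shipped version, fixed-in, supplier) for every SBOM match."""
    hits = []
    for adv in advisories:
        for product, sbom in sboms.items():
            for comp in sbom["components"]:
                if comp.name == adv["component"] and comp.version in adv["affected"]:
                    hits.append((adv["id"], product, comp.version, adv["fixed_in"], sbom["author"]))
    return hits

def prioritised_updates(sboms=SBOMS, advisories=ADVISORIES, inventory=INVENTORY):
    """Widest installed footprint first: the order in which to patch and to chase suppliers."""
    return sorted(affected_products(sboms, advisories), key=lambda h: inventory.get(h[1], 0), reverse=True)
```

Note that hr-mobile already ships the fixed jsonlib, so ADV-EXAMPLE-001 is attributed only to payroll-portal; a refreshed SBOM after each vendor update is what keeps that attribution correct.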
The future for SBOMs
The Biden government's Executive Order and the NTIA Minimum Standards document combine to inform everyone involved in software supply chains of their roles and responsibilities in improving security. This can provide a blueprint for governments around the world to follow. However, there are lessons to learn from existing processes for tracking IT assets too. The UK, in particular, is relatively advanced in IT process management thanks to the adoption of ITIL in the past - but not all IT teams use this framework.
Using SBOMs to track updates should help IT teams follow how suppliers update their software products and thus prevent problems at an early stage. However, unless they can depend upon suppliers providing data in a timely fashion, it will be hard to prioritise or apply pressure where it's needed; without a combination of internal and external data sources, it is difficult to keep this information in context; and without executive level support, it will be hard to keep these programmes running and providing value.
There are many elements to get right, but by doing so SBOMs should help keep public services more secure.
Matthew Middleton-Leal is vice president EMEA at Qualys
Enter the Security Excellence Awards now to share your security success
You're out to impress your peers: our judges
It's been a tough year for cybersecurity; from the initial panic about home working, safety and confidentiality, to the recent spate of ransomware attacks - and, ironically, fears about a return to the office. Security teams could be forgiven for not knowing whether they're coming or going.
As we said, it's been a tough year - but not an insurmountable one. Vendors and service partners quickly pivoted to support remote working, and plenty of companies came through the pandemic untouched, at least from an IT perspective, thanks to their security teams. Now, it's time to celebrate those stories.
Computing's Security Excellence Awards celebrate the achievements of the security industry over the last year, recognising and rewarding the companies, people, products and projects that keep the rest of us safe.
This year we're featuring returning categories like the Enterprise Threat Detection Award, Cloud Security Award and CISO/CSO of the Year, as well as new categories: Security Project of the Year and Best Use of AI/Automation in Security. While we had hoped that the pandemic would be a distant memory by this point, its effects are still being felt so we're also bringing back our Special Award for Pandemic Resilience, which we launched in 2020.
You have until Friday 17th September to get your entries in, so don't delay. Winners will be announced at an online ceremony on the 1st December.
All valid entries must have a UK presence, and should not consist of marketing copy; any that do will be rejected.
Security Excellence Awards categories 2021
- DevSecOps Award
- Backup, Recovery and DLP Award
- IoT and Edge Computing Security Award
- Email Security Award
- Enterprise Threat Detection Award
- IAM Award
- Managed Security Award
- Network Security Award
- Remote Security Award
- Risk Management Award
- AI/Automation Security Product Award
- Cloud Security Award
- Enterprise Security Solution Award
- SME Security Solution Award
- Security Training Programme of the Year
- Security Team of the Year
- Security Rising Star
- Security Woman of the Year
- CISO/CSO of the Year
- Security Vendor of the Year - SME
- Security Vendor of the Year - Large Organisations
- Special Award: Pandemic Resilience
- Security Innovation of the Year
- * NEW * Security Project of the Year
- * NEW * Best Use of AI/Automation in Security