Cybersecurity firm FireEye has recently released a report detailing the techniques used by the SolarWinds hackers inside the networks of companies they breached.

With the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.

Today's FireEye report comes as the security firm has spearheaded investigations into the SolarWinds supply chain compromise, together with Microsoft and CrowdStrike.

The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.

The malware, known as Sunburst (or Solorigate), was used to gather info on infected companies. Most of the 18,000 SolarWinds customers who installed a trojanized version of the Orion app were ignored. Still, for some selected targets, the hackers deployed a second strain of malware known as Teardrop. They then used several techniques to escalate access inside the local network and the company's cloud resources, focusing on breaching Microsoft 365 infrastructure.

In its 35-page report, FireEye has detailed these post initial compromise techniques, along with detection, remediation, and hardening strategies that companies can apply.

Summarized, they are as follows:

1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user's password or their corresponding multi-factor authentication (MFA) mechanism.
2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
3. Compromise the credentials of on-premises user accounts synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
4. Highjack an existing Microsoft 365 application by adding a rogue credential to it to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc., while bypassing MFA.

"While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible," FireEye said.

FireEye's ability to detect these techniques inside its network led to the company investigating an internal breach and then discovering the broader SolarWinds incident.
​
Similar tools to the one FireEye released today have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT).

At least 80% of cybersecurity failures involve direct attacks on users' passwords, the World Economic Forum warns. This is a problem that's not going away any time soon. For Microsoft, as it explains in an official blog post, the solution may lie in a passwordless future, and it's hoping to ramp it up next year.

Whether it's storing personal information about addresses, finances, and highly private records, or running companies entirely virtually, the internet is where people live a good deal of their lives. And these people rely on passwords to guard their data and information against malicious actors. In response to hackers, some experts encourage the use of two-factor authentication, but that still isn't airtight.

"Passwords are a hassle to use," it notes, "and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month."

Security keys. For years now, Microsoft has been nudging people to adapt to a passwordless virtual landscape. To dispense with passwords without compromising security, the company offers physical encryption devices like the FIDO2 security key to open Hybrid Azure Active Directory Windows 10 devices.

Biometrics. Apart from security keys, Microsoft also emphasizes the need to try other techniques, like using biometric data to open devices as they do with mobile phones: fingerprints, iris scans, or Apple-style Face ID systems.

Biometric security measures come with their share of privacy concerns, though. But Microsoft is nonetheless eager to encourage a transition to biometrics and FIDO2 security keys. Because those are still more difficult to manipulate and compromise and less susceptible to the social engineering that so often sees passwords come undone.

The company wants this passwordless paradigm to be able to transcend different environments. Users should be able to, for instance, gain access to laptops and cloud-based apps with the same information that would let them access company buildings. Of course, this sort of cross-device and environment security makes ensuring it can't be compromised all the more critical.

Microsoft says its research has found that people are very open to the idea of ditching passwords for good. "Passwordless usage in Azure Active Directory is up by more than 50% for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys," according to the blog post.
​
But if this passwordless strategy is to become common and reliable in everyday use, Microsoft will have to go beyond its own users and bring rivals like Google and Apple on board, too. That could still take a little convincing.

Remember when Amazon (quietly) announced its expansion to Sidewalk, back in September? Well, the feature is live for some in a new update for the Amazon Alexa app, and you might want to go turn it off. We covered it in Issue 7-25.

Sidewalk is a feature that extends the network coverage of your devices, particularly Ring surveillance tech (like its cameras, smart lights, and pet trackers) and Echo smart speakers. But it'll also share a small chunk of that internet bandwidth to provide the same services to your neighbors – so your privately-owned devices won't be so private anymore. 

Sidewalk has been slowly rolling out to Echo and Ring owners in the U.S. as of Thanksgiving, which users were made aware of via an email from Amazon. While the feature isn't up and running yet, the email essentially notifies users that it's "coming soon." But it's also the company's discreet way of letting you know the feature has officially been turned on. 

Amazon makes it easy to opt out if you're only just unboxing your shiny, new Sidewalk-compatible device. During the setup process, users are asked if they want to join the network via the Amazon Alexa app. However, if you already own one of the 20 Sidewalk-enabled products, it'll automatically opt-in for you. 
To disable Sidewalk, all you need to do is: 

• Update the Amazon Alexa app or double-check that you're on the latest version
• Open the Amazon Alexa app and tap on the More tab
• Then, tap Settings > Account Settings > Amazon Sidewalk and toggle off the Enabled button
  ​
  

Thankfully, the additional Community Finding feature – which "can help your neighbors find pets and important items connected to Sidewalk by sharing the approximate location of [your] device and other Sidewalk bridges you own" is disabled automatically.

Of course, if you'd like to use Sidewalk on either your Echo smart speaker or Ring security device, you'll be happy to know you're already all set for when Amazon officially launches the new feature.

Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via Short Message Service (SMS) and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.

In a blog post last year, citing internal Microsoft statistics, Weinert said that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.

But in a follow-up blog post, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.

The Microsoft exec cites several known security issues, not with MFA, but with today's state of the telephone networks.

Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.

SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

Further, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card – in attacks known as SIM swapping – allowing attackers to receive MFA one-time codes on behalf of their victims.

On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.

SMS and voice calls are the least secure MFA method today.

All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert.

The Microsoft exec believes that this gap between SMS & voice-based MFA "will only widen" in the future.
As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its extensive adoption.

Weinert says that users should enable a more robust MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.

But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
​
This preference for app or security key alternatives for MFA shouldn't mean that users should disable SMS or voice-based MFA for their accounts without substituting another MFA approach. SMS MFA is still way better than no MFA at all.

If ever there was a decade that announced itself so defiantly in the first year, it’s the 2020s. With so much change and volatility already, 2020 has proven this decade will be dramatically different than the one before it. IT and business leaders must prepare for ten years, unlike any others. 

For IT and business leaders, success in the 2010s meant capitalizing on innovative commercial IT (think cloud and mobile). As the decade went on, many of those firms began leveraging the same commercial platforms, looking and feeling very similar to their customers. Forward-thinking organizations began examining how digital differentiation could give them a leg up and then – wham! – 2020 came in with a bang.

In only a few months, business models were flipped on their heads. The coronavirus pandemic, economic downturns, the rise of values-based consumers, and increasing climate issues forced most businesses to pivot to new, mostly digital, models quickly this year. 

In case it’s not clear by now: What worked in the 2010s will not work in the 2020s as we see business shift from global toward hyperlocal operations. So, what will work? 

For starters, every business role must incorporate systemic risk into long-term planning. For future-fit IT leaders, the risks aren’t limited to the data center or network outages. Today’s threats include rapidly changing consumer trends that require digital pivots, increasingly complex security concerns, the ethical use of AI, and the increasing impacts of climate change. 

Feeling overwhelmed? The good news is that several emerging technologies can help your organization identify and address these risks and create a competitive advantage through disruptive innovation. A few examples include: 

• Employee privacy software that leverages the downpour of employee data without infringing on employee trust 
• AI that is learning how to code enterprise software and changing firms’ organizational structures 
• Cloud-native technology that helps you innovate with software everywhere, especially at the edge 
• Software dedicated to analyzing climate risk to evaluate your individual organization’s risk 
• Robotic process automation that can scale back-office processes for increased resiliency 

Aligning your tech stack to address your organization’s highest risks and pursue the right innovations will be the differentiator for future-fit firms in the 2020s. One of my prime reference sources is Forrester Research. They practice what they preach. Here are some of the steps they are taking to move productively into the 2020’s:

• Leveraging new technology platforms and models to deliver our research and insights to clients more efficiently in formats that let you decide how you want to learn from us. For example, each of the links above will take you to a short-form story explaining an important technology trend in video and text. Each further provides direction on the most critical emerging technologies to invest in, along with a link to our research to learn more. 
• We are moving from an annual trends and technologies report cadence to twice a year in the spirit of more insight faster, with new trends and emerging tech updates published in between.    
• Lastly, to start planning your roadmap for the decade ahead, our upcoming event, Technology & Innovation Global, will dive deep into many of these trends in a keynote panel I will be hosting. We will also feature several breakout sessions from our top analysts. At that event, we’ll demonstrate our next generation of emerging technology and trends research tools, so please join us!   

There are a lot of encrypted USB flash drives out there. You plug them in, and either there's an on-screen popup that asks for your passcode, or some sort of physical keypad that is used to gain access.

But what about transferring the unlocking mechanism to a mobile device – such as a smartphone or your Apple Watch?

This is precisely what the iStorage datAshur BT hardware-encrypted USB flash drive does.

Visually, the iStorage datAshur BT looks like any other USB flash drive. It has a tough epoxy-like exterior that gives the drive a water- and dust-resistant rating of IP57 (protected against damage from dust ingress, and water resistant to 1 meter).

The datAshur BT comes in capacities from 16GB to 128GB.

Data on the datAshur BT is fully encrypted using AES-XTS 256-bit hardware encryption, which is FIPS 140-2 Level 3 compliant design and technology. Brute force is defended against by a built-in data wipe if there are too many wrong attempts made.

Everything is protected by a 7-15-character password or a biometric unlock such as Face ID/Facial recognition, Touch ID/Fingerprint, or IRIS scanning from a smartphone or tablet. The drive communicates using Bluetooth to any smartphone/tablet (iOS/Android) or Apple Watch. The Bluetooth channel is secured by a FIPS validated encryption layer and is only used for connection purposes. There is also support for 2FA using SMS.

The drive itself is completely host independent, so it will work with Windows, Mac, Linux, Chrome, and so on, VDIs such as Citrix and VMWare, and also with embedded systems such as medical devices, TVs, drones, printers, scanners, or pretty much anything with a USB port.
​
Prices for the iStorage datAshur BT range from $103 to $181, depending on the capacity.

Microsoft has disrupted a massive hacking operation that it said could have indirectly affected election infrastructure if allowed to continue. 

Last Monday, the company said it took down the servers behind Trickbot, a massive malware network that criminals were using to launch other cyberattacks, including a strain of highly potent ransomware. 

Microsoft said it obtained a federal court order to disable the IP addresses associated with Trickbot's servers and worked with telecom providers worldwide to stamp out the network. According to The Washington Post, the action coincides with an offensive by US Cyber Command to disrupt the cybercriminals, at least temporarily.

Microsoft acknowledged that the attackers are likely to adapt and seek to revive their operations eventually. Microsoft said the company's efforts reflect a "new legal approach" that may help authorities fight the network going forward.

Trickbot allowed hackers to sell what Microsoft said was a service to other hackers – offering them the capability to inject vulnerable computers, routers, and other devices with other malware. 

That includes ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or third-party software vendors that provide services to election officials.

"Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," Microsoft VP of security Tom Burt wrote in a blog post.

Ransomware seizes control of target computers and freezes them until victims pay up – though experts urge those affected by ransomware not to encourage hackers by complying with their demands. The Treasury Department has warned that paying ransoms could violate US sanctions policy.

He added: "We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems."

A separate technical report by Microsoft said Trickbot had been used to spread the Ryuk ransomware. Security experts say Ryuk has been attacking 20 organizations per week.

But Trickbot has also been used to spread false and malicious emails containing malware that tried to lure victims in with messaging surrounding Black Lives Matter and Covid-19, Microsoft said.

Microsoft said Trickbot had infected more than 1 million computing devices globally since 2016 and that its operators have acted on behalf of both governments and criminal organizations, but their exact identity remains ambiguous.

Taking down Trickbot follows a series of attacks that became highly publicized in recent weeks: One targeting Tyler Technologies, a software vendor used by numerous local governments, and Universal Health Services, one of the nation's largest hospital companies. A statement on Tyler Technologies' website has said the company does not directly make election software. The software it produces that is used by election officials to display voting information is separate from its internal systems affected by the attack.
​
Ransomware could pose a risk to the election process if systems designed to support voting are brought down, according to Check Point threat analyst Lotem Finkelstein. Still, so far, experts regard it as "mainly a hypothetical threat right now."

Companies are tracking what you do online. You know this. But it can be a challenge to see the extent because the methods are hidden on purpose. At least 87% of the world’s most-popular Web domains engage in some form of digital tracking without you ever signing in, according to investigative journalism nonprofit the Markup.

To investigate the pervasiveness of online tracking, The Markup researchers spent 18 months building a one-of-a-kind free public tool that can be used to inspect websites for potential privacy violations in real time. Blacklight reveals the trackers loading on any site—including methods created to thwart privacy-protection tools or watch your every scroll and click.

In one study, scanning more than 80,000 of the most popular websites using the Blacklight software, found more than 5,000 were “fingerprinting” users, identifying them even if they block third-party cookies.

The study also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page – including scrolls and mouse movements. It’s called “session recording,” and the study found a higher prevalence of it than researchers had documented before.

74% of sites loaded Google tracking technology, and 33% loaded Facebook trackers. It’s staggering to see the reach of those two Silicon Valley giants – it’s easy to forget they track you even when you’re not using their websites or apps.

Try it out here. Just enter a URL, and you’ll see a real-time count of the ad trackers, third-party cookies, cookie evaders, and keystroke recorders on any given site.

What you find might surprise you. Pet food-maker Purina notched almost every possible kind of tracking Blacklight detects, which Purina can use to learn about the demographics and interests of people, their brand loyalty and even to understand how they use their website. It had 16 ad trackers, 34 third-party cookies, fingerprinting, and monitoring of keystrokes and mouse clicks.

Joe Biden’s website as of Thursday used fewer third-party cookies, 7, than President Trump’s website, 38, according to Blacklight.
​
Microsoft had 50 third-party cookies. Apple had zero – in fact, it uses no tracking tech at all, according to Blacklight.

Wireless engineers, automakers, and governments have spent years preparing for a future where autonomous cars will communicate with each other and sophisticated transportation networks – an initiative known as “cellular vehicle to everything,” commonly abbreviated C-V2X. Recently, the 5G Automotive Association (5GAA) offered a roadmap for mass deployments of automotive communications technologies, and its timeline includes several interesting dates that aren’t as far off as some people might have guessed.

Based on the current pace of cellular industry standards organization 3GPP’s 5G releases, global 5G deployments, and the state of the automotive communications supply chain, the 5GAA expects three C-V2X stages over the next decade:

1. From 2020 through 2023, automakers will rely on 4G LTE-V2X technology to enable basic safety features, such as left-turn assistance and emergency electronic brake light features, to improve traffic efficiency. They’ll augment primary local hazard and traffic information that’s already being shared over cellular networks.
2. Starting in 2024, the 5GAA predicts a “large-scale introduction” of 5G-enabled automated driving technologies that rely on communications between vehicles and infrastructure. For example, 5G-V2X will be used to park cars in parking garages automatically – a car-to-private infrastructure use case Bosch is already testing in German and U.S. locations – followed by “more complex environments and scenarios” including public roads. Tele-operated driving will also be possible.
3. In 2026, 5GAA expects all new autonomous vehicles will include 5G-V2X, kicking off an age where cars cooperate by sharing high-definition sensor data. Some of C-V2X’s most widely anticipated autonomous functionality, such as cars being able to share their upcoming intentions with each other and the network, as well as combining video and depth information for real-time cooperative perception, will be in pilot test stages at this point. Urban and highway pilot programs for dynamic intersection management and cooperative traffic flows could take until 2029.

5GAA expects that the 3GPP will continue to evolve the 5G standard from current Release 16 through 2023’s Release 18, enhancing industry support and specifications for 5G-V2X as carriers continue building out their 5G infrastructures. As nice as it would be if autonomous vehicles could just start relying on 5G today, the reality is that 5G infrastructure isn’t yet built out enough around the world. There are technological and legal practicalities to consider, as well.
​
Allocating wireless spectrum to vehicles will be critical to 5G-V2X deployments, the 5GAA notes, ideally harmonized internationally at 5.9GHz, as well as low band spectrum for use in rural driving, and mid-band spectrum in urban environments. The group expects basic safety to require 10 to 20MHz of spectrum for direct 4G communications, plus 40MHz or more for advanced 5G driving.

Microsoft, IBM, Hyperledger, and other technology and financial organizations have formed an alliance to develop global standards for tokenized ecosystems. 

Microsoft’s principal architect, Marley Gray, and Enterprise Ethereum Alliance’s former executive director, Ron Resnick, recently launched the InterWork Alliance (IWA), a nonprofit organization aimed at bringing global standards to the token-based ecosystem.

At launch, the IWA included more than 28 blockchain, technology, and financial organizations from around the world, including Microsoft, Chainlink, Hyperledger, IBM, Nasdaq, Accenture, and others.

The IWA indicated that startups presently working on tokenized ecosystems are mostly focusing on their individual solutions and marketing their platforms to other businesses.

Setting global standards, it said, will help focus this wide-scale innovation to make a collective impact on businesses. Resnick, IWA’s president, stated:

“For this approach to work, standards are urgently needed around defining what a token is and how its contractual behaviors will work.”

Common Frameworks. InterWork Alliance plans to work on three different frameworks of global standards for tokenized ecosystems. First, the Token Taxonomy Framework will provide a common language and toolset so that multiple parties can agree on the same terms that define a token and its use. 

The InterWork Framework will help businesses compose multiparty contracts from standard, globally recognized clauses set by the IWA. Lastly, the Analytics Framework will help companies to analyze multiparty deals and utilize artificial intelligence services and market-driven data reporting.

With these, the IWA will eventually work on interoperability between decentralized applications from different blockchain networks. 

Standardization for Wider Adoption. Organizations involved with the IWA are highly optimistic about how bringing global standards to the token ecosystem will further the adoption of distributed business models.

Gray noted that providing indstry participants with token standards for a variety of distributed technology use cases can help foster interoperability and drive widespread adoption. 

Brian Behlendorf, the executive director of Hyperledger (an IWA member), said:

“Standards play a critical role in the evolution and adoption of any emerging technology. Distributed applications and token-based services will require established frameworks that assure solutions interwork on the business level, regardless of underlying technology platforms.”
​
“The Alliance will help establish a foundation not only for technology and business but for the changing tokenization landscape as well. A platform-neutral alliance is critical for the entire industry,” said Nitin Gaur, the director of IBM WW Digital Asset Labs.