
Welcome to DarkSide – and the inexorable rise of ransomware | John Naughton

Voice Of EU


On Friday 7 May, Colonial, the quaintly named operator of the pipeline that brings 45% of the US east coast’s gasoline and jet fuel from Texas to New York, announced that it had been hacked. My initial assumption was that this was Russian retaliation for the Biden administration’s punitive cyber-attacks on Russia in response to the SolarWinds hack. After all, if a pipeline like this isn’t “critical infrastructure”, what is? If so, were we not witnessing a significant escalation in information warfare between two nuclear-armed powers?

Fortunately, my overheated imagination turned out to be wrong, but the reality – in a way – is almost as interesting. On 10 May, the FBI announced that the attack on Colonial was caused by an outfit called DarkSide, which specialises in ransomware, and that the bureau had forced the company to halt its pipeline’s operations so that it could carry out a full investigation into the breach.

So who or what is DarkSide? According to Intel 471, a security company that surveys the teeming cybercriminal ecosystem of the internet, DarkSide was first spotted in November 2020 on a Russian-language hacker forum, advertising for partners for a ransomware service. What it was pitching was a platform that “approved” cybercriminals could use to infect companies with ransomware and carry out negotiations and payments with victims. “We are a new product on the market,” it burbled, “but that does not mean that we have no experience and came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.” Not long afterwards, its software was found to be behind several ransomware attacks on manufacturers and legal firms in Europe and the US.

According to Intel 471, in March 2021, DarkSide “rolled out a number of new features in an effort to attract new affiliates. These included versions for targeting Microsoft Windows- and Linux-based systems, enhanced encryption settings, a fully fledged and integrated feature built directly into the management panel that enabled affiliates to arrange calls meant to pressure victims into paying ransoms and a way to launch a distributed denial of service (DDoS).”

Note the reference to a “management panel”. In conventional software packages, this would be called a “dashboard”, a visual tool to enable non-technical managers to run a complex program without knowing anything about the code. The panel also seems to provide scripts for conducting negotiations with victims. Intel 471 monitored one of these conversations. “This is a lot of money,” the victim writes. “My management needs a better understanding of what data you may have taken. Can you provide proof that you have our data?” Answer: “Yes will provide a sample for you.” The victim continues: “When you receive payment you will not publish the attack or sell exfiltrated data?” Answer: “Of course not, you will get access to a server with data and will delete it yourself. Also we can provide you with a pentest [penetration test] report how you have been breached and what [you] need to improve.”

You get the picture. This is awfully like the kind of dialogue you would see in a conventional business negotiation. What it shows is what the security expert Ross Anderson has been pointing out for years: that cybercrime has been industrialised and that one can analyse it using the methods and economic concepts that one would use if studying any burgeoning line of business.

In that sense, public discourse about cybercrime and its practitioners is way behind the curve. As Ross and his colleagues have shown, criminals are rational actors, not lone hackers with poor hygiene and a penchant for pizza. They see what they do as a low-risk activity with very high profit margins. And they operate in a networked world in which even large and wealthy companies are still failing to take computer security seriously. The significance of the Colonial hack is its confirmation of cybercrime as a major new industry.

Many years ago, I got my first insight into this underworld when a senior police officer took me on a virtual tour of this netherworld. We looked at the online markets in which stolen personal details were traded and the different prices at which various “products” were bought and sold. (PayPal logins attracted premium prices at the time; maybe they still do.) What it looked like was eBay for crooks. And the most striking thing was that in these marketplaces the traders seemed as anxious as you or I would be to establish reputations for reliability and quality. In some cases, there were even star rating systems like you’d see on Uber or, for that matter, on eBay. There may be honour among thieves, as the saying goes, but they still fretted about their online reputations. And DarkSide’s claim that it has occasionally donated some of its profits to charity suggests an interesting new interpretation of “corporate responsibility”. It’s time we wised up to this new reality.

What I’ve been reading

Picture perfect
Obscura No More is a lovely essay in the American Scholar by Andy Grundberg on the rise of photography as an art form.

Pandemic pandemonium
The origin of Covid: Did people or nature open Pandora’s box at Wuhan? is a great piece of analysis by Nicholas Wade in the Bulletin of the Atomic Scientists.

Ready for future shocks?
What Is Ours Is Only Ours to Give is an excellent essay by Maria Farrell on the Crooked Timber blog triggered by Kim Stanley Robinson’s new novel, The Ministry for the Future.


Microsoft to kill off old access rules in Exchange Online • The Register


Microsoft next month will start phasing out Client Access Rules (CARs) in Exchange Online – and will do away with this means for controlling access altogether within a year.

CARs are being replaced with Continuous Access Evaluation (CAE) for Azure Active Directory, which, according to a notice this week from Microsoft’s Exchange Team, can apparently pick up changes to access controls, user accounts, and the network environment in “near-real time” and enforce the latest rules and policies as needed.

That might be useful if suspicious activity is detected, or a user account needs to be suspended, and changes to access need to be immediate.

“Today, we are announcing the retirement of CARs in Exchange Online, to be fully deprecated by September 2023,” the advisory read. “We will send Message Center posts to tenants using client access rules to start the planning process to migrate their rules.”

CARs are used by Microsoft 365 administrators to allow or block client connections to Exchange Online based on a variety of characteristics set forth in policies and rules.

“You can prevent clients from connecting to Exchange Online based on their IP address (IPv4 and IPv6), authentication type, and user property values, and the protocol, application, service, or resource that they’re using to connect,” according to a Microsoft document from earlier this year.

For example, access can be granted to Exchange resources from specific IP addresses, with all other clients blocked. Similarly, the system can filter access to Exchange services by department or location, or based on usernames.
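As an added illustration of how priority-ordered client access rules of this kind are evaluated, here is a constructed Python model. It is not Exchange Online’s code and uses no Exchange cmdlets; the rule fields, the sample addresses and departments, and the default of allowing a connection that matches no rule are all assumptions of the model. Rules are tried in priority order and the first rule whose every condition holds decides; the sample policy encodes the “specific addresses in, everyone else out” pattern from the article plus a narrower rule that blocks Basic authentication for one department.

```python
"""Toy model of priority-ordered client access rules (constructed example,
not Exchange Online's implementation)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Connection:
    client_ip: str
    protocol: str          # e.g. "OutlookWebApp", "RemotePowerShell" (assumed names)
    auth_type: str         # e.g. "BasicAuthentication", "OAuthAuthentication"
    user: str
    department: str = ""   # assumed user property used for filtering


@dataclass
class Rule:
    name: str
    priority: int                                 # lower number is evaluated first
    action: str                                   # "allow" or "deny"
    ip_ranges: tuple[str, ...] = ()               # IPv4 or IPv6, CIDR or single address
    except_ip_ranges: tuple[str, ...] = ()        # carve-outs that never match this rule
    protocols: tuple[str, ...] = ()
    auth_types: tuple[str, ...] = ()
    departments: tuple[str, ...] = ()

    def matches(self, conn: Connection) -> bool:
        """A rule matches only if every condition it sets is satisfied;
        an empty condition is 'any'. IPv4 addresses never fall inside an
        IPv6 range and vice versa (ipaddress handles that)."""
        addr = ip_address(conn.client_ip)
        nets = [ip_network(r, strict=False) for r in self.ip_ranges]
        if nets and not any(addr in n for n in nets):
            return False
        if any(addr in ip_network(r, strict=False) for r in self.except_ip_ranges):
            return False
        if self.protocols and conn.protocol not in self.protocols:
            return False
        if self.auth_types and conn.auth_type not in self.auth_types:
            return False
        if self.departments and conn.department not in self.departments:
            return False
        return True


def evaluate(rules: list[Rule], conn: Connection) -> tuple[str, Optional[str]]:
    """Return (decision, name of the deciding rule). A connection that matches
    no rule is allowed; that default is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(conn):
            return rule.action, rule.name
    return "allow", None


# Constructed policy (sample ranges are documentation addresses).
POLICY = [
    Rule("Block Basic auth for Finance", 1, "deny",
         auth_types=("BasicAuthentication",), departments=("Finance",)),
    Rule("Allow office ranges", 2, "allow",
         ip_ranges=("203.0.113.0/24", "2001:db8:10::/48"),
         except_ip_ranges=("203.0.113.250/32",)),   # a quarantined host
    Rule("Deny everyone else", 3, "deny"),
]


def decide(client_ip: str, protocol: str, auth_type: str,
           user: str, department: str = "") -> tuple[str, Optional[str]]:
    """Evaluate one connection against the constructed POLICY."""
    return evaluate(POLICY, Connection(client_ip, protocol, auth_type, user, department))


if __name__ == "__main__":
    for conn in [("203.0.113.7", "OutlookWebApp", "OAuthAuthentication", "alice", "Sales"),
                 ("2001:db8:10::1f", "OutlookWebApp", "OAuthAuthentication", "alice", "Sales"),
                 ("198.51.100.9", "OutlookWebApp", "OAuthAuthentication", "carol", "Sales"),
                 ("203.0.113.250", "OutlookWebApp", "OAuthAuthentication", "dave", "Sales"),
                 ("203.0.113.7", "ActiveSync", "BasicAuthentication", "bob", "Finance")]:
        print(conn[0], conn[2], conn[4], "->", decide(*conn))
```

The ordering matters: the deny-all rule must carry the lowest precedence, or it would shadow the allow rule, and the Basic-auth block must sit above the office allow rule so that a Finance user on a trusted range is still refused Basic authentication.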

Microsoft announced the replacement CAE in January, touting its ability to act fast on account revocation, disablement, or deletion; password or user location changes; the detection of nefarious activity; and other such updates, according to a blog post at the time by Alex Simons, corporate vice president of product management for the Windows giant’s identity and network access division.

“On receiving such events, app sessions are immediately interrupted and users are redirected back to Azure AD to reauthenticate or reevaluate policy,” Simons wrote. “With CAE, we have introduced a new concept of zero trust authentication session management that is built on the foundation of zero trust principles – verify explicitly and assume breach.”

With this zero-trust focus, session integrity – rather than a set session duration – is what dictates a user’s authentication lifespan, we’re told.

CAE not only aims to give enterprises greater and more immediate control over access and events, but users and managers may appreciate the speed at which changes are adopted, Microsoft claims.

“Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical Azure AD events,” Microsoft added earlier this month. “Those events can then be evaluated and enforced near real time. Critical event evaluation doesn’t rely on Conditional Access policies so it’s available in any tenant.”

Critical events can include a user account being deleted or disabled, a user’s password being changed or reset, or multifactor authentication being enabled for a user. There are also other events, such as an administrator explicitly revoking all refresh tokens for a user, or Azure AD Identity Protection detecting a rogue insider.

Finally, for workload identities, CAE enforces token revocation for workloads, among other things, according to Microsoft. ®
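As an added example of the subscription model described above, here is a constructed Python simulation; it is not Microsoft’s code, and the event names, the fixed token lifetime, push delivery of events and the “alice”/“bob” timeline are all assumptions. A resource service keeps sessions alive for a fixed token lifetime but, when continuous evaluation is on, also receives critical events from the identity provider and interrupts the affected session at its next request rather than waiting for the token to expire. Running the same timeline with evaluation off shows the gap that fixed session lifetimes leave open.

```python
"""Constructed model of continuous access evaluation (CAE), not Microsoft's
implementation."""
from __future__ import annotations

from dataclasses import dataclass

TOKEN_LIFETIME = 3600  # seconds; assumed fixed access-token lifetime

# Assumed set of identity-provider events that a subscribed service treats
# as grounds to interrupt a session and send the user back to reauthenticate.
CRITICAL_EVENTS = {
    "user_disabled", "user_deleted", "password_reset",
    "refresh_tokens_revoked", "risk_detected",
}


@dataclass
class Session:
    user: str
    issued_at: int
    token_id: str


@dataclass
class Event:
    kind: str
    user: str
    at: int


class ResourceService:
    """Stands in for a service such as Exchange Online that has subscribed to
    identity-provider events (push delivery is assumed)."""

    def __init__(self, continuous_evaluation: bool):
        self.continuous_evaluation = continuous_evaluation
        self.sessions: dict[str, Session] = {}
        self.revoked_users: dict[str, str] = {}   # user -> event kind

    def sign_in(self, user: str, now: int, token_id: str) -> None:
        self.sessions[token_id] = Session(user, now, token_id)

    def on_event(self, event: Event) -> None:
        """Subscription callback; with evaluation off the service ignores it."""
        if not self.continuous_evaluation or event.kind not in CRITICAL_EVENTS:
            return
        self.revoked_users[event.user] = event.kind

    def handle_request(self, token_id: str, now: int) -> str:
        """Return 'ok', 'expired', or 'reauth:<reason>'."""
        session = self.sessions.get(token_id)
        if session is None:
            return "reauth:unknown-token"
        if now - session.issued_at >= TOKEN_LIFETIME:
            return "expired"                       # ordinary lifetime check
        reason = self.revoked_users.get(session.user)
        if reason is not None:
            del self.sessions[token_id]            # interrupt the session now
            return f"reauth:{reason}"
        return "ok"


def simulate(continuous_evaluation: bool) -> list[str]:
    """Replay a constructed timeline: two users sign in at t=0, alice's password
    is reset at t=600, and requests arrive at t=300, t=900 and t=4000."""
    svc = ResourceService(continuous_evaluation)
    svc.sign_in("alice", now=0, token_id="tok-1")
    svc.sign_in("bob", now=0, token_id="tok-2")
    results = [svc.handle_request("tok-1", 300)]
    svc.on_event(Event("password_reset", "alice", 600))
    svc.on_event(Event("mailbox_renamed", "bob", 650))   # not critical: ignored
    results.append(svc.handle_request("tok-1", 900))     # alice after the reset
    results.append(svc.handle_request("tok-2", 900))     # bob is unaffected
    results.append(svc.handle_request("tok-2", 4000))    # past the token lifetime
    return results


if __name__ == "__main__":
    print("CAE on: ", simulate(True))
    print("CAE off:", simulate(False))
```

With evaluation on, alice’s request at t=900 is refused with a reauthentication demand five minutes after the reset; with it off, the same token stays valid until the fixed lifetime runs out, which is exactly the window a set session duration leaves open.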


EU proposes new liability rules around AI tech to protect consumers


The current EU rules around product liability are more than 40 years old, meaning they do not cover harm caused by drones and other AI tech.

The European Commission has outlined a set of new proposals to enable people who are harmed by AI tech products to seek and receive compensation.

The proposals were published today (28 September). They are designed to comply with the EU’s 2021 AI Act proposal, which set out a framework for trust in AI-related technology.

Today’s AI Liability Directive aims to provide a clear and comprehensive structure for all Europeans to claim compensation in the event they are harmed by AI tech products, such as drones and robots.

The EU’s directive includes rules for businesses and consumers alike to abide by. Those who are harmed by AI products or tech can seek compensation just as they would if they were harmed in any other way.

The rules will make it easier for people who have been discriminated against by AI technology as part of the recruitment process, for example, to pursue legal action.

An example of harm that may be caused by tech products is data loss. Robots, drones, smart-home systems and other similar digital products must also comply with cybersecurity regulations around addressing vulnerabilities.

The directive builds on existing rules that manufacturers must follow around unsafe products – no matter how high or low-tech they are.

It is proposing a number of different strategies to modernise and adapt liability rules specifically for digital products. The existing rules around product liability in the EU are almost 40 years old, and do not cover advanced technologies such as AI.

European commissioner for internal market, Thierry Breton, said that the existing rules have “been a cornerstone of the internal market for four decades”.

“Today’s proposal will make it fit to respond to the challenges of the decades to come. The new rules will reflect global value chains, foster innovation and consumer trust, and provide stronger legal certainty for businesses involved in the green and digital transition.”

Vice-president for values and transparency, Věra Jourová, said that for AI tech to thrive in the EU, it is important for people to trust digital innovation.

She added that the new proposals would give customers “tools for remedies in case of damage caused by AI so that they have the same level of protection as with traditional technologies”. The rules will also “ensure legal certainty” for the EU’s internal market.

As well as consumer protection, the proposals are designed to foster innovation. They have laid down guarantees for the AI sector through the introduction of measures such as the right to fight a liability claim based on a presumption of causality.

The AI Liability Directive will need to be agreed with EU countries and lawmakers before it can become law.


Alfred Hitchcock: Vertigo review – uncomfortable for all the wrong reasons | Games


Pendulo Studios’ Vertigo begins, just like the 1958 film, with a visual and musical motif of spirals. Round and round they go until you meet author Ed Miller in the worst moment of his life. Ed narrowly survives a car crash, but he loses his wife, Faye and their daughter. Staring down at the wreck of his car in a ravine, Ed suffers a debilitating bout of vertigo, only to relive the suicide of his father shortly after. A little later, you step into the shoes of Dr Julia Lomas, a therapist called in to deal with Ed’s vertigo and why he keeps talking about a wife and child whom no one but him seems to recall.

While it’s called Vertigo, complete with the licence of Hitchcock’s name and likeness, the game makes hamfisted references to the director’s work. Yes, there are birds, yes, someone will be ripping a shower curtain to the side. But when it comes to embodying the spirit of Vertigo itself, Sight and Sound’s greatest film of all time, it falls almost comically flat.

The mystery that Vertigo the game initially presents is intriguing, if quickly soured by how unbearable its protagonist is. Ed is childish and rude to the point of hostility without any obvious reason why. His behaviour is explained away by a traumatic childhood, bluntly presented as the root of all his issues and teased out by his therapist in a series of non-consensual hypnoses. The gameplay mimics Quantic Dream’s Detroit: Become Human, from awkwardly moving the controller to open a fridge and using timed button-presses to run, to rewinding memories, an idea that actually fits the concept of a therapist analysing her patient’s recollections quite well.

[Screenshot from Alfred Hitchcock: Vertigo] Awkward animation and mediocre voice acting … Alfred Hitchcock – Vertigo. Photograph: Microids

Due to its big licence and popular influences, it comes as a particularly sharp disappointment that the writing in the game version of Vertigo is the worst thing about it. Awkward animation and mediocre voice acting certainly don’t help. Dialogue, presumably recorded separately by actors alone in sound booths, sounds like two people having two different conversations (“What am I going to do without my husband?” “Well, you could start by making dinner”).

You might reasonably expect that a game named after the film Vertigo would, you know, follow the plot of Vertigo, but no. Everything happens in service of an increasingly ridiculous story, which reduces a film that featured male obsession, the male gaze and the ways in which victims unknowingly facilitate their own abuse, to the vendetta of a psychopath with a seemingly unlimited supply of drugs. If you thought the film was convoluted, try getting your head around this nonsense. It is almost worth playing for the part where an elderly man is, apparently convincingly, impersonated by a 24-year-old woman in a trenchcoat and sunglasses.

This version of Vertigo portrays women in a way that is seriously difficult to stomach in a post-#MeToo era. Here, women prey on an unsuspecting man using, for instance, sex and hypnosis to lure him in and do him harm. Male trauma is of course absolutely real, but this game doesn’t have the tools to examine it with the required care, and ends up essentially saying #MenToo – and doing a significant disservice to the body of cinematic work that inspires it.

Alfred Hitchcock – Vertigo is out now, £34.99.
