Capgemini wins £600 million contract with Met Police


Zach Marzouk

11 Mar, 2021

The Metropolitan Police Service (MPS) has awarded a strategic IT infrastructure contract to services provider Capgemini, with the aim of improving the user experience of its internal platforms.

The contract is said to be worth £600 million and will run for five years, with the option to extend for an additional two years if needed.

The MPS is looking to improve its IT infrastructure services within the Pegasus Programme, a digital policing programme to procure new key IT suppliers for the police.

Capgemini will work on moving the MPS away from its multi-supplier “Towers” model, in which services were procured as separate categories, or towers, from different suppliers, an arrangement that led to unnecessary fragmentation.

The bulk of the contract work will involve amalgamating services such as the service desk, network services, end user services, cyber security services, and others under a single umbrella.

“We are delighted to have been chosen as the strategic infrastructure services provider for MPS, one of the world’s leading police forces and one of the largest public sector organisations in the UK,” said Nive Bhagat, CEO of Cloud Infrastructure Services at Capgemini.

Capgemini has a history of providing services to the police, including helping it to transform its budget control back in 2008. The contract was signed with the Mayor's Office for Policing and Crime (MOPAC), which has used Capgemini in the past on projects involving email services and agile scrum teams.

Angus McCallum, chief digital and technology officer at the Metropolitan Police, said: “Capgemini will help us continue to develop the next stage in our journey towards the Met’s digital policing vision.

“Capgemini was chosen as our infrastructure partner based on the strong capabilities demonstrated throughout the bid process. We look forward to working closely with Capgemini in the delivery of critical infrastructure services over the coming years.”

Last year, Capgemini signed a three-year partnership with Barts Health NHS Trust to modernise its ICT estate.

Chinese hackers target Linux systems with RedXOR backdoor


Keumars Afifi-Sabet

11 Mar, 2021

Hackers are targeting legacy Linux systems with sophisticated malware believed to have been developed by cyber criminals backed by the Chinese state.

The malware, branded RedXOR, obfuscates its network traffic with a scheme based on XOR, the Boolean exclusive-or operation that cryptographic ciphers use as a building block (on its own, XOR with a fixed key is lightweight obfuscation rather than encryption, since anyone who recovers the key can decode the traffic). The binary was compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).

This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.
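To make concrete why an XOR-based encoding gives an analyst leverage, here is an added example (not Intezer's code, and not RedXOR's actual scheme or key, neither of which the article describes): a repeating-key XOR codec together with the standard known-plaintext key recovery. The beacon text, the key s3cr3t, the key-length range and the crib are all constructed for the demonstration. Because each ciphertext byte is plaintext XOR key, any fragment of plaintext at least as long as the key (a field name the protocol always sends, for instance) yields the key outright, and the whole captured stream then decodes.

```go
package main

import (
	"bytes"
	"fmt"
)

// sampleBeacon is a constructed, hypothetical check-in message; it is not
// RedXOR's real protocol, only stand-in plaintext for the demonstration.
const sampleBeacon = "CMD=sysinfo\r\nHOST=web01\r\nUSER=root\r\n"

// xorRepeating applies a repeating key with XOR. Because XOR is its own
// inverse, the same call both encodes and decodes.
func xorRepeating(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverKey derives a repeating key of length keyLen from ciphertext when a
// plaintext fragment (crib) of at least keyLen bytes is known to sit at
// offset cribOff. Returns nil if the crib cannot cover every key position.
func recoverKey(cipher, crib []byte, cribOff, keyLen int) []byte {
	if keyLen <= 0 || len(crib) < keyLen || cribOff < 0 || cribOff+keyLen > len(cipher) {
		return nil
	}
	key := make([]byte, keyLen)
	for i := 0; i < keyLen; i++ {
		// plaintext ^ ciphertext = the key byte used at that position
		key[(cribOff+i)%keyLen] = cipher[cribOff+i] ^ crib[i]
	}
	return key
}

// isPrintable is the sanity check used to tell a correct decode from garbage.
func isPrintable(b []byte) bool {
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return true
}

// findCribOffset slides the crib over the ciphertext and returns the first
// offset whose derived key turns the whole message into printable text that
// contains the crib. It returns -1 and nil if no offset works.
func findCribOffset(cipher, crib []byte, keyLen int) (int, []byte) {
	for off := 0; off+len(crib) <= len(cipher); off++ {
		key := recoverKey(cipher, crib, off, keyLen)
		if key == nil {
			continue
		}
		plain := xorRepeating(cipher, key)
		if isPrintable(plain) && bytes.Contains(plain, crib) {
			return off, key
		}
	}
	return -1, nil
}

func main() {
	key := []byte("s3cr3t") // hypothetical key, chosen for the demo
	cipher := xorRepeating([]byte(sampleBeacon), key)
	fmt.Printf("encoded: %x\n", cipher)

	// The analyst knows (or guesses) that check-ins start with "CMD=" plus a
	// command name, but not the key. Try plausible key lengths in turn.
	for keyLen := 1; keyLen <= 8; keyLen++ {
		if off, k := findCribOffset(cipher, []byte("CMD=sysinfo"), keyLen); off >= 0 {
			fmt.Printf("key length %d, key %q at offset %d\n", keyLen, k, off)
			fmt.Printf("decoded:\n%s", xorRepeating(cipher, k))
			break
		}
	}
}
```

The crib must be at least as long as the key; with a shorter crib the key only partly recovers, which is why findCribOffset rejects that case instead of returning a half-key that would decode to plausible-looking noise.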

Its operators deploy RedXOR to infiltrate Linux endpoints and servers in order to browse files, steal data, upload or download files and tunnel network traffic. The backdoor is also hard to spot because it disguises itself as the polkit daemon (polkitd), the legitimate background process that mediates system-wide privilege decisions on Linux.

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

Upon installation, the malware moves its binaries into a hidden folder named ‘po1kitd.thumb’, with the digit 1 standing in for the letter l so that the name passes a casual glance as the polkit daemon’s. The malware then communicates with its command and control server over traffic disguised as HTTP, from which it receives instructions.
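As an added example, not part of the article or of Intezer's report, the following Go program turns the disguise described above into a host-level sweep: it looks for a hidden directory whose name reads as “polkit” only after undoing a digit-for-letter swap, and for a running process whose comm name does the same. The directory roots, the procfs layout read and the substitutions checked (1 for l, 0 for o, I for l) are assumptions of this example, not indicators published by Intezer; the path of /proc is a parameter so the same code can run over a forensic copy.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// lookalikes undoes the digit/letter swaps commonly used to mimic a legitimate
// name. The set is an assumption of this example, not a published indicator.
var lookalikes = strings.NewReplacer("1", "l", "0", "o", "I", "l")

// isPolkitLookalike reports whether name contains "polkit" only once a swap
// inside that word is undone, e.g. "po1kitd" or ".po1kitd.thumb". The genuine
// spellings ("polkitd", "polkit-1") are not flagged.
func isPolkitLookalike(name string) bool {
	norm := strings.ToLower(lookalikes.Replace(name))
	idx := strings.Index(norm, "polkit")
	if idx < 0 || idx+len("polkit") > len(name) {
		return false
	}
	return !strings.EqualFold(name[idx:idx+len("polkit")], "polkit")
}

// scanHiddenDirs walks root and returns hidden (dot-prefixed) directories
// whose name is a polkit lookalike. Unreadable paths are skipped, not fatal.
func scanHiddenDirs(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil
		}
		if d.IsDir() && strings.HasPrefix(d.Name(), ".") && isPolkitLookalike(d.Name()) {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

// scanProcNames reads <procRoot>/<pid>/comm for every numeric entry (the
// layout of Linux procfs) and returns "pid <n>: <name>" for lookalike names.
// procRoot is a parameter so the check can run against a copied tree.
func scanProcNames(procRoot string) ([]string, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, e := range entries {
		if !e.IsDir() || strings.Trim(e.Name(), "0123456789") != "" {
			continue
		}
		comm, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "comm"))
		if err != nil {
			continue // process exited, or not permitted
		}
		name := strings.TrimSpace(string(comm))
		if isPolkitLookalike(name) {
			hits = append(hits, fmt.Sprintf("pid %s: %s", e.Name(), name))
		}
	}
	return hits, nil
}

func main() {
	// Roots to sweep are an assumption; add whatever your hosts use for homes.
	for _, root := range []string{"/home", "/root", "/tmp"} {
		if hits, _ := scanHiddenDirs(root); len(hits) > 0 {
			fmt.Println("suspicious hidden dirs:", hits)
		}
	}
	if hits, err := scanProcNames("/proc"); err == nil && len(hits) > 0 {
		fmt.Println("suspicious process names:", hits)
	}
}
```

The name check only counts a substitution that falls inside the word itself, so the legitimate ~/.config/polkit-1 directory, whose digit sits outside the word, is not reported.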

Researchers observed the server issuing 19 separate commands, including requests for system information and updates to the malware itself. The server’s intermittent (“on and off”) availability also indicates the operation is still active, the researchers say.

To build the backdoor, the attackers used GCC 4.4.7, the Red Hat build of the GNU Compiler Collection that ships as the default compiler on RHEL 6, a release first published in 2010.

Maintenance support for RHEL 6 only ended recently, in November 2020, so a swathe of servers and endpoints are likely still running it. Intezer, however, hasn’t disclosed the number or nature of the victims it has identified. According to Enlyft, roughly 50,000 companies run RHEL.

Although the discovery of Linux malware families has increased in recent times, backdoors attributed to advanced threat groups, such as nation state-backed attackers, are far rarer.

Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets – all associated with hackers supported by the Chinese state.

The samples discovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.

Google and Red Hat team up with Linux Foundation for software-signing service


Keumars Afifi-Sabet

10 Mar, 2021

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project lets the open source community sign software artefacts, including release files, container images and binaries, and records each signature in a public, tamper-evident log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software – including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a different approach to key management: instead of long-lived signing keys, it issues short-lived certificates tied to an OpenID Connect login, and it records every signing event in a public transparency log backed by Trillian, Google’s Merkle-tree verifiable log software. Because the log is append-only and publicly auditable, a compromise (a certificate issued to the wrong identity, say) can be detected after the fact and recovered from.

This approach was devised because key distribution is “notoriously difficult”. Rather than ask developers to manage and distribute keys, the project runs a free root Certificate Authority (CA) that issues those short-lived certificates, so there is no long-lived developer key to distribute, rotate or lose.
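To show how those pieces fit, here is an added example in Go (the language sigstore’s own tooling is written in) of the design the two paragraphs above describe. It is not sigstore’s code and uses a toy certificate format rather than X.509: a signer generates a fresh Ed25519 key, a CA binds it to an identity for ten minutes, the signature is appended to a Merkle-tree log, and the verifier checks the CA’s signature on the certificate, the identity, that the logging time falls inside the certificate’s window, the artifact signature itself, and that the entry is in the log under the published root. The identity string, validity period and artifact bytes are constructed; a real log hands verifiers a Merkle inclusion proof rather than the full leaf list recomputed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert stands in for the short-lived certificate sigstore's CA issues: an
// ephemeral public key bound to an OIDC identity for ten minutes, CA-signed.
type Cert struct {
	Pub                 ed25519.PublicKey
	Subject             string // OIDC identity, e.g. a verified email claim
	NotBefore, NotAfter int64  // unix seconds
	CASig               []byte
}

// tbs is the fixed "to be signed" serialisation of the certificate fields.
func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%x|%s|%d|%d", c.Pub, c.Subject, c.NotBefore, c.NotAfter)) }

// newCA stands in for the project's free root CA (a fresh key pair here).
func newCA() (ed25519.PublicKey, ed25519.PrivateKey) { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return pub, priv }

// issueCert stands in for "present a valid OIDC token, get a cert for this key".
func issueCert(ca ed25519.PrivateKey, pub ed25519.PublicKey, subject string, now int64) Cert {
	c := Cert{Pub: pub, Subject: subject, NotBefore: now, NotAfter: now + 600}
	c.CASig = ed25519.Sign(ca, c.tbs())
	return c
}

// Entry is what the transparency log records for one signing event.
type Entry struct {
	Digest, Sig []byte
	Cert        Cert
	LoggedAt    int64 // time the log accepted the entry
}

// leaf is the RFC 6962 leaf hash H(0x00 || entry) used by Trillian-style logs.
func (e Entry) leaf() []byte {
	h := sha256.Sum256(append([]byte{0}, fmt.Sprintf("%x|%x|%x|%d", e.Digest, e.Sig, e.Cert.tbs(), e.LoggedAt)...))
	return h[:]
}

// merkleRoot commits to the whole log: node = H(0x01 || left || right), with
// the tree split at the largest power of two below its size (RFC 6962).
func merkleRoot(leaves [][]byte) []byte {
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := 1
	for k*2 < len(leaves) {
		k *= 2
	}
	h := sha256.Sum256(append(append([]byte{1}, merkleRoot(leaves[:k])...), merkleRoot(leaves[k:])...))
	return h[:]
}

// signArtifact is the keyless flow: fresh key pair, short-lived cert, sign the
// digest, append to the log, and let the private key go out of scope unsaved.
func signArtifact(ca ed25519.PrivateKey, artifact []byte, subject string, now int64, leaves *[][]byte) (Entry, int) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := sha256.Sum256(artifact)
	e := Entry{Digest: d[:], Sig: ed25519.Sign(priv, d[:]), Cert: issueCert(ca, pub, subject, now), LoggedAt: now}
	*leaves = append(*leaves, e.leaf())
	return e, len(*leaves) - 1
}

// verifyArtifact is what a consumer runs later with the CA public key, the
// log's published root and leaves, the entry and its index.
func verifyArtifact(caPub ed25519.PublicKey, artifact []byte, e Entry, idx int, leaves [][]byte, root []byte, wantSubject string) error {
	d := sha256.Sum256(artifact)
	switch {
	case !ed25519.Verify(caPub, e.Cert.tbs(), e.Cert.CASig):
		return fmt.Errorf("certificate was not issued by the trusted CA")
	case e.Cert.Subject != wantSubject:
		return fmt.Errorf("signed by %q, expected %q", e.Cert.Subject, wantSubject)
	case e.LoggedAt < e.Cert.NotBefore || e.LoggedAt > e.Cert.NotAfter:
		return fmt.Errorf("logged at %d, outside the certificate's validity window", e.LoggedAt)
	case !ed25519.Verify(e.Cert.Pub, d[:], e.Sig):
		return fmt.Errorf("signature does not cover this artifact under the certified key")
	case idx < 0 || idx >= len(leaves) || string(leaves[idx]) != string(e.leaf()):
		return fmt.Errorf("entry is not in the log at index %d", idx)
	case string(merkleRoot(leaves)) != string(root):
		return fmt.Errorf("log contents do not match the published root")
	}
	return nil
}

func main() {
	caPub, caPriv := newCA()
	var leaves [][]byte
	artifact := []byte("release-1.0.tar.gz contents (constructed sample)")
	e, idx := signArtifact(caPriv, artifact, "dev@example.org", 1615300000, &leaves)
	fmt.Println("verify:", verifyArtifact(caPub, artifact, e, idx, leaves, merkleRoot(leaves), "dev@example.org"))
}
```

The validity-window check is the part that makes short-lived certificates safe: a signature is accepted only if the log recorded it while the certificate was valid, so a key that leaks after its ten minutes cannot be used to forge an older release, and anything signed later shows up in the log under a fresh certificate for everyone to see.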

News of this project follows Google’s commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Chrome OS gets enterprise overhaul


Zach Marzouk

10 Mar, 2021

Google has announced a number of new features for Chrome OS to mark the operating system’s 10th birthday, including some new ones for enterprise users. 

Starting today, businesses can download the Chrome OS Readiness Tool to help them identify which Windows devices in their organisation are ready to switch fully to Chrome OS and which need support from VDI or Parallels Desktop.

This is a free, completely private and customisable tool that allows enterprises to see if apps are compatible or whether they are cloud-ready or not.

Organisations can also now configure over 500 policies in the Google Admin console. Policies added over the past year cover security, updates, accessibility, network file sharing and more. All policies default to a Google-recommended setting, so administrators only have to change the ones they need.

To help enterprises configure policies at scale, Google is also launching the Chrome Policy API, which lets administrators manage user and printer settings programmatically, from a script or the command line, rather than through the console. Google plans to extend the API to apps, extensions and device settings.

These new additions come on top of other features announced including the Phone Hub, where users can respond to their phone messages, check its battery life and even locate it from their Chromebook.

In the coming months, the company plans to release “Nearby share”, a feature that allows users to securely share files between a Chromebook and other Chrome OS or Android devices without needing to share contact details.

These new features come after Google announced in December it was teaming up with other tech giants such as Intel and Dell to form the Modern Computing Alliance. The group hopes to foster greater collaboration and integration between their different systems.

Dropbox to acquire DocSend for £118 million


Zach Marzouk

9 Mar, 2021

Dropbox announced today it will acquire DocSend, a secure document sharing and analytics company with over 17,000 customers, for $165 million (£118 million).

Organisations that use Dropbox will now be able to use DocSend to deliver proposals and track engagement. Through the service, users can share documents securely and control who has access to them.

Dropbox co-founder and CEO Drew Houston said that the plan is to package together Dropbox, DocSend, and HelloSign – which Dropbox bought for $230 million in 2019 – as an “end-to-end suite” of products spanning collaboration, sharing, and e-signatures.

“DocSend is a perfect complement to our product roadmap and we’re thrilled to welcome them to our team,” Houston said.

“By bringing Dropbox, HelloSign, and DocSend together, we’ll be able to offer a full suite of secure, self-serve products to help them manage critical document workflows from start to finish.”

Russ Heddleston, DocSend co-founder and CEO, interned at Dropbox over a decade ago, before the two companies’ paths crossed again in 2019 when they became extension partners.

Heddleston said: “As we’ve grown, we’ve realized that the ability to securely share content and engage with documents after they are sent offers powerful benefits to a variety of customer segments.

“By joining Dropbox, we’ll be able to rapidly scale, bringing our vision and capabilities to the hundreds of millions of people around the world who already trust Dropbox with their most important content.”

This is the first acquisition the company has announced since declaring its shift to a remote working strategy. It had reported a “one-off” loss of $398.2 million in its fourth-quarter report last year as the company made a decision to sublease most of its office space.

Following that decision, Dropbox announced on Monday that the building it was leasing as its headquarters in San Francisco would be sold for $1.08 billion. According to Kilroy Realty Corporation, its owner, this was a new high in the San Francisco commercial real estate market, as reported by Yahoo! Finance.

Microsoft was warned about Exchange Server flaws two months ago


Sabina Weston

9 Mar, 2021

Microsoft was aware of the Exchange Server vulnerabilities two months prior to the attack orchestrated by state-backed hackers, having confirmed that it was initially notified in “early January”.

The tech giant made the statement to cyber security journalist Brian Krebs, who has compiled a basic timeline of the hack on his blog.

Krebs’ research shows that, on 5 January, Microsoft was first notified of two of the four zero-day vulnerabilities by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.

Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported their incident response findings to Microsoft on 27 January.

In a blog post, Dubex detailed how the attackers abused Exchange’s Unified Messaging module, which lets organisations store voicemail and fax files alongside email, calendars and contacts in users’ mailboxes, to install web shell backdoors.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,” Dubex revealed.
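Because the foothold in these intrusions was a web shell dropped into the Exchange web tree, the first thing an incident responder wants is a way to sweep the server’s script directories for shell-like code. The following Go scanner is an added example, not Dubex’s or Microsoft’s tooling; the indicator patterns, the file extensions checked and the default web-root path are assumptions of this example rather than published indicators of compromise. It flags ASP.NET handler files in which request-controlled input reaches dynamic execution or process creation, and it runs against whatever directory is passed on the command line, so it can also sweep an offline disk image.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one flagged file with the indicator names that matched.
type Finding struct {
	Path    string
	Matched []string
}

// indicators are constructs that have no business in a static Exchange web
// page but are the building blocks of ASP.NET web shells: request-controlled
// input flowing into dynamic code execution, process creation or reflection.
// The list is an assumption of this example, not a published signature set.
var indicators = map[string]*regexp.Regexp{
	"eval-or-execute":      regexp.MustCompile(`(?i)\beval\s*\(|\bexecute\s*\(`),
	"request-input":        regexp.MustCompile(`(?i)Request\s*(\[|\.Item|\.Form|\.QueryString|\.Headers)`),
	"process-start":        regexp.MustCompile(`(?i)Process\.Start|cmd\.exe|powershell`),
	"reflection-or-unsafe": regexp.MustCompile(`(?i)Assembly\.Load|"unsafe"|Activator\.CreateInstance`),
	"base64-decode":        regexp.MustCompile(`(?i)FromBase64String`),
}

// scriptExts are server-side handler types that can carry a web shell.
var scriptExts = map[string]bool{".aspx": true, ".asmx": true, ".ashx": true, ".asax": true}

// classify returns the indicator names found in content (order unspecified).
func classify(content string) []string {
	var hits []string
	for name, re := range indicators {
		if re.MatchString(content) {
			hits = append(hits, name)
		}
	}
	return hits
}

// suspicious applies the decision rule: request input that reaches execution
// or process creation, or three or more indicators in one file.
func suspicious(hits []string) bool {
	has := func(n string) bool {
		for _, h := range hits {
			if h == n {
				return true
			}
		}
		return false
	}
	return (has("request-input") && (has("eval-or-execute") || has("process-start"))) || len(hits) >= 3
}

// scanWebRoot walks root and returns suspicious script files. Unreadable
// entries are skipped so one permission error does not abort the sweep.
func scanWebRoot(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !scriptExts[strings.ToLower(filepath.Ext(p))] {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return nil
		}
		if hits := classify(string(data)); suspicious(hits) {
			out = append(out, Finding{Path: p, Matched: hits})
		}
		return nil
	})
	return out, err
}

func main() {
	root := `C:\inetpub\wwwroot` // assumed default; pass the Exchange front-end paths on a real server
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := scanWebRoot(root)
	if err != nil {
		fmt.Println("scan error:", err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %v\n", f.Path, f.Matched)
	}
}
```

A page that merely reads a query-string parameter is not reported on its own; the rule fires on the combination of untrusted input and a sink, which keeps the sweep useful on a tree full of legitimate dynamic pages. Treat any hit as a lead to confir with file timestamps and IIS logs, not as proof by itself.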

However, Dubex’s CTO Jacob Herbst told KrebsOnSecurity that the company “never got a ‘real’ confirmation [from Microsoft] of the zero-day before the patch was released”.

The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.

Krebs questioned Microsoft’s response timing, saying that the timeline illustrates that the company “had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately”.

IT Pro has contacted Microsoft for comment but is yet to hear back from the company.

The number of victims is estimated to be in the hundreds of thousands, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.

In a statement, the EBA said that it “is working to identify what, if any, data was accessed”, adding that it had “decided to take its email systems offline” as a “precautionary measure”. 

Chinese state-sponsored hacking group Hafnium is believed to be behind the attack.