All posts by Keumars Afifi-Sabet

Google and Red Hat team up with Linux Foundation for software-signing service


Keumars Afifi-Sabet

10 Mar, 2021

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software – including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by the Trillian instant management software. This is so the team can detect compromises, and recover from them, when they do occur.

This approach has been devised in light of the fact that key distribution is “notoriously difficult”, leading developers to design away the need for a management hub by building a Root Certificate Authority (CA) which will be made available for free.
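The signing and verification flow sketched above, as an added illustration that is not part of the original article or of the sigstore project's own code: a developer generates a throwaway key that is bound to an identity for a short validity window, signs the digest of a release artefact, and publishes the record to an append-only log; a consumer later replays the log to confirm the record is intact, checks the key was still valid when the log recorded it, and verifies the signature. The identity string, the artefact bytes and the ten-minute window are constructed assumptions, and the hash chain stands in for the Trillian-backed log and X.509 certificates the real project uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Entry is one record in a toy append-only log (constructed for this example;
// the real sigstore log stores richer, certificate-based records).
type Entry struct {
	Identity    string            // OpenID Connect identity the ephemeral key is bound to
	PublicKey   ed25519.PublicKey // throwaway key, valid only until NotAfter
	NotAfter    time.Time         // end of the short-lived key's validity window
	LoggedAt    time.Time         // stamped by the log when the entry is appended
	ArtifactSHA [32]byte          // what was signed: a digest of the release file
	Signature   []byte
}

// Log is a hash chain: each head commits to the previous head and the new entry,
// so altering or dropping an entry later breaks every head after it.
type Log struct {
	entries []Entry
	heads   [][32]byte
}

func leafHash(prev [32]byte, e Entry) [32]byte {
	h := sha256.New()
	h.Write(prev[:])
	h.Write([]byte(e.Identity))
	h.Write(e.PublicKey)
	h.Write([]byte(e.NotAfter.UTC().Format(time.RFC3339)))
	h.Write([]byte(e.LoggedAt.UTC().Format(time.RFC3339)))
	h.Write(e.ArtifactSHA[:])
	h.Write(e.Signature)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append stamps the entry with the log's own clock and extends the chain.
func (l *Log) Append(e Entry, now time.Time) Entry {
	e.LoggedAt = now
	var prev [32]byte
	if n := len(l.heads); n > 0 {
		prev = l.heads[n-1]
	}
	l.entries = append(l.entries, e)
	l.heads = append(l.heads, leafHash(prev, e))
	return e
}

// Sign is the developer side: generate a throwaway key, bind it to the developer's
// identity for ten minutes (an assumed window), sign the artefact digest, publish
// the record, and let the private key go out of scope.
func Sign(l *Log, identity string, artifact []byte, now time.Time) (Entry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Entry{}, err
	}
	e := Entry{Identity: identity, PublicKey: pub, NotAfter: now.Add(10 * time.Minute)}
	e.ArtifactSHA = sha256.Sum256(artifact)
	e.Signature = ed25519.Sign(priv, e.ArtifactSHA[:])
	return l.Append(e, now), nil
}

// Verify is the consumer side: replay the chain to confirm the log is intact, find
// the entry for this artefact and identity, check the key was still valid when the
// log recorded it, and check the signature over the digest.
func Verify(l *Log, artifact []byte, expectIdentity string) error {
	want := sha256.Sum256(artifact)
	var prev [32]byte
	for i, e := range l.entries {
		head := leafHash(prev, e)
		if head != l.heads[i] {
			return errors.New("log tampered: hash chain broken")
		}
		prev = head
		if e.ArtifactSHA != want || e.Identity != expectIdentity {
			continue
		}
		if e.LoggedAt.After(e.NotAfter) {
			return errors.New("entry logged after the signing key expired")
		}
		if !ed25519.Verify(e.PublicKey, want[:], e.Signature) {
			return errors.New("signature does not verify")
		}
		return nil
	}
	return errors.New("no log entry for this artifact and identity")
}

func main() {
	var tlog Log
	artifact := []byte("constructed release tarball contents") // constructed sample input
	now := time.Date(2021, 3, 10, 12, 0, 0, 0, time.UTC)
	if _, err := Sign(&tlog, "maintainer@example.org", artifact, now); err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", Verify(&tlog, artifact, "maintainer@example.org"))
	modified := append(append([]byte{}, artifact...), '!')
	fmt.Println("modified artifact:", Verify(&tlog, modified, "maintainer@example.org"))
}
```

The point the toy makes is that the consumer never needs the developer's long-lived key: the log entry carries the ephemeral public key, the identity it was issued to and the time the log saw it, so a tampered artefact, a signature from the wrong identity, or an edited log entry all fail verification in distinct, attributable ways.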

News of this project follows Google’s commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Microsoft’s Apprenticeship Connector will help SMBs find digital apprentices


Keumars Afifi-Sabet

8 Mar, 2021

Microsoft has partnered with the job-seeking platform GetMyFirstJob to launch an online hub that will connect UK organisations seeking to recruit digital apprentices with a wide pool of prospective applicants.

Apprenticeship Connector will simplify the recruitment process by listing vacancies across Microsoft’s network of partners and customers, which young jobseekers can access to seek new opportunities. The firm said its partners and customers will also be able to promote their vacancies to a larger and more diverse range of candidates.

GetMyFirstJob was chosen as the ideal partner platform in light of its recognition that traditional recruitment processes were exacerbating existing barriers to social mobility. Its own platform has sought to channel skills into the right areas, reaching more than 4.1 million users in 2020.

The partnership aims to solve the specific problem of small and medium-sized businesses (SMBs) struggling to recruit the right candidates while also aiming to raise the diversity of new recruits generally.

“Digital apprenticeships are one of the best routes to well-paid careers in businesses of all types, not just in tech,” said Microsoft’s UK CEO, Clare Barclay. “It’s why we have worked hard over the past 10 years to help provide thousands of people with the skills and training needed for the in-demand jobs of today and tomorrow. 

“Yet even in the current jobs market, the reality is there are many vacancies going unfilled. I encourage anyone thinking about getting started in digital to visit The Microsoft Apprenticeship Connector and take the next step.”

Microsoft also shared some statistics highlighting the tech recruitment problem in the UK, also referred to as the digital skills crisis. For example, the UK needs more than three million skilled people in technology roles by 2025, while almost half of UK businesses are also looking to recruit workers with the same technical skills, ranging from data analytics to cyber security, regardless of sector.

Last February, experts urged the government to reform its apprenticeship scheme after it fell short of its own targets. Figures at the time showed that the number of people starting an apprenticeship between August and October 2019 fell to 125,800 – down from 132,000 the previous year. 

This represented a 4.7% drop, although the situation is even bleaker today. The latest ONS figures show that new starts between August and October 2020 fell by a staggering 27.6% to 91,100. The effects of COVID-19 would have certainly played a role, although it nevertheless feeds into a long-term downward trend.

The UK chancellor, Rishi Sunak, also last week stressed the importance of apprenticeships as he was outlining the latest Budget. He doubled the cash incentive for employers to hire apprentices and introduced a new flexi-job programme that would allow apprentices to work with a number of different employers within one sector.

“It’s great to see Microsoft using its technology expertise to make it easier for people to engage with these fantastic opportunities,” Sunak said. “As the world becomes increasingly more digital, these skills will play a crucial role in helping us build back better from the pandemic.”

‘Hundreds of thousands’ of victims in Microsoft Exchange Server attacks


Keumars Afifi-Sabet

8 Mar, 2021

There are potentially hundreds of thousands of victims from cyber attacks exploiting newly-discovered Microsoft Exchange Server vulnerabilities, with the White House urging businesses to patch their systems immediately.

US-based victims exceed 30,000 including small businesses, towns and cities as well as local government organisations, according to security researcher Brian Krebs, with Chinese hackers determined to steal their email communications.

This figure, however, only represents a portion of “hundreds of thousands” of servers that state-backed Chinese hackers have seized, based on information provided to Krebs by two security experts. Each targeted server, deployed to process email communications, represents roughly one organisation here. 

“This is an active threat,” White House press secretary Jen Psaki said at a press briefing, as reported by BBC News. “Everyone running these servers – government, private sector, academia – needs to act now to patch them.” 

She added that the White House was concerned “there are a large number of victims” and that these vulnerabilities discovered last week could have “far-reaching impacts”.

Microsoft patched four actively exploited flaws in several versions of its Microsoft Exchange Server service last week, which attackers were taking advantage of to steal emails from web-facing systems running the software. 

In these attacks, the perpetrators left behind a password-protected web shell that could be accessed from anywhere, giving them administrative access to victims’ servers.

The company also warned businesses that this charge was being led by state-backed hackers, specifically the Hafnium group, although it refrained from disclosing how many victims there were at the time.

The US Cybersecurity and Infrastructure Security Agency (CISA) then ordered US federal agencies to immediately patch their Exchange Server installations, or disconnect the programme until it can be reconfigured, for fear of falling victim to hacking attempts.

“Patching and mitigation is not remediation if the servers have already been compromised,” the White House’s National Security Council also tweeted. “It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”

Vice president of Volexity, Steven Adair, who first reported the Exchange flaws to Microsoft, also told KrebsonSecurity that the hacking group first exploited these bugs on 6 January, but shifted into a much higher gear over the last few days.

“Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server,” he said. “The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Google launches Flutter 2 for cross-platform app development


Keumars Afifi-Sabet

4 Mar, 2021

Google has upgraded its Flutter toolkit to allow mobile developers to seamlessly port native apps across a breadth of operating systems and web browsers, as well as devices such as TVs, cars, and smart home appliances.

Flutter, an open source software development kit (SDK) launched by Google in December 2018, allows developers to build mobile apps across both Android and iOS devices from a single codebase using the Dart language.

The next generation, dubbed Flutter 2, is a logical extension of this principle, with developers able to programme native apps across not just Android and iOS but also Windows, macOS, and Linux systems too. This is alongside web-based experiences across Chrome, Firefox, Safari, and Edge, as well as the operating systems powering IoT and smart devices.

“Our goal is to fundamentally shift how developers think about building apps, starting not with the platform you’re targeting but rather with the experience you want to create,” Google said in its Developer blog.

“In Flutter 2, released today, we’ve broadened Flutter from a mobile framework to a portable framework, unleashing your apps to run on a wide variety of different platforms with little or no change.”

Developing for Android devices with Android Studio, an integrated development environment (IDE), differs from developing with Flutter: Android Studio is a Java-based workbench in which creators write and debug source code for a single platform.

Using Android Studio means developers can’t build apps native to iOS as well as Android – and must jump through hoops to convert their codebase to be compatible with iPhones, or rewrite them from scratch.

Flutter, by contrast, was launched with native cross-platform development in mind, with app creators able to build applications for both iOS and Android using a single codebase. Features such as platform APIs, third-party SDKs and reusable user interface (UI) blocks lend themselves to this aim.

Google also touts Flutter as allowing you to build aesthetically-pleasing apps at-pace, in addition to making changes as your app’s running in real-time with the ‘hot reload’ feature. The ecosystem of Flutter-developed apps includes roughly 150,000 services including apps such as WeChat and Yandex Go.

Google Pay even switched to Flutter in September last year to achieve improvements in productivity and quality. By unifying the iOS and Android codebases, the development team removed roughly 500,000 lines of code. There has also been a reported increase in efficiency for engineers, with a reduction in work needed around releases such as security reviews and experimentation, given that two codebases have been consolidated into one.

Desktop support was added to an earlier alpha release of Flutter, but this has just been moved into the toolkit’s ‘stable’ channel, meaning it’s now generally available.

To make it happen, Google partnered with Canonical, the company that publishes Ubuntu, with the organisation’s engineers contributing code to support development and deployment on Linux installations.

Google has also expanded its partnership with Microsoft, with the Windows developer releasing contributions to the Flutter engine to support foldable Android devices, including new design patterns and functionality.

With Flutter 2, app developers will also find added support for the web with a focus on progressive web apps (PWAs) as well as single-page apps (SPAs) and bringing existing Flutter mobile apps to the web with shared code.

Finally, a partnership with Toyota paves the way for writing in-vehicle software using Flutter, with the car manufacturer using Flutter’s embedder API to tailor Flutter for the unique needs of its vehicles.

Okta agrees to buy rival Auth0 for $6.5 billion


Keumars Afifi-Sabet

4 Mar, 2021

Identity access management firm Okta has agreed to purchase its main industry competitor Auth0 in a deal worth $6.5 billion (roughly £5.6 billion).

This merger will eventually see the two businesses’ expertise and products unify under a single brand, with Okta’s cloud-based platform expected to combine with Auth0’s device and app-based identity management suite.

Auth0 was founded in 2013, four years after Okta was established, and recently attracted $120 million (£85.9 million) of funding in its Series F round in July last year. In doing so, it attained an overall valuation of approximately $2 billion (£1.4 billion).

Okta hopes that the merger will allow the two companies to jointly address more identity management problems and use cases than they each could alone. Both platforms will be supported, invested in, and eventually integrated with one another over time.

“Combining Auth0’s developer-centric identity solution with the Okta Identity Cloud will drive tremendous value for both current and future customers,” said Okta CEO and co-founder Todd McKinnon.

“Okta’s and Auth0’s shared vision for the identity market, rooted in customer success, will accelerate our innovation, opening up new ways for our customers to leverage identity to meet their business needs. We are thrilled to join forces with the Auth0 team, as they are ideal allies in building identity for the internet and establishing identity as a primary cloud.”

The company describes its own and Auth0’s services as being complementary, with customers able to opt for one or another depending on their particular needs. While this has traditionally been true, in recent years both companies have expanded their offerings to such an extent they’ve begun to encroach on each other’s customer base.

Okta had initially aimed to be a single sign-on (SSO) platform for web applications, while Auth0 carved out a reputation for providing backend user management. Product expansion has seen the lines blur, however, and the rivalry between the companies intensify.

“Okta and Auth0 have an incredible opportunity to build the identity platform of the future,” said CEO and co-founder of Auth0, Eugenio Pace.

“We founded Auth0 to enable product builders to innovate with a secure, easy-to-use, and extensible customer identity platform. Together, we can offer our customers workforce and customer identity solutions with exceptional speed, simplicity, security, reliability and scalability. By joining forces, we will accelerate our customers’ innovation and ability to meet the needs and demands of consumers, businesses and employees everywhere.”

The boards of both companies have approved the transaction, with the acquisition expected to finalise before the end of July 2021.

Microsoft doubles down on zero trust security policies


Keumars Afifi-Sabet

2 Mar, 2021

Microsoft has launched new functionality across its Azure Active Directory (AD) authentication portal and Microsoft 365 to advance its zero trust security strategy and protect its customers against insider threats. 

‘Zero trust’ is a security strategy based on the need for businesses to adapt to increasingly sophisticated threats, and is based on the assumption that nothing within the corporate network can be trusted. 

Microsoft is among a handful of tech companies to adopt these policies in a meaningful way over the past few years, with features revealed at its Ignite 2021 conference in Azure AD and Microsoft 365 bolstering the firm’s zero trust capabilities. 

Passwordless authentication is now generally available in AD across all cloud and hybrid environments, with users able to use biometrics, Windows Hello for Business, the Microsoft Authenticator app or a FIDO2 security key to log in.

The policy engine Azure AD Conditional Access now uses authentication context to enforce more granular policies based on user interactions within an app, also taking into account the sensitivity of data they’re trying to access. 

Verifiable credentials, which let organisations confirm pieces of information about their employees such as education or professional certificates, are also entering public preview within the next few weeks. This verifies claims made without collecting any personal data. The government of Flanders and the NHS are already piloting this service.

“As defenders ourselves, we are passionate proponents of a Zero Trust mindset, encompassing all types of threats – both outside in and inside out,” said Microsoft’s corporate VP for security, compliance and identity, Vasu Jakkal.

“We believe the right approach is to address security, compliance, identity, and device management as an interdependent whole, and to extend protection to all data, devices, identities, platforms, and clouds – whether those things are from Microsoft, or not.”

Changes in Microsoft 365 are largely based on trying to eliminate the insider threat, both malicious and unwitting, with the firm investing in creating inside-out protection by extending its capabilities to third parties.

Improvements in compliance include co-authoring documents protected with Microsoft Information Protection, which allows multiple users to work simultaneously on documents while benefitting from the extensive protection for documents and emails across Microsoft 365 apps.

Microsoft 365’s Insider Risk Management Analytics will allow customers to identify potential insider risk activity within an organisation, which will then inform policy configurations. Tools include daily scans of tenant audit logs, including historical activities, with machine learning used to identify any risky activity.

Azure Purview, Microsoft’s unified data governance platform for on-premises, multi-cloud and software as a service (SaaS) data, can also be used to scan and classify data residing in AWS S3 buckets, SAP ECC, SAP S/4HANA and Oracle Database.

“Adopting a Zero Trust strategy is a journey,” Jakkal continued. “Every single step you take will make you more secure. In today’s world, with disappearing corporate network perimeters, identity is your first line of defence. 

“While your Zero Trust journey will be unique, if you are wondering where to start, our recommendation is to start with a strong cloud identity foundation. The most fundamental steps like strong authentication, protecting user credentials, and protecting devices are the most essential.”

Microsoft is also launching what it calls an “assume breach” toolset, which comprises tools and features that can help customers adopt the assume breach mentality without being hampered by the complexity that it can often entail. This is a critical component of the overall zero trust umbrella. 

Among the improvements, Microsoft Defender for Endpoint and Defender for Office 365 customers can now probe threats directly from the Microsoft 365 Defender portal, which provides alerts and in-depth investigation pages. A Threat Analytics section also provides a set of reports from Microsoft security researchers that help customers understand, prevent and mitigate active threats.

Ransomware operators are exploiting VMware ESXi flaws


Keumars Afifi-Sabet

1 Mar, 2021

Two ransomware strains have retooled to exploit vulnerabilities in the VMware ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).

The company patched three critical flaws across its virtualisation products last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.

Researchers with CrowdStrike have since learned that two groups, known as ‘Carbon Spider’ and ‘Sprite Spider’, have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale ransomware campaigns also known as big game hunting (BGH).

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a “virtual jackpot” for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.

This follows news that cyber criminals last week were actively scanning for vulnerable businesses with unpatched VMware vCenter servers, only days after VMware issued fixes for the three flaws.

“By deploying ransomware on ESXi, Sprite Spider and Carbon Spider likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,” said CrowdStrike researchers Eric Loui and Sergei Frankoff. 

“Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.”

Sprite Spider has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files. 

Carbon Spider, meanwhile, has traditionally targeted companies operating point-of-sale (POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.

Both strains have compromised ESXi systems by harvesting credentials that can be used to authenticate to the vCenter web interface, which is a centralised server admin tool that can control multiple ESXi devices.

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi devices, and in some cases changes the root password or the host’s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but has also logged in over SSH using the Plink tool to drop its Darkside ransomware.

VMware patches critical ESXi and vSphere Client vulnerabilities


Keumars Afifi-Sabet

24 Feb, 2021

VMware has fixed three critically-rated flaws across its virtualisation products that could be exploited by hackers to conduct remote code execution attacks against enterprise systems.

The firm has issued updates for three flaws present across its VMware ESXi bare-metal hypervisor and vSphere Client virtual infrastructure management platform, including a severe bug rated 9.8 out of ten on the CVSS scale.

This vulnerability, tracked as CVE-2021-21972, is embedded in a vCenter Server plugin in the vSphere Client. Attackers with network access to port 443 may exploit this to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Also patched is CVE-2021-21974, which is a heap buffer overflow vulnerability in the OpenSLP component of ESXi and is also rated a severe 8.8. Cyber criminals lying dormant within the same network segment as ESXi, also with access to port 427, may trigger the issue in OpenSLP which could also result in remote code execution. 

Finally, CVE-2021-21973 is a server-side request forgery (SSRF) flaw in vSphere Client which has arisen due to improper validation of URLs in a vCenter Server plugin. This is not as severe as the other two bugs, having only been rated 5.3, but can also be exploited by those with access to port 443 to leak information. 

There are workarounds that users can deploy for both CVE-2021-21972 and CVE-2021-21973 that are detailed here until a fix is deployed by the system administrator. 

Users can patch these flaws, however, by updating the products to the most recent versions. These include 7.0 U1c, 6.7U3I and 6.5 U3n of vCenter Server, 4.2 and 3.10.1.2 of Cloud Foundation, as well as ESXi70U1c-17325551, ESXi670-202102401-SG and ESXi650-202102101-SG of ESXi.

These vulnerabilities were privately brought to the attention of VMware and customers are urged to patch their systems immediately.

Microsoft to launch standalone Office 2021 suite


Keumars Afifi-Sabet

19 Feb, 2021

Microsoft will launch a standalone, offline version of its flagship Office productivity suite for users and businesses unwilling to take out a subscription, more than two years after launching Office 2019.

Dubbed Office 2021, this software suite will launch alongside a long-term servicing channel (LTSC) version developed primarily for enterprises, according to the Verge.

Office LTSC will include new features such as support for dark mode, and accessibility improvements, alongside enhancements to core functionality – although the company has refrained from detailing these feature changes.

The announcement follows the company’s hints last year that it would release a ‘perpetual licence’ edition of its productivity suite. This is despite an understanding that Microsoft was seeking to phase out offline variants of Office in light of the huge shift to cloud-based collaboration.

Office 2019, for example, was released with a reduced extended support period against that offered in previous offline editions. Users were able to tap into just five years of mainstream support, as opposed to the standard seven years afforded in the past.

Microsoft’s desire to migrate its customers to subscription-based services was also signalled by the launch of Microsoft 365, which encompasses the breadth of its workplace services, including Outlook and Teams.

The imminent launch of Office 2021 and Office LTSC, however, suggests the company understands not all its customers are ready to move to the cloud. 

“It’s just a matter of trying to meet customers where they are,” head of Microsoft 365, Jared Spataro, told the Verge.

“We certainly have a lot of customers that have moved to the cloud over the last 10 months, that’s happened en masse really. At the same time, we definitely have customers who have specific scenarios where they don’t feel like they can move to the cloud.”

Like Office 2019, Office LTSC will only be supported for five years, excluding extended support. Pricing for Office Professional Plus, Office Standard and individual apps will also increase by 10% for commercial customers against Office 2019. Pricing for consumer and small business customers with Office 2021, however, will not change. 

The software giant is planning to release a preview of Office LTSC in April ahead of a full release later this year. Office 2021 will launch at the same time, but won’t be available in preview.

Samsung debuts ‘industry’s-first’ AI-powered memory


Keumars Afifi-Sabet

17 Feb, 2021

Samsung has developed a computing architecture that combines memory with artificial intelligence (AI) processing power to double the performance of data centres and high-performance computing (HPC) tasks while reducing power consumption.

Branded an ‘industry first’, this processor-in-memory (PIM) architecture brings AI computing capabilities to systems normally powered by high-bandwidth memory (HBM), such as data centres and supercomputers. HBM is an existing technology developed by companies including AMD and SK Hynix.

The result, according to Samsung, is twice the performance in high-powered systems, and a reduction in power consumption by more than 70%. This is driven largely by the fact the memory and processor components are integrated and no longer separated, vastly reducing the latency in the data transferred between them.

“Our groundbreaking HBM-PIM is the industry’s first programmable PIM solution tailored for diverse AI-driven workloads such as HPC, training and inference,” said Samsung’s vice president of memory product planning, Kwangil Park.

“We plan to build upon this breakthrough by further collaborating with AI solution providers for even more advanced PIM-powered applications.”

Most computing systems today are based on an architecture which uses separate memory and processor units to carry out data processing tasks, known as von Neumann architecture. 

This approach requires data to move back and forth on a constant basis between the two components, which can result in a bottleneck when handling ever-increasing volumes of data, slowing system performance.

HBM-PIM, developed by Samsung, places a DRAM-optimised AI engine within each memory bank, enabling parallel processing and minimising the movement of data.

“I’m delighted to see that Samsung is addressing the memory bandwidth/power challenges for HPC and AI computing,” said Argonne’s associate laboratory director for computing, environment and life sciences, Rick Stevens. Argonne National Laboratory is a US Department of Energy research centre.  

“HBM-PIM design has demonstrated impressive performance and power gains on important classes of AI applications, so we look forward to working together to evaluate its performance on additional problems of interest to Argonne National Laboratory.”

Samsung’s innovation is being tested inside AI accelerators by third-parties in the AI sector, with work expected to be completed within the first half of 2021. Early tests with Samsung’s HBM2 Aquabolt memory system demonstrated the performance improvements and power consumption reduction cited previously.