Technology

Microservices are at the heart of many cloud-native architectures, using tools such as Kubernetes to manage service scaling on demand. Microsoft has been at the forefront of much of this movement, with a deep commitment to the Cloud Native Computing Foundation and by using Kubernetes to support its hyperscale Azure and its on-premises hybrid Azure Stack.

Part of that commitment comes from its tools, with a range of different platforms and services to support cloud-native microservice development. One of those tools is Dapr, the Distributed Application Runtime, an event-driven runtime that supports creating and managing service elements using best practices. It’s designed to be platform agnostic, so you can use your choice of target environments (local, Kubernetes, or any other environment with Dapr support) and your choice of languages and frameworks.

To read this article in full, please click here

The two most mentioned advantages of cloud-based platforms are pay-per-use billing and the ability to scale up to an almost unlimited number of resources. No more buying ahead of resource demand, attempting to guess the amount of physical hardware and software that you’ll need.

But enterprise IT needs to understand that scale and costs are coupled concepts in cloud computing. The more resources you use, either self-scaling or auto-scaling, the more you pay. How much you pay may depend on the architecture patterns as much as on the cost of the resources themselves. Here’s why.

In building cloud-based systems, I’ve discovered that cloud architecture is really just making a bunch of the right decisions. Those who make bad decisions are not punished, they are just underoptimized. That everything works conceals the fact that you’re paying twice as much as you would if the architecture were fully optimized as to scaling and cost.

To read this article in full, please click here

Joker’s Stash, by some accounts the largest underground shop for selling stolen credit card and identity data, says it’s closing up shop effective mid-February 2021. The announcement came on the heels of a turbulent year for the major cybercrime store, and just weeks after U.S. and European authorities seized a number of its servers.

A farewell message posted by Joker’s Stash admin on Jan. 15, 2021.

The Russian and English language carding store first opened in October 2014, and quickly became a major source of “dumps” — information stolen from compromised payment cards that thieves can buy and use to create physical counterfeit copies of the cards.

But 2020 turned out to be a tough year for Joker’s Stash. As cyber intelligence firm Intel 471 notes, the curator of the store announced in October that he’d contracted COVID-19, spending a week in the hospital. Around that time, Intel 471 says many of Joker’s loyal customers started complaining that the shop’s payment card data quality was increasingly poor.

“The condition impacted the site’s forums, inventory replenishments and other operations,” Intel 471 said.

Image: Gemini Advisory

That COVID diagnosis may have affected the shop owner’s ability to maintain fresh and valid inventory on his site. Gemini Advisory, a New York City-based company that monitors underground carding shops, tracked a “severe decline” in the volume of compromised payment card accounts for sale on Joker’s Stash over the past six months.

“Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service,” Gemini wrote in a blog post about the planned shutdown.

Image: Gemini Advisory

Then on Dec. 16, 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. The crime shop quickly recovered, moving to new infrastructure and assuring the underground community that it would continue to operate normally.

Gemini estimates that Joker’s Stash generated more than a billion dollars in revenue over the past several years. Much of that revenue came from high-profile breaches, including tens of millions of payment card records stolen from major merchants including Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ.

Joker’s Stash routinely teased big breaches days or weeks in advance of selling payment card records stolen from those companies, and periodically linked to this site and other media outlets as proof of his shop’s prowess and authenticity.

Like many other top cybercrime bazaars, Joker’s Stash was a frequent target of phishers looking to rip off unwary or unsophisticated thieves. In 2018, KrebsOnSecurity detailed a vast network of fake Joker’s Stash sites set up to steal login credentials and bitcoin. The phony sites all traced back to the owners of a Pakistani web site design firm. Many of those fake sites are still active (e.g. jokersstash[.]su).

As noted here in 2016, Joker’s Stash attracted an impressive number of customers who kept five and six-digit balances at the shop, and who were granted early access to new breaches as well as steep discounts for bulk buys. Those “partner” customers will be given the opportunity to cash out their accounts. But the majority of Stash customers do not enjoy this status, and will have to spend their balances by Feb. 15 or forfeit those funds.

The dashboard for a Joker’s Stash customer who’s spent over $10,000 buying stolen credit cards from the site.

Gemini said another event that may have contributed to this threat actor shutting down their marketplace is the recent spike in the value of Bitcoin. A year ago, one bitcoin was worth about $9,000. Today a single bitcoin is valued at more than $35,000.

“JokerStash was an early advocate of Bitcoin and claims to keep all proceeds in this cryptocurrency,” Gemini observed in a blog post. “This actor was already likely to be among the wealthiest cybercriminals, and the spike may have multiplied their fortune, earning them enough money to retire. However, the true reason behind this shutdown remains unclear.”

If the bitcoin price theory holds, that would be fairly rich considering the parting lines in the closure notice posted to Joker’s Stash.

“We are also want to wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money,” the site administrator(s) advised. “Remember, that even all the money in the world will never make you happy and that all the most truly valuable things in this life are free.”

Regardless, the impending shutdown is unlikely to have much of an impact on the overall underground carding industry, Gemini notes.

“Given Joker’s Stash’s high profile, it relied on a robust network of criminal vendors who offered their stolen records on this marketplace, among others,” the company wrote. “Gemini assesses with a high level of confidence that these vendors are very likely to fully transition to other large, top-tier dark web marketplaces.”

I cringe when development teams tell me that their organization makes them capture hours in Jira Software, Azure DevOps, or whatever agile management tool they are using. Capturing hours is understandable and often required for professional services organizations, which often charge clients on a time and materials contract. But for most organizations, selecting accounting metrics to quantify development productivity is an antipattern carried over from command and control management practices. 

There is a long list of other production metrics that are also problematic. Calculating productivity by lines of code completed? That’s a good way to encourage development teams to bury the organization with technical debt from bloated codebases. Measuring the numbers of user stories or story points delivered? That’s just asking developers to break down features into more stories or inflate their story point estimates.

To read this article in full, please click here

Dependency injection is a first-class citizen in ASP.NET Core MVC 5. Part of the new .NET 5, ASP.NET Core MVC 5 is the latest version of Microsoft’s framework for building web apps and APIs using the model-view-controller design pattern.

In this article we’ll take a deep dive into dependency injection in ASP.NET Core MVC 5 as well as learn the best practices that one should follow when working with dependency injection.

To work with the code examples provided in this article, you should have Visual Studio 2019 installed in your system. If you don’t already have a copy, you can download Visual Studio 2019 here.

To read this article in full, please click here

CES 2021, Samsung Galaxy S21, Section 230, escaping big tech, Clubhouse

• Misinformation has slowed now that Trump is off Twitter.
• Denise describes the effects of Section 230 on big tech.
• Is it possible for someone to escape big tech if they want to?
• Germany and France don't agree with Trump's deplatforming.
• Is CES 2021 the model for trade shows going forward?
• IoT at the Consumer Electronics Show.
• Samsung unveiled the Galaxy S21 series smartphone.
• Galaxy S21 will not support MST payments.
• Samsung Galaxy SmartTag with UWB support.
• Justine and David spot the biggest trends from CES 2021.
• GM announced BrightDrop for commercial electric vehicles.
• Google's acquisition of Fitbit is complete.
• Apple might soon charge for certain podcasts.
• Justine introduces Leo to Clubhouse.
• Are TikTok's new age limitations good for users?
• Differences between Huawei and Xiaomi in the eyes of the US.
• Intel CEO Bob Swan is out, Pat Gelsinger is in.
• Walmart's e-commerce chief's city of the future.
• Bill Gates and all of his collection of farmland.
• From petabytes to hellabytes.

Host: Leo Laporte

Guests: Justine Ezarik, Denise Howell, and David Ruddock

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

• www.stamps.com - promo code: TWIT
• itpro.tv/twit use the code TWIT30
• casper.com/twit1 - promo code: TWIT1

Java Development Kit (JDK) 16 has reached its second rampdown phase, with the feature set frozen. The new features in JDK 16 range from a second preview of sealed classes to pattern matching to concurrent thread-stack processing for garbage collection.

JDK 16 will be the reference implementation of the version of standard Java set to follow JDK 15, which arrived September 15. An initial rampdown phase was reached last month. A proposed release schedule for JDK 16 calls for release candidates arriving February 4 and February 18, 2021. The production release is due March 16, 2021.

To read this article in full, please click here

Google Cloud Platform (GCP) is the most performant public cloud infrastructure-as-a-service (IaaS) provider for running online transactional processing (OLTP) workloads, but Amazon Web Services (AWS) remains the best value for the money.

That’s according to the 2021 Cloud Report from Cockroach Labs, the company behind the open source CockroachDB database, which recently raised a $160 million mega-round of funding.

“Declaring a winner was much harder to declare than in years past,” according to the authors of the report, as the gap on most metrics was razor thin.

To read this article in full, please click here

A new study from Cloudreach and IDC entitled “Cloud Trends 2021” (registration required) surveyed more than 200 CIOs. Questions focused on the COVID-19 pandemic’s effect on the use of cloud computing and digital transformation. Keep in mind that the sponsor has a dog in the hunt in that they sell technology.

Of course, it’s the usual “cloud is good,” “cloud is important” stuff you find in most other analyst reports. However, the number that I found interesting is that 27.5 percent stated that large-scale migration to the public cloud was “essential for survival.” Hop in a time machine and just five years ago most enterprises considered cloud as an option for consuming technology such storage and compute, but really not essential. What changed?

To read this article in full, please click here

Microsoft has published a beta version of TypeScript 4.2, an update to the popular open source language that adds types to JavaScript. With a final release due February 23, TypeScript 4.2 features enhancements pertaining to tuple types and type aliases.

TypeScript 4.2, launched January 12, expands the ways rest elements in tuple types can be used. Previously, TypeScript only permitted rest elements in the last position of a tuple type. Now, rest elements can occur almost anywhere within a tuple, with a few restrictions. A rest element cannot be followed by another optional element or rest element, and only one rest element is permitted per tuple.

To read this article in full, please click here

The core purpose of a React component is to define the displayed view and bind it to the code that drives its behavior. React’s functional components distill this down to the simplest possible profile: a function that receives properties and returns a JSX definition. Everything required for behavior is defined within the function body, and the class-related parts of object-oriented components are dropped.

Functional components are capable of performing all the work of a class-based component beginning with React 16, via the “hooks” API.

Let’s begin by comparing a very simple class-based component with a functional version.

To read this article in full, please click here

Traditional in-person physical offices have been disappearing from our work lives for many years. With pandemic-wracked 2020 receding into history, many sectors of the global economy now have experienced the pleasures and frustrations of working from home.

We’ve now seen practically every big technology company from Google to VMware give up trying to bring employees back to traditional offices for the indefinite future. According to a recent enterprise survey by 451 Research, the emerging technology research unit of S&P Global Market Intelligence, 80 percent of companies have implemented or expanded universal work-from-home policies, and 67 percent plan to keep at least some work-from-home policies in place long term or permanently.

To read this article in full, please click here

Google’s Go finally could be adding generics, long sought by many Go users as a mechanism to simplify the language.

A Go language change proposal filed January 12 in GitHub calls for adding support for type parameters for types and functions, thus enabling a form of generic programming. Efforts to add generics to Go have been going on for years, with support for generics being one of the most-commonly requested features since Go was first released in 2009. Now, Go developers may see an implementation by the end of this year, perhaps included as part of Go 1.18 beta releases. The implementation would be complete but perhaps not fully optimized.

To read this article in full, please click here

CockroachDB was architected from the ground up to be cloud-native, so that it can scale elastically and survive any failure, natively, without any additional setup or configuration. Since its inception, the Cockroach Labs team has made regular updates and improvements to the distributed database. Today, this database helps thousands of developers more efficiently build data driven applications in the cloud and is the foundation of many of the game-changing applications that are driving the modern, digital economy.

The latest release, CockroachDB 20.2, includes support for spatial data and introduces a custom Kubernetes Operator. All the while, the team continues to improve the security and management capabilities of the database, along with considerable improvements to the overall performance of CockroachDB. Notably, with this release, the majority of these new capabilities are available in the free version of the database, CockroachDB Core.

To read this article in full, please click here

Even without the oodles of extensions that make Visual Studio Code a power tool for every developer, Microsoft’s open source programming editor is loaded with nifty features by default. However, some of these useful features are not obvious, even to seasoned users. And with each new release of VS Code, more handy features get rolled in—often remaining below the waterline.

Here we’ve listed six useful Visual Studio Code capabilities that you might not be aware of. Most will appeal to developers of all levels of VS Code expertise, from the newcomer to the seasoned vet.

Want to find a command, any command, in VS Code? Press Ctrl-Shift-P and start typing. The command palette, as it’s called, gives you fast access to any registered command, including those provided by add-ons. Plus, if there’s a key binding associated with a given command, it’s displayed in the type-to-search drop-down list. This way, you can cut straight to the key shortcut in the future.

To read this article in full, please click here

SolarWinds smoking gun, Signal influx of WhatsApp users, male chastity cage.

• Firefox and Chromium updates address remote system take over bugs.
• Tenable researchers reported a critical Chromium bug.
• What Firefox's backspace key does and should do.
• How Ryuk malware operations netted $150 million via cryptocurrency exchange.
• Intel: A triumph of marketing over technology.
• The strange case of the Male Chastity Cage.
• A SolarWinds smoking gun? "Sunburst backdoor."
• A class action lawsuit filed by shareholders of SolarWinds stock.
• The "Krebs Stamos Group"
• Zyxel security endpoints under attack.
• WhatsApp revises their privacy policy.
• Signal sees a mass influx of WhatsApp users.
• Out with the old: A look at the history of SpinRite code.

We invite you to read our show notes at https://www.grc.com/sn/SN-801-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• WWT.COM/TWIT
• barracuda.com/securitynow

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.

Most concerning of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite — Windows Defender — that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it’s not entirely clear how this is being exploited.

But Kevin Breen, director of research at Immersive Labs, says depending on the vector the flaw could be trivial to exploit.

“It could be as simple as sending a file,” he said. “The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.”

Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.

Breen called attention to another critical vulnerability this month — CVE-2020-1660 — which is a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, meaning an attack could be easy to reproduce,” Breen said. “However, they also note that it’s ‘less likely’ to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC — CVE-2019-1409 and CVE-2018-8514 — were not widely exploited.

The remaining 70 or so flaws patched this month earned Microsoft’s less-dire “important” ratings, which is not to say they’re much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019.

“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching.”

Trend Micro’s ZDI Initiative pointed out another flaw marked “important” — CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.

“It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch,” ZDI’s Dustin Childs said. “The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.”

Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers.

Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide.

Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I’ve used previously and are worth a look.

That said, there don’t appear to be any major issues cropping up yet with this month’s update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches.

As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

The developers of Angular 12, a planned upgrade to the popular Google-built web development framework, have set their sights on a host of improvements, ranging from better integration with deployment providers to improved error messages.

Currently planned for release in May 2021, Angular 12 would follow the November release of Angular 11, which offered stricter types and better router performance.

Among the improvements under consideration for Angular 12 is having ng build  compiler command and the yarn build bundler command running production builds by default. The goal would be to improve integration with many deployment providers, such as Heroku, Netlify, and others, according to Minko Gechev, who works on Angular at Google. Another item on the prospective features list is improved error messages, with top 10 errors getting much more detailed error messages and docs.

To read this article in full, please click here

New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company’s software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worrisome, the research suggests the insidious methods used by the intruders to subvert the company’s software development pipeline could be repurposed against many other major software providers.

In a blog post published Jan. 11, SolarWinds said the attackers first compromised its development environment on Sept. 4, 2019. Soon after, the attackers began testing code designed to surreptitiously inject backdoors into Orion, a suite of tools used by many Fortune 500 firms and a broad swath of the federal government to manage their internal networks.

Image: SolarWinds.

According to SolarWinds and a technical analysis from CrowdStrike, the intruders were trying to work out whether their “Sunspot” malware — designed specifically for use in undermining SolarWinds’ software development process — could successfully insert their malicious “Sunburst” backdoor into Orion products without tripping any alarms or alerting Orion developers.

In October 2019, SolarWinds pushed an update to their Orion customers that contained the modified test code. By February 2020, the intruders had used Sunspot to inject the Sunburst backdoor into the Orion source code, which was then digitally signed by the company and propagated to customers via SolarWinds’ software update process.

Crowdstrike said Sunspot was written to be able to detect when it was installed on a SolarWinds developer system, and to lie in wait until specific Orion source code files were accessed by developers. This allowed the intruders to “replace source code files during the build process, before compilation,” Crowdstrike wrote.

The attackers also included safeguards to prevent the backdoor code lines from appearing in Orion software build logs, and checks to ensure that such tampering wouldn’t cause build errors.

“The design of SUNSPOT suggests [the malware] developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” CrowdStrike wrote.

A third malware strain — dubbed “Teardrop” by FireEye, the company that first disclosed the SolarWinds attack in December — was installed via the backdoored Orion updates on networks that the SolarWinds attackers wanted to plunder more deeply.

So far, the Teardrop malware has been found on several government networks, including the Commerce, Energy and Treasury departments, the Department of Justice and the Administrative Office of the U.S. Courts.

SolarWinds emphasized that while the Sunspot code was specifically designed to compromise the integrity of its software development process, that same process is likely common across the software industry.

“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” said SolarWinds CEO Sudhakar Ramakrishna. “The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge, and resources of all constituents.”