ConCourt: Children Born in South Africa to Foreign Parents Can Apply For Citizenship


It has taken four years of legal battles – but now, if you were born in South Africa to foreign parents, you can apply for citizenship. It has been an “agonizing journey” for those who consider South Africa to be their only home. The department of home affairs’ opposition to the court bid by five adults, representing others in a similar situation, for the vindication of their rights, was dealt a death blow by the Constitutional Court last week. The court simply ruled that it would not hear any further argument on the matter.

The department had not filed its papers in time, and it had not given good reason for this. What this means for Mariam Ali, Aden Salih, Kanu Nkololo, Caroline Masuki, Murphy Nganga and any others “similarly situated” is that their previous victory in the Supreme Court of Appeal (SCA) now stands. In terms of that order, the minister must accept their applications for citizenship and make a decision within 10 days.

The SCA declared that if you were born in South Africa to foreign parents who have not been admitted as permanent residents, you qualify to apply for South African citizenship upon becoming a major – if your birth was registered and if you have lived here all your life, irrespective of the date of your birth. It also ordered the minister to enact the necessary forms to allow for such applications within one year. Pending this, he must accept applications on affidavit. The application, brought with the assistance of the Legal Resources Centre (LRC), was first set down in the Western Cape High Court.

It was argued that the centre’s clients had all complied with the Citizenship Amendment Act, which came into effect in January 2013. They were all born in South Africa to foreign parents and they had all turned 18, but their applications for citizenship under naturalisation laws were being refused.

In that court, the minister argued that the act only applied to children born after January 2013 and could not be applied retrospectively. In fact, his lawyers argued, it did not even apply to children who turned 18 after that date but only to children born after that date.

There, the department of home affairs changed its argument. Retrospectivity was no longer an issue. Instead, it was argued that those affected should have put the minister on terms to deal with their applications and, if they were refused, they could then launch court proceedings to review and set aside the decisions.

“Despite these concessions, some 10 months later, the state decided to change its stance. We believed it was an abuse of process. They plainly had no reasonable prospects of success and again it showed a total disregard for taxpayers, who have to foot the bill for these types of vexatious proceedings.”

She said that during those 10 months, when there was no indication of any appeal, the clients had submitted their citizenship applications but they were not dealt with.

“Following the dismissal of their appeal, we will now be demanding the adjudication of those citizenship applications and we will approach the courts if necessary, should a decision not be made within 10 days, in accordance with the SCA ruling.

“Our clients have had to endure a long and painful journey to obtain citizenship, with some of them all but giving up hope of being finally accepted by a country they have grown to love – the only country they have called home.

“A large part of this agonizing journey could have been avoided if decision makers within the department of home affairs exercised reason and caution by not arbitrarily abusing the court processes to delay and frustrate the exercise of the clear and unequivocal right of these applicants.”

Minister of Home Affairs v Miriam Ali and Others [2018] ZASCA 169 (SCA) (Case no. 1289/17, Supreme Court of Appeal – Court Order Date: 30 November 2018)

2.1 The matter pertains to the interpretation of section 4(3) of the South African Citizenship Act 88 of 1995 (amendment that came into effect on 1 January 2013) in which the main issue was whether or not the section applies with retrospective effect and, further, whether the respondents (on appeal) satisfy the requirements of citizenship by naturalisation. The question was whether in the absence of Regulations, the High Court was correct in directing the Minister to accept applications on affidavits as the order encroached upon the doctrine of separation of powers.

2.2 The Supreme Court of Appeal issued the order that:

“The Minister shall –

3.1 Within one year of the date of this order make regulations in terms of s 23(a) of the South African Citizenship Act 88 of 1995 (the Act) in respect of applications for citizenship by naturalisation in terms of s 4(3) of the Act;

3.2 Pending the promulgation of the regulation in 3.1 above, accept applications in terms of s 4(3) South African Citizenship Act 88 of 1995, on affidavit.”

Why has his department not fully complied with the court order?

2.3 The DHA was advised to approach the Constitutional Court (“CC”) as the Order of the SCA had the effect of encroaching upon the subordinate legislative powers of the Minister. The CC declined to hear the matter largely because the DHA delayed in launching the appeal proceedings.

www.samigration.com


We may get SA’s red list of travel-restricted countries within hours – but it depends


Business Insider SA - Sep 30, 2020

South Africa's borders open for all foreign travellers on Thursday, and airlines already have flights lined up.

  • But there is still no list of countries for which travel restrictions will apply, based on their level of coronavirus risk.
  • Transport minister Fikile Mbalula should announce that list at 15:00 – but cabinet still has to sign off on it, so it may not happen.

South Africa may release its red list of countries for which travel restrictions apply due to their coronavirus risk this afternoon – some nine hours before borders officially open.

But not necessarily.

His team "expect that" transport minister Fikile Mbalula will announce the list at a press conference scheduled for 15:00, his spokesperson Esethu Hasane told Business Insider South Africa, but it is not entirely in his hands.

"Cabinet is due to discuss it today," said Hasane. "If cabinet gives the green light, the minister will then announce."

President Cyril Ramaphosa announced the reopening of South Africa's borders for leisure travellers in mid-September, and immediately cautioned that there may be restrictions for travel to and from some countries, "based on the latest scientific data we can get on those countries".

There has been no indication from the government in the intervening two weeks as to what metrics may be used, how often a red list would be updated, or what kind of notice travellers would be given before any countries are added or removed from the list.

Nor has there been any official word on whether restrictions will be limited to a requirement to self-isolate on arrival, for those from high-risk countries, or whether travellers could be banned from entering South Africa entirely.

According to already in-force regulations, travellers to and from other countries on the African continent will be excluded from any such restrictions, while cruise ships remain explicitly banned from SA shores.

All travellers, including those from elsewhere in Africa, will be required to present a negative test result for the coronavirus that is less than 72 hours old, or face quarantine.

Several airlines expect to resume flights to South Africa tomorrow, including from countries with high and rising rates of infection.


Honeypot reveals tactics used by cybercriminals to deploy ransomware

ZDNet - 25 September 2020

A honeypot created by Cybereason to lure cybercriminals and analyze their methods showed that ransomware attacks infiltrate their victims in multiple stages.

Some types of cyberattacks are one-and-done deals where the cybercriminals get in and out quickly after infecting or compromising an organization. Other types of attacks, however, expand over a period of time as they try to impact additional resources within the organization. Using a honeypot, researchers at security firm Cybereason were able to attract multiple criminals using ransomware and follow each stage of an attack.

A honeypot is a network infrastructure built specifically to reel in cybercriminals to see how they behave and carry out a typical attack. In this case, Cybereason devised an extensive network architecture that pretended to be part of an electricity generation and transmission provider's network. As such, this honeypot contained an IT environment, an OT (operational technology) environment, and HMI (human machine interface) management systems.

After the honeypot officially opened for business, it took only three days for cyberattackers to infiltrate the network and fill it with malware, Israel Barak, chief information security officer at Cybereason, told ZDNet. But the attack was carried out in distinct stages as the criminals carefully and stealthily forced their way from one resource to another.

In the first stage, the attackers gained initial access by exploiting publicly accessible remote administration interfaces. Such interfaces are typically designed by network operators to give technical support staff the ability to remotely connect to the network. To invade the network, the attackers were able to brute force the administrator's account password and sign in remotely. After that, the criminals uploaded and ran a PowerShell script to create a backdoor so the attackers could persistently use and abuse the admin account without being detected.

In the second stage, the criminals uploaded more attack tools via PowerShell. One of those was Mimikatz, an open-source tool used to steal user credentials. The stolen credentials were used in an attempt to move laterally across the network to the domain controllers. However, the attempt failed as none of the compromised accounts had permission to access the domain controllers.

In stage three, the attack continued to try to move laterally by leveraging a network scanner to discover additional endpoints. Finally, in the fourth stage, the ransomware launched on all the compromised endpoints.

The ransomware attack against the honeypot shows that cybercriminals use multiple stages to infect as many machines as possible and maximize their profits. Instead of just deploying the ransomware on one system, they'll move laterally throughout the network to hit one machine after another before finally launching the ransomware.
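The first stage described above (password guessing against a remote administration account, a successful sign-in, then PowerShell activity) leaves a recognisable sequence in Windows Security logs. The following is an added example, not code from Cybereason or the original article; the record fields, host names, accounts, addresses and thresholds are assumptions, and the events are constructed samples shaped like Event IDs 4625, 4624 and 4688.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs used by the correlation.
FAILED_LOGON, LOGON_OK, PROCESS_CREATE = 4625, 4624, 4688
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _ev(ts, event_id, host, account, src_ip=None, process=None):
    """Build one simplified event record (field names are assumptions)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "host": host, "account": account, "src_ip": src_ip, "process": process}


# Constructed sample data: hosts, accounts and addresses are invented.
SAMPLE_EVENTS = [
    # A legitimate operator mistypes a password twice, then signs in.
    _ev("2020-09-01T08:00:05", 4625, "hmi-gw01", "operator1", "198.51.100.7"),
    _ev("2020-09-01T08:00:20", 4625, "hmi-gw01", "operator1", "198.51.100.7"),
    _ev("2020-09-01T08:00:41", 4624, "hmi-gw01", "operator1", "198.51.100.7"),
    # Twelve failures against the administrator account, then a success.
    *[_ev(f"2020-09-01T09:10:{s:02d}", 4625, "hmi-gw01", "administrator", "203.0.113.50")
      for s in range(0, 48, 4)],
    _ev("2020-09-01T09:11:02", 4624, "hmi-gw01", "administrator", "203.0.113.50"),
    _ev("2020-09-01T09:14:30", 4688, "hmi-gw01", "administrator", process=PS),
    # Routine PowerShell use elsewhere with no guessing before it.
    _ev("2020-09-01T10:00:00", 4624, "it-ws07", "helpdesk", "198.51.100.9"),
    _ev("2020-09-01T10:01:00", 4688, "it-ws07", "helpdesk", process=PS),
]


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=10),
              follow_window=timedelta(minutes=30)):
    """Flag sign-ins that succeed right after a burst of failures from the
    same source, and raise severity when PowerShell starts soon afterwards."""
    failures = defaultdict(deque)  # (host, account, src_ip) -> failure times
    sessions = []                  # suspicious sign-ins found so far
    for ev in sorted(events, key=lambda e: e["time"]):
        account = ev["account"].lower()
        key = (ev["host"], account, ev["src_ip"])
        if ev["event_id"] == FAILED_LOGON:
            failures[key].append(ev["time"])
        elif ev["event_id"] == LOGON_OK:
            # A success resets the counter; only failures inside the window count.
            recent = failures.pop(key, deque())
            while recent and ev["time"] - recent[0] > fail_window:
                recent.popleft()
            if len(recent) >= fail_threshold:
                sessions.append({"host": ev["host"], "account": account,
                                 "src_ip": ev["src_ip"], "logon_time": ev["time"],
                                 "failed_attempts": len(recent), "powershell": []})
        elif ev["event_id"] == PROCESS_CREATE:
            name = (ev["process"] or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name not in ("powershell.exe", "pwsh.exe"):
                continue
            for s in sessions:
                same_session = (s["host"], s["account"]) == (ev["host"], account)
                delay = ev["time"] - s["logon_time"]
                if same_session and timedelta(0) <= delay <= follow_window:
                    s["powershell"].append(ev["time"])
    for s in sessions:
        s["severity"] = "high" if s["powershell"] else "medium"
    return sessions


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only the administrator sign-in is reported: the operator's two mistyped passwords stay under the threshold, and the helpdesk PowerShell session has no failure burst before it.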

"This finding is consistent with what we have been seeing about ransomware in particular," Javvad Malik, security awareness advocate for KnowBe4, told TechRepublic. "It is no longer a case that criminals will want to infect every machine as soon as possible. Rather ransomware, once broken in, will dial-home so the best strategy can be determined. This includes what to encrypt, the ability of the victim to pay, corrupting backups, and exfiltrating data and credentials."

Beyond just encrypting sensitive files and demanding payment from the victim, ransomware attackers are going further with their threats.

"In this whole process, ransomware is the last to be deployed because it allows the criminals to not only demand payment for the decryption key, but also demand payment to not publicly release or sell data they have exfiltrated," Malik said. "Sometimes they will use the stolen information to attack partners or try to extort customers."

To better protect your organization against ransomware attack, Cybereason serves up the following recommendations:

  1. Establish cyber incident response tools and procedures across both IT and OT networks with the goal to minimize Mean-Time-To-Response. Minimizing damage and preventing an ICS (industrial control system) network from being taken offline is essentially the cat-and-mouse game being played by attackers and defenders. To keep hacking groups at bay, organizations need to minimize the time it takes to respond to a threat. This can be achieved by deploying threat hunting services around the clock.
  2. Establish unified security operation center and workflows across both IT and OT environments. Operating a unified security operations center (SOC) provides visibility into the IT and OT environments because attackers are looking to use IT environments as gateways into OT environments. Some companies may already have a network operations center (NOC) monitoring the OT environment, but a combined SOC lets operators see all operations as they move through the network.
  3. Design and operate with resiliency in mind. Resiliency and security can no longer be an afterthought. As new critical infrastructure systems are built and installed, legacy networks will be retired and taken offline. It is very important for next-generation systems to be built with resiliency and security in mind. The design and ongoing operation of the system must take into consideration what security threats will become commonplace in the months and years ahead.
  4. Partner with experts. Be sure to partner with experts with vast knowledge of ICS threats. The public and private sector need to work together closely to protect this industry. Partner with a security company that can stay ahead of new threats and help operators address issues in real time. 
  5. Test, test, test. Regular testing must be a focal point in this sector. Tabletop exercises that enable red and blue teams to role-play different catastrophic scenarios and the real-time response to those scenarios are critical preparation for dealing with an actual threat in real time. Never underestimate the value of tabletop exercises in shoring up weakened defenses and helping executives understand the importance of security.

Based on the latest ransomware threats, Malik has another piece of advice for organizations:

"Even having reliable and up-to-date backups won't help," Malik said, "which is why preventing criminals from gaining a foothold is of utmost importance. The top three controls organizations can deploy would include security awareness training so that users can identify and respond to phishing attacks, MFA (multifactor authentication) to prevent credential compromise, and patching external-facing systems."

www.vsoftsystems.co.za



Ransomware: How clicking on one email left a whole business in big trouble

Security experts have given an insight into how a targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities.

The crooks used a phishing attack and took advantage of a number of vulnerabilities – from old hardware to default passwords – to first deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.

In this case, the organisation didn't opt to pay the ransom – something that authorities discourage and that would only fund additional attacks by cyber criminals – but instead had security experts come in to examine the network and restore functionality within 48 hours.

"This was a targeted attack. This is targeting organisations such as this one which, if they don't have the security retainer or IT staff, the initial reaction would be to give into the ransomware attack because they want to return their operations quickly," Bindu Sundaresan, director at AT&T cybersecurity, told ZDNet.

AT&T investigated the attack and helped the unnamed manufacturer get back online without giving into a ransom demand, with as little disruption to production as possible. But the company likely would not have fallen victim if basic security vulnerabilities hadn't allowed the initial stages of the attack to happen.

Ryuk, like some other forms of ransomware, is deployed as the final stage in a three-pronged attack that also delivers Emotet and Trickbot. Emotet started life as a banking trojan before evolving into a botnet that is leased out to deliver other malware, which in this case is the Trickbot trojan.

Trickbot is a powerful form of malware that provides attackers with a full backdoor into compromised systems, including the ability to move around networks, issue commands and steal additional data.

After this the Ryuk ransomware is downloaded onto the network by the hackers because cyber criminals view it as the quickest and easiest way to make money from a compromised network.

While many ransomware campaigns now start with targeting remote ports, this one began with a phishing attack.

"A user was sent a Microsoft Word document as part of a phishing campaign. It was labelled as an invoice and this user downloaded the document, then malicious code executed a PowerShell command that downloaded an Emotet payload," Sundaresan explained.

PowerShell commands generally aren't required by users who don't need administrator rights, so if PowerShell had been disabled for those who don't need it, the cyberattack could've been cut off at this point.
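Where PowerShell cannot simply be removed from ordinary users, the same point can be enforced as a detection: review every PowerShell start for an Office application in its ancestry and for accounts that are not approved to use it. This is an added example, not taken from AT&T or the original article; the record fields, account names and the approved-user list are assumptions, and the process records are constructed.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records (pid, parent pid, image path, user).
SAMPLE_PROCESSES = [
    # A clerk opens a Word "invoice" whose macro runs cmd.exe and then PowerShell.
    {"pid": 100, "ppid": 1, "image": EXPLORER, "user": "acct-clerk"},
    {"pid": 210, "ppid": 100, "user": "acct-clerk",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 305, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe", "user": "acct-clerk"},
    {"pid": 410, "ppid": 305, "image": PS, "user": "acct-clerk"},
    # An administrator who is approved to use PowerShell.
    {"pid": 500, "ppid": 1, "image": EXPLORER, "user": "it-admin"},
    {"pid": 510, "ppid": 500, "image": PS, "user": "it-admin"},
    # A user with no need for PowerShell starts it interactively.
    {"pid": 600, "ppid": 1, "image": EXPLORER, "user": "warehouse1"},
    {"pid": 610, "ppid": 600, "image": PS, "user": "warehouse1"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(pid, by_pid, max_depth=8):
    """Image names from the process up through its ancestors.
    The depth limit and the seen-set guard against loops in bad data."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def review_powershell(processes, powershell_users):
    """Return one finding per PowerShell start that has an Office ancestor
    or runs under an account outside the approved set."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        if image_name(p["image"]) not in POWERSHELL:
            continue
        chain = lineage(p["pid"], by_pid)
        reasons = []
        office = [name for name in chain[1:] if name in OFFICE_APPS]
        if office:
            reasons.append(f"spawned under {office[0]}")
        if p["user"].lower() not in powershell_users:
            reasons.append("user not approved for PowerShell")
        if reasons:
            findings.append({"pid": p["pid"], "user": p["user"],
                             "chain": " <- ".join(chain), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_powershell(SAMPLE_PROCESSES, {"it-admin"}):
        print(finding)
```

On real telemetry, process IDs are reused over time, so the lookup should be keyed on host and start time as well as PID.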

After Emotet formed the initial part of the attack, gaining a foothold in the network, the next step was to use the Trickbot malware to steal login credentials for corporate accounts and cloud services to gain access to other parts of the network.

By exploiting this cycle, cyber criminals were able to gain control of over half the network, before eventually delivering the Ryuk ransomware.

"Malware like this wants to get the most bang for its buck and go after organisations that are at the point where they feel like they need to give in due to the damage it's costing to their network, the valuable data that's being held – so they have a sense of urgency," said Sundaresan.

However, the attack could have been much worse, given Ryuk had not compromised the entire network but about 60% of it, including ordering and billing applications. This was in part because security personnel were able to contain the attack after being called in by the manufacturer.

"The ability to contain it and the response time was crucial. The ability to contain the incident is the key to recover from it and having the business up and running before it got to the crucial databases," Sundaresan explained.

Within 48 hours, much of the business was back up and running again – crucially without having given into paying a ransom demand to criminals. However, two days of downtime would have been costly to the organisation and restoring the network isn't likely to have been cheap either – plus there's the prospect of having to upgrade security in the aftermath, so attackers don't strike again.

And like many organisations that fall victim to cyberattacks, this one could've prevented itself from falling victim to ransomware by ensuring that cybersecurity hygiene was well managed – but there were simple-to-fix vulnerabilities that attackers were able to take advantage of.

For example, the vulnerabilities that Emotet, Trickbot and Ryuk take advantage of have been known about for a long time and critical security updates have been issued to protect users – but despite these updates being years old, there are organisations that still haven't applied them.

"Microsoft has put out patches but patch management and security hygiene still remain issues for organisations," said Sundaresan, who added that this ransomware attack could've also been prevented if strong passwords and multi-factor authentication had been used to secure systems.

"A lot of this can be prevented. If they didn't have default password and end-of-life machines, a lot of this would've been prevented."

And when it comes to cyberattacks, prevention is the best cure, because not only does it stop your organisation from falling victim to ransomware or other malware, the cost of securing the network in advance is almost certainly going to be less expensive than having to do it in the aftermath of an incident – especially if the attack disrupts operations or causes reputational damage that could keep customers away.

So while it might potentially seem expensive, it could be very much worth having security experts from outside the organisation come in to examine the network before damage can be done – and not after.

"Get a security assessment done from an offensive attacker point of view, you don't want to be just doing the security initiatives from compliance or internal testing – it's not enough. You have to get your network tested using multiple attack vectors and you have to do it objectively with full penetration testing," Sundaresan said.

Because ultimately, ransomware – be it Ryuk or another family – is still out there and still remains a threat because too many organisations aren't following the security basics. And until this is fixed, ransomware will remain a problem.