Image: Robert Anasch The government of North Rhine-Westphalia, a province in western Germany, is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding. The funds were lost following a classic phishing operation. Cybercriminals created copies of an official website that the […] More

The UK’s security agency has told organizations of the steps to take to beef up their defenses “when the cyber threat is heightened” by zero-day software flaws or geopolitical tensions. The National Cyber Security Centre (NCSC) is not alone in warning companies to take action. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) also warned all organizations to take “near, urgent steps” to mitigate critical cyber threats in response to last week’s cyberattacks on Ukraine government websites and IT systems. This advice comes amid growing fears of a Russian invasion of Ukraine.

ZDNet Recommends

CISA raised the alarm after Microsoft discovered wiper malware, dubbed “WhisperGate”, on several Ukraine systems. CISA reminded US businesses of NotPetya, the wiper malware that targeted Ukraine organizations in 2017 via a tainted update to a popular accounting software package, but that also infected worldwide IT networks of US and European businesses. The attack cost European and US businesses billions of dollars in the White House’s estimates.  SEE: A winning strategy for cybersecurity (ZDNet special report)Rafe Pilling, senior security researcher at Secureworks’ Counter Threat Unit, reckons US and European organizations could become casualties of WhisperGate in a similar fashion. “While it is unlikely that organizations outside of Ukraine will be directly targeted, customers should consider their exposure to collateral damage via service providers or business partners in Ukraine,” said Pilling.”Organizations should be extra vigilant and maintain current backups of business-critical systems and data, exercise restoration processes before they are needed, and ensure that backups cannot be impacted by ransomware-style or wiper malware attacks.”

So what should potentially affected businesses and public agencies in the UK and elsewhere do to mitigate the risk of becoming collateral damage? The UK’s NCSC says organizations need to balance cyber risks and defense and notes there “may be times when the cyber threat to an organisation is greater than usual.”  Triggers for heightened risk include a spike in adversary capability from new zero-day flaws in popular software, or something “more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions,” says the NCSC. The NCSC’s answer is to control what you can because you can’t control the threat level. And that means patching systems, checking configurations and shielding the network from password attacks. “It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack,” NCSC says.Like CISA, the NCSC has provided a checklist of fundamental cybersecurity actions that are “important under all circumstances but critical during periods of heightened cyber threat.” They’re important to do because organizations probably can’t quickly implement widespread changes when threat levels rise.  NCSC’s list includes:Check your system patching: Ensure your users’ desktops, laptops and mobile devices are all patched Verify access controls: Ask staff to ensure that their passwords are unique to your business systems and are not shared across other, non-business systems Ensure defences are working: Check antivirus and firewalls Logging and monitoring: Understand what logging you have in place, where logs are stored, and for how long Review your backups: Confirm that your backups are running correctly Incident plan: Check your incident response plan is up to date Check your internet footprint: Perform an external vulnerability scan of your whole internet footprint Phishing response: Ensure that staff know how to report phishing emails Third-party access: Have a comprehensive understanding of what level of privilege is extended into your systems, and to whom NCSC services: Register for the Early Warning service, so that the NCSC can quickly inform you of any malicious activity Brief your wider organisation: Ensure that other teams understand the situation and the heightened threat More

The New South Wales government has been using a tool to help de-identify data related to COVID-19 prior to the release of that data to the public, the CSIRO said on Thursday.
The tool, dubbed Personal Information Factor (PIF), has been created by Data61, the NSW government, the Australian Computer Society, Cyber Security Cooperative Research Centre (CSCRC), and “several other groups”.
“The privacy tool assesses the risks to an individual’s data within any dataset; allowing targeted and effective protection mechanisms to be put in place,” the CSIRO claimed.
“The software uses a sophisticated data analytics algorithm to identify the risks that sensitive, de-identified and personal information within a dataset can be re-identified and matched to its owner.”
NSW chief data scientist Dr Ian Oppermann said the tool was being used on datasets containing data on people who had been infected with COVID-19 before it was made publicly available.
“Given the very strong community interest in growing COVID-19 cases, we needed to release critical and timely information at a fine-grained level detailing when and where COVID-19 cases were identified,” Oppermann said.
“This also included information such as the likely cause of infection and, earlier in the pandemic, the age range of people confirmed to be infected.

“We wanted the data to be as detailed and granular as possible, but we also needed to protect the privacy and identity of the individuals associated with those datasets.”
Data61 said PIF assigns a risk score to a dataset and makes recommendations to make de-identification “more secure and safe”.
The tool is also being used on other datasets such as domestic violence data and public transport usage, Data61 said.
PIF will be made available by June 22.
In a recent submission to a review of the Privacy Act, security researcher Vanessa Teague said de-identification does not work.
“A person’s detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person’s explicit, genuine, informed consent,” Teague said.
“Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made.”
At the end of 2017, a team of academics, including Teague, were able to re-identify some of the data from a set containing historic longitudinal medical billing records on one-tenth of all Australians.
“We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth,” Dr Chris Culnane said at the time.
“This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy.”
In September 2016, the same dataset was found by the University of Melbourne team to not be encrypting supplier codes properly. The dataset was subsequently pulled down by the Department of Health.
“Leaving out some of the algorithmic details didn’t keep the data secure ­– if we can reverse-engineer the details in a few days, then there is a risk that others could do so too,” the team said at the time.
“Security through obscurity doesn’t work — keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem.
“It is much better for such problems to be found and addressed than to remain unnoticed.”
In response, the Australian government sought to criminalise the intentional re-identification and disclosure of de-identified Commonwealth datasets and reverse the onus of proof, with the aim of applying the changes retrospectively from 29 September 2016.
The changes lapsed at the 2019 election.

Coronavirus More

When it comes to creating strong, secure passwords, the best course of action is to use a password generator, which is much better than humans are at randomizing characters into long (16 or more) and hard-to-crack credentials. Thankfully, there are numerous tools available. Also: The best password managersWhat is the best password generator right now?At ZDNET, we’ve tested a long list of password generators to find the top tools for creating strong (random) passwords to secure your digital accounts. The best password generator is the one you’ll actually use — and if you have a password manager, the simplest and most seamless way to create and save strong passwords is to use the built-in generator. That said, NordPass More

Image: Peter Kruse Since May 2018, a malware botnet has been launching brute-force attacks against Microsoft SQL (MSSQL) databases to take over admin accounts and then install cryptocurrency mining scripts on the underlying operating system. The botnet, detailed in a report published today by cyber-security firm Guardicore and shared with ZDNet, is still active and […] More