Heroku fesses up to customer password theft due to OAuth token attack

Written by Chris Duckett, APAC Editor

Heroku has explained why it emailed users with a sudden password reset warning earlier this week, and how it was due to the theft of OAuth tokens from GitHub.

“[Our investigation] revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts,” the company said in its incident notification. “For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise.”

The company also said an attacker first gained access on April 7, two days before the earliest date of the attack previously made public by either Heroku or GitHub.

“On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account,” it said. “According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.”

GitHub noticed the activity on April 12, with a notification from GitHub landing on April 13, and Heroku revoking all GitHub integration OAuth tokens three days later.

“We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date,” the company said at the top of the incident notification page, which has been running since April 15.

Heroku has previously said it would not be reconnecting to GitHub until it was certain it was safe to do so. This week, GitHub said it would be mandating the use of multi-factor authentication by the end of 2023.
WhatsApp to roll out larger file size sharing, bigger groups, and new reactions feature
WhatsApp, the messaging platform owned by Meta, has announced new features in line with last month’s communities announcement, including larger file sharing, a new emoji reactions feature to respond to messages, and eventually larger chat groups.

WhatsApp claimed in a blog post that the new features will “make it easier” for its app to facilitate internal conversations within small business groups, school groups, and community organisations.

The announcement detailed that users can now send files, protected by end-to-end encryption, of up to 2GB in size, an increase from the previous limit of 100MB. “We recommend using Wi-Fi for larger files and we’ll display a counter while uploading or downloading to let you know how long your transfer will take,” the company added.

WhatsApp also confirmed that it will begin to roll out the option for larger group chats of up to 512 people, up from the previous limit of 256.

Additionally, the company announced WhatsApp Reactions, a new feature that will be available on the latest version of the app. “Reactions are fun, fast, and they reduce overload in groups too. We’ll continue improving them by adding an even broader range of expressions in the future,” it said. “Building private, safe, and secure communities takes work and we think this series of improvements will help people and groups stay close to one another.”

Earlier this year, Meta announced that it would delay the launch of WhatsApp’s Communities feature in Brazil as part of plans to tackle the spread of false information ahead of the presidential elections. According to the company, the feature will only be launched in Brazil after the presidential elections, set to take place in October.
Can AI step up to offer help where humans cannot?

Written by Eileen Yu, Contributor

If applied inappropriately, artificial intelligence (AI) can bring more harm than good. But it can offer a much-needed helping hand when humans are unable to find comfort from their own kind.

AI hasn’t always gotten a good rep. It has been accused of replacing human roles, taking away a person’s livelihood, and threatening human rights. With the right checks and balances in place, though, few can deny the potential for AI to enhance business operations and improve lives.

Others have tapped AI to help save lives. The Chopra Foundation in September 2020 introduced a chatbot, dubbed Piwi, to provide a “community-driven solution” that aims to prevent suicide. The AI-powered platform is trained by “experts” and, based on the online interactions, will connect users to 5,000 counsellors who are on standby.

The foundation’s CEO Poonacha Machaiah said: “With Piwi, we are giving people access to emotional AI to learn, interpret, and respond to human emotions. By recognising signs for anxiety and mood changes, we can improve self-awareness and increase coping skills, including steps to reduce stress and prevent suicide by timely real-time assistance and intervention.”

Piwi has deescalated more than 6,000 suicide attempts and handled 11 million conversations through text, according to The Chopra Foundation’s founder, Deepak Chopra, an Indian-American author famed for his advocacy of alternative medicine. He described Piwi as an “ethical AI” platform trained with safeguards built into the system, adding that there were always humans in the backend to provide support where necessary.

Young individuals, in particular, were drawn to the chatbot, Chopra said. Noting that suicide was the second-most common cause of death amongst teenagers, he said youths loved talking to Piwi because they didn’t feel judged. “They are more comfortable talking to a machine than humans,” he said in a March 2022 interview on The Daily Show.

In Singapore, suicide is the leading cause of death for those aged between 10 and 29. It also was five times more deadly than road accidents in 2020, when the highest number of suicide cases were recorded in the city-state since 2012. The cause of death accounted for 8.88 per 100,000 residents that year, compared to 8 in 2019. Increases also were seen across all age groups, in particular those aged 60 and above, where the number who died by suicide hit a new high of 154, up 26% from 2019. Industry observers attributed the spike to the COVID-19 pandemic, during which more people likely faced social isolation and financial woes. It is estimated that every suicide in Singapore affects at least six loved ones.

I, too, have lost loved ones to mental illness. In the years since, I’ve often wondered what else could have been done to prevent their loss. They all had access to healthcare professionals, but clearly that proved insufficient or ineffective. Did they fail to reach help when they needed it most in their final hour because, unlike chatbots, human healthcare professionals weren’t always available 24 by 7? Or were they unable to fully express how they felt to another human because they felt judged? Would an AI-powered platform like Piwi have convinced them to reconsider their options during that fateful moment before they made their final decision?

I’ve had strong reservations about the use of AI in some areas, particularly law enforcement and autonomous vehicles, but I think its application in solutions such as Piwi is promising. While it certainly cannot replace human healthcare specialists, it can prove vital where humans aren’t deemed viable options. Just look at the 6,000 suicide attempts Piwi is said to have deescalated. How many lives amongst these might otherwise have been lost?

And there is so much more room to leverage AI innovation to improve the provision of healthcare. Almost a decade ago, I posed the possibility of a web-connected pill dispenser that could automatically dispense a patient’s prescribed medication. This would be especially useful for older folks who had difficulty remembering the numerous pills and supplements they required on a daily or weekly basis. It also could mitigate the risk of accidental overdose or wrongful consumption.

There have been significant technological advancements since I wrote that post that can further improve the accuracy, and safety, of the pill dispenser. AI-powered visual recognition tools can be integrated to identify and ensure the correct medication is dispensed. The machine also can contain the updated profile of each medication, such as how much each pill weighs and its unique features, to further determine the right drugs have been dispensed.

Clinics and pharmacies can issue each patient’s prescribed medication in a cartridge, refillable every few months, and protected with the necessary security features. Relevant medical data is stored in the cartridge, including dispensing instructions that can be accessed when it is inserted into the machine at home. The cartridge also can trigger an alert when a refill is needed and automatically send an order to the clinic for a new cartridge to be delivered to the home, if the patient is unable to make the trip.

The pill dispenser can be further integrated with other healthcare functions, such as the ability to analyse blood for diabetic patients, as well as telemedicine capabilities so doctors can dial in to check on patients should the data sent across indicate an anomaly. AI-powered solutions such as the pill dispenser will be essential in countries with an ageing population, such as Singapore and Japan. They can support a more distributed healthcare system, in which the central core network of hospitals and clinics isn’t overly taxed.

With the right innovation and safeguards, AI surely can help where humans cannot. For instance, 66% of respondents in Asia-Pacific believe bots will achieve success where humans have failed with regards to sustainability and social progress, according to a study released by Oracle, which polled 4,000 respondents in this region including Singapore, China, India, Japan, and Australia. In addition, 89% think AI will help businesses make more progress towards sustainability and social goals. Some 75% express frustration over the lack of progress, to date, by businesses and 91% want concrete action from organisations on how they’re prioritising ESG (environmental, social, and governance) issues, rather than delivering mere words of support.

Like The Chopra Foundation, CallCabinet also believes AI can help customer service agents cope with the mental stress of dealing with cases. The UK-based speech analytics software vendor argues that AI-powered tools with advanced acoustic algorithms can process key phrases and assess voice pace as well as volume and tonality. These enable organisations to ascertain emotions behind words and evaluate the sentiment of every interaction. CallCabinet suggests that these can allow managers to monitor service calls and identify patterns that signal potential mental health issues, such as negative customer interactions, raised voices, and profanity directed at agents.

Because when humans cannot provide solace to those who need it, then maybe AI can?
Ethernet creator Metcalfe: Web3 will have all kinds of 'network effects'

Written by Tiernan Ray, Contributing Writer

Photo caption: “For the first time, I am trying to say exactly what kinds of value are created by networks,” Bob Metcalfe, inventor of Ethernet, told a small group during a soiree on the sidelines of The Knowledge Graph conference. He predicts decentralized knowledge graphs, which marry knowledge graph databases with connectivity, will create new forms of value. (Image: Arnold Safanova)
When Bob Metcalfe was selling Ethernet to the world as a new networking technology in the 1980s at 3Com Corp., he had a clever sales pitch: you’ll get more value out of the product the more of it you buy.

What was a cheeky pitch hid a deeper element of truth: networks are more valuable the more things they connect. Later, Metcalfe refined what he was talking about, formulating what came to be called “Metcalfe’s Law.” The law says that the value of a network increases as the square of the number of entities taking part in it, where entities could be computers, but also humans, as in the case of Facebook. The value is squared because that’s the number of connections that can be formed.

Things that get better in this way, said Metcalfe, have what he has christened “network effects,” a kind of centripetal force where more and more participants induce even more participation, in a virtuous cycle. Facebook shows that: the more people join, the more other people are inclined to join.

Metcalfe is still refining his pitch for his Law and learning at the same time. “There are going to be all kinds of network effects in Web3,” said Metcalfe, during an informal gathering in Williamsburg, Brooklyn, on the sidelines of The Knowledge Graph conference, a conference where enthusiasts of knowledge graphs share technology and techniques and best practices.

“For the first time, I am trying to say exactly what kinds of value are created by networks,” Metcalfe told ZDNet at the Williamsburg event. “What I have learned today is that knowledge graphs can go a lot farther if they are decentralized,” said Metcalfe. “The key is the connectivity.”

Earlier in the day, Metcalfe had given a talk at the KGC main stage, “Network Effects in Web3.” In the talk, Metcalfe explained that “networks are valuable,” in many ways. They offer value as “collecting data,” said Metcalfe, the ability to get data from many participants. There was also sharing value, sharing disk drives, say, or sharing files. Netflix, said Metcalfe, has “distribution value — they distribute content and it’s valuable.”

There will be new forms of value creation, Metcalfe believes, based on startups that combine knowledge graphs with connectivity. The event in Williamsburg was hosted by one such startup, OriginTrail, which was founded in 2013, is officially headquartered in Ljubljana, Slovenia, and has offices in Gibraltar and the US. Metcalfe is an advisor to OriginTrail.

Photo caption: Metcalfe, left, at the KGC conference Tuesday with OriginTrail general manager Juri Skornik, center, and CTO Branimir Rakic. (Image: Arnold Safanova)
OriginTrail is creating what it calls the first “decentralized” knowledge graph, a knowledge graph whose nodes can be networked.

The basic idea is that while “Layer 1” technologies of blockchains authenticate items, the “Layer 2” technology of OriginTrail’s Distributed Knowledge Graph lets you query and interact with things that have been authenticated. Everything that is unique has a “Universal Asset Locator,” or UAL, an analog to Web URLs. The UALs are meant to be compliant with the W3C’s spec for “decentralized identifiers.” The form is just like an HTTP address, preceded by the identifier tag “dkg://”, for distributed knowledge graph, with the address of the particular item following.

Transactions can happen as people “publish” things on the Internet with a unique UAL — through a simple “create” statement — that is then recorded by the decentralized knowledge graph of nodes, currently a couple thousand. Everything that is published is a unique asset, a digital twin, so that it can stand for real-world objects, such as sneakers or whiskey. It can be sold to another party, who “takes control of the state of that graph,” as Rakic explains, by giving the person the NFT that has the UAL.

The nodes each have graph databases that hold pieces of the collective graph, and they each function in a permissionless, peer-to-peer fashion that is analogous to how blockchains function. Similar to blockchains, those who run nodes to verify published things are rewarded by the people who publish the things.

OriginTrail’s knowledge graph relies on multiple Layer 1 blockchains, but the company is soon going to introduce its own blockchain, running as a function of the Polkadot blockchain.

As co-founder and CTO Branimir Rakic explained Wednesday during a technical presentation, “blockchains are not good databases.” Blockchains can be queried, but only in a limited fashion, said Rakic. What’s needed, maintains Rakic, is a “semantic network” on top of blockchains. That’s what the company proposes with its distributed knowledge graph. By combining Tim Berners-Lee’s notion of “The Semantic Web” with Web3, said Rakic, you’ll get “The Semantic Web3.”

“I like where it’s going,” said Metcalfe of OriginTrail’s approach. “All this stuff — DeFi, DAOs, crypto — all the decentralized stuff of Web3, it’s all going in this direction of sharing value,” said Metcalfe.

Metcalfe told the group at the Williamsburg soiree that decentralized knowledge graphs will make possible a kind of eternal springtime for artificial intelligence. “AI was invented in about 1968, when I was a graduate student,” he said. “And for years, AI would rise and then it would fall, and it fell because AI ran out of data,” explained Metcalfe. “AI relies on data.”

“Well, it’s not going to fall, it’s going to continue to rise, because the decentralized knowledge graphs are going to give AI more and more data.”

Metcalfe, who for a decade served as a judge of the startup competition at South by Southwest, was asked by ZDNet how he rates OriginTrail’s chances of success as a company. “The weakness of it is that it’s too complicated to explain” to ordinary mortals, said Metcalfe of the technology. The OriginTrail technology appears a bit like middleware, which is a category that only tends to excite a handful of people. “Yes, and I’m one of them,” said Metcalfe.

Despite the complexity of the tech, “What they are doing is right in line with where things are going.” More importantly, he took on the advisor role because he’s learning from what the company is doing, educating himself on what new forms of value there will be.

The Knowledge Graph Conference is in its fourth year, having begun life as a small affair in a ballroom at Columbia University in 2019. This year, after two years of virtual-only proceedings, the conference has blossomed into a sprawling hybrid event, with dozens of panels as well as live sessions at the Cornell Tech campus on Roosevelt Island in New York City. The program runs through May 6th.

It's World Password Day! Here's the one simple tip you need to keep your accounts secure online

Written by Adrian Kingsley-Hughes, Contributor

It’s May 5, the first Thursday in May, which means that it’s World Password Day. The day was created by security researcher Mark Burnett to raise awareness of the importance of having secure passwords.

Well, how secure are your passwords?

There are a lot of hints and tips and tricks out there for creating and maintaining secure passwords. I’m pretty comfortable with tech and keeping my accounts secure, but I find most of these tips too complicated to follow. It’s better to keep things simple. And I’m going to simplify things for you.

This is the 21st century, and people don’t need to create and remember their passwords. My advice is simple — use a password manager.

What is a password manager? A password manager is an app, usually tied to an online service, that safely and securely stores your passwords. It’s also used to securely distribute these passwords to all your devices, no matter whether you are on a desktop, laptop, tablet, or smartphone.

Good password managers not only store your passwords and securely transfer them to your browser or apps as needed, but they can also help you generate strong passwords, and even search the internet for any of your passwords that might have been leaked. Some password managers also allow you to secure your passwords with high-security features such as hardware authentication, making it almost impossible for hackers to get access to your data, and they can inform you if you try to use duplicate passwords.

So, what are the best password managers? My ZDNet colleague Ed Bott has a list of the best password managers, and it’s a good list. Of the services there, Bitwarden, 1Password, and LastPass are my top choices. They’re fully featured, offer solid security, and encompass a broad range of platforms and operating systems. If you’re looking for a no-cost solution, Bitwarden offers a free option, and even the paid option ($10 per year for a single user, $40 annually for a family of up to six users) is great.

But you might already have a password manager and not know about it. For example, if you use a Mac, iPhone, or iPad, then you can use Apple’s Keychain password manager. The only downside here is that you have to be on an Apple device to access your passwords, but it’s a superb solution for those in the Apple ecosystem. If you use Google Chrome, then there’s a password manager built right into that. The downside here is that it’s quite basic, and you can only access your passwords from the browser. Both of these are great options, but they have their limitations.

So, my advice for World Password Day is that you make sure to use a password manager, not only to store your passwords but also to generate secure passwords when needed. And secure your password manager with a good, unique password.

Also, a bonus tip — if your password manager tells you that you’re using duplicate passwords on different websites, or that one of your passwords has been leaked in a company data breach, then pay attention to this and take the actions that your password manager recommends, because using duplicate passwords or passwords that have leaked into the wild is a surefire way to get your online accounts compromised.

Inexpensive Wi-Fi 6: Motorola MH7603 mesh router for the win

A friend of mine recently told me that while he appreciated that I could actually use the incredible speed of the Netgear Orbi Wi-Fi 6E, he could never justify buying it. I get that. The top-end Orbi (see my review) is for people who must have the fastest possible Wi-Fi. For everyone else, there’s the much more affordable Motorola MH7603 mesh router.

The three-unit MH7603 mesh router uses Wi-Fi 6, aka 802.11ax, to deliver 692 Mbps speeds in the same room. At a range of 10 yards and through a wall, it delivered an honest 287 Mbps. Jaw-dropping? No. Pretty darn good? You bet.

Like: price, speed, range

Don’t like: no WPA3 security; not enough administration control for small business use

To test it, I used Ixia’s IxChariot networking benchmark and my Galaxy S21 Ultra smartphone. This was backed up by my 1 Gigabit Charter cable internet connection. Now, in theory, this dual-band 2.4 and 5GHz AX1800 system can reach speeds of up to 574Mbps on 2.4GHz and up to 1,200Mbps on 5GHz. In practice, no one ever reaches those speeds on any Wi-Fi hardware. It supports most Wi-Fi 6 technologies, hence its speed. However, it doesn’t have WPA3 encryption or 160MHz channel support. For home users that’s not a big problem.

The mesh network also has good range and penetration. That’s a must for me. I have both a historic home, with 3,000 square feet and the thick walls that come with an early-1900s house, and a modern 1,000 square foot office. The MH7603 can cover up to 5,000 square feet. The main router can cover 2,000 square feet, while each mesh node can handle 1,500 square feet. It took some positioning, but the Motorola unit was able to cover both buildings when I was done. If you don’t need that kind of coverage, you can buy a single router node for $129.99.

Underneath the hood, there’s a 1.5GHz quad-core ARM CPU, 256MB of DDR3 RAM, and 128MB of flash memory. Each unit also has a pair of internal antennas.

Now, the MH7603 isn’t going to win any design awards from Jony Ive. They’re three identical white boxes, standing 2.6 inches tall and 5 inches wide. Within are two internal antennas. On the top, there’s a Motorola “M” logo. To indicate what’s going on in the box is a single small LED indicator on the front. When all’s well it shows a solid white light. When there’s a poor connection, it shows amber. If you see a slowly blinking blue indicator, it’s in setup mode. Rapid blue blinks? The unit’s upgrading its firmware. But, while it may not be pretty, it works well, and when it comes to Wi-Fi units that’s all I want.

The units come with two gigabit Ethernet ports. You can use both ports as LAN ports, or you can use one for gigabit Ethernet backhaul. Personally, I always use cable for my backhaul whenever possible. Wi-Fi is getting faster, but you still can’t beat cable for sheer speed and low latency.

Unlike higher-end mesh Wi-Fi gear, the MH7603 doesn’t have either a web management user interface or a command-line interface. Instead, you must use an Android or iOS motosync mobile app. It’s a very simple app. It starts with a Network screen that shows icons for each node and their connected devices. Tapping the icons enables you to see which devices are connected, their signal strength, and bandwidth usage. You can also reboot units and run a speed test. It’s as simple a network interface as you’ll ever see.

On it, you’ll also find, as you scroll down, panels for Security, Full Home Filter, Connection, and Top Data Use. Again, they’re all very simple. The Security panel tells you if your network is secure, while the Full Home Filter panel blocks adult and malicious websites for all or some users. It also comes with adblocking. Now, for me, a former NASA network administrator, that’s nothing like enough control. But this mesh network isn’t for me or anyone running even a basic business network. It’s for someone who needs a good, reliable home Wi-Fi network, and for those people, it does just fine.

Setting it up is also mindlessly easy. You plug them in, create an account, and click “Set Up a New Device” on the Get Started screen. That’s pretty much it. You just follow the instructions. The most “technical” thing you’ll need to do is scan the QR code on the node’s base.

Conclusions

The best news? For this easy-to-use, solid, fast Wi-Fi mesh, the MH7603 will cost you $238.97. You aren’t going to find its equal for cheaper.

FBI: Email fraud keeps getting worse. Here's how to protect yourself

The FBI has warned that business email compromise (BEC) fraud has cost businesses around the world $43 billion in losses in the period between June 2016 and December 2021. The FBI’s Internet Crime Center (IC3) has logged a whopping 241,206 complaints in the four-and-a-half-year period with losses totaling $43 billion, according to a new public service announcement.

BEC fraud was the biggest category of cybercrime by financial losses in 2021, according to IC3. BEC cost businesses $2.4 billion in 2021, up from $1.8 billion in 2020.

US losses recorded by the FBI are much larger than losses reported by victims in non-US jurisdictions. Between October 2013 and December 2021, 116,401 victims reported total losses of $14.8 billion. In that period, 5,260 non-US victims reported losses of $1.27 billion.

BEC is a global problem. The scam has been reported in all 50 US states and by victims in 177 countries. Meanwhile, over 140 countries have received fraudulent transfers, according to IC3; however, banks located in Thailand and Hong Kong were the primary destination for the funds, followed by China, Mexico and Singapore.

BEC scams are considered a sophisticated ruse that targets businesses and individuals who are duped into transferring funds to the scammer’s account under the belief they are performing a legitimate transaction.

The FBI believes the pandemic and the shift to everything online spurred a 65% growth in BEC fraud losses between July 2019 and December 2021. “Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” IC3 notes. “This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.”

It also reports an uptick in complaints involving cryptocurrency transfers. Cryptocurrency had a market cap of $3 trillion in November, up from just $14 billion five years ago, the US Secretary of the Treasury recently noted.

The two main forms of BEC involving cryptocurrency are direct transfers, just like traditional BEC fraud, and a “second hop”, usually to a cryptocurrency exchange. In both situations, the victim is unaware that the funds are being sent to be converted to a cryptocurrency, says IC3. Second hop transfers often involve tricking the victim into providing identity documents such as a driver’s license or passport, which the attacker uses to open cryptocurrency wallets in the victim’s name. In 2020, IC3 received reports of $10 million in losses from victims involving cryptocurrency. By 2021, the value of cryptocurrency-related losses ballooned to $40 million.

FBI advice for protecting yourself includes:

• Use two-factor authentication to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business or individual it claims to be from.
• Be alert to fake hyperlinks that may contain misspellings of the actual domain name.
• Avoid supplying login credentials or personal information via email.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
• Ensure the settings in employees’ computers allow full email extensions to be viewed.
• Monitor your personal financial accounts on a regular basis for irregularities.

White House: Quantum computers could crack encryption, so here's what we need to do

The White House has announced a set of proposals for keeping the US ahead in the global quantum computing race while mitigating the risk posed by quantum computers that can break public-key cryptography.

Quantum computers powerful enough to break public-key encryption are still years away, but when they arrive they could be a major threat to national security, financial and private data. Some projects, such as OpenSSH, have already implemented mitigations against an attacker who steals encrypted data today in the hope of decrypting it once such a computer exists, but so far there are no official US standards for quantum-resistant cryptography.

The Biden administration’s memorandum outlines its desire for the US to maintain its leadership in quantum information science (QIS), as well as a rough timeline and responsibilities for federal agencies to migrate most of the US’s cryptographic systems to quantum-resistant cryptography.

There’s no hard deadline for the post-quantum cryptographic migration, but the White House wants the US to migrate its cryptographic systems to ones that are resistant to a cryptanalytically relevant quantum computer (CRQC), with the aim of “mitigating as much of the quantum risk as is feasible” by 2035.

“Any digital system that uses existing public standards for public-key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC,” the White House states.

The migration will affect all sectors of the US economy, including government, critical infrastructure, businesses, cloud providers, and essentially anywhere today’s public-key cryptography is used. The memorandum says protection mechanisms may include counter-intelligence and “well-targeted export controls”.

The quantum-cryptography memorandum follows the NATO Cyber Security Centre’s recent test run of secure communication flows that could withstand attackers using quantum computing. The renewed urgency comes as China makes headway in quantum computing. Scientists in China last year tested two quantum computers on tasks they claimed were more challenging than those Google put its 54-qubit Sycamore quantum computer through in 2019, when it claimed to have achieved “quantum supremacy”. IBM researchers contested Google’s claim.

In October, US intelligence officials singled out quantum computing as one of five key technologies at risk from foreign threats such as China and Russia. The others were artificial intelligence, biotechnology, semiconductors and autonomous systems.

“Whoever wins the race for quantum computing supremacy could potentially compromise the communications of others,” the US National Counterintelligence and Security Center warned in a white paper, noting that China wants to achieve leadership in these fields by 2030. “Without effective mitigation, the impact of adversarial use of a quantum computer could be devastating to national security systems and the nation, especially in cases where such information needs to be protected for many decades.”

Despite lacking a hard deadline for the migration, the memorandum does outline roles, reporting requirements and key dates for the relevant federal agencies.

The directors of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) are developing standards for quantum-resistant cryptography. The first set of these standards is slated for public release by 2024.

Within the next 90 days, the Secretary of Commerce will work with NIST to establish a working group involving industry, critical infrastructure and others on how to progress the adoption of quantum-resistant cryptography. And within a year, the heads of all Federal Civilian Executive Branch (FCEB) agencies — all agencies except Defence and intelligence — will deliver a list of CRQC-vulnerable IT systems to CISA and the National Cyber Director.

The inventory will include the cryptographic methods used on IT systems, including sysadmin protocols, as well as non-security software and firmware that require upgraded digital signatures.

FCEB agencies have been instructed not to purchase any quantum-resistant cryptography systems until NIST releases its first set of standards for the technology and those standards have been implemented in commercial products. However, these agencies are encouraged to test commercial products in this category.
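As an added example (not code from the article, the White House memorandum or OpenSSH), the following Python script classifies the algorithms in a constructed SSH/TLS inventory by CRQC exposure, separating systems whose recorded traffic is exposed to later decryption from those that only need upgraded signatures once a CRQC exists; the host names and records are invented.

```python
# Added example (not from the article or the memorandum): classify observed
# key-exchange/signature algorithms by CRQC risk. Inventory records are constructed.

# Classical public-key primitives that a CRQC running Shor's algorithm breaks.
QUANTUM_VULNERABLE = ("rsa", "dsa", "ecdh", "diffie-hellman", "curve25519", "x25519", "ed25519")
# Post-quantum component of OpenSSH's hybrid KEX (Streamlined NTRU Prime 761).
POST_QUANTUM = ("sntrup761",)

def classify(algorithm):
    """Return 'pq-hybrid', 'pq', 'vulnerable' or 'symmetric-only' for one name."""
    name = algorithm.lower()
    pq = any(p in name for p in POST_QUANTUM)
    classical = any(c in name for c in QUANTUM_VULNERABLE)
    if pq and classical:
        return "pq-hybrid"      # e.g. sntrup761x25519-sha512@openssh.com
    if pq:
        return "pq"
    if classical:
        return "vulnerable"     # classical public-key algorithm only
    return "symmetric-only"     # ciphers/MACs: Shor's algorithm does not apply

def inventory_report(records):
    """records: iterable of (system, protocol, role, algorithm) tuples.
    Returns one dict per record with its CRQC status and two flags."""
    report = []
    for system, protocol, role, algorithm in records:
        status = classify(algorithm)
        report.append({
            "system": system, "protocol": protocol, "role": role,
            "algorithm": algorithm, "status": status,
            "needs_migration": status == "vulnerable",
            # Only a classical key exchange lets traffic recorded today be
            # decrypted later; a classical signature matters once a CRQC exists.
            "harvest_now_risk": status == "vulnerable" and role == "kex",
        })
    return report

def systems_where(records, flag):
    """Distinct systems with at least one record carrying the given flag."""
    return sorted({r["system"] for r in inventory_report(records) if r[flag]})

# Constructed sample inventory, as `sshd -T` or a TLS scan might report it.
SAMPLE = [
    ("bastion-01", "ssh", "kex", "sntrup761x25519-sha512@openssh.com"),
    ("bastion-01", "ssh", "hostkey", "ssh-ed25519"),
    ("legacy-db-02", "ssh", "kex", "diffie-hellman-group14-sha256"),
    ("legacy-db-02", "ssh", "hostkey", "rsa-sha2-512"),
    ("web-03", "tls", "kex", "x25519"),
    ("web-03", "tls", "cipher", "aes256-gcm"),
]
```

Calling `systems_where(SAMPLE, "needs_migration")` yields every host, since even the hybrid-KEX bastion still authenticates with a classical Ed25519 host key, while `systems_where(SAMPLE, "harvest_now_risk")` narrows the list to the hosts whose key exchange is purely classical.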
