Eliana Willis

Telstra’s biggest cyber concern is organisations that use “Microsoft-style” environments when it comes to preventing cyber threats.”The place that concerns us most as an organisation … don’t read anything into the fact I’m going to mention the word Microsoft, they’re probably a Microsoft-only environment. They don’t have ERPs, CRMs, they are basically a Microsoft-style environment,” said Telstra Enterprise group executive David Burns, who gave a keynote to the Trans Tasman Business Circle.  “How do we build [cyber resilience] into the tools of systems and networks that we provide … because I think we could all do the basics, and we should all do the basics but [cyber attackers] are very sophisticated players.” He provided an example of how one of Telstra’s business partners, which he said used a “Microsoft-style” environment, suffered a cyber attack which then put the telco’s customers at risk. “We are all very vulnerable and you and your organisation are as vulnerable as your weakest link. And that’s how we need to think about it. It is not the role of an IT organisation to protect us. It is each and every one of our roles to work out how to protect us,” Burns said.He added that government agencies also needed to figure out how to improve their cyber resilience in an increasingly broadening cyberthreat landscape. At the start of this month, New South Wales auditor-general Margaret Crawford revealed all of the state’s lead cluster agencies have failed to implement all Essential Eight controls. The cybersecurity policy for New South Wales government agencies was not sufficiently robust which is a cause for “significant concern”, Crawford said.

To address these cybersecurity concerns, Telstra currently provides cybersecurity services to enterprise customers and is involved in the government’s Cleaner Pipes Program. Burns, however, conceded this work would not be a big revenue driver. “We will ask people to help us pay for that, but it’s not exactly going to be as the greatest revenue earner for us,” he said. “It’s about protecting our environments because I think we all think of the cyber world, certainly amongst our customers, [as] not a differentiator. We want all boats to rise in a tide here. You don’t want to win by someone else being cyber attacked.” Telstra’s concern isn’t unique. The federal government in March called for organisations to counter ransomware through using multifactor authentication and urging businesses to keep software up to date, archiving data and back-ups, building in security features to systems, and training employees on good cyber hygiene. “All businesses have valuable data and systems they need to protect. It is vital that they establish strong foundational controls and practice good cybersecurity hygiene practices,” the federal government said at the time. Related Coverage More

The Telecommunications Industry Ombudsman (TIO) has called for telcos to have a 24-hour hotline, or at a minimum extend current hotline hours, to allow consumers to report cases of fraud, especially involving SIM swapping. In its report on systemic investigations into fraud enabled through phone and internet accounts, the TIO pointed out that fraudsters have exploited slow responses from telcos to create security breaches. This included a customer being kept on hold when trying to report fraud, failure of customers being able to contact telcos outside of business hours, staff not blocking fraudulent activity, staff not knowing how to deal with fraud, and attackers maintaining access to accounts after telcos were notified.Typically, attackers were interested in ordering handsets and additional services once they controlled an account, or using control of a SIM to access other information including bank and government accounts. “This can expose affected customers to considering financial and non-financial loss,” the TIO said. “Where a breach of privacy has occurred, providers may have to pay significant amounts of compensation to settle a consumer’s complaint — a cost that could have been avoided had the provider acted more quickly.” Other issues highlighted by the report included fraudsters getting access to accounts because telcos did not conduct proper identity checks, with one telco agreeing to use a government database for verification during the investigation, or incorrect advice being given to consumers about how to secure accounts.”One provider gave consumers the option of using robust multi-factor authentication, such as one-time passwords or an authenticator app,” the report said.

“However, this provider also offered other security measures which were not supported by its systems, such as passwords and PINs. This meant staff did not always ask for the password or PIN when someone wanted to access the account. “A consumer may believe their account is secure when it is not.” The Communications Alliance said combating fraud was a challenge to all parties. “Telcos are continually improving their practices to keep up with the ever-changing tactics of fraudsters,” CEO John Stanton said. “It is important that we do not become complacent and remind our customers to protect their personal information, offline as much as online.” In its most recent Complaints in Context report released a fortnight ago, the Comms Alliance said TIO complaints per 10,000 services in operation continued to trend down, being reported at 4.8 for the July to September quarter. Many telcos recorded the lowest complaint level since the report adopted its current format in 2019. Related Coverage More

Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services or devices. The complaint also provides new information on how NSO Group infected victims’ Apple devices with its Pegasus spyware. “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple SVP of Software Engineering, said in a statement. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”Apple’s complaint says NSO Group delivered its FORCEDENTRY exploit to Apple devices by creating Apple IDs that sent malicious data to a victim’s device. This enabled the installation of Pegasus spyware without a victim’s knowledge. Researchers with Citizen Lab discovered the zero-day, zero-click exploit in September, and  Apple released an urgent security update for Mac, iPhone, iPad and Watch users to patch the vulnerability. Apple says in its complaint that Apple servers were misused to deliver FORCEDENTRY but were not hacked or compromised in the attacks. The company also said it is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Apple also said it is contributing $10 million, as well as any damages from the lawsuit, to organizations like the Citizen Lab and Amnesty Tech to further cybersurveillance research and advocacy. More

Several customers of DBS Bank have not been able to log into or access the Singapore bank’s online and mobile services since Tuesday morning. The service disruption remains unresolved, with few details from DBS on what it is doing behind the scenes to address the issue.Instead, the bank posted the same message Tuesday afternoon on its Twitter and Facebook profiles as well as website: “Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. We apologise for the inconvenience caused during this time, and please try again later.”Its customers took issue with the statement, with several saying there was nothing “intermittent” or “slow” about the disruption when they were not able to access their account at all. Others noted the service outage began as early as 8.30 in the morning and had continued into the night. At the time this article was published, the issue remained unresolved. “There is no ‘intermittent’ slowness. The whole banking service is down. Now it keeps giving ‘expired’ session msg when I clearly have responded quickly to the authentication. This is ridiculous. it’s been down for hours,” one customer posted on the bank’s Facebook page. Another noted that while they were able to log into their account, the balance on their account was inaccurate. They added that a service agent handling DBS’ customer hotline attributed the source to the bank’s app, which was “having problem”. According to DBS’ website, a scheduled maintenance was carried out on its mobile platform early this morning, between 1am and 4am, during which “login and access to digital services may be intermittently unavailable”. 

ZDNet asked the bank if this had caused the service outage and whether there was a cybersecurity incident. ZDNet also asked if its IT team was checking external systems, such as those operated by the bank’s third-party suppliers. A DBS spokesperson did not address any of the questions, pointing instead to a statement the bank issued later in the evening. “Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. Customers who need to make fund transfers can do so via our DBS PayLah app. We apologise for the inconvenience caused, and seek your patience during this time. We will provide an update once services are fully restored.”This statement was later updated at around 10pm, with DBS saying it would be suspending some of its services as part of efforts to resolve the issue.”Many of our customers have been unable to access our digital banking services today. The inability to access an essential service over such an extended period of time is unacceptable and we deeply regret the inconvenience caused. We are doing our best to resolve the situation and as part of our recovery efforts, we will take some services temporarily offline. This means that DBS PayLah, digibank, and 3D e-comm transactions will be unavailable today, from 10pm to 11pm (SGT). We apologise for the inconvenience caused and will update once services are restored.”Singapore last December issued four digital bank licences to Alibaba’s Ant Group, joint bidders Singtel and Grab, and internet services company Sea. They are expected to begin operations from early-2022. The consortium comprising Grab and Singtel as well as Sea were issued digital full bank licences. Ant and another consortium comprising Greenland Financial Holdings, Linklogis Hong Kong, and Beijing Co-operative Equity Investment Fund Management were awarded digital wholesale bank licences. DBS then had issued a brief statement welcoming its new competitors. Noting that digital banking was “already a reality”, it said its “strong capital position” and physical capabilities would serve well alongside its digital offerings to differentiate the bank’s services in the market.RELATED COVERAGE More

As COVID-19 spread, many American millennials finally began their estate planning. Yet, many of them do not have the correct digital information if their parents pass on, according to new research from Toronto — Canada-based security and privacy company 1Password.

In partnership with digital estate planning companies Trust & Will and Willful, it surveyed 1,000 American millennials aged 25-40 years old for its Great Wake up Call Report. It wanted to discover how this generation favours securing important documents and passwords and storing and transferring digital assets before and after death.  Over two in three (68%) of millennials do not have a will, and under two in five (38%) of millennials have provided clear guidance on how they’d like their digital accounts managed after they die. The report shows that although almost three in four (72%) of American millennials had wills that were created or updated in the past year, only 3% of those wills included online passwords. Traditional ways of securing important documents still dominate our behaviour. More than four in five (81%) of millennials say they keep important paperwork, like their birth certificate, in a physical location such as a filing cabinet, safe, or safety deposit box. For online security, over half (51%) of respondents say that they store their passwords by memory, and 25% store their passwords on a piece of paper. 20% of respondents use a password manager.

Over half (57%) of American millennials believe giving their executor access to their social media accounts is more important than access to their email, subscriptions, or shopping accounts such as Amazon or Target. However, sharing credentials to banking/financial accounts still tops the list of priorities (67%). Millennials still have to have difficult conversations with their parents. Over half (52%) of respondents admitted to never talking to their parents about a digital handover or cannot remember the conversation. Six in 10 (63%) of respondents who have executed wills said it was harder than expected to access accounts of the deceased. Although over half (51%) will be responsible for executing their parent’s wills, only one in three (36%) of respondents know or have access to their parents’ passwords for their online accounts. When asked how they have shared passwords, two in five (41%) said via a written list, followed by 39% verbally and 25% digitally via email, cloud Google Docs, PDF, or a similar platform. The irony is sharing passwords is increasingly critical to granting loved ones access to your digital legacy when you die. Jeff Shiner, CEO of 1Password, said: “Millennials especially are facing the brunt of these shifting pressures, as they’re balancing responsibilities for their own growing families while also caring for ageing parents. Transition plans have long been a taboo topic, but it’s time to destigmatize these discussions and ensure our digital lives are in order, so the responsibility doesn’t fall on others.” The COCID-19 pandemic has made us think more deeply about our mortality, but how can we make sure that we ensure a smooth handover of our estate — especially those digital platforms where we spend more and more of our time. According to the report, descendants of those millennials surveyed would lose access to an estimated average of $22,500 due to mismanaged wills. Creating a way to manage that digital handover means that those authorized to act on your behalf when you die can make sure that your wishes are carried out in full. More

ZDNet Recommends

Best 5G phone 2021

5G is now standard on US networks, with the expectation that every flagship includes support for 5G.

Read More

There is great debate in the industry as to whether iOS or Android provides the most secure mobile device. In all my conversations with security pros, most, if not all, believe Apple’s iOS to be inherently more secure than the Google-built Android. This recent article spells out a number of strengths iOS has over Android in the area of privacy, such as Apple’s new feature in which users can stop apps from tracking them. In the article, the author states: “When it comes to privacy, Google and Apple are almost on extreme opposite ends.” However, a new study begs to differ; a report from research firm Omdia caught my attention. The key finding is that the Google Pixel 6 running Android 12 is significantly more secure than the
Apple iPhone 12 Pro

 running iOS 15. There are comparisons to two other Android-based phones: the
Samsung Galaxy S21 Ultra

 and the 
Xiaomi Mi 11 5G

. The report scored each vendor on nine different factors and weighted them in order of importance.
The Google Pixel 6

 achieved a perfect score of 5.4, while Apple was fourth at 4.03. The weighting turned out to be irrelevant because of the Pixel 6’s perfect score.Since I had always believed Apple to have better security by a wide margin, I thought it was worth diving into this report and understanding the criteria. One interesting point is that I had always looked at iOS versus Android software; this report did its analysis at the device level, meaning a mix of hardware and software. See also: Pixel 6 hardware is buggy garbage and Google’s tech support is worse |  Goodbye Google Pixel 6 Pro: 9 reasons it’s not the phone for me | Google Pixel 6 review After reading through the report, I found several questionable points that I felt were worth raising. They are: SponsorshipThe most questionable fact about the report is that Google, the manufacturer of the Pixel phones, was the sponsor of a report in which it gained a perfect score. It’s essentially saying the Google Pixel 6 is a perfect device with respect to security, and that’s just not true because any device can be breached. Google has been issuing security patches for the phone, indicating there were at least a few issues. Not all sponsored research is bad, but it makes one wonder when coupled with a perfect ranking. Methodology

The weighting of the security criteria is done by asking consumers to rank the importance of the nine features. While the report does not explicitly say this, I believe the 1,520 respondents were asked to pick their top three because the total percentage adds up to 300%. In my opinion, this is a questionable way to do it because the average end-user is not a security expert. This would be akin to asking a person on the street what safety features are most important in an airplane. I fly a lot, but I have no idea of the relative importance of each feature. The survey should have used a panel of security professionals. Scoring This was also flawed as the scoring in each section was derived from counting the number of features versus meeting the objective of the category. A good way to think about this is that it counted “tick boxes” versus how well those worked. It’s certainly not the most effective way to score, and I’ll elaborate below. Identity protection: This was the top-ranked feature by users, but the methodology was completely botched. Google scored highest because it had the most identity options, which makes sense because it’s tied to one’s Gmail account. Users can choose between one-time passwords, FIDO, push notifications, and others, where Apple only has two-factor, so Google got the highest score. What’s not told here is that Apple iCloud is the largest and one of the most — if not the most — successful deployment of two-factor security in the industry. With identity, more isn’t always better. Apple also does some interesting things when users have multiple devices; for example, it will inform you if you’re logging into your Mac in San Jose while your phone has just been authenticated in Russia.Security updates: The report takes a curious approach to security updates. One of the criteria is how long the vendor commits to providing security updates. It gives Google Pixel 6 a perfect score as it commits to what it calls “a solid five years’ security update period,” which is the longest of all vendors tested. It grades Apple more harshly because it does not document how long the support period is but then states, “Apple devices tend to receive five to six years of support.” It also rewards Google for enabling upgrades via the Google Play store and refers to Apple’s methodology as “monolithic” but doesn’t define what that means. The fact is Apple does have a proven track record of providing updates to over a billion devices in less than a week when it is required to do so and isn’t that the most important thing? Anti-malware: The fact that Apple has a lower score here than the three Android phones actually made me laugh. The report states: “While Samsung, Google, and Xiaomi have anti-malware solutions built into their devices to protect and detect malicious software, Apple is lacking here.” Apple does not have on-device anti-malware because it offers App Store and ecosystem protection, whereas Google does not. Also, to many users’ chagrin, Apple does not allow for apps to be side-loaded, so there can be no “back-door” malware. This report from Panda Security stated that Android devices are responsible for 47% of all observed malware compared to less than 1% for iPhones. This becomes a vicious circle; threat actors will often target Android first because breaches are easier, adding to the Android problem.  Lost devices: The report gives both Apple and Google Pixel top marks for having a web-based tool and mobile app to locate, trigger, lock, and wipe the device if it’s lost or stolen. What’s omitted is that iPhone supports the finding of offline (and even powered-off) devices, whereas Pixel must be powered on and connected to Wi-Fi or cellular. Physical access control: Here is another area where Apple and Google Pixel 6 each received full marks, but they would not have been ranked that highly if effectiveness was looked at instead of simply having the feature. The iPhone 13 face ID has a 1:1 million false acceptance rate (FAR), while Pixel 6 has a 1:50,000 FAR. Also, there have been many reports of the Pixel 6 having a slow fingerprint scanner. Also: Go Google free: We pick privacy-friendly alternatives to every Google serviceI can make similar arguments for secure backups, hardware security, and network security where Apple is as good or better than Google Pixel 6. The one section I did feel was accurate was anti-phishing, although the write-up was somewhat misleading. Safari uses Google safe browsing, but the report fails to mention that. The Pixel 6 does have an on-device anti-phishing warning system, which the iPhone does not have. Oddly enough, the one area where Google does have a clear win over Apple is ranked very low on the importance scale. 
The net result is that, after reading the report, I would have ranked Apple as good or better than Google Pixel 6 if effectiveness was used instead of counting sub-features. In this case, Apple is being penalized for having solid features. This is akin to ranking a car safer because it has a parachute to stop it when it has brakes that are known to fail versus one that has brakes that never fail. More