Eliana Willis

Photo by Daniel Romero on Unsplash
One of the things most interesting about the Android OS is the wide variety of devices it’s available in. Sure, there are Android phones and tablets. But Android also functions inside most recent Chromebooks and now — improbably, but in a fully supported way — Windows 11 devices, even Intel-based Windows 11 computers. That diversity of deployment makes the Android implementations of VPN clients particularly interesting. If, for example, you want to run a VPN on your Chromebook, your best bet is to install an Android VPN client and let that client do all the heavy lifting. We discussed that in-depth in our Best VPN for Chrome and Chromebooks 2021 guide. Unfortunately, the more open environment of Android means that there are many different implementations, versions aren’t regularly updated, and as this interesting piece by the NordVPN folks shows, malware is more prevalent. That makes inherent malware scanning within the VPN client particularly helpful. In this overview, we look at four of the most popular Android VPNs. Here’s what we think:

4.3 Google Play Store average, 446K ratings

Family Sharing: YesMalware Scanner: YesSimultaneous Connections: 6Kill Switch: YesPlatforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, FirefoxLogging: None, except billing dataCountries: 59Servers: 5517Trial/MBG: 30 dayAlso: How does NordVPN work? Plus how to set it up and use itNordVPN is one of the most popular consumer VPNs out there. Last year, Nord announced that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has taken substantial efforts to remedy the breach.Also: My in-depth review of NordVPNIn our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.Also: My interview with NordVPN management on how they run their servicePerformance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

4.3 Google Play Store average, 220K ratings

Family Sharing: YesMalware Scanner: NoSimultaneous Connections: 5 or unlimited with the router appKill Switch: YesPlatforms: A whole lot (see the full list here)Logging: No browsing logs, some connection logsCountries: 94Locations: 160Trial/MBG: 30 daysExpressVPN has been burning up the headlines with some pretty rough news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is read our in-depth analysis:ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.Must read:With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.Exclusive offer: Get 3 extra months free.

4.2 Google Play Store average, 15K ratings

Family Sharing: YesMalware Scanner: NoSimultaneous Connections: UnlimitedKill Switch: YesPlatforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and KodiLogging: None, except billing dataServers: 1,500 Locations: 75Trial/MBG: 30 dayIPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.Also: My in-depth review of IPVanishIts UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

4.0 Google Play Store average, 36K ratings

Family Sharing: YesMalware Scanner: YesSimultaneous Connections: UnlimitedKill Switch: YesPlatforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, ChromeLogging: None, except billing dataTrial/MBG: 30 dayAt two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.Must read:Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

Will these apps work on all Android devices?

Probably not. Unfortunately, many Android-based devices are not updated to the latest Android releases and have no update path. Sadly, some vendors even ship brand-new devices running older (and far more vulnerable) versions of Android. Generally, VPN vendors make sure their clients run on the most recent and a few previous versions of Android, but since there are still a tremendous number of devices in service running very out-of-date Android, it’s unlikely those will be able to run these apps. That’s why it’s good to take advantage of the money-back offerings and test your download shortly after purchase.

What’s the difference between anti-malware software and VPN software?

While both technologies are intended to protect you and your device, they protect different aspects of your usage. VPNs fundamentally protect data-in-motion, that is the data being sent to and from the internet. The protection they generally offer is encryption, so hackers can spy on the data while it moves. Anti-malware software protects against execution of bad software on your device. Those apps often scan inside the data as it comes into your machine, look at the apps on your machine, and intercept the actions of apps while they’re running on your machine.As an analogy, think of VPN software as an armored car moving a payload from one location to another in safety. Think of anti-malware as building inspectors constantly looking at your building’s infrastructure to see if there’s any, say, mold and as gatekeepers, checking everything that passes through to make sure it’s not harmful.

Why do I even need a VPN on my phone?

This question is often asked by people who know their phone’s data runs through their local carrier, which is moderately hard for hackers to intercept. And, generally, if you’re using your carrier’s LTE or 5G connection, you’re reasonably safe. But carriers have data caps and data carriage fees that can get expensive. Even if you have an unlimited data plan, carriers charge for hotspot use (ask me how I know, or how much that pisses me off). The way around that is to use whatever local Wi-Fi is available. Many coffee shops, airport lounges, hotels, and schools offer free Wi-Fi access. Unfortunately, that Wi-Fi is often open and easy to intercept. A big (and very important) use of VPNs on phones is to protect your data when you’re accessing the internet through one of these hotspots. In fact, I’d go so far as to say never, ever access the internet through a Wi-Fi hotspot without an active VPN on your device.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV. More

An international scam ring is targeting dating app users in a romance scam to not only deprive victims of their cryptocurrency but also the control of their handsets. 

On Wednesday, Sophos cybersecurity researchers named the gang “CryptoRom” and said they have recently expanded their operations from Asia, spreading to both the United States and Europe.  Romance scams are an insidious and constant problem, and thanks to the rising popularity of dating apps, are now not only limited to phishing emails. Instead, fraudsters will ‘match’ with their victims, pretend interest until they build a foundation of trust, and then they will ask for money — only to vanish soon after. In recent years, romance scams have become more sophisticated, with some cybercriminals offering their victims ‘exclusivity’ in trading deals or in cryptocurrency investments, using the lure of easy profit as well as potential love matches.  Interpol warned of an uptick in investment-based romance fraud taking place across dating apps in January this year.  The CryptoRom scam artists target iPhone users of dating apps including Tinder and Bumble. One tactic used is to lure victims into downloading a fake cryptocurrency trading app that gives the operators remote control over the handset.  The researchers say this has been made possible by abusing Apple’s Enterprise Signature platform, used by software developers to test out iOS apps ahead of submission to the App Store. 

Victims are asked to purchase cryptocurrency through Binance and then transfer the funds to a wallet via the fake trading app. Matches are pointed to fraudulent websites that mimic the look and feel of the legitimate App Store — likely in the hope they won’t look at the address bar too closely and they will install a malicious app.  “At first, the returns look very good but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost,” explained Jagadeesh Chandraiah, Senior threat researcher at Sophos. “Our research shows that the attackers are making millions of dollars with this scam.”
Sophos
Unfortunately, it seems the group is competent, as a wallet controlled by them contains close to $1.4 million in cryptocurrency, thought to have been stolen from victims who fell for their tactics and who invested their cash into crypto. However, there could easily be more than one wallet in use.  As Enterprise Signature allows developers to test out app functionality, the fake apps are also able to perform other functions such as data theft, account compromise, as well as potentially download and execute other payloads.  Sophos reached out to Apple with its findings but at the time of writing has not received a response.  “To avoid falling victim to these types of scams, iPhone users should only install apps from Apple’s App Store,” Chandraiah cautioned. “The golden rule is that if something seems risky or too good to be true — such as someone you barely know telling you about some ‘great’ online investment scheme that will deliver a big profit  — then sadly, it probably is.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Sophos has released a new report this week about a dating app scam that led to the theft of millions of dollars from people on Tinder, Bumble, Grindr, Facebook Dating and similar apps.After gaining their trust on these dating apps, scammers convinced victims to download fake crypto apps, where they duped them into investing money before freezing the accounts. The scammers were somehow able to easily game Apple’s Developer Enterprise program — and the Apple Enterprise/Corporate Signature — to distribute these fraudulent crypto apps, which were masquerading as Binance and other legitimate brands. Sophos said its threat hunters observed the scammers abusing Apple’s Enterprise Signature to manage victims’ devices remotely.Apple did not respond to requests for comment. Sophos also contacted Apple about the issue and did not get a response. 
Sophos
Named “CryptoRom,” according to Sophos researchers Jagadeesh Chandraiah and Xinran Wu, the scam has led to at least $1.4 million being stolen from victims in the US and EU. In their report, the two say that the attackers moved beyond going after victims in Asia and instead are now targeting people in Europe and the US. Sophos researchers even managed to find a Bitcoin wallet that was being controlled by the attackers thanks to one victim, who shared the address he initially sent the money to before being shut out. Chandraiah said the CryptoRom scam relies heavily on social engineering at almost every stage. Victims came to Sophos to discuss the scam and the researchers found other reports of people being taken advantage of. 

“First, the attackers post convincing fake profiles on legitimate dating sites. Once they’ve made contact with a target, the attackers suggest continuing the conversation on a messaging platform,” Chandraiah said. “They then try to persuade the target to install and invest in a fake cryptocurrency trading app. At first, the returns look very good but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost. Our research shows that the attackers are making millions of dollars with this scam.”Victims are initially contacted on apps like Bumble, Tinder, Facebook dating and Grindr before the conversation is moved to other messaging apps. From there, the conversation is steered toward getting victims to install fake trading applications onto their devices. Once a victim is drawn in, they are asked to invest a small amount before being locked out of accounts if they demand their money back. 

see also

Best VPN services

Virtual private networks are essential to staying safe online — especially for remote workers and businesses. Here are your top choices in VPN service providers and how to get set up fast.

Read More

The attack is two-pronged, giving cybercriminals the ability to steal money from victims and gian access to their iPhones. According to Wu and Chandraiah, the attackers are able to use “Enterprise Signature” — a system built for software developers that assists enterprises with pre-test new iOS applications with selected iPhone users before they submit them to the official Apple App Store for review and approval. “With the functionality of the Enterprise Signature system, attackers can target larger groups of iPhone users with their fake crypto-trading apps and gain remote management control over their devices. This means the attackers could potentially do more than just steal cryptocurrency investments from victims. They could also, for instance, collect personal data, add and remove accounts, and install and manage apps for other malicious purposes,” the researchers said. Chandraiah added that until recently, criminal operators mainly distributed the fake crypto apps through fake websites that resemble a trusted bank or the Apple App Store.”The addition of the iOS enterprise developer system introduces further risk for victims because they could be handing the attackers the rights to their device and the ability to steal their personal data,” Chandraiah said.”To avoid falling victim to these types of scams, iPhone users should only install apps from Apple’s App Store. The golden rule is that if something seems risky or too good to be true – such as someone you barely know telling you about some ‘great’ online investment scheme that will deliver a big profit  – then sadly, it probably is.”Sophos published another report on a similar scam in May that was aimed solely at people in Asia. But over the last few months the researchers saw a startling expansion of the attacks. “This scam campaign remains active, and new victims are falling for it every day, with little or any prospect of getting back their lost funds. In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” the two researchers wrote. “And while institutions dealing with cryptocurrency have started implementing ‘know your customer’ rules, the lack of wider regulation of cryptocurrency will continue to draw criminal enterprises to these sorts of schemes, and make it extremely difficult for victims of fraud to get their money back. These scams can have have a devastating effect on the lives of their victims.” More

Apple has defended its position on the restriction of app sideloading in light of current EU discussions surrounding competition in the tech space.

On Wednesday, the iPad and iPhone maker published a new paper (.PDF) on sideloading, a process allowed by other mobile OS developers — such as Google, albeit with some friction — to install apps on devices outside of official app repositories. Sideloading can be useful when users want access to software that is not available in official stores. Users may want to install apps that have been discontinued or when newer versions are not compatible with an existing handset, or for whatever reason — such as legal battles — an app has been pulled from an official source.  However, there are caveats to this practice. If you bypass an official store such as Google Play, Apple’s App Store, or the Microsoft Store, you may be missing out on the security protections and verification in place for an app to be hosted, and, therefore, you may be exposing yourself to mobile malware.  In June, Apple chief executive Tim Cook claimed that sideloading was not in the best interests of Apple product users, and reviewing all apps introduced into the ecosystem keeps mobile malware rates low.  “Mobile malware and the resulting security and privacy threats are increasingly common and predominantly present on platforms that allow sideloading,” Apple says.  There are a number of ways that malware can reach a handset. On occasion, malicious apps can circumvent existing protections in an official app repository; but more commonly, apps can be spread through phishing, masquerading as legitimate software or OS updates, and website spoofing. 

According to Apple’s research paper, “Building a Trusted Ecosystem for Millions of Apps: A threat analysis of sideloading,” — which builds upon a paper published in June — there are far more malware infections on Android-based devices than on iPhones. These infections include ad fraud software, spyware, Trojans, ransomware variants, and fake apps that could result in the theft of data or funds. The research has been published in light of discussions in Europe concerning the Digital Services Act (DSA) and the Digital Markets Act (DMA). The EU’s proposals would require tighter controls on “illegal” content online and for “gatekeepers” — such as tech and service providers — to protectively preserve and permit competition.  As previously reported by ZDNet, this could include measures such as increased interoperability between services and third-party software and banning the prevention of uninstalling pre-installed apps on mobile devices by users.  According to the Center for Strategic & International Studies, the DMA could force vendors such as Apple and Google to facilitate sideloading in the future.  While renewed regulation could be a positive force, there may be not enough discussion concerning the security of mobile device users, and the ramifications of taking away their choice to purchase a handset contained in a closed — and, therefore, potentially safer — mobile ecosystem.  Apple says that if the company was forced to support sideloading, even if limited to “third-party app stores only,” this would increase the spread of harmful applications as these sources may not have sufficient vetting procedures.Apple claims that users would end up with less control over their apps and features including parental controls, accessibility, and app tracking transparency would be negatively impacted. In addition, Apple says that users could end up being forced to sideload apps due to work or school.  “Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions,” Apple says. “This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws.” The tech giant added: “Forcing Apple to support sideloading on iOS through direct downloads or third-party app stores would weaken these layers of security and expose all users to new and serious security risks: It would allow harmful and illegitimate apps to reach users more easily; it would undermine the features that give users control over legitimate apps they download; and it would undermine iPhone on-device protections.  Sideloading would be a step backward for user security and privacy: supporting sideloading on iOS devices would essentially turn them into “pocket PCs,” returning to the days of virus-riddled PCs.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Critical security issues in the OpenSea NFT marketplace that allowed attackers to steal cryptocurrency wallet funds have been patched. 

NFTs, also known as non-fungible tokens, are digital assets that can be sold and traded on the blockchain. While some NFTs — from a pixel cartoon to a popular meme — can reach a sale price of millions of dollars, the popularity of this phenomenon has also created a new attack vector for exploitation.  On Wednesday, the Check Point Research (CPR) team said that flaws in the OpenSea NFT marketplace could have allowed “hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.” An investigation was launched after reports surfaced of malicious NFTs, airdropped for free, being used as conduits for cryptocurrency theft and account hijacking.  The NFT itself, and the airdrop, was not the source of the issue. Instead, once an NFT had been gifted to a potential victim, they would view it — and then a pop-up would trigger, requesting a signature to connect to a wallet. A secondary signature request prompt would then appear, and if accepted, could grant attackers access to an unwitting user’s wallet, funds, and more.  In OpenSea’s case, the security flaw allowed the team to upload an .SVG file containing a malicious payload, which would execute under the OpenSea storage subdomain. “In our attack scenario, the user is asked to sign with their wallet after clicking an image received from a third party, which is unexpected behavior on OpenSea, since it does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favoring an item,” CPR says. “However, since the transaction operation domain is from OpenSea itself, and since this is an action the victim usually gets in other NFT operations, it may lead them to approve the connection.”

The researchers disclosed their findings to OpenSea on September 26. Within less than an hour, the marketplace had triaged and verified the security issues and deployed a fix.  In a statement, OpenSea said: “Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention.  These attacks would have relied on users approving malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the malicious transaction.” OpenSea added that the organization has not found any evidence of exploitation in the wild. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

ZDNet Recommends

Best security key 2021

While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

A new report from cybersecurity company Randori has categorized the most tempting internet-exposed assets that an attacker is likely to go after and exploit, finding that one in 15 organizations currently runs a version of SolarWinds that is known to be actively exploited.In the 2021 Randori Attack Surface Report, researchers assigned each asset with a “Temptation Score” — effectively the likelihood an attacker will go after it. Any exposed asset with a score over 30 is considered to be high, with the highest-ranking assets currently within their corpus reaching an attacker Temptation Score of 55. The version of SolarWinds being actively exploited have an average Temptation Score of 40. The report found that more than 25% of organizations have RDP exposed to the internet, while 15% of organizations are still running outdated versions of IIS 6, which Microsoft hasn’t supported for six years. Randori gave the IIS 6 a Temptation Score of 37.Nearly 40% of organizations use Cisco’s Adaptive Security Appliance (ASA) firewall, which has a history of public vulnerabilities and a Temptation Score of 37. Almost half of all organizations run Citrix NetScaler, which has a score of 33 and multiple public exploits. Both CiscoWeb VPN and Palo Alto Global Protect joined Citrix NetScaler as VPNs listed in the report with high Temptation Scores.Just 3% of organizations are still running versions of Microsoft Outlook Web Access, but this alarmed Randori researchers, who noted the recent Exchange hacks and several known exploits for the tool. It was one of the highest on the Temptation Score scale at 38. “Many of the exposed assets — like SolarWinds and OWA — are there because of ignorance, not negligence. Organizations struggle to know what they have been exposed to on the internet. Cloud migration and the work-from-home boom dramatically increased the number of exposed assets — but it is possible to deploy security measures to help you secure the unknown,” David Wolpoff, CTO of Randori, told ZDNet.

The report notes that the SolarWinds issue ranked high in the report because it has publicly disclosed vulnerabilities, it is a mission-critical technology for many businesses, and it is widely used. “Many assume prioritizing based on vulnerability severity will keep you safe.  But that’s simply not true. Attackers think differently, and vulnerability severity is just one of many factors weighed by an attacker. Our hope with releasing this report is that people will get deeper into the attacker’s mindset, apply attacker logic to their security programs, and get one step ahead,” Wolpoff said. Wolpoff explained that the report is based on attack surface data from millions of internet-exposed assets and noted that The Temptation Score applies a proprietary weighting of six different attributes to determine the Temptation Score of an asset: enumerability, exploitability, criticality, applicability, post-exploitation potential, and research potential. Wolpoff said he is continually surprised to see that low effort, easy-to-break-in attacks still work at successful enterprises — like exploitable OWA. “What strikes me is the lack of focus on the basics, like hardening the default configurations or seeing default settings that contain admin/admin as the username and password. The number of times that the default username and password ‘admin/admin’ has gotten us into boxes is extremely surprising,” Wolpoff said. “For example, many enterprises are running old Microsoft OWA with the default settings — exposing the name, version, and, better yet, configuration information! The more an attacker knows about a system, the more tempting it is — it makes it easier for an attacker to cross-check to see if there are any known public vulnerabilities or exploits weaponized against that specific version and to confirm if an exploit will land.”He was also shocked by the high percentage of people not using MFA. He explained that his attack team often successfully conducts an attack with previously disclosed credentials because MFA wasn’t deployed.Wolpoff suggested security teams always change the default settings so the version number isn’t publicly visible, noting that if enterprises are unable to patch or upgrade a tool, they should at least hide it. He urged security teams to find ways to reduce their attack surfaces by taking things offline or disabling functionalities that go unused. It is no longer appropriate for organizations to settle for the configuration the manufacturer sets as default, and Wolpoff added that enterprises should segment critical assets as well as appliance and IoT devices.  More

The Australian government has announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan.Under the new plan [PDF], people who use ransomware to conduct cyber extortion will be slapped with new stand-alone aggravated criminal charges.A new criminal offence has also been created for people that target critical infrastructure with ransomware. The acts of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence as well as buying or selling malware for the purposes of undertaking computer crimes are also both now criminalised.”The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said.Alongside the new criminal offences, the plan will also roll out a new mandatory ransomware incident reporting regime, which would require organisations with a turnover of over $10 million per year to formally notify government if they experience a cyber attack. The new plan will also see government work to introduce additional legislative reforms that potentially allow law enforcement to track, seize or freeze ransomware gangs’ proceeds of crime. 

All of the new measures will be developed through a new tranche of legislation rather than through the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently being considered by Parliament. This is in spite of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 already containing provisions that seek to create mandatory reporting requirements for organisations that suffer a cyber attack and provide more powers for government to undertake action against cyber attacks.While the plan itself says some of the new measures will be regulated through the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a federal government representative clarified that the Bill would just be providing clarity surrounding the definitions of critical infrastructure.The government representative also said the new tranche of legislation would be primarily focused on introducing new offenses to allow law enforcement to charge cybercriminals on ransomware grounds, while the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is focused on providing government more powers to intervene during cyber attacks.That Bill received the tick of approval from a parliamentary joint committee two weeks ago, with the parliamentary committee saying at the time there was compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure was increasing.”Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said at the time.The Bill was originally meant to be broader in scope, but the committee advised that other “less urgent” aspects of the Bill should be introduced under a second, separate Bill following further consultation.Under the government’s new ransomware plan, a multi-agency taskforce led by the Australian Federal Police, called Operation Orcus, has also been created. Created in July, the government has touted the new taskforce as being the country’s “strongest response to the surging ransomware threat”.According to Andrews, these new measures all fall within one of the plan’s three objectives, which are to build Australia’s resilience to ransomware attacks; strengthen responses to ransomware attacks; and disrupt and deter cybercriminals through tougher laws. To achieve these three objectives, Andrews said the federal government would work closely with state and territory governments and industry stakeholders.The new plan builds on Australia’s overarching 2020 Cyber Security Strategy, which aims to impose cyber standards on operators of critical infrastructure and systems of national significance and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.Updated at 2:30pm AEST, 13 October 2021: Updated article to reflect clarifications from the federal government about how the ransomware plan’s new measures would be legislated. MORE ON THE BILL More