More stories

  • Asean champions regional efforts in cybersecurity, urges international participation

    Asean has championed the region’s efforts in cybersecurity and pledges to drive further collaboration amongst member states, including plans to adopt common standards and best practices. It also stresses the need for participation from the international community, particularly as digital transformation continues to accelerate amid increasing cyber threats.

    To date, Asean is the only regional organisation to have subscribed, in principle, to the United Nations’ (UN) 11 voluntary, non-binding norms of responsible state behaviour in cyberspace, according to Singapore’s Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity, Josephine Teo.

    Asean advocated the need to implement the international cyber stability framework and was making good progress on the roadmap to guide adoption of the norms, said Teo, who was speaking Wednesday at the Asean Ministerial Conference on Cybersecurity, held in conjunction with Singapore International Cyber Week.

    Pointing to the Asean Regional Action Plan, she said Singapore and Malaysia recently organised a workshop with other member states. The region was expected to officially endorse the action plan at the Asean Digital Ministers’ Meeting on December 1, 2021.

    There currently are 10 Asean member states, including Singapore, Indonesia, Thailand, Malaysia, and the Philippines. The region in September 2018 agreed on the need for a formal framework to coordinate cybersecurity efforts, outlining cyber diplomacy, policy, and operational issues.

    Member states had underscored the importance of “a rules-based cyberspace” to drive economic progress and improve living standards. Internal laws, voluntary and non-binding norms of state behaviour, as well as practical “confidence-building” measures were essential to ensure the stability of cyberspace, they said.

    They added that such plans would include the region’s efforts to observe the 11 norms recommended in the 2015 Report of the UN Group of Governmental Experts. The 11 norms outline what the international organisation deemed necessary to create a “free, open, peaceful, and secure cyberspace”, including global cooperation to develop and apply “measures to increase stability and security in the use of ICTs” and to “not knowingly allow their territory to be used for internationally wrongful acts using ICTs”.

    Speaking virtually at the Asean Ministerial Conference, Asean Secretary-General Lim Jock Hoi said the global pandemic underscored the need for a coordinated approach to address cyber threats.

    Noting that digitalisation had accelerated, Lim said Asean, ready or not, would have to embrace digital transformation to maximise its benefits and work towards building a regional community. Here, he added that the region had kicked off various initiatives including digital economy agreements and the 2019 Asean Agreement on Electronic Commerce, which aimed to facilitate collaboration and growth of e-commerce transactions in the region. With increased digital adoption, though, came higher exposure to cybersecurity threats that could cause significant damage, he said. He noted these included ransomware, phishing, and Distributed Denial of Service (DDoS) attacks that had disrupted business operations, impacted individuals, and threatened the stability of Asean communities.

    Such threats and cybercrimes were becoming widespread across the region, targeting critical information infrastructures (CII) such as oil, energy, and e-commerce. Without “resolute action” within Asean member states, Lim said these challenges would significantly undermine the resilience of and trust in the region’s digital economies and prevent them from realising their full potential.

    He said member states already were working to enhance the region’s cybersecurity posture, including efforts to strengthen partnerships amongst the respective CERTs (Computer Emergency Response Teams) to build “mutual trust” in dealing with security incidents. The Asean CERT was established to improve the region’s knowledge and capacity to respond to and mitigate the impact of cyber attacks, he noted.

    The development of a coherent regulatory and policy framework on cybersecurity also was essential in Asean, he added, which he said could be accomplished through regional frameworks for cybersecurity maturity assessment and CII security.

    There also should be cybersecurity standards and best practices to drive interoperability across the region, which would further support the secure and trusted use of digital technologies and drive an integrated Asean economy, he said.

    International communities should build cyber norms, rules

    With cybersecurity a global issue, Lim said Asean would collaborate with the international community and play its role in developing a rules-based cyberspace with cyber norm behaviours.

    Further stressing the importance of global cooperation, Teo said supply chain and ransomware attacks were increasing in frequency, scale, and impact. She cited the SolarWinds breach, the US Colonial Pipeline attack that posed real-world consequences, and the Kaseya breach, which forced more than 800 Swedish Coop supermarkets to close.

    “These examples show the importance of strengthening our cybersecurity. They also highlight the need for international cooperation to build consensus on the rules, norms, principles, and standards governing cyberspace,” she said. “Such efforts will help to ensure that states behave responsibly in their use of ICT, so we can achieve an open, secure, and interoperable ICT environment. In doing so, we can also strengthen the rules-based multilateral order.”

    According to Teo, Asean currently was laying the groundwork to drive its updated Digital Masterplan 2025, which involved five key objectives including advancing cyber readiness cooperation, strengthening both regional and international cyber policy coordination, and enhancing regional capacity building. She said recent global supply chain attacks also highlighted the need for swift exchange of threat information to mitigate the spread of such attacks. This emphasised the importance of “cyber ops-tech collaboration”, such as through the Asean CERT and through the development and implementation of technical standards.

    “Often, we are forced into a reactive position when dealing with cyber incidents. In fact, we would rather be proactive on cybersecurity, by making our systems, networks, and devices secure-by-design,” she said. She pointed to Singapore’s efforts here with the introduction of the Cybersecurity Labelling Scheme for IoT devices, enabling consumers to identify the level of cybersecurity of such devices.

    Teo said Asean member states could collectively raise the cyber hygiene level in the region by working towards a common baseline cybersecurity standard for IoT devices.

    Singapore on Wednesday also announced the official opening of the Asean-Singapore Cybersecurity Centre of Excellence campus. Announced in 2019 to facilitate cyber capacity building efforts in the region, the centre aimed to conduct research and provide training in areas that included international law, cyber norms, and various cybersecurity policy issues. The facility also would offer CERT-related technical training, conduct virtual cyberdefence training and exercises, and drive the exchange of best practices, cyber threat intelligence, and other related information. The centre comprises two training labs that can hold up to 100 in-person participants, conference rooms, and amenities to facilitate capacity building efforts, CSA said.

  • Telstra Purple to offer Azure-based Branch Offload edge compute as managed service

    Telstra has spent much of 2021 working with Microsoft and Ericsson on its Branch Offload managed service, which will be offered to businesses akin to IaaS. Branch Offload will use Azure Stack Edge, be capable of using 5G and fixed line connectivity, and arrive with SD-WAN and service orchestration capability. The service is expected to be rolled out before the end of the 2022 fiscal year.

    Head of Telstra Purple Chris Smith said the solution gives the flexibility of public cloud, but allows it to be closer to where applications run. “It’s the performance of on-premises, without having to put anything on premise,” he said. Smith added that half of Purple customers were looking to the edge for cost benefits, and Branch Offload would allow customers to increase resiliency by having real-time failover to an adjacent site or having workloads in multiple sites across Telstra’s network.

    “We think that over time applications will be rewritten so that a component of it runs in the cloud, there’ll be a component written specifically to run at the edge, and it’ll interwork together as well,” Telstra executive of technology development and solutions Channa Seneviratne said. Seneviratne said Telstra could easily deploy Edge Offload into its exchanges, but it would not do so without use cases and customers.

    “We’re not going to just deploy this willy-nilly,” he said. “It’s got to be somewhere where it makes sense.”

    Elsewhere on Wednesday, Telstra spoke about how it used AWS Snowball to help the AFL digitise its match library. The telco said each match takes up 120GB of storage, which means over 1TB of data is created each week. Telstra and AWS signed an edge computing agreement in January.

  • Facebook CEO Mark Zuckerberg on putting profit before safety: 'That's just not true'

    Facebook founder and CEO Mark Zuckerberg has publicly addressed claims that the social media giant prioritises profit over safety and wellbeing, saying they are “just not true”.

    “We care deeply about issues like safety, wellbeing, and mental health. It’s difficult to see coverage that misrepresents our work and our motives. At the most basic level, I think most of us just don’t recognize the false picture of the company that is being painted,” Zuckerberg wrote in a note to Facebook employees that he publicly posted on his Facebook page.

    “The argument that we deliberately push content that makes people angry for profit is deeply illogical,” he continued. “We make money from ads, and advertisers consistently tell us they don’t want their ads next to harmful or angry content. And I don’t know any tech company that sets out to build products that make people angry or depressed. The moral, business and product incentives all point in the opposite direction.”

    The response comes after Facebook whistleblower Frances Haugen fronted the US Senate as part of its inquiry into Facebook’s operations, declaring the company “morally bankrupt” and casting “the choices being made inside of Facebook” as “disastrous for our children, our privacy, and our democracy”. Haugen, who used to work as the lead product manager for Facebook’s civic misinformation team, told the Senate that Facebook “is choosing to grow at all costs” — which means that profits are being “bought with our safety.” This, in turn, is encouraging “more division, more harm, more lies, more threats, [and] more combat” online. Haugen added that Zuckerberg “has built an organisation that is very metrics-driven — the metrics make the decision,” and, therefore, the buck stops with him.

    The allegations stem from The Facebook Files, a series of investigations published by The Wall Street Journal. The articles are based on internal files, draft presentations, research, and internal staff communication leaked by the whistleblower. The Wall Street Journal published six of the internal documents which were the basis of its investigation. Facebook then published two of them, complete with annotations, last week.

    Zuckerberg said many of the claims “don’t make any sense”. “If we wanted to ignore research, why would we create an industry-leading research program to understand these important issues in the first place? If we didn’t care about fighting harmful content, then why would we employ so many more people dedicated to this than any other company in our space — even ones larger than us?” he wrote. “If we wanted to hide our results, why would we have established an industry-leading standard for transparency and reporting on what we’re doing?”

    He also took the opportunity to address claims that raised questions about the impact Facebook has on the safety and wellbeing of children specifically. Haugen told Senate members that “Facebook knows that its amplification algorithms can lead children from innocuous topics — such as healthy food recipes — to anorexia-promoting content over a short period of time”.

    “When it comes to young people’s health or wellbeing, every negative experience matters … we have worked for years on industry-leading efforts to help people in these moments and I’m proud of the work we’ve done. We constantly use our research to improve this work further,” Zuckerberg said. Facebook announced last week it was hitting pause on plans to develop a version of Instagram for kids, citing the need for more time to work more closely with “parents, experts, policymakers, and regulators.”

  • Firefox 93 arrives with tab unloading, insecure download blocks and enforced referrer trim

    Version 93 of Mozilla’s Firefox browser has arrived, and chief among its new features is tab unloading. Available at the moment only on Windows, with macOS and Linux to follow, the feature kicks in when the browser believes an out-of-memory crash is imminent, and it unloads tabs starting with the least recently used. Tabs that are in the foreground are never unloaded, while tabs that are pinned, using picture-in-picture, or playing sound are less likely to be unloaded. On Windows, the threshold is around the 6% mark, Mozilla engineer Haik Aftandilian wrote in a blog post.

    “We have experimented with tab unloading on Windows in the past, but a problem we could not get past was that finding a balance between decreasing the browser’s memory usage and annoying the user because there’s a slight delay as the tab gets reloaded, is a rather difficult exercise, and we never got satisfactory results,” Aftandilian said. “We have now approached the problem again by refining our low-memory detection and tab selection algorithm and narrowing the action to the case where we are sure we’re providing a user benefit: if the browser is about to crash.”

    A month of testing in Firefox’s Nightly channel found a decrease in browser and content process-related crashes, but also an increase in out-of-memory crashes, as well as an increase in average memory usage. “The latter may seem very counter-intuitive, but is easily explained by survivorship bias … browser sessions that had such high memory usage would have crashed and burned in the past, but are now able to survive by unloading tabs just before hitting the critical threshold,” the engineer said.

    “The increase in OOM crashes, also very counter-intuitive, is harder to explain. We’re working on improving our understanding of this problem and the relevant heuristics. But given the clearly improved outcomes for users, we felt there was no point in holding back the feature.” In the next release of Firefox, an about:unloads page will be added to provide diagnostics on tab unloading.

    Also coming in Firefox 93 is functionality to block HTTP downloads initiated from HTTPS pages, showing users a dialog that warns the download is a potential security risk and asks whether they wish to continue, as well as blocking downloads from sandboxed iframes unless they carry the allow-downloads attribute.

    The browser has also disabled support for 3DES encryption by default, though it will still be available when sites use deprecated TLS versions. “Recent measurements indicate that Firefox encounters servers that choose to use 3DES about as often as servers that use deprecated versions of TLS,” Mozilla said. “As long as 3DES remains an option that Firefox provides, it poses a security and privacy risk. Because it is no longer necessary or prudent to use this encryption algorithm, it is disabled by default in Firefox 93.”

    Firefox 93 is also packing the third version of its SmartBlock technology, which can replace Google Analytics, Optimizely, Criteo, Amazon TAM, and various Google advertising JavaScript with local versions that behave closely enough to the originals to prevent sites from breaking. The browser is changing its referrer policy to ensure sites cannot override the default trimming that Firefox applies to cross-site URLs. Same-site requests will continue to pass the full referring URL.

  • Updated CDR rules to allow accredited participants to appoint representatives

    The Australian government has updated the Consumer Data Right (CDR) rules, with accredited CDR participants now able to sponsor other parties to become accredited or allow them to operate as their representative. Parties that are representatives of accredited data recipients (ADRs) will be able to access and use CDR data without accreditation so long as they offer CDR-related services, which the government hopes will increase industry participation in the CDR. Previously, only ADRs have been able to receive consumers’ data from a data holder and make use of it in their own products or services.

    The CDR is a government initiative aimed at allowing individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it. The Federal Treasury, the lead agency in rolling out the initiative, envisions the CDR as a tool that will help individuals to monitor finances, utilities, and other services, and compare and switch between different offerings more easily. The first tranche of Australia’s CDR was officially launched on July 1, requiring financial services providers to share a customer’s data when requested by the customer. While the first tranche only applies to the financial services industry, energy and telecommunications will soon join the regime.

    In addition to giving more functions to accredited CDR participants, the third version of the CDR rules also expands consumers’ rights, as they are now able to nominate trusted advisers to access CDR data. Trusted advisers include accountants, tax agents, financial counsellors, financial advisers, and mortgage brokers.

    The updated rules also mean consumers will now be able to disclose limited data insights outside the CDR for a specific purpose, such as verifying identity or confirming bank account balances. Data sharing processes for consumers with joint accounts will also be simplified, with each account holder in a joint account able to consent to data being shared on the account from July next year.

    Minister for Superannuation, Financial Services and the Digital Economy Senator Jane Hume labelled the updated rules a “game changer for digital innovation”.

    “The rules made today are an important step in supporting the development of a vibrant data economy that provides benefits to business and consumers. The government is committed to supporting businesses and consumers to participate in the Consumer Data Right and will continue to ensure that the rules support that objective,” Hume said.

    In the previous set of amendments, made in December, the government permitted ADRs to offer CDR consumers the ability to amend an existing consent, which included the ability to add or remove uses, data types, accounts or data holders, or to amend the duration of the consent. It also provides for separate consent types, including consents for collection, use, disclosure, direct marketing, and research.

  • By end of 2021, Google plans to auto-enroll 150 million users in two-step verification and require 2 million YouTube creators to turn it on

    Google announced on Tuesday that it will be auto-enrolling 150 million of its users in two-step verification by the end of 2021. The platform will also require two million YouTube creators to turn on two-step verification by the end of the year.

    In a blog post, Google Chrome product manager AbdelKarim Mardini and Google account security and safety director Guemmy Kim said the best way to keep users safe is to turn on security protections by default. “For years, Google has been at the forefront of innovation in two-step verification (2SV), one of the most reliable ways to prevent unauthorized access to accounts and networks. 2SV is strongest when it combines both ‘something you know’ (like a password) and ‘something you have’ (like your phone or a security key),” the two explained. “2SV has been core to Google’s own security practices and today we make it seamless for our users with a Google prompt, which requires a simple tap on your mobile device to prove it’s really you trying to sign in. And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state.”

    In addition to requiring 2SV — also known as two-factor authentication — Google said it checks the security of 1 billion passwords and works to protect Google’s Password Manager, which is built directly into Chrome, Android and the Google App. Even iOS users can use Chrome to autofill saved passwords, and soon Apple users will have access to Chrome’s strong password generation — a feature Apple has been rolling out over the last year on its own devices and platforms. Google is also planning to add a feature that gives users access to all of the passwords saved in the Password Manager directly from the Google app menu.

    In addition to its work for regular users, Google will be providing additional protection for “over 10,000 high risk users this year” through a partnership with organizations that will see them provide free security keys. “We recently launched One Tap and a new family of Identity APIs called Google Identity Services, which uses secure tokens, rather than passwords, to sign users into partner websites and apps, like Reddit and Pinterest. With the new Google Identity Services, we’ve combined Google’s advanced security with easy sign in to deliver a convenient experience that also keeps users safe,” Mardini and Kim wrote. “These new services represent the future of authentication and protect against vulnerabilities like click-jacking, pixel tracking, and other web and app-based threats. Ultimately, we want all of our users to have an easy, seamless sign-in experience that includes the best security protections across all of their devices and accounts.”

  • Vodafone NZ to drop legacy copper landlines by April 2021

    Vodafone New Zealand has announced it will start moving customers using legacy copper landlines — plain old telephone service or POTS — onto newer services. These customers will be moved to voice over fibre, wireless, UltraFast HFC, or copper broadband, with the POTS service to be switched off in April next year, the telco said.

    “All Vodafone copper phone customers will have the option to move to a broadband-based calling service to stay connected. Depending on where they live and their personal circumstances, that might be using fibre, wireless broadband, UltraFast HFC, or copper broadband access technology,” Vodafone NZ experience and commercial director Joe Goddard said.

    The first set of customers to transition away from legacy copper landlines will be those still using the old Spark (previously known as Telecom NZ) copper phone networks. According to Goddard, this amounts to around 10,000 connections.

    Other New Zealand telcos, like Chorus, have also started cutting copper phone and broadband services, with the switch-offs starting last month in areas where fibre uptake is “already high”. Around 5,000 Chorus customers, who comprise less than 1% of the telco’s copper network customer base, will have their services withdrawn by the end of the year. The decision to cut off copper networks was in response to the Commerce Commission’s final Copper Withdrawal Code being released in December, the telco said.

    Across the Tasman Sea, Vodafone Australia brand owner TPG Telecom launched its first sustainability strategy, which is aimed at creating various initiatives for a responsible and sustainable business. The strategy features four pillars — customer wellbeing, environmental responsibility, inclusion and belonging, and the digital economy — and identifies 20 corporate responsibility and sustainability commitments.

    Among those commitments is a vow to implement a “harmonised approach” to gender pay equity across its Australian workforce by 2022 and to increase female representation across leadership, STEM functions, and the overall workforce in Australia by 2024. The female representation targets are a 45% increase for leadership, 35% increase for STEM functions, and 20% increase for the overall workforce. It also said it would increase representation for people identifying as Aboriginal and Torres Strait Islander, LGBTQI+, or with a disability.

    TPG has also committed to using only renewable electricity for its Australian operations by 2025, and to working with suppliers to reduce packaging and increase packaging resource recoverability across products and networks. In terms of customer wellbeing, the commitments range from developing a customer vulnerability policy or framework, to increasing customer awareness of how to detect scams and theft, to offering services that help educate families and children about how to stay safer online.

  • Hong Kong firm becomes latest marketing company hit with REvil ransomware

    Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation. Fimmick has offices in Hong Kong and across China, serving several high-profile clients like McDonald’s, Coca-Cola, Shell, Asus and others. Its website is currently down and there was no response to ZDNet requests for comment.

    Matt Lane, CEO of UK-based cybersecurity firm X Cyber Group, said his team routinely “scrutinizes the activities of cybercriminals for evidence of their behaviors,” as a way to protect clients and customers. On Tuesday, they discovered that REvil had breached Fimmick’s databases and claimed to have data from a number of global brands. Lane shared screenshots showing REvil’s threatening posts toward Fimmick that included information stolen from the company’s website.

    “We discovered this intelligence as part of those routine activities. We noted, with interest, that the attacker’s ‘Happy Blog’ also appears to be temporarily unavailable but have no further information as to why that might be,” Lane said, adding that the criminal group also shared a directory structure of the stolen data. “You can see Cetaphil, Coca-Cola, Hana-Musubi and Kate Spade are listed.”

    Ransomware gangs have targeted marketing firms multiple times over the last few years because of their ties to larger companies with more valuable data. 

    John Hammond, senior security researcher at Huntress, said that for ransomware operators, the most attractive targets are the ones that lead to even more targets. “In the same vein that cybercriminals prefer a spray-and-pray approach — always opting for the easiest targets and the low-hanging fruit — ransomware gangs love a one-to-many approach, which requires less effort to bring greater results,” Hammond said. “Marketing firms, PR firms, and organizations that integrate closely with other businesses could have a plethora of data and information that make targeting the next victim even easier. Much like service providers, attacking one could start a domino effect to target others that the original victim worked with. Attacking a marketing firm or PR firm allows ransomware gangs to get a bigger bang for their buck.”

    Allan Liska, a ransomware expert with cybersecurity company Recorded Future, said there have been at least three other marketing firms hit with ransomware over the last year. Wieden+Kennedy was attacked in November 2020 and was forced to notify Oregon Department of Justice officials in April after employees’ personal information was exposed during the incident. MBA Group was hit in March and Empirical Research Partners in September.

    “I don’t know if they are particularly ripe compared to other industries but I could see marketing firms being more vulnerable to attack, especially phishing attacks as they are used to dealing with a diverse client base and likely receive a lot of emails with attachments, which is a favorite initial access vector for many ransomware groups,” Liska said. “The actual number of marketing firms hit is likely much higher, but unlike hospitals or schools, when a marketing firm gets hit with ransomware, it doesn’t make the news.”