More stories

  • COVIDSafe feedback process changes as app moves into business as usual mode

    [Image: Health Minister Greg Hunt launching the COVIDSafe app on 26 April 2020. Credit: Getty Images]
    The Digital Transformation Agency (DTA) has changed the way feedback is provided for the country’s COVIDSafe app, as the issue-plagued app moves to “business as usual” mode.

    As highlighted by software developer Geoffrey Huntley on Twitter, the DTA has disabled the ability to collaborate on GitHub. “This removes a huge wealth of information, history and discussion around decisions made, bugs that were fixed etc. @DTA surely this is a mistake?”

    But according to the DTA, it was not a mistake. “As part of the COVIDSafe app’s transition to ‘business as usual mode’, we have streamlined the channels for support and engagement with the community,” a spokesperson told ZDNet.

    “Feedback and support channels for the COVIDSafe app remain open via support@covidsafe.gov.au, we welcome input from the tech community.

    “The process for reporting security concerns remains unchanged and is published on GitHub.”

    The agency previously touted posting on GitHub as giving the tech community an opportunity to provide feedback.

    After pinning the cost of keeping the COVIDSafe app running at AU$100,000 a month in March, former DTA CEO Randall Brugeaud in May almost halved the previous estimate.

    “I estimated AU$100,000 per month to host COVIDSafe at the last hearing, that has ended up at AU$75,094.98 per month. And we’ve made a number of performance improvements to the app over the last couple of months, which should see that sitting at about AU$60,000 per month from the first of July,” he said at the time.

    The total cost to build and operate the app as of May was AU$7,753,863.38, including GST. To the end of January, that figure was AU$6,745,322.31, which Brugeaud said comprised around AU$5,844,182.51 for the app’s development and AU$901,139.80 for hosting.

    Earlier this week, the Department of Health released freedom of information documents requested by the Canberra Times pertaining to the evaluation of the operation and effectiveness of COVIDSafe and the National COVIDSafe Datastore. The final report is meant to provide information on the app’s appropriateness, implementation, and efficiency.

    In May, the DTA said the app had picked up 567 close contacts not found through manual contact tracing, a large increase on the previous number of 17 contacts, and that there had been 779 uploads to the National Data Store since inception last year.

    Whole paragraphs that discuss the effectiveness of the app in New South Wales, Queensland, and Victoria are missing from the report, however.

    The heavily redacted document does, however, provide the finding that the app touted by Prime Minister Scott Morrison as digital sunscreen was the “correct tool” to implement.

    “As our technology review indicates, based on the parameters of knowledge and capabilities at the time of app launch, it is believed that the COVIDSafe app was the correct tool to employ,” the report says. “Many of the international contact tracing apps, such as Singapore’s TraceTogether, utilised BLE to capture digital ‘handshakes’ between mobile devices.”

    As of 9pm AEST 22 July 2021, there were around 1,700 active cases of COVID-19 in Australia, with most of the country remaining under strict lockdown orders.

    MORE DIGITAL SUNSCREEN

    14 COVIDSafe enquiries to OAIC, but still no complaints or breaches: The agency’s second six-month report shows there have been no reports of breaches, no complaints made, and no investigations underway regarding the COVIDSafe app that Labor has referred to as a ‘turkey’.

    Australian Committee calls for independent review of COVIDSafe app: It said the AU$5.24 million app has significantly under-delivered on the Prime Minister’s promise that the app would enable an opening up of the economy in a COVID safe manner.

    Attorney-General urged to produce facts on US law enforcement access to COVIDSafe: In its second interim report, Australia’s COVID-19 committee argues misuse of public interest immunity claims from agencies, including by the Attorney-General’s Department, which it has accused of failing to confirm whether a US law enforcement agency was barred from accessing data collected by COVIDSafe.

  • Contentsquare acquires Upstride to speed up AI innovation for digital business

    Contentsquare, which has developed a digital experience analytics platform that enables businesses to track online customer behavior, has acquired Upstride, a French startup specializing in improving machine learning performance. Terms of the deal were not released.

    With the acquisition, Contentsquare gains Upstride’s deep learning experts to help it further drive innovation in ML and artificial intelligence.

    Fourteen Upstride engineers will join Contentsquare, bringing their experience of working for leading tech companies such as Facebook, Samsung, GoPro, and Nvidia. Meanwhile, Upstride CEO Gary Roth will fill a strategic role on Contentsquare’s operations team.

    Upstride brings AI talent to Contentsquare

    Prior to the acquisition, Upstride was developing technology that enhances the learning capabilities of optimization algorithms, particularly neural networks. The startup created a new data type called Hycor, which exploits geometric features present in data and enhances information representation. Hycor can be integrated within existing pipelines and is used by AI builders, such as Nvidia’s CUDA Deep Neural Network library (cuDNN) and Intel’s OneAPI.

    In 2020, Upstride introduced an open-source image-classification application programming interface. The API allows deep learning experts to save time by simplifying the most common task in computer vision: image classification. It improves accuracy, data efficiency, and power consumption of neural networks.

    Contentsquare helps companies improve experiences across the web, mobile, and applications by analyzing people’s digital interactions. Leading brands, including industries such as retail, telecom, and travel, use the company’s platform to collect key insights to create better user experiences. In the past year, Contentsquare revealed plans to further invest in AI both through product development and acquisitions. In October 2020, Contentsquare made two acquisitions. It bought web performance-monitoring company Dareboost and an accessibility software company, Adapt My Web. It also launched several new products and expanded its portfolio with 11 patents.

    This acquisition adds to the AI capabilities Contentsquare has stockpiled and enables it to accelerate innovation with a deeper talent pool of AI and machine learning experts. AI talent is scarce and adding a group of talented people through an acquisition helps Contentsquare fast track innovation.

    Contentsquare closed a massive round of funding

    This news follows a couple of other big announcements for the company. In May, Contentsquare raised $500 million Series E funding. The investment led by SoftBank gave Contentsquare additional financing to further develop its platform and expand the company, adding 1,500 new hires around the world. The latest round comes a year after Contentsquare’s $190 million Series D funding, bringing the total to $810 million and valuing Contentsquare at $2.8 billion.

    By combining forces, Contentsquare and Upstride will “start pushing new AI boundaries together [with] some of the most creative and innovative minds in the tech industry,” according to Contentsquare CEO Jonathan Cherki. Contentsquare plans to do so by filling 500 new positions during the next three years in product development, focusing specifically on intent-based optimization, cookieless and predictive capabilities, merchandising insights, and content performance.

    Businesses need to prepare for an increasingly cookieless world

    In June the company announced a tool that enables businesses to access customer insights without having to use cookies. This lets organizations turn off first- and third-party cookies but still be able to create personalized experiences by analyzing the behaviors and actions of the users. This feature will become increasingly important as the industry moves to a cookieless world and is central to Contentsquare’s intent-based approach to personalization.

    Owning and controlling customer relationships is a significant factor in achieving market leadership. Historically, this was done using cookies placed on desktop or mobile browsers, but these are quickly going away. Safari and Firefox already have removed them, and Google Chrome will do so by 2023. Also, Apple’s IDFA is like a cookie and will require the user’s consent later in 2021. This impending “cookie apocalypse” removes the ability to track shoppers anonymously. This makes it harder for retailers to acquire and retain customers because it will be more difficult to push ads. The new tool can help Contentsquare customers move to this cookieless world without a significant loss of intelligence or insights.

  • More than half of all Aussies continue to encounter forms of cyber scams in 2021

    Within the Asia Pacific, Australians are second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. Leading the way is India, where 69% of people encountered a tech support scam.

    The 2021 Global Tech Scam Research report showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While it was a two-point decrease from 2018, it was still higher than the global average, which came in at 59%, five points lower than in 2018.

    Of those Australians who encountered a scam in 2021, 9% lost money as a result, a three percentage point increase on 2018, and slightly higher than the global average of 7%. The amount lost by those who continued interacting with such scammers was about AU$126 on average.

    According to the research, the slight drop in scam encounters in Australia between 2018 and 2021 was largely driven by a decrease in pop-up ads and website redirect scams that accounted for 39% and 34% of scam interactions in 2021 respectively. On the flipside, unsolicited calls and unsolicited emails received by Australian customers increased to 46% and 41% respectively in 2021.

    When breaking down the type of scams and interaction by generation, Australian boomers, those who are aged 54-plus, were the most susceptible to unsolicited calls at 55%. Meanwhile, for millennials, aged 24-37, just under half fell for an unsolicited email.

    Australian consumers continued to be distrustful of unsolicited contact, the survey indicated, noting of those surveyed in 2021, 88% thought that it was very or somewhat unlikely a company would contact them via an unsolicited call, pop-up, text message, ad, or email.

    “Tech support scams are perpetrated globally and target people of all ages. The survey findings reveal that Australians are experiencing higher-than-average tech support scam encounters when compared globally, showing that consumers need to understand how these scammers work to better enable them to protect themselves from scams,” Microsoft Asia digital crimes unit regional lead assistant general counsel Mary Jo Schrade said.

    “Tactics used by fraudsters to victimise users online have evolved over time, from pure cold calling to more sophisticated ploys, such as fake ‘pop-ups’ displayed on people’s computers.”

    The report also showed that between 2018 and 2021, India recorded the biggest jump globally when it came to the number of people who lost money consistently. In 2018, it was 14% and this skyrocketed to 31% in 2021.

    This correlated closely with India, alongside Singapore, experiencing the largest jump in phone scams globally over the three-year period. India saw it increase by eight percentage points to 31%, while Singapore more than doubled to 34%. Despite these increases, Australia still experienced the most unsolicited calls globally in 2021 at 46%.

    Within the Asia Pacific, tech support scams that targeted Japan remained low at 29%, a decrease from the 36% in 2018. Of those scams that did occur, 24% were ignored. But where there was interaction, Gen Z, aged 18-23, was the generation that was most likely to engage with a scam that came from a pop-up ad or window.

    “Tech support scams will remain an industry-wide challenge until sufficient people are educated about these scams and can avoid them,” Schrade said.

    “The best way consumers in Australia and Asia Pacific can protect themselves is to learn about how these scammers are targeting people, be suspicious of any unsolicited contact from purported tech company employees and avoid letting people they do not know remotely access their computers.”

    Other findings from the report included that those who lost money to scams engaged more in risky activities, such as using torrent sites, downloading music and videos, and sharing email addresses in exchange for content. These same people also displayed overconfidence in their computer literacy. At the same time, consumer protection agencies and government regulators are seen to have the biggest responsibility to protect consumers against scams.

  • Uber found to have interfered with privacy of over 1 million Australians

    The Office of the Australian Information Commissioner (OAIC) has handed down its determination that Uber interfered with the privacy of over 1 million Australians in 2016.

    Australia’s Information Commissioner and Privacy Commissioner Angelene Falk on Friday said US-based Uber Technologies Inc and Dutch-based Uber B.V. failed to appropriately protect the personal data of an estimated 1.2 million Australian customers and drivers, when it was accessed in a breach in October and November 2016.

    It came to light in late 2017 that hackers had stolen data pertaining to 57 million Uber riders worldwide, as well as data on more than 600,000 drivers. Instead of notifying those impacted, Uber concealed the breach for more than a year and paid a hacker to keep it under wraps.

    While Uber required the attackers to destroy the data and there was no evidence of further misuse, OAIC said its investigation focused on whether Uber had preventative measures in place to protect Australians’ data.

    Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required. The tech giant also failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APP), she said.

    “Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” the determination says. “Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”

    APP 11.1 requires companies to take reasonable steps to protect personal information against unauthorised access, while APP 11.2 requires reasonable steps to be taken to delete or de-identify personal information that is no longer needed for a permitted purpose. Also breached, the OAIC found, was APP 1.2, which requires companies to take reasonable steps to implement practices, procedures, and systems relating to the entity’s functions or activities, to ensure compliance with the APPs.

    In her determination, Falk said the Uber companies must not repeat those acts and practices.

    She has also requested that Uber prepare, within three months, a data retention and destruction policy that will, when implemented, enable and ensure compliance by the Uber companies with APP 11.2.

    Falk has also asked Uber to establish an information security program and appoint an individual to lead it. The program must identify risks related to the security or integrity of personal information of Australian users collected and/or held by the Uber companies that could result in misuse, interference, or loss, or unauthorised access, modification, or disclosure of this information. It must also include refresher training for staff and boast rigid safeguards.

    The privacy commissioner also wants an incident response plan implemented by the company, which includes a clear explanation of what constitutes a data breach.

    Falk said the matter raised complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.

    In this case, Australians’ personal information had been directly transferred to servers in the United States under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.

    “Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she added.

    To that end, her determination also included a request for an independent assessment of Uber’s adherence to the Australian Privacy Act.

    The commissioner has also ordered the Uber companies to appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.

    Uber in September 2018 agreed to pay $148 million in a US settlement over the incident, and a few months later was fined over £900,000 by UK and Dutch watchdogs in relation to the 2016 data breach.

    Two men pleaded guilty in October 2019 to the hack and Uber’s former chief security officer was charged in August 2020 by US authorities over the cover-up.

    In response to the OAIC’s determination, an Uber spokesperson told ZDNet it welcomed the resolution to the incident.

    “We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” they said.

    “We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016.

    “We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”

    Updated 4:10pm AEST Friday 23 July 2021: Added statement from Uber spokesperson.

  • Akamai has trouble and the internet hiccups again

    You’ve heard it before, you’ll hear it again. Once more with feeling, the internet is having real trouble as we move into July 22’s early afternoon on the US East coast.

    According to reports on the Outages list, which is the central mailing list for ISP and network operators to report and track major internet connection problems, and numerous Reddit threads, the major Content Delivery Network (CDN) Akamai is the root of the problem.

    Specifically, people are reporting that when they try to reach sites that use Akamai to host their DNS CNAMEs they can’t reach them. The sites are fine. But, thanks to trouble on Akamai’s DNS edge servers, your web browser, game application, whatever, can’t reach the sites. They’re not getting the right addresses so your local program doesn’t know how to find them.

    Akamai has admitted it’s having trouble. In a notification, Akamai stated:

    “We are aware of an emerging issue with the Edge DNS service. We are actively investigating the issue. If you have questions or are experiencing impact due to this issue, please contact Akamai Technical Support. In the interest of time, we are providing you the most current information available, which is subject to changes, corrections, and updates.”

    Oops. Akamai only has 9.6% of the CDN market. But, its share is a very important one. Sites that depend on Akamai include Amazon Web Services, Microsoft, Delta Airlines, Oracle, Capital One, and AT&T. Yeah, you’ll notice when those sites and the services they provide are offline.

    There are reports that Akamai has a handle on the problem now. The status page site itself, as of 1:02 PM Eastern time, states that “This incident has been mitigated.” Since it takes time for both problems and fixes to appear in the global DNS service, you may still have trouble reaching some sites or services. For example, I’m still having trouble using my Delta airlines app.

    So, be patient. By the end of the business day, Akamai and your internet connection should be back to normal.

  • Microsoft Edge 92 starts rolling out to mainstream users

    On July 22, Microsoft began rolling out version 92 of its Chromium-based browser to the Stable Channel, meaning mainstream users. The new version includes a number of new features, including a new Password Health Dashboard.

    The Password Health Dashboard is meant to help users refrain from using the same password across multiple sites and to identify whether their passwords are strong enough. Microsoft already has a Password Monitor feature for detecting whether users’ credentials saved to autofill have been detected on the dark web, and Password Generator, an option for auto-generating passwords.

    Edge 92 also will allow users to bring their saved credentials into other apps and browsers on their phones when using Edge on Mobile. Saved login information from the browser can be used to log into mobile apps like Instagram and Pinterest.

    According to Microsoft’s Edge release notes, other features that will be part of Edge 92 include natural language search for browser history on the address bar; MHTML files opening by default in Internet Explorer mode; synchronization of payment information across devices; the ability to manage extensions from the toolbar; and an option to navigate from HTTP to HTTPS on domains that support HTTPS.

    Officials also touted the availability of a new Microsoft Outlook Extension that will allow users to see their most recent personal and/or work emails, to-do lists and calendars without having to open a new tab or app.

  • Get a lifetime of data encryption for your company for just $60

    Ransomware extortion demands, as well as the downtime they cause, continue to steadily increase. Unsurprisingly, the result is that digital security costs are rising as well. But there are regulations in place now that make the privacy and security of your data a matter of compliance, which means the strongest protection is essential. A lifetime subscription to the Encrypt Office Business Plan will help you take control of your company’s data before someone gets to it.

    Encrypt Office is a SaaS solution that is fast and easy to implement. It will turbocharge your company’s productivity, compliance, and security. It surrounds all of your data with a wall of encryption. FIPS 140-2 compliant TLS encryption is used when data is in transit, while data at rest is protected by AES 256 bit encryption with 1,024-bit key strength.

    Not only are your email and large file transfers encrypted, but you also get encrypted vaults that require three-factor authentication. These can be used to store files and receive files securely from anyone via a web browser.

    Data compliance is ensured because all of the sensitive digital assets that are stored and transmitted by your company are protected against theft, misuse, and loss. Encrypt Office also provides the full audit trail of all data interactions that are required for HIPAA compliance.

    This plan includes encrypted file transfers of up to 5GB. It offers cloud integration as well, so you can use it with Google Drive, Dropbox, OneDrive, and more. Encrypt Office is customizable so that your administrators are able to set specific policies that are most appropriate for your company.

    Don’t pass up this opportunity to get strong protection that will permanently keep your business data safe. Get a lifetime subscription to the Encrypt Office Business Plan while it is on sale for just $59.99.


  • Attacks on critical infrastructure are dangerous. Soon they could turn deadly, warn analysts

    Tech analyst firm Gartner reckons that hackers will have turned computer systems into weapons to the point that they could injure or kill humans by 2025, and that beyond the human tragedy it will cost businesses $50 billion to remediate across IT systems, litigation and compensation.

    Past malware attacks, such as Stuxnet, which is believed to have been the work of the NSA, have demonstrated that malware can create real-world damage, not just scramble data. And cyber-attacks have long had real-world implications, such as the ransomware attacks on organizations like Colonial Pipeline and hospitals in the US and Europe. The UK’s NHS struggled for days after the 2017 WannaCry ransomware attack, which was blamed on North Korean state-sponsored hackers.

    Gartner reckons that by 2025, hackers will have weaponized operational technology (OT) environments to “successfully harm or kill humans”. By OT, Gartner means “hardware and software that monitors or controls equipment, assets and processes.” It also calls them cyber-physical attacks (CPS): examples of that might be attacks on electronic medical equipment or physical infrastructure.

    “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” says Wam Voster, a senior research director at Gartner.

    More worryingly, Voster went on: “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”

    Gartner breaks down OT and cyber-physical threats into three categories: actual harm; commercial vandalism, which reduces output; and vandalism against an organization’s reputation, which renders it unreliable and untrustworthy as a manufacturer.

    Gartner expects that the financial impact of CPS attacks that kill or injure people will reach over $50 billion by 2023. The costs to organizations will be significant and include compensation, litigation, insurance, regulatory fines and reputation loss, Gartner says. However, it should be noted that this figure is small compared to overall global spending on IT, which Gartner expects to reach $4.2 trillion in 2021.

    Fortunately, Gartner does have some practical advice for organizations that control operational technology, such as appointing an OT security manager for each facility, security training and awareness for staff, and testing incident response capabilities. Given the perennial threat of ransomware, it also urges organizations to implement adequate backup, restore and disaster recovery capabilities.

    It also recommends managing portable media, such as USB sticks, that may be connected to OT systems: “Only media found to be free from malicious code or software can be connected to the OT,” it says. Companies need to have a current inventory of IT and OT assets; real-time logs and detection capabilities; secure configurations; and a formal patching process.