Information Technology

Consumers in Singapore may know what phishing entails, but few are able to properly identify the various types of phishing email. In addition, inertia continues to persist with amongst some who believe they will not fall victim to online scams. 
Some 66% in Singapore said they aware of phishing attacks, but just 4% were able to correctly identify all phishing email shown to them in an online study. Conducted in December last year for Cyber Security Agency (CSA), the annual Cybersecurity Public Awareness Survey polled 1,000 respondents to assess adoption and awareness of cyber hygiene behaviour and attitudes. 
While 86% correctly identified phishing email that promised attractive rewards, a lower 57% were able to pick out email message with suspicious attachments and 53% could identify phishing email requesting for confidential information.

The 2019 survey also revealed that 85% recognised the risks of not installing security apps on their mobile devices, but just 47% did so. This was a slight increase of 45% in 2018 who installed security apps on their devices. 
In addition, the adoption rate for two-factor authentication climbed slightly to 83% in 2019 from 80% in the previous year. 
This despite the fact that more Singaporeans were using their mobile devices for online transactions, with 80% doing so last year compared to 73% in 2018. Furthermore, 82% expressed moderate to extreme concern that cybercriminals would hijack control of their computer or obtain their financial information without prior consent. 
The survey revealed that 28% had fallen victim to at least one cyber incident over the past 12 months, with 14% experiencing unauthorised attempts to access their online accounts. Another 10% had such accounts used to contact others without their consent. 
Upon experiencing a security incident, 68% said they changed their passwords, while 46% reported the breach to the relevant organisation. Another 30% installed an antivirus software and 8% did not take any action.
Despite 78% of respondents who were worried about falling prey to online scammers or fraudsters, just 27% believed there was a likelihood such incidents could happen to them. 
CSA’s chief executive and commissioner of cybersecurity David Koh said: “With our increasing reliance on technology, especially amidst the COVID-19 pandemic, opportunistic cybercriminals now have a bigger hunting ground. It is important for us to shake off the ‘it will not happen to me’ mindset, stay vigilant, and take steps to protect ourselves online so that we do not become the next victim.”
Cybercrime accounted for 26.8% of all crimes in Singapore last year, with e-commerce scams the most popular and used by scammers who hoodwinked 2,809 victims. This was a 30% increase from 2,161 reported cases in 2018, according to the Singapore Cyber Landscape 2019 report released in June by CSA. Citing figures from the local police, the report noted that victims of e-commerce scams continued to be lured by attractive online deals on items such as electronic gadgets and event tickets.

(Source: Singapore’s Cyber Security Agency)
RELATED COVERAGE More

Geoscience Australia has gone to market as part of its plans to further modernise its IT environment by shifting off legacy platforms and making continued improvements toward more modern platforms through 2021.
In a request for tender, Geoscience Australia said it is seeking a service provider to act as the single point of contact for any IT-related incidents and requests; provide end user computing; and provision business and corporate applications.
Additionally, Geoscience Australia also plans to upgrade from Skype for Business to Microsoft Teams for enterprise voice, video conferencing, and collaboration tools; make networking enhancements around remote access/VPN and end of life elements; improve its record management system capabilities; and implement a customer relationship management system.
Geoscience added there are plans to make further IT security enhancements so that it is in line with the Essential Eight controls for mitigating cyber attacks, which entails reviewing all existing identity-related processes and automating “unnecessary manual steps” through single multifactor login.
“As we deal with more and more networks and endpoints, identity has become important as one of many factors that act as the new network boundary. Identity gives us a powerful common layer that we can control across many different networks and endpoints,” Geoscience Australia said.
“Identity is a critical component of the new chain of trust that binds and protects our resources across various endpoints in a way that facilitates our mobile workforce.”
In a previous ANAO audit on cyber resilience, Geoscience Australia was labelled as lacking where the Top Four mitigation strategies were concerned. 
Following the ANAO probe, Geoscience Australia agreed to up its security posture, telling the Joint Committee of Public Accounts and Audit in March last year that it would be compliant with the Top Four by 30 June 2019.
The Top Four are mandatory and the Essential Eight are recommended as best practice.  
See also: Industry report calls for ACSC to get offensive and smaller agencies to get cyber help
In its tender documents, Geoscience Australia also revealed how it is hoping to retire a “small number” of Window 7 devices, as well as upgrade the infrastructure of its existing Citrix-based remote desktop environment which is nearing the end of its life cycle.
Geoscience Australia’s plans to carry out additional IT work follows work the agency has been undertaking over the last two years across its IT environment, specifically in end user computing, enterprise voice and collaboration, in-cloud compute, identity, database, and IT security.
The IT service provider will be charged with providing support for Geoscience Australia’s headquarters based in the Australia Capital Territory and its remotes sites, such as its Alice Springs ground station and potentially Yarragadee in Western Australia, the tender documents said.
The initial contract will be for three years, with the option to extend it to a maximum term of five years.
Tender submissions close September 30, with an anticipated start date of April 2021.
Geoscience Australia had previously said it would fix its culture by immersing its staff in the world of government-owned enterprise by learning from others, such as Australia Post, that are “leading” the way.
“We ended up sending four staff down to Melbourne to go work for Australia Post for 100 days to learn their culture internally and flew another 30 or 40 people down on day trips to see how they worked with continuous delivery and cloud engineering,” Geoscience Australia director of scientific computing Ole Nielson said at the time.
Related Coverage  More

The Australian Securities and Investments Commission (ASIC) is alleging RI Advice Group Pty Ltd, an Australian Financial Services (AFS) licence holder focused on retirement advice, failed to have adequate cybersecurity systems in place.
ASIC has commenced proceedings in the Federal Court of Australia against RI, following a number of alleged cyber breach incidents at certain authorised representatives of RI.
According to ASIC, incidents included an alleged cyber breach at Frontier Financial Group Pty Ltd from December 2017 to May 2018.
Prior to October 2018, RI was a wholly-owned subsidiary of ANZ Bank. It then became a wholly-owned subsidiary of IOOF Holdings Limited as one of four financial planning dealer groups sold by ANZ under a AU$975 million deal.  
See also: Boards of Australian financial firms face tougher infosec rules from 1 July
ASIC alleges that Frontier was subject to a brute force attack whereby a malicious user successfully gained remote access to Frontier’s server. ASIC alleges the actor spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
The financial watchdog alleges that RI, including its authorised representatives, failed to implement adequate policies, systems, and resources that are reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
With the proceedings being launched on Friday, ASIC is seeking declarations that RI contravened certain provisions of the Corporations Act, orders that RI pay a civil penalty, and compliance orders for RI to implement systems that are “reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented”.
A report from ASIC in December found that while awareness and management of cybersecurity risk were improving in Australia’s financial market, there was still room for improvement across the entire sector.
“Organisations are alert to cybersecurity threats to their business and have focused their resources and efforts on improving their cybersecurity governance, risk management, and response and recovery capabilities,” the watchdog wrote.
MORE FROM ASIC More

Image via University of Utah; Composition: ZDNet

The University of Utah revealed today that it paid a ransomware gang $457,059 in order to avoid having hackers leak student information online.
The incident is the latest in a long string of ransomware attacks where criminal groups steal sensitive files from the hacked companies before encrypting their files; and in case victims refuse to pay, threaten to release the stolen documents as a second extortion scheme.
Unfortunately, this is exactly what happened in the case of the University of Utah. In a statement posted on its website today, the university said it actually dodged a major ransomware incident and that the hackers managed to encrypt only 0.02% of the data stored on its servers.
The university said its staff restored from backups; however, the ransomware gang threatened to release student-related data online, which, in turn, made university management re-think their approach towards not paying the attackers.
“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker,” the university said today.
“This was done as a proactive and preventive step to ensure information was not released on the internet.
“The university’s cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom,” University of Utah officials added.
University officials also provided details about the attack today, such as the date when it took place (July 19, 2020), and what part of the network it impacted (the network of the university’s College of Social and Behavioral Science [CSBS]).
However, the university did not reveal which ransomware gang was behind the attack.
All signs point to NetWalker
Brett Callow, a threat analyst at cyber-security firm Emsisoft, told ZDNet today that, although lacking concrete evidence, the NetWalker ransomware gang is most likely behind the attack.
This particular group, which is believed to have made more than $25 million from ransom payments this year, has been behind a recent wave of attacks against university networks, such as the attacks against Michigan State, the University of California at San Francisco (paid $1.14 million), Columbia College Chicago, and the City University of Seattle.
But Callow also took issue with University of Utah officials paying the attackers to stop a data leak; warning against such practice has little benefits.
“Paying ransoms to prevent data being published seems to make little sense,” Callow told us.
“All what organizations are paying for in this scenario is a pinky promise from a bad faith actor that the stolen data will be destroyed. Whether the groups do ever destroy data is something only they know, but I suspect they do not. Why would they? They may be able to monetize the information at a later data or use it for spear phishing or identity theft.” More

Image: nrd (Unsplash), Instacart

special feature

Securing Your Mobile Enterprise
Mobile devices continue their march toward becoming powerful productivity machines. But they are also major security risks if they aren’t managed properly. We look at the latest wisdom and best practices for securing the mobile workforce.
Read More

Grocery delivery and pick-up service Instacart disclosed a security incident caused by two employees working for a company providing tech support services for Instacart shoppers.
According to a press release published today, Instacart says the two employees “may have reviewed more shopper profiles than was necessary in their roles as support agents.”
The company is now notifying 2,180 shoppers via email about the incident. The figure represents the Instacart user profiles the company believes the two employees might have needlessly accessed while working as tech support agents.
Breach discovered following a routine audit
Instacart said it learned of the breach in procedure of the two support agents following a routine security audit.
The grocery delivery service said a subsequent forensic investigation did not find any evidence the two support agents had downloaded or digitally copied data from its systems.
Nonetheless, Instacart said that it took drastic measures when it came to dealing with the support agents and the company that hired them.
“First, we immediately worked with our third-party support vendor to ensure that their two employees will never work on behalf of Instacart again,” Instacart said today.
“Second, we suspended work at this third-party support location and have since ceased local operations indefinitely.”
Second security incident this year
This is the second security incident that Instacart had to deal with this summer. In July, hackers put up for sale the details of 278,531 Instacart accounts on a dark web marketplace.
The sold data included names, delivery addresses, the last four digits of credit card numbers, and order histories, according to Buzzfeed.
Instacart acknowledged the incident two days later, in a press release, and blamed it on a credential stuffing attack, accusing users of reusing passwords across online accounts. More

Uber’s former chief security officer was charged on Thursday for covering up the company’s 2016 security breach, during which hackers stole the personal details of 57 million Uber customers and the details of 600,000 Uber drivers.
Prosecutors in Northern California are charging Joe Sullivan, 52, who served as Uber CSO between April 2015 and November 2017, when Uber changed its CEO and most of its management team.
According to court documents, DOJ officials claim that Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach.”
Speaking at a press conference today (see video below), US Attorney for the Northern District of California David Anderson said that by hiding the Uber hack from authorities and management, Sullivan indirectly helped the hackers breach other companies.
“This office charged the hackers and last year, and they pleaded guilty,” Anderson said. “In their guilty pleas, the hackers admitted to hacking other companies using similar techniques to those used in the Uber hack.
“If Sullivan had promptly reported the Uber hack those other hacks of those other companies may have been prevented,” Anderson said.
[embedded content]
How the 2016 Uber hack unfolded
But to understand what happened behind the scenes, we must combine details put forward by the DOJ today and court documents from the DOJ’s case against the Uber hackers — namely, Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto.
Per these two sets of documents, the Uber hack took place after the two hackers used a custom-built tool to gain access to GitHub accounts.
Glover and Mereacre specifically targeted the accounts of employees working for large corporations, gained access to their GitHub profiles, and then searched through the employee’s projects for sensitive passwords and credentials.
This is how the two hackers got their hands on Amazon Web Services (AWS) credentials for Uber’s backend infrastructure, where they found and subsequentially downloaded details for 57 million Uber customers and 600,000 Uber drivers.
Per court documents, the two hackers reached out to Sullivan via email, claiming they “found a major vulnerability,” provided a sample of the stolen data, and then requested a $100,000 payment in bitcoin to reveal the company’s security hole.
Court documents unsealed today reveal that at the time Sullivan received this email, on November 14, Sullivan had just submitted a written testimony to the FTC about a 2014 security breach, during which a hacker stole the names and drivers licenses of about 50,000 drivers.
Prosecutors say that Sullivan and his security team confirmed the validity of the hackers’ sample data within 24 hours of receiving the email, but instead of notifying the FTC of this new security breach, Sullivan agreed to pay the hackers’ “hush money.”
Court documents filed today show conversations Sullivan had with then-Uber CEO Travis Kalanick about the security breach, with Kalanick giving the go-ahead for the hackers to receive their ransom in the form of a bug bounty program payout.

Investigators say that Sullivan proceeded with this plan and arranged for the hackers to sign a non-disclosure agreement even without knowing their real names. This initial contract was signed, and the bounty paid in December 2016 via the company’s HackerOne bug bounty program.
However, US prosecutors say that when Uber’s security team tracked down and identified the two hackers, instead of notifying authorities, Sullivan had the two hackers re-sign their confidentiality agreement in their true names.
Furthermore, the DOJ complaint claims that Sullivan insisted on the hackers signing a contract that claimed they had not taken any of Uber’s data, knowing this statement was false.
“When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements,” the DOJ said today in a press release.
New management comes in, exposes hack
Things then calmed down, but only until August 2017, when Uber’s board ousted Kalanick and replaced him with Dara Khosrowshahi.
The DOJ says that Sullivan notified the new management team about the 2016 security incident, but continued to cover up the hack.
“Specifically, Sullivan failed to provide the new management team with critical details about the breach,” the DOJ said. “In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
But despite the issue being resolved, the new Uber CEO disclosed the breach to the public in November 2017. This disclosure was followed by an FBI investigation, which quickly identified and arrested the hackers, both of which pleaded guilty in October 2019.
As the FBI investigated and gained access to the company’s internal communications, they also started to understand Sullivan’s role in covering up the 2016 breach.
“Silicon Valley is not the Wild West,” said Anderson today. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Sullivan was charged today with obstruction of justice and misprision of a felony in connection to the 2016 hack and subsequent cover-up. If found guilty on both charges, Sullivan risks maximum prison sentences of five and three years, respectively.
As NPR pointed out today, before serving as a CSO at Uber, Sullivan had previously spent two years prosecuting computer hacking crimes as an assistant US Attorney in the very same office that charged him today. More

Image: Peggy_Marco on Pixabay

Two of today’s biggest ATM manufacturers, Diebold Nixdorf and NCR, have released software updates to address bugs that could have been exploited for “deposit forgery” attacks.
Deposit forgery attacks happen when fraudsters can tamper with an ATM’s software to modify the amount and value of currency being deposited on a payment card.
Such attacks are usually followed by quick cash withdrawals, either during weekends or via transactions at other banks, with the fraudsters trying to capitalize on the inexistent funds before banks detect any errors in account balances.
Two similar bugs impact Diebold Nixdorf and NCR ATMs
Deposit forgery bugs are rare, but two have been discovered last year and patched this year. Diebold Nixdorf patched CVE-2020-9062, an issue impacting ProCash 2100xe USB ATMs running Wincor Probase software, while NCR patched CVE-2020-10124, a bug in SelfServ ATMs running APTRA XFS software.
At their core, both bugs are identical, according to advisories published today by the CERT Coordination Center at Carnegie Mellon University.
CERT/CC says the ATMs do not encrypt, authenticate, or verify the integrity of messages sent between the ATM cash deposit boxes and the host computer.
An attacker that has physical access to connect to the ATM can tamper with these messages when cash is deposited and artificially inflate the deposited funds.
Diebold and NCR have secured their devices by releasing software updates that have hardened the communications between the cash deposit module and the host computer.
Disclosure and reporting delayed due to sanctions
Both vulnerabilities, and others, have been discovered by security researchers working at Embedi, a Moscow-based security firm that was sanctioned by the US Treasury Department in June 2018 for allegedly working with the Federal Security Service (FSB), Russia’s top intelligence agency, to bolster Russia’s “offensive cyber capabilities.”
Before working with Embedi researchers on coordinating the public disclosure of these bugs, the CERT/CC at CMU had to obtain a special permit from the Office of Foreign Assets Control (OFAC) at the US Treasury Department. More

Google has patched on Wednesday a major security bug impacting the Gmail and G Suite email servers.
The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.
According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attachers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards.
Google delayed patches, despite a four months heads-up
However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September.
Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Seven hours after the blog post went live, Google told Husain they deployed mitigations to block any attacks leveraging the reported issue, while they wait for final patches to deploy in September.
In hindsight, yesterday’s bug patching snafu is a common occurrence in the tech industry, where many companies and their security teams don’t always fully understand the severity and repercussions of not patching a vulnerability until details about that bug become public, and they stand to be exploited.
How the Gmail (G Suite) bug worked
As for the bug itself, the issue is actually a combination of two factors, as Husain explains in her blog post.
The first is a bug that lets an attacker send spoofed emails to an email gateway on the Gmail and G Suite backend.
The attacker can run/rent a malicious email server on the Gmail and G Suite backend, allow this email through, and then use the second bug.
This second bug allows the attacker to set up custom email routing rules that take an incoming email and forward it, while also spoofing the identity of any Gmail or G Suite customer using a native Gmail/G Suite feature named “Change envelope recipient.”
The benefit of using this feature for forwarding emails is that Gmail/G Suite also validates the spoofed forwarded email against SPF and DMARC security standards, helping attackers authenticate the spoofed message. See Husain’s graph below for a breakdown of how the two bugs can be combined.

Image: Allison Husain
“Additionally, since the message is originating from Google’s backend, it is also likely that the message will have a lower spam score and so should be filtered less often,” Husain said, while also pointing out that the two bugs are unique to Google only.
If the bug had been left unpatched, ZDNet has no doubt that the exploit would have most likely been widely adopted by email spam groups, BEC scammers, and malware distributors.

To summarize @ezhes_ s work, using an attacker-owned domain you can abuse G Suite’s “default routing” & “inbound gateway” settings to spoof ANY other G Suite domain and pass SPF/DMARC. So you can impersonate Larry Page, Intuit, or my grandma’s gmail. This is a BEC gold mine (2/n)
— Josh Kamdjou (@jkamdjou) August 20, 2020

Google’s mitigations have been deployed server-side, which means Gmail and G Suite customers don’t need to do anything. More