Information Technology

Google is once again delaying the phaseout of third-party cookies in Chrome. The browser will now fully support the tracking technology until the second half of 2024, Google said on Wednesday. In 2021, Google originally committed, to ending third-party cookie support within the Chrome browser in 2022. The commitment came two years after Google began working on its “privacy sandbox” for Chrome. 
ZDNet Recommends
The efforts were slow and met some setbacks along the way. In a blog post Wednesday, Google’s Privacy Sandbox VP Anthony Chavez said the company has taken a “deliberate approach to transitioning from third-party cookies.” He added, “The most consistent feedback we’ve received is the need more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome.” Google has been working on this for years in response to growing consumer concerns about privacy. Typically, businesses have relied on third-party cookies and data aggregators to assess the behavior of their users across multiple domains. This, however, clearly came at the cost of customer privacy. Consequently, companies like Google and Apple began restricting the use of third-party cookies. Google’s first attempt to replace the third-party cookie with its own technology, called FLoC, was met with staunch opposition from some, a wary eye from others, and very little positive feedback. Given this poor reception, Google subsequently said Chrome would continue supporting third-party cookies until at least mid-2023. Then in January of this year, it rolled out the Topics API, which aims to track users anonymously while still giving advertisers enough data for interest-based ads. Beginning in early August, the Privacy Sandbox trials will expand to millions of users globally. Google will gradually increase the trial population throughout the rest of the year and into 2023. The company expects the Privacy Sandbox APIs to be launched and generally available in Chrome by Q3 2023. Then it will begin phasing out third-party cookies in Chrome during the second half of 2024. More

Image: Sergey Nivens/Shutterstock Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.  The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced. Among this group are 2021’s most significant flaws, including the […] More

Image: Getty A ransomware attack was prevented just because the intended victim was using multi-factor authentication (MFA) and the attackers decided it wasn’t worth the effort to attempt to bypass it.  It’s often said that using MFA, also known as two-factor authentication (2FA), is one of the best things you can do to help protect your accounts […] More

Image: Getty/10’000 Hours There’s been an uptick in malware native to Microsoft’s Internet Information Services (IIS) web server that is being used to install backdoors or steal credentials and is hard to detect, warns Microsoft.  Microsoft has offered insights into how to spot and remove malicious IIS extensions, which aren’t as popular as web shells […] More

The average cost of a data security breach has hit another record-high of $4.35 million per incident, growing 12.7% over the past two years. And some businesses are passing the buck to customers, even as the cost of products and services has climbed amidst inflation and supply chain constraints. This year’s figure was up 2.6% from last year’s $4.24 million per breach, according to IBM’s 2022 Cost of Data Breach report, which further revealed that 83% of companies surveyed had experienced more than one data breach. Conducted by Ponemon Institute, the report analysed 550 organisations across 17 global markets that were impacted by data breaches between March 2021 and March 2022.Just 17% said this was their first breach. In addition, 60% said they increased the price tag on their products and services due to losses suffered from the data breach. They also continued to chalk up losses long after the breach, where almost half of such costs were incurred more than a year after the incident. Organisations in the US saw the highest average cost of a breach, which climbed 4.3% to $9.44 million, followed by the Middle East region where the average cost clocked at $7.46 million this year, up from $6.93 million in 2021. Canada, the UK, and Germany rounded up the top five pack, chalking at average losses of $5.64 million, $5.05 million, and $4.85 million per breach, respectively. Six markets, including Japan, South Korea, and France, amongst the 17 markets analysed saw a dip in their respective average breach cost. Supply chains, user credentials fuel attacksAcross the board, companies took an average of 207 days to identify the breach and 70 days to contain it, down overall from last year’s average of 212 days to identify and 75 days to contain the breach.Some 19% of breaches were the result of supply chain attacks, costing an average $4.46 million and clocking a lifecycle of 26 days longer than the global average of 277 days, which measured the combined time to identify and contain a data breach. Supply chain breaches were due to a business partner being the initial point of compromise. Human errors, which encompassed negligent actions of employees or external contractors, accounted for 21% of incidents, while IT failures–the result of disruption or failure in a company’s IT systems that led to data loss–were behind 24% of breaches. The latter included errors in source codes or process failures, such as automated communication errors. Some 11% of breaches were ransomware attacks, up from 7.8% last year and at a growth rate of 41%, but the average cost of such attacks dropped slightly to $4.54 million from $4.62 million in 2021. Attacks from stolen or compromised credentials remained the most common cause of a data breach, accounting for 19% of all incidents this year, the report found. Breaches from stolen or compromised credentials cost an average $4.5 million per incident and had the longest lifecycle of 243 days to identify and 84 days to contain the breach. Phishing was the second-most common cause of a data breach, accounting for 16% for overall attacks, but the costliest with an average $4.91 million in losses. Amongst sectors, healthcare suffered a record-high average breach cost of $10.1 million, up almost $1 million from 2021 and sealing its ranking as the most expensive industry. In fact, the sector’s breach costs had climbed 41.6% since 2020. The financial services sector recorded the second-highest average breach cost of $5.97 million, followed by pharmaceuticals, technology, and energy at $5.01 million, $4.97 million, and $4.72 million, respectively. The average breach cost for organisations running critical infrastructures was $4.82 million, which was $1 million more than the average cost for organisations in other sectors. Critical infrastructure companies were from sectors that included financial services, energy, transport, healthcare, and government. Amongst these organisations, 28% experienced a destructive or ransomware attack and 17% pointed to a compromised supply chain partner. Mitigating losses with touted security strategiesThe IBM study also studied differences in the impact of a data breach amongst companies that had and had not adopted security strategies and technologies, such as zero trust, extended detection and response (XDR), and artificial intelligence (AI). The report noted that nearly 80% of critical infrastructure organisations without a zero trust strategy saw a higher average breach cost of $5.4 million, or $1.17 million more than those that adopted zero trust frameworks. Across the board, 41% of organisations said they had deployed a zero trust security framework, up from 35% last year, and the remaining 59% had not done likewise. In addition, those that deployed security AI and automation tools saw lower breach costs that were $3.05 million lower than their peers that did not implement any of such tools. They also took 74 days longer to identify and contain a breach than those that adopted security AI and automation technologies. The number of organisations that used such tools hit 70% this year, up from 59% in 2020. In addition, 43% of companies that were in the early stages or had yet to deploy security practices across their cloud platforms saw higher losses of at least $660,000 on average than those that had mature cloud security environments. Some 44% of breaches in the study happened in the cloud, with those occurring in a hybrid cloud environment costing an average $3.8 million, compared to $4.24 million for breaches in private clouds and $5.02 million in public clouds. At $4.99 million per incident, remote work-related breaches also cost almost $1 million more on average than breaches where remote work was not a factor. Some 44% of companies had implemented XDR technologies and they saw shorter breach lifecycles of about a month, on average, compared to their peers that had not deployed such tools who took 304 days to identify and contain a breach. Amongst organisations that suffered ransomware attacks, those that paid up clocked $610,000 lower breach costs–excluding cost of ransom–compared to those that chose not to pay.In addition, 62% of companies that said they were insufficiently staffed to support their cybersecurity needs saw an average $550,000 higher breach costs than those that were adequately staffed.RELATED COVERAGE More

For iPhone owners, this is always a tricky question. It’s always worth checking the incentives offered by your carrier, which might end up making the cost of one model significantly better than you think. If you’re considering changing carriers, now is a good time to see what kind of enticements they’re offering to get you to switch. You might end up with a new phone for significantly less than you’d pay otherwise.Which model is right for you? We asked ZDNet’s iPhone expert, Jason Cipriani, to help spell out the differences:Deciding between an iPhone 12 and iPhone 13 can be tough. Both phones are very similar. They both have two rear-facing cameras, the same core display tech, support 5G connectivity and run the latest version of iOS. However, there are some key differences that are sure to help you make your final decision one way or another.Those differences distill down to a new processor, battery life, storage, camera features and — if it’s important to you — color options. The iPhone 13 comes with Apple’s A15 processor while the iPhone 12 has the A14. Those numbers might not mean much, and even though my experience is that the iPhone 13 does perform better, it’s not something you should specifically seek out unless your budget allows.The iPhone 13 has slightly better battery life (19 hours for the iPhone 13 versus 17 hours for the iPhone 12), and the base storage for the non-Pro models has doubled to start at 128GB, instead of the iPhone 12’s 64GB starting point.The iPhone 13’s camera also has a few new camera tricks, including Cinematic Mode, which adds depth to your videos. There’s also a difference in color options, with the 12’s colors being brighter and more vibrant while the iPhone 13’s colors are darker, but still look fantastic.All told, the iPhone 12 is a very similar device to the iPhone 13. If you don’t care about the colors, storage, or a couple extra hours of battery and a performance bump, I think you’d be happy with the iPhone 12. However, if any of those factors are important to you, the iPhone 13 is the better investment.Side note: For those struggling with a similar decision regarding the iPhone 12 Pro and iPhone 13 Pro, then you should know there are some big differences between the two, especially when it comes to display technology.Specifically, the iPhone 13 Pro line has what Apple calls a ProMotion display, which means that the refresh rate of the screen maxes out at 120Hz compared to 60Hz on the iPhone 12 Pro. The impact of the faster refresh rate is that scrolling through long documents, in apps and even gaming all look smoother. Battery life goes from 17 hours on the iPhone 12 Pro to 22 hours on the iPhone 13 Pro, and you gain the ability to take macro photos using the rear cameras. More

Five technology giants including Twitter and Facebook have pledged to self-regulate and adhere to a new voluntary code of practice in New Zealand that aims to curb harmful online content. The move, however, has been dismissed as “window dressing” and an attempt to preempt regulation. Google, Meta, TikTok, Amazon, and Twitter agreed to sign up for the Aotearoa New Zealand Code of Practice for Online Safety and Harms, which “obligates” tech companies to “actively reduce harmful content” on their respective digital platforms and services in the country. The agreement includes Google’s YouTube, Meta’s Facebook and Instagram, and Amazon’s Twitch platforms. The move marked the launch of the code of practice, which came into effect Monday after a year of development efforts led by Netsafe, a non-profit organisation focused on online safety. Dependent on self-regulation, the code outlines principles and best practices that looks to improve online safety and cut harmful content. It can be applied to range of products and services that serve different user communities, addressing different concerns and use cases, according to Netsafe. The code focuses on seven themes under which content is deemed harmful, including cyberbullying or harassment, incitement of violence, misinformation, and child sexual exploitation and abuse.  Under the code, signatories will make “best efforts” to four key commitments that encompass reducing the prevalence of harmful online content, empowering users with more control and to make informed choices, enhancing transparency of policies and processes, as well as supporting independent research. Netsafe said: “It provides flexibility for potential signatories to innovate and respond to online safety and harmful content concerns in a way that best matches their risk profiles, as well as recalibrate and shift tactics in order to iterate, improve, and address evolving threats online in real-time.” It added that the code was not designed to replace “obligations” involved in existing laws or other voluntary regulatory frameworks. Instead, it focused on the signatories’ architecture comprising their systems, policies, processes, products, and tools put in place to combat the spread of harmful content.NZ Tech has been roped in take over the establishment and administration of the code. The not-for-profit NGO (non-governmental organisation) represents 20 technology communities and more than 1,000 members across New Zealand.Several digital platforms, including all the five tech companies that signed up for it, were involved in the initial drafting of the code. Feedback from civil society groups, interest groups, the government, and general public also was taken into consideration. The code will be monitored by a “new multi-stakeholder governance” group, Netsafe said, which noted that the code was built on online safety principles from Australia and EU. Companies that agreed to adhere to the new code of practice would have to publish annual reports about their progress in adherence with the code and would be subject to sanctions if they breached their commitments.Netsafe CEO Brent Carey said harmful content reports climbed more than 25% amidst increased online use fuelled by the global pandemic. “There are too many kiwis being bullied, harassed, and abused online, which is why the industry has rallied together to protect users,” Carey said. Code promotes model that avoids ‘real accountability’One industry critic, though, has hit out at the establishment of the code, calling it a framework that avoids change and accountability. Tohatoha NZ CEO Mandy Henk said in a post that the code seemed like a “Meta-led effort to subvert a New Zealand institution”, in a bid to claim legitimacy without having done work to earn it. “This is a weak attempt to preempt regulation, in New Zealand and overseas, by promoting an industry-led model that avoids the real change and real accountability needed to protect communities, individuals, and the health of our democracy,” Heml said. “This code talks a lot about transparency, but transparency without accountability is just window dressing. In our view, nothing in this code enhances the accountability of the platforms or ensures those who are harmed by their business models are made whole again or protected from future harms.”Tohatoha NZ is a not-for-profit organisation that advocates public education of the social impacts of technology. Henk said the processes that led to the Aotearoa New Zealand Code of Practice revealed that the minds behind it had “no awareness” of the imbalance of power between users and online platforms and had no interest in correcting this inequity.He also noted that NZ Tech was an advocacy group that lacked the expertise or experience as well as community accountability to administer a code of practice of this nature. It was neither impartial nor focused on the needs of those harmed by the tech platforms, he added.He further called out Netsafe for being involved in establishing the code, when its role as the approved administrator for New Zealand’s Harmful Digital Communications Act meant there was a conflict of interest. “It aligns [Netsafe] too closely with the companies impacted by the Harmful Digital Communications Act and increases the risk of regulatory capture,” he said. “This code is a distraction from their core work of administering the Act, which is crucially important. NetSafe’s focus should be on serving the New Zealand public and enhancing the safety of every New Zealander who uses the internet.”Henk instead urged the need for a government-led process to develop online content regulations. This would provide the legitimacy and resources needed to establish a regulatory framework that safeguarded the rights of internet users. He pointed to the Content Regulatory Review as the right step towards this direction. RELATED COVERAGE More

Image: Getty The battle against ransomware is challenging because not only are ransomware attacks extremely disruptive, but in many cases, victims opt to pay the ransom demand for a decryption key – fueling additional ransomware attacks because criminals know they can make easy money.  However, one scheme continues to take the fight to ransomware gangs […] More