More stories


    Can AI step up to offer help where humans cannot?

    Written by Eileen Yu, Contributor

    Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently an independent business technology journalist and content specialist based in Singapore, she has over 20 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

    If applied inappropriately, artificial intelligence (AI) can bring more harm than good. But it can offer a much-needed helping hand when humans are unable to find comfort from their own kind.

    AI hasn’t always gotten a good rep. It has been accused of replacing human roles, taking away people’s livelihoods, and threatening human rights. With the right checks and balances in place, though, few can deny its potential to enhance business operations and improve lives.

    Others have tapped AI to help save lives. The Chopra Foundation in September 2020 introduced a chatbot, dubbed Piwi, as a “community-driven solution” that aims to prevent suicide. The AI-powered platform is trained by “experts” and, based on its online interactions, can connect users to 5,000 counsellors who are on standby.

    The foundation’s CEO Poonacha Machaiah said: “With Piwi, we are giving people access to emotional AI to learn, interpret, and respond to human emotions. By recognising signs for anxiety and mood changes, we can improve self-awareness and increase coping skills, including steps to reduce stress and prevent suicide by timely real-time assistance and intervention.”

    Piwi has de-escalated more than 6,000 suicide attempts and handled 11 million text conversations, according to the foundation’s founder, Deepak Chopra, an Indian-American author famed for his advocacy of alternative medicine. He described Piwi as an “ethical AI” platform trained with safeguards built into the system, adding that there were always humans in the back end to provide support where necessary.

    Young people, in particular, were drawn to the chatbot, Chopra said. Noting that suicide is the second-most common cause of death among teenagers, he said youths liked talking to Piwi because they didn’t feel judged. “They are more comfortable talking to a machine than humans,” he said in a March 2022 interview on The Daily Show.

    In Singapore, suicide is the leading cause of death for those aged between 10 and 29. It was also five times deadlier than road accidents in 2020, when the highest number of suicide cases since 2012 was recorded in the city-state. Suicide accounted for 8.88 deaths per 100,000 residents that year, compared to 8 in 2019. Increases were seen across all age groups, particularly those aged 60 and above, where the number who died by suicide hit a new high of 154, up 26% from 2019. Industry observers attributed the spike to the COVID-19 pandemic, during which more people were likely to have faced social isolation and financial woes. It is estimated that every suicide in Singapore affects at least six loved ones.

    I, too, have lost loved ones to mental illness. In the years since, I’ve often wondered what else could have been done to prevent their loss. They all had access to healthcare professionals, but clearly that proved insufficient or ineffective. Did they fail to reach help when they needed it most in their final hour because, unlike chatbots, human healthcare professionals weren’t always available 24 by 7? Or were they unable to fully express how they felt to another human because they felt judged? Would an AI-powered platform like Piwi have convinced them to reconsider their options during that fateful moment before they made their final decision?

    I’ve had strong reservations about the use of AI in some areas, particularly law enforcement and autonomous vehicles, but I think its application in solutions such as Piwi is promising. While it certainly cannot replace human healthcare specialists, it can prove vital where humans aren’t viable options. Just look at the 6,000 suicide attempts Piwi is said to have de-escalated. How many of those lives might otherwise have been lost? And there is much more room to leverage AI innovation to improve the provision of healthcare.

    Almost a decade ago, I posed the possibility of a web-connected pill dispenser that could automatically dispense a patient’s prescribed medication. This would be especially useful for older folks who have difficulty remembering the numerous pills and supplements they require on a daily or weekly basis. It could also mitigate the risk of accidental overdose or wrongful consumption.

    There have been significant technological advances since I wrote that post that can further improve the accuracy, and safety, of such a dispenser. AI-powered visual recognition can be integrated to identify and confirm that the correct medication is dispensed. The machine can also hold an up-to-date profile of each medication, such as how much each pill weighs and its distinguishing features, to further verify that the right drugs have been dispensed.

    Clinics and pharmacies could issue each patient’s prescribed medication in a cartridge, refillable every few months and protected with the necessary security features so that its dispensing instructions cannot be tampered with. Relevant medical data would be stored in the cartridge, including dispensing instructions that are read when it is inserted into the machine at home. The cartridge could also trigger an alert when a refill is needed and automatically send an order to the clinic for a new cartridge to be delivered to the home if the patient is unable to make the trip.

    The pill dispenser could be further integrated with other healthcare functions, such as analysing blood for diabetic patients, as well as telemedicine capabilities so doctors can dial in to check on patients should the data sent across indicate an anomaly. AI-powered solutions such as the pill dispenser will be essential in countries with ageing populations, such as Singapore and Japan. They can support a more distributed healthcare system, in which the central core network of hospitals and clinics isn’t overly taxed.

    With the right innovation and safeguards, AI surely can help where humans cannot. For instance, 66% of respondents in Asia-Pacific believe bots will succeed where humans have failed on sustainability and social progress, according to a study released by Oracle, which polled 4,000 respondents in the region, including Singapore, China, India, Japan, and Australia. In addition, 89% think AI will help businesses make more progress towards sustainability and social goals. Some 75% express frustration over the lack of progress to date by businesses, and 91% want concrete action from organisations on how they’re prioritising ESG (environmental, social, and governance) issues, rather than mere words of support.

    Like The Chopra Foundation, CallCabinet also believes AI can help customer service agents cope with the mental stress of dealing with cases. The UK-based speech analytics software vendor argues that AI-powered tools with advanced acoustic algorithms can process key phrases and assess voice pace as well as volume and tonality. These enable organisations to ascertain the emotions behind words and evaluate the sentiment of every interaction. CallCabinet suggests that managers can use them to monitor service calls and identify patterns that signal potential mental health issues, such as negative customer interactions, raised voices, and profanity directed at agents.

    Because when humans cannot provide solace to those who need it, then maybe AI can?


    It's World Password Day! Here's the one simple tip you need to keep your accounts secure online

    Written by Adrian Kingsley-Hughes, Contributor

    Adrian Kingsley-Hughes is an internationally published technology author who has devoted over two decades to helping users get the most from technology, whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs.

    It’s May 5, the first Thursday in May, which means that it’s World Password Day. The day grew out of a suggestion by security researcher Mark Burnett and is meant to raise awareness of the importance of having secure passwords. Well, how secure are your passwords?

    There are a lot of hints, tips and tricks out there for creating and maintaining secure passwords. I’m pretty comfortable with tech and keeping my accounts secure, but I find most of these tips too complicated to follow. It’s better to keep things simple. And I’m going to simplify things for you.

    This is the 21st century, and people don’t need to create and remember their passwords. My advice is simple: use a password manager.

    What is a password manager? A password manager is an app, usually tied to an online service, that safely and securely stores your passwords. It also securely distributes these passwords to all your devices, whether you are on a desktop, laptop, tablet, or smartphone.

    Good password managers not only store your passwords and securely transfer them to your browser or apps as needed, but they can also generate strong passwords and check whether any of your passwords have turned up in leaked data on the internet. Some password managers also let you protect your vault with high-security features such as hardware authentication, making it much harder for attackers to get at your data, and they will warn you if you try to use duplicate passwords.

    So, what are the best password managers? My ZDNet colleague Ed Bott has a list of the best password managers, and it’s a good list. Of the services there, Bitwarden, 1Password, and LastPass are my top choices. They’re fully featured, offer solid security, and cover a broad range of platforms and operating systems. If you’re looking for a no-cost solution, Bitwarden offers a free option, and even the paid option ($10 per year for a single user, $40 annually for a family of up to six users) is great.

    But you might already have a password manager and not know it. For example, if you use a Mac, iPhone, or iPad, then you can use Apple’s Keychain password manager. The only downside here is that you have to be on an Apple device to access your passwords, but it’s a superb solution for those in the Apple ecosystem. If you use Google Chrome, then there’s a password manager built right into that. The downside here is that it’s quite basic, and you can only access your passwords from the browser. Both of these are good options, but they have their limitations.

    So, my advice for World Password Day is that you make sure to use a password manager, not only to store your passwords but also to generate secure passwords when needed. And secure your password manager with a good, unique master password.

    Also, a bonus tip: if your password manager tells you that you’re using duplicate passwords on different websites, or that one of your passwords has been leaked in a company data breach, pay attention and take the action it recommends, because using duplicate passwords, or passwords that have leaked into the wild, is a surefire way to get your online accounts compromised.
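    Two of the features mentioned above, generating a strong password and checking whether a password has already leaked, can be shown in a few lines. The block below is an added example by the editor, not code from this column or from any of the password managers named. It draws a password from the operating system’s CSPRNG, then mirrors the k-anonymity scheme of Have I Been Pwned’s Pwned Passwords range API, in which the client sends only the first five hex characters of the password’s SHA-1 hash and compares the returned suffixes locally, so the password itself never leaves the device. The range response it consults is a constructed stand-in defined in the block rather than a live HTTP call, and the duplicate-password check runs over a constructed vault.

```python
import hashlib
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=20):
    """Random password from the OS CSPRNG, as a manager's generator produces it."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Re-draw the rare candidate with no digit or no symbol so sites' class rules are met.
        if any(c in string.digits for c in pw) and any(c in SYMBOLS for c in pw):
            return pw


def split_hash(password):
    """k-anonymity split: the 5-hex-char prefix is all that is sent to the range API."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts = {}
    for line in text.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup):
    """How many times the password appears in breach data (0 = not seen).
    range_lookup(prefix) stands in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def find_reuse(vault):
    """Map each password stored for more than one site to the sites sharing it."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed stand-in for the API response for prefix 5BAA6, which is where SHA-1("password")
# lands; the other suffixes and all of the counts are made up for this example.
CONSTRUCTED_RANGE = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "2A8D9FEB2AFC99E6AA11F2CDD4F2F2D4C17:1\n",
}


def fake_range_api(prefix):
    """Offline substitute for the HTTP call; returns an empty body for unknown prefixes."""
    return CONSTRUCTED_RANGE.get(prefix, "")


if __name__ == "__main__":
    print("password seen", breach_count("password", fake_range_api), "times")
    fresh = generate_password(24)
    print("generated", fresh, "seen", breach_count(fresh, fake_range_api), "times")
    print("reused:", find_reuse({"a.example": "hunter2", "b.example": "hunter2", "c.example": "x"}))
```

    The point of the prefix split is that the service learns only that one of roughly a million hash buckets is of interest; a manager that sends the full hash or the plaintext to a lookup service is doing something different and worse.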



    FBI: Email fraud keeps getting worse. Here's how to protect yourself

    The FBI has warned that business email compromise (BEC) fraud cost businesses around the world $43 billion in losses between June 2016 and December 2021. The FBI’s Internet Crime Complaint Center (IC3) logged 241,206 complaints in that five-and-a-half-year period, with losses totalling $43 billion, according to a new public service announcement.

    BEC was the biggest category of cybercrime by financial losses in 2021, according to IC3. It cost businesses $2.4 billion in 2021, up from $1.8 billion in 2020. US losses recorded by the FBI are much larger than those reported by victims in non-US jurisdictions: between October 2013 and December 2021, 116,401 US victims reported total losses of $14.8 billion, while 5,260 non-US victims reported losses of $1.27 billion over the same period.

    BEC is a global problem. The scam has been reported in all 50 US states and by victims in 177 countries. Fraudulent transfers have been sent to over 140 countries, according to IC3, but banks in Thailand and Hong Kong were the primary destinations for the funds, followed by China, Mexico and Singapore.

    BEC scams are a sophisticated ruse that targets businesses and individuals, who are duped into transferring funds to the scammer’s account in the belief that they are performing a legitimate transaction. The FBI believes the pandemic and the shift to doing everything online spurred a 65% growth in BEC losses between July 2019 and December 2021.

    “Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” IC3 notes. “This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.”

    It also reports an uptick in complaints involving cryptocurrency transfers. Cryptocurrency had a total market cap of $3 trillion in November, up from just $14 billion five years earlier, the US Secretary of the Treasury recently noted.

    The two main forms of BEC involving cryptocurrency are direct transfers, much like traditional BEC fraud, and a “second hop”, usually to a cryptocurrency exchange. In both cases the victim is unaware that the funds are being sent to be converted into cryptocurrency, says IC3. Second-hop transfers often involve tricking the victim into providing identity documents such as a driver’s license or passport, which the attacker uses to open cryptocurrency wallets in the victim’s name. In 2020, IC3 received reports of $10 million in cryptocurrency-related losses; by 2021 that figure had ballooned to $40 million.

    FBI advice for protecting yourself includes:

    • Use two-factor authentication to verify requests for changes in account information.
    • Ensure the URL in emails is associated with the business or individual it claims to be from.
    • Be alert to fake hyperlinks that may contain misspellings of the actual domain name.
    • Avoid supplying login credentials or personal information via email.
    • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
    • Ensure the settings in employees’ computers allow full email extensions to be viewed.
    • Monitor your personal financial accounts on a regular basis for irregularities.
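    Several items on that list (a sender address that does not match the name shown, a domain with a misspelling, a link whose visible text differs from its real destination) can be checked mechanically before anyone acts on a payment request. The script below is an added example by the editor, not code from the FBI or IC3. The message it inspects is constructed for the example, and the trusted-domain list, the character-substitution table and the edit-distance threshold are the editor’s assumptions that a real deployment would tune.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: the domains this business legitimately receives payment instructions from.
TRUSTED_DOMAINS = {"example.com"}
# Digits and letter pairs attackers swap in to build lookalike domains (examp1e, rnicrosoft ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(domain):
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the plain O(n*m) version is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    base = ".".join(domain.lower().split(".")[-2:])  # registrable part; enough for .com-style names
    if not base or base in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(base) == normalise(trusted) or edit_distance(base, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of something that looks like a URL or bare domain; '' for ordinary words."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", url.strip().lower())
    return m.group(1) if m else ""


def body_text(msg):
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/html", "text/plain"):
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def bec_findings(raw_message):
    """Warnings for one RFC 822 message; an empty list means none of the checks fired."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")
    # Display-name spoofing: the name part carries a trusted-looking address, the real one differs.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(f"display name shows {claimed.group(0)} but mail is from {from_addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"replies go to {reply_to}, not to the sender")
    collector = LinkCollector()
    collector.feed(body_text(msg))
    for href, text in collector.links:
        if host_of(text) and host_of(text) != host_of(href):
            findings.append(f"link text {text!r} points at {host_of(href)}")
        elif lookalike_of(host_of(href)):
            findings.append(f"link to lookalike domain {host_of(href)}")
    return findings


# Constructed sample: an invoice-redirection attempt against a fictional payables team.
SAMPLE_BEC = b"""From: "Dana Finance <dana@example.com>" <dana@examp1e.com>
Reply-To: dana.finance@mail-examp1e.com
To: payables@example.com
Subject: Updated bank details for invoice 4471
Content-Type: text/html; charset=utf-8

<p>Our bank has changed. Please confirm the new account at
<a href="https://portal.examp1e.com/pay">https://portal.example.com/pay</a> before Friday.</p>
"""

if __name__ == "__main__":
    for finding in bec_findings(SAMPLE_BEC):
        print("WARNING:", finding)
```

    None of these checks replaces the control the FBI’s first item points at, which is confirming any change of bank details over a channel the email did not supply; they exist to make sure the confirmation call happens.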


    White House: Quantum computers could crack encryption, so here's what we need to do

    The White House has announced a set of proposals for keeping the US ahead in the global quantum computing race, while mitigating the risk from quantum computers that can break public-key cryptography.

    Quantum computers powerful enough to break today’s public-key encryption are still years away, but when they arrive they could be a major threat to national security and to financial and private data. Some projects, such as OpenSSH, have already implemented mitigations against an attacker who steals encrypted data today in the hope of decrypting it once such a computer exists (OpenSSH 9.0 made a hybrid key exchange combining Streamlined NTRU Prime with X25519 the default), but so far there are no official US standards for quantum-resistant cryptography.

    The Biden administration’s memorandum sets out its desire for the US to maintain its leadership in quantum information science (QIS), as well as a rough timeline and responsibilities for federal agencies to migrate most of the US’s cryptographic systems to quantum-resistant cryptography. There is no hard deadline for the post-quantum migration, but the White House wants cryptographic systems moved to ones that resist a “cryptanalytically relevant quantum computer” (CRQC), with the aim of “mitigating as much of the quantum risk as is feasible” by 2035.

    “Any digital system that uses existing public standards for public-key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC,” the White House states.

    The migration will affect all sectors of the US economy, including government, critical infrastructure, businesses, cloud providers, and basically anywhere today’s public-key cryptography is used. Protection mechanisms called for in the memorandum may include counter-intelligence and “well-targeted export controls”.

    The memorandum follows the NATO Cyber Security Centre’s recent test run of secure communication flows designed to withstand attackers using quantum computing. The renewed urgency comes as China makes headway in quantum computing. Scientists in China last year tested two quantum computers on tasks they claimed were more challenging than those Google put its 54-qubit Sycamore quantum computer through in 2019, when it claimed to have achieved “quantum supremacy”. IBM researchers contested Google’s claim.

    In October, US intelligence officials singled out quantum computing as one of five key technology areas at risk from foreign adversaries such as China and Russia. The others were artificial intelligence, biotechnology, semiconductors and autonomous systems.

    “Whoever wins the race for quantum computing supremacy could potentially compromise the communications of others,” the US National Counterintelligence and Security Center warned in a white paper, noting that China wants to achieve leadership in these fields by 2030. “Without effective mitigation, the impact of adversarial use of a quantum computer could be devastating to national security systems and the nation, especially in cases where such information needs to be protected for many decades.”

    Despite lacking a hard deadline for the migration, the memorandum does outline roles, reporting requirements and key dates for the relevant federal agencies. The directors of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) are developing standards for quantum-resistant cryptography; the first set is slated for public release by 2024. Within the next 90 days, the Secretary of Commerce will work with NIST to establish a working group involving industry, critical infrastructure operators and others on how to advance the adoption of quantum-resistant cryptography. And within a year, the heads of all Federal Civilian Executive Branch (FCEB) agencies, that is, all agencies except Defense and the intelligence community, will deliver a list of CRQC-vulnerable IT systems to CISA and the National Cyber Director.

    The inventory will include the cryptographic methods used on IT systems, including system administration protocols, as well as non-security software and firmware that require upgraded digital signatures. FCEB agencies have been instructed not to procure quantum-resistant cryptography systems until NIST releases its first set of standards and those standards have been implemented in commercial products. These agencies are, however, encouraged to test such commercial products.


    Google, Apple, Microsoft make a new commitment for a “passwordless future”

    Sometime this year or next, we may finally get to say goodbye to our passwords. Google, Apple and Microsoft have all extended their commitment to building passwordless support into their platforms. Over the next year, the three tech giants will implement passwordless FIDO sign-in standards across Android and Chrome; iOS, macOS and Safari; and Windows and Edge. This means that, sooner or later, you won’t need a password to log into devices, websites or applications. Instead, your phone will store a FIDO credential called a passkey, which is released by the same PIN or biometric you use to unlock the device and is then used to sign you into your online account.

    A passkey is significantly more secure than a password because it is a public-key credential: the private key never leaves your device, and a website only ever receives a signature over a one-time challenge, produced after you unlock the device. Passwords, meanwhile, leave us vulnerable to phishing scams and to our own bad habits, like using the same password across accounts.

    The three companies’ platforms already support passwordless sign-in standards created by the FIDO Alliance, an open industry standards body formed to solve the password and phishing problems. Under previous implementations, however, users had to sign into each website or app from each device before they could use passwordless functionality. With this extended commitment, users will be able to access their passkeys automatically on many of their devices, including new ones, without having to re-enrol every account. Additionally, people will be able to use FIDO authentication on their mobile device to sign into an app or website on a nearby device, regardless of the OS platform or browser it is running.

    Don’t forget your passwords just yet, though. Developers still have to implement passkey experiences in their websites and applications. To do so, developers can use APIs available in the browsers and operating systems to obtain cryptographic sign-in messages, which they verify on the server, Sampath Srinivas, Google PM Director for Secure Authentication and president of the FIDO Alliance, explained to ZDNet in a statement provided over email.

    These API calls have direct analogues in the password manager world, Srinivas explained. One API call is the analogue of “create a new random password” (it can also create a random username, since the user does not need to care about that). Another API call is the analogue of “now play the username and password into the website”. Additionally, this new kind of “password manager” can play a password from a nearby phone onto your computer.

    “And finally, on the server side, just like the developer has to write code to verify passwords, there is a standard way to verify the crypto message which comes from the user’s browser or app,” Srinivas said.

    This new collective commitment was commended by Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency, who called it “the type of forward-leaning thinking that will ultimately keep the American people safer online”.

    “I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” she said in a statement. “Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”
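    The server-side step Srinivas describes above, “a standard way to verify the crypto message which comes from the user’s browser or app”, is the WebAuthn assertion check, and it is where a passkey’s phishing resistance actually comes from: the browser writes the page’s origin into the signed data, so a credential exercised on a lookalike site cannot produce a signature the real site will accept. The block below is an added example by the editor, not code from Google, Apple, Microsoft or the FIDO Alliance. It simulates the authenticator and browser side with a self-contained ES256 (ECDSA over P-256) signer, written in pure Python only so the example runs without third-party libraries, and implements the relying-party checks the WebAuthn specification requires: type, challenge, origin, rpIdHash, the user-presence and user-verification flags, the signature counter, and the signature over authenticatorData plus the hash of clientDataJSON. The origin, RP ID and counter values are made up for the example; production code should use a vetted library rather than this signer.

```python
import base64
import hashlib
import json
import secrets

# NIST P-256 parameters: the curve behind ES256 (COSE alg -7), which every WebAuthn RP must accept.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; teaching code only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1      # private key: never leaves the authenticator
    return d, _mul(d, G)                   # public key: sent to the RP once, at registration

def _der_int(v):
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps the integer positive
    return b"\x02" + bytes([len(raw)]) + raw

def sign(d, message):
    """ECDSA over SHA-256(message), DER-encoded as WebAuthn requires for ES256."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    r = s = 0
    while not (r and s):
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def verify(pub, message, sig):
    """ECDSA verification of a DER signature; False rather than an exception on bad input."""
    try:
        rlen = sig[3]
        r = int.from_bytes(sig[4:4 + rlen], "big")
        s = int.from_bytes(sig[6 + rlen:], "big")
        if (sig[:3] != b"\x30" + bytes([len(sig) - 2, 2]) or sig[4 + rlen] != 2
                or len(sig) != 6 + rlen + sig[5 + rlen] or not (0 < r < N and 0 < s < N)):
            return False
    except (IndexError, ValueError):
        return False
    w, z = pow(s, -1, N), int.from_bytes(hashlib.sha256(message).digest(), "big")
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(d, challenge, origin, rp_id, sign_count):
    """What navigator.credentials.get() returns: browser-built clientDataJSON, authenticator-built authenticatorData, and a signature over both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin, "crossOrigin": False}).encode()
    flags = 0x01 | 0x04  # UP (user present) | UV (user verified by PIN or biometric)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
    signature = sign(d, auth_data + hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}

def verify_assertion(pub, assertion, expected_challenge, expected_origin, rp_id, stored_count):
    """Relying-party checks; returns (True, new_sign_count) or (False, name of the failed check)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != b64url(expected_challenge):  # stale or replayed ceremony
        return False, "challenge"
    if cd.get("origin") != expected_origin:                 # this is the phishing-resistance check
        return False, "origin"
    auth = assertion["authenticatorData"]
    if len(auth) < 37 or auth[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"
    if auth[32] & 0x05 != 0x05:                             # require both UP and UV
        return False, "flags"
    count = int.from_bytes(auth[33:37], "big")
    if (count or stored_count) and count <= stored_count:  # cloned-authenticator heuristic
        return False, "signCount"
    if not verify(pub, auth + hashlib.sha256(assertion["clientDataJSON"]).digest(), assertion["signature"]):
        return False, "signature"
    return True, count
```

    Calling make_assertion with the origin https://examp1e.com and then verify_assertion with the genuine https://example.com fails on the origin check before the signature is even examined; a password typed into the lookalike page, by contrast, is simply gone.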


    A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed

    The internet does not like to forget. Many of us know this, or at least it’s something that’s in the backs of our minds as we post updates to Facebook, share photos on Instagram, detail little insights into our daily lives on Twitter, and enter our personal data into a variety of other social media platforms and online services. But now I can see that it’s really true, for me at least.


    For years, I’ve been writing about cybersecurity, so I’m aware of the risks around personal information being shared online and how valuable our sensitive data can be to cyber criminals, as I wrote about when someone tried to use my stolen bank details over 4,500 miles away.

    It’s why I’m careful about what I sign up to, what I post, and who can see it. I make sure that my passwords are complex enough that they can’t be guessed, and whenever possible I use multi-factor authentication to protect my accounts.

    These are all habits I’ve developed during the past 10 years or so. But prior to that, I was much more naive about putting personal data online, particularly when I started regularly using the internet after getting a home computer for the first time as a teenager, in around 2001. This access opened a lot of worlds to me. I was part of gaming clans, I got my first taste of social media with MySpace, and I joined various online forums, posting comments and talking with people with similar interests, later even meeting other users in person at group meets. Back then, security and privacy didn’t really cross my mind.

    Gradually, as I got older, went to university, found and changed jobs, moved to different cities and found new hobbies, I stopped posting on the forums, and eventually I forgot about them. Which is why it was startling when someone showed me how easy it was to find my username for a particular forum, and linked to a thread from the bulletin board containing almost two-decade-old photos of me from a forum meetup. These old photos were innocent enough, just group photos from a London pub, but I had completely forgotten they existed, yet there they were, still sitting on the open internet.

    It was strange to see them and think about how they’d been sitting online for almost 20 years. For a savvy cyber sleuth, that account could provide a pathway to all sorts of other information about me and my online habits, and, as I discovered, it does.

    Fortunately for me, it wasn’t anyone with ill intent who’d been digging around my online history, but Jack Chapman, VP of threat intelligence at cybersecurity company Egress. But it gave me an insight into how this long-forgotten online profile, and other aspects of my digital footprint, were out there on the internet and how they could be abused. Because while finding old data about me had nostalgia value, in the wrong hands and against a different person, such information could be the key to unlocking a whole lot more.

    “We’re in the age of data and that data can easily be held by people with nefarious means,” Chapman told me.

    So how was it possible to track down an old forum account, along with a bunch of other information, and tie it to me? It starts with something that, unfortunately, has happened to almost anyone who has online accounts: being involved in a data breach, where hackers have broken into online services, then stolen and leaked email addresses, passwords, contact information, credit card details and other sensitive personal data. It was one of these elements that was the first step to tracking down long-forgotten aspects (or so I thought) of my online footprint.

    If you’re using the internet, it’s highly likely that you have at least one personal email address. It’s what we use to sign up for various services, and there can potentially be hundreds of those, even if we only use them once before forgetting about them. And that information doesn’t go away.

    I have a personal email address that’s been active for almost 20 years, which has been used to sign up for many different websites and online services. Unfortunately, a number of those services have been breached by cyber criminals and information about the accounts pasted online. According to HaveIBeenPwned, that email address has been in at least 14 different breaches over the years, exposing linked information including my name, online usernames, passwords and more. Some of these were huge data breaches that exposed the information of millions of people, such as May 2016’s LinkedIn data breach, which exposed 164 million email addresses and passwords, or January 2019’s Collection 1 dump, a massive set of leaked and stolen data that contained 773 million usernames and passwords.

    Chapman was able to use that information as a jumping-off point to search for personal data about me available online that malicious cyber criminals could potentially use against me, and it was a shock to hear him read out some of my old passwords to me. In most cases, I knew these passwords had been revealed in breaches and had previously made the effort to change each one to a unique new password. But 10 to 15 years ago, when I was more naive about using the internet, I used the same password across multiple online accounts, which meant that if one account was breached, the others were also vulnerable to being hacked.

    Cyber criminals often take advantage of the way people reuse the same password. For example, someone using one password on their personal email account and the same one for their corporate account could potentially provide cyber criminals with a route into a corporate network. Alternatively, if your username and password for your email are the same as those for your bank, cyber crooks will quickly discover and exploit this loophole.

    Some of the breaches of my details involved some of my old online usernames related to forum accounts and online-gaming handles. By combining that information with my name and email address, it was possible to locate an old forum profile, particularly as it turned out I’d long forgotten that I’d written blogs for one of these websites, which linked my real name and user profile name together. It was via this profile that Chapman was able to find my old forum posts, including those in the photo thread that I’d forgotten about until now, because my username was in the title of the forum thread. It was very weird seeing how someone could use leaked information to track down old photos of me.

    This particular bit of online history was from 2005, when I hadn’t really considered online privacy as an issue. And yet over 15 years later, a determined attacker could use these, as it turned out, very public details to try to gather information about me that could be used to break into accounts or to carry out phishing attacks designed around my habits.

    But at least I remember posting on these forums – what was worrying was how a database of breaches, which my old email address had been involved in, included various websites I don’t even remember signing up for or using.

    One of these that stood out was a data breach of online game Stronghold Kingdoms in July 2018, exposing usernames, passwords and email addresses. I’ve heard of the game but don’t remember ever signing up to play it. It’s possible I did, or given the nature of games, that the studio behind it was acquired or merged with another studio, which created a previous online game I played years before. Yet my username and password were exposed in this breach.

    And from there, Chapman was able to link to another data breach, at a website called Zoosk. This is another site I have no memory of at all, but it turns out to be a dating website that I apparently used in about 2010 – and that data breach gave away my date of birth and the city I was living in at the time. Further analysis of the breach even linked it back to an IP address and an internet provider. This was a location I haven’t lived in for over a decade now, but it was still unnerving to see how information on a website could be used to ultimately help trace the geolocation of where I was at the time.

    All of this is sensitive information that cyber criminals could use to build a better picture of targets and to gain as much from them as possible – and, in this case, as much as possible about me.

    “By having more information, it allows an attacker two key advantages – first, it allows them a better understanding of your life and work. This allows them to tailor their attacks to improve their credibility and likelihood of success,” says Chapman.

    “The other opportunity is that it offers them the chance to understand your ‘social network’ both on a personal and work front. This is often used for robust targets, where they initially breach a more vulnerable victim in their target’s close network.”

    In my case, that ‘social network’ attack would involve a cyberattacker spying on people I know or hacking their accounts to gain more information about me. If I thought an email was really sent from a friend, I might be more willing to open links contained within it. A cyber criminal who controlled that account could use that link to deliver malware or carry out other nefarious activities.

    Some of the breaches my data has been exposed in are over a decade old. And the problem is that once that data is out there, it’s not going away. While it’s possible to change passwords, for other information – such as your name, address, online username and email address – it isn’t really possible.

    Our email address is often the key to our online lives. We use it to log in to social networks, banking, shopping and many other online services. Most of us stick to the email address that we’ve used for many years, because we’re used to it, and it’s tied to so many things we use every day. That makes it difficult to alter – imagine having to go around dozens of your online accounts and in each case going through all the steps to change your email address every time it gets leaked in a breach.

    But is there a case to be made for potentially discontinuing the use of an email address if it’s been in too many breaches, because that could leave us vulnerable to being hacked, particularly if it’s a corporate email address? Chapman thinks so.

    “One thing we as an industry haven’t had a conversation about is retiring email addresses. If they have been in a certain number of breaches, should we have best practice where we say, ‘no, actually, that’s elevating the amount of risk we’re facing as a business – we should shut that down now,’” he says.

    But for most of our information, once it’s out there on the internet, it’s out there for good and there’s not much we can do about it. That means the best practice is to understand what information might be out there and to be alert about when your personal data might potentially be abused.

    For example, if you know credit card details have been stolen in a data breach, it’s a good idea to contact your bank, cancel that card and get a new one to avoid fraudulent activity on your account. Meanwhile, if you get an alert from a service provider that they’ve been hacked and it’s possible information might have been stolen, it’s good practice to change your password for that account – and any other accounts that password may be used for – to stop cyber criminals abusing stolen data.

    If you’re aware that your details have been leaked in a breach, you should also be on the lookout for phishing emails. In many cases, leaked emails just get put on spam lists. Many of these are simple to detect – emails claiming you’ve won gift cards or offering free items. But some are sneakier and will use worries around data breaches to send more targeted phishing emails. For example, when a Bitcoin trading site is the victim of a hack, other attackers look to take advantage by sending phishing emails to leaked lists of users, claiming their accounts are at risk and to ‘click here’ to fix it – only for that link to be a portal to steal login details and Bitcoin.

    This happens with many different breaches, so it’s vital that users treat emails like this with suspicion. It’s unlikely that a company will inform you of a breach and include a link to log in. And if you do think there might be an issue, it’s best to open your internet browser and go to the site itself, thus avoiding getting caught out by a phishing email.

    If there are old accounts that you don’t use anymore, it might be worth shutting them down, as they could contain a lot of personal information that could be used against you by cyber criminals. If the account doesn’t exist, there’s much less risk to the user.

    “Unless you manually delete or change things, nothing is forgotten now – and attackers know that,” says Chapman.

    That’s certainly the case with the old photos on the online forum. But in a frustrating twist, I checked to see if I could go back and delete the images from the forum posts, but it isn’t possible – my account was automatically shut down at some point because it wasn’t being used, only listing my profile as a ‘former member’ of the forum. But my username is in the title of the thread and the photos are still there.

    There’s no way to remove the photos or the connected forum posts, along with a traceable trail of information about my online history spanning almost 20 years. It’s a little disturbing but serves as a reminder that personal information that ends up on the internet can end up there forever, even if it’s something you’d rather forget.
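A small triage routine for the advice in this story (rotate passwords exposed in a breach and wherever they were reused, expect tailored phishing when personal details leak, and consider retiring an address that keeps turning up in breaches). This is an added example, not code from the article; the breach records are constructed in the style of a breach-notification feed, and the retirement threshold and data-class labels are assumptions.

```python
"""Breach-exposure triage per email address (added example, not the article's code).
Sample records are constructed in the style of a breach-notification feed; the
retirement threshold and data-class labels are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed records mirroring the kinds of breaches the article describes.
SAMPLE_BREACHES = [
    {"email": "me@example.com", "name": "OldForum", "year": 2005,
     "data_classes": ["Usernames", "Email addresses"]},
    {"email": "me@example.com", "name": "Stronghold Kingdoms", "year": 2018,
     "data_classes": ["Usernames", "Passwords", "Email addresses"]},
    {"email": "Me@Example.com", "name": "Zoosk", "year": 2010,  # same address, different case
     "data_classes": ["Dates of birth", "Geographic locations", "IP addresses"]},
    {"email": "work@example.org", "name": "VendorPortal", "year": 2021,
     "data_classes": ["Email addresses"]},
]
RETIRE_THRESHOLD = 3  # assumption: breach count at which an address is flagged for retirement
PROFILING_CLASSES = {"Dates of birth", "Geographic locations", "IP addresses"}

@dataclass
class Exposure:
    breach_count: int = 0
    data_classes: set = field(default_factory=set)
    passwords_leaked: bool = False
    recommend_retire: bool = False

def triage(records, retire_threshold=RETIRE_THRESHOLD):
    """Aggregate breach records per case-normalised email address."""
    summary = defaultdict(Exposure)
    for rec in records:
        exp = summary[rec["email"].strip().lower()]
        exp.breach_count += 1
        exp.data_classes.update(rec["data_classes"])
        exp.passwords_leaked |= "Passwords" in rec["data_classes"]
    for exp in summary.values():
        exp.recommend_retire = exp.breach_count >= retire_threshold
    return dict(summary)

def actions(exp):
    """Defensive steps implied by one address's exposure."""
    steps = []
    if exp.passwords_leaked:
        steps.append("rotate the password, and on every account that reused it")
    if exp.data_classes & PROFILING_CLASSES:
        steps.append("expect tailored phishing; go to sites directly, not via emailed links")
    if exp.recommend_retire:
        steps.append("consider retiring this address")
    return steps
```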

    Decade-old bugs discovered in Avast, AVG antivirus software

    Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years. 

    On Thursday, SentinelOne published a security advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523. Avast acquired AVG in 2016 for $1.3 billion. According to the cybersecurity firm, the vulnerabilities have existed since 2012 and, therefore, could have affected “dozens of millions of users worldwide.”

    CVE-2022-26522 and CVE-2022-26523 were found in the Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The first vulnerability was present in a socket connection handler used by the kernel driver aswArPot.sys, and during routine operations, an attacker could hijack a variable to escalate privileges. Security products must run with high privilege levels, and so attackers able to exploit this flaw could potentially disable security solutions, tamper with a target operating system, or perform other malicious actions.

    The second vulnerability, CVE-2022-26523, is described as “very similar” to CVE-2022-26522 and was present in the aswArPot+0xc4a3 function.

    “Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation,” SentinelLabs said. “For example, the vulnerabilities could be exploited as part of a second-stage browser attack or to perform a sandbox escape, among other possibilities.”

    SentinelLabs reported the vulnerabilities to Avast on December 20, 2021. By January 4, the cybersecurity solutions provider had acknowledged the report and released fixes in Avast v.22.1 to deal with the vulnerabilities after triage. The vulnerabilities were patched by February 11. SentinelLabs said there is no evidence of active exploitation in the wild.

    Users should have received the necessary updates automatically and do not need to take further action.

    “The impact this could have on users and enterprises that fail to patch is far-reaching and significant,” the company added. “We would like to thank Avast for their approach to our disclosure and for quickly remediating the vulnerabilities.”

    Avast told ZDNet: “Avast is an active participant in the coordinated vulnerability disclosure process, and we appreciate that SentinelOne has worked with us and provided a detailed analysis of the vulnerabilities identified. SentinelOne reported two vulnerabilities, now tracked as CVE-2022-26522 and CVE-2022-26523, to us on December 20, 2021. We worked on a fix released in version 22.1 in February 2022 and notified SentinelOne of this applied fix. Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users constantly update their software to the latest version to be protected. Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program.”

    Federal Court finds RI Advice failed to manage cybersecurity risks in landmark decision

    May 4, 2022 | Topic: Legal

    In an Australian first, the Federal Court has found that financial services firm RI Advice breached its licence obligations by failing to implement adequate risk management systems to manage cybersecurity threats. This was the first case brought by the Australian Securities and Investments Commission (ASIC) against any licensee and, subsequently, sets a new legal standard for how financial service providers should seek to execute cybersecurity management plans.

    The company has been ordered by the court to pay AU$750,000 toward ASIC’s costs, and to engage a cybersecurity expert within the next month to advise and assist RI Advice’s authorised representative network.

    The decision comes after a significant number of cyber incidents affected authorised representatives of RI Advice between June 2014 and May 2020, leading ASIC to file against the company for breach of its licence obligations. In a statement, ASIC detailed that one of the incidents involved an unknown malicious agent who obtained access to an authorised representative’s file server, through a brute force attack, from December 2017 to April 2018 before being detected. ASIC claimed that this resulted in the “potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.

    In her judgment, federal court justice Helen Rofe said that cybersecurity risks pose a significant threat to the conduct of a business and its provision of financial services. “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” said justice Rofe.

    ASIC deputy chair Sarah Court said the cyber attacks allowed third parties to gain access to sensitive personal information. “It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

    “ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber threat environment,” Court said.

    Prior to October 2018, RI was a wholly-owned subsidiary of ANZ Bank. It then became a wholly-owned subsidiary of IOOF Holdings Limited as one of four financial planning dealer groups sold by ANZ under a AU$975 million deal.