More stories


    Mozilla finds mental health apps fail 'spectacularly' at user security, data policies

    An investigation into mental health and prayer apps has revealed a disturbing lack of concern surrounding user security and privacy.

    On Monday, Mozilla released the findings of a new study into these types of apps, which often deal with sensitive topics including depression, mental health awareness, anxiety, domestic violence, PTSD, and more, alongside religion-themed services.

    According to Mozilla’s latest *Privacy Not Included guide, despite the deeply personal information these apps manage, they “routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.”

    In a study of 32 applications geared toward mental health and religion, the organization found that 25 of them did not meet Mozilla’s Minimum Security Standards. These standards act as the benchmark for the *Privacy Not Included reports. The mismanagement or unauthorized sharing and sale of user data, vague data management policies, a lack of encryption, weak password policies, no clear vulnerability management process, and other lax security practices can all downgrade a product in Mozilla’s eyes. If an app or service fails to meet these basic requirements, it is given the “*Privacy Not Included” warning label.

    The mental health and prayer apps have received an accolade, but not one you’d covet. The company says: “When it comes to protecting people’s privacy and security, mental health and prayer apps are worse than any other product category Mozilla researchers have reviewed over the past six years.”

    The organization examined apps including Talkspace, Better Help, Calm, Glorify, 7 Cups, Wysa, Headspace, and Better Stop Suicide. Each app now has a dedicated page where its privacy and security rating can be checked.

    For example, Better Stop Suicide, a suicide prevention app, failed Mozilla’s test. “Holy vague and messy privacy policy Batman! Better Stop Suicide’s privacy policy is bad,” Mozilla says. “Like, get a failing grade from your high school English teacher bad.” While the app gathers some personal information and says that users can contact the company with further queries, it did not respond to Mozilla’s attempts at contact and did not say who its “trusted partners” are when it shares data.

    Only two applications on the list, PTSD Coach and the AI chatbot Wysa, appeared to take data management and user privacy seriously.

    “The vast majority of mental health and prayer apps are exceptionally creepy,” commented Jen Caltrider, Mozilla’s *Privacy Not Included lead. “They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data. Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Directorate of Enforcement seizes $725 million from Xiaomi India

    India’s anti-money laundering agency, the Directorate of Enforcement (ED), has seized assets worth ₹5551.27 crore (around $725 million) from Xiaomi India after finding that the company had broken foreign exchange laws. The company began operations in India in 2014 and is alleged to have started the illegal activity in 2015.

    The ED claimed that Xiaomi India remitted foreign currency to three offshore entities under the guise of royalties; one of them is a company within the Xiaomi group, while the other two are US-based. The ED further stated that the payments were made “on the instructions of their Chinese parent group entities”.

    Xiaomi India responded via Twitter, claiming that its financial processes are compliant with Indian laws and regulations. “We believe our royalty payments and statements to the bank are all legit and truthful,” the company said in its response. “These royalty payments that Xiaomi India made were for the in-licensed technologies and IPs used in our Indian version products. It is a legitimate commercial arrangement for Xiaomi India to make such royalty payments.” Xiaomi India did, however, commit “to working closely with government authorities to clarify any misunderstandings”.

    After 83% year-on-year growth in the second quarter of 2021, parent company Xiaomi reached a 17% share of the smartphone market, surpassing Apple and then Samsung to briefly take the number one spot globally, according to Counterpoint Research.


    Robo-debt Royal Commission, eSafety capabilities and anti-trolling laws on the Australian election agenda

    Written by Aimee Chanthadavong, Senior Journalist

    Investing over AU$33 million to enhance eSafety capabilities and legislating the proposed anti-trolling laws are among the policies the Coalition government has pledged to follow up on if it is re-elected at the federal election on May 21.

    Specifically, the policy includes AU$23 million to raise awareness of the eSafety Commissioner’s support for Australian schools, provide training programs for teachers, improve online safety resources for schools, and enhance support for schools working with external online safety providers. It also includes an additional AU$10 million for the eSafety Commissioner to further expand coordination with other regulatory and law enforcement agencies, ensuring victims “tell-us-once” and are supported with the right service.

    Additionally, the Morrison government said it will press ahead with legislating the proposed anti-trolling laws, touting that they will hold social media companies accountable while giving Australians more power to deal with harmful defamatory comments from anonymous trolls.

    The proposed laws, however, have been criticised by senators, online abuse victims, and organisations including the eSafety Commissioner as too hard to access and unclear, and as needing more work if they are to become law.

    The government said it also wants to introduce a binding industry code under the Online Safety Act to ensure smartphones and tablet devices have “strong” parental controls installed that are easier to find and activate, and harder for kids to bypass, if industry does not act within 12 months. An additional AU$2 million has also been earmarked under the Online Safety Grants for online safety projects that support women and girls in culturally and linguistically diverse communities.

    “Our kids should be able to learn, be entertained, or connect with their friends and family without facing abuse, humiliation or online predators. The online world cannot be a cowards’ cavern where the rules of the real world do not exist,” Prime Minister Scott Morrison said.

    “Big tech and social media giants must be held to account. Our plan will force them to do more – they cannot create it, and wash their hands of all consequences of it.

    “Our plan will also ensure parents can protect their kids online with strong parental controls, help to prevent harm by raising awareness in every school, and improve our support for those harmed online.”

    At the same time, the government said new AU$3.8 million funding, delivered through the 2022-23 Budget, would go to youth mental health organisation Batyr to expand its OurHerd digital platform, which aims to give young people a safe digital space to view and learn from positive mental health stories shared by peers. The funding builds on the government’s previous investment of AU$2.8 million through the 2019-20 Budget to develop OurHerd.

    Minister for Health and Aged Care Greg Hunt said the additional funding for OurHerd will support approximately 60,000 young people aged 14-30 with mild to moderate mental health needs, as well as their families, carers and communities.

    “Through peer-to-peer education and the sharing of stories of lived experience, Batyr is helping more young people to get help before they reach a crisis point,” Minister Hunt said. “This early support reduces the lifelong impacts of mental illness and saves lives.”

    Meanwhile, the Opposition, as part of its election campaign, has vowed to establish a Royal Commission into robo-debt by the end of this year, with consultation to begin after the election.

    It envisions that the Royal Commission will identify who was responsible for the robo-debt scheme; establish what advice and what processes informed its design and implementation; investigate the handling of complaints about the scheme; determine how much the implementation, suspension, and wind-back of the scheme cost taxpayers; investigate the harm caused to Australians; and investigate the use of third-party debt collectors under the scheme.

    Labor has been advocating for a Royal Commission into the government’s robo-debt disaster since June 2020.

    “We still do not know how this reckless scheme was unleashed. We do not know whether poor legal advice was given or whether legal advice was simply never sought,” Shadow Minister for Government Services Bill Shorten said. “We do not know if public servants were inappropriately heavied and politicised. And without knowing the true origins we do not know what safeguards could be put in place to prevent a repeat.”

    In May 2020, the federal government conceded its data-matching Online Compliance Intervention (OCI) initiative, dubbed robo-debt, got around 470,000 “debts” wrong.

    The OCI program automatically compared the income declared to the Australian Taxation Office (ATO) against income declared to Centrelink, and issued debt notices, along with a 10% recovery fee, whenever a disparity between the two sets of government data was detected. From 1 July 2016 through 31 August 2019, Centrelink’s OCI program initiated 1,159,662 assessments using the automated data-matching technique.

    Separately, the Opposition also said it will launch a user audit of the myGov government services digital portal to “take a fresh look” at how well it is performing and help identify what changes and improvements can be made.

    “Millions of Australians interact with myGov every day and rely on it to provide essential services. It’s not up to scratch, and Australians deserve better. That’s why we will review myGov, and make improvements where necessary,” Opposition leader Anthony Albanese stated.


    Musk's Twitter goal of authenticating all users is good for ending bots but bad for humans

    Written by Chris Duckett, APAC Editor

    Say what you will about Elon Musk, and no doubt there is plenty to say, but should the $44 billion deal to buy Twitter close, at least the person in control of the social media site actually uses the damn thing.

    A common criticism in recent years of the direction of Twitter has been whether those at the top use the site the way its regular users do. Rather than tackle abuse properly by giving everyone access to the German option of auto-banning neo-Nazi and white supremacist content, Twitter gave us Fleets, which didn’t even survive a year. That sort of approach looks really good as a box-ticking exercise for project managers, but to users it looks like the company is distracted and doesn’t really understand its own service.

    Enter Elon Musk with his billions in financing and a plan to remake Twitter.

    “Free speech is the bedrock of a functioning democracy, and Twitter is the digital town square where matters vital to the future of humanity are debated,” Musk said in the official announcement of the deal. “I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans.”

    There is a lot of meaning in that single paragraph to unpack. Even Musk has walked back his prior apparently absolutist approach to free speech, saying that if it is legal, it will be allowed. That still leaves an awful lot of legal speech that is utterly abhorrent, which Musk will accept.

    “He has a kind of primitive libertarian notion of free speech, which essentially amounts to freedom of the microphone belongs to the person with the loudest voice and the biggest club to beat away anybody else,” Bruce Shapiro, executive director of the Dart Centre for Journalism and Trauma at Columbia University, said on ABC Radio last week. “It’s not really a free speech model. It’s a bullying model, that ends up turning platforms into vehicles for jeering culture wars and indeed, suppressing often more reasoned voices.”

    The big issue for a future Musk Twitter to consider is laws in places other than America. Traditionally a blind spot for US companies at the best of times, for a social network it takes on new meaning when concepts like defamation, hate speech, and authoritarian regimes are added.

    For someone sitting in Australia, reading the words “authenticating all humans” from Musk sounds like the Australian government’s dreams come true. With an election due later this month, the anti-trolling Bill, which was really a big stick for the powerful and cashed-up to start lobbing defamation threats and actions at those they disagreed with, lapsed as Parliament rose. Given the bipartisan backing the concept has, it’s best to think of it as sleeping rather than deceased.

    The Bill was something Twitter had raised its own concerns about.

    “Under this bill, online platforms choose between facing liability in court or turning over private sensitive information about users without a legal determination as to whether the content is in fact defamatory under the law,” Twitter Australia’s director for public policy Kara Hinesley said in March.

    “We’ve seen a number of people both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters.

    “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

    Executive director of Digital Rights Watch James Clark told ZDNet that anonymity is vital in challenging the powerful.

    “In an age when our digital footprint is more permanent and traceable than ever before, staying anonymous is a way to maintain a private life alongside a public one online,” he said. “I would also add that given Musk’s history of intimidating critics and whistleblowers, I imagine there are many people who would be rightfully reluctant to upload identification documents to a platform that he controls.”

    Twitter being a billionaire’s plaything is nothing new; the last one in charge is now using the moniker of Block Head. But it may soon be captured by a shitposting owner focused solely on killing off spambots and pursuing free speech as defined by the US First Amendment. Those in the rest of the world, where Musk’s initiatives could result in exactly the sort of speech-stifling lawfare he seeks to avoid, are likely to be regarded as nothing more than collateral damage, even as they sink under legal fees.

    ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team, so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US and 11:00pm in London.


    Microsoft's latest Windows 11 test build adds new group policies, drops SMB1 enablement by default

    Written by Mary Jo Foley, Contributor

    Microsoft rolled out a new Windows 11 Insider test build, No. 22610, to the Dev and Beta Channels on April 29. The build includes a lot of fixes, along with a handful of new features and updates.

    The build also no longer enables the SMB1 file-sharing client by default, in the name of security. However, testers who installed SMB1 manually, or who upgraded from a preview build on which SMB1 was already installed, will not have SMB1 removed by the latest build.

    Build 22610 adds new mobile device management and group policies for IT admins. These new policies can be configured locally using the group policy editor or via Microsoft Endpoint Manager. Among the policies available as of today:

    • Disable Quick Settings flyout
    • Disable Notification Center and calendar flyouts
    • Disable all taskbar settings
    • Disable search (across Start and taskbar)
    • Hide Task View from taskbar
    • Block customization of ‘Pinned’ in Start
    • Hide ‘Recommended’ in Start
    • Disable Start context menus
    • Hide ‘All apps’ in Start

    The build also includes an update to the Family Safety widget, which provides a new location-sharing view showing where those using the Family Safety app are located. There is also an update that includes “an improved view” of screen time usage across apps and devices. For PCs that support it, the estimated battery life will show up in the battery icon in the system tray.

    This build does not include the usual build watermark, which typically indicates that Microsoft is closing in on completing a new Windows feature update. However, officials reminded testers “this doesn’t mean we’re done” and said the watermark will be back in a future build. And even once Windows 11 22H2, expected this fall, does “RTM” relatively soon, testers will get updates and fixes for months before 22H2 rolls out to the mainstream.

    The build also disables the tablet-optimized taskbar feature that Microsoft began rolling out in Build 22563. Officials said they hope to bring the feature back “after further refinement of the experience.” Build 22610 also updates the rename, properties, and optimize icons used in the context menu and command bar to improve discoverability and consistency.

    For a full list of the fixes, updates, and known issues in Build 22610, see Microsoft’s blog post.
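    Dropping the SMB1 client from the Windows 11 build changes nothing on the servers that client talks to: anything still offering only SMB1 will simply stop being reachable, so the inventory that makes the removal safe is a list of hosts that still answer an SMB1 negotiate. The script below is an added example, not code from Microsoft or from this article. It sends a NetBIOS-framed SMB1 NEGOTIATE that offers only the NT LM 0.12 dialect to TCP 445 and reports whether the server answered in SMB1, answered in SMB2/3, or dropped the connection, which is what a server with SMB1 disabled does. Host names come from the command line; the replies used to exercise the classifier are constructed byte strings. It checks the server side only; the local client state on a Windows machine is read with Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client, which this script does not replace.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering only the given dialects.

    Offering just NT LM 0.12 forces the answer to be in SMB1 (SMB1 still enabled) or
    no answer at all (SMB1 disabled): a server only replies in SMB2 when an
    'SMB 2.???' style dialect is in the list.
    """
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # flags: canonical paths, case-insensitive
        0xC001,             # flags2: unicode, NT status codes, long names
        0,                  # PID high
        b"\x00" * 8,        # security features
        0,                  # reserved
        0,                  # TID
        0x1234,             # PID low (arbitrary)
        0,                  # UID
        0,                  # MID
    )
    dialect_buf = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_buf)) + dialect_buf  # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message


def classify_response(data):
    """Classify the raw reply to an SMB1 NEGOTIATE.

    'smb1'          server accepted an SMB1 dialect (SMB1 enabled)
    'smb1-rejected' SMB1 header but DialectIndex 0xFFFF (no dialect accepted)
    'smb2'          SMB2/3 reply
    'closed'        empty reply: server dropped the connection (SMB1 disabled)
    'unknown'       anything else
    """
    if not data:
        return "closed"
    if len(data) < 8:
        return "unknown"
    magic = data[4:8]
    if magic == SMB2_MAGIC:
        return "smb2"
    if magic != SMB1_MAGIC or len(data) < 39:
        return "unknown"
    # 4-byte NetBIOS header + 32-byte SMB header, then WordCount (36) and DialectIndex (37:39).
    dialect_index = struct.unpack_from("<H", data, 37)[0]
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the SMB1 NEGOTIATE and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate())
        try:
            data = sock.recv(1024)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(f"{host}: {probe_smb1(host)}")
```

    A result of smb1 is the actionable one: that host will be unreachable from a client without SMB1, and it is also the host most worth fixing. A closed result is the expected answer from a server with SMB1 disabled, but the same result comes from a firewall that drops the connection after the handshake, so confirm with the server’s own configuration before recording it as clean.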



    This phishing campaign delivers malware that steals your passwords and chat logs

    A mass phishing campaign is targeting Windows PCs and aims to deliver malware that can steal usernames, passwords, credit card details, and the contents of cryptocurrency wallets. Detailed by cybersecurity researchers at Bitdefender, RedLine Stealer is offered in a malware-as-a-service scheme, giving even low-level cyber criminals the ability to steal many different kinds of sensitive personal data, for as little as $150.


    The malware first appeared in 2020, but RedLine has recently added features and was widely distributed in mass spam campaigns during April. The phishing emails carry a malicious attachment which, if run, starts the process of installing the malware. Victims are mostly in North America and Europe.

    The malware uses exploits for CVE-2021-26411, a vulnerability in Internet Explorer, to deliver the payload. The vulnerability was disclosed and patched last year, so the exploit can only affect users who have yet to apply the security update.

    After being executed, RedLine Stealer performs initial reconnaissance of the target system, collecting information including usernames, which browsers are installed, and whether anti-virus software is running. From there, it seeks out data that can be stolen and exfiltrates passwords, cookies, and credit card data saved in browsers, as well as crypto wallets, chat logs, VPN login credentials, and text from files.

    RedLine is sold in underground marketplaces with several tiers of service, reflecting how easily available malware has become: would-be crooks can ‘lease’ the software for $100 or buy a ‘lifetime’ subscription for $800. The malware is relatively simple, but it is potent, able to steal vast amounts of sensitive information even when the affiliates running it are relatively inexperienced.

    It is possible to protect against RedLine by applying security patches, particularly for Internet Explorer, as that prevents the exploit kit from taking advantage of CVE-2021-26411. Users should also keep operating systems, applications, and anti-virus software up to date, so that known vulnerabilities cannot be exploited to deliver malware.
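    Patching closes the exploit, but the chain described above starts with an attachment, and the mail gateway can hold that before anyone runs it. The script below is an added example, not Bitdefender’s code and not a RedLine artefact: it parses an .eml with the Python standard library and flags attachments that carry an executable or script-host extension, a document-looking double extension such as .pdf.exe, a container format used to smuggle executables past filters, or content whose magic bytes contradict the declared MIME type. The message it builds for the demonstration is constructed, and the extension lists are a starting point rather than a complete policy.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly or hands to a script host on double-click.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Containers used to smuggle the above past attachment filters.
CONTAINER_EXT = {"iso", "img", "vhd", "vhdx", "zip", "rar", "7z", "cab"}
# Names that make "invoice.pdf.exe" look like a document in a file dialog.
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Magic bytes: what the content really is, whatever the name or MIME type says.
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"),
         (b"PK\x03\x04", "zip-container"), (b"\xd0\xcf\x11\xe0", "ole-document")]


def sniff(data):
    """Identify content by its leading bytes; 'unknown' when nothing matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def triage_attachment(filename, content_type, data):
    """Return the reasons (possibly none) an attachment should be held for review."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{last}")
    if last in CONTAINER_EXT:
        reasons.append(f"container .{last} (inspect contents)")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        reasons.append("double extension")
    kind = sniff(data)
    if kind == "pe-executable":
        reasons.append("content is a PE executable (MZ header)")
    if content_type == "application/pdf" and kind != "pdf":
        reasons.append(f"declared application/pdf but content sniffs as {kind}")
    return reasons


def triage_message(raw):
    """Parse a raw RFC 5322 message and map each suspicious attachment to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, part.get_content_type(), data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_eml():
    """Constructed sample message for the demonstration, not a real campaign artefact."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    # A PE stub dressed as a PDF: document-looking name, executable suffix, wrong MIME type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Invoice_0429.pdf.exe")
    # A benign PDF for contrast.
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_eml()
    for name, reasons in triage_message(raw).items():
        print(f"HOLD {name}: " + "; ".join(reasons))
```

    Run it with a path to an .eml file, or with no arguments to triage the constructed sample. The magic-byte check is the one that matters against renamed payloads; the extension checks are cheap but trivially bypassed by an archive, which is why containers are flagged for inspection rather than passed.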


    Vulnerable plugins plague the CMS website security landscape

    Vulnerable plugins, extensions, and default settings are responsible for a high rate of website compromise, according to new research.

    Content management systems (CMSs) are frequently used to structure websites and online services, including e-commerce shops, and to make it easier for web admins to manage and publish content. Plugins and extensions add functionality and can provide everything from contact forms to search engine optimization (SEO), maps, image albums, and payment options. As a result they are incredibly popular, but if they are vulnerable to exploitation, their use can put entire websites at risk of being hijacked.

    Sucuri’s 2021 Website Threat Research Report (.PDF) examines these issues in depth with a particular focus on CMS usage, including WordPress, Joomla, and Drupal.

    According to the researchers, vulnerable plugins and extensions “account for far more website compromises than out-of-date, core CMS files,” with roughly half of the website intrusions recorded among the firm’s clients occurring on a domain with an up-to-date CMS.

    Threat actors often leverage legitimate but hijacked websites to host malware or credit card skimmers, or to deploy spam. Sucuri says that websites containing “a recently vulnerable plugin or other extension” are the most likely to be abused in these ways.

    “Even a fully updated and patched website can suddenly become vulnerable if one of the website elements has a vulnerability disclosure and action is not swiftly taken to remediate it,” the researchers commented.

    In addition, webmasters who leave their CMS websites and control panels on default configurations are considered a “serious liability,” especially when multi-factor authentication (MFA) is not implemented or not possible.

    The report lists the most common types of malware found on compromised websites. At the top are backdoors: malware that gives its operators persistent access to a domain and the ability to exfiltrate data, among other capabilities. Sucuri said over 60% of its website compromise cases involved at least one backdoor.

    Credit card skimmers remain a persistent threat to e-commerce retailers. Skimmers are usually small pieces of code implanted on payment pages that harvest customers’ card details and transfer them to an attacker-controlled server. They now account for over 25% of the new PHP-based malware signatures detected in 2021.

    Spam is also one of the most common forms of website compromise. In total, 52.6% of the websites cleaned up by the firm contained SEO spam, such as URL redirects used to force visitors to landing pages that display malicious content. The team also found spam injectors that hide spam links in hijacked websites to boost the spammers’ SEO rankings. Most spam-related content relates to pharmaceuticals such as Viagra, essay writing services, escorts, gambling, adult websites, and pirated software.

    “While there is no 100% security solution for website owners, we have always advised that a defense in depth strategy be used,” Sucuri says. “Laying defensive controls helps you better identify and mitigate attacks against your website. […] At its core, maintaining a good security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall to filter malicious traffic.”
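    The report’s finding is that the plugin layer, not the core, is where most compromises start, so the inventory that matters is per-plugin versions checked against disclosed fixes, and “keep your environment updated and patched” has to be read at that granularity. The script below is an added example, not Sucuri’s tooling: it reads the header block WordPress puts at the top of each plugin’s main PHP file (WordPress reads only the first 8 KB, so the parser does too), builds an inventory from a wp-content/plugins directory, and compares installed versions against a fixed-in-version list, treating a pre-release suffix as older than the plain release. The plugin sources and the advisory list in the block are constructed and hypothetical; a real run would populate the advisory dict from a vulnerability feed or the plugin changelog.

```python
import re
from pathlib import Path

# WordPress reads plugin headers from the first 8 KB of the plugin's main file.
HEADER_BYTES = 8192
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version|Text Domain):\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_source):
    """Extract the header fields (Plugin Name, Version, Text Domain) from plugin PHP source."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:HEADER_BYTES]):
        fields.setdefault(key, value)
    return fields


def version_tuple(version):
    """Comparable form of '2.4.1' or '1.0.0-beta'; a textual suffix sorts before the release."""
    nums, pre = [], 0
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            pre = -1  # beta, rc, etc.: older than the same numbers without a suffix
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (pre,)


def inventory(plugins_dir):
    """Map plugin slug -> header fields for every plugin under a wp-content/plugins directory."""
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_dir():
            candidates = sorted(entry.glob("*.php"))  # main file is conventionally <slug>.php
        elif entry.suffix == ".php":
            candidates = [entry]  # single-file plugin such as hello.php
        else:
            continue
        for php in candidates:
            hdr = parse_plugin_header(php.read_text(errors="replace")[:HEADER_BYTES])
            if "Plugin Name" in hdr:
                found[entry.stem if entry.is_file() else entry.name] = hdr
                break
    return found


def find_vulnerable(installed, advisories):
    """Return (slug, installed, fixed_in) for each installed plugin below its fixed-in version."""
    hits = []
    for slug, fixed_in in advisories.items():
        hdr = installed.get(slug)
        if hdr is None:
            continue
        current = hdr.get("Version", "0")
        if version_tuple(current) < version_tuple(fixed_in):
            hits.append((slug, current, fixed_in))
    return hits


# Constructed plugin sources standing in for the main PHP file of each plugin directory.
SAMPLE_PLUGIN_SOURCES = {
    "example-contact-form": "<?php\n/*\nPlugin Name: Example Contact Form\nVersion: 2.3.0\nText Domain: example-contact-form\n*/\n",
    "example-seo-helper": "<?php\n/**\n * Plugin Name: Example SEO Helper\n * Version: 5.1.2\n */\n",
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.0.0-beta\n*/\n",
}

# Hypothetical advisory list: slug -> first version that contains the fix.
HYPOTHETICAL_ADVISORIES = {
    "example-contact-form": "2.4.1",
    "example-seo-helper": "5.1.0",
    "example-gallery": "1.0.0",
}


def audit_sources(sources, advisories):
    """Audit in-memory plugin sources with the same logic inventory() applies to a directory."""
    installed = {slug: parse_plugin_header(src) for slug, src in sources.items()}
    return find_vulnerable(installed, advisories)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        installed = inventory(sys.argv[1])
    else:
        installed = {s: parse_plugin_header(src) for s, src in SAMPLE_PLUGIN_SOURCES.items()}
    for slug, current, fixed_in in find_vulnerable(installed, HYPOTHETICAL_ADVISORIES):
        print(f"{slug}: installed {current}, fixed in {fixed_in}")
```

    Point it at a real wp-content/plugins directory to build the inventory; the header parser is deliberately tolerant of the two comment styles plugin authors use. The version comparison is the piece to be careful with: a naive string compare would rank 1.0.0-beta above 1.0.0 and 2.10 below 2.9, which is exactly how an outdated plugin slips past a check.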


    HackerOne acquires code security tester, review service PullRequest

    HackerOne has acquired PullRequest, a code-review-as-a-service platform. 

    The deal was announced on Thursday. No financial details have been disclosed.

    HackerOne is known for its bug bounty platform, a system for security researchers to privately disclose vulnerabilities in services and software to vendors in return for credit and financial rewards. However, the organization has also branched out into vulnerability management, cloud environment protection, and application security services. Customers include General Motors, GitHub, Google, Microsoft, and PayPal.

    Founded in 2017, PullRequest provides on-demand code reviews by engineers to thousands of organizations. By having more eyes on code before it goes too far down the production line, it is possible to catch vulnerabilities and errors early, before they can be exploited by threat actors. Different languages and frameworks, including Go, Python, PHP, and JavaScript, are supported across web, mobile, and other platforms. The company previously raised $12.7 million in funding.

    According to HackerOne, the acquisition of PullRequest “builds upon HackerOne’s focus on reducing [its] customers’ attack resistance gap – the space between what organizations can defend and what they need to defend.” This “will ultimately help customers release trustworthy software faster by embedding expert security reviewers within their software development lifecycle,” the company added.

    HackerOne CTO Alex Rice says there is a shift underway from reactive security, finding and patching bugs after code has been published, to a “developer-first” model that attempts to eradicate vulnerabilities far earlier in the software development cycle.

    Rice commented: “Over 70% of organizations claim to integrate aspects of security earlier in development to minimize their attack resistance gap, yet less than 25% of security issues are found during development. Clearly, something more is needed. We’re bringing feedback from security experts to the developer workflow so they can quickly fix bugs and get back to building.”