Information Technology

Image: Getty Images
Meta, formerly Facebook, has reiterated fact-checking of politician claims will not be part of its measures for preventing the spread of misinformation in this year’s Australian federal election. “The speech of politicians are already very highly scrutinised,” Meta Australia policy head Josh Machin told reporters at a press briefing “It’s scrutinised by [journalists], but also by academics, experts, and their political opponents who are pretty well-positioned to push back or indicate they don’t believe something’s right if they think they’re being mischaracterised.” Misinformation that is political in nature and comes from people who are not politicians will be eligible to be fact-checked, however. In clarifying Meta’s stance about fact-checking politicians, the company said its election integrity measures for Australia’s upcoming federal election are its “most comprehensive” yet. “This is by far the most comprehensive package of election integrity measures we have ever had in Australia,” Machin said. The Australia Electoral Commission (AEC) last month said it received assurances from large social media platforms that they would allocate more resources for monitoring election disinformation and misinformation for the upcoming Australian federal election. As part of these measures, Meta has expanded its third-party fact-checking program in Australia to include RMIT FactLab, which joins Agence France Presse and Australian Associated Press (AAP) to review and rate content on the company’s platforms. The company has also provided one-off grants to these fact-checking organisations for the intent of bolstering misinformation-detection capabilities during the Australian federal election, but the organisations are not required to use those funds for that purpose. RMIT FactLab’s services are already being used by Australian media organisations, such as the ABC, but Machin clarified that the services used by Meta are separate from those. The tech giant is also working with the AAP to re-run the “Check the Facts” media literacy campaign in three additional languages — Vietnamese, Simplified Chinese, and Arabic — as part of efforts to help people recognise and avoid misinformation. The campaign was expanded to these languages due to them being the three largest non-English speaking communities in Australia, Meta said. Meta has also partnered with the online transparency organisation First Draft, which will publish related analysis and reporting on their website about online trends to help creators and influencers track what online misinformation might look like during the election campaign. These measures are in addition to Meta’s LiveDisplay tool, Ad Library that launched last year, and its updated political ad policies, which require advertisers to go through an authorisation process using government-issued photo ID to confirm they are located in Australia. All of these ads are also required to have a publicly visible disclaimer indicating who has paid for the ads. Meta’s announcement of its election integrity measures come in the face of heavy scrutiny by the federal government, which is looking to enact various new laws that aim to make tech giants more accountable for the content that exists on their platforms. Australian parliamentarians are also undertaking a probe to scrutinise major technology companies and the “toxic material” that resides on their online platforms. As part of the social media probe, Liberal MP Lucy Wicks last week criticised digital platforms for touting “very strong community standards policies” despite various instances of users not being protected by those standards. “My concern is that I see very strong community standard policies, or hateful content policies or ‘insert name of keep the community safe’ policies from various platforms. I almost can’t fault them but I find a very big gap with the application of them,” she told Meta during a social media and online safety parliamentary committee hearing. Wicks’ comments were made in light of 15 female Australian politicians, including herself, being the targets of abusive online comments that were only taken down following law enforcement intervention. Related Coverage More

Even if the cloud computing is on the rise, there are still a lot of corporate data centres around and these are a very tempting target for cyber criminals and malicious hackers. To help protect data centres – and the data stored within them – the National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure (CPNI) have come together to offer security guidance to data centre operators and users. “Operators and users of data centres have a clear responsibility to protect the data that they hold and process – failing to do this poses a massive financial, reputational and, in some cases, national security risk,” said Dr Ian Levy, technical director at NCSC.  “Owning these responsibilities means understanding the array of methods that malicious actors could use to compromise a data centre both physically and digitally,” he added. There are several issues which data centre operators and users should be thinking about, in order ensure best security practices and that data is kept safe and secure. Risk Management Both data centre operators and data centre users should be able to identify their assets, identify threats, assess risks, develop a protective security strategy and implement the correct measures to ensure all these risks are managed. These processes should also be reviewed periodically as risks and threats can change. Measures should also be put in place so in the case of a data centre being targeted by an attack designed to disrupt it, services can be maintained. For data centre operators, risk management should be driven by senior leaders to be most effective. Resilience Data centres need to be resilient against various threats and hazards. While this includes denial-of-service (DDoS) attacks and other cyber attacks, they also need to be resistant to hardware failures, power outages and natural disasters. For power outages, for example, organisations need to ensure there’s a reliable backup system which can keep it going. Users should also make plans based on the assumption that at some point their cyber defences could be breached and know how they’d be able to detect and react to attacks to minimise the impact of cybersecurity incidents. Geography and ownership It’s important for organisations to know where data is stored, particularly if cloud hosting providers operate around the world. The NCSC notes that storing data with service providers which host servers in China and Russia could be considered a risk because of laws around access in those countries. Physical perimeter and buildings It isn’t just cyber attacks which are a threat to data centres, there’s the risk that they could be physically attacked or sabotaged too. Data centres should be physically secure perimeters designed to keep unauthorised visitors out and make the server rooms difficult for anyone without permission to enter. Detection measures should also be put in place to identify intruders and keep them out, including physical security systems, CCTV and alarms. People  With the right training, people can become a force to improve security. Employees and users who are aware of potential cyber threats can help to identify and disrupt potential cyber attacks, while a good security culture throughout the organisation can reduce the risk of insider threats becoming a problem. For data centre customers, it’s important that the data centre provider than demonstrate policies and procedures it has in place to show that it’s personnel operate securely. Supply chain Cybersecurity vulnerabilities can be introduced at any part of the software supply chain, especially if key services like data centres and storage are being purchased from third-party suppliers. As various incidents have proved, it’s possible for cyber attackers to compromise those suppliers and use them to gain access to the networks of their customers. It’s important to understand the potential risks in the supply chain, to research who the provider is and what their security structure is like – and have a plan in place if things go wrong. Cyber It’s important to remember that data centres are valuable targets for cyber criminals and nation-state backed hackers. In many cases, the aim of the attacks is to steal or even destroy data. Those responsible for data centres of their organisation should make plans based around the idea that a successful cyber attack will happen and take steps to ensure incidents can be detected and minimised. MORE ON CYBERSECURITY More

Passwords are a fact of life, and if you’re one of those people who reuses the same couple of passwords because that’s all you can remember, then you really need to think seriously about a password manager.But in a world where there are countless options, which one is the right one for you?Here I’m going to look at two of the most popular options — LastPass and 1Password — and examine the pros and cons of each.

But before I go on, what is a password manager?A password manager is an app, or more commonly these days, a combination of online services and apps that safely and securely store your passwords — it also securely distributes them to all your devices.Because password managers are storing your passwords, it’s important to choose a trustworthy, reliable, and secure service. This is not a job you want to entrust to any old no-name company.The two services I’m going to look at here are LastPass and 1Password. I’ve used both extensively for several months, and I’ve found them both to be very capable password managers. And while on the surface they seem similar, there are some key differences between the two that might influence which one you choose.Note: Neither LastPass nor 1Password have had any input on this review, and neither company got to see it before it was published.The plansLet’s begin by comparing the basics of the plans on offer for each offering. It’s important to realize that only LastPass offers a free plan, but it has become so limited (the one-device limit is very restrictive) that I don’t recommend it for those wanting a free password manager.Note: If you are looking for a free password manager, my recommendation is Bitwarden. 

Like”Power user” feelBroad platform support

Don’t LikeVery limited “free” offeringRelies on browser extensions

LastPassSettings options allow all sorts of customizations via the web interface.Limited “free” option.Uses browser extensions on most desktop platforms.LastPass offers three “single-user and families” plans, along with separate plans for business users.Free: $0Unlimited passwordsAccess on one device type — computer or mobile 30-day Premium trialSave and autofill passwordsOne-to-one sharing Multi-factor AuthenticationPassword generatorPremium: $3 per monthIncludes all Free featuresAccess on all devicesOne-to-many sharing 1GB encrypted file storageSecurity dashboardDark web monitoringEmergency accessPriority tech supportFamilies: $4 per monthIncludes all Premium features6 individual, encrypted vaultsFamily manager dashboard to manage users and securityGroup and share items in folders Individually encrypted storagesPersonal security dashboards and notifications

LikeCustom apps for all platformsFeels “easy” to useEasy setup

Don’t LikeNo free plan

1PasswordFeels “easier” to use, especially for those that don’t want or need to take deep dives into the service.Easy to set up and very easy to move to another device.Custom apps for all platforms.Extra protection from “secret key.”1Password offers two plans for home users, along with separate plans for teams and businesses.Individual: $2.99 per monthApps for Mac, iOS, Windows, Android, Linux, and Chrome OSUnlimited passwords, items, and 1GB document storage24/7 email support365-day item history to restore deleted passwordsTravel Mode to safely cross bordersTwo-factor authentication for an extra layer of protectionShare your sensitive information securely with anyoneFamilies: $4.99 per monthAll the 1Password features, plus:Invite up to 5 guests for limited sharingShare passwords, credit cards, secure notes, and moreManage what family members can see and doRecover accounts for locked out family membersWorking with your passwordsHow you’re going to be working with your passwords varies between the different services.I don’t mind if I have to use a browser extension or an app, but I know that other people have their preferences. Usability is so subjective that it’s borderline pointless to review because I can only tell you what I like and not what might work for you. But my feeling is that 1Password offers a simpler, cleaner approach, while LastPass is more basic and utilitarian. While I’m overgeneralizing here, 1Password is better suited to the average user, while LastPass is a better choice for those who want access to the bowels of the password manager.My advice here is to take LastPass and 1Password up on their free trial offer and see what works for you.EncryptionI don’t really have any concerns about the security offered by either service. But there is one difference that’s worth bearing in mind.Both services decrypt the data on your device, so there’s no risk of unencrypted data floating about the place. LastPass 256-bit AES encryption with PBKDF2 SHA-256 for master passwords.1Password uses 256-bit AES encryption with PBKDF2 password hashing for the master password, offering strong protection against brute force attacks. Additionally, there’s a 128-bit secret key backing up this master password.What this means in basic terms is both are awesome, but 1Password offers an additional step that adds a little more security. That said, I don’t think I’d make a switch to 1Password just for the security of the secret key.Multi-factor authentication and securityRelying on passwords alone is a bad idea, and having the ability to use multi-factor security significantly boosts the security offered.

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

Both LastPass and 1Password offer a wide array of multi-factor security options, including support for software authenticators and hardware keys (such as YubiKey).Also: Why everyone should have this cheap security toolThere are subtle differences in how this is implemented across both services and the wide array of platforms that each support, but you get full multi-factor authentication support.Both services also support specific device features such as Face ID/Touch ID on iOS and fingerprint readers on Android and other security features offered by platforms and operating systems. Again, this varies depending on service and the device, but it’s there for both.SupportThere may come a time when you need a little help. LastPass paid users to get premium support, but those on the free plan are limited to whatever information is on LastPass’s website. While the chances of you needing support is low, you can never rule it out. While 1Password offers a broad range of support options, the one feature that this company has that elevates it over LastPass, in my opinion, is an active and supportive community forum. In my experience, users will get a solution to most problems here even quicker than going through the support channels, which are themselves quite fast.The bottom lineThe truth is that both LastPass and 1Password are excellent password managers. Some key differences might help you choose between one or the other. However, if you are still totally torn, I recommend taking each company on its free trial offer.

ZDNet Recommends More

2021 was a record year for the number of zero-day flaws in Chrome that attackers were exploiting before Google knew about them. Is Google losing the race against attackers? According to Google Project Zero’s zero-day tracker, there were 25 browser zero-days patched last year, of which 14 were for Chrome, six were for Safari’s WebKit engine, and four were for Internet Explorer. In 2020, there were just 14 browser zero-day flaws, of which more than half were in Chrome. But between 2015 and 2018 there were no Chrome zero-day exploits in the wild, according to the tracker data. 

ZDNet Recommends

Adrian Taylor, a technical program manager on the Chrome Security Team, says in a blogpost that the increase in browser zero-days “may initially seem concerning” and “could point to a worrying trend”. But he argues it could be a good thing because it means more zero-days are being caught and fixed.SEE: Cybersecurity: Let’s get tactical (ZDNet special report)In other words, interpreting trends in zero-day data – such as the suggestion there was no zero-days between 2015 and 2018 – is difficult because it only includes ones that are now known about and hopefully fixed. There are likely more undiscovered ones being used out there.”We don’t believe there was no exploitation of Chromium based browsers between 2015 and 2018,” notes Taylor. “We recognize that we don’t have full view into active exploitation, and just because we didn’t detect any zero-days during those years, doesn’t mean exploitation didn’t happen. Available exploitation data suffers from sampling bias.”That’s similar to a conclusion about zero-days that Google’s Threat Analysis Group (TAG) made last year: “There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild.” Still, there were a lot of zero-day exploits discovered in 2021. Taylor offers four reasons for this. First, browser makers today are more transparent about bugs being exploited in the wild than in the past. Google Project Zero – which gives vendors 90 days to fix a bug before publicly disclosing it – has helped normalize this behavior from major software vendors.     Another factor is the demise of the Adobe Flash Player desktop browser plugin, which used to be the top target for attackers in 2015 and 2016, but browser makers and Adobe dropped support for it on December 31, 2020. “As Flash is no longer available, attackers have had to switch to a harder target: the browser itself,” writes Taylor. On top of that is the popularity of open source Chromium used by Brave, Opera, Vivaldi and so on. While Edge isn’t anywhere near as popular as Chrome, it does ship with Windows 10 and Windows 11. “Attackers go for the most popular target. In early 2020, Edge switched to using the Chromium rendering engine. If attackers can find a bug in Chromium, they can now attack a greater percentage of users,” argues Taylor. Yet another cause for the apparent rise in browser zero-days is that due to efforts to harden the browser, such as Chrome’s site isolation, attackers need to chain together multiple bugs to actually exploit a browser. So, attackers need more ammunition for the same effect.    “For exactly the same level of attacker success, we’d see more in-the-wild bugs reported over time, as we add more layers of defense that the attacker needs to bypass,” he notes. SEE: How Russia’s invasion of Ukraine threatens the IT industryFinally, browser software is vast and now almost as complex as an operating system. “More complexity means more bugs,” Taylor comments.  He also points to Project Zero’s recently published research on how quickly software vendors patch flaws. Chrome was patched and released faster than WebKit and Firefox. Google is urging all vendors to implement a more frequent patch cadence for security issues. Chrome, for example, cut its stable release cycle from six weeks to four weeks. Microsoft is implemented the same cycle for Edge from version 94’s release in September.   Project Zero has tracked all zero-days for browsers.
Image: Google More

Image: Getty Images
The NetWalker ransomware gang affiliate who was sentenced to seven years in prison by Canadian courts at the end of January was extradited to the United States on Wednesday, where he will face further charges related to his participation in the gang. Sebastien Vachon-Desjardins, a Canadian citizen, received the Canadian prison sentence after he pleaded guilty to five charges related to “theft of computer data, extortion, the payment of cryptocurrency ransoms, and participating in the activities of a criminal organisation”. The charges in Canada were for Vachon-Desjardins’s involvement in 17 ransomware attacks that caused at least $2.8 million in damages.  He also received an additional 54-month sentence in Canada for trafficking drugs in Quebec in the following weeks. Vachon-Desjardins’ extradition to the United States was originally set for an earlier date, but was delayed due to the Netwalker affiliate’s drug trafficking charges in Canada being outstanding. With Vachon-Desjardins now in the United States, he faces further charges that accuse him of conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. If convicted in the United States, the 34-year old Canadian man could be required to forfeit over $27 million for his involvement with the NetWalker ransomware gang. Vachon-Desjardins was arrested by Canadian police in January 2021 as part of an international law enforcement campaign targeting NetWalker. After his arrest, law enforcement authorities discovered and seized 719 Bitcoin, valued at approximately $28.1 million, and around CA$1 million from Vachon-Desjardins’s home in Gatineau, Canada. “As exemplified by the seizure of cryptocurrency by our Canadian partners, we will use all legally available avenues to pursue seizure and forfeiture of the alleged proceeds of ransomware, whether located domestically or abroad,” US Justice Department assistant attorney-general Kenneth Polite Jr said. “The department will not cease to pursue and seize cryptocurrency ransoms, thereby thwarting the attempts of ransomware actors to evade law enforcement through the use of virtual currency.” Related Coverage More

A prolific botnet used to deliver malware, ransomware and other malicious payloads is spreading itself by hijacking email conversations in order to trick PC users into downloading it in what’s described as an “extremely active” phishing campaign.Qakbot has plagued victims since 2008, since starting life as a banking trojan designed to steal usernames and passwords. The malware has continually added new capabilities, making it more dangerous and more effective. A recent campaign has been detailed by cybersecurity researchers at Sophos, who’ve warned that Qakbot is hijacking email threads to spread itself to more victims.By hijacking ongoing email threads between real people, there’s a better chance that the phishing attacks will be effective because those receiving the message are likely to trust a sender they know and have received emails from in that same thread already.Qakbot attacks are automated, spreading via the infected Windows computers of people who’ve already unwittingly fallen victim. Once installed on a compromised machine, Qakbot downloads a payload which hunts for email accounts,  stealing the username and passwords required to get into them.Automated tools then go through the inbox and use the compromised account to send out phishing emails using reply to all to existing email threads, quoting the original message being replied to make the response look more authentic. SEE: Cybersecurity: Let’s get tactical (ZDNet special report)These messages generally contain a snippet of brief text content with a request to look at an attachment, often a zip file. The messages can be sent out in a variety of languages, tailored to the language the original emails have been sent in. While generic messages relating to paperwork or documents might seem too bland to lure people into opening malicious attachments, the fact that the messages look like they’re coming from someone the user knows, and has been talking to, could encourage them to let their guard down and open the file.Anyone who does this risks their device being infected by Qakbot, leaving any sensitive information or accounts on the machine ripe for being stolen. Machines infected with Qakbot can also be compromised with other malware, including ransomware. Cyber criminals can lease out the botnet to access machines infected with Qakbot in order to deliver their own malware payloads. “Qakbot is a full-service botnet that performs data theft and malware delivery services on behalf of either themselves or third parties. They clearly take advantage of credential theft to access the websites belonging to innocent third parties to use for hosting payloads,” Andrew Brandt, principal researcher at Sophos Labs told ZDNet. The malware remains what’s described as “extremely active” attempting to spread itself to new victims, while the authors Qakbot continue to add new features to it, including further obfuscating the malicious code to help it avoid detection and analysis. Users should therefore be wary of unusual emails they receive, even if they’re from known contacts, because there’s the potential that messages could be coming from a contact infected with Qakbot.”The best way to protect yourself is to train yourself to recognize when a message is out of character with the person allegedly sending it, and not to click the link to download the zip file,” said Brandt, who added that given the message is sent from the account of someone you know, you could contact them using different methods to email to check to see if it’s really them. “Verify that they intended to send you the file before you open it,” he concluded.  MORE ON CYBERSECURITY More

Getty Images/iStockphoto
Encouraging more women to pursue cybersecurity careers is “mission-critical” to filling some of the 2.5 million open jobs worldwide and tackling a global shortage of tech skills, Microsoft has said.Vasu Jakkal, Microsoft’s corporate vice president of security, compliance, identity and management, said women and people “with more diverse perspectives” were desperately needed in the cybersecurity industry to help address the evolving threat landscape and take pressure off of overburdened IT teams.

By bridging the gender gap in cybersecurity, where a lack of female representation is fuelling unequal pay and a lack of support for women, organizations can swiftly bridge organizational skill gaps as well as diversify operational thinking, which brings its own benefits in innovation and profitability, Jakkal said.SEE: Why improving diversity in cybersecurity is vital for everyoneIn 2021, women represented just 25% of the global cybersecurity workforce. A survey commissioned by Microsoft Security found that, while 83% of respondents believed there was an opportunity for women in cybersecurity, only 44% of female respondents felt sufficiently represented in the industry. Likewise, 54% of women said there was gender bias in the industry that results in unequal pay and support, compared to 45% of men.Self-limiting beliefs also need to be addressed in encouraging more women to pursue cybersecurity careers and “break through biases that limit women’s career options,” said Jakkal.Microsoft’s survey indicated that men are more likely than women (21% vs 10%) to feel qualified to apply for a cybersecurity job, whereas more women than men (27% vs 21%) believe men are seen as a better fit for technology fields. “That breaks my heart,” said Jakkal.SEE: How Women Who Code is narrowing the developer gender gap”I’ve always felt that cybersecurity is a calling but as our survey shows, the journey isn’t always easy. I’ve often been the only woman or person of color at the table. And, while I’ve tackled every challenge thrown at me, I sometimes doubted myself and struggled with imposter syndrome. Most of us do— women especially. The important thing is that over time, we find our voice and learn to speak up.”Nurturing the careers of women in cybersecurity is important for a number of reasons, said Jakkal. Security teams are already under immense strain due to a shortage of digital skills, therefore getting more women into the industry would “vastly decrease the deficit by deliberately expanding our hiring and mentorship of underrepresented groups who can bring so much to the table.”Studies have also shown that diversity is good for business, both in terms of boosting profitability as well as innovation, by bringing new ideas, perspectives and experiences to the organization. “Cybersecurity depends on it because cybercrime tactics keep evolving,” Jakkal added.SEE: When it comes to tackling diversity in tech, employers have set themselves up to fail”With all these compelling reasons to promote diversity, why is there such a shortage of women in cybersecurity?”Microsoft has partnered on a number of programmes aimed at improving female representation in cybersecurity, including Girl Security, a learning program that offers e-mentorship, professional development, and skill-building to women, girls and gender minorities interested in cybersecurity.”As you embark on a career in cybersecurity, know you are not alone,” said Jakkal. More

Businesses are reluctant to admit cybersecurity weaknesses because they fear reputational damage – but by choosing to hide their heads in the sand and ignore security vulnerabilities, they risking more significant damage to their brand if they do get hacked.Analysis by cybersecurity and bug bounty company HackerOne suggests that almost two-thirds of organisations maintain a culture of cybersecurity through obscurity, hoping that weaknesses and vulnerabilities will remain undetected or simply won’t causes issues. 

ZDNet Recommends

But by choosing to ignore vulnerabilities, organisations are leaving themselves open to cyberattacks and other security issues.SEE: Cybersecurity: Let’s get tactical (ZDNet special report)Unpatched security vulnerabilities are one of the most common weaknesses exploited by cyber criminals to successfully hack networks and software. Even patches for critical vulnerabilities are not applied by many, sometimes for years, giving hackers an easy way in for as long as the updates haven’t been rolled out.Many organisations aren’t taking security seriously because boardrooms view it as a hindrance – according to the research, two-thirds of security professionals have been told that taking care of cybersecurity is viewed as stifling to innovation. However, if employees aren’t aware of cybersecurity risks and don’t have appropriate measures put in place to maintain security, there’s the risk they could circumvent best cybersecurity practices.For example, if employees think that having to log in to enterprise software suites and use the approved collaboration tools is less effective and more time consuming than using a personal email address for sharing sensitive information, they could inadvertently expose sensitive data.Almost two-thirds of cybersecurity professionals surveyed say that their organisation has suffered a security breach as a result of staff side-stepping cybersecurity measures, while just a quarter said they’re very confident that staff are following cybersecurity best practices. The report also warns that developers are often pressured to release insecure products, putting organisations that use potentially vulnerable software at risk of being compromised. According to HackerOne, it’s vital for organisations to commit to more transparency around cybersecurity. “Security could be the difference between winning business and losing it,” Marten Mickos, CEO of HackerOne, told ZDNet. Even if organisations do fall victim to a cyberattack, being transparent about what happened can help improve the reputation of the company. Mickos cites Norsk Hydro, which fell victim to a ransomware attack and was transparent about the entire recovery process as an example of this situation. “The organisation took the responsibility to ensure frequent and candid communications with customers and the wider public, to keep everyone updated on how events were unfolding,” he said. “Not only did Norsk Hydro maintain customer trust by being transparent about what was happening, the organisation also had the power of exposing key information on the tactics being used by cyber criminals, which is beneficial to the wider industry and other organisations facing growing cyber risks,” Mickos added. MORE ON CYBERSECURITY More