Information Technology

Telstra’s biggest cyber concern is organisations that use “Microsoft-style” environments when it comes to preventing cyber threats.”The place that concerns us most as an organisation … don’t read anything into the fact I’m going to mention the word Microsoft, they’re probably a Microsoft-only environment. They don’t have ERPs, CRMs, they are basically a Microsoft-style environment,” said Telstra Enterprise group executive David Burns, who gave a keynote to the Trans Tasman Business Circle.  “How do we build [cyber resilience] into the tools of systems and networks that we provide … because I think we could all do the basics, and we should all do the basics but [cyber attackers] are very sophisticated players.” He provided an example of how one of Telstra’s business partners, which he said used a “Microsoft-style” environment, suffered a cyber attack which then put the telco’s customers at risk. “We are all very vulnerable and you and your organisation are as vulnerable as your weakest link. And that’s how we need to think about it. It is not the role of an IT organisation to protect us. It is each and every one of our roles to work out how to protect us,” Burns said.He added that government agencies also needed to figure out how to improve their cyber resilience in an increasingly broadening cyberthreat landscape. At the start of this month, New South Wales auditor-general Margaret Crawford revealed all of the state’s lead cluster agencies have failed to implement all Essential Eight controls. The cybersecurity policy for New South Wales government agencies was not sufficiently robust which is a cause for “significant concern”, Crawford said.

To address these cybersecurity concerns, Telstra currently provides cybersecurity services to enterprise customers and is involved in the government’s Cleaner Pipes Program. Burns, however, conceded this work would not be a big revenue driver. “We will ask people to help us pay for that, but it’s not exactly going to be as the greatest revenue earner for us,” he said. “It’s about protecting our environments because I think we all think of the cyber world, certainly amongst our customers, [as] not a differentiator. We want all boats to rise in a tide here. You don’t want to win by someone else being cyber attacked.” Telstra’s concern isn’t unique. The federal government in March called for organisations to counter ransomware through using multifactor authentication and urging businesses to keep software up to date, archiving data and back-ups, building in security features to systems, and training employees on good cyber hygiene. “All businesses have valuable data and systems they need to protect. It is vital that they establish strong foundational controls and practice good cybersecurity hygiene practices,” the federal government said at the time. Related Coverage More

The Telecommunications Industry Ombudsman (TIO) has called for telcos to have a 24-hour hotline, or at a minimum extend current hotline hours, to allow consumers to report cases of fraud, especially involving SIM swapping. In its report on systemic investigations into fraud enabled through phone and internet accounts, the TIO pointed out that fraudsters have exploited slow responses from telcos to create security breaches. This included a customer being kept on hold when trying to report fraud, failure of customers being able to contact telcos outside of business hours, staff not blocking fraudulent activity, staff not knowing how to deal with fraud, and attackers maintaining access to accounts after telcos were notified.Typically, attackers were interested in ordering handsets and additional services once they controlled an account, or using control of a SIM to access other information including bank and government accounts. “This can expose affected customers to considering financial and non-financial loss,” the TIO said. “Where a breach of privacy has occurred, providers may have to pay significant amounts of compensation to settle a consumer’s complaint — a cost that could have been avoided had the provider acted more quickly.” Other issues highlighted by the report included fraudsters getting access to accounts because telcos did not conduct proper identity checks, with one telco agreeing to use a government database for verification during the investigation, or incorrect advice being given to consumers about how to secure accounts.”One provider gave consumers the option of using robust multi-factor authentication, such as one-time passwords or an authenticator app,” the report said.

“However, this provider also offered other security measures which were not supported by its systems, such as passwords and PINs. This meant staff did not always ask for the password or PIN when someone wanted to access the account. “A consumer may believe their account is secure when it is not.” The Communications Alliance said combating fraud was a challenge to all parties. “Telcos are continually improving their practices to keep up with the ever-changing tactics of fraudsters,” CEO John Stanton said. “It is important that we do not become complacent and remind our customers to protect their personal information, offline as much as online.” In its most recent Complaints in Context report released a fortnight ago, the Comms Alliance said TIO complaints per 10,000 services in operation continued to trend down, being reported at 4.8 for the July to September quarter. Many telcos recorded the lowest complaint level since the report adopted its current format in 2019. Related Coverage More

Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services or devices. The complaint also provides new information on how NSO Group infected victims’ Apple devices with its Pegasus spyware. “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple SVP of Software Engineering, said in a statement. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”Apple’s complaint says NSO Group delivered its FORCEDENTRY exploit to Apple devices by creating Apple IDs that sent malicious data to a victim’s device. This enabled the installation of Pegasus spyware without a victim’s knowledge. Researchers with Citizen Lab discovered the zero-day, zero-click exploit in September, and  Apple released an urgent security update for Mac, iPhone, iPad and Watch users to patch the vulnerability. Apple says in its complaint that Apple servers were misused to deliver FORCEDENTRY but were not hacked or compromised in the attacks. The company also said it is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Apple also said it is contributing $10 million, as well as any damages from the lawsuit, to organizations like the Citizen Lab and Amnesty Tech to further cybersurveillance research and advocacy. More

Several customers of DBS Bank have not been able to log into or access the Singapore bank’s online and mobile services since Tuesday morning. The service disruption remains unresolved, with few details from DBS on what it is doing behind the scenes to address the issue.Instead, the bank posted the same message Tuesday afternoon on its Twitter and Facebook profiles as well as website: “Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. We apologise for the inconvenience caused during this time, and please try again later.”Its customers took issue with the statement, with several saying there was nothing “intermittent” or “slow” about the disruption when they were not able to access their account at all. Others noted the service outage began as early as 8.30 in the morning and had continued into the night. At the time this article was published, the issue remained unresolved. “There is no ‘intermittent’ slowness. The whole banking service is down. Now it keeps giving ‘expired’ session msg when I clearly have responded quickly to the authentication. This is ridiculous. it’s been down for hours,” one customer posted on the bank’s Facebook page. Another noted that while they were able to log into their account, the balance on their account was inaccurate. They added that a service agent handling DBS’ customer hotline attributed the source to the bank’s app, which was “having problem”. According to DBS’ website, a scheduled maintenance was carried out on its mobile platform early this morning, between 1am and 4am, during which “login and access to digital services may be intermittently unavailable”. 

ZDNet asked the bank if this had caused the service outage and whether there was a cybersecurity incident. ZDNet also asked if its IT team was checking external systems, such as those operated by the bank’s third-party suppliers. A DBS spokesperson did not address any of the questions, pointing instead to a statement the bank issued later in the evening. “Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. Customers who need to make fund transfers can do so via our DBS PayLah app. We apologise for the inconvenience caused, and seek your patience during this time. We will provide an update once services are fully restored.”This statement was later updated at around 10pm, with DBS saying it would be suspending some of its services as part of efforts to resolve the issue.”Many of our customers have been unable to access our digital banking services today. The inability to access an essential service over such an extended period of time is unacceptable and we deeply regret the inconvenience caused. We are doing our best to resolve the situation and as part of our recovery efforts, we will take some services temporarily offline. This means that DBS PayLah, digibank, and 3D e-comm transactions will be unavailable today, from 10pm to 11pm (SGT). We apologise for the inconvenience caused and will update once services are restored.”Singapore last December issued four digital bank licences to Alibaba’s Ant Group, joint bidders Singtel and Grab, and internet services company Sea. They are expected to begin operations from early-2022. The consortium comprising Grab and Singtel as well as Sea were issued digital full bank licences. Ant and another consortium comprising Greenland Financial Holdings, Linklogis Hong Kong, and Beijing Co-operative Equity Investment Fund Management were awarded digital wholesale bank licences. DBS then had issued a brief statement welcoming its new competitors. Noting that digital banking was “already a reality”, it said its “strong capital position” and physical capabilities would serve well alongside its digital offerings to differentiate the bank’s services in the market.RELATED COVERAGE More

As COVID-19 spread, many American millennials finally began their estate planning. Yet, many of them do not have the correct digital information if their parents pass on, according to new research from Toronto — Canada-based security and privacy company 1Password.

In partnership with digital estate planning companies Trust & Will and Willful, it surveyed 1,000 American millennials aged 25-40 years old for its Great Wake up Call Report. It wanted to discover how this generation favours securing important documents and passwords and storing and transferring digital assets before and after death.  Over two in three (68%) of millennials do not have a will, and under two in five (38%) of millennials have provided clear guidance on how they’d like their digital accounts managed after they die. The report shows that although almost three in four (72%) of American millennials had wills that were created or updated in the past year, only 3% of those wills included online passwords. Traditional ways of securing important documents still dominate our behaviour. More than four in five (81%) of millennials say they keep important paperwork, like their birth certificate, in a physical location such as a filing cabinet, safe, or safety deposit box. For online security, over half (51%) of respondents say that they store their passwords by memory, and 25% store their passwords on a piece of paper. 20% of respondents use a password manager.

Over half (57%) of American millennials believe giving their executor access to their social media accounts is more important than access to their email, subscriptions, or shopping accounts such as Amazon or Target. However, sharing credentials to banking/financial accounts still tops the list of priorities (67%). Millennials still have to have difficult conversations with their parents. Over half (52%) of respondents admitted to never talking to their parents about a digital handover or cannot remember the conversation. Six in 10 (63%) of respondents who have executed wills said it was harder than expected to access accounts of the deceased. Although over half (51%) will be responsible for executing their parent’s wills, only one in three (36%) of respondents know or have access to their parents’ passwords for their online accounts. When asked how they have shared passwords, two in five (41%) said via a written list, followed by 39% verbally and 25% digitally via email, cloud Google Docs, PDF, or a similar platform. The irony is sharing passwords is increasingly critical to granting loved ones access to your digital legacy when you die. Jeff Shiner, CEO of 1Password, said: “Millennials especially are facing the brunt of these shifting pressures, as they’re balancing responsibilities for their own growing families while also caring for ageing parents. Transition plans have long been a taboo topic, but it’s time to destigmatize these discussions and ensure our digital lives are in order, so the responsibility doesn’t fall on others.” The COCID-19 pandemic has made us think more deeply about our mortality, but how can we make sure that we ensure a smooth handover of our estate — especially those digital platforms where we spend more and more of our time. According to the report, descendants of those millennials surveyed would lose access to an estimated average of $22,500 due to mismanaged wills. Creating a way to manage that digital handover means that those authorized to act on your behalf when you die can make sure that your wishes are carried out in full. More

ZDNet Recommends

Best 5G phone 2021

5G is now standard on US networks, with the expectation that every flagship includes support for 5G.

Read More

There is great debate in the industry as to whether iOS or Android provides the most secure mobile device. In all my conversations with security pros, most, if not all, believe Apple’s iOS to be inherently more secure than the Google-built Android. This recent article spells out a number of strengths iOS has over Android in the area of privacy, such as Apple’s new feature in which users can stop apps from tracking them. In the article, the author states: “When it comes to privacy, Google and Apple are almost on extreme opposite ends.” However, a new study begs to differ; a report from research firm Omdia caught my attention. The key finding is that the Google Pixel 6 running Android 12 is significantly more secure than the
Apple iPhone 12 Pro

 running iOS 15. There are comparisons to two other Android-based phones: the
Samsung Galaxy S21 Ultra

 and the 
Xiaomi Mi 11 5G

. The report scored each vendor on nine different factors and weighted them in order of importance.
The Google Pixel 6

 achieved a perfect score of 5.4, while Apple was fourth at 4.03. The weighting turned out to be irrelevant because of the Pixel 6’s perfect score.Since I had always believed Apple to have better security by a wide margin, I thought it was worth diving into this report and understanding the criteria. One interesting point is that I had always looked at iOS versus Android software; this report did its analysis at the device level, meaning a mix of hardware and software. See also: Pixel 6 hardware is buggy garbage and Google’s tech support is worse |  Goodbye Google Pixel 6 Pro: 9 reasons it’s not the phone for me | Google Pixel 6 review After reading through the report, I found several questionable points that I felt were worth raising. They are: SponsorshipThe most questionable fact about the report is that Google, the manufacturer of the Pixel phones, was the sponsor of a report in which it gained a perfect score. It’s essentially saying the Google Pixel 6 is a perfect device with respect to security, and that’s just not true because any device can be breached. Google has been issuing security patches for the phone, indicating there were at least a few issues. Not all sponsored research is bad, but it makes one wonder when coupled with a perfect ranking. Methodology

The weighting of the security criteria is done by asking consumers to rank the importance of the nine features. While the report does not explicitly say this, I believe the 1,520 respondents were asked to pick their top three because the total percentage adds up to 300%. In my opinion, this is a questionable way to do it because the average end-user is not a security expert. This would be akin to asking a person on the street what safety features are most important in an airplane. I fly a lot, but I have no idea of the relative importance of each feature. The survey should have used a panel of security professionals. Scoring This was also flawed as the scoring in each section was derived from counting the number of features versus meeting the objective of the category. A good way to think about this is that it counted “tick boxes” versus how well those worked. It’s certainly not the most effective way to score, and I’ll elaborate below. Identity protection: This was the top-ranked feature by users, but the methodology was completely botched. Google scored highest because it had the most identity options, which makes sense because it’s tied to one’s Gmail account. Users can choose between one-time passwords, FIDO, push notifications, and others, where Apple only has two-factor, so Google got the highest score. What’s not told here is that Apple iCloud is the largest and one of the most — if not the most — successful deployment of two-factor security in the industry. With identity, more isn’t always better. Apple also does some interesting things when users have multiple devices; for example, it will inform you if you’re logging into your Mac in San Jose while your phone has just been authenticated in Russia.Security updates: The report takes a curious approach to security updates. One of the criteria is how long the vendor commits to providing security updates. It gives Google Pixel 6 a perfect score as it commits to what it calls “a solid five years’ security update period,” which is the longest of all vendors tested. It grades Apple more harshly because it does not document how long the support period is but then states, “Apple devices tend to receive five to six years of support.” It also rewards Google for enabling upgrades via the Google Play store and refers to Apple’s methodology as “monolithic” but doesn’t define what that means. The fact is Apple does have a proven track record of providing updates to over a billion devices in less than a week when it is required to do so and isn’t that the most important thing? Anti-malware: The fact that Apple has a lower score here than the three Android phones actually made me laugh. The report states: “While Samsung, Google, and Xiaomi have anti-malware solutions built into their devices to protect and detect malicious software, Apple is lacking here.” Apple does not have on-device anti-malware because it offers App Store and ecosystem protection, whereas Google does not. Also, to many users’ chagrin, Apple does not allow for apps to be side-loaded, so there can be no “back-door” malware. This report from Panda Security stated that Android devices are responsible for 47% of all observed malware compared to less than 1% for iPhones. This becomes a vicious circle; threat actors will often target Android first because breaches are easier, adding to the Android problem.  Lost devices: The report gives both Apple and Google Pixel top marks for having a web-based tool and mobile app to locate, trigger, lock, and wipe the device if it’s lost or stolen. What’s omitted is that iPhone supports the finding of offline (and even powered-off) devices, whereas Pixel must be powered on and connected to Wi-Fi or cellular. Physical access control: Here is another area where Apple and Google Pixel 6 each received full marks, but they would not have been ranked that highly if effectiveness was looked at instead of simply having the feature. The iPhone 13 face ID has a 1:1 million false acceptance rate (FAR), while Pixel 6 has a 1:50,000 FAR. Also, there have been many reports of the Pixel 6 having a slow fingerprint scanner. Also: Go Google free: We pick privacy-friendly alternatives to every Google serviceI can make similar arguments for secure backups, hardware security, and network security where Apple is as good or better than Google Pixel 6. The one section I did feel was accurate was anti-phishing, although the write-up was somewhat misleading. Safari uses Google safe browsing, but the report fails to mention that. The Pixel 6 does have an on-device anti-phishing warning system, which the iPhone does not have. Oddly enough, the one area where Google does have a clear win over Apple is ranked very low on the importance scale. 
The net result is that, after reading the report, I would have ranked Apple as good or better than Google Pixel 6 if effectiveness was used instead of counting sub-features. In this case, Apple is being penalized for having solid features. This is akin to ranking a car safer because it has a parachute to stop it when it has brakes that are known to fail versus one that has brakes that never fail. More

Some 4,000 ICT graduates are thought to enter the Czech Republic’s tech industry each year.
Image: Getty / Joe Daniel Price

ZDNet Recommends

Each year, around 4,000 ICT graduates in the Czech Republic enter its tech and IT industry. According to some estimates, the IT sector in the country employs more than 300,00 people, with the demand for talent growing every day. The mix of startups, well-established tech firms and global companies opening offices or branches in Prague makes the Czech capital a popular destination for the country’s tech workforce.Software developers themselves say they are mostly motivated by the opportunity to learn and to work on interesting projects, as well as the quality of life that Prague offers.See also: Managers aren’t worried about keeping their IT workers happy. That’s bad for everyone.Thirty-seven-year-old SQM developer Martin Bohm has been living in Prague for 10 years, moving from neighboring Slovakia. For him, working in the Czech capital is the highlight of his career so far.”Opportunities in Prague are huge, skilled IT workers are needed and this is also visible on many job offer portals. This place has its spirit, cultural and historical; the difference with western EU countries is visible, but in a positive sense.” Bohm tells ZDNet.”The ratio between income and expenses is very well balanced, as the IT industry also offers high and above-average income.”

Several tech companies are looking to capitalize on this talent, with US cybersecurity company SentinelOne among them. Last month, the company launched its new office and innovation center in Prague. The company plans to hire 300 staff and create product development functions in Prague that will augment its existing teams in the Americas, Asia, and elsewhere in Europe. Prague will become the heart of SentinelOne’s European operations with a planned $45 million investment over the next three years.
Image: SentinelOne
SentinelOne’s total investment in the Czech Republic will exceed $45 million over the next three years. The company plans to hire across a number of engineering disciplines, such as kernel, frontend, backend, validation and data engineering, as well as in data science and detection. 

Innovation

With this investment, Prague will become the heart of SentinelOne’s European operations and the center of its global product development. This makes it an important strategic investment for the company, says SentinelOne COO, Nicholas Warner, and as such, access to talent will be crucial.”The Czech education system produces engineers of a particularly high caliber, so we see it as the ideal base to help us build our technology. We’re impressed with the math, science, critical thinking, and language skills of the talent pool,” Warner tells ZDNet. Martin Matula, the company’s VP of engineering, is the site lead for its operations in the Czech Republic. He joined SentinelOne from Avast, another successful cybersecurity company with its roots in the Czech Republic. The Czech Republic and Slovakia have created a number of successful cybersecurity companies. Matula believes this is why the region has such an abundance of tech talent.”We have a solid base of a talent pool for backend engineers, Java and JVM-based technologies. There are many SaaS companies based here, so when it comes to the experience of working with public cloud, developing microservices, public cloud backend, frontend, [and] quality assurance, I feel that we are doing pretty well on that front,” he tells ZDNet.Old dogs, new tricksPrague is also home to some of the Czech Republic’s biggest names in tech. 2N Telekomunikace, a developer and manufacturer of IP intercoms and access control systems, is considered one of the country’s IT pioneers. Founded in 1991, the company has since become a leader in the global access control market and has experienced an average growth of 20% annually since being acquired by Swedish video surveillance giant, Axis, in 2016.The demand for contactless technology in the workplace — something 2N has also been working on in recent years — is helping to fuel further growth for the company. “The value of technology in managing access to buildings or floor levels is becoming more widely recognized now,” 2N chief executive, Michal Kratochvil, tells ZDNet. 2N has ambitious plans to expand throughout Australia, Europe and the US, where the access control market size is expected to reach more than $15 billion by 2027.These regions are less price-sensitive than elsewhere and value innovation more highly, says Kratochvil — something that will prove crucial for the company’s ambitions to transition from analog intercom systems to ‘smart’ IP intercoms.Michal Kratochvil, chief executive of 2N Telekomunikace.
Image: 2N Telekomunikace
Even so, being based in the Czech Republic has significantly influenced the company’s development, Kratochvil says. “2N’s heritage is in the Czech Republic and our products are still developed here. It has proved to be the perfect base from which to grow internationally because the cost base is lower than Western Europe or North America and there is an outstanding talent pool.”With companies like 2N SentinelOne setting up shop in the Czech Republic and creating bountiful opportunities for the country’s software professionals, developers are less likely to move elsewhere.The success of Prague and Brno, another Czech city with a booming IT ecosystem, in attracting many of the world’s leading tech companies also means that tech also takes the pressure off relying on overseas talent.See also: Tech skills: Four ways you can get the right mix.Meanwhile, developers are able to work with companies that are serious about their workers’ career development. Organizational charts transformations — where employees are allowed to work for other parts of the business — and project relocations are becoming very common in the Czech Republic, says Bohn.”When it comes to personal growth, absolutely, companies I worked for are investing time for continuous employee development,” he says. “There is definitely big potential in the industry.”For Matula, no bigger is this potential than in the Czech Republic’s budding cyber-ecosystem. “There are lots of opportunities in Prague for starting up other R&D centers for e-commerce and other different domains, but I think cybersecurity is the future. Even now, it influences relationships between countries, it influences even how wars are being conducted,” he says.”In this region, the Czech Republic and Slovakia, we have a history of building cybersecurity companies… So, when it comes to cybersecurity, there is really good talent here.” More

Ahead of Thanksgiving this Thursday, the US Cybersecurity and Infrastructure Agency (CISA) and the FBI have released a warning for critical infrastructure providers to stay vigilant on holidays and weekends, because hackers don’t plan on taking a holiday break. The agency issued a similar warning in August ahead of the Labor Day weekend, warning that ransomware attackers often choose to launch attacks on holidays and weekends, specifically when businesses are likely to be closed. 

ZDNet Recommends

“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” CISA and the FBI said.  SEE: A winning strategy for cybersecurity (ZDNet special report) The agencies said they had not identified any specific threats. However, they noted that some of the worst ransomware attacks happened on holidays and weekends, including Independence Day and the Mother’s Day weekend. To prepare for potential attacks on the Thanksgiving weekend, the agencies have outlined several key steps organizations can take to minimize the risk of an attack.  These include: identifying key IT security staff who could handle a surge in work after a ransomware attack; implementing multi-factor authentication for remote access and administrative accounts; enforcing strong passwords and avoiding password reuse; ensuring RDP is secure and monitored; and reminding employees not to click on suspicious links. 

Organizations also need to review incident response measures and procedures.  “To reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident.” CISA and the FBI urge users and organizations to take these actions “immediately” to protect themselves against this potential threat. SEE: Ransomware: Industrial services top the hit list – but cyber criminals are diversifying The agencies detailed several major ransomware attacks that aligned with US public holidays:  In May 2021, leading into Mother’s Day weekend, a ransomware gang deployed DarkSide ransomware against Colonial Pipeline. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked Kaseya’s remote monitoring and management tool.While most of these attacks have been attributed to suspected Russian-based hackers, Microsoft last week warned that state-sponsored hackers from Iran are increasingly using ransomware to disrupt their targets. The US, UK and Australia called out Iranian attackers for exploiting known flaws in Fortinet’s VPN and Microsoft Exchange to deploy ransomware.  More