More stories


    Ransomware has proliferated because it's 'largely uncontested', says GCHQ boss

    GCHQ director Sir Jeremy Fleming.
    If you’ve wondered why ransomware has proliferated in recent years, it’s because until recently it has remained unchallenged, according to Sir Jeremy Fleming, director of British signals intelligence agency GCHQ. “We’ve seen twice as many [ransomware] attacks this year as last year in the UK – but the reason it is proliferating is because it works,” Fleming told the US Cipher Brief threat conference.


    “It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested…we’ve got to get our head around what this means and we have up until quite recently left a lot of this playing space to those criminal actors in effect to proliferate and to make a lot of money.”

    Last month, the UK launched the National Cyber Force (NCF), a group with offensive capabilities that unites personnel from the Ministry of Defence (MoD), GCHQ, the Secret Intelligence Service (MI6), and the Defence Science and Technology Laboratory (DSTL). Referring to the NCF, Fleming insisted that, despite its offensive capabilities, “the UK is not building a cyber warfare centre”.

    “There’s real danger, I think, in over-militarising, with due respect to all of my military colleagues on both sides of the pond,” Fleming said. However, he added: “There is a place for western democratic liberal nations…to be able to contest cyberspace, and in the UK we’ve been doing that for decades.

    “That’s been part of GCHQ’s mission for decades and we need our policymakers and, in some aspects of the mission, our military leaders to be able to bring cyber capabilities into play.”

    The way to address ransomware profits is through regulating and controlling cryptocurrencies, Fleming suggested. “I can see in the policy debate on the US side and I see the policy debate here, and you quite quickly get into the ways in which criminals profit — you quite quickly get into cryptocurrencies and how those are regulated and controlled,” he said.

    While most countries back the idea of disrupting ransomware operators and the overall business model, some have developed policy that makes an exception for ransomware attacks on critical infrastructure. The Netherlands minister of foreign affairs, Ben Knapen, recently outlined how the country’s Defense Cyber Command “can carry out a counter-attack at the end of the day to avert an enemy action or to protect an essential interest of the state”. However, the minister said it normally resorts to diplomatic or legal channels.

    At US President Joe Biden’s recent cybersecurity summit with 30 countries, participating nations agreed to cooperate to target the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable. They will also aim to disrupt the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors. Safe havens for ransomware criminals would be addressed, along with continued diplomatic engagement.

    There’s suspicion in the US that Russia turns a blind eye to ransomware gangs operating in its territory. Following the ransomware attack on Colonial Pipeline last year, Biden said he warned Russian President Vladimir Putin that critical infrastructure should be off limits.


    Nearly all US execs have experienced a cybersecurity threat, but some say there's still no plan

    A new survey suggests the majority of US executives have encountered a cybersecurity incident but this has not translated into the creation of incident response plans.

    On Tuesday, Deloitte published the results of a new survey, conducted between June 6 and August 24, 2021, which includes the responses of 577 C-suite executives worldwide (159 in the US) on today’s cybersecurity threats. The research — including insight from those in CEO, CISO, and other leadership roles — suggests that nearly all US executives (98%) have come across at least one cybersecurity event over the past year, compared with 84% internationally.

    The COVID-19 pandemic has led to an increase in cybersecurity incidents, and the event rate appears to have disproportionately affected organizations in the United States. According to Deloitte’s research, 86% of US executives have noticed an uptick in attack attempts, compared with 63% of leadership worldwide.

    Despite the ongoing risk of cyberattacks, US enterprise firms are not up to par when it comes to implementing defense and incident response initiatives. In total, 14% of US executives have no such plans, in comparison to 6% of non-US executives. Problems including data management issues, infrastructure complexities, failures to keep up with technological advances, and missteps in prioritizing cybersecurity are all cited as challenges in coming up with workable cybersecurity plans.

    Over 2021, incidents including the Microsoft Exchange Server hacking wave, the ransomware incidents at JBS and Colonial Pipeline, and the DDoS attack against KT have highlighted the severe business disruption caused by successful attacks.

    Of interest is that rather than malware, phishing, or data breaches being a top concern, 27% of executives said they were most worried about the actions of “well-meaning” employees who may inadvertently create avenues for attackers to exploit. However, only 41% of organizations say they have implemented solutions to track and monitor the risk factors associated with staff access and behavior.

    The research suggests that the common consequences experienced by today’s firms after an incident include disruption (28%), a drop in share value (24%), intellectual property theft (22%), and damage to reputation that prompts a loss in customer trust (22%). In addition, in 23% of cases, a cyberattack can lead to a change in leadership roles.

    “No CISO or CSO ever wants to tell organizational stakeholders that efforts to manage cyber risk aren’t keeping up with the speed of digital transformations made, or bad actors’ improving tactics,” commented Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal. “Aggressive organizational digital transformations and continued remote work for some seem to be shining more of a spotlight on the human side of cyber events — both the cyber talent gap and the potential risk well-meaning employees can pose. We see leading organizations turning to advanced technologies to help bridge those gaps.”


    Third-party data breach in Singapore hits healthcare provider

    Another third-party security breach has been reported in Singapore, this time affecting patients of Fullerton Health and compromising personal data that included bank account details in “a few cases”. The affected vendor, Agape Connecting People, whose platform facilitates appointment booking, first detected the breach on October 19; the breach appeared to affect only Fullerton Health.

    The healthcare services provider said none of its own IT systems, network, and databases were impacted by the breach. It filed reports with both the police and the Personal Data Protection Commission, which oversees Singapore’s Personal Data Protection Act.

    Agape first detected the intrusion on October 19 and “acted immediately” to isolate and suspend use of the system, the vendor said in a statement Monday. “None of our core infrastructure has been compromised,” it said, adding that the breach “appears” to be limited to Fullerton Health. However, it noted that it was still in the process of confirming that no other clients were affected.

    Describing itself as a social enterprise, Agape operates a contact centre to provide employment for the disadvantaged, including inmates, the physically disabled, ex-offenders, and single mothers. It has a capacity of more than 250 seats and aims to support 1,000 disadvantaged individuals by 2022. Agape said it was working with cybersecurity experts to implement “mitigating action” to minimise further impact from the breach.

    Fullerton Health said on October 21 that it had been alerted “a few days ago” that its customers’ personal data could have been exposed and had initiated an investigation. It found that an unauthorised party had gained access to a server used by Agape, compromising the personal data of patients whom Agape had assisted in making appointments.

    Such details included names, identification numbers, and contact details, as well as bank account details in “a few cases” and “certain limited health-related information”. No credit card information or passwords were leaked, Fullerton Health said. The company serves corporate clients and their employees, at least one of whom has been confirmed to have had their personal data potentially exposed. Fullerton Health said it was still working to ascertain the number and identity of individuals affected by the breach.

    Digital forensic and cybersecurity professionals had been brought in to help with its investigations, the healthcare provider said, adding that they were also trying to determine the root cause and full extent of the breach. “We are conducting a thorough review of our processes and protocols relating to data security and the use of third-party service providers to further strengthen our information security,” Fullerton Health said. It said data relating to COVID-19 vaccinations carried out at its vaccination centres was not compromised, since the information had been stored separately on a system not shared with Agape.

    Singapore has seen a spate of supply chain attacks this past year that compromised the personal data of, amongst others, 580,000 Singapore Airlines (SIA) frequent flyers, 129,000 Singtel customers, and 30,000 individuals in an incident involving job-matching organisation e2i.

    The Singapore Computer Emergency Response Team (SingCERT) last year handled 9,080 cases, up from 8,491 the year before and 4,977 in 2018, with marked increases in ransomware, online scams, and COVID-19 phishing activities, according to a July 2021 report released by the Cyber Security Agency of Singapore (CSA). The number of reported ransomware attacks saw a significant spike of 154% in 2020, with 89 incidents compared to 35 in 2019. These mostly affected small and midsize businesses (SMBs) in various sectors including manufacturing, retail, and healthcare.


    Schools put the brakes on facial recognition scheme for kids buying lunch

    Schools in the United Kingdom have paused the rollout of facial recognition scans in cafeterias following backlash from data watchdogs and privacy advocates.

    Last week, the Information Commissioner’s Office (ICO), the UK’s data and privacy regulator, intervened after nine schools in North Ayrshire, Scotland, began scanning students’ faces to take payment for school lunches. At the time, more schools were expected to follow suit. The scheme was defended as a cashless, quick, and contactless means of payment in light of COVID-19.

    However, the ICO and privacy groups were quick to note that at a time when law enforcement is roundly criticized for using the same technology on the streets, introducing it in schools may be unnecessary. Big Brother Watch director Silkie Carlo said: “It’s normalizing biometric identity checks for something that is mundane. You don’t need to resort to airport-style [technology] for children getting their lunch.”

    The ICO told The Guardian that it would contact North Ayrshire council to discuss data protection laws concerning minors and to see if a “less intrusive” payment option was available. This could include contactless payment on cards or fingerprint readers, the former of which is widely used in the United Kingdom.

    As reported by the BBC, the local council has “temporarily paused” the program, while one of the schools has completely closed down the scheme. “Whilst we are confident the new facial recognition system is operating as planned, we felt it prudent to revert to the previous PIN (personal identification number) system while we consider the inquiries received,” the North Ayrshire Council tweeted.

    One of the companies named as involved in the rollout, CRB Cunninghams, describes the technology as “a contactless biometric method that enhances the speed of service and retains the security of fingerprints.”

    In other facial recognition news, several weeks ago the European Parliament voted in favor of a resolution barring law enforcement in the region from using facial recognition technologies. While the resolution is not legally binding, the parliamentary body is currently working on rules to rein in the use of facial recognition and artificial intelligence (AI) across both the public and private sectors.

    ZDNet has reached out to CRB Cunninghams for comment.


    Mozilla Firefox cracks down on malicious add-ons used by 455,000 users

    Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base. 

    On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, which software uses to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities. However, they may also become a conduit for malicious purposes, such as data theft or eavesdropping, a challenge faced by all browser developers.

    According to Mozilla, the add-ons removed in the sweep tampered with the browser’s update functionality; in particular, users were unable to download updates, access updated blocklists, or update remotely configured Firefox content. The add-ons have been blocked, and approval of new add-on submissions that use the proxy API was temporarily paused while a fix was created and deployed.

    Firefox, starting with version 91.1, now also includes changes to harden the update process. A fallback mechanism to direct connections for update purposes and other “important requests” made by the browser has been implemented, allowing downloads to take place even when a proxy configuration causes connection issues.

    The system add-on, “Proxy Failover,” has been deployed to Firefox users. Mozilla released Firefox version 93 at the beginning of October. The latest build includes a new tab unloading feature, the ability to block HTTP downloads from HTTPS web pages, and the end of default support for 3DES encryption.

    Mozilla has urged users to make sure their Firefox version is up to date. Developers making use of the proxy API are being asked to start including the following in their add-ons to expedite future reviews:

        "browser_specific_settings": { "gecko": { "strict_min_version": "91.1" } }

    “We take user security very seriously at Mozilla,” the team says. “Our add-on submission process includes automated and manual reviews that we continue to evolve and improve in order to protect Firefox users.”
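As an added illustration that is not Mozilla's code or part of the original article, the following script lints an add-on's manifest.json for that declaration. It assumes that use of the proxy API shows up as the "proxy" permission, that the Gecko settings live under browser_specific_settings (or its older "applications" alias), and that pre-release suffixes such as "91.0a1" can be compared by their numeric parts only; the sample manifests are constructed.

```javascript
// Added example, not Mozilla's code: a lint for a WebExtension manifest.json
// that checks whether an add-on using the proxy API (the "proxy" permission)
// declares the Gecko strict_min_version of 91.1 that Mozilla asks proxy-API
// add-ons to include. Manifest contents below are constructed samples.
const REQUIRED_MIN_VERSION = "91.1";

// Compare dotted version strings numerically: "91.1.0" == "91.1", "92" > "91.1".
// Simplification (assumption): suffixes like "0a1" compare by their leading digits.
function compareVersions(a, b) {
  const pa = String(a).split(".").map((x) => parseInt(x, 10) || 0);
  const pb = String(b).split(".").map((x) => parseInt(x, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// The proxy API is gated on the "proxy" permission, whether requested at
// install time or optionally at runtime.
function usesProxyApi(manifest) {
  const perms = []
    .concat(manifest.permissions || [])
    .concat(manifest.optional_permissions || []);
  return perms.indexOf("proxy") !== -1;
}

// Firefox reads Gecko-specific settings from browser_specific_settings, or
// from the older "applications" key, which it still accepts as an alias.
function geckoMinVersion(manifest) {
  const bss = manifest.browser_specific_settings || manifest.applications;
  if (!bss || !bss.gecko) return undefined;
  return bss.gecko.strict_min_version;
}

// Returns an array of findings; an empty array means nothing to report.
function lintManifest(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (e) {
    return ["manifest.json is not valid JSON: " + e.message];
  }
  if (!usesProxyApi(manifest)) return []; // rule only applies to proxy-API add-ons
  const minVersion = geckoMinVersion(manifest);
  if (minVersion === undefined) {
    return ["uses proxy API but browser_specific_settings.gecko.strict_min_version is missing"];
  }
  if (!/^\d/.test(String(minVersion))) {
    return ["strict_min_version does not look like a version number: " + minVersion];
  }
  if (compareVersions(minVersion, REQUIRED_MIN_VERSION) < 0) {
    return ["strict_min_version " + minVersion + " is below required " + REQUIRED_MIN_VERSION];
  }
  return [];
}

// Constructed sample manifests (not from any real add-on).
const GOOD_MANIFEST = JSON.stringify({
  manifest_version: 2, name: "sample-proxy-addon", version: "1.0",
  permissions: ["proxy"],
  browser_specific_settings: { gecko: { strict_min_version: "91.1" } },
});
const STALE_MANIFEST = JSON.stringify({
  manifest_version: 2, name: "sample-proxy-addon", version: "1.0",
  permissions: ["proxy"],
  browser_specific_settings: { gecko: { strict_min_version: "78.0" } },
});

console.log("good:", lintManifest(GOOD_MANIFEST));   // []
console.log("stale:", lintManifest(STALE_MANIFEST)); // one finding
```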


    KT clarifies routing error caused outage instead of DDoS attack

    South Korean telco KT has said its network outage on Monday was caused by an internal router issue, backtracking on its initial claim that the incident was caused by a large-scale distributed denial-of-service (DDoS) attack.

    In a statement, the telco said it initially suspected a DDoS attack due to traffic overload, but after scrutinising the matter it found that the cause was a routing error. KT added it would cooperate with the government to investigate the precise cause. The telco has yet to explain what caused the routing error in the first place and how this led to the outage; it expects to announce this at a later date.

    KT’s nationwide network suffered an outage on Monday for around 40 minutes at around 11am local time. The telco’s subscribers were unable to use their credit cards, trade stocks, or access apps, while some large commercial websites were also shut down during that period.

    South Korean police, who are also investigating the matter, said their initial investigations found no circumstances to indicate an external cyber attack.

    Meanwhile, the Ministry of Science and ICT is still conducting its own investigation into the matter. The ministry has ordered KT to investigate the extent of the damage caused to customers by the outage.


    Home Affairs in talks to give telcos more blocking powers against malicious messages

    The Department of Home Affairs is in talks with the telecommunications industry to provide more powers to telcos for blocking spam and malicious content.

    “We are in discussion with the telcos that provide your services … under the Telecommunications Act, section 313, there might be a possibility for the telcos to act as an authorised blocking agent — that is to say, it’s unwanted, I don’t want this to come to my computer, I don’t want this to come to my phone. It’s malicious,” Home Affairs secretary Mike Pezzullo told Senate Estimates on Monday evening.

    Pezzullo noted that more work needed to be done in this area, however, as it is currently unclear whether the Telecommunications Act deems providing a link to be an offence, or whether the offence is actually the subsequent action taken by a criminal actor in taking advantage of a victim after they’ve clicked on a malicious link.

    “There are some complexities here because it has to be a nexus to an offence. So scamming, click this link, may itself not be an offence, in which case, our advice to government in due course might well be that legislative changes are required. But the act of clicking might create a nexus to an offence, that offence might be identity theft, fraud, etc,” Pezzullo said.

    Marc Ablong, Home Affairs deputy secretary of National Resilience and Cybersecurity, likened this “complexity” to how a mail service provider such as Australia Post would not be responsible for disposing of the contents of a letter if it were dangerous.

    “If there was something criminal in [a letter], you wouldn’t go after Australia Post … nor would you ask Australia Post to block the letter. And so, the nature of the conversations that we’re having with the telco sector at the moment is: Do they have sufficient information at scale to be able to block the whole class of these spam messages? Or would they need to report each and every one that came in?” Ablong explained.

    Ablong added that part of Home Affairs’ discussions with telcos about blocking malicious SMS messages has been focused on how best to define the attributes of an SMS message in a way that blocks only malicious messages, while still allowing normal SMS messages to pass through.

    The explanation of the potential expanded blocking measures followed the theme of yesterday’s Senate Estimates, at least for the Department of Home Affairs and federal law enforcement authorities, with Pezzullo saying they would all be “more aggressive” in addressing cyber threats moving forward.

    “We’re going hunting. We’re using offensive capabilities,” he said. “The AFP is very actively engaged with international colleagues to go after the gangs that, don’t only engage in ransomware — time’s up for them — but also other forms of identity theft, phishing, and so on and so forth.”

    In Pezzullo’s opening statement at Senate Estimates, he said Home Affairs was becoming increasingly concerned about the potential for adversaries to preposition malicious code in critical infrastructure, particularly in areas such as telecommunications and energy. “Such cyber-enabled activities could be used to damage critical networks in the future. The increasingly interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security, and sovereignty,” he said.

    Earlier on Monday, AFP commissioner Reece Kershaw shared a similar sentiment at Senate Estimates, saying the federal police has been implementing a new cyber offensive arm, which has entailed talking with the Five Eyes alliance about the growth of cyberthreats.

    “At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said.

    Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism.

    Pezzullo’s declaration follows his department launching a national ransomware action plan earlier this month. The major focus of that plan is to create new laws and tougher penalties for people who use ransomware to conduct cyber extortion. The federal government last week also amended the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is currently under consideration in Parliament, as part of efforts to expedite its passage into law. That Bill seeks to create mandatory reporting requirements for organisations that suffer a cyber attack and to provide government with “last resort” powers that allow it to direct an entity to gather information, undertake an action, or authorise the ASD to intervene against cyber attacks.

    When asked by Senator and Shadow Minister for Home Affairs Kristina Keneally how the development of these capabilities had progressed, Pezzullo said he expected the policy work to be completed “this side of Christmas”.

    Keneally and Shadow Assistant Minister Tim Watts said the next morning that the lack of concrete details meant the federal government was “all announcement, no action”. “Three months after Home Affairs Minister Karen Andrews declared that ‘Time’s Up’ for ransomware gangs, Senate Estimates has confirmed the government has committed no new funding, has initiated no new law enforcement action, and will pass no new legislation in the Parliament before Christmas,” the Labor politicians said in a statement.


    NSW government stands up dedicated unit to fight identity theft

    The New South Wales government has established a dedicated unit that will provide support for citizens who have had their personal information or government proof of identity credentials stolen or fraudulently obtained.

    The new unit, known as IDSupport NSW, will become the single point of call for citizens who have had their identity stolen. It will work with other NSW government departments and Australia and New Zealand’s national identity and cyber support service, IDCare, to mitigate the risk of stolen personal information being used for identity crimes and to replace compromised identity documents where appropriate.

    “IDSupport NSW will for the first time provide a single point-of-contact for citizens who have had their identity compromised, while ensuring we have a coordinated end-to-end privacy incident response service in NSW Government,” Minister for Digital and Customer Service Victor Dominello said. “The unit will remove the burden from customers who need to replace identification documents, improving their experience at what we know can be a difficult time.”

    The state government added that IDSupport NSW would also provide citizens with options for additional support, such as counselling services, and deliver education and awareness campaigns about personal cybersecurity and identity resilience together with Cyber Security NSW and other government agencies.

    The Department of Customer Service is now recruiting experts to join IDSupport NSW, which is due to be launched early next year. The launch of IDSupport NSW forms part of the NSW government’s identity strategy [PDF] and follows on from recommendations made by the Parliamentary Inquiry into Cyber Security released earlier this year.

    Back in 2019, the NSW government’s Cyber Security NSW arm established the IDCare Identity Recovery Service to help state government customers whose identities are compromised due to a “cyber incident”. The service, at the time, was only available for up to 500 individual referrals by NSW government departments and agencies to IDCare.