More stories

  • Hit by ransomware? Make sure you don't make this first obvious mistake

    Organisations that fall victim to a ransomware attack shouldn’t let the cyber criminals know they have cyber insurance – because if the attackers know that their victim holds an insurance policy, they’re more likely to outright demand the ransom payment in full. Cybersecurity researchers at Fox-IT, part of NCC Group, examined over 700 negotiations between ransomware attackers and ransomware victims in order to analyse the economics behind the digital extortion attacks that demand a ransom payment – often millions of dollars in Bitcoin – in exchange for the decryption key.


    They found that if the victim has cyber insurance and the attacker knows about it, there is little room for manoeuvre in negotiating a smaller ransom payment, because the attackers will point to the existence of the cyber insurance to cover the payment they’re demanding.

    “Look, we know about your cyber insurance. Let’s save a lot of time together? You will now offer 3M, and we will agree. I want you to understand, we will not give you a discount below the amount of your insurance. Never. If you want to resolve this situation now, this is a real chance,” said a chat message from an unspecified ransomware gang, according to the research.

    In this case, the attacker set the fee knowing about the cyber-insurance plan, leaving the victim without any real platform for attempting to negotiate a lower ransom payment. Another note from an unspecified ransomware operator appears to show that the cyber criminals set a significant ransom demand because they knew about the victim’s cyber-insurance policy – seemingly after the victim claimed they couldn’t afford to pay.

    “Yes, we can prove you can pay 3M. Contact your insurance company, you paid them money at the beginning of the year and this is their problem. You have protection against cyber extortion. I know that you are now in trouble with profit. We would never ask for such an amount if you did not have insurance,” said the attacker. A company could still claim that the insurance company wouldn’t pay the ransom demand, but the attacker is unlikely to accept that as the truth.

    While researchers suggest telling the ransomware attacker about a cyber-insurance policy isn’t a good move for negotiations, there’s also the possibility that the attacker could discover any cyber insurance the company holds once they’re inside the network ahead of the ransomware attack. “Preferably also do not save any documents related to it on any reachable servers,” the researchers warn.

    Cyber insurance has become a way for victims to deal with the damage of a ransomware attack, but as Fox-IT’s research shows, knowledge of it can put criminals in an even more powerful position for demanding payment – especially if the insurance holder doesn’t have good cybersecurity in the first place. One answer could be to require organisations that want to take out a cyber-insurance policy to meet certain cybersecurity requirements before the provider agrees to issue it.

    “It’s a really difficult debate in which I think there are definitely some advantages to having cyber insurance, but only if there are certain thresholds for a company to get it,” Pepijn Hack, cybersecurity analyst at Fox-IT, told ZDNet. “Those thresholds can be an incentive to get a better grip on your cybersecurity awareness and on what your entire organisation’s cybersecurity is right now,” he said.

    However, this path could also be problematic: if businesses fall victim to a cyberattack and don’t have cyber insurance, it could be extremely damaging. “Some cyber-insurance service companies have found out that people get hacked a lot, so it’s become really expensive and now they’re just stopping giving any cyber insurance at all, which I also don’t think is the right solution,” said Hack. “It has to be some kind of middle ground – and I think we’ll get there eventually,” he said.

    While paying a ransom to cyber criminals is generally not recommended because it encourages further attacks, after analysing hundreds of negotiations, Fox-IT researchers offered some suggestions on what to do if your business is hit with ransomware. That approach starts with preparing employees for how to react to a ransomware attack and, crucially, not clicking links in any ransom notes, so as not to prematurely start negotiations by setting the hackers’ countdown running.

    “The first thing any company should teach their employees is not to open the ransom note and click on the link inside it… the timer starts to count when you click on the link. You can give yourself some valuable time by not doing this. Use this time to assess the impact of the ransomware infection,” the researchers said.

    This time gives the response team a chance to examine what infrastructure has been hit and what impact it has had on operations, allowing the victim to retake some degree of control over the situation. Before starting negotiations, it’s also useful to know what your end goal is – can the organisation restore from backups, or will a ransom have to be paid? If the victim is willing to pay a ransom, they should have an idea of the maximum they’d pay.

    Research into the attacker can also help prepare victims for negotiations. It’s possible that a free decryption tool for that particular strain of ransomware is available, removing the need to pay a ransom at all. Examining research papers and media reports about the ransomware group can also provide information on how reliable they are at actually providing a decryption key and whether they’ll engage in other tactics to try to force a payment, such as DDoS attacks, calling your customers, or stealing and leaking data.

    When it comes to actually engaging in negotiations, researchers state that it’s important to be respectful and professional – it’s understandable that victims will be angry, but antagonising the attacker is unlikely to help the negotiation strategy. Meanwhile, being polite can help – in one example detailed in the blog post, a victim negotiated a ransom down from $4m to $1.5m.

    Many ransomware attacks try to pressure victims into paying within a set period, often with the threat of leaking data if they don’t. However, researchers suggest that attackers are almost always willing to negotiate an extended window – after all, they want the money and have taken the time to infect the systems, so they’re likely to be willing to wait a little longer. There’s also the option of trying to convince the attacker that you can’t pay the ransom, but if the attacker has access to the network, they may be able to see financial documents or cyber-insurance policies – and likely have a figure in mind based on those documents that will be the basis for negotiations.

  • WA Auditor-General drags local governments over horrendous cyber risk management

    Perth city. Image: Getty Images

    The Western Australia Auditor-General has slammed local government (LG) entities in the hard border state, after determining they were not managing cyber risks well. The outcome of the audit was summed up by two key findings noted in the audit report. The first was that most vulnerabilities found during black box testing were over a year old, and in one instance a vulnerability had existed for a decade and a half.

    “We tested the audited LG entities’ publicly accessible IT infrastructure and found vulnerabilities of varying types, severity, and age. The vulnerabilities included disclosure of technical information, out-of-date software, flawed or weak encryption, insecure software configuration, and passwords sent in cleartext over the internet,” it said. “44% of vulnerabilities were of critical and high severity, with a further 49% of medium severity. Known critical and high severity vulnerabilities are generally easy to exploit and expose LG entities to increased risk of compromise.”

    This is not good. Image: Office of the Auditor General for Western Australia

    The AG found out-of-date software accounted for 55% of vulnerabilities, followed by weak or flawed encryption on 34%, and insecure configuration on 8% of vulnerabilities. The second key finding was a phishing test, which led users to a page that asked them for login credentials. At one entity, over 50 people clicked the link and around 45 submitted credentials; this was the result of one of the people selected for the phishing test forwarding it to other staff and external contacts.

    The AG said that from that one forwarding action, it was able to collect 29 extra staff credentials that fell outside its intended testing scope, and 15 credentials from people external to the entity. The number of clicks and credentials collected was around 5 to 10 times higher than the next highest number from an audited entity. “[This] shows that people generally trust and are more likely to respond to emails from known contacts,” the report said.

    This is bad. Image: Office of the Auditor General for Western Australia

    More generally, the report said the entities were found to have failed to consider the risks of malware and ransomware, data breaches including reuse of credentials found in other breaches, unauthorised access to systems or networks from an external attack, theft of IT devices, and third-party supply chain/cloud risks. Two entities were found not to have had a penetration test since 2015, while one entity had never had one.

    When doing its tests, the Auditor-General found only three entities had systems to detect and block simulated attacks, while nine did not detect or respond, and three took two weeks to detect and only once the attacks ramped up. The latter 12 entities had intrusion detection systems but had no processes to review the information generated in a timely manner, the AG said.

    Yikes! Image: Office of the Auditor General for Western Australia

    Seven recommendations were made to improve the entities’ cyber posture, which the AG said were “generally accepted”, and most had made improvements during the audit process. “Entities should give regard to good practice principles in the Australian Government Information Security Manual and the Essential Eight controls to protect systems and information,” the report said. “While remediations will require an investment of time and money, support from senior management is equally important to uplift cybersecurity maturity.”

  • Mozilla ends support for Firefox Lockwise password management app, strands iOS users

    Farewell, sweet prince. Image: Mozilla

    Mozilla has emailed its Lockwise users to inform them that on December 13 it will end support for its Lockwise password management app. Lockwise has two guises: one in the browser itself at about:logins, and a separate app for iOS and Android that can become the default password manager for your phone without the overhead of starting up the Firefox browser. It is the latter, lighter option that has hit the end of the support road.

    “The Firefox Lockwise app will no longer be updated and supported by Mozilla and will not be available in the Apple App and Google Play Stores,” Mozilla said in its email. “After that date, current Lockwise users can continue to access their saved passwords and their password management in the Firefox desktop and mobile browsers.”

    A support note that has replaced the site for Lockwise says that the app could keep working after December 13, but it will not get updates.

    Android users can replace the password autofill functionality with Firefox itself, and see an arguable improvement in how it works, while iOS users who rely on Lockwise are left waiting. “Check back for updates in December 2021 on how to use Firefox for iOS as your system-wide password manager,” Mozilla states. Users on iOS will need to open up the browser to copy passwords the old-school way.

    While it may not have all the bells and whistles of its commercial competition, Lockwise became good enough in recent times to get by with, and it is backed by an open-source organisation with more respect for privacy than some in the field. As Mozilla is heavily reliant on rival Chrome-maker Google for funding, Lockwise as an app could have been an avenue to increase its non-Google funding line, but it was not to be.

    Last week, Mozilla decided users might want to pay for email address hiding as it unveiled Firefox Relay Premium. The standard Relay service provides five free aliases that forward emails to a primary address, with the new paid tier offering one subdomain alias to allow users to create unlimited aliases, such as yourdomain.mozmail.com, a summary dashboard, and the ability to reply to emails from the alias. Firefox Relay Premium currently has introductory pricing of $1 or €1 each month in the US, Germany, UK, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland.

  • Telstra's biggest cyber worry is businesses with basic single vendor environments

    Telstra’s biggest cyber concern, when it comes to preventing cyber threats, is organisations that use “Microsoft-style” environments.

    “The place that concerns us most as an organisation … don’t read anything into the fact I’m going to mention the word Microsoft, they’re probably a Microsoft-only environment. They don’t have ERPs, CRMs, they are basically a Microsoft-style environment,” said Telstra Enterprise group executive David Burns, who gave a keynote to the Trans Tasman Business Circle. “How do we build [cyber resilience] into the tools of systems and networks that we provide … because I think we could all do the basics, and we should all do the basics but [cyber attackers] are very sophisticated players.”

    He provided an example of how one of Telstra’s business partners, which he said used a “Microsoft-style” environment, suffered a cyber attack which then put the telco’s customers at risk. “We are all very vulnerable and you and your organisation are as vulnerable as your weakest link. And that’s how we need to think about it. It is not the role of an IT organisation to protect us. It is each and every one of our roles to work out how to protect us,” Burns said.

    He added that government agencies also needed to figure out how to improve their cyber resilience in a broadening cyberthreat landscape. At the start of this month, New South Wales auditor-general Margaret Crawford revealed that all of the state’s lead cluster agencies had failed to implement all Essential Eight controls. The cybersecurity policy for New South Wales government agencies was not sufficiently robust, which is a cause for “significant concern”, Crawford said.

    To address these cybersecurity concerns, Telstra currently provides cybersecurity services to enterprise customers and is involved in the government’s Cleaner Pipes Program. Burns, however, conceded this work would not be a big revenue driver. “We will ask people to help us pay for that, but it’s not exactly going to be as the greatest revenue earner for us,” he said. “It’s about protecting our environments because I think we all think of the cyber world, certainly amongst our customers, [as] not a differentiator. We want all boats to rise in a tide here. You don’t want to win by someone else being cyber attacked.”

    Telstra’s concern isn’t unique. The federal government in March called for organisations to counter ransomware by using multifactor authentication, keeping software up to date, archiving data and backups, building security features into systems, and training employees on good cyber hygiene. “All businesses have valuable data and systems they need to protect. It is vital that they establish strong foundational controls and practice good cybersecurity hygiene practices,” the federal government said at the time.

  • TIO wants telcos to have 24-hour fraud hotline

    The Telecommunications Industry Ombudsman (TIO) has called for telcos to have a 24-hour hotline, or at a minimum extend current hotline hours, to allow consumers to report cases of fraud, especially involving SIM swapping. In its report on systemic investigations into fraud enabled through phone and internet accounts, the TIO pointed out that fraudsters have exploited slow responses from telcos to create security breaches. This included a customer being kept on hold when trying to report fraud, customers being unable to contact telcos outside of business hours, staff not blocking fraudulent activity, staff not knowing how to deal with fraud, and attackers maintaining access to accounts after telcos were notified.

    Typically, attackers were interested in ordering handsets and additional services once they controlled an account, or in using control of a SIM to access other information, including bank and government accounts. “This can expose affected customers to considering financial and non-financial loss,” the TIO said. “Where a breach of privacy has occurred, providers may have to pay significant amounts of compensation to settle a consumer’s complaint — a cost that could have been avoided had the provider acted more quickly.”

    Other issues highlighted by the report included fraudsters getting access to accounts because telcos did not conduct proper identity checks, with one telco agreeing to use a government database for verification during the investigation, and incorrect advice being given to consumers about how to secure accounts. “One provider gave consumers the option of using robust multi-factor authentication, such as one-time passwords or an authenticator app,” the report said.

    “However, this provider also offered other security measures which were not supported by its systems, such as passwords and PINs. This meant staff did not always ask for the password or PIN when someone wanted to access the account. A consumer may believe their account is secure when it is not.”

    The Communications Alliance said combating fraud was a challenge to all parties. “Telcos are continually improving their practices to keep up with the ever-changing tactics of fraudsters,” CEO John Stanton said. “It is important that we do not become complacent and remind our customers to protect their personal information, offline as much as online.”

    In its most recent Complaints in Context report, released a fortnight ago, the Comms Alliance said TIO complaints per 10,000 services in operation continued to trend down, being reported at 4.8 for the July to September quarter. Many telcos recorded the lowest complaint level since the report adopted its current format in 2019.

  • Apple sues NSO Group over Pegasus spyware

    Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services or devices. The complaint also provides new information on how NSO Group infected victims’ Apple devices with its Pegasus spyware.

    “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” Craig Federighi, Apple SVP of Software Engineering, said in a statement. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

    Apple’s complaint says NSO Group delivered its FORCEDENTRY exploit to Apple devices by creating Apple IDs that sent malicious data to a victim’s device. This enabled the installation of Pegasus spyware without a victim’s knowledge. Researchers with Citizen Lab discovered the zero-day, zero-click exploit in September, and Apple released an urgent security update for Mac, iPhone, iPad and Watch users to patch the vulnerability. Apple says in its complaint that Apple servers were misused to deliver FORCEDENTRY but were not hacked or compromised in the attacks. The company also said it is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY.

    Apple also said it is contributing $10 million, as well as any damages from the lawsuit, to organizations like the Citizen Lab and Amnesty Tech to further cybersurveillance research and advocacy.

  • DBS Bank offers few details about hours-long service disruption

    Several customers of DBS Bank have not been able to log into or access the Singapore bank’s online and mobile services since Tuesday morning. The service disruption remains unresolved, with few details from DBS on what it is doing behind the scenes to address the issue.

    Instead, the bank posted the same message on Tuesday afternoon on its Twitter and Facebook profiles as well as its website: “Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. We apologise for the inconvenience caused during this time, and please try again later.”

    Its customers took issue with the statement, with several saying there was nothing “intermittent” or “slow” about the disruption when they were not able to access their accounts at all. Others noted the service outage began as early as 8.30 in the morning and had continued into the night. At the time this article was published, the issue remained unresolved.

    “There is no ‘intermittent’ slowness. The whole banking service is down. Now it keeps giving ‘expired’ session msg when I clearly have responded quickly to the authentication. This is ridiculous. It’s been down for hours,” one customer posted on the bank’s Facebook page. Another noted that while they were able to log into their account, the balance on their account was inaccurate. They added that a service agent handling DBS’ customer hotline attributed the source to the bank’s app, which was “having problem”.

    According to DBS’ website, scheduled maintenance was carried out on its mobile platform early this morning, between 1am and 4am, during which “login and access to digital services may be intermittently unavailable”.

    ZDNet asked the bank if this had caused the service outage and whether there was a cybersecurity incident. ZDNet also asked if its IT team was checking external systems, such as those operated by the bank’s third-party suppliers. A DBS spokesperson did not address any of the questions, pointing instead to a statement the bank issued later in the evening: “Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. Customers who need to make fund transfers can do so via our DBS PayLah app. We apologise for the inconvenience caused, and seek your patience during this time. We will provide an update once services are fully restored.”

    This statement was later updated at around 10pm, with DBS saying it would be suspending some of its services as part of efforts to resolve the issue. “Many of our customers have been unable to access our digital banking services today. The inability to access an essential service over such an extended period of time is unacceptable and we deeply regret the inconvenience caused. We are doing our best to resolve the situation and as part of our recovery efforts, we will take some services temporarily offline. This means that DBS PayLah, digibank, and 3D e-comm transactions will be unavailable today, from 10pm to 11pm (SGT). We apologise for the inconvenience caused and will update once services are restored.”

    Singapore last December issued four digital bank licences to Alibaba’s Ant Group, joint bidders Singtel and Grab, and internet services company Sea. They are expected to begin operations from early 2022. The consortium comprising Grab and Singtel, as well as Sea, were issued digital full bank licences. Ant and another consortium comprising Greenland Financial Holdings, Linklogis Hong Kong, and Beijing Co-operative Equity Investment Fund Management were awarded digital wholesale bank licences. DBS at the time issued a brief statement welcoming its new competitors. Noting that digital banking was “already a reality”, it said its “strong capital position” and physical capabilities would serve well alongside its digital offerings to differentiate the bank’s services in the market.

  • Over half of millennials are responsible for executing their parents' wills, but hardly any have access to their parents' online passwords

    As COVID-19 spread, many American millennials finally began their estate planning. Yet many of them do not have the correct digital information should their parents pass on, according to new research from Toronto, Canada-based security and privacy company 1Password.

    In partnership with digital estate planning companies Trust & Will and Willful, it surveyed 1,000 American millennials aged 25-40 years old for its Great Wake up Call Report. It wanted to discover how this generation favours securing important documents and passwords, and storing and transferring digital assets, before and after death.

    Over two in three (68%) millennials do not have a will, and under two in five (38%) have provided clear guidance on how they’d like their digital accounts managed after they die. The report shows that although almost three in four (72%) American millennials had wills that were created or updated in the past year, only 3% of those wills included online passwords.

    Traditional ways of securing important documents still dominate our behaviour. More than four in five (81%) millennials say they keep important paperwork, like their birth certificate, in a physical location such as a filing cabinet, safe, or safety deposit box. For online security, over half (51%) of respondents say that they store their passwords by memory, and 25% store their passwords on a piece of paper. 20% of respondents use a password manager.

    Over half (57%) of American millennials believe giving their executor access to their social media accounts is more important than access to their email, subscriptions, or shopping accounts such as Amazon or Target. However, sharing credentials to banking/financial accounts still tops the list of priorities (67%).

    Millennials still have to have difficult conversations with their parents. Over half (52%) of respondents admitted to never talking to their parents about a digital handover, or cannot remember the conversation. Six in 10 (63%) of respondents who have executed wills said it was harder than expected to access accounts of the deceased. Although over half (51%) will be responsible for executing their parents’ wills, only one in three (36%) of respondents know or have access to their parents’ passwords for their online accounts. When asked how they have shared passwords, two in five (41%) said via a written list, followed by 39% verbally and 25% digitally via email, cloud services, Google Docs, PDF, or a similar platform. The irony is that sharing passwords is increasingly critical to granting loved ones access to your digital legacy when you die.

    Jeff Shiner, CEO of 1Password, said: “Millennials especially are facing the brunt of these shifting pressures, as they’re balancing responsibilities for their own growing families while also caring for ageing parents. Transition plans have long been a taboo topic, but it’s time to destigmatize these discussions and ensure our digital lives are in order, so the responsibility doesn’t fall on others.”

    The COVID-19 pandemic has made us think more deeply about our mortality, but how can we ensure a smooth handover of our estate — especially those digital platforms where we spend more and more of our time? According to the report, descendants of those millennials surveyed would lose access to an estimated average of $22,500 due to mismanaged wills. Creating a way to manage that digital handover means that those authorized to act on your behalf when you die can make sure that your wishes are carried out in full.