More stories

  • Password-stealing Android malware uses sneaky security warning to trick you into downloading


    One particularly sneaky piece of malware is trying to trick Android users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update. The text message scam delivers FluBot, a form of Android malware that steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. While the links can be delivered to iPhones, FluBot can’t infect Apple devices.

    FluBot attacks have commonly come in the form of text messages which claim the recipient has missed a delivery, asking them to click a link to install an app to organise a redelivery. This app installs the malware.

    But that isn’t the only technique cybercriminals are using to trick people into downloading FluBot malware — New Zealand’s Computer Emergency Response Team (CERT NZ) has issued a warning over scam text messages which claim the user is already infected with FluBot and they need to download a security update.

    After following the link, the user sees a red warning screen claiming “your device is infected with FluBot malware” and explicitly stating that FluBot is Android spyware that aims to steal financial login and password data. At this point, the device is not actually infected with anything at all, but the reason the malware distributors are being so “honest” about FluBot is that they want the victim to panic and follow a link to install a “security update” which actually infects the smartphone with malware.

    This provides the attackers with access to all the financial information they want to steal, as well as the ability to spread FluBot malware to contacts in the victim’s address book.

    FluBot has been a persistent malware problem around the world, but as long as the user doesn’t click on the link, they won’t get infected. Anyone who fears they’ve clicked a link and downloaded FluBot malware should contact their bank to discuss whether there’s been any unusual activity, and should change all of their online account passwords to stop cybercriminals from having direct access to the accounts. If a user has been infected with FluBot, it’s also recommended they perform a factory reset on their phone in order to remove the malware from the device.

    It can be difficult to keep up with mobile alerts, but it’s worth remembering that it’s unlikely that companies will ask you to download an application from a direct link — downloading official apps via official app stores is the best way to keep safe when downloading apps.

  • iOS 15: Ultimate privacy and security

    iOS 15 brings several new security features to the iPhone. But ultimately, the security of a device is in the hands of the owner, who can choose to bolster that security or weaken it. Here’s what you need to know to make your iPhone a harder target for hackers and thieves. Note that these settings also mostly apply to the iPad.

    The basics

    First off, everything starts off with the basics. These haven’t changed in years.

    • Use a strong passcode using Custom Alphanumeric Code (if this is easily guessable, it’s game over). If you think someone knows your passcode, change it. Go to Settings > Face ID & Passcode (or Touch ID & Passcode).
    • Turn on Face ID/Touch ID.
    • Turn on screen Auto-Lock. Go to Settings > Display & Brightness, tap Auto-Lock and set it to 30 seconds or 1 minute.
    • Make sure iOS is up to date. Go to Settings > General > Software Update and make sure Automatic Update is enabled.
    • Keep all your apps updated. Go to Settings > App Store and make sure App Updates are enabled.

    Keep an eye on apps that might be spying on you

    A new feature in iOS 15 is the ability to log what apps are up to on your iPhone. The feature is called Record App Activity, and it gives you a log of when an app accesses one of the following:

    • The user’s photo library
    • A camera
    • The microphone
    • The user’s contacts
    • The user’s media library
    • Location data
    • Screen sharing

    To enable this feature, go to Settings > Privacy and then scroll down to find Record App Activity.

    Built-in authenticator

    iOS 15 brings an end to having to fire up a third-party two-factor authenticator app. Now Apple has built one right into iOS, and better still, it can even autofill the information for you. Go to Settings > Passwords, and then for each password entry, you can tap on it to get access to an option called Set Up Verification Codes… which allows you to enter the information required using either a setup key or a QR code. Using a two-factor authenticator is far more secure than relying on SMS messages, so you should use this feature — either using Apple’s authenticator or another app — to get the highest security.

    Hide your IP address from trackers

    Safari can now cloak your IP address from trackers on websites, making it pretty much impossible for your browsing to be logged. Go to Settings > Safari and set Hide IP Address to From Trackers.

    Secure your browsing

    If you have an iCloud+ subscription, Apple has just given you a great reason to use the Safari browser — iCloud Private Relay. This is like a VPN in that it sends your web traffic through other servers to keep your location secret. To enable iCloud Private Relay, you’ll need an iCloud+ subscription. Then go to Settings, tap your name at the top, then go to iCloud and enable Private Relay.

    Put a stop to email trackers

    Protect Mail Activity is a feature built into the Mail app that prevents people from knowing if emails have been opened. To enable this feature, go to Settings > Mail, tap on Privacy Protection and enable Protect Mail Activity. If iCloud Private Relay is a good reason to switch to Safari, then this feature is a good reason to switch to Mail.

  • FCC aggressively moves to block spam calls

    Yesterday, I had a dozen — count ’em a dozen — spam calls. My carrier, Verizon, does a good job of marking most of them as spam, but it’s not perfect. Some calls get through. Now, if I were like most of you, I’d just ignore any call from an unknown number. Alas, I’m not. I’m a journalist, so I sometimes get calls that I must take from numbers I’ve never seen before. Sometimes you must do that too. But, now the Federal Communications Commission (FCC) is finally putting a stop to many spammers. 

    The FCC is doing this by forbidding legitimate telecom companies from taking calls originating from voice service providers whose certification doesn’t appear in the FCC’s Robocall Mitigation Database. This means “voice service providers will be prohibited from directly accepting that provider’s traffic.” Technically that works because telecoms must now block traffic from “voice service providers that have neither certified to implementation of STIR/SHAKEN caller ID authentication standards nor filed a detailed robocall mitigation plan with the FCC.”

    Secure Telephone Identity Revisited (STIR)/Signature-based Handling of Asserted Information Using toKENs (SHAKEN) is Caller ID on steroids — it’s a protocol for authenticating phone calls with the help of cryptographic certificates. It’s meant to make certain that when someone calls you, the name showing up on Caller ID really is the person calling. It also lets your phone company know, in theory, who’s responsible for a specific call. STIR/SHAKEN works with both landline and cellular networks.

    Acting FCC Chairperson Jessica Rosenworcel said, “The FCC is using every tool we can to combat malicious robocalls and spoofing – from substantial fines on bad actors to policy changes to technical innovations like STIR/SHAKEN. Today’s deadline establishes a very powerful tool for blocking unlawful robocalls. We will continue to do everything in our power to protect consumers against scammers who flood our homes and businesses with spoofed robocalls.”

    Much as I’d like to think that this would drop my spam call count to zero, I know better. For example, while digital telecoms must now be using STIR/SHAKEN, old-school time-division multiplexing (TDM)/public switched telephone network (PSTN) based networks are still grandfathered in. The FCC requires that “providers using older forms of network technology [must] either upgrade their networks to IP or actively work to develop a caller ID authentication solution.” Still, no date has been set for this changeover. In addition, as Brad Reaves, North Carolina State University professor of computer science, warned in a Marketplace interview, “There are just too many loopholes and ways to bypass this system.” These include smaller voice providers that still aren’t required to implement STIR/SHAKEN. Besides that, some providers provide US phone service to people living outside the country. They’re not required to participate in STIR/SHAKEN either.

    Still, this new FCC move is a step forward. Will it end up substantially reducing spam calls? We’ll soon know if our phones finally stop ringing non-stop with junk calls. We live in hope.

  • Chief exec of cybersecurity Group-IB arrested on treason charge

    The chief executive of Group-IB has been arrested by law enforcement on suspicion of state treason. 


    Ilya Sachkov, a co-founder of the prominent Russian cybersecurity company, was arrested on Tuesday at Group-IB’s Moscow office.  The company has confirmed the incident, adding that local law enforcement conducted a search of the property on the same day. At the time, Group-IB — with headquarters in Singapore — said that the “reason for the search was not yet clear.” State news agency TASS cited an unnamed source in the country’s security forces when reporting that Sachkov’s arrest is based on suspicion of treason, specifically the transfer of classified information to foreign agencies which allegedly “employed” the executive.  However, the agency says he has not “admit[ted] guilt in transferring intelligence data to foreign special services.” The case against the cybersecurity executive is confidential, and so there are no further details available concerning the allegations.  A court order will keep the 35-year-old in custody for two months. 

    Sachkov was picked for the 2016 edition of the Forbes Under-30 entrepreneur list and has previously met Russia’s President, Vladimir Putin. Group-IB maintains the innocence of its executive, as well as his “business integrity.”

    “Group-IB’s communications team refrains from commenting on the charges brought and the circumstances of the criminal case due to the ongoing procedural activities,” the firm added. In the meantime, lawyers for the firm are on the case, and Group-IB co-founder Dmitry Volkov will assume leadership, at least for now. The cybersecurity company says that all of Group-IB’s divisions will continue to operate as normal.

  • Google just patched these two Chrome zero-day bugs that are under attack right now

    For the second time this month, Google has patched two previously unknown or ‘zero-day’ security flaws in Chrome that are already being exploited by attackers.

    Google has released a stable channel Chrome update for Windows, Mac and Linux machines to address two zero-day flaws affecting the most popular browser on the web. The update pushes Chrome up to version 94.0.4606.71. Due to the attacks, it’s prudent for organizations and consumers to update as soon as it becomes available. Google says it will roll out in the “coming days/weeks”.

    The update includes four security fixes for Chrome, including the two zero-days. One of them, a high-severity flaw tracked as CVE-2021-37975, is in Google’s hard-to-protect V8 JavaScript engine and was reported by an anonymous researcher. Another, a medium-severity flaw tracked as CVE-2021-37976, is an “information leak in core” and was reported by Google’s Threat Analysis Group (TAG) with assistance from Google Project Zero security researchers.

    “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google said in release notes.

    These latest two flaws mean Google has patched 12 zero-days in Chrome since the beginning of 2021. Google patched two zero-day Chrome flaws on September 13, marking its 10th zero-day patch for the year.

    TAG is the group at Google specializing in tracking state-sponsored attackers and has previously uncovered nefarious activity from North Korean hackers and attacks on iOS and mainstream browsers.

    Google Project Zero researcher Samuel Groß recently kicked off a project to resolve V8 bugs, which he noted are particularly dangerous. “V8 bugs typically allow for the construction of unusually powerful exploits,” Groß warned. These bugs are also resistant to modern hardware-assisted mitigations.

    Details of the two new Chrome bugs haven’t yet been added to Google Project Zero’s “0-day in the wild” tracker. After adding these Chrome bugs, the list would include a total of 48 zero-day bugs found to have been exploited in the wild since the beginning of 2021. These bugs have affected software and hardware from Google, Apple, Adobe, Microsoft, Qualcomm, and ARM.

    Google Project Zero and TAG say there has been an uptick in zero-day exploits this year, but what that means in terms of offense and defense is less clear. “There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild. The attackers behind 0-day exploits generally want their 0-days to stay hidden and unknown because that’s how they’re most useful,” Google’s security researchers wrote.

    The rise in zero-days could be because defenders are getting better at identifying and detecting them. But it could also be because attackers are using them more frequently because there are more platforms to attack and there are more commercial outfits selling governments access to zero-days, thus reducing the need for technical skills to use them.

  • Android, Java bug hunting tool Mariana Trench goes open source

    Facebook has released the Mariana Trench bug hunting software to the open source community.

    This week, Dominik Gabi, a Facebook software engineer, said in a blog post that Mariana Trench was originally an internal tool for the company’s security engineers but has now been released to the public “to help scale security through building automation.”

    Mariana Trench (MT) is a tool for finding vulnerabilities in Android and Java, with a particular focus on examining code in Android applications. According to the tech giant, MT is able to scan “large mobile codebases” and will alert users to potential security problems found in the code by analyzing data flows prior to production.

    MT homes in on data flows as a common source of bugs, whether because of incorrect data exposure or collection, or because they contain flaws that allow for the injection of malicious packages. MT scans the sources of information and its sinks, tracking possible paths, and then computes models using static analysis to hunt for errors and issues in the codebase.

    “A security engineer would start by broadly defining the boundaries of the data flows she is interested in scanning the codebase for,” Facebook explained. “If she wants to find SQL injections, she would need to specify where user-controlled data is entering the code, and where it is not meant to go. However, this is only the start — defining a rule connecting the two is not enough. Engineers also have to review the identified issues and refine the rules until the results are sufficiently high-signal.”

    Facebook warns that this tool is only one addition to a security engineer’s arsenal, and false positives prior to production need to be considered. “In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives,” the company says. “This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.”

    MT is now available on GitHub and a binary distribution has also been released on PyPI. In addition, Facebook has released the Static Analysis Post Processor (SAPP), a tool for analyzing MT results.

  • Digital transformation is creating new security risks, and businesses can't keep up

    Business strategies around technology are constantly evolving. Usually it’s a process that takes time, carefully plotted out in order to avoid disruption. But that wasn’t the case when many office workers were rapidly shifted over to remote working for the past 18 months. Employees who might not have experienced remote working suddenly found themselves working from a laptop on their living-room table, kitchen worktop or bedroom as a result of the pandemic.


    The sudden shift may have helped organisations keep operating, but for many it also came at the expense of cybersecurity.

    Organisations had to transform their business processes, but security didn’t necessarily keep pace, says Ian Wood, head of technology for UK and Ireland at enterprise data management software company Veritas. “That was more of an afterthought — it was all about ‘how do I get up and running, how do I transform the business?’ Not thinking about how to secure things,” he adds.

    And it’s not just offices that were forced to change. For example, bars and restaurants suddenly found that, due to social distancing rules, they had to alter how they worked. Customers couldn’t queue up to order their food and drinks, so pubs and bars had to provide digital ordering services.

    “Pubs which didn’t have much IT infrastructure suddenly had to adopt a huge amount of it,” says Wood. But without guidance some struggled, with privacy activists expressing concerns over the amount of information these applications were collecting — particularly when a lack of experience with collecting and storing all this data could lead to issues with information not being correctly secured.

    The rush to build new systems caused by the pandemic is an extreme example of digital transformation — one done with a deadline of days, rather than months or even years. However, the same problem — cybersecurity as an afterthought — is also a significant risk in long-term projects.

    Some boardrooms are focused primarily on efficiency and the bottom line — and when spending on applications and tools to help keep the company secure cuts into those areas, there’s reluctance to spend the money.


    “There’s this split between the business decision and the view of the business risk, and then the view of the cyber risk, and at the moment, the two can’t combine, don’t collaborate and don’t come together in the way that they need to,” says Lorna Rea, consultant for central government at BAE Systems.

    That split in decision making means that in some cases of digital transformation, rolling out new ways of doing things takes priority over making sure the methods of doing business are secure. For example, digital transformation projects tend (obviously and inevitably) to involve doing more with technology. From a security point of view, that means they can expand the potential attack surface of the organisation — unless that risk is understood and tackled.

    “Security just isn’t keeping pace with the digital transformation. Organisations have finite resources, and it’s very difficult to mobilise the limited resources,” says Alastair Williams, director of solutions engineering for EMEA at Skybox Security.

    But even if organisations have limited resources, that doesn’t mean that cybersecurity should simply be ignored: falling victim to a data breach or ransomware attack could cost a business much more than implementing cybersecurity practices ever would. And that’s without the ongoing damage that could be caused if consumers and partners lose faith in a business because it fell victim to an avoidable cyberattack.

    Digital transformation in many cases means investing in cloud computing services. And the basics of securing cloud services are a well-understood, if sometimes ignored, practice. For example, securing the cloud means ensuring that multi-factor authentication (MFA) is applied to every user. Then, if usernames and passwords are breached, there’s an additional step that can prevent attackers from gaining direct access to the network. Some executives might grumble that MFA cuts down productivity, because people need to take a little time out to verify their identity — but it’s one of the most effective actions that can be taken to help prevent unauthorised access to company services.

    Ultimately, when looking at digital transformation, one of the best ways to help ensure data protection is prioritised is to invest in an information security team and involve them in every step of the journey. There might sometimes be tension between the business and information security units, but such integration will ultimately ensure that security is baked into the whole process. “Have your security consultants embedded, so the decisions are being made together as a collaborative team,” says Rea.

    One of the key benefits of digital transformation is that employees can collaborate from anywhere. But to make sure they can do that securely, cybersecurity needs to be a key part of the process from the very start.

  • Westpac expands digital gambling block to include additional debit cardholders

    Westpac Group has announced the expansion of its digital gambling block feature to St George, BankSA, and Bank of Melbourne debit cardholders. When the feature was initially released in March, the gambling block feature was available to all Westpac Group credit card customers, as well as Westpac debit card customers.

    The gambling block feature enables customers to apply an instant block on gambling-related transactions to certain gambling merchants, including casinos, sports betting agencies, and online gambling companies, through their mobile banking app or online banking. Customers can also contact the banks’ customer care teams to apply the block.

    As part of the update and to prevent underage gambling, a gambling block will also be automatically applied to all Westpac Group debit cardholders under the age of 18, Westpac added.

    According to Westpac customer vulnerability and financial resilience director Catherine Fitzpatrick, since launch, the feature has been activated more than 30,000 times. “Problem gambling continues to be a serious issue in Australian communities, and as more people transact online during the pandemic, the digital feature gives customers the ability to manage their gambling spend whenever they might need it,” she said.

    “The benefits of being able to apply a block in real-time also gives customers more control and flexibility in the moment.”

    Taking this next step by Westpac reinforces an argument that both Visa and Mastercard have each put forward in their response to a question on notice from the Parliamentary Joint Committee on Corporations and Financial Services. The question was about who should be responsible for handling credit card gambling blocks, if they were to be implemented.

    As Mastercard puts it, it does not see all card transactions that carry its brand — only the banks do — and therefore recommends that if any form of payment blocking were to be mandated in Australia, the responsibility should fall with the issuing bank, rather than the card scheme.

    “A typical transaction on the Mastercard network involves four participants in addition to us: The cardholder, merchant (a business who accepts payment for goods or services provided), issuer (the cardholder’s financial institution) and acquirer (the merchant’s financial institution) … in most cases, cardholder relationships belong to, and are managed by, our bank or financial institution customers,” it said.

    “Mastercard understands some Australian banks have already made the decision to prohibit the use of credit cards to pay for gambling transactions. In some cases, the decision is based on commercial considerations as gambling transactions tend to result in a greater number of disputed transactions compared to other, non-gambling, transactions.

    “Some card issuers have card controls that allow cardholders to block certain transaction types or issuers can do it directly at switch/card management level.”

    Similarly, Visa believes banks can use their existing real-time monitoring capabilities to apply blocks based on merchant category, as they do in the face-to-face environment.

    “Visa’s licensing and transaction processing processes do not distinguish between acceptance of credit, debit, or prepaid transactions. The Visa rules prohibit acquirers from submitting illegal transactions into the Visa payment system. To comply with this requirement, acquirers must ensure that their merchant’s transaction activity is legal in both the buyer’s and seller’s jurisdiction,” Visa said in its response.

    “In the event of any conflict between the Visa rules and any applicable laws or regulations, the requirements of the laws or regulations of course govern. Based on the above, issuers would be best placed to execute the block should a regulation be introduced.”

    This was the same argument Tabcorp put forward when it fronted the committee in early September. At the time, the gaming giant supported the call for banning credit card use by Australians on online gaming platforms, such as betting apps, but believes such a mandate should be the responsibility of banks.

    “If we got more information from the banks that a card was suspect, we could shut it down. If the banks notified us that this was a problem, we would be able to stop dealing with that problem, but this flow of information doesn’t happen,” Tabcorp CEO David Attenborough said.

    Tabcorp reiterated the point again in response to a question on notice, outlining that banks are “best placed to do so, and many have already proceeded with restricting gambling transactions, even without legislation. Banks are also best placed to determine a customer’s credit worthiness”.

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:

    • Suicide Call Back Service on 1300 659 467
    • Lifeline on 13 11 14
    • Kids Helpline on 1800 551 800
    • MensLine Australia on 1300 789 978
    • Beyond Blue on 1300 22 46 36
    • Headspace on 1800 650 890
    • QLife on 1800 184 527