More stories

  • Maybe the Android way of updating smartphones is better than the iOS model after all

    Today will see Google lift the lid on Android 12. And if it’s like previous versions, the way that most Android users will get to see this is if they buy a new smartphone.

    Currently, based on StatCounter data, about 12% of Android devices run the latest Android 11, behind Android 9 (sitting at 30% and declining) and Android 10 (at 18% and declining). Android 11, released September 2020, will see its market share continue to grow over the coming months until Android 12 gets some traction, and will be around for years to come. And the cycle repeats.

    This is very different to iOS, where Apple aggressively pushes it to hardware hard and fast. Over 70% of iPhones are running iOS 14.4 or above, and remember, that version was released at the end of January of this year.

    I used to think that the Android way of updating was broken. Handsets were slow to get updates, and very few got upgraded to a new Android release. This risked the Android ecosystem becoming a toxic hellstew of security vulnerabilities. But things have changed.

    First, more Android handsets are getting timely security updates, which is a good thing. The prime reason for updating is to keep up with the endless torrent of security bugs and vulnerabilities.

    Another thing that’s happened is that Apple has shown me the downsides of a constant stream of updates that not only patch bugs, but bring new features. They bring more bugs with them.

    Over the past few years, I’ve watched iOS releases become increasingly buggy, despite what seems like a very active beta test regime. The last few years of releases have started out buggy, and then had a stream of buggy updates before finally hitting some sort of stable ground. Just in time for another release.

    Right now, iOS is a buggy hellstew of performance issues, battery issues, and weird, long-term bugs like the notification problems that seem to be ongoing.

    Having spoken to a few people at Apple, it’s not clear what the issue is. Some cite the aggressive yearly update cycle combined with updates throughout the year. Others say that there’s a pressure to add more and more features, while one said that the size of the ecosystem and the support for too many older models was causing issues. Whatever the reason, there’s no sign of things getting better.

    Right now, I’d much rather Apple separated security updates and bug fixes from feature updates so we could have the choice to get patches but keep the rest of the platform the same. You know how you can get too much of a good thing. I feel that’s where I am with iOS updates. I used to eagerly await new releases. Now I wonder what new bugs and hassles the updates will bring.

    Maybe the Android model is the best way after all.


  • LastPass password manager fine-tunes its multi-factor authentication options

    The new LastPass app combines functionality for business and consumer customers.

    One of the most crucial steps in securing a modern business computing environment is to add multi-factor authentication (MFA), so that an attacker who steals credentials can’t gain access to protected resources. According to a 2019 Microsoft study, requiring the use of an additional authentication factor besides a password blocks 99.9% of automated attacks on cloud-based services. A separate report from Google from around the same time came to a similar conclusion.

    That fact explains why the developers of password management software are creating tighter links between their products and MFA technologies. The latest entrant is the widely used LastPass, which today announced the release of a new LastPass Authenticator mobile app.

    The new app consolidates functionality that was previously split into two apps, with a separate LastPass MFA app for business customers. According to Akhil Talwar, Director of Product Management for LastPass parent company LogMeIn, the availability of two apps was confusing to some consumer customers, who inadvertently downloaded the wrong solution.

    The updated app is available for Android devices today and should be available for iOS devices in the next week. The LastPass MFA app will continue to work for business customers that have deployed it, although the company expects those customers to migrate to the new app over time.

    LastPass isn’t the first technology company to make this sort of move. Microsoft similarly offered two authenticator apps, one for Microsoft accounts and the other for business and enterprise accounts running under Azure Active Directory, before releasing a unified Authenticator app in 2016.

    The new LastPass app should be familiar to anyone who’s used similar apps like Google Authenticator or Authy. (For an overview of the technology, see “Better than the best password: How to use 2FA to improve your security.”) Compared to the bare-bones Google solution, the updated LastPass Authenticator offers a few usability advantages, including the ability to sort, search, and filter a long list of saved MFA providers. Like Authy and Microsoft Authenticator, the LastPass app also includes the ability to back up and restore configurations and to save manual backup codes in the LastPass vault.

    The new app also supports passwordless logins on accounts that support Security Assertion Markup Language (SAML). So, for example, a user who has paired the LastPass app with an Azure AD account can sign in to a Windows workstation by responding to a prompt rather than entering a TOTP code, similar to the mechanism that Microsoft Authenticator uses.


    For businesses, LastPass can also act as a full identity platform, offering enterprise-style single sign-on functions for smaller businesses, implemented with the help of a managed service provider. That sort of setup makes it easier to onboard new employees and securely shut off their access to protected resources when they leave the company.

    One feature you won’t see in the new LastPass app is combined access to passwords and MFA codes. That functionality is available in competing password managers like 1Password and recently debuted in Microsoft Authenticator. For now, Talwar says, LastPass customers are leery of combining both functions in the same app.

  • Ransomware: Patient data could be 'abused' after health service attack, warns Irish government

    There is a risk that sensitive medical information and other patient data will be leaked in the aftermath of a serious ransomware attack against Ireland’s health services, the Irish government has warned. Condemning any public release by the attackers of stolen patient data as “utterly contemptible”, officials have urged anyone who is affected to contact the Health Service Executive (HSE) or the authorities. 

    The HSE was the target of a “significant” ransomware cyberattack last week, which has caused country-wide disruptions to key healthcare and social services in hospitals and community centers.

    Ransomware is a form of malicious software deployed to encrypt a victim’s files, with the attacker then demanding a ransom in exchange for restoring access to the data.

    The HSE is working with Ireland’s National Cyber Security Centre (NCSC), and experts have already confirmed the attack as a human-operated ransomware variant known as “Conti”. A remote-access tool called Cobalt Strike Beacon was found on the HSE’s systems, which was used by the hackers to move within the computer networks before launching the attack and demanding a ransom.

    Conti deploys what are known as “double extortion” attacks, in which the hackers threaten to make the stolen information public if the ransom isn’t paid. In cases such as this one, it could mean that sensitive patient health data could end up leaked online.

    The Irish government has already confirmed that it will not give in to the attackers’ demands, and prime minister Micheál Martin ruled out paying any ransom.

    “This attack on Ireland’s health care system and its patients was carried out by an international cyber-crime gang. It is aimed at nothing other than extorting money and those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen,” said the government in a press release. “There is a risk that the medical and other data of patients will be abused,” it added.

    The Garda authorities’ National Cyber Crime Bureau is investigating the exact origin of the hack together with international partners in the EU. Early reports from broadcaster RTE indicate that the gang behind the attacks is the eastern Europe-based “Wizard Spider” group.

    IT systems across the HSE, which were all immediately taken down as a precautionary measure to contain the attack, remain temporarily shut down. This means that some patients are seeing delays in access to care, notably as a result of very limited access to diagnostics, lab services and historical patient records. Emergency services as well as the national ambulance service are still running, and the HSE reported that vaccinations against COVID-19 and test-and-trace are operating. The most common impact of the attack is seen in radiology and laboratory systems.

    The HSE is working at speed to restore computer systems, which involves wiping, re-building and updating all the infected devices, before using offsite backups to restore the systems safely. There are up to 2,000 systems to go through and around 80,000 devices to check, all connected to an IT infrastructure that has grown over the course of 30 years. In other words, it could be some time before the situation is fully resolved, and the HSE expects disruptions to continue well into this week.

    “Hundreds of people are working flat out in response to this despicable cyber attack on our health system and on patients. We’re focused on getting health services and appointments for patients back on track as quickly as possible,” tweeted Stephen Donnelly, the minister for health. “Some priorities include radiation oncology, diagnostics, lab services and patient admin systems. While it may take weeks to get all systems back, steady progress is being made, starting with services for the most urgent patients.”

    The country’s Department of Health (DoH) also reported an attempted cyberattack just one day before the HSE was targeted, but a combination of antivirus software and other tools deployed as part of an investigation by the NCSC enabled the attack to be stopped before it detonated. The aborted hack is believed to be part of the same campaign targeting the HSE, said the NCSC.

  • Supply chain hacking attacks: Government eyes new rules to tighten security

    With software supply chain attacks on the rise, the UK government is proposing new rules to mitigate the threat of breaches through trusted software that’s been tampered with by cyberattackers. The Department for Digital, Culture, Media and Sport (DCMS) has put out a call for views on the new rules, which may require IT service providers and managed service providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.

    “As supply chains become interconnected, vulnerabilities in suppliers’ products and services correspondingly become more attractive targets for attackers who want to gain access to the organisations,” the government said. “Recent high-profile cyber incidents where attackers have used Managed Service Providers as a means to attack companies are a stark reminder that cyber threat actors are more than capable of exploiting vulnerabilities in supply chain security, and seemingly small players in an organisation’s supply chain can introduce disproportionately high levels of cyber risk.”

    DCMS research found that only 12% of organizations vet suppliers for cybersecurity risks, and only about 5% address the vulnerabilities in their wider supply chain.

    The UK government is particularly concerned about the risks posed to the nation’s businesses and agencies from IT outsourcing, pointing to attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. The new rules could mean that MSPs will need to meet the UK’s Cyber Assessment Framework (CAF), putting this sector under the same cyber requirements imposed on UK critical infrastructure providers.

    The CAF aims to ensure relevant sectors have policies to protect devices and prevent unauthorised access, ensure data is protected at rest and in transit, secure backups, and provide cybersecurity training for staff.

    The UK’s National Cyber Security Centre (NCSC) in February warned that supply chain attacks are on the rise, pointing specifically to attacks on software build pipelines.

    Software supply chain risks came into focus after hackers breached SolarWinds’ enterprise network monitoring software Orion to compromise key US government agencies and the nation’s top cybersecurity firms. Microsoft president Brad Smith called the attack, which the US and UK have blamed on Russian intelligence, “a moment of reckoning” for the US tech and cybersecurity sector.

    The US is also on high alert over software supply chain attacks, given SolarWinds’ impact on the US tech sector, and the ransomware attack on Colonial Pipeline. US president Biden last week signed an executive order that mandates federal agencies to implement multi-factor authentication within 180 days and encrypt data both at rest and in transit.

    Tech companies are also facing potentially disruptive new laws in Australia via the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which would encompass cloud providers along with traditional critical infrastructure operators. Microsoft has objected to the proposed legislation because it would allow government agencies to direct a company’s response to a cyberattack and request information from it. Cisco, Salesforce and Amazon Web Services (AWS) are also lobbying against the bill.

  • FBI receives record level of complaints for online scams, investment fraud

    The FBI says that complaints concerning online scams and investment fraud have now reached a record-breaking level.

    The FBI’s Internet Crime Complaint Center (IC3) received its six millionth complaint on May 15, 2021. While it took close to seven years for the IC3 to register its first one million reports, it took only 14 months to add the latest million.

    According to the US agency, annual complaint volumes increased by close to 70% between 2019 and 2020. The most common crimes reported were phishing scams, schemes relating to non-payment or non-delivery, and extortion attempts.

    The coronavirus pandemic paved the way for new kinds of scams over 2020, many of which centered around fake vaccination appointment requests, online delivery notifications — a popular phishing method made even more so due to stay-at-home orders — and spam sent under the names of agencies such as the World Health Organization (WHO).
    IC3 says that the most money is lost through three forms of online scam:

    - Business email compromise (BEC): BEC scams, usually crafted through social engineering and phishing, target businesses and attempt to dupe employees into paying for non-existent services, thereby transferring money belonging to a business into an account controlled by cybercriminals.

    - Romance and confidence scams: These can include the stereotypical scheme in which scammers will pull on the heartstrings of victims to pressure them into sending money, as well as sextortion. Recent cases reported by UK police included scammers that conducted video chats with potential ‘matches,’ asking them to perform sexual activities on camera, and then blackmailing them for money. In January, Interpol warned of an increase in dating apps being used by fraudsters to connect to potential victims and, once trust is established, con them into signing up for fake investment opportunities.

    - Investment fraud: These can include pump-and-dump schemes for worthless stock, as well as cryptocurrency or other investment plans that promise guaranteed returns far beyond initial investments.

    “The increase in crimes reported in 2020 may have also been due in part to the pandemic driving more commerce and activities online,” the FBI says. “The latest numbers indicate 2021 may be another record year.”

    On May 17, the US Federal Trade Commission (FTC) warned that consumers have lost over $80 million to cryptocurrency investment scams since October 2020. Renewed interest in the cryptocurrency space, touted by celebrities including Elon Musk, has unfortunately also led to an increase in cryptocurrency-related scams. The FTC says that close to 7,000 reports of cryptocurrency fraud were received from US consumers in the last quarter of 2020 and Q1 2021. The average loss faced was $1,900 per victim.

  • Asia division of cyber insurance company AXA hit with ransomware attack

    One of the world’s biggest cyberinsurance companies, AXA, was hit with a ransomware attack at its offices in Asia this weekend by the noted ransomware gang Avaddon.

    In a statement to ZDNet, a spokesperson for AXA Partners said a targeted ransomware attack disrupted its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines. Certain data processed by Inter Partners Asia in Thailand has been accessed, the spokesperson explained, but there was no evidence any other data was accessed. The company has hired a forensic team to investigate the incident and said it notified business partners as well as regulators while it prepares to support all of the clients who may have been impacted.

    The Avaddon group wrote on its dark web site that it has already taken three terabytes of data from AXA Group and that the files include information like passports, ID cards, denied reimbursements, contracts, customer claims, payments to customers, bank account information, files from hospitals about fraud investigations and medical reports that had sensitive information about patients. The group even posted samples of the data.

    DomainTools researcher Chad Anderson said the people behind the Avaddon ransomware gang had posted about their latest victim on a dark web page, sharing with ZDNet a screenshot of the group’s list of targets as well as timers for how long each victim has until the ransom will be demanded.
    The companies on the list include AXA Group, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, Henry Oil & Gas, the Indonesian government’s airport company PT Angkasa Pura I, and Acer Finance. Both the FBI and Australian Cyber Security Centre released warning notices last week about Avaddon’s ransomware tactics. 

    AXA has about three days left, according to Anderson, before Avaddon members have said they will begin leaking the company’s documents.

    The cyberinsurance company has been in the news recently because it pledged to stop reimbursing customers in France who had been hit by ransomware attacks and decided to pay the ransom. The decision was made after pressure from French regulators who said the insurance payouts were fueling higher ransom payments and making the crimes lucrative for the gangs behind them.

    “In total, since their discovery in June 2020, the Avaddon gang has published data on dozens of victims on their dark web site, following the now common double-extortion technique amongst ransomware operators,” Anderson said. “Avaddon also maintains an affiliate program where they recruit hackers from underground forums to deploy their ransomware. This most recent intrusion shows that the human operators behind these ransomware families continue to hone their skills and become continually faster at deploying on victim networks.”

    Cybersecurity experts said it was impossible to ignore the timing of the attack. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said Avaddon may have been targeting AXA to make an example of companies challenging their business goals. But on a deeper level, Clements said it was proof that almost all organizations are vulnerable in some way or on some level and that the scale and complexity of modern networks makes it nearly impossible to plug every potential hole.

    “Couple this with the fact that ransomware gangs’ extortion earnings often give them higher budgets than their target teams’ defenders and it’s no wonder that ransomware is epidemic across the globe,” Clements said.

    Netenrich security advisor Sean Cordero added that for companies as large as AXA, it is often difficult to have sufficient visibility into the cybersecurity practices and controls across their business partners and subsidiaries. But the lessons learned from this attack, Cordero explained, may lead to better ways to collaborate for both the insured and insurer, as this attack implies a weakness in risk assessment, validation, or execution.

    “If an insurer like AXA struggles to validate their cyber capabilities and needs — what is the chance that they may have incorrectly assessed the risks across their portfolio of cyber insurance clients?” Cordero asked. “I imagine that the professionals responsible for achieving positive returns on cybersecurity policies may have renewed discussions with assessors and underwriters in the wake of this most recent incident.”

  • Android stalkerware detection rates surged over 2020

    Android stalkerware and spyware detections surged by 48% over the past year, and not only do these apps invade user privacy, their vendors do not appear to care about tackling vulnerabilities found in their creations.

    This week, ESET researcher Lukas Stefanko released telemetry data focused on Android stalkerware detection, revealing that usage of these dubious apps began to climb in 2019 — with a five-fold increase reported in comparison to 2018 — and this trend continued in 2020, highlighting their ongoing popularity.

    ESET’s findings are corroborated by past research from Kaspersky, which found that stalkerware infections grew by 40% in 2019.

    Stalkerware is a term coined to describe the most invasive types of spyware that are often paid for, and used, by people close to home rather than unknown threat actors.

    These types of software can be covertly installed on a PC or mobile device and will track a user’s activities in a deep violation of privacy, with data gathered including their GPS location (where available), call logs, contact lists, SMS communication, social media usage, browser history, and more. Data harvested by these apps are then sent to an operator. In the case of mobile stalkerware, the operator often needs to have obtained physical access to side-load the malware, and so users tend to be close family, spouses, or parents. They may also be used by businesses to monitor employees.

    While many of these apps are marketed as a way to monitor children in the interest of safety, the invasive nature of these apps is generally thought to make them unethical. Just because something is marketed as a safety net for minors does not mean it cannot be used to track a spouse, for example — and in either case, regardless of the age of the one being stalked, rights to privacy may be abused.

    According to Stefanko, a recent analysis of stalkerware available for the Google Android mobile platform revealed many vendors tout their wares as a means to protect not only children, but also employees and women. The vendors producing them for financial gain also do not appear to care that inherent — and expansive — security vulnerabilities contained in their apps are also putting ‘users’, and customers, at risk in other ways.

    “If nothing else, stalkerware apps encourage clearly ethically questionable behavior, leading most mobile security solutions to flag them as undesirable or harmful,” the researcher says. “However, given that these apps access, gather, store, and transmit more information than any other app their victims have installed, we were interested in how well these apps protected that amount of especially sensitive data.”

    In short, they didn’t. An examination of 58 Android stalkerware apps, provided by 86 vendors, revealed a total of 158 security issues (.PDF). These included the insecure transmission of sensitive data, command injection flaws, data leaks, information left on servers after accounts were deleted, and exposure of both source code and admin credentials. Not only was the victim’s data mishandled in many cases, but the bugs also impacted the security of the vendors themselves and their stalker customers.

    The vulnerabilities were reported to the affected vendors, but only six developers have fixed their software, seven have made promises to patch that are yet to be kept, and 44 did not respond at all to ESET’s disclosure.

    “The research should serve as a warning to potential future clients of stalkerware to reconsider using software against their spouses and loved ones, since not only is it unethical, but also might result in revealing the private and intimate information of their spouses and leave them at risk of cyberattacks and fraud,” Stefanko commented.

  • Services Australia has reported five data breaches since July 2019

    Since the start of the 2019 financial year, Services Australia has reported a total of five eligible data breaches to the Office of the Australian Information Commissioner (OAIC).

    According to the agency, the five breaches reported in the financial years 2019-2020 and 2020-2021, up until 12 April 2021, all involved human error. Revealed in response to questions taken on notice, Services Australia said 232 people have been affected by the breaches, as at 12 April.

    “The [eligible data breaches] occurred in the context of the agency’s many millions of customer interactions each year,” it declared. “For example, the agency had approximately 395 million customer interactions in 2019-2020.”

    For each eligible data breach, Services Australia said it takes appropriate remediation steps, including notifying affected customers, providing further training and education for staff, and reviewing and improving agency processes and procedures.

    Services Australia in March admitted it had reported a total of 20 cybersecurity incidents to the Australian Cyber Security Centre (ACSC) in 2019-20, covering its responsibility across the Department of Social Services, the National Disability Insurance Agency, and the Department of Veterans’ Affairs, in addition to its own IT shop. The ACSC reported receiving a total of 436 notifications from government entities.

    Of those 20 incidents, the agency has now added that none involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breaches (NDB) Scheme.

    The NDB scheme came into effect in February 2018. It requires agencies and organisations in Australia that are covered by the Commonwealth Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.

    As detailed in the OAIC’s latest report, Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year. The Australian government accounted for 6% of the total, with 33 notifications.

    Services Australia said internally it completed 125 investigations into unauthorised access of information by staff in the period spanning 1 July 2020 to 28 February 2021.

    “Unauthorised access to information by staff is access to agency information, which could include personal information, that they have no legitimate business reason to access, including individuals accessing their own data,” Services Australia clarified.

    It said none of those investigations led to a referral to the Commonwealth Director of Public Prosecutions. However, Services Australia said it took administrative disciplinary action in response to a number of those investigations, ranging from formal warning letters to termination of employment.

    “None of the investigations involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breach Scheme,” it added.

    Elsewhere during Senate Estimates in March, the Department of Home Affairs took on notice a handful of questions related to ransomware, such as the number of criminal investigations of ransomware attacks against Australian organisations opened by the Australian Federal Police (AFP), the number of ransomware-related investigations underway, and the number of law enforcement operations against ransomware groups initiated in foreign jurisdictions that the AFP participated in.

    In response, Home Affairs listed the five potential offences that can be used to penalise ransomware-related activities. It did, however, confirm at least one charge has been laid by the AFP.

    “In the last 12 months, the AFP charged at least one individual in Australia with criminal offences related to ransomware,” it wrote. “The AFP is unable to include comprehensive statistics because of the lack of explicit provisions against ransomware offences as outlined.”

    The Department of Finance, meanwhile, responded to questions asked of it during March estimates, specifically related to the shared enterprise resource planning (ERP) technology platform, GovERP.

    Initially unveiled as part of the 2017 Budget, AU$89.5 million across three years was allocated to consolidate and streamline back-office corporate functions in the Australian Public Service. Finance was asked how much of the funding had been spent on those external to the department.

    GovERP has received funding of AU$67.1 million over the two years 2019-20 and 2020-21. Of this, Finance said AU$35.5 million has been spent to date on contractors and consultants.

    “The program will implement a new technology in which the APS has not yet developed expertise,” Finance said. “The majority of contractors and consultants are engaged to provide specialised skills and services to support the program, many of which are small to medium enterprises, particularly with respect to ICT labour.”

    GovERP has been funded for a further two years as part of the 2021-22 federal Budget, but the dollar amount has been listed in official documents as not for publication due to “commercial sensitivities”.