More stories

Pipeline ransomware attack: US invokes emergency transport rules to keep fuel flowing

The US Department of Transportation (USDOT) has invoked emergency powers in response to the Colonial Pipeline ransomware attack in order to make it easier to transport fuel by road. The ransomware attack, disclosed late last week, impacted the pipeline company, which is responsible for supplying 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military.

Colonial said it is developing a system restart plan and said that while its mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational.

“Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” the company said.

In the meantime, the USDOT’s Federal Motor Carrier Safety Administration (FMCSA) has issued a Regional Emergency Declaration, which grants temporary exemptions from laws restricting the road transport of fuel and allows drivers to work for longer. The exemptions apply to vehicles transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.

“Such emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the affected states,” FMCSA said in a statement.

Cybersecurity experts told Reuters today that the ransomware group DarkSide is suspected to have carried out the attack on Colonial Pipeline. DarkSide runs a ransomware-as-a-service business that other cybercrime groups can rent. It has been active since mid-2020 and, although a decryptor was released in January, security firm Cybereason noted that the group recently released DarkSide 2.0. The group is known for stealing some data as well as encrypting it, and for using the threat of exposing that data on the internet as leverage to make the victim pay the ransom.

FMCSA’s exemption is aimed at providing commercial tanker operators regulatory relief while directly supporting emergency efforts to patch up fuel supply shortages “due to the shutdown, partial shutdown, and/or manual operation of the Colonial pipeline system”.

The shutdown of Colonial Pipeline might affect fuel prices, depending on the length of the disruption. Gaurav Sharma, an independent oil market analyst, told the BBC that a lot of fuel is banking up at Texas refineries. “Unless they sort it out by Tuesday, they’re in big trouble,” said Sharma. “The first areas to be impacted would be Atlanta and Tennessee, then the domino effect goes up to New York.”

Colonial Pipeline confirmed on Sunday it was the victim of ransomware and said it had engaged an external cybersecurity firm to assist with its recovery effort.

Parliamentary Services pulled MDM system offline causing March APH outage

Image: Asha Barbaschow/ZDNet

The Australian Department of Parliamentary Services (DPS) has said its March outage was the result of a “deliberate choice” to shut down its mobile device management (MDM) system after it saw an attempted intrusion on the parliamentary network.

“The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said in response to Senate Estimates Questions on Notice. “To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

Nevertheless, DPS also said the legacy MDM system was still being used in a limited capacity. “DPS took two paths to restore services to PCN mobile devices. For some users it was possible to restore services using the legacy MDM in a limited capacity,” it said. “These users were utilising a component of the legacy MDM that did not contain vulnerabilities.”

It added that the MDM replacement had been piloted for three months leading up to the incident, which is why the introduction of the planned replacement could be brought forward. The department added it had seen no evidence of any email accounts being compromised due to the attack, and that the attack had nothing to do with the recent Exchange vulnerabilities.

DPS said the Senate President would provide further information and “material not appropriately disclosed in the public domain” to the Senate Appropriations, Staffing and Security Committee. In response to another question asking DPS to list all outages impacting connectivity and email from the 2019-20 fiscal year to the present, the department said answering was not appropriate.

Last month, ASIO Director-General Mike Burgess said he was not concerned by the outage. “As the director of security, I’m not concerned, by what I’ve seen,” he said. “From my point of view of, ‘Is espionage or cyber espionage being occurred?’ I’m not concerned by that incident.

“Of course, in the broad, any network connected to the internet is subject to that frequently and the levels of cyber espionage attempts in this country are pretty high, so I remain concerned about that and through the actions of others, the [Australian Cyber Security Centre] that is dealing with the terms of that outage, I am not concerned.”

User 'opt-in' rate for tracking across iOS sitting at 13% globally

Image: Flurry Analytics

Apple’s app tracking transparency tool, which lets users decide whether they agree to their data being tracked, began rolling out as part of iOS 14.5 last month. The feature requires apps to get users’ permission before tracking their data across other companies’ apps or websites for advertising purposes. When asked by users not to track their data, apps will also have to refrain from sharing information with data brokers.

But when given the choice, many users are denying permission for apps to gather tracking data. According to a report from Verizon Media-owned Flurry Analytics, only 13% of global iOS users had allowed apps to track them by the second week of the feature being enabled. As first spotted by Apple Insider, only around 5% of daily users in the United States were allowing tracking by week two.

The Flurry report was compiled from aggregated insights across 2 billion mobile devices. It updates daily, and ZDNet last accessed the data on Monday, 10 May 2021 at 9:30am AEST. It also found that around 5% of iOS users have “restricted” app tracking, meaning apps cannot ask those users to be tracked. This figure is 3% in the US.

If users select “Ask app not to track”, the app developer won’t be given access to the device’s advertising identifier, which is often used to collect advertising data; and apps that continue to track users who have opted out run the risk of being evicted from the App Store altogether.

Ransomware just got very real. And it's likely to get worse

There’s just been another ransomware attack, but this one could have more significant consequences than the many that have come before.

Late last week, Colonial Pipeline, which accounts for 45% of the US East Coast’s fuel, was forced to shut down its operations due to a ransomware attack against its systems. Even President Biden was briefed on the incident; it doesn’t get much more high profile than that.

So will such a significant incident lead to changes in how ransomware is tackled? Possibly, but it’s worth remembering that there have been plenty of damaging and high-profile ransomware attacks, across both the US and elsewhere, without police or governments coming up with a way of tackling these gangs. That’s largely because the ransomware problem is actually a knotty set of interconnected problems, all of which defy easy solutions.

Certainly many companies need to take cybersecurity more seriously, and vendors need to focus more on selling software that is secure, and not just rushing it out to customers and (maybe) fixing it later. But forcing companies to spend money on cybersecurity with no obvious return is hard; obliging software companies to fix every fault before they ship their software would bring the industry to a halt.

Persuading police to take these cases seriously is another problem. Few forces have the expertise to tackle this sort of complicated investigation and, even if they did, tracking down the culprits is hard – and securing a conviction all but impossible. Many of these gangs operate from jurisdictions (such as Russia) that are very unlikely to hand over suspects for trial elsewhere. And every time a victim reluctantly pays the gangs, they are making the gangs stronger, and able to take on even more ambitious attacks, even against organisations that have invested in security.

But the bigger issue is that, as we connect more and more systems to the internet, the real world becomes more exposed to threats like this, which until now have only ever been a problem for the online world. That may focus the attention of governments and police a little more. If a ransomware attack means your company loses the sales data held on a few servers, no one – apart from you and your boss – is going to be too upset. But say those servers were running the traffic lights on a busy stretch of road, or running the x-ray machines at the local hospital – then the attack has a real-world impact.

The growth of interest in smart cities is one example of how this threat could evolve. The idea behind smart cities is that by using data better we can run cities more effectively and efficiently. In practice that means using all manner of sensors and Internet of Things devices to collect information and automate processes. But unless this is done with security in mind, it means that when the technology goes wrong, we could have big problems. As the UK’s cybersecurity agency, the NCSC, points out: “While smart cities offer significant benefits to citizens, they are also potential targets for cyberattacks due to the critical functions they provide and sensitive data they process, often in large volumes. The compromise of a single system in a smart city could potentially have a negative impact across the network, if badly designed.” Any sort of security threat to smart cities could be a problem, but ransomware seems to be the leading candidate for causing chaos right now.

So will anything really change any time soon? Well, having your activities brought to the attention of the President of the United States is never a good idea, even if ransomware gangs have themselves courted publicity for their attacks in the past as a way of putting pressure on their victims. Such a high-profile incident might put a bit of momentum behind efforts to tackle the problem. If more funds are made available to improve the security of creaking but vital infrastructure, that will be a step in the right direction. Making it harder to pay ransoms, or even banning payment in this context, would certainly bring short-term pain for victims but may in the longer term be a way of reducing attacks, too.

Of all the complicated problems that have allowed ransomware to flourish, it could be that the geopolitical challenge is one of the toughest to overcome. Sanctions and indictments have done little so far to stop the flood of attacks. But if the nations that still allow these gangs to operate could be persuaded that it’s no longer in their interests to let them do so, that could change the situation hugely.

Still, for now it’s hard to see that the threat of ransomware is going to go away any time soon. Even worse, as we put computers in charge of more of the real world around us, the problem is only likely to get worse.

ZDNet’s Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast's fuel

Colonial Pipeline, which accounts for 45% of the East Coast’s fuel, said it has shut down its operations due to a cyberattack. The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure. The company delivers refined petroleum products such as gasoline, diesel, jet fuel, home heating oil and fuel for the U.S. Military.

In a statement, Colonial Pipeline said:

“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies. Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

Colonial Pipeline’s shutdown, should it continue, may lead to supply shortages, since the pipeline covers so much territory in the US.

Cybersecurity warning: Russian hackers are targeting these vulnerabilities, so patch now

Russian cyber attacks are being deployed with new techniques – including exploiting vulnerabilities like the recent Microsoft Exchange zero-days – as its hackers continue to target governments, organisations and energy providers around the world.

A joint advisory by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), as well as the UK National Cyber Security Centre (NCSC), looks to warn organisations about updated Tactics, Techniques and Procedures (TTPs) used by Russia’s foreign intelligence service, the SVR – a group also known by cybersecurity researchers as APT29, Cozy Bear, and The Dukes. It comes after cybersecurity agencies in the US and the UK attributed the SolarWinds attack to Russia’s civilian foreign intelligence service, as well as several campaigns targeting Covid-19 vaccine developers.

“The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours,” said the alert.

The advisory warns that Russian cyber attackers have updated their techniques and procedures in an effort to infiltrate networks and avoid detection, especially where organisations have attempted to adjust their defences after previous alerts about cyber threats. This includes the attackers using the open source tool Sliver as a means of maintaining access to compromised networks, and making use of numerous vulnerabilities, including vulnerabilities in Microsoft Exchange. Sliver is an open source red team tool, used by penetration testers when legally and legitimately testing network security, but in this case it is being abused to consolidate access to networks already compromised with WellMess and WellMail, custom malware associated with SVR attacks.

Although the paper warns that this isn’t necessarily a full list, other vulnerabilities used by Russian attackers, all of which have security patches available, include:

CVE-2018-13379 (FortiGate)
CVE-2019-1653 (Cisco router)
CVE-2019-2725 (Oracle WebLogic Server)
CVE-2019-9670 (Zimbra)
CVE-2019-11510 (Pulse Secure)
CVE-2019-19781 (Citrix)
CVE-2019-7609 (Kibana)
CVE-2020-4006 (VMware)
CVE-2020-5902 (F5 Big-IP)
CVE-2020-14882 (Oracle WebLogic)
CVE-2021-21972 (VMware vSphere)

The attackers are also targeting mail servers as part of their attacks, as these are useful staging posts for acquiring administrator rights and gaining further network information and access, whether to build a better understanding of the network or as a direct effort to steal information.

But despite the often advanced nature of the attacks, the paper by US and UK cybersecurity authorities says that “following basic cyber security principles will make it harder for even sophisticated actors to compromise target networks”. This includes applying security patches promptly so that no cyber attacker – cyber criminal or nation-state backed operative – can exploit known vulnerabilities as a means of entering the network or maintaining persistence on it. Guidance by the NCSC also suggests using multi-factor authentication to help protect the network from attack, particularly if passwords have been compromised.
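The practical follow-up to an advisory like this is to check whether any of the listed CVEs are still open in your own estate and push those to the front of the patch queue. The script below is an added example written for this page, not code from ZDNet, the advisory or any of the agencies: it takes a vulnerability-scanner export (the CSV format, hostnames and non-advisory CVE identifiers are constructed for illustration) and orders the findings so that advisory-listed CVEs come first, then by severity, and groups the affected hosts per advisory CVE for assignment to system owners.

```python
"""Triage a vulnerability-scanner export against the CVE list published in
the CISA/FBI/NSA/NCSC advisory on SVR activity.

Added example for this page, not the advisory's or ZDNet's code. The CSV
layout, the hostnames and the CVE-0000-* identifiers are constructed;
only the ADVISORY_CVES entries come from the article.
"""
import csv
import io
from collections import defaultdict

# CVE identifiers as listed in the article, each with the product named beside it.
ADVISORY_CVES = {
    "CVE-2018-13379": "FortiGate",
    "CVE-2019-1653": "Cisco router",
    "CVE-2019-2725": "Oracle WebLogic Server",
    "CVE-2019-9670": "Zimbra",
    "CVE-2019-11510": "Pulse Secure",
    "CVE-2019-19781": "Citrix",
    "CVE-2019-7609": "Kibana",
    "CVE-2020-4006": "VMware",
    "CVE-2020-5902": "F5 Big-IP",
    "CVE-2020-14882": "Oracle WebLogic",
    "CVE-2021-21972": "VMware vSphere",
}

# Order in which scanner severities are worked; unknown labels sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner export (hypothetical hosts; CVE-0000-* are placeholders,
# not real vulnerability identifiers).
SAMPLE_SCAN = """host,cve,severity,patch_available
vpn-edge-01.example.test,CVE-2019-11510,critical,yes
vpn-edge-01.example.test,CVE-0000-0000,low,yes
mail-01.example.test,CVE-0000-0001,critical,yes
weblogic-02.example.test,CVE-2020-14882,critical,yes
kibana-01.example.test,CVE-2019-7609,high,yes
"""


def parse_findings(csv_text):
    """Parse the scanner export into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(csv_text):
    """Return findings in patch-priority order.

    Advisory-listed CVEs come first, then scanner severity, then hostname so
    the output is stable. Each entry records whether the advisory drove it.
    """
    ranked = []
    for row in parse_findings(csv_text):
        cve = row["cve"].strip().upper()
        ranked.append({
            "host": row["host"].strip(),
            "cve": cve,
            "product": ADVISORY_CVES.get(cve),      # None for non-advisory CVEs
            "severity": row["severity"].strip().lower(),
            "advisory_listed": cve in ADVISORY_CVES,
        })
    ranked.sort(key=lambda r: (not r["advisory_listed"],
                               SEVERITY_RANK.get(r["severity"], 9),
                               r["host"]))
    return ranked


def hosts_by_advisory_cve(csv_text):
    """Group affected hosts by advisory CVE so each can be handed to an owner."""
    groups = defaultdict(list)
    for r in triage(csv_text):
        if r["advisory_listed"]:
            groups[r["cve"]].append(r["host"])
    return dict(groups)


if __name__ == "__main__":
    for r in triage(SAMPLE_SCAN):
        flag = "ADVISORY" if r["advisory_listed"] else "        "
        print(f"{flag} {r['severity']:<8} {r['cve']:<15} {r['host']}"
              f"  {r['product'] or ''}")
```

Feed it a real export by reading the CSV into a string and passing it to `triage()`; the only assumption about the scanner is the four column names in the header, which you would map to your tool's own field names.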

Privacy is just for crooks, says enlightened government agency

Good people need encryption too.
Getty Images/iStockphoto

How do you tell your best friend that her boyfriend has all the charm of a malevolent vole? How do you explain to your doctor that you’ve just contracted a minor ailment after a night of major Pinot-fueled enthusiasm? And how do you reveal to your boss that, after two years of his dreadful direction, you’ve decided to enter a monastery?

May I suggest the answer to all of the above is: privately. This logic, however, may not be embraced by, say, every millennial. It’s definitely not embraced by many government agencies. Take, for example, the Australian Criminal Intelligence Commission. I’ll tell you where you should take it privately. Here, though, as my colleague Asha Barbaschow reported, are the public thoughts of the commission: if you use encryption, you’re likely a crook. Which may surprise one or two iMessage and WhatsApp users.

The commission’s actual words about encrypted communication services were: “These platforms are used almost exclusively by SOC [serious and organised crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement.”

I do understand that there are many bad people in the world. I fear I have done business with some. A few may have even become my friends for a short while. But to suggest — with a straight face and a public voice — that encryption is almost exclusive to the evil seems like the sort of exaggeration that only a politician would embrace. Publicly.

Of course one should have sympathy with law enforcement in its quest to eliminate the truly bad. Of course it’s frustrating that the gentle and law-abiding use some of the same technological tools as the rancid and law-flouting. And governments far and wide have been exerting pressure — public and private — on tech companies to find some liberty-loving way around this dilemma. The governments insist it must be possible. Tech companies tend to follow the example set by Apple CEO Tim Cook when the company refused to hack into the San Bernardino terrorist’s iPhone: creating a backdoor for law enforcement creates a backdoor for bad actors too.

And it’s not as if governments are just sitting there, playing by the supposed rules. Why, the MIT Review just revealed how the Chinese government took advantage of a hack that won a contest in Canada to spy on China’s Muslim Uyghurs. Moreover, who wouldn’t be suspicious that, given a backdoor, their government might be tempted to peek into the private lives of the law-abiding too? (Oh, you think they already do it?)

There are still one or two things that humans want to communicate privately and securely to friends, family, lovers and even strangers they’ve just met on Tinder, rather than just post them on Facebook or Twitter. Even if there’s often the suspicion that nothing is private anymore, humans still cling to the belief that they can confide in one another, that they have to confide in one another.

If nothing is private, what are we? A never-ending cabal of Instagram influencers? How dull that would be.

The latest defence against banking scams: Your voice

Voice ID was introduced in 2016 to increase the security of bank transactions carried out over the phone.
Francesco Carta Fotografo / Getty Images

British banking giant HSBC protected almost £249 million ($346 million) of customers’ money from fraudsters in the past year alone, thanks to a voice recognition technology that does a better job of identifying a user during a telephone call. The voice system, called Voice ID, was introduced in 2016 to increase the security of bank transactions carried out over the phone. So far, the results seem promising: the rate of attempted telephone fraud this year was down 50% compared to the previous one.

Since 2016, Voice ID has identified 43,000 fraudulent telephone calls and prevented £981 million ($1.3 billion) of customers’ money from falling into the hands of malicious hackers, said HSBC. “Scammers are sophisticated and it’s a constant challenge to keep ahead of them but this is promising,” said Kerri-Anne Mills, head of customer service at HSBC UK. “We’ve seen a 50% drop in reported telephone banking fraud year-on-year.”

Telephone banking enables HSBC customers to carry out various sensitive operations, ranging from checking their balance to making payments and transferring money. Voice ID was introduced to replace the requirement to provide complex security numbers made of random digits, or to answer security questions which some users might struggle to remember. Customers sign up to the service by registering their voiceprint. When, at a later stage, they phone their bank for a particular operation, they will first be asked to say a short phrase, which is analyzed by Voice ID against the original record to make sure that the voices match and that the caller is genuine.

In addition to making the process more convenient, HSBC argues that the technology is more secure: while hackers can steal or guess personal codes or passwords to pass security checks, it is much harder to replicate someone’s voice. To identify a customer, Voice ID checks over 100 behavioral and physical voice traits, including how fast the speaker talks or how they emphasize words, according to HSBC. The bank maintains that the technology is sensitive enough to detect if someone is impersonating the speaker or playing a recording, while also being capable of correctly identifying a voice even if the caller has a cold or a sore throat.

The bank has seen a recent increase in customers signing up to Voice ID, and the technology has now been adopted by 2.8 million users. According to Mills, 14,000 customers currently enroll in Voice ID each week. This is partly because the fast digitization of services caused by the COVID-19 pandemic has pushed customers towards new channels for managing their finances that don’t require physically going into a bank. “We’ve seen unprecedented challenges as the pandemic and lockdown restrictions transformed our lives significantly and, unsurprisingly, more people have turned to online and mobile banking to take control of their finances, utilizing other channels for very particular interactions,” said Mills.

But although Voice ID has been praised for its security benefits, it is easy to see why things might become thorny if hackers manage to find a way around the voice recognition technology. In fact, to demonstrate the potential shortcomings of HSBC’s feature, in 2017 a BBC reporter and his twin brother successfully fooled the technology. One of the brothers managed to gain access to their twin’s account via telephone, and was able to see balances and recent transactions.

The issue is not restricted to voice recognition. As more and more services are carried out digitally, biometrics of all sorts are projected to be used to authorize sensitive processes. A recent report from Juniper Research, for example, estimates that digital payments made with a handset will increasingly be based on biometric identification such as facial, voice or iris recognition, as well as fingerprints. Biometric capabilities such as Apple’s Face ID will reach 95% of smartphones globally by 2025, according to Juniper; and by that time, users’ biological characteristics will be authenticating over $3 trillion-worth of payment transactions.

While the security advantages of using biometrics to prove identity are evident, those technologies are a double-edged sword. On top of the risk that a malicious actor might imitate a user’s biological characteristics to gain access to critical services, there are also concerns about the opportunities to hack stored biometric data. “The risk with biometrics in general is that you can’t change biometric characteristics,” Nick Maynard, lead analyst at Juniper Research, tells ZDNet. “You can’t change a fingerprint or your face.”

“So if somebody compromises that data, you can’t change it, and that information becomes very risky,” he continues. “That means that vendors have to adopt very strong security principles around how they handle that data.”