Information Technology

Taiwanese chip maker MediaTek has addressed four vulnerabilities that could have allowed malicious apps to eavesdrop on Android phone users. Three the of vulnerabilities, tracked as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663, affected MediaTek’s audio digital signal processor (DSP) firmware. It’s a sensitive component that if compromised could allow attackers to spy on user conversations. Researchers at Check Point found and reported the flaws to MediaTek, which disclosed and fixed them in October. A fourth issue affects the MediaTek HAL (CVE-2021-0673). It was also fixed in October but will be disclosed in December. 

ZDNet Recommends

Best 5G phone 2021

5G is now standard on US networks, with the expectation that every flagship includes support for 5G.

Read More

“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user,” explains Check Point researcher Slava Makkaveev. SEE: Best phone 2021: The top 10 smartphones availableAccording to market research firm Counterpoint, MediaTek’s system on chips (SoCs) accounted for 43% of the mobile SoCs shipped in Q2 2021. Its chips are found in high-end smartphones from Xiaomi, Oppo, Realme, Vivo and others. Check Point estimates MediaTek chips are present in about a third of all smartphones.The vulnerabilities are accessible from the Android user space, meaning a malicious Android app installed on a device could be used for privilege escalation against the MediaTek DSP for eavesdropping.

MediaTek rated CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663 as medium severity heap-based buffer over flaws in DSP. In all three cases, it notes that “user interaction is not needed for exploitation.”Check Point also discovered a way to use the Android Hardware Abstraction Layer (HAL) as a way to attack MediaTek hardware. “While looking for a way to attack the Android HAL, we found several dangerous audio settings implemented by MediaTek for debugging purposes. A third-party Android application can abuse these settings to attack MediaTek Aurisys HAL libraries,” explains Makkaveev.SEE: Dark web crooks are now teaching courses on how to build botnetsHe adds that device manufacturers don’t bother validating HAL configuration files properly because they are not available to unprivileged users. “But in our case, we are in control of the configuration files. The HAL configuration becomes an attack vector. A malformed config file could be used to crash an Aurisys library which could lead to LPE,” writes Makkaveev. “To mitigate the described audio configuration issues, MediaTek decided to remove the ability to use the PARAM_FILE command via the AudioManager in the release build of Android,” he adds. More

DBS Bank has attributed the source of a service glitch to “access control servers”, which it says left many customers unable to log into their accounts. The Singapore bank has been instructed by the local regulator to investigate the cause of the problem that lasted two days. The service disruption was first reported Tuesday morning when several customers faced difficulties logging into or accessing DBS’ online and mobile services. The bank initially provided few details on what caused the issue, saying on its Twitter and Facebook profiles and website that it was aware customers were experiencing “intermittent slowness when accessing [its] banking services”.In an update posted early Wednesday morning, DBS said the problem was resolved and services restored. However, customers again reported difficulties accessing the bank’s online services, leading the bank to acknowledge later that day the issue had recurred. 

It posted a video message Wednesday afternoon from its Singapore head Shee Tse Koon, who said the problem was “less severe” than the previous day, while apologising for the “anxiety caused”. “We identified a problem with our access control servers and this is why many of you have been unable to log in. We have since been working round the clock, together with our third-party engineering providers, to fix the problem and services were restored at 2am,” Shee said. “Unfortunately this morning, the same problem recurred.”He added that the bank was aware many of its customers still were unable to access its services and was working on a resolution. “n the meantime, I want to assure you that your deposits and monies are safe, and that you can continue with your banking needs either through our branches, or through phone banking. To facilitate this, we’ve extended banking services at all our branches by two hours,” he said. 

DBS later posted an update at 10.35pm that its digital services were “returning to normal” and it was monitoring the situation to ensure services were running smoothly. In a statement Wednesday, Monetary Authority of Singapore (MAS) said it would consider appropriate actions after DBS had completed its assessment. “This is a serious disruption and MAS expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures,” said Marcus Lim, MAS’ assistant managing director for banking and insurance.The industry regulator said it was notified by DBS about its access control servers and was following up with the bank on the issue. Lim said all financial institutions were expected to have the “systems and processes” in place to ensure the “consistent availability” of their services to customers. DBS, along with subsidiary POSB, have some 5 million customers in Singapore.Early this month, DBS announced plans to invest SG$300 million ($220.22 million) next year to beef up its digital and intelligent banking capabilities that supported the bank’s wealth and retail products and services. It said efforts here would enhance personalised user experiences across its digital and physical touchpoints.RELATED COVERAGE More

Organisations that fall victim to a ransomware attack shouldn’t let the cyber criminals know they have cyber insurance – because if the attackers know that their victim holds an insurance policy, they’re more likely to outright demand the ransom payment in full. Cybersecurity researchers at Fox-IT, part of NCC Group, examined over 700 negotiations between ransomware attackers and ransomware victims in order to analyse the economics behind the digital extortion attacks that demand a ransom payment – often millions of dollar in Bitcoin – in exchange for the decryption key.

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More

They found that if the victim has cyber insurance and that the attacker knows about it, then there’s little manoeuvre for negotiating for a smaller ransom payment, because the attackers will exploit the existence of the cyber insurance to cover the payment they’re demanding. SEE: A winning strategy for cybersecurity (ZDNet special report) “Look, we know about your cyber insurance. Let’s save a lot of time together? You will now offer 3M, and we will agree. I want you to understand, we will not give you a discount below the amount of your insurance. Never. If you want to resolve this situation now, this is a real chance,” said a chat message from an unspecified ransomware gang, according to the research. In this case, the attacker set the fee in the knowledge of the cyber-insurance plan, leaving the victim without any real platform for attempting to negotiate a lower ransom payment. Another note from an unspecified ransomware operator appears to show that the cyber criminals have set a significant ransom demand because they know about the victim’s cyber-insurance policy – seemingly after the victim claimed they couldn’t afford to pay.

“Yes, we can prove you can pay 3M. Contact your insurance company, you paid them money at the beginning of the year and this is their problem. You have protection against cyber extortion. I know that you are now in trouble with profit. We would never ask for such an amount if you did not have insurance,” said the attacker. A company could still claim that the insurance company wouldn’t pay for the ransom demand, but it’s unlikely to be accepted as the truth by the attacker. While researchers suggest telling the ransomware attacker about a cyber-insurance policy isn’t a good move for negotiations, there’s also the possibility that the attacker could find out about any cyber insurance the company has themselves once they’re inside the network ahead of the ransomware attack. “Preferably also do not save any documents related to it on any reachable servers,” warn researchers. Cyber insurance has become a way for victims to deal with the damage of a ransomware attack, but as Fox-IT’s research shows, knowledge of it can put criminals in an even more powerful position for demanding payment – especially if the insurance holder doesn’t have good cybersecurity in the first place. One answer could be that organisations that want to take out a cyber-insurance policy are required to meet certain requirements around cybersecurity before the provider can agree to issue it. “It’s a really difficult debate in which I think there are definitely some advantages to having cyber insurance, but only if there are certain thresholds for a company to get it,” Pepijn Hack, cybersecurity analyst at Fox-IT, told ZDNet. “Those thresholds can be an incentive to get a better grip on your cybersecurity awareness and your what your entire organisation’s cybersecurity is right now,” he said. However, this path could also be problematic because if businesses do fall victim to a cyberattack, and they don’t have cyber insurance, then it could be extremely damaging. “Some cyber-insurance service companies have found out that people get hacked a lot, so it’s become became really expensive and now they’re just stopping to give any cyber insurance at all, which I also don’t think is the right solution,” said Hack. “It has to be some some kind of middle ground – and I think we’ll get there eventually,” he said. While paying a ransom to cyber criminals is generally not recommended because it encourages further attacks, after analysing hundreds of negotiations, Fox-IT researchers offered some suggestions around what to do if your business is hit with ransomware. That approach starts with preparing employees on how to react to a ransomware attack and crucially not clicking links in any ransom notes, so as to not prematurely start negotiations by setting the hackers countdown running.  “The first thing any company should teach their employees is not to open the ransom note and click on the link inside it… the timer starts to count when you click on the link. You can give yourself some valuable time by not doing this. Use this time to assess the impact of the ransomware infection,” the researchers said. This time provides the response team with a chance to examine what infrastructure has been hit and what impact it has had on operations, allowing the victim to retake some degree of control over the situation. Before starting negotiations, it’s also useful to know what your end goal is – can the organisation restore from backups, or will a ransom have to be paid? If the victim is willing to pay a ransom, they should have an idea about what the maximum they’d pay would be. SEE: Dark web crooks are now teaching courses on how to build botnets Research into the attacker can also help prepare victims for negotiations. It’s possible that a free decryption tool for that particular strain of ransomware is available, preventing the need to pay a ransom at all. Examining research papers and media reports about the ransomware group can also provide information on how reliable they are at actually providing a decryption key and if they’ll engage in other tactics to try and force a payment, such as DDoS attacks, calling your customers or stealing and leaking data. When it comes to actually engaging in negotiations, researchers state that it’s important to be respectful and professional – it’s understandable that victims will be angry, but antagonising the attacker is unlikely to help the negotiation strategy. Meanwhile, being polite can help – in one example detailed in the blog post, a victim negotiated a ransom down from $4m to $1.5m. Many ransomware attacks try to pressure victims into paying within a set period, often with the threat of leaking data if they don’t. However, researchers suggest that attackers are almost always willing to negotiate an extended window – after all, they want the money, they’ve taken the time to infect the systems, so they’re likely to be willing to wait a little longer. There’s also the option of trying to convince the attacker that you can’t pay the ransom, but if the attacker has access to the network, they may be able to see financial documents or cyber-insurance policies – and likely have a figure in mind based off that document that will be the basis for negotiations. 
MORE ON CYBERSECURITY More

Perth city
Image: Getty Images
The Western Australia Auditor-General has slammed local government (LG) entities in the hard border state, after determining they were not managing cyber risks well. The outcome of the audit was summed up by two key findings noted in the audit report. The first was most vulnerabilities found during black box testing were over a year old, and in one instance, a vulnerability had existed for a decade and a half. “We tested the audited LG entities’ publicly accessible IT infrastructure and found vulnerabilities of varying types, severity, and age. The vulnerabilities included disclosure of technical information, out-of-date software, flawed or weak encryption, insecure software configuration, and passwords sent in cleartext over the internet,” it said. “44% of vulnerabilities were of critical and high severity, with a further 49% of medium severity. “Known critical and high severity vulnerabilities are generally easy to exploit and expose LG entities to increased risk of compromise.” This is not good
Image: Office of the Auditor General for Western Australia
The AG found out-of-date software accounted for 55% of vulnerabilities, followed by weak or flawed encryption on 34%, and insecure configuration on 8% of vulnerabilities. The second key finding was a phishing test, which led users to a page that asked them for login credentials. At one entity, over 50 people clicked the link, and around 45 submitted credentials, this was a result of one of the people selected for the phishing test forwarding it onto other staff and external contacts.

The AG said from that one forward action, it was able to collect 29 extra staff credentials that fell outside its intended testing scope, and 15 credentials from those external to the entity. The number of click and credentials collected was around 5 to 10 times higher than the next highest number from an audited entity. “[This] shows that people generally trust and are more likely to respond to emails from known contacts,” the report said. This is bad
Image: Office of the Auditor General for Western Australia
More generally, the report said the entities were found to have failed to consider the risks of malware and ransomware, data breaches including reuse of credentials found in other breaches, unauthorised access to systems or networks from an external attack, theft of IT devices, and third-party supply chain/cloud risks. Two entities were found to have not had a penetration test done since 2015, while one entity never had. When doing its tests, the Auditor-General found only three entities had systems to detect and block simulated attacks, while nine did not detect or respond, and three took two weeks to detect and only once the attacks ramped up. The latter 12 entities had intrusion detection systems but had no processes to look at the information generated in a timely manner, the AG said. Yikes!
Image: Office of the Auditor General for Western Australia
Seven recommendations were made to improve the entities’ cyber posture, which the AG said were “generally accepted”, and most had made improvements during the audit process. “Entities should give regard to good practice principles in the Australian Government Information Security Manual and the Essential Eight controls to protect systems and information,” the report said. “While remediations will require an investment of time and money, support from senior management is equally important to uplift cybersecurity maturity.” Related Coverage More

Farewell, sweet prince.
Image: Mozilla
Mozilla has emailed its Lockwise users to inform them that on December 13, it will be ending support for its Lockwise password management app. Lockwise has two guises: One in the browser itself at about:logins and a separate app for iOS and Android that can become the default password manager for your phone, without needing the overhead of Firefox the browser to start up. It is the latter and lighter option that has hit the end of the support road. “The Firefox Lockwise app will no longer be updated and supported by Mozilla and will not be available in the Apple App and Google Play Stores,” Mozilla said in its email. “After that date, current Lockwise users can continue to access their saved passwords and their password management in the Firefox desktop and mobile browsers.” Alternate password managers: Best password manager 2021: Business & personal use A support note that has replaced the site for Lockwise says that the app could keep working after December 13, but it will not get updates.

Android users can replace the password autofill functionality with Firefox itself, and see an arguable improvement in how it works, while iOS users that rely on Lockwise are left waiting. “Check back for updates in December 2021 on how to use Firefox for iOS as your system-wide password manager,” Mozilla states. Users in iOS will need to open up the browser to copy passwords the old school way. While it may not have all the bells and whistles of its commercial competition, Lockwise became good enough in recent times to get by with, and it is backed by an open-source organisation with more respect for privacy than some in the field. As Mozilla is heavily reliant on rival Chrome-maker Google for funding, Lockwise as an app could have been an avenue to increase its non-Google funding line, but it was not to be. Last week, Mozilla decided users might want to pay for email address hiding as it unveiled Firefox Relay Premium. The standard Relay service provides five free aliases that forward emails to a primary address, with the new paid tier offering one subdomain alias to allow users to create unlimited aliases, such as yourdomain.mozmail.com, a summary dashboard, and the ability to reply to emails from the alias. Firefox Relay Premium currently has introductory pricing of $1 or €1 each month in the US, Germany, UK, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland. Related Coverage More

Telstra’s biggest cyber concern is organisations that use “Microsoft-style” environments when it comes to preventing cyber threats.”The place that concerns us most as an organisation … don’t read anything into the fact I’m going to mention the word Microsoft, they’re probably a Microsoft-only environment. They don’t have ERPs, CRMs, they are basically a Microsoft-style environment,” said Telstra Enterprise group executive David Burns, who gave a keynote to the Trans Tasman Business Circle.  “How do we build [cyber resilience] into the tools of systems and networks that we provide … because I think we could all do the basics, and we should all do the basics but [cyber attackers] are very sophisticated players.” He provided an example of how one of Telstra’s business partners, which he said used a “Microsoft-style” environment, suffered a cyber attack which then put the telco’s customers at risk. “We are all very vulnerable and you and your organisation are as vulnerable as your weakest link. And that’s how we need to think about it. It is not the role of an IT organisation to protect us. It is each and every one of our roles to work out how to protect us,” Burns said.He added that government agencies also needed to figure out how to improve their cyber resilience in an increasingly broadening cyberthreat landscape. At the start of this month, New South Wales auditor-general Margaret Crawford revealed all of the state’s lead cluster agencies have failed to implement all Essential Eight controls. The cybersecurity policy for New South Wales government agencies was not sufficiently robust which is a cause for “significant concern”, Crawford said.

To address these cybersecurity concerns, Telstra currently provides cybersecurity services to enterprise customers and is involved in the government’s Cleaner Pipes Program. Burns, however, conceded this work would not be a big revenue driver. “We will ask people to help us pay for that, but it’s not exactly going to be as the greatest revenue earner for us,” he said. “It’s about protecting our environments because I think we all think of the cyber world, certainly amongst our customers, [as] not a differentiator. We want all boats to rise in a tide here. You don’t want to win by someone else being cyber attacked.” Telstra’s concern isn’t unique. The federal government in March called for organisations to counter ransomware through using multifactor authentication and urging businesses to keep software up to date, archiving data and back-ups, building in security features to systems, and training employees on good cyber hygiene. “All businesses have valuable data and systems they need to protect. It is vital that they establish strong foundational controls and practice good cybersecurity hygiene practices,” the federal government said at the time. Related Coverage More

The Telecommunications Industry Ombudsman (TIO) has called for telcos to have a 24-hour hotline, or at a minimum extend current hotline hours, to allow consumers to report cases of fraud, especially involving SIM swapping. In its report on systemic investigations into fraud enabled through phone and internet accounts, the TIO pointed out that fraudsters have exploited slow responses from telcos to create security breaches. This included a customer being kept on hold when trying to report fraud, failure of customers being able to contact telcos outside of business hours, staff not blocking fraudulent activity, staff not knowing how to deal with fraud, and attackers maintaining access to accounts after telcos were notified.Typically, attackers were interested in ordering handsets and additional services once they controlled an account, or using control of a SIM to access other information including bank and government accounts. “This can expose affected customers to considering financial and non-financial loss,” the TIO said. “Where a breach of privacy has occurred, providers may have to pay significant amounts of compensation to settle a consumer’s complaint — a cost that could have been avoided had the provider acted more quickly.” Other issues highlighted by the report included fraudsters getting access to accounts because telcos did not conduct proper identity checks, with one telco agreeing to use a government database for verification during the investigation, or incorrect advice being given to consumers about how to secure accounts.”One provider gave consumers the option of using robust multi-factor authentication, such as one-time passwords or an authenticator app,” the report said.

“However, this provider also offered other security measures which were not supported by its systems, such as passwords and PINs. This meant staff did not always ask for the password or PIN when someone wanted to access the account. “A consumer may believe their account is secure when it is not.” The Communications Alliance said combating fraud was a challenge to all parties. “Telcos are continually improving their practices to keep up with the ever-changing tactics of fraudsters,” CEO John Stanton said. “It is important that we do not become complacent and remind our customers to protect their personal information, offline as much as online.” In its most recent Complaints in Context report released a fortnight ago, the Comms Alliance said TIO complaints per 10,000 services in operation continued to trend down, being reported at 4.8 for the July to September quarter. Many telcos recorded the lowest complaint level since the report adopted its current format in 2019. Related Coverage More

Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services or devices. The complaint also provides new information on how NSO Group infected victims’ Apple devices with its Pegasus spyware. “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple SVP of Software Engineering, said in a statement. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”Apple’s complaint says NSO Group delivered its FORCEDENTRY exploit to Apple devices by creating Apple IDs that sent malicious data to a victim’s device. This enabled the installation of Pegasus spyware without a victim’s knowledge. Researchers with Citizen Lab discovered the zero-day, zero-click exploit in September, and  Apple released an urgent security update for Mac, iPhone, iPad and Watch users to patch the vulnerability. Apple says in its complaint that Apple servers were misused to deliver FORCEDENTRY but were not hacked or compromised in the attacks. The company also said it is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Apple also said it is contributing $10 million, as well as any damages from the lawsuit, to organizations like the Citizen Lab and Amnesty Tech to further cybersurveillance research and advocacy. More