More stories

    IT admin with axe to grind sent to prison for wiping Microsoft user accounts

    A former IT contractor with a grudge has been sentenced after mass-deleting the majority of a company’s Microsoft accounts.

    Deepanshu Kher was sentenced to two years in prison for breaking into the network of a Carlsbad, California-based firm after being fired, potentially in connection with a consultancy job the firm had hired him for. Kher worked for an IT consultancy firm from 2017 through May 2018. The consultancy was recruited to help a client migrate to a Microsoft Office 365 environment, and Kher was selected to assist. The client was not pleased with Kher’s performance, and once this feedback reached head office, the IT admin was sacked. A month after being fired, in June 2018, Kher returned to India.

    However, two months later, Kher decided to exact revenge on the Californian company, according to the US Department of Justice (DoJ). The 32-year-old infiltrated the firm’s servers while outside the US and deleted over 80% of employee Microsoft Office 365 accounts: over 1,200 out of 1,500 were wiped. As staff members were suddenly unable to access emails, contacts, calendars, stored documents, and Microsoft’s Virtual Teams remote management platform, they were unable to work. The company’s entire operations ground to a halt for two days. The VP of IT said, “In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”

    IT issues persisted for a further three months after the cyberattack, and the FBI was informed. Kher was arrested while flying from India to the US on January 11, “unaware of the outstanding warrant for his arrest,” US prosecutors say. US District Court Judge Marilyn Huff charged the Delhi, India resident with intentional damage to a protected computer, a crime that can lead to up to 10 years in prison and a $250,000 fine. Kher will face two years behind bars and three years of supervised release, and must also pay $567,084 in damages — the bill his victim organization had to shoulder to restore its systems.

    “The victim company’s swift notification and cooperation with the FBI contributed greatly to the successful outcome,” commented Suzanne Turner, Special Agent in Charge of the FBI’s San Diego Field Office. “Living in a digital world, it is important to get ahead of the threats, be proactive and predictive in the way we approach cybersecurity.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Privacy Commissioner wants more protections for individuals in Data Availability Bill

    The Australian Information Commissioner and Privacy Commissioner’s office, the OAIC, has asked for the inclusion of additional privacy measures in the Bill that would allow the sharing of data held by government.

    The data reforms presented in the Data Availability and Transparency Bill 2020 are touted by Minister for Government Services Stuart Robert as an opportunity to establish a new framework that can proactively assist in designing better services and policies. The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament in December, after two years of consultation.

    “Proposals to share data containing personal information will necessarily carry certain privacy risks, including the loss of control by individuals and the potential for mishandling of personal information,” the OAIC said in its submission [PDF] to the Senate Finance and Public Administration Committee currently probing the two Bills. “Privacy risks can be heightened in relation to government-held personal information, which is often collected on a compulsory basis to enable individuals to receive a service or benefit or is otherwise required by law.”

    The submission raised concerns that such data is often sensitive or can become sensitive when it is linked with other government datasets. It has therefore recommended the inclusion of additional privacy measures that would provide further protections for individuals and clarity for data scheme entities about their privacy obligations.

    “The OAIC considers that these additional measures are necessary to ensure the proportionality of the scheme and to achieve the trust and confidence of the community, which is vital to the success of the DAT scheme,” it wrote.

    In a discussion paper in September 2019, the federal government tweaked what it had proposed the year prior by removing a fundamental element of privacy — consent. The government’s position on consent has since become more nuanced, with the Bill currently stating that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable.

    “While the OAIC acknowledges the important privacy safeguards that have been included in the DAT Bill, there are other key privacy protective measures that should be included to further mitigate the risks posed by sharing personal information,” the OAIC said.

    Additionally, the OAIC is concerned about the proposed exemption of scheme data from the Freedom of Information Act, which the OAIC considers runs counter to the objects of both the FOI Act and the Data Availability and Transparency Bill. It said this would effectively exempt any data that government agencies share with each other through the scheme.

    “The OAIC is concerned that the proposal is unnecessarily broad and risks misalignment with the objects of the FOI Act to provide a fundamental legal right to access to documents,” the submission continued. “The OAIC is also concerned that this proposal reduces the information access rights of individuals, impacting on their ability to seek access to their own personal information and understand how agencies are using this information.”

    As a result, the OAIC recommended that the proposed consequential amendment to the FOI Act be removed, and that data shared by agencies under the scheme remain subject to the usual FOI processes and potential exemptions under the FOI Act.

    Elsewhere, the OAIC recommended that all accredited users – including Commonwealth bodies — be subject to the same accreditation processes and criteria as other entities seeking to become accredited under the Data Availability and Transparency scheme. Further, the OAIC has asked for definitions in the Bill to be consistent with those in the Privacy Act 1988, for example the definition of “de-identified”. It also recommended that additional protections be included in the Data Availability and Transparency Bill to ensure that the “exit mechanism” minimises the risk to individuals’ privacy and is only used in specific and confined circumstances.

    Digital Rights Watch is similarly concerned that the Bill is moving ahead in parallel to the review of the Privacy Act, which the Attorney-General’s office is currently heading. In its submission [PDF] to the committee, the organisation said that, as the draft text stands, the Bill “threatens to further erode the limited protections enshrined in the existing Privacy Act”.

    “The Bill would make it easier for government agencies to share data containing personal information with each other, allowing any government entity to access any and all the information the government holds about an individual,” it explained. “The draft also permits the government to share data with accredited third parties and researchers. In absolute terms, the Bill almost constitutes an amendment of the Australian Privacy Principle 6 by redefining and altogether eliminating the limitations and protections the principle currently imposes on the data custodians.”

    Digital Rights Watch has also asked that the Bill restrict the access of accredited parties from the single-application full access system proposed; define consent in line with international standards, as presented under the GDPR, for example; and maintain liability for data breaches, ensuring also a resolution mechanism for individuals who may want to seek redress if their data and privacy is compromised through the scheme.

    Also making a submission [PDF] was the Australian Privacy Foundation (APF), which considers the Bill to have weak legitimacy, to erode trust, and to provide uncertain benefits alongside a history of underperformance.

    “The foundations of the proposed regime are weak, the superstructure is weaker,” APF wrote. “The proposed regime does not provide the necessary ‘strong privacy and security foundations’. Instead it embodies values of bureaucratic convenience that are antithetical to strong privacy protection.”

    SavvyShares compensates consumers for access to their data

    SavvyShares, a survey panel that captures consumer opinions and data, has been launched by San Diego, CA-based market research company Luth Research. Unlike Killi, which offers a portion of all data sales revenue each month to consumers who, through use of its ‘Paycheck’, receive a guaranteed amount of cash each week, SavvyShares does not offer cash to its members.

    Instead it offers shares in the company, leading to annual dividends — if the company makes a profit. According to the SEC filing, SavvyShares LLC will offer “sale of up to 200,000,000 unit-denominated common limited liability company interests, …. refer(red) to as SavvyShares” for a “maximum gross dollar offering of $50,000,000.”

    The filing says that the shares will be offered for data including “behavior data tracked through software installed to a Member’s phone, tablet or computer (our “App”), data obtained from self-reported surveys and interviews, behavior data obtained from third parties with a member’s consent, and any other social or related data.”

    Members who participate receive shares in the company based on the length and complexity of surveys, and additional shares for allowing digital data tracking through the app. The app runs in the background and collects data as participants surf the web. Dividends may then be paid to member shareholders annually, based on their number of shares and the profitability of the company – as long as the user remains a member. Paying dividends based on the success of the company means members have a stake in the business, so they are probably more incentivized to share their data.

    The company was launched by Luth Research, a consumer survey business. The company is also managed by the Public Benefit Corporation (PBC), a for-profit company that is committed to specific public benefits.

    SavvyShares founder Roseanne Luth said, “As privacy concerns further restrict data collectors, SavvyShares ensures power and control is in the hands of consumers, giving them a stake in the success of the company as the ultimate reward for their opinions. As consumers are becoming more leery of data harvesting that is currently occurring through social media and other platforms, SavvyShares offers the control, compensation and privacy they deserve.”

    SavvyShares has filed with the SEC to use data as a form of currency — an unusual move. Compensating customers with shares in exchange for access to data could be very lucrative for people who currently share data for free. Of course, the company needs to make a profit before any share dividends can be paid in cash to any member. Consumers already share their opinions and data for free with companies such as Facebook and Instagram, so there are good reasons for customers to be compensated for their data. Will paying for data sharing catch on? Or will we continue to share our data where we feel most comfortable — or stay on the platforms where our friends are most likely to be?

    Microsoft Exchange Server attacks: 'They're being hacked faster than we can count', says security company

    There are still thousands of cyber attacks targeting zero-day security vulnerabilities in Microsoft Exchange Server every single day as cyber criminals attempt to target organisations which have yet to apply the security patches released to mitigate them, according to a tech security company.

    Microsoft released critical updates to secure Microsoft Exchange Servers against the four vulnerabilities on March 2, with organisations urged to apply them as a matter of urgency to prevent cyber attacks on their email servers. But weeks later, many organisations have yet to apply the critical updates for Microsoft Exchange Server, and cyber attackers are taking advantage to gain access to servers while it remains possible.

    Cyber criminals are doing just that, with security researchers at F-Secure identifying tens of thousands of attacks every day targeting organisations around the world which are still running vulnerable Microsoft Exchange Server. According to F-Secure analytics, only about half of the Exchange servers visible on the internet have applied the Microsoft patches for these vulnerabilities.

    “Tens of thousands of servers have been hacked around the world. They’re being hacked faster than we can count. Globally, this is a disaster in the making,” said Antti Laatikainen, senior security consultant at F-Secure.

    The fear is that an attack which successfully compromises a Microsoft Exchange Server not only gains access to sensitive information that’s core to how businesses are run, but could also open the door for additional attacks – including ransomware campaigns. In order to avoid falling victim to cyber attackers exploiting the Microsoft Exchange vulnerabilities, it’s recommended that organisations apply the critical updates as quickly as possible, because the longer the patches aren’t applied, the more time cyber criminals will have to potentially exploit the vulnerabilities as part of an attack.

    Even if organisations have already applied the relevant security updates, there’s no guarantee they were not compromised by malicious hackers before the patches were applied – so it’s important to analyse the network to examine whether it has already been accessed by cyber criminals.

    When it isn’t possible to install the critical Microsoft Exchange updates, the UK’s National Cyber Security Centre (NCSC) recommends that untrusted connections to Exchange server port 443 be blocked, and that Exchange be configured so it can only be accessed remotely via a VPN. In another step to protect against Exchange Server vulnerabilities, Microsoft has implemented an automatic mitigation tool within Defender Antivirus which helps prevent unpatched servers from falling victim to attacks.

    SEE: Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool

    Tens of thousands of organisations around the world are known to have had their email servers compromised in attacks targeting Microsoft Exchange. Microsoft has attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium. However, once knowledge of the vulnerabilities became public following the release of the patch, other state-sponsored and cyber-criminal hacking groups have attempted to target Microsoft Exchange servers which have yet to be patched. It’s recommended that organisations take measures to mitigate attacks as soon as possible.

    “There are a ton of things they can do manually to prevent a full disaster. I just encourage them to do them immediately,” said Laatikainen.

    API security becomes a ‘top’ priority for enterprise players

    As attacks against APIs continue to increase, the enterprise is beginning to take the security aspects of API adoption more seriously.

    In a new report released on Monday by Imvision, “API Security is Coming,” the company asked over 100 cybersecurity professionals in the US and Europe for insight on the current state of enterprise API security.

    Application programming interfaces (APIs) connect different technological services and systems. They can process queries from clients, deal with instructions server-side, and facilitate the fetching and processing of data. While the function sets contained in APIs can be of real value to an enterprise market that is becoming more data-driven every year, they may also represent an emerging cybersecurity issue for users — with API-based attacks believed to be on the rise in tandem with the continued adoption of cloud technologies.

    According to the report, 91% of IT professionals say API security should be considered a priority in the next two years, especially as over 70% of enterprise firms are estimated to use over 50 APIs. The main aspects of API security that respondents consider a priority are access control, cited by 63% of those surveyed; regular testing (53%); and anomaly detection and prevention (43%). In total, eight out of 10 IT admins want more control over their organization’s APIs.

    However, finding a holistic approach to this ‘backbone’ of API security remains a challenge. Over 80% of organizations are estimated to either use, or plan to use, a centralized management solution for API security — such as an API Management (APIM) platform — but only a third of respondents believe their API setups are adequately protected from today’s cyberattacks.

    Other statistics of note in the report include:

    • 19% of enterprises test their APIs daily for signs of abuse
    • 4 out of 5 organizations enable either partners or users to access data using external APIs
    • The current focus of API strategies is centered around application performance (64%) and development and integration (58%)
    • Shadow APIs are considered the most vulnerable, according to 40% of those surveyed
    • 64% of survey respondents said their current solutions do not provide robust API protection

    Companies cited integrating API solutions with current systems and workflows, and gaining visibility into overall API usage, as the main barriers to improving API security.

    Mozilla Firefox tweaks Referrer Policy to shore up user privacy

    Mozilla Firefox will soon include a revised Referrer Policy to tighten up queries and better protect user information. 

    Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers “to prevent sites from accidentally leaking sensitive user data.” In a blog post on Monday, developer Dimi Lee and security infrastructure engineering manager Christoph Kerschbaumer said the latest browser version will include a “stricter, more privacy-preserving default Referrer Policy.”

    Browsers send HTTP Referrer headers to websites to indicate which location has ‘referred’ a user to a website server. Full URLs of referring documents are often sent in the HTTP Referrer header with other subresource requests, and while this may contain innocent information used for purposes including analytics, private user data may also be included.

    Referrer policies aim to protect this data, but if no policy is set by a website, this often defaults to “no-referrer-when-downgrade,” a setting that Firefox says does trim down the referrer when navigating to a less secure resource, but still “sends the full URL including path and query information of the originating document as the referrer.”

    “The ‘no-referrer-when-downgrade’ policy is a relic of the past web, when sensitive web browsing was thought to occur over HTTPS connections and as such should not leak information in HTTP requests,” the team says. “Today’s web looks much different: the web is on a path to becoming HTTPS-only, and browsers are taking steps to curtail information leakage across websites. It is time we change our default Referrer Policy in line with these new goals.”

    As such, Firefox 87 will introduce “strict-origin-when-cross-origin” as the default in the browser’s Referrer Policy, which will cut away sensitive user information — including path and query string — accessible in URLs and in requests going from HTTPS to HTTP, as well as in all cross-origin requests.

    “Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience,” Firefox says.

    Google Chrome also introduced a stricter default Referrer Policy in version 85 of the browser, alongside speed improvements and tab previews.
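    As an added illustration (not code from the Mozilla post), the following JavaScript computes the Referer value a browser sends for a request under a given Referrer Policy, following the WHATWG Referrer Policy algorithm, so the difference between the old and new Firefox defaults can be seen on a concrete URL. It covers all eight policy values, not only the two named above, and assumes that only https/wss count as TLS-protected (the spec’s “potentially trustworthy” check also covers localhost and a few other cases).

```javascript
// Added example: Referer computation per the WHATWG Referrer Policy algorithm.
// Assumption: only https:/wss: are treated as TLS-protected (the spec's
// "potentially trustworthy" test also admits localhost and some other cases).
const TLS_SCHEMES = new Set(["https:", "wss:"]);

// The spec strips credentials and the fragment from the referring document's
// URL before any policy is applied.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// Returns the Referer header value as a string, or null when none is sent.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = stripForReferrer(fromUrl);
  const to = new URL(toUrl);
  const fullUrl = from.href;                 // path and query included
  const originOnly = from.origin + "/";      // scheme://host[:port]/ only
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is a TLS-protected document requesting a non-TLS resource.
  const downgrade = TLS_SCHEMES.has(from.protocol) && !TLS_SCHEMES.has(to.protocol);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return fullUrl;
    case "origin":
      return originOnly;
    case "same-origin":
      return sameOrigin ? fullUrl : null;
    case "origin-when-cross-origin":
      return sameOrigin ? fullUrl : originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade":        // old Firefox default
      return downgrade ? null : fullUrl;
    case "strict-origin-when-cross-origin":   // Firefox 87+ default
      if (sameOrigin) return fullUrl;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Side-by-side view of what the old and new Firefox defaults would send
// for one request when the site sets no policy of its own.
function compareFirefoxDefaults(fromUrl, toUrl) {
  return {
    before: computeReferrer("no-referrer-when-downgrade", fromUrl, toUrl),
    after: computeReferrer("strict-origin-when-cross-origin", fromUrl, toUrl),
  };
}

// Constructed sample: a page whose query string carries a session token
// loads a third-party tracking pixel.
console.log(compareFirefoxDefaults(
  "https://shop.example/account?session=abc123",
  "https://ads.example/pixel.gif"));
```

    Under the old default the third party receives the full URL, session token included; under the new default it receives only `https://shop.example/`, and nothing at all if the pixel were served over plain HTTP.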

    China takes aim at ‘spying’ Tesla cars, bans military staff use

    Elon Musk has said Tesla would be “shut down” if accusations that the firm’s cars could be used for spying purposes were true.

    Last week, the Wall Street Journal reported that the Chinese government has restricted the use of Tesla vehicles in military and key state-owned company settings. Military and government staff are reportedly not permitted to drive these cars into such facilities due to the worry that Tesla vehicles could be used for covert data-gathering. People familiar with the matter told the WSJ that, following a government security review, Chinese officials became concerned that Tesla’s smart car features could be abused for spying purposes.

    Tesla vehicles, including the Model X, Model S, and Model Y, are electric vehicles (EVs) that come equipped with features including driver assistance, built-in mobile connectivity, an infotainment dashboard, cameras and sensors for driving, maps, and more. However, the concern is that data-grabbing features — such as cameras or connectivity apps — could be used, with or without the driver’s knowledge, to obtain information on these facilities.

    Tesla’s CEO and entrepreneur Elon Musk has commented on the Chinese government’s scrutiny of Tesla vehicle features, saying that “if Tesla used cars to spy in China or anywhere, we will get shut down.”

    Speaking at the China Development Forum, Musk added that Tesla has a “very strong incentive” to treat data confidentiality seriously, as reported by the Reuters news agency.

    The United States and China have clashed over technology and national security for years, with both countries often citing national security concerns when changes in export rules are made, as well as when imposing vendor- and country-specific technological product bans. Perhaps the most high-profile recent case is that of Huawei, which together with ZTE has been branded a national security threat by the US Federal Communications Commission (FCC). The FCC has also recently added Hytera Communications, Hangzhou Hikvision Digital Technology Co., and Zhejiang Dahua Technology to a national security blacklist, which may restrict US companies from purchasing or installing equipment produced by these vendors.

    In diplomatic talks between the US and China last week, China’s foreign minister Wang Yi accused the US of using its military and financial might to “obstruct normal trade exchanges.”

    Cybersecurity, skills concerns hamper Singapore SMB digitalisation efforts

    COVID-19 may have helped accelerate digitalisation efforts for many organisations worldwide, but the majority of small and midsize businesses (SMBs) in Singapore that are falling behind in their adoption of digital tools are smaller companies. They cite lack of funds, concerns about cybersecurity risks, and inadequate digital skillsets as key reasons for their hesitation. Some 72% of the country’s SMBs that had yet to embark on digital transformation were smaller organisations, with an annual turnover of less than SG$10 million ($7.45 million), according to a study released Monday by local bank UOB. Larger SMBs comprised those with turnover ranging from SG$10 million to SG$100 million ($74.45 million).

    Amongst small businesses, 34% cited cost as a key reason for not going the digital route, while 31% had concerns about cybersecurity and another 31% were worried about their employees’ lack of necessary digital skillsets. Some 28% found it difficult to justify the investment and 26% said they did not have sufficient funds to proceed with their digital transformation. Another 25% had to deal with interoperability issues between their old and new systems, revealed the study, which polled 782 SMBs in Singapore.

    Across the board, 41% of those that had pushed on with their digitalisation efforts saw stronger revenue growth compared to their peers that did not. These included those that had done so organisation-wide or across multiple areas, in comparison to those that had only adopted digital tools in one area of their business. Furthermore, SMBs that had gone the digital route expressed more optimism for the year ahead, with 58% projecting higher revenue in 2021, compared to 32% of their peers that had yet to adopt digital tools. Another seven in 10 SMBs indicated more confidence in preparing for post-COVID-19 growth, while just four in 10 of those that had not digitalised their business felt likewise. Six in 10 SMBs that did not adopt any digital tools saw a dip in their 2020 net revenue compared to the previous year.

    UOB’s head of group business banking Lawrence Loh said: “Digitalisation offers businesses many opportunities, from improving their processes and reaching out to new customers to having a direct and measurable impact on their revenue. Close to one in two SMBs that proactively took steps to adopt digital tools last year are already seeing benefits such as greater productivity and efficiency gains, improved customer experience, and higher revenue, even in a volatile business environment.

    “The digitalisation journey is a long one and we urge SMEs to stay the course to see their efforts pay off when they emerge stronger through the pandemic,” Loh added.

    The Singapore government last May set aside more than SG$500 million ($352.49 million) to support local businesses in their digital transformation efforts, which it said were increasingly imperative for enterprises to deal with the fallout of the COVID-19 crisis. The funds would go towards facilitating companies’ adoption of e-payments, e-invoicing, and more advanced digital tools. Funds and manpower were also offered to help SMB retailers kickstart their e-commerce journey, with the government covering 90% of the cost of doing so. The “e-commerce booster package” aimed to provide aid for small businesses that had little or no e-commerce experience in their digital transformation.