More stories

  • Nearly all US execs have experienced a cybersecurity threat, but some say there's still no plan

    A new survey suggests the majority of US executives have encountered a cybersecurity incident but this has not translated into the creation of incident response plans.

    On Tuesday, Deloitte published the results of a new survey, taking place between June 6 and August 24, 2021, which includes the responses of 577 C-suite executives worldwide (159 in the US) on today’s cybersecurity threats. The research — including insight from those in CEO, CISO, and other leadership roles — suggests that nearly all US executives have come across at least one cybersecurity event over the past year, 98%, in comparison to 84% internationally.

    The COVID-19 pandemic has led to an increase in cybersecurity incidents, and it appears that the event rate may have disproportionately impacted organizations in the United States. According to Deloitte’s research, 86% of US executives have noticed an uptick in attack attempts, a higher climb than the 63% reported by leadership worldwide.

    Despite the ongoing risk of cyberattacks, US enterprise firms are not up to par when it comes to implementing defense and incident response initiatives. In total, 14% of US executives have no such plans, in comparison to 6% of non-US executives. Problems including data management issues, infrastructure complexities, failures to keep up with technological advances, and missteps in prioritizing cybersecurity are all cited as challenges in coming up with workable cybersecurity plans.

    Over 2021, incidents including the Microsoft Exchange Server hacking wave, the ransomware incidents at JBS and Colonial Pipeline, and the DDoS attack against KT have highlighted the severe business disruption caused by successful attacks. Of interest is that rather than malware, phishing, or data breaches being a top concern, 27% of executives said they were most worried about the actions of “well-meaning” employees who may inadvertently create avenues for attackers to exploit. However, only 41% of organizations say they have implemented solutions to track and monitor the risk factors associated with staff access and behavior.

    The research suggests that the common consequences experienced by today’s firms after an incident include disruption (28%), a drop in share value (24%), intellectual property theft (22%), and damage to reputation that prompts a loss in customer trust (22%). In addition, in 23% of cases, a cyberattack can lead to a change in leadership roles.

    “No CISO or CSO ever wants to tell organizational stakeholders that efforts to manage cyber risk aren’t keeping up with the speed of digital transformations made, or bad actors’ improving tactics,” commented Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal. “Aggressive organizational digital transformations and continued remote work for some seem to be shining more of a spotlight on the human side of cyber events — both the cyber talent gap and the potential risk well-meaning employees can pose. We see leading organizations turning to advanced technologies to help bridge those gaps.”

  • Third-party data breach in Singapore hits healthcare provider

    Another third-party security breach has been reported in Singapore, this time affecting patients of Fullerton Health and compromising personal data that included bank account details in “a few cases”. The affected vendor, Agape Connecting People, whose platform facilitates appointment booking, first detected the breach on October 19; the breach appeared to affect only Fullerton Health. The healthcare services provider said none of its own IT systems, network, and databases were impacted by the breach. It filed reports with both the police and the Personal Data Protection Commission, which oversees Singapore’s Personal Data Protection Act.

    Agape first detected the intrusion on October 19 and “acted immediately” to isolate and suspend use of the system, the vendor said in a statement Monday. “None of our core infrastructure has been compromised,” it said, adding that the breach “appears” to be limited to Fullerton Health. However, it noted that it was still in the process of confirming that no other clients were affected.

    Describing itself as a social enterprise, Agape operates a contact centre to provide employment for the disadvantaged, including inmates, the physically disabled, ex-offenders, and single mothers. It has a capacity of more than 250 seats and aims to support 1,000 disadvantaged individuals by 2022. Agape said it was working with cybersecurity experts to implement “mitigating action” to minimise further impact from the breach.

    Fullerton Health said on October 21 it was alerted “a few days ago” that its customer personal data could have been exposed and initiated an investigation. It found that an unauthorised party had gained access to a server used by Agape, compromising personal data of patients whom Agape had assisted in making appointments.

    Such details included names, identification numbers, and contact details, as well as bank account details in “a few cases” and “certain limited health-related information”. No credit card information or passwords were leaked, Fullerton Health said. The company services corporate clients and their employees, at least one of which had been confirmed to have had their personal data potentially exposed. Fullerton Health said it was still working to ascertain the number and identity of individuals affected by the breach. Digital forensic and cybersecurity professionals had been roped in to help with its investigations, the healthcare provider said, adding that they also were trying to determine the root cause and full extent of the breach.

    “We are conducting a thorough review of our processes and protocols relating to data security and the use of third-party service providers to further strengthen our information security,” Fullerton Health said. It said data relating to COVID-19 vaccinations carried out at its vaccination centres were not compromised, since the information had been stored separately on a system not shared with Agape.

    Singapore has seen a spate of supply chain attacks this past year that compromised personal data of, amongst others, 580,000 Singapore Airlines (SIA) frequent flyers, 129,000 Singtel customers, and 30,000 individuals in an incident involving job-matching organisation e2i. The Singapore Computer Emergency Response Team (SingCERT) last year handled 9,080 cases, up from 8,491 the year before and 4,977 in 2018, with marked increases in ransomware, online scams, and COVID-19 phishing activities, revealed a July 2021 report released by the Cyber Security Agency of Singapore (CSA). The number of reported ransomware attacks saw a significant spike of 154% in 2020, with 89 incidents, compared to 35 in 2019. These mostly affected small and midsize businesses (SMBs) in various sectors including manufacturing, retail, and healthcare.

  • Schools put the brakes on facial recognition scheme for kids buying lunch

    Schools in the United Kingdom have paused the rollout of facial recognition scans in cafeterias following backlash from data watchdogs and privacy advocates.

    Last week, the Information Commissioner’s Office (ICO), the UK’s data and privacy regulator, intervened after nine schools in North Ayrshire, Scotland, began scanning student faces to take payment for school lunches. At the time, more schools were expected to follow suit. The scheme was defended as a cashless, quick, and contactless means of payment in light of COVID-19. However, the ICO and privacy outfits were quick to note that at a time when law enforcement is roundly criticized for using the same technology on the streets, introducing it in schools may be unnecessary.

    Big Brother Watch director Silkie Carlo said: “It’s normalizing biometric identity checks for something that is mundane. You don’t need to resort to airport-style [technology] for children getting their lunch.” The ICO told The Guardian that the organization would contact North Ayrshire council to talk about data protection laws concerning minors and to see if a “less intrusive” payment option was available. This could include contactless card payments or fingerprint readers, the former of which is widely used in the United Kingdom.

    As reported by the BBC, the local council has “temporarily paused” the program, while one of the schools has completely closed down the scheme. “Whilst we are confident the new facial recognition system is operating as planned, we felt it prudent to revert to the previous PIN (personal identification number) system while we consider the inquiries received,” the North Ayrshire Council tweeted.

    One of the companies named as involved in the rollout, CRB Cunninghams, describes the technology as “a contactless biometric method that enhances the speed of service and retains the security of fingerprints.”

    In other facial recognition news, several weeks ago, the European Parliament voted in favor of a resolution barring law enforcement in the region from using facial recognition technologies. While not legally binding, the parliamentary body is currently working on rules to rein in the use of facial recognition and artificial intelligence (AI) across both the public and private sectors.

    ZDNet has reached out to CRB Cunninghams for comment.

  • Mozilla Firefox cracks down on malicious add-ons used by 455,000 users

    Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base. 

    On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, which software uses to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities. However, they may also become a conduit for malicious purposes, such as data theft or eavesdropping, a challenge faced by all browser developers.

    According to Mozilla, the add-ons removed in the sweep tampered with the browser’s update functionality; in particular, users were unable to download updates, access updated blocklists, or update remotely configured Firefox content. The add-ons have been blocked, and approval of new add-on submissions that use the proxy API was temporarily paused while a fix was created and deployed.

    Firefox, starting with v.91.1, now also includes changes to harden the update process. A fallback mechanism to direct connections for update purposes and other “important requests” made by the browser has been implemented, allowing downloads to take place even when a proxy configuration causes connection issues.

    The system add-on, “Proxy Failover,” has been deployed to Firefox users. Mozilla released Firefox version 93 at the beginning of October. The latest build includes a new tab unloading feature, the ability to block HTTP downloads from HTTPS web pages, and the end of default support for 3DES encryption. Mozilla has urged users to make sure their Firefox version is up to date.

    Developers making use of the proxy API are being asked to start including the following in their add-ons to expedite future reviews: "browser_specific_settings": { "gecko": { "strict_min_version": "91.1" } }

    “We take user security very seriously at Mozilla,” the team says. “Our add-on submission process includes automated and manual reviews that we continue to evolve and improve in order to protect Firefox users.”
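As an added example (not Mozilla's code nor any add-on author's), the check below parses a WebExtension manifest.json and flags an add-on that requests the "proxy" permission without the browser_specific_settings.gecko.strict_min_version of 91.1 described above. The add-on names and manifests are constructed samples.

```javascript
// Added example, not Mozilla's code: a reviewer-style lint for a WebExtension
// manifest.json. It flags add-ons that request the "proxy" permission without
// the browser_specific_settings.gecko.strict_min_version of "91.1" that the
// article says Mozilla now asks for. All manifests below are constructed samples.

const REQUIRED_MIN_VERSION = "91.1";

// Numeric comparison of dotted version strings ("91.1" < "91.10" < "92").
// Returns a negative, zero or positive number like a sort comparator.
function compareVersions(a, b) {
  const pa = String(a).split(".").map((n) => parseInt(n, 10) || 0);
  const pb = String(b).split(".").map((n) => parseInt(n, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const da = i < pa.length ? pa[i] : 0;
    const db = i < pb.length ? pb[i] : 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Returns a list of findings; an empty list means the manifest passes.
function checkProxyManifest(manifestJson) {
  let manifest;
  try {
    manifest = JSON.parse(manifestJson);
  } catch (e) {
    return ["manifest.json is not valid JSON: " + e.message];
  }
  // The proxy API is gated behind the "proxy" permission, which an add-on
  // may request up front or as an optional permission.
  const perms = [].concat(
    manifest.permissions || [],
    manifest.optional_permissions || []
  );
  if (!perms.includes("proxy")) return []; // nothing to check

  const bss = manifest.browser_specific_settings || {};
  const gecko = bss.gecko || {};
  const minVersion = gecko.strict_min_version;
  if (minVersion === undefined) {
    return [
      'add-on requests the "proxy" permission but sets no ' +
        "browser_specific_settings.gecko.strict_min_version",
    ];
  }
  if (compareVersions(minVersion, REQUIRED_MIN_VERSION) < 0) {
    return [
      "strict_min_version " + minVersion + " is below " + REQUIRED_MIN_VERSION +
        ", so the add-on could be installed on Firefox builds that lack the " +
        "proxy failover hardening",
    ];
  }
  return [];
}

// Constructed sample manifests (hypothetical add-on names).
const MANIFEST_OK = JSON.stringify({
  manifest_version: 2, name: "Example Proxy Helper", version: "1.0",
  permissions: ["proxy"],
  browser_specific_settings: { gecko: { strict_min_version: "91.1" } },
});
const MANIFEST_MISSING = JSON.stringify({
  manifest_version: 2, name: "Example Proxy Helper", version: "1.0",
  permissions: ["proxy"],
});
const MANIFEST_NO_PROXY = JSON.stringify({
  manifest_version: 2, name: "Example Theme", version: "1.0", theme: {},
});

console.log(checkProxyManifest(MANIFEST_OK)); // [] (passes)
console.log(checkProxyManifest(MANIFEST_MISSING)); // one finding
```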

  • KT clarifies routing error caused outage instead of DDoS attack

    South Korean telco KT has said its network outage on Monday was caused by an internal router issue, backtracking on its initial claim that the incident was caused by a large-scale distributed denial-of-service (DDoS) attack. In a statement, the telco said it initially suspected a DDoS attack due to traffic overload, but after it scrutinised the matter it found that the cause was a routing error. KT added it would cooperate with the government to investigate the precise cause. The telco is yet to announce what caused the routing error in the first place and how this led to the outage; it is expected to do so at a later date.

    KT’s nationwide network suffered an outage on Monday for around 40 minutes at around 11am local time. The telco’s subscribers were unable to use their credit cards, trade stocks, or access apps, while some large commercial websites were also shut down during that period. South Korean police, who are also investigating the matter, said they could not find any circumstances to indicate that there was an external cyber attack in their initial investigations.

    Meanwhile, the Ministry of Science and ICT is still conducting its own investigations on the matter. The ministry has ordered KT to investigate the extent of the damage caused to customers by the outage.

  • Home Affairs in talks to give telcos more blocking powers against malicious messages

    The Department of Home Affairs is in talks with the telecommunications industry to provide more powers to telcos for blocking spam and malicious content.

    “We are in discussion with the telcos that provide your services … under the Telecommunications Act, section 313, there might be a possibility for the telcos to act as an authorised blocking agent — that is to say, it’s unwanted, I don’t want this to come to my computer, I don’t want this to come to my phone. It’s malicious,” Home Affairs secretary Mike Pezzullo told Senate Estimates on Monday evening.

    Pezzullo noted that more work needed to be done in this area, however, as it is currently unclear whether the Telecommunications Act deems providing a link to be an offence or whether the offence is actually the subsequent action taken by a criminal actor of taking advantage of a victim after they’ve clicked on a malicious link.

    “There are some complexities here because it has to be a nexus to an offence. So scamming, click this link, may itself not be an offence, in which case, our advice to government in due course might well be that legislative changes are required. But the act of clicking might create a nexus to an offence, that offence might be identity theft, fraud, etc,” Pezzullo said.

    Marc Ablong, Home Affairs deputy secretary of National Resilience and Cybersecurity, analogised this “complexity” to how a mail service provider such as Australia Post would not be responsible for disposing of the contents of a letter if it were dangerous.

    “If there was something criminal in [a letter], you wouldn’t go after Australia Post … nor would you ask Australia Post to block the letter. And so, the nature of the conversations that we’re having with the telco sector at the moment is: Do they have sufficient information at scale to be able to block the whole class of these spam messages? Or would they need to report each and every one that came in?” Ablong explained.

    Ablong added that the part of Home Affairs’ discussions with telcos about blocking malicious SMS messages has been focused on how best to define the attributes of an SMS message in a way that only blocks malicious messages, while still allowing normal SMS messages to pass through.

    The explanation of the potential expanded blocking measures followed the theme of yesterday’s Senate Estimates, at least for the Department of Home Affairs and federal law enforcement authorities, with Pezzullo saying they would all be “more aggressive” in addressing cyber threats moving forward.

    “We’re going hunting. We’re using offensive capabilities,” he said. “The AFP is very actively engaged with international colleagues to go after the gangs that don’t only engage in ransomware — time’s up for them — but also other forms of identity theft, phishing, and so on and so forth.”

    In Pezzullo’s opening statement at Senate Estimates, he said Home Affairs was becoming increasingly concerned about the potential for adversaries to preposition malicious code in critical infrastructure, particularly in areas such as telecommunications and energy. “Such cyber-enabled activities could be used to damage critical networks in the future. The increasingly interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security, and sovereignty,” he said.

    Earlier on Monday, AFP commissioner Reece Kershaw shared a similar sentiment at Senate Estimates, saying the federal police has been implementing a new cyber offensive arm, which has entailed talking with the Five Eyes alliance about the growth of cyberthreats. “At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said.

    Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism.

    Pezzullo’s declaration follows his department launching a national ransomware action plan earlier this month. The major focus for that plan is to create new laws and tougher penalties for people who use ransomware to conduct cyber extortion. The federal government last week also amended the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is currently under consideration in Parliament, as part of efforts to expedite the process for it to become law. That Bill is seeking to create mandatory reporting requirements for organisations that suffer a cyber attack and provide government with “last resort” powers that allow it to direct an entity to gather information, undertake an action, or authorise the ASD to intervene against cyber attacks.

    When asked by Senator and Shadow Minister for Home Affairs Kristina Keneally how the development of these capabilities has progressed, he said he expected the policy work to be completed by “this side of Christmas”.

    Keneally and Shadow Assistant Minister Tim Watts the next morning said the lack of concrete details meant the federal government was “all announcement, no action”. “Three months after Home Affairs Minister Karen Andrews declared that ‘Time’s Up’ for ransomware gangs, Senate Estimates has confirmed the government has committed no new funding, has initiated no new law enforcement action, and will pass no new legislation in the Parliament before Christmas,” the Labor politicians said in a statement.

  • NSW government stands up dedicated unit to fight identity theft

    The New South Wales government has established a dedicated unit that will provide support for citizens who have had their personal information or government proof of identity credentials stolen or fraudulently obtained. The new unit, known as IDSupport NSW, will become the single point of call for citizens who have had their identity stolen. It will work with other NSW government departments and Australia and New Zealand’s national identity and cyber support service, IDCare, to mitigate the risk of stolen personal information being used for identity crimes and replace compromised identity documents where appropriate.

    “IDSupport NSW will for the first time provide a single point-of-contact for citizens who have had their identity compromised, while ensuring we have a coordinated end-to-end privacy incident response service in NSW Government,” Minister for Digital and Customer Service Victor Dominello said. “The unit will remove the burden from customers who need to replace identification documents, improving their experience at what we know can be a difficult time.”

    The state government added IDSupport NSW would also provide citizens with options for additional support, such as counselling services, and deliver education and awareness campaigns about personal cybersecurity and identity resilience together with Cyber Security NSW and other government agencies. The Department of Customer Service is now recruiting experts to join IDSupport NSW, which is due to be launched early next year. The launch of IDSupport NSW forms part of the NSW government’s identity strategy [PDF] and follows on from recommendations made by the Parliamentary Inquiry into Cyber Security released earlier this year.

    Back in 2019, the NSW government’s Cyber Security NSW arm established the IDCare Identity Recovery Service to help state government customers whose identities are compromised due to a “cyber incident”. The service, at the time, was only available for up to 500 individual referrals by NSW government departments and agencies to IDCare.

  • Austrac limited when regulating overseas terrorism financing via online platforms

    Representatives from the Australian Transaction Reports and Analysis Centre (Austrac) on Monday said far-right extremists were increasingly using online platforms, such as Telegram and cryptocurrency exchange platforms, to fund their operations. But because Austrac’s remit only covers financing activity within Australia’s banking system, the agency’s CEO said its scope for catching financing of terrorism activities could often be limited.

    “That’s why we rely so heavily on the banks if it’s going to the banking system, but of course, much of this doesn’t go through the banking system so that’s why we’re [trying to] enhance our capability,” Austrac CEO Nicole Rose said at Senate Estimates.

    In terms of what Austrac can do when it comes to restricting prominent far-right extremists from fundraising through those digital channels, Rose said the agency can work with partner agencies to help identify these payments. “We provide intelligence on targets that we may create ourselves or the police may actually ask us national security agencies asked us to provide intelligence,” Rose said.

    Austrac deputy CEO John Moss added the agency was working with digital currency exchange providers to build indicators and financial crime guides that can be used to detect suspicious matter reports and send those to government, which can then be shared with governments outside of Australia. Identifying these payments is difficult though, with Moss explaining at Senate Estimates that terrorism financing through these digital channels is often in the form of small payments, which are hard to detect.

    Last month, one of the country’s largest fintech industry bodies, Fintech Australia, said Austrac had too heavy a burden in its fight against money laundering and counter terrorism. The fintech industry body said Austrac has struggled to respond to and rely upon various regulatory reports it receives to deal with money laundering and terrorism financing due to resourcing and technology budgeting reasons.

    Meanwhile, Australian Security Intelligence Organisation director-general Mike Burgess said current trends indicate that espionage and foreign interference would supplant terrorism as Australia’s principal security concern, despite terrorism continuing to remain a key threat. “On a daily basis, multiple countries are making multiple attempts to conduct espionage and foreign interference against Australia,” Burgess said in his opening statement at Senate Estimates. “These attempts are sophisticated and wide-ranging. They are enabled and accelerated by technology.” “Such cyber-enabled activities could be used to damage critical networks and infrastructure in the future, especially in times of increased tensions.”

    Concurring with the findings made by Austrac that online platforms have helped spur the rise of far-right extremism, Burgess said almost half of the agency’s domestic onshore counter-terrorism caseload was focused on far-right extremism. “People being online have potentially been subject to information that has helped put them up a path of radicalisation,” he said. “Obviously with lockdowns, they don’t benefit from the social interactions that tend to normalise what people get through their online interactions.”