More stories


    FBI receives record level of complaints for online scams, investment fraud

    The FBI says that complaints concerning online scams and investment fraud have now reached a record-breaking level. The FBI’s Internet Crime Complaint Center (IC3) received its six millionth complaint on May 15, 2021. While it took close to seven years for the IC3 to register its first one million reports, it took only 14 months to add the most recent million. According to the US agency, annual complaint volumes increased by close to 70% between 2019 and 2020. The most common crimes reported were phishing scams, schemes relating to non-payment or non-delivery, and extortion attempts. The coronavirus pandemic paved the way for new kinds of scams over 2020, many of which centered around fake vaccination appointment requests, online delivery notifications — a popular phishing lure made even more effective by stay-at-home orders — and spam sent under the names of agencies such as the World Health Organization (WHO).
    IC3 says that the most money is lost through three forms of online scam:

    - Business email compromise (BEC): BEC scams, usually crafted through social engineering and phishing, target businesses and attempt to dupe employees into paying for non-existent services, thereby transferring money belonging to a business into an account controlled by cybercriminals.

    - Romance and confidence scams: These can include the stereotypical scheme in which scammers pull on the heartstrings of victims to pressure them into sending money, as well as sextortion. Recent cases reported by UK police included scammers who conducted video chats with potential ‘matches,’ asked them to perform sexual activities on camera, and then blackmailed them for money. In January, Interpol warned of an increase in dating apps being used by fraudsters to connect with potential victims and, once trust is established, con them into signing up for fake investment opportunities.

    - Investment fraud: These can include pump-and-dump schemes for worthless stock, as well as cryptocurrency or other investment plans that promise guaranteed returns far beyond the initial investment.

    “The increase in crimes reported in 2020 may have also been due in part to the pandemic driving more commerce and activities online,” the FBI says. “The latest numbers indicate 2021 may be another record year.” On May 17, the US Federal Trade Commission (FTC) warned that consumers have lost over $80 million to cryptocurrency investment scams since October 2020. Touted by celebrities including Elon Musk, renewed interest in the cryptocurrency space has unfortunately also led to an increase in cryptocurrency-related scams. The FTC says that close to 7,000 reports of cryptocurrency fraud were received from US consumers in the last quarter of 2020 and Q1 2021. The average loss was $1,900 per victim.


    Asia division of cyber insurance company AXA hit with ransomware attack

    One of the world’s biggest cyberinsurance companies, AXA, was hit with a ransomware attack at its offices in Asia this weekend by the noted ransomware gang Avaddon. In a statement to ZDNet, a spokesperson for AXA Partners said a targeted ransomware attack disrupted its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines. Certain data processed by Inter Partners Asia in Thailand has been accessed, the spokesperson explained, but there was no evidence any other data was accessed. The company has hired a forensic team to investigate the incident and said it notified business partners as well as regulators while it prepares to support all of the clients who may have been impacted.

    Members of the Avaddon group wrote on their dark web site that they have already taken three terabytes of data from AXA Group and that the files include information such as passports, ID cards, denied reimbursements, contracts, customer claims, payments to customers, bank account information, files from hospitals about fraud investigations, and medical reports containing sensitive information about patients. The group even posted samples of the data. DomainTools researcher Chad Anderson said the people behind the Avaddon ransomware gang had posted about their latest victim on a dark web page, and he shared with ZDNet a screenshot of the group’s list of targets along with timers showing how long each victim has before the ransom demand escalates.
    The companies on the list include AXA Group, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, Henry Oil & Gas, the Indonesian government’s airport company PT Angkasa Pura I, and Acer Finance. Both the FBI and Australian Cyber Security Centre released warning notices last week about Avaddon’s ransomware tactics. 

    AXA has about three days left, according to Anderson, before Avaddon members have said they will begin leaking the company’s documents. The cyberinsurance company has been in the news recently because it pledged to stop reimbursing customers in France who had been hit by ransomware attacks and decided to pay the ransom. The decision was made after pressure from French regulators who said the insurance payouts were fueling higher ransom payments and making the crimes lucrative for the gangs behind them. “In total, since their discovery in June 2020, the Avaddon gang has published data on dozens of victims on their dark web site, following the now common double-extortion technique amongst ransomware operators,” Anderson said. “Avaddon also maintains an affiliate program where they recruit hackers from underground forums to deploy their ransomware. This most recent intrusion shows that the human operators behind these ransomware families continue to hone their skills and become continually faster at deploying on victim networks.”

    Cybersecurity experts said it was impossible to ignore the timing of the attack. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said Avaddon may have been targeting AXA to make an example of companies challenging their business goals. But on a deeper level, Clements said it was proof that almost all organizations are vulnerable in some way or on some level and that the scale and complexity of modern networks makes it nearly impossible to plug every potential hole. “Couple this with the fact that ransomware gang’s extortion earnings often give them higher budgets than their target teams’ defenders and it’s no wonder that ransomware is epidemic across the globe,” Clements said.
    Netenrich security advisor Sean Cordero added that for companies as large as AXA, it is often difficult to have sufficient visibility into the cybersecurity practices and controls across their business partners and subsidiaries. But the lessons learned from this attack, Cordero explained, may lead to better ways for the insured and the insurer to collaborate, as this attack implies a weakness in risk assessment, validation, or execution. “If an insurer like AXA struggles to validate their cyber capabilities and needs — what is the chance that they may have incorrectly assessed the risks across their portfolio of cyber insurance clients?” Cordero asked. “I imagine that the professionals responsible for achieving positive returns on cybersecurity policies may have renewed discussions with assessors and underwriters in the wake of this most recent incident.”


    Android stalkerware detection rates surged over 2020

    Android stalkerware and spyware detections surged by 48% over the past year, and not only do these apps invade user privacy, their vendors do not appear to care about tackling vulnerabilities found in their creations. This week, ESET researcher Lukas Stefanko released telemetry data focused on Android stalkerware detection, revealing that usage of these dubious apps began to climb in 2019 — with a five-fold increase reported in comparison to 2018 — and this trend continued in 2020, highlighting their ongoing popularity. ESET’s findings are corroborated by past research from Kaspersky, which found that stalkerware infections grew by 40% in 2019. Stalkerware is a term coined to describe the most invasive types of spyware, which are often paid for, and used, by people close to home rather than unknown threat actors.

    These types of software can be covertly installed on a PC or mobile device and will track a user’s activities in a deep violation of privacy, with data gathered including their GPS location (where available), call logs, contact lists, SMS communication, social media usage, browser history, and more. Data harvested by these apps is then sent to an operator. In the case of mobile stalkerware, the operator usually needs physical access to the device to side-load the malware, so operators tend to be close family members, spouses, or parents. These apps may also be used by businesses to monitor employees.

    While many of these apps are marketed as a way to monitor children in the interest of safety, their invasive nature is generally thought to make them unethical. Just because something is marketed as a safety net for minors does not mean it cannot be used to track a spouse, for example — and in either case, regardless of the age of the person being stalked, rights to privacy may be abused. According to Stefanko, a recent analysis of stalkerware available for the Google Android mobile platform revealed that many vendors tout their wares as a means to protect not only children, but also employees and women. The vendors producing them for financial gain also do not appear to care that the inherent — and expansive — security vulnerabilities in their apps put both their ‘users’ and their customers at risk in other ways. “If nothing else, stalkerware apps encourage clearly ethically questionable behavior, leading most mobile security solutions to flag them as undesirable or harmful,” the researcher says. “However, given that these apps access, gather, store, and transmit more information than any other app their victims have installed, we were interested in how well these apps protected that amount of especially sensitive data.” In short, they didn’t. An examination of 58 Android stalkerware apps, provided by 86 vendors, revealed a total of 158 security issues. These included the insecure transmission of sensitive data, command injection flaws, data leaks, information left on servers after accounts were deleted, and exposure of both source code and admin credentials. Not only was the victim’s data mishandled in many cases, but the bugs also impacted the security of the vendors themselves and their stalker customers. The vulnerabilities were reported to the affected vendors, but only six developers have fixed their software, seven have made promises to patch that are yet to be kept, and 44 did not respond at all to ESET’s disclosure.
“The research should serve as a warning to potential future clients of stalkerware to reconsider using software against their spouses and loved ones, since not only is it unethical, but also might result in revealing the private and intimate information of their spouses and leave them at risk of cyberattacks and fraud,” Stefanko commented.


    Services Australia has reported five data breaches since July 2019

    Since the start of the 2019 financial year, Services Australia has reported a total of five eligible data breaches to the Office of the Australian Information Commissioner (OAIC). According to the agency, the five breaches reported in the financial years 2019-2020 and 2020-2021, up until 12 April 2021, all involved human error. Revealed in response to questions taken on notice, Services Australia said 232 people have been affected by the breaches, as at 12 April. “The [eligible data breaches] occurred in the context of the agency’s many millions of customer interactions each year,” it declared. “For example, the agency had approximately 395 million customer interactions in 2019-2020.”

    For each eligible data breach, Services Australia said it takes appropriate remediation steps, including notifying affected customers, providing further training and education for staff, and reviewing and improving agency processes and procedures. Services Australia in March admitted it had reported a total of 20 cybersecurity incidents to the Australian Cyber Security Centre (ACSC) in 2019-20, covering its responsibility across the Department of Social Services, the National Disability Insurance Agency, and the Department of Veterans’ Affairs, in addition to its own IT shop. The ACSC reported receiving a total of 436 notifications from government entities.

    Of those 20 incidents, the agency has now added that none involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breaches (NDB) Scheme. The NDB scheme came into effect in February 2018. It requires agencies and organisations in Australia that are covered by the Commonwealth Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach. As detailed in the OAIC’s latest report, Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year. The Australian government accounted for 6% of the total, with 33 notifications.

    Services Australia said that internally it completed 125 investigations into unauthorised access to information by staff in the period spanning 1 July 2020 to 28 February 2021. “Unauthorised access to information by staff is access to agency information, which could include personal information, that they have no legitimate business reason to access, including individuals accessing their own data,” Services Australia clarified. It said none of those investigations led to a referral to the Commonwealth Director of Public Prosecutions. However, Services Australia said it took administrative disciplinary action in response to a number of those investigations, ranging from formal warning letters to termination of employment.
“None of the investigations involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breach Scheme,” it added.

Elsewhere during Senate Estimates in March, the Department of Home Affairs took on notice a handful of questions related to ransomware, such as the number of criminal investigations of ransomware attacks against Australian organisations opened by the Australian Federal Police (AFP), the number of ransomware-related investigations underway, and the number of law enforcement operations against ransomware groups initiated in foreign jurisdictions that the AFP participated in. In response, Home Affairs listed the five potential offences that can be used to penalise ransomware-related activities. It did, however, confirm at least one charge has been laid by the AFP. “In the last 12 months, the AFP charged at least one individual in Australia with criminal offences related to ransomware,” it wrote. “The AFP is unable to include comprehensive statistics because of the lack of explicit provisions against ransomware offences as outlined.”

The Department of Finance, meanwhile, responded to questions asked of it during March estimates, specifically related to the shared enterprise resource planning (ERP) technology platform, GovERP. Initially unveiled as part of the 2017 Budget, AU$89.5 million across three years was allocated to consolidate and streamline back-office corporate functions in the Australian Public Service. Finance was asked how much of the funding had been spent on those external to the department. GovERP has received funding of AU$67.1 million over the two years 2019-20 and 2020-21. Of this, Finance said AU$35.5 million has been spent to date on contractors and consultants. “The program will implement a new technology in which the APS has not yet developed expertise,” Finance said.
“The majority of contractors and consultants are engaged to provide specialised skills and services to support the program, many of which are small to medium enterprises, particularly with respect to ICT labour.”

GovERP has been funded for a further two years as part of the 2021-22 federal Budget, but the dollar amount has been listed in official documents as not for publication due to “commercial sensitivities”.


    Japan to restrict private sector use of foreign equipment and tech: Report

    The Japanese government will reportedly introduce new regulations across 44 sectors to bolster national cyber defence, partly in response to the Colonial Pipeline hack that occurred last week. The government plans to amend various laws governing each sector by passing an all-encompassing motion and a new law requiring each sector to be conscious of national security risks, Nikkei said in a report. The sectors expected to see the legislative changes include telecommunications, electricity, finance, railroads, government services, and healthcare, among others. Specifically, these sectors will reportedly be required to look into issues stemming from the use of foreign equipment or services, including cloud data storage and connections to servers located overseas. The government will also reportedly monitor companies for compliance and gain the power to prevent companies from using foreign equipment if it detects any major issues. Detailed standards will likely be outlined in future government ordinances and guidelines as well.

    Three years ago, Japanese government agencies agreed to stop procuring equipment that could pose national security risks, such as that from Huawei and ZTE. With the latest mandate, the Japanese government now wants to extend that level of stringency to the private sector. The move comes a week after Colonial Pipeline — one of America’s largest pipeline operators, providing roughly 45% of the country’s east coast fuel — suffered a ransomware attack. Due to the cyber attack, the company had to temporarily close down its operations, freeze IT systems to isolate the infection, and pay close to $5 million to decrypt locked systems.

    During the same week as the Colonial Pipeline hack, the culprits behind the ransomware attack also hit Toshiba, although the impact of that attack was primarily in Europe rather than domestically. Other countries, like the US, have already imposed similar restrictions on tech-related procurement. In the US, companies — both domestic and foreign — are required to gain licensing approval in order to purchase technology built by Huawei and ZTE, or to sell goods to those Chinese companies if the goods contain certain US technology. North of the border, Canadian telcos have also effectively blocked Huawei out of their 5G network builds by signing deals with the Chinese giant’s rivals instead. The Chinese network equipment provider is also banned in Australia and Sweden, and it has not made inroads in New Zealand after the GCSB prevented Spark from using Huawei kit in November 2018. Meanwhile, UK mobile networks have been told they cannot buy any more 5G equipment from Huawei after the end of this year, and that they must remove the Chinese networking company’s technology from their 5G networks by the end of 2027.


    Sensory’s new voice assistants do not sacrifice your privacy or send data to the cloud

    If you have held off buying a voice assistant because you are worried about it listening to far more than it lets on, you can finally have a custom voice assistant with the level of privacy you want. Deep learning voice AI assistants are appearing in everything from kitchen appliances to twerking teddy bears. But are people comfortable with always-listening devices in their homes?

    Although 80 million US households do intend to buy a smart home device, adoption of smart speakers remains low, with under 50% of respondents actually owning one. But does everyone actually need the ‘world-at-your-feet’ AI generalist, internet-based voice assistant? With over one in three people feeling that voice assistants are harmful to safety, these devices have a lot of trust issues to overcome. Now Santa Clara, CA-based voice AI company Sensory has announced a custom voice assistant that delivers total privacy for its users. This voice assistant does not even need an internet connection.

    One of the first devices to use the Sensory voice assistant is a new voice-enabled Farberware microwave oven that features a custom, private voice UI. The technology uses a custom domain-specific voice assistant that runs on a Linux Rockchip RK3308 and can understand over 150 commands. You can ask the microwave ‘Voice Genie’ to open the door, cook something, specify a time to cook, reheat or defrost. All commands are processed on the device, so you do not need to connect the microwave to your Wi-Fi – or to the cloud.

    The Sensory NLU (Natural Language Understanding) engine looks for “intents” within a limited vocabulary domain, which makes a lot of sense for custom devices. You are hardly likely to ask the microwave oven what the weather is going to be like, or ask it to check your email or calendar — so why would a voice assistant need that extra capability? The chance of being misunderstood is lower than with an off-the-shelf assistant that listens for a huge range of context words that would be meaningless to a device waiting for the simple command to defrost a pizza.

    Todd Mozer, CEO at Sensory, said: “People love the convenience of mainstream voice assistants, but privacy, accuracy, complicated setup, and connectivity issues continue to be a growing concern among users. These concerns have intensified the need for custom private voice assistants”. Custom voice assistants that are trained for specific domains such as washing machines, toasters, microwave ovens, robot vacuums, and lawnmowers could perform more accurately than generalist voice assistants. Devices such as Siri or Alexa have to search through their entire knowledge base to give you a reasonably accurate answer to whatever question you might ask.

    Sensory said that most of its customers are brands wishing to give their customers voice-controlled devices without giving up their data to the cloud. If you want to own one of these voice-controlled microwave ovens, the Farberware FM11 VABK microwave is available for under $250 on Amazon at the moment. Should your robot vacuum have to be connected to the cloud to work? No, it shouldn’t. Once configured through the app, you should be able to control it even if your internet connection fails. The same should be true of other voice-controlled devices that have no reason at all to connect to the internet, spewing data for anyone to collect. Expect to see more private voice assistants popping up in other household appliances very soon.


    Ransomware: 'We won't pay ransom,' says Ireland after attack on health service

    Ireland’s Health Service Executive (HSE) has ruled out giving in to hackers’ demands as the country’s healthcare and social services continue to deal with the disruption caused by a significant ransomware attack that occurred a few days ago.   The HSE has now confirmed that a ransom has been sought by the attackers, although the exact amount is yet to be clarified. “Following an initial assessment we know this is a variant of the Conti virus that our security providers had not seen before. A ransom has been sought and won’t be paid in line with state policy,” the HSE said. Last week, the organization was targeted by a cyber-attack on its IT systems, which was described by government officials as possibly the ‘most significant’ case of cybercrime against the Irish State. Irish Taoiseach (Prime Minister) Micheál Martin also ruled out paying the gang, saying “We’re very clear we will not be paying any ransom or engaging in any of that sort of stuff,” according to broadcaster RTE.

    The attack took the form of ransomware, which occurs when cyber criminals use a form of malware to encrypt networks, then demand payment in exchange for the decryption key.  In response, the HSE immediately shut down all of its computer systems – a precautionary measure to protect the organization’s networks from further attack.  This has inevitably affected the delivery of key services across the country. In its latest update, the HSE said that patients should expect cancellations of outpatient services, with x-ray appointments and laboratory services, in particular, to remain severely affected.    Patients will also see delays in getting their COVID-19 test results, and contact-tracing, while still operating as normal, will take longer than usual. 

    COVID-19 vaccination appointments are going ahead as normal, the health service maintained, encouraging those booked in for a jab to attend their appointment as planned. Emergency departments, sexual assault treatment units and the national ambulance service are still operating. The impact of the attack varies across hospital and community services nationwide, with teams on the ground working to re-deploy staff and re-schedule procedures and appointments as needed, said the HSE.

    The organization has been working with the National Cyber Security Centre (NCSC) and third-party cybersecurity experts such as McAfee to investigate the incident. The attack was identified as a human-operated ransomware variant known as “Conti”, which has been on the rise in recent months. Conti operates on the basis of “double extortion” attacks, which means that attackers threaten to release information stolen from the victims if they refuse to pay the ransom. The idea is to use the threat of data exposure to further blackmail victims into meeting the hackers’ demands. “We are dealing with this in accordance with the advice we received from cybersecurity experts and I think we’re very clear we will not be paying any ransom,” Micheál Martin, the prime minister of Ireland, said during a news briefing. “So the work continues by the experts.”

    Instead, the NCSC has recommended a remediation strategy that involves containing the attack by isolating the systems that were hacked, before wiping, rebuilding and updating all the infected devices. The HSE should then ensure that antivirus is up to date on all systems, before using offsite backups to restore systems safely. The HSE has confirmed that it is in the process of assessing up to 2,000 patient-facing IT systems, each of which includes multiple servers and devices, to enable recovery in a controlled way. There are 80,000 HSE devices to be checked before they can be brought back online.
Priority is given to key patient care systems, including diagnostic imaging, laboratory systems and radiation oncology, and some systems have already been recovered. “Some progress has been made on getting servers cleaned, restored and back online. This is in line with the pace we had anticipated, and is a stepped, methodical process, to mitigate the risk of re-infection. We are also looking at interim solutions to get some servers back online in a proven safe way,” said the HSE. But while it is clear that data on some servers has been encrypted, the organization conceded that the full extent of the issue is unknown at this point. Earlier this year, Conti claimed responsibility for an attack against the Scottish Environment Protection Agency (SEPA), during which 1.2GB of data was stolen. Thousands of stolen files were published after the organization refused to pay the ransom. The latest attack against Ireland’s HSE comes only days after one of the largest pipeline operators in the US paid close to $5 million to a ransomware group that had encrypted key systems, which forced the fuel giant to temporarily close down its IT operations and hugely affected supplies across the country.


    Google gives predictions for the future of security

    The biggest security challenge in 10 years, according to Google Security VP Royal Hansen, will be “shifting the focus of security from the technical hygiene of code and configuration to self defending data will save time and resources while unlocking rapid and safe innovation.” Hansen is one of a handful of security experts from Google offering insights and predictions about the next decade of security ahead of the annual RSA Conference. Hansen elaborated: “Defense in depth and the control design we have learned from engineering methodologies will finally catch up to the dynamic nature of software. The better analogies will become biological – the immune system or the combination of organ systems like circulatory and respiratory. Independent and constantly evolving but stronger operating together in the same superorganism.”

    Taking a step back to look at the bigger picture can be useful, as cybersecurity becomes an increasingly pressing issue. For most security officers, the threat landscape is concerning enough that they are worried about getting through the next 12 months. Further predictions come from Vint Cerf, Sunil Potti, Jeanette Manfra and others.