More stories

    Google bans another misbehaving CA from Chrome

    Google intends to ban and remove support from Chrome for digital certificates issued by Spanish certificate authority (CA) Camerfirma, the browser maker announced this week.

    The ban will come into effect with the launch of Chrome 90, scheduled for release in mid-April 2021.
    After the Chrome 90 launch, all websites that use TLS certificates issued by Camerfirma to secure their HTTPS traffic will show an error and will not load in Chrome going forward.
    The decision to ban Camerfirma certificates was announced on Monday after the company was given more than six weeks to explain a string of 26 incidents related to its certificate-issuance process.
    The incidents, detailed by Mozilla on this page, go back to March 2017.
    Two of the most recent have taken place this month, January 2021, even after the company was made aware it was under investigation in December 2020.
    The incidents paint a picture of a company that has failed to meet industry-agreed quality and security standards in regards to the process of issuing TLS certificates for website operators, software makers, and enterprise system administrators.
    Just Chrome for now

    Over the years, browser makers have often banded together to kick out certificate authorities that don’t follow these rules. Other CAs that have been banned from Chrome in the past include Symantec, DigiNotar, and WoSign and its subsidiary StartCom.
    This led to companies like DigiNotar filing for bankruptcy and Symantec selling its CA business to DigiCert after their certificates became pariahs inside modern browsers.
    At the time of writing, no other browser maker has announced a similar ban on Camerfirma certs, but industry experts expect similar decisions from the other three (Apple, Microsoft, and Mozilla) in the coming weeks.
    Nevertheless, the Google ban alone is more than enough to cripple Camerfirma’s business. With Chrome holding a market share of around 60% to 70%, the ban is a de facto death blow.
    A Camerfirma spokesperson has not returned a request for comment.

    Scams, terror, and national security: Problems with Chinese microloan apps in India

    Technology has become a great enabler but it can also be a killer. In this case, it has literally proven so for India’s lower-income residents, thanks to unscrupulous Chinese operators who have used spurious loan apps and hired Indian underlings to bilk the most vulnerable.
    In just 10 months since the pandemic began, at least $3 billion worth of scam microloan transactions have taken place, with the bulk of that siphoned off.
    The targets of these scams are people who are largely marginalised by the banking sector. Pandemic-induced joblessness and pay cuts created an urgent need for cash, and the dire situation of these people was exacerbated in 2020, making them ripe for exploitation.
    Yet this appears to be only the tip of the iceberg. The other problem arising from the actions of these relatively few bad actors is that they have threatened the dynamic Chinese tech ecosystem within India. The top smartphone sellers in the country, such as Xiaomi, Oppo, Vivo, RealMe, and OnePlus, all have significant investments in the country.
    Countless startups, many that have now grown up, like Paytm and Ola, have been nourished by significant chunks of Chinese money — $4 billion worth — from companies like Tencent and Alibaba’s Ant Financial.
    THE UNDERSERVED
    Within the great revolution that the internet has ushered in, there have been big strides in areas such as transportation (Ola), e-commerce (Flipkart), and food-tech (Zomato), along with the advancement of a whole host of automation, logistics, and cloud services outfits that have begun to empower businesses and consumers.
    One area that has held much promise is the booming fintech market, which provides solutions in the form of consumer credit, supply chain finance, digital payment, wealth management, and insurance.

    In India, specifically, the poor in smaller towns and in the countryside have always been starved of banking avenues. Private sector banks, which took off in the early 2000s, had made the calculation long ago that it would not be profitable on a per account basis to expand to the hinterland.
    The Indian digital payments revolution tried to alleviate this problem experienced by the unbanked, but poor internet infrastructure has made it difficult for financial inclusion to become commonplace, and smartphones are not yet ubiquitous in these parts.
    As a result, moneylenders who have always held sway in rural and semi-urban parts have continued to ply their trade. Even scores of unbanked urban Indians in big cities have to resort to borrowing money from these unsavoury sources. Many of these moneylenders charge upwards of 300% interest, which is why, when marginalised Indians got wind of easy and instant loan approvals from an array of fintech apps, borrowing from them was a no-brainer.
    They just didn’t realise, however, that they were being taken for a painful if not devastating ride.
    DATA AS COLLATERAL
    This is how the scam essentially works for the majority of borrowers. For example, a woman takes a loan — mostly a small one, say Rs 3,500 ($1) — from a digital lending app, such as My Bank. But within a few days, she notices something odd: Rs 26,000 is deposited into her account from 14 or so different lending apps that had never been downloaded onto her phone.
    Before she is able to make sense of what is going on, the borrower is suddenly assailed by collection agents from all of these apps for the repayment of Rs 44,000 — 10 times the amount she borrowed.
    When this already severely cash-strapped person is unable to repay her loans, she is threatened by collection agents, who then morph her face onto naked bodies to create pornographic images of her.
    The images are then sent to all of her contacts which the loan app had already accessed as part of the loan agreement, as well as the person’s WhatsApp groups. Personal data, which the lending app made sure it collected, was essentially used as collateral.
    This kind of public humiliation and shame has resulted in six suicides in the state of Telangana so far.
    THE PHANTOM MENACE
    When an Indian consumer collective, Cashless Consumer, decided to investigate these occurrences, it discovered the scale and the horror of what was going on.
    All of the user data is apparently stored in China and out of the 1,050 instant loan apps it checked — Loan Gram, Cash Train, Cash Bus, AAA Cash, Super Cash, Mint Cash, Happy Cash, Loan Card, Repay One, Money Box, Monkey box, Rupee Day, Cash Goo, among many, many others — only 300 apps had websites, albeit with scant information. Meanwhile, only 90 had physical addresses. According to Cashless Consumer, many of these apps breach Indian rules on lending.
    Traditionally, banks and other non-banking financial companies that hand out loans have a whole host of documents that have to be provided before a loan is issued. Making the cut is not easy.
    Enter digital lending apps, which more or less are not required to follow such requirements and can issue microloans with a much shorter repayment window and brutally high interest rates, most often 1% a day, compounding every two weeks. It’s difficult to see how a person with a modest income, let alone one in a pandemic-induced cashflow crisis, would be able to pay this back.
    When SaveIndia Foundation, a team of cybersecurity professionals, investigated instant loan apps operating in India, they discovered that hundreds of these accounts operated abroad and that usernames and passwords were in Mandarin.
    Further probing revealed that Chinese nationals were using Indian proxies as directors and used local chartered accountants to set up companies. In one instance, one such accountant helped Chinese investors float 40 companies, 12 of which were loan apps that now have criminal cases booked against them.
    Police from four different states in India finally arrested seven Chinese nationals earlier this month for running the show with 35 Indian deputies, some of whom travelled to China for “training”. Several of these Indians were directors of multiple companies that have since been implicated in microloan scams based out of Bengaluru, Pune, Hyderabad, and Gurugram.
    Payment gateways providing online wallets to these companies such as PayTM, Razorpay, and Cashfree have also contributed to the fiasco, say critics, and have been accused of being shoddy in their due diligence. A simple scrutiny of the appropriate identification documents, known in India as Know Your Customer, would have stopped many of these companies, according to critics.
    THE FIX?
    Without a firm government decree that requires stringent checks on money-related apps, more monumental digitally-enabled disasters are a certainty.
    Moreover, app purveyors like Google should be forced to authenticate every loan app in their store. While the Google store has shut down a few dozen operators, the scale of the problem is immense. Hundreds of loan apps whose origins are dubious at best still abound.
    Another equally dire consequence is that details of individuals given for the 14 million transactions all include copies of the Aadhaar, or the national identity card, which is part of the pan-India database. That information, along with Indian citizens’ facial images, now sit comfortably on Chinese servers and many are calling it a national security issue.
    It is ironic that just 15 years ago, a microfinance revolution had built a dynamic industry in the same exact spot that many of the loan scams have popped up — the state of Telangana, which was once part of Andhra Pradesh.
    The industry ultimately collapsed because borrowers were strongly encouraged to take multiple loans that became simply unpayable, and many committed suicide.
    It seems that history is destined to repeat itself if checks and balances are not urgently established.

    OAIC asks Home Affairs to create 'information champ' role for overseeing FOI requests

    The Office of the Australian Information Commissioner (OAIC) has declared the Department of Home Affairs does not have adequate governance and systems of accountability in place to comply with statutory time frames for processing freedom of information (FOI) requests for non-personal information.
    Its findings were made following an investigation into the Peter Dutton-overseen department’s statutory processing periods specified under the Freedom of Information Act 1982.
    “Over the past four financial years, more than 50% of the FOI requests to Home Affairs for non-personal information were processed outside of the statutory processing period,” the OAIC said.
    Offering a handful of recommendations, the commissioner has suggested Home Affairs appoint an “information champion”.
    “Senior support, in the form of a senior information champion who is a member of the department’s executive with sufficient seniority, such as the chief operating officer, who may be supported by an information governance board, will play a key role in promoting FOI Act compliance within the department,” the OAIC says in its report [PDF].
    The OAIC has also recommended the creation of a manual, staff training, and compliance audits of performance moving forward.
    In compiling its report, the commissioner provided a timeline for the steps the department has taken up until the OAIC probe, such as implementing modern FOI handling technology capabilities.

    In 2017, Home Affairs launched an online form to assist applicants and a year later commenced use of HotDocs software for decision letters and other correspondence.
    “The department has become primarily digital, eliminating the creation of paper records and has been in the process of digitising incoming mail and existing paper records,” the report adds.
    In March 2020, the department published statistics on the General Skilled Migration program, which reduced the frequency of FOI requests for this information, and a month later it provided remote access to Adobe Pro software to members of the FOI Section, coinciding with stay-at-home orders in response to COVID-19 measures.
    In the same month, Home Affairs introduced FOI management dashboards to provide information on the status of FOI caseloads and individual requests and in May it provided temporary additional resourcing to process FOI requests for personal information.
    The OAIC said such steps have improved compliance with statutory processing requirements.
    Earlier this week, the OAIC ordered Home Affairs to cost up the amount owed for each individual and pay compensation for “mistakenly” releasing the personal information of 9,251 asylum seekers.
    It was determined the former Department of Immigration and Border Protection at the time had “interfered” with the privacy of these individuals by accidentally publishing their full names, nationalities, locations, arrival dates, and boat arrival information on its website in 2014.
    Following the publishing of their personal information, the asylum seekers launched legal action against the department. The asylum seekers in New South Wales, Western Australia, and the Northern Territory claimed the breach exposed them to persecution from authorities in their home countries.
    A total of 1,297 applications were lodged as part of the legal case requesting that compensation be paid because those affected suffered loss or damage due to the data breach.
    The commissioner said the compensation to be paid to participating class members would range from AU$500 to more than $20,000 and would be determined on a case-by-case basis by the department.

    NSW taskforce wants Australia-wide cyber standards harmony

    The NSW Cyber Security Standards Harmonisation Taskforce has handed down a set of recommendations asking industry and government to consider moving towards a harmonised approach to cybersecurity standards.
    The recommendations made in the taskforce’s report [PDF] cover seven themes: Cloud as a “digital backbone”, defence, education, the energy sector, financial services, health, and telecommunications and the Internet of Things (IoT).
    When moving workloads to the cloud, the taskforce wants ISO or IEC standards followed as baseline requirements for information security, protective security, and supply chain security and risk management.
    With the Australian Signals Directorate announcing in March it would be shuttering the current form of its cloud certification program, the taskforce has suggested that Australian governments, in relation to any new proposed cloud security requirements for services up to and including protected level, should consider a combination of compliance with ISO/IEC 27001, SOC 2, and potentially FedRAMP as part of a uniform security baseline.
    It also wants Standards Australia to work with government and industry to develop material, such as a handbook, on how to adopt globally recognised standards.
    In addition, the taskforce is asking for an education sector-specific set of standards to be developed to ensure current risk management procedures are up to date.

    Likewise, it’s recommending the development of material that clearly communicates any business benefits around the adoption and use of standards to improve cybersecurity posture in the energy sector. This includes ensuring boards and executives understand the severity of weak systems.
    “This should include in relation to managing their legal obligations (for example, the Corporations Act, as well as energy-specific statutes) and the information should be rendered as clearly as possible,” the report said.
    Building on the finance sector’s Consumer Data Right obligations, the taskforce has suggested creating a new set of ISO standards that cover all of the sector’s regulatory requirements.
    The health sector, meanwhile, should take a look at global peers and ensure that any future guidance on cloud that they develop or mandate, as foreshadowed by proposed critical infrastructure reforms, takes a maturity-based approach, which factors into consideration entity size in relation to risk profile.
    “Australian governments … should explore the provision of additional support for market entrants to improve access to certification or standards advisory services in strategic areas, such as cyber readiness for Medtech, to support export growth,” the taskforce recommended.
    “This might take the form of targeted vouchers or grants, or supported advisory programs. This support could be supported by a formalised assessment process that also takes into account expected return on investment.”
    The taskforce has also asked the Australian government to consider convening a multi-stakeholder IoT Working Party. It said Australian governments, in creating new digital policy documents and/or directives, should require agencies to explicitly address cybersecurity, including recognised standards, in development and later adoption.
    “This might, for example, be prior to Cabinet or expenditure review committee consideration,” it added.
    Stood up in June, the NSW Cyber Security Standards Harmonisation Taskforce was charged with addressing the risks posed by cyberspace, such as theft of an organisation’s intellectual property or the disclosure of sensitive information. To address such risks, the taskforce has been working towards the adoption and use of common standards.
    The taskforce is a joint effort between the NSW government, Standards Australia, and AustCyber, the non-profit organisation charged with growing a local cybersecurity ecosystem and facilitating its global expansion.
    While the taskforce was initiated by a state government minister, AustCyber CEO Michelle Price said she encourages industry and all levels of governments across the country to review and implement the recommendations outlined in the report.
    “Ultimately, a globally competitive Australian cybersecurity sector will underpin the future success of every industry in the national economy,” she wrote in her foreword. “Together, let’s foster innovation and generate increased investment and jobs through the creation and commercialisation of cybersecurity products and services, utilising agreed standards to build a more secure Australia.”

    Apple CEO sounds warning of algorithms pushing society towards catastrophe

    Apple CEO Tim Cook has said it is time to face the consequences of having algorithms push users towards more engagement at any cost.
    Speaking at the Computers, Privacy, and Data Protection conference on Thursday, Cook said too many companies are asking what they can get away with, rather than what happens if they follow through on boosting metrics.
    “At a moment of rampant disinformation and conspiracy theories juiced by algorithms, we can no longer turn a blind eye to a theory of technology that says all engagement is good engagement — the longer the better — and all with the goal of collecting as much data as possible,” he said.
    “What are the consequences of seeing thousands of users join extremist groups, and then perpetuating an algorithm that recommends even more?”
    Cook touched on the recent US Capitol riots in Washington, saying the time was over to pretend there are no costs to boosting conspiracy theories and incitements to violence simply because users get engaged.
    “It is long past time to stop pretending that this approach doesn’t come with a cost — of polarisation, of lost trust and, yes, of violence,” he said.
    “A social dilemma cannot be allowed to become a social catastrophe.”

    The Apple CEO said his company might be naive, but the tech giant believes the best measure of technology is how it improves lives.
    “Will the future belong to the innovations that make our lives better, more fulfilled and more human?” Cook queried.
    “Or will it belong to those tools that prize our attention to the exclusion of everything else, compounding our fears and aggregating extremism, to serve ever-more-invasively-targeted ads over all other ambitions?”
    Earlier on Thursday, Apple released a report that took a swipe at the ad industry and pointed out that apps, on average, have six trackers from other companies that “have the sole purpose of collecting and tracking people and their personal information”, and the industry collects $227 billion in revenue each year.
    Apple will soon roll out its App Tracking Transparency measures which will prompt users when apps want to access advertising identifiers on Apple’s operating systems. Google said this week it is still working out how to handle this change.
    “We are working hard to understand and comply with Apple’s guidelines for all of our apps in the App Store,” the search giant said.

    Google researcher discovers new iOS security system

    With the release of iOS 14 last fall, Apple has added a new security system to iPhones and iPads to protect users against attacks carried out via the iMessage instant messaging client.
    Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software.
    Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system.
    While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.
    Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can’t interact with or harm the underlying operating system, or retrieve user data.

    The need for a service like BlastDoor had become obvious after several security researchers had pointed out in the past that the iMessage service was doing a poor job of sanitizing incoming user data.
    Over the past three years, there had been multiple instances where security researchers or real-world attackers found iMessage remote code execution (RCE) bugs and abused these issues to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone’s device.

    Don’t forget to see my #BHUSA talk on iMessage remotes! Tomorrow 2:40pm in Lagoon GHI
    — Natalie Silvanovich (@natashenka) August 6, 2019

    The latest of these attacks took place last year, over the summer, and were detailed in a report from Citizen Lab named “The Great iPwn,” which described a hacking campaign that targeted Al Jazeera staffers and journalists.
    Groß said he was drawn to investigating iOS 14’s internals after reading in the Citizen Lab report that the attackers’ zero-days stopped working after the launch of iOS 14, which apparently included improved security defenses.
    After probing around in the iOS 14 inner workings for a week, Groß said he believes that Apple finally listened to the security research community and improved iMessage’s handling of incoming content by adding the BlastDoor sandbox to iMessage’s source code.
    “Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß said in a blog post today.
    “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.”

    Hezbollah's cyber unit hacked into telecoms and ISPs

    A Hezbollah-affiliated threat actor known as Lebanese Cedar has been linked to intrusions at telco operators and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE.

    The year-long hacking campaign started in early 2020 and was discovered by Israeli cyber-security firm Clearsky.
    In a report published today, the security firm said it identified at least 250 web servers that have been hacked by the Lebanese Cedar group.
    “It seems that the attacks aimed to gather intelligence and steal the company’s databases, containing sensitive data,” ClearSky said today.
    “In case of telecommunication companies, one can assume that databases containing call records and private data of clients were accessed as well,” the company added.
    Attacks targeted outdated Atlassian and Oracle servers
    Clearsky researchers said the attacks followed a simple pattern. Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, after which they deployed exploits to gain access to the server and install a web shell for future access.
    The Hezbollah-linked group then used these web shells for attacks on a company’s internal network, from where they exfiltrated private documents.
    For their attacks on internet-facing servers, Clearsky said the hackers used vulnerabilities such as:
    CVE-2019-3396 in Atlassian Confluence
    CVE-2019-11581 in Atlassian Jira
    CVE-2012-3152 in Oracle Fusion
    Once they gained access to these systems, the attackers deployed web shells, such as ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source tool named JSP file browser (which can also function as a web shell).
    On internal networks, the attackers deployed a more powerful tool named the Explosive remote access trojan (RAT), a tool specialized in data exfiltration and which they also used in the past.
    Clearsky said they were able to link the attacks to Hezbollah’s cyber unit because Explosive RAT was a tool that was until now exclusively used by the Lebanese Cedar group.
    Some victim names made public
    Furthermore, researchers also said that attackers made mistakes in their operation and often reused files between intrusions. This allowed Clearsky to track the attacks across the globe and link them to the group.
    “The operation enabled us to fingerprint the targets of [the] Lebanese Cedar APT and categorize them based on sector and country of origin,” Clearsky said. “We identified 254 infected servers worldwide, 135 of them shared the same hash as the files we identified in [a] victim’ network during our [incident response] investigation.”
    Based on these scans, Clearsky published a list of some of the group’s better-known victims, including the likes of Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia, and Frontier Communications in the US.
    For indicators of compromise and more technical details about the attacks, the ClearSky Lebanese Cedar report’s PDF contains additional data.

    DDoS attacks: Big rise in threats to overload business networks

    Cyber attacks where criminals threaten to overload a target’s network with Distributed Denial of Service (DDoS) attacks unless they’re paid off have more than doubled over the last year.
    Analysis of cyber threats and criminal activity by security researchers at Neustar found that the number of ransom-related DDoS attacks (RDDoS) grew by 154 percent between 2019 and 2020. Financial services, telecommunications and government agencies are some of the sectors most targeted by the attackers.
    One of the reasons ransom-related DDoS attacks are increasing in popularity is because they’re relatively simple to carry out, even for low-level cyber criminals.
    Rather than having to rely on ransomware or other malware to hold a network hostage, DDoS attackers merely threaten their victims with the prospect of DDoS if the payment – usually demanded in bitcoin – isn’t received within a deadline. Criminals will often present a taster of what could come with a short-lived DDoS attack in an effort to coerce the victim into paying.
    All the RDDoS attacker needs is a botnet to overload the target systems with traffic – something which can be hired on underground forums for a relatively low cost – and the ability to threaten organisations with the prospect of an attack over email.
    Some criminals behind DDoS ransom attacks will pretend to be notorious hacking groups such as Fancy Bear or other nation-state linked operations in their ransom notes in an effort to scare the victim into paying up – and many organisations do pay, through fear of being taken offline, even though there are many ways to mitigate such attacks.

    However, despite the threat of being knocked offline, organisations are urged not to give in to the demands of cyber criminals, so as not to encourage a further rise in ransom DDoS attacks.
    “Organisations should avoid paying these ransoms. Instead, any attack should be reported to the nearest law enforcement field office, as the information may help identify the attackers and ultimately hold them accountable,” said Michael Kaczmarek, Vice President of Security Product Management at Neustar.
    “Beyond this, organisations can prepare by setting up a robust DDoS mitigation strategy, including assessing the risks, evaluating available solutions, considering mitigation strategies and keeping their plan and provider up to date.”