More stories

  •

    Technology could make fighting COVID less restrictive but privacy will take a hit

    Now that the world has completed a full circuit around the Sun with COVID as a passenger, it is possible to see which jurisdictions responded well, and which are still struggling to come to grips with the virus.

    Two of the nations held up as exemplars of how to fight COVID were Taiwan and New Zealand, but the approaches were very different: one has locked down parts of its population multiple times, and the other, with more experience of respiratory viruses, has avoided such approaches. A recent academic paper published in the Journal of the Royal Society of New Zealand examined the two nations and raised a number of questions that deserve to be considered in light of a year of lockdowns, contact tracing, outbreaks, and other restrictions on the movement of people. The central push of the paper is that because New Zealand has kept individual privacy as a paramount concern, this has led directly to the use of city or nationwide lockdowns, which it labels a blunt instrument. “An approach not much more advanced than techniques to mitigate the Spanish Flu pandemic over a century ago,” the paper states. By contrast, the paper contends that Taiwan was more successful because it embraced technology, particularly big data analysis, and was able to prepare the population, following SARS and MERS, so it could use such tactics for the coronavirus pandemic. “This new strategy aimed to link real-time medical information, location [from cell towers], and contact data of infected individuals (confirmed or suspected) to assist curbing the spread of future diseases,” the paper states.

    When someone entered Taiwan, an “electronic digital fence” system that monitored the person’s cell phone location was used to let people quarantine at home rather than in a hotel quarantine system. “If a person in quarantine left their home, or their phone died and thus stopped transmitting a signal, local police and health or civil affairs agencies would be notified,” the paper said. “This system was complemented by random health-checks, community policing and phone calls from health officials and public authorities to ensure compliance. Individuals who did not have a cell phone capable of sharing location data were provided with one at the border.”

    The system allowed people a degree of autonomy during quarantine, the paper said, at the cost of having their location tracked by the government. This system sounds particularly attractive to someone living in a country that has seen secondary lockdowns put in place, sometimes lasting 112 days, after breaches in hotel quarantine. The retort that mobile phone location tracking is an imposition holds little water when, under current systems, people are locked in a hotel room for 14 days precisely so that the authorities know exactly where they are.

    While Taiwan has legislation in place that lets it combine disparate datasets for the purpose of fighting a health emergency, New Zealand health authorities have “less freedom” in that respect and the nation’s Privacy Act reigns supreme. This has led NZ to rely on an opt-in model for its QR code and Bluetooth-driven COVID Tracer app. And while the app has 3 million downloads in a country of 5 million people, that does not mean it is being used. Last month, on the other side of the Tasman, the Australian Digital Transformation Agency revealed that it had spent AU$6.7 million on a similarly opt-in app that has found only 17 cases and currently costs AU$100,000 a month to keep running.


    If there is one thing the past year has shown, it is that expecting a population to install and use an opt-in contact-tracing app is misplaced. “The reliance upon opt-in models and a consent model of privacy will not resolve many of the limitations found in the current New Zealand approach, as evidenced by the COVID-19 response,” the paper argues. “In fact, there are few, if any, examples globally where such models have been able to provide the level of accuracy found in Taiwan where the benefits have been seen in less strict (but nevertheless long term) social distancing rules and improved freedom of movement and association at the expense of aspects of personal privacy.”

    The paper contrasted the approaches when each nation faced an outbreak. After a visit from the Diamond Princess, which would end up being quarantined in Yokohama, Taiwan pulled together payment information, positioning data of shuttle buses from the ship, and CCTV footage to identify residents who might have been in contact with infected cruise ship passengers. “The data collated was then compared with the data of Taiwanese residents who had carried a mobile phone within 500 metres of the possibly infected individuals,” the paper states. “If they had been in these locations for more than five minutes they were classified as people possibly infected by the passengers of the cruise ship.”

    Meanwhile, in New Zealand in August, after 100 days without the virus in the nation, the virus escaped. “NZ was reliant on manual contact tracing efforts, and potentially the COVID Tracer app (although reports suggest that it was only used in a few cases) and then had to turn to the blunt instrument of a lockdown when the contact tracing system could not keep up,” the paper said. “This lockdown was effective, but at great cost economically (and to civil liberties). Taiwan’s greater use of personal information and data sharing appears to have allowed for COVID-19 to be contained with less disruption than experienced in New Zealand, using more ‘traditional’ mechanisms.”

    In the months since this column raised the privacy dilemma at the heart of living with COVID, most of Australia’s capital cities have seen lockdowns of various lengths, sometimes lasting only a handful of days when case numbers did not rise, and often accompanied by states other than New South Wales throwing up hard borders at a moment’s notice. Travelling interstate has become a gambling-style decision that Australians think about, and how to get back home quickly is a question that demands consideration. As the paper highlights, there is another approach that authorities need to consider. The Taiwanese approach is particularly draconian on the individual privacy front, and while it would fail to get off the mark in an American context, it might be useful in the Australian one, for instance. Thanks to a combination of authoritarian inclinations and political cowardice, Australia already has a store of the location of every resident for two years, and the general public doesn’t seem to care about the privacy imposition. Given that access to that store has not been used primarily for severe crimes like terrorism, unlike the sales pitch and promises it arrived with, why not use the data retention system to enhance and speed up the response to COVID outbreaks? If the privacy of Australians is already under the pump, we might as well get some public good from it. The balance between privacy and emergency measures will be different for everyone. There is too much culture, history, and acceptance of things in one place that are unacceptable in others.

    But after more than a year, the least each nation can do is look to improve how it responds to the virus, rather than dealing with the same situation with the same playbook we walked into early 2020 with. As vaccine deployments progress, the end of the pandemic could be near, but as Taiwan has shown, the time we have could be used to prepare for the next emergency, and to discuss what works for our societies.

    ZDNET’S MONDAY MORNING OPENER: The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.
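    The 500-metre, five-minute rule the paper describes for the Diamond Princess contact search is a simple proximity-and-dwell classifier. The following is an added illustration of that rule, not code from the paper or from Taiwan's CDC: it compares one-minute location pings of an index case against other devices, counts the minutes each device spent within 500 m, and flags those over five minutes. The pings, coordinates and device names are constructed, the one-ping-per-minute bucketing and the choice to count total rather than contiguous minutes are assumptions the paper does not settle, and the real system worked from cell-tower rather than GPS positions.

```python
"""Proximity-and-dwell contact matching: flag devices that were within RADIUS_M of an
index case for more than DWELL_MIN minutes.  Added illustration; every ping below is
constructed, not real location data."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

RADIUS_M = 500          # "within 500 metres" threshold quoted from the paper
DWELL_MIN = 5           # "more than five minutes" threshold quoted from the paper
EARTH_RADIUS_M = 6_371_000


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def parse_pings(lines):
    """Parse 'device,ISO-timestamp,lat,lon' lines into {device: {minute: (lat, lon)}}.
    Timestamps are bucketed to the minute (assumption) so different devices line up."""
    pings = defaultdict(dict)
    for line in lines:
        device, ts, lat, lon = line.strip().split(",")
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        pings[device][minute] = (float(lat), float(lon))
    return pings


def find_contacts(pings, index_device, radius_m=RADIUS_M, dwell_min=DWELL_MIN):
    """Return {device: minutes_in_range} for devices that spent more than dwell_min
    minutes within radius_m of index_device.  Minutes are counted in total rather than
    only contiguously: an assumption, since the paper does not say which."""
    index = pings[index_device]
    contacts = {}
    for device, track in pings.items():
        if device == index_device:
            continue
        minutes = sum(
            1 for minute, (lat, lon) in track.items()
            if minute in index and haversine_m(lat, lon, *index[minute]) <= radius_m
        )
        if minutes > dwell_min:
            contacts[device] = minutes
    return contacts


def make_track(device, start, positions):
    """Constructed sample data: one ping per minute at the listed (lat, lon) positions."""
    return [f"{device},{(start + timedelta(minutes=i)).isoformat()},{lat},{lon}"
            for i, (lat, lon) in enumerate(positions)]


START = datetime(2020, 1, 31, 10, 0)
NEAR, FAR = (25.0339, 121.5645), (25.1000, 121.6000)     # roughly 8 km apart

SAMPLE_LINES = (
    make_track("passenger-1", START, [NEAR] * 10)                # the index case
    + make_track("resident-a", START, [NEAR] * 8 + [FAR] * 2)    # 8 min in range: contact
    + make_track("resident-b", START, [NEAR] * 3 + [FAR] * 7)    # only 3 min: not a contact
    + make_track("resident-c", START, [FAR] * 10)                # never close
)


def demo():
    return find_contacts(parse_pings(SAMPLE_LINES), "passenger-1")


if __name__ == "__main__":
    print(demo())
```

    The classifier is deliberately coarse: it is as accurate as the positions fed to it, and cell-tower positioning is far coarser than 500 m, which is one reason the paper's "possibly infected" label is a trigger for follow-up rather than a diagnosis.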

  •

    Facebook data on 533 million users posted online

    Data on 533 million Facebook users, including phone numbers, Facebook IDs, full names, birth dates and other information, has been posted online. The data dump was tweeted by Alon Gal, CTO of security firm Hudson Rock. Gal posted a list of affected users by country; according to his list, the US had 32.3 million affected users and the UK had 11.5 million. The data was previously accessible via a Telegram bot. Other data points in the posting included gender, location and job status. Catalin Cimpanu, at The Record, also reported that he had reviewed samples of the leaked data. The data is reportedly broken up into download packages by country. With the Facebook data now public, it is safe to expect it to be used for cybercrime.

  •

    VPNs, two-factor-authentication and more: Keeping your data safe from hackers while working from home

    Organisations have had to adapt quickly to the realities of staff working remotely, and that has come with a number of challenges, particularly surrounding cybersecurity. Businesses that previously relied on employees using work-issued computers and being protected behind a corporate firewall have had to deal with staff using their personal devices and their home internet connection.

    And with indications that many organisations believe that, post-pandemic, we will see a switch to a hybrid model with a balance between working at the office and working from home, it’s important that employees are equipped with the right training and tools to keep business data and networks secure against cyberattacks.

    Account hijacking is one of the most common means for cyber criminals to gain access to corporate networks. These attacks can involve phishing emails that attempt to trick victims into handing over their username and password, providing criminals with login credentials they can use to gain access to accounts and the wider network. But sometimes there isn’t even the need for attackers to use phishing emails, with brute-force attacks enough to breach accounts. These attacks involve the automated submission of common or simple passwords against accounts, in the hope that accounts are secured with common, weak passwords that are easily breached. People are often told that they should secure their accounts with long, complex passwords, but those can be difficult to remember, especially if people have many accounts. That can lead to password re-use, the use of simple passwords, or both.

    “Human beings can’t remember more than four to five passwords, we get cognitive overload. That’s the way our brains are wired, it is difficult for us to remember passwords, so we can’t just keep loading on different passwords that are increasingly complex and expect people to remember them,” says Daisy McCartney, cybersecurity culture and behaviour lead at PwC UK. So while telling people to use lengthy, complex passwords is good cybersecurity practice, it’s just not possible for people to remember many different passwords for many different accounts, and that leads to weak passwords that cyber attackers can exploit.

    One answer to this is for organisations to issue employees with a password manager: software that stores passwords for users, allowing them to use a different complex password for every account without needing to remember each one when they log in. Another tool that can be used to keep the corporate accounts of remote workers secure is two-factor authentication. This requires additional verification to log into an account, commonly in the form of an alert on an app: it pops up when there’s an attempt to log into the account, and the user gains access after confirming the login attempt was legitimate.

    Two-factor authentication provides an extra layer of defence for accounts, and their users, because it prevents cyber attackers from gaining access even if they’ve hacked or stolen the correct credentials: they also need access to the second element of the authentication. Microsoft has said that multi-factor authentication blocks 99.9% of automated account-compromise attacks, so all businesses with remote (and non-remote) workers should apply it for additional protection.

    One of the big changes the move towards remote working has brought about is removing employees from the protection of the corporate firewall.
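    The app-based alert described above is one form of second factor; the other common one is a time-based one-time code (TOTP, RFC 6238), which the authenticator app derives from a shared secret and the current time. The following added example, not code from the article or from any product it mentions, shows the server side of such a check and why a stolen password alone is not enough: the code is only computable with the secret held on the user's device, a small clock-drift window is tolerated, and a code that has already been accepted is refused if replayed. The secret and timestamps are constructed test values; the last assertion in the accompanying check uses the RFC 6238 test vector.

```python
"""Time-based one-time password (TOTP, RFC 6238) verification with a drift window and
replay rejection.  Added illustration, not code from the article; the secret and
timestamps below are constructed test values."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30       # period used by common authenticator apps
DIGITS = 6


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Compute the TOTP code for the time step containing unix_time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)           # 8-byte big-endian step count
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactor:
    """Server-side second factor for one user.  A stolen password is useless without the
    device holding `secret`, and a captured code is useless once it has been used."""

    def __init__(self, secret_b32, skew_steps=1):
        self.secret = secret_b32
        self.skew_steps = skew_steps        # tolerate +/- one step of clock drift
        self.last_step_used = -1            # highest time step already consumed
        self.last_code = None               # last code accepted, to refuse exact replays

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        if self.last_code is not None and hmac.compare_digest(self.last_code, code):
            return False                    # exact replay of the last accepted code
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_step_used:
                continue                    # step already consumed: no second use
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step_used = step
                self.last_code = code
                return True
        return False


SECRET = "JBSWY3DPEHPK3PXP"                 # constructed base32 shared secret
T0 = 56_666_667 * STEP_SECONDS              # constructed time, at the start of a step


def demo():
    """Fresh code accepted despite one step of drift; replay and a guess rejected."""
    mfa = SecondFactor(SECRET)
    code = totp(SECRET, T0)                                   # what the user's app shows at T0
    fresh = mfa.verify(code, now=T0 + 40)                     # 40 s later: still inside the window
    replay = mfa.verify(code, now=T0 + 45)                    # same code again: refused
    window = {totp(SECRET, (T0 // STEP_SECONDS + k) * STEP_SECONDS) for k in (-1, 0, 1, 2)}
    guess = next(c for c in ("000000", "111111", "222222") if c not in window)
    wrong = mfa.verify(guess, now=T0 + 45)                    # attacker's guess: refused
    return fresh, replay, wrong


if __name__ == "__main__":
    print(demo())
```

    Two details matter in practice: the comparison must be constant-time, since a six-digit code is small enough to brute-force if timing leaks partial matches, and the server should also rate-limit verification attempts, which this illustration leaves to the caller.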
    Working from inside the office provides people with anti-virus and other protections that can help to filter out some attacks. Now, instead, many people are working from their own computer in their homes, where they may not have anti-virus at all, and their home router won’t provide a robust defence against attackers like a corporate firewall would. Criminals know this and are looking to take advantage with cyberattacks, especially when people, rushed off their feet while balancing working from home with the rest of their life, might unintentionally click on a phishing link or respond to a request that appears to come from a colleague but is actually from a cyber criminal.

    “Humans are ultimately fallible. Unfortunately it’s the organic matter behind the keyboard, which is often the vulnerable part of the loop,” says Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security.

    A VPN, short for Virtual Private Network, encrypts the connection between the remote device and the corporate network, to the extent that even the employee’s ISP can’t see what websites are visited or what data is sent. It is not a firewall in itself, but while it is active a corporate VPN puts the employee’s traffic back behind the corporate firewall and its filtering. By providing remote workers with access to a corporate VPN, not only does an organisation keep data and communications confidential in transit, it can also configure the VPN so that potentially dangerous activity, such as visiting phishing pages and other malicious websites, is blocked. But it isn’t fair to put all of the responsibility for staying secure on employees.
    Enterprise IT and information security departments must continue to play a role in helping the organisation stay safe. For example, if an employee is suddenly logging in from a strange location or at a strange time and is then attempting to access parts of the network that usually aren’t of interest to them, that could indicate suspicious activity that needs to be investigated or blocked. “We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong,” says Hunt.

    For many people, the last year was the first time they’d had to work from home, and it hasn’t been an easy transition, especially when it happened so quickly, under the pressures of a global pandemic. “Navigating this really complex topic can be quite scary for people, we need to help them not feel so fearful about it,” says McCartney.

    There are also other steps that businesses can take to protect their data. They can make sure that data is encrypted on laptops or other devices so that, if they are lost or stolen, the information is not accessible. On laptops this may simply be a case of enabling disk encryption; on smartphones it may be a case of introducing some form of mobile device-management software to protect the whole device or the business data on a personal device. Getting staff to use cloud services to store data may be more secure than using USB devices, which can be an easy route for delivering malware to laptops. Without the right tools and training, employees may not be confident about keeping secure, but with the right help and support from an employer, it’s possible to adapt to remote work while also keeping safe from cyber threats.
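    The "strange location, strange time, unusual resource" signal described above is a baseline-deviation check, and it is simple enough to show end to end. The following is an added example, not code from the article or from any product: it builds a per-user profile (countries, login hours, resources) from a history of authentication events and then scores new events against it. The log format (timestamp, user, source country, resource) and every line in it are constructed; a real deployment would feed it from a SIEM or identity provider, use far more history than six lines, and handle the midnight wrap-around that the hour comparison here ignores.

```python
"""Flag remote logins that break a user's own baseline: a new source country, an
unusual hour, or a resource the user has never accessed.  Added example; the log
lines are constructed and the four-field format is an assumption, not a real product's."""
from collections import defaultdict
from datetime import datetime

# Constructed history used to build the baseline: timestamp,user,country,resource
HISTORY = """\
2021-03-01T09:12:00,alice,GB,hr-portal
2021-03-02T08:55:00,alice,GB,hr-portal
2021-03-03T09:30:00,alice,GB,mail
2021-03-01T14:05:00,bob,GB,git
2021-03-02T15:40:00,bob,DE,git
2021-03-03T13:10:00,bob,GB,ci
""".splitlines()

# Constructed new events to score against that baseline
NEW_EVENTS = """\
2021-03-08T09:05:00,alice,GB,mail
2021-03-08T03:12:00,alice,RU,finance-db
2021-03-08T14:30:00,bob,DE,git
2021-03-08T14:35:00,bob,GB,finance-db
""".splitlines()


def parse(line):
    ts, user, country, resource = line.split(",")
    return datetime.fromisoformat(ts), user, country, resource


def build_baseline(lines):
    """Per-user sets of countries, login hours and resources seen in the history."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    for line in lines:
        ts, user, country, resource = parse(line)
        base[user]["countries"].add(country)
        base[user]["hours"].add(ts.hour)
        base[user]["resources"].add(resource)
    return base


def score_event(line, baseline, hour_slack=1):
    """Return the list of baseline deviations for one login (empty list = nothing odd).
    hour_slack widens the usual-hours check by +/- that many hours; no midnight wrap."""
    ts, user, country, resource = parse(line)
    profile = baseline.get(user)
    if profile is None:
        return ["no history for user"]
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    if not any(abs(ts.hour - h) <= hour_slack for h in profile["hours"]):
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    if resource not in profile["resources"]:
        reasons.append(f"first access to {resource}")
    return reasons


def triage(history, events):
    """Map each flagged event line to its reasons; unflagged events are omitted."""
    baseline = build_baseline(history)
    flagged = {}
    for line in events:
        reasons = score_event(line, baseline)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(HISTORY, NEW_EVENTS).items():
        print(line, "->", "; ".join(reasons))
```

    Each reason is weak on its own (bob's first visit to finance-db may be a legitimate new task), which is why the article pairs the signal with investigation rather than automatic blocking; the combination of all three on alice's 03:12 login from a new country is what makes it worth an immediate call.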

  •

    This is where the iPhone hands down beats Android

    Sit me down and ask me to tell you what I think is wrong with the iPhone, and I’ll rattle off a long list. A really long list.

    But there’s one thing that Apple has that’s spot on — and that’s delivering patches to older handsets. A very serious vulnerability was discovered recently that affected the iPhone and iPad (along with the Apple Watch and iPod touch). Apple quickly pushed out a patch, not only for the current iOS 14 release, but also for older devices stuck on iOS 12. Devices getting the update include the iPhone 5s, iPad Air, and iPod touch (6th generation). That’s support going back to September 2013. Devices stuck on iOS 12 have seen a number of updates over the past year, including security updates and also the framework for COVID-19 exposure notifications.

    And that’s very impressive. Apple did not update iOS 13 because all devices running that version are able to update to iOS 14 (iPhone 6s and later). However, if I have one complaint here, it is that I wish Apple had released a specific patch for iOS 13 users (as it did with iOS 13.7 in order to bring COVID-19 exposure notifications to the platform). According to Apple, some 12% of devices in use run iOS 13, with another 8% running iOS 12 or earlier. If you’re running iOS 13, I strongly recommend updating: running an unsupported platform carries real risk, especially if you keep important data on the device or use it for financial transactions.


  •

    Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies

    The Cybersecurity and Infrastructure Security Agency (CISA) has instructed US government agencies with on-premises Exchange systems to run Microsoft malware scanners and report results by April 5. CISA issued supplementary direction to its “ED 21-02” directive; the new request applies to any federal agency that had an Exchange server connected directly or indirectly to the internet at any point since January 1, 2021.


    The move follows the discovery of software flaws in on-premises versions of Microsoft Exchange Server being exploited by attackers. Exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

    The new CISA orders are aimed at ensuring agencies use newly developed Microsoft tools to identify any compromises that remain undetected. They need to be followed even if all steps in the earlier directive were completed. “Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening,” CISA says in the supplement. “By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template,” it notes.

    The Microsoft scanner can use up a lot of a server’s processing capacity, so CISA recommends running the scan during off-peak hours. The other tool agencies are instructed to run is the Test-ProxyLogon.ps1 script, which Microsoft released in mid-March. The script can be run as administrator to check Exchange and IIS logs for signs of attacker activity, such as files written to the server and the presence of web shell scripts used for persistence. “This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065,” CISA explains.

    CISA also issued hardening instructions for Exchange servers, including applying software updates, ensuring that only a supported version of Exchange is being used, and reviewing permissions and roles. The hardening requirements need to be complete by Monday, June 28, 2021. “Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors,” CISA warns. Agencies need to “enumerate accounts and groups that are leveraged by Exchange installations and review their permissions and roles.” They will also need to “review membership in highly privileged groups such as Administrators, Remote Desktop Users, and Enterprise Admins” and “review sensitive roles such as Mailbox Import Export and Organization Management (e.g. using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell).” Agencies must “ensure that no account on an Exchange server is a member of the Domain Admin group in Active Directory”. Finally, they must prevent the accounts that manage on-premises Exchange from having administrative permissions in any Microsoft Office 365 environment.

  •

    Hacked companies had backup plans. But they didn't print them out before the attack.

    Boardrooms still aren’t taking cybersecurity seriously, leaving organisations vulnerable to cyberattacks, with executives only paying attention after things have gone bad, according to the new National Cyber Security Centre (NCSC) boss Lindy Cameron. “I think in terms of what we want organisations to learn, it is that this is the kind of threat they need to think about. This is the kind of thing that should be as much a regular feature in risk conversations in board rooms as legal risk or financial risk – the CEO sees the CISO as often as they see the financial director,” Cameron said. She said it should not be simply a technical conversation with the IT department, but the kind of conversation that’s held in the boardroom itself. “I want organisations to learn how serious the impact can be when this goes wrong,” Cameron said. And even if an organisation thinks it has a plan in place, things can still go wrong if some basic elements aren’t taken care of.

    “I’ve talked to organisations which have walked in on Monday mornings to find they can’t turn on their computers or phones, the backup plan was not printed out so they couldn’t find a phone number,” Cameron said. Organisations that fall victim to a cyberattack will often use it to re-prioritise their security strategy. “There’s no doubt that organisations that have experienced that have a much more visceral sense of what it feels like to experience a ransomware attack or cyberattack, and therefore they’re prepared better for that,” Cameron added.

    The NCSC offers tools like Exercise-in-a-Box and cybersecurity guidance for boardrooms to help organisations think about cyberattacks. Exercise-in-a-Box, for example, allows organisations to test their network defences against realistic cyberattack scenarios and draw lessons on how to improve their security from that. Meanwhile, boardrooms should be involved when it comes to contingency planning against cyberattacks; they’re more likely to understand the potential threats if they’re discussed not as a technical problem but as a risk problem, in the same way they’d consider financial risk or legal risk. “It’s the same as any sensible contingency planning. It’s worth thinking through what’s the worst possible scenario, what’s the thing that could go wrong that you need to manage,” she added.

    That worst possible scenario depends on the organisation: it could be a data breach, it could be an interruption of services, or it could be disruption to cyber-physical systems. But the important thing is for organisations to think about the cyber risks out there and to have a plan to defend and mitigate against them. If that happens, hands-on aid from the likes of the NCSC won’t be necessary, because solid cybersecurity strategies are already in place. “Ideally, more and more instances are handled well and handled without additional help,” said Cameron.

  •

    DeepDotWeb dark web admin pleads guilty to gun, drug purchase kickbacks

    An administrator for the DeepDotWeb (DDW) portal has pleaded guilty to receiving kickbacks for connecting buyers and sellers of illegal goods in the dark web. 

    On Wednesday, the US Department of Justice (DoJ) said that Tal Prihar, a 37-year-old Israeli citizen living in Brazil, has admitted to operating DDW alongside co-owner Michael Phan since 2013. DDW, which was seized by law enforcement in 2019, was a portal for news and events surrounding the dark web. However, according to US prosecutors, the co-owners of the domain also received kickbacks for connecting buyers and sellers of illegal products. The DoJ claims that Phan and Prihar earned over $8 million for providing direct links to marketplaces selling products including firearms, heroin, fentanyl, malware, and stolen data record dumps. The referral links included listings for AlphaBay, Agora, Abraxas, Dream, and Valhalla. These websites are not indexed on the clear web or by typical search engines; DDW was one of a number of resources that provided lists of active underground marketplaces, together with their hidden addresses reachable via the Tor network. To hide the kickbacks, which totaled roughly 8,155 Bitcoins (BTC), Prihar laundered the funds through cryptocurrency wallets and bank accounts registered in the name of shell companies. Prihar has agreed to forfeit $8,414,173. The former website administrator has pleaded guilty to conspiracy to commit money laundering and faces a maximum penalty of 20 years behind bars.

    Sentencing is due to occur on August 2. Phan faces the same charge. “Tal Prihar served as a broker for illegal Darknet marketplaces — helping such marketplaces find customers for fentanyl, firearms, and other dangerous contraband — and profited from the illegal business that ensued,” commented Acting Assistant Attorney General Nicholas McQuaid of the DoJ’s Criminal Division. “This prosecution, seizure of the broker website, and forfeiture send a clear message that we are not only prosecuting the administrators of Darknet marketplaces offering illegal goods and services, but we will also bring to justice those that aim to facilitate and profit from them.” In September, US law enforcement, together with Europol and other agencies, launched a coordinated takedown of illegal dark web vendors leading to 179 arrests. Dubbed “DisrupTor,” the operation also included the seizure of over $6.5 million and approximately 500kg of drugs such as fentanyl, heroin, cocaine, and ecstasy.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  •

    Google: North Korean hackers are targeting researchers through fake offensive security firm

    A North Korean hacking group known to have targeted security researchers in the past has now upped its game through the creation of a fake offensive security firm. 

    The threat actors, believed to be state-sponsored and backed by North Korea’s ruling party, were first documented by Google’s Threat Analysis Group (TAG) in January 2021. Google TAG, specialists in tracking advanced persistent threat (APT) groups, said at the time that the North Korean cyberattackers had established a web of fake profiles across social media, including Twitter, Keybase, and LinkedIn. “In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google said. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.” When members of the group reached out to their targets, they would ask if their intended victim wanted to collaborate on cybersecurity research, before sending them a malicious Visual Studio project containing a backdoor. Alternatively, they might ask researchers to visit a blog laden with malicious code, including browser exploits.

    In an update posted on March 31, TAG’s Adam Weidemann said that the state-sponsored group has now changed tactics by creating a fake offensive security company, complete with new social media profiles and a branded website. The fake company, dubbed “SecuriElite,” was set up on March 17 as securielite[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments, and exploits.

    A link to a PGP public key has been added to the website. While publishing a PGP key is standard practice as an option for secure communication, the group has used such links in the past to lure targets onto a page where a browser-based exploit is waiting to deploy. In addition, the SecuriElite ‘team’ has been furnished with a fresh set of fake social media profiles. The threat actors are posing as fellow security researchers, recruiters for cybersecurity firms, and in one case the HR director of “Trend Macro”, not to be confused with the legitimate company Trend Micro.

    Google’s team linked the North Korean group with the use of an Internet Explorer zero-day back in January. The company believes it is likely they have access to more exploits and will continue to use them against legitimate security researchers. “We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google says. “At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.”