
  • in

    Four out of five companies say they've spotted this cyber-attack. Plenty still fall victim to it

    Two in five businesses have experienced a cyber attack over the course of the last year, with one particular threat by far the most commonly faced.

    And the rise in remote working, coupled with a slight drop in organisations using security monitoring tools to identify abnormal activity, could mean that the actual number of organisations which have fallen victim to cyber crime is higher. They just don’t know they’ve been compromised yet.

    The figures are detailed in the annual Cyber Security Breaches Survey from the Department for Digital, Culture, Media and Sport (DCMS), which shows how businesses approach cybersecurity and the impact of attacks.

    The 2021 report comes following a year where organisations had to quickly adapt to remote working, potentially heightening cyber risk as employees were no longer protected behind corporate firewalls, but were instead working from their own homes.

    Over 80 percent of organisations which identified cyber attacks during the last year were targeted by phishing emails, with cyber criminals using malicious messages in efforts to drop malware or coerce people into clicking on malicious links.

    Just over a quarter of organisations identified email attacks where attackers were impersonating people or businesses online – this could either be an attempt to steal credentials, or an attempt at Business Email Compromise, where cyber criminals try to trick employees into making large financial transfers, often under the pretence of an important business deal or contract.

    Email has long been a common means of conducting cyber attacks, but the shift towards remote work over the last year means people are more reliant on it for workplace collaboration. The report suggests that this could be why some businesses aren’t able to identify cyber attacks or data breaches.

    Just over one in twenty organisations say they’ve identified an attempted ransomware attack.

    While the majority of organisations which have identified a cyber attack have attempted to take action, including providing additional staff training, updating antivirus software, changing firewall configurations or installing other new software, just over a third didn’t take any action at all after detecting an incident.

    The report also notes that there’s been an increase in organisations which have taken out some form of cyber insurance in order to help cover the financial costs associated with cyber attacks.

    The report makes several recommendations to organisations in order to ensure their networks are secure and resilient to cyber attacks. These include protecting accounts with multi-factor authentication and boosting staff awareness around cybersecurity issues with training. The report also recommends that organisations take more action around supply chain risk management, so there’s greater protection against attacks which might attempt to exploit the supply chain as a means of network access.

    “It is important for organisations, management boards and IT teams to recognise that good cyber security facilitates better business resilience. This has not always been appreciated during the pandemic, when the focus on short-term business and IT service continuity has sometimes overshadowed discussions on cyber security,” said the report.

    “When emerging from the pandemic, there may be an opportunity for cyber security teams to reframe these discussions, to show that cyber security is an integral component of business resilience,” it concluded.

  • in

    Cloudflare launches Page Shield to thwart Magecart card skimming attacks

    Cloudflare has launched a new web security offering to prevent Magecart-style attacks. 

    Magecart is an umbrella term used to describe JavaScript-based, card-skimming attacks. Legitimate websites and e-commerce platforms containing vulnerabilities — such as in a back-end content management system (CMS) or third-party script dependencies — are exploited, JavaScript code is embedded in e-commerce-related pages, and then any payment card information submitted to these pages is harvested and sent to attackers.

    Countless companies have fallen, and continue to fall, prey to Magecart attacks. Past victims include British Airways, Ticketmaster, Newegg, and Boom! Mobile.

    “These attacks are challenging to detect because many application owners trust third-party JavaScript to function as intended,” Cloudflare says. “Because of this trust, third-party code is rarely audited by the application owner. In many cases, Magecart attacks have lasted months before detection.”

    To combat this issue, on Thursday, Cloudflare debuted Page Shield, a client-side security solution.

    The Script Monitor feature, included in Page Shield, checks third-party JavaScript dependencies and records any new additions over time.

    Script Monitor, currently in Beta and found under the Firewall section of customer dashboards, also adds a Content-Security-Policy-Report-Only header to content passing through Cloudflare’s network.

    When JavaScript attempts to execute, browsers will send reports back to the company, which are checked to see if there are any new changes — and then customers are alerted so they can “investigate and determine whether the change was expected,” Cloudflare says.

    The company is also working with cybersecurity partners to obtain Magecart JavaScript samples. Eventually, it is hoped that Page Shield will be accurate enough to alert clients when dependencies appear to be malicious.

    Business and Enterprise customers can now sign up to access the Page Shield closed beta.

    Earlier this week, the company introduced Cloudflare Browser Isolation, a zero-trust browser system for protecting the remote workforce — and the organizations they work for — from threats by creating a gap between active browsing sessions and end-devices.
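How a script monitor of the kind described above can work, as an added example that is not Cloudflare's code and not part of the original article: it reads browser CSP violation reports produced by a report-only policy and flags script sources that are not in a known baseline. The policy string, the `/csp-report` path, the hostnames and the report bodies are all constructed assumptions.

```javascript
// Added illustration; hostnames, paths and report bodies are constructed.
// With script-src 'none' in a Report-Only header nothing is blocked, but the
// browser reports every script it runs to the report-uri endpoint.
const REPORT_ONLY_HEADER =
  "Content-Security-Policy-Report-Only: script-src 'none'; report-uri /csp-report";

// Extract the script source from one report body (legacy report-uri JSON).
// Returns null for malformed bodies and for non-script violations.
function scriptSourceFromReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null; // malformed report: never trust client-supplied bodies
  }
  const report = parsed && parsed["csp-report"];
  if (!report || typeof report !== "object") return null;
  const directive = String(
    report["effective-directive"] || report["violated-directive"] || ""
  );
  if (!directive.startsWith("script-src")) return null;
  const page = String(report["document-uri"] || "");
  const blocked = String(report["blocked-uri"] || "");
  // Inline and eval'd code is reported as a keyword, not a URL.
  if (blocked === "inline" || blocked === "eval") return { page, source: blocked };
  try {
    const url = new URL(blocked);
    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
    // Drop query and fragment so cache-busting parameters do not look new.
    return { page, source: url.origin + url.pathname };
  } catch {
    return null;
  }
}

class ScriptMonitor {
  constructor(baseline = []) {
    this.known = new Map();
    for (const source of baseline) this.known.set(source, { firstSeen: null, count: 0 });
  }

  // Classify one report: "ignored", "known", or "new" (first sighting).
  ingest(body, seenAt) {
    const hit = scriptSourceFromReport(body);
    if (!hit) return { status: "ignored" };
    const entry = this.known.get(hit.source);
    if (entry) {
      entry.count += 1;
      return { status: "known", ...hit };
    }
    this.known.set(hit.source, { firstSeen: seenAt, count: 1 });
    return { status: "new", firstSeen: seenAt, ...hit };
  }
}

// Constructed sample reports for a hypothetical checkout page.
const SAMPLE_REPORTS = [
  { "document-uri": "https://shop.example/checkout", "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.example.net/jquery.min.js?v=3" },
  { "document-uri": "https://shop.example/checkout", "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.example.net/jquery.min.js?v=4" },
  { "document-uri": "https://shop.example/checkout", "effective-directive": "img-src",
    "blocked-uri": "https://images.example.net/logo.png" },
  { "document-uri": "https://shop.example/checkout", "violated-directive": "script-src 'none'",
    "blocked-uri": "https://stats-collector.example.org/c.js" },
  { "document-uri": "https://shop.example/checkout", "effective-directive": "script-src-elem",
    "blocked-uri": "inline" },
].map((r) => JSON.stringify({ "csp-report": r }));

// Run the sample through a monitor seeded with the one expected dependency
// and return the sources an owner would be asked to review.
function runSample() {
  const monitor = new ScriptMonitor(["https://cdn.example.net/jquery.min.js"]);
  const alerts = [];
  for (const body of [...SAMPLE_REPORTS, "not json"]) {
    const result = monitor.ingest(body, "2021-03-25T00:00:00Z");
    if (result.status === "new") alerts.push(result.source);
  }
  return alerts;
}

console.log(REPORT_ONLY_HEADER);
console.log(runSample());
```

A report only says that a script source is new; deciding whether the change was expected is still the review step the article describes.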

  • in

    Microsoft Teams now has its own bug bounties for researchers who can spot security flaws

    Microsoft Teams has become a core platform in the new ‘work from home’ era and, reflecting its growing importance, Microsoft has launched a bug bounty rewards program for researchers who find security flaws in desktop software. Microsoft is offering up to $30,000 to security researchers in its Teams bug bounty with “scenario-based awards for vulnerabilities” if they have a big impact on customer privacy and security. Rewards start at $6,000.


    The top reward reflects the growing importance of Microsoft Teams, which has 115 million daily active users.

    The bug bounty only applies to the Microsoft Teams desktop client, which is available for Windows 10, macOS and Linux. The bounty does not apply to the Teams app for desktop browsers or the native mobile apps for iOS and Android.

    The $30,000 reward is available for researchers who can clearly outline a remote code execution bug using native code in the context of the current user with no user interaction. Microsoft is also offering $15,000 for a bug that allows an attacker to obtain authentication credentials for other users, but phishing is excluded.

    It’s offering $10,000 for cross-site scripting (XSS) flaws or other remote code injection that allows an attacker to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with no user interaction. The same amount is available for researchers who can demonstrate a way to elevate privileges in a way that hops over the Windows and user boundary.

    The $6,000 reward is available for researchers who find an XSS or other “code injection resulting in ability to execute arbitrary scripts in the context of teams.microsoft.com or teams.live.com with minimal user interaction.”

    Microsoft is also offering general bounty awards for the Teams desktop app that fall outside the scenario-based awards, with rewards ramping up to $15,000.

    Teams in the browser continues to fall under the Online Services Bounty Program.

    Teams rival Zoom last year revamped its own bug bounty program with Luta Security.

  • in

    This company was hit by ransomware. Here's what they did next, and why they didn't pay up

    It started out as a normal Thursday for Tony Mendoza, senior IT director at Spectra Logic, a data storage company based in Boulder, Colorado. And then the ransomware attack began. “We got some notifications of some system failings and it quickly turned into a lot of unrelated systems failing, which is really abnormal,” says Mendoza. He realised that the company was under attack – and that its files were being encrypted.


    “When it hit, we ran to our server room and data centre and started pulling plugs out so it couldn’t propagate itself – which brought our entire infrastructure down,” he says.

    In total, three-quarters of the production environment was compromised with ransomware. The hackers left a ransom note demanding a payment of $3.6 million in bitcoin in exchange for the decryption key.

    “Figuring out what it was was fairly simple, because they tell you who they are, and they tell you where to send the money. It was NetWalker because it said so in the ransomware letter,” explains Mendoza.

    Another problem: the attack came in May 2020, when many employees had just started to work remotely because of the COVID-19 outbreak, so there was no way of easily communicating what was going on outside the building.

    Despite that, the IT team had to assess the damage that had been done and what the options were for getting data back – if it was going to be possible at all. There was some hope – the company had backups, which were separate from the rest of the network and safe from the incident.

    “We’re still under attack, we’re still trying to stop the bleeding, we still don’t know what the extent of the damage was – but we knew we had data to work with,” says Mendoza.

    Every organisation that falls victim to a ransomware attack ultimately has to face one major question – do they give in to the ransom demand in order to retrieve their data?

    Cybersecurity companies and law enforcement agencies around the world argue against giving in to extortion surrounding ransomware attacks, because not only does it hand over hundreds of thousands or even millions of dollars in bitcoin to criminals, it proves that the attacks work, which encourages ransomware attackers to continue with campaigns.

    However, some victims feel as if they’ve got no choice and they’ll pay the ransom, perceiving it to be the quickest and easiest way to get their data returned and the network back up and running – although that isn’t without issues. There are instances where attackers have either taken the money and run, or taken the ransom then just returned with a second attack.

    Spectra Logic had cyber insurance, which could potentially have covered the cost of paying the ransom. That might have been the simpler short-term decision for restoring the network, but it was quickly decided that with the backups still available, Spectra Logic wouldn’t give in to the ransom demand. So instead of communicating with the cyber criminals at all, Mendoza contacted the FBI.

    “I went from being in a panic to being reassured by them that they’d seen it before, we’re not alone in this and they’re going to put tools in place to start protecting us. That was the biggest thing, getting protected,” he explained.

    The FBI also assigned a specialist team to help Spectra Logic deal with the immediate fallout from the attack over the course of the days that followed.

    Attempting to restore the network turned out to be a 24/7 job for the small team over the course of the following week. For much of that time, people were sleeping at the office in order to have the most time possible to focus on restoring the network.

    “From the Thursday morning, we spent 24 hours every day for the next five days working on this – we slept in shifts. Three of us would work through the night while two people slept for a few hours,” said Mendoza. “There was no leaving and coming back, it was go sleep on the couch in case we need you. It was five days of all hands on deck.”

    As well as this, he was having to provide the board with updates on the ongoing situation. They wanted answers about when the network was going to be restored and when business was going to be back to normal.

    “I’m dealing with leadership in the company and I don’t want to lie to them and say I know when it’ll be up – I had to tell them I don’t know what’s going on or when systems will be up,” he says.

    It took days of working around the clock but eventually the IT department, with the aid of cybersecurity specialists, was able to restore some functionality to the network a week after the ransomware attack, without paying out to the attackers.

    “Our cybersecurity team provided us with the expertise and tools, monitoring and logging to get the threat out of our system. Monday morning they give us a green light; it’s done, they’ve stopped it and removed it,” Mendoza remembers.

    “The FBI told us we’re going the hard way, but the right way – and it ended up being the easy way when we came back and said we were back up eight days later; it was shocking for them,” he added.

    But it didn’t mean everything was immediately back to normal – it took weeks more to bring back systems that weren’t critical to the business, and during that whole time careful attention was required just to make sure the attackers hadn’t somehow managed to spread the ransomware again, which meant constantly monitoring all activity on the network for another month.

    A lot of ransomware attacks never become public knowledge, and examples of companies that go into detail about what happened are still few and far between. But Mendoza says it’s important to be transparent about dealing with a ransomware attack, because it’s important to show that it is possible to recover from an attack without lining the pockets of cyber criminals.

    “What we realised was we protected our data and there’s a way to thwart ransomware. We couldn’t find public information when we were looking for it, so we wanted to make it a common thing, that it’s okay to talk about being impacted by ransomware,” he said.

    So what is the key lesson Mendoza would say that other organisations need to take away from Spectra Logic’s experience?

    It’s to back up your systems – and do so offline – so, if the worst happens and the organisation falls, you still have backups offline.

    “You’ve got to limit your attack blast radius. Backup your data in multiple locations on multiple mediums and the key is to air-gap it. Whether it’s physical air-gap or virtual air-gap, you’ve got to put a wall between an attack and your data,” he said.

    And how did the company end up falling victim to a ransomware attack in the first place? Analysis of the incident revealed that a phishing email sent to an employee working from home was how hackers gained their initial access to the network.

    In the aftermath of the ransomware attack, Spectra Logic has worked to improve its cybersecurity culture, both on-site and for remote workers, in an effort to learn from the incident. The company is now actively looking for potential cybersecurity threats that might have been missed before.

    “Initially after the attack, when the wounds were fresh, we talked about security. Six months later, we’re still concerned about security and we’re more aware of phishing attacks. We were kind of complacent before,” he says. Staff will now notify him if a phishing email isn’t picked up by the malware system. “There’s more awareness now.”


  • in

    University students refunded for false ads touting job opportunities with Microsoft, Twitter

    The Federal Trade Commission (FTC) has sent millions of dollars in refunds to students affected by allegedly false University of Phoenix ads claiming partnerships with major tech firms. 

    According to the US regulator, the University of Phoenix (UOP), an online university, “falsely touted its relationships and job opportunities with companies such as AT&T, Yahoo!, Microsoft, Twitter, Adobe, and the American Red Cross” in allegedly “deceptive” advertisements.

    Furthermore, the FTC alleges that UOP, together with parent company, Apollo Education Group, claimed its curriculums were tailored with these partnerships in mind to give its students a better chance to secure a job with one of these companies.

    According to the FTC, some ads specifically targeted “military and Hispanic consumers,” including veterans and military spouses.

    “In reality, these companies did not partner with UOP to provide special job opportunities for UOP students or develop curriculum,” the FTC claims. “Instead, UOP and Apollo selected these companies for their advertisements as part of a marketing strategy to drive prospective student interest.”

    So far, over 147,000 students have been sent close to $50 million in refunds.

    Students enrolled in bachelor’s, master’s, or associate’s degrees between October 15, 2012, and December 31, 2016, could be eligible to claim if they paid more than $5,000 in fees and did not receive debt cancellation from the FTC’s prior settlement with UOP.

    The settlement, which in total has been agreed for $191 million, includes close to $141 million to settle unpaid balances owed by students eligible to have their debts cleared due to the lawsuit.

    UOP and the FTC originally settled the allegations in 2019. The university was required to pay $50 million in cash — which is now on its way to students — as well as wipe existing student debt.

    ZDNet has reached out to UOP and we will update when we hear back.

  • in

    'Like playing whack-a-mole': Do cyber-crime crackdowns have any real impact?

    Dark web takedowns and arrests are a crucial part of fighting cybercrime, but when one marketplace or malware operation gets disrupted by law enforcement, another is always likely to take its place.

    Emotet, one of the most prolific and most dangerous forms of malware – which served as a means for cyber criminals to deliver ransomware and other cyberattacks – was disrupted in a police operation earlier this year.


    And while the disruption of such a big player in the malware space inevitably has an impact on cybercrime, it doesn’t just disappear – cyber criminals find new means of engaging in malicious online activity.

    “I’m a big geek for Jurassic Park, and there’s a famous line that Jeff Goldblum says: ‘Life finds a way,’” Rick Holland, CISO at Digital Shadows, told ZDNet Security Update.

    “When I think about cyber-criminal takedowns – Emotet and others – there’s a long history of this as well; cybercrime finds a way. One set of operators gets arrested, goes to jail, but someone will fill their spot. It’s just like water flowing and it’s going to find a way”.

    In the case of the Emotet disruption, cyber criminals have quickly shifted to Trickbot and other trojans as a means of gaining access to networks for use in cyberattacks – either for deploying their own malware, or leasing out the backdoor for others to plant their own malware or ransomware.

    And that’s despite an attempted takedown of Trickbot by a coalition of cybersecurity companies in October.

    But that doesn’t mean there isn’t a need to fight cybercrime with takedowns and arrests – because even if cyber criminals have to evolve and adapt their tactics, criminal hacking and malware will remain a threat.

    “I definitely think we need to continue the law enforcement takedowns, it does have an impact, but it is a whack-a-mole because someone will fill that gap,” said Holland.

    “There’s definitely some impact on the operators themselves if they go to jail and things like that, but as far as the macro view versus the micro you know it’s going to continue,” he added.

    However, when takedowns are successful, there’s a chance that some lower-level cyber criminals will be frightened off being involved due to the potential prospect of going to jail if they’re caught.

    “A lot of the bottom feeders, if you will, that are kind of rushing to make money, they’re new to cybercrime, they don’t have as much operational security or experience, so they can be vulnerable just because of a lack of experience that’s there,” said Holland.

  • in

    Scaling up on a shoestring while citizen scientists analyse the Great Barrier Reef

    Due to the large geographical range of the Great Barrier Reef — roughly the same size as Italy — researchers have only collected data regularly from approximately 5-10% of the reef.

    In a bid to ramp up data collection, conservation organisation Citizens of the Great Barrier Reef launched the Great Barrier Reef census project in November.

    The project aimed to bring together stakeholders across tourism, including visitors and divers, science, research, and business to assist with capturing large-scale reconnaissance data from across the Great Barrier Reef.

    Phase one of the project saw over 14,000 images collected of about 170 reefs — double what was originally anticipated — across 680 different sites from the tip of Cape York to the remote southern Swain Reefs. Of those images, approximately 6,000 were submitted by vessels fitted with a Dell device purpose-built to capture images of the reef.

    “If you put [the distance travelled] against the side of the US, it would go from above Seattle to below the border of Mexico. That’s the kind of range we’re talking about,” Citizens of the Great Barrier Reef CEO Andy Ridley told ZDNet.

    “We even found a shipwreck up in the north from the 1840s. That kind of gives you an idea of not only how big the place is, but even now you can find a shipwreck that’s been there for nearly 200 years.”

    Currently, those images are being analysed in real time as part of phase two of the census project. Involved in analysing the images are what the team described as “citizen scientists” — everyday people from around the globe — who are playing their part to support conservation and coral recovery.

    Users are encouraged to select a reef image and “colour-in” where they see key elements, such as coral, sand, and rubble. On average, Citizens receives 1,500 unique visitors a day to its census website, over half from the US, followed by Australia, and then Europe and Asia.

    “Through a fairly novel analysis technique, we’re asking people to sort of trace around what they see in the image. We give them categories and say, ‘Is this coral a reef? Does it look like hard coral or soft coral?’ … and we collect polygon data from that,” Citizens of the Great Barrier Reef technologist Som Meaden said.

    “It helps give us a sense of the makeup of the reef, which is going to help us train a computer vision model to better recognise these types of images.

    “Traditional survey imagery is of very close-up one-by-one metre sort of transects. We’re trying to utilise seascape imagery that a tourist or somebody else might take and be able to get meaningful data from that. We’ve essentially baselined against research data, so we have a good sense of what that means.”
    To date, just over 6,000 analyses have been completed by the public, while half of the images uploaded have also been analysed by researchers. The goal is to have all images analysed by the end of April.

    “We’re relying on the general public to help us analyse all of them multiple times over and hopefully combined, that will give us a very good insight into what the images tell us but also how useful citizen science is in this regard,” Meaden said.

    “As people analyse an image, we’re sort of saying, is this something that’s been analysed by research before, and we can really grade the performance. As we increase trust as each people analyse images, we can build up a pretty good profile of who’s good at it, who’s not, and we can teach them about the reef at the same time.”

    Sending up a flare

    Helping to ensure the census project is always online is Cloudflare’s Project Galileo, which was established to help not-for-profit organisations and artistic groups fend off cyber attacks pro bono.

    “We’re a tiny team … [of] five now. But there’s only one technology person, so there’s only so much we can do … we can run a project like census and have thousands of people hitting it a day, analysing images, and uploading images, and be extremely confident that we’re not going to run into any problems,” Meaden said.

    Meaden boasted that since March, through Project Galileo, the organisation has seen 360GB of data routed via Argo Tunnel with an average response of 75ms, more than 100 hours of video has been watched via Stream, 17,000 images have been secured and served to census participants through Workers, and multiple security events where there were more than 100 requests were blocked by Firewall.

    “It’s been a very useful [because] all of this has been done on a very insignificant budget,” he said.
    Ridley emphasised that running a project like census needs to be scalable and highly efficient, but it cannot “cost loads of money”.

    “The endeavour behind citizens is we’re trying to build a 21st century conservation organisation, so that requires that shared economy approach of how can you scale without needing billions and billions of dollars,” he said.

    “Although it’s only currently focused on reconnaissance data on reefs, underneath that you’re building infrastructure, so you’re actually building the capacity to do a lot more things across the Great Barrier Reef.

    “In theory, if you can get the model right, which includes the technical architecture as well, you can scale that beyond the Great Barrier Reef.”

    Citizens of the Great Barrier Reef plans to make the data, methodology, and technology developed through the project open-sourced at the end of the project.

    “Much of the world thinks that [the Great Barrier Reef is] already gone but it really hasn’t; it’s a patchwork. You get some places that are so extraordinary and beautiful that you don’t know whether you should laugh or cry when you come to the surface…. then you get other places that have been hard hit by climate change, by bleaching, by runoffs,” Ridley said.

    “To be able to get a really broader picture of what’s going on and be able to talk about that, it’s actually very important because if the world thinks it’s gone, there’s not much to fight for.

    “Obviously, you’re trying to look at how you can build resilience in a system, like the Great Barrier Reef, but many of the lessons you learn here can be applied all around the globe. What we’re trying to do at Citizens is build stuff that can be scaled and shared around the world.”

    There are plans to launch a scaled-up census in October to survey at least 200 reefs on the Great Barrier Reef while testing the infrastructure’s ability to capture reconnaissance data for another habitat, such as sea grass.

    Other plans the organisation has its sights set on include trialling the model on reefs such as Ningaloo along the Western Australia coast or the Coral Triangle, a marine area in the western Pacific Ocean that includes waters of Indonesia, Malaysia, the Philippines, Papua New Guinea, Timor Leste, and Solomon Islands.

    The Great Reef census project is being delivered in partnership with the Great Barrier Reef Marine Park Authority, the University of Queensland, and the Australian Institute of Marine Science, with support from James Cook University. The project is funded by the partnership between the Australian government’s Reef Trust and the Great Barrier Reef Foundation, the Prior Family Foundation, and the Reef and Rainforest Research Centre.

  • in

    Australian Bureau of Statistics 'on track' to avoid Censusfail 2.0 come August 10

    The Australian Bureau of Statistics (ABS) has a little over four months to complete preparations for the 2021 Census, and hopes it will avoid the embarrassment that plagued the agency nearly five years ago.

    The 2021 Census will be built using the Amazon Web Services cloud through a contract awarded to PwC Australia.

    The change of approach is expected to counter any repeats of what occurred in 2016, when the ABS experienced a series of small denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens unable to complete their online submissions.

    The Census was run on on-premises infrastructure procured from tech giant IBM.

    Facing Senate Estimates on Wednesday night, Deputy Australian statistician Teresa Dickinson said preparations for the next Census are well advanced.

    “Census day is the 10th of August, and we are on track. In our metrics, where we measure progress against the Census, many of the sub programs of work are ‘green’, there are a few that remain ‘amber’, and the reason is that we still have some testing and defect remediation to do on our technical work,” Dickinson said.

    “But we are on track to do that, by the time the form goes live.”

    In response to the omnishambles that was the 2016 Census, there have been three reviews that made 36 recommendations, 29 of which were directed at the ABS and agreed upon. There was also a report prepared by the Australian National Audit Office (ANAO).

    “We had a number of reviews … which made quite a number of recommendations. All those recommendations have been actioned,” Dickinson said. “And as part of actioning those recommendations, we’ve done a great deal around cybersecurity.”

    She said the ABS has worked very closely with cybersecurity experts in building the completely new system. Further funding, she disclosed, was provided to the Bureau largely to “mitigate cybersecurity risk”.

    ANAO in November labelled the preparation for the 2021 Census by the ABS as “partly effective”.

    It said generally appropriate frameworks have been established to cover the Census IT systems and data handling, and the procurement of IT suppliers, but that the ABS has not put in place arrangements for ensuring improvements to its architecture framework, change management processes, and cybersecurity measures will be implemented ahead of the 2021 Census.

    “The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations, and ensuring timely delivery of the 2021 Census,” the auditor added. “Further management attention is required on the implementation and assessment of risk controls.”

    Additionally, Dickinson confirmed it has over 50 suppliers and partners working on the Census.