More stories


    Uber found to have interfered with privacy of over 1 million Australians

    The Office of the Australian Information Commissioner (OAIC) has handed down its determination that Uber interfered with the privacy of over 1 million Australians in 2016.

    Australia’s Information Commissioner and Privacy Commissioner Angelene Falk on Friday said US-based Uber Technologies Inc and Dutch-based Uber B.V. failed to appropriately protect the personal data of an estimated 1.2 million Australian customers and drivers when it was accessed in a breach in October and November 2016.

    It came to light in late 2017 that hackers had stolen data on 57 million Uber riders worldwide, as well as data on more than 600,000 drivers. Instead of notifying those affected, Uber concealed the breach for more than a year and paid the hackers to keep it quiet.

    While Uber required the attackers to destroy the data and there was no evidence of further misuse, the OAIC said its investigation focused on whether Uber had preventative measures in place to protect Australians’ data.

    Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required. The tech giant also failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APPs), she said.

    “Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” the determination says. “Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”

    APP 11.1 requires companies to take reasonable steps to protect personal information against unauthorised access, while APP 11.2 requires reasonable steps to be taken to delete or de-identify personal information that is no longer needed for a permitted purpose. Also breached, the OAIC found, was APP 1.2, which requires companies to take reasonable steps to implement practices, procedures, and systems relating to the entity’s functions or activities, to ensure compliance with the APPs.

    In her determination, Falk said the Uber companies must not repeat those acts and practices. She has also requested that Uber prepare, within three months, a data retention and destruction policy that will, when implemented, enable and ensure compliance by the Uber companies with APP 11.2.

    Falk has also asked Uber to establish an information security program and appoint an individual to lead it. The program must identify risks to the security or integrity of personal information of Australian users collected and/or held by the Uber companies that could result in misuse, interference, or loss, or unauthorised access, modification, or disclosure of that information. It must also include refresher training for staff and rigorous safeguards.

    The privacy commissioner also wants the company to implement an incident response plan, including a clear explanation of what constitutes a data breach.

    Falk said the matter raised complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group. In this case, Australians’ personal information had been transferred directly to servers in the United States under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.

    “Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she added.

    To that end, her determination also included a request for an independent assessment of Uber’s adherence to the Australian Privacy Act. The commissioner has ordered the Uber companies to appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any changes recommended in the reports.

    Uber in September 2018 agreed to pay $148 million in a US settlement over the incident, and a few months later was fined over £900,000 by UK and Dutch watchdogs in relation to the 2016 data breach. Two men pleaded guilty in October 2019 to the hack, and Uber’s former chief security officer was charged in August 2020 by US authorities over the cover-up.

    In response to the OAIC’s determination, an Uber spokesperson told ZDNet it welcomed the resolution of the incident.

    “We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” they said. “We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016.

    “We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”

    Updated 4:10pm AEST Friday 23 July 2021: Added statement from Uber spokesperson.


    Akamai has trouble and the internet hiccups again

    You’ve heard it before, you’ll hear it again. Once more with feeling, the internet is having real trouble as we move into the early afternoon of July 22 on the US East Coast.

    According to reports on the Outages list, the central mailing list where ISP and network operators report and track major internet connectivity problems, and numerous Reddit threads, the major content delivery network (CDN) Akamai is the root of the problem. Specifically, people report that sites whose DNS is served by Akamai’s Edge DNS cannot be reached. The sites themselves are fine. But, because Akamai’s authoritative edge DNS servers are failing to answer, your web browser, game client or whatever else never gets an address for the hostname, so it has no way to find the site. Hostnames that are CNAMEs into an Akamai-served zone fail the same way even when the customer’s own zone is healthy: the resolver follows the chain into Akamai and gets no answer.

    Akamai has admitted it’s having trouble. In a notification, Akamai stated:

    We are aware of an emerging issue with the Edge DNS service. We are actively investigating the issue. If you have questions or are experiencing impact due to this issue, please contact Akamai Technical Support. In the interest of time, we are providing you the most current information available, which is subject to changes, corrections, and updates.

    Oops. Akamai has only 9.6% of the CDN market, but its share is a very important one. Sites that depend on Akamai include Amazon Web Services, Microsoft, Delta Airlines, Oracle, Capital One, and AT&T. Yeah, you’ll notice when those sites and the services they provide are offline.

    There are reports that Akamai has a handle on the problem now. The status page itself, as of 1:02 PM Eastern time, states that “This incident has been mitigated.” Because resolvers cache DNS answers for their TTL, and many briefly cache failed lookups as well, both the problem and the fix reach different users at different times, so you may still have trouble reaching some sites or services. For example, I’m still having trouble using my Delta Airlines app.

    So, be patient. By the end of the business day, Akamai, and your internet connection, should be back to normal.
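    The failure mode above, and the reason it clears unevenly, in a toy resolver. This is an added example, not Akamai’s or anyone else’s code: the zone names, the address 203.0.113.10 and the TTLs are constructed, and `cdn-edge.test.` stands in for a CDN-operated authoritative zone. It follows a CNAME from a healthy customer zone into the CDN zone, takes the CDN zone down, and shows that cached answers keep working until their TTL expires and that resolution returns once the zone is back.

```python
"""Toy iterative resolver showing why an authoritative-DNS outage at a CDN takes
customer sites down with it. The customer's own zone answers fine, but its
hostname is a CNAME into a zone the CDN serves; when that zone's servers fail,
the chain cannot complete. Cached answers keep working until their TTL runs out,
which is why users see failures start, and clear, at different times.
Zone data below is constructed for the example (no real names or addresses)."""


class ServFail(Exception):
    """Raised when the authoritative servers for a zone are unreachable."""

    def __init__(self, zone):
        super().__init__(zone)
        self.zone = zone


# Constructed zones: owner name -> (rtype, rdata, ttl). 'cdn-edge.test.' stands
# in for a CDN-served authoritative zone; 'example-retailer.test.' is a tenant.
ZONES = {
    "example-retailer.test.": {
        "www.example-retailer.test.": ("CNAME", "www.example-retailer.test.cdn-edge.test.", 300),
    },
    "cdn-edge.test.": {
        "www.example-retailer.test.cdn-edge.test.": ("A", "203.0.113.10", 20),
    },
}


class Resolver:
    def __init__(self, zones, healthy):
        self.zones = zones
        self.healthy = set(healthy)      # zones whose authoritative servers respond
        self.cache = {}                  # name -> (rtype, rdata, expires_at)

    def _zone_for(self, name):
        """Closest enclosing zone (longest matching suffix), or None."""
        matches = [z for z in self.zones if name == z or name.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def _lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[2] > now:
            return hit[0], hit[1], "cache"          # still within TTL
        zone = self._zone_for(name)
        if zone is None:
            return None
        if zone not in self.healthy:
            raise ServFail(zone)                    # authoritative side is down
        rec = self.zones[zone].get(name)
        if rec is None:
            return None                             # no such name
        rtype, rdata, ttl = rec
        self.cache[name] = (rtype, rdata, now + ttl)
        return rtype, rdata, "auth"

    def resolve(self, name, now, max_hops=8):
        """Follow CNAMEs to an address. Returns (status, detail, sources), where
        sources records whether each hop came from cache or an authoritative."""
        sources = []
        for _ in range(max_hops):      # bound the chain so a CNAME loop cannot hang us
            try:
                rec = self._lookup(name, now)
            except ServFail as err:
                return ("SERVFAIL", err.zone, sources)
            if rec is None:
                return ("NXDOMAIN", name, sources)
            rtype, rdata, src = rec
            sources.append(src)
            if rtype == "A":
                return ("OK", rdata, sources)
            name = rdata                           # CNAME: chase the target
        return ("SERVFAIL", "cname chain too long", sources)


def outage_timeline(name="www.example-retailer.test."):
    """Replay the outage against the constructed zones:
    t=0  everything healthy
    t=10 CDN zone down, but both records are still cached -> still resolves
    t=30 the A record (TTL 20) has expired -> SERVFAIL from the CDN zone
    t=40 CDN zone restored -> resolves again"""
    r = Resolver(ZONES, healthy=ZONES)
    out = {"t0": r.resolve(name, now=0)}
    r.healthy.discard("cdn-edge.test.")
    out["t10"] = r.resolve(name, now=10)
    out["t30"] = r.resolve(name, now=30)
    r.healthy.add("cdn-edge.test.")
    out["t40"] = r.resolve(name, now=40)
    return out


if __name__ == "__main__":
    for t, result in outage_timeline().items():
        print(t, result)
```

    The practical check during an incident like this is the same split the toy makes: query the customer’s zone and the CDN-served target separately (with `dig`, ask each authoritative directly rather than your cache) to see which side is not answering, and remember that a resolver that has a fresh cached answer will look fine while one whose entry has expired will not.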


    Microsoft Edge 92 starts rolling out to mainstream users

    On July 22, Microsoft began rolling out version 92 of its Chromium-based Edge browser to the Stable Channel, meaning mainstream users. The new version includes a number of new features, among them a Password Health Dashboard, which is meant to help users avoid reusing the same password across multiple sites and to identify whether their passwords are strong enough. Microsoft already offers Password Monitor, which detects whether credentials saved to autofill have turned up on the dark web, and Password Generator, an option for auto-generating passwords.

    Edge 92 also lets users bring their saved credentials into other apps and browsers on their phones when using Edge on mobile: saved login information from the browser can be used to sign in to mobile apps like Instagram and Pinterest.

    According to Microsoft’s Edge release notes, other features in Edge 92 include natural-language search of browser history from the address bar; MHTML files opening by default in Internet Explorer mode; synchronization of payment information across devices; the ability to manage extensions from the toolbar; and an option to navigate from HTTP to HTTPS on domains that support HTTPS.

    Microsoft also touted a new Outlook extension that lets users see their most recent personal and/or work emails, to-do lists and calendars without having to open a new tab or app.


    Get a lifetime of data encryption for your company for just $60

    Ransomware extortion demands, as well as the downtime they cause, continue to steadily increase. Unsurprisingly, the cost of digital security is rising as well. And regulations now make the privacy and security of your data a matter of compliance, which makes strong protection essential. A lifetime subscription to the Encrypt Office Business Plan will help you take control of your company’s data before someone else gets to it.


    Encrypt Office is a SaaS solution that is fast and easy to implement, and the vendor says it will boost your company’s productivity, compliance, and security. It surrounds your data with encryption: FIPS 140-2 compliant TLS is used for data in transit, while data at rest is protected with AES 256-bit encryption. (The listing also quotes a “1,024-bit key strength”; an AES-256 key is 256 bits, so that figure cannot describe the AES key and should be read as marketing rather than a specification.)

    Not only are your email and large file transfers encrypted, but you also get encrypted vaults that require three-factor authentication. These can be used to store files and to receive files securely from anyone via a web browser. Sensitive digital assets stored and transmitted by your company are protected against theft, misuse, and loss, and Encrypt Office provides the full audit trail of data interactions required for HIPAA compliance.

    The plan includes encrypted file transfers of up to 5GB. It offers cloud integration as well, so you can use it with Google Drive, Dropbox, OneDrive, and more. Encrypt Office is customizable, so your administrators can set the policies most appropriate for your company.

    Don’t pass up this opportunity to get strong protection that will keep your business data safe. Get a lifetime subscription to the Encrypt Office Business Plan while it is on sale for just $59.99.



    Attacks on critical infrastructure are dangerous. Soon they could turn deadly, warn analysts

    Tech analyst firm Gartner reckons that by 2025 hackers will have turned computer systems into weapons to the point that they could injure or kill humans, and that beyond the human tragedy it will cost businesses $50 billion to remediate across IT systems, litigation and compensation.

    Past malware attacks such as Stuxnet, which is believed to have been the work of the NSA, have demonstrated that malware can cause real-world damage, not just scramble data. And cyber-attacks have long had real-world consequences, such as the ransomware attacks on organizations like Colonial Pipeline and on hospitals in the US and Europe. The UK’s NHS struggled for days after the 2017 WannaCry ransomware attack, which was blamed on North Korean state-sponsored hackers.

    Gartner reckons that by 2025, hackers will have weaponized operational technology (OT) environments to “successfully harm or kill humans”. By OT, Gartner means “hardware and software that monitors or controls equipment, assets and processes.” It groups these with attacks on cyber-physical systems (CPS); examples might be attacks on electronic medical equipment or physical infrastructure.

    “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” says Wam Voster, a senior research director at Gartner.

    More worryingly, Voster went on: “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”

    Gartner breaks down OT and cyber-physical threats into three categories: actual harm; commercial vandalism, which reduces output; and vandalism against an organization’s reputation, which renders it unreliable and untrustworthy as a manufacturer.

    Gartner expects that the financial impact of CPS attacks that kill or injure people will reach over $50 billion by 2023. The costs to organizations will be significant and include compensation, litigation, insurance, regulatory fines and reputation loss, Gartner says. It should be noted, however, that this figure is small compared to overall global spending on IT, which Gartner expects to reach $4.2 trillion in 2021.

    Fortunately, Gartner does have some practical advice for organizations that run operational technology: appoint an OT security manager for each facility, provide security training and awareness for staff, and test incident response capabilities. Given the perennial threat of ransomware, it also urges organizations to implement adequate backup, restore and disaster recovery capabilities. It also recommends controlling portable media, such as USB sticks, that may be connected to OT systems: “Only media found to be free from malicious code or software can be connected to the OT,” it says. Companies need a current inventory of IT and OT assets; real-time logs and detection capabilities; secure configurations; and a formal patching process.


    740 ransomware victims named on data leak sites in Q2 2021: report

    More than 700 organizations were attacked with ransomware and had their data posted to data leak sites in Q2 2021, according to a new research report from cybersecurity firm Digital Shadows. Of the almost 2,600 victims listed on ransomware data leak sites to date, 740 were named in Q2 2021, a 47% increase over Q1.

    The report chronicles the quarter’s major events, which included the DarkSide attack on Colonial Pipeline, the attack on global meat processor JBS, and increased law enforcement action by US and European agencies. But Digital Shadows’ Photon Research Team found that, under the surface, other ransomware trends were emerging.

    Since the Maze ransomware group helped popularize the data leak site concept, double-extortion tactics have come into vogue among groups looking to inflict maximum damage after attacks. Digital Shadows tracks the information posted to 31 dark web leak sites, giving it visibility into how many groups are now stealing data during ransomware attacks and posting it online.

    Data from companies in the industrial goods and services sector was prevalent on dark web leak sites, according to the report. Construction and materials, retail, technology, and healthcare organizations also featured heavily among the attacked organizations. The retail sector saw the biggest increase in ransomware attacks, with Digital Shadows researchers finding a 183% rise between Q1 and Q2.

    In terms of activity, the Conti group led the way, followed by Avaddon, PYSA, and REvil.

    “This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services,” the report said, noting the group’s devastating attack on Ireland’s healthcare system.

    But the report notes that across the wider ransomware market, a number of groups disappeared or emerged out of nowhere. In Q2, the Avaddon, Babuk Locker, DarkSide, and Astro Locker ransomware groups all closed operations, while Vice Society, Hive, Prometheus, LV Ransomware, Xing, and Grief emerged with their own dark web leak sites, according to Digital Shadows.

    The report also notes that 60% of the victim organizations are based in the US, with Canada the only country to see a reduction in ransomware attacks from Q1 to Q2. More than 350 US organizations were hit by ransomware in Q2, compared to 46 from France, 39 from the UK, and 35 from Italy.

    The researchers questioned whether Q3 would bring more attacks resembling the Kaseya ransomware attack, in which REvil operators used a zero-day vulnerability to compromise more than 40 managed service providers. “Ransomware operations will likely continue to operate brazenly into the third quarter of 2021, giving limited thought to who they are targeting and more to how much money they might make,” the researchers wrote.


    Saudi Aramco denies breach after hackers hawk stolen files

    Saudi Aramco, one of the largest oil companies in the world, has denied that its systems were breached by hackers after cybercriminals contacted ZDNet with a trove of files from the company.

    A threat actor going by ZeroX told ZDNet on Telegram that it had stolen 1 TB of “sensitive data” dating from 1993 to 2020. The group said it hacked Saudi Aramco’s network, stealing information on refineries in Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran. The cybercriminals also contacted other news outlets, including Bleeping Computer, which first reported the claims.

    The group provided samples of the data, which included documents covering project specifications, electrical and power systems, machinery at the refineries, analysis reports, unit prices, business agreements, network documents, company clients, invoices, and more. The group also said it stole information on about 14,254 employees, including names, photos, passports, emails, phone numbers, family information, ID numbers, and more. ZeroX shared the data through an “onion dark web link.”

    But in a statement to ZDNet, Saudi Aramco denied that it had been hacked.

    “Aramco recently became aware of the indirect release of a limited amount of company data which was held by third party contractors,” the spokesperson said. “We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cybersecurity posture.”

    Saudi Aramco has more than 270 billion barrels of crude oil reserves, the second largest in the world, and produces more oil per day than any other company. The company brought in $204 billion in 2020.

    Bleeping Computer reported that ZeroX was auctioning the entire data dump for $5 million while also offering 1 GB samples for about $2,000. Saudi Aramco dealt with a cyberattack in 2012 that damaged 30,000 workstations, and the oil giant has routinely faced attacks ever since.


    1,000 GB of local government data exposed by Massachusetts software company

    More than 1,000 GB of data and over 1.6 million files from dozens of US municipalities were left exposed, according to a new report from a team of researchers at security company WizCase.


    All of the towns and cities appeared to be connected through one product: mapsonline.net, which is owned by a Massachusetts company called PeopleGIS. The company provides information management software to local governments across Massachusetts, New Hampshire and Connecticut.

    Ata Hakçıl and his team discovered more than 80 misconfigured Amazon S3 buckets holding data related to these municipalities. The data ranged from residential records like deeds and tax information to business licenses and job applications for government positions. Given the sensitive nature of the documents, many of the forms included people’s email addresses, physical addresses, phone numbers, driver’s license numbers, real estate tax information, license photographs and photos of property. The researchers shared redacted images of the exposed data.

    “The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution,” the report said. “Our team reached out to the company and the buckets have since been secured.”

    Not every municipality had the same information exposed, and the report said the types of files leaked varied. Because the forms varied so much, the researchers could not estimate the number of people affected.

    The security company ran a scanner that found 114 Amazon S3 buckets connected to PeopleGIS and named similarly. According to the report, 28 were configured correctly while “86 were accessible without any password nor encryption.” The researchers did not have a definitive explanation for why some buckets were properly secured and others were not. They suggested that PeopleGIS simply “created and handed over the buckets to their customers (all municipalities), and some of them made sure these were properly configured.” Another theory was that different employees at PeopleGIS, without clear guidelines, created and configured each bucket. The third theory was that the municipalities themselves created the buckets with basic guidelines from PeopleGIS “about the naming format but without any guidelines regarding the configuration.” The researchers said this “would explain the difference between the municipalities whose employees knew about it or not.”

    Whichever explanation is right, the common thread is that access control was left to whoever created each bucket, with no guard above the bucket: in whichever AWS account holds a bucket, enabling S3 Block Public Access at the account level overrides a public ACL or policy on every bucket in that account, regardless of who created it.

    “The breach could lead to massive fraud and theft from citizens of those municipalities. The highly-sensitive nature of the data contained within a local government’s database, from phone numbers to business licenses to tax records, are highly susceptible to exploitation by bad actors,” the report said. “Much of this information is supposed to be only accessible by the government and the citizens, meaning someone could potentially defraud an individual by posing as a government official.”

    PeopleGIS did not respond to requests for comment.
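    What a scanner like the one in the report has to decide for each bucket, as an added example that is not WizCase’s tool or any PeopleGIS code: a bucket is anonymously reachable if its ACL grants to the AllUsers or AuthenticatedUsers groups, or its bucket policy allows a read action to Principal "*", unless Block Public Access overrides that. The inputs mirror the shape of the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses but are constructed here (bucket names, the canonical user ID and the VPC endpoint ID are fake), so nothing contacts AWS. The check is deliberately simpler than AWS’s own “public” evaluation, which accepts only specific Condition keys as narrowing; here any Condition on a wildcard principal is flagged for human review rather than silently passed.

```python
"""Offline check for anonymously reachable S3 buckets. It applies the two ways a
bucket becomes public, an ACL grant to the AllUsers/AuthenticatedUsers groups or
a bucket policy that allows a read action to Principal "*", and honours the
Block Public Access settings that override them. Inputs mirror the shape of the
GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock API responses but are
constructed here; nothing talks to AWS."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Literal matches only; broader action globs are not expanded in this example.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def acl_public(grants):
    """True if any grant (whatever the permission) targets a global group."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants)


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_exposure(policy_json):
    """'public' if an Allow statement grants a read action to a wildcard principal
    with no Condition; 'conditional' if the only such statements carry a Condition
    (a human must judge whether e.g. an aws:SourceIp range is really narrow);
    None if no wildcard read grant exists."""
    if not policy_json:
        return None
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    worst = None
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        if not set(_as_list(st.get("Action", []))) & READ_ACTIONS:
            continue
        if st.get("Condition"):
            worst = "conditional"
        else:
            return "public"
    return worst


def bucket_findings(bucket):
    """Reasons a bucket is reachable without credentials; [] if none found."""
    bpa = bucket.get("public_access_block", {})
    findings = []
    if acl_public(bucket.get("grants", [])) and not bpa.get("IgnorePublicAcls"):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    exposure = policy_exposure(bucket.get("policy"))
    if exposure == "public" and not bpa.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows a read action to Principal '*' with no Condition")
    elif exposure == "conditional":
        findings.append("REVIEW: wildcard-principal policy narrowed only by a Condition")
    return findings


def audit(buckets):
    """Map bucket name -> findings, for buckets that have any."""
    return {b["name"]: f for b in buckets if (f := bucket_findings(b))}


# Constructed sample: five buckets sharing a naming convention, as the report
# describes, but configured differently. Names, IDs and the VPC endpoint are fake.
PUBLIC_READ_GRANT = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE_BUCKETS = [
    {"name": "gis-town-a-records", "grants": [PUBLIC_READ_GRANT], "policy": None},
    {"name": "gis-town-b-records", "grants": [], "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::gis-town-b-records/*"}]})},
    {"name": "gis-town-c-records", "grants": [PUBLIC_READ_GRANT], "policy": None,
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    {"name": "gis-town-d-records", "policy": None,
     "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
                 "Permission": "FULL_CONTROL"}]},
    {"name": "gis-town-e-records", "grants": [], "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                      "Action": ["s3:GetObject", "s3:ListBucket"],
                      "Resource": ["arn:aws:s3:::gis-town-e-records",
                                   "arn:aws:s3:::gis-town-e-records/*"],
                      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"}}}})},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(findings))
```

    Run against real accounts, the same three functions would be fed from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` per bucket, and the account-level block from `s3control`; the finding for a bucket whose public grant is overridden by Block Public Access (town C above) is empty on purpose, since that setting is what makes the bucket safe regardless of who configured it.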