More stories


    Telegram now lets you bring across chat history from WhatsApp

    Telegram has launched a new feature to help people move their chat history from other apps including WhatsApp.
    Telegram was one of the major beneficiaries of the public backlash against Facebook’s January update to WhatsApp’s privacy policy, which would allow WhatsApp to share more information with businesses.


    Telegram claimed to have gained 25 million new users after initial reports about the new policy, pushing its user numbers beyond 500 million. 
    Security experts generally recommend Signal as the most secure chat app, which also gained a lot of users who were fleeing from WhatsApp. Other secure chat app options include Threema and Wickr, which offer end-to-end encryption by default. The developers of these apps have also released source code for third-party audits, whereas Telegram has not.   
    According to Telegram, it gained 100 million new users in January and it’s now developed a feature that lets users bring across their old WhatsApp messages to Telegram. The chat migration feature also works for chat histories in Line and KakaoTalk. The migration feature works for individual and group chats.
    The feature takes advantage of WhatsApp’s already available export chat option.    

    “To move a chat from WhatsApp on iOS, open the Contact Info or Group Info page in WhatsApp, tap Export Chat, then choose Telegram in the Share menu,” Telegram explained. 
    WhatsApp on iOS also lets users export chats directly from the chat list by swiping left on a chat, then choosing Export Chat.
    In addition, Telegram announced a new feature that lets users report fake channels and groups that pose as famous people and organizations. Telegram says its moderators will investigate reports when users open a suspect profile page and tap Report > Fake Account. 
    WhatsApp in mid-January decided to delay its privacy policy update due to confusion about what the update meant. It moved the deadline for accepting its new terms from February 8 to May 15. 
    “We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8,” WhatsApp said.  
    “We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15.”


    SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec

    If you were hoping the SolarWinds hack was going to be a one-off, you’re out of luck. Expect more sophisticated and complicated attacks of the same type to come along sooner or later.
    The SolarWinds hack – a supply chain attack that saw (most likely Russian state-backed) hackers use SolarWinds’ enterprise IT-monitoring software to deploy malware – hit a number of big-name US tech vendors. 


    These include Microsoft, FireEye (which owns Mandiant), Mimecast, Palo Alto Networks, Qualys, Malwarebytes, and Fidelis. What really set this attack apart was that many of the targets were not just government agencies or businesses, but the security companies themselves.
    “What SolarWinds has taught us is that this landscape is more complex and more sophisticated. Is this a different attack? It is a really sophisticated attack,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity told ZDNet in an interview. 
    “These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm. This is why what we do is more important than ever,” she said.
    “I believe that SolarWinds is a moment of reckoning in the industry. This is not going to change and we have to do better as a defender community and we have to be unified in our responses. We have been out there, leading in this response.” 

    Jakkal takes a similar line to Microsoft president Brad Smith. “While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” said Smith in the wake of Microsoft’s disclosure about the attacks. 
    “This is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he said.
    “It’s an unprecedented time. Full stop,” says Jakkal. “Cybersecurity vendors getting hacked – that is a moment of reckoning.” 
    Microsoft is also looking at security as a key area of growth. Microsoft CEO Satya Nadella announced at this week’s second-quarter earnings report that commercial cloud sales were through the roof and that Microsoft’s overall security business was now worth $10 billion a year in revenues.  
    To put that in context, Microsoft’s cybersecurity business is worth about 14% of the $66.8 billion annual revenue run rate that the entire Microsoft cloud business is expected to make this year.
    Microsoft’s security portfolio is vast. There’s Microsoft Defender for Mac, Windows and Linux endpoints, Defender for email and Defender for Office 365. Microsoft calls this business XDR or the extended detection and response portfolio, which has been bolstered by its security information and event-management (SIEM) platform, called Sentinel. 
    Jakkal is still upbeat about the prospects of the US cybersecurity and broader software industry rising to the threat demonstrated by the SolarWinds hack. She argues that by going after so many tech security providers, the hackers have shown that the industry needs to act as one.
    “And we have come together. I’m really impressed to see how the cybersecurity industry – FireEye, Microsoft – how we can get together across private and public sectors to discuss how we can share more information between organizations.
    “These are things we are considering. This is why it is a moment of reckoning, a moment of pause,” says Jakkal.


    Electronic health records provider Athena to pay $18m settlement in kickback lawsuit

    Electronic health records (EHR) provider Athena has agreed to pay $18.25 million to settle claims the company was involved in an illegal kickback scheme. 

    Athenahealth Inc., an EHR vendor based in Watertown, Massachusetts, was accused by whistleblowers of conducting kickback deals in order to promote the sale of athenaClinicals.
    AthenaClinicals is a web-based EHR portal for accessing medical documentation and patient records, and for exchanging data between care sites. The software is touted as a means for healthcare professionals to “focus on delivering care.”
    On Thursday, the US Department of Justice (DoJ) said that Athena’s settlement will lay accusations of violating the False Claims Act and the Anti-Kickback Statute (AKS) to rest. 
    US prosecutors allege that from 2014 through September 2020, Athena provided kickbacks to healthcare providers and other EHR vendors to induce them into purchasing AthenaClinicals software.
    According to the complaint, three marketing programs were used to allegedly facilitate the scheme. Prospective and existing clients were invited to complimentary, all-expenses-paid “Concierge Events” providing entertainment — including entry to the Masters Tournament and NFL games — and a “Lead Generation” program paid clients up to $3,000 for each new physician signed up “regardless of how much time, if any, the existing customer spent speaking to or meeting with the new client,” the DoJ said.
    In addition, Athena allegedly entered into deals with competing vendors that were planning to exit the EHR industry and paid them for referrals that converted into new clients. 

    “By offering and paying this illegal remuneration in cash and in kind, Athena submitted and caused its EHR clients to submit to federal health care programs false or fraudulent claims that resulted from violations of the AKS,” the US agency says. 
    The lawsuit, together with a separate claim, was filed under the whistleblower provisions of the False Claims Act in 2017; the two cases were later consolidated. These provisions allow citizens to sue on behalf of the US government.
    The individuals that flagged Athena’s reported kickback scheme may be entitled to compensation from the government, but figures are yet to be determined. 
    In total, $9.12 million out of the $18.25 million settlement has been staked as “restitution” for the United States.
    “This resolution demonstrates the department’s continued commitment to hold EHR companies accountable for the payment of unlawful kickbacks in any form,” commented Acting Assistant Attorney General Brian Boynton for the DOJ’s Civil Division. “EHR technology plays an important role in the provision of medical care, and it is critical that the selection of an EHR platform be made without the influence of improper financial inducements.”
    ZDNet has reached out to Athena for comment and will update when we hear back. 


    Google bans another misbehaving CA from Chrome

    Google intends to ban and remove support from Chrome for digital certificates issued by Spanish certificate authority (CA) Camerfirma, the browser maker announced this week.

    The ban will come into effect with the launch of Chrome 90, scheduled for release in mid-April 2021.
    After the Chrome 90 launch, all websites that use TLS certificates issued by Camerfirma to secure their HTTPS traffic will show an error and will not load in Chrome going forward.
    The decision to ban Camerfirma certificates was announced on Monday after the company was given more than six weeks to explain a string of 26 incidents related to its certificate-issuance process.
    The incidents, detailed by Mozilla on this page, go back to March 2017.
    Two of the most recent have taken place this month, January 2021, even after the company was made aware it was under investigation in December 2020.
    The incidents paint a picture of a company that has failed to meet industry-agreed quality and security standards in regards to the process of issuing TLS certificates for website operators, software makers, and enterprise system administrators.
    Just Chrome for now

    Across the years, browser makers have often banded together to kick out certificate authorities that don’t follow these rules. Other CAs that have been banned from Chrome in the past include Symantec, DigiNotar, and WoSign and its subsidiary StartCom.
    This led to companies like DigiNotar filing for bankruptcy and Symantec selling its CA business to DigiCert after their certificates became pariahs inside modern browsers.
    At the time of writing, no other browser maker has announced a similar ban on Camerfirma certs, but industry experts expect similar decisions from the other three (Apple, Microsoft, and Mozilla) in the coming weeks.
    Nevertheless, the Google ban alone is more than enough to cripple Camerfirma’s business. With Chrome holding a market share of around 60% to 70%, the ban is a de facto death blow.
    A Camerfirma spokesperson has not returned a request for comment.


    Scams, terror, and national security: Problems with Chinese microloan apps in India

    Technology has become a great enabler but it can also be a killer. In this case, it has literally proven so for India’s lower-income residents, thanks to unscrupulous Chinese operators who have used spurious loan apps and hired Indian underlings to bilk the most vulnerable.
    In just 10 months since the pandemic began, at least $3 billion worth of scam microloan transactions have taken place with a bulk of that siphoned off. 
    The targets of these scams are people who are largely marginalised by the banking sector. Pandemic-induced joblessness and pay cuts created an urgent need for cash, and the already dire situation of these people was exacerbated in 2020, making them ripe for exploitation.
    Yet this appears to be only the tip of the iceberg. The other problem arising from the actions of these relatively few bad actors is that they have threatened the dynamic Chinese tech ecosystem within India. The top smartphone sellers in the country, such as Xiaomi, Oppo, Vivo, RealMe, and OnePlus, all have significant investments in the country.
    Countless startups, many that have now grown up, like Paytm and Ola, have been nourished by significant chunks of Chinese money — $4 billion worth — from companies like Tencent and Alibaba’s Ant Financial.
    THE UNDERSERVED
    Within the great revolution that the internet has ushered in, there have been big strides in areas such as transportation (Ola), e-commerce (Flipkart), and food-tech (Zomato), along with the advancement of a whole host of automation, logistics, and cloud services outfits that have begun to empower businesses and consumers.
    One area that has held much promise is the booming fintech market, which provides solutions in the form of consumer credit, supply chain finance, digital payment, wealth management, and insurance.

    In India, specifically, the poor in smaller towns and in the countryside have always been starved of banking avenues. Private sector banks, which took off in the early 2000s, had made the calculation long ago that it would not be profitable on a per account basis to expand to the hinterland.
    The Indian digital payments revolution tried to alleviate this problem experienced by the unbanked, but poor internet infrastructure has made it difficult for financial inclusion to become commonplace, and smartphones are not yet ubiquitous in these parts.
    As a result, moneylenders, who have always held sway in rural and semi-urban parts, have continued to ply their trade. Even scores of unbanked urban Indians in big cities have to resort to borrowing money from these unsavoury sources. Many of these moneylenders charge upwards of 300% interest, which is why, when marginalised Indians got wind of easy and instant loan approvals from an array of fintech apps, borrowing from them was a no-brainer.
    They just didn’t realise, however, that they were being taken for a painful, if not devastating, ride.
    DATA AS COLLATERAL
    This is how the scam essentially works for the majority of borrowers. For example, a woman takes a loan — mostly a small one, say Rs 3,500 ($1) — from a digital lending app, such as My Bank. But within a few days, she notices something odd: Rs 26,000 is deposited into her account from 14 or so different lending apps that had never been downloaded onto her phone.
    Before she is able to make sense of what is going on, the borrower is suddenly assailed by collection agents from all of these apps demanding repayment of Rs 44,000 — 10 times the amount she borrowed.
    When this already severely cash-strapped person is unable to repay her loans, she is threatened by collection agents, who then morph her face onto naked bodies to create pornographic images of her.
    The images are then sent to all of her contacts, which the loan app had already accessed as part of the loan agreement, as well as to the person’s WhatsApp groups. Personal data, which the lending app made sure it collected, was essentially used as collateral.
    This kind of public humiliation and shame has resulted in six suicides in the state of Telangana so far.
    THE PHANTOM MENACE
    When an Indian consumer collective, Cashless Consumer, decided to investigate these occurrences, it discovered the scale and the horror of what was going on.
    All of the user data is apparently stored in China and out of the 1,050 instant loan apps it checked — Loan Gram, Cash Train, Cash Bus, AAA Cash, Super Cash, Mint Cash, Happy Cash, Loan Card, Repay One, Money Box, Monkey box, Rupee Day, Cash Goo, among many, many others — only 300 apps had websites, albeit with scant information. Meanwhile, only 90 had physical addresses. According to Cashless Consumer, many of these apps breach Indian rules on lending.
    Traditionally, banks and other non-banking financial companies that hand out loans have a whole host of documents that have to be provided before a loan is issued. Making the cut is not easy.
    Enter digital lending apps, which more or less are not required to follow such requirements and can issue microloans with a much shorter repayment window and brutally high interest rates, most often 1% a day, compounding every two weeks. It’s difficult to see how a person with a modest income, let alone one in a pandemic-induced cashflow crisis, would be able to pay this back.
    When SaveIndia Foundation, a team of cybersecurity professionals, investigated instant loan apps operating in India, they discovered that hundreds of these accounts were operated from abroad and that their usernames and passwords were in Mandarin.
    Further probing revealed that Chinese nationals were using Indian proxies as directors and used local chartered accountants to set up companies. In one instance, one such accountant helped Chinese investors float 40 companies, 12 of which were loan apps that now have criminal cases booked against them.
    Police from four different states in India finally arrested seven Chinese nationals earlier this month for running the show with 35 Indian deputies, some of whom travelled to China for “training”. Several of these Indians were directors of multiple companies that have since been implicated in microloan scams based out of Bengaluru, Pune, Hyderabad, and Gurugram.
    Payment gateways providing online wallets to these companies such as PayTM, Razorpay, and Cashfree have also contributed to the fiasco, say critics, and have been accused of being shoddy in their due diligence. A simple scrutiny of the appropriate identification documents, known in India as Know Your Customer, would have stopped many of these companies, according to critics.
    THE FIX?
    Without a firm government decree that requires stringent checks on money-related apps, more monumental digitally-enabled disasters are a certainty.
    Moreover, app purveyors like Google should be forced to authenticate every loan app in their store. While the Google store has shut down a few dozen operators, the scale of the problem is immense. Hundreds of loan apps whose origins are dubious at best still abound.
    Another equally dire consequence is that details of individuals given for the 14 million transactions all include copies of the Aadhaar, or the national identity card, which is part of the pan-India database. That information, along with Indian citizens’ facial images, now sit comfortably on Chinese servers and many are calling it a national security issue.
    It is ironic that just 15 years ago, a microfinance revolution had built a dynamic industry in the same exact spot that many of the loan scams have popped up — the state of Telangana, which was once part of Andhra Pradesh.
    The industry ultimately collapsed because borrowers were strongly encouraged to take multiple loans which became simply unpayable. Many committed suicide and the industry collapsed.
    It seems that history is destined to repeat itself if checks and balances are not urgently established.


    OAIC asks Home Affairs to create 'information champ' role for overseeing FOI requests

    The Office of the Australian Information Commissioner (OAIC) has declared the Department of Home Affairs does not have adequate governance and systems of accountability in place to comply with statutory time frames for processing freedom of information (FOI) requests for non-personal information.
    Its findings were made following an investigation into the Peter Dutton-overseen department’s statutory processing periods specified under the Freedom of Information Act 1982.
    “Over the past four financial years, more than 50% of the FOI requests to Home Affairs for non-personal information were processed outside of the statutory processing period,” the OAIC said.
    Offering a handful of recommendations, the commissioner has suggested Home Affairs appoint an “information champion”.
    “Senior support, in the form of a senior information champion who is a member of the department’s executive with sufficient seniority, such as the chief operating officer, who may be supported by an information governance board, will play a key role in promoting FOI Act compliance within the department,” the OAIC says in its report [PDF].
    The OAIC has also recommended the creation of a manual, staff training, and compliance audits of performance moving forward.
    In compiling its report, the commissioner provided a timeline for the steps the department has taken up until the OAIC probe, such as implementing modern FOI handling technology capabilities.

    In 2017, Home Affairs launched an online form to assist applicants and a year later commenced use of HotDocs software for decision letters and other correspondence.
    “The department has become primarily digital, eliminating the creation of paper records and has been in the process of digitising incoming mail and existing paper records,” the report adds.
    In March 2020, the department published statistics on the General Skilled Migration program which reduced the frequency of FOI requests for this information, and a month later, it provided remote access to use Adobe Pro software to members of the FOI Section, coinciding with stay at home orders in response to COVID-19 measures.
    In the same month, Home Affairs introduced FOI management dashboards to provide information on the status of FOI caseloads and individual requests and in May it provided temporary additional resourcing to process FOI requests for personal information.
    The OAIC said such steps have improved compliance with statutory processing requirements.
    Earlier this week, the OAIC ordered Home Affairs to cost up the amount owed for each individual and pay compensation for “mistakenly” releasing the personal information of 9,251 asylum seekers.
    It was determined the former Department of Immigration and Border Protection at the time had “interfered” with the privacy of these individuals by accidentally publishing their full names, nationalities, locations, arrival dates, and boat arrival information on its website in 2014.
    Following the publishing of their personal information, the asylum seekers launched legal action against the department. The asylum seekers in New South Wales, Western Australia, and the Northern Territory claimed the breach exposed them to persecution from authorities in their home countries.
    A total of 1,297 applications were lodged as part of the legal case requesting that compensation be paid because those affected suffered loss or damage due to the data breach.
    The commissioner said the compensation to be paid to participating class members would range from AU$500 to more than $20,000 and would be determined on a case-by-case basis by the department.


    NSW taskforce wants Australia-wide cyber standards harmony

    The NSW Cyber Security Standards Harmonisation Taskforce has handed down a set of recommendations that ask industry and government to consider whether they want to move forward with harmonised cybersecurity protections.
    The recommendations made in the taskforce’s report [PDF] cover seven themes: Cloud as a “digital backbone”, defence, education, the energy sector, financial services, health, and telecommunications and the Internet of Things (IoT).
    When moving workloads to the cloud, the taskforce wants ISO or IEC standards followed as baseline requirements for information security, protective security, and supply chain security and risk management.
    With the Australian Signals Directorate announcing in March that it would be shuttering the current form of its cloud certification program, the taskforce has suggested that Australian governments, when setting any new cloud security requirements for services up to and including the protected level, should consider a combination of compliance with ISO/IEC 27001, SOC 2, and potentially FedRAMP as part of a uniform security baseline.
    It also wants Standards Australia to work with government and industry to develop material, such as a handbook, on how to adopt globally recognised standards.
    In addition, the taskforce is asking for an education sector-specific set of standards to be developed to ensure current risk management procedures are up to date.

    Likewise, it’s recommending the development of material that clearly communicates any business benefits around the adoption and use of standards to improve cybersecurity posture in the energy sector. This includes ensuring boards and executives understand the severity of weak systems.
    “This should include in relation to managing their legal obligations (for example, the Corporations Act, as well as energy-specific statutes) and the information should be rendered as clearly as possible,” the report said.
    Building on the finance sector’s Consumer Data Right obligations, the taskforce has suggested creating a new set of ISO standards that cover all of the sector’s regulatory requirements.
    The health sector, meanwhile, should take a look at global peers and ensure that any future guidance on cloud that they develop or mandate, as foreshadowed by proposed critical infrastructure reforms, takes a maturity-based approach, which factors into consideration entity size in relation to risk profile.
    “Australian governments … should explore the provision of additional support for market entrants to improve access to certification or standards advisory services in strategic areas, such as cyber readiness for Medtech, to support export growth,” the taskforce recommended.
    “This might take the form of targeted vouchers or grants, or supported advisory programs. This support could be supported by a formalised assessment process that also takes into account expected return on investment.”
    The taskforce has also asked the Australian government to consider convening a multi-stakeholder IoT Working Party. It said Australian governments, in creating new digital policy documents and/or directives, should require agencies to explicitly consider cybersecurity, including recognised standards, both in development and in later adoption.
    “This might, for example, be prior to Cabinet or expenditure review committee consideration,” it added.
    Stood up in June, the NSW Cyber Security Standards Harmonisation Taskforce was charged with addressing the risks posed by cyberspace, such as theft of an organisation’s intellectual property or the disclosure of sensitive information. To address such risks, the taskforce has been working towards the adoption and use of common standards.
    The taskforce is a joint effort between the NSW government, Standards Australia, and AustCyber, the non-profit organisation charged with growing a local cybersecurity ecosystem and facilitating its global expansion.
    While the taskforce was initiated by a state government minister, AustCyber CEO Michelle Price said she encourages industry and all levels of governments across the country to review and implement the recommendations outlined in the report.
    “Ultimately, a globally competitive Australian cybersecurity sector will underpin the future success of every industry in the national economy,” she wrote in her foreword. “Together, let’s foster innovation and generate increased investment and jobs through the creation and commercialisation of cybersecurity products and services, utilising agreed standards to build a more secure Australia.”


    Apple CEO sounds warning of algorithms pushing society towards catastrophe

    Apple CEO Tim Cook has said it is time to face the consequences of having algorithms push users towards more engagement at any cost.
    Speaking at the Computers, Privacy, and Data Protection conference on Thursday, Cook said too many companies are asking what they can get away with, rather than what happens if they follow through on boosting metrics.
    “At a moment of rampant disinformation and conspiracy theories juiced by algorithms, we can no longer turn a blind eye to a theory of technology that says all engagement is good engagement — the longer the better — and all with the goal of collecting as much data as possible,” he said.
    “What are the consequences of seeing thousands of users join extremist groups, and then perpetuating an algorithm that recommends even more?”
    Cook touched on the recent US Capitol riots in Washington, saying the time for pretending there are no costs to boosting conspiracy theories and incitements to violence, simply because users get engaged, was over.
    “It is long past time to stop pretending that this approach doesn’t come with a cost — of polarisation, of lost trust and, yes, of violence,” he said.
    “A social dilemma cannot be allowed to become a social catastrophe.”

    The Apple CEO said his company might be naive, but the tech giant believes the best measure of technology is how it improves lives.
    “Will the future belong to the innovations that make our lives better, more fulfilled and more human?” Cook queried.
    “Or will it belong to those tools that prize our attention to the exclusion of everything else, compounding our fears and aggregating extremism, to serve ever-more-invasively-targeted ads over all other ambitions?”
    Earlier on Thursday, Apple released a report that took a swipe at the ad industry and pointed out that apps, on average, have six trackers from other companies that “have the sole purpose of collecting and tracking people and their personal information”, and the industry collects $227 billion in revenue each year.
    Apple will soon roll out its App Tracking Transparency measures which will prompt users when apps want to access advertising identifiers on Apple’s operating systems. Google said this week it is still working out how to handle this change.
    “We are working hard to understand and comply with Apple’s guidelines for all of our apps in the App Store,” the search giant said.