More stories

  • Telstra, Optus, and Aldi Mobile warned by ACMA for not verifying new customer info

    The Australian Communications and Media Authority (ACMA) has issued formal notices to a trio of telcos after finding each had failed to validate customer details when moving between carriers. Medion Mobile, which powers Aldi Mobile and is owned by Lenovo, was caught out on 53 occasions, Telstra was found to have breached its obligations 52 times, and Optus was pinged for one violation. “Historically it has been too easy to transfer phone numbers from one telco to another. All a scammer needed to hijack a mobile number and access personal information like bank details was a name, address and date of birth,” ACMA chair Nerida O’Loughlin said. “We are cracking down on telcos that don’t follow the rules and leave customers vulnerable to identity theft.” ACMA said those who experienced mobile number fraud typically lost more than AU$10,000, and struggle to “regain control of their identities for long periods of time”. Since new rules on validating customer information came into effect early last year, the regulator said some telcos have reported the practice has stopped. ACMA said if a person believes they have fallen victim to such an attack, to contact their telco and bank, change passwords, report the act to the police, Scamwatch, and the Australian Cyber Security Centre.

    As usual with telco rule breaches, the ACMA warned further violations could see a AU$250,000 fine per breach. Earlier in the week, Lycamobile paid a AU$600,000 fine levelled at it, after ACMA found what it called “prolonged and large-scale customer data failures, which could have put people in danger”.

    In its investigation, ACMA found 245,902 instances where the telco failed to pass on information to Telstra so it could maintain the Integrated Public Numbers Database (IPND) used by emergency services when responding to 000 calls, as well as the Emergency Alert Service. ACMA said there were 5,671 instances where Lycamobile did not upload data to the IPND for “between three days and nine years” after gaining a customer. It also did not upload complete and accurate information for 240,231 customers, with over 210,000 customers being listed as connected in the IPND when they were disconnected.

  • Palo Alto Networks raises FY 21 outlook, beats Q3 estimates

    Palo Alto Networks published better-than-expected third quarter financial results on Thursday and raised its outlook for the fiscal year. Non-GAAP net income for the quarter was $139.5 million, or $1.38 per diluted share. Revenue grew 24 percent year-over-year to $1.1 billion. Analysts were expecting earnings of $1.28 per share on revenue of $1.06 billion.

    “The work-from-home shift earlier in the year and recent cybersecurity issues have increased the focus on security,” chairman and CEO Nikesh Arora said in a statement. “Coupled with good execution, this has driven great strength across our business with Q3 billings growth accelerating to 27% year over year. In particular, we saw a number of customers make large commitments to Palo Alto Networks across our three major platforms. We are pleased to be raising our guidance for fiscal year 2021 as we see these trends continuing into our fiscal fourth quarter, bolstering our confidence in our pipeline.”

    Billings for the quarter reached $1.3 billion. Deferred revenue grew 30 percent year-over-year to $4.4 billion. For the fiscal fourth quarter 2021, the company expects total revenue in the range of $1.165 billion to $1.175 billion, representing year-over-year growth of between 23 percent and 24 percent. For the fiscal year 2021, the company now expects total revenue in the range of $4.20 billion to $4.21 billion, representing year-over-year growth between 23 percent and 24 percent.


  • Healthcare organizations in Ireland, New Zealand and Canada facing intrusions and ransomware attacks

    Three healthcare institutions in Canada, Ireland and New Zealand are in the midst of security incidents this week, highlighting the perilous cybersecurity landscape within some of the world’s most important organizations. 


    Ireland’s Department of Health was attacked twice in the last week, eventually shutting down their entire IT system after a ransomware attack last Thursday. The same group also hit the Health Service Executive with a ransomware attack. Chief Operations Officer of the Health Service Executive Anne O’Connor told The Journal that the office had been hit by the Conti ransomware. According to RTÉ and the BBC, dozens of outpatient services were cancelled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. Irish Foreign Minister Simon Coveney called it a “very serious attack” while Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”

    The leaders of the Irish government met on Monday and said the National Cyber Security Centre had brought in Europol, private sector cybersecurity experts and hundreds of others to help solve the ransomware attack. The Journal reported that 85,000 computers were turned off once the attack was noticed and that cybersecurity teams are going through all 2,000 different IT systems one by one.

    “Those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen. These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data,” the government statement said. “The significant disruption to health services is to be condemned, especially at this time. Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused.”

    Emergency services are still operating in the country but are now busy because of the IT outage. Many radiology appointments are cancelled, according to a government statement, and there are now delays in COVID-19 test result reporting as well as delays with issuing birth, death or marriage certificates. Pediatric services, maternity services, and outpatient appointments in certain hospitals have all been affected by the attack, according to The Journal. Dublin’s Rotunda Hospital, The National Maternity Hospital, St Columcille’s Hospital, Children’s Health Ireland (CHI) at Crumlin Hospital, The UL Hospitals Group have all reported varying levels of IT outages. Health Minister Stephen Donnelly added this week that the HSE payment system was downed by the attack and that the 146,000 people working in the healthcare industry will face issues with full payment. On Thursday, the Financial Times reported that the people behind the ransomware attack were demanding $20 million to restore the system and had already started leaking private information about patients online. Irish Prime Minister Micheál Martin previously told the BBC that the government would not pay the ransom. New Zealand is facing a similar issue, with IT services for their healthcare system reporting a cybersecurity incident that completely knocked out the entire system. Clinical services at hospitals in Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui have all been affected by the attack. Even the landline phone services are down, and the government has said some outpatient appointments may need to be cancelled. More than 30 elective surgeries were cancelled in recent days due to the outage. 
    In addition to the attacks on the Irish and New Zealand healthcare systems, Canadian insurer Guard.me, one of the world’s largest insurance carriers, is still dealing with a downed website after “suspicious activity was directed at the guard.me website.” The site is still down, with a lengthy message explaining that they took down their website as a cautionary measure. Guard.me provides students who study abroad with health coverage internationally and the company has already sent out a letter to students informing them of the attack, according to Bleeping Computer. The letter admits that the “suspicious activity” they caught was actually someone gaining access to a database that contained the dates of birth, genders, phone numbers, email addresses, mailing addresses, and passwords of students. Cybersecurity expert Mathieu Gorge, CEO of Ireland-based VigiTrust, said ransomware gangs and other cybercriminals have proven repeatedly through attacks on healthcare systems during the pandemic that they have little regard for human life or privacy.

    “What’s most worrying about this is that it has established a trend that you can attack critical infrastructure anywhere and everywhere,” Gorge said. “And these aren’t necessarily sophisticated attacks by nation-states; they are relatively low-skill attacks with huge consequences exploiting attack surfaces which frankly should be better protected.”

    Saryu Nayyar, CEO of cybersecurity company Gurucul, said ransomware gangs have now perfected the art of monetizing every aspect of an attack. On top of the ransoms they make from attacks, medical records, she said, hold highly sensitive personal data that can be used to socially engineer money from fragile patients who are not cyber savvy like the elderly, not to mention the obvious identity theft. “The fact that the Irish government will not give in to the attacker’s demands is a sign that they are confident they have backups to sufficiently restore their systems and data. But the cybercriminals will likely publicize their stash of sensitive patient health data just because they can and they’re evil,” Nayyar added. “Usually, the ransom price is determined by the amount of cybersecurity insurance the victim organization has. Perhaps the Irish government doesn’t have cybersecurity insurance, but in this case it doesn’t matter since Conti is known to operate on the basis of ‘double extortion’ attacks, so the data would be made public anyway.”

    Zerto vice president of product marketing Caroline Seymour noted that even when organizations have backups or recovery systems, they can be days or weeks old, leading to inevitable gaps and data loss that can be highly disruptive as well as add significantly to the overall recovery cost. Many other experts noted that the rush to digitize hospital services across the world has left almost every country vulnerable to ransomware operators eager to hold critical arms of governments hostage.

    With the millions of dollars being made through ransomware, the gangs behind them have become more methodical and are now run like businesses with scalable campaigns, according to Hank Schless, senior manager at Lookout. “Historically, it was far more likely that attackers would try to brute force their way into the infrastructure and exploit any weak points in its defenses,” Schless explained. “Every day, hundreds if not thousands of users connect to corporate infrastructure from unmanaged devices and networks. They also expect to have seamless access to a mix of on-premises and cloud-based services in order to get their jobs done. Since this all takes place outside the safety of the traditional perimeter, it could open countless backdoors into your infrastructure.”

  • Fraudsters employ Amazon ‘vishing’ attacks in fake order scams

    Researchers have highlighted tactics used by fraudsters today in voice-based phishing campaigns. 

    Phishing attempts involve fraudulent messages sent over email, social media networks, SMS, and other text-based platforms. They may appear to be from your bank, popular online services — such as PayPal or Amazon — or they may attempt to lure in victims with promises of tax rebates and competition prizes. These messages often contain malicious attachments designed to deploy malware, or they may try to direct victims to fake websites.  So-called “vishing” is a subset of phishing techniques that combines ‘voice’ and ‘phishing’. Victims may be cold-called or emails could contain phone numbers, voice notes, and messages — but the overall goal is the same: to swipe your personal data.  Scam artists can employ “spray and pray” techniques in campaigns and blast out thousands of emails in one go, and now, voice over internet protocol (VoIP) technology has allowed fraudsters to do the same, all while spoofing their caller IDs and identities.  In separate case studies published by Armorblox on Thursday, the team highlighted two Amazon vishing attacks intent on stealing customer credit card details — and how the use of voice messages can bypass existing spam filters.  The first example vishing attempt, tracked to roughly 9,000 email inboxes, was sent from a Gmail account and contained the subject line: “Invoice:ID,” followed by an invoice number and content containing color markers used by Amazon. 

    This email says that an order for a television and gaming console had been placed — a purchase worth hundreds of dollars — and urges the recipient to contact them using a phone number if there are any errors. 
    Armorblox called the ‘payload’ phone number and a person on the other end of the line answered, pretending to be from Amazon customer service. The scammer requested the order number, customer name, and credit card details before cutting the call and blocking the number.  According to the researchers, the use of a zero in “AMAZ0N TEAM” helped the message bypass existing spam filters, including Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO). A spam level of “1” was assigned to the email, which means that the message was not considered fraudulent. In the second example, which reached roughly 4,000 inboxes and was also able to circumvent EOP and MSDO, fraudsters impersonated Amazon via a spoofed email address — “no-reply@amzeinfo[.]com” — and used the subject line, “A shipment with goods is being delivered.” The email contained an order number, a payment amount of $556.42, and another phone number ‘payload’ for customers to make return requests. However, in this case, the researchers found that the scam appeared to have been shut down as the phone number was not in service. As the emails did not contain malicious attachments or links, this allowed the fraudsters to bypass spam filters. In both cases, the fraudsters used a combination of social engineering, brand impersonation, and emotive triggers — the apparent loss of hundreds of dollars — to induce victims into calling them. If successful, victims could end up handing over their personal data and credit card details, leading to consequences such as identity theft or fraudulent payments made on their behalf.  As many of us remain at home due to the pandemic and we’ve come to rely more heavily on online shopping, fraudsters will continue to try and exploit these trends. In August, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning of an increase in vishing attacks against the private sector.  
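    An added example, not code from Armorblox or from the article, showing how a mail filter could score the pattern the two case studies share: a brand name invoked from a domain the brand does not use, digit-for-letter spelling that defeats plain keyword matching, and a phone number as the only payload with no link or attachment for a URL filter to inspect. The brand allowlist, the weights and the sample messages are assumptions constructed for this example.

```python
import re

# Brands the filter protects, with the sender domains they legitimately use.
# The allowlist is an assumption for this example, not a vendor list.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk")}

# Digit-for-letter substitutions that defeat naive keyword matching ("AMAZ0N").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Deliberately simple North-American phone pattern; a production filter would
# use a proper phone-number parsing library instead.
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
CALL_WORDS = re.compile(r"\b(?:call|contact|phone|dial)\b", re.I)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
ADDR_RE = re.compile(r"<?[\w.+-]+@([\w.-]+)>?\s*$")

# Constructed sample messages modelled on the two case studies plus one genuine
# shipping notice. Phone numbers use the reserved 555-01xx range; the spoofed
# domain amzeinfo.com is the one quoted in the article.
SAMPLES = [
    {"from": "AMAZ0N TEAM <orders-team@gmail.com>",
     "subject": "Invoice:ID 402-1187-22",
     "body": ("Your order for a 55-inch TV and a gaming console has been placed. "
              "Total charged: $849.99. If you did not authorise this purchase, "
              "call our customer service at +1 (800) 555-0142 within 24 hours."),
     "attachments": []},
    {"from": "Amazon <no-reply@amzeinfo.com>",
     "subject": "A shipment with goods is being delivered",
     "body": ("Order #771-0034-19. Payment amount: $556.42. To request a return "
              "or cancel the order, please call 1-800-555-0199."),
     "attachments": []},
    {"from": "Amazon.com <ship-confirm@amazon.com>",
     "subject": "Your Amazon.com order has shipped",
     "body": ("Order #114-2211-3390 (total $42.50) is on its way. Track it at "
              "https://www.amazon.com/your-orders"),
     "attachments": []},
]


def normalize(text):
    """Lowercase and undo digit-for-letter substitutions so AMAZ0N matches amazon."""
    return text.lower().translate(HOMOGLYPHS)


def sender_domain(from_header):
    m = ADDR_RE.search(from_header)
    return m.group(1).lower() if m else ""


def impersonated_brand(msg):
    """Return a protected brand that the message invokes from a domain that is not
    the brand's own, or None. Matching runs on the normalized text."""
    haystack = normalize(" ".join((msg["from"], msg["subject"], msg["body"])))
    domain = sender_domain(msg["from"])
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in haystack and not legit:
            return brand
    return None


def score_vishing(msg):
    """Score the vishing pattern: brand impersonation plus a phone-number call to
    action, with no link or attachment for a conventional filter to inspect."""
    raw = msg["subject"] + "\n" + msg["body"]
    plain = " ".join((msg["from"], msg["subject"], msg["body"])).lower()
    reasons, score = [], 0
    brand = impersonated_brand(msg)
    if brand:
        score += 3
        reasons.append(f"'{brand}' invoked from non-brand domain {sender_domain(msg['from'])}")
        if brand not in plain:  # only the de-obfuscated text contained the brand
            score += 2
            reasons.append("brand name spelled with digit substitutions")
    phones = PHONE_RE.findall(raw)
    if phones and CALL_WORDS.search(raw):
        score += 2
        reasons.append(f"phone-number call to action: {phones[0]}")
        if not URL_RE.search(raw) and not msg.get("attachments"):
            score += 2
            reasons.append("no link or attachment; the phone number is the only payload")
    if MONEY_RE.search(raw):
        score += 1
        reasons.append("dollar amount used as an urgency lure")
    return {"score": score, "flag": score >= 5, "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLES:
        result = score_vishing(msg)
        print(f"{msg['from']:45} score={result['score']:2} flag={result['flag']}")
        for reason in result["reasons"]:
            print("   -", reason)
```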
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Apple isn't happy about the amount of Mac malware out there

    A top Apple exec has said that Mac malware has now exceeded Apple’s level of tolerance, and framed security as the reason for keeping iPhones locked to the App Store, during testimony defending Apple in a lawsuit with Fortnite maker Epic Games. Apple’s head of software engineering Craig Federighi told a court in California that Apple found current levels of malware “unacceptable”. 


    “Today, we have a level of malware on the Mac that we don’t find acceptable,” he said in response to questions from Apple’s lawyers, as ZDNet sister site CNET reports.

    Apple is defending its practices after Epic Games filed a US lawsuit against Apple because the iPhone maker kicked its Fortnite game off the App Store after Epic put in place a direct payment system for in-game currency, which would bypass the 30% fee charged by Apple to developers. Epic says Apple is too restrictive. The Apple-Epic case commenced on May 3. Yesterday, App Store boss Phil Schiller emphasized the App Store was focused on security and privacy from the outset. Federighi said that since last May, there have been 130 types of Mac malware – and one variant infected 300,000 systems.

    He added that Macs have a “significantly larger malware problem” than iPhones and iPads, comparing the Mac problem to an “endless game of whack-a-mole”. Macs can install software from anywhere on the internet whereas iOS devices can only install apps from Apple’s App Store. US security firm Malwarebytes, which sells Mac antivirus, reported that Mac malware was now outpacing Windows malware. But the company also noted that the threats to Macs, mostly adware, were not as dangerous as malware for Windows.

    Per 9to5Mac, Federighi compared the Mac to a car whereas iOS was designed with safety for children in mind. “The Mac is a car. You can take it off road if you want and you can drive wherever you want. That’s what you wanted to buy. There’s a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It’s really a different product,” he said.

    Federighi also contended that, if Apple allowed iOS users to sideload apps, things would change dramatically. “No human policy review could be enforced because if software could be signed by people and downloaded directly, you could put an unsafe app up and no one would check that policy,” he said.


  • Android apps exposed data of millions of users through cloud authentication failures

    Researchers analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to over 100 million users. 


    In a report published on Thursday by Check Point Research, the cybersecurity firm said no less than 23 popular mobile apps contained a variety of “misconfigurations of third party cloud services.” Cloud services are widely used by online services and apps today, perhaps even more so due to the rapid shift to remote working caused by the coronavirus pandemic. They are useful for data management, storage, and processing, but it only takes one access or authorization oversight to expose or leak the records they hold.

    Apps, in particular, will often integrate with real-time databases to store and synchronize data across different platforms. However, the developers of some of the apps examined failed to make sure authentication mechanisms were in place. According to CPR, the 23 Android apps examined — including a taxi app, logo maker, screen recorder, fax service, and astrology software — leaked data including email records, chat messages, location information, user IDs, passwords, and images. In 13 cases, sensitive data was publicly available in unsecured cloud setups. These apps accounted for between 10,000 and 10 million downloads each. While investigating the taxi service app, for example, the team was able to send one simple request to the app’s database and pull up messages sent between drivers and customers, names, phone numbers, and both pick-up and drop-off locations.

    The cloud services providing backend data management for the screen recorder and fax apps, too, were not adequately secured. CPR was able to recover the keys that grant access to stored recordings and fax documents by analyzing the applications’ files. Push notification keys were also found in the apps, left open to abuse. If push services are exploited, they can be used to send malicious alerts to app users.

    The researchers say these security failures are due to developers failing to follow “best practices when configuring and integrating third party cloud services into their applications.” “This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users,” CPR says. “If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft.” CPR informed the app developers of the misconfigurations prior to disclosure and several have tightened up their controls. Earlier this month, the researchers published an advisory on Qualcomm MSM data services and the discovery of a vulnerability that could theoretically be used to tamper with and inject malicious code into Android handset modems.


  • Colonial Pipeline CEO: Paying DarkSide ransom was the ‘right thing to do for the country’

    The chief executive of Colonial Pipeline has defended paying cybercriminals who launched a devastating attack on the company, calling it the “right thing to do for the country.”


    Speaking to the Wall Street Journal, Colonial Pipeline CEO Joseph Blount acknowledged that a $4.4 million ransom demand was paid after a ransom note was found by an employee on the firm’s systems on May 7. Alpharetta, Georgia-based Colonial Pipeline was forced to close down its pipeline operations and IT systems following a ransomware attack launched by DarkSide ransomware operators.  Colonial Pipeline says it provides approximately 45% of the East Coast’s fuel, including gasoline, diesel, and military supplies. The public disclosure of the incident prompted panic-buying in some cities across the United States, the price of gas rose, and despite pleas for customers not to panic, a number of gas stations reported themselves as running dry. It took the best part of a week for Colonial Pipeline to restore both main and small lateral fuel lines as the company worked to keep the hardest-hit areas supplied as best as it could.  As a core energy infrastructure asset of the US, the chief executive said that he authorized the $4.4 million payment due to “the stakes involved,” according to the WSJ. 

    At the time, the company was not sure of the scope of the attack and how long the pipelines would be out of operation. DarkSide was a double-extortion group, in which confidential information is stolen at the time of a cyberattack and before systems are encrypted — which would alert victim organizations to their presence. The cybercriminals then threaten their victims if they refuse to pay for a decryption key with the public exposure of their information on a leak site.

    Blount acknowledged that paying up was a “highly controversial” decision and not one to be “made lightly.” However, the CEO said it was the right thing to do considering the potential energy supply implications to the United States. The FBI confirmed that a DarkSide operator was responsible for the attack. DarkSide, a ransomware-as-a-service (RaaS) affiliate operation, has since lost control of its blog and servers, effectively closing down the criminal outfit — at least, in its current form. According to Elliptic, DarkSide operators raked in over $90 million in cryptocurrency ransom payments from at least 47 victims. US President Joe Biden has since signed an executive order to improve federal security requirements.

  • ByteDance CEO to step down, focus on 'long-term' strategy

    ByteDance’s founder Zhang Yiming is stepping down from his CEO role and moving to a new role that focuses on “long-term strategy”. Co-founder and head of human resources Liang Rubo will take over the chief executive hat, as the two executives work on a transition slated to take place by end-2021. The parent company of video platform TikTok, ByteDance on Wednesday released an internal letter Zhang wrote to employees, explaining his decisions and stating his new role also would focus on corporate culture and social responsibility, areas in which he had hoped to achieve more than he currently had. He noted that stepping away as CEO would relieve him from having to manage day-to-day operations and better allow him to have a greater impact on initiatives that were long-term. It was the benefit of time that had enabled him to lay the foundation for ByteDance, which he cultivated between graduating from college and starting the company some nine years ago.

    Zhang said: “I spent a lot of time thinking and learning about challenges like effectively disseminating information, using technology to improve products, and approaching the development of a company–much like one would a product: through constant re-evaluation, adjustment, and iteration.”

    He said innovation and success required years of exploration, noting that Tesla was 18 years old and had started out experimenting with laptop batteries to power its vehicles, while the early development days of Apple’s HomeBrew software management tool dated as far back as the 1970s. In efforts to scale and expand their business, he noted that entrepreneurs often ended up “overly central” and in the daily routine of listening to presentations, handling approvals, and making decisions reactively. This led to them depending on old ideas and being slow to develop new ones. “I believe I can best challenge the limits of what the company can achieve over the next decade, and drive innovation, by drawing on my strengths of highly-focused learning, systematic thought, and a willingness to attempt new things,” he said.

    Zhang also revealed that he lacked some skillsets that “an ideal manager” should have as well as the desire to manage people, preferring instead to analyse organisational and market principles and tapping these to reduce management work. He added that he was not sociable and would rather participate in “solitary activities” such as reading and listening to music. “I think someone else can better drive progress through areas like improved daily management,” he said. Pointing to Liang’s strengths in management and social engagement, he said his co-founder had assumed various roles in ByteDance, which included leading the company’s research and development efforts. He added that Liang had developed key recruitment and corporate policies as well as management systems. The two executives would use the next six months to ensure a smooth transition, Zhang said.

    His announcement comes weeks after ByteDance’s current CFO and Singaporean Chew Shou Zi was appointed TikTok’s new CEO, as part of a “strategic reorganisation”. Chew, who had assumed his CFO position in March, is based in Singapore. TikTok’s US operations had been poised to be sold to Oracle and Walmart, but the sale was “shelved indefinitely” following a review by the Biden administration to assess security risks of foreign-owned apps and software. The sale had been prompted by former president Trump’s executive orders banning the downloads of Chinese-owned social media apps WeChat and TikTok, alleging they posed threats to his country’s national security, foreign policy, and economy due to the data they collected.