News round-up July 2020 — European court decision on international data transfers, software vulnerabilities, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email to subscribe.


The round-up

This month saw some big plays in the world of privacy – most notably the striking down by a European Court of a mechanism for international data transfers. We look at the implications for Australian organisations coming out of the judgement. This month we’re also reminded of the inherent vulnerability of software via stories about backdoors in Chinese tax software, a flood of critical patches released for popular enterprise software products and, of course, more yarns about ransomware.

Key articles:

Chinese bank requires foreign firm to install app with covert backdoor

Summary: Tax software required to be used by organisations that conduct business in China has been found to have been infected with malware.

Key risk takeaway: This discovery by security researchers is a cautionary tale for any business with operations in China. Dubbed “GoldenSpy”, the backdoor in the tax software reportedly allowed the remote execution of commands on infected computers. A similar backdoor was later discovered in the other of the two Chinese-government authorised tax software products. Concerns have long been raised about the invasive security provisions levelled at western businesses by China, though the covert nature of this incursion is rather more sinister. The FBI warns that companies in healthcare, chemical and finance sectors are in particular danger. Echoing the FBI’s advice, businesses should ensure they patch critical vulnerabilities on their systems, monitor applications for unauthorised access and protect accounts through multi-factor authentication.

Tags: #cyberhygiene #cyberespionage


Europe’s top court strikes down flagship EU-US data transfer mechanism

Summary: The EU-US Privacy Shield, a key framework for regulating transatlantic data transfers, has been declared invalid by the Court of Justice of the European Union with immediate effect. Alternative international data transfer mechanisms remain valid subject to additional obligations imposed upon companies.

Key risk takeaway: Though primarily focused on transatlantic transfers, the Court’s judgement will also give pause to Australian organisations that use Standard Contractual Clauses (SCCs), a key tool for Australia-EU data transfers. Whilst confirming that SCCs remain a valid means for international data transfers under the GDPR, the Court’s judgement imposes an onus on companies relying on SCCs to undertake case-by-case determinations on whether foreign protections are adequate under EU standards and whether additional safeguards are required.

Tags: #privacy #GDPR


Apple Just Crippled IDFA, Sending An $80 Billion Industry Into Upheaval

Summary: Apple’s shift to requiring opt-in consent for IDFAs, a unique identifier which enables advertisers to track user behaviour across apps for targeting and attribution purposes, threatens to upend the mobile advertising ecosystem.

Key risk takeaway: Apple continues to brandish its privacy-centric approach as a key competitive asset and brand differentiator. This latest move was announced alongside a series of privacy-conscious updates and has been celebrated by privacy advocates as a fundamental step towards greater user transparency and control over use of their data. The change involves users now receiving explicit prompts requiring opt-in consent, as opposed to these controls being buried within Apple’s settings. The update has particular implications for both Facebook and Google, whose ad-tech services depend on aggregating large troves of data with IDFAs. Meanwhile, in another fillip for privacy advocates this month, the public broadcaster in the Netherlands has published data showing that it grew ad revenue after ditching ad trackers and moving to contextual ads.

Tags: #privacy #trust


Twitter partially shut down as hackers compromise 45 high profile accounts

Summary: In a coordinated attack, hackers gained control of dozens of high-profile Twitter accounts, including former US President Barack Obama, US presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Elon Musk, Apple and many others.

Key risk takeaway: While the hackers’ motivations here appear to have been rather benign (to propagate a bitcoin scam message), their unprecedented access could have had much more serious consequences. Imagine a nation state with full control of these compromised accounts, intent on derailing an election. It should raise the question for any organisation – what damage could a hacker do with access to your internal tools? The methods behind the attack were also relatively standard: social engineering to gain access to an internal customer support tool, which they used to reset account passwords. No zero-day cyber-gymnastics here. The obvious lesson here is ‘back to basics’ – training and awareness and restricted privileges. The deeper concern is how Twitter and other social media have become so central to our democracies – failures of this kind cannot be allowed to happen.

Tags: #socialengineering #databreaches #geopolitics


2020 is on track to hit a new data breach record

Summary: Troy Hunt’s ‘Have I been Pwned’ database reaches 10 billion records, while a new report estimates that 8.4 billion records were exposed in the first quarter of 2020 alone.

Key risk takeaway: The internet is now awash with compromised credentials, making password re-use a greater threat than ever. If you’ve already used a given password before, the likelihood is it’s now out there somewhere and can be used to compromise your account. This threat to account security is compounded by the continued rise of phishing and social engineering attacks, particularly in the new COVID-19 normal. The rapid switch to remote working combined with the uncertainty of the pandemic have given rise to effective new phishing lures such as fake pandemic updates or notifications from popular remote working applications. And so, the parade of data breaches continues. From dating apps to hotel chains, airlines, telcos and many others, news of data breaches has become part of the background hum of our industry.

Tags: #databreaches


Garmin confirms ransomware attack, keeps quiet on possible Evil Corp. involvement

Summary: Garmin said while there was no indication attackers accessed customer data, the attack did interrupt website functionality, customer support services, user apps and corporate communications. This was again one of many ransomware attacks this month.

Key risk takeaway: This particular attack draws attention to the incredibly precarious position ransomware victims find themselves in regarding ransoms. Enduring widespread disruption to services due to WastedLocker ransomware, Garmin reportedly was faced with a US$10 million ransom to decrypt its files. Reports also claim that Russian gang Evil Corp was behind the attack. The gang’s members have been sanctioned by the US government, making any dealings with them illegal. Services are now back online and Garmin has not confirmed whether it paid the ransom. We also learned this month that ransomware gangs are a patient bunch – spending long periods of time within the networks they have breached in order to gather as much information as possible to maximise leverage in ransom demands.

Tags: #ransomware


US cyber officials urge patching of bug affecting up to 40K SAP customers

Summary: A critical vulnerability in SAP applications could affect up to 40,000 customers.

Key risk takeaway: Patch your critical systems! The last month has seen a rash of patches released for serious vulnerabilities in widely used systems. In addition to the SAP bug, software company Citrix announced yet more bugs (but with fixes), as did Microsoft, Palo Alto Networks and F5 Networks for their products. Respected guidance such as the Australian Government’s Essential Eight strategies recommends timely patching as a foundational security practice. In practice, many organisations struggle to prioritise the many, many security fixes that increasingly require acting on. The last month will only have further compounded the headaches of systems administrators (and likely intensified their pleas for more attention to secure coding practices).

Tags: #vulnerabilitymanagement

News round-up June 2020 — PM’s cyber strategy announcement, ransomware attacks and email scammers

The round-up

“Imagine if we could get the Prime Minister to yell ‘cyber’?”
Security leaders preparing to go cap-in-hand for FY21 budgets could only have dreamed of the platform their portfolios would get this month. In this month’s round-up we take a look at the PM’s announcement, and watch as ransomware and business email compromise jostle for the mantle of most damaging cyber threat.

News round-up May 2020 — Ransomware formally registered as business risk and security report on cyber attackers

The round-up

In our latest round-up, we get a fresh angle on some familiar threats. The rise of ransomware over recent years has seen it elevated as a formally registered business risk, while new research seeks to explain why phishing continues to work so well. A new security report also gives us insight into what’s motivating cyber attackers, and into one of the fastest growing reasons that data breaches are occurring.

News round-up April 2020 — Privacy and security issues with COVID-19

The round-up

COVID-19 is creating a heady and swirling vortex of news, information and disinformation. In this edition we cut through to the key privacy and security issues of the pandemic, including the Government’s contact tracing app and the new risks and scams that security leaders need to be thinking about. We also check in on how cybercriminals are attending to business-as-usual.

Key articles:

ACSC issues FUD-busting COVID-19 WFH guide

Summary: In light of new and more pronounced cyber security vulnerabilities brought on by the workforce’s wholesale transition to working from home, the Australian Cyber Security Centre issued its own official guidance.

Key risk takeaway: Security leaders in businesses right across the economy are responding to working arrangements and circumstances radically different to those for which they devised their risk mitigation strategies and activities. For the many professionals working from home, the ACSC’s tips include being aware of COVID-19 related cyber threats and scams (see next story), adopting strong passphrases and use of multi-factor authentication. Security teams also need to account for the different risk profile that results from a highly distributed workforce working in non-corporate environments. Risks to manage more closely include user adoption of unsanctioned video conferencing platforms and ensuring users connect to networks securely. Other emerging considerations include the need to revisit security provisions in technologies hastily purchased during the pandemic and sharpening governance over “shadow IT”, as workers install and use their own (non-sanctioned) applications to continue to perform their duties in non-standard conditions.

Tags: #securityhygiene #securityawareness #securityriskassessment


Continued widespread reports of COVID-19 malicious scams

Summary: Authorities and businesses around the world are observing a massive surge in internet scams related to the coronavirus pandemic. Says one security professional: “I’ve never seen this volume of phishing. I am literally seeing phishing messages in every language known to man.”

Key risk takeaway: It’s the pandemic edition of the usual refrain – humans are the critical front-line in defending against cyber-attacks. Businesses must take strong steps to make their employees aware of the explosion in COVID-19 themed scams and phishing attacks, which are being deployed to drop malware, steal information and facilitate financial fraud. Thousands of new coronavirus-themed web domains, which are used as phishing sites and to spread malware, are being registered every day. The Australian Signals Directorate is muscling up for the fight, as are US law enforcement authorities and even an army of volunteer cyber defenders.

Tags: #securityawareness


Australia launches COVIDSafe contact tracing app

Summary: The Australian Government launched an app to support health professionals in performing contact tracing on individuals who test positive for coronavirus. The Government app faced intense scrutiny over its handling of privacy and security considerations.

Key risk takeaway: The public’s heightened expectations of privacy and transparency in new technologies and services – particularly those involving sensitive information (such as health status) – are brought to the fore in the public conversation surrounding the COVIDSafe app. The Government’s previous missteps in adequately addressing privacy and security considerations in technology deployments (e.g. Census, My Health Record) have demonstrably impacted this rollout, reflecting the importance of service providers building trust over an extended period. A privacy impact assessment on the app – which made 19 recommendations, the bulk of which were accepted – has helped in some part to ameliorate some of the privacy concerns (read elevenM’s Melanie Marks’ view of some of these privacy risks here). An auxiliary consideration for organisations will be how they deal with employee queries about the app, particularly in relation to installing it on work-issued mobile devices.

Tags: #privacy #privacyimpactassessment


Zoom bolsters software security in latest move to reassure users

Summary: Video conferencing platform Zoom has faced intense criticism over poor security and privacy practices, leading to “do not use” edicts from everywhere from governments to major corporations.

Key risk takeaway: When your startup’s moment finally comes, will a complacent attitude to privacy and security be your undoing? Widespread self-isolation has certainly been a godsend for video conferencing platforms like Zoom. But despite a massive surge in users, Zoom’s reputation has taken a thorough battering. Like Standard Chartered has done overseas, we’re aware of major Australian organisations issuing guidance to staff to refrain from using Zoom, especially for official business. Zoom has had to move fast to issue mea culpas and patch security and privacy holes. For major developers of digital services and budding start-ups alike, a more efficient and less painful strategy is to bake in good practices through approaches such as privacy-by-design and secure coding.

Tags: #privacybydesign #securecoding


IT services behemoth Cognizant suffers attack by Maze ransomware

Summary: While we’re all pre-occupied with COVID-19, one group (sadly) is carrying on as though everything is normal: ransomware gangs. In the past month foreign exchange business Travelex, insurer Chubb and technology consultancy Cognizant were all revealed to have been hit with ransomware.

Key risk takeaway: Ransomware might be overshadowed now by that other virus, but by no means has it gone away. We wrote in February of the havoc Maze ransomware gangs were already wreaking in 2020. And the fact that cybercriminals are now offering discounts on their services should remind us all that they’re determined to be a viable force throughout and beyond the pandemic. The Cognizant incident – in addition to reminding us of the importance of endpoint protection and detection tools – highlights a couple of considerations. First, the incident affected Cognizant clients, illuminating the issue of supplier risk. Organisations should consider quickly disabling system access for any infected supplier. Second, the particularly aggressive public extortion strategy used by Maze attackers – in which sensitive data is stolen before being encrypted, and its public release threatened if the victim doesn’t pay the ransom – highlights the need for a clear public communications strategy for cyber incidents.

Tags: #solvingransomware #crisiscommunications

News round-up March 2020 — COVID-19 influence on cyber security, privacy and digital risk

The round-up

First and foremost, we wish all our clients and friends the best in these challenging times. We hope your families are well and that your businesses are finding a way to move forward through the current crisis.

Given the present saturation of COVID19-related news, we considered avoiding the topic altogether in this edition of the news roundup, as a way to help our readers step back from the crisis and dip back into business as usual.

The reality, as we’re all appreciating, is that our collective response to the pandemic is unprecedented. It dominates all spheres of our lives – work, home, socialising, shopping and parenting. “Business as usual”, as it used to be, doesn’t really exist at this moment.

So in this month’s round-up, which takes a slightly different form, we look at how COVID-19 is influencing the spheres of cyber security, privacy and digital risk.


Key themes:

Security and privacy at the heart of changed ways of working

COVID-19 has heralded an unparalleled change in working conditions, most strikingly marked by large volumes of staff working from home, in accordance with social distancing and isolation guidelines issued by authorities.

Working from home isn’t new, but the scale is unprecedented. IT and security teams have scrambled to ensure that the sizeable increase in numbers of staff working remotely – including many that haven’t done it before – doesn’t translate to an unpalatable increase in security and privacy risks.

Recommendations have been widely published online to promote secure working from home practices, including use of secure networking tools such as VPNs and access controls such as multi-factor authentication. Some also see the current circumstances as an opportunity to introduce stringent IT architectures that will promote greater security long after the crisis subsides.

While technical measures are critical, we can’t underscore how important it is for organisations to also speak to their staff. Issue clear advice about the need to maintain secure practices when working from home, and the continuing importance of protecting the information of customers and of the organisation. As executives increase their conversations with staff at this time about how their companies are handling the crisis, security and privacy teams must also strive to have security and privacy priorities included in these communications.

The highs and lows of humanity

The image of people fighting off the elderly for toilet paper crystallises how the pandemic has, sadly, illuminated some of the worst in human behaviour.

So it was in the cyber realm. Very quickly after the pandemic took hold, authorities observed a spike in COVID-19 themed phishing and scam emails. Also discovered were coronavirus health apps laced with malware, hijacked routers steering users to malicious COVID-19 sites, and the disruption of online services that the public will increasingly come to rely on.

The expansion of cybercrime infrastructure – such as the registering of new domains, and burgeoning pool of potential money mules – further suggests we could face these new risks for a sustained period.

All the more reason for businesses to start educating their staff now, not least because a state of heightened fear, anxiety and constant desire for new information likely increases susceptibility to threats such as phishing.

For a while, it did seem that cyber-criminals might have an attack of conscience, with some peddlers of ransomware vowing to lay off health care companies. A series of hospital-related attacks showed that to be a false dawn.

While there may be no honour among cyber thieves, there is valour in our industry worth celebrating. Many security researchers are volunteering to support healthcare providers fighting hackers, while a number of security vendors are providing free tools to help their customers be more secure. Some professionals have even set up an online cyber school for flustered home-schooling parents to help teach their kids cyber security.

Cyber workers are essential

As healthcare staff fight valiantly on the frontlines of this pandemic, it’s not unlikely that many of us in professions far removed from hospitals and health clinics are second-guessing how important our jobs are today.

Of course, PM Scott Morrison has declared that all workers are “essential” workers. But for those wanting something more specific, US President Trump also issued guidance this month on exactly what roles make up the essential critical infrastructure workforce.

A number of cyber security roles were defined in the list, including workers performing cyber security functions at healthcare facilities and energy providers. The inclusion of these roles in this list affirms that cyber security functions play a critical role in the functioning of society, even in the event of a pandemic-related lockdown.

A stoush between public health and privacy?

If the importance of cyber security was re-affirmed in the previous section, privacy may have taken a backseat, at least momentarily. Various governments, seeking to arm themselves with the information needed to contain the pandemic, have turned quickly to our personal data.

In some countries, like the US, this at least kicked up an ethical conversation. In other jurisdictions, like Singapore, Taiwan and Israel, the public health imperative appears to have overridden any appetite for discussion.

But one should never be too quick to declare privacy dead. Privacy was built for this. Principles such as necessity, proportionality, reasonableness and transparency are more important than ever for governments that will need to maintain public trust throughout a sustained state of emergency.

One of the first tasks for privacy advocates on the other side of this crisis will likely be to ensure that privacy concessions made in the name of necessity are rolled back as the emergency subsides (as signaled here). Beyond that, there will also be an opportunity to re-assess and refine prevailing attitudes to privacy and seek to reframe conversations where the discussion is framed as a choice between privacy and health.

News round-up February 2020 — Privacy priorities and on-selling data

The round-up

In this edition, a well-known security vendor shuts down a subsidiary business that was on-selling user data, with the CEO admitting the practice wasn’t in line with the company’s “north star” and privacy priorities. Setting up a global privacy office looks to be one way that companies are seeking to avoid going astray on privacy – in this edition we highlight a major Australian bank doing just that. This roundup also examines the attacker tactics that lead to most security incidents.

Key articles:

Avast shuts down marketing analytics subsidiary Jumpshot amid controversy over selling user data

Summary: The seller of anti-virus software has wound down a subsidiary business found to be selling highly sensitive web browsing data.

Key risk takeaway: The financial implications of poor security and privacy practices are laid bare in this story, with Avast not only winding down a US $180m subsidiary company but also seeing its shares fall 11 percent in value in the wake of the revelations. It’s also a reminder that security tools are by design invasive and often require deep access to systems and data. In the case of this story, Avast’s software tracked its users’ clicks and movements across the web, repackaging that data and selling it on to clients that included Google, Yelp, Microsoft and Pepsi. As with any software supplier, organisations should seek assurances that security vendors will use their access to systems and data appropriately and in line with privacy regulations and expectations. Meanwhile, the effectiveness of security software against well-known attacks is to be evaluated by US non-profit agency MITRE, which produces the respected ATT&CK framework, a knowledge-base of attacker tactics and techniques.

Tags: #softwareassurance #privacy


NAB sets up a global privacy office

Summary: National Australia Bank has set up and is expanding a global privacy office under its chief data officer. The remit of the office is to safeguard customer data and champion privacy culture and data ethics.

Key risk takeaway: Establishment of global privacy offices under a chief privacy officer (CPO) continues to gather pace, offering organisations a means to provide greater focus on how they handle growing amounts of customer data. Whilst establishing a Chief Privacy Office is not necessarily a new thing (in some jurisdictions, it may even be required under the regulations), we are seeing an emerging trend to include data ethics as a limb of privacy management, with CPOs assigned accountability for advocating for customers’ data rights. As looks to be the case at NAB, organisations are using the establishment of a global privacy office to go beyond regulatory compliance and drive more ethical uses of data across their business.

Tags: #privacy #dataethics


Known bugs and predictable phishing are behind your average security incident, IBM says

Summary: An IBM analysis of 70 billion security incidents in 130 countries over the past year has determined that attackers typically used known vulnerabilities or stolen credentials to break into victims’ networks.

Key risk takeaway: Too often, the first refrain of a company that has been breached is to lament the “sophistication” of attackers – when the truth (revealed again in this story) is that most incidents are the result of well-known and often preventable tactics. Failure to apply security patches has been shown to repeatedly allow attackers to “waltz” into corporate networks, while employees untrained about phishing risks give away corporate account credentials or aid attackers to get malware into a company’s environment. Along with an effective security awareness program, applying foundational security controls such as the Australian Government’s Essential Eight strategies can make life significantly more difficult for attackers.

Tags: #securityhygiene #securityawareness #essentialeight


Maze ransomware spree continues amid advisories from French, FBI officials

Summary: Attackers have used a strain of ransomware known as Maze to steal data from and disrupt a number of businesses including law firms, a grocery chain and healthcare facilities. Meanwhile Australian logistics company Toll Group, a US healthcare analytics firm and a US natural gas facility were also affected by ransomware attacks.

Key risk takeaway: Ransomware is already having a devastating impact in 2020, affecting businesses globally and across many industry sectors. We’ve written previously about the common ways organisations can prevent infection by ransomware, most notably educating users against phishing emails (a key delivery mechanism for ransomware), as well as deploying strategies to prevent it spreading. These stories highlight some adjacent considerations. Reporting of the Maze attacks highlights the aggressive, public extortion strategy used by attackers to try and force businesses into paying ransoms. This underscores the need for a proactive public response strategy to ransomware, alongside the deployment of technical measures. The method of attack on the US gas facility also highlights the importance of security detection and monitoring tools. Categorised as a “post-compromise ransomware incident”, in this case attackers first gained access to the company’s IT environment before deploying the ransomware, allowing them to first identify critical systems and disable security tools that might block the ransomware.

Tags: #ransomware #securityawareness


How 4 Chinese Hackers Allegedly Took Down Equifax

Summary: The US Government announced charges against four members of China’s People’s Liberation Army for hacking into credit reporting agency Equifax in 2017 and stealing personal information on 145 million Americans.

Key risk takeaway: The indictment against the Chinese hackers reminds us that growing volumes of information collected by private companies (especially financial institutions) will attract the attention of some foreign governments, particularly given its value for intelligence gathering. Exercises such as threat modelling help organisations identify their critical assets and data and the threat actors likely to target those assets. While the attack on Equifax is now being pinned to a highly capable nation state actor, the indictment nevertheless reveals that the attack succeeded largely due to basic security failings on the part of Equifax. These include failing to patch a known security vulnerability and failing to encrypt sensitive data.

Tags: #threatmodelling #securityhygiene