Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
This month saw some big plays in the world of privacy – most notably the striking down by a European court of a mechanism for international data transfers. We look at the implications for Australian organisations coming out of the judgement. This month we’re also reminded of the inherent vulnerability of software via stories about backdoors in Chinese tax software, a flood of critical patches released for popular enterprise software products and, of course, more yarns about ransomware.
Summary: Tax software required to be used by organisations that conduct business in China has been found to have been infected with malware.
Key risk takeaway: This discovery by security researchers is a cautionary tale for any business with operations in China. Dubbed “GoldenSpy”, the backdoor in the tax software reportedly allowed the remote execution of commands on infected computers. A similar backdoor was later discovered in the other of the two tax software products authorised by the Chinese government. Concerns have long been raised about the invasive security provisions levelled at western businesses by China, though the covert nature of this incursion is rather more sinister. The FBI warns that companies in the healthcare, chemical and finance sectors are in particular danger. Echoing the FBI’s advice, businesses should ensure they patch critical vulnerabilities on their systems, monitor applications for unauthorised access and protect accounts through multi-factor authentication.
Tags: #cyberhygiene #cyberespionage
Summary: The EU-US Privacy Shield, a key framework for regulating transatlantic data transfers, has been declared invalid by the Court of Justice of the European Union with immediate effect. Alternative international data transfer mechanisms remain valid subject to additional obligations imposed upon companies.
Key risk takeaway: Though primarily focused on transatlantic transfers, the Court’s judgement will also give pause to Australian organisations that use Standard Contractual Clauses (SCCs), a key tool for Australia-EU data transfers. Whilst confirming that SCCs remain a valid means for international data transfers under the GDPR, the Court’s judgement imposes an onus on companies relying on SCCs to undertake case-by-case determinations on whether foreign protections are adequate under EU standards and whether additional safeguards are required.
Tags: #privacy #GDPR
Summary: Apple’s shift to requiring opt-in consent for IDFAs, a unique identifier which enables advertisers to track user behaviour across apps for targeting and attribution purposes, threatens to upend the mobile advertising ecosystem.
Key risk takeaway: Apple continues to brandish its privacy-centric approach as a key competitive asset and brand differentiator. This latest move was announced alongside a series of privacy-conscious updates and has been celebrated by privacy advocates as a fundamental step towards greater user transparency and control over use of their data. The change involves users now receiving explicit prompts requiring opt-in consent, as opposed to these controls being buried within Apple’s settings. The update has particular implications for both Facebook and Google, whose ad-tech services depend on aggregating large troves of data with IDFAs. Meanwhile, in another fillip for privacy advocates this month, the public broadcaster in the Netherlands has published data showing that it grew ad revenue after ditching ad trackers and moving to contextual ads.
Summary: In a coordinated attack, hackers gained control of dozens of high-profile Twitter accounts, including former US President Barack Obama, US presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Elon Musk, Apple and many others.
Key risk takeaway: While the hackers’ motivations here appear to have been rather benign (to propagate a bitcoin scam message), their unprecedented access could have had much more serious consequences. Imagine a nation state with full control of these compromised accounts, intent on derailing an election. It should raise the question for any organisation – what damage could a hacker do with access to your internal tools? The methods behind the attack were also relatively standard: social engineering to gain access to an internal customer support tool, which they used to reset account passwords. No zero-day cyber-gymnastics here. The obvious lesson here is ‘back to basics’ – training and awareness and restricted privileges. The deeper concern is how Twitter and other social media have become so central to our democracies – failures of this kind cannot be allowed to happen.
Tags: #socialengineering #databreaches #geopolitics
Key risk takeaway: The internet is now awash with compromised credentials, making password re-use a greater threat than ever. If you’ve already used a given password before, the likelihood is it’s now out there somewhere and can be used to compromise your account. This threat to account security is compounded by the continued rise of phishing and social engineering attacks, particularly in the new COVID-19 normal. The rapid switch to remote working combined with the uncertainty of the pandemic has given rise to effective new phishing lures such as fake pandemic updates or notifications from popular remote working applications. And so, the parade of data breaches continues. From dating apps to hotel chains, airlines, telcos and many others, news of data breaches has become part of the background hum of our industry.
Summary: Garmin said while there was no indication attackers accessed customer data, the attack did interrupt website functionality, customer support services, user apps and corporate communications. This was again one of many ransomware attacks this month.
Key risk takeaway: This particular attack draws attention to the incredibly precarious position ransomware victims find themselves in regarding ransoms. Enduring widespread disruption to services due to WastedLocker ransomware, Garmin was reportedly faced with a US$10 million ransom to decrypt its files. Reports also claim that the Russian gang Evil Corp was behind the attack. The gang’s members have been sanctioned by the US government, making any dealings with them illegal. Services are now back online and Garmin has not confirmed whether it paid the ransom. We also learned this month that ransomware gangs are a patient bunch – spending long periods of time within the networks they have breached in order to gather as much information as possible to maximise leverage in ransom demands.
Summary: A critical vulnerability in SAP applications could affect up to 40,000 customers.
Key risk takeaway: Patch your critical systems! The last month has seen a rash of patches released for serious vulnerabilities in widely used systems. In addition to the SAP bug, software company Citrix announced yet more bugs (but with fixes), as did Microsoft, Palo Alto Networks and F5 Networks for their products. Respected guidance such as the Australian Government’s Essential Eight strategies recommends timely patching as a foundational security practice. In practice, many organisations struggle to prioritise the ever-growing number of security fixes that require action. The last month will only have further compounded the headaches of systems administrators (and likely intensified their pleas for more attention to secure coding practices).