Both companies denied the claims. But we all know they would do that regardless of any merit.
A fuss over Chinese-made phones was always going to happen.
The ball started rolling in 2018. For years before 2018 there were whispers circulating about Huawei’s ability to spy on conversations passing through its network equipment. Arguments ranged from rational and plausible to downright fanciful.
Whether any spying took place was immaterial. Western governments were concerned that critical network infrastructure could become a Chinese-owned monopoly. Or at least dominated by Huawei to the point where it might as well be a monopoly.
The giant had to be stopped before it was unstoppable.
With Huawei network equipment in the spotlight, attention turned to phone handsets. These also had spying potential.
It didn’t help that the US was fighting a trade war with China.
While this was going on, it was clear that if Huawei was a problem, other Chinese network equipment and phone makers had to be considered risky too. And while everyone was looking in that direction, questions were asked about the Chinese factories making phones for western brands.
The jury remains out on whether Huawei is spying on customers.
It may not be related to these risks, but Chinese phones have taken a smaller share of New Zealand sales in recent years. Samsung and Apple continue to dominate.
IDC reports that for the first quarter of 2021 they accounted for 84 percent of the market. That figure measures units. If IDC measured dollars, the top pair would be more than 90 percent of the market.
Regardless of cybersecurity fears, readers would be well advised to stay away from Xiaomi and its regularly updated, Chinese-government-approved blocklist of sites.
If nothing else, the company gets reports on your browsing activity. Your activity could end up on a database and land you in trouble if, say, you travelled to China.
The Reserve Bank breach happened when software which claims to be secure enough to move confidential information between banks was compromised.
Reports suggest other organisations caught up in the same attack paid ransoms to the attackers. We don’t know if the Reserve Bank paid up.
The attack breached the Reserve Bank’s security systems. As John Edwards, the Privacy Commissioner, says, it “raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”
A review of the Bank’s systems uncovered many areas where it had not complied with the Privacy Act’s Principle 5. This says agencies that hold personal information must have reasonable safeguards in place to protect personal privacy.
Yet, the press release from the Privacy Commissioner quotes Edwards saying: “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”
In other words, it was sloppy but ended up doing the right thing.
The press release quotes Reserve Bank governor Adrian Orr attempting unconvincing damage limitation.
Yet the whole point of the Act is to pre-empt online attacks. Organisations like the Reserve Bank should have robust protections in place before any private information is put at risk.
While the compliance notice is real enough, this first one is something of a practice run for dealing with future compliance failures.
It turns out the Covid pandemic has been a golden age for the crooks targeting enterprise systems. Having people work from home has made it harder to contain security incidents.
Writing at ZDNet, Charlie Osborne covers the annual IBM cost of a data breach report. It says a typical enterprise data breach costs the victim US$4.2 million per incident. That’s up 10 percent on a year earlier.
Typical data breaches are where 1000 to 100,000 records are involved. Higher up the scale, things are much worse. Companies where between 50 and 65 million records are exposed now face an average of US$400 million to resolve the incident.
Healthcare has been hit harder than any other sector.
There is a severe international shortage of skilled cybersecurity professionals. One report says there are 4 million unfilled security positions around the world. More than half of all large organisations say they don’t have the specialist security workers they need.
Yet that doesn’t mean this would be a good time for someone with tech skills to refocus on security. One of the reasons IBM identified for the security skills shortage is employers’ unwillingness to pay people the asking rate for their expertise. Going by the headline incident cost figures in the IBM report, paying for skills would be the cheaper option.
IBM research estimates that the average data breach now costs upward of $4 million.
The Asia Internet Coalition, a Singapore-based lobby group, says its members may leave Hong Kong if a new doxxing law comes into force.
AIC members include tech giants Facebook, Google and Apple.
The group worries that the legislation could make them criminally liable.
Doxxing is when people publish private details about online personalities. It can be as simple as identifying the real name of someone using a pseudonym.
It could also refer to revealing addresses, phone numbers or other details used to trace and identify people.
In recent years people have weaponised the practice in Hong Kong to the point where there are thousands of victims.
People have used doxxing to scare activists off pro-democracy protests. On the other side, protestors have revealed the names of police or court officials who acted against protestors. It has also been used against journalists.
When private details are published people may find themselves on the wrong end of threatening calls or other intimidating behaviour. Sometimes this includes attacks on family members. Doxxing can lead to identity theft.
Hong Kong’s courts have found the effects can be severe and long-lasting.
The proposed privacy law amendments aim to outlaw doxxing and force social media companies and websites to take down personal information.
The Hong Kong government proposes to change the existing data privacy legislation to include doxxing acts committed with the “intent to cause psychological harm”.
A conviction would be punishable by up to five years in prison and a fine of HK$1 million.
As things stand, Hong Kong’s officials can make employees of social media or other websites criminally liable.
The AIC objects to the definition of doxxing used in the proposed law. It also worries services like Facebook and Twitter might face liabilities when doxxing happens on their services.
In a letter, the AIC says the only way tech companies could avoid punishment would be by withdrawing their services from Hong Kong and ceasing to invest in the territory. It is not clear whether these companies make significant investments in Hong Kong.
For years we wondered. What use would humanity find for cryptocurrency? Now we know. It is not necessarily a force for good.
There have been other technologies which emerged before there were practical applications.
When the first laser was built in 1960 it was impressive. Scientists thought it may one day find use in spectrometry or even nuclear fusion.
Others thought it could be used as a ‘death ray’ military weapon. It didn’t help that the Pentagon funded early research into laser applications.
In time engineers found thousands of applications. Today lasers power fibre communications networks. They are used to measure distances with incredible accuracy. Applications include medicine, office printers and cutting objects for manufacturers.
The killer app
When the first PC arrived, it looked like it had potential. It could do lots of things, but it did one thing very well: spreadsheets. VisiCalc, an early spreadsheet, was the first computer ‘killer app’.
Likewise, the graphically gifted Macintosh computer had its power unleashed by PageMaker. It was a desktop publishing program and another killer app.
In May criminals attacked Waikato DHB demanding a ransom in return for unlocking computers.
It wasn’t the only ransomware attack that month, nor was it the biggest or most disruptive. Ireland’s health computer system was also shut down. The pipeline moving oil to the US East Coast was shut down.
All of these ransomware attacks, and most other online crimes, have a common denominator. The criminals want ransoms paid in cryptocurrency. That’s because Bitcoin and the other cryptos are harder to trace than conventional forms of money.
Ransomware and cryptocurrency
Ransomware is crypto’s killer app.
Cryptocurrency remains a shadowy world. It is not that everyone involved in cryptocurrency is a criminal. It’s more that every online criminal uses crypto.
For many everyday folk, their first interaction with cryptocurrency is when they need to buy it to pay a ransom.
This is not an argument to ban cryptocurrencies. Although it could be. And the stories about the vast amounts of energy needed to ‘mine’ these new currencies are also a concern.
Part of the attraction of crypto is that it remains unregulated. That has to stop. The exchanges that deal with cryptocurrency have to face the same accountabilities as other financial institutions. It has to be made harder to move unaccounted funds from crypto into traditional banks.
There is more to stifling ransomware than regulating Bitcoin and its peers. Yet the ransomware epidemic now threatens online commerce. In cases like attacks on hospitals, it is potentially a literal ‘killer app’. Regulating cryptocurrency will save lives and jobs.
Ransomware is when online criminals take control of data, encrypt it, then demand payment before unlocking. Except they don’t always unlock the data. Or, if they do, they may strike again later.
Lindy Cameron, chief executive of the UK’s National Cyber Security Centre, says it is escalating and becoming increasingly professional. Criminal gangs make most of their money from large profitable businesses that can’t afford to lose data or suffer downtime.
The Guardian says:
Gangs often scout their targets and will tailor their demands to the size of the customer: there are examples of small firms such as hairdressers being targeted and payments of £1,500 being demanded. But most of the targets are large businesses, which are disabled by the attacks.
It reports Cameron calling for insurance companies to stop paying out for ransoms. At the moment paying is legal in the UK if there’s no link to terrorism.
Phishing and credential harvesting
In New Zealand, Cert’s biggest concerns are phishing and credential harvesting. For the first quarter of 2021 Cert recorded 652 phishing or credential harvesting incidents. In comparison, Cert recorded 12 ransomware cases.
It’s possible many New Zealand ransomware incidents go unreported. We know for sure some do.
Cert puts the ratio between the phishing and ransomware categories at over 500 to 1. Your chance of a ransom demand is relatively small.
Given this ratio, why does the headline on this post say ransomware is ‘threat number one’?
That’s because when it hits the damage from ransomware can be devastating. Four weeks after the Waikato DHB attack, the health authority’s computer systems are not back to normal. Hospitals have cancelled surgeries. The DHB is not treating some sick people.
The attack caused chaos in the health system. Last month the Irish health system went through a similar incident. In the US ransomware attackers shut down a vital fuel pipeline.
Companies have gone out of business because of ransomware. The attacks are escalating. Criminals target organisations like hospitals knowing that putting people’s lives at risk increases the pressure on victims to pay up.