
Bill Bennett


Tag: security

Technology has never been riskier. There are holes everywhere and ratbags only too keen to exploit them. Keeping informed about threats and issues is the key to staying safe online.

Red flag for Chinese phones

Lithuania’s Defence Ministry has warned the country’s citizens to throw away Chinese phones and not buy new ones.

The country’s National Cyber Security Centre tested Chinese-made 5G phones. It reported that one Xiaomi phone had built-in censorship tools and that a Huawei handset had security flaws.

Ars Technica reports:

“The Xiaomi phone includes software modules specifically designed to leak data to Chinese authorities and to censor media related to topics the Chinese government considers sensitive.

The Huawei phone replaces the standard Google Play application store with third-party substitutes the NCSC found to harbour sketchy, potentially malicious repackaging of common applications.”

Both companies denied the claims. But we all know they would do that regardless of any merit.

Not surprising

A fuss over Chinese made phones was always going to happen.

The ball started rolling in 2018. For years before 2018 there were whispers circulating about Huawei’s ability to spy on conversations passing through its network equipment. Arguments ranged from rational and plausible to downright fanciful.

Whether any spying took place was immaterial. Western governments were concerned that critical network infrastructure could become a Chinese-owned monopoly. Or at least dominated by Huawei to the point where it might as well be a monopoly.

The giant had to be stopped before it was unstoppable.


With Huawei network equipment in the spotlight, attention turned to phone handsets. These also had spying potential.

It didn’t help that the US was fighting a trade war with China.

Once that was under way, it was clear that if Huawei is a problem, other Chinese network equipment and phone makers have to be treated as risky too. And while attention was pointed that way, questions were asked about the Chinese factories making phones for western brands.

The jury remains out on whether Huawei is spying on customers.

Chinese risk

If you don’t think China poses a cybersecurity risk, you haven’t been paying enough attention. There’s a Wikipedia page looking at the issue.

It may not be related to these risks, but Chinese phones have taken a smaller share of New Zealand sales in recent years. Samsung and Apple continue to dominate.

IDC reports that for the first quarter of 2021 they accounted for 84 percent of the market. That figure measures units. If IDC measured dollars, the top pair would be more than 90 percent of the market.

Regardless of cybersecurity fears, readers would be well advised to stay away from Xiaomi and its regularly updated Chinese government approved blocklist of sites.

If nothing else, the company gets reports on your browsing activity. Your activity could end up on a database and land you in trouble if, say, you travelled to China.

Reserve Bank gets NZ’s first privacy compliance notice

New Zealand’s Privacy Commissioner issued its first compliance notice to the Reserve Bank.

The notice follows an online attack on the bank’s systems in December 2020.

While the notice makes sense, the press release from the Commissioner’s office reads more like bureaucratic procedure than public shaming.

The Reserve Bank breach happened when software sold as secure enough to move confidential information between banks was compromised.

Reports suggest other organisations caught up in the same attack paid ransoms to the attackers. We don’t know if the Reserve Bank paid up.

Systemic weakness

The attack breached the Reserve Bank’s security systems. As John Edwards, the Privacy Commissioner says, it “raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”

A review of the Bank’s systems uncovered many areas where it had not complied with the Privacy Act’s Principle 5. This says agencies that hold personal information must have reasonable security safeguards in place to protect it against loss, misuse and unauthorised access or disclosure.

Yet, the press release from the Privacy Commissioner quotes Edwards saying: “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”

In other words, it was sloppy but ended up doing the right thing.

The press release quotes Reserve Bank governor Adrian Orr attempting unconvincing damage limitation.

Yet the whole point of the Act is that organisations like the Reserve Bank have robust protections in place before any private information is put at risk, not after an attack.

While the notice is real enough, this first one is something of a practice run for dealing with future compliance failures.

Cost of an enterprise data breach now US$4.2 million

It turns out the Covid pandemic has been a golden age for the crooks targeting enterprise systems. Having people work from home has made it harder to contain security incidents.

Writing at ZDNet Charlie Osborne covers the annual IBM cost of a data breach report. It says a typical enterprise data breach costs the victim US$4.2 million per incident. That’s up 10 percent on a year earlier.

IBM’s typical breach involves between 1,000 and 100,000 records. Higher up the scale things are much worse: companies where between 50 million and 65 million records are exposed now face an average of US$400 million to resolve the incident.

Healthcare has been hit harder than any other sector.

There is also a severe international shortage of skilled cybersecurity professionals. One report says there are 4 million unfilled security positions around the world, and more than half of all large organisations say they don’t have the specialist security workers they need.

Yet that doesn’t mean this would be a good time for someone with tech skills to refocus on security. One of the reasons IBM identifies for the shortage is the unwillingness of employers to pay people the going rate for their expertise. Going by the headline incident cost figures in the IBM report, paying for skills would be the cheaper option.


Average cost of an enterprise data breach

IBM research estimates that the average data breach now costs upward of $4 million.

Source: Enterprise data breach cost reached record high during COVID-19 pandemic | ZDNet

Hong Kong’s doxxing law spooks tech giants

The Asia Internet Coalition, a Singapore-based lobby group, says its members may leave Hong Kong if a new doxxing law comes into force.

AIC members include tech giants Facebook, Google and Apple.

The group worries the legislation could make its members criminally liable.

Doxxing is publishing private details about a person, often someone active online. It can be as simple as identifying the real name of someone using a pseudonym.

It could also refer to revealing addresses, phone numbers or other details used to trace and identify people.

Doxxing victims

In recent years people have weaponised the practice in Hong Kong to the point where there are thousands of victims.

People have used doxxing to scare activists off pro-democracy protests. On the other side, protestors have revealed the names of police or court officials who acted against protestors. It has also been used against journalists.

When private details are published people may find themselves on the wrong end of threatening calls or other intimidating behaviour. Sometimes this includes attacks on family members. Doxxing can lead to identity theft.

Hong Kong’s courts have found the effects can be severe and long-lasting.

The proposed privacy law amendments aim to outlaw doxxing and force social media companies and websites to take down personal information.

Psychological harm

The Hong Kong government proposes to change the existing data privacy legislation to include doxxing acts committed with the “intent to cause psychological harm”.

A conviction would be punishable by up to five years in prison and a fine of HK$1 million.

Under the proposal, Hong Kong officials could hold local employees of social media companies or other websites criminally liable.

The AIC objects to the definition of doxxing used in the proposed law. It also worries services like Facebook and Twitter might face liabilities when doxxing happens on their services.

In a letter, the AIC says the only way tech companies could avoid punishment would be by withdrawing their services from Hong Kong and ceasing to invest in the territory. It is not clear whether these companies make significant investments in Hong Kong.

Cryptocurrency has a killer app

For years we wondered. What use would humanity find for cryptocurrency? Now we know. It is not necessarily a force for good.

There have been other technologies which emerged before there were practical applications.

When the first laser was built in 1960 it was impressive. Scientists thought it might one day find use in spectrometry or even nuclear fusion.

Others thought it could be used as a ‘death ray’ military weapon. It didn’t help that the Pentagon funded early research into laser applications.

In time engineers found thousands of applications. Today lasers power fibre communications networks and measure distances with incredible accuracy. Other applications include medicine, office printers and cutting materials for manufacturers.

The killer app

When the first personal computers arrived, they looked like they had potential. They could do lots of things, but did one thing very well: spreadsheets. VisiCalc, an early spreadsheet, was the first computer ‘killer app’.

Likewise, the graphically gifted Macintosh computer had its power unleashed by PageMaker. It was a desktop publishing program and another killer app.

In May criminals attacked Waikato DHB demanding a ransom in return for unlocking computers.

It wasn’t the only ransomware attack that month, nor the biggest or most disruptive. Ireland’s health computer system was also shut down, and so was the pipeline moving fuel to the US East Coast.

All of these ransomware attacks, and most other online crimes, have a common denominator: the criminals want ransoms paid in cryptocurrency. That’s because a payment in Bitcoin or another cryptocurrency is harder to block, reverse or tie to a real-world identity than a bank transfer.

Ransomware and cryptocurrency

Ransomware is crypto’s killer app.

Cryptocurrency remains a shadowy world. It is not that everyone involved in cryptocurrency is a criminal. It’s more that every online criminal uses crypto.

For many everyday folk, their first interaction with cryptocurrency is when they need to buy it to pay a ransom.

This is not an argument to ban cryptocurrencies. Although it could be. And the stories about the vast amounts of energy needed to ‘mine’ these new currencies are also a concern.

Part of the attraction of crypto is that it remains unregulated. That has to stop. The exchanges that deal with cryptocurrency have to face the same accountabilities as other financial institutions. It has to be made harder to move unaccounted funds from crypto into traditional banks.

There is more to stifling ransomware than regulating Bitcoin and its peers. Yet the ransomware epidemic now threatens online commerce. In cases like attacks on hospitals, it is potentially a literal ‘killer app’. Regulating cryptocurrency will save lives and jobs.


Ransomware is online threat number one

“GCHQ cybersecurity boss sounds alarm over extortion by hackers who are mostly based in former Soviet states” (Guardian headline)

The Guardian reports on a warning that ransomware is the biggest online threat the British face.

As far as Cert, the government’s cyber security team, is concerned, the incident report numbers show that is not officially the case in New Zealand.

And yet, the severity of the recent ransomware attack on Waikato DHB suggests it causes widespread havoc.

Ransomware is when online criminals take control of data, encrypt it, then demand payment before unlocking it. Except they don’t always unlock the data. Or, if they do, they may strike again later.

Professional ransomware

Lindy Cameron, chief executive of the UK’s National Cyber Security Centre, says ransomware is escalating and becoming increasingly professional. Criminal gangs make most of their money from large profitable businesses that can’t afford to lose data or suffer downtime.

The Guardian says:

Gangs often scout their targets and will tailor their demands to the size of the customer: there are examples of small firms such as hairdressers being targeted and payments of £1,500 being demanded. But most of the targets are large businesses, which are disabled by the attacks.

Travelex, a UK-based provider of foreign exchange services, paid $2.3m last year to regain control after hackers shut down its networks. The company subsequently fell into administration and had to be restructured with the loss of 1,300 jobs.

It reports Cameron calling for insurance companies to stop paying out for ransoms. At the moment paying is legal in the UK if there’s no link to terrorism.

Phishing and credential harvesting

In New Zealand, Cert’s biggest concerns are phishing and credential harvesting. For the first quarter of 2021 Cert recorded 652 phishing or credential harvesting incidents. In comparison, Cert recorded 12 ransomware cases.

It’s possible many New Zealand ransomware incidents go unreported. We know for sure some do.

Cert’s numbers put the ratio between the phishing and ransomware categories at more than 50 to 1. Your chance of receiving a ransom demand is relatively small.

Given this ratio, why does the headline on this post say ransomware is ‘threat number one’?


That’s because when it hits the damage from ransomware can be devastating. Four weeks after the Waikato DHB attack, the health authority’s computer systems are not back to normal. Hospitals have cancelled surgeries. The DHB is not treating some sick people.

The attack caused chaos in the health system. Last month the Irish health system went through a similar incident. In the US ransomware attackers shut down a vital fuel pipeline.

Companies have gone out of business because of ransomware. The attacks are escalating. Criminals target organisations like hospitals knowing that putting people’s lives at risk increases the pressure on victims to pay up.

Sonicwall, a security company, says there has been a 62 percent increase in ransomware attacks since 2019. One way to protect against ransomware is to keep careful backups. They only help if copies are kept offline or otherwise out of the attackers’ reach, and if restoring from them is tested, because ransomware gangs go after any backup they can reach from the compromised network.
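Backup advice is only useful if you can tell a good backup from a damaged one before you need it. As an added example (not code from the original post), the Python below builds a SHA-256 manifest of a backup set and later verifies a copy against it, reporting files that went missing or were overwritten and, for changed files, using byte entropy to separate an ordinary edit from encryption in place. The directory layout, file names and contents are constructed for the example; nothing is read from a real system.

```python
"""Backup manifest and restore check.

Added example, not code from the original post. It assumes the backup is a
directory tree on disk; the file names and contents below are constructed
for the example and nothing is read from a real system.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    Store the result somewhere the backup host cannot write to: a manifest
    that sits beside the backup can be encrypted or deleted along with it.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4 to 5, encrypted data near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def verify_backup(root: Path, manifest: dict[str, str]) -> dict:
    """Compare a backup copy with the manifest taken when it was written."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    # A changed file that is now close to random is the signature of
    # encryption in place rather than an ordinary edit. The 7.5 threshold
    # is an assumption for this example.
    suspicious = [p for p in changed if shannon_entropy((root / p).read_bytes()) > 7.5]
    return {
        "ok": not missing and not changed,
        "missing": missing,
        "changed": changed,
        "suspicious": suspicious,
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: verify a clean copy, then one that ransomware reached."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "patients").mkdir(parents=True)
        (backup / "patients" / "list.csv").write_text("id,name\n1,Example Patient\n" * 50)
        (backup / "notes.txt").write_text("Constructed sample text for the example.\n" * 20)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)
        # What a reachable backup looks like after an attack: one file
        # overwritten with random bytes (encrypted in place), one deleted.
        (backup / "patients" / "list.csv").write_bytes(os.urandom(4096))
        (backup / "notes.txt").unlink()
        tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy ok:", clean["ok"])
    print("tampered copy ok:", tampered["ok"], "suspicious:", tampered["suspicious"])
```

The check generalises beyond the two sample files: run build_manifest when a backup is written, keep the manifest on a host the backup system cannot write to, and run verify_backup before relying on that copy. Compressed archives also score high on entropy, so treat a flagged file as a prompt to look rather than as proof of encryption.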