IT & Communications

Gokul Vasudev has over 18 years of experience in providing key IT security and assurance functions. In this article he explains what zero trust is (it isn't the same as "trustless" in crypto) and why is an effective approach to addressing risks in today's digital landscape.

Less than month after LastPass admitted a large scale breach of its much vaunted password manager, the old man of computer security, Norton, has said that its LifeLock password manager has also been breached. Is there an industry-wide problem?

There are many reports saying that this or that country is the source of the majority of spam, hacking or other internet harms.

But there is one dataset, open to all, that contains relevant and accurate information drawn from active websites all over the world and what that tells us is not what we think we know.

World Remit (www.worldremit.com) says that it has learned that there are at least two fake websites.

"Semantic Software Asia Pacific Limited (SSAP), an Australian research and development company based in Sydney, has released the first suite of its Semantic Computing Platform, Semantiro, described as a fundamental building block to achieving a complete cognitive environment."

That's what the company said in a press release so laden with buzzwords that we, honestly, have no idea what it's trying to tell us.

Australian regulators have other concerns and this morning ASIC obtained a Court Order to wind up the company and the appointment of provisional liquidators.

The reasons for the Order should be a warning for those buying mission-critical tech from unproven companies. Semantic was an artificial intelligence development company that based in North Sydney.

"So far this year scammers have stolen more than AUD7.2 million from Australians by gaining access to home computers, an increase of 184 per cent compared to the same period last year." So says the Australian Competition and Consumer Commission.

Contrary to the common "phishing e-mail" approach, many instances start with a phone call. And just to make it worse, they are targeting phones: you know, those things that contain your financial apps and are used as "tokens" or for SMS confirmations by your bank.

We had an e-mail this morning from Google about our Adsense account. That was a rabbit hole we thought we'd escaped from. But they said they owed us money so we thought we'd claim it.

That's when it all started to go very, very badly wrong.

A good thing used for bad purposes. Sometimes.

While Cobalt Strike is the market leader, it is far from the only threat assessment tool - and others are even easier for criminals to make use of - on every server, desktop and mobile platform except, it seems, Apple mobiles.

Law enforcement can move fast - when the criminal conduct involves the reputation of governments. Reveals gaping hole in US government e-mail security - and one that, with hindsight, seems blindingly obvious.

It's a telephone number and it's cropping up in all kinds of places, including a PayPal / Target / Apple iPhone scam that arrived in our own mailbox this morning.

Google is threatening to kill Android phones if users do not provide personal information.

There are several versions of the threat issued by Google where its persuasion has failed.

Google is facing two problems: first, its own message demands the information and then says it will be used to the customer's detriment and secondly, people no longer trust it.

One of the biggest reasons for migrating away from WhatsApp is privacy. It's been a problem ever since WhatsApp was launched. Indeed, I discussed it with the founders when it was new, ish, and they said that they had deliberately designed the system to create visibility between users. When I pointed out that a combination of various features compromised personal security, that was not something that concerned them... anyone can get your phone number, they said.

Media release: Australian Consumer and Competition Commission 26 Nov 2020.

The ACCC has today instituted Federal Court proceedings against Telstra (ASX:TLS) for admitted unconscionable conduct in the sale of post-paid mobile products to Indigenous consumers.

The USA's Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are reporting the large-scale re-emergence of the Emotet trojan. Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISAs EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. It spreads via links in e-mails and as macros in .doc files attached to e-mails.

One of the most persistent forms of fraud, now well over 100 years old, is directory fraud. In a recent iteration, there is at least something a little different.