Tech and Innovation | Telstra News

Growing Australia’s digital economy out of COVID-19

By Andrew Penn June 26, 2020

When COVID-19 made many of us shut our doors, something happened. Digital doors opened in their place. We embraced technology like never before to keep businesses running, people working, kids learning and ourselves entertained.

We now have a growing digital economy – something I recently highlighted as a significant opportunity we as a nation should seize. With businesses reopening and social restrictions relaxing (albeit with some constraints given the risk of increased infections), we should stop thinking about post-COVID-19 as only a “recovery” and instead see it as an opportunity to grow the economy in the long term and put us in a better global position.

From the Industrial Revolution to the Great Depression, profound disruption has brought opportunities to be bold, to re-think conventional wisdom, and seek out new economic and social opportunities to help build a stronger future for everyone.

COVID-19 has proved change can be made and embraced quickly. During the height of the pandemic we saw a huge acceleration in digitisation – from telehealth to online learning, remote working and e-commerce – and the fast-tracking of numerous policy and regulatory changes to break down long-standing digital roadblocks.

As a nation we have achieved in a few months what might have taken us years to progress, and it is important that we now do not lose that momentum.

However, a single company, a single organisation or a single government cannot achieve this on its own. Through coalitions across the public and private sectors, we can effect change by removing barriers and incentivising growth so it is faster and more pervasive.

Over the past few weeks I have been chairing the Business Council of Australia (BCA) Digital Economy and Telecommunications working group, and this is exactly our aim: to map out tangible ways we can put Australia at the forefront of a digital future – paperless, cashless and virtual – so we can come out of this stronger as a nation, not just bounce back.

This requires reform in five key areas: 

  1. Digital transition 
  2. Infrastructure 
  3. Regulation 
  4. Cyber Security 
  5. Skills  

1. Digital transition

Australia’s local businesses and enterprises pivoted quickly to ensure they could keep running – from working from home to medical practitioners delivering telehealth consultations. We even saw interactive online cheese tasting sessions!

Technology was at the core of many businesses that adapted well. That said, a range of recent studies found that Australia’s small-to-medium enterprise sector could be substantially enhanced by a greater investment in digitising their internal processes and developing an effective web presence. Xero’s September 2019 Small Business insights indicate that businesses that boost technology spending the most grow revenue three times faster than those with the weakest technology spend.

Some options we are exploring include potential incentives and assistance to help the small business sector access the benefits of greater digitisation of business processes and an improved online presence.

2. Infrastructure

Connectivity is what powered many workers and businesses during the crisis, ensuring they could continue running.

For Australians to effectively participate in the digital economy, they need access to affordable, fast and reliable telecommunications services.

Telstra announced $500 million of capital expenditure planned for the second half of FY21 would be brought forward into the calendar year 2020, to increase capacity in our network, accelerate our roll-out of 5G, power more people with connectivity as well as provide a much needed economic boost.

With the completion of the nbn rollout nearing, there is now an opportunity for the Australian Government to develop its future vision for Australia’s digital economy and the telecommunications industry for the next decade – a vision that is technology agnostic and provides an environment that is pro-investment and pro-innovation.

3. Regulation

Governments and regulators play a significant role in enabling a digital nation, as well as ensuring as many Australians as possible can take advantage of the opportunity.

They took significant steps forward during the pandemic, including measures to help provide better access to telehealth, virtual AGMs, electronic execution of documents, and national electronic pharmacy scripts.

In the spirit of those last two initiatives, the BCA will be recommending a systematic review of regulation from federal to state to local, to eliminate barriers to a virtual and paperless society and a cashless economy.

4. Cyber Security

Last week was a timely reminder about the importance of strong cyber security, with the Prime Minister highlighting major cyber-attacks that are putting pressure on critical infrastructure and public services.

Cyber security is a large and growing area of risk for the security of the nation, and COVID-19 has increased that risk with so many people working and studying from home, away from traditional security measures.

Separately, I have been working with the Government chairing its industry advisory panel on the development of the 2020 Cyber Security Strategy. This will contain a number of significant initiatives to strengthen our collective cyber defences.

5. Skills

It was inspiring to see the flexible and innovative mindset many businesses adopted during the pandemic. This mindset needs to be deeply ingrained in Australian culture and to do this we need to invest in science, technology, engineering, arts, and mathematics (STEAM) skills.

We have partnered with five Australian universities to jointly develop critical skills and capabilities in areas such as network and software engineering, cyber security and data analytics. But we also need more people entering technology courses, and particularly more diverse talent, including female and Indigenous students.

We are also working on a suite of proposed improvements to the way industry and the education system collaborate, to ensure Australia’s school leavers have the foundation skills needed to succeed in the modern digital economy.

Australia’s opportunity to lead

The economic downturn caused by COVID-19 has left many businesses and families doing it tough and we need to do everything we can to build a stronger economy in the longer term in response.

Australia has been a world leader when it comes to protecting the nation’s health and economy during COVID-19, and now we can lead again. It will be important in so doing that this includes success for all of our communities.

I recently posed the question: “What type of historical moment will this turn out to be?” As life slowly begins to return to some type of normal, we are approaching a sliding doors moment.

We can go back to the way things were, or we can build on the innovative, can-do mindset that drove so many positive changes during the most significant disruption to daily life in a generation.

Cyber Security

Watch out for COVID-19 phishing and malware

By Clive Reeves March 17, 2020

Cybercriminals are capitalising on Coronavirus (COVID-19) to send fake email and SMS phishing attacks that could infect computers or lead to the theft of logins and personal information.

An SMS-based phishing attack sent to Australians this week with the sender of “GOV” claimed the receiver had a “new message regarding the COVID-19 safetyline symptoms”. The subsequent message advised the location of local testing facilities.

People who followed the included link were directed to a website that would encourage Android device users to install an application. Anyone who visited the site from a non-Android phone such as an iPhone was directed to a benign government website instead.

The Australian Cyber Security Centre has recently warned the SMS and subsequent Android application could be used to steal banking credentials.

“The link in these text messages is not legitimate, and if clicked on, may install malicious software on your device, designed to steal your banking details,” it said.

[Image: Fake COVID-19 phishing message. Credit: Australian Cyber Security Centre]

The steps to install the Android application required people to check a box to install apps from unknown sources in their device’s settings. They could not be infected by merely visiting the site.

It is unclear if the malware was caught by Android’s much-improved in-built security defences which are present on new devices, or those running supported versions of the mobile operating system.

Telstra has blocked the offending domain, protecting customers across mobile and broadband services from accessing the site. Google has also blocked the domain under its Google Safe Browsing Initiative.

However, the rapid nature of cybercrime means new copycat domains that potentially contain the same content are likely to surface.

We should all be vigilant and not respond to unexpected messages over any communications platform, especially those which request links be clicked on or attachments be opened.

Yet more phishing attacks are targeting COVID-19 remote workers around corporate Australia.

These phishing attacks – and dozens of others that promise information on COVID-19 – entice users to open malicious attachments (some containing dangerous malware) and follow links designed to steal logins.

The emails are part of a surge of COVID-19 themed phishing campaigns detected since January which include malicious messages purportedly sent on behalf of the Australian Medical Association (AMA) and global bodies including the World Health Organisation (WHO).

Cyber security vendor ProofPoint says criminals have written phishing emails that claim to be from organisations’ human resource departments and executives. The fake messages encourage victims to open and sign attached malicious documents.

We advise anyone who is working from home to avoid opening unexpected email document attachments, and to report suspected phishing emails in line with their company’s cyber security policy or delete them.

Meanwhile, Check Point, a cyber security vendor, said 4,000 COVID-19 domains were registered between January and 3 March, of which it suspects 3%, or 120 domains, are suspicious.

“Coronavirus-related domains are 50% more likely to be malicious than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s Day,” Check Point researchers said.

One of the first COVID-19 phishing emails sent in January targeted victims in Japan and contained purported advice about the virus outbreak.

At least one of the phishing documents claiming to contain COVID-19 advice unleashed the Trickbot malware when opened.

Trickbot is one of the worst cyber security threats facing organisations today. The malware can download additional malicious payloads including the Ryuk ransomware which has the capacity to down global businesses. It can also deploy capabilities that allow it to spread across networks and to new computers through hijacked user email accounts.

Other COVID-19 phishing emails have dropped the NanoCore remote access trojan which grants hackers control of infected systems.

Many more contain links that load malicious login pages that mimic the appearance of tech brands like Adobe and Microsoft Office 365.

We encourage everyone to be on alert for any unexpected emails that ask users to log in to pages or download attachments. Typos and poor grammar are a common but ultimately effective indicator of phishing.

Consumer | Cyber Security

Keep your guard up: how to spot a scam online

By Blair Adamson March 11, 2020

Fraudsters are getting better and better at separating marks from their money online. But while scammer tactics may evolve, the foundations of scams are largely unchanged. Here’s how to see through the spin to spot a scam online.

We’re very aware that scammers impersonate our brand to dupe our customers. That’s why we’re always on the lookout for scams and work closely with our cyber security team to monitor and minimise the impact of these campaigns.

When we spot a new scam, we update our CrowdSupport page on known scams with the relevant details so everyone can stay informed.

Always stay vigilant online with the following tips on how to spot a scam, and report what you find to us if you’re ever unsure. Here’s what to look for.

Phishing

Phishing is one of the most common scams online, and scammers are getting better and better at pretending to be your bank, your telco or your energy company in order to extort money and personal details out of you.

As part of a phishing campaign, a scammer will often create an email designed to appear like a legitimate piece of communication from a trusted institution. These emails use legitimate logos, colour schemes and fonts to appear trustworthy. Targets will usually be encouraged to click on a button or link to change their login details, personal information or to confirm a transaction.

Once the button is clicked, the target is redirected to a webpage designed to mimic an online banking or service login page in order to capture login details. Once a target is tricked into entering those details, a scammer can use them to log in and steal funds or transfer services, or sell the details for other parties to use.

Phishing scams can also take the form of an SMS where the scammer impersonates a bank or telco before again transferring the target to a fake webpage to steal their information.

As scammers improve their phishing materials, it can be hard to determine what’s legitimate, but several key tells will always give the bad guys away.

Scammers will often create a fake email address that doesn’t look quite right, such as @telstranet.co.biz. Furthermore, these phishing scams will direct you to a website that won’t look quite right, such as www.telstrabillsupdate.xyz. Always check the email address in the ‘from’ section of a message when checking for authenticity, and browse to the company’s webpage from Google or your bookmarks rather than clicking on a link in an email.
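
The sender and link checks described above, as an added Python example that is not part of the original article: it pulls the real domain out of a From header and out of each link, then compares it with an allow-list. The allow-list entries and the sample message are assumptions made for the illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative allow-list. Replace with the domains your provider
# actually publishes for email and web.
TRUSTED_DOMAINS = {"telstra.com", "telstra.com.au"}
# Brand words that should only ever appear in a trusted domain.
BRAND_TOKENS = {"telstra"}


def sender_domain(from_header):
    """Domain part of the address in a From header (display name ignored)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def link_host(url):
    """Host a link really points at, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    for domain in TRUSTED_DOMAINS:
        # Match the whole domain or a subdomain on a dot boundary, so that
        # "nottelstra.com" does not pass just because it ends in "telstra.com".
        if host == domain or host.endswith("." + domain):
            return "trusted"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def check_message(from_header, links):
    """List (where, host, verdict) for each sender or link host that is not trusted."""
    candidates = [("from", sender_domain(from_header))]
    candidates += [("link", link_host(u)) for u in links]
    return [(where, host, classify(host))
            for where, host in candidates if classify(host) != "trusted"]


if __name__ == "__main__":
    # Constructed sample message using the two look-alike names from the article.
    findings = check_message(
        "Telstra Billing <accounts@telstranet.co.biz>",
        ["https://www.telstra.com/support",
         "http://www.telstrabillsupdate.xyz/login"],
    )
    for where, host, verdict in findings:
        print(f"{where}: {host} -> {verdict}")
```

A display name such as “Telstra Billing” is chosen by the sender, which is why only the address domain is compared.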

Fraudulent emails and SMS messages will also often impose a time pressure or urgent call to action. This way, scammers can take advantage of their targets before they have time to think about whether or not it’s a scam. The emails and SMS phishing messages might falsely claim that your login details are vulnerable or need to be changed (e.g. “your account is locked!”), or claim that a large transaction is being made without your knowledge, prompting you to log in quickly in order to stop it. Keep an eye out for a false sense of urgency when reading your emails.

Pay close attention, as many – but not all – of these messages might look legitimate in their graphics but may contain poor spelling and grammar or unusual language, serving to tip you off that it’s not from the real company. Make sure you read all correspondence carefully, ensuring that you have your guard up at all times.

Remember, if you receive an email or SMS message you’re unsure about, contact your institution to confirm the legitimacy of the communications before interacting.

Consumer | Cyber Security

Beware of Google Chrome extensions hiding advertising fraud

By Darren Pauli March 4, 2020

Up to 1.7 million people have installed Google Chrome extensions that security researchers have found hide complex advertisement fraud, phishing, and malware networks.

Extensions and plug-ins give Chrome and other browsers third-party functionality such as the ability to easily save web pages, find discount coupons, and share content to social media. Malicious code hidden in extensions and plugins inevitably slips past security checks run by major browser developers including Google and Mozilla.

Independent security researcher Jamila Kaya, together with Duo Security hacker Jacob Rickerd, found 500 extensions on Google’s marketplace that hid complex, highly dynamic advertising networks that siphoned data and slung malware behind a veneer of retail promotions.

Victims are bounced rapidly between as many as 30 advertisements in a manner designed to defraud legitimate advertisers who pay for consumer views. Some of these bounces, or redirects, ultimately land victims on phishing pages or domains that contain malware.

“A large portion of these [networks] are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy,” the researchers said.

“Some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site.”

Extensions and plugins have long been regarded with suspicion in security circles. Thousands have been found littered with dangerous vulnerabilities that expose otherwise secure browsers, revealed to have dubious privacy and data handling policies, or caught outright stealing user data.

The browser additions also often decrease the performance of browsers.

Kaya and Rickerd said their work demonstrated the “increasing real-world risk of Chrome extensions” and urged users to regularly audit their extensions and remove those they no longer use or recognise.

“Being more mindful and having access to more easily accessible information on extensions can help keep both enterprises and users safe,” they said.

Google thanked the researchers and said it will use the extension violations to train its security tools and teams.

Cyber Security | Enterprise

The unassuming threat of IoT devices in Australian workplaces

By Gerhard Loots February 21, 2020

When thinking of objects in a business that pose a data security risk, a fridge or fish tank wouldn’t likely come to mind.

IoT continues to grow more and more ubiquitous, fuelled by the promise of greater efficiency and advanced insight. The idea of a cyber-attack may prompt images of server rooms being hacked or company laptops being stolen, but the reality is that, with the rise of IoT-connected devices, mundane objects pose one of the biggest risks for businesses’ IT security.

A recent 2019 Report explores key issues in data security and has identified the huge threat that the growth of IoT poses to businesses of all kinds. With an estimated 29 billion connected devices by 2022, it is imperative we understand the problem that these devices pose.

The weakest link

Through the research it became clear the number one challenge for security professionals for 2019 continues to be detecting and responding to incidents in a timely fashion. This is complicated by the increasingly important task of managing the impact of new technologies such as IoT. The report found that Australian businesses are failing to improve their security, with 89 per cent having had breaches go undetected, up 12 per cent since 2018. These new technologies are being neglected; the Security Report noted only 43 per cent of Australian businesses are currently protecting their IoT security.

With the prevalence of cyber security attacks, the focus is on well-established aspects of security that seem more dangerous. From pacemakers in hospitals to vehicles in fleets and the company watercooler, more and more ordinary objects are being outfitted with IoT capabilities. As this technology continues to disrupt industries, the mad sprint to stay connected is arriving at the expense of security.

In 2016 we saw this play out in spectacular fashion with the Mirai botnet. This botnet took a huge toll on internet access on the East Coast of the United States. The culprit of this unprecedented outage was simple – IoT-enabled cameras. In a similar incident in 2017, a North American casino was hacked through its IoT-connected fish tank. While having access to a fish tank may initially seem like an absurd threat, it is through these unassuming objects that cyber criminals are able to successfully infiltrate other businesses’ critical systems. A study by Qualys, referenced in the Cisco 2018 Annual Cybersecurity Report, found that 83 per cent of IoT devices now carry critical vulnerabilities and this weakness is an open door for an attack.

Mind the gap

A key reason this figure is so high is that external vendors are often needed to update devices. In many cases, there are no clear indications of who is responsible for securing IoT-connected objects. As more devices and ‘things’ connect to the internet, managing potential backdoor breaches frustratingly grows in importance and equally in difficulty.

Many businesses fail to realise a high proportion of internet-enabled devices are sold without in-built security. Some even lack an operating system that can support the installation of security software. Gaping vulnerabilities are often built-in weaknesses known as ‘backdoors’ that allow remote access maintenance, as well as stock passwords that are readily available online. Consequently, criminals can easily install malware on these devices and program them for future use or enlist them in a global army of bots with minimal investment. To make matters worse, the recent 2019 Report revealed 22 per cent of APAC organisations either don’t have or don’t know if they have an incident response plan to address breaches.

Update required

One example of how these issues are being addressed at the federal level is in the UK. The UK government recently introduced new laws to curb this issue of IoT device security. The new regulations will introduce IoT guidelines for manufacturers of connected devices, with a mandatory labelling system to determine the security level of an IoT-enabled device. If an item falls short of these standards, it may be prohibited from sale. Regulation of this kind represents a big step forward in managing IoT security and has the potential to set a global precedent.

IoT devices are on average more vulnerable than traditional IT endpoints. To beef up IoT security, companies should look to employ basic endpoint security features like anti-malware, intrusion prevention and antivirus to secure networks against the barrage of attacks. Another option is device authentication for IoT devices. Digital certificates or two-factor authentication ensure nobody can gain unauthorised entry to a device. Endpoint hardening can even be as easy as upgrading a product or deploying basic security patches, as many devices are built totally unpatched. Connected devices bring numerous benefits and are a necessary tool for businesses to succeed in the future marketplace. Businesses need to ensure they are vigilant in monitoring devices coming into the workplace and understanding how secure they really are.


This article first appeared on CSO Australia Online in January 2020.