Australia’s electoral body has launched a new disinformation register to debunk misleading and deceptive information about how elections are run, in order to protect the integrity of the country’s upcoming federal election.

The register comes in response to an uptick in election conspiracy theories circulating online in recent months, as this is a federal election year. According to the Australian Electoral Commission (AEC), the disinformation register is a regularly updated database of examples of disinformation and misinformation that have circulated online from late 2021 onwards.

The AEC explained that each piece of disinformation it discovers will be presented in the register along with the platform it spread on, the timing, the factual information on the matter, and the actions the commission took to correct the record.

“We’re not messing around,” AEC chief Tom Rogers said. “The Australian vote belongs to all Australians and there is freedom of political communication. However, if you spread incorrect information about the processes we run — deliberately or otherwise — we’ll correct you.”

Image: examples of disinformation flagged in the AEC disinformation register (Australian Electoral Commission).
Examples of disinformation already added to the register include claims that people will only be eligible to vote if they are fully vaccinated and that pencil marks are erased during counting. Both claims are false, the register states.

Beyond the register, the AEC has been working more closely with social media platforms to remove election misinformation and disinformation quickly. As part of this, all major social media platforms have given “assurances” that they will allocate more resources to monitoring election disinformation and misinformation ahead of the federal election.

“For this election, we’re getting assurances from all of them that they will be expanding their hours of service, including having not just expanded hours of service here in Australia but then actually having staff in other parts of the world so that they can try and get as close to 24/7 coverage — so they’re not confined by the business hours of the staff here in Australia,” deputy electoral commissioner Jeff Pope said last month.

Microsoft has revealed it has awarded security researchers $13.7m for reporting bugs in Microsoft software since July last year.

Microsoft’s bug bounties are one of the largest sources of financial rewards for researchers who probe software for flaws and, importantly, report them to the vendor rather than selling them to cybercriminals on underground markets or to exploit brokers who resell them to government agencies.
The Redmond company has 15 bug-bounty programs through which researchers netted $13.7m between July 1, 2019 and June 30, 2020. That figure is triple the $4.4m it awarded in the same period the previous year.
“The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude,” said members of the Microsoft Security Response Center in a blogpost.
Flaws reported to Microsoft and other vendors via bug bounties can help reduce the number of so-called zero-day exploits that attackers can use to compromise systems before a vendor supplies a security patch to block them. Providing patches to users also helps protect systems from attacks after the vulnerability has been disclosed.

Microsoft’s total annual bug-bounty payouts are now much larger than Google’s awards for security flaws in its software, which totaled $6.5m in calendar year 2019. That figure was double the previous year’s payouts from the ad and search giant, which called it a “record-breaking year”.
Microsoft’s larger expenditure on bug-bounty payouts could be justified, according to new data released by Google’s bug hunting squad, Google Project Zero or GPZ.
GPZ this week revealed that 11 zero-day vulnerabilities were exploited in the wild in the first half of the year. Such exploits are rare relative to the volume of fixes: Microsoft patched 115 vulnerabilities in March alone. Yet Microsoft software accounted for four of the 11 exploits Google found in use in the wild in 2020.

The Microsoft flaws included the Internet Explorer bug CVE-2020-0674, which Microsoft patched in February, and three Windows memory-corruption bugs that were exploited before Microsoft released fixes for them this year.
In 2019, according to GPZ statistics, 11 of the 20 zero-days under attack that year affected Microsoft products, which was much higher than exploited zero-days from any other vendor, including Google.
However, Google noted that there was detection bias towards Microsoft because there are more security tools specialized in detecting Windows bugs.
Microsoft says the higher total payouts this year reflect the launch of six new bounty programs and two new research grants, which attracted more than 1,000 eligible reports from over 300 researchers.
Microsoft also suggests COVID-19 social distancing prompted an uptick in security research activity.
“Across all 15 of our bounty programs we saw strong researcher engagement and higher report volume during the first several months of the pandemic,” Microsoft said.
The bounty programs Microsoft launched during the period included:
Microsoft Dynamics 365 Bounty Program, launched July 2019
Azure Security Lab, launched August 2019
Microsoft Edge on Chromium Bounty Program, launched August 2019
Election Guard Bounty Program, launched October 2019
Xbox Bounty Program, launched January 2020
Azure Sphere Security Research Challenge, launched May 2020

Updates have been released for UpdraftPlus, a WordPress backup plugin with over 3 million installations, after security researcher Marc Montpas discovered a vulnerability in it.

In a blog post, the Wordfence Threat Intelligence team explained that the vulnerability allows any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, the WordPress security company noted: they frequently include configuration files that can be used to access the site database, as well as the contents of the database itself.

The researchers examined the patch and were able to create a proof of concept. In the original version of its post, Wordfence said the attacker would need to begin the attack while a backup was in progress and would need to guess the appropriate timestamp to download it. The post was later updated to say Wordfence had found it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”

UpdraftPlus patched the vulnerability on Thursday in version 1.22.3 and urged users to check that their sites are running the latest version.

“UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained.

“The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”

The company said the issue revolves around the UpdraftPlus_Options::admin_page() === $pagenow check. According to Wordfence, attackers can fool the $pagenow check into thinking the request is to options-general.php, while WordPress still sees the request as going to an allowed endpoint, admin-post.php.

Wordfence added that to exploit the vulnerability, the attacker needs an active account on the target site. “As such it is likely only to be used in targeted attacks. The consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database,” Wordfence said. “As such we urge all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, if you have not already done so, since the consequences of a successful exploit would be severe.”

Netenrich’s John Bambenek told ZDNet that WordPress is one of the largest backends of websites on the Internet, and that its security problems stem from its vast ecosystem of plugins, written by everyone from capable developers to hobbyists. “Access to the backups and database will likely first be used for credential theft but there are many possibilities for attackers to take advantage of the information,” Bambenek said.

Vulcan Cyber engineer Mike Parkin suggested creating a firewall rule to mitigate this vulnerability until the patch is applied.
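The two checks a site operator would want from the story above, as an added example rather than UpdraftPlus, WordPress or Wordfence code: a version test against the 1.22.3 fix, and a request-level rule of the kind Parkin suggests, which blocks heartbeat requests carrying a data[updraftplus] parameter unless they come from a user who is allowed to manage backups. It assumes the heartbeat endpoint is wp-admin/admin-ajax.php with action=heartbeat (standard WordPress) and, because the page does not name the subparameters, matches any key under the data[updraftplus] prefix. The requests are constructed samples, and the admin-only policy is a choice made here, not something the advisory prescribes.

```python
"""Added example (not UpdraftPlus, WordPress or Wordfence code): a version check
against the 1.22.3 fix and a stopgap request rule for the heartbeat vector.

Assumptions: heartbeat endpoint is wp-admin/admin-ajax.php with action=heartbeat;
any data[updraftplus] or data[updraftplus][...] key counts as the attacker's
parameter; only administrators (an assumption) may send such requests.
All sample requests below are constructed, not captured from a real site."""
import re
from urllib.parse import parse_qs

# Fixed release named in the advisory; anything older needs the update.
PATCHED_VERSION = (1, 22, 3)


def parse_version(version):
    """'1.22.2' -> (1, 22, 2); tolerates suffixes such as '1.22.2-beta'."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_update(installed):
    """True when the installed UpdraftPlus version predates the fix."""
    return parse_version(installed) < PATCHED_VERSION


def heartbeat_carries_updraftplus(method, path, body):
    """True for a POST to the heartbeat endpoint whose form body contains
    data[updraftplus] or any nested data[updraftplus][...] field."""
    if method.upper() != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes %5B / %5D brackets
    if params.get("action") != ["heartbeat"]:
        return False
    return any(k == "data[updraftplus]" or k.startswith("data[updraftplus][")
               for k in params)


def firewall_verdict(request, is_admin):
    """Stopgap rule: UpdraftPlus data in a heartbeat is only accepted from users
    who may legitimately manage backups (administrators here). This narrows who
    can reach the vulnerable code path but is not a substitute for 1.22.3."""
    if heartbeat_carries_updraftplus(request["method"], request["path"],
                                     request["body"]) and not is_admin:
        return "block"
    return "allow"


# Constructed sample traffic.
SUBSCRIBER_PROBE = {
    "method": "POST",
    "path": "/wp-admin/admin-ajax.php",
    "body": "action=heartbeat&_nonce=abc123&data%5Bupdraftplus%5D%5Bx%5D=1",
}
NORMAL_HEARTBEAT = {
    "method": "POST",
    "path": "/wp-admin/admin-ajax.php",
    "body": "action=heartbeat&_nonce=abc123&data%5Bwp-auth-check%5D=true",
}

if __name__ == "__main__":
    print("1.22.2 needs update:", needs_update("1.22.2"))                  # True
    print("subscriber probe:", firewall_verdict(SUBSCRIBER_PROBE, False))  # block
    print("normal heartbeat:", firewall_verdict(NORMAL_HEARTBEAT, False))  # allow
```

The rule deliberately keys on the parameter prefix rather than on a specific subparameter, so it survives small variations in the payload; the cost is that a legitimate UpdraftPlus heartbeat from a non-admin user would also be blocked, which is acceptable for a temporary mitigation.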
The parents of two teenagers allegedly responsible for stealing $1 million in Bitcoin are being sued.
According to court documents obtained by Brian Krebs, Andrew Schober lost 16.4552 BTC in 2018 after his computer was infected with malware, allegedly the creation of two teenagers in the United Kingdom. The complaint (.PDF), filed in Colorado, accuses Benedict Thompson and Oliver Read, who were minors at the time, of creating clipboard malware. The malicious software, designed to watch for cryptocurrency wallet addresses, was downloaded and unwittingly executed by Schober after he clicked a link, posted to Reddit, to install the Electrum Atom cryptocurrency application. When Schober transferred Bitcoin from one account to another, the malware intercepted the transaction in man-in-the-middle fashion, apparently replacing the destination address with one controlled by the teenagers and thereby diverting the coins into their wallets. According to court documents, this amount represented 95% of the victim’s net wealth at the time of the theft. At today’s price, the stolen Bitcoin is worth approximately $777,000. “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family,” the complaint reads.

The pair, tracked down during an investigation paid for by Schober, are now adults studying computer science at UK universities. The mothers and fathers of Thompson and Read are named in the complaint. Emails were sent to the parents before the complaint was filed, requesting that the teenagers return the stolen cryptocurrency to avoid legal action. The letter reads, in part: “As his parents, I am appealing to you to first give him the chance to make this right, without involving law enforcement. Your son is obviously a very intelligent young man. I do not wish for him to be robbed of his future.” However, the requests, sent in 2018 and 2019, were met with silence.

Schober’s complaint claims that the parents “knew or reasonably should have known” what their children were up to, and that they also failed to take “reasonable steps” to prevent further harm. In their response (.PDF), the defendants do not contest the allegations but have instead moved to dismiss on the basis of two- and three-year statutes of limitation. “Despite his knowledge of his injury and the general cause thereof, Plaintiff waited to file his lawsuit beyond the two and three years required of him by the applicable statutes of limitations,” court documents say. “For this reason, Plaintiff’s claims against Defendants should be dismissed.” However, Schober’s legal team has argued (.PDF) that the teenagers were not identified immediately, and that roughly a year passed between identifying Read and identifying Thompson. Schober’s lawyers have asked that the motion to dismiss be denied.
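The mechanism the complaint describes, as an added example that is not the malware in the case nor Electrum code: an in-memory clipboard, a "clipper" hook that swaps any Bitcoin address written to it, and the one check that catches the swap, comparing the pasted address in full against the one shown at the source. The addresses are constructed placeholders that merely look like mainnet addresses. The hook goes a step beyond the page by choosing, from a pool of attacker addresses, the one sharing the longest prefix with the victim's; that is a behaviour of some clipper families in general and is not something the complaint attributes to this particular malware.

```python
"""Added example (not the malware from the complaint, nor Electrum code): a
simulated clipboard, a clipper hook that swaps Bitcoin addresses, and a guard.

Assumptions: addresses below are constructed placeholders, not real wallets;
prefix-matched pool selection is a generic clipper technique, not something the
page says this malware did."""
import re

# Mainnet address shapes: P2PKH (1...) and P2SH (3...) in base58, bech32 (bc1...).
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")


class Clipboard:
    """In-memory stand-in for the OS clipboard. A clipper registers a hook that
    runs on every write, which is what polling the real clipboard amounts to."""

    def __init__(self):
        self._text = ""
        self.hooks = []

    def copy(self, text):
        self._text = text
        for hook in self.hooks:
            self._text = hook(self._text)

    def paste(self):
        return self._text


def _common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def make_clipper(attacker_pool):
    """Build the hook: every address-shaped token is replaced by the attacker
    address sharing the longest prefix with it, so a glance at the first few
    characters still looks right."""
    def swap(match):
        seen = match.group(0)
        return max(attacker_pool, key=lambda addr: _common_prefix_len(addr, seen))

    return lambda text: BTC_ADDRESS.sub(swap, text)


def verified_paste(clipboard, source_address):
    """Defence: compare the pasted address, in full, with the one displayed at
    the source (invoice, exchange page, QR code). Raise rather than sign."""
    pasted = clipboard.paste()
    if pasted != source_address:
        raise ValueError(
            f"clipboard changed the address: wanted {source_address}, got {pasted}")
    return pasted


# Constructed addresses (placeholders, not real wallets).
VICTIM_DEST = "1VictimAddrRentPaymentConstructedQ"
ATTACKER_POOL = [
    "3SimAttackerAddrConstructedPHxcQ7",
    "1VicAttackerPickedEntryConstructedX",
]


def demo():
    """Copy the intended destination on an infected machine; return what pastes."""
    infected = Clipboard()
    infected.hooks.append(make_clipper(ATTACKER_POOL))
    infected.copy(VICTIM_DEST)
    return infected.paste()


if __name__ == "__main__":
    print("pasted on infected host:", demo())   # the "1Vic..." attacker address
    clean = Clipboard()
    clean.copy(VICTIM_DEST)
    print("guard on clean host:", verified_paste(clean, VICTIM_DEST))
```

Checksums do not help here, since the substituted address is itself valid; only a full comparison against the address at its source, or a wallet that displays and confirms the destination out of band, catches the swap.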
In a report published today, cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an. Lookout’s 52-page report [PDF] details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western […]