Image: Getty Images
The federal government’s big-ticket tech item in last night’s annual Budget was its proposed AU$9.9 billion injection into Australia’s cybersecurity and intelligence capabilities. Chief among the objectives of that injection would be the creation of 1,900 jobs at the Australian Signals Directorate (ASD) over the next decade.While Australia’s tech industry has welcomed the increased cybersecurity spending, it’s unclear whether those jobs can be filled due to Australia’s digital skills shortage, RMIT University cybersecurity professor Matt Warren told ZDNet. Due to the ASD being a government agency, only Australian citizens can be hired for these new jobs, which means the federal government and Australian organisations need to develop talent with sovereignty in mind to fill these roles.”A key issue is that only Australian citizens can work for the Commonwealth and with the current cyber security skills shortage, it may be difficult to fill the 1,900 new security roles,” Warren explained.”In terms of how the cyber industry works, they poach off each other — so industry poaches off government. So I think part of the discussion is how to develop cybersecurity skills into the future from a sovereignty perspective.”Read more: Australian Budget 2022 delivers AU$9.9 billion for spicy cyberLast week, Australian Prime Minister Scott Morrison made similar remarks, warning organisations about the need to prioritise trust over costs and efficiency when it comes to cybersecurity.”We see that in the most terrible events, whether it’s in Ukraine or the stresses that are being placed on our own country here in the Indo-Pacific, when it comes to your data security you’ve got to be dealing with someone you trust and so words like sovereign really mean something,” Morrison said last Friday at the opening of Macquarie Telecom’s new Sydney-based data centre.According to recruitment firm Hays, survey results of nearly 3,500 organisations from last year indicated that 68% of the local technology industry is suffering from skills shortages. The findings by Hays around skills shortages in the tech sector mirrored those uncovered by Seek in 2020.With the skills shortage being a key chokepoint for filling any large influx of cyber jobs, Warren said the federal government’s next steps need to be focused on establishing a national coordinated plan for making sure Australia can develop its future cyber workforce.”What Australia needs is not just one or two initiatives,” the RMIT professor said.Cybersecurity software firm BlackBerry said Australia’s cybersecurity private sector also has a role to play in addressing the skills shortage, explaining that the growing number of cyberthreats cannot be solely alleviated by government.”As the breadth of malicious cyber activity increases, public and private sectors must work together to rapidly up-skill the Australian and invest in complementary automation, including AI/ML-driven security technologies to help security professionals protect the government and other enterprises,” said Graeme Pyper, BlackBerry APAC channels director.Depending on the upcoming federal election’s outcome, which is expected for May, the jobs announced last night may not come to fruition if the Coalition loses the federal election. Regardless of the outcome, Warren said both the Coalition and Labor parties have committed to backing increased cybersecurity spending due to the growing cyberthreat landscape around the world.”Whether there is a change in government, I don’t see the cybersecurity strategies changing in the future. Both parties are committed to protecting Australia against future security risks, whether they’re physical, cyber, or space-based,” Warren said.RELATED COVERAGE More

Apple has released security updates for macOS that patches a flaw in its privacy preferences and “may have been actively exploited”, according to Apple and which could have allowed malicious apps to record a Mac’s screen It’s a rather large update addressing 73 vulnerabilities, including one in Transparency Consent and Control (TCC) framework, which allows malware to bypass system privacy controls.  Apple addressed the TCC bypass in macOS Big Sur version 11.4.

ZDNet Recommends

“Apple is aware of a report that this issue may have been actively exploited,” it said of the bug CVE-2021-30713 affecting TCC. SEE: Network security policy (TechRepublic Premium)TCC provides the dialog prompts for security and privacy sensitive actions, such as an application recording a computer’s screen, or when giving apps access to the webcam and microphone.Security firm Jamf has posted a report on the bug and says it found the bypass being actively exploited while analyzing the XCSSET malware. “The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” it said.

In August, Trend Micro found XCSSET was targeting Mac developers via infected Xcode projects.The malware finds an app on the system and piggybacks on it, inheriting its permissions. “During Jamf’s testing, it was determined that this vulnerability is not limited to screen recording permissions either. Multiple different permissions that have already been provided to the donor application can be transferred to the maliciously created app,” Jamf noted.”The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent – which is the default behavior.”Apple also released security fixes in the iOS 14.6 update for iPhones and iPads, which included 30 security fixes.SEE: This malware has been rewritten in the Rust programming language to make it harder to spotThe UK’s National Cyber Security Centre (NCSC) contributed one vulnerability report for the bug CVE-2021-30715, which allowed a maliciously crafted message to create a denial of service on an iOS device. Apple’s May 24 updates include Safari 14.1.1, which fixes 10 security flaws that could be exploited by malicious websites.    More

Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) inside various locations of an online store for the purpose of avoiding getting detected.
Places where web skimmers have been found in the past include inside images such as those used for site logos, favicons, and social media networks; appended to popular JavaScript libraries like jQuery, Modernizr, and Google Tag Manager; or hidden inside site widgets like live chat windows.
The latest of these odd places is, believe it or not, CSS files.
Standing for cascading style sheets, CSS files are used inside browsers to load rules for stylizing a web page’s elements with the help of the CSS language.
These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more.
Web skimmer gang experiments with CSS
However, CSS is not what it was in the early 2000s. Over the past decade, the CSS language has grown into an incredibly powerful utility that web developers are now using to create powerful animations with little to no JavaScript.
One of the recent additions to the CSS language was a feature that would allow it to load and run JavaScript code from within a CSS rule.

Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.

Image: SanSec
De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.
“It was […] a fairly standard keystroke logger,” de Groot told ZDNet when we asked him to describe the code he found today.
“It seems to have been taken offline in the last hour, since our tweet,” he added.

“We found a handful of victim stores with this injection method,” the SanSec founder also told ZDNet.
“However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”
Most skimmers are invisible
But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.
“While most research concerns JavaScript skimming attacks, the majority of skimming happens on the server, where it is completely invisible,” de Groot said.
“About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process.”
As ZDNet explained in a piece on Monday about another of SanSec’s findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
Provided by some banks or online payment services, they allow shoppers to place a fixed sum of money inside a virtual debit card that expires after one transaction or a small period of time. In case the card’s details get stolen by attackers, the card data is useless once the virtual card expires. More

The UK government has criticized social media networks for not taking a stronger stance against conspiracy theories connecting the coronavirus outbreak to 5G technologies.  Conspiracy theorists claim that the next-generation wireless technology, currently being rolled out across the UK, has a detrimental impact on our health as it lowers our immune systems. As COVID-19 spreads […] More

Microsoft’s first report from its Detection and Response Team (DART), which helps customers in deep cyber trouble, details the case of a large customer with six threat actors simultaneously on its network, including one state-sponsored hacker group that had been stealing data and email for 243 days.  The company announced DART in March 2019 as […] More