Cloudflare has launched a new web security offering to prevent Magecart-style attacks. 

Magecart is an umbrella term used to describe JavaScript-based, card-skimming attacks. Legitimate websites and e-commerce platforms containing vulnerabilities — such as in a back-end content management system (CMS) or third-party script dependencies — are exploited, JavaScript code is embedded in e-commerce-related pages, and then any payment card information submitted to these pages is harvested and sent to attackers. Countless companies have, and continue to, fall prey to Magecart attacks. Past victims include British Airways, Ticketmaster, Newegg, and Boom! Mobile.  “These attacks are challenging to detect because many application owners trust third-party JavaScript to function as intended,” Cloudflare says. “Because of this trust, third-party code is rarely audited by the application owner. In many cases, Magecart attacks have lasted months before detection.” To combat this issue, on Thursday, Cloudflare debuted Page Shield, a client-side security solution.  The Script Monitor feature, included in Page Shield, checks third-party JavaScript dependencies and records any new additions over time.  Script Monitor, currently in Beta and found under the Firewall section of customer dashboards, also adds a Content-Security-Policy-Report-Only header to content passing through Cloudflare’s network. 

When JavaScript attempts to execute, browsers will send reports back to the company which are checked to see if there are any new changes — and then customers are alerted so customers can “investigate and determine whether the change was expected,” Cloudflare says.  The company is also working with cybersecurity partners to obtain Magecart JavaScript samples. Eventually, it is hoped that Page Shield will be accurate enough to alert clients when dependencies appear to be malicious.  Business and Enterprise customers can now sign up to access the Page Shield closed beta. Earlier this week, the company introduced Cloudflare Browser Isolation, a zero-trust browser system for protecting the remote workforce — and the organizations they work for — from threats by creating a gap between active browsing sessions and end-devices.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Stefan Schranz
The personal and health information of more than 16 million Brazilian COVID-19 patients has been leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub this month.

Among the systems that had credentials exposed were E-SUS-VE and Sivep-Gripe, two government databases used to store data on COVID-19 patients.
E-SUS-VE was used for recording COVID-19 patients with mild symptoms, while Sivep-Gripe was used to keep track of hospitalized cases.
The two databases contained sensitive details such as patient names, addresses, ID information, but also healthcare records such as medical history and medication regimes.
The leak came to light after a GitHub user spotted the spreadsheet containing the passwords on the personal GitHub account of an employee of the Albert Einstein Hospital in the city of Sao Paolo.
The user later notified Brazilian newspaper Estadao, which analyzed the data and notified the hospital and the Brazilian Ministry of Health.
Estadao reporters said that data for Brazilians across all 27 states was included in the two databases, including high profile figures like the country’s president Jair Bolsonaro, the president’s family, seven government ministers, and the governors of 17 Brazilian states.

The spreadsheet was ultimately removed from GitHub while government officials changed passwords and revoked access keys to resecure their systems.
Since the onset of the COVID-19 pandemic, several governments and government contractors have had problems securing their COVID-19-related apps and databases.
Vulnerabilities and leaks were discovered in COVID-19 apps and systems used in Germany [1, 2], Wales, New Zealand, India, and others.
According to research published by Intertrust this September, around 85% of COVID-19 contact tracing apps leak data in one way or another. More

Image: Getty Images Cybersecurity professionals are “reaching their breaking point” as ransomware attacks increase and create new risks for people and businesses. A global study of 1,100 cybersecurity professionals by Mimecast found that one-third are considering leaving their role in the next two years due to stress and burnout. The report found that rising rates […] More

Legislation will enter Parliament later this year that will allow non-government entities to provide digital identification services to Australians.The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post in 2019.myGovID and the Australia Post Digital ID are essentially just forms of digital identification that then allow the user to access certain online services, such as the government’s online portal myGov.The digital identity system is touted by the government as a simple, safe, and secure way to verify identity online, as well as one allowing for better interaction with government services. But it also believes digital ID can “enable innovative digital sectors of the economy to flourish”.See also: More privacy conscious and not Australia Card 2.0: DTA defends digital identity playWhile the DTA has developed the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity, it is a set of rules that only Australian government entities can follow — it can’t be applied to states and territories, or to the private sector. This is why legislation is required.”It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider,” DTA CDO Peter Alexander said during Senate Estimates in October. “So individuals and businesses dealing with the Australian government and national services will be able to make a choice.”

Instead of listening to researchers recommending the Australian government abandon its existing digital identity system and start again from scratch, after highlighting again security flaws in two of the systems already accredited, the government has opened a second round of consultation, this time on the development of legislation.Highlighting eight “key” elements, the government wishes to discuss with those interested in the structure of the legislation, scope and interoperability of the system, governance, privacy and other consumer safeguards, trustmarks, liability and redress options, penalties and enforcement, and the administration of the scheme.The purpose of the legislation, the government states [PDF], is to allow for independent oversight of the system, by formalising the powers and governance arrangements of the oversight authority; enable expansion of the system to state and territory governments and the private sector; provide privacy protections, consumer safeguards, and security requirements to build trust in the system; provide for a legally enforceable set of rules that set the standards for participating in the Digital Identity system, including the TDIF rules; and allow for entities to be TDIF accredited for their activities whether they are on the system or not.It is expected the legislation will consist of primary legislation with privacy and consumer safeguards and rules and policies, including accreditation standards. The government believes the legislation will leverage existing laws, not duplicate them.The legislation, it said, will have a “clearly defined scope”.It said the legislation will not limit a person to having one digital identity with one provider, nor will it be intended to regulate all digital identities and digital identity systems. It said entities decide whether they will use the system or provide services on the system.The legislation will also require entities generating, transmitting, managing, using, and reusing digital identities to provide a “seamless user experience with the digital identity system”.Rules will be enforced by the oversight authority and Information Commissioner. The oversight authority will be extended powers to suspend or revoke accreditation and access to the system, and issue directions for remedial action to address a breach.On privacy and consumer safeguards, the legislation is hoping to “protect personal information” and “ensure accessibility” for all.It will prohibit the creation of a single identifier used across the system and all government services and create a voluntary system giving users the right to create and use a digital identity, including the right to deregister and not use a digital identity at any time.It will require individuals to expressly consent before their attributes are shared with a relying party.With the DTA flagging previously its biometric testing with regards to the digital ID, the legislation is expected to limit the system to one-to-one biometric matching only and prohibit anyone other than those involved in proofing or authentication from collecting or using biometric information. It will also aim to prevent biometric information being sent to third parties not required to perform or proofing or authenticate a person and require biometric information to be deleted once it has been used for its intended purpose. However, the legislation will contain a caveat to allow users to consent to their biometric information being accessed for fraud or security investigations.The government is hoping to also prevent “data profiling”.Must read: Human Rights Commission calls for a freeze on ‘high-risk’ facial recognition”Prohibit the collection, use, and disclosure of information about a user’s behaviour on the system except to verify their identity, assist them to receive a digital service, allow them to view their own behaviour (for example, a dashboard), or support identity fraud management,” the government writes.It will also enforce record-keeping of metadata and activity logs for a minimum seven years to maintain the system’s integrity, and to allow for fraud or criminal investigations. With talk around the digital ID’s use in verifying an individual is of age before accessing online services such as pornography, the legislation will set a minimum age of 15 years for the use of a digital identity.Meanwhile, a liability and redress framework will aim to ensure accredited participants are not liable for loss or damage suffered “provided they were acting in good faith, and complied with the legislative rules and requirements relating to the system”.It will also establish a mechanism available to users affected by a cybersecurity incident, identity theft, inappropriate disclosure of information, or system failure.Submissions to the consultation close 15 July 2021.Elsewhere in Canberra, the government has funded an additional 51 projects, totalling AU$27 million, in the latest round of the Regional Connectivity Program (RCP).The funding contributes to co-funding from the applicant, and from other levels of government, as well as industry and other organisations. The first tranche of the RCP funded, in theory, 81 projects.The program, previously pinned at AU$60 million available, formed part of the government’s response to the 2018 Regional Telecommunications Review.”The federal government’s total contribution of AU$117.4 million (GST inclusive) towards round 1 RCP projects will deliver total new investment of more than AU$232 million (GST inclusive) together with co-contributions from the funding recipients, state and territory governments and other third parties, including local governments, regional businesses, and community development organisations,” a statement from Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher and Minister for Regional Health, Regional Communications and Local Government Mark Coulton said.HERE’S MORE ON DIGITAL IDResearchers want Australia’s digital ID system thrown out and redesigned from scratchResearchers find myGovID is subject to an easily-implemented code proxying attack, while the digital identity solution from Australia Post does not possess a fundamental requirement for accreditation.Minister says law enforcement to be denied access in new digital ID legislationAlso flags privately-owned PharmacyID and payments company Eftpos as eager to provide identity services once the Bill becomes law.Canberra considers its digital ID for use in verifying age before accessing pornThe Australian government has said the Digital Transformation Agency is well placed to explore extending the digital identity program to online age verification to access things such as pornography. More

Costco has confirmed a card skimming attack that forced them to send out notification letters to victims last week. In a statement to ZDNet, the global retail giant said that in August, they discovered five card skimmers on payment card devices in four of their Chicago-area warehouses. 

“We promptly removed the skimmers, notified law enforcement, and engaged a forensics firm to analyze the devices,” a Costco spokesperson said. “It appears that these skimmers had the ability to capture information on the magnetic stripe of a payment card, including name, card number, expiration date, and CVV. We identified the members who conducted swipe payment card transactions on the affected devices during the relevant time period and notified them individually. We also offered them complimentary credit monitoring and identity theft-related services,” the company added.  The spokesperson said less than 500 customers were affected by the situation and that all of the customers were notified by letter on November 5.The company believes the attack took place in August but did not answer questions about how long they believe the card skimmers were active. Costco inspectors did not find similar card skimmers at any other locations, according to their spokesperson. Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

Multiple people from across the globe took to social media over the past few weeks to complain about fraudulent charges tied to their Costco credit cards or accounts. Others said they began to see the charges after using their cards at Costco locations, particularly Costco gas stations. “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!”The letter Costco sent to the hundreds of victims they believe were affected by the card skimming attack advises the victims to call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services which include 12 months of credit monitoring, a $1 million insurance reimbursement policy, and ID theft recovery services. More