ZDNETAmazon has partnered with Microsoft to bring the Xbox app to the Fire Stick TV 4K Max. And with this Prime Day bundle deal More

Three weeks after Google released the May 2021 Android security update, the Google Project Zero team has revealed that four of the vulnerabilities patched were already under attack. “There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” Google said in a note on its May 2021 bulletin, which was published on May 1.  SEE: Network security policy (TechRepublic Premium)Google Project Zero security researcher Maddie Stone flagged that these were zero-day or previously unknown flaws in a tweet. The four flaws affect Qualcomm’s GPU (CVE-2021-1905, CVE-2021-1906) and the Arm Mali GPU (CVE-2021-28663, CVE-2021-28664). 

Android has updated the May security with notes that 4 vulns were exploited in-the-wild. Qualcomm GPU: CVE-2021-1905, CVE-2021-1906ARM Mali GPU: CVE-2021-28663, CVE-2021-28664https://t.co/mT8vE2Us74— Maddie Stone (@maddiestone) May 19, 2021

As Project Zero notes in its “0day ‘in the wild'” spreadsheet, the Arm bugs allow an attacker to write to read-only memory in the Mail GPU and a use-after-free memory flaw in the GPU. The Qualcomm bugs include improper error handling and a use-after-free flaw in the GPU.  Google copped flack from security reporter Dan Goodin for saying the bugs “may be under limited, targeted exploitation” because it was “vague to the point of being meaningless”. 

Shane Huntley from Google’s Threat Analysis Group (TAG), who in November revealed three zero-day flaws in Apple’s iOS, defended Google’s phrasing, highlighting that Google doesn’t always have the information at hand to say whether a vulnerability is under attack. TAG also discovered and disclosed the zero-day flaws in Apple’s WebKit browser that prompted Apple to issue the emergency iOS 14.4.2 update in March. Apple even updated older iOS devices to version 12.5.2 to address those issues.

Google I/O 2021

“I understand the frustration sometimes that people aren’t always getting the IOCs and details they want but I can maybe shed a little more light here,” he wrote, referring to indicators of compromise (IOC).  “Firstly not all “In The Wild” reports mean that we know exactly the target set. “In The Wild” could mean that the exploit was discovered on the black market or a hacker forum or reported to us from a source that wished to remain anonymous. In those cases the IOCs or targeting isn’t available or known.SEE: This malware has been rewritten in the Rust programming language to make it harder to spot”We strongly believe that there’s a difference between exploits found ourselves or reported through coordinated disclosure and ones we know to be in the hands of attackers. Flagging the latter helps with prioritization.”We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can.”Qualcomm says in its advisory that CVE-2021-1905 was reported to on 17 November 2020 and rates it as a high-severity flaw. CVE-2021-1906 is a medium-severity flaw reported to it on 7 December 2020.  The flaws affect an enormous number of Qualcomm chipsets but require local access to be exploited, according to the chip maker. Samsung only yesterday started rolling out the May 2021 Android security patch to flagship Galaxy S21 phones, as Sammobile reports. But Samsung’s hugely popular A-series smartphones have not received this update yet. More

Service NSW has revealed that the personal information of 186,000 customers was stolen because of a cyber attack earlier this year on 47 staff email accounts.  
Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, which compromised of 3.8 million documents, was stolen from the email accounts.
The one-stop-shop agency assured, however, there was no evidence that individual MyServiceNSW account data or Service NSW databases were compromised during the cyber attack.
“This rigorous first step surfaced about 500,000 documents which referenced personal information,” Service NSW CEO Damon Rees said.
“The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications.
“Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.
“We are sorry that customers’ information was taken in this way.”
Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia  
Service NSW said it would now progressively notify affected customers by sending personalised letters via registered post containing information about the data that was stolen and how they could access support, including access to an individual case manager to help with possibly replacing some documents. The agency expects to complete notifying customers in December.
“Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach,” Rees said.
Service NSW also revealed that NSW Police is currently carrying out an investigation into the incident, which has been labelled as a “criminal attack”. 
A review by the NSW auditor-general into Service NSW’s cybersecurity defences, practices, systems, and education is also underway.
Service NSW said in light of the incident, it has added additional security measures to protect against future attacks, such as partnering with IDCare that will provide the agency with additional “cyber support”.
“We have accelerated our cybersecurity plans and the modernisation of legacy business processes to keep customer information as safe as possible,” it said.  
Last week, it was revealed information on thousands of New South Wales driver’s licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open. 
Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.  
In June, the New South Wales government committed AU$240 million to bolster the government’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce. 
Alongside this, the state government announced intentions to stand up a sector-wide cybersecurity strategy and is calling for industry submissions to help shape it. 
“The 2020 NSW Cyber Security Strategy will ensure the NSW government continues to provide secure, trusted, and resilient services in an ever-changing and developing environment,” Minister for Customer Service Victor Dominello said.
“The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens.”
Related Coverage
NSW pledges AU$60m to create cyber ‘army’
As part of the New South Wales government’s AU$240 million commitment to all things cyber.
New South Wales to implement sector-wide cybersecurity strategy
With help from industry, the new document will supersede the 2018 strategy.
Australian government pledges 10-year, AU$1.35 billion cyber kitty
AU$470 million will be used to create 500 cyber-related jobs within the Australian Signals Directorate. More

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended for the Bill that would provide government with step-in powers whenever an organisation suffers from a cyber attack to be swiftly passed.”The committee received compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally. Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said.The Bill in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, as currently drafted seeks to provide government with powers to step in and provide “assistance” to entities in response to significant cyber attacks on Australian systems, create enhanced cybersecurity obligations for those entities most important to the nations, and introduce sector-specific positive security obligations (PSO) for critical infrastructure entities.The PJCIS noted in an advisory report [PDF], however, that only portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements should be passed, with the “less urgent” aspects of the Bill to be introduced under a second, separate Bill following further consultation.The PJCIS believes this two-step approach would enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provide long-term security for the country’s critical infrastructure.Along with this main recommendation, the advisory provided other recommendations detailing how the Bill should be split.The powers that the PJCIS wants to see passed immediately are the government assistance mechanisms, colloquially termed as “last resort” powers, which entail giving government powers to direct an entity to gather information, undertake an action, or authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks. This also includes the proposal for software to be installed that the Department of Home Affairs claims would aid providers in dealing with threats.

It also wants one of the PSOs in the current Bill, which seeks to require organisations to formally notify government if they experienced a cyber attack, to be immediately passed.While the PJCIS supports the introduction of the “last resort” powers, tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with them, saying more clarity is needed regarding how and when those powers can be exercised.Meanwhile, Google believes the assistance mechanisms would only provide more problems.”I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it’s not going to help the solution and it’s not going to help the problem at hand,” Google threat analysis group director Shane Huntley said in July.    “The committee acknowledges that affected entities will still have reservations with the enablement of the assistance measures, especially within the technology sector. However, the committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer,” the committee wrote in response to those concerns.Among the less urgent powers that the PJCIS would like to see introduced in a later Bill are the enhanced cybersecurity obligations and remaining PSOs in the current Bill. These PSOs are adopting and maintaining an all-hazards critical infrastructure risk management program, and providing ownership and operational information to the Register of Critical Infrastructure Asset.The PJCIS said this second Bill should be drafted through consultation with industry.Since the Bill’s introduction into Parliament at the end of last year, the Department of Home Affairs has repeatedly requested for it to be rushed through, saying the sector-specific rules could be nutted out later.MORE ON THE BILL More

Jason Hiner/ZDNETFollow ZDNET: Add us as a preferred source More