Eliana Willis

The US Department of Justice (DoJ) is forming a new task force to deal with the “root causes” of ransomware.

In an internal memo, the DoJ outlines the creation of a new initiative that will bring together current efforts in federal government to “pursue and disrupt” ransomware operations.As noted by CNN, this could include the takedown of command-and-control (C2) servers used to manage ransomware campaigns, as well as the legal seizure of “ill-gotten gains” generated by such schemes.  Popular ransomware strains include Petya, Locky, Maze, and CryptoLocker. These forms of malware encrypt drives on infected machines and operators then demand a ransom payment in return for a decryption key. Depending on the victim’s worth, blackmail demands can reach millions of dollars.  Over the past year or so, double-extortion tactics have also been put into play more widely, in which sensitive data is stolen before encryption begins. If a victim refuses to pay up, they may be threatened with the leak of this information to the public.  Recent examples of these tactics include the REvil ransomware gang’s targeting of Acer and Apple supplier Quanta.  The memo added that the new task force will also reach out to private sector organizations to gain more intelligence on ransomware threats and trends. Links between ransomware operations and state-sponsored threat actors will also be examined. 

Furthermore, the federal government intends to pour more resources into training. In light of the SolarWinds breach and Microsoft Exchange Server disaster, President Biden’s administration appears to be taking cybersecurity seriously. Earlier this week, the White House revealed a 100-day plan to tackle threats to the US electricity grid.  Acting Deputy Attorney General John Carlin said 2020 was the “worst year” to date when it comes to ransomware and extortion attempts.  “If we don’t break the back of this cycle, a problem that’s already bad is going to get worse,” Carlin told the Wall Street Journal.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The Australian Information Commissioner has issued Services Australia with a notice to pay a customer AU$19,890 as atonement for breaching her privacy.The woman was in receipt of Centrelink benefits administered by the Department of Human Services, now Services Australia. At the time, she lived with her then-partner, and as such, her entitlements were calculated by taking his income into consideration as their respective online accounts were linked.”One effect of ‘linking’ records meant that if the complainant were to update her address using her online account, her partner’s address on his online account would also be updated to reflect the change, and vice versa,” the commissioner’s finding detailed. “The agency’s practice was to continue to keep such records linked unless and until it verified any claimed separation on the part of one of the linked individuals.”An Apprehended Violence Order (AVO) was taken out against the then-partner in December 2015, which the man was later imprisoned for breaching. The woman shortly after attempted to lodge a “Claim for Crisis Payment: extreme circumstance and domestic violence” form with the agency, seeking what is referred to as a crisis payment. The agency denied this claim for payment on the basis that the complainant continued to reside at the original address, that the AVO did not exclude the former partner from returning to the original address, and that the complainant was still in a relationship with the partner, the commissioner’s finding explains.A “separation details form” was then filed, but it was marked as incomplete by the agency and the woman’s details, six months later, were still not updated.

In September 2016, the woman moved to a new address and claimed that she had notified the agency of this change by attending an office in person. The following month, the new address was entered as an update to her online account and was submitted, however, the change was not processed by the agency at that time — it wasn’t until January 2017 that the agency processed the change of address.The former partner’s online account was also updated to the new address at this time.Her marital status was also finally changed to reflect she was single.Subsequently, the former partner posted a screenshot of the new address to a social media platform used by the complainant with a comment “change your myGov”, the information commissioner said.The AU$19,980 Services Australia has been asked to pay comprises AU$10,000 for non-economic loss, AU$8,000 for reasonably incurred legal expenses, and AU$1,980 for reasonably incurred expenses in preparing a medical report.The agency denies that it interfered with the woman’s privacy, but it does not dispute that it disclosed the new address to the former partner and that when it was disclosed, it amounted to the complainant’s personal information.The agency said it “was unable to accept that claim in the absence of full address details for referees who could verify the separation”.The commissioner found the agency failed to ensure the complainant’s personal information of her separation status was kept accurate and up-to-date in breach of Australian Privacy Principle (APP) 10, similarly that her address was not accurate and up-to-date. It was also found the agency’s disclosure of the complainant’s personal information to the former partner breached APPs 6 and 11.”I find that the agency has breached APP 11 by failing to take reasonable steps to protect the complainant’s personal information, being her new address, from the unauthorised disclosure that breached APP 6,” the commissioner wrote.The agency has now updated its form to provide more protections from potential domestic violence situations.The commissioner has also directed the agency to engage an independent auditor within three months to assess its policies, procedures, and systems against the requirements of APP 11.In a second case, the commissioner has asked the agency to pay AU$1,000 for loss caused by the interference with the complainant’s privacy.The complainant contends that his privacy was breached by the agency when it provided his personal information to an external debt collection agency for the purposes of debt recovery due to the debts being “unlawful”. Due to this, the complainant is arguing that the disclosure of his information was not authorised under APP 6. He also claims that the agency breached APP 10 by disclosing the existence of the debts to the collection firm.The commissioner declared the agency engaged in conduct constituting an interference with the privacy of the complainant and must not repeat that conduct.IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:Suicide Call Back Service on 1300 659 467Lifeline on 13 11 14Kids Helpline on 1800 551 800MensLine Australia on 1300 789 978Beyond Blue on 1300 22 46 36Headspace on 1800 650 890QLife on 1800 184 527RELATED COVERAGEServices Australia among those found breaching privacy lawsComplaint against the government department revealed it disclosed bank statements to someone the complainant took a Family Violence Order out on.Services Australia reported 20 security incidents to the ACSC in 2019-20Across Social Services, the NDIS, Veteran’s Affairs, and its own operations, Services Australia says no breach of Australian citizen data has occurred.Accidental personal info disclosure hit Australians 260,000 times last quarter85 cases of human error resulted in 269,621 instances of Australians having their personal information disclosed accidentally. More

Facebook has published new findings that unveil two Palestinian organisations have been running cyberespionage campaigns against government officials, student groups, and security forces.The two groups both used fake and compromised social media accounts posing primarily as young women, and also as Fatah or Hamas supporters, various military groups, journalists, and activists to build trust with people in order to trick them into installing malicious software.According to Facebook, one group dubbed as Arid Viper has been linked to the cyber arm of Hamas. Meanwhile, the other is linked to the Palestinian Preventive Security Service (PSS), one of the security arms of Palestine, where the current president is a member of the Fatah party. Fatah and Hamas have been engaged in a civil war since 2006.Publishing a threat report [PDF] of Arid Viper’s activity, Facebook said the threat actor used fully functional custom iOS surveillanceware that was capable of stealing sensitive user data from iPhones without requiring the devices to be jailbroken. The surveillanceware, labelled as Phenakite, was trojanised inside fully functional chat applications that used the open-source RealtimeChat code for legitimate reasons. This malware could also direct victims to phishing pages for Facebook and iCloud in order to steal credentials for those services. As this process used legitimate developer certificates, iOS devices did not need to be jailbroken to be surveilled. While Phenakite did not require a jailbreak for installation, once on a device, it needed to adhere to the usual operating system security controls that prevent access to sensitive information from unauthorised applications. To circumvent that, Phenakite came bundled with the publicly available Osiris jailbreak and the Sock Port exploit, which meant that Phenakite was capable of using Osiris to jailbreak all 64-bit devices on iOS 11.2 to 11.3.1 or the Sock Port exploit to extend this to devices running iOS 10.0 to 12.2 If the Osiris jailbreak was successful, Phenakite could then retrieve photos from the camera roll, take images with the device camera, retrieve contacts, silently record audio, access documents and text messages, and upload WhatsApp data.

The Android malware deployed by Arid Viper, meanwhile, required victims to install apps from third-party sources on their devices. The group used hundreds of attacker-controlled sites, along with the aforementioned fake social media accounts, to create the impression that the apps were legitimate in order to convince victims into installing them. The trojanised chat applications in both Android and iOS were primarily pretending to be dating apps. Examples of the trojanised chat applications.
Image: Facebook
In all instances, the successful installation of these tools did not require any exploits, which the report said suggests that Arid Viper operators heavily relied on social engineering to distribute their malware. Of particular concern to Facebook was that Arid Viper’s use of custom surveillanceware demonstrated that this capability was becoming increasingly attainable by adversaries even if they are not as technologically sophisticated. “As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop, similar tooling,” Facebook said. Meanwhile, PSS used similar tactics of utilising social engineering to coerce their targets into installing Android and Microsoft malware, Facebook said. PSS malware, once installed onto devices, collected information such as device metadata, call logs, location, contacts, and text messages. In rare cases, it also contained keylogger functionality.Rather than targeting pro-Fatah individuals, the PSS used its malware to targets various groups, including people opposing the Fatah-led government, journalists, human rights activists, and military groups including the Syrian opposition and Iraqi military.According to Facebook, these findings are the first public reporting of this particular cyberespionage activity conducted by PSS.   Following the investigation into the conduct of Arid Viper and PSS, Facebook has released a set of indicators addressing such activity. The indicators include 10 Android malware hashes, two iOS malware hashes, eight desktop malware hashes, and 179 domains.Facebook has also notified targeted individuals and industry partners, which led to Arid Viper’s developer certificates being revoked and various accounts and websites being blocked or removed. Last month, Facebook said it disrupted a network of hackers tied to China that were attempting to distribute malware via malicious links shared under fake personas. The malware allegedly targeted around 500 users.Related Coverage More

Image: SIgnal
Phone scanning and data extraction company Cellebrite is facing the prospect of app makers being able to hack back at the tool, after Signal revealed it was possible to gain arbitrary code execution through its tools. Cellebrite tools are used to pull data out of phones the user has in their possession.”By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures,” Signal CEO Moxie Marlinspike wrote.”This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.” Usually, when vulnerabilities of this type are found, the issue is disclosed to the maker of the software to fix, but since Cellebrite makes a living from undisclosed vulnerabilities, Marlinspike raised the stakes. “We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” he said. The Signal CEO said that Cellebrite contains “many opportunities for exploitation” and he thought they should have been more careful when creating the tool.

For instance, Cellebrite bundles FFmpeg DLLs from 2012. Since that year, FFmpeg has had almost 230 vulnerabilities reported. Marlinspike also pointed out that Cellebrite is bundling two installers from Apple to allow the tools to extract data when an iOS device is used. “It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users,” he said. In a video dripping with references to the movie Hackers, Marlinspike showed an exploit in action, before rattling a sabre in the direction of Cellebrite. “In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software,” he said. “We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.” Marlinspike said he was incredibly lucky to have found a Cellebrite tool package laying on the ground while going for a walk. In December, Marlinspike lashed out at Cellebrite claims that it could crack Signal’s encryption. “Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail,” Marlinspike wrote at the time. “This is not because they ‘revealed’ anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad. “Articles about this post would have been more appropriately titled ‘Cellebrite accidentally reveals that their technical abilities are as bankrupt as their function in the world.'” Related Coverage More

Advertisers want to be effective in the content they push to consumers, but the latter must be given the ability to opt-out if they do not want personalised advertisement. This remains essential even as the debate over Google’s Federated Learning of Cohorts (FLoC) rages on. Marketers typically would want to reach out to segments of their audience, rather than just a single consumer. This was what cohorts set out to do, said Acquia’s chief science officer Omer Artun, in a video call with ZDNet. Acquia offers tools that enable brands to create and track cohorts, as well as analyse their performance so they had the insights to improve their marketing campaigns. Snapshots of cohorts also could be captured to monitor how these audience segments evolved after the cohort was created. This allowed marketers to identify changes and trends in customer behaviour, and tweak their marketing activities to improve sales of items that were not selling well, for instance. 

Artun likened it to doctors treating an illness. Their primary goal here was not to know who the patients were, but to flush out the symptoms so they could identify the illness and decide on the treatment. Google’s use of cohorts, however, had drawn strong criticism mainly for how the tech giant would share a summary of recent browser history with marketers. It had said FLoC removed the need for individual identifiers whilst still enabling brands to reach people with relevant content and ads by targeting clusters of people with common interests. Google last week began testing the feature for Chrome users in several countries, including India, Australia, Indonesia, and Japan, but not in markets where the European Union’s GDPR (General Data Protection Regulation) was in place. Electronic Frontier Foundation (EFF) said in a post last month that the core design of FLoC involved sharing new information with advertisers that created new privacy risks. It pointed to browser fingerprinting as one key issue, as it gathered discrete pieces of information from a user’s browser a unique identifier for that browser. “If a tracker starts with your FLoC cohort, it only has to distinguish your browser from a few thousand others–rather than a few hundred million,” EFF said, adding that it would be easier for trackers to establish a unique fingerprint for FLoC users. 

The non-profit organisation added that FLoC also would share new personal data with trackers that could already identify users. “For FLoC to be useful to advertisers, a user’s cohort will necessarily reveal information about their behaviour,” it said. “Moreover, as your FLoC cohort will update over time, sites that can identify you in other ways will also be able to track how your browsing changes. Remember, a FLoC cohort is nothing more, and nothing less, than a summary of your recent browsing activity. You should have a right to present different aspects of your identity, in different contexts.”A few Chromium-based browsers including Vivaldi and Brave stepped up to say they had removed FLoC from their platforms over privacy concerns. WordPress also was considering blocking the Google feature from its blogging system. Search engine DuckDuckGo also released an extension that blocked FLoC. Asked for his comments over the latest developments, Artun told ZDNet there would be critics “to anything, anybody” with regards to advertising. “The idea is to create an efficient system of advertising while protecting privacy,” he said. “If you don’t want any advertising to be personalised, then opt-out [or] use another browser.”These alternative browsers operated to address a portion of the population that did not want advertising, he said. “FLoC is a good way to hide specific user information, but at the same time, group interests,” he added. Artun noted that if advertisers were rendered “blind”, then ads would be inefficient and consumers would end up paying more for whatever they wanted to purchase. Consumers should be able to control their own dataHe said several issues also remained unclear, such as whether first-party data could be matched with FLoC identifiers, hence, giving more information about users than was available today. He expressed confidence that such issues would be addressed in future that balanced privacy and ad targeting. He reiterated that anyone still could opt out of and that this process should be made easy for those who wished to do so. Artun further advocated the need for “a Delete option”, which would allow users such as him to view the cohorts they were segmented into and remove themselves from cohorts they did not want to be part of. “I should be able to go to a digital marketer’s platform and delete it,” he said. “Imagine if you can control the data and delete anything related to it. You don’t have that option right now. To be able to see the data and be able to erase or control the data is what I think will be the nirvana [for consumers].”He also called for more transparency on what online platforms such as Google and Amazon were doing with consumers’ data. Giving users control over their data was, in itself, personalisation, he added. “Transparency and control–there are the two things that are missing right now,” he noted. RELATED COVERAGE More

Cybersecurity firm Rapid7 said it has signed a deal to acquire Velociraptor, makers of open-source framework used for endpoint monitoring, digital forensics, and incident response. The financial terms of the deal were not disclosed.

Rapid7 said the Velociraptor technology is designed to help SecOps teams hunt for new threats quicker through community-driven technology, allowing for incidents and detections to be easily shared across the broader security industry.”The Velociraptor standalone offering allows incident response teams to rapidly collect and examine artifacts from across a network, and deliver forensic detail following a security incident,” Rapid7 wrote in a blog post. “In the event of an incident, an investigator controls the Velociraptor agents to hunt for malicious activity, run targeted collections, perform file analysis, or pull large data samples. The Velociraptor Query Language (VQL) allows investigators to develop custom hunts to meet specific investigation needs.”Rapid7 said it does not plan to make Velociraptor a commercial offering; however, the company does plan to integrate the technology in its detection and response portfolio, including the Rapid7 Insight platform.Rapid7’s purchase of Velociraptor comes on the heels of its acquisitions of Alcide in January and DivvyCloud in April 2020. The company said both acquisitions are meant to bolster its ability to provide customers with a cloud-native security platform for managing risk and compliance.RELATED STORIES: More