More stories

    Australia Post parcel portal offline following 'technical' issue

    Australia Post on Thursday experienced a handful of failures across its business, with reports people were receiving parcels not addressed to them and the addressees unable to redirect the delivery online.
    The postal service’s online portal went down, with a message reading, “We’re updating this right now. Won’t take too long. Please try again later.” when customers attempted to track the status of their delivery.
    The notice was later updated to confirm that technical issues were behind the outage of its parcel tracking system.
    Customers were reporting problems with Australia Post since just after 10:00am AEST.
    On Twitter, Australia Post said it was aware of issues across its tracking website and associated apps and that it was “working hard to get the tracking back up and running as soon as possible and apologise for the inconvenience caused”.
    “We’re currently experiencing technical issues which are impacting parcel tracking. We are working hard to resolve this issue as quickly as possible,” a notice on the government-owned entity’s website reads.
    “We will provide updates as details are confirmed and apologise for the inconvenience.”
    Australia Post has not responded to ZDNet’s request to comment further.
    Earlier on Thursday, the organisation published its financial results, seeing group profits before tax climb 30% to AU$53.6 million.
    Revenue also increased over last year by 7% to reach AU$7.5 billion. Australia Post said its revenue increase was boosted by further e-commerce growth during COVID-19, accounting for growing losses in its letters business.
    Domestic Australia Post branded parcels rose 25% to just over AU$2.4 million.
    “In the second half of the year parcel revenues were boosted by the continued growth of e-commerce as consumer demand grew as families adapted to lock down restrictions and more businesses went online as their physical stores hibernated,” Australia Post said in delivering its results.
    “And while the growth in e-commerce has been a strong driver behind this year’s financial result, we have had to make changes to ensure our workforce and network can operate as efficiently and safely as possible. The pandemic has also severely impacted our ability to deliver across the country on time.”
    The postal service was previously labelled by the Australian National Audit Office (ANAO) as not effectively managing cybersecurity risks, with a report highlighting weaknesses in its implementation of a risk management framework.
    Since the recommendations were made, chief information security officer Glenn Stuttard said Australia Post has taken a number of steps to rectify this, such as conducting maturity level assessments against the Essential Eight controls for mitigating cyber attacks, reconfirming its critical application list and control scope for assessment of business critical and security ranked critical applications, and conducting reviews internally.
    In May, Australia Post said it had seen around 300 cyber incidents since January, but that none were enough to cause it to suffer the same fate as the likes of Toll.
    See also: Toll attacker made off with employee data and commercial agreements
    Stuttard at the time said from January 1 to March 30, the organisation had no incidents that were considered to be of “extremely high” impact.
    “But we did respond to over 300 individual cyber incidents that we see in our systems and most of those come from things like SMS phishing campaigns,” he said. “Text messages that bad actors might send to you try and get you to click on a link and give up your credentials and similarly through email phishing campaigns, so we’re dealing with these types of things on a daily basis, and defending those.”
    He said it was quite a substantial number and that the postal service didn’t have any “high” or “extreme” impacts over that period of time.
    Stuttard said Australia Post has not specifically seen any evidence in the past few years of state actors attempting to “hack” or “attack” its systems. But he did say there would be a substantial disruption to its functions should it fall victim to a serious attack.

    DDoS extortionists target NZX, Moneygram, Braintree, and other financial services

    For the past weeks, a criminal gang has launched DDoS attacks against some of the world’s biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks.
    Just this week, the group has attacked money transfer service MoneyGram, YesBank India, PayPal, Braintree, and Venmo, a source involved in the DDoS mitigation field has told ZDNet.
    The New Zealand stock exchange (NZX), which halted trading for the third day in a row today, is also one of the group’s victims.
    The attackers have been identified as the same hacker group mentioned in an Akamai report published on August 17, last week.
    The group uses names like Armada Collective and Fancy Bear — both borrowed from more famous hacker groups — to email companies and threaten DDoS attacks that can cripple operations and incur huge downtime and financial costs for the targets unless the victims pay a huge ransom demand in Bitcoin.
    Such attacks are called “DDoS extortions” or “DDoS-for-Bitcoin” and were first seen in the summer of 2016.
    Over the past years, such attacks have come and gone. Some DDoS extortionist groups delivered on their threats and attacked victims, but the vast majority of these extortion attempts were empty threats.
    However, the group active this month is one of the most dangerous seen since the beginning of this trend in 2016.
    Some attacks peaked at 200 Gb/sec
    In an update to its report added this Monday, on August 24, Akamai confirmed that the group launched complex DDoS attacks that, in some cases, peaked at almost 200 Gb/sec.
    Our source, who requested anonymity for this article due to ongoing business relations, also confirmed that some of the attacks launched this week reached 50 to 60 Gb/sec.
    The source also described the group as having “above-average DDoS skills.”
    While previous DDoS extortionists would often target their victims’ public websites, this new group has repeatedly targeted backend infrastructure, API endpoints, and DNS servers — which explains why some of the DDoS attacks this week have resulted in severe and prolonged outages at some of their targets.
    For example, in the case of NZX, the group has repeatedly targeted Spark, the stock exchange’s hosting provider, which has also resulted in downtime for the provider’s other customers.
    Furthermore, the group also showed its sophistication by often changing the protocols that were abused for the DDoS attacks, keeping defenders on their toes as to how the next attack would take place, and the protections they needed to roll out.
    DDoS mitigation providers recommend that companies do not give in to these types of extortion attempts; instead of paying the attackers, companies should reach out and contract mitigation services.

    Data#3 says it has been hit by a non-notifiable cyber incident

    Australian IT vendor Data#3 informed the ASX on Thursday that it had experienced what it dubbed a “cyber incident”.
    “Data#3 Limited advises that it has experienced a cybersecurity network incident, involving an overseas third party, which is currently under investigation,” the company said.
    “Data#3 has made direct and proactive contact with the 28 customers who have been impacted. Pending the outcome of the investigation, Data#3 may need to take further steps in response to the incident.”
    In addition to the notice saying the company had contacted the 28 customers that were impacted by the event, it said it was working with a forensic investigator to report on the incident.
    Data#3 added its current advice said the event did not need reporting to the Office of the Australian Information Commissioner, as required by Australia’s Notifiable Data Breaches (NDB) scheme for breaches that are likely to result in “serious harm”. However, the incident was clearly deemed significant enough to inform the stock market.
    A fortnight ago, Australian job site Seek said it suffered an “internal technical issue” which resulted in users seeing details from other users when logged in.
    “We identified an internal technical issue that occurred during a 23-minute period on Monday 10 August 2020,” the company told ZDNet at the time.
    “During that time period, due to a cache error, incorrect information such as career history and education was able to be viewed across profiles logged in at that time.”
    Seek said that no names, contact details, or resumes of candidates in Seek profiles were impacted. It added the error impacted fewer than 2,000 Seek profiles, as well as 206 job applications that were being submitted during the period.
    The job site said it did not view the incident as a notifiable data breach.
    Earlier in the month, Data#3 reported for the full year to June 30 that it saw strong growth in public cloud and software licensing revenues. For the fiscal year, the company reported net profit after tax of AU$23.6 million, up 30.5% from last year’s AU$18 million, and earnings before interest and tax being up 32.3% to AU$34 million.
    Revenue increased by 15% to AU$1.63 billion, which included AU$581 million of public cloud revenue that lifted by 60.4% from AU$362 million, and AU$985 million of software revenue, which increased by 25% for the period.

    Twitter botnet quoting Dracula book caught pushing pro-Chinese propaganda

    Social media research group Graphika said today it identified a Twitter botnet of around 3,000 bots that pushed pro-Chinese political spam, echoing official messaging released through state propaganda accounts.
    Graphika said it was able to identify the botnet due to a quirk shared by the vast majority of bot accounts, most of which used quotes from Bram Stoker’s Dracula book for the profile description and the first two tweets.
    Graphika said the Dracula botnet, as they named this cluster of fake accounts, exhibited multiple similarities to past Twitter botnets that were part of Spamouflage — a codename the company has given to the Chinese government’s social media influence operations, which Graphika had previously exposed in September 2019, April 2020, and August 2020.
    However, unlike previous operations, the Graphika team discovered this botnet early, with the botnet only managing to amass 3,000 accounts, and with the oldest accounts dating back only one month, to July 2020.
    Graphika said the accounts were not dangerous in themselves, as they appeared to be automated, either quoting Dracula or replying to each other’s tweets. However, the company said the accounts were used to amplify tweets and get predetermined topics trending, topics that could have been used to promote Chinese state propaganda, usually depicting a skewed view of reality, favorable to Beijing’s international affairs.
    The botnet has been down since August 20, according to Ben Nimmo, a Graphika investigator.
    In a blog post today, Nimmo said Twitter intervened and suspended the vast majority of Twitter Dracula botnet accounts, while also marking the others that were not taken down as “restricted,” preventing them from posting new content.
    At the time of writing, it remains unclear if the accounts were suspended programmatically by Twitter’s algorithm, or if Twitter’s staff had also spotted the same botnet and manually intervened. A Twitter spokesperson did not return a request for comment seeking additional details and an official statement.

    Reolink Argus PT security camera review: Impressive pan and tilt with solar power

    Pros
    ✓Excellent day and night vision
    ✓Solar panel charger
    ✓Pan, tilt, and zoom functionality

    Cons
    ✕Flimsy plastic camera mounting bracket

    The Reolink Argus PT security camera is nice and compact, and just the thing you need for your small office security. It can pan up to 355 degrees to give you almost complete coverage and tilt 140 degrees vertically to give the optimum view of your space.
    The camera is solid, well built, and heavy in the hand. It looks rugged and is rated IP65, so it is weather-proof against the rain or dust storms that the weather can throw at it.
    The camera can be mounted upside down or on a wall and delivers good 1080p images even in dim light with its Starlight image CMOS sensor.
    I found the plastic mounting bracket to be really flimsy and the plastic would bend if I flexed it.
    I am sure that a blow with something solid would easily remove the camera from its plastic mount.
    I did not trust the mount, so I fashioned a flat piece of aluminum bar and used a standard tripod mount thread to fix it securely to the wall.

    The solar panel for the Argus PT camera comes in a different box.
    At just over 7 inches in length and 4.5 inches wide, it is reminiscent of an iPad mini. It has a long cable with a micro USB plug to connect to the camera and a mount.
    The solar panel mount is metal and very well constructed — a far higher standard than the Argus PT mount itself. It mounts on any surface using the reasonably sized screws provided in the box.
    Undo the locking collar, adjust the solar panel in any direction to catch the maximum sun, and tighten the collar on the mount to secure the panel. Should it need to fall back on its onboard 6500mAh battery, it will still record images after several dull days with little solar charge.
    It was really simple to connect the camera to the app. Like the Netvue cameras, install the Reolink app, scan the QR code on the bottom of the camera, and connect to Wi-Fi.
    Place the QR code generated on the app near the camera and connect the camera to the app. If you prefer, you can download the desktop software directly from Reolink for your desktop device.
    The camera uses motion detection to preserve its battery. It is not switched on permanently.
    Depending on the sensitivity settings, it will view movement up to 33ft with low sensitivity, 40ft on medium, and 52ft on high.
    You can reduce false alarms by turning the camera away from bright lights, moving cars, air conditioner outlets, and foliage that will flutter in strong winds.
    Unlike the Netvue Vigil camera, you cannot set zones that the camera will ignore. Instead, you need to pan and tilt the camera to make sure that these areas are not captured by the camera.
    When the camera detects movement, it saves an image and alerts you that there is movement in the area. You can define a schedule so you will not be alerted when you are out and about during the day.
    The app lets you talk through the camera, pan, tilt and zoom, and play back the video. You can view 8, 15, or 30 seconds of video per notification.
    All in all, the Reolink Argus PT security camera is a neat, well put together camera with a range of cool features. It is well worth the sub-$160 price tag for peace of mind.

    A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts

    A browser fingerprinting script is a piece of JavaScript code that runs inside a web page and works by testing for the presence of certain browser features.
    Today, browser fingerprinting is commonly used by online advertisers as a next-gen user tracking mechanism. Advertisers run different types of fingerprinting operations, create one or more “fingerprints” for each user, and then use them to track the user as he/she accesses other sites on the internet.
    Because of the privacy-intrusive way that online advertisers are currently using browser fingerprinting, several browsers, including Firefox, Chrome, Opera, Brave, and the Tor Browser, have deployed features to detect and block these types of scripts.
    10% of the Top 100,000 Alexa sites use fingerprinting scripts
    In an academic paper published earlier this month, a team of academics from the University of Iowa, Mozilla, and the University of California, Davis, has analyzed how popular browser fingerprinting scripts are used today by website operators.
    Using a machine learning toolkit they developed themselves and named FP-Inspector, the research team scanned and analyzed the top 100,000 most popular websites on the internet, according to the Alexa web traffic ranking.
    “We find that browser fingerprinting is now present on more than 10% of the top-100K websites and over a quarter of the top-10K websites,” the research team said.
    However, the research team also points out that despite the large number of websites that are currently using browser fingerprinting, not all scripts are used for tracking. Some fingerprinting scripts are also used for fraud detection since automated bots tend to have the same or similar fingerprints, and fingerprinting scripts are a reliable method of detecting automated behavior.
    Academics discover new fingerprinting techniques
    But the research team also analyzed which browser or JavaScript API features the scripts were trying to fingerprint.
    “Our key insight is that browser fingerprinting scripts typically do not use a technique (e.g., canvas fingerprinting) in isolation but rather combine several techniques together,” researchers said.
    Researchers said they identified clusters with recurring fingerprinting techniques but also clusters that contained new techniques, which were previously unreported as potential fingerprinting avenues, suggesting that companies are actively investing in discovering new ways to track users based on their browser’s footprint.
    Below is a summary of some of the new fingerprinting techniques researchers discovered:
    Permissions fingerprinting – Researchers said some websites probed the browser Permissions API to determine whether a permission was granted or denied by the user. Academics said they found specific cases where fingerprinting scripts had probed whether the user had granted a website Notification, Geolocation, and Camera access, and were using this information to track the user.
    Peripheral fingerprinting – Researchers said they also found scripts probing if websites had received access to connect to gamepads and virtual reality devices, and were using this info to track users. In other cases, some websites were fingerprinting users via their keyboard layout, typically exposed via the browser’s getLayoutMap function.
    API fingerprinting – Researchers said that some websites probed if the user’s browser had specific APIs enabled. For example, some fingerprinting scripts checked for the AudioWorklet API (specific to Chromium browsers only), while others checked if certain JavaScript functions like setTimeout or mozRTCSessionDescription were overridden by extensions.
    Timing fingerprinting – Researchers said they also found that some fingerprinting scripts measured the time it took for certain functions to execute. For example, some websites used the Performance API to track when events like domainLookupStart, domainLookupEnd, domInteractive, and msFirstPaint took place during a predefined operation.
    Animation fingerprinting – This category is one of the most common fingerprinting methods today, but researchers said they found new ways that websites were abusing the AudioContext API.
    Sensors fingerprinting – Just like web animation-related functions, sensors have been heavily abused in fingerprinting scripts, but the research team said they found websites that probed for the little-known userproximity sensor.
    Additional details about the team’s research can be found in a paper named “Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors,” set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.
    The research team also said it reported the list of domains that hosted fingerprinting scripts discovered via FP-Inspector to EasyList/EasyPrivacy and Disconnect, two projects that manage so-called “blocklists,” which are lists of domains that can be loaded into ad blockers.
    Users concerned by this research can block fingerprinting scripts by enabling anti-fingerprinting protections in their browser settings or by installing an ad blocker extension.

    Mercenary hacker group targets companies with 3Ds Max malware

    Security firm Bitdefender said it discovered what appears to be a new hacker group that is currently targeting companies across the globe with malware hidden inside malicious 3Ds Max plugins.
    3Ds Max is a 3D computer graphics application developed by software giant Autodesk and is an app commonly installed and used by engineering, architecture, gaming, or software companies.
    Earlier this month, on August 10, Autodesk published a security alert about a malicious plugin named “PhysXPluginMfx” that abused MAXScript, a scripting utility that ships with the 3Ds Max software.
    The security advisory warned users that, if loaded inside 3Ds Max, the PhysXPluginMfx plugin would run malicious MAXScript operations to corrupt 3Ds Max settings, run malicious code, and propagate and infect other MAX files (*.max) on a Windows system, and help the malware spread to other users who received and opened the files.
    Bitdefender, which took a closer look at this exploit in a report published today, said the purpose of this plugin was, in reality, to deploy a backdoor trojan that hackers could use to scour infected computers for sensitive files and later steal important documents.
    The Romanian cybersecurity firm also said it investigated and was able to confirm attacks against at least one target, an international architectural and video production company, currently engaged in architectural projects with billion-dollar luxury real-estate developers across four continents.
    Information gathered during this investigation revealed that hackers used a malware command and control (C&C) server that was located in South Korea.
    “When looking at our own telemetry, we found other samples that communicated with the same C&C server, which means that the group was not limited to only developing samples for the victim that we investigated,” Liviu Arsene, Bitdefender Senior E-Threat Analyst, told ZDNet in an email.
    Per Bitdefender, these additional malware samples initiated connections to the C&C server from countries such as South Korea, the United States, Japan, and South Africa, suggesting that the hacker group might also have other unconfirmed victims in these countries.
    These connections go back for at least one month, but as Arsene told ZDNet, this doesn’t mean the hacker group started operating one month ago, and hackers could have very easily used another server for older operations.
    “If the sophistication of this investigated attack is any indication, they seem to have a firm grasp of what they’re doing and could have been flying under the radar of security specialists for some time,” Arsene said.
    While details about the group’s entire operations and hacking spree are still shrouded in mystery, Bitdefender researchers appear to believe that this group is yet another example of a sophisticated hacker-for-hire mercenary group that is renting its services to various actors, for the purpose of industrial espionage.
    While the Bitdefender report doesn’t contain the information to support this assessment, if true, this would make this group the third hacker-for-hire group exposed this year after Dark Basin (Indian company BellTrox; targeted politicians, investors, and non-profits) and DeathStalker (previously named Deceptikons; targeted European law firms).
    The Bitdefender report is also the second report where hackers created malware for an Autodesk software program. In November 2018, security firm Forcepoint discovered an industrial espionage hacker group who targeted companies in the energy sector with AutoCAD-based malware. Arsene said Bitdefender was not able to find any evidence linking these two hacking campaigns/groups.