More stories

  • Java Spring4Shell flaw exploit attempts: These are the industries most affected

    The sector most heavily impacted by the Spring4Shell Java flaw is technology, according to security firm Check Point.

    Spring4Shell is a bug worth paying attention to and could be a software supply chain threat: Microsoft this week urged customers to patch the critical flaw in a widely-used framework for Java applications. The flaws include CVE-2022-22947, which affected VMware’s Tanzu products, as well as CVE-2022-22963 and CVE-2022-22965, affecting Java applications.

    Check Point said it continues to see exploit attempts against these vulnerabilities, and has data which suggests 16% of organisations worldwide have seen attempts to exploit the flaws. Most of the targeted customers were based in Europe. In the first weekend since the vulnerability was found, Check Point said it had seen around 37,000 attempts to exploit the Spring4Shell vulnerability.

    ”The most impacted industry is software vendor where 28% of the organization were impacted by the vulnerability,” it said. This was followed by education/research and insurance/legal.

    ”Organizations using Java Spring should immediately review their software and update to the latest versions by following the official Spring project guidance,” Check Point says. Java is widely used for building enterprise software applications.

    Microsoft advises customers using Windows 11 to monitor registry keys through mobile device management (MDM) policies to ensure that security settings have not been changed. It also recommends using the built-in Windows Defender Application Control (WDAC) to mitigate kernel-level attacks. Microsoft said that it has “been tracking a low volume of exploit attempts across our cloud services” for these vulnerabilities.

  • Zoom awarded $1.8 million in bug bounty rewards over 2021

    Zoom has awarded $1.8 million to researchers who submitted bug bounty reports over 2021.

    Bug bounty programs, whether private and available to invitees only or public, where anyone can submit a vulnerability report, have become a critical method for organizations to improve their security posture. The industry is beset with talent shortages. Estimates suggest that there will be approximately 3.5 million unfilled job openings by 2025 in the US alone, and until there are more specialists available, companies often can’t rely solely on in-house security teams, who have more than enough of a workload.

    This is where bug bounties come in: external researchers and bug hunters can perform tests on software and services, report any severe security issues, and receive credit and/or financial rewards in return.

    The popularity of Zoom’s teleconferencing video software exploded overnight due to COVID-19 and lockdowns, with many of us forced to work from home. However, the rapid increase in users also highlighted security problems that had to be addressed quickly. Hence, a bug bounty program was one of the firm’s initiatives for improving the situation.

    Zoom’s main program is private, but the platform actively recruits security researchers. Over 800 researchers participate in the program, which HackerOne hosts.

    Over 2021, the software vendor paid out over $1.8 million across 401 reports. In addition, since the program’s launch, over $2.4 million has been awarded.

    Recent updates to the program include extending the bug bounty reward range on offer, with up to $50,000 per report for the most severe vulnerabilities and $250 for low-hanging fruit. The company also launched a public Vulnerability Disclosure Program (VDP) and a VIP bug bounty program for licensed software.

    “While Zoom tests our solutions and infrastructure every day, we know it’s important to augment this testing by tapping the ethical hacker community to help identify edge-case vulnerabilities that may only be detectable under certain use cases and circumstances,” Zoom commented.

  • Fighting crime doesn't justify mandatory data retention: European Court of Justice

    The European Court of Justice (ECJ) has effectively banned the general use of telecommunications data retention for combating crime across the European Union.

    In a judgment delivered by the ECJ’s Grand Chamber on Tuesday, the court ruled that when the objective is combating crime, “the general and indiscriminate retention of traffic and location data exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society”.

    ”Criminal behaviour, even of a particularly serious nature, cannot be treated in the same way as a threat to national security.”

    Traffic data is defined in EU law as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”. Location data is “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”. This is more or less the same as what has been called “metadata” in Australia’s data retention debate.

    The now-invalid Irish Communications (Retention of Data) Act 2011 required telecommunications providers to retain all metadata for two years, and make it available to the Gardaí, the Irish national police, following a “disclosure request” issued by an officer ranked chief superintendent or above. A disclosure request could be issued for “(a) the prevention, detection, investigation or prosecution of a serious offence, (b) the safeguarding of the security of the State, [or] (c) the saving of human life.” A “serious offence” was defined as one which is punishable by five years or more in jail, or one listed in a schedule to the Act.

    Metadata is “no less sensitive” than the content

    ”In view of the sensitive nature of the information that traffic and location data may provide, the confidentiality of those data is essential for the right to respect for private life,” the court wrote.

    The Charter of Fundamental Rights of the European Union guarantees both “the right to respect for his or her private and family life, home and communications” and “the right to the protection of personal data concerning him or her”. While the Charter protects all personal data, the ECJ noted that traffic and location data is particularly sensitive. “[Such] data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health.” This information enjoys special protection under EU law, for historical reasons which should be obvious.

    “Taken as a whole, those data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data have been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them,” the court wrote. “In particular, those data provide the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.”

    The ECJ judgment does not prevent data retention to address threats to national security, however. These threats include such things as “protecting the essential functions of the State and the fundamental interests of society through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities”.

    “Unlike crime, even particularly serious crime, a threat to national security must be genuine and present, or, at the very least, foreseeable, which presupposes that sufficiently concrete circumstances have arisen to be able to justify a generalised and indiscriminate measure of retention of traffic and location data for a limited period of time.”

    A decision to implement data retention should be “subject to effective review” by a court or an independent administrative body, the court said.

    Convicted murderer Graham Dwyer may now be set free

    The ECJ decision relates to the 2015 conviction in Ireland of Graham Dwyer for the August 2012 murder of Elaine O’Hara, a childcare worker. As the Guardian put it, Dwyer had killed O’Hara after “grooming her for sadomasochistic fantasies that included stabbing women during sex”.

    “He committed what prosecutors called ‘very nearly the perfect murder’ but was caught and sentenced to life in prison after police tracked his movements through texts and phone data. There were no witnesses or physical evidence,” the Guardian wrote. “Dwyer appealed on the grounds the retention and accessing of his mobile phone data breached EU law.”

    According to the Irish Examiner, families of homicide victims are saying some murders could now go unsolved. They said it was “common sense” that the protection of life should take precedence over rights to privacy. But as the ECJ noted, “the effectiveness of criminal proceedings generally depends not on a single means of investigation but on all the means of investigation available to the competent national authorities for those purposes.”

    Dwyer is not yet free, however. His lawyers must now convince the Irish Supreme Court that the ECJ decision applies retroactively.

    European decision gives ammunition to Australian privacy advocates

    Australia’s mandatory data retention scheme is similar to the now-discredited Irish system. Australian telcos must retain metadata for two years. Officers from a range of agencies above a certain rank may request the retained data to investigate crimes punishable by three years or more in jail — a lower threshold than in Ireland. In the 2020-2021 financial year, more than 314,000 requests for telco data were made under this system.

    The ECJ’s judgment now gives ammunition to Australian digital rights campaigners who have long objected to data retention.

    “Australia’s data retention regime is essentially the same as the one the ICJ has found to be unlawful. It should be dismantled immediately,” said Justin Warren, chair of Electronic Frontiers Australia.

    “Surveillance is not safety. If Australia wishes to continue to claim to be a democratic society, we must abandon the reflexive surveillance set up to assuage the authoritarian desires of law enforcement and certain political actors. Our individual and collective privacy must be restored,” he told ZDNet. “Australia needs to decide what sort of country it wants to be. We can either be a liberal democracy or a country that uses indiscriminate mass-surveillance. We cannot be both.”

    However, unlike the EU, and unlike other liberal democracies, Australia lacks a charter or bill of rights, the document which underpinned the ECJ decision.

    In December 2021, the Department of Home Affairs started work on a complete overhaul of Australia’s electronic surveillance laws. The creation of a new Electronic Surveillance Act was a key recommendation of a comprehensive review of Australia’s intelligence community. It aims to unravel the tangle of surveillance laws. Public submissions on that discussion paper closed on 11 February. An exposure draft of the proposed electronic surveillance legislation is planned to be released for public comment in late 2022.

  • Israeli officials are being catfished by AridViper hackers

    High-ranking Israeli officials are being catfished in a new cyberespionage campaign launched by AridViper. AridViper, also known as APT-C-23, Desert Falcon, and Two-tailed Scorpion, is a politically-driven advanced persistent threat (APT) group active in the Middle East.

    In the past, AridViper has conducted spear-phishing attacks against Palestinian law enforcement, military, and educational establishments, as well as the Israel Security Agency (ISA). In February, Cisco Talos researchers uncovered AridViper attacks against activists associated with the Israel-Palestine conflict.

    On Thursday, Cybereason’s Nocturnus Research Team published new findings on the APT’s latest activities. Dubbed “Operation Bearded Barbie,” the latest campaign targets “carefully chosen” Israeli individuals to compromise their PCs and mobile devices, spy on their activities, and steal sensitive data. The researchers say the AridViper group, alongside MoleRATs, are subset APTs of the Hamas cyberwarfare division and are working to benefit the Palestinian political group. The operation’s victims include individuals working in Israel’s defense, law enforcement, and emergency service sectors.

    According to Cybereason, the first step in AridViper attacks relies on social engineering: after conducting reconnaissance on a victim, the group creates fake Facebook social media accounts, makes contact, and tries to entice the target to download Trojanized messaging apps. In some cases, the catfish profiles are created to appear to be young women. Chats move from Facebook to WhatsApp, and from there, the catfish suggests a more ‘discrete’ messaging service. Another attack vector is the lure of a sexual video packaged up in a malicious .RAR archive.

    The APT has also upgraded its cyber weaponry. In particular, two new tools — Barb(ie) Downloader and BarbWire Backdoor — and a new implant variant, VolatileVenom, are worth exploring.

    Barb(ie) Downloader is delivered through the lure video and is used to install the BarbWire backdoor. The malware will perform several anti-analysis checks, including a scan for virtual machines (VMs) or the presence of sandboxes, before going ahead with the backdoor installation. Barb(ie) will also collect basic OS information and send it to the attacker’s command-and-control (C2) server.

    The BarbWire Backdoor is described as a “very capable” malware strain with high levels of obfuscation achieved through string encryption, API hashing, and process protection. BarbWire performs various surveillance functions, including keylogging, screen capture, and audio eavesdropping and recording. In addition, the malware variant can maintain persistence on an infected device, schedule tasks, encrypt content, download additional malware payloads, and exfiltrate data. The backdoor will specifically look for Microsoft Office documents, .PDF files, archives, images, and videos on the compromised machine and any connected external drives.

    Cybereason also spotted new VolatileVenom variants. VolatileVenom is Android malware served during the installation of the ‘discrete’ messaging app and has been designed to perform surveillance and theft. VolatileVenom can compromise an Android device’s microphone and audio functions, record calls and texts made over WhatsApp, read notifications from WhatsApp, Facebook, Telegram, Instagram, Skype, IMO, and Viber; read contact lists; and steal information including SMS messages, files, and app credentials. In addition, the malware can extract call logs, use the camera to take photos, tamper with WiFi connections, and download files to the device.

    ”The ‘tight grip’ on their targets attests to how important and sensitive this campaign was for the threat actors,” Cybereason commented. “This campaign shows a considerable step-up in APT-C-23/AridViper capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group.”

  • Cryptocurrency has overtaken bank transfers for payments into investment scams: ACCC

    Losses from Australians to investment scams increased by 90% to AU$103 million from the start of the year to March 20, with the Australian Competition and Consumer Commission saying payments made to scammers are most often made in cryptocurrency.

    ”In relation to Scamwatch, we see a number of scams relating to investment schemes, and we are now seeing that the payments in relation to those are now more often by way of cryptocurrency than by way of bank transfer,” newly-minted ACCC chair Gina Cass-Gottlieb told Senate Estimates on Thursday.

    Executive general manager for consumer and fair trading Rami Greiss said while the increase in crypto use tracked its growing popularity, it has facets that lend themselves to use by scammers.

    ”It’s also the fact that it’s an unregulated product, so there are no controls. There are no institutions that can be roped in to assist,” Greiss said. ”So really, it’s the fact that it’s the wild west.”

    Greiss further pointed out that only 12% of scams were reported, so the figures could not be taken as absolute gospel.

    Referencing its current court action against Meta for allegedly publishing scam advertisements featuring prominent Australian public figures, Greiss said people were falling for scams through multiple channels.

    ”The heart of that [action], factually, is about scammers posting cryptocurrency advertisements and capturing people. Also, it’s just the fact that people are drawn into these scams through other means,” he said. ”So people might meet someone through a dating or friendship site and then be drawn into a crypto-scam that way. So it’s really multi-channel, I don’t think there’s one particular area that they can target you; it’s across the board.”

    The Australian government recently announced it would create a crypto badge of approval to licence intermediaries such as exchanges. Minister for Digital Economy Jane Hume said on Wednesday that the licence will include a “fit and proper person” test, and could include anti-hawking measures to prevent cold calling. Hume also explicitly ruled out a ban.

    ”It’s not government’s role to ban investments in cryptocurrency, we don’t think that that’s a good idea,” she said.

    One area where the ACCC is seeing scams go down is in phone-based call scams — decreasing by 50%.

    ”We believe that’s in part because of disruption by the telecommunications companies … and with information that Scamwatch is providing them,” Cass-Gottlieb said.

    On Thursday, Telstra announced it had switched on a new SMS filter in an effort to block scam texts before they hit user devices.

    ”We know the number of scam text messages on our network is on the rise — in 2021 we had more than 11,000 reports of malicious texts to Android devices compared to 50 reports in 2020,” outgoing Telstra CEO Andy Penn said.

    After an internet trial, the telco said it has rolled out a scam filter to every customer on its network.

    ”Whether you’re on a consumer plan, a managed device through your company, or you’re signed up to another provider that uses the Telstra network like Belong — you’re now better protected from millions of scam text messages sent every day,” Penn said.

    To tune the filter, Penn said potential scam messages are viewed by Telstra staff, but the details of recipients are blocked. The telco will, however, not block messages from banks and other large businesses, government departments, emergency alerts, and Telstra’s own messages. Customers can opt out of the service by texting FILTER OFF to 0438214682, and get it re-enabled by texting FILTER ON.

  • ASD says not all of Australia's 1,900 REDSPICE jobs will be for cyber

    The 1,900 new jobs promised in the federal government’s new AU$9.9 billion cyber program will not solely be in the areas of cybersecurity and IT, Australian Signals Directorate chief Rachel Noble said yesterday afternoon.

    ”We will need cybersecurity specialists, data science scientists, engineers, linguists, analysts, ICT people, but also policy people, HR people, psychologists, security, compliance lawyers, and people who are experts in communications,” Noble told Senate estimates.

    In clarifying what jobs will be funded by the Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE) program, she dismissed concerns put forth by experts that there may not be enough people to bolster Australia’s cybersecurity, although she did not comment on whether the country’s workforce contains enough people with those skillsets.

    ”We are positioned through REDSPICE to train, invest in, and develop those people. I would imagine that our efforts in that regard will greatly benefit the national security community writ large,” she said.

    Noble explained the ASD received 9,000 job applications last year and has 700 people that are set to be onboarded into the agency. She added that 600 new employees joined the ASD last year, which amounted to an overall growth of more than 330 new employees after accounting for staff turnover.

    On when the REDSPICE jobs will be rolled out, Noble provided a year-on-year timeline, with the jobs under the program to start being offered from the 2022-23 financial year. For that first year, 400 new jobs will be created within ASD; for 2023-24, ASD will add 600 roles; 500 new roles will be added in 2024-25; 2025-26 will see 200 new jobs; 2026-27 will see another 130 jobs, after which the agency will start tapering its hiring spree.

    As part of the hiring spree, Noble also said a significant number of those roles will be based in Brisbane, Melbourne, and Perth. Currently, most ASD roles are based in Canberra. To support that expansion, the agency plans to have new buildings in Brisbane, Melbourne, and Perth by financial year 2024-25.

    During Noble’s Senate estimates appearance, she also clarified how funding of the Defence Department’s Integrated Investment Programs (IIP) has been impacted by the REDSPICE program, as Defence officials confirmed on Friday that a AU$1.3 billion SkyGuardian drone project, which fell under the IIP program, was scrapped to fund the spicy cyber. Defence officials also said on Friday that other IIP commitments to ASD projects were subsumed within REDSPICE.

    Explaining the subsumption of those IIP-ASD projects into REDSPICE, Noble said none of those projects, three in total, were cancelled due to the new cyber program.

    “None of them have been cancelled. What happened was there was already funding in the IIP for three ASD projects,” Noble said. ”What has actually happened is that all of the capability that was sitting in those three programs remain funded but are being brought forward in time to be delivered sooner.”

    The three programs consist of one for building ASD’s capability in signals intelligence mission systems, another for offensive cyber, and one for components of the Cyber Enhanced Situational Awareness and Response (CESAR) program.

  • Sky Mavis raises $150 million to refund users after Ronin network attack

    Sky Mavis, the Vietnamese blockchain game company that makes the play-to-earn game Axie Infinity, has announced a $150 million fundraising round to help reimburse those impacted by the recent Ronin network attack.

    Last month, the company revealed it had 173,600 Ether (ETH) and 25.5 million USD coins drained from its Ronin network, something Sky Mavis created to get around Ethereum network congestion. At the time, the crypto assets were valued at over $600 million.

    For the attack to occur, the attacker gained control of the four validators operated by Sky Mavis, and one operated by Axie DAO.

    “The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the Ronin Network explained last month. “This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”

    In response, the Ronin bridge and Katana Dex exchange were halted, the number of validators increased to eight, and security teams at major crypto exchanges were contacted. On Wednesday, Sky Mavis said it was now increasing the number of validators to 21 in the next three months.

    “The new round, combined with Sky Mavis and Axie balance sheet funds, will ensure that all users are reimbursed. The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks,” Sky Mavis said.

    Leading the funding round was Binance, which will also be allowing ETH withdrawals and deposits for Axie Infinity users.

    “The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury,” the company said. “We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction.”

    Also joining the funding round were Animoca Brands, a16z, Dialectic, Paradigm and Accel.

  • How to block tracking pixels in Apple Mail

    Third-party entities go out of their way to collect data from you. In your web browser they use tracking cookies extensively, and nearly every browser on the market goes to great lengths to offer tools and features to protect you from the collection of that data.

    But did you know there’s a really sneaky way to collect your data from within an email client? The method in question uses invisible pixels (called tracking pixels) in an email to help a company see not only which emails you interact with but how you interact with them.

    What are tracking pixels?

    A tracking pixel is a 1px by 1px square image that is created from a simple line of code and inserted into a message. It is invisible to users because such pixels are usually transparent and located somewhere innocuous (such as the header or footer of the email). These pixels help companies (especially marketing firms) measure open/click rates, discover traffic sources, track conversions, and gather other data points. Specifically, tracking pixels give companies the following types of information:

    - How many people open emails and click through links.
    - A general success rate of an email campaign.
    - Devices used to read email.
    - Which email providers a recipient uses.
    - What region a recipient is located in.

    Sounds like something many privacy-conscious users don’t want or need. Fortunately, some email client developers are catching on to this tactic and have made it possible to protect yourself against them. One such client is Apple Mail. Let me show you how to enable that protection, so you can avoid the dreaded tracking pixel.
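
    The mechanism described above can be spotted in a message before any remote content is loaded. The following is an added example, not code from the article or from Apple: a small Python scanner that parses the HTML body of an email and flags images that look like tracking pixels. Its heuristics are assumptions, not a standard: an image is flagged when it is fetched from a remote http(s) URL and is either declared 1x1 (or hidden via CSS) or carries a long opaque token in its query string, which is how senders tie an image fetch back to one recipient. The sample email body is constructed for the demonstration.

```python
"""Flag probable tracking pixels in an HTML email body.

Added example, not part of the original article. The heuristics below are
assumptions about how tracking pixels are commonly built, not a formal spec.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # Normalise attribute names; a bare attribute has value None.
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs):
    """True if the image is declared 0/1 px in both dimensions or hidden via CSS."""
    def dim_is_tiny(name):
        value = attrs.get(name, "").strip().lower().rstrip("px")
        return value in ("0", "1")

    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    css_tiny = "width:1px" in style and "height:1px" in style
    return (dim_is_tiny("width") and dim_is_tiny("height")) or hidden or css_tiny


def _has_opaque_token(query, min_len=16):
    """True if any query parameter value looks like a per-recipient identifier."""
    return any(len(values[0]) >= min_len for values in parse_qs(query).values())


def find_tracking_pixels(html):
    """Return [(src, [reasons])] for every remote image that looks like a tracker."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:, data:) images cannot report back to a server
        reasons = []
        if _is_tiny_or_hidden(attrs):
            reasons.append("1x1 or hidden image")
        if _has_opaque_token(url.query):
            reasons.append("per-recipient token in query string")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one visible logo, one inline attachment, one tracker.
SAMPLE_EMAIL = """
<html><body>
  <img src="https://example.com/logo.png" width="200" height="60" alt="logo">
  <p>Hello, here is our newsletter.</p>
  <img src="cid:photo001" width="1" height="1">
  <img src="https://track.example.net/open.gif?r=5f3a9c2e8b1d4f6a7e"
       width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

    Run against the constructed sample, only the remote 1x1 image with the opaque `r=` token is reported; the visible logo and the `cid:` attachment are not. The token heuristic can misfire on long but benign parameters such as campaign names, so in a real mail filter it is best treated as a signal to stop remote loading rather than as proof of tracking.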

    How to block tracking pixels

    I’m demonstrating with Apple Mail 15.0. This feature is built into macOS Monterey, so if you’re using an older version of macOS, you’ll want to upgrade as soon as possible (which you should do anyway).

    To enable tracking pixel protection, open Apple Mail and click Mail > Preferences. Click the Privacy tab in the menu bar (Figure A).

    Figure A: The Apple Mail Preferences window gives you quick access to a number of important configuration options.

    In the resulting window (Figure B), click the check box associated with Protect Mail Activity.

    Figure B: Protecting yourself from tracking pixels is but a check box away.

    When you enable the feature, you’ll notice that Hide IP Address and Block All Remote Content are both greyed out. That doesn’t mean those features will be disabled, but if you want to enable either of those options, do so before clicking Protect Mail Activity.

    There’s no need to restart Apple Mail, as the change takes effect immediately.

    With this option enabled, you no longer have to worry about tracking pixels collecting data that can, in turn, be used by companies in the same way tracking cookies are used within a web browser. Welcome to a more private email experience in macOS.