More stories

  •

    Australia's cyber laws potentially harmful to security: Critical Infrastructure community

    A slew of Australia’s critical infrastructure service providers and union groups have lambasted the federal government’s critical infrastructure cyber laws because the laws would require organisations to install third-party software on their systems if they are deemed not “technically capable” of managing cyber threats.

    Roger Somerville, Amazon Web Services’ (AWS) ANZ public policy head, said the need for new cybersecurity laws was apparent and that AWS supported the Bill, but he remained critical of the software installation scheme contained within it.

    The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 contains the outstanding elements of the cyber laws passed by Parliament last year, per the recommendations of the parliamentary committee that is currently reviewing it. Among these outstanding elements are requirements for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations, such as potentially installing third-party software.

    Addressing the committee, Somerville said there is a lack of clarity on how the software installation scheme would operate, and that the federal government’s assurance that it would only be used as a “last resort” is not sufficient.

    “We do acknowledge that the Australian government has told us that those sorts of powers would be more relevant for less sophisticated cyber security entities than ourselves. But from our perspective, I think we’re very concerned that we still do need to see clear, practical guidance on how this would work,” Somerville said.

    Somerville added that if the federal government was adamant about establishing the software installation scheme, a technical support body, set up as an independent statutory office holder, should be created to oversee the scheme’s operation.

    “This body would also perhaps create an avenue for contestability of those decisions, particularly on the questions of technical feasibility,” he said.

    AWS was not alone in its concerns: Palo Alto Networks ANZ public policy head Sarah Sloan, who also appeared before the committee, said the software installation scheme introduces unnecessary security risks into critical infrastructure environments.

    That concern was echoed by Communications Alliance CEO John Stanton, who gave an example of how the scheme could be dangerous.

    “The danger is probably more when information is combined with other information sources, so we don’t necessarily hold a list of the people’s names behind IP addresses, but other organisations do. So if you combine data [from critical infrastructure entities] with telecommunications service providers’ data, because they know who the service providers are of those IP addresses, then you’re able to effectively put together personal information,” Stanton said.

    Software Alliance COO Jared Ragland, meanwhile, noted that the security issues with the scheme did not stop there, as installing the software could lead to further problems across critical infrastructure supply chains.

    “In addition to concerns about what kind of information might have legitimate access to the software, a real concern is that if the software is installed at each stage along this chain and it operates improperly, then there could be accidental problems. Perhaps it could be data leakage, but it could also be operational interruptions of other sorts,” Ragland explained.

    For each of these organisations, trust appeared to be the core issue in their opposition to the software installation scheme. To address this lack of trust, not-for-profit advocacy group Internet Association of Australia (IAA) said the federal government should amend the proposed cyber laws to allow critical infrastructure entities to thoroughly test the code.

    “It’s highly, highly important that we are able to trust the type of software that goes on to manage this. And we need the opportunity to be able to read the code, assess the code, test the code against other things,” IAA CEO Narelle Clark said.

    The federal government’s critical infrastructure reforms sit alongside its ransomware action plan as its primary regulatory efforts for bolstering Australia’s cybersecurity posture. Home Affairs Secretary Mike Pezzullo last month labelled the reforms the government’s “defence” against cyber threats, and the federal government hopes this second tranche of cyber laws will create a standardised critical infrastructure framework for Australia’s intelligence agencies.

  •

    Kaspersky complains about 'political' German advisory against it

    Kaspersky has responded to an advisory from the German Federal Office for Information Security (BSI), which told users to replace its products, by claiming the warning is politically motivated.

    “We believe this decision is not based on a technical assessment of Kaspersky products — that we continuously advocated for with the BSI and across Europe — but instead is being made on political grounds,” the security company said on Wednesday.

    “We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone.”

    One does not need to look much further than a classic Clausewitz quote to realise that war and politics are very much linked.

    As the BBC reported, the BSI said the advisory was made in light of the Russian invasion of Ukraine.

    “A Russian IT manufacturer can carry out offensive operations itself, be forced against its will to attack target systems, or be spied on as a victim of a cyber operation without its knowledge or as a tool for attacks against its own customers,” the BBC translated the warning as saying.

    Kaspersky said its data processing was shifted to Switzerland in 2018, and that its customers can “run a free technical and comprehensive review”, including reviewing and rebuilding the source code.

    “Beyond our cyberthreat-related data processing facilities in Switzerland, statistics provided by users to Kaspersky can be processed on the Kaspersky Security Network’s services located in various countries around the world, including Canada and Germany,” the company added.

  •

    No rational basis: Defamation law expert says Australia's anti-trolling Bill should be canned

    A defamation law expert has slammed the federal government’s so-called anti-trolling Bill, accusing it of changing Australia’s defamation laws for no adequate reason and through misleading means.

    “My colleagues and I think that this legislation is misconceived and should not proceed,” barrister Sue Chrysanthou SC said on behalf of some of Australia’s preeminent defamation law experts.

    “Not one person who supports this legislation has given an adequate reason, to my knowledge or the knowledge of my colleagues, as to why it should be changed … this Bill is a violent assault on the tort of defamation by the Commonwealth, for which no rational basis or reason has been provided.”

    Chrysanthou made those comments before a Senate legal and constitutional affairs committee hearing on Tuesday afternoon, as part of the committee’s inquiry into the Bill. She added that the Bill does nothing to address online abuse or trolling.

    At its core, the Bill seeks to remove the liability held by owners of social media pages for defamatory material posted on those pages. If passed, it would also require social media companies to identify people who post potentially defamatory material. The Bill was drafted shortly after a High Court judgment ruled that media outlets are publishers of third-party comments on their social media pages.

    The anti-trolling legislation has already drawn flak from senators, online abuse victims and government agencies, with Australia’s eSafety commissioner criticising it for containing no mention of the word “troll”.

    “One of our objections to this Bill is that it is piecemeal. It will increase legal costs and cause confusion because of its inconsistency with the state and territory laws,” Chrysanthou told the committee.

    Liberal Senator and committee chair Sarah Henderson, who has claimed she was defamed on Twitter, dismissed Chrysanthou’s arguments on the grounds that the barrister had not run a case against Twitter before.

    “This Bill is all about Facebook. This Bill is all about Instagram. It’s all about Twitter. It’s about unmasking the anonymous abusers, about giving redress,” Henderson said.

    In response, Chrysanthou said that in her experience there had not yet been a need to sue Twitter or Facebook on defamatory grounds.

    “Any client I’ve had that sued over a tweet or Facebook post, the persons who made those tweets or Facebook posts have been identifiable. It is a large part of my practice — acting for people who sue over social media posts. So far there hasn’t been a need to deal with Twitter or Facebook,” she said.

    Earlier in the day, Twitter appeared before the committee to call out the anti-trolling laws as an extreme risk to the privacy of Australians, particularly minority communities.

    “We’ve seen a number of people, both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters,” Twitter director for public policy Australia Kara Hinesley said.

    “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

  •

    Twitter concerned Australia's anti-trolling Bill leaves minority communities vulnerable

    Twitter has joined other social media companies in calling out Australia’s anti-trolling laws as an extreme risk to the privacy of Australians, particularly minority communities.

    Kara Hinesley, Twitter Australia’s director for public policy, appeared before a Senate legal and constitutional affairs committee hearing on Tuesday afternoon to set out the company’s privacy concerns about the federal government’s anti-trolling Bill.

    The Bill, currently before Parliament, seeks to remove the liability held by owners of social media pages for defamatory material posted on those pages. If passed, it would also require social media companies to identify people who post potentially defamatory material.

    “Under this bill, online platforms choose between facing liability in court or turning over private sensitive information about users without a legal determination as to whether the content is in fact defamatory under the law,” Hinesley said.

    Hinesley added that the requirement to identify people, even those using anonymous accounts, would adversely affect minority communities.

    “We’ve seen a number of people, both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters,” Hinesley said.

    “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

    Twitter senior public policy director Kathleen Reen, meanwhile, said the anti-trolling Bill would not help social media companies protect users, and that the platform was unsure whether it could meet the Bill’s information collection requirements.

    Liberal Senator and committee chair Sarah Henderson was not convinced by Twitter’s argument, however, pointing to her own ongoing dispute with Twitter as evidence that the anti-trolling legislation is required.

    “Obviously, I’ve experienced this personally, where a police search warrant issued by Victorian Police has been met with a brick wall from Twitter,” Senator Henderson said.

    “And you’re now saying that Twitter is re-examining the way the data was held, and it tends to make data held offshore available under circumstances where an end-user disclosure order is issued against Twitter, requiring them to hand over identifying information.”

    Twitter’s concerns echoed those of Meta, which told the committee last Thursday that it would be extremely difficult, even for online companies as large as Meta, to collate the content needed to meet the Bill’s requirements.

    “It might not actually be possible to maintain a constantly updated contact list of both email and phone numbers of all Australians and all people who might be visiting Australia,” said Mia Garlick, Meta APAC policy director.

  •

    Nasty Linux netfilter firewall security hole found

    Behind almost all Linux firewall tools, including iptables, its successor nftables, firewalld and ufw, sits netfilter, the kernel subsystem that decides what traffic gets into and out of Linux’s network stack. It is an essential piece of Linux security, so when a hole is found in it, it’s a big deal.

    Nick Gregory, a Sophos threat researcher, found this hole recently while checking netfilter for possible security problems. Gregory explains his bug hunt in great detail, and I recommend it to anyone who wants insight into finding C errors. But for those of you who just want to cut to the chase, here’s the story.

    This is a serious bug. Specifically, it’s a heap out-of-bounds write in the kernel’s netfilter code. Gregory said it’s “exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want.” Yuck!

    The problem lies in netfilter’s hardware offload support for nftables rules: the kernel miscounts how many offload actions a rule needs, so writing out the actions for a rule that uses the dup or fwd expressions runs past the end of the heap buffer it allocated. Adding a rule needs CAP_NET_ADMIN, but on most distributions an ordinary user can get that over their own network namespace by creating an unprivileged user namespace, which is why a local, unprivileged attacker can use this to crash the box (denial of service), execute arbitrary code in the kernel and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn’t have offload functionality. That’s because, as Gregory wrote to a security list, “Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don’t have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails.”

    This vulnerability is present in mainline Linux kernels from 5.4 through 5.16.10; the fix landed in 5.16.11 and was backported to the maintained stable series. It is tracked as CVE-2022-25636 and carries a CVSS score of 7.8, so this is a real baddie. How bad? In its advisory, Red Hat said, “This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.” So, yes, this is bad.

    Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x, Debian Bullseye, Ubuntu Linux and SUSE Linux Enterprise 15.3. While the fix is in the upstream kernel, it isn’t available yet in every distribution release.

    If you don’t have a patch yet, you can close the unprivileged route to the bug by disabling unprivileged user namespaces, which is what an ordinary user needs in order to get CAP_NET_ADMIN and add nftables rules in the first place. In the RHEL family:

        # echo 0 > /proc/sys/user/max_user_namespaces

    And in the Debian/Ubuntu family:

        $ sudo sysctl kernel.unprivileged_userns_clone=0

    Both take effect immediately but do not survive a reboot. To make them stick, put the setting (user.max_user_namespaces = 0, or kernel.unprivileged_userns_clone = 0 on Debian-derived kernels, which are the only ones that carry that sysctl) in a file under /etc/sysctl.d/ and reload with sudo sysctl --system; running sysctl --system on its own only reloads those files and sets nothing by itself. Two caveats: disabling user namespaces also breaks anything that relies on them, such as rootless containers, and this is a workaround rather than a fix, because anyone who already holds CAP_NET_ADMIN (root, or a container started with that capability) can still trigger the bug.

    So, here we are again. I’ve not seen a good exploit of this, but I have seen one that works about half the time. If you don’t want to see your Linux servers stolen out from underneath you or just knocked off the net, it’s time to either patch your system or lock it down to avoid trouble.
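    Whether a given host is exposed comes down to two questions: is the running kernel in the affected range (for distribution kernels, does the package predate the backported fix), and can an unprivileged local user create the user namespace that hands them CAP_NET_ADMIN? As an added example, not code from the article, Sophos or Red Hat, the following POSIX shell script answers both from the kernel version string and the two sysctls, and can write the mitigation persistently. The version range is the mainline one; the file name /etc/sysctl.d/99-cve-2022-25636.conf is my choice.

```shell
#!/bin/sh
# Added exposure check for CVE-2022-25636 (not from the article, Sophos or Red Hat).
# The bug needs CAP_NET_ADMIN to add nftables rules; on most distributions an
# unprivileged user gets that inside a user namespace, so the check looks at
# (1) the running kernel version and (2) whether unprivileged user namespaces are allowed.

# version_le A B: true when dotted version A <= B (major.minor.patch; suffixes like "-generic" ignored).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# kernel_in_affected_range VERSION: mainline range carrying the bug (introduced in 5.4,
# fixed in 5.16.11). Distribution kernels backport fixes, so treat this as a first hint
# and confirm against your distribution's advisory for the installed package.
kernel_in_affected_range() {
    version_le 5.4 "$1" && version_le "$1" 5.16.10
}

# unpriv_userns_allowed MAX_USER_NS UNPRIV_CLONE: can a plain user create a user namespace?
# MAX_USER_NS is user.max_user_namespaces; UNPRIV_CLONE is kernel.unprivileged_userns_clone,
# a Debian-derived sysctl absent from upstream kernels (pass "" where it does not exist).
unpriv_userns_allowed() {
    [ "$1" -gt 0 ] 2>/dev/null || return 1
    [ -z "$2" ] || [ "$2" -ne 0 ]
}

# Read a sysctl from /proc, printing nothing if it does not exist on this kernel.
read_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr '.' '/')" 2>/dev/null
}

check_host() {
    kver=$(uname -r)
    maxns=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    if kernel_in_affected_range "$kver"; then
        echo "kernel $kver: inside the 5.4..5.16.10 mainline range, check your distribution's advisory"
    else
        echo "kernel $kver: outside the affected mainline range"
    fi
    if unpriv_userns_allowed "$maxns" "$clone"; then
        echo "unprivileged user namespaces: ALLOWED (max_user_namespaces=$maxns unprivileged_userns_clone=${clone:-n/a})"
        echo "  -> an unprivileged local user can reach nf_tables; patch, or run: $0 mitigate"
    else
        echo "unprivileged user namespaces: blocked; the unprivileged path to nf_tables is closed"
    fi
}

# Persist the mitigation via /etc/sysctl.d so it survives reboots (a bare write to /proc does not).
# Caveat: this also breaks anything that creates user namespaces, e.g. rootless Podman.
mitigate() {
    conf=/etc/sysctl.d/99-cve-2022-25636.conf   # assumed file name, pick your own
    {
        echo "user.max_user_namespaces = 0"
        if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
            echo "kernel.unprivileged_userns_clone = 0"
        fi
    } > "$conf"
    sysctl --system >/dev/null
    echo "wrote $conf and reloaded sysctl settings"
}

case "${1:-}" in
    check)    check_host ;;
    mitigate) mitigate ;;
esac
```

    Run it as `sh cve-2022-25636-check.sh check` as any user, and `sudo sh cve-2022-25636-check.sh mitigate` to apply the workaround. A blocked result from the namespace check does not mean the bug is gone: root, or any process that already has CAP_NET_ADMIN, can still reach it until the kernel is updated.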

  •

    SentinelOne acquires Attivo Networks for identity-based threat detection

    Cybersecurity company SentinelOne plans to acquire Attivo Networks for its identity-based threat detection technology, the companies said Tuesday. The cash and stock transaction, valued at $616.5 million, is expected to close in SentinelOne’s upcoming fiscal second quarter.

    In a statement, SentinelOne COO Nicholas Warner said Identity Threat Detection and Response (ITDR) “is the missing link” in XDR (extended detection and response), an approach to security that collects and correlates data across layers, including email, endpoints, servers, cloud workloads and networks.

    “The shift to hybrid work and increased cloud adoption has established identity as the new perimeter, highlighting the importance of visibility into user activity in holistic XDR and zero trust strategies,” Warner said. “Our Attivo acquisition is a natural platform progression for protecting organizations from threats at every stage of the attack lifecycle.”

    The demand for cybersecurity products has driven huge levels of investment in the market, with mergers and acquisitions in cybersecurity reaching $77.5 billion in 2021. In June of last year, SentinelOne debuted on the New York Stock Exchange, raising $1.2 billion at an implied valuation of $8.9 billion, making it the highest-valued cybersecurity IPO ever.

    Attivo Networks, meanwhile, was founded in 2011 and is based in Fremont, California. It counts more than 300 global enterprises as customers, including Fortune 500 companies. The acquisition should expand SentinelOne’s total addressable market by $4 billion, the companies said.

    Attivo’s products will be incorporated into SentinelOne’s Singularity XDR platform for autonomous protection. That includes:

    • Attivo’s identity suite, which protects in real time against credential theft, privilege escalation, lateral movement, data cloaking, identity exposure and more, supporting conditional access and zero trust cybersecurity.
    • Attivo’s identity assessment tool, which provides instant Active Directory visibility of misconfigurations, suspicious password and account changes, credential exposures, unauthorized access and more.
    • Attivo’s network and cloud-based deception suite, which lures attackers into revealing themselves.

  •

    Phishing attempts against smartphones are on the rise. And those small screens aren't helping

    There’s been a big rise in phishing attacks designed specifically to target smartphones as cyber criminals look to exploit our increased reliance on these tiny screens.

    Previously, many phishing websites were device agnostic, set up to steal usernames and passwords regardless of whether the user was clicking the link from a computer or a mobile. But cybersecurity researchers at Zimperium have analysed hundreds of thousands of phishing websites and found a significant rise in sites designed specifically for mobile phishing attacks, which now make up three quarters of all phishing sites.

    The smaller screens of smartphones and other mobile devices make it harder for users to identify phishing emails and malicious websites. For example, the sender address is more prominent in a desktop mail client than on mobile, meaning that unless a user really examines the email, they might not notice it was sent from a phoney address.

    It’s also harder to see where links lead on mobile devices. On a laptop or desktop computer, the user can hover the mouse cursor over a hyperlink to reveal the URL, which can alert them to it being malicious, particularly if it features poor spelling or long strings of random text. There is no equivalent quick check on a smartphone (a long press on the link will usually show its destination, but few people do it), so users are less likely to check where an email has really come from and more likely to click through if the lure is convincing.

    While many phishing attacks arrive by email, targeting mobile devices also gives cyber criminals an expanded variety of attack vectors, including SMS messages, messaging applications, in-app chat links and more, all of which can be used to direct victims to malicious sites.

    Many of these mobile phishing websites are designed to look indistinguishable from the brand they’re imitating. Some of the brands most commonly imitated by phishing websites include Microsoft, Amazon, Facebook and PayPal, as well as a string of delivery companies relevant to the region being targeted.

    “Distributed and hybrid workforces, ever-connected devices, high speed 5G connectivity, and increased critical data access from remote locations have spread enterprises worldwide,” said Shridhar Mittal, CEO of Zimperium. “Today’s cybersecurity was not built to support these environments – and attackers know it. Organizations need to come to terms with how to effectively secure this new reality,” he added.

    Users can help protect themselves from mobile phishing attacks by being cautious about which links they follow. If an email alert or text message claims to come from a particular brand, rather than tapping the link in the message, it’s often wiser to go to the brand’s actual website in your browser, or open its app, and log in to your account from there.

    For businesses, it can help to roll out security protections to the smartphones employees use, to detect and block threats. The use of multi-factor authentication should also be encouraged, because it provides an additional barrier to compromised usernames and passwords being exploited; bear in mind that one-time codes can themselves be phished by a site that relays them in real time, so where it is available a hardware security key or passkey-based login is the stronger choice. Anyone who suspects that one of their accounts has fallen victim to a phishing attack should immediately change their password.

  •

    How cloud services become weapons in Russia-Ukraine cyber conflict

    As Russia’s invasion of Ukraine continues into its third week, researchers have explored how cloud technologies are contributing to the conflict, at least on the virtual battleground.

    When Russia crossed into Ukraine in February, this triggered action online. Ukraine had already experienced multiple attacks leading to website defacement, Distributed Denial-of-Service (DDoS) outages and the use of destructive wiper malware. Anonymous hacktivists then became involved, and Ukraine’s government called for volunteers with cybersecurity skills to help protect critical infrastructure. By March, Ukraine had started forming what officials called an “IT army” tasked with network defense as well as offensive counterattacks against Russian threat actors.

    According to new research conducted by Aqua Security’s Team Nautilus, cloud technologies now play a role in the digital side of the conflict. The team tracked code and tools in public repositories, including Docker container images, code libraries and the package registries for Python (PyPI), JavaScript (npm) and Ruby, searching for names, guides and tools promoted for use in cyberattacks by either side. In total, roughly 40% of these public repositories were “related to denial-of-service activity aimed to disrupt the network traffic of online services,” according to the researchers.

    Two container images, “abagayev/stop-russia:latest” and “erikmnkl/stoppropaganda:latest,” were of particular interest to the team. Both are DDoS tools that ship with how-to guides, so that anyone able to pull and run a container can take part in website disruption without any technical expertise.

    Financial and multiple service providers in Russia are on the target list. “Both container images also included attack tools that initiate a DNS flood carried out over the UDP protocol, sending a large number of DNS requests to UDP port 53, and aimed against Russian banks,” the team noted.

    Honeypots deployed by Team Nautilus, set up to gather data on IP addresses related to Russia and Ukraine, showed that 84% of DDoS targets were affiliated with Russian IP addresses, whereas 16% were linked to Ukraine. Overall, network and media organizations were attacked most often.

    “As technology advances, experienced threat actors can create and distribute simple automated tools allowing less skilled individuals to join and participate in cyberwar,” the researchers say. “It also allows individuals and organized hacking groups to influence the conflict, using their knowledge and resources. We can see how emerging technologies are relevant in these efforts and can help make an impact.”

    In related news, Google’s Threat Analysis Group (TAG) has taken down a “coordinated influence operation” linked to Belarus, Moldova and Ukraine, and account protections have been ramped up for Ukrainian users suspected of being at higher risk of compromise because of the invasion.

    Ukraine’s Computer Emergency Response Team (CERT-UA) previously warned that the Belarusian threat group Ghostwriter, also tracked as UNC1151, is actively spreading anti-NATO material and is involved in a number of phishing campaigns. On March 11, the agency said malicious droppers hosted on Discord servers were also being served to victim organizations by UAC-0056. According to Palo Alto Networks, one victim was an energy company in Ukraine.
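    The UDP/53 DNS flood that these container images automate is easy to recognise on the receiving end: one source firing far more queries at a resolver in a second than any real client would. As an added example, not code from the article or from Aqua Security, the following POSIX shell function runs that check over a flow log, using a trailing time window rather than fixed per-second buckets so a burst that straddles a second boundary is still caught. The record format “epoch src dst proto dport”, one packet per line and sorted by time, is an assumption, and the sample log is constructed from RFC 5737 documentation addresses, not captured traffic.

```shell
#!/bin/sh
# Added example: flag sources that look like the UDP/53 DNS flood described above.
# Not code from the article or from Aqua Security. Assumed input format, one packet per
# line, sorted by time: "<epoch-seconds> <src-ip> <dst-ip> <proto> <dst-port>".

# dns_flood_sources THRESHOLD WINDOW: read flow records on stdin and print each
# "src -> dst" pair that sends more than THRESHOLD UDP packets to port 53 within
# any trailing WINDOW-second interval. Each pair is printed once, on first detection.
dns_flood_sources() {
    awk -v thr="$1" -v win="$2" '
        # Only UDP to port 53 counts; TCP/53 and everything else is ignored.
        $4 == "udp" && $5 == 53 {
            key = $2 " -> " $3
            n[key]++
            ts[key, n[key]] = $1
            # Advance the window start past packets older than WINDOW seconds
            # (packets exactly WINDOW seconds old have already left the window).
            while (start[key] < n[key] && ts[key, n[key]] - ts[key, start[key] + 1] >= win)
                start[key]++
            if (n[key] - start[key] > thr && !(key in flagged)) {
                flagged[key] = 1
                print key
            }
        }'
}

# Constructed sample (not captured traffic). 203.0.113.7 bursts eight queries at a
# resolver inside one second; 203.0.113.42 sends one query per second, which is normal
# client behaviour; 203.0.113.7 also has TCP/443 traffic that must not be counted.
SAMPLE_FLOWS='1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.42 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.20 tcp 443
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.20 tcp 443
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995200 203.0.113.7 198.51.100.10 udp 53
1646995201 203.0.113.42 198.51.100.10 udp 53
1646995202 203.0.113.42 198.51.100.10 udp 53
1646995203 203.0.113.42 198.51.100.10 udp 53
1646995204 203.0.113.42 198.51.100.10 udp 53
1646995205 203.0.113.42 198.51.100.10 udp 53'

# demo_flooders: run the check over the sample with a 5-packets-per-second threshold
# and return the flagged pairs; only the bursting source should come back.
demo_flooders() {
    printf '%s\n' "$SAMPLE_FLOWS" | dns_flood_sources 5 1
}

case "${1:-}" in
    demo) demo_flooders ;;
    run)  dns_flood_sources "${2:-200}" "${3:-1}" ;;   # reads real flow records from stdin
esac
```

    `sh dns_flood.sh demo` prints only 203.0.113.7 -> 198.51.100.10. For real traffic, feed records in the assumed format via `sh dns_flood.sh run 200 1`; the thresholds here are deliberately low for the sample and have to be tuned per environment, since a busy recursive resolver or a large NAT gateway legitimately sends hundreds of queries a second.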