More stories

    Losses from BitMart breach reach $200 million

    Crypto trading platform BitMart released an update on the devastating security breach that caused about $200 million in losses, writing on Monday that the breach was “mainly caused by a stolen private key that had two of our hot wallets compromised.”

    On Saturday, the platform said a security breach allowed hackers to withdraw $150 million worth of cryptocurrency. Blockchain security company PeckShield said the losses were actually around $196 million, with about $100 million in various cryptocurrencies coming from the Ethereum blockchain and $96 million coming from currencies on the Binance Smart Chain. BitMart suspended withdrawals on December 4 after securing the affected Ethereum and Binance Smart Chain hot wallets.

    “Other assets with BitMart are safe and unharmed. BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps,” the company said on Monday. “No user assets will be harmed. We are now doing our best to retrieve security set-ups and our operation. We need time to make proper arrangements and your kind understanding during this period will be highly appreciated. In terms of asset deposit and withdrawals, we are confident that deposit and withdrawal functions will gradually begin on December 7, 2021.”

    BitMart CEO Sheldon Xia will hold a press conference on Monday night to discuss the breach and how those affected will be compensated. CNBC reported that the hackers behind the attack used 1inch and Tornado Cash to exchange the stolen coins for other cryptocurrencies and make them more difficult to track.

    Hackers have repeatedly attacked cryptocurrency and DeFi platforms over the last year. Just last week, cybercriminals stole about $120 million from DeFi platform Badger. 

    Paul Bischoff, privacy advocate with Comparitech, told ZDNet that the BitMart hack is the sixth-largest cryptocurrency heist of all time by amount of funds lost and the second big crypto heist this month to make the top 10. Several headline-grabbing hacks have taken place this year, including thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September.

    Comparitech keeps a running list of attacks on cryptocurrency platforms and DeFi companies, which include the 2018 hack on Coincheck that involved $532 million and the Mt. Gox attack involving $470 million. In May, about $200 million was stolen from the PancakeBunny platform.

    “Although blockchains are reasonably secure and reliable, the same isn’t always true for the exchanges where people buy, sell, and trade crypto. Exchanges, even though they function like banks, are not insured (e.g. by the FDIC). If the exchange loses assets that belong to its customers via an external hack or inside job, customers might have no recourse to recover their funds,” Bischoff said. “It’s difficult for customers to know which exchanges have sufficient security and make an informed choice. An exchange that operates 10 years without a security incident can still be crippled and put out of business by a single large-scale heist.”

    The Record also keeps a tally of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, Cream Finance, EasyFi, bZx and many other platforms.

    Security experts question new DHS/TSA cybersecurity rules for rail companies

    On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.

    DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry. The government agency has faced backlash this year from companies in a variety of industries — as well as senior Republican lawmakers — for cybersecurity rules that some have called onerous and unnecessary.

    In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young and Deb Fischer — all Republican leaders on the Committee on Commerce, Science and Transportation — slammed DHS’ use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were “appropriate absent an immediate threat.” The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.”

    “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.”

    When asked about the latest regulations handed down by TSA for the rail industry, many cybersecurity experts involved in the rail industry expressed concern about how the new rules would work in practice.

    Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required. “Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system,” Williams said. “Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security.”

    Williams added that these policy language issues are typically discovered during the public comment period, which TSA chose to forego. “There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period,” Williams noted.

    Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams’ concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply.

    “Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole, and a fibre optic run is severed — connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether,” Brash noted. “I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action. If Biden’s XO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation.”

    He also said overly prescriptive approaches may result in too rigid a structure and a focus on the wrong elements, leading to a box-ticking exercise rather than actual efforts to reduce cybersecurity risk.

    Amir Levintal, CEO of rail cybersecurity company Cylus, said the rail industry has made significant technological advances in the last decade, with digitization helping companies improve service, efficiency, comfort, communications, and more. But these efforts have also expanded the rail industry’s threat landscape for hackers, Levintal said.

    “The TSA’s new directives, which require railways to bolster their cybersecurity measures, come as a direct response to the innovations the rail industry has onboarded recently and the resulting threats, and these regulations — along with similar ones in the EU — will only evolve as new technologies continue to be adopted across the planet,” Levintal explained.

    Despite the concerns about the new reporting requirements, some experts said the rail industry’s cybersecurity risks outweighed worries about overzealous reporting. Coalfire vice president John Dickson said that the potential for disruption is high given existing supply chain bottlenecks and the nature of rail networks. He noted that one or two key rail lines service entire regions of North America that are vulnerable to disruption and might cripple the US economy like the Colonial Pipeline event almost did.

    “We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario. Ransomware specifically, and malware automation generally, has lowered the bar so significantly for attackers that DHS CISA should be concerned and is well served to push the industry more,” Dickson said. “The railroad industry, particularly the freight portion of the railroad industry, is generally not considered to be on the bleeding edge of cybersecurity. It’s doubtful that without a regulatory ‘nudge’ from the Federal government, they are likely to not increase their cybersecurity hygiene on their own accord.”

    Padraic O’Reilly, chief product officer of CyberSaint, called the new rules a “good and timely development” that is “long overdue” because the rail industry is a vulnerable piece of the US critical infrastructure. With the 24-hour reporting requirement as the baseline, the industry will be moved on to the right track, O’Reilly explained, adding that it was good that government agencies had consulted groups like the Association of American Railroads (AAR) before releasing the regulations.

    The AAR said they and other rail industry groups had been consulting with Secretary of Homeland Security Alejandro Mayorkas and the TSA since October to “revise provisions that would have posed challenges in implementation.” The group said that with the latest regulations, “a number of the industry’s most significant concerns have been addressed.” All Class I railroads and Amtrak, as well as many commuter and short line carriers, already have chief information security officers and cybersecurity leads who will serve as the required cybersecurity coordinators, according to the AAR. Many companies also conduct cybersecurity assessments on a recurring basis and have been reporting some cyber threats to CISA through AAR’s Railway Alert Network (RAN).

    “For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”

    A cyber attack has forced supermarket Spar to close some stores

    A cyber attack has forced supermarket chain Spar to close some of its UK stores. The retailer, which has 2,600 locations in the UK, said it has been hit by what it describes as an “online attack”, leaving some stores without the ability to take payments by card.

    “There has been an online attack on our IT systems which is affecting stores’ ability to process card payments, meaning that several Spar stores are currently closed. We apologise for any inconvenience, we are working as quickly as possible to resolve the situation,” Spar UK said in a tweet sent to customers asking why branches of the store in areas of the country, including Yorkshire and Lancashire, were closed.

    Some stores appear to have been suffering issues since Sunday, meaning that this is a multi-day incident, and one customer commented that stores with accompanying petrol stations were closed. It’s currently unclear what sort of “online attack” has forced the stores to close, but a Spar spokesperson confirmed that a number of stores have been affected by a cyber attack against James Hall & Co Ltd, a business which supplies Spar stores across the North of England.

    “James Hall & Company are currently aware of an online attack on its IT system. This has not affected all SPAR stores across the North of England, but a number have been impacted over the past 24 hours and we are working to resolve this situation as quickly as possible,” said a Facebook post by Spar Oswaldtwistle.

    ZDNet has attempted to contact James Hall & Co but hasn’t received a response at the time of publication. The website of the company is also down at the time of writing.

    “We are aware of an issue affecting Spar stores and are working with partners to fully understand the incident,” an NCSC spokesperson told ZDNet. “The NCSC has published guidance for organisations on how to effectively detect, respond to, and resolve cyber incidents.”

    Hackers are using this new malware which hides between blocks of junk code

    A Russian government-backed hacking group linked to the SolarWinds supply chain attack has developed new malware which has been used to conduct attacks against businesses and governments in North America and Europe in a campaign designed to secretly compromise networks, steal information, and lay the foundations for future attacks. The attacks also involve the compromise of multiple cloud and managed service providers as part of a campaign designed to give the hackers access to clients downstream from the vendors in supply chain attacks.

    The wide-ranging campaign has been detailed by cybersecurity researchers at Mandiant, who’ve linked it to two hacking groups they refer to as UNC3004 and UNC2652. Mandiant associates these groups with UNC2452 – also known as Nobelium in reports by Microsoft – a hacking operation that works on behalf of the Russian Foreign Intelligence Service and was behind the cyber attack against SolarWinds. However, while each of these hacking operations works out of Russia and they appear to share similar goals, researchers can’t say for certain that they’re all part of one unit. “While it is plausible that they are the same group, currently, Mandiant does not have enough evidence to make this determination with high confidence,” said the report.

    The newly detailed campaigns include the use of a custom-developed malware downloader which researchers have called Ceeloader.

    Written in the C programming language, the malware decrypts shellcode payloads to be executed in the memory of the victim Windows machine, enabling the distribution of further malware. Ceeloader hides from detection by using large blocks of junk code, which makes the malicious code undetectable to anti-virus software. “An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” the report said.

    It isn’t clear how Ceeloader is distributed, but it provides a stealthy gateway for further malicious activity. Other tactics which the attackers use include the abuse of the legitimate penetration testing tool Cobalt Strike to place a backdoor on the compromised system which can be used to execute commands and transfer files, as well as providing a keylogger that can be used to steal usernames and passwords.

    In addition to the deployment of malware, the attackers have compromised targets via cloud services. Like other Russia-linked hacking campaigns, these attacks also target remote desktop protocol (RDP) log-in credentials. But no matter how the network was compromised, the organisations under attack appear to align with those targeted in previous campaigns attributed to the Russian state. “We have seen this threat actor ultimately target government entities, consulting organisations, and NGOs in North America and Europe who directly have data of interest to the Russian government. In some cases, they first compromised technology solutions, services, and reseller companies in North America and Europe that have access to targets that are of ultimate interest to them,” Douglas Bienstock, manager of consulting at Mandiant, told ZDNet.

    For the attackers, targeting cloud service providers via the new and existing methods of compromise detailed by the report remains one of the key methods of compromising a wide range of organisations. By compromising the supplier, they have the potential to gain access to the systems of customers. Incidents like the SolarWinds supply chain attack attributed to the Russian state, plus cybercriminal activities like the Kaseya supply chain compromise and ransomware attack, have demonstrated what a powerful tool this can be for hostile cyber campaigns – which is why cloud providers and their services remain a prominent target.

    “By compromising the environment of a single cloud service provider, the threat actor may be able to access the networks of multiple organisations they are interested in that are customers of that provider. In this way, the threat actor can focus their efforts on a small number of organisations and then reap large rewards,” said Bienstock.

    Mandiant researchers say they’re aware of a few dozen organisations who’ve been impacted by campaigns in 2021, and in cases where they’ve been compromised by any attackers, steps have been taken to notify them. It’s expected that the Russia-linked hackers – and other offensive cyber operations – will continue to target organisations, supply chains, and cloud providers around the world. Mandiant has previously released advice on hardening networks against attacks, which includes enforcing multi-factor authentication across all users.

    Brace yourself for these five top data breach trends in 2022, Experian warns

    In its latest annual Data Breach Industry Forecast released Monday, credit bureau and information services company Experian said that it has identified five areas it believes cybercriminals will find opportunities to exploit in 2022. The findings were made based on the observation that as people throughout the world become more digitally connected online than ever before, thanks in part to the global pandemic, so too is the potential for institutions, infrastructures, and personal lives to be more exposed to cybercriminals. “Big institutions remain vulnerable, despite spending millions on security, and cybercriminals have plenty of opportunities to exploit weak technologies,” the report said.

    Experian identified five top data breach trends to expect in 2022:

    1. Digital assets

    Digital assets, such as cryptocurrencies and non-fungible tokens, or NFTs, will become greater targets of attack as society accepts them as legitimate parts of the financial and technological landscape. This prediction couldn’t have come at a better time, as cryptocurrency exchange BitMart reported over the weekend that hackers stole about $150 million worth of tokens from its so-called “hot wallets.” Blockchain security and data analytics company PeckShield, which first noticed the breach, estimated that BitMart’s loss was closer to $200 million: $100 million on Ethereum and $96 million on Binance Smart Chain.

    2. Natural disasters

    Natural disasters will prompt people to donate more to aid organizations online, resulting in both donors and people in distress becoming more prone to phishing attempts from groups disguised as charitable organizations. To complicate things further, Experian said unreliable global supply chains will make the sourcing of emergency goods more difficult, which will provide another opportunity for online thieves to take advantage.

    3. Remote workers

    Remote workers will be targets of data thieves who are looking to hack into businesses and institutions. The report said that because home wireless networks are more vulnerable than many business VPNs, companies will need to focus more on security compliance from their employees. “Employees will need training on matters like how to spot a phishing attempt, or how to respond to a ransomware attack,” according to the report.

    4. Physical infrastructure landmarks

    Physical infrastructure landmarks, such as electrical grids, dams, and transportation networks, will be greater targets for hackers, both foreign and domestic, who will attempt to steal some of the trillions of dollars Congress approved under the Biden infrastructure bill. Experian said that these bad actors will attempt to steal during the process of fund disbursement using a variety of scams from phishing to CEO fraud. “The sums are so large, and their distribution involves so many institutions and processes – from Treasury vendors to banks, to individual contractors – that hackers will be probing for weaknesses in the money supply chain,” the report said.

    5. Online gambling scams

    As online sports betting becomes legalized in more states, phishing scams will target online gamblers, especially those who are new to online betting. And as online gambling becomes more legal, online scammers will be harder to detect. Experian predicts that common forms of thievery will include gambling using stolen credit card info, hijacking an account either through hacking or correctly guessing a password, or impersonating a legitimate online casino. Experian also noted that as cryptocurrency becomes more popular in online gambling, and more sites incorporate it for ease of use, hackers will attempt to break into digital wallets.

    Data breaches remain a strong threat. In a recent report by the Identity Theft Resource Center, there have been 1,291 data breaches in 2021, as of September 30, 17% more than the 1,108 breaches reported during all of 2020.

    “Cybercriminals have honed in on pandemic disruptions this past year so security professionals need to shore up security protocols and have data breach response plans in place – especially for ransomware – should a breach occur,” said Michael Bruemmer, global vice president of Experian Data Breach Resolution, who published the report. “Businesses must increase their focus and move past simply catching up to the ‘new normal’ in how they operate,” he added.

    ASIC says financial market cyber resiliency remained steady but fell short of target

    Firms in Australia’s financial market have continued to be resilient against cyber threats, with improvement rates in cyber resiliency remaining steady, the Australian Securities and Investment Commission (ASIC) reported on Monday. This finding was published in the corporate regulator’s latest report [PDF], which compiled trends from self-assessment surveys completed by financial markets firms. The report, titled Cyber resilience of firms in Australia’s financial markets: 2020–21, is an update to a similar cyber resilience report published by ASIC two years ago.

    In both 2020 and 2021, ASIC asked participants to reassess their cyber resilience against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Framework allows firms to assess cyber resilience against five functions: Identify, protect, detect, respond, and recover, using a maturity scale of where they are now and where they intend to be in 12-18 months.

    In the new report, ASIC identified that cyber resiliency among firms operating within Australia’s financial market increased by 1.4% overall, but this fell short of the 14.9% improvement targeted for the period. It was also lower than the 15% improvement that was achieved between 2017 and 2019. ASIC attributed the shortfall to a combination of reasons including overly ambitious targets, a rise in the cyber threat environment, and disruptions caused by the COVID-19 pandemic, which resulted in organisations directing resources towards enabling secure remote working and ensuring products and services could be delivered to customers as supply chains were burdened with growing cyber activists.

    [Figure: Improvement in cyber resilience preparedness between cycles (by function). Image: ASIC]

    Overall, 2021 saw improvements in the management of digital assets, business environment, staff awareness and training, and protective security controls. “Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment. The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust,” ASIC commissioner Cathie Armour said.

    The report said 90% of firms strengthened user and privileged access management, 88% of firms ensured users were trained and aware of cyber risks, and 86% had mature cyber incident response plans in place. Other key findings from the report included the gap between large firms and small to medium-sized enterprises (SMEs) continuing to close, with an overall improvement of 3.5%. In contrast, larger firms reported a slight drop in confidence of 2.2%, ASIC said. “This comes off a strong base and can be attributed to large firms reassessing their response and recovery capabilities in light of: Increased complexity of their business operating models [and] a significant increase in threats to critical products and services reliant on third parties and supply chains,” the corporate regulator said.

    ASIC also highlighted that the greatest gaps between larger firms and SMEs continued to be in supply chain risk management, where 40% of SMEs indicated weak supply chain risk management practices, but a majority of firms identified that this would be an ongoing priority over the next period. Investment in cyber resiliency by credit rating agencies increased during the period, ASIC said, triggered by the 2017 Equifax incident, while investment banks continued to set high targets for all NIST Framework categories.

    The release of the report follows ASIC recently putting forward a recommendation for market operators and participants to simulate outages and recovery strategies to improve resiliency. It was off the back of an investigation into the Australian Securities Exchange (ASX) software issues that arose when the refresh of its trade equity platform went live in November last year, causing the exchange to pause trade.

    Didi to leave Wall St listing for Hong Kong Stock Exchange

    Ride hailing app Didi announced it was preparing to leave the New York Stock Exchange in a small note released on Friday. “[Didi Global] today announced that its board of directors has authorized and supports the company to undertake the necessary procedures and file the relevant application(s) for the delisting of the company’s ADSs [American Depositary Shares] from the New York Stock Exchange, while ensuring that ADSs will be convertible into freely tradable shares of the Company on another internationally recognized stock exchange at the election of ADS holders,” it said. “The company will organize a shareholders meeting to vote on the above matter at an appropriate time in the future, following necessary procedures.

    “The board has also authorized the company to pursue a listing of its class A ordinary shares on the main board of the Hong Kong Stock Exchange.”

    Didi announced its IPO on Wall St at the end of June, and opened trading at $14. It closed on Friday at $6.07 after opening the day at $7.56 per share. In July, Didi found its app removed from app stores in China following a government edict. The Cyberspace Administration of China said at the time that Didi breached regulations governing the collection and use of personal data. It instructed the removal of the app from local app stores and Didi to rectify “existing problems” and “effectively protect” users’ personal data. The government agency did not disclose any details on what these issues were and how they violated local laws.

    The move hit 25 apps operated by Didi in China. “The company expects that the app takedown may have an adverse impact on its revenue in China,” it said. Didi also confirmed a week later that the authorities in China were conducting a cybersecurity review, and denied reports the company was going private.

    No surprise: NSW iVote fails during local council elections

    New South Wales’ iVote online voting system failed on Saturday during the state’s local government elections, with an unknown number of voters unable to exercise their democratic rights. In a media statement released on Saturday evening, the NSW Electoral Commission (NSWEC) blamed “the increased volume of people using the iVote system”. “Almost triple the number of voters have used iVote at these elections than any previous election,” NSWEC said. “At the 2019 NSW State elections 234,401 votes were cast using iVote. At close of applications at 1pm today [Saturday] 652,983 votes had been cast using the system since it opened on 22 November.” Voting is compulsory in Australia. However NSWEC said any eligible voter who “applied to use iVote” but was unable to cast their ballot would be excused from paying the AU$55 penalty. “The Electoral Commissioner may also determine, after the elections have finished, that other categories of electors should be excused for having a sufficient reason,” NSWEC said. Curiously, the state’s Local Government Act was amended earlier this year specifically to allow iVote to be used for council elections. This was directly in response to “the challenges of COVID-19”.

    These elections had been postponed twice due to the pandemic, from the original date in September 2020, to September 4 this year, and then to December 4. One might wonder, therefore, why iVote couldn’t cope with traffic levels a mere three times above the previous state election. Surely it should have been clear that the pandemic might cause many, many more people to vote online?

    In response to ZDNet’s questions, an NSWEC spokesperson said that the iVote system was prepared based on the usage at previous state elections. “As a contingency the system was planned and tested for a capacity of 500,000 votes — double the capacity required for the 2015 and 2019 NSW State elections,” they said. “There were 283,699 users in 2015 and 234,401 users in 2019. Use of iVote is subject to strict eligibility criteria and criteria for this election were substantially the same as those previous elections. More than 671,000 votes were cast via iVote at this election.” Where possible, NSWEC had introduced additional capacity as volumes increased but could not meet demand on election day, they said.

    Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, isn’t surprised by the failure. Starting in 2015, she and her colleagues have found numerous flaws in iVote, problems which NSWEC has often downplayed. “Every serious investigation of iVote found serious problems,” Teague tweeted on Saturday. That even includes a review [PDF] commissioned by NSWEC itself as recently as July. “What happened today should surprise nobody,” Teague said. “[NSWEC] apologises to voters not able to vote as a result of the outage; no apology to candidates who may or may not have failed to get elected as a consequence of their supporters being excluded.” As Teague noted, local government elections often have narrow margins.

    “Of course the really important point is: where is the evidence of eligible voter intent in any of those 650,000 votes, when we know the system that received them had serious IT problems?” she asked. “We may simply not have enough information to determine who deserved to be elected.”

    ‘Sometimes people insist on shoving beans up their nose’

    Australian election authorities have traditionally pushed back against criticism of their software systems. At the federal level, in March this year the Australian Electoral Commissioner Tom Rogers made it clear that external system audits are not welcome. “We work with a range of partners, including the Australian Signals Directorate, the Australian Cyber Security Centre, we’ve had our internal code audited and checked,” Rogers told a Senate committee. “And not being rude, I’m sure that Dr Teague is a wonderful person, but we’ve had sufficient checks in place to assure ourselves that that system is running smoothly.”

    Justin Warren, chief analyst at PivotNine, continues to be amused by this resistance — not only in electoral matters but right across government. “We keep trying to help governments to be good at computers, but they are remarkably resistant to being helped,” Warren told ZDNet. “One thing I’ve learned from consulting is that sometimes people insist on shoving beans up their nose and there’s nothing you can do to stop them. You have to wait patiently until they ask for help getting them out.”

    NSWEC is required by law to release a full report on the conduct of the election by May 2022. Readers may like to consider whether that’s soon enough.