Information Technology

Image: Getty Images
Every now and then, someone in power has a sook about a bad experience on social media. Then, as regular as a cuckoo clock, there’s a call for every social media user to be identified, because they reckon anonymity is the problem. Right now the cuckoo is the Australian government, and boy are they ramping up the rhetoric. Last Thursday, Prime Minister Scott Morrison and two other senior ministers called on the tech giants to identify their users, telling them that if they didn’t do so then they were no longer platforms, immune from prosecution. They would be publishers, subject to Australia’s tough defamation laws. Social media is a “coward’s palace”, Morrison said. First out the little wooden door had been Deputy Prime Minister Barnaby Joyce who was, quite understandably, angry that rumours about his daughter had been published. Joyce told ABC Radio that the government and others around the world now have the motivation to say, “We’ve had enough, you can’t treat us like fools”. “We spend billions of dollars in Australia on mental health issues — Facebook, Twitter and other online platforms make billions of dollars profit from selling a product that I believe in many instances, if it was a food product, it would be taken off the shelf,”

Then on Sunday, the baton was handed to Communications Minister Paul Fletcher. “We expect a stronger position from the platforms,” Fletcher told ABC TV’s Insiders on Sunday. “For a long time, they’ve been getting away with not taking any responsibility in relation to content that’s posted on the sites,” he said. The attorneys-general around Australia are already leading an “existing process” to look at these issues. “Commonwealth Attorney-General, my colleague Michaelia Cash, just this week wrote to the state attorneys-general wanting to accelerate that process,” Fletcher said. “Tell me who you are” is a flexing of power Back in March, forcing social media users to identify themselves was one of the 88 recommendations in a report by a parliamentary inquiry into family, domestic and sexual violence. “In order to open or maintain an existing social media account, customers should be required by law to identify themselves to a platform using 100 points of identification, in the same way as a person must provide identification for a mobile phone account, or to buy a mobile SIM card,” it said. The platforms would have to provide those details when requested by the eSafety Commissioner, law enforcement, or as directed by a court. But while anonymity is certainly used as a cover for abusive behaviour, at least some of the time, would demanding ID actually solve the problem? According to Elise Thomas, an open-source intelligence analyst at the Institute for Strategic Dialogue, that’s far from clear. After all, Facebook for one already has a real-names policy. “A cursory glance through Facebook comments on any controversial topic will indicate that many people are only too happy to make cruel comments under their own names,” Thomas wrote at The Strategist. “It’s not clear how a requirement to provide a driver’s licence or other ID to open an account would change that behaviour.” Nor would it necessarily be a “proportionate or effective” policy response. “A high bar for evidence of necessity, safety and effectiveness should be required before the government asks Australians to accept a measure which almost no other country has imposed,” Thomas said. As she notes, there have been criticisms that real-names policies disproportionately impact marginal communities and endanger victims of domestic violence and stalking. In the US, the Electronic Frontiers Foundation has documented a variety of harms that real-names policies can cause. It’s sometimes argued that while the platforms could demand ID, the users could still post under a pseudonym. But the platforms would hardly push back against demands from government, or from powerful people with expensive lawyers. Shielding users’ privacy against legal demands costs money and antagonises governments that are already keen for tighter regulation. Moreover, just as in every other aspect of society, the platforms are more likely to respond to complaints from the powerful and the privileged, rather than the marginalised. Just ask any woman who’s been the subject of abuse, or a person of colour, or someone from the LGBTQI+ communities. As always, “I need to know your name” only works to allow the powerful to exert power. Thomas also noted the human rights aspects of all this. Concerned about election misinformation, South Korea in 2004 demanded ID before posting on election websites. That was later extended to all sites with more than 300,000 daily visitors. “Studies show that during the time the policy was in operation, there was no significant decrease in online abuse,” she wrote. “What did happen, however, was a massive hack in which 35 million South Koreans national identification numbers were stolen.” South Korea’s policy was ruled unconstitutional. Anonymity, or using a pseudonym, allowed people to “voice criticism on majority opinion without giving into external pressure,” the court said. Meanwhile in Europe, a German court ruled Facebook’s policy illegal. “In 2021, the only country imposing a requirement for government identification on social media users is China, where privacy rights and the effects on democratic free speech are clearly not a concern,” Thomas wrote. That should tell you something. Logical fallacies, and another Morrison government rush job Like so much of the government’s internet-related policy, this demand for identification feels like another instance of that old logical fallacy: Something must be done. This is something, therefore this must be done. Joyce said that if social media companies were smart enough to make so much money, then they were smart enough to make their products safer. That’s a bit like saying that if you’re smart enough to design an apartment building then you’re smart enough to perform open-heart surgery. Or turn lead into gold. Then there’s the sudden rush, with multiple ministers on the message within days. Fletcher was pushing the message that efforts to regulate Facebook and Twitter would be like the News Media Bargaining Code, where work started back in 2018 and led to a result. Joyce, however, is as usual on a different page. “This time, something’s going to happen,” he said, legislation would be coming “soon”. Victims of anonymous abuse who have been calling for action might be happy, but they might also wonder “Why now?” That’s easy to explain. The attack on Joyce’s daughter kicked them in the politicals, and there’s an election coming up. Related Coverage More

Quest Diagnostics has informed the SEC about a ransomware attack in August that hit ReproSource, a fertility clinic owned by the company. The ransomware attack led to a data breach, exposing a significant amount of health and financial information for about 350,000 ReproSource patients. In a statement to ZDNet, Quest said ReproSource provided notice that it experienced a data security incident in which an unauthorized party may have accessed or acquired the protected health information and personally identifiable information of some patients. “On August 8, 2021, an unauthorized party accessed the ReproSource network. ReproSource discovered ransomware on the morning of August 10, and in less than an hour severed all network connection activity and contained the incident,” a company spokesperson explained.”ReproSource immediately launched a comprehensive investigation to determine the cause and scope of the incident. ReproSource retained leading cybersecurity experts to assist with our investigation, confirmed containment of the ransomware, and quickly and securely recovered operations. Additionally, ReproSource promptly notified law enforcement.” Quest added that ReproSource began sending out breach notification letters to victims on September 24. The letters tell victims that the personal information leaked during the ransomware attack includes names, addresses, phone numbers, email addresses, dates of birth and billing information.

A trove of health information was also leaked during the attack, including CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers and other information provided by individuals or by treating physicians. The company admitted that an undisclosed number of people also had driver’s license numbers, passport numbers, Social Security numbers, financial account numbers, and/or credit card numbers leaked in the attack.News of the breach came to light after a regulatory filing by Quest, which said the larger company was not affected by the incident at ReproSource but confirmed that it was a ransomware attack. Quest noted that it has cybersecurity insurance and does not believe it will have a severe effect on the company’s finances as other ransomware attacks have. ReproSource is providing victims with free credit and identity monitoring services from Kroll but did not say how long these services would last. ReproSource is the second fertility clinic this year to send out breach notifications after a ransomware attack. Georgia-based Reproductive Biology Associates, and its affiliate My Egg Bank North America, notified about 38,000 patients that their medical information and other data like social security numbers had been accessed by cybercriminals during a ransomware attack in April.Healthcare facilities continue to face the brunt of ransomware attacks across the world, specifically because of the sensitive data they are forced to collect on patients, employees and visitors. Hundreds have been attacked this year and the problem has shown no signs of slowing down. “Like with other critical infrastructure, healthcare systems face unique vulnerability from ransomware attacks because the exposed data affects not only patients’ privacy, but also their choices about medical treatment. Fertility treatments are a perfect example of this, as they can require up to tens of thousands of dollars in investments from prospective parents, making this sector a perfect target for bad actors looking for a profit,” said Tim Eades, CEO at cybersecurity company vArmour. “It’s a reality that ransomware will continue to target fertility clinics and other health systems for their valuable data.” More

Ransomware is the most significant cybersecurity threat facing organisations ranging from critical national infrastructure providers and large enterprises to schools and local businesses – but it’s a threat which can be countered.In a speech at the Chatham House Cyber 2021 Conference, Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC) warned about several cybersecurity threats facing the world today, including supply chain attacks, the threat of cyber espionage and cyber aggression by hostile nation-states and cybersecurity exploits and vulnerabilities being sold to whoever wants to buy them. But it’s ransomware which is “the most immediate danger to UK businesses and most other organisations” said Cameron, who warned that many businesses are leaving themselves vulnerable because “many have no incident response plans, or ever test their cyber defences”. Drawing on examples of high-profile ransomware attacks around the world including the Colonial Pipeline ransomware attack, the ransomware attack against Ireland’s Health Service Executive and those closer to home like the ransomware attack against Hackney Council, Cameron detailed the “real world impact” that these cyber attacks have had over the last year as cyber criminals encrypt networks and attempt to demand ransom payments of millions for the decryption key. And one of the reasons why ransomware is still so successful is because some victims of the attacks will pay the ransom, perceiving it to be the best way to restore the network as quickly as possible – despite warnings not to pay. SEE: A winning strategy for cybersecurity (ZDNet special report)”We expect ransomware will continue to be an attractive route for criminals as long as organisations remain vulnerable and continue to pay. We have been clear that paying ransoms emboldens these criminal groups – and it also does not guarantee your data will be returned intact, or indeed returned at all,” said Cameron, who also detailed how many ransomware groups are now stealing data and threatening to leak it if the ransom isn’t paid. 

“Their intention is clear: to increase pressure on victims to pay,” she said. In recent months, the impact of ransomware has become so great that world leaders have discussed it at international summits.  “We should not view ransomware as a risk we have to live with and can’t do anything about.  We’ve seen this issue become a leader level G7 topic of conversation this year. Governments have a role, and we are playing our part,” said Cameron. “We are redoubling our efforts to clamp down and deter this pernicious and spreading crime, standing firm with our global counterparts and doing our best to turn this into a crime that does not pay,” she added. But while governments, law enforcement and international bodies have a role to play in helping to fight back against ransomware attacks, businesses and other organisations can also examine their own defences and what plans they have in place, should they fall victim to a ransomware attack. “But victims also have agency here too. Do you know what you would do if it happened to you? Have you rehearsed this? Have you taken steps to ensure your systems are the hardest target in your market or sector to compromise? And if you would consider paying a ransom, are you comfortable that you are investing enough to stop that conversation ever happening in the first place,” said Cameron. Actions like applying security patches and updates promptly and using multi-factor authentication can help protect networks from cyber attacks – and the NCSC has published much advice on how businesses can help protect their networks, emphasising that cybersecurity must be a board level issue. “One of the key things I have learnt in my time as NCSC CEO is that many – in fact the vast majority –  of these high-profile cyber incidents can be prevented by following actionable steps that dramatically improve an organisation’s cyber resilience”, said Cameron. “Responsibility for understanding cyber security risks does not start and end with the IT department. Chief executives and boards also have a crucial role,” she said. “No chief exec would get away with saying they don’t need to understand legal risk because they have a general counsel. The same should be true of cyber risk”. MORE ON CYBERSECURITY More

Ransomware is one of the biggest cybersecurity issues facing the world today with gangs routinely breaking into enterprise networks to encrypt files and networks. Often, victims only realise that they’ve been compromised when files, servers and other systems have been encrypted and they’re presented with a ransom note demanding a payment in cryptocurrency for the decryption key. But even if cyber criminals are already inside the network it’s not necessarily too late to prevent a ransomware attack; if an organisation has a good threat hunting strategy, they can detect strange or suspicious activity and counter the threat before ransomware becomes a major problem.  That’s because criminals can spend weeks in the network before triggering a ransomware attack – and even if protections designed to prevent them from entering the network have failed, this delay can provide an opportunity for preventing a full-blown ransomware attack.  The US Department of Commerce’s National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) lists Identify, Protect, Detect, Respond and Recover as the five functions of securing networks. But many organisations are still attempting to rely on the ‘protect’ aspect as the main line of defence, without a clear strategy, if they have one at all, on how to detect and respond to threats which bypass protections. “When you think about the CSF framework, I think we spend so much in the protect bucket and not enough in detect respond and recover,” said Jason Lewkowicz, Global CISO for Cognizant, speaking during a panel discussion on ransomware at VMware’s VMworld 2021 conference. See also: A winning strategy for cybersecurity (ZDNet special report).

If criminals have already been able to breach the network, it might be difficult to believe that all is not lost, but the way attacks work means it’s still possible to cut them off and prevent a ransomware incident.   For example, it’s common for cyber criminals to gain access to networks and install malware to help examine the environment they’ve compromised – then they’ll often follow a standard routine of actions during the days or weeks they’re in the network. It’s possible to identify this activity and if it’s identified, there’s the opportunity to stop the attackers. “Detection can actually be part of preventing ransomware. There’s a classic ransomware chain of events and it’s almost gut wrenching because it’s predictable and we see it every day,” said Katie Nickels director of intelligence at Red Canary.    “My team will see an initial malware family like QBot – then the adversaries will look around the environment, do some reconnaissance and then they install a tool called Colbalt Strike, then they move laterally. It’s the same playbook – ransomware is coming”. If organisations have a good knowledge of their own network and a threat hunting team which can take knowledge of how these hands-on ransomware attacks work and use it to detect threats, they can be identified, removed and remediated before the problem grows to become a full-scale ransomware attack.  “If you can detect these things – these are very detectable predictable behaviors – if you could detect them early you can actually prevent the encryption, the exfiltration or a really bad outcome,” said Nickels. “It’s interesting, because everyone thinks about prevention and protection, but early detection is actually prevention of ransomware,” she added. Smaller businesses or those without a significant IT or information security budget could struggle to engage in threat hunting themselves, but it can be useful for helping to prevent a ransomware attack and much less costly than falling victim.”It’s so important to have threat hunting capabilities on the team – if you don’t have that in your organization partner up within the ecosystem – because threat hunting really helps to identify those and profile that activities,” said Amelia Estwick, director of threat research at VMware. Being able to find out if cyber criminals have compromised the network can play a major role in actually preventing an incident from taking place, or at least ensuring that the impact is reduced. Keeping a ransomware attack restricted to one part of the network is still better than letting it spread around the entire enterprise environment. It can also help cybersecurity teams learn to prevent additional attacks in future. “We already know they’re in there, so let’s figure out how to do batten down the hatches and how are they moving throughout the system, so we can learn to better provide and develop tools to detect and prevent this from occurring again,” said Estwick. More on cybersecurity: More

A brand of malware that has previously gone undetected is being used in targeted attacks against Linux systems. 

According to researchers from cybersecurity firm ESET, the malware, named FontOnLake, appears to be well-designed and while under active development already includes remote access options, credential theft features, and is able to initialize proxy servers. FontOnLake samples first appeared on VirusTotal in May 2020 but the command-and-control (C2) servers linked to these files are disabled, which the researchers say may be due to the uploads.  The researchers added that Linux systems targeted by the malware may be located in areas including Southeast Asia.   ESET believes the operators are “overly cautious” about being caught and their activities exposed as almost all samples obtained use different C2 server addresses and a variety of ports. Furthermore, the malware’s authors make use of C/C++ and a number of third-party libraries such as Boost and Protobuf.  FontOnLake is modular malware that harnesses custom binaries to infect a machine and to execute malicious code. While ESET is still investigating FontOnLake, the firm says that among its known components are trojanized apps which are used to load backdoors, rootkits, and to collect information.”Patches of the applications are most likely applied on the source code level, which indicates that the applications must have been compiled and replaced the original ones,” the team says. 

In total, three backdoors have also been connected to FontOnLake. The backdoors are all written in C++ and create a bridge to the same C2 for data exfiltration. In addition, they are able to issue “heartbeat” commands to keep this connection active.  FontOnLake is always joined with a kernel-mode rootkit to maintain persistence on an infected Linux machine. According to Avast, the rootkit is based on the open source Suterusu project.  Tencent and Lacework Labs have also published research on what appears to be the same strain of malware. ESET has also released a technical whitepaper (.PDF) examining FontOnLake.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The FBI and the Naval Criminal Investigative Service (NCIS) have arrested an engineer and his wife for trying to sell confidential military data. 

On Sunday, the US Department of Justice (DoJ) named Jonathan and Diana Toebbe, of Annapolis, Maryland, as the suspects in a plot to sell information to a foreign government.According to the complaint, for close to a year, Jonathan — with the assistance of his wife — attempted to sell Restricted-class data in exchange for cryptocurrency.  Jonathan served as a nuclear engineer for the US Navy. During his time with the Navy, the 42-year-old worked on the Naval Nuclear Propulsion Program and had secured high-level national security clearance.  “Toebbe worked with and had access to information concerning naval nuclear propulsion including information related to military sensitive design elements, operating parameters, and performance characteristics of the reactors for nuclear-powered warships,” US prosecutors say.  On April 1, 2020, Jonathan allegedly sent a sample pack of information relating to the nuclear program to an unnamed foreign government, together with a letter that alleged read: “I apologize for this poor translation into your language. Please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation. This is not a hoax.”  The DoJ has accused the engineer of then forming a relationship over email with someone he believed was part of this government. 

ProtonMail was used for back-and-forth exchanges over the course of several months under the names “Alice” and “Bob.” By June 8, the contactee had sent Toebbe a $10,000 payment in Monero cryptocurrency in “good faith,” and several weeks later, the engineer allegedly acted.  The husband and wife traveled to West Virginia to an agreed drop location. While Diana assumed the role of a lookout, Jonathan then placed half a peanut butter sandwich at the drop site — and contained within was an SD storage card containing stolen nuclear reactor program information.  The SD card was then retrieved by the contactee — who happened to be an undercover FBI agent, who sent Toebbe a further $20,000 in cryptocurrency.  After the second payment was made, the engineer emailed the agent the decryption key required to access the information contained in the SD card.  The FBI was then able to verify the legitimacy of the data and a second drop was arranged for the price of $70,000. This time, Toebbe smuggled the SD card into a chewing gum package.  Among the stolen data was schematics for the Virginia-class submarine, a $3 billion design of which vehicles are in active service and are expected to remain so until at least 2060. It was almost time for law enforcement to act and so they arranged for yet another package of data to be exchanged — and in the next drop zone, the pair were arrested.  The Toebbes were arrested on October 9 and they are due to appear in a Martinsburg, West Virginia federal court on October 12 to faces accusations of conspiracy to communicate restricted data and communicating restricted data as violations of the Atomic Energy Act. The FBI and the NCIS are continuing to investigate.  “The complaint charges a plot to transmit information relating to the design of our nuclear submarines to a foreign nation,” commented Attorney General Merrick Garland. “The work of the FBI, Department of Justice prosecutors, the Naval Criminal Investigative Service, and the Department of Energy was critical in thwarting the plot charged in the complaint and taking this first step in bringing the perpetrators to justice.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The Australian industry group advocating for tech giants, including Facebook, Google, TikTok, and Twitter, has expanded its voluntary code for addressing misinformation online after the Australian and US government made fresh calls last week for tougher social media regulation.The group, Digital Industry Group Inc (DiGi), said the expansion entails creating a new independent committee to police the voluntary code for misinformation and disinformation.These independent members will work with signatories, through an administration sub-committee, to oversee the various actions taken by signatories to meet their obligations under the code, DiGi said.The updated voluntary code will also see DiGi create a new complaints portal. The new portal will accept complaints from the Australian public where they believe a signatory has breached the code’s commitments. Signatories of the voluntary code are Apple, Adobe, Facebook, Google, Microsoft, Redbubble, TikTok, and Twitter.DiGi created the code in February, which consists of signatories committing to releasing an annual transparency report about their efforts to address disinformation and misinformation, and providing a way for users to report content with disinformation and misinformation. The code also calls for signatories to be cognisant of the Universal Declaration on Human Rights when developing proportionate responses to disinformation and misinformation.

Australian Communications and Media Authority chair Nerida O’Loughlin said in a statement that the updated voluntary code mechanisms were “an important step” in reducing online misinformation and disinformation.O’Loughlin did note, however, that she was still concerned about the voluntary and opt-in nature of the code.”We will be watching how this works in practice and whether expanding the committee’s remit will be necessary,” she said.Reset Australia, a democracy advocate, took a firmer position, with its director of tech policy Dhakshayini Sooriyakumaran labelling the code as “laughable” due to its voluntary and opt-in nature.”The DiGi code is voluntary and opt-in, with no enforcement and no penalties. Clearly, self regulation does not work,” she said.”DiGi’s code is not much more than a PR stunt given the negative PR surrounding Facebook in recent weeks.”The changes come as the Australian and US government have criticised the efforts of social media platforms to address misinformation and disinformation, with a Facebook whisteblower last week accusing the social network of intentionally hiding vital information from the public for profit.During a testimony to the Senate, the whisteblower Frances Haugen labelled the company as “morally bankrupt” and that “the choices being made inside of Facebook” were “disastrous for our children, our privacy, and our democracy”.Days later, Australian Prime Minister Scott Morrison criticised tech giants for the conduct that occurs on their platforms, stating that social media platforms like Facebook have become a “coward’s palace” for trolls.”The companies that [do not] say who they are, well, they’re not a platform anymore. They’re a publisher, and you know what the implications of that means in terms of those issues. So people should be responsible for what they say in a country that believes in free speech.” Morrison said at a press conference.Meanwhile, Minister for Communications, Urban Infrastructure, Cities, and the Arts Paul Fletcher said last Wednesday that there was “no question that misinformation or disinformation is a problem on social media”.Fletcher said the government would keep the voluntary code “under close scrutiny” and did not rule out the possibility of further regulation for social media platforms.  “If we don’t think the voluntary code is sufficient then we will certainly consider more direct regulatory action,” he said.RELATED COVERAGE More

McAfee Enterprise and FireEye completed their merger on Friday, closing the $1.2 billion, all cash transaction that merges the two cybersecurity giants. FireEye announced the sale of its FireEye Products business to a consortium led by Symphony Technology Group (STG) in July, separating the company’s network, email, endpoint and cloud security products from Mandiant’s software and services. In March, McAfee sold its enterprise security business to STG in a deal worth $4 billion, paving the way for the two to be merged. The two companies now boast a combined customer base of 40,000, about 5,000 employees and almost $2 billion in revenue. “Aligning McAfee Enterprise’s device-to-cloud cybersecurity solutions with FireEye’s robust portfolio of products presents an extraordinary opportunity for helping keep customers everywhere safe and secure,” STG managing partner William Chisholm said. Bryan Palma, CEO of the new combined company, said the McAfee Enterprise and FireEye teams will be able to develop an integrated security platform powered by artificial intelligence and automation. In an interview, Palma told ZDNet that the sophistication of threats and the deficit of cybersecurity talent means companies will need to rely more on automation, artificial intelligence and machine learning. 

“There’s just no way that people can keep up, and we’re seeing that. We’ve got nation-states now involved in making attacks and that’s very concerning because they obviously have very strong capabilities. But what we’re seeing is some of the techniques that were traditionally used by nation-states are now being used by criminal groups and hackers,” Palma said. “We also see these supply chain attacks, which we were obviously directly involved in at FireEye with everything that happened with SolarWinds. There are so many zero-days still out there and that’s still an entry point for many hackers. There’s ransomware and still good old-fashioned phishing. There’s a combination of really new, sophisticated threats that I think have raised the bar and then the traditional ways that hackers come after organizations.”Palma joined FireEye in February 2021, at the height of outrage and scrutiny over the SolarWinds scandal that is still being unraveled by the US government.  Palma added that there isn’t much overlap between the two companies, allowing each side to bring different things to the table. He said the merger will allow both companies to provide more robust endpoint services, cloud protection and security operations. For the future, Palma said the new company is focusing on leading the way with XDR and statistical models to help address the sophistication of adversaries. “Now that cybersecurity has gotten hot, there are a lot of what I’ll call ‘software companies’ out there. We’re a true, grounded security company and that’s what the people in our company are concerned about.” Palma said. “We really have a great bench of people with expertise who are very skilled in this area and very experienced.”When asked what the new company will be named, Palma explained that the companies will finish the fiscal year under the Mcafee Enterprise and FireEye names before deciding on what the new merged name will be.He said the company doesn’t own the McAfee Enterprise name beyond the end of 2021, so they will have to come up with something new for 2022. 

Tech Earnings More