More stories

  • in

    PJCIS backs expansion of intelligence oversight powers for IGIS and itself

    The Australian parliamentary body that scrutinises the nation’s security agencies has backed the Inspector-General of Intelligence and Security (IGIS) taking on more intelligence oversight responsibilities. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) said in an advisory report this week that it supports passing new intelligence oversight laws that would extend the IGIS’s oversight role to the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Australian Criminal Intelligence Commission (ACIC). The IGIS already oversees six agencies within Australia’s national intelligence community (NIC): the Office of National Intelligence, the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Signals Directorate, the Australian Geospatial-Intelligence Organisation, and the Defence Intelligence Organisation. The Bill would also expand the PJCIS’s own remit, giving the committee oversight functions over ACIC. The committee believes the Bill should go further, however, recommending that it also be given oversight responsibilities for AUSTRAC and the Australian Federal Police. “The committee further considers that it is necessary to extend oversight to the specialised intelligence functions of the AFP. Accordingly, the committee considers legislation governing both the PJCIS and the IGIS should be amended to support this,” the PJCIS wrote in its report. The committee explained that the further expansion made sense because it already oversees the administration and expenditure of the intelligence agencies, while the Inspector-General, an independent statutory officer, reviews the agencies’ operational activities.
The Bill was introduced into Parliament at the end of 2020 based on recommendations from the Richardson review, which examined the effectiveness of the legislative framework which governs the NIC. The review found that the core intelligence functions performed by AUSTRAC and the ACIC were suited to specialised intelligence oversight by the IGIS.

    While the committee and the IGIS would gain new powers if the Bill becomes law, the committee noted that the additional responsibilities could stretch the resources of both bodies, and said it hoped additional funding would be allocated to address this. “Extending oversight to the NIC agencies would place a significantly higher workload onto these bodies, which could have the unintended consequence of diluting oversight rather than strengthening it,” the report said. “As the agencies themselves grow, and their work becomes more complex as technologies and methodologies change, the oversight of that work will also grow more challenging and complex. Staffing for the oversight agencies will need to be considered to ensure that it can be conducted to the standard necessary.” In a separate report also released this week, the PJCIS called for the relationship between government and the nation’s telco providers to be formalised, as it believes reliance on the current voluntary processes is now insufficient. “The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the Telecommunications Sector Security Reforms up until now, but the committee can not be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry,” the report said.

  • in

    Signal now allows you to keep messages and groups after changing phone numbers

    Signal has announced that users can now change the phone number associated with a Signal account. Previously, getting a new number meant starting again with messages and groups. The messaging service said users would retain their messages, profile information, and groups. To initiate a move, users go into account settings, choose the change phone number option, and complete a form with the old and new phone numbers. Signal warns in a support note that the change cannot be undone. The user’s contacts will see an alert stating that the user’s phone number has changed. If a Signal user no longer has access to the old number, Signal suggests the old process: delete the account to wipe the message history, register a new account with the new number, and message contacts to tell them about the new number. When someone registers with the old number, the message history should be blank, Signal said. “Your contacts will also be made aware of a safety number change if they start messaging with the old number,” Signal stated. The company said the new feature was built “using the foundation of more exciting features to come”.

    Last month, Signal founder and CEO Moxie Marlinspike announced his resignation, with WhatsApp co-founder Brian Acton becoming interim CEO. Marlinspike will remain on the Signal board.

  • in

    Washington State licensing agency reports cyber incident, data from thousands potentially exposed

    The Washington State Department of Licensing reported a cyber incident last week that may have exposed the sensitive information of more than 250,000 professionals in the state. The agency said in a statement that it “became aware of suspicious activity involving professional and occupational license data” during the week of January 24. The affected Professional Online Licensing and Regulatory Information System (POLARIS) stores information ranging from Social Security numbers, dates of birth and driver license numbers to other personally identifying information. “We immediately began investigating with the assistance of the Washington Office of Cybersecurity. As a precaution, DOL also shut down the Professional Online Licensing and Regulatory Information System (POLARIS) to protect the personal information of professional licensees. At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally,” the agency said. “If our investigation concludes that your personal information has been accessed, DOL will notify you and provide you with further assistance.” State Sen. Reuven Carlyle told The Seattle Times that he has been briefed on the issue, with the agency telling him that the Office of Cybersecurity became concerned after someone on the dark web claimed to have accessed the data. By the afternoon of January 24, the agency decided to shut down the licensing system entirely. The agency said it is working with the state’s Office of Cybersecurity to protect the licensing data and bring POLARIS back online. The department issues licenses for 39 types of businesses and professions, including cosmetology, real estate brokers, bail bondsmen, architects and more. The licenses are processed, issued and renewed in POLARIS.

    A call center has been set up for businesses trying to renew their licenses, and the agency said it will not fine companies whose renewals fall during the outage. The state Attorney General’s Office keeps a running tally of data breaches exposing information on the state’s residents; it shows that the breaches reported so far in 2022 have affected more than 21,500 Washingtonians.

  • in

    Microsoft Win32k bug added to CISA's exploited vulnerabilities list

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft Win32k privilege escalation vulnerability, CVE-2022-21882, to its Known Exploited Vulnerabilities Catalog, ordering federal civilian agencies to patch the issue by February 18. CISA said it added the vulnerability “based on evidence that threat actors are actively exploiting” it. Cybersecurity company deepwatch said in a blog post last week that proof-of-concept code has been publicly disclosed and that threat actors with limited access to a compromised device “can utilize this vulnerability to quickly elevate privileges, allowing them to spread laterally inside the network, create new administrator users, and run privileged commands.” “According to the security researcher credited with disclosing the vulnerability to Microsoft, the vulnerability has already been exploited by advanced persistent threat (APT) actors. deepwatch Threat Intel Teams assess with high confidence that threat actors are likely to use the publicly available exploit code for CVE-2022-21882 to escalate privileges on systems in which they have already initially compromised,” the deepwatch Threat Intel Team explained. “Given the vulnerability affects Windows 10, the deepwatch Threat Intel Team advises customers to install updates as soon as possible, prioritizing vulnerable internet-exposed systems.” The vulnerability has a CVSS score of 7.0 and affects Windows 10 versions 1809, 1909, 20H2, 21H1, and 21H2 as well as Windows 11; Windows Server 2019 and Windows Server 2022 are also affected. The issue was widely discussed by security researchers on Twitter, one of whom said they had discovered it two years ago; others confirmed that the exploit works.

    Regarding the just-fixed CVE-2022-21882: win32k privilege escalation vulnerability, CVE-2021-1732 patch bypass, easy to exploit, which was used by apt attacks — b2ahex (@b2ahex) January 12, 2022

    Microsoft credited RyeLv (@b2ahex) with discovering the issue and confirmed that it has been exploited. The bug is related to an earlier vulnerability, CVE-2021-1732, which Microsoft patched in February 2021. Bugcrowd founder Casey Ellis said what stood out most to him was that most of the other vulnerabilities covered in the same Microsoft release (2022-01) provide initial access to systems. “This one is useful for increasing the power of marginal initial access, after it has already been achieved. The significance of this is that it shifts the prevention focus from ‘prevent intrusion’ to ‘assume and contain intrusion’,” Ellis explained. Privilege escalation bugs are the bane of any operating system, according to BluBracket head of product Casey Bisson, who added that every successful OS vendor or community prioritises fixes for them. “OS bugs can be very serious because they affect such large numbers of systems, but that also triggers a strong and rapid response,” Bisson said. “However, application-level vulnerabilities are often riskier because they can result in similar levels of access, but lack the same attention that OS-level risks often receive.”
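    The catalog entry and its February 18 due date are the kind of data a vulnerability-management team pulls from CISA’s published KEV JSON feed to decide what gets patched first. The following Python script is an added illustration, not code from CISA, deepwatch or the article: it parses a catalog extract in the feed’s published shape and ranks scanner findings by their KEV due date, flagging anything already past it. The sample feed and the scanner findings are constructed (only the CVE-2022-21882 due date is the one the article reports; every other date is a placeholder), and the feed is embedded rather than downloaded so the script runs offline.

```python
"""Added example, not CISA's, deepwatch's or the article's code: triage a
CISA Known Exploited Vulnerabilities (KEV) catalog extract against scanner
findings, using the catalog's due dates as the patch deadline.

CISA publishes the catalog as JSON; each object in its "vulnerabilities"
array carries "cveID", "vendorProject", "product", "vulnerabilityName",
"dateAdded", "shortDescription", "requiredAction", "dueDate" and "notes".
SAMPLE_KEV_JSON is a constructed extract in that shape: the due date for
CVE-2022-21882 is the one the article reports; every other date and the
scanner findings are placeholders.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple, Union

SAMPLE_KEV_JSON = """
{
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2022-21882", "vendorProject": "Microsoft", "product": "Win32k",
     "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
     "dateAdded": "2022-02-04", "shortDescription": "Win32k privilege escalation.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-02-18", "notes": ""},
    {"cveID": "CVE-2021-1732", "vendorProject": "Microsoft", "product": "Win32k",
     "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
     "dateAdded": "2021-11-03", "shortDescription": "Placeholder dates for the earlier bug.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03", "notes": ""}
  ]
}
"""

# Constructed scanner export: host -> CVE IDs still unpatched on that host.
SAMPLE_FINDINGS: Dict[str, Set[str]] = {
    "ws-finance-01": {"CVE-2022-21882", "CVE-2021-1732"},
    "ws-hr-02": {"CVE-2022-21882"},
}


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    required_action: str


def parse_kev(feed_text: str) -> Dict[str, KevEntry]:
    """Parse a KEV JSON document into a CVE-ID -> entry map."""
    entries: Dict[str, KevEntry] = {}
    for raw in json.loads(feed_text)["vulnerabilities"]:
        entries[raw["cveID"]] = KevEntry(
            cve_id=raw["cveID"],
            vendor=raw["vendorProject"],
            product=raw["product"],
            date_added=date.fromisoformat(raw["dateAdded"]),
            due_date=date.fromisoformat(raw["dueDate"]),
            required_action=raw["requiredAction"],
        )
    return entries


# One triage row: (host, CVE ID, CISA due date, days left; negative = overdue).
Row = Tuple[str, str, date, int]


def prioritise(kev: Dict[str, KevEntry], findings: Dict[str, Set[str]],
               today: Union[date, str]) -> List[Row]:
    """Keep only findings that are in KEV, earliest CISA due date first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows: List[Row] = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave it to the normal patch cycle
            rows.append((host, cve, entry.due_date, (entry.due_date - today).days))
    rows.sort(key=lambda r: (r[2], r[0], r[1]))
    return rows


def overdue(kev: Dict[str, KevEntry], findings: Dict[str, Set[str]],
            today: Union[date, str]) -> List[Row]:
    """Rows whose CISA due date has already passed as of `today`."""
    return [r for r in prioritise(kev, findings, today) if r[3] < 0]


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_JSON)
    for host, cve, due, days in prioritise(catalog, SAMPLE_FINDINGS, "2022-02-07"):
        state = f"overdue by {-days} d" if days < 0 else f"{days} d left"
        print(f"{host:14} {cve:15} due {due} ({state})")
```

    To run it against the live catalog, replace SAMPLE_KEV_JSON with the downloaded feed text and SAMPLE_FINDINGS with a real scanner export. The due date is CISA’s deadline for federal civilian agencies; other organisations can adopt it as their own patch SLA, which is what the ranking above does.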

  • in

    IRS to end ID.me facial recognition effort after widespread backlash

    The Internal Revenue Service (IRS) announced on Monday afternoon that it will no longer be using ID.me facial recognition software, adding in a statement that it will “transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts.” The agency said the transition will take place over the coming weeks “in order to prevent larger disruptions to taxpayers during filing season.” The IRS plans to create “an additional authentication process” that does not involve any form of facial recognition and will work with other agencies on the effort. “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.” The statement comes after an avalanche of criticism directed toward the IRS from privacy activists as well as Democrats and Republicans in Congress. This morning, two separate groups of Democrats sent letters demanding an end to the IRS use of ID.me’s facial recognition, and on Friday one congressman introduced legislation that would ban the IRS from using facial recognition at all. The IRS has defended itself by arguing facial recognition was needed to deal with fraud. The Washington Post reported on Monday that IRS officials met with members of Congress on Friday and said they were looking into alternatives to ID.me that would not use facial recognition.

    This is big: The IRS has notified my office it plans to transition away from using facial recognition verification, as I requested earlier today. While this transition may take time, the administration recognizes that privacy and security are not mutually exclusive. https://t.co/jw7OR7dNo0— Ron Wyden (@RonWyden) February 7, 2022

    The IRS signed an $86 million contract with ID.me, according to the Washington Post. More than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already had their faces scanned.

    In November, the IRS announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources. To check on the status of a return, view balances and payments received, obtain a transcript, or enter into an online payment agreement, people will need to create an ID.me account and hand the private company a government ID, passport, birth certificate, W-2 form, Social Security card, a bill of some kind, or a “selfie”, among other private documents the company may ask for. Several civil rights groups, including Fight for the Future, the Algorithmic Justice League, and the Electronic Privacy Information Center, started a protest movement last week designed to stop the IRS plan. Caitlin Seeley George, campaign director at Fight for the Future, said the IRS’ plan to use facial recognition on people trying to access their tax information online “was a profound threat to everyone’s security and civil liberties.” Seeley George noted that despite the news, several other agencies still use ID.me facial recognition. The company’s facial recognition tools are already used by 27 states for their unemployment benefits systems, according to CyberScoop, while 30 states and 10 federal agencies also use the system for other government services. “We’re glad to see that grassroots activism and backlash from lawmakers and experts has forced the agency to back down. But several other Federal agencies are still using ID.me’s discriminatory and insecure software, including the Veterans Affairs Administration and Social Security Administration, as well as 30 states that use it on people trying to access unemployment benefits,” she said. “No one should be coerced into handing over their sensitive biometric information to the government in order to access essential services.
    The lawmakers who led the charge against the IRS use of this technology should immediately call for an end to other agencies’ contracts, and there should be a full investigation into the Federal government’s use of facial recognition and how it came to spend taxpayer dollars contracting with a company as shady as ID.me.”

  • in

    House Democrats join senators in urging the IRS to end ID.me facial recognition plan

    Multiple members of Congress have come out against a plan from the Internal Revenue Service (IRS) to incorporate facial recognition provider ID.me into its processes this summer. The White House continues to ignore requests for comment, but Congressman Ted Lieu, Congresswoman Anna Eshoo, Congresswoman Pramila Jayapal, and Congresswoman Yvette Clarke sent a letter to IRS Commissioner Charles Rettig on Monday demanding the agency “halt its plan to employ facial recognition technology and consult with a wide variety of stakeholders before deciding on an alternative.” 


    “Any government agency operating a face recognition technology system — or contracting with a third party — creates potential risks of privacy violations and abuse. We urge the IRS to halt this plan and consult with a wide variety of stakeholders before deciding on an alternative,” the Congress members wrote. Like the letter sent by numerous Senate Republicans last week, the House members question the new biometric requirements for accessing a wide array of vital tools the IRS provides. They note the cybersecurity ramifications of the IRS partnership with ID.me as well as the racial implications of using a flawed technology for IRS services. An ID.me spokesperson even told The Washington Post that there was “variation across demographic groups and skin color” with its facial recognition algorithm, while claiming that the variations are “incredibly small.” The House members also raised questions about the IRS process that led to ID.me being chosen, and about ID.me’s previous lies about its technology. “Furthermore, the IRS’s Privacy Impact Assessment neglects to mention ID.me is even using this technology on Americans. Given these issues, it is simply wrong to compel millions of Americans to place trust in this new protocol,” the letter said.

    On Monday morning, Senator Ron Wyden released his own letter calling for an end to the IRS plan. Wyden acknowledged the IRS goal of stopping fraud through the facial recognition effort but said it is “simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.” 

    “It is also alarming that the IRS and so many other government agencies have outsourced their core technology infrastructure to the private sector. Quite simply, the infrastructure that powers digital identity, particularly when used to access government websites, should be run by the government,” Wyden said. The senator went on to question why the IRS and other agencies were not using Login.gov instead of ID.me, adding that the federal government needs to expand that effort internally to create a product that could match faces to photos held by the Department of Motor Vehicles and the Social Security Administration. “The IRS should redouble its efforts to remind taxpayers that facial recognition scanning is not now and has never been necessary to file taxes or receive a refund, as well as educate taxpayers on ways to access other IRS services without the use of facial recognition technology,” Wyden said. “Second, as a stopgap measure, the IRS should promptly revert its decision to require use of ID.me to transact online through the IRS’ website, delay the phase out of IRS.gov accounts created prior to the implementation of ID.me and restore the ability of taxpayers to create new IRS.gov accounts, which does not use facial recognition. And finally, in the longer term, the IRS should migrate away from third-party identity verification services and utilize GSA’s government-wide Login.gov service.” Senators Roy Blunt and Jeff Merkley sent their own letter last week making many of the same requests of the IRS. In November, the IRS announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources.

    To check on the status of a return, view balances and payments received, obtain a transcript, or enter into an online payment agreement, people will need to create an ID.me account and hand the private company a government ID, passport, birth certificate, W-2 form, Social Security card, a bill of some kind, or a “selfie”, among other private documents the company may ask for. The IRS signed an $86 million contract with ID.me, according to the Washington Post. More than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already had their faces scanned. Since the IRS announced the effort in November, there has been widespread backlash within Congress and among privacy advocates, who continue to raise several issues with it. The Washington Post reported on Monday that IRS officials met with members of Congress on Friday and said they were looking into alternatives to ID.me that would not use facial recognition. ID.me is already used by 27 states for their unemployment benefits systems, according to CyberScoop, while 30 states and 10 federal agencies also use the system for other government services. Fight for the Future, the Algorithmic Justice League, EPIC, and other civil rights organizations launched a website last week, called Dump ID.me, allowing people to sign a petition against the IRS plan. According to Fox Business, Rep. Bill Huizenga introduced a bill on Friday that would ban the IRS from using any facial recognition in its processes. Caitlin Seeley George, campaign director at Fight for the Future, said the legislative response has shown that this is a bipartisan issue. “Facial recognition technology and the collection of peoples’ biometric data puts everyone in danger.
    I also think that in addition to the IRS (and other government agencies) canceling its contract with ID.me, there are a number of questions that legislators have sent to the IRS about how it landed on this tool,” Seeley George said. “It’s critical that we get answers to these questions, and hopefully use them to drive forward legislation to rein in the use of facial recognition and other biometric tools moving forward.”


  • in

    Microsoft to make enabling 'untrusted' Office macros tougher in the name of security

    Starting in early April, Microsoft plans to make it harder to enable VBA macros in files downloaded from the internet in several of its Office apps. The intent is to shut down one of the most popular delivery routes for malware. Microsoft will block, by default, VBA macros obtained from the internet in Office on devices running Windows. This affects Access, Excel, PowerPoint, Visio, and Word, according to a February 7 blog post from the Office product group. The change will begin rolling out in the Current Channel (Preview) of Office on Windows and will stop users from enabling such macros with a single click. Microsoft will then extend the change to the other Office distribution channels, such as the Monthly Enterprise and Semi-Annual Enterprise Channels, and later to the Long Term Servicing Channel builds, including Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

    UK cybersecurity expert (and former Microsoft employee) Kevin Beaumont tweeted that “this is potentially a game changer for the cybersecurity industry, and, more importantly customers,” as macros account for about 25 percent of all ransomware entry, a figure he called “deeply conservative.” When a downloaded file’s macros are blocked, a message bar will read “Security Risk: Microsoft has blocked macros from running because the source of this file is untrusted” next to a Learn More button. The Learn More button takes users to an article about the risk of attackers abusing macros, ways to prevent phishing and malware, and instructions for deliberately enabling the macros by saving the file and removing the Mark of the Web (MOTW). Windows adds the MOTW to files that arrive from an untrusted location (the internet or the Restricted Sites zone). Microsoft has also published an article with more information for IT pros and admins about the coming change in macro behaviour.
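    The message bar and the removal instructions both hinge on the Zone.Identifier alternate data stream that carries the MOTW. The following Python script is an added example, not Microsoft’s code: it parses that stream, reports whether a file’s origin zone (Internet or Restricted Sites) puts it under the new macro block, and shows the Windows-only read and removal of the stream that the “unblock” step performs. The stream contents and the example.com URLs are constructed samples; the zone numbering is the standard Windows URL security zone table.

```python
"""Added example, not Microsoft's code: read and interpret the Mark of the
Web (MOTW) that the new Office macro block keys on.

Windows records a downloaded file's origin in an NTFS alternate data stream
named "Zone.Identifier": INI-style text with a [ZoneTransfer] section whose
ZoneId is the URL security zone (0 Local Machine, 1 Local Intranet, 2 Trusted
Sites, 3 Internet, 4 Restricted Sites), plus ReferrerUrl/HostUrl on recent
Windows. Office blocks macros for the Internet and Restricted Sites zones.
The stream samples below are constructed; example.com is a placeholder.
"""
import configparser
import os
from typing import Dict, Optional

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
MOTW_BLOCKED_ZONES = {3, 4}  # zones Office treats as untrusted

# Constructed Zone.Identifier streams (Windows writes them with CRLF endings).
INTERNET_SAMPLE = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://example.com/downloads/invoice.xlsm\r\n"
)
INTRANET_SAMPLE = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(stream_text: str) -> Dict[str, object]:
    """Parse a Zone.Identifier stream; raise ValueError if it is malformed."""
    # '=' only: URLs contain ':'; interpolation off: URLs may contain '%'.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error as exc:
        raise ValueError(f"not a Zone.Identifier stream: {exc}") from exc
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    section = parser["ZoneTransfer"]  # option names are case-insensitive
    try:
        zone_id = int(section.get("ZoneId", "").strip())
    except ValueError:
        raise ValueError("missing or non-numeric ZoneId") from None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def macros_blocked_by_motw(stream_text: Optional[str]) -> bool:
    """True if a file carrying this MOTW falls under the Office macro block.

    None means the file has no Zone.Identifier stream (created locally, or
    the stream was removed), so the MOTW-based block does not apply.
    """
    if stream_text is None:
        return False
    return parse_zone_identifier(stream_text)["zone_id"] in MOTW_BLOCKED_ZONES


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the Zone.Identifier stream of `path` on NTFS, or None if absent.

    Alternate data streams are opened as "<file>:Zone.Identifier" on Windows;
    elsewhere the open fails and None is returned.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def remove_zone_identifier(path: str) -> bool:
    """Strip the MOTW (what Unblock-File does). True if a stream was removed."""
    try:
        os.remove(f"{path}:Zone.Identifier")
        return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        blocked = macros_blocked_by_motw(read_zone_identifier(target))
        print(f"{target}: {'macros blocked' if blocked else 'no MOTW block'}")
```

    Two caveats follow from the code: a file with no Zone.Identifier stream at all is treated as local, which is exactly why the “save and unblock” instructions work, and why archive formats or file systems that drop alternate data streams lose the protection; and the check is per file, so an inventory script should read the stream of every Office document rather than trusting the folder it sits in.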

  • in

    Google Cloud launches agentless cryptojacking malware scanner

    Google Cloud has announced a new security feature designed to hunt down instances of cryptojacking. On Monday, the tech giant said the public preview of Virtual Machine Threat Detection (VMTD) is now available in the Security Command Center (SCC). The SCC is a platform for detecting threats against cloud assets by scanning for security vulnerabilities and misconfigurations.

    Timothy Peacock, Product Manager at Google Cloud, said that as organizations continue to migrate to the cloud, workloads are often handled with VM-based architectures. Cloud environments are also a prime target for attackers seeking out valuable data, as well as those intending to run cryptocurrency mining malware. Cryptocurrency miners such as XMRig are legitimate programs for mining coins; in the hands of threat actors, however, they are abused and run without permission on cloud systems. In what are known as cryptojacking attacks, miners are deployed on compromised systems to steal the victim’s compute resources. Cryptocurrency including Monero (XMR) is often mined by cybercriminals in this way, with the coins sent to wallets controlled by the malware’s operators. According to Google’s latest Threat Horizons report (.PDF), out of a sample of compromised instances, 86% were used for cryptocurrency mining and 10% were used to scan for other vulnerable instances.

    To combat cryptojacking attacks against VMs running in Google Cloud, VMTD provides “agentless memory scanning” inside SCC. “Traditional endpoint security relies on deploying software agents inside a guest virtual machine to gather signals and telemetry to inform runtime threat detection,” Peacock said. “But as is the case in many other areas of infrastructure security, cloud technology offers the ability to rethink existing models.” Google’s approach is to have the hypervisor collect signals that may indicate infection. VMTD starts as a means to detect cryptocurrency mining; as it reaches general availability, the system will be integrated with other Google Cloud functions. Users can try VMTD by enabling it in SCC settings. The service is opt-in and customers can choose the scope of the scanner.