More stories


VPN deal: Save 30% on the highest-rated VPN services

StackCommerce

The world is opening up again to travel, but while you’re researching all the best travel tech you’ll need to take with you, don’t forget to grab a VPN subscription before you go. Not only will you want to stay safe on public WiFi in all those neat cafes, but you may want to pass the time in airports watching some of your favorite content from back home, and it could be restricted in your location. A good VPN is key to your security and a big help with entertainment, so take a look at some of the bargains on offer at the moment.

FastestVPN: Lifetime subscription (10 devices)

Get the utmost privacy and protection on up to 10 devices with military-grade encryption, NAT firewall, strict no-logging policy, and a kill switch. With 200 high-speed servers and unlimited bandwidth, you can access unrestricted content, and USA Netflix is supported.

For a limited time only, get FastestVPN: Lifetime Subscription (10 Devices) for $17.49 (reg. $1200) with code ANNUAL30.

Ivacy VPN: Lifetime subscription

Enjoy powerful 256-bit encryption, completely anonymous P2P file-sharing and unrestricted access to bufferless HD video, all at blazing fast speeds with over 1,000 servers in more than 100 worldwide locations. Also defeat port blocking and ISP speed throttling, and log in on up to five devices simultaneously.

For a limited time only, get Ivacy VPN: Lifetime Subscription for $27.99 (reg. $1194) with code ANNUAL30.

SurfShark VPN: Two-year subscription

This is the only VPN that allows you to connect an unlimited number of devices simultaneously, as well as use unlimited data and unlimited bandwidth. You also get ultimate protection and privacy with military-grade encryption, IPv6 leak protection, zero-knowledge DNS and a kill switch. Over 1,200 torrent-friendly servers let you bypass geo-restrictions to enjoy unrestricted content.

For a limited time only, get SurfShark VPN: 2-Yr Subscription for $39.89 (reg. $290) with code ANNUAL30.

BulletVPN: Lifetime subscription

Enjoy an enhanced browsing, content viewing, and gaming experience thanks to the premium grade carrier lines that provide the fastest possible speed on hundreds of highly encrypted servers. Unblock the top video sites such as Netflix, Amazon Prime Video, Hulu, BBC iPlayer and more.

For a limited time only, get BulletVPN: Lifetime Subscription for $27.29 (reg. $540) with code ANNUAL30.

Disconnect VPN Premium: Lifetime subscription

Keep your data safe while increasing the speed of your internet connection. Block tracking and mask your location to access geo-restricted content. This is the New York Times anti-tracking tool of choice.

Get Disconnect VPN Premium: Lifetime Subscription for $13.99 (reg. $300) with code ANNUAL30.

SlickVPN: Lifetime subscription

With more than 125 gateways located in over 45 countries, SlickVPN uses connections with bank-grade 256-bit encryption to mask your traffic from everyone and provides HYDRA protection to keep you safe no matter where you are. Yet you will still enjoy unthrottled speed while accessing your favorite content without geo-restrictions.

For a limited time only, get SlickVPN: Lifetime Subscription for $13.99 (reg. $1200) with code ANNUAL30.

KeepSolid VPN Unlimited: Lifetime subscription

Get ultimate privacy and protection with military-grade AES 256-bit encryption and a zero-log policy, with 24/7 customer support and no limits on speed or bandwidth. Enjoy the convenience of over 400 servers in more than 80 locations across the globe, as well as features such as Favorite Servers, Trusted Networks and more.

For a limited time only, get KeepSolid VPN Unlimited: Lifetime Subscription for $27.99 (reg. $199) with code ANNUAL30.

VPN.asia: 10-year subscription

Using high-strength 256-bit encryption, VPN.asia protects your data and hides your location while running in the background, so it won’t slow down your internet connection. Best of all, it can easily be used on a wide variety of devices, including Amazon Firestick, Android TV and much more.

For a limited time only, get VPN.asia: 10-Year Subscription for $55.99 (reg. $290) with code ANNUAL30.

NordVPN: Two-year subscription + $10 store credit

This is the service that was rated a perfect 5 out of 5 stars by PCMag, CNET and TrustPilot. It offers bulletproof security with double encryption (double data SSL-based 2048-bit encryption), a strict zero-logs policy and an automatic kill switch. And you can still enjoy unrestricted instant high-speed access to your favorite content.

For a limited time only, get NordVPN 2-Yr Subscription + $10 Store Credit for $62.30 (reg. $286) with code ANNUAL30.

Private Internet Access VPN: Two-year subscription + $15 store credit

Get access to more than 10,000 servers in over 70 countries and enjoy unlimited bandwidth at lightning-fast speeds on up to 10 devices simultaneously. Your privacy is secured by the no-logging policy, and powerful encryption provided by the Blowfish CBC algorithm protects your data.

For a limited time only, get Private Internet Access VPN 2-Yr Subscription + $15 Store Credit for $48.97 (reg. $268) with code ANNUAL30.



Microsoft warns: These attackers can go from first contact to launching ransomware in just 48 hours

Microsoft is warning that the BazarCall (or BazaCall) call center malware operation is more dangerous than first thought, with initial attacks potentially leading to ransomware attacks within 48 hours.

The group had been targeting Office 365/Microsoft 365 customers with phishing email about bogus ‘expiring’ trial subscriptions that dupe the target into calling a call center to chat with an operator, who then tries to trick the victim into installing the BazaCall backdoor. The Microsoft 365 Defender Threat Intelligence Team spotlighted the group in June, as ZDNet reported at the time, and in a new post it outlines how the threat is more dangerous than previously reported, allowing the attackers to distribute ransomware or steal data within 48 hours of infection.

“Apart from having backdoor capabilities, the BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user’s device, which allows for a fast network compromise,” the Microsoft team says. “In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.”

The BazaCall group has apparently teamed up with the group behind the Ryuk ransomware, which has made about $150 million in Bitcoin from its attacks.

A few notable differences in the BazaCall group’s tactics are that they don’t use phishing links or send malicious attachments, which helps them avoid classic detection systems. The technique is closer to that of call center fraudsters, and victims are connected to a human operator.

“Hands-on-keyboard control further makes this threat more dangerous and more evasive than traditional, automated malware attacks,” Microsoft warns.

The call center and email outreach parts of the operation seem reasonably well organized. While subject lines in emails are repeated, each email is tagged with a unique alphanumeric string, creating a user ID or transaction code, in order to identify the victim across multiple calls. The initial call center operator discusses the expiring subscription and then recommends the victim visit a faked website where they can supposedly cancel the subscription to avoid future monthly fees.

Microsoft has provided additional details regarding the group’s use of malicious macros in Excel files to download the Cobalt Strike penetration testing kit and gain ‘hands-on-keyboard’ control of a victim’s machine, along with the ability to search a network for admin and domain administrator account info to exfiltrate data or deploy Ryuk or Conti, a related ransomware. The agent instructs the victim to navigate to the account page and cancel the subscription by downloading a file, which turns out to be a macro-enabled Excel document. The call center agent then instructs the victim to enable content on Microsoft’s default warning in Excel that macros have been disabled. The group is, according to Microsoft’s description, using relatively sophisticated ‘living-off-the-land’ techniques (misusing legitimate software tools) for nefarious network activity.

If the attacker finds a high-value target, they use 7-Zip to archive intellectual property — such as information about security operations, finance and budgeting — for exfiltration. In cases where ransomware was deployed after compromise, the attacker used high-privilege compromised accounts with Cobalt Strike’s PsExec functionality to distribute Ryuk or Conti ransomware on network devices, according to Microsoft.
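The BazaCall chain described above begins with a macro-enabled Excel file whose macro launches the downloader, so one of the simplest host-side detections is a parent/child check on process-creation telemetry: an Office host spawning a script interpreter or other living-off-the-land binary. The following is an added example, not Microsoft's code or anything from the report; the `key=value` log format, the field names and the sample records are constructed for this illustration, and the set of suspicious child processes is this editor's choice rather than a list the article gives.

```python
"""Flag Office-spawned script interpreters in process-creation telemetry.

Added illustration for the BazaCall write-up (not Microsoft's code).
The record format and sample events are constructed; real EDR or Sysmon
fields will differ, but the parent/child logic carries over.
"""
import re
from dataclasses import dataclass

# Office hosts that rarely have a legitimate reason to spawn these children.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

# key=value pairs; values are either "double quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed process-creation record into a ProcEvent."""
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(line)}
    return ProcEvent(fields["ts"], fields["host"], fields["user"],
                     fields["parent_image"], fields["image"], fields["cmdline"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_child_alerts(lines):
    """Return (host, user, parent, child, cmdline) for every Office process
    that spawned a script interpreter or LOLBin; benign events are skipped."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append((ev.host, ev.user, parent, child, ev.cmdline))
    return alerts


# Constructed sample telemetry: three benign events and one Excel -> PowerShell launch.
SAMPLE_LOG = r'''
ts=2021-07-29T09:12:01Z host=WS-042 user=CORP\jdoe parent_image="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" cmdline="EXCEL.EXE C:\Users\jdoe\Downloads\cancel_subscription.xlsm"
ts=2021-07-29T09:12:44Z host=WS-042 user=CORP\jdoe parent_image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -nop -w hidden -File C:\Users\jdoe\AppData\Local\Temp\update.ps1"
ts=2021-07-29T09:13:10Z host=WS-042 user=CORP\jdoe parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"
ts=2021-07-29T09:14:02Z host=WS-017 user=CORP\svc_build parent_image="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -File build.ps1"
'''

if __name__ == "__main__":
    for alert in office_child_alerts(SAMPLE_LOG.splitlines()):
        print("ALERT office child process:", alert)
```

The rule deliberately ignores the fourth record (a PowerShell launched from `cmd.exe` by a build account) because the signal here is the Office parent, not PowerShell itself; in a real deployment the child list is tuned per environment and the alert would be enriched with the macro file path seen in the parent's command line.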


New Aussie legislation to target use of personal information by social media

Image: Getty Images/iStockphoto

The Attorney-General’s Department (AGD) has been conducting a review of Australia’s 33-year-old Privacy Act, considering, among other things, the current definition of personal information.

The department in October released an issues paper for public consultation. AGD transparency and criminal law branch assistant secretary Autumn Field said about 200 submissions to the consultation were received and that the department was in the process of finalising a discussion paper, which is set to be released for public consultation in the coming weeks.

“That discussion paper will talk about the kinds of themes that we picked up from the submissions, and will also raise some possible options for reforming the Privacy Act. And the ideas that will be put forward are basically the ones that we feel warrant some further public discussion,” she told the Select Committee on Foreign Interference Through Social Media on Friday.

“After we’ve publicly consulted on that discussion paper, we’ll review all of its submissions, and formulate a final report for government’s consideration.”

The review was meant to occur last year, but as previously claimed, COVID is to blame for the delay.

In addition to work on reforming the Privacy Act 1988, Field said AGD was also working on a further legislative instrument targeted at social media companies operating in Australia.

“In addition to the Privacy Act review, we are also separately working on exposure draft legislation that will specifically target social media companies and certain other online platforms with similar themes in terms of ensuring that there’s greater transparency about how personal information is being used, and how consent is obtained, particularly for young people,” she told the committee.

“We’re in the process of finalising that legislation at the moment, and that will also be released for public discussion as well.”

Field was asked if the amount of legislation in the works surrounding social media and other technology companies highlighted the “extraordinary power that needs to be addressed by regulation and accountability”.

“In terms of the review of the Privacy Act, it’s really a process of making sure that the current settings are appropriately calibrated, and that there is the correct balance between protecting individuals’ personal information, and still ensuring that we can operate in a very digital economy,” she said in response. “The purpose of the review is to flush out those issues and to work out how the Privacy Act could be improved.”

Earlier this year, Facebook, Google, Microsoft, Redbubble, TikTok, and Twitter committed to the Australian Code of Practice on Disinformation and Misinformation, a voluntary code the signatories have vowed to follow on their respective platforms.

Appearing alongside Field was Pauline Sullivan, first assistant secretary of the Department of Infrastructure, Transport, Regional Development and Communications. Sullivan was asked why the government agreed to a voluntary code that was developed by the social media companies. She told the committee the platforms worked in a timely fashion to get a code in place and have provided transparency reports on time. Sullivan said advice has been provided to the minister for further consideration.


Google claims no instances of foreign interference campaigns targeting Australia

Image: Getty Images/iStockphoto

Representatives from Google have told an Australian Parliamentary committee looking into foreign interference that the country has not been the target of coordinated influence campaigns.

“We’ve not seen the sort of foreign coordinated foreign influence campaigns targeted at Australia that we have with other jurisdictions, including the United States,” Google director of law enforcement and information security Richard Salgado said.

“Some of the disinformation campaigns that originate outside Australia, even if not targeting Australia, may affect Australia as collateral … but not as a target of the campaign.

“We have found no instances of foreign coordinated influence campaigns targeting Australia.”

While acknowledging that campaigns that reach Australia do exist, he reiterated they have not specifically targeted Australia.

“Some of these campaigns are broad enough that the disinformation could be, sort of, divisive in any jurisdiction in which it is consumed, even if it’s not targeting that jurisdiction,” Salgado told the Select Committee on Foreign Interference Through Social Media.

“Google services, YouTube in particular, which is where we have seen most of these kinds of campaigns run, isn’t really very well designed for the purpose of targeting groups to create the division that some of the other platforms have suffered, so it isn’t actually all that surprising that we haven’t seen this on our services.”

Appearing alongside Salgado on Friday was Google Australia and New Zealand director of government affairs and public policy Lucinda Longcroft, who told the committee her organisation has been in close contact with the Australian government as it looks to prevent disinformation from emerging in the lead-up to the next federal election.

Additionally, the pair said that Google undertakes a “constant tuning” of the artificial intelligence and machine learning tech it uses. It also constantly adjusts policies and strategies to avoid moments of surprise, where Google could find itself unable to handle a shift in attacker strategy or in the volume of attacks.

No money made from your GPay transactions

Appearing earlier in the week before the Parliamentary Joint Committee on Corporations and Financial Services, Google VP of product membership and partnerships Diana Layfield said her company does not monetise data from Google Pay in Australia.

“I suppose you could argue that there are non-transaction data aspects — so people’s personal profile information,” she added. “If you sign up for an app, you have to have a Google account. So, by and large, we would have that personal profile information; we may have slightly more generalised data about a user from their signing up for Google Pay, but we do not monetise transaction data or payments data from within the app in Australia.”

The committee questioned Layfield’s claims, citing as one example remarks from the Reserve Bank of Australia that, because Google’s business model is about collecting data rather than transaction fees, it does not charge for Google Pay.

“One narrow version of ‘monetise’ is that you take the transaction data and sell it. You say you don’t do that. But another way of understanding it may be that that transaction data goes into the general pool of understanding the customer and their preferences, being able to give them a psychographic profile and monetising that profile, which is a well-known aspect of your business model,” Labor MP Julian Hill asked.

“I buy a pair of shoes online, you’re not going to tell anyone else about the shoes that I buy, but it may go into my profile that you then may monetise elsewhere.”

Layfield said that while that would be true for Google’s other products, it was not the case for Google Pay.

“In the case of Google Pay, if you were to make a payments transaction and you were to buy a pair of shoes, that transaction data that might give us that information does not leave the Google Pay environment. We don’t use transaction data for ads, for example,” she explained. “Our ads monetisation, which is, as you say, our primary monetisation route, does not receive that data from Google Pay.”

She said the transaction data, such as address, name, and profile data, is used both for fraud purposes and for the purposes of updating a user’s overall Google account.


Disinformation for hire: PR firms are the new battleground for Facebook

Image: Kon Karampelas

Facebook global head of security policy Nathaniel Gleicher has detailed the new disinformation paradigm his platform is battling, with an influx of adversaries using public relations or marketing firms to do their bidding.

Gleicher told the Select Committee on Foreign Interference Through Social Media that, last October, Facebook removed a network that was linked to marketing firms based in the UAE, Nigeria, and Egypt. The network targeted public debate around the world, primarily in the Middle East and Africa, but with some focus on Australia.

“[There is] an increasing use of marketing firms or PR agencies that are essentially running disinfo-for-hire businesses: You hire them and they run your disinformation campaign,” he said on Friday morning. “We’ve seen these around the world, we’ve seen a couple of them as far back as 2018 … but we’ve seen more use of them lately.”

Gleicher said Facebook has seen this approach play out in two ways. The first involves actors that otherwise wouldn’t have the resources or the skills to run an influence operation hiring a firm to do it for them. “We’ve seen smaller local campaigns, for example, not long ago in the Mexican election, a number of operations linked to smaller and local campaigns run by these firms,” he said.

The second, he said, is more sophisticated threat actors using PR firms as a way to launder their identity. “When we investigate a CIB operation, our teams work to understand who’s behind it. We can’t always identify who’s behind it, obviously, that can be challenging, but we have a number of tools to use to expose, for instance, a government is running it or an actor is behind it,” he explained.

“But if a government or a bad actor hires a PR firm, they pay them not on Facebook, and they don’t communicate with them on our platforms. We may be able to track it back to the PR firm, but we won’t be able to make the connection to the actor behind it.”

He said the late 2019 operation that targeted Australia had links to three separate marketing firms. “I think we should expect more actors to use PR firms and other intermediaries to hide their identity,” he added.

Discussing coordinated inauthentic behaviour (CIB) targeting Australia, Gleicher said Facebook has seen three other instances, in addition to the disinformation-for-hire campaigns.

In August last year, Facebook was used by an operation that acted primarily in English and Chinese and targeted a number of countries, including Australia, engaging with users on a range of topics such as COVID-19.

Another occurred in March 2019, with Gleicher saying there was an operation that appeared to be financially motivated, originating from Macedonia and Kosovo and targeting users around the world, including Australia. The final CIB instance was a domestic operation in March 2019. “That was linked to some local political actors in New South Wales,” Gleicher said.

Elsewhere, Gleicher said another CIB technique Facebook has seen being used increasingly, particularly by actors linked to Russia and Iran, is getting groups to directly reach out to reporters and try to trick them into writing stories for them.

“The idea being, of course, if you can get a reporter to write your false narrative, you already get a whole bunch of public awareness,” he said. “And we’ve seen this be successful in the United States.”

He said there have also been instances of people being tricked into working for one of these campaigns. “We’ve seen Russian actors run false media organisations … and they hired local reporters or freelancers who didn’t know any better to write for them, trying to make the voices appear more authentic, trying to have more impact,” he added.


Hikvision records 40% net profit uplift for 1H21 despite COVID-19 and political conflict

Chinese video surveillance manufacturer Hikvision has reported it generated 6.48 billion yuan in total profit for the first half of the 2021 financial year, a 40% increase from last year’s 4.62 billion yuan.

For the period to 30 June, the company also experienced a near 40% year-on-year uplift in operating income, which came in just shy of 34 billion yuan. Of the total, sales of products and services accounted for more than 80%, or 28 billion yuan, an increase from last year’s 21.5 billion yuan. The rest was made up of its smart home and robotics businesses, as well as “other innovative” businesses, made up of a number of subsidiaries including EZVIZ, HikRobot, HikAuto, HikMicro, HikStorage, HikImaging, HikFire, HikRayin, and their related businesses or products.

“With solid accumulation of algorithm and strong hardware and software development capabilities, Hikrobot focused on mobile robot and machine vision business, and continued to help the development of global intelligent manufacturing,” Hikvision said.

“Other innovative businesses continued to develop rapidly and gradually opening up new opportunities. The innovative businesses, as a whole, accounted for 16.46% of the company’s revenue in the first half year of 2021 and is gradually becoming a new driving force for the company’s further development.”

The company’s revenue in overseas markets amounted to 9.47 billion yuan, a 25.5% increase year-on-year. During the half-year, Hikvision said it continued to expand its investment in R&D, investing a total of 3.88 billion yuan, which accounted for just over 11% of total operating income.

“In terms of hardware, the company continued to strengthen its dominant position in the field of video products, and actively implemented intellectualised upgrade of non-video products,” the company said.

“In terms of software, the company continued to build its supporting capacities for large system software so as to support the rapid development and iteration of industry applications. Hikvision continues to improve its technology system with IoT perception, artificial intelligence, and big data as the core, and its comprehensive competitiveness is further enhanced.”

The company also said R&D remained a priority because of the challenges it faced arising from the COVID-19 pandemic and political conflict. Hikvision is among a collection of Chinese companies that have been blacklisted from trading in the United States for its alleged involvement in the repression of Uyghur Muslims and other predominantly Muslim ethnic minorities residing in China.

“In the first half year of 2021, some countries and regions continued to suffer periodical economic stagnation and recession as the outbreak of COVID-19 epidemic was not effectively controlled. At the same time, the US government continued to put pressure on Chinese science-and-technology enterprises, which further affected global supply chains and market conditions,” the company said.

“In the face of the conflicts and changes in the global environment, the company has always taken technological innovation as the most important means for its survival and development, and has continued to promote its sound development.”

The company further added that, in a bid to adhere to its own so-called business philosophy of “professionalism, integrity, and honesty”, it has been making shifts to improve its internal compliance system.

“Facing external pressure, the company has strengthened its cost control and optimisation efforts and strived to improve its internal operation. Meanwhile, the company continues to promote the construction of a global compliance system to further drive internationalisation of the company’s governance system and control level, and to ensure a healthy and sustainable business development,” it said.


    Cisco researchers spotlight Solarmarker malware

    Andrew Windsor and Chris Neal, researchers with Cisco Talos, have seen new activity from Solarmarker, a .NET-based information stealer and keylogger that they called “highly modular.”The researchers explained that the Solarmarker campaign is being conducted by “fairly sophisticated” actors focusing their energy on credential and residual information theft. Other clues, like the targeted language component of the keylogger, indicate that the cyberattacker has an interest in European organizations or cannot afford to process text in any languages other than Russian, German and English. “Regardless, they are not particular or overly careful as to which victims are infected with their malware. During this recent surge in the campaign, Talos observed the health care, education, and municipal governments verticals being targeted the most often,” the report said. “These sectors were followed by a smaller grouping of manufacturing organizations, along with a few individual organizations in religious institutions, financial services and construction/engineering. Despite what appears to be a concentration of victimology among a few verticals, we assess with moderate confidence that this campaign is not targeting any specific industries, at least not intentionally.” The report added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results, potentially skewing “what types of organizations are likely to come across the malicious files depending on what is topically popular at the time.”Talos researchers warned organizations to look out for the malware because the modules observed show that victims are vulnerable to “having sensitive information stolen, not only from their individual employees’ browser usage, such as if they enter their credit card number or other personal information, but also those critical to the security of the organization, particularly credentials.”

    Cisco noted that the malware was previously used alongside “d.m,” but is now being used with the “Mars,” staging module. Researchers also discovered another module, previously unreported, that they named “Uranus.””Talos is actively tracking a malware campaign with the Solarmarker information-stealer dating back to September 2020, the report said. “Some DNS telemetry and related activity even point back to April 2020. At the time, we discovered three primary DLL components and multiple variants utilizing similar behavior.”According to the study, the attackers typically inject a stager on the victim host for command and control communications and further malicious actions before a second component called “Jupyter,” was observed being injected by the stager.When Cisco analysts examined the DLL module, named “Jupyter,” they found that it is able to steal personal information, credentials, and form submission values from the victim’s Firefox and Chrome installation and user directories.The module uses HTTP POST requests to send information to its C2 server. The attackers used a variety of measures — like including the “CurrentUser” flag for the data protection scope argument in the “Unprotect” method call — to complicate attempts to decrypt or analyze the raw data going between the victim and the C2 server.”The Jupyter information stealer is Solarmarker’s second most-dropped module. During the execution of many of the Solarmarker samples, we observed the C2 sending an additional PS1 payload to the victim host,” the report said. “Responses from the C2 are encoded in the same manner as the JSON object containing the victim’s system information. After reversing the base64 and XOR encoding, it writes this byte stream to a PS1 file on disk, runs it, and subsequently deletes the file. 
This new PowerShell script contains a base64-encoded .NET DLL, which was also injected through .NET’s reflective assembly loading.”

The analysts observed that the stager has browser form and other information-stealing capabilities. The attackers also use a keylogger called “Uran” that was discovered in older campaigns.

“The staging component of Solarmarker serves as the central execution hub, facilitating initial communications with the C2 servers and enabling other malicious modules to be dropped onto the victim host,” the report explained. “Within our observed data, the stager is deployed as a .NET assembly named ‘d’ and a single executing class named ‘m’ (referred to jointly in this analysis as ‘d.m’). The malware extracts a number of files to the victim host’s ‘AppData\Local\Temp’ directory on execution, including a TMP file with the same name as the original downloaded file, and a PowerShell script file (PS1), from which the rest of the execution chain spawns.”

The malware gets its name from the file write of “AppData\Roaming\solarmarker.dat,” which the report said serves as a victim host identification tag.

The investigation led researchers to a “previously unreported second potential payload,” named “Uranus,” which they say is derived from the file “Uran.PS1” hosted on Solarmarker’s infrastructure at “on-offtrack[.]biz/get/uran.ps1.” The keylogger uses a variety of .NET runtime APIs to capture the user’s keystrokes and relevant metadata.

“For example, it will look for available input languages and keyboard layouts installed on the victim host and attach their two letter ISO codes as additional attributes to the keylogging data collected. Interestingly, in this case, the actor checks specifically for German and Russian character sets, before defaulting to an English label,” the report said. “Extraction is set to occur every 10,000 seconds using a thread sleep call to delay Uranus’ event loop. This module also uses HTTP POST requests as its primary method of communications with Solarmarker’s C2 infrastructure.”

The researchers noted that the general execution flow of Solarmarker has not changed much between variants, and that its end goal in most cases is to install a backdoor. Talos researchers said that around the end of May they began noticing “surges of new Solarmarker activity” in their telemetry.

The latest version features a tweaked download method for the initial parent dropper as well as a new staging component called “Mars.”

“During our research on earlier campaign activity, Talos initially believed that victims were downloading Solarmarker’s parent malicious PE files through generic-looking, fake file-sharing pages hosted across free site services, but many of the dummy accounts had become inactive between the time we found the filenames used by Solarmarker’s droppers in our telemetry and attempting to find their download URLs,” Cisco researchers wrote.

“This method of delivery was later corroborated by third-party malware analysts in their own reporting on Solarmarker. For example, we saw several download pages being hosted under suspicious accounts on Google Sites. These links direct the victim to a page offering the ability to download the file as either a PDF or Microsoft Word file. Following the download link sends the victim through multiple redirects across varying domains before landing on a final download page. This general methodology hasn’t changed, many of the parent file names found in our telemetry can be found on suspicious web pages hosted on Google Sites, although the actor has changed their final lure pages a bit.”

The attackers made significant improvements to the final download page in an effort to make it look more legitimate. The latest version also includes a decoy program, PDFSam, which is “executed in tandem with the rest of Solarmarker’s initialization to act as misdirection for the victim by attempting to look like a legitimate document.”

While there is some evidence in the report that Russian speakers created Solarmarker, the researchers said there is not enough evidence to assign high confidence to the attribution. The report suggests organizations educate users on the perils of downloading risky files, along with a host of other measures designed to limit or block Solarmarker’s numerous scripts from executing.

“We expect the actor behind Solarmarker to continue to refine their malware and tools, as well as alternate their C2 infrastructure, in order to prolong their campaign for the foreseeable future,” the report added.
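The file, loader and network behaviours quoted from the report above lend themselves to a simple host-and-proxy hunt. The following Python is an added example, not code from Cisco Talos or from this article: it runs a handful of indicator checks over constructed telemetry (Sysmon-style file-create events, PowerShell script block text and proxy requests) and rates each host by how many distinct Solarmarker behaviours it shows. The event structure, hostnames, file names and sample events are invented for illustration; the AppData paths, the base64 reflective-load idiom and the on-offtrack[.]biz domain are the ones the report names.

```python
# Added example (not Talos or ZDNet code): hunt constructed Windows telemetry
# for the Solarmarker behaviours described in the report. Event shape, hosts,
# file names and all sample events below are invented for illustration.
import re
from dataclasses import dataclass

# Paths and behaviours named in the report. The base64 reflective load is a
# generic PowerShell idiom also used by legitimate tooling, so on its own it
# is only a weak signal; it is scored in combination with the others.
HOST_TAG_RE = re.compile(r"\\AppData\\Roaming\\solarmarker\.dat$", re.IGNORECASE)
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\([^\\]+)\.(ps1|tmp)$", re.IGNORECASE)
REFLECTIVE_LOAD_RE = re.compile(
    r"\[System\.Reflection\.Assembly\]::Load\s*\(\s*\[(?:System\.)?Convert\]::FromBase64String",
    re.IGNORECASE,
)
KNOWN_INFRA_RE = re.compile(r"^https?://(?:[^/]*\.)?on-offtrack\.biz/", re.IGNORECASE)


@dataclass
class Event:
    host: str
    kind: str    # "filecreate", "scriptblock" or "web" (assumed normalised feed)
    detail: str  # target path, script block text, or "METHOD url"


def indicators(ev):
    """Map one event to the indicator names it matches (empty list if none)."""
    hits = []
    if ev.kind == "filecreate":
        if HOST_TAG_RE.search(ev.detail):
            hits.append("host_tag_solarmarker_dat")
        m = TEMP_DROP_RE.search(ev.detail)
        if m:
            # Keep extension and base name so TMP/PS1 pairs can be matched later.
            hits.append(f"temp_drop:{m.group(2).lower()}:{m.group(1).lower()}")
    elif ev.kind == "scriptblock":
        if REFLECTIVE_LOAD_RE.search(ev.detail):
            hits.append("reflective_load_base64_assembly")
    elif ev.kind == "web":
        _method, _, url = ev.detail.partition(" ")
        if KNOWN_INFRA_RE.search(url):
            hits.append("request_to_known_infra")
    return hits


def rate(n):
    """Rough triage rating from the number of distinct indicators on a host."""
    if n >= 3:
        return "high"
    if n == 2:
        return "medium"
    return "low" if n == 1 else "none"


def hunt(events):
    """Per host: (rating, sorted indicator names).

    A TMP and a PS1 dropped in Temp with the same base name collapse into one
    stager-style indicator, "temp_drop_pair"; a lone temp file is ignored,
    since installers write those all the time."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(indicators(ev))
    result = {}
    for host, hits in per_host.items():
        tmp_stems = {h.split(":")[2] for h in hits if h.startswith("temp_drop:tmp:")}
        ps1_stems = {h.split(":")[2] for h in hits if h.startswith("temp_drop:ps1:")}
        final = {h for h in hits if not h.startswith("temp_drop:")}
        if tmp_stems & ps1_stems:
            final.add("temp_drop_pair")
        result[host] = (rate(len(final)), sorted(final))
    return result


# Constructed sample telemetry (not real victim data).
SAMPLE = [
    Event("ws01", "filecreate", r"C:\Users\alice\AppData\Local\Temp\Invoice_2021.tmp"),
    Event("ws01", "filecreate", r"C:\Users\alice\AppData\Local\Temp\Invoice_2021.ps1"),
    Event("ws01", "scriptblock",
          "$b='TVqQAAMAAAAEAAAA';"  # truncated, made-up base64 stand-in
          "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))"
          ".EntryPoint.Invoke($null,$null)"),
    Event("ws01", "filecreate", r"C:\Users\alice\AppData\Roaming\solarmarker.dat"),
    Event("ws01", "web", "GET http://on-offtrack.biz/get/uran.ps1"),
    Event("ws02", "filecreate", r"C:\Users\bob\AppData\Local\Temp\setup.tmp"),  # benign
    Event("ws02", "web", "GET https://example.com/report.pdf"),
]

if __name__ == "__main__":
    for host, (rating, hits) in hunt(SAMPLE).items():
        print(host, rating, hits)
```

The pairing check keys on the report’s statement that the TMP file in Temp carries the same name as the downloaded lure, which is what separates a stager drop from the ordinary clutter of that directory. In a real deployment the indicator names would feed a SIEM rule and the domain check would be swapped for a current infrastructure list, since the report itself expects the actor to rotate C2.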

Home Affairs asks for a rush on Critical Infrastructure Bill to allow ASD to act lawfully

Department of Home Affairs Secretary Mike Pezzullo
Screenshot: Asha Barbaschow/ZDNet

The Department of Home Affairs has requested a rush for the passage of the country’s looming critical infrastructure Bill, saying the sector-specific rules could be nutted out following Royal Assent.

Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that Home Affairs claims would aid providers in dealing with threats.

It would also introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements.

The sector-by-sector PSO rules are yet to be written, but Home Affairs secretary Mike Pezzullo said these could come after the Bill becomes law. He called for the law to be passed first, saying there was an urgent need for the assistance powers to allow the Australian Signals Directorate (ASD) to act lawfully and assist entities struck by a cyber attack.

“Those [are] measures that, frankly, I’d prefer to have on the statute books tonight,” Pezzullo told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Thursday.

“The government assistance measures are the ones that … certainly keep me awake at night, the inability — with all of the powers and capabilities that the ASD, as well as the reach that they have into our military information warfare capability, cannot by law be deployed onto our networks, right as we speak, right now — that is the pressing urgency.

“What I urge this committee to give clear and direct consideration to is the ability of Australia’s premier information operations agency, the Australian Signals Directorate, to be able to, in an emergency, render a more effective incident response than any company possibly could.”

Senators raised concern that the minister would be given the power to determine the rules, rather than the Parliament. Pezzullo said every Act of Parliament designates a decision maker, and in this instance it was the Minister for Home Affairs.

He argued that the minister has to make their determination against thresholds and definitions laid out in legislation, and made the case that it would be a gruelling process if each rule had to come back to the Parliament.

“Would it be timely to have votes of the Parliament … in the instance where perhaps an obligation has to be moved quickly?” he asked.

Refuting the suggestion that the Bill was “half-baked”, Pezzullo also noted the rules were being shaped in a co-designed fashion. Consultation on the rules is already underway, with the department moving forward as if the law had already passed. Pezzullo said each designated sector was unlikely to have its respective rules finalised at the same time. Part of the issue, Pezzullo said, was the engagement from the other side.

“We’re in sort of a circular paradox until we understand what our legal obligations [are] going to be,” he said. “And not unreasonably, these are big companies that have got boards, they’ve got duties under corporations and other law … so we can turn up to meetings and we can say, ‘here is a draft rule, we’d like your comments’ and typically, the tracked changes come back not from the technicians but from the lawyers.

“That’s entirely understandable … but what I’m saying is that for so long, as you’ve got that spiral of ‘we’re not quite sure’ and the government saying ‘yes, but we’d like your technical view’, arguably, the rules will never be satisfactory because at some point, you’ve got to say, ‘pens down, exam over’.”

Without the Bill itself, however, the co-design process would carry no legislative direction. Taking that into consideration, Pezzullo argued that the department’s inability to answer specific questions from a specific sector does not take away the need for either the Bill to pass or the rules to be set.

Many submitters to the PJCIS have cautioned that the Bill would duplicate existing legislative directions, such as those in telecommunications, health, and banking.

“The Department of Home Affairs is the regulator under the Telecommunications Act, of the TSSR Scheme, in fact, it’s on my pen … I happen to be that officer, and I can tell you, the TSSR is inadequate for this purpose, I can absolutely assure you because we are the regulator,” he said.

“If someone can assure me that whoever regulates those pharmacy agreements has got access to top secret code word information, that has got a deep understanding of the threat environment, and knows what defensive capabilities can be further mounted through ASD auspices, then I might come to a different view.”

He said he would advise against the primary legislation capturing the level of specificity that would be required in the rules for each sector — not because Home Affairs wanted to make them up as it went along, nor because it does not understand each sector.

“We have a strongly advanced view that we put respectfully to this committee about the relative balance that should be struck as to what’s in the primary legislation, and what should be available in the rulemaking process,” he reiterated.

The likes of Amazon Web Services, Microsoft, Google, and Atlassian have all weighed in on the looming Bill, with the latter two companies telling the PJCIS last month that they did not need assistance from the Australian government and that the installation of software would do more harm than good.

“The maturity and sophistication of the companies that we have heard from, my sort of immediate response is, well, I would hope not. That’s exactly what we hope their position is that they don’t need us to help them defend their networks,” ASD Director-General Rachel Noble told the PJCIS.

“Our preferential experience is that we would only install software, which happens at the moment with entities who work with us collaboratively when that entity doesn’t have the capability to provide the technical telemetry or system information, in order to assist them with an incident response.

“This sort of idea that ASD is going to run around and put software willy-nilly is a bit of a caricature. Our operational preference is that they can provide that to us without that needing to occur, and in many instances, it absolutely does.”

Pezzullo said the government’s first preference was working collaboratively and in partnership with the entity.

“However, the risks to Australia’s national interests, in the view of the government, are too great to not have a clear, established framework in place ahead of an incident to operate as a last resort in a national emergency, should an entity be unwilling or unable to do what is necessary,” he said.