More stories

    AI bias and discrimination aplenty: Australian Greens want Online Safety Bill repealed

    Australian Greens co-deputy leader Senator Nick McKim has told the Senate his party wants the pending Online Safety Act withdrawn, asking for it to be re-drafted to take into account a number of concerns that were raised but not addressed during the Bill’s short consultation and scrutiny period.

    Among other things, the Online Safety Bill 2021 extends the eSafety Commissioner’s cyber takedown function to adults, giving the power to issue takedown notices directly to the services hosting the content and to the end users responsible for the abusive content. The Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021, meanwhile, repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.

    McKim, like many others, said the government has been “ramming these Bills through this Parliament without adequate consideration and without adequate scrutiny”.

    The Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the 400-something submissions to the consultation were published. It was handed to a Senate committee on February 25 and, after holding one public hearing, the committee scrutinising its contents handed down its report.

    The government, McKim added, then sought to have the Bills “quickly and quietly waved through” and moved to exempt the Bills from the usual requirements that regulate how quickly Bills can be brought on for debate in the Senate.

    “And as an example of the indecent haste with which the government has operated, these Bills were so rushed that the government is needing to use amendments to fix typos in the original Bill,” he said, addressing the Senate on Wednesday.

    “So these Bills which are intended to protect people from cyber bullies, from cyber abuse, from the non-consensual sharing of intimate images, and from violent and extremist materials — commendable objectives — are being rushed through this place.”

    The typo McKim referred to was the incorrect spelling of “bullying”.

    In the original Bill, there was no complaints mechanism; that has since been rectified somewhat, with a directive given to the eSafety Commissioner to stand one up.

    “In a way, the Parliament is being asked to sign a blank cheque in regards to the creation of that process. Because we have no possibility, as we stand here and debate this Bill today, to know what kind of process the eSafety Commissioner will establish,” he said.

    He also said that just because the incumbent commissioner might be trusted not to misuse her forthcoming sweeping powers, her successor may not behave the same way.

    “It should be incumbent on Parliament to make sure that we legislate not just with one particular person in one particular position in mind, but with a clear-eyed focus on the need to make sure that protections will exist past the incumbency of any one person in any one particular position,” he said.

    It isn’t just the rushed nature of the Bills the Greens have taken issue with; they have also raised concerns about the bias that may arise from the algorithms platforms will build to meet the Bill’s requirements.

    “The Bills will also inevitably lead to online platforms resorting to automated processes based on algorithms and artificial intelligence to identify and remove content that could attract penalties,” he said.

    “The use of AI and algorithms in similar circumstances in places like the US has been extremely controversial, to say the least, and we are concerned that the use of those technologies could lead to disproportionate outcomes like blanket bans, even if that is not the intent of the commissioner.”

    McKim said the use of algorithms and AI would also risk importing racial bias into the regulation of Australia’s online content ecosystem. “We know that that is a risk, because that is exactly what has happened in the US under similar controversial laws,” he said.

    Discrimination, he said, would also be faced by workers in the adult industry.

    “We are concerned about the unintended consequences that could be both harmful to sex workers and adult businesses and to the broader community,” he said. “Under the Bills, as argued by Scarlet Alliance, sex workers will become more vulnerable as they potentially lose access to income safety tools and strategies and to vital peer connections. We’re also concerned that the Bills failed to provide to promote the maximum safety and privacy protections that they could.

    “The Greens absolutely commend the stated objectives of these Bills to keep women, children and the broader Australian community safe in online environments … but we need to make sure that we don’t protect one set of rights by trampling over other rights.”

    He said Bills this significant and targeted at problems so complex should receive full and proper scrutiny.

    “And that is what the government, unfortunately, is seeking to deny.”

    Android opens up earthquake alerts and end-to-end encrypted messages

    Google announced a half dozen updates to Android on Tuesday, including the wider rollout of earthquake alerts and end-to-end encrypted messages.

    The earthquake alert system was first announced in August and uses smartphone accelerometers to detect sudden earth movements. If a phone detects an earthquake, it sends a signal to Google’s earthquake detection server, along with a coarse location of where the tremor occurred. The server then combines the information it has received from multiple Android phones to decide whether an earthquake is happening. If one is detected, the system automatically sends warning alerts to Android devices so people can find cover or safer ground. The system is already live in New Zealand and Greece, with Turkey, the Philippines, Kazakhstan, the Kyrgyz Republic, Tajikistan, Turkmenistan and Uzbekistan coming on board. “We are prioritising launching Earthquake Alerts in countries with higher earthquake risks, and hope to launch in more and more countries over the coming year,” the company said.

    For users of the built-in Messages app on Android, there is now the option of having those messages encrypted. “End-to-end encryption is available in one-on-one conversations between Messages users with chat features enabled,” the company said. A lock symbol at the top of the chat appears to be the visual indication that a conversation is encrypted. In November, Google said it planned to automatically upgrade the security of chats where possible, but this requires both participants to have RCS chat features enabled. RCS is not compatible with Apple’s iMessage protocol.

    The company also said it had added the ability for users to star messages, contextual Emoji Kitchen suggestions, an option for voice control to work only when the user is looking at the screen, and better voice password input.

    GAO urges IRS to adopt tougher data security as TurboTax grapples with compromised accounts

    The IRS and the Government Accountability Office (GAO) are locked in a dispute over data security, according to a letter sent by the GAO to Charles Rettig, commissioner of the IRS.

    On Monday, the GAO said that since May 2019 it has recommended the IRS “develop a governance structure or steering committee to coordinate all aspects of IRS’s efforts to protect taxpayer information while at third-party providers.”

    Since then, the IRS has said it agrees with the recommendation but does not believe it has the “explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file,” according to the GAO report.

    “We continue to believe that IRS could implement this recommendation without additional statutory authority,” the GAO letter said. “Without this structure, it is unclear how IRS will adapt to changing security threats in the future and ensure those threats are mitigated.”

    Jessica Lucas-Judy, a GAO director overseeing work on the IRS, explained in the letter that the IRS continues to hold this view and reiterated its stance in January. Lucas-Judy added that the only way the IRS believes it could establish data-safeguarding policies, and strategies to enforce compliance with them, would be through a “centralized leadership structure” backed by statutory authority that clearly communicates the IRS’s power to do so. According to the IRS, beefing up data security without the authority of such a leadership structure would be an “inefficient, ineffective, and costly use of resources.”

    But Lucas-Judy said the IRS has seven different offices across the agency working on information-security-related activities that “could benefit from centralized oversight and coordination.” “These activities include updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports,” Lucas-Judy wrote.

    The GAO report came just days after Intuit was forced to notify TurboTax users of a breach following a series of account takeover attacks earlier this month, according to Bleeping Computer. Attackers gained full access to the tax returns of an unknown number of people, and Intuit disabled the compromised accounts.

    “By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return,” Intuit said in a breach notification letter obtained by TechRadar.

    The breach was discovered during a regularly scheduled security review. The company routinely notifies users whose accounts are accessed “by a third party using legitimate log-in credentials that Intuit believes were obtained from sources outside the company.” Intuit confirmed that in this instance it was not a “systemic data breach.”

    Yaniv Bar-Dayan, CEO of Vulcan Cyber, said the IRS needed to move with more urgency to protect itself against cyber threats, given that the government is still dealing with the ramifications of the SolarWinds attack. “Unfortunately threat actors aren’t going to sit around and wait. The creation of a ‘governance structure’ from scratch isn’t necessary,” Bar-Dayan said. “The IRS should ride the coattails of cyber governance, risk and compliance frameworks that have already been successfully implemented by the largest public and private financial institutions in the world. Most importantly, take proactive steps now to protect IRS operations and taxpayer data and funds through risk remediation initiatives.”

    CISA warns manufacturers of ThroughTek vulnerability

    CISA has released a new ICS advisory about a vulnerability in a widely used ThroughTek component that gives attackers access to audio and video feeds as well as other sensitive information. On top of the potential for data and video leakage, the company acknowledged that the vulnerability allows attackers not just to spoof a device but to hijack a device’s certificate. CISA rated the vulnerability 9.1 out of 10 on the CVSS severity scale.

    ThroughTek software components are used broadly by security camera and smart device vendors. Their tools are incorporated into millions of connected devices, ranging from IP cameras to baby and pet monitoring cameras as well as robotic and battery devices, and are an integral part of the supply chain for multiple original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices.

    Security company Nozomi Networks Labs discovered the vulnerability in ThroughTek’s P2P SDK and notified ThroughTek. The notice prompted CISA to release its own advisory, stating that the vulnerability is remotely exploitable with low attack complexity. The P2P functionality lets users view audio and video streams over the internet.

    The vulnerability is present in SDK versions 3.1.5 and prior, SDK versions with the nossl tag, device firmware that does not use AuthKey for the IOTC connection, device firmware using the AVAPI module without enabling the DTLS mechanism, and device firmware using the P2PTunnel or RDT module.

    “ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds,” CISA said in the release.

    In a statement, ThroughTek said it had “discovered” that some of its customers were implementing the company’s SDK “incorrectly” or had “disregarded” its SDK version updates. It noted that the vulnerability was addressed in SDK version 3.3 and onwards in 2020 but remains a problem for anything up to and including version 3.1.5.

    ThroughTek said any OEM running SDK 3.1.10 and above should enable AuthKey and DTLS. If the SDK is below 3.1.10, the library needs to be upgraded to 3.3.1.0 or 3.4.2.0 and AuthKey/DTLS enabled. CISA added that, in general, users should minimise risk by reducing network exposure for all control system devices and ensuring none are accessible from the internet. Administrators should place control system networks and remote devices behind firewalls and isolate them from the business network, according to CISA. P2P component flaws have long been cited as one of the gravest risks to the use of IoT devices; in 2019, a vulnerability in iLnkP2P left more than two million IoT devices at risk of compromise.

    100% increase in daily DDoS traffic in 2020 as potential grows for 10 Tbps attack: Nokia

    Nokia Deepfield has found a 100% increase in daily DDoS peak traffic between January 2020 and May 2021.

    Nokia’s IP network and data analytics arm was able to conduct a fingerprint and origin analysis of network traffic through its work with global service providers, webscale companies and digital enterprises. Craig Labovitz, CTO of Nokia Deepfield, unveiled the findings of the global DDoS traffic analysis at NANOG82 this week. The analysis found a massive increase in high-bandwidth, volumetric DDoS attacks, the majority of which originate from just a few dozen hosting companies.

    Labovitz told ZDNet that conventional wisdom says DDoS attacks originate from all over the internet and are therefore impossible to block at the source. “But conventional wisdom is wrong. We can stop the vast majority of DDoS within these 50 companies (e.g. if the hosting companies block bad customers) or by actions taken within the 10-15 internet service providers that connect these hosting companies to the Internet,” he said.

    Researchers also found evidence of DDoS attacks with a threat potential “over 10 Tbps, up to five times higher than the largest reported current attacks.” The largest reported DDoS attack, according to Labovitz, has been about 2 Tbps. Google said in October that in 2017 it dealt with a 2.54 Tbps attack launched by a state-sponsored group from China, the largest reported attack ever.

    The size of attacks is increasing, according to Nokia Deepfield, in part because of a “growing number of open and insecure internet services and IoT devices.” Just six weeks ago, a DDoS attack took down 200 government and university websites across Belgium.

    Labovitz added that the DDoS growth curve is exponential because of the explosive growth of IoT and cloud, both of which are dramatically increasing the number of servers and devices that can be co-opted into DDoS attacks. “The second main point of my presentation today is that the exponential DDoS growth curve represents an existential threat to the Internet. This is due to the expanding number of servers (that can be exploited for launching DDoS) and a large number of IoT devices with sub-standard or default security (therefore, open to hijacking and botnet-control),” Labovitz said. “My take is that it is just sheer luck, bugs in the attacks, etc., on why reported DDoS so far falls significantly below the 10+ Tbps (and perhaps much larger) DDoS potential.”

    The company also found that over the last 15 months there has been an expansion of DDoS-for-hire services available to attackers looking to cause extensive damage to individual and large-scale connectivity and service availability. Throughout 2020, as communities across the world instituted lockdowns as part of the effort to contain COVID-19, Nokia Deepfield said there was a 50% increase in DDoS traffic.

    “The continued increases in intensity, frequency and sophistication of DDoS attacks have resulted in a 100% increase in the ‘high watermark level’ of DDoS daily peaks – from 1.5 Tbps (January 2020) to over 3 Tbps (May 2021),” the company said.

    It is important for every participant in the network security ecosystem — end users, vendors, service providers, cloud builders, regulators and governments — to understand the dangers DDoS poses to the availability of internet content, applications and critical connectivity services, Labovitz added.

    CloudLinux releases UChecker security tool for Linux servers

    Linux is more secure than Windows. We all know that. But that doesn’t mean it has perfect security. Nothing does. CloudLinux is helping to improve Linux’s operational security with the release of UChecker. The company is best known for its Red Hat Enterprise Linux (RHEL)/CentOS server clone, CloudLinux, and for its CentOS fork.

    This newly open-sourced program, part of the company’s TuxCare security services, scans Linux servers for out-of-date libraries both on disk and in memory. Unlike disk-only scanners, it also reports vulnerable libraries that are still loaded in running processes, catching the false negatives those scanners produce. UChecker, short for “userspace checker,” works with all modern Linux server distributions, not just the RHEL family, and is licensed under the GPLv2. It provides detailed, actionable information on which application is using which vulnerable library, along with the relevant process ID and process name. Armed with this information you can see which libraries need to be updated. The program can be integrated with Nagios and other monitoring, logging and management tools to strengthen the defences of your servers.

    UChecker got its start at KernelCare (kernelcare.com), the company’s live-patching service for Linux kernels and common shared libraries such as glibc and OpenSSL. The program can be downloaded from CloudLinux under the GNU General Public License.

    After running UChecker from the shell, you have several options for updating your libraries. First, there’s the old-school way: update the libraries with your packaging system and reboot the servers. Alternatively, you can restart all the processes, since even with UChecker you can’t be sure which processes may still be using the outdated libraries.
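    The in-memory gap that a userspace checker closes can be seen with a small script of my own; it is an added example, not UChecker or any CloudLinux code. On Linux, when a package update replaces a shared library on disk, every process that already mapped the old file keeps executing the old code, and the kernel marks that mapping “(deleted)” in /proc/<pid>/maps. The script parses those maps and reports the process ID, process name and stale library, the same kind of actionable output described above. The sample maps content is constructed for the example; the `scan_proc` walk of the live /proc tree only does anything on Linux and needs privilege to read other users’ processes; and a deleted mapping only tells you the library was replaced, not whether the version still in memory is vulnerable, which would need a CVE feed that is out of scope here.

```python
"""Added example (not UChecker or CloudLinux code): report processes that still
map a shared library which has been replaced or deleted on disk.

Linux marks such mappings "(deleted)" in /proc/<pid>/maps. That is the
in-memory blind spot of disk-only vulnerability scanners: the package on disk
is current, but the running process still executes the old library.
"""
import os
import re
from dataclasses import dataclass

# /proc/<pid>/maps line layout: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$")
_DELETED = " (deleted)"


@dataclass(frozen=True)
class StaleMapping:
    pid: int
    comm: str   # process name as read from /proc/<pid>/comm
    path: str   # library path as it was when the process mapped it


def stale_libraries_from_maps(pid, comm, maps_text):
    """Parse one maps body and return each distinct shared object that the
    kernel flags as deleted. Non-library deleted mappings (memfd, /dev/zero,
    unlinked temp files) are ignored; the '.so' check is a simple heuristic."""
    found, seen = [], set()
    for line in maps_text.splitlines():
        match = _MAPS_LINE.match(line)
        if not match:
            continue
        pathname = match.group(1).strip()
        if not pathname.endswith(_DELETED):
            continue
        path = pathname[: -len(_DELETED)]
        if ".so" not in os.path.basename(path) or path in seen:
            continue
        seen.add(path)
        found.append(StaleMapping(pid, comm, path))
    return found


def scan_proc(proc_root="/proc"):
    """Walk the live /proc tree (Linux only; reading other users' maps needs
    privilege) and collect stale mappings across all readable processes."""
    results = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{proc_root}/{pid}/maps") as fh:
                maps_text = fh.read()
        except OSError:
            continue  # process exited, or we lack permission: skip it
        results.extend(stale_libraries_from_maps(pid, comm, maps_text))
    return results


# Constructed sample: a web server whose libssl/libcrypto were upgraded on
# disk while it kept running. The [heap] and /dev/zero lines show that only
# shared objects are reported, and the two libssl segments collapse to one hit.
SAMPLE_MAPS = """\
5561a000-5561b000 r--p 00000000 fd:01 1048 /usr/sbin/nginx
7f3a1000-7f3a2000 r-xp 00000000 fd:01 2096 /usr/lib64/libssl.so.1.1 (deleted)
7f3a2000-7f3a3000 r--p 00001000 fd:01 2096 /usr/lib64/libssl.so.1.1 (deleted)
7f3b0000-7f3b1000 r-xp 00000000 fd:01 2100 /usr/lib64/libcrypto.so.1.1 (deleted)
7f3c0000-7f3c1000 r-xp 00000000 fd:01 3000 /usr/lib64/libc.so.6
7f3d0000-7f3d1000 rw-p 00000000 00:00 0 [heap]
7f3e0000-7f3e1000 rw-s 00000000 00:05 99 /dev/zero (deleted)
"""

if __name__ == "__main__":
    for stale in stale_libraries_from_maps(1234, "nginx", SAMPLE_MAPS):
        print(f"PID {stale.pid} ({stale.comm}) still maps replaced library {stale.path}")
    # On a Linux host, scan_proc() does the same for every readable process.
```

    Run on a real host, the output names exactly the processes that a “patch and restart only what you must” workflow needs to restart, which is the decision the article says you otherwise cannot make with confidence.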

    Or you can use the TuxCare LibraryCare service’s live-patching capability to apply security patches to the OpenSSL and glibc libraries without rebooting the server. TuxCare services are CloudLinux’s umbrella security and support offering. It includes live patching for critical components of the Linux stack, from the kernel all the way to widely used shared libraries, eliminating the lengthy and costly service disruptions caused by restarting servers or services to install the latest security patches and removing the need for a disruptive maintenance window.

    TuxCare LibraryCare, of course, isn’t the only Linux program that lets you live-patch your kernel or other important files. Others include Oracle Ksplice; Red Hat and CentOS Kpatch; Canonical Livepatch; and SUSE Kgraft. All of these, however, only work with their vendor’s own distribution: you can’t use Livepatch on RHEL, or Kpatch on Ubuntu. CloudLinux’s programs, by contrast, support CentOS, Red Hat, Oracle, Debian, Ubuntu and others. You can run this Python/shell program to see whether it works with your favourite Linux.

    CloudLinux also promises that TuxCare Linux Support Services provides regular patches and updates for all components of enterprise Linux systems, as well as 24/7 incident support, even when systems are past their end-of-life (EOL). So, if you run a variety of Linux distributions and some of them are old, this service is well worth looking into.

    After all, as Jim Jackson, CloudLinux’s president, said, ordinarily “some patches require reconfigurations and reboots of servers that are difficult to take offline for very long. Time is critical because hackers look to exploit vulnerabilities so it’s always a race for IT teams to apply security patches.” Anything that helps you spot and patch potentially insecure libraries as fast as possible is a good thing.

    Deloitte scoops up digital risk protection company Terbium Labs

    Deloitte has made another acquisition in the cybersecurity space, announcing on Tuesday that it has scooped up Baltimore-based digital risk protection company Terbium Labs. The tax and auditing giant said Terbium Labs’ services — which include a digital risk protection platform that aims to help organizations detect and remediate data exposure, theft or misuse — will join Deloitte’s cyber practice and bolster its Detect & Respond offering suite.

    Terbium Labs’ digital risk platform uses AI, machine learning and patented data fingerprinting technologies to identify illicit use of sensitive data online. Deloitte said that adding the Terbium Labs business to its portfolio would let it offer clients another way to continuously monitor for data exposed on the open, deep or dark web.

    “Finding sensitive or proprietary data once it leaves an organization’s perimeter can be extremely challenging,” said Kieran Norton, infrastructure solution leader and principal at Deloitte Risk & Financial Advisory. “Advanced cyber threat intelligence, paired with remediation of data risk exposure requires a balance of advanced technology, keen understanding of regulatory compliance and fine-tuning with an organization’s business needs and risk profile.”

    Terbium Labs is Deloitte’s third cyber-related acquisition in 2021 as the company moves to bolster its existing cybersecurity offerings that aid clients in threat management and intelligence. Deloitte previously bought cyber threat hunting provider Root9B and cloud security posture management provider CloudQuest. Deloitte is one of the largest private companies in the US, selling tax, auditing, consulting and cybersecurity advisory services to major governments and large Fortune 500 multinationals. The financial terms of the Terbium Labs deal were not disclosed.


    Critical remote code execution flaw in thousands of VMware vCenter servers remains unpatched

    Researchers have warned that thousands of internet-facing VMware vCenter servers still harbor critical vulnerabilities weeks after patches were released.

    The vulnerabilities affect VMware vCenter Server, a centralized management utility. VMware issued patches for two critical bugs, CVE-2021-21985 and CVE-2021-21986, on May 25.

    The first flaw, CVE-2021-21985, affects VMware vCenter Server and VMware Cloud Foundation and has been assigned a CVSS score of 9.8. The bug lies in a vSAN plugin that is enabled by default in the application and allows an attacker with network access to port 443 to achieve remote code execution (RCE). VMware said in a security advisory that the bug can be exploited to gain access to “the underlying operating system that hosts vCenter Server” with “unrestricted privileges.” It affects vCenter Server 6.5, 6.7 and 7.0, alongside Cloud Foundation vCenter Server 3.x and 4.x.

    The second vulnerability, CVE-2021-21986, is present in the vSphere Client (HTML5) and the vSphere authentication mechanism for a number of plugins: Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability. Considered less critical with a CVSS score of 6.5, it still permits attackers with access to port 443 to “perform actions allowed by the impacted plug-ins without authentication.”

    Thousands of internet-facing servers appear to remain exposed to both CVE-2021-21985 and CVE-2021-21986. On Tuesday, researchers from Trustwave SpiderLabs said an analysis revealed 5,271 VMware vCenter servers reachable online, the majority running versions 6.7, 6.5 and 7.0, with port 443 the most commonly exposed port. Using the Shodan search engine for further examination, the team was able to pull data from 4,969 instances and found that 4,019 of them — 80.88% — remain unpatched. The remaining 19.12% are likely to be vulnerable as well, since they run old versions of the software, including 2.5x and 4.0x, that are end-of-life and unsupported.

    When it issued the fixes, VMware said the vulnerabilities demanded the “immediate attention” of users. As previously reported by ZDNet, the patches may break some third-party plugins; where applying the fixes isn’t possible, server owners are asked to disable the affected VMware plugins to mitigate the risk of exploitation. Critical bugs of this kind should be patched, or mitigated, as quickly as possible. Proof-of-concept (PoC) code has been released for CVE-2021-21985, and the issue is severe enough that the US Cybersecurity and Infrastructure Security Agency (CISA) has alerted vendors to patch their builds.
