More stories

  • Hackers selling access to FIFA matchmaking servers and other games after EA attack

    Gaming giant Electronic Arts has been hacked and the cyberattackers are now selling access to the company’s games and servers, according to screenshots of underground hacking forums obtained by Motherboard. Messages found on the hacking forums indicate the attackers took 780 GB of data from the company and have full access to FIFA 21 matchmaking servers, FIFA 22 API keys and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, which powers EA’s most popular games like Battlefield, FIFA, and Madden.

    “You have full capability of exploiting on all EA services,” one attacker’s message said, noting that there are hundreds of millions of registered EA users around the world and nearly nine million FIFA users. The messages included samples of what was stolen and indicate that the attackers are selling the batch of data and access for $28 million.

    In a statement to ZDNet, an EA spokesperson said it was not a ransomware attack and claimed a “limited amount of game source code and related tools were stolen” during the attack. The company said it does not expect any impact to its games or business. “No player data was accessed, and we have no reason to believe there is any risk to player privacy,” the EA spokesperson said. “We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.” The cyber research and intelligence team for BlackBerry shared screenshots with ZDNet of the notes from someone behind the attack.

    Eric Milam, vice president of Research and Intelligence at BlackBerry, said EA was probably targeted because “saying you hacked EA is like saying you hacked Blizzard.” With the source code of multiple video games, the attackers could compile and sell a game before it comes out, as well as add their own backdoors to certain games. Something like this would “give them access to a lot of computers.”

    “Source code allows for review of everything that’s there without the need to reverse engineer. The source code could also help them understand the type of security around information and payment exchanges,” Milam said. “The source code could contain hardcoded credentials, keys, etc which can be used elsewhere or allow additional remote code capabilities.”

    EA is far from the first gaming company to be hacked, with both Capcom and CD Projekt suffering from attacks in the last year. CD Projekt disclosed a ransomware attack in February and Capcom announced a hack in November that is now having far-reaching legal consequences for the company. EA itself was hacked in 2011 and had to deal with a slate of vulnerabilities discovered in 2019. Rajiv Pimplaskar, chief risk officer for cybersecurity company Veridium, said that like Capcom, there could be several downstream consequences such as loss of customer account credentials, biographic data, and more on top of the intellectual property losses.

    “EA makes over $2.7 billion from microtransactions or in-game purchasing. App developers today have a higher responsibility to protect consumers and need to increasingly incorporate digital identity, authentication and privacy measures at a code level for improving cyber defense and mitigating fallout from such forms of theft,” Pimplaskar added.

    Erich Kron, security awareness advocate at KnowBe4, told ZDNet it was strange that the attackers did not attempt to ransom the data back to EA before selling it on the open market. He noted that the proprietary information found in the leak may be valuable to competitors or may include information or vulnerabilities that could be used in future attacks against EA products or customers with installed EA games. Many experts added that the theft of game source code was particularly damaging for a company like EA, which has popular brands like FIFA, Madden, Battlefield, Star Wars: Jedi Fallen Order, The Sims, and Titanfall.

    “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life,” said Saryu Nayyar, CEO of Gurucul. “The heartbeat has been interrupted and there’s no telling how this attack will ultimately impact the life blood of the company’s gaming services down the line.”

  • The most versatile hardware-encrypted USB flash key awarded highest FIPS validation

    At a time when data loss can be damaging to businesses, and penalties for breaching GDPR, FISMA, FERPA and HIPAA harsh, having a way to keep information safe and secure when on the move is more important than ever. The Aegis Secure Key 3NXC was first introduced in July 2020 and was the only hardware-encrypted flash key that was compatible with USB-C without needing a USB-A to USB-C adapter. It built on Apricorn’s Secure Key 3z and Aegis Secure Key 3NX, taking the same proven form-factor and physical keypad but making it compatible with modern devices.

    Today, the drive received FIPS 140-2 level 3 validation (certification #3943) by NIST, certifying its use in industries and institutions such as healthcare, finance, and defense, and that it complies with the most stringent data security regulations.

    The drive really is a one-stop solution. Because there are no drivers to install, the drive is totally OS agnostic and perfectly at home on Windows, Linux, Mac, Android, Chrome, iPadOS on the iPad Pro, and embedded systems, as well as other equipment equipped with a powered USB port and storage file system.

    AEGIS SECURE KEY 3NXC TECH SPECS:
    • No software, which means there’s nothing to hack
    • Complete cross-platform compatibility
    • Built-in keypad
    • Brute force attack protection
    • All authentication takes place within the device
    • All data, passwords and encryption keys are 256-bit encrypted at rest
    • No host computer is involved in setup, authentication or encryption
    • No default PINs
    • IP68 rated against water and dust damage
    • Separate administrator and user access
    • Read-only options that can be enforced by the administrator or set by the user if allowed by policy
    • Highly configurable with policy such as time-out values, data recovery PINs, and programmable PIN lengths
    • Ability to automatically configure multiple devices remotely using Apricorn’s Aegis Configurator tool
    • Prices from $59 for 4GB storage


    “Our research has shown that sixty percent of IT professionals agree that remote work conditions have created data security issues within their organizations,” said Kurt Markley, U.S. Managing Director, Apricorn. “One of the fastest, most economical safeguards they could put in place quickly is the 3NXC. Both the NX and NXC were designed to accommodate smaller next-gen devices — like mobile phones, laptops, and tablets — that employees are using more and more to access privileged data while working remotely. It remains the first and only USB-C hardware-encrypted flash drive on the market and is now the only one to carry FIPS validation.”
    When I started using Aegis hardware, my main concern was that the unique built-in keypad would wear out over time. However, in my experience, the polymer-coated buttons are incredibly wear-resistant. I have this and other similar drives that have been in regular usage for two years, and the keypads on all of them are still like new.

    The 3NXC comes in a broader range of capacities, ranging from 4GB to 128GB. This translates into savings for those who don’t need high-capacity storage drives, and prices range from $59 to $179.

  • Researchers create an 'un-hackable' quantum network over hundreds of kilometers using optical fiber

    Researchers from Toshiba have successfully sent quantum information over 600-kilometer-long optical fibers, creating a new distance record and paving the way for large-scale quantum networks that could be used to exchange information securely between cities and even countries. Working from the company’s R&D lab in Cambridge in the UK, the scientists demonstrated that they could transmit quantum bits (or qubits) over hundreds of kilometers of optical fiber without scrambling the fragile quantum data encoded in the particles, thanks to a new technology that stabilizes the environmental fluctuations occurring in the fiber.  This could go a long way in helping to create a next-generation quantum internet that scientists hope will one day span global distances.  The quantum internet, which will take the shape of a global network of quantum devices connected by long-distance quantum communication links, is expected to enable use-cases that are impossible with today’s web applications. They range from generating virtually un-hackable communications, to creating clusters of inter-connected quantum devices that together could surpass the compute power of classical devices. 


    But in order to communicate, quantum devices need to send and receive qubits – tiny particles that exist in a special, but extremely fragile, quantum state. Finding the best way to transmit qubits without having them fall from their quantum state has got scientists around the world scratching their heads for many years. One approach consists of shooting qubits down optical fibers that connect quantum devices. The method has been successful but is limited in scale: small changes in the environment, such as temperature fluctuations, cause the fibers to expand and contract, and risk messing with the qubits.  This is why experiments with optical fiber, until now, have typically been limited to a range of hundreds of kilometers; in other words, nowhere near enough to create the large-scale, global quantum internet dreamed up by scientists. 

    To tackle the unstable conditions inside optical fibers, Toshiba’s researchers developed a new technique called “dual band stabilization”. The method sends two signals down the optical fiber at different wavelengths. The first wavelength is used to cancel out rapidly varying fluctuations, while the second wavelength, which is at the same wavelength as the qubits, is used for finer adjustments of the phase. Put simply, the two wavelengths combine to cancel environmental fluctuations inside the fiber in real time, which, according to Toshiba’s researchers, enabled qubits to travel safely over 600 kilometers.

    Already, the company’s team has used the technology to trial one of the most well-known applications of quantum networks: quantum-based encryption. Known as Quantum Key Distribution (QKD), the protocol leverages quantum networks to create security keys that are impossible to hack, meaning that users can securely exchange confidential information, like bank statements or health records, over an untrusted communication channel such as the internet. During a communication, QKD works by having one of the two parties encrypt a piece of data by encoding the cryptography key onto qubits and sending those qubits over to the other person thanks to a quantum network. Because of the laws of quantum mechanics, however, it is impossible for a spy to intercept the qubits without leaving a sign of eavesdropping that can be seen by the users, who, in turn, can take steps to protect the information. Unlike classical cryptography, therefore, QKD does not rely on the mathematical complexity of solving security keys, but rather leverages the laws of physics. This means that even the most powerful computers would be unable to hack the qubit-based keys. It is easy to see why the idea is gathering the attention of players from all parts, ranging from financial institutions to intelligence agencies.

    Toshiba’s new technique to reduce fluctuations in optical fibers enabled the researchers to carry out QKD over a much larger distance than previously possible. “This is a very exciting result,” said Mirko Pittaluga, research scientist at Toshiba Europe. “With the new techniques we have developed, further extensions of the communication distance for QKD are still possible and our solutions can also be applied to other quantum communications protocols and applications.” When it comes to carrying out QKD using optical fiber, Toshiba’s 600-kilometer mark is a record-breaker, which the company predicts will enable secure links to be created between cities like London, Paris, Brussels, Amsterdam and Dublin.

    Other research groups, however, have focused on different methods to transmit qubits, which have enabled QKD to happen over even larger distances. Chinese scientists, for example, are using a mix of satellite-based transmissions communicating with optical fibers on the ground, and recently succeeded in carrying out QKD over a total distance of 4,600 kilometers. Every approach has its pros and cons: using satellite technologies is more costly and could be harder to scale up. But one thing is for certain: research groups in the UK, China and the US are experimenting at pace to make quantum networks become a reality. Toshiba’s research was partially funded by the EU, which is showing a keen interest in developing quantum communications. Meanwhile, China’s latest five-year plan also allocates a special place for quantum networks; and the US recently published a blueprint laying out a step-by-step path leading to the establishment of a global quantum internet.
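    The eavesdropping-detection property the story describes can be seen in a purely classical simulation of the BB84 protocol. The block below is an added example for this page, not Toshiba’s code, and it does not model the dual-band stabilisation technique or any physical fiber; the qubit is represented as a (bit, basis) pair, the 11% abort threshold is an illustrative choice, and the sample fraction and seed are assumptions. It shows that when nobody touches the channel, Alice and Bob end up with identical sifted keys and a zero error rate, while an intercept-and-resend eavesdropper produces roughly 25% errors in the sacrificed sample and the session is aborted.

```python
"""Classical simulation of the BB84 QKD protocol (added example, not Toshiba's).

A qubit "in flight" is modelled as a (value, basis) pair. Measuring in the
preparation basis returns the encoded value; measuring in the other basis
returns a uniformly random bit and destroys the original encoding.
"""
import random

# Abort threshold used here for illustration; real deployments derive the
# tolerable error rate from their security proof and post-processing.
QBER_ABORT_THRESHOLD = 0.11


def _measure(rng, value, basis, measure_basis):
    """Outcome of measuring a prepared qubit in measure_basis."""
    return value if basis == measure_basis else rng.randint(0, 1)


def simulate_bb84(n_qubits, eavesdrop=False, seed=1, sample_fraction=0.25):
    """Run one BB84 session and return sifted-key statistics and both keys."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]  # 0 rectilinear, 1 diagonal
    channel = list(zip(alice_bits, alice_bases))  # qubits on the fiber

    if eavesdrop:
        # Intercept-and-resend: Eve measures each qubit in a random basis and
        # re-prepares it in that basis, so half the time she forwards the wrong state.
        resent = []
        for value, basis in channel:
            eve_basis = rng.randint(0, 1)
            resent.append((_measure(rng, value, basis, eve_basis), eve_basis))
        channel = resent

    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bits = [_measure(rng, v, b, bb) for (v, b), bb in zip(channel, bob_bases)]

    # Sifting: bases are compared over a public channel; mismatched positions are dropped.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # Error estimation: a sample of sifted positions is disclosed publicly and discarded.
    n_sample = int(len(sifted) * sample_fraction)
    sample, keep = sifted[:n_sample], sifted[n_sample:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / n_sample if n_sample else 0.0

    return {
        "sifted": len(sifted),
        "qber": qber,
        "aborted": qber > QBER_ABORT_THRESHOLD,
        "alice_key": [alice_bits[i] for i in keep],
        "bob_key": [bob_bits[i] for i in keep],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = simulate_bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted']} "
              f"qber={r['qber']:.3f} aborted={r['aborted']}")
```

    The 25% figure follows directly from the model: on a sifted position Eve guessed the right basis half the time (no error) and the wrong basis the other half, in which case Bob’s result is a coin flip (error with probability one half). Channel noise in a real fiber adds to this baseline, which is why long-distance work like Toshiba’s concentrates on keeping the intrinsic error rate low enough that an intruder’s contribution remains distinguishable.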

  • This new hacking group has a nasty surprise for African, Middle East diplomats

    A recently-discovered advanced persistent threat (APT) group is targeting diplomats across Africa and the Middle East. 

    Revealed on Thursday by ESET researchers, the state-sponsored group, dubbed BackdoorDiplomacy, has been linked to successful attacks against Ministries of Foreign Affairs in numerous African countries, the Middle East, Europe, and Asia, alongside a smaller subset of telecommunications firms in Africa and at least one charity outfit in the Middle East.

    BackdoorDiplomacy is thought to have been in operation since at least 2017. The cross-platform group targets both Linux and Windows systems and seems to prefer to exploit internet-facing, vulnerable devices as an initial attack vector. If web servers or network management interfaces are found which have weak points, such as software vulnerabilities or poor file-upload security, the APT will strike. In one case observed by ESET, an F5 bug, CVE-2020-5902, was used to deploy a Linux backdoor, whereas, in another, BackdoorDiplomacy adopted Microsoft Exchange server bugs to deploy China Chopper, a webshell.

    Once they have obtained entry, the threat actors will scan the device for the purposes of lateral movement, install a custom backdoor, and deploy a range of tools to conduct surveillance and data theft. The backdoor, dubbed Turian, is thought to be based on the Quarian backdoor, malware linked to attacks against diplomatic targets in Syria and the US back in 2013. The main implant is capable of harvesting and exfiltrating system data, taking screenshots, and also overwriting, moving/deleting, or stealing files.

    Among the tools used are the network tunnel software EarthWorm; Mimikatz; NetCat; and software developed by the US National Security Agency (NSA) and dumped by ShadowBrokers, such as EternalBlue, DoublePulsar, and EternalRocks. VMProtect was used in most cases to try and obfuscate the group’s activities.

    Diplomats may have to deal with sensitive information handed over through removable drives and storage. To widen the scope of its cyberespionage activities, BackdoorDiplomacy will scan for flash drives and will attempt to copy all files from them into a password-protected archive which is then whisked off to a command-and-control (C2) center via the backdoor.

    While BackdoorDiplomacy has been registered as an APT in its own right, there do appear to be other links, or at least common threads, with other threat groups. The network encryption protocol used by the APT is almost identical to that used by the Calypso group’s Whitebird backdoor, and this malware was deployed against diplomatic targets in Kazakhstan and Kyrgyzstan during 2017 – 2020. In addition, ESET believes there are commonalities with CloudComputating/Platinum, which has targeted diplomatic, government, and military organizations across Asia in previous years. Other coding and mechanism clues are similar to Rehashed Rat and MirageFox/APT15.

    In other research this month, Check Point Research discovered a novel backdoor developed by Chinese threat actors over the course of three years. The malware, dubbed VictoryDll_x86.dll, was used to compromise a network belonging to a Southeast Asian government’s Ministry of Foreign Affairs.

  • Amazon data usage to feature in new UK antitrust probe: report

    Amazon’s data practices are to become subject to UK scrutiny in a new antitrust probe planned by regulators. 


    According to sources speaking to the Financial Times, the UK’s Competition and Markets Authority (CMA), a business innovation and antitrust watchdog, intends to launch a formal investigation into the e-commerce giant’s data management and usage. The FT says that the agency has been watching and analyzing Amazon’s business “for months,” and in particular, has focused on data collection and merchant ranking.

    The investigation will seek to answer queries relating to merchant favoritism, and whether or not the platform pushes merchants up the rankings when they use Amazon’s logistics and delivery services. The “buy box” white panel, critical for consumer purchases and used when there are multiple sellers for the same item, is reportedly of particular interest to the CMA, and whether any anti-competitive behavior exists in how Amazon decides which merchants have access to it.

    Amazon describes the buy box as a ‘best-fit’ feature based on customer feedback and service. “When there are multiple sellers for a product, we feature the best of those offers prominently on the product page, in what’s sometimes referred to as ‘the buy box,’” the company says. “All of the Amazon retail and independent sellers’ offers compete to be one of the featured offers based on the same criteria, such as low price (inclusive of delivery), fast delivery, a track record of good customer service, and reliability in meeting its delivery promises.”

    The CMA is yet to announce a potential probe into Amazon. However, should it launch, it will follow investigations launched by the European Commission (EC) last year. The EC said that as Amazon acts as both an online marketplace and retailer, it has access to third-party seller data, and may unfairly use this to its advantage, such as in strategic business decisions. In addition, the commission opened a second investigation into the buy box and any preferential treatment for vendors that use logistics or delivery services provided by Amazon.

    “While we can’t comment on any alleged investigation, we continue to work hard to deliver great value and low prices for customers and support the tens of thousands of UK small and medium-sized enterprises that account for more than half of everything we sell in our online store,” an Amazon spokesperson told ZDNet. The CMA told us that it “cannot speculate as to which cases it may or may not investigate.”

    In May, the European Data Protection Supervisor (EDPS) announced an investigation into the use of technology vendor products by the bloc’s major agencies and how citizen data is managed, stored, and protected. These products include Amazon AWS and Microsoft Azure cloud services. Separately, the agency is also analyzing data protection law compliance and the use of Microsoft Office 365 by European authorities.

  • Ransomware: Meat firm JBS says it paid out $11m after attack

    Global meatpacker JBS USA has paid $11 million in Bitcoin to cyberattackers that encrypted its files and disrupted operations in the US and Australia with ransomware, the company has said. JBS USA chief Andre Nogueira confirmed the company had made the payment to the attackers.


    While the FBI discourages ransomware victims from paying ransoms because it emboldens criminals, JBS said it made the decision to pay the attackers in consultation with third-party cybersecurity experts “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

    “This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO, JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.” Last week, the FBI pinned the JBS attack on the actors behind the REvil ransomware, who are believed to be based in Russia. JBS is the world’s largest meat supplier. REvil, also known as Sodinokibi, is known for targeting organizations, including hospitals, schools and charities, rather than individuals, and demanding ransoms of as much as $50 million.

    JBS said it was able to quickly resolve the issues resulting from the attack because of its cybersecurity protocols, redundant systems and encrypted backup servers. It highlighted that it spends around $200 million annually on IT and employs more than 850 IT professionals globally. The REvil gang runs as a ransomware-as-a-service (RaaS) business, selling its encryption software to other criminal groups.

    The JBS incident comes after the attack on Colonial Pipeline, the fuel distribution firm that brings oil from Texas to US states on the east coast. The firm provides roughly 45% of the east coast’s fuel, including gasoline, diesel, home-heating oil, jet fuel, and military supplies. Colonial fell victim to attackers using Darkside RaaS and confirmed it paid $4 million to decrypt affected files. However, the FBI announced this week that it had recovered over half of the ransom paid to the attackers. The FBI and Justice Department used the Bitcoin public ledger to track the payments to an address that the FBI had a ‘private key’ for.

    Ransomware has plagued organizations for the past decade, but the scale and severity of attacks has transformed in the past three years. In 2017, the WannaCry and NotPetya ransomware attacks impacted hundreds of firms, but high-profile ransomware attacks more recently have targeted specific companies and have been accompanied by high ransoms. The Colonial attack raised national security concerns for the US, with many attacks levied by Russia-based criminal groups that are willing to target critical infrastructure operations. US President Joe Biden is expected to raise the issue of Russian criminal hacking with Russian President Vladimir Putin at a June 16 summit in Geneva.

  • ACSC scanning is allowing Commonwealth entities to avoid being hacked

    [Image: ASD]

    The Australian Signals Directorate published a sobering The Commonwealth Cyber Security Posture in 2020 report on Thursday, with one of the bright spots being the use of scanning by the Australian Cyber Security Centre (ACSC). Under its Cyber Hygiene Improvement Programs (CHIPs), the ACSC was able to identify vulnerable, internet-exposed MobileIron systems across Commonwealth, state and territory, and local governments. “The ACSC notified all government entities operating vulnerable devices of the device details, the critical vulnerability and the urgent need to patch or otherwise mitigate the risk,” the report said. “This timely and actionable information from the ACSC allowed some government entities to pre-empt adversary exploitation of their MobileIron devices, in one case by hours.”

    The report said the 2020 MobileIron and Citrix vulnerabilities had some of the quickest turnarounds before exploitation attempts began to appear. “Reporting showed adversaries attempting to exploit these vulnerabilities within days of proof-of-concept codes being publicly released,” it said. “Organisations that cannot patch their internet-facing services in a very timely manner, especially legacy VPNs and websites, must improve their patching capability. Adopting software-as-a-service or platform-as-a-service cloud approaches to internet-facing services may assist.”

    [Chart: “This is bad”. Image: ASD]

    Elsewhere, the report said that while in absolute terms the cyber posture of Commonwealth entities was improving, the shift was glacial in 2020. For instance, the report said entities were improving application hardening, but only 12% of entities got better. Similarly, 10.5% were doing application control properly, and 9.5% more entities could say they were restricting admin privileges properly. The blame for the slow pace was placed with entities continuing to use obsolete and unsupported operating systems and applications, not embracing cloud services, organisations not having fast or flexible modernisation strategies, a cyber skills shortage, and organisations continuing to “misunderstand, misinterpret and inconsistently” the Essential Eight. In a government response tabled on Wednesday, the government is considering making the Essential Eight essential for its entities.

    [Chart: “This is very, very bad”. Image: ASD]
    Restricting adherence to merely the Top Four of the Essential Eight showed 11% of organisations self-reported at the lowest level of compliance, followed by 55% at the second step of the four-step system, with 33% at the third level, and only 1% being fully compliant. The policy with the lowest level of maturity was “safeguarding information from cyber threats”.

    On the plus side, CHIPs is now able to track “cyber hygiene indicators” across 71,300 active Commonwealth government domains, an improvement of 54,300 domains in the year from February 2020, and covers the sites of 187 entities. Across 2020, CHIPs gained the ability to scan for encrypted email use; whether government sites were running up-to-date software, displaying default websites or using expired certificates; scanning for critical vulnerabilities; and advising government entities at all levels on services they have open to the wider internet. During the year, ACSC created a Protective Domain Name System that blocks domains associated with malware, ransomware, phishing attacks, and other malicious content. “Under the pilot, the ACSC processed approximately 2 billion queries from eight Commonwealth entities over the period from April to December 2020, and blocked 4683 unique malicious cyber threats, preventing over 150,000 threat events,” the report said. “In 2021–22, the capability will be offered to all Commonwealth entities.”

    [Chart: “Australia is so bad at cyber”. Image: ASD]

    The report stated approximately one quarter of entities are now using DMARC to prevent email spoofing. Across the year, ACSC said it responded to 434 cyber incidents, of which 46% were self-reported and the remainder were found through “ACSC investigations, reporting from international partners and third parties, and analysis of a variety of classified and open-source material”. The next report will be handed to government in November 2022 and cover from January 2021 to June 2022. From 2023, the reports will focus on cyber posture across a single financial year.
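    The DMARC adoption figure in the report hides a second question a hygiene scanner has to answer: a domain can publish a DMARC record and still let spoofed mail through if the policy is `p=none`, only applies to a percentage of mail, or is weakened for subdomains. The block below is an added example for this page, not the ACSC’s CHIPs tooling; it parses a DMARC TXT record and lists the reasons it does not yet block spoofing. The domain names and records are constructed, and no DNS lookup is performed (a real scanner would fetch the TXT record at `_dmarc.<domain>` and hand the string to these functions).

```python
"""Assess the strength of a DMARC TXT record (added example, not ACSC tooling).

DMARC records look like 'v=DMARC1; p=reject; rua=mailto:...'. The receiving
mail server applies the p= policy to mail that fails SPF/DKIM alignment, so a
record with p=none merely reports spoofing without stopping it.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records for three made-up domains.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
}


def parse_dmarc(record):
    """Split a DMARC record into a tag -> value dict, validating v= and p=."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid policy tag: {tags.get('p')!r}")
    return tags


def assess_dmarc(record):
    """Return human-readable findings; an empty list means the record enforces rejection."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    findings = []

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")

    # pct= limits how much failing mail the policy is applied to (default 100).
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    # sp= overrides the policy for subdomains; a weaker sp= leaves them spoofable.
    sub_policy = tags.get("sp")
    if sub_policy is not None and POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}; subdomains are less protected")

    # Without rua= the domain owner never sees aggregate reports of failures.
    if "rua" not in tags:
        findings.append("no rua= address; authentication failures are not reported")

    return findings


def assess_all(records):
    """Assess a mapping of domain -> record, as a scanner would across many domains."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        status = "enforcing" if not findings else "weak"
        print(f"{domain}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

    The checks are deliberately ordered from most to least consequential: policy first, then the `pct` and `sp` tags that quietly narrow its scope, then reporting. Only a record that passes all of them actually prevents the spoofing the report is measuring.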

  • Australia to open digital ID system to private sector with consultation on new legislation

    Legislation will enter Parliament later this year that will allow non-government entities to provide digital identification services to Australians.

    The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with myGovID, developed by the Australian Taxation Office, and accrediting an equivalent identity service from Australia Post in 2019. myGovID and the Australia Post Digital ID are essentially just forms of digital identification that then allow the user to access certain online services, such as the government’s online portal myGov.

    The digital identity system is touted by the government as a simple, safe, and secure way to verify identity online, as well as one allowing for better interaction with government services. But it also believes digital ID can “enable innovative digital sectors of the economy to flourish”.

    While the DTA has developed the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity, it is a set of rules that only Australian government entities can follow; it can’t be applied to states and territories, or to the private sector. This is why legislation is required.

    “It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider,” DTA CDO Peter Alexander said during Senate Estimates in October. “So individuals and businesses dealing with the Australian government and national services will be able to make a choice.”

    Instead of listening to researchers recommending the Australian government abandon its existing digital identity system and start again from scratch, after highlighting again security flaws in two of the systems already accredited, the government has opened a second round of consultation, this time on the development of legislation.Highlighting eight “key” elements, the government wishes to discuss with those interested in the structure of the legislation, scope and interoperability of the system, governance, privacy and other consumer safeguards, trustmarks, liability and redress options, penalties and enforcement, and the administration of the scheme.The purpose of the legislation, the government states [PDF], is to allow for independent oversight of the system, by formalising the powers and governance arrangements of the oversight authority; enable expansion of the system to state and territory governments and the private sector; provide privacy protections, consumer safeguards, and security requirements to build trust in the system; provide for a legally enforceable set of rules that set the standards for participating in the Digital Identity system, including the TDIF rules; and allow for entities to be TDIF accredited for their activities whether they are on the system or not.It is expected the legislation will consist of primary legislation with privacy and consumer safeguards and rules and policies, including accreditation standards. The government believes the legislation will leverage existing laws, not duplicate them.The legislation, it said, will have a “clearly defined scope”.It said the legislation will not limit a person to having one digital identity with one provider, nor will it be intended to regulate all digital identities and digital identity systems. 
It said entities decide whether they will use the system or provide services on the system.The legislation will also require entities generating, transmitting, managing, using, and reusing digital identities to provide a “seamless user experience with the digital identity system”.Rules will be enforced by the oversight authority and Information Commissioner. The oversight authority will be extended powers to suspend or revoke accreditation and access to the system, and issue directions for remedial action to address a breach.On privacy and consumer safeguards, the legislation is hoping to “protect personal information” and “ensure accessibility” for all.It will prohibit the creation of a single identifier used across the system and all government services and create a voluntary system giving users the right to create and use a digital identity, including the right to deregister and not use a digital identity at any time.It will require individuals to expressly consent before their attributes are shared with a relying party.With the DTA flagging previously its biometric testing with regards to the digital ID, the legislation is expected to limit the system to one-to-one biometric matching only and prohibit anyone other than those involved in proofing or authentication from collecting or using biometric information. It will also aim to prevent biometric information being sent to third parties not required to perform or proofing or authenticate a person and require biometric information to be deleted once it has been used for its intended purpose. 
However, the legislation will contain a caveat allowing users to consent to their biometric information being accessed for fraud or security investigations.

The government also hopes to prevent "data profiling". The legislation will "prohibit the collection, use, and disclosure of information about a user's behaviour on the system except to verify their identity, assist them to receive a digital service, allow them to view their own behaviour (for example, a dashboard), or support identity fraud management," the government writes.

At the same time, it will enforce record-keeping of metadata and activity logs for a minimum of seven years to maintain the system's integrity and to allow for fraud or criminal investigations.

With talk of the digital ID being used to verify an individual is of age before accessing online services such as pornography, the legislation will set a minimum age of 15 years for the use of a digital identity.

Meanwhile, a liability and redress framework will aim to ensure accredited participants are not liable for loss or damage suffered "provided they were acting in good faith, and complied with the legislative rules and requirements relating to the system". It will also establish a redress mechanism for users affected by a cybersecurity incident, identity theft, inappropriate disclosure of information, or system failure.

Submissions to the consultation close 15 July 2021.

Elsewhere in Canberra, the government has funded an additional 51 projects, totalling AU$27 million, in the latest round of the Regional Connectivity Program (RCP). The federal funding is supplemented by co-contributions from the applicants, from other levels of government, and from industry and other organisations.
The first tranche of the RCP was slated to fund 81 projects. The program, previously capped at AU$60 million, formed part of the government's response to the 2018 Regional Telecommunications Review.

"The federal government's total contribution of AU$117.4 million (GST inclusive) towards round 1 RCP projects will deliver total new investment of more than AU$232 million (GST inclusive) together with co-contributions from the funding recipients, state and territory governments and other third parties, including local governments, regional businesses, and community development organisations," a joint statement from Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher and Minister for Regional Health, Regional Communications and Local Government Mark Coulton said.
