Information Technology

Image: Asha Barbaschow/ZDNet
Australia’s eSafety commissioner Julie Inman Grant was questioned by senators on Tuesday morning about the efficacy of the recently enacted Online Safety Act, which expanded the commissioner’s takedown powers to cover more cyberbullying content – including those targeting adults — intimate images of someone that was shared without their consent, abhorrent violent material, and restricted content. The grilling arose in response to a letter written by Western Australia Police Minister Paul Papalia to Federal Communications Minister Paul Fletcher that called for the Online Safety Act powers to be used more expeditiously. Papalia wrote the letter after a TikTok video surfaced online of a stolen vehicle occupied by boys aged 11 and 12, and a girl aged 13, ramming a police car into a tree in Broome, injuring two police officers. The video was posted by the children shortly before they crashed the vehicle.Explaining the aftermath, Inman Grant said her agency was not aware of the TikTok content until Papalia’s letter was published by a media outlet on Sunday evening. After becoming aware of the letter, the eSafety commissioner said her agency contacted the WA Police, Snapchat, and TikTok to ascertain what actions were being taken.Prior to the eSafety commissioner’s office reaching out to WA Police, however, the police agency had made no contact with the commissioner about the incident. The WA Police has also not filed any complaints to the agency as yet either. When asked about the various ways WA Police can work with the eSafety commissioner to exercise the latter’s powers, Inman Grant conceded that a memorandum of understanding (MoU) with WA Police covering the new Online Safety Act capabilities was not yet in place. Inman Grant noted, however, that an MoU is not necessary for law enforcement to report harmful content to her agency.

She also said her agency recently hired new law enforcement liaison staff that would be specifically tasked with updating its MoUs with federal and state law enforcement agencies. “[MoUs] help guide protocol, but if a police agency came to us needing help with removal we wouldn’t require an MOU to do that,” Inman Grant said. Minister for Superannuation, Financial Services and the Digital Economy Jane Hume, who appeared alongside Inman Grant before Senate Estimates, then laid the blame of the Online Safety Act not being exercised for this incident at Papalia’s feet, saying he was “entirely aware that it was a cybercrime well in advance, so he could have made the complaint”. In response to this revelation, Labor Senator Louise Pratt criticised the eSafety commissioner’s job in providing awareness on how to make use of the Online Safety Act’s takedown powers due to the agency’s media campaign so far being focused on updating the eSafety website. “If the creative is ready, surely they should spend it here and now rather than saving the expenditure of that creative. Frankly, when prices escalate because there’s more competition for a media buy during an election campaign,” Pratt said. At the time of writing, the eSafety website’s home page did not have a direct link to the page for reporting harmful content. On online search engines, meanwhile, results of the eSafety website contained a sub-result displaying the reporting page. The eSafety commissioner did not respond directly to Pratt’s critique, saying: “We have been the eSafety regulators since 2015. Not every single citizen or organisation may be aware of us; we do whatever we can in our power to let as many people know and we’ll continue to do that. I’m not sure what more I can say.” “I think this is like any public health campaign. Behavioural change takes a really long time,” she said. Providing an update of the Online Safety Act’s powers since it came into force three weeks ago, Inman Grant said her agency has handled more than 200 complaints from Australian adults experiencing abuse and harassment online. Representing an 85% increase compared to the same period a year ago, these complaints have focused on explicit instructions and encouragement to commit suicide, threats of murder, and the menacing publication of personal details online. RELATED COVERAGE More

Taiwanese electronics manufacturing giant Foxconn and Indian conglomerate Vedanta have signed a memorandum of understanding to form a joint venture that will manufacture semiconductors in India.Under the MoU, Vedanta will hold the majority in the JV, while Foxconn will be a minority shareholder. Vendanta chairman Anil Agarwal will also be the chairman of the new joint venture, the companies said. “This first-of-its-kind joint venture between the two companies will support Indian Prime Minister Narendra Modi’s vision to create an ecosystem for semiconductor manufacturing in India,” the companies added.The location for the new chip plant is still being finalised with a number of state governments in India, according to the companies.At the end of last year, the Indian government announced a plan that will see the nation put ₹2,30,000 crore, around $30 billion, behind a plan to turn India into a semiconductor manufacturing powerhouse. The government added it would be putting ₹55,392 crore, around $7.5 billion, behind its electronics manufacturing schemes, which include large scale electronics manufacturing, IT hardware, promotion activities, and electronics manufacturing clusters.  Establishing a semiconductor facility comes during a time when electronic makers continue to struggle with the global chip shortage, which has been predicted to last up until early 2023.

Also in India, the union government has issued a ban on an additional 54 Chinese apps, including those owned by Tencent and Alibaba. The enforcement was issued by the Ministry of Electronics and IT under section 69a of the Information Technology Act, as reported by Economic Times.”The 54 apps have already been blocked from being accessed in India through the [Google] Play Store,” an official told ET.”Many of the apps from the stable of Tencent and Alibaba, have changed hands to hide ownership. They are also being hosted out of countries like Hong Kong or Singapore, but the data was ultimately going to servers in Chinese destinations.” This latest ban by the Indian government is in addition to the 59 Chinese apps that have been barred from the subcontinent since June 2020. Those affected apps included TikTok, Weibo, and WeChat.MORE FROM INDIA More

Image: snjivo — Shutterstock
The US Securities and Exchange Commission (SEC) has found that crypto lender BlockFi operated for 18 months as an unregistered investment company. The company offered BlockFi Interest Accounts (BIAs) — where users lent crypto assets back to BlockFi for a variable monthly interest payment — which the SEC found were securities, and therefore the BlockFi needed to register with the regulator. Along with the findings, BlockFi has agreed to pay a $50 million penalty to settle with the SEC and another $50 million to settle similar charges in 32 states. The company will also halt offering unregistered products, seek registration of a new lending product, and has 60 days to bring its business into compliance. BlockFi was also found to have made a false and misleading statement for over two years on its site related to the level of risk in loan portfolio and lending activity. “This is the first case of its kind with respect to crypto lending platforms,” SEC chair Gary Gensler said. “Today’s settlement makes clear that crypto markets must comply with time-tested securities laws, such as the Securities Act of 1933 and the Investment Company Act of 1940. It further demonstrates the Commission’s willingness to work with crypto platforms to determine how they can come into compliance with those laws.” The SEC added that the rest of the crypto lending ecosystem should “take immediate notice of today’s resolution” and comply with US securities laws.

BlockFi framed the announcement as being the first company under a “new regulatory framework for crypto sector”. “From the day we started BlockFi, we have always known that strong engagement with regulators would be critical for the adoption of financial services powered by cryptocurrencies. Today’s milestone is yet another example of our pioneering efforts in securing regulatory clarity for the broader industry and our clients, just as we did for our first product — the crypto-backed loan,” CEO and founder Zac Prince said. “We intend for BlockFi Yield to be a new, SEC-registered crypto interest-bearing security, which will allow clients to earn interest on their crypto assets.” The company added that existing customers will keep their accounts, but they cannot add to it, and users will be shifted across to the Yield product unless they tell the company not to. Users outside the US can continue using BIAs as they always have. Related Coverage More

Activists in Myanmar have released troves of data linking the country’s military dictatorship to a company that will be purchasing a majority stake in Telenor Myanmar — a subsidiary of Norwegian telecom giant Telenor that controls the personal data of 18 million Myanmar subscribers. Telenor, which is owned and controlled by the Norwegian government, has faced significant backlash for weeks after it announced a decision to sell its telecom business in Myanmar to a notorious Lebanese company called M1 Group for $105 million. News outlets in Myanmar have reported that M1 is already telling regulators in the country that it plans to sell 80% of Telenor Myanmar to Shwe Byain Phyu, a company with deep, longstanding ties to the country’s brutal military, according to local activist group Justice for Myanmar. Telenor has defended the sale by repeatedly saying it is selling the business to M1 and not a military-owned company.Myanmar’s military took control of the country in a violent coup that began last year, arresting the country’s elected leader — Aung San Suu Kyi — and disbanding her government. Since February, the military has arrested and killed thousands, sparking a revolt that has now spread throughout the country. Activists have expressed fears that once Telenor Myanmar is fully controlled by a government-backed company, the military will not only have access to troves of past data on almost all of the country’s citizens but will also be able to install surveillance tools giving them even more access to phone calls, texts, and other personal data. Telenor has already admitted that they initially rebuffed military efforts to install surveillance equipment on their systems, according to Myanmar Now. The company also said it has already complied with at least 200 requests from the military to hand over customer information in the last year.

Justice for Myanmar, a local group dedicated to exposing the business ties of the country’s brutal military dictatorship, accused Telenor of participating in a cover-up due to their refusal to acknowledge M1’s public plan to sell most of the business to Shwe Byain Phyu.Justice For Myanmar released information showing Shwe Byain Phyu has a long history of working with the Myanmar military and its conglomerates. Shwe Byain Phyu is a group of companies founded and owned by Thein Win Zaw, his wife and two children.The group provided concrete evidence showing Shwe Byain Phyu’s ties to military-controlled companies in the petroleum, telecommunications, mining, and forestry industries. “Shwe Byain Phyu is a conglomerate with deep and longstanding ties to the Myanmar military, including with the previous military junta, military conglomerates and sanctioned entities and individuals. The Norwegian government has been turning a blind eye as Telenor Group, a company they control, proceeds to transfer Telenor Myanmar to Shwe Byain Phyu, together with the historical metadata of more than 18 million people,” Justice For Myanmar spokesperson Yadanar Maung said. “This could amount to complicity in crimes against humanity, by handing the military a potent weapon they can use to track down, arrest, torture and murder civil society activists and journalists. The grave risks that the sale of Telenor Myanmar poses to the lives of Myanmar people are glaringly clear. Telenor must stop fabricating a narrative about how their current course of action is based on human rights considerations and immediately suspend the sale.”Telenor’s responseThe Norwegian government did not respond to requests for comment, but a Telenor spokesperson told ZDNet that the company is in a difficult position when it comes to Telenor Myanmar. Cathrine Stang Lund, director of communications for Telenor Group Asia, said the situation in Myanmar has “developed in a direction where we are currently in a conflict between local laws on the one hand and our values, international law and human rights principles on the other.” “This makes it impossible for Telenor to remain in Myanmar. In a severe and volatile security situation, there are no simple solutions. We have to balance several difficult considerations and have come to the conclusion that a sale is the least detrimental solution for our employees, customers and the community,” Lund claimed. “In the sales process, assessments of human rights, privacy and the safety of our employees have been key considerations.”When pressed about reports that M1 planned to sell most of its stake to a company heavily tied to the military dictatorship, head of Telenor Group Communications Gry Rohde Nordhus said the sales agreement between Telenor and M1 “does not prevent M1 from transferring a majority of the shares after the transaction is concluded.”Nordhus explained that Telenor Myanmar is required by local law to store customer data for several years and that the local business would continue to do so once it changes ownership to M1. “We understand that this creates reactions, but the company is obliged by law to do so. To violate or not comply with the laws that apply in Myanmar would result in completely unacceptable consequences for our employees that neither Telenor Myanmar nor we as owners are willing to live with,” Nordhus said. “After the military take-over in February 2021, the circumstances in Myanmar has dramatically changed. The country is currently controlled by a military council, and large parts of the country is under martial law. Breaking or not complying with local laws and directives in this situation can have serious and unacceptable consequences for our employees. This is the reality our employees are facing, and these are the conditions Telenor Myanmar is operating under.”ZDNet asked Nordhus what Telenor will tell the millions of people in Myanmar affected by the company’s decision to sell their data to a military accused of numerous human rights violations. Nordhus acknowledged that the people of Myanmar “are enduring an extremely difficult situation” but said the company had no choice but to simply abandon the business and the data it has spent years collecting. “Telenor cannot operate in a regime that entails violations of international law, human rights principles and our values,” Nordhus said. “We have turned every stone and considered every option, and our assessment is still that a sale is the least detrimental solution for employees, customers, and the broader society.” More

You can now verify your identity with more than just your username and password with this user-centric authentication mechanism. Your online accounts tend to be linked to your username and password, with an added layer of SMS verification to provide two-factor authentication. However, these types of accounts can be compromised by phishing or social engineering to gain access to your accounts.To solve this issue, New York-based ID authentication company Nametag has launched “Sign in with ID” to access online accounts using its multifactor authentication technology combined with biometric identity verification.
Nametag
There are four steps to signing in with ID: scan a QR code on a website, which invokes the Nametag sign in screen; scan your ID (when you first use Nametag, you must upload your official ID); take a selfie; and tap to confirm and share what information is necessary for the transaction. You do not have to download an app; Nametag pops up whenever ID is requested.If you use iOS, the Nametag app will match the uploaded government-issued ID to the selfie. This means you only need to confirm your identity once — or every time you sign in. The company says that this mechanism is a more secure way for companies to authenticate users online by verifying people. To keep Nametag secure, Nametag uses advanced encryption in transit and at rest to protect data on its platform.

The company says it has also completed steps necessary for AICPA SOC2 Type 1 certification and is currently undergoing a SOC2 Type 1 examination with an independent auditor, with a planned completion date of March 2022.

Nametag is primarily funded by two large, US-based institutional inventors: Glasswing Ventures & Village Global. The Nametag product is priced per use for one-time scenarios, such as employee account recovery or transaction authorization for bank transfers. It is also priced and per user for continuous account access to a website or app.The product uses the face matching technology of hyperscale cloud providers, benefiting from their investments in recognition accuracy. Cosmetic appearance changes, such as gaining/losing weight, do not impact matching.Nametag has also built the product to accommodate gender, name, address, and other factors — confident that it maintains security and matching. A user is never locked out even if they lose their phone, access to their email, or get a new driver’s license. Its multi-layer approach to logging in is similar to Starling Bank, which uses government ID, face, and fingerprint recognition, along with a video clip to authenticate users logging in to the banking app on their deviceAaron Painter, CEO of Nametag, said, “Sign in with ID is the evolution of a more secure internet and password-less future. The key step in fulfilling this vision is knowing the real identity of someone online — this is the missing link needed to keep accounts protected and reduce fraud.”Currently, Nametag is US-centric. It accepts government-issued forms of identification across all 50 US states, but it anticipates adding additional international document types later in Q1. With the rise of successful phishing attacks plaguing companies, authentication methods need to evolve to keep one step ahead of the bad actors. Incorporating more safeguards can only be a good thing. More

Mergers and acquisitions in cybersecurity grew to $77.5 billion in 2021, according to research from cybersecurity consultancy Momentum. In a report on 2021, the firm said 83 cybersecurity company capital raises surpassed $100 million. There were fourteen $1 billion mergers and acquisitions, including deals involving McAfee, Augh0, Mimecast, Thycotic, Proofpoint, and Avast. 

ZDNet Recommends

Proofpoint was acquired in August 2021 for $12.3 billion in cash, while NortonLifeLock merged with Avast PLC in a $8.4 billion deal. Okta acquired Auth0 for $6.4 billion, and Symphony Technology Group bought McAfee’s enterprise security business for $4 billion. There were more than 1,000 financing deals involving cybersecurity companies and 286 mergers and acquisitions. There were five cybersecurity IPOs in 2021 — KnowBe4, DarkTrace, SentinelOne, Riskified, and Forgerock — with an average IPO raising $467 million.The numbers far surpassed 2020, which saw 728 deals with cybersecurity companies and $19.7 billion in mergers and acquisitions activity. 
Momentum
The top categories for financing, mergers, and acquisitions include security consulting/MSSP, risk and compliance, cloud security, data security, and threat intel/incident response. The top categories for VC financing ranged from risk and compliance to data security, network security, and infrastructure security. Dave DeWalt, founder of late-stage cybersecurity VC firm NightDragon and a contributor to the report, told ZDNet that the industry is in the midst of a perfect storm of factors that are causing the greatest level of cybersecurity risk that we have ever seen. 

“This includes factors like geopolitical tensions and crises, increasing digitization of technology, work from home, spread of IoT devices, cloud and more. The cybersecurity industry must innovate to match these new trends, and we are seeing a significant increase in funding to fuel that growth,” DeWalt said.”We are entering a new era of cyber ubiquity, where cybersecurity needs to be a piece of every technology and service available, from the cars we drive, to our corporate networks to our mobile devices. I expect we will see cybersecurity investment continue to increase for at least the next decade as we evolve into this new era.”
Momentum
Bob Ackerman, founder of VC firm AllegisCyber Capital, added that the venture ecosystem “has a herd mentality” and will tend to over-capitalize sectors they believe have tremendous promise.  Investment capital is flooding into the cybersecurity ecosystem, driven largely by explosive demand for cyber defense, according to Ackerman. 

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

“The level of investment is a pure reflection of both the need and the opportunity. In cyber, the stakes are incredibly high; the consequences of getting it wrong — unacceptable; the landscape complex; and the pace of change hard to fathom. You cannot over-invest in cutting edge innovation in this environment. That said, you can over-invest in commodity capabilities and under-invest in essential next generation innovation,” he explained. “The digitization of the Global Economy has fueled explosive growth in the cyber attack surface. Seeking to exploit this environment, the entire spectrum of bad human behavior at every level is also digitizing. The consequence is that every aspect of our lives — business, education, healthcare, critical infrastructure, government, travel, finance, etc. is at extreme risk. Cyber is truly one of the existential risks of the 21st century. The stakes could not be higher, and that drives the demand for effective cyber defenses, which in turn fuels investment in cyber innovation.”The report comes amid news that Microsoft was considering acquiring Mandiant and that Cisco was mulling a $20 billion deal for Splunk. 

Tech Earnings More

Adobe has released an emergency patch to tackle a critical bug that is being exploited in the wild. 

On February 13, the tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source, and according to the firm’s threat data, the security flaw is being weaponized “in very limited attacks targeting Adobe Commerce merchants.” Tracked as CVE-2022-24086, the vulnerability has been issued a CVSS severity score of 9.8 out of 10, the maximum severity rating possible.  The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a “product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.” CVE-2022-24086 does not require any administrator privileges to trigger. Adobe says the critical, pre-auth bug can be exploited in order to execute arbitrary code.  As the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, which gives customers time to accept fixes and mitigates further risks of exploit.  The bug impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. 

Adobe’s patches can be downloaded and manually applied here.  Earlier this month, Adobe issued security updates for products including Premiere Rush, Illustrator, and Creative Cloud. The patch round tackled vulnerabilities leading to arbitrary code execution, denial-of-service (DoS), and privilege escalation, among other issues.  Last week, Apple released a fix in iOS 15.3.1 to squash a vulnerability in Apple’s Safari browser that could be exploited for arbitrary code execution. In February’s Patch Tuesday, Microsoft resolved 48 vulnerabilities including one publicly-known zero-day security flaw. 
Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Getty Images
At the end of last year, Australia’s Security Legislation Amendment (Critical Infrastructure) Act 2021 became law to give government “last resort” powers to direct an entity when responding to cyber attacks, which included introducing a cyber-incident reporting regime for critical infrastructure assets. Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors. Provisions seeking to enshrine those obligations were eventually set aside, however, with the federal government deciding to follow a recommendation made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to have those omitted aspects introduced under a second Bill. That second Bill, Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, was introduced into Parliament by Home Affairs Minister Karen Andrews last week. In this second Bill, the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nations, which include providing reports of system information and risk assessments to the Australian Signals Directorate (ASD). The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations, meanwhile, would apply to a smaller subset of entities that hold assets that are classified as systems of national significance. Appearing before Senate Estimates on Monday morning, Home Affairs Secretary Mike Pezzullo said the Bill before Parliament would create a standardised critical infrastructure framework to enable the ASD to approach cyber attacks in a precautionary fashion due to the additional information it would receive.

“Up until now, we haven’t had common nomenclature, we haven’t had common reporting cadences, we haven’t had common reporting thresholds. Should the second Bill pass, obviously, we’re in the hands of the Parliament, what that will do is provide a standardised framework for both regulating and operating across the 11 designated sectors,” Pezzullo said. He also likened the pair of critical infrastructure legislation to being Australia’s “defence” against cyber attacks, whereas the national ransomware plan acts as the “offence”. “You’ve got to go on the offence, which is where the government ransomware action plan takes you. We’ve also got to play defence, that is to say, you’ve got to mitigate the risk as much as you can because today the attack vector is ransomware. The criminal and state actors who use ransomware will, once [it’s been thwarted], will then find another way,” he said. Home Affairs also made a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which commenced a new inquiry to scrutinise the Bill on the same day it was introduced into Parliament. In the submission, Home Affairs said the cost for each entity to run the risk management program, on average, would consist of a one-off AU$9.7 million for setting it up and an annual ongoing cost of AU$3.7 million. Due to the cost and additional regulatory burden that the Bill would place onto these critical infrastructure entities, which includes universities, Home Affairs said it has been working closely with industry experts and stakeholders from across the designated sectors for how best to handle that regulatory burden. Home Affairs said the program was drafted following over 100 engagement with those experts and stakeholders.  Later in the day, another Home Affairs representative provided Senate Estimates with more information about its search for a vendor to perform work on the country’s identity-matching services. Home Affairs National Resilience and Cybersecurity deputy secretary Marc Ablong said his department’s search is for a vendor to manage the country’s identity-matching services and the underlying infrastructure.”It’s not about moving forward on the identity matching services beyond what we currently have approval for,” Ablong said.  The country’s identity-matching services currently consist of three components, with one being the DVS, a national online service used to check in real time whether a particular evidence-of-identity document is authentic, accurate, and up to date. The other two are a face-matching services hub and a national driver licence facial recognition solution.”[Home Affairs] does not collect the images, nor do we have a database of those images. They are all kept within the state registry,” he added, when explaining the department’s remit for these services.Other Home Affairs movements included confirmation that a version of the Digital Passenger Declaration (DPD) would be released tomorrow, which will be the first use case to be built on the Permissions Capability Platform. When the DPD was first announced, the federal government said the DPD would replace the current Australia Travel Declaration (ATD) and the paper-based incoming passenger card. For tomorrow’s launch, however, the DPD will only replace the COVID-19 ATD for the moment, with the transition of replacing the incoming passenger card to come at a later date. Functionally, the DPD will link with a person’s QR code vaccination certificate and capture essential information up to 72 hours prior to a person boarding a plane. While the DPD will be launched tomorrow, travellers will still have to submit their travel declarations using the ATD until the end of this week with the new form of submission to be available from February 18 onwards.Updated at 6:23pm AEST, 14 February 2022: added information about DPD release.Related CoverageHome Affairs releases second Critical Infrastructure Bill with leftover obligationsThis new Bill contains obligations that were excluded from the Security Legislation Amendment (Critical Infrastructure) Act 2021.Critical Infrastructure Bill should be split to swiftly give government step-in powers: PJCISAmong the measures the PJCIS wants to have introduced immediately are step-in powers and mandatory reporting requirements.PJCIS concerned TSSR’s ‘do your best’ requirements are not enough anymoreCommittee recommends an Australian telecommunications security working group be established as it says the Telco Act is not enough to secure the nation.PJCIS backs expansion of intelligence oversight powers for IGIS and itselfThe PJCIS wants its intelligence oversight responsibilities to eventually expand to the Australian Federal Police and AUSTRAC.Home Affairs seeking support to build out Australia’s identity-matching systemA government tender has been published seeking new components to build, deploy, and host the country’s identity-matching services. More