More stories

    More than 130,000 malicious IP addresses were blocked during Census 2021: AWS

    ABS Census Collector toolkit in July 1981

    More than 130,000 malicious IP addresses were blocked to ensure no breaches or interruptions were experienced during what was deemed a successful Census 2021, according to Amazon Web Services (AWS).

    In a blog post, AWS Oceania technology and transformation director Simon Elisha explained that AWS, together with PwC Australia and the Australian Bureau of Statistics (ABS), undertook “extensive DDoS tests” prior to Census 2021 to ensure all data would be secured, in addition to building a web gateway so that each Census form was validated before it was passed along to the ABS processing environment.

    “This included an independent security and compliance assessment against the Australian Government’s Information Security Manual, through an Information Security Registered Assessors Program (IRAP) assessment,” he said. “All information collected in the digital 2021 Census service was securely stored in the AWS Sydney Region. It was also encrypted end-to-end, which means the information was scrambled and could not be read without the decryption keys, which were controlled solely by the ABS.”

    PwC Australia was contracted to build the 2021 Census on the AWS cloud to avoid any embarrassing repeat of what occurred during Census 2016, when the ABS experienced a series of small DDoS attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens being unable to complete their online submissions. At the time, the Census was running on on-premises infrastructure procured from tech giant IBM.

    Other testing the service underwent included ensuring it could meet extreme user demand at more than 2,000 times the expected peak workload, Elisha said. He said this allowed the platform to manage the 2.5 million people who submitted their forms on 2021 Census day, including the online peak at 8:06pm, when about 142 online submissions were received per second and there were 249 logins per second.

    Elisha also boasted that by building a cloud-based contact centre for the ABS, it saved over 394,000 people from calling the Census contact centre to request a paper form. Instead, people who called were prompted by an automated agent to enter details such as their Census ID number and their postcode to be verified.

    “The Census Digital Service achieved high levels of security, reliability, and scale thanks to the serverless architecture built on AWS. The most important benefit of working with AWS is that ABS doesn’t have to worry about building and operating the underlying infrastructure, and ABS can focus on delivering a simple and easy experience for the people of Australia,” ABS CIO Steve Hamilton said.

    Quad countries announce slew of tech initiatives including shared cyber standards

    The Quadrilateral Security Dialogue, better known as the Quad, has announced various non-military technology initiatives aimed at establishing global cooperation on critical and emerging technologies, such as AI, 5G, and semiconductors.

    The various technology initiatives were announced after the leaders of Quad countries, comprising Australia, India, Japan, and the US, met on Friday, which marked the first time the group has come together in person.

    Among the initiatives announced by the security bloc was the intention to develop new global cybersecurity standards across various technology sectors.

    “With respect to the development of technical standards, we will establish sector-specific contact groups to promote an open, inclusive, private-sector-led, multi-stakeholder, and consensus-based approach,” the Quad said in a joint statement.

    As part of work to be undertaken towards establishing these global technology standards, the Quad said it would publish a Quad Statement of Principles, which will be a guide for implementing responsible, open, high-standards innovation.

    “We are working to make cyberspace and emerging and critical technologies trusted and secure, in open societies, solving problems, and addressing the supply chain challenges that in many ways hold the keys to our security and our prosperity and our environment in the 21st century,” Australian Prime Minister Scott Morrison said.

    A new Quad Senior Cyber Group will also be established. The group will consist of “leader-level experts” who will meet regularly to advance work between government and industry to drive the adoption and implementation of shared cyber standards; development of secure software; growth of the tech workforce; and promotion of scalability and cybersecurity of secure and trustworthy digital infrastructure.

    The security bloc will also begin cooperation focused on space and combating cyber threats, promoting resilience, and securing critical infrastructure together, the countries said.

    For space specifically, the Quad nations will identify new collaboration opportunities and share satellite data for peaceful purposes such as monitoring climate change, disaster response and preparedness, sustainable uses of oceans and marine resources, and responding to challenges in shared domains.

    Other technology initiatives announced by the Quad over the weekend included a new fellowship that will be established together with industry. The fellowship will provide 100 graduate fellowships to science, technology, engineering, and mathematics graduate students across the four countries.

    New initiatives to improve semiconductor supply chains, 5G deployment and diversification, and monitor biotech scanning trends were also announced.

    In announcing these new initiatives, the Quad sledged China, although China was not named, by jointly saying: “We will continue to champion adherence to international law … to meet challenges to the maritime rules-based order, including in the East and South China Seas”.

    “We affirm our support to small island states, especially those in the Pacific, to enhance their economic and environmental resilience,” the Quad added.

    The movements from Quad countries follow various international pacts coming to the fore in recent weeks, with Quad members Australia and the US joining the UK to establish the AUKUS security pact.

    AUKUS, made public a fortnight ago, was established by the three governments to address defence and security concerns posed by China within the Indo-Pacific region. The trilateral security pact’s focus has so far been military-heavy, unlike the Quad’s new initiatives, with AUKUS’ first initiative being to help Australia acquire nuclear-powered submarines.

    Meanwhile, both China and Taiwan have formally applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), one of the world’s largest trade pacts.

    Australians are losing over AU$6.6 million each month to cryptoscams

    Losses related to cryptocurrency investment scams made up over a quarter of the total scams reported to the Australian Competition and Consumer Commission (ACCC) from the start of the year to the end of August.

    In a response to a question on notice from the Senate Select Committee on Australia as a Technology and Financial Centre, the ACCC revealed it received 3,007 reports that totalled losses of AU$53.2 million. This represented 55% of all losses due to investment scams, and 48% of all investment scam reports.

    Broken down by state, New South Wales had 860 reports for AU$20.6 million in losses, Victoria had 563 reports for AU$12.6 million in losses, Queenslanders lost AU$8.2 million and made 485 reports, while Western Australia made 268 reports on AU$3.8 million in losses.

    By age, those in the 55-64 bracket lost over AU$12.6 million and made 365 reports, those over 65 accounted for AU$10.7 million in losses and filed 356 reports, while those aged 44-54 made 352 reports and lost AU$8.7 million. As age decreased, so did the losses, with those aged 35-44 making 627 reports for losses of AU$7.6 million. 25-34-year-olds lost AU$7 million and made 570 reports.

    Beyond cryptoscams, those labelled “traditional scams”, such as pre-IPO, share, and foreign exchange scams, accounted for AU$21 million in losses from 411 reports, the other category had 2,590 reports for AU$11.7 million in losses, and ponzi schemes had 110 reports for only AU$239,000 lost.

    The grand total lost to all investment scams to August 31 was AU$96.6 million. Broken down by state, New South Wales had 1,864 reports for AU$33 million in losses, Victoria had 1,316 reports for just shy of AU$23 million in losses, Queenslanders lost AU$20 million and made 1,060 reports, with Western Australia making 580 reports on AU$7.7 million in losses.

    On Monday, the ACCC said from the start of 2021 to September 19, Australian losses to all scams had passed AU$175 million.

    “While the proportion of reports involving a financial loss has dropped this year, the people who do lose money are losing bigger amounts. The average loss so far this year is about AU$11,000 compared to AU$7,000 for the same period in 2020,” ACCC deputy chair Delia Rickard said.

    The ACCC said it had seen a 261% increase in phishing scams, 144% involving remote access, and 234% in identity theft. The consumer watchdog said it had been passing scammer phone numbers onto Australian carriers, and working with banks to “raise awareness with their customers” who could have been hit by the Android malware known as Flubot.

    Eftpos granted government accreditation as first private ID exchange operator

    Eftpos has become the first accredited non-government operator of a digital identity exchange under the federal government’s Trusted Digital Identity Framework (TDIF).

    By becoming an accredited operator, Eftpos connectID can now facilitate online transactions requiring a digital identity from Australians.

    Eftpos took connectID live in June as a fully-owned subsidiary of the organisation and as a standalone fintech company. It has been set up to act as a “broker” between identity service providers and merchants or government agencies that require identity verification, such as proof of age, address details, or bank account information.

    It has been designed to work within the federal government’s Trusted Digital Identity Framework (TDIF) and the banking industry’s TrustID framework.

    Although the Australian government has its own digital identity solution with myGovID, Eftpos has previously said its solution could provide a “smoother, faster, and more secure onboarding experience, including for government services”. Eftpos has also assured that connectID does not store any identity data.

    “A safe, thriving digital economy is the best way we can grow the Australian economy. A safe, thriving digital economy is not possible without digital identity, that is, a safe, secure, and convenient way for Australians to prove their identity online,” Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said.

    “Through accreditation, we make sure Australians and Australian businesses can have trust and confidence that their personal information is safe and secure.

    “As an accredited provider, Eftpos has demonstrated that connectID is trustworthy, safe, and secure and has met strict usability and accessibility requirements. I congratulate Eftpos for being the first private identity exchange to be accredited under the TDIF.”

    Eftpos applied for accreditation in May. The federal government’s myGovID was the first to be granted a TDIF accreditation, followed by Australia Post’s Digital ID. Last month, OCR Labs became the first accredited non-government operator to provide digital identity services to the private sector.

    “TDIF accreditation is a big step forward for Eftpos and industry to help bring the benefits of digital identity to more sectors of the economy. It is a significant and tangible milestone in the rollout of Australia’s digital identity ecosystem and comes after months of rigorous assurance evaluations and privacy and security testing,” Eftpos CEO Stephen Benton said.

    Since last year, Eftpos has been piloting connectID with 20 “well-known” Australian brands, including Australia Post and Yoti.

    According to Eftpos digital identity managing director Andrew Black, the company is looking to use connectID to help businesses address issues in areas such as commerce onboarding, recruitment, responsible gaming, anti-money laundering and identity verification.

    The news follows Mastercard and the Digital Transformation Agency (DTA) announcing plans to scope out how the former’s digital identity service could enable Australians to digitally verify their age and identity.

    Mastercard is also seeking accreditation under the TDIF. If granted, Mastercard said it would enable consumers to create a reusable digital identity using official identity documents, such as passports and driving licences, and to protect digital identity data using encryption and facial biometrics.

    In June, the Australian government published a consultation paper on digital identity that indicated legislation would enter Parliament later this year to allow non-government entities to provide digital identification services to Australians.

    Under the TDIF, the set of rules can only be applied to Australian government entities; it can’t be applied to states and territories, or to the private sector, which is why legislation is required.

    The Digital Identity Legislation is hoping to ensure privacy safeguards are in place, such as limiting access to biometric information, but it will include the ability for users to consent to their biometric information being accessed for fraud or security investigations.

    Miffed security researcher finds way to get Apple talking, drops three iOS vulnerabilities

    For most of 2021, a security researcher going by the name of illusionofchaos has been engaged in an unfruitful conversation with Apple to fix a number of vulnerabilities that allow apps to make API calls to pull down user information that they should not be able to.

    On Friday, the researcher went public with their findings, which contained one vulnerability fixed in iOS 14.7 and three unpatched vulnerabilities.

    The fixed bug involved Analyticsd and allowed apps to access logs containing medical information, device usage information, application crashes, and information on device accessories.

    The unpatched vulnerabilities included the gamed service not properly checking game-center permission and allowing access to the Core Duet database that contains all contacts from Mail, SMS, iMessages, and some attachments; Apple ID email, full name, and authentication tokens allowing access to at least one apple.com endpoint; and read access to the speed dial database and address book. A vulnerability in Nehelper allowed an app to check whether any other app was installed, and another Nehelper bug allowed unauthorised access to Wi-Fi information.

    The researcher said when Apple fixed the Analyticsd issue, they were not credited, with Apple saying in July that credit was forthcoming. By September, the researcher was still waiting. For each vulnerability, the researcher published proof-of-concept code on GitHub.

    On Saturday, the researcher received a response from Apple, which said it had seen the blog post and apologised for the delay.

    “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance,” Apple said.

    ZDNet asked Apple for comment on Friday, but we are still awaiting a response.

    Over the weekend, a blind developer complained that Apple had labelled as spam an update to make an accessible version of Hangman run on iOS 15.

    “My app is made for the blind and that all the other hangman games I have seen on the app store are half playable and … this is a bugfix update and already existing users who have paid for the app are unable to play using iOS 15,” Oriol Gómez sentís wrote. “To my horror, they replied saying that yes, ‘we understand that your app has voiceover’, hello? My app has voiceover? But unfortunately the rejection is still in place.”

    By the early hours of Monday morning, the developer said Apple had approved the update, but the app remained in violation of App Store guidelines.

    Operation Ironside has confiscated AU$31 million of assets so far

    AU$6.1 million worth of seized cash.

    The Australian Federal Police (AFP) has so far seized over AU$31 million of assets through Operation Ironside, the message decryption sting operation that was labelled as the country’s “most significant operation in policing history”.

    The update was provided as part of an AFP announcement that it made its first multi-million cash forfeiture as part of the sting operation, confiscating AU$6 million of cash from a Western Australian man. The man, who was a member of a criminal syndicate, has pleaded guilty to various criminal offences and will face five years of imprisonment.

    The AU$6 million in cash will be redistributed from the confiscated assets account by Home Affairs Minister Karen Andrews to support crime prevention, law enforcement, and related community initiatives, the AFP said.

    The operation, dubbed Project TrojanShield by the Federal Bureau of Investigation (FBI), is a global sting operation that was commenced by the US agency after it recruited a confidential human source to provide access to the Anom platform, an encrypted communications product used by transnational criminal organisations.

    The AFP contributes to the sting operation by providing its “technical capability” in decrypting those messages. In Australia, intelligence and law enforcement agencies can request or demand assistance from communications providers to access encrypted communications. Europol is also involved in the operation.

    The AU$31 million figure only accounts for the assets confiscated by the AFP, and does not include those seized by law enforcement agencies outside of Australia.

    When the global investigation was first unveiled in June, the FBI, AFP, and Europol jointly said the operation at the time had led to 525 search warrants, 224 individuals being charged, 525 charges in total, six clandestine labs being taken down, and 21 threats to kill being averted. It also said at the time that 3.7 tonnes of drugs, 104 firearms and weapons, and over AU$45 million in assets had been seized.

    Huawei CFO and detained Canadians return home following wrap-up of extradition charges

    Huawei CFO Meng Wanzhou’s extradition lawsuit wrapped up over the weekend, ending a near three-year saga that saw her placed under house arrest for almost the entirety of that period. On the same day, two Canadians who were detained in China for over 1,000 days were similarly released and returned to Canada.

    Meng was allowed to return to China after she reached an agreement with United States prosecutors to admit to misleading global financial institutions.

    “In entering into the deferred prosecution agreement, Meng has taken responsibility for her principal role in perpetrating a scheme to defraud a global financial institution,” Eastern District of New York Acting Attorney-General Nicole Boeckmann said in a statement. “Her admissions in the statement of facts confirm that, while acting as the chief financial officer for Huawei, Meng made multiple material misrepresentations to a senior executive of a financial institution regarding Huawei’s business operations in Iran in an effort to preserve Huawei’s banking relationship with the financial institution.”

    The admission entails agreeing to a four-page statement of facts accepting that she knowingly communicated false statements to financial institutions.

    In January 2019, the United States government unsealed a pair of indictments against Huawei, with the first being against the company and Meng, and the second alleging Huawei conspired to steal intellectual property from T-Mobile and subsequently obstructed justice. In the indictment issued against Meng, she was accused of misrepresenting Huawei’s ownership and control of Iranian affiliate Skycom to banks to launder money via the international banking system, which breached United Nations, United States, and European Union sanctions. Meng was detained and arrested by Canadian authorities on the United States’ behalf just prior to the charges being unsealed.

    By making those allegations, the United States wanted to extradite Meng to the United States to face those charges locally. This led to an extradition battle within Canada to determine whether Canadian authorities should pass Meng to the United States. Throughout the extradition proceedings, Meng was released on bail and placed under house arrest in Vancouver.

    Meanwhile, the Chinese government detained two Canadian citizens, Michael Kovrig and Michael Spavor, shortly after Meng’s arrest, accusing them of spying and stealing state secrets from China.

    By entering into the agreement, Meng admitted only to misleading global financial institutions, and did not plead guilty to the various fraud charges imposed against her.

    Huawei in a statement said it was happy to see “Meng Wanzhou returning home safely to be reunited with her family”. The company also continued to deny the allegations made by the United States in the statement, saying it would continue to defend itself in court as the indictments are still ongoing.

    China’s Foreign Ministry spokesperson Hua Chunying said the allegations were “political persecution against a Chinese citizen and its aim is to suppress Chinese high-tech companies”, according to a Chinese state media outlet.

    Meng and the two Canadians arrived back in their respective countries on Saturday, with Canadian Prime Minister Justin Trudeau posting pictures of Kovrig and Spavor’s return on Twitter.

    “Welcome home, Michael Kovrig and Michael Spavor. You’ve shown incredible strength, resilience, and perseverance. Know that Canadians across the country will continue to be here for you, just as they have been,” he tweeted.

    Huawei looking to fill $40 billion hole in revenue from handset business

    Speaking on Friday, Huawei rotating chair Eric Xu said other areas of the business have not compensated for the loss of revenue due to the company being added to the US Entity List in 2019. When a company is on the Entity List, US companies are banned from transferring technology to it unless the US company has received licence approval from the US government.

    In its latest yearly financial results, Huawei posted net profit of 64.6 billion yuan, but its growth in markets outside of China ground to a halt. The company sold off its Honor business at the end of 2020, and has been focusing on increasing the use of 5G in areas such as mining.

    “Other areas [can] certainly not compensate for the revenue loss of the handset business. Not just in one year, even those revenues throughout 10 years combined cannot compensate for the decline in revenue,” Xu said through an interpreter. “It will take a rather long time for us to compensate for the $30-40 billion loss applying 5G and other technologies to other industry sectors.”

    Mastercard and DTA to scope out digital ID service for age verification

    Mastercard and the Digital Transformation Agency (DTA) are working together to see how the former’s digital identity service could enable Australians to digitally verify their age and identity.

    As part of the collaboration, Mastercard said it would work with the DTA to examine a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online.

    “Australians are increasingly expecting no disruptions between their online and physical lives, and identity is an area that must keep pace with those expectations. Public-private pilots have the potential to make it easier to use these verified identities securely, everywhere they travel,” Mastercard Australasia division president Richard Wormald said.

    Last year, Mastercard announced the quiet expansion of the trial for its digital identification service, following the successful completion of phase one with partners Deakin University and Australia Post.

    Announced in December, the three parties kicked off two trials: the first for an identity verification process of student registration and digital exams at Deakin’s Burwood and Geelong campuses in Victoria, and the second integrating Mastercard’s digital ID solution with the one the postal service has been working on.

    The pilot saw students create a digital identity in Australia Post’s Digital ID app and use it to gain access to Deakin University’s exam portal. Mastercard said the ID successfully orchestrated the sharing of verified identity data between the two parties, sending only the specific personal information required to permit entry using its network. The three organisations expanded the trial to verify students taking exams online.

    The second phase of the trial built on work to integrate the Mastercard and Australia Post services, connecting with other third-party platforms to “extend the value and use of the service” to more providers and partner organisations in Mastercard’s ID network.

    A partnership with Optus was also launched around the same time. Under that trial, Optus customers could use Mastercard’s ID service to prove their identity online and in-store.

    “Connecting with trusted third-party digital identity platforms is key to scaling digital identity more broadly. Without interoperability, it’s very hard to build beyond local deployments,” Wormald said. “This is why Mastercard continues to collaborate with like-minded organisations, giving citizens new ways to verify their identity without having to hand over any physical documents or surplus information.”

    Additionally, Mastercard announced it has applied for accreditation under the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity in Australia. If granted, Mastercard said it would enable consumers to create a reusable digital identity using official identity documents, such as passports and driving licences, and to protect digital identity data using encryption and facial biometrics.

    In June, the Australian government published a consultation paper on digital identity that indicated legislation would enter Parliament later this year to allow non-government entities to provide digital identification services to Australians.

    Under the TDIF, the set of rules can only be applied to Australian government entities; it can’t be applied to states and territories, or to the private sector, which is why legislation is required.

    The Digital Identity Legislation is hoping to ensure privacy safeguards are in place, such as limiting access to biometric information, but it will include the ability for users to consent to their biometric information being accessed for fraud or security investigations.