More stories

  • in

    CISA releases alert on BadAlloc vulnerability in BlackBerry products

    CISA has released an alert about a slate of BlackBerry products affected by the BadAlloc vulnerability, which was spotlighted by Microsoft researchers earlier this year. On Tuesday, BlackBerry released an advisory explaining that its QNX Real Time Operating System — which is used in medical devices, cars, factories and even the International Space Station — can be affected by BadAlloc, which is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. BlackBerry recently boasted that the QNX Real Time Operating System is used in 200 million cars. CISA added that IoT devices, operational technology and some industrial control systems have incorporated QNX Real Time Operating System, making it urgent for measures to be taken to protect systems. BlackBerry released a full list of the affected products. “A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” CISA’s alert said. “At this time, CISA is not aware of active exploitation of this vulnerability. CISA strongly encourages critical infrastructure organizations and other organization developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.” The alert goes on to explain that the vulnerability involves an “integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products.” For threat actors to take advantage of the vulnerability, they need to already have “control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation.”

    Network access would allow an attacker to remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet, CISA added. The vulnerability affects every BlackBerry program with a dependency on the C runtime library. CISA warned that since many of the devices affected by the vulnerability are “safety-critical,” the potential for exploitation could risk giving cyberattackers control of systems that manage infrastructure or other critical platforms. “CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible,” the alert said. “Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code,” CISA explained, adding that some organizations may have to create their own software patches. Some software updates for RTOS require removing devices or taking them to an off-site location for physical replacement of integrated memory, according to CISA. BlackBerry said in its own release that they had not yet seen the vulnerability used. The company suggested users of the product ensure that “only ports and protocols used by the application using the RTOS are accessible, blocking all others.” “Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices,” BlackBerry’s notice said. There are no workarounds for the vulnerability, according to BlackBerry, but they noted that users can reduce the possibility of an attack “by enabling the capability for ASLR to randomize process segment addresses.” The notice includes a number of updates BlackBerry has released to address the vulnerability. Microsoft said in April that BadAlloc covers more than 25 CVEs and potentially affects a wide range of domains, from consumer and medical IoT to Industrial IoT. On Tuesday, Politico reported on the behind-the-scenes dispute between BlackBerry and US government officials since the BadAlloc vulnerability was disclosed in April. BlackBerry allegedly denied that the vulnerability affected their products and resisted government attempts to release public notices about the problem. BlackBerry didn’t even know how many organizations were using the QNX Real Time Operating System when asked by government officials, forcing them to go along with government efforts to publicize the vulnerability. CISA officials coordinated with affected industries and even the Defense Department on the security notice about the QNX system, according to Politico, which noted that CISA will also brief foreign officials on the vulnerability. BlackBerry said in June that the QNX royalty revenue backlog has increased to $490 million at the end of its first quarter of fiscal year 2022. The company boasted that it is used in millions of cars made by Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota and Volkswagen.
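The bug class CISA describes, an integer overflow in the size computation of a calloc()-style allocator, is shown below as an added example; it is not BlackBerry's or CISA's code, and the function names and the 16-byte record size are assumptions made for illustration. It contrasts the wrapped byte count an unchecked multiplication produces with an allocator that refuses the request.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE 16u   /* constructed record size, for illustration only */

/* Byte count that an allocator WITHOUT an overflow check would request.
 * size_t arithmetic is modulo SIZE_MAX + 1, so a large product wraps to a
 * small value and the caller receives a buffer far smaller than it expects. */
size_t unchecked_total(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Returns 1 and stores nmemb * size in *total when the product fits in
 * size_t; returns 0 (leaving *total untouched) when it would wrap. */
int checked_total(size_t nmemb, size_t size, size_t *total)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;
    *total = nmemb * size;
    return 1;
}

/* Hardened calloc-style allocator (hypothetical name): a request whose size
 * computation would overflow fails with ENOMEM instead of being truncated. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (!checked_total(nmemb, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Allocates `count` records through the hardened path and reports whether
 * the call succeeded and every byte is zero. Returns 1 on success, 0 if the
 * request was refused. */
int records_alloc_zeroed(size_t count)
{
    unsigned char *buf = checked_calloc(count, RECORD_SIZE);
    if (buf == NULL)
        return 0;
    int ok = 1;
    for (size_t i = 0; i < count * RECORD_SIZE; i++) {
        if (buf[i] != 0) {
            ok = 0;
            break;
        }
    }
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed input: a record count chosen so count * 16 exceeds SIZE_MAX. */
    size_t count = SIZE_MAX / RECORD_SIZE + 2;

    printf("requested records : %zu\n", count);
    printf("unchecked bytes   : %zu\n", unchecked_total(count, RECORD_SIZE));
    printf("checked_calloc    : %s\n",
           checked_calloc(count, RECORD_SIZE) == NULL ? "refused (ENOMEM)"
                                                      : "allocated");
    printf("4 records zeroed  : %d\n", records_alloc_zeroed(4));
    return 0;
}
```

A caller that trusts the original element count after an unchecked allocation will index past the end of the undersized buffer, which is why the size check belongs inside the allocator rather than being left to each call site.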

  • in

    Patch released for Fortinet command injection vulnerability

    Fortinet has patched a vulnerability that attackers could have leveraged to take complete control of a device with the highest possible privileges, according to a report from cybersecurity company Rapid7.

    Rapid7 researcher William Vu was credited with discovering the issue, which centers around an OS command injection vulnerability in FortiWeb’s management interface, particularly in version 6.3.11 and prior. The vulnerability allows a remote, authenticated attacker “to execute arbitrary commands on the system, via the SAML server configuration page.” “This is an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), and has a CVSSv3 base score of 8.7,” the report said. Vu added that the vulnerability appeared to be tied to CVE-2021-22123 and was patched by Fortinet in June. Fortinet FortiWeb is a web application firewall that is built to identify both known and unknown exploits targeting protected web applications before they have a chance to execute, according to Rapid7. Vu discovered the vulnerability in June and Fortinet quickly acknowledged the disclosure and patched the issue.

    Rapid7 released a detailed report about how the attack works, noting that a hacker who has already been authenticated to the management interface of the FortiWeb device could then “smuggle commands using backticks in the ‘Name’ field of the SAML Server configuration page.” “An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ,” the report said. “Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication bypass issue, such as CVE-2020-29015.” If users are not able to patch their devices, Rapid7 suggests disabling the FortiWeb device’s management interface from untrusted networks, which they said “includes the internet.” “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection,” the Rapid7 report explained. Fortinet has invested heavily in security features over the last year but that has done little to stop widespread concern about multiple vulnerabilities found in their products over the last six months. The FBI and CISA have released multiple alerts warning Fortinet users about insecure products being exploited by hackers. The FBI issued a flash alert in May after a local government office was attacked through Fortinet vulnerabilities. That alert came just weeks after another report was released by US agencies warning that advanced persistent threat groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

  • in

    How does ExpressVPN work? Plus how to set it up and use it

    The acronym VPN stands for virtual private network. Those three words tell a lot about how a VPN works. Let’s start with network. VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent hackers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires. Instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired). What a VPN actually does is take data that you’re sending out over the internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted, and then sent on to, say, Google or Netflix. ExpressVPN, which is the service we’re talking about in this guide, has more than 3,000 servers in 160 locations. On the flip side, a VPN takes data from a server on the internet, encrypts it on one of ExpressVPN’s servers, and sends that encrypted data to your computer, which decrypts it when it arrives. This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels, and schools. By virtue of your data leaving the VPN provider’s server (which, for ExpressVPN, can be in your choice of 94 countries), your actual location can be hidden, and the final server sees as your location what’s actually the location of your provider’s server.

    That’s how VPNs obfuscate your location. Although it’s sometimes illegal, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more important is that activists and those concerned about stalkers use it to hide their location for their personal security. OK, so with that introduction into how VPNs, and specifically ExpressVPN, work, let’s look at how to set up and install ExpressVPN. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

    Locations: 160
    Countries: 94
    Simultaneous connections: 5
    Kill switch: yes
    Logging: no
    Price: $12.95 per month, or 12 months for $99.95
    Trial: 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, game consoles, smart TVs, routers

    Installing ExpressVPN

    The first thing you’re going to want to do is point your browser at ExpressVPN’s website and click the Get ExpressVPN button. You’ll want to pick a plan that suits your budget, buy it, and set up an account. Once you have an ExpressVPN account, we’ll move on. Log into your account dashboard. Generally, you’ll want to hit the Download button. If your platform isn’t correct, click Setup Other Devices. Here, you’ll want to do two things. First, make a note of your activation code and click the Open file link. Next, give Windows permission to do its thing. I went ahead and closed my browser window. ExpressVPN will take a minute to install.

    Starting ExpressVPN

    Now that you’ve installed ExpressVPN, it’s time to log in. This is the same account you used to create your account, get your activation code, and download ExpressVPN. Once again, you’ll need to let Windows know you approve of this install. Next, enter the activation code you saved off from before. If you misplaced it, just open a browser tab, go to ExpressVPN.com, click the Account button, and copy it again. Go ahead and set things up to launch ExpressVPN on login. You don’t have to initiate a VPN connection when you log in, but it will be nice to have the software ready when you are. And, if you are traveling, you’ll want the VPN to come on immediately on login to protect your data. The next option is entirely your choice. I tend to hover between “Hell, no!” and “Why not?” depending on my mood. And there you are.

    Checking ExpressVPN’s settings

    Here’s the main screen for ExpressVPN. Before hitting connect, click the hamburger menu on the upper left. Next, choose Options. This is one of the most important tweaks you’ll make. We’re not going to dig into a lot of settings options, but it’s very important you make sure “Stop all internet traffic if the VPN disconnects unexpectedly” is checked. This is what VPNs call a kill switch. It means that, if the VPN disconnects, you won’t be sending traffic unprotected. You should also check “Allow access to devices on the local network (such as printers or file servers)” so you can connect to local devices. Hit OK and you’re all set up.

    Using ExpressVPN

    If you hit the big power button now, you’ll connect to the nearest server. I live in the US Pacific Northwest, so that’s why Seattle is displayed. But, if you want to connect to another country, click the three little dots. I went ahead and chose the UK. Once I hit the big power button, I was connected. In fact, to servers on the internet, I no longer appear to be in the US Pacific Northwest, I appear to be in Blackwall in East London. To disconnect, hit the big power button again. If you can’t find that window because you minimized it or it’s obscured behind your browser, go down to your system tray. There, you’ll find a small menu that launches and operates ExpressVPN.

    ExpressVPN’s cool speed test

    ExpressVPN has a very cool speed test feature. It will, in one shot, allow you to test all of the company’s servers and see how they all perform. Launch it from the hamburger menu. Just hit the Run Test button. Give it a few minutes and you’ll get the results of the entire ExpressVPN network. So, there you go. That’s how to use ExpressVPN. Let us know what you think in the comments below. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


  • in

    Securing Microsoft Edge: Switch off JIT compilers or sandbox?

    Google and Microsoft, which now both contribute to the Chromium project, apparently share concerns about the Just-In-Time (JIT) compiler in Chrome’s V8 JavaScript engine.  Microsoft’s Edge Vulnerability Research (VR) team last week announced the start of testing Microsoft’s Super Duper Secure Mode (SDSM) for Edge, which works by removing Just-In-Time (JIT) compilation from the V8 processing pipeline. 

    Google’s V8 JavaScript engine for Chrome was a key turning point for web applications in the history of browsers, Microsoft’s creator of TypeScript (a superset of JavaScript) acknowledged in an interview with ZDNet last year. Per MS Poweruser and Reddit users, unstable Edge Canary now includes a flag that enables SDSM in Edge. That is, JIT compilation in V8 in Edge is disabled by going to edge://flags/#edge-enable-super-duper-secure-mode. Microsoft is not alone in taking new approaches to the V8 engine’s JIT compilers. Google Project Zero is also exploring how to tackle vulnerabilities surrounding JIT compilation in V8, but with a different solution — namely, creating a custom sandbox for V8. As Microsoft’s browser vulnerability researchers noted, JITs exist to optimise JavaScript performance. Disabling JIT would remove half of the V8 bugs that must be fixed, they argue, and go on to note that Microsoft’s tests found that disabling JIT results in virtually no changes to browser performance across memory, page load and startup times, and power consumption. Since Microsoft Edge is based on Chromium and Google Chrome is the most widely used browser on Windows, there is a mutual area of concern for both firms.

    With V8’s JIT compilation turned off, Microsoft could enable Edge memory and hardware-based protections — such as the hardware-based Control-flow Enforcement Technology (CET) from Intel, and Windows’ Arbitrary Code Guard (ACG) and Control Flow Guard (CFG) — that were previously incompatible with JIT. Google is not unaware of this, but some within Google believe that the benefits of these hardware-based protections might not be as effective as believed. Interestingly, in May, Google’s Chrome team opted to enable Intel’s CET mitigations for Chrome on Windows 10 to mitigate return-oriented programming (ROP) attacks. Earlier this month, Google Project Zero researcher Samuel Groß outlined a sandbox approach to tackle JITs within the context of V8. He warned that his proposal had many hurdles to cross. Those hurdles could come from other teams within Google, such as the Chrome team, from Microsoft, or from other interested parties. Groß explained that the problem with V8 stems from JIT compilers that can be used to trick a machine into emitting machine code that corrupts memory at runtime. “Many V8 vulnerabilities exploited by real-world attackers are effectively 2nd order vulnerabilities: the root-cause is often a logic issue in one of the JIT compilers, which can then be exploited to generate vulnerable machine code (e.g. code that is missing a runtime safety check). The generated code can then in turn be exploited to cause memory corruption at runtime,” Groß said. “This appears to be a somewhat natural problem of JIT compilers for dynamic languages, as one of their major purposes is to remove (redundant) runtime checks that would otherwise be performed by the interpreter.” He’s less confident in the technologies that Microsoft researchers say would be enabled by switching JIT compilers off, hence the better approach may be to create a custom sandbox for V8. As Groß also noted, CPU side-channel vulnerabilities, and the potency of V8 vulnerabilities, mean that “upcoming hardware security features such as memory tagging will likely be bypassable most of the time.”

  • in

    IPVanish review: A VPN with a wealth of options

    IPVanish sells itself short. This VPN service offers a lot more capability than it promotes on its home page. If you visit the IPVanish website, you’ll see all the usual stuff that you’d expect from a VPN provider. There’s the claim that it’s “the world’s best VPN;” information about the advantages of secure browsing; a list of testimonials from media outlets and customers; pricing and a list of apps. In other words, the same stuff you’re going to see when you visit the websites of most other VPN providers. What IPVanish doesn’t tell you is that it’s rich with options and information. While its app certainly makes it easy to just click-and-go, if you want to make an informed server choice, choose protocols, protections, and options, IPVanish gives you that capability. The thing is, you only discover this wealth of options and browsing controls once you’ve created an account and downloaded and installed the app. For users new to VPNs, it makes sense to hide the power behind a bunch of tabs. But IPVanish might attract more informed users (and influencers who recommend software to others) by providing a tab on its website about the options and power it provides to users who dig a little deeper.

    IP Addresses: 40,000+
    Servers: 1,900+
    Locations: 75+
    Simultaneous connections: unlimited (terms of service apply)
    Kill switch: yes
    Logging: no
    Price: $10.99 per month, or $44.99 per year
    Best deal: $44.99 for one full year (renewals thereafter at $89.99/year)
    Trial: 30-day money-back guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, routers, Amazon Fire devices, any Android-based media device

    Server selection options

    I like how IPVanish provides the opportunity for VPN geeks to dig deeper into its connection settings. At the basic level, there’s a Quick Connect option that allows you to just push a Connect button and be up and running. But if you want to explore more deeply, you can hit the Server List tab. I like the Map tab the best, because it shows both the cities where servers are located and the number of servers in each city. The list view allows you to search for a location, and then sort by a variety of criteria. Filter combines both country specification and required latency. I chose

  • in

    iProVPN deal: Get lifetime protection for only $40

    It looks like remote or hybrid models will be the new normal well into the future for both work and education. But while most people think their home network is utterly secure, that really isn’t always the case. Not to mention, a great many people will often be tempted to work in a variety of locations, which means using public WiFi networks that are notoriously vulnerable to hackers. Why take chances with your privacy and the security of your data when a lifetime of powerful protection from iProVPN is so affordable?

    iProVPN includes several features to provide bulletproof protection to your privacy and your sensitive personal information. There is military-grade AES 256-bit Encryption to scramble your data so third parties can’t get anywhere near it. You also have a kill switch to immediately cut your connection to the internet if there is any disruption to your VPN server connections. But iProVPN also makes your experience a top priority, so your VPN service does not slow down your connection speeds. It also utilizes split tunneling, so that only selected traffic will actually pass through the VPN servers, allowing you to continue enjoying native content. While it will be a huge relief not to have to worry any longer about your identity, data, and online activities being exposed, iProVPN gives you the freedom to watch whatever you want no matter where you are, as well. You can instantly switch between more than 250 servers in over 20 countries, so you will easily bypass any geo-restrictions you might encounter on up to 10 devices simultaneously. Also, since iProVPN allows completely unlimited bandwidth, you can enjoy speedy downloading and high-quality streaming without having to worry about buffering or hitting any data caps. iProVPN has been featured on Engadget, MSN, Forbes, TNW, and more. And the service has garnered an extremely impressive average rating of 4.8 out of 5 stars on Trustpilot. Don’t miss this chance to get a lifetime of ultimate protection for your privacy and your most confidential personal data, as well as have access to high-quality content worldwide. Get iProVPN: Lifetime Subscription today while it’s currently available for only $39.99.


  • in

    Critical IoT security camera vulnerability allows attackers to remotely watch live video – and gain access to networks

    Security vulnerabilities in millions of Internet of Things (IoT) devices, including connected security cameras, smart baby monitors and other digital video recording equipment, could allow cyber attackers to compromise devices remotely, allowing them to watch and listen to live feeds, as well as compromise credentials to prepare the ground for further attacks. The vulnerabilities in IoT devices that use the ThroughTek Kalay network have been disclosed by cybersecurity company Mandiant in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek.

    It’s tracked as CVE-2021-28372 and carries a Common Vulnerability Scoring System (CVSS) score of 9.6 — classifying it as a critical vulnerability. Upgrading to the latest version of the Kalay protocol (3.1.10) is highly recommended to protect devices and networks from attacks. While Mandiant hasn’t been able to compile a comprehensive list of all the affected devices, ThroughTek’s own figures suggest that 83 million connected devices are connected through the Kalay network. Previous research by Nozomi Networks also found vulnerabilities in ThroughTek, but the new vulnerabilities disclosed by Mandiant are separate and allow attackers to execute remote code on devices. Researchers were able to combine disassembling ThroughTek libraries via official apps from both the Google Play Store and Apple App Store with developing a fully functional implementation of ThroughTek’s Kalay protocol. This allowed key actions to be taken, including device discovery, device registration, remote client connections, authentication, and the processing of audio and video (AV) data.

    By writing an interface for creating and manipulating Kalay requests and responses, researchers could identify logic and flow vulnerabilities in the Kalay protocol — most notably, the ability to identify and register devices in a way that allows attackers to compromise them. Attackers achieve this by obtaining a Kalay-enabled client device’s uniquely assigned identifier, which can be discovered via web APIs such as mobile applications. Once they’ve obtained the UID of a device, they can register it, which causes Kalay servers to overwrite the existing device, directing attempts to connect to the device into the path of the attacker. By doing this, attackers can obtain the username and password needed to access the device, which they can then use to access it remotely — complete with the ability to monitor audio and video data in real time. “Once an attacker obtained UIDs, they could redirect client connections to themselves and obtain authentication materials to the device. From there, an attacker could watch device video, listen to device audio, and potentially compromise the device further depending on device functionality,” Erik Barzdukas, manager of proactive services at Mandiant Consulting, told ZDNet. Not only is this a massive privacy violation for the users, particularly if the cameras and monitors are installed inside their own homes, but compromised devices in enterprise settings could allow attackers to snoop on sensitive discussions and meetings, potentially providing them with additional means of compromising networks. There’s also the potential for devices to be recruited into a botnet and used to conduct DDoS attacks. “This vulnerability could potentially allow for remote code execution on the victim device, which may be used maliciously in a variety of its own ways, like potentially creating a botnet out of the vulnerable devices or further attacking devices on the same network as the victim device,” said Barzdukas. Exploiting CVE-2021-28372 is complex and would require time and effort from an attacker. But that doesn’t make it impossible, and the vulnerability is still considered critical by CISA. Mandiant is working with vendors who use the Kalay protocol to help protect devices from the vulnerability, and recommends that no matter the manufacturer, IoT users should regularly apply patches and updates to devices to ensure they’re protected against known vulnerabilities. “Regardless of whether you own one of the impacted devices, Mandiant strongly recommends consumers and businesses with smart devices keep their devices and applications up to date,” said Barzdukas. “Consumers and businesses need to set aside time — at least once a month — to check if their smart devices have any updates to install,” he added. “As an IoT solution provider, we are continuously upgrading sufficient software and cloud service to provide higher security mechanisms to apply in devices, connections, and client app. Although we cannot limit what API/function that developers will use in our SDK, ThroughTek will strengthen our educational training and make sure our customers use it correctly to avoid a further security breach,” a ThroughTek spokesperson told ZDNet. “Also, we have been working with CISA to mitigate this vulnerability,” they added. Mandiant’s security disclosure thanks ThroughTek — and CISA — “both for their cooperation and support with releasing this advisory and commitment to securing IoT devices globally”.

  • in

    OCR Labs granted accreditation as first private 'trusted' government ID operator

    Australian-based OCR Labs has become the first accredited non-government operator that provides digital identity services to the private sector under the federal government’s Trusted Digital Identity Framework (TDIF). By becoming an accredited provider, OCR Labs now ensures its private sector customers, such as those in banking, finance, and telecommunications that are using its identity services can “trust that their identity information can be verified, and is protected”, Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said. “We want Australians to have confidence that their information is private and secure, regardless of who holds it. It has become increasingly important in this digital age to be able to establish trust, particularly online,” he said. OCR Labs applied for accreditation in February and was required to undergo a series of evaluations to ensure it met the TDIF standards, rules, and guidelines that set out best practices for digital identity services. OCR Labs satisfied 262 TDIF requirements, including protective security, privacy assurance, risk management, usability, and accessibility, and demonstrated it met the applicable requirements of the fourth iteration of the TDIF, which was published in May 2020. The company will be required to continually demonstrate it meets the TDIF obligations by undertaking annual assessments. OCR Labs intends to further enhance its TDIF accreditation to Identity Proofing Level 2 Plus before the end of 2021.

    “Digital Identity underpins the government’s Digital Economy Strategy that will allow Australian businesses like OCR Labs, and in particular small business, to capitalise on the opportunities that digital technologies are creating, enabling them to grow and create jobs as part of Australia’s economic recovery,” Robert said. The federal government’s myGovID was the first to be granted a TDIF accreditation, followed by Australia Post’s Digital ID. Eftpos said it has also applied for its ConnectID to become TDIF accredited. Elsewhere, the federal government announced it has transitioned to the Australian Immunisation Register (AIR) to source all information related to the nation’s COVID-19 vaccine rollout. Previously, data was a mix between self-reported information about the number of doses administered by each jurisdiction, and the aged care and disability sector, and AIR for primary care. The transition to AIR will now include information about doses administered by the Australian Defence Force, Department of Foreign Affairs and Trade, and Australian Institute of Sport (AIS), which vaccinated the Australian Olympic Team as part of primary care, as well as the total number of doses for each jurisdiction from all channels and data derived from AIR, plus metrics on people with at least one dose and people who are fully vaccinated. The Department of Health touted the move as one that would provide access to more “comprehensive and consistent data”. “Transitioning to AIR reporting ensures data is consistent and aligned across all reporting,” it said. “Jurisdictions have access to AIR so all governments in Australia have the same information base. The update of vaccination information into AIR is generally within 24 hours of the vaccination taking place.” Collating COVID-19 vaccination data comes off the back of Australia’s Data and Digital ministers agreeing on Friday to a national data sharing work program, following the signing of the Intergovernmental Agreement on Data Sharing by all Australian governments at the National Cabinet in early July. The agreement to work on a data-sharing work program was first raised during a meeting between the ministers back in April. According to the communique from the latest meeting, the ministers have agreed to take action to address national priority data sharing areas. These initial areas will include natural hazards and emergency management, waste management, and road safety, with plans that future priority data sharing areas will include family, domestic, and sexual violence, closing the gap, and veterans’ health. Further, the ministers agreed to reform the federal and state and territory data sharing system under the work program by developing an Australia Data Network, standardising operating procedures for data sharing activities, improving data discoverability through machine-readable metadata for data sharing priorities, and adopting a share-once use-often model for aggregate de-identified administrative data. “The intergovernmental agreement on data sharing recognises data is a shared national asset and aims to maximise the value of data to deliver outstanding policies and services for citizens. The agreement commits all jurisdictions to share data as a default position, where it can be done securely, safely, lawfully, and ethically,” the communique said. The communique also detailed that the ministers discussed opportunities to explore possibilities of how digital birth certificates could be used for “future interoperability to support citizens’ engagement with governments”. In April, the New South Wales government announced it was working on the development of a national digital birth certificate. The NSW government said it is looking into how to incorporate it with the federal government’s myGov.