More stories

  • Services Australia penalised for breaching privacy of a vulnerable customer

    The Australian Information Commissioner has issued Services Australia with a notice to pay a customer AU$19,890 as atonement for breaching her privacy.

    The woman was in receipt of Centrelink benefits administered by the Department of Human Services, now Services Australia. At the time, she lived with her then-partner, and as such, her entitlements were calculated by taking his income into consideration, as their respective online accounts were linked.

    “One effect of ‘linking’ records meant that if the complainant were to update her address using her online account, her partner’s address on his online account would also be updated to reflect the change, and vice versa,” the commissioner’s finding detailed. “The agency’s practice was to continue to keep such records linked unless and until it verified any claimed separation on the part of one of the linked individuals.”

    An Apprehended Violence Order (AVO) was taken out against the then-partner in December 2015, which the man was later imprisoned for breaching. The woman shortly after attempted to lodge a “Claim for Crisis Payment: extreme circumstance and domestic violence” form with the agency, seeking what is referred to as a crisis payment. The agency denied this claim for payment on the basis that the complainant continued to reside at the original address, that the AVO did not exclude the former partner from returning to the original address, and that the complainant was still in a relationship with the partner, the commissioner’s finding explains.

    A “separation details form” was then filed, but it was marked as incomplete by the agency, and the woman’s details, six months later, were still not updated.

    In September 2016, the woman moved to a new address and claimed that she had notified the agency of this change by attending an office in person. The following month, the new address was entered as an update to her online account and was submitted; however, the change was not processed by the agency at that time. It wasn’t until January 2017 that the agency processed the change of address. The former partner’s online account was also updated to the new address at this time. Her marital status was also finally changed to reflect that she was single.

    Subsequently, the former partner posted a screenshot of the new address to a social media platform used by the complainant with the comment “change your myGov”, the information commissioner said.

    The AU$19,980 Services Australia has been asked to pay comprises AU$10,000 for non-economic loss, AU$8,000 for reasonably incurred legal expenses, and AU$1,980 for reasonably incurred expenses in preparing a medical report.

    The agency denies that it interfered with the woman’s privacy, but it does not dispute that it disclosed the new address to the former partner and that, when it was disclosed, it amounted to the complainant’s personal information. The agency said it “was unable to accept that claim in the absence of full address details for referees who could verify the separation”.

    The commissioner found the agency failed to ensure the complainant’s personal information about her separation status was kept accurate and up-to-date, in breach of Australian Privacy Principle (APP) 10, and similarly that her address was not kept accurate and up-to-date. It was also found that the agency’s disclosure of the complainant’s personal information to the former partner breached APPs 6 and 11.

    “I find that the agency has breached APP 11 by failing to take reasonable steps to protect the complainant’s personal information, being her new address, from the unauthorised disclosure that breached APP 6,” the commissioner wrote.

    The agency has now updated its form to provide more protections in potential domestic violence situations. The commissioner has also directed the agency to engage an independent auditor within three months to assess its policies, procedures, and systems against the requirements of APP 11.

    In a second case, the commissioner has asked the agency to pay AU$1,000 for loss caused by the interference with the complainant’s privacy. The complainant contends that his privacy was breached by the agency when it provided his personal information to an external debt collection agency for the purposes of debt recovery, the debts in question being, he says, “unlawful”. On this basis, the complainant argues that the disclosure of his information was not authorised under APP 6. He also claims that the agency breached APP 10 by disclosing the existence of the debts to the collection firm.

    The commissioner declared the agency engaged in conduct constituting an interference with the privacy of the complainant and must not repeat that conduct.

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP, CONTACT ONE OF THESE SERVICES:
    • Suicide Call Back Service on 1300 659 467
    • Lifeline on 13 11 14
    • Kids Helpline on 1800 551 800
    • MensLine Australia on 1300 789 978
    • Beyond Blue on 1300 22 46 36
    • Headspace on 1800 650 890
    • QLife on 1800 184 527

  • Facebook uncovers Palestinian government officials targeted with malware

    Facebook has published new findings showing that two Palestinian organisations have been running cyberespionage campaigns against government officials, student groups, and security forces.

    The two groups both used fake and compromised social media accounts, posing primarily as young women, and also as Fatah or Hamas supporters, various military groups, journalists, and activists, to build trust with people in order to trick them into installing malicious software.

    According to Facebook, one group, dubbed Arid Viper, has been linked to the cyber arm of Hamas. The other is linked to the Palestinian Preventive Security Service (PSS), one of the security arms of Palestine, where the current president is a member of the Fatah party. Fatah and Hamas have been engaged in a civil war since 2006.

    Publishing a threat report [PDF] of Arid Viper’s activity, Facebook said the threat actor used fully functional custom iOS surveillanceware that was capable of stealing sensitive user data from iPhones without requiring the devices to be jailbroken. The surveillanceware, labelled Phenakite, was trojanised inside fully functional chat applications that used the open-source RealtimeChat code for legitimate reasons. This malware could also direct victims to phishing pages for Facebook and iCloud in order to steal credentials for those services. As this process used legitimate developer certificates, iOS devices did not need to be jailbroken to be surveilled.

    While Phenakite did not require a jailbreak for installation, once on a device it had to adhere to the usual operating system security controls that prevent unauthorised applications from accessing sensitive information. To circumvent that, Phenakite came bundled with the publicly available Osiris jailbreak and the Sock Port exploit, which meant that Phenakite was capable of using Osiris to jailbreak all 64-bit devices on iOS 11.2 to 11.3.1, or the Sock Port exploit to extend this to devices running iOS 10.0 to 12.2. If the Osiris jailbreak was successful, Phenakite could then retrieve photos from the camera roll, take images with the device camera, retrieve contacts, silently record audio, access documents and text messages, and upload WhatsApp data.

    The Android malware deployed by Arid Viper, meanwhile, required victims to install apps from third-party sources on their devices. The group used hundreds of attacker-controlled sites, along with the aforementioned fake social media accounts, to create the impression that the apps were legitimate in order to convince victims to install them. The trojanised chat applications on both Android and iOS primarily pretended to be dating apps.

    [Image: Examples of the trojanised chat applications. Image: Facebook]

    In all instances, the successful installation of these tools did not require any exploits, which the report said suggests that Arid Viper operators heavily relied on social engineering to distribute their malware. Of particular concern to Facebook was that Arid Viper’s use of custom surveillanceware demonstrated that this capability was becoming increasingly attainable by adversaries even if they are not technologically sophisticated. “As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop, similar tooling,” Facebook said.

    Meanwhile, PSS used similar social engineering tactics to coerce its targets into installing Android and Microsoft Windows malware, Facebook said. PSS malware, once installed on devices, collected information such as device metadata, call logs, location, contacts, and text messages. In rare cases, it also contained keylogger functionality. Rather than targeting pro-Fatah individuals, the PSS used its malware to target various groups, including people opposing the Fatah-led government, journalists, human rights activists, and military groups including the Syrian opposition and Iraqi military. According to Facebook, these findings are the first public reporting of this particular cyberespionage activity conducted by PSS.

    Following the investigation into the conduct of Arid Viper and PSS, Facebook has released a set of indicators addressing such activity. The indicators include 10 Android malware hashes, two iOS malware hashes, eight desktop malware hashes, and 179 domains. Facebook has also notified targeted individuals and industry partners, which led to Arid Viper’s developer certificates being revoked and various accounts and websites being blocked or removed.

    Last month, Facebook said it disrupted a network of hackers tied to China that were attempting to distribute malware via malicious links shared under fake personas. The malware allegedly targeted around 500 users.

  • Signal rattles sabre and exposes crackable Cellebrite underbelly

    Phone scanning and data extraction company Cellebrite is facing the prospect of app makers being able to hack back at its tools, after Signal revealed it was possible to gain arbitrary code execution through them. Cellebrite tools are used to pull data out of phones that the user has in their possession.

    “By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures,” Signal CEO Moxie Marlinspike wrote. “This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.”

    Usually, when vulnerabilities of this type are found, the issue is disclosed to the maker of the software to fix, but since Cellebrite makes a living from undisclosed vulnerabilities, Marlinspike raised the stakes. “We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” he said.

    The Signal CEO said that Cellebrite’s software contains “many opportunities for exploitation” and that he thought the company should have been more careful when creating the tool. For instance, Cellebrite bundles FFmpeg DLLs from 2012. Since that year, FFmpeg has had almost 230 vulnerabilities reported. Marlinspike also pointed out that Cellebrite bundles two installers from Apple to allow the tools to extract data from iOS devices. “It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users,” he said.

    In a video dripping with references to the movie Hackers, Marlinspike showed an exploit in action, before rattling a sabre in the direction of Cellebrite. “In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software,” he said. “We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.”

    Marlinspike said he was incredibly lucky to have found a Cellebrite tool package lying on the ground while going for a walk.

    In December, Marlinspike lashed out at Cellebrite claims that it could crack Signal’s encryption. “Cellebrite posted something with a lot of detail, then quickly took it down and replaced it with something that has no detail,” Marlinspike wrote at the time. “This is not because they ‘revealed’ anything about some super advanced technique they have developed (remember, this is a situation where someone could just open the app and look at the messages). They took it down for the exact opposite reason: it made them look bad.

    “Articles about this post would have been more appropriately titled ‘Cellebrite accidentally reveals that their technical abilities are as bankrupt as their function in the world.’”

  • User ability to opt-out key in Google FLoC debacle

    Advertisers want to be effective in the content they push to consumers, but the latter must be given the ability to opt out if they do not want personalised advertisements. This remains essential even as the debate over Google’s Federated Learning of Cohorts (FLoC) rages on.

    Marketers typically would want to reach segments of their audience, rather than just a single consumer. This was what cohorts set out to do, said Acquia’s chief science officer Omer Artun, in a video call with ZDNet. Acquia offers tools that enable brands to create and track cohorts, as well as analyse their performance, so they have the insights to improve their marketing campaigns. Snapshots of cohorts can also be captured to monitor how these audience segments evolve after the cohort was created. This allows marketers to identify changes and trends in customer behaviour, and tweak their marketing activities to improve sales of items that are not selling well, for instance.

    Artun likened it to doctors treating an illness. Their primary goal here was not to know who the patients were, but to flush out the symptoms so they could identify the illness and decide on the treatment.

    Google’s use of cohorts, however, had drawn strong criticism, mainly for how the tech giant would share a summary of recent browser history with marketers. It had said FLoC removed the need for individual identifiers whilst still enabling brands to reach people with relevant content and ads by targeting clusters of people with common interests. Google last week began testing the feature for Chrome users in several countries, including India, Australia, Indonesia, and Japan, but not in markets where the European Union’s GDPR (General Data Protection Regulation) was in place.

    The Electronic Frontier Foundation (EFF) said in a post last month that the core design of FLoC involved sharing new information with advertisers, which created new privacy risks. It pointed to browser fingerprinting as one key issue, as it gathers discrete pieces of information from a user’s browser to build a unique identifier for that browser. “If a tracker starts with your FLoC cohort, it only has to distinguish your browser from a few thousand others–rather than a few hundred million,” EFF said, adding that it would be easier for trackers to establish a unique fingerprint for FLoC users.

    The non-profit organisation added that FLoC also would share new personal data with trackers that could already identify users. “For FLoC to be useful to advertisers, a user’s cohort will necessarily reveal information about their behaviour,” it said. “Moreover, as your FLoC cohort will update over time, sites that can identify you in other ways will also be able to track how your browsing changes. Remember, a FLoC cohort is nothing more, and nothing less, than a summary of your recent browsing activity. You should have a right to present different aspects of your identity, in different contexts.”

    A few Chromium-based browsers, including Vivaldi and Brave, stepped up to say they had removed FLoC from their platforms over privacy concerns. WordPress also was considering blocking the Google feature from its blogging system. Search engine DuckDuckGo also released an extension that blocks FLoC.

    Asked for his comments on the latest developments, Artun told ZDNet there would be critics “to anything, anybody” with regards to advertising. “The idea is to create an efficient system of advertising while protecting privacy,” he said. “If you don’t want any advertising to be personalised, then opt-out [or] use another browser.”

    These alternative browsers operated to address a portion of the population that did not want advertising, he said. “FLoC is a good way to hide specific user information, but at the same time, group interests,” he added. Artun noted that if advertisers were rendered “blind”, then ads would be inefficient and consumers would end up paying more for whatever they wanted to purchase.

    Consumers should be able to control their own data

    He said several issues also remained unclear, such as whether first-party data could be matched with FLoC identifiers, hence giving more information about users than was available today. He expressed confidence that such issues would be addressed in future in a way that balanced privacy and ad targeting. He reiterated that anyone still could opt out, and that this process should be made easy for those who wished to do so.

    Artun further advocated the need for “a Delete option”, which would allow users such as him to view the cohorts they were segmented into and remove themselves from cohorts they did not want to be part of. “I should be able to go to a digital marketer’s platform and delete it,” he said. “Imagine if you can control the data and delete anything related to it. You don’t have that option right now. To be able to see the data and be able to erase or control the data is what I think will be the nirvana [for consumers].”

    He also called for more transparency on what online platforms such as Google and Amazon were doing with consumers’ data. Giving users control over their data was, in itself, personalisation, he added. “Transparency and control–these are the two things that are missing right now,” he noted.

  • Rapid7 acquires open-source project Velociraptor

    Cybersecurity firm Rapid7 said it has signed a deal to acquire Velociraptor, maker of an open-source framework used for endpoint monitoring, digital forensics, and incident response. The financial terms of the deal were not disclosed.

    Rapid7 said the Velociraptor technology is designed to help SecOps teams hunt for new threats more quickly through community-driven technology, allowing incidents and detections to be easily shared across the broader security industry.

    “The Velociraptor standalone offering allows incident response teams to rapidly collect and examine artifacts from across a network, and deliver forensic detail following a security incident,” Rapid7 wrote in a blog post. “In the event of an incident, an investigator controls the Velociraptor agents to hunt for malicious activity, run targeted collections, perform file analysis, or pull large data samples. The Velociraptor Query Language (VQL) allows investigators to develop custom hunts to meet specific investigation needs.”

    Rapid7 said it does not plan to make Velociraptor a commercial offering; however, the company does plan to integrate the technology into its detection and response portfolio, including the Rapid7 Insight platform.

    Rapid7’s purchase of Velociraptor comes on the heels of its acquisitions of Alcide in January and DivvyCloud in April 2020. The company said both acquisitions are meant to bolster its ability to provide customers with a cloud-native security platform for managing risk and compliance.

  • White House: Here's what we've learned from tackling the SolarWinds and Microsoft Exchange server cyber incidents

    Lessons learned from responses to the SolarWinds and Microsoft Exchange cyber incidents will be used to coordinate action against future cybersecurity and hacking incidents, the White House has said.

    Both incidents required the United States to react to cyber attacks by nation-state hacking operations affecting thousands of organisations across the country: Russian intelligence compromised SolarWinds in a supply chain attack, while Chinese operatives targeted Microsoft Exchange. The campaigns aren’t related, but both gained access to a number of networks, with attackers remaining under the radar for a significant period of time before they were discovered.

    The US administration convened two Unified Coordination Groups (UCGs) to drive the government response to the SolarWinds and Microsoft Exchange incidents. Both are now being stood down due to the increase in security patches being applied to prevent the attacks and a reduction in the number of victims. But the way they operated and what was learned will be used to guide future responses to additional cyber incidents.

    Lessons learned include ‘integrating private sector partners at the executive and tactical levels’ and involving private sector organisations in the response in order to help deliver fixes smoothly, like Microsoft’s one-click tool to simplify and accelerate victims’ patching and clean-up efforts, as well as sharing relevant information between firms.

    “This type of partnership sets precedent for future engagements on significant cyber incidents,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology.

    The partnerships also enabled the FBI and Department of Justice to identify the scale of the incidents and determine which organisations were affected, gain a better understanding of who was being targeted, and determine the best response. The White House also pointed to the methodology created by CISA to track trends in patching and exposed Exchange servers, which enabled the UCG to quantify the scope of the incident.

    It’s hoped that by learning the lessons of what happened with SolarWinds and Microsoft Exchange, the White House can improve how it responds to significant cybersecurity incidents. “While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the administration places on cybersecurity, and at improving incident response for both the U.S. government and the private sector,” said Neuberger.

  • Instagram debuts new tool to stop abusive message salvos made through new accounts

    Instagram’s appeal lies in the ability to share images; indeed, some users known as “influencers” have been able to build businesses purely on these types of posts — but the popular platform, and its users, are not exempt from abuse.

    In the same way as Facebook — which acquired Instagram in 2012 — users are able to communicate privately through direct messages (DMs), rather than just comment on public posts. For most users, this is nothing more than a useful feature to stay in contact with friends and fans. For others, however, it is an additional conduit for abuse and harassment.

    If you have an account set to private, you may receive message requests for review. Existing contacts can be blocked from messaging you if conversations turn sour or if they are abusive. However, this doesn’t stop someone from signing up for a new account and reaching out again and again — a problem Instagram hopes to tackle with new measures preventing users from seeing abusive DMs in the first place.

    Users can already set a block for an individual’s account, but soon they will also be able to pre-emptively select a further block that will try to catch any new accounts the same abusive person creates in the future. “This is in addition to our harassment policies, which already prohibit people from repeatedly contacting someone who doesn’t want to hear from them,” Instagram says. “We also don’t allow recidivism, which means if someone’s account is disabled for breaking our rules, we would remove any new accounts they create whenever we become aware of it.”

    Another new feature is a filter to cover message requests containing “racist, sexist, homophobic, or any other kind of abuse.” Just seeing these types of messages can be upsetting, and while preventing it completely is likely impossible, Instagram’s tool could limit the amount of abuse we see in our inboxes. Offensive words, phrases, and emojis can automatically be covered when they are detected in DM requests.

    “Because DMs are private conversations, we don’t proactively look for hate speech or bullying the same way we do elsewhere on Instagram,” the firm says. “[The tool] will work in a similar way to the comment filters we already offer, which allow you to hide offensive comments and choose what terms you don’t want people to use in comments under your posts.”

    Due to be enabled under Privacy settings and “Hidden Words,” if this feature is turned on, ‘offensive’ terms can be filtered in upcoming DM requests, and you will need to proactively open the hidden requests folder to view the message and tap the content to uncover it. Instagram is keen to emphasize that using the tool won’t send message content back to the firm’s servers, nor share the content directly with Instagram unless users report the account holder.

    Lists of offensive terms are being created with the help of anti-discrimination and anti-bullying organizations. Users will also be able to create their own custom lists if they so choose. Instagram’s tools will be rolled out in the coming weeks to a handful of countries before expanding over the next few months to additional areas.

    The company is also refining its algorithms for detecting abusive comments. If users choose to disallow ‘offensive’ words in comments made on their content, Instagram is also starting to hide common misspellings of these words. “We know there’s still more we can do, and we’re committed to continuing our fight against bullying and online abuse,” Instagram says.

    Earlier this month, Facebook’s VP of Integrity, Guy Rosen, said that users of both Facebook and Instagram are now able to appeal content left up — including posts, status updates, photos, videos, comments, and shares — through the Oversight Board. The idea behind the board is to maintain a balance between free speech and rights, and it is made up of individuals ranging from activists to lawyers. Facebook will have to uphold or reverse content decisions based on the board’s reviews, and the group will also make recommendations to both Facebook and Instagram concerning content policies.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Zero-day vulnerabilities in SonicWall email security are being actively exploited

    SonicWall is urging customers to apply patches to resolve three zero-day vulnerabilities in its email security solution that are being actively exploited in the wild.

    In a security alert on Tuesday, the US company said fixes have been published to resolve three critical issues impacting “hosted and on-premises email security products.” SonicWall ES is a solution designed to protect email traffic and communication, such as by preventing phishing emails and business email compromise (BEC) attempts. At least one known case of active exploitation of the appliance has been recorded.

    “It is imperative that organizations using SonicWall Email Security (ES) hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed,” SonicWall says.

    The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.

    • CVE-2021-20021: CVSS 9.4, “Unauthorized administrative account creation”: Crafted HTTP requests sent to a remote host can allow the unauthorized creation of administrator accounts due to an improperly secured API endpoint.
    • CVE-2021-20022: CVSS 6.7, “Post-authentication arbitrary file upload”: Post-authenticated attackers can upload arbitrary files to a remote host, caused by an issue in the “branding” functionality.
    • CVE-2021-20023: CVSS 6.7, “Post-authentication arbitrary file read”: Attackers can also read arbitrary files on a remote host, also caused by the “branding” feature.

    FireEye’s Mandiant team discovered and disclosed the bugs to the SonicWall Product Security Incident Response Team (PSIRT) through an investigation of post-exploitation web shell activity on a client’s system that pointed to SonicWall ES as the original source of compromise.

    According to Mandiant researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino, the vulnerabilities have been exploited in an attack chain to obtain administrative access and to execute code on vulnerable ES products, including installing a backdoor, exposing files, and achieving lateral network movement. The team added that this case shows “intimate knowledge of the SonicWall application.”

    CVE-2021-20021 and CVE-2021-20022 were reported privately on March 26, acknowledged on March 21, and a hotfix was applied on April 9. CVE-2021-20023 was reported on April 7, leading to a patch becoming available on April 19.

    SonicWall is urging customers to update their Email Security builds to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware/ESXi Virtual Appliance), which contain hotfixes for the vulnerabilities. Clients signed up for SonicWall Hosted Email Security (HES) products do not need to take further action, as patches have been automatically applied in version 10.0.9.6173.

    However, the vendor says the critical vulnerabilities also impact SonicWall ES versions 7.0.0-9.2.2, which are end-of-life, legacy products not entitled to security updates. For users of these versions, SonicWall also urges an immediate upgrade. SonicWall has provided a step-by-step guide for applying security upgrades.
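    For a defender with a fleet of ES installs, the advisory boils down to a version check with three branches: the end-of-life 7.0.0-9.2.2 range, the affected 10.0.1-and-above range below the fixed build, and the fixed builds themselves (which differ between the Windows software install and the appliances). The following is an added example written for this page, not SonicWall’s or Mandiant’s code: it applies exactly the version boundaries quoted above to an inventory list. The platform labels (`windows`, `appliance`, `hosted`), the hostnames and the inventory rows are constructed for the illustration, and it generalises the page's single statement into a comparison that works for any dotted version string, flagging unparseable entries rather than skipping them.

```python
"""Patch-status triage for SonicWall Email Security (ES) builds.

Added example written for this page; it is not SonicWall's or Mandiant's code.
The version boundaries come from the advisory as summarised above; the
platform labels, hostnames and inventory rows are constructed for illustration.
"""
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Fixed builds quoted in the advisory, keyed by a constructed platform label.
FIXED_BUILDS = {
    "windows": (10, 0, 9, 6173),    # software install on Windows Server
    "appliance": (10, 0, 9, 6177),  # hardware / ESXi virtual appliance
    "hosted": (10, 0, 9, 6173),     # HES, patched by the vendor automatically
}
AFFECTED_FROM: Version = (10, 0, 1)                          # "versions 10.0.1 and above"
EOL_RANGE: Tuple[Version, Version] = ((7, 0, 0), (9, 2, 2))  # legacy branch, no fixes


def parse_version(text: str) -> Version:
    """Turn '10.0.9.6173' into (10, 0, 9, 6173); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so '9.2' and '9.2.2' compare the way humans expect."""
    return tuple(v) + (0,) * (width - len(v))


def triage(version: str, platform: str) -> str:
    """Classify one build as 'eol-upgrade', 'vulnerable-upgrade', 'patched' or
    'unknown' (a version the advisory does not mention either way)."""
    if platform not in FIXED_BUILDS:
        raise ValueError(f"unknown platform: {platform!r}")
    v = _pad(parse_version(version))
    lo, hi = EOL_RANGE
    if _pad(lo) <= v <= _pad(hi):
        return "eol-upgrade"
    if v < _pad(AFFECTED_FROM):
        return "unknown"
    return "patched" if v >= _pad(FIXED_BUILDS[platform]) else "vulnerable-upgrade"


def hosts_needing_action(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Run triage over (hostname, platform, version) rows and keep everything
    that is not confirmed patched, including rows that could not be parsed,
    so a bad inventory entry is surfaced instead of silently skipped."""
    findings = []
    for host, platform, version in inventory:
        try:
            status = triage(version, platform)
        except ValueError as exc:
            status = f"error: {exc}"
        if status != "patched":
            findings.append((host, status))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mx-win-01", "windows", "10.0.9.6173"),    # at the fixed Windows build
    ("mx-esx-02", "appliance", "10.0.9.6173"),  # appliance needs 6177, not 6173
    ("mx-legacy-03", "appliance", "9.2.2"),     # end-of-life branch
    ("mx-win-04", "windows", "10.0.4"),         # affected, below the fix
    ("mx-bad-05", "windows", "10.0.9-hotfix"),  # malformed inventory entry
]

if __name__ == "__main__":
    for host, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

    The appliance row is the one worth noticing: a build string that is "fixed" for a Windows install is still below the appliance hotfix, which is why the platform is part of the key rather than a note in a spreadsheet. Versions the advisory never mentions (anything below 7.0.0, or between 9.2.2 and 10.0.1) come back as `unknown` rather than being assumed safe.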