More stories

  •

    Android Trojan hits 140 countries, 10,000 victims through social media hijacking

    A new Android Trojan has been identified by cybersecurity firm Zimperium, which released a report on Monday explaining how the malware has hit more than 10,000 victims in 144 countries. The trojan, named FlyTrap by Zimperium researchers, has spread through “social media hijacking, third-party app stores, and sideloaded applications” since March. Zimperium’s zLabs mobile threat research team first identified the malware and determined that it uses social engineering tricks to compromise Facebook accounts. The malware hijacks social media accounts by infecting Android devices, allowing attackers to collect information from victims such as Facebook ID, location, email address and IP address, as well as cookies and tokens tied to the victim’s Facebook account.

    “These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details,” the Zimperium researchers wrote. “These social engineering techniques are highly effective in the digitally connected world and are used often by cybercriminals to spread malware from one victim to another. The threat actors made use of several themes that users would find appealing such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player.”

    The researchers attributed the malware to groups based in Vietnam and said they are able to distribute it using Google Play and other app stores. Google was sent a report about the malware, verified it and removed all of the applications from the store. But the report notes that three of the applications are still available on “third-party, unsecured app repositories.”

    Once victims are convinced to download the app through deceptive designs, the app urges users to engage and eventually asks them to enter their Facebook account information in order to vote on something or collect coupon codes. Once everything is entered, the app takes victims to a screen that says the coupon has already expired. The researchers explained that the malware uses a technique called “JavaScript injection”, which allows the app to open legitimate URLs inside a “WebView configured with the ability to inject JavaScript code.” The app then extracts information like cookies, user account details, location, and IP address by injecting malicious JS code.

    Zimperium suggests Android users find ways to check if any applications on their device have FlyTrap and noted that these breached accounts could be used as a botnet for other purposes like boosting the popularity of certain pages or sites. “FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more,” Zimperium researchers said. “The tools and techniques used by FlyTrap are not novel but are effective due to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious party to take FlyTrap or any other Trojan and modify it to target even more critical information.”

    Setu Kulkarni, vice president at NTT Application Security, said FlyTrap was a “nifty combination” of a handful of vulnerabilities that took advantage of the abundance of metadata open to access, like location, as well as the implicit trust that can be gained by clever yet dubious associations with companies like Google, Netflix and others. “This is not even the most concerning bit — the concerning bit is the network effect this type of trojan can generate by spreading from one user to many. Moreover, as the summary of Zimperium’s findings states — this trojan could be evolved to exfiltrate significantly more critical information like banking credentials,” Kulkarni said. “The what-if scenarios don’t end there, unfortunately. What if this type of trojan is now offered as-a-service, or what if this transforms quickly into ransomware targeting hundreds of thousands of users? The bottom line does not change. It all begins with a user who is enticed to click a link. This begs the question: shouldn’t Google and Apple be doing more to address this for their entire customer base?”

  •

    How to find and remove spyware from your phone

    Our digital selves, more and more, are becoming part of our full identity. The emails we send, the conversations we have over social media — both private and public — as well as photos we share, the videos we watch, and the websites we visit all contribute to our digital personas.

    There are ways to prevent a government agency, country, or cybercriminals from peeking into our digital lives. Virtual private networks (VPNs), end-to-end encryption and using browsers that do not track user activity are all common methods. Sometimes, however, surveillance is more difficult to detect — and closer to home. This guide will run through what spyware is, what the warning signs of infection are, and how to remove such pestilence from your mobile devices. For those with little time, check out the abridged version below:

    What is nuisanceware?

    At the bottom of the pile, you have nuisanceware, which often comes in software bundles together with legitimate, free programs. Also known as Potentially Unwanted Programs (PUPs), this sort of software may interrupt your web browsing with pop-ups, change your homepage settings by force, and may also gather your browsing data in order to sell it off to advertising agencies and networks. Although considered malvertising, nuisanceware is generally not dangerous or a threat to your core privacy and security.

    What is spyware and stalkerware?

    Spyware and stalkerware are types of unethical software that can result in the theft of data including images and video, and may allow operators — whether fully-fledged cybercriminals or your nearest and dearest — to monitor emails, SMS and MMS messages sent and received, intercept live calls for the purpose of eavesdropping across standard telephone lines or Voice over IP (VoIP) applications, and more.

    Stalkerware is the next step up from spyware and has become an established term in its own right, coined after a series of investigations conducted by Motherboard.

    Whereas spyware rarely singles out individuals, unless it is in the hands of law enforcement or unscrupulous government agencies, stalkerware is software that anyone can buy in order to spy on those closest to them.

    Stalkerware enables stealing images and text messages, eavesdropping on phone calls, and covertly recording conversations made over the internet. Stalkerware may also be able to intercept app communications made through Skype, Facebook, WhatsApp, and iMessage. Both terms, spyware and stalkerware, relate to similar malicious software functions. However, the latter is deemed more personal in use.

    In order to avoid potential legal issues and alienating clients, many spyware solutions providers will market their offerings as services for parents seeking a way to monitor their child’s mobile device usage or for business owners to keep an eye on their staff’s online activities during work hours. However, anyone willing to pay for the software can acquire it. Retina-X, makers of PhoneSheriff, marketed their spyware software solution, for example, as “parental control for mobile.” PhoneSheriff, developed for the Google Android operating system, permitted location monitoring via GPS, recorded calls, enabled access to text messages, and logged websites visited. The spyware was also able to block contacts, websites, and apps. The company, which also developed TeenShield, SniperSpy, and Mobile Spy, closed its doors after a hacktivist said they would “burn them to the ground.” Retina-X stopped taking orders for the software and offered pro-rated refunds to contracted users.

    When these types of software are used at home, there are few reasons which do not lean towards toxic relationships. As technology has evolved, so too has domestic abuse changed. Sometimes, stalkerware is used to monitor partners and spouses covertly, or occasionally with the full knowledge of the victim.

    Spyware and stalkerware are found less commonly in the enterprise, although some software solutions are marketed for companies to keep track of employee mobile devices and their activities. The lines here can be blurry, but if a mobile device belongs to a company and is used by a staff member in full knowledge that it is tracked or monitored, then this may be considered acceptable. In these cases, employees should keep their private lives, social media, and emails on their own smartphone or tablet and off company property.

    What kinds of spyware and stalkerware apps are still out there?

    SpyPhone Android Rec Pro: This £143 spyware claims to offer “full control” over a smartphone’s functions, including listening in to the background noise of calls and recording them in their entirety; intercepting and sending copies of SMS and MMS messages sent from the victim’s phone; sending activity reports to the user’s email address; and more.

    FlexiSpy: One of the most well-known forms of stalkerware out there is FlexiSpy, which markets itself using the slogan: “It takes complete control of the device, letting you know everything, no matter where you are.” FlexiSpy is able to monitor both Android smartphones and PCs and is willing to deliver a device with the malware pre-installed to users. The spyware is able to listen in on calls, spy on apps including Facebook, Viber, and WhatsApp, turn on the infected device’s microphone covertly, record Android VoIP calls, exfiltrate content such as photos, and intercept both SMS messages and emails. At the time of writing, marketing seems to be geared — at least, publicly — towards parents. The first image you see on the service’s website shows a teenager on her handset, with a message, “My dad’s not here. Meet me at 10.”

    mSpy: Another stalkerware app which markets itself as a service for parents, mSpy for the iPhone allows users to monitor SMS messages, phone calls, GPS locations, and apps including Snapchat and WhatsApp, and also includes a keylogger to record every keystroke made on the target device.

    PhoneSpector: Designed for both Android and iOS handsets, PhoneSpector claims to offer “undetectable remote access.” While a disclaimer says that the service is designed only for parents and for businesses seeking to track company-owned devices used by employees, the software is installed through tactics common to malware and phishing campaigns. “All you have to do is text or email the OTA (over-the-air) link to the target device and our automated system will set up data transfer protocol and the necessary info for you to monitor the device,” the company proclaims. “Just tap a few buttons, then login to your online account! You can be viewing texts, calls, GPS and more within a few short minutes!”

    MobileTracker, FoneMonitor, Spyera, SpyBubble, Spyzie, Android Spy, and Mobistealth are a few more examples of stalkerware which offer similar features, among many, many more in what has become a booming business. It is also worth noting that you can be tracked by legitimate software which has been abused. Whether or not GPS is turned on, some information recovery apps and services designed to track down a handset in the case of loss or theft can be turned against victims to track their location instead.

    What are the warning signs of spyware?

    If you find yourself the recipient of odd or unusual social media messages, text messages, or emails, this may be a warning sign and you should delete them without clicking on any links or downloading any files. To catch a victim unaware, these messages — known as phishing attempts — will attempt to lure you into clicking a link or executing software which hosts a spyware/stalkerware payload. Should stalkers employ this tactic, they need you to respond to it. In order to ensure this, messages may contain content designed to induce panic, such as a demand for payment, or they could potentially use spoofed addresses from a contact you trust.

    There’s no magic button to send spyware over the air; instead, physical access or the accidental installation of spyware by the victim is necessary. In the case of potential physical tampering, it can take mere minutes for spyware to be installed on a device. If your mobile or laptop goes missing and reappears with different settings or changes that you do not recognize, or perhaps has been confiscated for a time, this may be an indicator of compromise.

    How do I know when I’m being monitored?

    Surveillance software is becoming more sophisticated and can be difficult to detect. However, not all forms of spyware and stalkerware are invisible, and it is possible to find out if you are being monitored.

    Android: A giveaway on an Android device is a setting which allows apps to be downloaded and installed outside of the official Google Play Store. If enabled, this may indicate tampering and jailbreaking without consent. Not every form of spyware and stalkerware requires a jailbroken device, however. There is an app available in the Play Store called Root Checker that can check for jailbreaking on your behalf. This setting is found in modern Android builds in Settings > Security > Allow unknown sources. (This varies depending on device and vendor.) You can also check Apps > Menu > Special Access > Install unknown apps to see if anything appears which you do not recognize, but there is no guarantee that spyware will show up on the list. Some forms of spyware will also use generic names to avoid detection. If a process or app comes up on the list you are not familiar with, a quick search online may help you ascertain whether it is legitimate.

    iOS: iOS devices, unless jailbroken, are generally harder to infect with malware. However, the presence of an app called Cydia, a package manager that enables users to install software packages on a jailbroken device, may indicate tampering unless you knowingly downloaded the software yourself.

    If you think your PC may have been infiltrated, check below:

    Windows: On Windows machines, double-checking installed program lists, possible through the start bar, and running processes under “Task Manager” may help you identify suspicious programs.

    Mac: On Apple Mac machines, you can do the same by clicking “Launchpad,” “Other,” and “Activity Monitor” to check the status of running programs. You can also reach Activity Monitor quickly through Spotlight.

    An antivirus scan is also a recommended way to remove spyware and PUPs.

    In the case of Android and iOS devices, you may also experience unexpected battery drain, as well as unexpected or strange behavior from the device operating system or apps — but in the latter case, many users of stalkerware will try not to play their hand.

    As with most things in life, trust your instincts. If you think something is wrong, it probably is — and you should take steps to seize control of the situation.
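    The Android checks above (the setting that permits installs from outside the Play Store, and the list of installed apps you do not recognise) can be turned into a quick triage routine. The following Python script is an added example and is not part of the article or of any vendor's tool; it assumes the output shape of `adb shell pm list packages -i -3` (third-party packages, each followed by its installer package or `installer=null`), and the sample lines embedded in it are constructed, not captured from a real device.

```python
"""Triage third-party Android packages for signs of sideloading.

Added example, not from the article or any vendor tool. It assumes the output
shape of `adb shell pm list packages -i -3` (one "package:<name>" per line,
followed by "installer=<package>" or "installer=null"). The sample lines are
constructed for this example, not captured from a real device.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Installer packages that correspond to a store install. Assumption: only the
# Play Store is listed here; add your vendor's store package if it has one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Apps the device owner recognises (a constructed allowlist for this example).
KNOWN_GOOD = {"com.whatsapp", "com.spotify.music"}

# Constructed sample output in the shape of `pm list packages -i -3`.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.spotify.music  installer=com.android.vending
package:com.example.syncmanager  installer=null
package:org.example.systemservice  installer=com.example.dropper
"""


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]
    reasons: Tuple[str, ...]


def parse_pm_output(text: str):
    """Yield (package, installer) pairs; installer is None when pm prints 'null'."""
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or not parts[0].startswith("package:"):
            continue
        package = parts[0][len("package:"):]
        installer = None
        for token in parts[1:]:
            if token.startswith("installer="):
                value = token[len("installer="):]
                installer = None if value == "null" else value
        yield package, installer


def triage(text: str, known_good=KNOWN_GOOD, trusted=TRUSTED_INSTALLERS) -> List[Finding]:
    """Return the packages that deserve a manual look, with the reason for each.

    A package is flagged when the owner does not recognise it, or when it was not
    installed by an app store (no installer at all, or an unknown installer).
    The second condition is exactly what the 'Install unknown apps' / 'Allow
    unknown sources' setting makes possible.
    """
    findings: List[Finding] = []
    for package, installer in parse_pm_output(text):
        reasons = []
        if package not in known_good:
            reasons.append("not in the owner's list of recognised apps")
        if installer is None:
            reasons.append("no recorded installer (sideloaded or pushed via adb)")
        elif installer not in trusted:
            reasons.append(f"installed by {installer}, which is not an app store")
        if reasons:
            findings.append(Finding(package, installer, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT):
        print(finding.package, "->", "; ".join(finding.reasons))
```

    Everything the script flags still needs the manual step the article describes (look the package name up), since generic names are exactly how stalkerware hides; the script only narrows the list to apps that are unfamiliar or did not arrive through a store.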

    How can I remove spyware from my device?

    This is where things get difficult. By design, spyware and stalkerware are hard to detect and can be just as hard to remove. It is not impossible, but it may take some drastic steps on your part. When removed, especially in the case of stalkerware, some operators will receive an alert warning them that the victim device is clean. Even without an alert, a sudden stop in the flow of information is a clear indicator to the operator that the malicious software has been eradicated.

    Run a malware scan: On both mobile devices and PCs there is a variety of antivirus solutions available which may be able to detect and remove basic forms of spyware. This is the easiest solution available but may not prove effective in every case.

    Change all of your passwords: If you suspect account compromise, change every password on every important account you have. Many of us have one or two central accounts, such as an email address, which act as a hub for other accounts and password recovery. Begin there. Enabling two-factor authentication (2FA), in which account activity and logins require further consent from a mobile device, can also help protect individual accounts. Consider creating a new email address, known only to you, which becomes tethered to your main accounts.

    Update your OS: It may seem obvious, but when an operating system releases a new version, which often comes with security patches and upgrades, this can — if you’re lucky — cause conflict and problems with spyware. As with antivirus solutions, keep it updated.

    Protect your device physically: A PIN code, pattern, or enabling biometrics can protect your mobile device from future tampering.

    If all else fails, factory reset: Performing a factory reset and clean install on the device you believe is compromised may help eradicate some forms of spyware and stalkerware. However, make sure you remember to back up important content first. On Android platforms, this is usually found under Settings > General Management > Reset > Factory Data Reset. On iOS, go to Settings > General > Reset. Unfortunately, some stalkerware services claim to survive factory resets. So, failing all of that, consider throwing your device in the nearest recycling bin and starting afresh.

    Removal of different brands

    FlexiSpy removal: FlexiSpy may masquerade on Android devices under the name “SyncManager.” If you find this app on your phone, try to uninstall it directly, and then restart your phone. However, it may also appear under another generic name, and so before deleting any apps, perform a search on the app name first.

    mSpy: To remove mSpy, instructions are here as long as you have physical access to the device. On the iPhone, you need to access Cydia, search “Installed” and look for “IphoneInternalService.” Press modify and remove. Additional options to try are explained here.

    So, what are Google and Apple doing about the problem?

    Both Google and Apple are generally quick off the mark if spyware or other forms of malicious apps manage to circumvent the privacy and security barriers imposed for applications hosted in their respective official app stores. In July 2019, Google removed seven apps from the same Russian developer from the Play Store. While marketed as employee and child trackers, the tech giant took a dim view of their overreaching functions, including GPS device tracking, access to SMS messages, the theft of contact lists, and potentially the exposure of communication taking place in messaging applications.

    When it comes to Apple, the iPad and iPhone maker began a crackdown on parental control apps in April 2019, citing privacy-invading functions as the reason for some iOS apps to be removed from the App Store. In some cases, Apple requested developers to remove functions, whereas, in others, the apps were simply removed. The company offers its own parental device control service called Screen Time for parents that want to limit their children’s device usage.

    Surveillance without consent is unethical and in domestic situations causes a severe imbalance in power. If your sixth sense says something is wrong, listen to it. A physical object is not worth sacrificing your privacy for. Should your device become compromised, take back control of your right to privacy — whether or not this means replacing your handset entirely.

  •

    Want a strong password? You're probably still doing it the wrong way

    Bad passwords are easy to remember, but also easy to guess — and that can give an attacker access to your online accounts. That’s why the UK’s National Cyber Security Centre (NCSC) has explained why it is still recommending users pick three random words for a password rather than meeting complex requirements, such as an alphanumeric string, that could permit the creation of bad passwords like “pa55word”. 

    The NCSC’s past warnings against password complexity requirements have been aimed at admins responsible for protecting IT systems. NCSC has previously called on organizations to ditch password-expiry policies because they encourage users to pick slight variations on existing passwords; Microsoft in 2019 dropped its recommendation for expiring passwords on Windows 10 because the policy was obsolete and unhelpful.

    NCSC is also critical of advice that passwords must be memorized and not stored. NCSC encourages people to store them in a password manager, a browser, or on a piece of paper. The main reason it’s encouraging three random words is to address the fact that people are poor at memorizing things — especially long, complex passwords — and that password manager adoption remains “very low”. Its three random words suggestion is also aimed at those who aren’t aware of or don’t want to use password managers.

    But there are other reasons why NCSC vouches for three random words, including that they produce longer passwords, that it is an easy-to-explain and easy-to-understand password strategy, and that it is usable and practical. The other key reason is that three random words help increase password diversity, which makes it harder for attackers to use search algorithms to discover passwords cheaply and then compromise accounts. “Currently, complexity requirements are actively working against password diversity (for all the reasons mentioned above). This has led to a convergence in strategies and a reduction in password diversity,” explains Kate R, the people team lead for NCSC’s Sociotechnical Security Group. “To increase diversity, we need to encourage people to use other password construction strategies (such as ‘three random words’), that use length rather than character sets to achieve the desired strength.”

    While NCSC endorses the use of password managers and believes they also increase password diversity, it’s encouraging three random words until the uptake of password managers is more widespread. The three random words advice roughly aligns with Google’s recommendations for protecting Google Accounts. To make passwords longer but also memorable, Google recommends using a lyric from a song or poem, a meaningful quote from a movie or speech, a passage from a book, a series of words that are meaningful to the user, or creating an acronym from a sentence. NCSC acknowledges there are search algorithms that are optimized for three random words, but Kate R argues that more password diversity raises the cost for attackers since they must try several algorithms. She also notes that NCSC hopes more people will adopt password managers and that this will also increase password diversity, so the three random words recommendation still makes sense until password manager adoption is universal.
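    To make the “length rather than character sets” argument concrete, here is an added Python example (not from the NCSC or the article) that compares the search space of three random words with that of passwords built to satisfy complexity rules. The wordlist size of 7,000 and the figure of 100 predictable variants per dictionary word are assumptions chosen for illustration.

```python
"""Search-space comparison: three random words vs complexity-rule passwords.

Added example, not from the NCSC or the article. WORDLIST_SIZE and the number of
predictable variants per word are assumptions chosen for illustration.
"""
import math
import string

WORDLIST_SIZE = 7_000   # assumption: the pool of everyday words a person draws from


def bits_for_random_words(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy (bits) of n_words words drawn uniformly and independently from the list.
    Strength grows linearly with the number of words, i.e. with length."""
    return n_words * math.log2(wordlist_size)


def bits_for_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of `length` characters drawn uniformly from an alphabet.
    This is what complexity rules assume people produce."""
    return length * math.log2(alphabet_size)


def bits_for_predictable_pattern(base_words: int, variants_per_word: int) -> float:
    """Entropy (bits) of the password people actually build to satisfy complexity
    rules: one dictionary word plus a handful of predictable substitutions and
    suffixes (pa55word, Password1!, ...). The rules are met, but the effective
    choice space is base_words * variants_per_word, which is the convergence of
    strategies the NCSC warns about."""
    return math.log2(base_words * variants_per_word)


def words_needed(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest number of random words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare() -> dict:
    """Side-by-side figures for the strategies discussed in the article."""
    alnum = len(string.ascii_letters + string.digits)        # 62 symbols
    all_classes = alnum + len(string.punctuation)             # 94 symbols
    return {
        "three random words": bits_for_random_words(3),
        "four random words": bits_for_random_words(4),
        "8 truly random alphanumeric chars": bits_for_random_chars(8, alnum),
        "8 truly random chars, all classes": bits_for_random_chars(8, all_classes),
        "dictionary word + predictable tweaks": bits_for_predictable_pattern(10_000, 100),
    }


if __name__ == "__main__":
    for strategy, bits in compare().items():
        print(f"{strategy:40s} {bits:5.1f} bits")
    print("words needed for 60 bits:", words_needed(60))
```

    The honest reading of the numbers is the NCSC's point: eight genuinely random characters are strong, but the password that complexity rules actually elicit (a dictionary word with a few predictable tweaks) sits around 20 bits, well below three random words, and each additional word adds a fixed number of bits, so the user has a simple way to scale strength by length alone.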

  •

    Need a super-secure way to transport data? Check out the Apricorn Aegis Padlock SSD

    Carrying around unsecured data on flash drives is a bad idea.

    One mistake on your part — or on the part of the weakest link in your organization — and that data can be in the hands of anyone. If that data is sensitive, then you’re going to have some serious headaches, along with the potential for legal troubles and fines.

    Far better to have that data properly secured and encrypted when it’s on a physical device, and one tool that makes this as simple as possible is the Apricorn Aegis Padlock SSD. This SSD is small enough to fit into the palm of your hand or slip into a pocket and comes in capacities ranging from 240GB to a whopping 4TB. Having this range of options is great because it means that you can buy the capacity you need, and no more, which saves money.

    The drive itself is rugged and reliable. The aluminum enclosure, complete with a wear-resistant keypad, is rated IP66 for dirt and dust resistance, is crushproof to 6,500 lbs, is shock and vibration resistant, is unaffected by high humidity, and works in extreme temperatures from -40°F to 158°F (-40°C to 70°C). It’s a rugged drive. While at first blush the membrane keypad might seem like a weak point, having used these drives for years, I’ve found them to be very reliable.

    From a security point of view, the Aegis Padlock SSD conforms to FIPS 140-2 hardware data protection and features real-time hardware AES-XTS 256-bit encryption. No host software is required on any device to access the data, so this drive can run on pretty much any system. In addition to PIN codes for access, you can add an admin PIN, PINs for read-only access, and even a self-destruct PIN. It also features built-in hardware brute-force protection for added security.

    Another great feature is that this drive is 100% bus-powered, so there are no power supplies to carry and no internal batteries to keep charged up. The drive also features a rugged built-in USB-A cable. This drive is also no performance slouch and is capable of read and write speeds of up to 230MB/s.

    On top of all that, you get a three-year warranty.

    Prices start at $177.

  •

    Google's new tool helps you find abandoned cloud projects and delete them

    Google’s Unattended Project Reminder feature has moved to a public preview. It aims to improve cloud utilization and address security issues caused by forgotten old cloud-computing projects that shouldn’t be around anymore. Unattended Project Reminder, a part of Google Cloud’s Active Assist, could be useful in reducing security risks by finding those old initiatives, such as a prototyping project, that no longer require network access, cloud resources, or supported APIs. 

    Google developed the feature through 2021 as part of a prototype aimed at cleaning up internal projects that were unattended. According to Google Cloud, Google’s internal security team had had the issue of unattended projects on its radar for some time, so the two teams started searching for unattended cloud projects within the “google.com” organization. Despite being a good idea, Google ran into detection problems because it was difficult to use signals — such as API, network and user activity — to tell the difference between a genuinely unattended project and a project that intentionally has a low level of activity. The risks include misidentifying a project as unattended and accidentally deleting a component that was essential to a production workload, thus inadvertently causing permanent data loss. But the benefits include reducing cloud bills for unnecessary resources and reducing configuration issues, such as open firewalls or privileged service account keys that attackers can exploit to get hold of your cloud resources for cryptocurrency mining or to steal data.

    “These security risks tend to grow over time because the latest best practices and patches are usually not applied to unattended projects,” Google said. To address these issues, it worked with customers using real-life data to find thousands of unattended projects.

    Key signals that Unattended Project Reminder uses include API activity (such as service accounts with authentication activity and API calls consumed), networking activity, billing activity, user activity, and cloud services usage (such as active VMs, BigQuery jobs, and storage requests). “Based on these signals, it can generate recommendations to clean up projects that have low usage activity (where “low usage” is defined using a machine learning model that ranks projects in your organization by level of usage), or recommendations to reclaim projects that have high usage activity but no active project owners,” explain Google Cloud product managers Dima Melnyk and Bakh Inamov.

    Insights and recommendations can be sent automatically via email or chat messages to project owners. Admins have a recovery option for accidentally removed projects: the recovery period is 30 days. However, Google notes some resources, such as Cloud Storage or Pub/Sub resources, are deleted before the 30-day period ends and may not be fully recoverable.

    French sporting goods retail giant Decathlon used the feature to delete 775 projects. “And no one complained,” said Adeline Villette, Decathlon’s cloud security officer. French utility Veolia and US file storage firm Box trialled the technology to reduce the number of unattended projects they were respectively supporting.
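    The signal categories above can be turned into a simple ranking that shows how “low usage” as a relative threshold separates abandoned projects from intentionally quiet ones, and why a project with heavy usage but no active owner is a reclaim case rather than a deletion case. The Python below is an added example, not Google’s Active Assist code: it stands in for the machine learning model with a weighted log-scaled score, the weights and the 25% cut-off are assumptions, and every project record in it is constructed.

```python
"""Rank cloud projects by activity signals and recommend cleanup or reclaim.

Added example, not Google's Active Assist code. It uses the signal categories
the article lists (API, networking, billing, user and service activity) and
stands in for Google's machine learning ranking with a weighted log-scaled
score plus a relative threshold. Weights, the 25% cut-off and every project
record below are constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

RECOVERY_DAYS = 30  # from the article: deleted projects can be recovered for 30 days


@dataclass(frozen=True)
class ProjectSignals:
    project_id: str
    api_calls: int       # API calls consumed in the observation window
    net_bytes: int       # network ingress + egress
    billed_usd: float    # spend in the window
    user_logins: int     # human logins (console, CLI)
    active_vms: int      # running VMs at the end of the window
    owners_active: bool  # at least one project owner still has an active account


# Constructed sample organisation: two production projects, one forgotten
# hackathon project, a stale prototype, a quiet-but-alive batch job, a sandbox.
SAMPLE_PROJECTS: List[ProjectSignals] = [
    ProjectSignals("prod-payments", 5_000_000, 8_000_000_000, 4200.0, 60, 24, True),
    ProjectSignals("prod-search", 900_000, 2_000_000_000, 1100.0, 12, 8, False),
    ProjectSignals("hackathon-2019", 0, 0, 0.3, 0, 0, False),
    ProjectSignals("prototype-ml", 40, 10_000, 2.0, 0, 1, True),
    ProjectSignals("batch-nightly", 3_000, 50_000_000, 35.0, 0, 0, True),
    ProjectSignals("dev-sandbox", 20_000, 300_000_000, 90.0, 5, 2, True),
]

# Assumed weights: human logins count most, raw network volume least.
WEIGHTS = {"api_calls": 1.0, "net_bytes": 0.5, "billed_usd": 1.0,
           "user_logins": 1.5, "active_vms": 1.0}


def usage_score(p: ProjectSignals) -> float:
    """Weighted sum of log-scaled signals.

    log1p keeps a single huge counter (billions of bytes) from swamping the rest,
    so a project with no human logins but steady API and billing activity, the
    'intentionally quiet' case the article says made detection hard, still
    scores well above a truly dead project.
    """
    return sum(w * math.log1p(getattr(p, name)) for name, w in WEIGHTS.items())


def recommend(projects: List[ProjectSignals], low_usage_fraction: float = 0.25) -> Dict[str, str]:
    """Map project_id -> recommendation for projects that need attention.

    'Low usage' is relative to the organisation: the bottom low_usage_fraction of
    projects by score. High-usage projects without an active owner are flagged
    for reclaim (reassign ownership) rather than deletion.
    """
    ranked = sorted(projects, key=usage_score)
    n_low = max(1, int(len(ranked) * low_usage_fraction + 0.5))
    low_ids = {p.project_id for p in ranked[:n_low]}
    out: Dict[str, str] = {}
    for p in projects:
        if p.project_id in low_ids:
            out[p.project_id] = (f"cleanup: low usage; recoverable for {RECOVERY_DAYS} days, "
                                 "but Cloud Storage and Pub/Sub data may be gone sooner")
        elif not p.owners_active:
            out[p.project_id] = "reclaim: active usage but no active project owner"
    return out


if __name__ == "__main__":
    for p in sorted(SAMPLE_PROJECTS, key=usage_score):
        print(f"{p.project_id:15s} score={usage_score(p):6.2f}")
    for project_id, action in recommend(SAMPLE_PROJECTS).items():
        print(project_id, "->", action)
```

    With the constructed data, the forgotten hackathon project and the stale prototype fall into the low-usage band, the nightly batch job with no human logins does not (its API and billing activity keep it above the cut-off), and the production project whose owners have left is reported for reclaim rather than deletion. Whatever scoring is used, the 30-day recovery window is the safety net for a wrong call, with the caveat the article notes that some resource types are purged before it ends.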

  •

    Google extends COVID Card vaccination certificate to Australia

    Google last week announced extending its COVID Card feature to Australia, allowing Android users to access vaccination information on their device. Google said it worked with Services Australia to give “a convenient and secure way to view, save, and show your vaccination status and information, straight from your smartphone”. The information will show in the vaccination passport once a second dose has been administered.

    According to Google, vaccine information is only stored on the user’s device and not stored by Google. However, when adding the certificate to Google Pay, users are prompted to confirm they agree to their data being stored offshore. “If you add your COVID-19 digital certificate to Google Pay, others with access to this device will be able to view the certificate. It’s your responsibility to keep your certificate secure,” the prompt says. “By selecting ‘Accept’, you provide consent for the Australian government to share the information contained in your COVID-19 digital certificate with Google for Google Pay who will store it on servers outside of Australia.

    “A copy of your certificate may also be stored on servers outside of Australia if you have other cloud applications stored on your device to backup your data.”

    When asked about the storing of data offshore, Services Australia said the COVID-19 digital certificate would be entirely optional for Australians. “Once provided to the individual, it is their choice as to how they use and store it,” a spokesperson for Minister Linda Reynolds told ZDNet. “This includes accessing the certificate via government apps, or downloading it to their phone, or storing it in their digital wallet.” The spokesperson confirmed the certificate was accessible without using the digital wallet storage option. “We know Australians are increasingly using digital wallets so people can choose to store their certificate in this way, if it suits them,” they continued. “Users are informed that the Apple or Google digital wallet utilises offshore storage before agreeing to use the service.”

    In its Secure Cloud Strategy, the Digital Transformation Agency (DTA) said entities operating in Australia must comply with Australian Privacy Principles (APP) when storing data on Australians. “The Privacy Act does not prevent an Australian Privacy Principle (APP) entity from engaging a cloud service provider to store or process personal information overseas. The APP entity must comply with the APPs in sending personal information to the overseas cloud service provider, just as they need to for any other overseas outsourcing arrangement,” it said. When asked if it had any concerns with the certificate information being stored offshore, the DTA said it was a question for Services Australia. Google is also yet to return a comment.

    Users can access their vaccination certificate via the Express Plus Medicare app or via the Medicare portal of the MyGov website, with the option to select “view your COVID-19 digital certificate” and “Save to Phone” to do just that. “For added convenience, you can access your vaccine information even when you’re offline, which means you do not need mobile or Wi-Fi connection,” Google added. “If you have the Google Pay app on your Android phone, you can also access the certificate from the same place where you access your other cards and other passes.” Every time a user accesses their certificate, they will be asked for the password, PIN, or biometric method that has been set up.

    As of 9pm AEST 8 August 2021, there were just over 4,700 active cases of COVID-19 in Australia, with a total of 36,330 cases since January 2020. Stay-at-home orders continue to be in place around the country, with a majority of the population of New South Wales under lockdown since June 25. In a bid to speed up the process of checking into venues and managing check-in history, the NSW government on Monday announced a new COVID-19 check-in card, as well as updates to the Service NSW app. Minister for Digital and Customer Service Victor Dominello said customers would soon be able to register for a COVID-19 check-in card which they could present to supermarkets and other essential retail businesses to scan as a faster and safer way to complete the self-service webform check-in or paper sign-in currently used by customers without a smartphone. Customers can download and print their COVID-19 check-in card or have a plastic card mailed to them. Their contact details will be stored within the QR code, which will prepopulate the webform when scanned by the business. As the Service NSW app gives users the option for face biometrics to be used when logging in — a task made difficult with mandatory mask requirements — the government has also extended the log-in period to four hours.

    Australian Electoral Commission is seeking a new Senate ballot scanning solution

    The Australian Electoral Commission (AEC) has gone to tender for an “end-to-end” digital ballot scanning solution, hoping to have something in place for the 2021/22 election. Specifically, the AEC said it requires a solution to digitise all Senate ballot papers, which includes capturing the preferences and metadata, completed in a federal election.

    “It is estimated this will be in the order of 16 million ballot papers for the 2021/2022 event and will grow by 5 to 10% for each federal electoral event after that,” it adds in the market notification published over the weekend. “Given the size and complexity of the project and operational phase, the AEC’s preference is to purchase an end to end solution.”

    Senate ballot paper digitisation must be completed by no later than 27 calendar days after election day and the first ballot papers will be available for scanning from the Tuesday after election day. The Senate ballot papers must be processed in the state for which the Senate ballot paper has been returned.

    “The process for the digitisation of Senate ballot papers will start once the division has finished their processing of the Senate ballot papers,” it said. “AEC is open to solutions as suggested by the provider as to the location(s) of the digitisation solution in each state and territory.”

    As detailed in the market notification, the successful provider must design, develop, test, build, implement, and support an accurate and secure digitisation solution for the AEC to facilitate the count of Senate ballot papers for an electoral event in compliance with the Commonwealth Electoral Act 1918. The solution must be able to process and export the data from approximately 16 million ballot papers within 27 days from election day.

    As part of the end-to-end mandate, the provider will be responsible for the development and implementation of the solution, including project management, business analysis, design, and build. The digitisation solution, the AEC said, must protect all data when it is at rest and when it is in transit, and adhere to all security requirements as outlined by the Australian Cyber Security Centre (ACSC).

    The AEC in 2018 handed Fuji Xerox Businessforce a two-year, AU$27 million contract to provide a ballot scanning system for the then-upcoming federal election. That system was “very similar” to the one used for the 2016 federal election, which the Australian National Audit Office (ANAO) called out for lacking on the security front.

    In particular, the ANAO said AEC ditched compliance with Australian government IT security frameworks and said insufficient attention was paid to assuring the security and integrity of the data generated both during and after operation, as the focus was on delivering a Senate scanning system by polling day — 12 weeks out from the election.

    AEC commissioner Tom Rogers said he was satisfied with the risks that the AEC accepted ahead of its go-live. One of the concerns raised with Rogers was that Fuji Xerox Businessforce was handed the contract not through conducting a public tender, but rather the AEC used an existing standing deed of offer with Fuji Xerox.

    During Senate Estimates in May, Rogers was questioned on the ballot scanning process. “The process is that data is manually entered, and that’s matched with the automated process,” he said. “All paper is scanned when it first arrives, and, from that image, which is an image, that data is then entered, and then the data from the scan is then compared with that to make sure that they match. Where they don’t match, we undertake further processes.”

    It captures an image, Rogers said, and that image is then presented to the data entry operator, who enters the data from that image. “At the same time, the data-capture process — as part of capturing the image — is then compared with that manual process. Where that matches, that’s taken to be an accurate match and it’s included in the count. Where it doesn’t match, we undertake further processes,” he continued.

    The AEC was asked about its security posture at the Senate Estimates prior, with Rogers dismissing the proposal to allow a non-government researcher to conduct a security audit on its systems. At the time, he said the AEC works with a range of partners, including the ACSC, and that the agency has had its internal code audited and checked to assure that its systems are running smoothly.

    Closing day for indication of interest is 16 August 2021.

    The Department of Foreign Affairs and Trade (DFAT) has also approached the market this week, seeking the delivery of a threat intelligence platform and cyber threat intelligence services.

    “The procurement is to include strategic, operational, and tactical cyber threat intelligence products/services to be integrated into the provided Threat Intelligence Platform, to allow the department to detect and manage threats posed by malicious actors against the government sector and the department itself; enable the department to search, explore, and investigate threats and vulnerabilities, including its IP addresses, domains, brands, supply chain or technology stack; and request custom threat intelligence products on an ad hoc basis,” it wrote in the request for quote.

    For the threat intelligence platform, DFAT is seeking a vendor to provide a service, either cloud-based or on-premise, for the purposes of ingesting cyber threat intelligence feeds, with the intention of using it for the management of cyber threat intelligence. The tender closes 27 August 2021.


    ACCC hauls Telstra, Optus, and TPG to court on alleged misleading NBN FttN speed claims

    An NBN FttN node getting a Nokia line card installed (Image: Corinne Reichert/ZDNet)
    The Australian Competition and Consumer Commission (ACCC) began proceedings in Federal Court on Monday against the nation’s three biggest telcos: Telstra, Optus, and TPG. The consumer watchdog is alleging the trio made false representations to consumers over being able to test lines to determine the maximum speed on fibre-to-the-node connections, notify the customer of test results, and offer remedies if a line was performing below the speed the telco sold it as.

    The ACCC also said it was alleging that the trio “wrongly accepted payments” from customers for NBN plans when they could not receive promised speeds. It has put the number of impacted customers in the “hundreds of thousands” range. The watchdog said the telcos did not have “adequate systems” in place to complete the speed tests, notifications, and remedies process.

    “Telstra, Optus and TPG each promised to tell consumers within a specific or reasonable timeframe if the speed they were paying for could not be reached on their connection. They also promised to offer them a cheaper plan with a refund if that was the case,” ACCC chair Rod Sims said. “Instead, we allege, they failed to do these things, and as a result many consumers paid more for their NBN plans than they needed to.”

    The statements made by the telcos were on telco websites and emails from the start of April 2019 to the end of April 2020 for Telstra and TPG, and covering calendar year 2019 for Optus.

    The investigation kicked off after Telstra self-reported parts of its conduct to the ACCC. “It is important that internet providers like Telstra, Optus and TPG give their customers accurate information so they can make an informed choice about the service that best suits their needs and budget,” Sims said. “We are pleased that Telstra, Optus and TPG have promised to compensate consumers even before the court case is finalised.”

    The ACCC said it would be asking the court for orders including declarations, injunctions, pecuniary penalties, publication orders, and the implementation of compliance programs.

    TPG said in a statement it would be “making things right” with its impacted customers who never received a maximum attainable speed notice. “For the oversight, we are sorry,” a company spokesperson said. “There were two key contributing factors to this issue. The first was failure by NBN Co to provide timely and accurate speed information to TPG Internet. The second was anomalies in TPG Internet’s legacy processes in place since 2017, and these have been fixed post-merger.” TPG added its intent was not to avoid obligations, and of its 2 million customers, “only a small percentage” did not receive information.

    OAIC opens investigation into Optus White Pages privacy breach

    The Office of the Australian Information Commissioner (OAIC) has opened an investigation into Optus, following concerns the company breached the data of individuals by publishing their information in the White Pages. The OAIC is investigating Singtel Optus Pty Ltd (Optus) under the Privacy Act 1988. It said the investigation follows preliminary inquiries by the OAIC into data breaches involving publication of Optus customer details in the White Pages, when individuals had asked for their details not to be published. “The public disclosure of personal information against the wishes of individuals may have the potential to cause harm,” it wrote.

    In 2019, Optus confirmed that customer details were published on Sensis White Pages. Around 50,000 customers were told by the telco that their name, address, mobile, and home phone numbers were published. Optus at the time said around 40,000 were new customers who were already listed. “The majority of the affected customers’ details were already listed with Sensis prior to joining Optus,” a spokesperson told ZDNet at the time. “As a priority, Optus arranged for Sensis to remove customer details from their online website directory, operator-directory assistance, and any future printed editions of directories.” The company said it had “notified and apologised” to impacted customers. The breach was discovered by Optus during a routine audit of 10 million customers.

    The OAIC accepted an enforceable undertaking from ARC Mercantile back in 2016 following a breach of personal customer data which occurred when an ARC employee posted a spreadsheet of customers owing money to Optus on Freelancer.com. “Optus takes the protection of customer data and privacy seriously,” an Optus spokeswoman told ZDNet in a statement at the time.

    On Friday, Australian Information Commissioner and Privacy Commissioner Angelene Falk had her post extended for another three years. “Since her appointment in 2018, Ms Falk has effectively led the Office of the Australian Information Commissioner,” a statement from Australia’s Attorney-General said. “She has worked to increase the Australian public’s trust and confidence in the protection of personal information by promoting the understanding of privacy issues and effectively resolving privacy complaints and investigations.”