More stories

    Swinburne University confirms over 5,000 individuals affected in data breach

    Swinburne University of Technology has confirmed personal information on staff, students, and external parties had inadvertently made its way into the wild. It said it was advised last month that information of around 5,200 Swinburne staff and 100 Swinburne students was available on the internet.

    This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available. The information made available was name, email address, and, in some cases, a contact phone number.

    “We took immediate action to investigate and respond to this data breach, including removing the information and conducting an audit across other similar sites,” the university said in a statement on Friday. “We sincerely apologise to all those impacted by this data breach and for any concerns this has caused.”

    Swinburne said it is currently in the process of contacting all individuals whose information was made available to apologise to them and offer appropriate support.

    “We are also contacting around 200 other individuals not connected to Swinburne who had registered for the event and whose information was also made available,” it said.

    The breach has been reported to the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner (OVIC), the Tertiary Education Quality and Standards Agency (TEQSA), and the Victorian Education Department.

    The higher education sector in Australia could soon find itself considered as systems of national significance, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

    The Group of Eight (Go8), comprising eight Australian universities, believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.

    “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said in February.

    The Go8 comprises the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia.

    Swinburne made its own views available to the committee probing the Bill in February, saying that the cost of positive security obligations and enhanced cybersecurity measures for assets deemed to be systems of national significance would be difficult for universities to absorb, given the current funding situation and decrease in income from international student enrolments.

    “Therefore, the Commonwealth must ensure that universities are adequately funded to meet their responsibility of providing quality education and respond to these new security requirements,” it wrote [PDF]. “While security from foreign interference is of paramount importance, equally important is the economic security provided by having a robust tertiary sector. We recommend that the government work closely with the sector to ensure that the legislation has minimal impact on essential university operations.”

    The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June. The hackers gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.

    Then there was Melbourne’s RMIT University, which in February responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.

    At a recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the national security risks affecting the Australian higher education and research sector, discussions around the two security incidents were used by Home Affairs representatives to justify the inclusion of higher education and research in the Critical Infrastructure Bill.

    AUSTRALIA ALSO BLAMES RUSSIA FOR SOLARWINDS HACK

    Elsewhere, the Australian government has joined international partners in holding Russia to account for its cyber campaign against US software firm SolarWinds. Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting COVID-19 research facilities, and more, according to the United States and the United Kingdom.

    The US accusation comes in a joint advisory by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, which also describes ongoing Russian Foreign Intelligence Service exploitation of five publicly known vulnerabilities in VPN services. The UK has also attributed the attacks to the Russian intelligence service.

    “In consultation with our partners, the Australian government has determined that Russian state actors are actively exploiting SolarWinds and its supply chains,” a statement from Minister for Foreign Affairs Marise Payne, Minister for Defence Peter Dutton, and Minister for Home Affairs Karen Andrews said. “Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security, and public safety. Australia condemns such behaviour.”

    The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies.

    “Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector,” Australia’s statement continued.

    Updated 16 April 2021 at 3:20pm AEST: Added Australian attribution of SolarWinds breach to Russia.

    Google Project Zero testing 30-day grace period on bug details to boost user patching

    Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that incorporates a 30-day grace period to give users time to install patches before technical details are revealed.

    The project is keeping its famous 90-day disclosure period intact for vulnerabilities that remain unpatched. However, if a patch appears within the disclosure period, the technical details will appear 30 days after the patch is released.

    For in-the-wild exploits, disclosure will occur a week after notification, along with technical details if unfixed. If a patch is released in the 7-day notification window, the technical details will appear 30 days later. Vendors will now be able to ask for a 3-day grace period.

    In rare instances where Project Zero has granted vendors a fortnight’s grace on disclosure, or the new 3-day period for in-the-wild exploits, that period will use up part of the 30-day grace on technical details.

    Last year, Project Zero introduced a policy where it gave vendors a complete 90-day window before it disclosed exploits. That shift was also made in an effort to boost user patching, but it was far from successful.

    “The idea was if a vendor wanted more time for users to install a patch, they would prioritise shipping the fix earlier in the 90-day cycle rather than later,” Project Zero manager Tim Willis wrote.

    “In practice, however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn’t clearly understood.”

    Willis said the new 90+30-day system will start to be dialled down in the future, but the policy would need to start with deadlines that can be met by vendors.

    “Based on our current data tracking vulnerability patch times, it’s likely that we can move to an ‘84+28’ model for 2022 (having deadlines evenly divisible by seven significantly reduces the chance our deadlines fall on a weekend),” he said.

    “Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks.

    “Disclosure policy is a complex topic with many trade-offs to be made, and this wasn’t an easy decision to make.”
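    The timing rules described above amount to a small decision procedure, and it is easy to misread how a granted extension eats into the 30-day details window. The Python function below is an added example, not Project Zero’s own tooling, that computes the deadline and the technical-details date for a hypothetical report under the 90+30 model exactly as the article lays it out (90 or 7 days to the deadline, 30 days of grace after a timely patch, 14- or 3-day extensions deducted from that grace). All dates in it are constructed sample values.

```python
from datetime import date, timedelta
from typing import Optional

# Policy parameters as the article describes them (all in days).
STANDARD_DEADLINE = 90    # unpatched bugs are disclosed 90 days after notification
STANDARD_EXTENSION = 14   # the rare fortnight's grace on a standard deadline
ITW_DEADLINE = 7          # in-the-wild exploits are disclosed a week after notification
ITW_EXTENSION = 3         # the 3-day grace vendors may request for in-the-wild bugs
DETAILS_GRACE = 30        # technical details follow a timely patch by 30 days


def disclosure_plan(notified: str, patched: Optional[str] = None,
                    in_the_wild: bool = False, extension_granted: bool = False) -> dict:
    """Work out when a report's deadline falls and when technical details go public.

    Dates are ISO strings (YYYY-MM-DD) so the function is easy to drive from a
    tracker export or a test.

    notified          -- day Project Zero notified the vendor
    patched           -- day a fix shipped, or None if nothing has shipped yet
    in_the_wild       -- True if the bug was being exploited when reported
    extension_granted -- True if the vendor was granted the 14-day (standard)
                         or 3-day (in-the-wild) grace period
    """
    notified_day = date.fromisoformat(notified)
    patched_day = date.fromisoformat(patched) if patched else None

    base = ITW_DEADLINE if in_the_wild else STANDARD_DEADLINE
    extension = 0
    if extension_granted:
        extension = ITW_EXTENSION if in_the_wild else STANDARD_EXTENSION
    # For in-the-wild bugs this is the day existence is disclosed regardless of a fix;
    # for standard bugs it is the day an unfixed bug is fully disclosed.
    deadline = notified_day + timedelta(days=base + extension)

    if patched_day is None or patched_day > deadline:
        # No timely fix: the technical details are published at the deadline.
        return {"deadline": deadline.isoformat(),
                "details": deadline.isoformat(),
                "status": "unpatched at deadline"}

    # A timely fix buys users time to update before details appear, but any
    # extension already granted is taken out of that 30-day window.
    details = patched_day + timedelta(days=DETAILS_GRACE - extension)
    return {"deadline": deadline.isoformat(),
            "details": details.isoformat(),
            "status": "patched in time"}


if __name__ == "__main__":
    notified = "2021-04-15"  # constructed sample notification date
    scenarios = [
        ("standard bug, patched on day 30", disclosure_plan(notified, "2021-05-15")),
        ("standard bug, 14-day extension, patched on day 30",
         disclosure_plan(notified, "2021-05-15", extension_granted=True)),
        ("standard bug, never patched", disclosure_plan(notified)),
        ("in-the-wild bug, patched on day 5, 3-day extension",
         disclosure_plan(notified, "2021-04-20", in_the_wild=True, extension_granted=True)),
    ]
    for label, plan in scenarios:
        print(f"{label}: deadline {plan['deadline']}, details {plan['details']} ({plan['status']})")
```

    Running it shows the trade-off Willis describes: a vendor that patches on day 30 gets details withheld until day 60, but taking the fortnight’s extension first shortens the post-patch window from 30 days to 16.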

    OWC partners with Acronis to protect your backups from ransomware attacks

    If you’re a pro Mac user, you’ll likely know the OWC name. OWC has been the go-to place for RAM and storage upgrades, or for docks and external storage devices. Today, OWC announced that it would make Acronis True Image OEM software available on OWC storage solutions that include SoftRAID.

    The addition of Acronis True Image OEM will make sure that when users make a backup of their system onto an OWC external storage system, a reliable copy of data is made ready in case it is needed for a speedy recovery. But making and maintaining a backup means making sure that malware doesn’t make it onto the system.

    “OWC has partnered with Acronis to bring the number one personal backup software to your workflow along with industry-leading antimalware protection,” said Larry O’Connor, CEO and Founder of OWC. “Adding Acronis True Image Technology to our OWC storage solutions is truly amazing. This partnership will tremendously add to our customers feeling their data is safe and protected for years to come.”

    You also want to make sure that your backup doesn’t fall victim to ransomware and cryptojacking. To combat this, Acronis True Image OEM features AI-enhanced anti-ransomware technology, called Acronis Active Protection, which uses behavioral heuristics to be on the lookout for ransomware and cryptojacking attacks in real time.

    The solution is battle-tested, stopping more than 600,000 ransomware attacks last year alone. Acronis True Image OEM will be shipped with OWC storage solutions on MacSales.com.

    Microsoft rolls out Edge 90, with new history search, Kids Mode, to mainstream users

    Microsoft is rolling out its latest version of its new Edge browser to mainstream users today, April 15, the same day Google is rolling out Chrome 90. Microsoft’s Edge 90 includes a number of new features, including new history-search options and Kids Mode, which have been in testing for the last few months.

    Password Monitor, which is meant to protect users’ passwords by notifying them if their credentials have been compromised, is also considered part of the Edge 90 rollout. Microsoft began rolling out Password Monitor in January 2021 as part of Edge 88, but as of Edge 90, it is now available to all users.

    Other new features that are part of Edge 90, according to Microsoft’s Edge “What’s Next” page, include support for TLS token binding for policy-configured sites; a “current page” option for printing PDF documents; the ability to bulk-delete passwords; improvements to font rendering; and synced browser-history support for history search. As of version 90, Edge also supports easier search terms so customers can search their browsing history in their own words with terms like “news articles from last week,” officials said.

    Kids Mode is a browsing mode designed specifically for kids ages five to eight and nine to 12. This new mode includes “guardrails” meant to steer kids away from inappropriate content via a built-in allow list and Bing SafeSearch, with tracking prevention automatically set to Strict. Parents can review and make changes to the allowed content from their Edge Settings.

    SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack

    Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting Covid-19 research facilities and more, according to the United States and the United Kingdom.

    The US accusation comes in a joint advisory by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), which also describes ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities in VPN services. The UK has also attributed the attacks to the Russian intelligence service.

    The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies including FireEye and Mimecast.

    Now the US has publicly attributed the SolarWinds attacks to Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes by cybersecurity researchers), along with additional campaigns, including malware attacks targeting facilities behind Covid-19 vaccine development.

    The five vulnerabilities being targeted by cyber attackers are:

    Security patches are available to fix each of the vulnerabilities, and organisations yet to apply them to their network are urged to do so as soon as possible in order to prevent further attacks.

    “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” said the cybersecurity advisory.

    Sanctions

    The attribution of the SolarWinds attack comes as the Biden administration issued sanctions against Russia in response to what’s described as “harmful activities by the Government of the Russian Federation”. The financial sanctions specifically mention “malicious” cyber activities by Russian actors, including the SolarWinds cyber attack.

    The UK has also called out the attacks targeting SolarWinds, and is urging organisations to take note, with the National Cyber Security Centre (NCSC) assessing that it’s highly likely the SVR was responsible for gaining unauthorised access to SolarWinds ‘Orion’ software.

    “The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action,” said Foreign Secretary Dominic Raab.

    A recent alert by the UK’s National Cyber Security Centre (NCSC) warned users who hadn’t yet applied the security patch for the Fortinet FortiGate vulnerability, released in 2019, to assume their network has been compromised by cyber attackers and to take the appropriate action necessary.

    Google backs effort to bring Rust to the Linux kernel

    After bringing support for the systems programming language Rust to Android, Google is now looking to bring it to the Linux kernel to reduce security flaws. As Google explained last month, Rust (a language that emerged from Mozilla) provides memory safety guarantees to the Android operating system, which has historically been written in C and C++. Google is targeting Rust at new Android code, rather than rewriting the millions of lines of existing code in Rust.

    Now it’s time to move onto the Linux kernel that underlies Android. As ZDNet’s open source authority Steven J. Vaughan-Nichols reported last month, Linux kernel developers think it makes sense to write new parts of the kernel in Rust rather than rewriting the entire Linux kernel, which contains over 30 million lines of code largely written in C.

    “We feel that Rust is now ready to join C as a practical language for implementing the kernel. It can help us reduce the number of potential bugs and security vulnerabilities in privileged code while playing nicely with the core kernel and preserving its performance characteristics,” explains Wedson Almeida Filho of Google’s Android Team.

    Filho notes that the density of memory safety bugs in the Linux kernel is quite low. However, when they do occur, the Android security team generally considers them high-severity flaws. To show where Rust can benefit Linux kernel developers, Google has developed an example driver called ‘semaphore’.

    “How Rust can assist the developer is the aspect that we’d like to emphasize,” notes Filho. “For example, at compile time it allows us to eliminate or greatly reduce the chances of introducing classes of bugs, while at the same time remaining flexible and having minimal overhead.”

    Linux kernel developer Miguel Ojeda this week released a request for comments (RFC) to the Linux mailing list outlining a proposal for a second language in the kernel along with several patches for the Linux kernel written in Rust. Ojeda also set up the Rust for Linux group, which Google’s Android Team has also joined.

    “We know there are huge costs and risks in introducing a new main language in the kernel. We risk dividing efforts and we increase the knowledge required to contribute to some parts of the kernel,” writes Ojeda. “Most importantly, any new language introduced means any module written in that language will be way harder to replace later on if the support for the new language gets dropped. Nevertheless, we believe that, even today, the advantages of using Rust outweigh the cost.”

    As noted by Phoronix, Linux kernel creator Linus Torvalds has already raised some concerns with Rust, although he also said that “on the whole I don’t hate it.” However, Torvalds added that “the ‘run-time failure panic’ is a fundamental issue”.

    Filho explained that, since Rust is new to the kernel, there is an opportunity to improve processes and documentation.

    “For example, we have specific machine-checked requirements around the usage of unsafe code: for every unsafe function, the developer must document the requirements that need to be satisfied by callers to ensure that its usage is safe; additionally, for every call to unsafe functions (or usage of unsafe constructs like dereferencing a raw pointer), the developer must document the justification for why it is safe to do so,” writes Filho.

    Rust, which only reached 1.0 in 2015, appears to be gaining traction with developers. AWS, Huawei, Google, Microsoft, and Mozilla are backing the Rust Foundation, which launched in February. It’s believed Shane Miller, AWS senior engineering manager, has been elected the first chairperson of the foundation.

    Google releases Chrome 90 with HTTPS by default and security fixes

    Google has just released Chrome version 90, bringing a privacy update that automatically adds HTTPS to a URL when it is available. Chrome engineers flagged the HTTPS feature in February and Google has been testing it in Chrome 90 previews in the Canary and Beta channels. Additionally, Chrome 90 blocks downloads from HTTP sources if the page URL is HTTPS.

    Google explained in a blog post last month that the HTTPS default should help when users type “example.com” instead of “https://example.com”. Chrome previously used http:// as the default protocol, but now defaults to https://. It should also speed up page loads, since Chrome connects directly to the HTTPS endpoint without needing to be redirected from http:// to https://.

    Chrome 90 also brings the first ‘on/off’ controls for Google’s Privacy Sandbox, which includes as part of its design Google’s controversial FLoC identifier replacement for third-party cookies that rival browsers Brave and Vivaldi have disabled.

    “With the Chrome 90 release in April, we’ll be releasing the first controls for the Privacy Sandbox (first, a simple on/off), and we plan to expand on these controls in future Chrome releases, as more proposals reach the origin trial stage, and we receive more feedback from end users and industry,” Google announced in January.

    Besides these updates, Chrome 90 includes 37 security fixes. External researchers reported six high-severity issues, 10 medium-severity flaws, and three low-severity flaws.

    This release of Chrome also ships with the AV1 encoder with better support for WebRTC video-conferencing applications, like Duo, Meet, and Webex. Google notes that AV1 offers better screen-sharing capabilities than VP9 and other codecs. It also enables video for users on low-bandwidth networks, for example at 30kbps and lower.

    Australian government prefers education over prosecution to deter cyberbullying

    The federal government has said it is taking a comprehensive approach to cyberbullying by pursuing a range of measures, and considers that education, victim support, and civil avenues are just as important as recourse to criminal law to effectively address cyberbullying.

    The comments were made in its response to a report on the adequacy of existing cyberbullying laws tabled by the Senate Legal and Constitutional Affairs Committee on 28 March 2018. The report [PDF] made nine recommendations. Three years later, the government “supported in principle” five of them, “supported” a further three, and the remaining one was “noted”.

    The committee was charged with looking into the adequacy of existing offences in the Commonwealth Criminal Code and of state and territory criminal laws to capture cyberbullying. Among its recommendations was the request that social media platforms be held to more account by the Australian government than they were in 2018.

    In its response [PDF], the government focused on existing measures, and education, as being sufficient to tackle the issue of cyberbullying.

    “Early intervention measures such as education, harm minimisation, and encouraging the safe and responsible use of technology are proactive measures that can prevent cyberbullying conduct escalating to criminal behaviour and prevent or minimise the harm resulting from cyberbullying incidents,” it wrote.

    “The targets of online abuse and bullying should not be forced offline. Instead, technology platforms, governments, and other users must all play a part in making the internet safe.”

    The government was asked by the committee to consult state and territory governments, non-government organisations, and other relevant parties with the goal of developing a clear definition of cyberbullying. In its response, it pointed to a definition decided on by the Council of Australian Governments (COAG) Bullying and Cyberbullying Senior Officials Working Group:

        Bullying is an ongoing and deliberate misuse of power in relationships through repeated verbal, physical and/or social behaviour that intends to cause physical, social and/or psychological harm. It can involve an individual or a group misusing their power, or perceived power, over one or more persons who feel unable to stop it from happening. Bullying can happen in person or online, via various digital platforms and devices and it can be obvious (overt) or hidden (covert). Bullying behaviour is repeated, or has the potential to be repeated, over time (for example, through sharing digital records). Bullying of any form or for any reason can have immediate, medium and long-term effects on those involved, including bystanders. Single incidents and conflict or fights between equals, whether in person or online, are not defined as bullying.

    The Working Group recommended this definition be used by all schools and promoted to relevant stakeholders, it said.

    The second recommendation asked the government to approach cyberbullying primarily as a social and public health issue. At the same time, it asked the government to consider how it can further improve the quality and reach of preventative and early intervention measures, including education initiatives to reduce the incidence of cyberbullying among children and adults. The government pointed to the Keeping our Children Safe Online package overseen by the eSafety Commissioner as addressing this concern, as well as the Online Safety Act and a probe of the use of mobile devices in schools.

    Another recommendation made by the committee, and supported by the government, is the consideration of increasing the maximum penalty for using a carriage service to menace, harass, or cause offence under section 474.17 of the Criminal Code Act 1995 from three years’ imprisonment to five years’ imprisonment. The Online Safety Bill increases this threshold.

    “Cyberbullying, sexting, and other anti-social online behaviours are increasingly engaged in by children and young people. As a result, there is a risk that any new offences or penalties for cyberbullying will disproportionately apply to children, while not necessarily addressing the underlying causes of cyberbullying, or preventing the harm that it causes to victims,” the government wrote. “Criminal sanctions for minors, in particular, should generally be an option of last resort.”

    Further, it said section 474.17 of the Criminal Code has been successfully applied to the prosecution of cyberbullying, including behaviour such as: posting offensive and abusive comments on Facebook tribute pages of deceased children; sending taunting and abusive messages on social media, and posting photos on Instagram with offensive commentary concerning a victim; and, in the context of underage grooming, posting inappropriate commentary and manipulative and threatening comments on Facebook accounts of underage girls.

    The Australian House of Representatives last month agreed to the country’s new Online Safety Act that would hand the eSafety Commissioner powers to order the removal of material that seriously harms adults and hold platforms accountable to a set of yet to be determined basic online safety expectations.

    The Online Safety Bill 2021 contains six key priority areas: a cyberbullying scheme to remove material that is harmful to children; an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; basic online safety expectations for the eSafety Commissioner to hold services accountable; an online content scheme for the removal of “harmful” material through take-down powers; and an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material.

    Waved through simultaneously, the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021, meanwhile, repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act. The Bill was given the nod despite testimony from tech companies and civil liberties groups that the legislation was “rushed”.

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP, CONTACT ONE OF THESE SERVICES:
    Suicide Call Back Service on 1300 659 467
    Lifeline on 13 11 14
    Kids Helpline on 1800 551 800
    MensLine Australia on 1300 789 978
    Beyond Blue on 1300 22 46 36
    Headspace on 1800 650 890
    QLife on 1800 184 527