More stories

  • Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated

    Microsoft says that 92% of Exchange servers vulnerable to a set of critical vulnerabilities have now been patched or have had mitigations applied. The Redmond giant’s Security Response team said there is “strong momentum” in patches or mitigation tools being applied to internet-facing, on-prem servers, and the latest data shows a 43% improvement worldwide in comparison to last week. Microsoft cited telemetry from RiskIQ, which is working with the tech giant to manage the fallout of the security incident, in a tweet posted on Monday.

    Microsoft released emergency patches for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities which could lead to data theft and overall server hijacking were being actively exploited in “limited, targeted attacks.” However, it was not long before multiple advanced persistent threat (APT) groups began to join in Exchange Server-based campaigns, and it is estimated that thousands of systems belonging to organizations worldwide have been compromised. Alongside the emergency patches, Microsoft has also published a mitigation guide and created a one-click mitigation tool, including a URL rewrite for one of the vulnerabilities to stop an attack chain from forming. In addition, Microsoft Defender Antivirus has been upgraded to include automatic mitigation capabilities for the zero-day vulnerabilities.

    The issue with these vulnerabilities, however, is that applying a patch or mitigations will not remove existing infections. F-Secure says “tens of thousands” of servers have already been breached and others “[are] being hacked faster than we can count.” While patches and mitigations are being applied at a fast rate, IT administrators must check their systems for indicators of compromise (IoCs) and perform security audits to see if their servers were exploited before the security updates were applied.

  • Apple has a problem with ProtonVPN wanting to challenge governments

    The founder of ProtonVPN, Andy Yen, has jumped onto a soapbox to lambaste Apple over a decision to block an update of the app over its description. “Whether it is challenging governments, educating the public, or training journalists, we have a long history of helping bring online freedom to more people around the world,” stated the text an Apple app reviewer had an issue with. The reviewer suggested the text be modified so as not to “encourage users to bypass geo-restrictions or content limitations”. Yen used the rejection to claim Apple was stymieing rights in Myanmar, which is in the midst of a brutal crackdown following a coup last month. The founder said the company had used the description for months already. “Actions have consequences, and Apple’s actions are actively hampering the defense of human rights in Myanmar at a time when hundreds of people are dying,” Yen said. Never mind that Apple challenges governments when it suits it — unless it is Beijing calling the shots.

    It’s a far cry from its famous 1997 ad, when the company said the following words over the top of a montage of government resisters: “Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo.” Last week, Wired reported that Apple had agreed to begin showing Russian users a phone setup screen where they could install a set of Moscow-approved apps. “Apple’s priority is to preserve access to markets and maintain its profits, so it almost never challenges the policies of dictators or authoritarian regimes,” Yen said. “By giving in to tyrants, Apple is ignoring internationally recognised human rights and preventing organisations such as Proton from defending those in need. What is also troubling is that Apple requested the removal of this language in ALL countries where our app is available. By doing so, Apple is helping spread authoritarian laws globally, even in countries where freedom of speech is protected.” Apple said in a submission to the Australian Competition and Consumer Commission recently that it was surprised developers took issue with its app review process. “The main purpose of the App Review process is to protect consumers from fraudulent, nonfunctioning, malicious, or scam apps,” Apple said. “Central to the App Review process is the protection of our consumers’ privacy and security.”

  • Firefox 87 launch packed with private browsing 'SmartBlock'

    Image caption: An example of SmartBlock (right) in action. (Image: Mozilla)
    Mozilla has launched Firefox 87, with the latest version of the browser boasting “SmartBlock”, a new privacy feature touted as intelligently fixing web pages that are broken by tracking protections, without compromising user privacy. SmartBlock aims to bolster Firefox’s built-in content blocking feature — available across both private browsing and strict tracking protection modes for the past six years — which blocks third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. As Mozilla explained in a blog post, by blocking these tracking components, Firefox’s private browsing windows prevented these companies from watching users as they browse the internet. Doing so, however, risked blocking components that were essential for some websites to function properly. “This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all,” Mozilla explained. “To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock.”

    SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. “These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact,” the blog said. “We believe the SmartBlock approach provides the best of both worlds: strong protection of your privacy with a great browsing experience as well.”

    Over on Chrome, from version 90, the browser’s address bar will use “https://” by default, unless otherwise specified. “Users often type ‘example.com’ instead of ‘https://example.com’ in the address bar. In this case, if it was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol. This was a practical default in the past, when much of the web did not support HTTPS,” the Chromium blog explained. It touted that the move would improve the initial loading speed of sites supporting HTTPS, in addition to being a privacy improvement. This change will roll out initially on Chrome Desktop and Chrome for Android in version 90, with a release for Chrome on iOS to follow soon after.

  • AEC confident in its security posture with external audits not welcome

    The Australian Electoral Commissioner Tom Rogers has dismissed a proposal to allow a non-government researcher to conduct a security audit of its systems. The prospect of security researcher Vanessa Teague, who has experience in finding holes in electoral systems, performing such an audit was raised by One Nation Senator Malcolm Roberts during Senate Estimates on Tuesday night. Rogers said “frankly” that Teague would not be welcome to perform an audit on the AEC systems. “We work with a range of partners, including the Australian Signals Directorate, the Australian Cyber Security Centre, we’ve had our internal code audited and checked,” he said. “And not being rude, I’m sure that Dr. Teague is a wonderful person, but we’ve had sufficient checks in place to assure ourselves that that system is running smoothly.” Roberts subsequently pushed for the commissioner to give a “resounding guarantee of the cyber integrity” of the system, which Rogers refused to do. “No one would sit in this chair and give an unequivocal guarantee about that issue,” he said. “I would be cheapening the guarantee by giving it.”

    Rogers repeated that the AEC and government cyber agencies were satisfied with the systems’ security and that they followed the prescribed Commonwealth guidelines, but that since cybersecurity involves unknown factors, a guarantee could not be made. “But I am very, very, very confident that we’ve got an incredibly robust system in place that’s worked well and continues to work and we continue to assess it, we continue to work with our partner agencies, we comply with all Commonwealth guidelines, cybersecurity guidelines, and I think it’s a fantastically secure system,” he said. “I don’t think anyone would give an unequivocal guarantee about anything, there are factors that I’m not aware of.” The AEC chief also told Estimates that it would be rolling out more electronic certified lists as a way to mark off voters at polling stations, and would push the “vanishingly small” number of people voting multiple times even lower. During the 2019 Australian election, Rogers put the number of apparent multiple voters in the entire country at around 2,000 people, or 0.01% of the voting population.

  • Nearly 12-month-old COVIDSafe legislation cited as cause of Privacy Act review delays

    The Attorney-General’s Department (AGD) has said the reason for the delay in moving forward with a rework of the Australian Privacy Act 1988 was that staff needed to work on the COVIDSafe legislation, which entered Parliament in May last year. During Senate Estimates on Tuesday night, senators raised concerns regarding declarations made by Attorney-General Christian Porter, who is currently on leave, back in March 2019 that tougher penalties for misuse of Australians’ personal information were on their way, as no such protections have been put in place. “The team that works on the legislation and the Privacy Act review, has also dealt with other priorities. For example, the COVIDSafe legislation … that took quite a significant effort to deal with some of those issues,” deputy secretary for the Integrity and International Group in the AGD, Sarah Chidgey, said in response.

    The department is currently in the midst of reviewing the Privacy Act. Since October, it has been calling for all interested parties to provide their two cents. Chidgey said an exposure draft was on its way. “We have been working on an exposure draft inside the Privacy Act review and expect that that would be released shortly, alongside the further discussion paper in the review of the Privacy Act,” she said, noting there has been “a lot of work on it”. “We’ve used submissions we’ve received through the Privacy Act review to better inform the development of that exposure draft legislation.”

    Australian Information and Privacy Commissioner Angelene Falk said she welcomed any additions to her regulatory toolkit that would come with an updated Privacy Act. Her submission to the review included recommendations such as considering international developments, such as Europe’s General Data Protection Regulation, as well as adapting global schemes to suit Australia. “I think the digital platforms inquiry that was conducted by the ACCC (Australian Competition and Consumer Commission) certainly brought to public attention the extent of data handling practices … and a number of recommendations were made by that inquiry, some of which accorded with my own submissions to that inquiry, that there ought to be some amendments to the Privacy Act to ensure that it’s able to regulate data handling practices over the next decade,” she said. “I welcome any changes and improvements to the regulatory toolkit that I currently have. And I’m looking forward to both the legislation that goes to these matters and also the progress of the review that’s more broadly going to be conducted or is being conducted by the department at present.”

    PRIVACY IMPACT ASSESSMENTS UNDER REVIEW

    Falk was asked about the requirement for all Australian government agencies to keep a register of the privacy impact assessments they conduct. Greens co-deputy leader Senator Nick McKim pointed specifically to a project the Department of Home Affairs has underway regarding its travel exemption portal, which is used to grant people permission to enter or leave Australia. While Falk isn’t aware of the project, McKim said individuals are currently being encouraged by Home Affairs to provide information such as banking details, financial assets, social media information, personal communications between them and their partners, private health and medical information, personal photographs to prove relationships, and medical reports to support any medical claims they have been making, including mental health reports. “I think there’s some difficulty in me commenting on a specific [project] … but the principle is that where a department is handling personal information in changed ways, or a new project that involves handling personal information in a way that could be considered to be high risk, then they ought to conduct a privacy impact assessment,” she said. “Many departments also conduct a preliminary assessment to decide whether or not that threshold is in fact, met. And I understand that that is usually the way in which many of the big departments and I think the Department of Home Affairs, does, in fact, undertake those preliminary assessments to decide whether or not to conduct a full privacy impact assessment.”

    Falk has powers under the Privacy Act to direct an agency to conduct a privacy impact assessment, but that power has not been exercised. She said her office is currently looking into how many agencies do have privacy impact assessment registers in place. “Notwithstanding that, we do think that we would expect Australian government agencies to have noted on their website a place where those documents could be found,” she added.

  • Protecting women in the cloud: eSafety hopes the Online Safety Act will do just that

    Australian eSafety Commissioner Julie Inman Grant is hopeful the country’s new Online Safety Act will go some way to protecting women and girls in the online world as people grapple with how to do exactly that in the offline world. “You wouldn’t be surprised that 70% of the reports of all forms of abuse that come into our office are from women and girls,” Inman Grant told senators on Tuesday night. “That even applies to child sexual abuse where 90% of the perpetrators are men and 84% of the victims are girls. That applies to image-based abuse, that applies to youth-based cyberbullying, and certainly to adult cyber abuse.” There are a handful of programs Inman Grant said that “cover the continuum of women and the spectrum of harms”. One receiving a lot of attention from her office is a program aiming to help women experiencing domestic and family violence. “One, of course, where women are particularly vulnerable, are women that are experiencing domestic and family violence, where technology-facilitated abuse is present as an extension of that coercion control and surveillance in 99.3% of these cases, and they deserve special protections,” she said. The commissioner is also concerned about women in the public sphere, pointing to the experience recently recounted by Liberal MP Nicole Flint as one example. “We know that women are three times more likely to receive online abuse, but the tenor and tone of the abuse is very different too, it tends to be sexualised, violent, will target things like your fertility or appearance,” Inman Grant said.

    “It’s rooted in misogyny, and it’s meant to silence women’s voices. We know from women that they self-censor, or they will get off social media altogether. Social media did promise to be a great leveller. In terms of promoting women’s voices, we need to do a better job at protecting those voices online.” Senators pointed to the work underway by Sex Discrimination Commissioner Kate Jenkins, asking Inman Grant if the contents of the Online Safety Act would help protect women. “I think they will immeasurably, and in the end, as I say, particularly with the serious adult cyber abuse scheme, we’ll continue with our prevention programs … and the proactive and systemic change work that we do, including the work we’re doing around technology, challenges, and trends,” she said. “Of course, we know that a lot of trolls will use the veil of anonymity to try and abuse women with impunity. So all of these things I think, will come together and give us some important potent new tools to help us — a lot of this abuse that we see is rooted in misogyny, in racism, in hate that is surfaced by social media. And this abuse online, targeting women, reinforces the gender inequality that already exists in our societies and our institutions. So we really need to protect women in the cloud as well.”

    BANTER WON’T QUALIFY FOR INTERVENTION

    With the new proposed law extending the cyber takedown function to adults, eSafety will have the power to issue takedown notices directly to the services hosting the content and to the end users responsible for the abusive content. Inman Grant clarified that the takedown directive — which is slashed from 48 to 24 hours under the new legislation — would only apply in serious situations. “The adult cyber abuse scheme is set at a very high threshold because adults are more resilient,” she said, noting it’s on par with the Criminal Code, which uses the terminology “to use a carriage service provider to menace, harass, or cause offence”. She also said the term “offensive” is sometimes taken out of context. “This is a very, very high threshold, where we have to make out intent to cause serious harm directed to a specific Australian individual. The second part of the test is an objective test that would ask those questions,” she added. “I do think we need to set expectations so that people — when they come to us, that it’s not just going to be banter or opinions or mean statements, that there’s a very, very high bar that has to be met before we can before we would recommend removal of that content.”

    The commissioner also addressed concerns about the overreaching powers that eSafety is set to receive with the legislation. “I can’t speculate about future safety commissioners and how they might use the power. All I would say is that, in my 30 years in working in technology, I’ve learned that you can’t anticipate the creative and myriad ways that people will misuse technology. And it requires us to have a broad toolkit,” she said. “I think the lines were carefully drawn on to make sure that there wasn’t suppression of free speech, and that there are a number of transparency and accountability provisions available.” She said beyond the AAT review, there’s also potentially judicial review and involvement from the Commonwealth Ombudsman, in addition to amendments currently being drafted around an internal review process. “And I’d say also that there was a pretty rigorous merit-based process that was involved for me landing this role. I fully anticipate that the government would be looking at people who have experience at the intersection of technology, policy, and social justice and would assess any concerning ideological events that might influence their decision making,” Inman Grant said. “I’m influenced by how do I minimise the risk to online citizens and I would expect the future eSafety Commissioner would hold those same values.”

  • Ransomware attack halts production at IoT maker Sierra Wireless

    A multinational manufacturer of Internet of Things (IoT) devices has halted production after falling victim to a ransomware attack. Canadian IoT maker Sierra Wireless says it suffered a ransomware attack against its internal IT systems on March 20, which has led to production being halted at its manufacturing sites. Internal operations have also been disrupted by the attack and, at the time of writing, the company website is down, stating that it’s “under maintenance”. The company says the impact of the attack is limited to internal Sierra Wireless systems and that customer-facing products haven’t been affected by the incident, because the networks of internal IT systems and the services designed for customers are separated. It’s currently unknown when production facilities and other systems will return to normal, but Sierra Wireless believes it has addressed the attack and operations will resume “soon”. After falling victim to the attack, the company says it implemented counter-measures to mitigate it in accordance with “established cybersecurity procedures” developed alongside third-party cybersecurity advisors, who’ve also been involved in investigating the attack. “Sierra Wireless asks its customers and partners for their patience as it seeks to remediate the situation,” the company said in a statement.

    It’s currently unknown what kind of ransomware Sierra Wireless has fallen victim to or how it was able to infiltrate the network. ZDNet contacted Sierra Wireless to clarify what has happened, but was told that the company isn’t sharing additional information about the ransomware attack at this time. Ransomware remains an issue for organisations across the world, and a recent report described it as the biggest cybersecurity concern for chief information security officers (CISOs) and chief security officers (CSOs).

  • Ransomware gangs have found another set of new targets: Schools and universities

    There’s been a spike in ransomware attacks targeting schools, colleges and universities, the UK’s National Cyber Security Centre (NCSC) has warned. The alert by the cyber security arm of GCHQ says it has dealt with a significant increase in the number of ransomware attacks targeting education over the course of the last month, a time in which schools were preparing to resume in-person lessons. Ransomware attacks encrypt servers and data, preventing organisations from providing services. In this case, cyber criminals are hoping that the need for schools and colleges to provide teaching will result in victim organisations giving in to extortion demands and paying a ransom in bitcoin in exchange for the decryption key required to restore the network. “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the agency said. It’s likely that the attempted targeting of sensitive information is an effort to engage in double-extortion ransomware attacks, where cyber criminals threaten to publish stolen data if they’re not paid the ransom. “Any targeting of the education sector by cyber criminals is completely unacceptable,” said Paul Chichester, director of operations at the NCSC.

    “This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted.” Cybersecurity recommendations for schools, colleges and universities to protect their networks from ransomware attacks include having an effective strategy for vulnerability management and applying security patches, securing remote online services with multi-factor authentication, and installing and enabling anti-virus software. It’s also recommended that organisations have up-to-date and tested offline back-ups, so that if the network is taken down by a ransomware attack, it can be restored without paying criminals. “I urge all education and research institutions to act swiftly to ensure their systems and data are robustly protected,” said Steve Kennett, director of e-infrastructure at the higher education support body Jisc. “Jisc has been helping many colleges and universities recover from ransomware attacks recently, so we have seen what a devastating impact this crime has on the sector.” The NCSC previously put out a warning about ransomware attacks targeting universities in September, but this particular form of cyber crime shows no sign of slowing down.