More stories

    China moots additional security rules for apps that influence public opinion

    China has released draft laws that will require, amongst other things, mobile apps to be licensed if they provide news and to go through a security assessment if they can influence public opinion. They also must adhere to cybersecurity guidelines and not endanger national security. The Cyberspace Administration of China (CAC) on Wednesday unveiled proposed legislation to further regulate services provided via mobile apps and ensure these operated alongside the country’s other laws, including the Personal Information Protection Law (PIPL) and Data Security Law. Under the draft laws, operators that provided news services through mobile apps would have to obtain a licence to do so. They also must deliver such services within the scope of the licence and as permitted under it. The CAC, however, did not elaborate on what exactly the licence would cover.

    Operators of apps that provided news, instant messaging, and other related services must require their users to register based on their mobile number and identification card number. Users who refused to do so or who used fraudulent identification data should not be permitted to use the app. App operators were expected to put in place the necessary mechanisms and tools to manage user registration and accounts as well as review information and monitor usage. Registered users who breached service agreements and laws must be issued warnings and access restricted or blocked, where necessary. In addition, mobile app operators that introduced technologies and functions that could potentially influence public opinion or mobilise the population, must carry out security assessments according to specifications laid out by CAC. The government agency, though, did not provide details on what these might entail. Operators also should not use their apps to facilitate activities that were illegal and that endangered national security or disrupted social cohesion. 

    They must further comply with requirements stipulated in the country’s cybersecurity law. Should they uncover security flaws or other risks in their mobile app, they must take immediate steps to plug the security holes and notify users in a timely fashion. The relevant authorities also should be notified of the security flaw. If passed, the draft legal framework would apply to various media including text, picture, voice, and video, and to information platforms delivered via the mobile app, including instant messaging, FAQs, and community forums. CAC said public feedback on the proposed law would close on January 20. It added that the regulation was slated to be passed later this year. The draft laws are the latest in China’s efforts to stem what the government perceives as problems within the digital economy, such as poor management of personal data. CAC last May called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. CAC said these companies, which included Baidu and Tencent Holdings, had breached local regulations and gathered personal information without consent from their users.

    Services Australia brushes off vulnerability concerns in COVID-19 digital certificates

    Image: Cameron Spencer/Getty Images
    During Australia’s federal Budget Estimates last year, Services Australia was grilled by senators about various initiatives under its remit, from the COVID-19 digital certificate rollout to the bungled robo-debt scheme. Of concern to Labor Senators Tim Ayres and Nita Green was the alleged lack of security of Australia’s COVID-19 digital certificates, with both of them criticising the certificate for being easily forged through man-in-the-middle cyber attacks. Responding to the senators’ concerns, Services Australia said it was aware of reports concerning man-in-the-middle cyber attacks via the Medicare Express Plus app, but brushed off the concerns by merely saying such attacks “require significant knowledge and expertise”. It added that there are currently no vulnerability disclosure programs in place, nor any future plans to implement such a program for the digital vaccination certificates. This is despite security researcher Richard Nelson last year detailing how difficult it is for the private sector and the public to report vulnerabilities in the certificates to government, which Ayres referenced during Budget Estimates. Services Australia also said the Digital Transformation Agency (DTA) had no plans to consider establishing bounty programs. “Services Australia takes the integrity of the Medicare system and the Australian Immunisation Register extremely seriously,” Services Australia said in its response to questions on notice. “Full cyber assessments are undertaken several times a year and we work closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications.”

    As of the end of October, over 12.3 million Australians had downloaded COVID-19 digital certificates, the agency said in another response. For Australia’s other federal COVID-19 product, COVIDSafe, the DTA provided an update that monthly costs to run the app have been around what it expected, about AU$60,000 a month, since it took over responsibility for the app. As of early October, there were 7.7 million COVIDSafe registrations, DTA added. The DTA had also been asked by Labor Senator Marielle Smith during Budget Estimates how many people had downloaded the app and then deleted it, but the agency said it does not track that data. Regarding questions about Services Australia’s progress in refunding wrongly issued robo-debts, the agency provided more information about the people who are still yet to receive a refund. The agency said there are now around 8,500 people who are yet to receive a refund. Of these, 501 are deceased estates, 280 are incarcerated, 539 are indigenous, and 106 had a vulnerability indicator on their customer record at the time they were last in receipt of payment. Services Australia explained that these refunds had not been processed yet because the victims have not provided bank details to the agency in order to receive the payment. A Senate Committee inquiring into the robo-debt system is still waiting for Services Australia and Minister for Government Services, Linda Reynolds, to provide documents about the legal advice Services Australia received in implementing robo-debt. Both have refused to provide that information under claims of public interest immunity.

    Chinese tech companies must undergo government cyber review to list overseas

    Image: Kevin Frayer/Getty Images
    China on Tuesday evening confirmed it will increase oversight of how local tech companies operate their platforms both locally and overseas through two new sets of rules. The first set of rules, set to be enforced on February 15, is focused on cybersecurity reviews and will require local tech companies holding personal information on over 1 million users to undergo a security review before being allowed to list on overseas stock exchanges. Announced by the Cyberspace Administration of China (CAC), the rules did not specify whether cybersecurity reviews would be required for companies that list in Hong Kong. As part of a cybersecurity review process, the Chinese government can urge tech companies to make organisational changes to fulfil their commitments to the cybersecurity review. The CAC said the new listing requirement was established to address the risk of key infrastructure, data, and personal information being used maliciously by foreign actors. The new listing requirement adds another layer of uncertainty for Chinese companies looking to expand overseas, as Chinese companies like China Telecom have already received the stock exchange boot from the US. The US Securities and Exchange Commission last month also gained powers to ban foreign companies listed in the US from trading if their auditors do not comply with requests for information from American regulators. Looking at the rest of the cybersecurity review measures, the CAC said any companies that carry out data processing activities that affect or may affect national security will also be required to undergo a cybersecurity review, although the CAC did not define which activities would meet that threshold.

    The second set of rules announced by the CAC, set to come into effect in March, targets the use of algorithm recommendations by tech companies and requires them to establish algorithm mechanism reviews, user registration reviews, and programs protecting minors. All online platforms will also be required to provide users with the option to turn off or modify how they access algorithm recommendation services, as well as provide users with information on how their personal data is used in the provision of such services. Both sets of rules follow a big year of tech crackdowns in China, when new laws came into force around data protection, online gaming for minors, and gig economy rights. Along with new legislation, the Chinese government also slapped big penalties on tech giants, such as removing Didi from app stores and fining Alibaba 18.2 billion yuan. Just prior to the new year, China’s internet security regulator also suspended all of its contracts with Alibaba Cloud after one of its security engineers discovered the Log4j vulnerability and reported it to Apache. The Ministry of Industry and Information Technology suspended its contracts with Alibaba Cloud as it “did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management”, according to local media outlets.

    FTC to pursue companies that expose customer data due to not patching Log4j

    Image: perinjo/ GETTY
    The United States Federal Trade Commission has issued a warning that it will chase companies that do not remedy the vulnerability in the Java logging package Log4j. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the agency said on Tuesday. “Failure to identify and patch instances of this software may violate the FTC Act.” The agency cited its $700 million settlement with Equifax in 2019 as an example of what could happen if customer data is exposed. “The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies,” the FTC said. “These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy. This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

    Earlier on Tuesday, Microsoft said people might not be aware of how widespread the Log4Shell issue is in their environments, and warned that attempts to exploit it remained high to the end of 2021. “At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the software giant said. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.” Cloudflare warned last month it had detected activity related to the remote code exploit as early as December 1, which meant the vulnerability was in the wild for at least nine days before it was publicly disclosed.

    Over 20 years of employee data leaked during McMenamins ransomware attack

    Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12. In a statement, the company explained that even though they managed to “block” the attack, employee information dating back to 1998 was compromised. 

    The employee files included standard information (name, address, phone number, date of birth, race, disability status, and more) as well as sensitive information (Social Security numbers, bank account information, health insurance plans, income amount, and disciplinary notes). Breach notification letters were sent to anyone who worked for the company between July 1, 2010 and December 12, 2021, while those employed from January 1, 1998 and June 30, 2010 were only provided with a notice on the company website about options for support. The hackers gained access to business records, human resources data, and payroll data files, encrypting the data for employees at the company between 1998 and 2010. McMenamins released the public notice on its website because it has lost access to the contact information for those that worked for the company between those years. The company was able to recover the files from 2010 to 2021 and send breach notification letters to those victims. The Oregonian reported that McMenamins told the Oregon Department of Justice that 14,861 people were sent breach notification letters, while up to 30,000 people may have had their information involved in the breach. “As soon as we realized what was happening, we blocked access to our systems to contain the attack that day. It appears that cybercriminals gained access to company systems beginning on December 7 and through the launch of the ransomware attack on December 12. During this time, they installed malicious software on the company’s computer systems that prevented us from using or accessing the information they contain,” the company said in a notice on their website. 

    The company — which runs dozens of hotels, bars, movie theaters, concert venues, restaurants, and more across the Pacific Northwest — said it is offering victims one year of identity theft protection and credit monitoring services. McMenamins is still recovering from the attack and noted on its website that email systems are still down. It contacted the FBI, local law enforcement, and the Attorneys General of Oregon and Washington to notify them of the attack. The company has already hired a cybersecurity firm to help with the recovery process. The company’s properties are still open, but its credit card processing and hotel reservation system were affected. Guests at its hotels have been asked to call to manage bookings. No customer or partner data was involved in the attack, according to the company. It said it is unclear when its systems will be fully back up and running. Bleeping Computer reported in December that the Conti ransomware group was behind the attack on McMenamins. Both CISA and the FBI said in September that they have seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises. “We’re devastated our people need to do so, but we’re urging them to vigilantly monitor their accounts and healthcare information for anything unusual. They should immediately notify their financial institutions or health providers if they see anything out of sort,” said company founder Brian McMenamin.

    Google acquires Israeli cybersecurity company Siemplify

    Google announced on Tuesday that it is acquiring Israeli cybersecurity startup Siemplify for a reported $500 million. 

    Google Cloud Security vice president Sunil Potti said Siemplify is a leader in the security orchestration, automation and response (SOAR) field. Its platform will be integrated into Google Cloud’s security team “to help companies better manage their threat response.” “In a time when cyberattacks are rapidly growing in both frequency and sophistication, there’s never been a better time to bring these two companies together. We both share the belief that security analysts need to be able to solve more incidents with greater complexity while requiring less effort and less specialized knowledge. With Siemplify, we will change the rules on how organizations hunt, detect and respond to threats,” Potti said. “Providing a proven SOAR capability unified with Chronicle’s innovative approach to security analytics is an important step forward in our vision. Building an intuitive, efficient security operations workflow around planet-scale security telemetry will further realize Google Cloud’s vision of a modern threat management stack that empowers customers to go beyond typical security event and information management (SIEM) and extended detection and response (XDR) tooling, enabling better detection and response at the speed and scale of modern environments.” Potti explained that Siemplify’s platform was built to help streamline the tasks of SOC analysts and assist them in responding to cyber threats. According to Potti, the acquisition is part of Google’s larger investment in SOAR capabilities. Siemplify CEO Amos Stern added that Chronicle’s “security analytics and threat intelligence” will be able to help many security operations centers. “We’re excited to join Google Cloud and build on the success we’ve had in the market helping companies address growing security threats,” Stern said.

    In his own blog post, Stern said that since the company’s founding in 2015, it has acquired customers ranging from Fortune 500 companies to MSSPs. Calcalist, the first to report the $500 million price tag, noted that Siemplify currently has about 200 employees based in the US, UK and Israel. In October, Google Cloud partnered with Israeli cybersecurity firm Cybereason on an effort to provide Extended Detection and Response (XDR) tools to organizations looking for protection of their endpoints, networks, clouds and workspaces.

    First Microsoft Pluton-powered Windows 11 PCs to start rolling out this year

    Credit: Lenovo
    In November 2020, Microsoft took the wraps off its Pluton security chip, with the goal of bringing it to all Windows 10 PCs. It wasn’t until today, January 4, that any of Microsoft’s OEMs announced their first Pluton-powered PCs. At CES, Lenovo unveiled its Ryzen-6000-based ThinkPad Z series laptops running Windows 11, which will integrate the Microsoft Pluton processor. The coming ThinkPad Z series laptops will begin shipping in May 2022. Thanks to Pluton, these devices will be able to receive updated firmware using Windows Update. In the ThinkPad Z13 and Z16, Pluton will help protect Windows Hello credentials, according to Microsoft, by further isolating them from attackers. These new ThinkPads will use Pluton as their TPMs to protect encryption keys from physical attacks, Microsoft officials said. Microsoft pioneered Pluton first in Azure Sphere, its Linux-based microcontroller, and in Xbox. In a January 4 blog post, Microsoft officials noted that Pluton can be configured in three ways: as the Trusted Platform Module (TPM); as a security processor for non-TPM scenarios like platform resiliency; or inside a device where OEMs have opted to ship with the chip turned off. Windows will be able to use Pluton to securely integrate with other hardware security components in a way that gives Windows users and IT admins resiliency signals that can be used for zero-trust conditional access, officials added. At some point in the future, these signals will be reported to services like Intune through the Azure Attestation service, officials said. Microsoft’s blog post said that “in the future” there will be additional support from OEM partners for Pluton.

    Log4j flaw attack levels remain high, Microsoft warns

    Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December. Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services. Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment. Over the past month, Microsoft has released numerous updates, including to its Defender security software, to help customers identify the issue as attackers stepped up scanning activity. “Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) said in a January 3 update. Microsoft said customers should “assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.” Hence, it is encouraging customers to use scripts and scanning tools to assess their risk and impact. “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft added.

    The flaw likely left some security teams without much of a break over Christmas and prompted warnings from the UK’s NCSC to beware of burnout among staff responsible for remediation. Just ahead of New Year’s Day, Microsoft rolled out a new Log4j dashboard for threat and vulnerability management in the Microsoft 365 Defender portal for Windows 10 and 11, Windows Server, and Linux systems. This dashboard aims to help customers find and fix files, software and devices affected by Log4j vulnerabilities. CISA and CrowdStrike also released Log4j scanners ahead of Christmas. CISA officials believe hundreds of millions of devices are affected by Log4j. Meanwhile, major tech vendors such as Cisco and VMware continue to release patches for affected products. The Log4Shell vulnerabilities now include the original CVE-2021-44228 and four related flaws, the latest of which was CVE-2021-44832. However, it was only a moderate-severity issue, addressed in the Log4j version 2.17.1 update on December 28. The Apache Software Foundation has details about each of the Log4j vulnerabilities in its advisory covering CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046.
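    Both Log4j items above (the FTC's "identify and patch instances of this software" and Microsoft's push to "utilize scripts and scanning tools") come down to the same defender task: inventory the log4j-core copies on a host and work out which of the four CVEs each one is still exposed to. The Python script below is an added example, not code from Microsoft, CISA, the FTC or the article; it assumes log4j-core JARs carry an Implementation-Version header in META-INF/MANIFEST.MF and contain org/apache/logging/log4j/core/Logger.class, and the fixed-in versions follow Apache's advisories as of the 2.17.1 release named above.

```python
import io
import os
import re
import zipfile

# (CVE, first 2.x release that fixes it): a JAR is exposed to every CVE whose
# fixed-in version is newer than its own. Thresholds follow the Apache advisories
# (assumption: taken as current at the 2.17.1 release named in the article).
FIXED_IN = [("CVE-2021-44228", (2, 15, 0)), ("CVE-2021-45046", (2, 16, 0)),
            ("CVE-2021-45105", (2, 17, 0)), ("CVE-2021-44832", (2, 17, 1))]
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"  # marks log4j-core
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Deleting JndiLookup.class was Apache's stop-gap for the two JNDI lookup bugs
# only; the other two CVEs still need the upgrade.
JNDI_ONLY = {"CVE-2021-44228", "CVE-2021-45046"}

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); None if the string is not a dotted version."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def open_cves(version, jndi_present=True):
    """CVEs still open for a log4j-core 2.x version (unknown version: assume all)."""
    if version is None:
        cves = [cve for cve, _ in FIXED_IN]
    elif version[0] != 2:
        return []  # 1.x is end-of-life and outside this check's scope
    else:
        cves = [cve for cve, fixed in FIXED_IN if version < fixed]
    return cves if jndi_present else [c for c in cves if c not in JNDI_ONLY]

def inspect_jar(fileobj):
    """Return a finding dict for a log4j-core JAR, or None for any other JAR."""
    with zipfile.ZipFile(fileobj) as zf:
        names = set(zf.namelist())
        if CORE_MARKER not in names:
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
        jndi = JNDI_CLASS in names
        return {"version": version, "jndi_lookup_present": jndi,
                "open_cves": open_cves(version, jndi)}

def scan_tree(root):
    """Walk `root` and map every log4j-core JAR path to its finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = inspect_jar(fh)
            except zipfile.BadZipFile:
                continue  # not a valid archive; skip rather than abort the scan
            if result is not None:
                findings[path] = result
    return findings

def build_sample_jar(version, include_jndi=True):
    """Constructed fixture: a minimal zip laid out like log4j-core (not a real JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(CORE_MARKER, b"\xca\xfe\xba\xbe")  # dummy class bytes
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf
```

    Nested or shaded copies (log4j-core bundled inside a WAR or an uber-JAR) are not unpacked here, so a clean result from scan_tree does not rule them out.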