More stories

  • Protecting women in the cloud: eSafety hopes the Online Safety Act will do just that

    Australian eSafety Commissioner Julie Inman Grant is hopeful the country’s new Online Safety Act will go some way to protecting women and girls in the online world as people grapple with how to do exactly that in the offline world.

    “You wouldn’t be surprised that 70% of the reports of all forms of abuse that come into our office are from women and girls,” Inman Grant told senators on Tuesday night. “That even applies to child sexual abuse where 90% of the perpetrators are men and 84% of the victims are girls. That applies to image-based abuse, that applies to youth-based cyberbullying, and certainly to adult cyber abuse.”

    There are a handful of programs that Inman Grant said “cover the continuum of women and the spectrum of harms”. One receiving a lot of attention from her office is a program aiming to help women experiencing domestic and family violence.

    “One, of course, where women are particularly vulnerable, are women that are experiencing domestic and family violence, where technology-facilitated abuse is present as an extension of that coercion control and surveillance in 99.3% of these cases, and they deserve special protections,” she said.

    The commissioner is also concerned about women in the public sphere, pointing to the experience recently recounted by Liberal MP Nicole Flint as one example.

    “We know that women are three times more likely to receive online abuse, but the tenor and tone of the abuse is very different too, it tends to be sexualised, violent, will target things like your fertility or appearance,” Inman Grant said.

    “It’s rooted in misogyny, and it’s meant to silence women’s voices. We know from women that they self-censor, or they will get off social media altogether.

    “Social media did promise to be a great leveller. In terms of promoting women’s voices, we need to do a better job at protecting those voices online.”

    Senators pointed to the work underway by Sex Discrimination Commissioner Kate Jenkins, asking Inman Grant if the contents of the Online Safety Act would help protect women.

    “I think they will immeasurably, and in the end, as I say, particularly with the serious adult cyber abuse scheme, we’ll continue with our prevention programs … and the proactive and systemic change work that we do, including the work we’re doing around technology, challenges, and trends,” she said.

    “Of course, we know that a lot of trolls will use the veil of anonymity to try and abuse women with impunity. So all of these things I think, will come together and give us some important potent new tools to help us — a lot of this abuse that we see is rooted in misogyny, in racism, in hate that is surfaced by social media.

    “And this abuse online, targeting women, reinforces the gender inequality that already exists in our societies and our institutions. So we really need to protect women in the cloud as well.”

    Banter won’t qualify for intervention

    With the new proposed law extending the cyber takedown function to adults, eSafety will have the power to issue takedown notices directly to the services hosting the content and to the end users responsible for the abusive content.

    Inman Grant clarified that the takedown directive — which is slashed from 48 to 24 hours under the new legislation — would only apply in serious situations.

    “The adult cyber abuse scheme is set at a very high threshold because adults are more resilient,” she said, noting it’s on par with the Criminal Code, which uses the terminology “to use a carriage service provider to menace, harass, or cause offence”. She also said the term “offensive” is sometimes taken out of context.

    “This is a very, very high threshold, where we have to make out intent to cause serious harm directed to a specific Australian individual. The second part of the test is an objective test that would ask those questions,” she added.

    “I do think we need to set expectations so that people — when they come to us, that it’s not just going to be banter or opinions or mean statements, that there’s a very, very high bar that has to be met before we can before we would recommend removal of that content.”

    The commissioner also addressed concerns about the overreaching powers that eSafety is set to receive with the legislation.

    “I can’t speculate about future safety commissioners and how they might use the power. All I would say is that, in my 30 years in working in technology, I’ve learned that you can’t anticipate the creative and myriad ways that people will misuse technology. And it requires us to have a broad toolkit,” she said.

    “I think the lines were carefully drawn on to make sure that there wasn’t suppression of free speech, and that there are a number of transparency and accountability provisions available.”

    She said beyond the AAT review, there’s also potentially judicial review and involvement from the Commonwealth Ombudsman, in addition to amendments currently being drafted around an internal review process.

    “And I’d say also that there was a pretty rigorous merit-based process that was involved for me landing this role. I fully anticipate that the government would be looking at people who have experience at the intersection of technology, policy, and social justice and would assess any concerning ideological events that might influence their decision making,” Inman Grant said. “I’m influenced by how do I minimise the risk to online citizens and I would expect the future eSafety Commissioner would hold those same values.”

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:

    • Suicide Call Back Service on 1300 659 467
    • Lifeline on 13 11 14
    • Kids Helpline on 1800 551 800
    • MensLine Australia on 1300 789 978
    • Beyond Blue on 1300 22 46 36
    • Headspace on 1800 650 890
    • QLife on 1800 184 527

  • Ransomware attack halts production at IoT maker Sierra Wireless

    A multinational manufacturer of Internet of Things (IoT) devices has halted production after falling victim to a ransomware attack.

    Canadian IoT maker Sierra Wireless says it suffered a ransomware attack against its internal IT systems on March 20, which has led to production being halted at its manufacturing sites. Internal operations have also been disrupted by the attack and, at the time of writing, the company website is down, stating that it’s “under maintenance”.

    The company says the impact of the attack is limited to internal Sierra Wireless systems and that customer-facing products haven’t been affected by the incident, because the networks for internal IT systems and the services designed for customers are separated. It’s currently unknown when production facilities and other systems will return to normal, but Sierra Wireless believes it has addressed the attack and that operations will resume “soon”.

    After falling victim to the attack, the company says it implemented counter-measures to mitigate it in accordance with “established cybersecurity procedures” developed alongside third-party cybersecurity advisors, who’ve also been involved in investigating the attack.

    “Sierra Wireless asks its customers and partners for their patience as it seeks to remediate the situation,” the company said in a statement.

    It’s currently unknown what kind of ransomware Sierra Wireless has fallen victim to or how it was able to infiltrate the network. ZDNet contacted Sierra Wireless to clarify what has happened, but was told that the company isn’t sharing additional information about the ransomware attack at this time.

    Ransomware remains an issue for organisations across the world, and a recent report detailed it as the biggest cybersecurity concern for chief information security officers (CISOs) and chief security officers (CSOs).

  • Ransomware gangs have found another set of new targets: Schools and universities

    There’s been a spike in ransomware attacks targeting schools, colleges and universities, the UK’s National Cyber Security Centre (NCSC) has warned.

    The alert by the cyber security arm of GCHQ says it has dealt with a significant increase in the number of ransomware attacks targeting education over the course of the last month, a time in which schools were preparing to resume in-person lessons.

    Ransomware attacks encrypt servers and data, preventing organisations from providing services. In this case, cyber criminals are hoping that the need for schools and colleges to provide teaching will result in victim organisations giving in to extortion demands and paying a ransom in bitcoin in exchange for the decryption key required to restore the network.

    “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the agency said.

    It’s likely that the attempted targeting of sensitive information is an effort to engage in double-extortion ransomware attacks, where cyber criminals threaten to publish stolen data if they’re not paid the ransom.

    “Any targeting of the education sector by cyber criminals is completely unacceptable,” said Paul Chichester, director of operations at the NCSC.

    “This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted.”

    Cybersecurity recommendations for schools, colleges and universities to protect their networks from ransomware attacks include having an effective strategy for vulnerability management and applying security patches, securing remote online services with multi-factor authentication, and installing and enabling anti-virus software.

    It’s also recommended that organisations have up-to-date and tested offline back-ups, so that if the network is taken down by a ransomware attack, it can be restored without paying criminals.

    “I urge all education and research institutions to act swiftly to ensure their systems and data are robustly protected,” said Steve Kennett, director of e-infrastructure at the higher education support body Jisc. “Jisc has been helping many colleges and universities recover from ransomware attacks recently, so we have seen what a devastating impact this crime has on the sector.”

    The NCSC previously put out a warning about ransomware attacks targeting universities in September, but this particular form of cyber crime shows no sign of slowing down.

  • Cybercriminals exchange tips on avoiding arrest, jail in underground forums

    Lurking on underground forums has revealed insight into the methodology behind cyberattacker targets — as well as what criminals say to do if, or when, they are caught. 

    Released on Monday, research conducted by the Digital Shadows cybersecurity team on dark web forums explored the discussions between black hat hackers and the exchanges made on how to avoid jail, what to do when they are on law enforcement radars, and the bullish nature of many when it comes to the prospect of arrest.

    In February, in an interview between a lone LockBit ransomware operator and Cisco Talos, the cybercriminal said that the “best country” to be in for this occupation is Russia, but “underappreciation and low wages drove him to participate in unethical and criminal behavior.”

    While trawling Russian-speaking underground forums, Digital Shadows was able to obtain further insight into this idea, in which law enforcement “will not care” if the US or EU are targeted — but the moment any former Soviet Union nations are involved, they will “hunt you down.”

    When it comes to foreign travel, forum users believe this apparent peace deal only lasts as long as you don’t cross the border. One poster said: “[Cybercriminals] live peacefully in Russia, decided to go on holiday abroad — and that’s it, they don’t even make it out of the airport without the cuffs on.”

    Operational security (OPSEC) practices are also widely discussed, with forum users exchanging ways to avoid arrest and stay anonymous. Numerous threads mention everything from virtual to physical security options, but one common topic in particular is widely debated. Hard drive encryption or deletion is sometimes cited as a way to stop law enforcement investigations in their tracks. However, not every forum user is so sure, with one saying, “if it were all as simple as that then major cases would never be solved.”

    Early mistakes in criminal careers also appear to be causing some sleepless nights, with poor OPSEC when starting out being a difficult issue to remedy. “Many a threat actor’s downfall stemmed from poor OPSEC practices when they first decided to don the black hat, such as using a spouse’s email address, forgetting to mask their IP, or letting their real name and address slip,” the researchers say. “And once you realize your mistake, it might be too late.”

    In addition, discussions have taken place over collaboration. While many believe that other dark web forum users will “sell out” each other, others say that forging ties with others in the criminal industry can push threat actors up the pecking order.

    Digital Shadows noted that allegations are flying thick and fast that English-speaking criminal forums and marketplaces are becoming little more than police honeypots. Some forum users said that “sooner or later,” law enforcement will obtain information on them, and others relayed concerns over potential police violence on arrest.

    Others appear, at least online, to have a rather bullish attitude to the prospect of prosecution at all. Laws worldwide are still catching up with the evolution of cybercrime, and for some, corrupting law enforcement and saving enough to pay bribes and avoid prosecution is a possibility. As one forum user quipped, “a good lawyer knows the law, a better one knows the judge.”

    “Cybercriminals, just like the organizations they target, must always have one eye on their security practices,” the researchers say. “There are so many things for them to worry about and ways they can slip up. It must be pretty tiring. Threat actors must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them.”

  • Debt-chasing UK councils potentially expose private resident data

    UK taxpayers have been connected to a reminder system used by councils that potentially exposed their sensitive data online. 

    An investigation conducted by The Register found that a debt-chasing service “freely exposed to the public thousands of taxpayers’ names, addresses, and outstanding debts” via bulk SMS messages sent to remind residents of unpaid bills. The system was developed by Telsolutions, which acted on behalf of an estimated dozen UK councils.

    Debt defaulters were sent text message reminders containing a URL leading to a basic web page showing a council resident’s personal data and outstanding bill. However, if you changed alphanumeric characters contained in the web address, this could reveal records belonging to others — including those living in different council areas.

    The publication says that no authentication or security checks were in place in a few cases. While some councils did require a postcode as a verification method, this is far from enough to stop a determined individual from collecting private, sensitive information on a target.

    Telsolutions told The Register they have since resolved the issue and have “further increased security and introduced new measures to prevent malicious intent.”

    A number of the councils contacted said they took security “seriously”, and while one said their Data Protection Officer had been informed, others either pointed to the fact that the majority of links are never accessed, or said that they were now investigating the issue.

    In 2019, Gateshead council admitted to a slew of data breaches, including when a list containing the details of 53 individuals who owed the council money was sent to a resident, and the upload of medical data to an online forum. Last week, Birmingham council allegedly exposed the details of children deemed vulnerable by accidentally uploading them to a taxpayer service.

  • Cloudflare debuts zero-trust browsing service for remote enterprise workforce

    Cloudflare has debuted a new zero-trust tool designed to help protect remote employees from cyberattacks. 

    When the COVID-19 pandemic forced many of us out of the traditional office and into hastily-created home setups, we — and the organizations we work for — were suddenly required to rely on either personal or company on-loan devices to continue performing our jobs. When it comes to cybersecurity, this means that the potential attack surface for threat actors increased, because remote and end-user devices now needed to connect to corporate resources.

    According to Reboot Online, 44% of businesses in the UK alone have experienced a security breach since stay-at-home orders were imposed, a 20% increase year-over-year.

    Working from home, whether as a permanent option or as part of hybrid models, may become standard, and so the corporate world needs to consider how best to keep their networks protected whilst also catering to a remote workforce.

    To this end, Cloudflare has contributed a new zero-trust solution for browser sessions. On Tuesday, the web security firm launched Cloudflare Browser Isolation, software that creates a “gap” between browsers and end-user devices in the interests of safety. Instead of employees launching local browser sessions to access work-related resources or collaborative tools, the service runs the original, requested web page in the cloud and streams a replica to the end-user.

    Cloudflare says that tapping into the firm’s global network to run browser sessions circumvents the usual speed downgrades and potential lag caused by typical, pixel-based streaming. As there is no direct browser link, this can mitigate the risk of exploits, phishing, and cyberattacks. In addition, Cloudflare automatically blocks high-risk websites based on existing threat intelligence.

    The solution has now been made available through Cloudflare for Teams.

    “Everyone uses a web browser, and that makes it the perfect target for attackers all over the world,” commented Matthew Prince, Cloudflare CEO. “We don’t believe that the most effective protection to these attacks should be restricted to a handful of large companies with huge IT teams. Cloudflare Browser Isolation can be deployed by anyone in just a few clicks and automatically protects against the majority of threats people face online.”

  • Three billion phishing emails are sent every day. But one change could make life much harder for scammers

    Cyber criminals are sending over three billion emails a day as part of phishing attacks designed to look like they come from trusted senders. By spoofing the sender identity used in the ‘from’ field in messages, cyber criminals attempt to lure potential victims into opening emails from names they trust. This could be the name of a trusted brand like a retailer or delivery company, or even, in more sophisticated attacks, the name of their CEO or a colleague.


    These phishing attacks might sound simple, but they work – and that’s why so many of these messages are distributed by cyber criminals. According to a report by email security company Valimail, over three billion spoofing messages are sent every day, accounting for 1% of all email traffic.

    One of the reasons why email remains such a common attack vector is the rise of remote working. Employees are dealing with an increase in corporate communications being conducted over email, while the reality of working from home means that it’s harder for people to ask if an email is legitimate. All of this combined means that phishing emails are putting people and organisations at risk of cyberattacks, including credential theft, malware and ransomware.

    However, it’s possible for organisations to help defend against spoofed emails by applying DMARC (Domain-based Message Authentication, Reporting & Conformance), an email authentication protocol that, when implemented, means only authorized senders can send email using the domain, preventing spoofed emails from being sent in its name. It also contains a reporting function for ongoing improvement and protection.

    DMARC enforcement helps prevent spoofed emails from being delivered in the first place, with analysis by Valimail finding that 1.9% of email from domains without DMARC enforcement is suspicious, while just 0.4% of email from domains with DMARC enforcement is suspicious.

    Ultimately, domains without DMARC applied are almost five times more likely to be the target of phishing emails than domains that do have it applied, so organisations can help make the internet a safer place by protecting domains with it.

    “Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO and co-founder of Valimail. “By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issued, confidential information is obtained and reputations sink.”
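    The distinction the article draws between a domain that merely publishes DMARC and one at enforcement is visible in the policy tag of its DNS record. The following Python, an added illustration rather than code from Valimail or ZDNet, parses a DMARC TXT record, separates monitoring (p=none) from enforcement (p=quarantine or p=reject), and computes the disposition of a message from its SPF and DKIM results; the domain names and DNS table are constructed, and identifier alignment is simplified to a subdomain test instead of a full organizational-domain lookup.

```python
"""Simplified DMARC record parsing and message disposition.

Added example, not Valimail's or ZDNet's code. DNS is replaced by the
constructed table below so it runs offline; alignment is simplified to a
subdomain test instead of a full organizational-domain lookup.
"""

# Constructed TXT records for two hypothetical domains: one only monitoring
# (p=none), one at enforcement (p=reject) with strict DKIM alignment.
CONSTRUCTED_DNS = {
    "_dmarc.monitor-only.example":
        "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "_dmarc.enforced.example":
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@enforced.example",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; None if it is not a usable record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the protocol default
    tags.setdefault("aspf", "r")
    return tags


def lookup_dmarc(domain, dns=CONSTRUCTED_DNS):
    """Fetch and parse the _dmarc record for the header From domain."""
    txt = dns.get("_dmarc." + domain.lower())
    return parse_dmarc(txt) if txt else None


def is_enforcing(record):
    """Only quarantine/reject stop spoofed mail; p=none only produces reports."""
    return record is not None and record["p"] in ("quarantine", "reject")


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts a
    subdomain relationship (simplification of the organizational-domain rule)."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    if mode == "s":
        return False
    return (auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain,
                dns=CONSTRUCTED_DNS):
    """Return (action, dmarc_pass) for one message.

    action is what the receiver should apply: 'none' (deliver), 'quarantine',
    'reject', or 'no-policy' when the domain publishes no DMARC record at all.
    """
    record = lookup_dmarc(from_domain, dns)
    if record is None:
        return "no-policy", False
    spf_ok = spf_pass and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "none", True
    return record["p"], False


if __name__ == "__main__":
    # A spoofed From: header: SPF passes only for the sender's own domain,
    # so nothing aligns with the displayed domain and the policy decides.
    for victim in ("monitor-only.example", "enforced.example", "nodmarc.example"):
        print(victim, disposition(victim, True, "attacker.example", False, ""))
```

    Only the enforced domain causes the spoofed message to be rejected; the monitoring-only domain and the domain with no record both let it through, which is the gap the Valimail figures describe.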


  • Oil giant Shell discloses data breach linked to Accellion FTA vulnerability

    Shell has disclosed a data breach involving stakeholders that exposed personal information records. 

    The oil and gas company said an unknown threat actor managed to gain access to “various files” during the time of intrusion, which included personal data and information “from Shell companies and some of their stakeholders.”

    Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators. The firm added that it does not appear core IT systems have been compromised, as the route of access was isolated from the rest of Shell’s central infrastructure.

    However, the data breach has been connected to Accellion’s File Transfer Appliance (FTA), enterprise software used to transfer large files — and a solution linked to a string of security incidents in December 2020 and January 2021.

    Accellion FTA, a legacy product that has now been formally retired, contained a zero-day vulnerability that was patched within three days of the vendor being made aware of active attacks utilizing the security flaw. However, thousands of organizations worldwide rely on the appliance, leading to a string of attacks against high-profile corporations and government entities.

    The first case was reported by the Reserve Bank of New Zealand. Organizations including the Australian Securities and Investments Commission (ASIC), Singtel, and Qualys soon followed.

    FireEye’s Mandiant team was pulled in to conduct an assessment of the Accellion FTA vulnerability, finding two further vulnerabilities — albeit accessible only by authenticated FTA users — and all bugs, as of now, have been resolved in FTA. If systems remain unpatched, however, they also remain vulnerable to exploit.

    The companies said in February that threat group FIN11 has been connected to the FTA zero-day exploit activity. “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said. “Within this group, fewer than 25 appear to have suffered significant data theft.”

    CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have now been reserved to track the associated vulnerabilities. Users of Accellion FTA are recommended to switch to Kiteworks.

    “We will continue to monitor our IT systems and improve our security,” Shell says. “We regret the concern and inconvenience this may cause the affected parties.”