More stories

  • ACIC running into jurisdictional data troubles with new national firearms database

    The Australian Criminal Intelligence Commission (ACIC) decommissioned the National Firearms Licensing Registration System user interface in 2018-19, requiring law enforcement across the country to transition to the Australian Firearms Information Network (AFIN), which has been touted as a more sophisticated system that holds richer, higher quality data. ACIC CEO Mike Phelan told senators on Monday that access to accurate data has been a problem the organisation has faced in transitioning to AFIN and that, given the mismatch of state, territory, and Commonwealth laws, end-to-end security could not be assured.

    As AFIN data is sourced from partner agencies, data quality is a local management issue. Phelan was asked how the ACIC was ensuring data consistency.

    “There’s no consistency in terms of any of the systems that we run when you run states and territories and a Commonwealth system. And that’s the difficulty of trying to run hybrid systems,” he said.

    The AFIN is not governed by the federal government’s Information Security Manual, as it has no jurisdiction or management authority over partner agencies’ local IT systems. Phelan was asked to comment on certain jurisdictions being “less than careful with the details of their own licenced firearm owners”.

    “I know from time to time … private information leaks out of databases. That’s why we have an Information Commissioner, Privacy Commissioners, all these sorts of things — these things unfortunately happen,” he said. “But systems themselves, we try to make as tight as they possibly can.”

    “The reasons for disclosure of info, and I’m not just specifically saying firearms here, but the reasons for disclosure of information, depending on its character vary from state to state. And whilst it might seem self-evident that what you can disclose in Victoria, same piece of information should be disclosed in New South Wales, that is not the case and we’re running into that.”

    There are currently around 3 million firearms registered in systems across Australia. Phelan said there’s a data cleansing process that intends to clean as much of the data the ACIC gets from states and territories as it can, and to provide them with information in relation to their own holdings.

    “That itself is not an easy task to do,” he said. “And you can clean up the data as much as you can — everybody wants the data clean, so that you can make good tactical decisions if you need to, at the operational level rather than having to look at multiple pieces of information to make some sort of subjective judgement.”

    Phelan said ACIC and its law enforcement partners are working through similar issues at the moment with the development of the National Criminal Intelligence System (NCIS). The government has previously described the NCIS as a system that “will provide law-enforcement and intelligence agencies with a national repository of criminal intelligence and information”.

    “It’s actually the jurisdictions that place on it the caveats of the information as to whether or not it can be used and accessed by individuals … and then we decide who gets it,” Phelan said. “It’s whoever provisions the information decides the restrictions upon that information and how it can be distributed. And then we handle the information management system.”

    He said such a practice is consistent with all systems the ACIC monitors.

    “Everything that we hold goes back out to the jurisdictions and then the jurisdictions determine their own assessment and their own assessment as to who has access to those informations based upon the need to know principle or the need to use that information and it varies across states and territories,” he continued.

    Although they have respectively provided data into AFIN, Victoria Police and the Australian Federal Police (AFP) are yet to begin using the system. Phelan said he was “fair dinkum” that VicPol’s timeline was pushed back due to COVID-related issues requiring the state police force to focus on other IT systems.

  • Popular remote lesson monitoring program could be exploited to attack student PCs

    Researchers have uncovered a slew of critical vulnerabilities in remote monitoring software, a finding made worse by the potential impact on student safety and privacy.

    On Monday, McAfee disclosed the existence of multiple security holes in Netop Vision Pro, popular monitoring software adopted by schools for teachers to control remote learning sessions. The software is marketed for teachers to keep control of lessons. Features include viewing student screens and sharing the teachers’, implementing web filters, pushing URLs, chat functions, and freezing student screens.  “Adding technology to the classroom allows you to give your students a multitude of new resources, but it can also add more distractions,” the vendor says. “Classroom management software helps you scaffold your students’ learning while still keeping them on track. In the classroom or during remote learning, Vision’s simple features allow you to manage and monitor your students in real-time.” According to McAfee’s Advanced Threat Research (ATR) team, Netop Vision Pro contained vulnerabilities that “could be exploited by a hacker to gain full control over students’ computers.” After setting up a virtual ‘classroom’ made up of four devices on a local network, the researchers realized that all network traffic was unencrypted and there was no option to enable encryption during configuration.  In addition, students that began connecting to the classroom “would unknowingly begin sending screenshots to the teacher,” according to the report. 

    “Since there is no encryption, these images were sent in the clear,” McAfee says. “Anyone on the local network could eavesdrop on these images and view the contents of the students’ screens remotely.”

    As a teacher begins a session, they send a network packet prompting students to join. It was possible to modify this data, allowing the team to masquerade as the teacher host. Attackers could also perform local elevation of privilege (LPE) attacks and ultimately gain System privileges. Because the software’s chat function saved files sent by a teacher into a ‘work’ directory while running as System, it was possible for an interloper to overwrite existing files and send malicious content to students without any input from them — such as malware that would ultimately compromise their PCs.

    “Netop Vision Pro student profiles also broadcast their presence on the network every few seconds, allowing an attacker to scale their attacks to an entire school system,” McAfee noted. “Because it is always running, even when not in use, this software assumes every network the device connects to could have a teacher on it and begins broadcasting.”

    Overall, four critical vulnerabilities in the software were assigned CVEs and are tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195: an incorrect privilege assignment problem, a default permissions error, the cleartext transmission of sensitive information, and authorization issues. Together, the security flaws allowed for privilege escalation and Remote Code Execution (RCE) attacks within a compromised network.

    “If a hacker is able to gain full control over all target systems using the vulnerable software, they can equally bridge the gap from a virtual attack to the physical environment,” the researchers added. “The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment.”

    The insecure design principles and security flaws found in Netop’s software were privately disclosed to the vendor on December 11. The latest software release, 9.7.2, has addressed some of the issues, such as the LPE bugs and the encryption of credentials. Mitigations have also been added for the chat-based read/write issues. Netop intends to roll out network encryption in the near future.

    Last week, the FBI warned of increasing rates of attack against US and UK schools and universities. Law enforcement agencies have tracked a spike in attack attempts leveraging PYSA ransomware, used to exfiltrate data before encryption in order to extort payment.

    ZDNet has reached out to Netop and we will update when we hear back.

  • Acer reportedly targeted with $50 million ransomware attack

    Acer has reportedly been hit by a REvil ransomware attack, with the culprits demanding $50 million from the company. According to Bleeping Computer, the ransomware gang breached Acer and shared some images of allegedly stolen files as proof on its website over the weekend. The leaked images showed documents that include financial spreadsheets, bank balances, and bank communications, the report said, with the attack possibly coming from a Microsoft Exchange exploit.

    It is not confirmed whether Acer has paid the ransomware group. Asked for comment, Acer did not acknowledge whether it had suffered a ransomware attack. Instead, the company remained scant on the details, only stating that it “routinely monitors its IT systems”.

    “Acer routinely monitors its IT systems, and most cyberattacks are well defended. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries,” an Acer spokesperson said in an emailed statement. “Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer’s internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures.”

    The operators of the REvil ransomware extorted a New York-based law firm in May last year, threatening to release sensitive files on the company’s celebrity clients unless the firm paid a $42 million ransom demand. Prior to that, the group hit Travelex during the 2020 New Year’s Eve, which resulted in the company’s online services being put offline two weeks following the incident.

    Updated at 2:58pm AEST, 22 March 2021: The Acer spokesperson sent through an inaccurate statement; the correction is that Acer discovered the abnormalities from March rather than early March.

  • Cops are the only ones being lawful on the dark web, AFP declares

    Australian Federal Police (AFP) Commissioner Reece Kershaw has detailed to the Senate Legal and Constitutional Affairs Committee that the powers contained within the new “hacking Bill” will help it better uncover, identify, and target those profiting from online crime.

    The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 will hand the AFP and the Australian Criminal Intelligence Commission (ACIC) three new computer warrants for dealing with online crime. The first of the warrants is a data disruption one; the second is a network activity warrant; and the third is an account takeover warrant.

    “In some circumstances, we’ll be able to disrupt or frustrate online offending with reduced harm and better outcomes for would be victims in the community,” Kershaw said, noting also the proliferation of the theft and sale of Australians’ identities and financial information on the “dark web”.

    “Sadly, every kind of crime that you can think of, is being committed on the dark web,” he later added. “It is a criminal marketplace. It’s also a way of communicating using encryption and obviously, being able to be anonymous, and unidentifiable, so there’s lots of activity that happens — drugs, child abuse, again, the list goes on, terrorism, most of them are living in that marketplace.”

    He said use of the dark web is growing, but he believes it’s only for nefarious reasons.

    “There is not anyone, in my view, that is on the dark web for a lawful reason except police,” Kershaw declared.

    Pointing to the arrest of an Australian man in Germany earlier this year for his involvement in the now shuttered DarkMarket marketplace, Kershaw said tracking him down was a combination of great work and lucky breaks.

    “That was some great work from some detectives that had some pretty lucky breaks, but otherwise, technically, very difficult to track down people on the dark web,” he said. “Encryption … is like a shield and then anonymity is part of their sword — the fact that they’re able to operate anonymously using encryption, and other methods to stay and evade law enforcement.”

    AFP deputy commissioner Ian McCartney added the new Bill would help the AFP tackle outlaw motorcycle clubs, with estimates that close to 95% of their communications are encrypted.

    “The challenge for us is operating in the dark, understanding those crime groups, and the criminality that’s involved in those crime groups,” he said. “And obviously, for us it’s an important piece of legislation that’s before Parliament … we would argue a game changer in terms of our fight against organised crime on the dark web, our fight against paedophilia and child protection on the dark web.”

    McCartney said the legislation will provide the AFP and its partner agencies with the tools to undertake such work.

  • Does it keep COVID-19 out of buildings? Or is it really a facial recognition tool?

    Glimmers of optimism are beginning to invade the public debate. And by public, I don’t just mean those progressive spring breakers fighting for their freedom on the beaches.

    Many businesses are now seriously considering a return to their office buildings, some abandoned a year ago. Things, of course, still won’t be quite the same.

    I was moved, then, by an entreaty from a company that claims it’s preparing offices, hotels, restaurants, and schools to screen anyone who enters. Multimedia Care insists its Health Checkpoint will be the de rigueur method for keeping COVID-19 out of buildings. Or, as its website insists on describing it, this is a “one-stop wellness solution.” Because who wants to take two stops to wellness?

    With this Health Checkpoint, you stand and stare into a screen.

    You get an automated squirt of hand sanitizer as you do. And then a “high-precision thermographic sensor” performs a dramatic two-stop. It checks your temperature while simultaneously detecting whether you’re wearing a mask.

    Perhaps without noticing, you may also have to take a foot bath. This, say the creators, sanitizes the soles of your shoes. I fear some soles may be past sanitizing, but this is a fascinating development. (There’s a rubber mat option, too.)

    You might worry, though, that this won’t be an instant affair. You’ll be standing there, having your sole bathed, for a little time. Multimedia Care has some ideas about that. Among these, and I had to pause for breath at this point, is “a billboard-like advertising platform for partner branding, event rentals, charitable donations, and other revenue-generating opportunities.”

    Having your health checked means you’re a standing duck for a sales pitch? But of course.


    Some part of me wonders if a righteous company might force its employees to make a charitable donation every day before being allowed to enter. A great idea for Facebook, surely.

    At this point, I had to pause for spiritual oneness. You’re staring into a camera. Is all this health-consciousness an avenue for businesses to employ facial recognition technology?

    I only ask because Thomas Smith, CEO of Gado Images, wrote a pungent description of his experience being scanned by a health-screening InVidTech tablet at an office building. He discovered this was billed as an “HD temperature measurement and face recognition terminal.” This, apparently, recognizes faces in 0.5 seconds from up to 6.5 feet away. Which adds a troubling kink to the concept of social distancing.

    Naturally, I asked Multimedia Care whether its foot-bathing affair also recorded your face for posterity.

    “The reason we steer clear of using the words ‘facial recognition’ is specifically because that denotes a database to compare against — hence, recognizing a specific face,” the company’s executive director Seth Rubenstein told me.

    Perhaps another reason might be that the words “facial recognition” incite tinges of nausea in many of those who hear them.

    But Rubenstein insisted: “Because we are not tied to the cloud and there is no local storage on the device itself, we use the terms ‘mask verification’ or ‘mask detection.’ The sensor is looking for facial definition below the eyes. If none can be read, it assumes there is a mask. If it can detect a nose and mouth, a voice gently reminds the guest to ‘please wear a mask.’”

    I know you’re relieved to hear the word gently. No one likes to be scolded in an aggressive manner. Rubenstein helpfully added that the gentle voice “can be substituted with that of a celebrity or well-known figure/voice in an organization, such as a CEO or spokesmodel.”

    Ah, imagine turning up to work and the first thing you hear is your CEO gently reminding you to wear a mask. Or, perhaps at some point in the future, to comb your hair. Or will your CEO leave it to Meryl Streep?

    Clearly, this is a new world and new tech tools are being created to serve it. It’s always worth asking, though, what precisely the health-screening technology is doing. And what it can do.


  • SEC charges co-founders of bankrupt uBiome medical testing startup with operating $60m fraud

    The US Securities and Exchange Commission (SEC) has charged the co-founders of uBiome with fraud reaching an estimated $60 million.

    On Thursday, the agency said that the co-founders of the medical testing startup, Jessica Richman and Zachary Apte, are being charged for “falsely portraying uBiome as a successful startup with a proven business model and strong prospects for future growth.”

    Founded in 2012 and based in San Francisco, uBiome claimed to be the developers of technology able to analyze fecal samples and microbiomes to understand how the bacterial makeup of a participant works — including how they tackle nutrient metabolization — and on a wider scale, the state of human microbiomes. Both gut and vaginal tests were on offer. However, the company went bankrupt in 2019 following an FBI raid of the startup’s offices for suspect billing practices.

    According to the SEC’s complaint, filed in federal court in San Francisco, Richman and Apte marketed their startup as having a “strong track record” in the private medical testing space — but the agency says these claims were “false” as revenue generation numbers were based on “duping doctors into ordering unnecessary tests and other improper practices.” In some cases, insurers received bills for close to $3,000 for a test. These “improper” practices would have led to insurers refusing to pay up, if known, and to inflate numbers further, the SEC alleges that prior and backdated claims were also issued to insurers together with “misleading” medical records.

    The SEC alleges that the co-founders directed employees to hide shady business practices from both investors and insurers. Two fundraising rounds, Series B and C, were launched by uBiome and also raised suspicion, as the co-founders reportedly sold shares during the same time periods in order to rake in $12 million in profit.

    “Ultimately, Richman and Apte’s efforts to conceal the practices unraveled, which led to uBiome suspending its medical test business and entering bankruptcy,” the complaint reads. “Richman and Apte were each enriched by millions through selling their own uBiome shares during the fraudulent fundraising round.”

    The US agency has charged Richman and Apte with violating antifraud provisions of federal securities laws and is seeking officer and director bans, disgorgement, and civil penalties.

    The US Attorney’s Office for the Northern District of California has also separately filed criminal charges against the pair. A 33-page indictment alleges that between 2015 and 2019, Richman and Apte’s business submitted over $300 million in reimbursement claims, of which uBiome received over $35 million.

    The Department of Justice (DoJ) is charging the pair with conspiracy to commit healthcare fraud and health care fraud, conspiracy to commit wire and securities fraud, wire fraud, aiding and abetting, fraud in connection with the purchase and sale of securities, and engaging in financial transactions linked to illegal activity. In addition, US prosecutors have charged Richman and Apte with aggravated identity theft, a claim based on the suspected fraudulent use of healthcare provider names and personal data to create documents designed to be submitted to insurers.

    Maximum statutory penalties for the charges carry between five and 20 years in prison per count.

  • Fraudsters jump on Clubhouse hype to push malicious Android app

    A new malicious app is making the rounds that pretends to be the sought-after Android version of Clubhouse. 

    Clubhouse is an invitation-only audio chat app that allows users to listen in on conversations in real-time. Attention around the app exploded after Elon Musk tweeted about the app, but as a free service only currently available on iOS, Android device holders may be feeling somewhat left out. The startup is yet to launch an Android version of Clubhouse, but until then, fraudsters are hoping to fool users into downloading malicious software.  On Friday, ESET disclosed the discovery of an Android app that is being served from a clone of the Clubhouse website. While thankfully not found to have slipped the security net on Google Play — the official repository for Android applications — researcher Lukas Stefanko said the website uses a “Get it on Google Play” button to try and fool visitors into believing the app is legitimate. 
    If downloaded and executed, the malicious .APK deploys BlackRock, a banking Trojan capable of extensive data theft. Discovered in May 2020, the BlackRock Trojan was traced back to Xerxes and LokiBot, the former of which had its source code leaked online a year prior.

    “Xerxes’ source code was leaked, no new malware based on, or using portions of, such code was observed,” ThreatFabric said in an advisory last year. “BlackRock seems to be the only Android banking Trojan based on the source code of the Trojan at the moment.”

    The Trojan is capable of intercepting and tampering with SMS messages, hiding notifications, redirecting users to their device’s home screen if they attempt to run antivirus software, and can be used to remotely lock screens.

    When it comes to information theft, BlackRock is not only able to steal device/OS information and text messages. ESET says the malware is also equipped to steal content from no less than 458 online services. When an unwitting victim opens the app for a service they want to access, an overlay attack is performed. This overlay will request the victim’s credentials which, once submitted, are then whisked away to the malware’s operator. Target services include Facebook, Amazon, Netflix, Twitter, Cash App, Lloyds Bank, and a variety of other financial, retail, and cryptocurrency exchange platforms.

    “Using SMS-based two-factor authentication (2FA) to help prevent anyone from infiltrating your accounts wouldn’t necessarily help in this case, since the malware can also intercept text messages,” ESET says. “The malicious app also asks the victim to enable accessibility services, effectively allowing the criminals to take control of the device.”

    While the use of a fake Google button may be a clever way to stop victims from realizing they are downloading a malicious .APK, navigating to the Google Play Store platform directly can mitigate the risk of being caught in this way. In addition, keeping device firmware up-to-date, monitoring the permissions you give to new apps, and using mobile antivirus software can help you stay protected.

  • Burnt by SolarWinds attack? US releases tool for post-compromise detection

    CISA, the US Cybersecurity and Infrastructure Security Agency, has released a new command-line tool to scan on-premises systems for traces of activity by the attackers behind the SolarWinds supply chain hack. 


    CISA calls the forensics tool CHIRP, which stands for the CISA Hunt and Incident Response Program. “CHIRP scans for signs of APT compromise within an on-premises environment,” CISA says in the alert.

    CHIRP was built to look for signs of compromise related to SolarWinds Orion software, the widely used network monitoring software the hackers used to distribute the Sunburst/Solorigate backdoor to around 18,000 SolarWinds customers. Microsoft calls the threat actor Nobelium, while FireEye is tracking the same group as UNC2452. The new investigation tool is related to CISA’s previously released Sparrow, which was for detecting attacker activity on compromised accounts and applications within Azure and Microsoft 365 cloud environments.

    CISA recommends that defenders use CHIRP to examine Windows event logs and the Windows Registry, to query Windows network artifacts, and to apply YARA rules to detect malware, backdoors or implants.

    The tool has several plugins to search through event logs and registry keys. It also has a file with a list of indicators of compromise (IOCs) that the agency associates with activity in its previous AA20-352A (for Orion) and AA21-008A (Microsoft 365/Azure environments) alerts.

    Only some of the 18,000 SolarWinds customers affected by the trojanized version of Orion were selected by the hackers for deploying a second strain of malware, called Teardrop. The attackers then escalated access within a target’s cloud environment to breach Microsoft 365 infrastructure.

    CISA says CHIRP currently looks for:

    • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
    • Credential dumping certificate pulls;
    • Certain persistence mechanisms identified as associated with this campaign;
    • System, network, and M365 enumeration; and
    • Known observable indicators of lateral movement.

    Microsoft recently detailed three additional pieces of malware related to the Sunburst intrusion, including Sibot, a tool designed for persistence on an infected machine to support the download and execution of a payload from a remote C2 server.

    CHIRP is available on GitHub as a compiled executable or as a Python script. FireEye in January also released a free tool on GitHub called Azure AD Investigator.