More stories

  • House passes Online Safety Act as Senate opposes 'big tech' influence committee

    The Australian House of Representatives has agreed to the country’s new Online Safety Act that would hand the eSafety Commissioner powers to order the removal of material that seriously harms adults and hold platforms accountable to a set of yet to be determined basic online safety expectations.

    During a debate on the Bill on Tuesday, the federal opposition agreed with testimony from tech companies and civil liberties groups that the legislation was “rushed”.

    “We are concerned about a number of aspects of these Bills … firstly, there is the government’s delay and mismanagement of the process of getting a Bill for a new Online Safety Act before the Parliament here today, which has substantive consequences,” Shadow Assistant Minister for Cyber Security Tim Watts said. “Secondly, there is the government’s inability, after all of this time, to address key stakeholder concerns about serious, important, and legitimate issues enlivened by these Bills.”

    Labor, however, offered overall support for the Bill, with Watts highlighting his party is expecting “further changes” to address their concerns.

    “The safety of Australians online is of real importance, and Labor will work with the government to iron out these concerns in these Bills in time for the debate on this Bill in the Senate,” he said. “But, in the meantime, Labor will not oppose these Bills in the House of Representatives, and we will support passage through this place on the understanding that government amendments will be forthcoming.

    “We have been in good-faith conversations with the government, and we expect those good-faith conversations to result in further changes.”

    The Online Safety Bill 2021 contains six key priority areas: a cyberbullying scheme to remove material that is harmful to children; an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; basic online safety expectations for the eSafety Commissioner to hold services accountable; an online content scheme for the removal of “harmful” material through take-down powers; and an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material. Waved through simultaneously, the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.

    The Australian Greens said it opposed the Bill because it believed the legislation was poorly drafted and could lead to widespread, unintended consequences. Among other things, the party said it was concerned that people opposed to sex work, pornography, and sexual health for LGBTIQ+ people could abuse the complaints process to seek to have lawful online adult content removed.

    “If we had some basic digital rights enshrined in this country, then you could have a sensible debate about things like what the government is proposing, because people would know that their rights were protected,” Greens leader Adam Bandt said. “But at the moment we can’t know that.

    “Why does the government want to go beyond the stated intent and name of the Bill and start regulating, in an unacceptable way, what adults are able to do online? It is part of creeping moves to exercise greater power over our freedoms and responsibilities, and that’s why in its current form, unless it’s withdrawn and redrafted, the Bill cannot be supported.”

    Over in the Senate, Liberal Senator Alex Antic has failed to have his motion to stand up a Select Committee on Big Tech Influence in Australia passed, with a 32-32 vote. The committee proposed by Antic would have been charged with inquiring into, and reporting on, activity by major international and domestic technology companies. Specifically, the senator wanted the committee to look into big tech’s management of disinformation, misinformation, and malinformation, including “shadow banning”, “de-platforming”, “no platforming”, and “demonetisation”; fake accounts and bots that engage in online campaigns; terms of service of their platforms, including user privacy settings and use of user data by the companies and third parties; and the extent of compliance with Australian laws.

    Labor Senator Katy Gallagher said the opposition was not in support of the committee due to the government’s own declaration that there are already too many select committees. Similarly, the Australian Greens withheld its support.

    “There is no doubt that we do need an inquiry into the influence of big tech in this country, particularly its impact on our democracy and our media and the way that big tech has allowed for the proliferation of far-right extremism on digital platforms in Australia,” Greens deputy leader Senator Nick McKim said. “However, this motion contains language which concerns the Greens. It is language which is used overwhelmingly by the far right, including terms like shadowbanning and deplatforming. While we won’t be supporting this motion today, we do remain open minded and of the view that we need to have a look at some of the impacts of the big tech sector.”

  • CrowdStrike in Q4 posts record number of new subscription customers

    CrowdStrike published fourth quarter financial results on Tuesday, after adding a record number of net new subscription customers in the quarter. The cybersecurity firm added 1,480 net new subscription customers in the quarter, helping it beat market expectations. Its annual recurring revenue (ARR) surpassed the $1 billion milestone.

    Looking at the top and bottom line: CrowdStrike’s total revenue was $264.9 million, a 74 percent increase year-over-year. Non-GAAP net income was $31.6 million, or 13 cents per share. Analysts were expecting earnings of 8 cents per share on revenue of $250.44 million.

    “Our go-to-market engine has gained incredible momentum with both marquee enterprises and small businesses alike as we expand our partner ecosystem and leverage our frictionless sales motion and leading technology to deliver immediate value to our customers,” CrowdStrike co-founder and CEO George Kurtz said in a statement. “Combined with strong secular tailwinds, including digital transformation and an unprecedented threat environment, and our expanding technology portfolio, which now includes leading index-free data ingestion capabilities, we believe we are in an ideal position to further extend our leadership in the Security Cloud category we pioneered.”

    Subscription revenue in Q4 was $244.7 million, a 77 percent increase year-over-year. Annual Recurring Revenue (ARR) increased 75 percent year-over-year and grew to $1.05 billion as of January 31. Of that, $142.7 million was net new ARR added in the quarter. For the full fiscal 2021, non-GAAP net income was $62.6 million, or 27 cents per share. Total revenue was $874.4 million, an 82 percent increase. Subscription revenue was $804.7 million, an 84 percent increase.

    With its additional 1,480 new subscription customers, CrowdStrike’s total subscription customers as of January 31 came to 9,896, representing 82 percent growth year-over-year.

    CrowdStrike’s subscription customers that have adopted four or more modules, five or more modules and six or more modules increased to 63 percent, 47 percent, and 24 percent, respectively, as of January 31.

    For the first quarter, CrowdStrike expects revenue in the range of $287.8 million to $292.1 million.


  • Microsoft's latest cloud authentication outage: What went wrong


    Microsoft has published a preliminary root cause analysis of its March 15 Azure Active Directory outage, which took down Office, Teams, Dynamics 365, Xbox Live and other Microsoft and third-party apps that depend on Azure AD for authentication. The roughly 14-hour outage affected a “subset” of Microsoft customers worldwide, officials said.

    Microsoft’s preliminary analysis of the incident, published March 16, indicated that “an error occurred in the rotation of keys used to support Azure AD’s use of OpenID, and other, Identity standard protocols for cryptographic signing operations,” according to the findings published to its Azure Status History page. Officials said that as part of normal security practices, an automated system removes keys that are no longer in use, but over the past few weeks a key had been marked as “retain” for longer than normal to support a complex cross-cloud migration. This exposed a bug that caused the retained key to be removed anyway.

    Metadata about the signing keys is published by Microsoft to a global location, its analysis notes. Once the metadata was changed around 3 p.m. ET (the start of the outage), applications using these protocols in Azure AD started picking up the new metadata and stopped trusting tokens/assertions that were signed with the removed key. Microsoft engineers rolled back the system to its prior state around 5 p.m. ET, but it takes a while for applications to pick up the rolled-back metadata and refresh with the correct metadata. A subset of storage resources required an update to invalidate the incorrect entries and force a refresh.

    Microsoft’s post explains that Azure AD is undergoing a multi-phase effort to apply additional protections to the back-end Safe Deployment Process to prevent these kinds of problems. The remove-key component is in the second phase of the process, which isn’t scheduled to be finished until mid-year. Microsoft officials said the Azure AD authentication outage that happened at the end of September is part of the same class of risks that they believe they will circumvent once the multi-phase project is complete.

    “We understand how incredibly impactful and unacceptable this is and apologize deeply. We are continuously taking steps to improve the Microsoft Azure Platform and our processes to help ensure such incidents do not occur in the future,” the blog post said. A full root-cause analysis will be published once the investigation is complete, officials said.
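The failure mode in Microsoft’s analysis (a signing key dropped from the published metadata while tokens signed with it were still circulating, and the lag between rollback and recovery because relying applications serve from a cached copy of that metadata) can be walked through in a small model. The following is an added example, not Microsoft’s code and not a description of Azure AD internals: it uses an HMAC secret per key id in place of the RSA key pairs that a real OpenID Connect JWKS document carries, a plain dict in place of the metadata endpoint, a simulated clock, and constructed key names, secrets and claims.

```python
import base64
import hashlib
import hmac
import json

# Constructed, simplified model of the mechanism in the post-mortem above. Azure AD
# publishes RSA public keys as a JWKS document that relying applications fetch and
# cache; here an HMAC secret per key id ("kid") stands in for an RSA key pair so the
# example runs on the standard library alone. All key names, secrets and claims are
# made up for the example, and the "metadata endpoint" is just a dict.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Issue a compact JWS-style token (header.payload.signature) under key `kid`."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class RelyingParty:
    """An application that validates tokens against a cached copy of the published
    key metadata and re-fetches it only every `refresh_interval` seconds (simulated clock)."""

    def __init__(self, metadata: dict, now: float, refresh_interval: float = 3600) -> None:
        self.metadata = metadata          # the provider's published key set (shared dict)
        self.refresh_interval = refresh_interval
        self.cached_keys = dict(metadata)
        self.last_refresh = now

    def _maybe_refresh(self, now: float) -> None:
        if now - self.last_refresh >= self.refresh_interval:
            self.cached_keys = dict(self.metadata)
            self.last_refresh = now

    def validate(self, token: str, now: float) -> str:
        """Return 'ok', or the reason the token was rejected."""
        self._maybe_refresh(now)
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        secret = self.cached_keys.get(header.get("kid"))
        if secret is None:
            return "unknown kid"  # key absent from the cached metadata: trust is withdrawn
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return "expired"
        return "ok"

def rotation_scenario(remove_old_key_early: bool) -> list:
    """Walk one key rotation and return the validation result at each step.
    False: the retiring key stays published until every token signed with it has
    expired (safe rotation). True: it is dropped while such tokens are still valid,
    the failure mode the post-mortem describes."""
    old_secret, new_secret = b"constructed-secret-2020", b"constructed-secret-2021"
    metadata = {"key-2020": old_secret}
    t0 = 0.0
    app = RelyingParty(metadata, now=t0, refresh_interval=3600)
    token_old = sign_token("key-2020", old_secret, {"sub": "alice", "exp": t0 + 4 * 3600})
    results = [app.validate(token_old, t0)]  # ok

    # Step 1: publish the new key first, so caches learn it before it signs anything.
    metadata["key-2021"] = new_secret
    t1 = t0 + 3600
    results.append(app.validate(token_old, t1))  # ok: cache refreshed, both keys present
    token_new = sign_token("key-2021", new_secret, {"sub": "alice", "exp": t1 + 4 * 3600})
    results.append(app.validate(token_new, t1))  # ok

    # Step 2: retire the old key. Removing it while its tokens still have hours of
    # validity left makes every relying party reject them on its next refresh.
    if remove_old_key_early:
        del metadata["key-2020"]
    t2 = t1 + 3600
    results.append(app.validate(token_old, t2))  # safe: ok / early: unknown kid

    # Step 3: the provider rolls the metadata back, but the application keeps serving
    # from its cache until the next refresh, so recovery lags the rollback.
    if remove_old_key_early:
        metadata["key-2020"] = old_secret
    results.append(app.validate(token_old, t2 + 60))    # early: still unknown kid
    results.append(app.validate(token_old, t2 + 3600))  # ok again once the cache refreshes
    return results
```

`rotation_scenario(False)` returns `ok` at every step; `rotation_scenario(True)` shows the rejected tokens and the recovery lag that the post-mortem attributes to applications needing time to pick up the rolled-back metadata. The rule the safe path illustrates is general: publish a new key before signing with it, and keep a retiring key published until the last token signed under it has expired.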

  • Hackers are targeting telecoms companies to steal 5G secrets

    A cyber espionage campaign is targeting telecoms companies around the world with attacks using malicious downloads in an effort to steal sensitive data – including information about 5G technology – from compromised victims.

    Uncovered by cybersecurity researchers at McAfee, the campaign is targeting telecommunications providers in Southeast Asia, Europe and the United States. Dubbed Operation Diànxùn, researchers say the attacks are the work of a hacking group working out of China. The group, also known as Mustang Panda and RedDelta, has a history of hacking and espionage campaigns targeting organisations around the world – and now it appears to be focused on compromising telecoms providers.

    At least 23 telecommunications providers are suspected to have been targeted as part of the campaign, which has been active since at least August 2020. It hasn’t been disclosed how many of the targets were successfully compromised by hackers.

    While the initial means of infection hasn’t yet been identified, it’s known that victims are directed towards a malicious phishing domain under the control of the attackers, which is used to deliver malware to victims. According to researchers, the malicious web page masquerades as a Huawei careers site and has been designed to look indistinguishable from the real thing. The researchers emphasised that Huawei itself isn’t involved in the cyber espionage campaign.

    When users visit the faked site, it delivers a malicious Flash application which is used to drop the Cobalt Strike backdoor onto the visiting machine, ultimately providing attackers with visibility on the machine and the ability to collect and steal sensitive information. The attacks appear to be specifically designed to target those who have knowledge of 5G and to steal sensitive or secret information relating to the technology.

    Researchers have linked Operation Diànxùn to previous hacking operations by Chinese groups because the attacks and the malware are deployed using similar tactics, techniques and procedures (TTPs) to previous campaigns publicly attributed to the group. Analysis of the attacks suggests that the campaign is still actively attempting to compromise targets in the telecommunications sector.

    “We believe the campaign is still ongoing. We spotted new activity last week with the same TTPs, meaning the actor and the campaign are still running,” Thomas Roccia, security researcher in the McAfee advanced threat research strategic intelligence team, told ZDNet.

    With malicious domains playing such a significant role in this campaign, one way to help protect against attacks could be to train staff to recognise when they’ve been directed towards a fake or malicious website – although given how good cyber attackers have become at building highly accurate fake sites, this could be tricky. Having a robust strategy for applying security updates and patches in a timely manner can also help protect networks from cyber attacks, because a network with the latest updates applied is more robust when it comes to preventing hackers exploiting vulnerabilities.

  • Dropbox: The new player in free password manager space

    Looking for a password manager? There are a lot of services out there to choose from, and next month there will be another kid on the block — Dropbox.

    Starting April, Dropbox will begin offering a free, limited version of Dropbox Passwords to anyone who has a free Dropbox Basic plan. This free plan can be accessed from up to three devices.

    The catch? There’s a limitation. You can only store 50 passwords. Need to store more and you have two choices — go elsewhere, or subscribe to a Dropbox plan.

    Another feature that Dropbox announced as “coming soon” is the ability to securely share any password with anyone. Not sure how useful a feature this will be (how often do you share a password?) but might come in handy for those Wi-Fi access codes or Netflix passwords.

  • This years-old Microsoft Office vulnerability is still popular with hackers, so patch now

    A years-old security vulnerability in Microsoft Office is still the most frequently exploited flaw by cyber criminals as a means of delivering malware to victims.

    Analysis of cyberattacks between October and December 2020 by cybersecurity researchers at HP shows that one exploit accounts for almost three-quarters of all campaigns that attempt to take advantage of known vulnerabilities.


    The exploit is CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor, which was first disclosed in December 2017. When exploited successfully, it allows attackers to execute remote code on a vulnerable machine after the victim opens the malicious document – usually sent via a phishing email – used to run the exploit, providing them with an avenue for dropping malware.

    But despite a security update being available to protect against the vulnerability for over three years, it’s still the most frequent exploit used by cyber criminals to deliver malware via malicious Microsoft Office documents.

    “The enduring popularity of Equation Editor exploits such as CVE-2017-11882 may be due to home users and businesses not updating to newer, patched versions of Office. We commonly see this vulnerability being exploited by attackers who distribute easily-obtainable [remote access trojans],” Alex Holland, senior malware analyst at HP Inc, told ZDNet.

    The use of CVE-2017-11882 has dropped compared to the previous quarter, when it accounted for 87% of exploits used – but another vulnerability is gaining popularity, more than doubling in use in just the space of a few months.

    CVE-2017-0199 is a remote code execution vulnerability in Microsoft Word, which first came to light in 2017. It allows attackers to download and execute PowerShell scripts on compromised machines, providing them with additional access.

    Analysis of attacks by HP found that 22% of campaigns attempting to take advantage of unpatched exploits used CVE-2017-0199 during the past three months of 2020 – something that could’ve been prevented if cybersecurity teams had patched against it when a security update was released in 2017.

    Email remains the key method for cyber criminals distributing malicious attachments in order to deliver malware – but there has been a slight change in the exact method of delivery. Before the final quarter of 2020, malicious documents accounted for just over half of files used to distribute exploits, but that dropped to just under a third. Meanwhile, the use of Excel spreadsheets as a means of distributing exploits doubled in that period, rising from being used in one in ten instances detected to almost one in five.

    “Excel appeals to attackers because it supports a legacy macro technology called Excel 4.0 or XLM. These older macros have proven more difficult to detect than their Visual Basic for Applications counterparts because security tools struggle to parse them,” said Holland.

    But no matter the type of file that cyber attackers are attempting to use to distribute malware, there’s a simple thing organisations can do to protect themselves from falling victim – apply the relevant security patches, especially if the updates have been available for many years already.

  • SEC charges US trader for allegedly abusing Twitter to pump cannabis penny stock prices

    The US Securities and Exchange Commission (SEC) has charged a Californian trader for allegedly using Twitter to hype up stocks before dumping them for a profit. 

    The charges, unsealed on Monday and filed in federal court in the Central District of California on March 2, accuse Andrew Fassari of fraud through the spread of “false and misleading” information.
    SEC has also obtained an emergency asset freeze and other emergency relief. 
    According to SEC, Fassari, under the Twitter handle @OCMillionaire, used the microblogging platform to allegedly spread false tips relating to the stock of a company, Arcis Resources Corporation (ARCS). 
    The Twitter handle is followed by roughly 13,000 users and was active as of March 8, 2021. 
    SEC’s complaint says that on December 9, Fassari began purchasing over 41 million shares in the Nevada company before touting the stock on Twitter. 
    Among the claims, documented in over 120 messages referencing $ARCS, was the expansion of operations, a CEO that had “big plans” for the company, exciting news was on its way, and the idea that investment could be a “life-changer.”

    The US regulator alleges that while the share price rocketed by over 4000%, Fassari then sold his stake and secured profits of over $929,000.
    On December 19, Fassari posted a screenshot to Twitter claiming that he had sold for a massive loss. The message read:

    “$ARCS / Sold for a huge loss. I don’t care what anyone says about me. I back up what I say. I take my losses like a man. I don’t blame anyone for this. Everyone received the emails and saw their Twitter. This was either [a] calculated pump or a CEO who did things in the wrong order.”

    However, some Twitter followers have questioned the authenticity of the trading screenshot.
    On March 2, SEC issued a temporary trading ban on ARCS securities (PDF).
    “We allege that Fassari profited by using social media to deceive investors,” commented Melissa Hodgman, Acting Director of SEC’s Division of Enforcement. “The SEC is committed to protecting investors by proactively monitoring suspicious trading activity tied to social media, and by charging those who use social media to violate the federal securities laws.”
    The regulator is seeking a permanent injunction, disgorgement, prejudgement interest, and a civil penalty under charges of violating the antifraud provisions of federal securities law. 
    Speaking to Reuters, a lawyer acting on Fassari’s behalf said, “it appears Mr. Fassari has been hit with fallout from the GameStop, Robinhood, Reddit controversy.”
    Around the time when GameStop (GME) shares skyrocketed and some retail investors jumped on so-called ‘meme’ stocks, SEC issued an advisory warning of the risks associated with stock trades pumped on social media. 
    SEC acknowledged that many may jump on stock options discussed across social media platforms, news aggregators, research websites, and forums, but cautioned that “following the crowd may lead to significant investment losses.”
    In March, SEC charged a number of individuals allegedly involved in an Airborne Wireless Network pump-and-dump stock scheme. The agency claims that the publicly-traded firm’s controlling parties were concealed and cash was spent on hyping the stock, only for major holders to dump their stakes — defrauding other investors out of $45 million. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Microsoft releases one-click mitigation tool for Exchange Server hacks

    Microsoft has released a one-click mitigation tool as a stop-gap for IT admins who still need to apply security patches to protect their Exchange servers. 

    Released on Monday, the tool is designed to mitigate the threat posed by four actively-exploited vulnerabilities that have collectively caused havoc for organizations worldwide. 
    Microsoft released emergency fixes for the critical vulnerabilities on March 2. However, the company estimates that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. 
    The company previously released a script on GitHub that administrators could run in order to see if their servers contained indicators of compromise (IOCs) linked to the vulnerabilities. In addition, Microsoft released security updates for out-of-support versions of Exchange Server.
    However, after working with clients and partners, Microsoft says there is a need for “a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premise Exchange Server.”
    See also: Everything you need to know about the Microsoft Exchange Server hack
    The Microsoft Exchange On-Premises Mitigation Tool has been designed to help customers that might not have security or IT staff on hand to help and has been tested across Exchange Server 2013, 2016, and 2019. 

    It is important to note the tool is not an alternative to patching but should be considered a means to mitigate the risk of exploit until the update has been applied — which should be completed as quickly as possible.  
    The tool can be run on existing Exchange servers and includes Microsoft Safety Scanner as well as a URL rewrite mitigation for CVE-2021-26855, which can lead to remote code execution (RCE) attacks if exploited. 
    “This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft says. 
    In related news this week, Microsoft reportedly began investigating the potential leak of Proof-of-Concept (PoC) attack code supplied privately to cybersecurity partners and vendors ahead of the zero-day public patch release. The company says that no conclusions have yet been drawn over attack spikes related to the vulnerabilities. 