More stories


    OAIC orders Home Affairs to compensate asylum seekers over data breach

    The Office of the Australian Information Commissioner (OAIC) has ordered the Department of Home Affairs, formerly the Department of Immigration and Border Protection, to determine the amount owed to each individual and pay compensation for “mistakenly” releasing the personal information of 9,251 asylum seekers.
    The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, determined that the federal government at the time had “interfered” with the privacy of these individuals by accidentally publishing their full names, nationalities, locations, arrival dates, and boat arrival information on its website in 2014.
    Following the publishing of their personal information, the asylum seekers launched legal action against the department. The asylum seekers in New South Wales, Western Australia, and the Northern Territory claimed the breach exposed them to persecution from authorities in their home countries.
    A total of 1,297 applications were lodged as part of the legal case requesting that compensation be paid because those affected suffered loss or damage due to the data breach.
    The commissioner said the compensation to be paid to participating class members would range from AU$500 to more than $20,000 and would be determined on a case-by-case basis.
    “This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach,” she said.
    “It recognises that a loss of privacy or disclosure of personal information may impact individuals and depending on the circumstances, cause loss or damage.”

    The compensation process is expected to take up to 12 months to complete. It will involve ensuring that individuals agree to their compensated amount. If the department and the individual cannot agree on the compensation amount, there will be opportunities to re-assess the payable amount, the OAIC said.
    The OAIC said it would also publish information about the determination in 21 languages to ensure all participating class members are informed about the process so they can finalise their claims. 
    Last week, the OAIC requested amendments to the Privacy Act 1988 that would update its regulatory powers and remove exemptions, such as the one for political parties.
    In a 150-page submission [PDF] to the Attorney-General’s review of the Act, the OAIC made a handful of recommendations, including enhancing its own ability to regulate, which it said would bring its powers in line with “community expectations”. 
    The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, conciliation, and determination. The OAIC has described this nearly 33-year-old function as outdated. 
    “This reflects the context in which the Privacy Act was first introduced. In the digital environment, privacy harms can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, there must be a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action,” it said.
    “While Australia’s current framework provides some enforcement powers, these need to be strengthened and recalibrated to deter non-compliant behaviour and ensure practices are rectified.” 


    ASIC reports server breached via Accellion vulnerability

    The Australian Securities and Investments Commission (ASIC) has said one of its servers was breached on January 15.
    “This incident is related to Accellion software used by ASIC to transfer files and attachments,” the corporate regulator said in a notice posted on the evening before a public holiday.
    “It involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications.”
    ASIC said that while some “limited information” had been viewed, it saw no evidence that any application forms were downloaded or opened. The regulator said access to the server has been disabled and it was working on other arrangements.
    “No other ASIC technology infrastructure has been impacted or breached,” it added.
    “ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident.”
    Accellion was also used as the vector to breach the Reserve Bank of New Zealand (RBNZ) earlier this month.

    “We have been advised by the third-party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised,” the Bank said at the time.
    In an update posted last week, Bank Governor Adrian Orr said the cause of the breach was “understood and resolved”.
    “Based on the results of our investigation and analysis to date we have been able to tell stakeholders which of their files on the File Transfer Application were downloaded illegally during the breach,” he said.
    “There are some serious questions that have been answered by the team at the Bank and there are more for the supplier of the system that was breached. That is the subject of an independent review by KPMG that is now underway.”
    RBNZ said it was already in the process of implementing a new secure file transfer system to be used with external stakeholders, and that work has been sped up.
    For its part, Accellion said on January 12 that it had been aware of the vulnerability in its legacy File Transfer Application since mid-December, and had released a patch within 72 hours to the “less than 50 customers affected”.
    “Accellion FTA is a 20-year-old product that specialises in large file transfers,” it said.
    “While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence.”


    Singapore must return data control to users to regain public trust

    Singapore repeatedly has emphasised the need for trust so the adoption of new technology can thrive, but its provision for widening business access to user data — amidst continuing security breaches and slips — poses worrying risks ahead. There is an urgent need to ensure users have stronger control of their personal data, especially as the government itself will need to restore public trust following a major gaffe involving the country’s COVID-19 contact tracing efforts.
    Singapore in recent years has been opening up access to citizen data as part of efforts to facilitate business transactions and ease workflow. Just last November, the Personal Data Protection Act (PDPA) was updated to allow local organisations to use consumer data without prior consent for some purposes, such as business improvement and research. 

    Amongst the key changes is the “exceptions to consent” requirement, which allows businesses to use, collect, and disclose data for “legitimate purposes”, business improvement, and a wider scope of research and development. In addition to the existing consent exceptions, which cover investigations and responding to emergencies, these now include efforts to combat fraud, enhance products and services, and carry out market research to understand potential customer segments.
    Businesses also can use data without consent to facilitate research and development (R&D) that may not yet be marked for productisation. 
    Concerns were raised that the amendments, specifically with regards to exceptions and deemed consent, were too broad and might be abused by organisations. “Legitimate interests”, for instance, can be viewed from an organisation’s perspective and its assessment subjective when considering whether these interests outweigh potential adverse effects on an individual, which is a requirement outlined in the amendment.
    And while individuals still can withdraw consent after the opt-out period, how can they do so when they’re not even aware they’ve been opted in to begin with? Under the “exceptions to consent” rule, are businesses required to inform consumers their data will be used and how it will be used? 
    Singapore’s Communications and Information Minister S. Iswaran has explained that data is a key economic asset in the digital economy as it provides valuable insights that inform businesses and generate efficiencies. It also empowers innovation and enhances products, and will be a critical resource for emerging technologies such as artificial intelligence.

    I totally get that; after all, access to data is what powers APIs (application programming interfaces) and fuels market competition.
    However, consumers need to be given the ability to decide who and how they want their own data to be accessed because for-profit businesses, when given a free buffet, will inevitably seek to grab as much as they can.
    My bank, for instance, is planning to phase out use of its physical token as a two-factor authentication option and transition fully to digital tokens. This means customers like me will be forced to download the bank’s mobile app, with which the digital token is integrated, just to authenticate my identity and access any of its online banking services. 
    The key frustration here is that the bank’s app wants a whole host of permissions including the ability to read my contacts details as well as access to my phone’s Bluetooth settings and location data. 
    Any external access to my personal data should be restricted to a need-to-have-only basis. I deem this practice essential in mitigating my security risks, especially as cyber threats are increasingly sophisticated and data breaches seemingly inevitable. 
    If major companies such as Lazada’s RedMart and Grab can overlook security loopholes that resulted in breaches and compromised customers’ data, what else are smaller businesses with much more limited resources failing to plug, even as they collect more of consumers’ personal information? 
    And what happens when the companies decide to modify their data use and privacy policies? This can often occur when there’s an acquisition, such as Facebook and WhatsApp, and we know these businesses don’t always keep their pledge to maintain the status quo after a merger with regards to customer data. Sure, users furious over WhatsApp’s privacy policy change can move to alternatives such as Signal and Telegram, but what happens when the alternatives get bought out by another market giant like Google, Apple, or Microsoft?
    Ill-thought-out business decisions and security lapses can erode confidence, and when consumers no longer trust that their personal data will be protected and used responsibly, they will pull back on adopting new digital services and technologies. And this can have adverse economic as well as social impact.
    Lessons from TraceTogether privacy debacle
    Singapore should know this best, since public trust took a severe hit when it was revealed the country’s COVID-19 contact tracing data could, in fact, be accessed for various purposes other than for its original intent. 
    The government early this month admitted law enforcers could use the TraceTogether data to aid in their criminal investigations, contradicting previous assertions that contact tracing information would only be accessed if the user tested positive for the virus.
    The revelation triggered much public outcry, with some threatening to circumvent the data collection by deactivating the TraceTogether app, turning off their phone’s Bluetooth connection, or placing their device including the TraceTogether token into an RFID-blocking pouch. 

    Much already has been said about the whole saga so I won’t comment on it further, but there are important lessons here for everyone, especially the government. 
    Topmost, it now must realise large sections of the local population do care enough about their personal data and privacy, and will choose to defend it when they’re able to. This should send a strong signal that serious, rather than token (pardon the pun), consideration is needed with regards to how citizens’ data is treated before policies are rolled out.
    There clearly needs to be a mindset change in how the government operates and works on nationwide projects. A multi-ministry taskforce had been set up to deal with the COVID-19 pandemic, with contact tracing efforts often taking centre stage. Yet months had passed — since TraceTogether was launched — without any one of the ministries, or even the police, which presumably would be more familiar with the Criminal Procedure Code, raising the alarm that the repeated public statements about the use of contact tracing data had failed to consider the exceptions for criminal investigations.
    At worst, this could be perceived — even if wrongly — as a deliberate attempt to deceive the public. At best, it would indicate gross carelessness and lack of communication between the different ministries and government agencies tasked to work on critical national initiatives, such as the COVID-19 pandemic.
    The TraceTogether privacy saga further demonstrates the need for users to have stronger ownership of their own data, so they can continuously ask questions about how their personal information is collected, stored, and used, as well as take active steps to safeguard their own cyber hygiene. 
    Because if they don’t, it’s clear that businesses as well as the government should not be expected to be able to do so, effectively, on their behalf. What other loopholes and potential security gaps have been overlooked that can potentially lead to serious data breaches down the road?
    Such risks can be better mitigated if users were let in on efforts to manage their own data and empowered to decide for themselves whether businesses should, or should not, have access to all or some of their personal data. 
    In addition, every announcement about new policies that involve access to citizens’ data should be accompanied by a security factsheet detailing exactly how access will be protected and data stored and safeguarded. Declarations about the need to secure data should be more than lip service and go beyond brief one or two liners, uttered merely as ‘business as usual’ attempts to address security concerns.
    “People, Process, Technology.” Isn’t that the basic framework oft cited by businesses and governments as critical to successful adoption? Establishing the processes and technology will mean nothing if users aren’t properly equipped to help defend their own data.


    F5 Networks fiscal Q1 revenue, profit beat expectations, revenue outlook higher as well

    Application security pioneer F5 Networks this afternoon reported fiscal Q1 revenue and profit that topped analysts’ expectations, and forecast this quarter’s revenue higher, but profit a bit below, sending its shares sharply lower in late trading.
    Revenue in the three months ended in December rose to $625 million, yielding EPS of $2.59. 
    Analysts had been modeling $623 million and $2.45 per share. 
    The results compare to a raised forecast of $623 million to $626 million in revenue offered two weeks ago, when the company announced it would acquire privately held Volterra of Santa Clara, California, a maker of distributed multi-cloud application security and load-balancing software.
    For the current quarter, the company sees revenue in a range of $625 million to $645 million, higher than the consensus for $621 million; and EPS in a range of $2.32 to $2.44, slightly below consensus for $2.41. 
    F5 shares are down about 3% at $203 in after-hours trading and had initially dropped as much as 6%.




    Apple fixes another three iOS zero-days exploited in the wild

    Apple has today released security updates for iOS to patch three zero-day vulnerabilities that were exploited in the wild.

    All three zero-days were reported to Apple by an anonymous researcher.
    One impacts the iOS operating system kernel (CVE-2021-1782), and the other two are in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871).
    The iOS kernel bug was described as a race condition bug that can allow attackers to elevate privileges for their attack code.
    The two WebKit zero-days were described as a “logic issue” that could allow remote attackers to execute their own malicious code inside users’ Safari browsers.
    Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS.
    However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days.

    The three bugs today come after Apple patched another set of three iOS zero-days in November last year. The November zero-days were discovered by one of Google’s security teams.
    News of another set of iOS zero-days also came to light in December when Citizen Lab reported attacks against Al Jazeera staff and reporters earlier in 2020. These iOS zero-days were inadvertently patched when Apple released iOS 14, an iOS version with improved security features.


    Four security vendors disclose SolarWinds-related incidents

    As most experts predicted last month, the fallout from the SolarWinds supply chain attack is getting bigger as time passes and companies have had time to audit internal networks and DNS logs.
    This week, four more cyber-security vendors — Mimecast, Palo Alto Networks, Qualys, and Fidelis — have added their names to the list of companies that had installed trojanized versions of the SolarWinds Orion app.
    Mimecast hack linked to SolarWinds software
    The most important of this week’s announcements came from Mimecast, a vendor of email security products.
    Two weeks ago, the company disclosed a major security breach during which hackers broke into its network and used digital certificates belonging to one of its security products to access the Microsoft 365 accounts of some of its customers.
    In an update on its blog today, Mimecast said it linked this incident to a trojanized SolarWinds Orion app installed on its network.
    The company has now confirmed that the SolarWinds hackers are the ones who abused its certificate to go after Mimecast’s customers.
    Palo Alto Networks discloses Sep & Oct 2020 incidents
    Another major security vendor who came forward to disclose a SolarWinds-related incident was Palo Alto Networks, a vendor of cyber-security software and network equipment.

    Speaking to Forbes investigative reporter Thomas Brewster this week, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software.
    “Our Security Operation Center […] immediately isolated the server, initiated an investigation and verified our infrastructure was secure,” Palo Alto Networks told Forbes on Monday.
    However, the company said it investigated the breaches as separate, isolated incidents and didn’t detect the broader supply chain attack, which would be spotted only months later when hackers breached fellow security vendor FireEye.
    Palo Alto Networks said the investigation into the September and October SolarWinds-linked intrusions didn’t yield much and concluded that “the attempted attack was unsuccessful and no data was compromised.”
    Qualys: It was only a test system
    But the Forbes report also cited the findings of Erik Hjelmvik, founder of network security company Netresec, who published on Monday a report detailing 23 new domains that were used by the SolarWinds hackers to deploy second-stage payloads into infected networks they deemed as high value.
    Two of these 23 new domains were “corp.qualys.com,” suggesting that cybersecurity auditing giant Qualys might have been targeted by the attackers.
    However, in a statement to Forbes, Qualys said that the intrusion was not as big as it appears, claiming that its engineers installed a trojanized version of the SolarWinds Orion app inside a lab environment for testing purposes, separate from its primary network.
    A subsequent investigation did not find any evidence of further malicious activity or data exfiltration, Qualys said.
    However, some security researchers are not buying the company’s statement, arguing that the “corp.qualys.com” domain indicates the hackers did get access to its primary network and not a laboratory environment, as the company claims.
    Fidelis also discloses second-stage targeting
    The fourth and latest major disclosure came today from Fidelis Cybersecurity in the form of a blog post from the company’s CISO, Chris Kubic.
    The Fidelis exec said they, too, had installed a trojanized version of the SolarWinds Orion app in May 2020 as part of a “software evaluation.”
    “The software installation was traced to a machine configured as a test system, isolated from our core network, and infrequently powered on,” Kubic said.
    Fidelis said that despite efforts from the attacker to escalate their access inside the Fidelis internal network, the company believes that the test system was “sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack.”
    This week’s disclosures bring the total number of cyber-security vendors targeted by the SolarWinds hackers to eight. Previous disclosures came from FireEye (initial intrusion which uncovered the entire SolarWinds supply chain attack in the first place), Microsoft (intruders accessed some of the company’s source code), CrowdStrike (failed intrusion), and Malwarebytes (attackers accessed some of the company’s email accounts).



    Firefox 85 removes Flash and adds protection against supercookies

    Mozilla has today released Firefox 85 to the stable channel, a new version of its beloved browser that removes support for the Adobe Flash Player plugin and also boosts privacy protections by adding more comprehensive defenses against “supercookies.”

    The removal of the Flash plugin comes after Mozilla announced its intention to drop Flash in July 2017 as part of a coordinated industry-wide Flash deprecation and End-of-Life plan, together with Adobe, Apple, Google, Microsoft, and Facebook.
    The EOL date was set to Dec. 31, 2020, a date after which Adobe agreed to stop providing updates for the software.
    Firefox now joins Chrome and Edge, both of which removed support for Flash earlier this month with the release of Chrome 88 and Edge 88.
    Network partitioning and supercookies protection
    While Firefox 85 is the first version that ships without the much-maligned Flash plugin, the bigger feature in this release is “network partitioning.”
    First reported by ZDNet last month, the network partitioning feature works by splitting the Firefox browser cache on a per-website basis, a technical solution that prevents websites from tracking users as they move across the web.
    In a blog post today, Mozilla said this new feature has effectively blocked the use of supercookies inside Firefox going forward.

    “Supercookies can be used in place of ordinary cookies to store user identifiers, but they are much more difficult to delete and block,” Mozilla said today.
    “Over the years, trackers have been found storing user identifiers as supercookies in increasingly obscure parts of the browser, including in Flash storage, ETags, and HSTS flags.
    “The changes we’re making in Firefox 85 greatly reduce the effectiveness of cache-based supercookies by eliminating a tracker’s ability to use them across websites,” the browser maker said.
    Mozilla said that while it expected a big impact on website performance after splitting the Firefox cache, internal metrics show that the impact was minimal.
    “Our metrics show a very modest impact on page load time: between a 0.09% and 0.75% increase at the 80th percentile and below, and a maximum increase of 1.32% at the 85th percentile,” Mozilla said.
    The browser maker viewed this performance impact as acceptable for improving overall user privacy.
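    To make the mechanism concrete, here is an added toy model (not Mozilla’s code and not from the article) of an ETag supercookie and of the per-site cache partitioning described above. `TrackerServer`, `Browser`, the pixel URL and the site names are all constructed for the demo, and the partition key is simplified to the top-level page’s origin string rather than Firefox’s actual scheme-plus-site key.

```javascript
// Toy model of an ETag "supercookie" and of per-site HTTP cache partitioning.
// Everything here is constructed for illustration (not Mozilla's code); real
// browsers key the partition on the top-level site, which is simplified here
// to the top-level page's origin string.

// The tracker's origin server: hands out a unique identifier as the ETag of a
// 1x1 image and reads it back from If-None-Match on later requests.
class TrackerServer {
  constructor() {
    this.nextId = 1;
    this.observed = []; // { referer, id } for every request that reached us
  }
  handle(req) {
    if (req.ifNoneMatch) {
      // Revalidation: the browser echoed our identifier back to us.
      this.observed.push({ referer: req.referer, id: req.ifNoneMatch });
      return { status: 304, etag: req.ifNoneMatch, body: null };
    }
    const id = `uid-${this.nextId++}`;
    this.observed.push({ referer: req.referer, id });
    return { status: 200, etag: id, body: "GIF89a..." }; // constructed body
  }
}

// A browser whose HTTP cache is either shared across sites or partitioned
// by the top-level site the resource was loaded from.
class Browser {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.cache = new Map();
  }
  cacheKey(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite}|${url}` : url;
  }
  load(topLevelSite, url, server) {
    const key = this.cacheKey(topLevelSite, url);
    const entry = this.cache.get(key);
    const res = server.handle({
      url,
      referer: topLevelSite,
      ifNoneMatch: entry ? entry.etag : undefined,
    });
    if (res.status === 304) return entry.body; // cached copy still valid
    this.cache.set(key, { etag: res.etag, body: res.body });
    return res.body;
  }
}

// Embed the tracker pixel on two different sites, then revisit the first one.
// Returns what the tracker could learn from the identifiers it observed.
function simulateTrackerPixel(partitioned) {
  const server = new TrackerServer();
  const browser = new Browser({ partitioned });
  const pixel = "https://tracker.example/pixel.gif"; // constructed URL
  const visits = ["https://news.example", "https://shop.example", "https://news.example"];
  for (const site of visits) browser.load(site, pixel, server);

  const sitesPerId = new Map();
  for (const { referer, id } of server.observed) {
    if (!sitesPerId.has(id)) sitesPerId.set(id, new Set());
    sitesPerId.get(id).add(referer);
  }
  return {
    distinctIds: sitesPerId.size,
    // The same identifier reported from two top-level sites links the visits.
    crossSiteLinkable: [...sitesPerId.values()].some((s) => s.size > 1),
    // A revalidation on the return visit means the tracker still recognises
    // repeat visits to the *same* site; partitioning does not hide those.
    returnVisitRecognised: server.observed[2].id === server.observed[0].id,
  };
}

console.log("shared cache:     ", simulateTrackerPixel(false));
console.log("partitioned cache:", simulateTrackerPixel(true));
```

    With the shared cache the tracker sees one identifier from both sites; with the partitioned cache each site gets its own entry, so the identifier never crosses site boundaries, although same-site return visits are still recognised.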
    Other changes
    Other features also shipped with Firefox 85 today. The first is a change in how bookmarks are saved inside Firefox.
    Starting with this version, Firefox now remembers where users saved their last bookmark and saves all other bookmarks to the same location. 
    Furthermore, Firefox has also added a bookmarks folder to the bookmarks toolbar. This last feature caused some problems last week, when some Firefox users saw it in their browsers, but without an easy way of disabling it. With Firefox 85, removing that folder from the bookmarks toolbar is possible via a right-click menu option.
    In addition, Firefox 85 also ships with a button to remove all saved credentials, which could be a very useful feature in case users need to clear a Firefox installation and make it available for other users.
    Other changes are detailed in the Firefox 85 changelog, while the security fixes are listed in the accompanying security advisories.


    South African government releases its own browser just to re-enable Flash support

    The South African Revenue Service has this week released its own custom web browser for the sole purpose of re-enabling Adobe Flash Player support, rather than port its existing website from Flash to HTML-based web forms.
    Flash Player reached its official end of life (EOL) on December 31, 2020, when Adobe officially stopped supporting the software.
    To prevent the app from continuing to be used in the real world to the detriment of users and their security, Adobe also began blocking Flash content from playing inside the app starting January 12, with the help of a time-bomb mechanism.
    As Adobe hoped, this last step worked as intended and prevented companies from continuing using the software, forcing many to update systems and remove the app.
    As SARS tweeted on January 12, the agency was impacted by the time-bomb mechanism, and starting that day, the agency was unable to receive any tax filings via its web portal, where the upload forms were designed as Flash widgets.

    SARS is aware of certain forms not loading correctly due to Adobe Flash. We are currently working on resolving the matter and will advise once the problem has been resolved. We sincerely apologise for the current inconvenience.
    — SA Revenue Service (@sarstax) January 12, 2021

    But despite having a three-and-a-half-year heads-up, SARS did not choose to port its Flash widgets to basic HTML & JS forms, a process that any web developer would describe as trivial.
    Instead, the South African government agency decided to take one of the most mind-blowing decisions in the history of bad IT decisions and release its own web browser.

    Chrome, Firefox, Edge: Hey, we no longer support Adobe Flash Player due to security reasons. SARS: mxm okay, we’ll build our own browser ke! 🤡
    — Monsieur Elon Masakhane (@VendaVendor) January 26, 2021

    Released on Monday on the agency’s official website, the new SARS eFiling Browser is a stripped-down version of the Chromium browser that has two features.
    The first is to re-enable Flash support. The second is to let users access the SARS eFiling website.
    As Chris Peterson, a software engineer at Mozilla, pointed out, the SARS browser only lets users access the official SARS website, which somewhat reduces the risk of users getting their systems infected via Flash exploits while navigating the web.
    But as others have also pointed out, this does nothing for accessibility, as the browser is only available for Windows users and not for other operating systems such as macOS, Linux, and mobile users, all of which are still unable to file taxes.

    Do tell me about the Linux, iOS, Android and MacOS versions of this browser
    — Stephan Eggermont (@StOnSoftware) January 26, 2021

    Pressed for more answers on its decision to focus on a narrow-minded solution via its custom browser rather than port some forms on its website, a SARS spokesperson did not return a request for comment.
    But in spite of its unexpected response to the Flash EOL, SARS is only an outlier in the grand scheme of things, as most companies have already moved operations away from Adobe Flash.
    Sure, there are a few exceptions here and there that can grab headlines due to poor decisions, but most companies have known long in advance that this day was coming and have taken steps to avoid any downtime.
    Another of these outlier cases that made headlines over the past week was the case of the local train station in the Chinese city of Dalian. Initial reports claimed that the rail station had to stop all rail traffic after its internal systems, built around Flash, stopped working.
    This turned out to be false, and later reports from Chinese media clarified that railway traffic never stopped in Dalian because of the Flash EOL. However, the reports also admitted that there’s some truth in the original report and that, indeed, some internal traffic statistics system had stopped working at the rail station on January 12, when Adobe blocked Flash content from working.
    That system was eventually upgraded to a Flash Player version that Adobe offers inside China only, which does not contain the January 12 time-bomb mechanism, allowing the system to continue working beyond the Flash EOL.