More stories

  • in

    Budget 2021: ASIO the big winner from AU$1.9 billion national security pool

    The Australian Security Intelligence Organisation (ASIO) has been given a 10-year funding boost as part of the 2021 federal Budget.

    The AU$1.3 billion boost, the Budget documents [PDF] say, is to be invested into building ASIO’s ability to protect Australia and Australians from threats to security. Specifically, the cash will go towards enhancing Australia’s national security capabilities.

    “This will support ASIO’s technological capabilities, enhancing its ability to address threats to Australia’s national security,” the government said.

    Meanwhile, a further AU$51.8 million is being provided to support the Australian Criminal Intelligence Commission’s (ACIC) role in combatting “transnational, serious, and organised crime”.

    “This measure also includes funding to support enhanced collaboration and information sharing through the ongoing integration of Australian law enforcement agencies into the National Criminal Intelligence System,” it said.

    Partial funding for this measure has already been provided by the government.

    “While we have been fighting COVID, other threats to our national security have not gone away,” Treasurer Josh Frydenberg said during his Budget speech.

    “To keep Australians safe from these threats, whether domestic or foreign, the government is providing an additional AU$1.9 billion over the decade to strengthen our national security, law enforcement, and intelligence agencies.

    “We also need to prepare for a world that is less stable and more contested.”

    The government is also providing AU$146 million over four years from 2021-22 for initiatives to prevent child sexual abuse, such as through building child safe capability in sporting organisations and delivering online safety education programs to prevent online harm and promote safe online practices for children and young people.

    In August, the federal government released a lacklustre refreshed Cyber Security Strategy. On Thursday, as part of its digital economy strategy, it added a handful of cyber funding and initiatives, including AU$31.7 million to secure future connectivity using 5G and 6G mobile networks; a pledge to improve standards for trusted identities that underpin the digital environment; a promise to strengthen Australia’s data security settings through the development of a National Data Security Action Plan; the piloting of Cyber Hubs that government hopes will see Canberra’s biggest IT shops help “improve resilience and cybersecurity maturity of government agencies”; and AU$16.4 million over three years for the Peri-Urban Mobile Program to improve mobile phone connectivity in the bushfire prone areas of the peri-urban fringe of Australia’s major cities.

    FUNDING FOR BILLS YET TO BE PASSED

    The Security Legislation Amendment (Critical Infrastructure) Bill 2020, currently before Parliament, introduces a government assistance regime that provides powers to protect assets during or following a significant cyber attack. This includes the power to authorise information gathering directions, action directions, and intervention requests.

    On Tuesday, the government announced it was providing funding to “improve security arrangements for critical infrastructure”.

    The government will provide AU$42.4 million over two years from 2021-22 to improve security arrangements for critical infrastructure assets, including those designated as systems of national significance, in accordance with the Bill, and to assist critical infrastructure owners and operators to respond to significant cyber attacks.

    Another yet-to-be-passed Bill, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, which paves the way for Australia to obtain a proposed bilateral agreement with the United States for implementing the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), has also been allocated AU$9.6 million.

    The government said it will provide the AU$9.6 million over four years from 2021-22 to support the bilateral exchange of information between Australia and the United States relating to the investigation of serious crimes.
    It has also earmarked AU$4 million over four years from 2021-22, and AU$1.1 million per year ongoing, to the Office of the Commonwealth Ombudsman and the Office of the Inspector-General of Intelligence and Security to support oversight of the use of surveillance, data access, and interception powers that will be provided to security agencies under the Telecommunications and other Legislation Amendment (Assistance and Access) Act 2018 and the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020.

    The Identify and Disrupt Bill, colloquially known as the “hacking” Bill, meanwhile, is still before Parliament.

    This measure will be offset by redirecting funding from the Department of Home Affairs, Budget documents say.

    Elsewhere, as part of an investment into critical frontline biosecurity resources, AU$25.5 million over four years from 2021-22 will be used for “modern technologies and diagnostic tools” to improve the speed and accuracy of pest and disease identification at the border.

    To modernise the country’s biosecurity IT systems, technology, and data analytics, AU$31.2 million over four years from 2021-22, and AU$1.5 million per year thereafter, will be used to deliver digital capability for biosecurity screening of incoming international mail through new technology.

    The Australian government will also provide AU$98.8 million over four years from 2021-22, and AU$4.9 million ongoing per year from 2025-26, to establish an Office of Supply Chain Resilience to provide ongoing capacity to monitor and coordinate the government’s efforts to boost supply chain resilience and also to support the implementation of other government policy priorities, including its COVID-19 response and continuing Australian Public Service reforms.

    Elsewhere, Australia is set to receive a dedicated Freedom of Information Commissioner, a role currently filled by the Office of the Australian Information and Privacy Commissioner. The OAIC has been in need of further funding for extra hands for a while, and the AU$3.9 over four years has been allocated to the new role.

  • in

    iPhone app tracking feature greyed out? Try this fix

    One of the most anticipated (or hated, if you are Facebook) features in iOS 14.5.1 has been the new app tracking transparency tool that means that developers must ask users for permission to use their data to track them for targeted advertising purposes.

    But the feature isn’t working for everyone. In fact, it was so broken that Apple rolled out a fix in iOS 14.5.1 to try to fix it.

    But even that didn’t fix it for some, leaving the setting greyed out.

    [Image: App Tracking Transparency feature greyed out even after updating to iOS 14.5.1.]

    But there’s a solution that seems to help some people. And fortunately, it’s quite simple.

    The first thing you need to do is sign out of the App Store. To do this, fire up the App Store, tap on the icon located at the top-right of the screen that represents you, and then scroll down to the bottom of the screen and tap Sign Out.

    With that done, reboot your iPhone. Go to Settings > General and scroll down to Shut Down and tap to, well, shut down.

    Then, restart your iPhone and log back into the App Store. Fire up the App Store, tap the blue icon at the top-right of the screen, enter your Apple ID and password, and click Sign In.

    Head over to Tracking (Settings > Privacy > Tracking) and see if that fixed the problem.

    This has worked for several people who have been in contact with me, so it’s well worth a try. Otherwise, you’re going to have to wait for iOS 14.5.2 in the hopes that fixes the problem.

    Have you had problems? Did this work for you? Let me know in the comments below!

  • in

    GitHub shifts away from passwords with security key support for SSH Git operations

    GitHub has announced support for security keys to prevent account compromise in SSH Git operations.

    When you add a security key to SSH operations, you can use these devices to protect you and your account from accidental exposure, account hijacking, or malware, GitHub security engineer Kevin Jones said in a blog post on May 10.

    Security keys, including the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are physical, portable dongles that implement an additional layer of security to your online services and accounts.

    Strong passwords are still important, but due to the prevalence of data leaks and cyberattacks, they are becoming less effective as a single security measure, leading to the creation of password managers that also monitor for credential exposure online, biometrics, and security keys.

    GitHub, too, wants to move away from typical passwords and to more secure authentication standards. At present, users can use a password, personal access token (PAT), or an SSH key to access Git, but the company intends to remove support for passwords later this year.

    “We recognize that passwords are convenient, but they are a consistent source of account security challenges,” Jones commented. “We believe passwords represent the present and past, but not the future. […] By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain.”

    In order to make the transition, users need to log in and follow GitHub’s documentation on how to create a new key and add it to their account. Users will find the process somewhat similar to how they would have added an SSH key to an account in the past. The same security key can be used for both web and SSH authentication.

    Remote Git operations, including push, fetch, and pull, will require an additional key tap in an attempt to prevent malware from initiating requests on your behalf. However, if you are already locally authenticated, you can still perform operations such as branch and merge without the need to go through this step again.

    GitHub will also remove unused, inactive keys over time.

    The organization was one of the first to support FIDO Universal 2nd Factor (U2F) authentication.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • in

    NortonLifeLock fiscal Q4 tops expectations, sees double-digit long-term revenue growth

    Antivirus vendor NortonLifeLock this afternoon reported fiscal Q4 revenue and profit that topped Wall Street’s expectations, and an outlook that was higher for this quarter and for the full year as well, and announced it intends to increase its revenue by “double digits” each year, over the next three to five years, and to generate $3 per share in non-GAAP earnings annually.

    The company also declared a new share repurchase authorization of $1.5 billion, adding to an existing $274 million repurchase ability. The new authorization has no expiration date.

    The report and outlook sent NortonLifeLock shares up 4% in late trading.

    The long-term outlook was the centerpiece of NortonLifeLock’s first investor day meeting since it was separated from Symantec, the enterprise security business that was purchased by Broadcom in late 2019.

    CEO Vincent Pilette said the company is “sharing our long-term strategy and commitments to accelerate growth to realize our vision to protect and empower consumers to live their digital lives safely.”

    Added Pilette, “Our future is bright, and we’re excited about the endless opportunities ahead.”

    CFO Natalie Derse remarked that the company is “positioned to take it to the next level, and we are confident in our ability to continue to drive accelerating growth and achieve our long-term targets.

    “We have a healthy business model and strong financial discipline. We intend to leverage all capabilities and resources in our relentless pursuit of our long-term commitments.”

    For the “long-term objectives 3-5 years,” the company said it sees the following:

      • Revenue growth of double-digits
      • EPS of approximately $3
      • Annual free cash flow of approximately $1 billion to grow in-line with business
      • Return 100% of free cash flow to shareholders, excluding acquisitions

    For the quarter just ended, revenue in the three months ended April 2nd rose 9.4%, year over year, to $672 million, yielding a net profit of 40 cents a share.

    Analysts had been modeling $659 million and 38 cents per share.

    For the current quarter, the company sees revenue of $680 million to $690 million, and EPS in a range of 40 cents to 42 cents. That compares to consensus for $657 million and a 39-cent profit per share.

    The company set a target for the current fiscal year, ending next April, of 8% to 10% growth. EPS is expected in a range of $1.65 to $1.75. That compares to consensus for 5.5% growth, and EPS of $1.63.

  • in

    Ransomware: Survive by outrunning the guy next to you

    “There are two people in a wood, and they run into a bear. The first person gets down on his knees to pray; the second person starts lacing up his boots. The first person asks the second person, “My dear friend, what are you doing? You can’t outrun a bear.” To which the second person responds, “I don’t have to. I only have to outrun you.” – The Imitation Game 

    A ransomware attack hit a major US pipeline this weekend, leading to a shutdown in operations for the past three days. Colonial Pipeline will remain shut down for an unknown amount of time, as the organization is ‘developing a system restart plan’ in real time. Critical infrastructure and pieces of the supply chain (which were already fragile due to the pandemic) continue to be taken down by ransomware attacks, either advertently or inadvertently. This has a number of downstream effects on the supply chain, which cause recovery times to grow even longer as the many companies that these suppliers rely on also attempt to recover.

    Ransomware is ultimately about business disruption

    This attack comes on the heels of a crippling year of ransomware attacks across the globe, especially those targeting healthcare organizations. The name of the game: business disruption. Critical infrastructure providers are being targeted by ransomware actors because, when hit with ransomware, they need to choose between indefinite suspension of critical business processes or paying the ransom. Shutting down a crucial resource for an indeterminate amount of time is simply not a sustainable option for a business, and it backs affected providers into a corner where their only option is to pay up.

    Federal Policy Is Finally On The Table

    The pipeline operated by Colonial Pipeline delivers around 45% of the fuel consumed on the east coast, making it a massive supplier for the United States. This has elevated the attack to a potential national security threat, with the US government issuing a state of emergency for the length of the shutdown. This demonstrates the continued blurred lines between the public and private sector when it comes to the impact of a cyberattack on nation states. The Biden administration has made securing federal cybersecurity defenses a top priority and planned on passing legislation even before this attack occurred. As these attacks become more frequent, there’s some level of expectation that eventually this legislation could bleed into the private sector, especially critical sectors such as finance, pharmaceutical, energy and more that could be required to have a certain level of information security maturity (like the United States Department of Defense’s Cyber Maturity Model Certification, CMMC, which is required for any contractors they currently utilize).

    What can you do about it right now?

    As the quote above and the title of this blog suggest, cybercriminals follow Occam’s razor; they are looking for the easiest way to make money. Even the attackers in this specific incident stated publicly, “our goal is to make money”. So what do security pros need to do right now to lower their risk in the face of future ransomware attacks? Outrun the guy next to you.

    Speaking to Chris Krebs’ valuable advice from this morning, security pros at every organization should implement these quick wins right now to limit the impact of a ransomware attack: 

      • Enforce strong passwords. No password12345 has any business being in your organization. Build a password policy that enforces strong passwords by default.

      • Check your backups. Make sure you have working backups of data that your organization could not live without. Test whether your backups include what you care about and test whether they restore successfully. Backups are your last line of defense and are critical.

      • Implement Multifactor Authentication (MFA) that’s easy to use and is ubiquitous. This should front the entry points into your infrastructure whether that’s a combination of your identity provider (Azure AD, ADFS, Okta, Ping, etc) and your VPN (Pulse Secure, Cisco AnyConnect, etc). MFA avoids the issue of stolen logins/credentials being easily used to siphon data and infect your organization.

      • Secure privileged accounts immediately. In most of these attacks, we continue to see that domain administrator accounts or other types of privileged accounts are on almost every endpoint or have permission to critical applications, giving the attackers an easy way to move laterally. Take inventory of those types of accounts and remove them where possible. Only give employees local administrative rights when necessary; it should never be by default.

      • Update and test your incident response plan. Your response plan needs to cover what happens when you inevitably get infected with ransomware, and it needs to include both your technology and business departments. It also needs to include who you will contact for help when you’re inevitably hit, which could be your MSSP or another incident response organization that you have on retainer.

      • Ensure that your endpoint protection and security policies on your endpoints are up to date, enforced, and the protection is turned on and working. Often we see organizations that have things like real-time protection disabled, the last time they updated their antivirus definitions was weeks ago, or they have cloud protection turned on, but it doesn’t work because it can’t get out to the internet. Talk to your endpoint protection vendor and ask them about the appropriate health checks to make sure these products are installed, turned on, and working as expected.

      • Make sure that your devices are being patched regularly. Prioritize critical assets like externally facing devices such as VPN concentrators or servers sitting on a DMZ. Ultimately, your organization should be reducing the time that it takes to patch software and operating systems, as monthly patch cycles don’t address how quickly attackers are moving and the remote nature of work.

      • Block uncommon attachment types at your email gateways. Your employees shouldn’t be receiving attachments ending in .exe, .scr, .ps1, .vbs, etc. Microsoft actually blocks a number of these by default in Outlook, but you should take a look at your email security solution and ensure they’re only allowed by exception.

    Longer term, we know that the way we’ve been doing things isn’t working. Focus on moving from a perimeter-based security architecture to one based on Zero Trust to effectively limit lateral movement and contain the blast radius of a multitude of types of attacks (phishing, malware, supply chain, etc.).

    This post was written by Analysts Allie Mellen and Steve Turner, and it originally appeared here.

  • in

    Ransomware attack on healthcare admin company CaptureRx exposes multiple providers across United States

    Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services.

    At least three healthcare-related institutions, including UPMC Cole and UPMC Wellsboro in Pennsylvania, Lourdes Hospital and Faxton St. Luke’s Healthcare in New York, Gifford Health Care in Randolph, Vermont and a number of Thrifty Drug Stores, have reportedly had the health information of customers or patients exposed and stolen in the breach.

    The HIPAA Journal reported that at least 17,655 patients at Faxton St. Luke’s Healthcare, 6,777 patients at Gifford Health Care, and 7,400 at UPMC Cole and UPMC Wellsboro had their information accessed by the cyberattackers, but it is still unclear how many total patients were exposed and how many CaptureRx customers were affected.

    In a statement, CaptureRx said its team began investigating its systems after someone noticed “unusual activity involving certain of its electronic files” on February 6. By February 19, the company confirmed that patient files, including names, dates of birth, prescription information and medical record numbers, were accessed and stolen.

    From March 30 to April 7, the company began notifying all of the healthcare providers that had been breached and worked with the companies to contact everyone whose information had been stolen. The company statement urges those affected to monitor their accounts for any unexpected activity.

    Justin Fier, director of strategic threat and analysis at cybersecurity company Darktrace, said the healthcare sector will remain a prime target for ransomware attacks not only because of the vast amount of personal, and often sensitive, medical data available, but also because healthcare systems simply cannot afford downtime, meaning organizations like CaptureRx are more likely to pay a ransom.

    Fier added that the emergence of open-source tools and ransomware-as-a-service providers available on the dark web are spurring the increasing frequency of attacks in 2021, noting the recent attack on Swedish radiology software provider Elekta, which affected over 42 U.S. healthcare sites while also preventing cancer patients from receiving necessary radiation treatment.

    Many cybersecurity experts noted that healthcare organizations are particularly ripe targets for ransomware gangs because they carry troves of patient data that can be sold on the dark web or effectively sold back to healthcare organizations for ransom. Healthcare organizations also carry data that cannot be changed, like SSNs and other personal information. 

    Flashpoint senior director of intelligence Ian Gray explained that some of the publicly reported high-profile attacks from the past year indicate that larger providers with thousands of downstream providers may have a higher willingness to pay to decrypt the data, or prevent it from being leaked on a ransomware site.

    Any breaches of personal health care information violate parts of HIPAA and generally trigger investigations by the U.S. Government’s Office of Civil Rights, according to Garret Grajek, CEO of YouAttest. Grajek added that in 2020, both Athens Orthopedic and Lifespan Health System were fined $1.5 million and $1.04 million respectively following breaches.

    Ransomware became such a problem for healthcare organizations in 2020 that the Center for Internet Security began offering a no-cost ransomware protection service for private hospitals in the U.S. that may not be able to afford a robust cybersecurity service.

    Saumitra Das, CTO at cybersecurity firm Blue Hexagon, said the CaptureRx attack highlights the impact of the software supply chain.

    “Not only can you be breached due to a software you installed with high privilege internally (e.g. Solarwinds) but you can also be breached due to your partners who handle your data being breached,” Das said. “Organizations need to look very closely at all their partners who have access to their important data, verify their security practices, and work with the least privilege when possible.”

  • in

    DarkSide explained: the ransomware group responsible for Colonial Pipeline cyberattack

    When speaking to a cybersecurity expert concerning the Microsoft Exchange Server vulnerabilities several months ago and its impact on thousands of organizations worldwide, they asked, “What could possibly be worse this year?”

    Perhaps the situation the United States finds itself in now, with a major pipeline down due to ransomware, comes close.

    Colonial Pipeline, which supplies 45% of the East Coast’s fuel, revealed a ransomware outbreak on the company’s systems which forced the suspension of operations and some IT systems on Friday, as previously reported by ZDNet.

    The attack took place on May 7, and at the time of writing, supply is yet to resume.

    Data breaches and security incidents taking place at enterprise organizations are commonplace and hardly a week goes by when we don’t hear of yet another cyberattack on a well-known company, but when core, critical utilities and country infrastructure is involved, things take an even more serious turn.

    Colonial Pipeline says that a system restart plan is being “developed” and some small lateral lines are back in service. However, it may be days before full functions are restored, and in the meantime, gasoline futures are rising and there is concern that some parts of the US may experience fuel shortages.

    Gasoline futures jumped to their highest level in three years due to the cyberattack.

    The USDOT Federal Motor Carrier Safety Administration (FMCSA) agency has issued a Regional Emergency Declaration to try and push back against the supply disruption through temporary exemptions for fuel transport on the road and the permissible hours that drivers are allowed to work for.

    The FBI said on May 10 that the agency is working with Colonial to investigate the incident.

    But who is responsible? According to the FBI, the DarkSide ransomware group.

    “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks,” the law enforcement agency says. “We continue to work with the company and our government partners on the investigation.”

    DarkSide is a group believed to have been active since the summer of 2020. DarkSide’s malware is offered under a Ransomware-as-a-Service (RaaS) model, and once a system has been breached, ransomware payment demands can range from $200,000 to $2,000,000.

    The group has previously been connected to “big game” hunting methods, in which large organizations are targeted, which would fit with the Colonial Pipeline incident.

    Other cybercriminal organizations follow the same path, including Hades ransomware operators, which appear to specifically target companies with annual revenue of at least $1 billion.

    DarkSide 2.0, the latest version of the ransomware, was recently released under an affiliates program.

    DarkSide also employs double-extortion tactics, joining the likes of Maze, Babuk, and Clop, among others, to pressure victims into paying up. At the time of a cyberattack, confidential information may be stolen and threats made to publish this data on a leak site if the victim refuses to give into blackmail.

    The leak site operated by DarkSide has gone so far as to create a press corner for journalists and ‘recovery’ firms to reach them directly.

    On the leak site, the ransomware group claims to have a code of conduct that prevents attacks against funeral services, hospitals, palliative care, nursing homes, and some companies involved in the distribution of the COVID-19 vaccine.

    DarkSide also seems to have gone to some lengths to portray themselves as a kind of Robin Hood. As noted by Cybereason, the group claims that part of ransomware payments go to charity.

    “Some of the money the companies have paid will go to charity,” DarkSide said in a forum post. “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.”

    According to the researchers, however, this attempt to seem like the good guys has fallen flat, with $20,000 in stolen Bitcoin (BTC) donations rejected by charities due to their criminal sources.

    In direct contrast to the charity-giving group image, however, the cyberattack on Colonial Pipeline has caused intense disruption economically and socially, and this appears to be a situation the ransomware operators want to distance themselves from.

    “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” DarkSide said in a statement dated May 10. “Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

    And yet, the extortion continues, with countdowns on the leak site showing the next batch of dumped, stolen files belonging to other organizations due for release in a matter of hours, at the time of writing.

    It should also be noted that when victim companies refuse to pay, DarkSide is willing to share insider information ahead of the publication of stolen data.

    “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares,” the group says. “Write to us in “Contact Us” and we will provide you with detailed information.”

    While cybercriminals like DarkSide profit, companies like Colonial Pipeline become collateral damage, and this organization is unlikely to be the final victim on the list.

    On May 10, Colonial Pipeline said the firm must take a “phased approach” in restoring supply and it is hoped that operations can fully resume by the end of the week.

    “While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The company will provide updates as restoration efforts progress.”

  • in

    Colonial Pipeline aims to restore operations by end of the week after cyberattack

    Colonial Pipeline said Monday its goal is to substantially restore operational service “by the end of the week” following last week’s ransomware attack, which forced the company to shut down operations and has the potential to hamper fuel distribution for the Eastern US.

    In a statement, Colonial Pipeline said:

    “Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time. In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems. To restore service, we must work to ensure that each of these systems can be brought back online safely.

    “While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The Company will provide updates as restoration efforts progress.”

    Colonial Pipeline is responsible for supplying 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military.

    The FBI confirmed Monday that the Russia-based hacker group DarkSide was behind the attack on Colonial Pipeline. The group runs a ransomware-as-a-service business and sells cybercrime tools to other malicious groups. DarkSide is known for encrypting data for ransom and also for stealing data and using the threat of its exposure as leverage for ransom payouts. In a press briefing, US President Joe Biden said there is no evidence currently that the Russian government was involved in the attack, though the threat actor’s ransomware clearly originates from the country.

    On Monday, DarkSide posted a statement to its website that addresses the attack and the Colonial Pipeline shutdown.

    “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”