More stories


    Trump decrees American cloud providers need to maintain records on foreign clients

    Trump signs an executive order earlier in his presidency.
    On his way out the door, outgoing and twice-impeached United States President Donald Trump has signed an executive order mandating that American cloud companies need to maintain records on foreign clients to help US authorities track down people committing cyber crimes.
    Among the information to be retained, American cloud providers are expected to keep names, physical and email addresses, national identification numbers, means and sources of payment which could be credit card or bank account details, phone numbers, and IP addresses used to access services each time services are accessed.
    “Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities,” Trump wrote in a letter to House Speaker Nancy Pelosi and Vice President Mike Pence in his role as President of the Senate.
    “Foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection.”
    Although the executive order and letter use the infrastructure as a service (IaaS) term, the order explains the definition also includes other cloud services.
    “The term [IaaS] means any product or service offered to a consumer, including complimentary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications,” it states.
    “The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of ‘managed’ products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and ‘unmanaged’ products or services, in which the provider is only responsible for ensuring that the product is available to the consumer.

    “The term is also inclusive of ‘virtualized’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (eg, ‘virtual private servers’), and ‘dedicated’ products or services in which the total computing resources of a physical machine are provided to a single person (eg, ‘bare-metal’ servers).”
    The order gives the Secretary of Commerce the ability to restrict access to US cloud services if a country is deemed to have “any significant number of foreign persons offering United States IaaS products that are used for malicious cyber-enabled activities” or limit the access of certain foreigners. This section and the record-keeping obligations will kick in after 180 days.
    In 120 days, the US government will need to consult on how to increase information sharing among cloud providers themselves, as well as with the government, to “deter the abuse of US IaaS products”. After 240 days, a report and recommendations will be presented to the President.
    Earlier on Tuesday, US Secretary of State Mike Pompeo tweeted that China has been engaged in genocide and crimes against humanity against its Uyghur population and other minorities.
    “These acts are an affront to the Chinese people and to civilized nations everywhere. The People’s Republic of China and the CCP must be held to account,” he said.
    On a very active day of posting on Twitter for Pompeo, only three hours earlier, the outgoing Secretary of State decried the idea of multiculturalism.
    “Woke-ism, multiculturalism, all the -isms — they’re not who America is. They distort our glorious founding and what this country is all about. Our enemies stoke these divisions because they know they make us weaker,” he posted.
    Without a sense of irony over the US Capitol riots, Pompeo said visa restrictions were being introduced for those that were “involved in election interference in Tanzania”.
    “There are consequences for interfering in the democratic process,” he said.
    The issue of Uyghur forced labour in the tech industry has been slowly bubbling away for some time.
    At the time of writing, just under 13 hours were left until Trump and Pompeo leave office, to be replaced by the Biden administration.


    OAIC wants stronger enforcement powers in Australia's revamped Privacy Act

    The Office of the Australian Information Commissioner (OAIC) has asked for amendments to be made to the Privacy Act 1988 that would update its regulatory powers and remove exemptions such as for political parties.
    In a 150-page submission [PDF] to the Attorney-General’s review of the Act, the OAIC made a handful of recommendations, including enhancing its own ability to regulate, which it said would bring its powers in line with “community expectations”.
    “Through strengthened enforcement powers and new regulator measures, including a direct right of action and statutory tort to provide individuals with greater control of their personal information,” the OAIC wrote.
    It said legislative protections must be reinforced by a strong system of oversight that upholds individuals’ rights and holds entities to account.
    “The privacy regulator needs the correct tools to respond efficiently and appropriately to new threats and regulate in line with community expectations,” the submission explained.
    The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, conciliation, and determination. The OAIC has described this nearly 33-year-old function as outdated.
    “This reflects the context in which the Privacy Act was first introduced. In the digital environment, privacy harms can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, there must be a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action,” it said.

    “While Australia’s current framework provides some enforcement powers, these need to be strengthened and recalibrated to deter non-compliant behaviour and ensure practices are rectified.”
    It also said the regulator needed appropriate resources to proactively identify and address existing and emerging risks before serious, widespread, or societal harm occurs.
    The commissioner has also asked that the emerging updated Act provides for global interoperability to allow data to be protected wherever it flows; privacy self-management, so individuals have choice and control; organisational accountability, such as implementing sufficient obligations on entities; and a contemporary approach to regulation, which would entail having the right tools to regulate.
    “Strong data protection and privacy rights are both necessary to uphold our human right to dignity in the digital age, and a precondition for consumer confidence and economic growth,” the OAIC wrote.
    “They are also critical to achieving other societal objectives such as the protection of health, safety, and security.”
    Further recommendations made by the OAIC are aimed at addressing “declining levels of trust” and responding to the community’s desire for “more to be done to protect their privacy”. The OAIC said the Privacy Act must be supplemented with protections that create legal obligations aimed at achieving greater fairness and organisational accountability to address privacy risks and harms.
    Flexibility and scalability of the existing principles-based approach should remain, the OAIC said, supported by enhanced abilities for the commissioner to make legally binding instruments.
    It also asked for the implementation of stricter guidelines for privacy self-management tools in order to allow individuals to better understand how their information is handled and used. In addition, it wants requirements for regulated entities that ensure all collections, uses, or disclosures of personal information are fair and reasonable, and appropriate safeguards are maintained.
    Additional organisational accountability measures were also requested by the OAIC, with the commissioner saying this would ensure entities have implemented actions and controls that demonstrate their compliance with the privacy regulatory framework.
    Protections provided currently within the Privacy Act include exemptions in relation to small businesses, employee records, registered political parties and political acts and practices, and journalism.
    The OAIC considers it no longer justifiable to exempt major parts of the economy from the operation of the Act.
    “The OAIC therefore recommends removing the current exemptions in the Privacy Act … it is appropriate to consider more comprehensive privacy protections for all Australians … regardless of the type of entity that holds their information or particular purpose for which it is held,” it said.
    Privacy and information commissioners from New South Wales, Queensland, and Victoria also provided submissions to the Attorney-General’s review, sharing the view that political exemptions must be removed, or at least reconsidered.
    “It is the [Queensland Office of the Information Commissioner’s] view that the small business exemption, employee records exemption, and political parties exemption is becoming harder to justify and their relevance questioned in an increasingly digital world,” the Queensland commissioner wrote in its submission [PDF].
    “Continuing the exemption creates the potential for increased cybersecurity risks as the small business may be the weakest links in the supply chain to attack larger more valuable information and data assets.
    “In the interests of promoting public confidence in the political process, those who exercise or seek power in government should adhere to the principles and practices that are required of the wider community.”
    Likewise, the Office of the Victorian Information Commissioner said [PDF] removing such protections would bring the Privacy Act more in line with community expectations, by “ensuring that individuals’ privacy is better protected in circumstances where there is currently little to no privacy protection”.
    The NSW commissioner, meanwhile, said [PDF] they support consideration of whether these exemptions should be removed or narrowed in scope.
    NSW to implement its own mandatory data breach reporting scheme
    The Information and Privacy Commission New South Wales has provided an update on plans to implement a mandatory data breach reporting mechanism that it says will complement the existing Commonwealth mandate.  
    Australia’s Notifiable Data Breaches (NDB) scheme came into effect in February 2018, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.
    Although it has coverage Australia-wide, the NSW commission said the NDB scheme is aimed primarily at federal government agencies and private sector organisations regulated by the Privacy Act. There are provisions that apply to NSW agencies, however.
    “The Information and Privacy Commission has published guidance for NSW agencies to assist them in complying with their obligations to report data breaches, including under the NDB scheme,” it said in its submission. 
    The Information and Privacy Commission currently operates a voluntary data breach notification scheme in parallel to the NDB.
    “As a matter of best practice, NSW agencies are encouraged to voluntarily report data breaches to the Privacy Commissioner, and to affected individuals as appropriate,” it said.
    “Building on these voluntary processes, I support the introduction of a mandatory data breach notification scheme in NSW.”
    A draft model for a mandatory reporting scheme in NSW has been developed by a working group that comprises NSW agencies including the Department of Communities and Justice, the Department of Customer Service, the NSW Ministry of Health, and the Information and Privacy Commission.
    “Any mandatory data breach notification scheme introduced in NSW would be designed to complement the existing Commonwealth Notifiable Data Breach (NDB) Scheme under the Privacy Act, particularly in areas of jurisdictional overlap,” the commission added.
    In 2019-20, the commission received 41 voluntary breach notifications.
    State government was accountable for 28, local government for 10, and public universities for three.


    Awareness isn’t enough — it’s time for security leaders to change behaviors

    As 2021 gets underway, there has been significant elevation not only in the influence and importance of cybersecurity, but also in the human element of security. For example, human error is now recognized as a key contributor to the overall risk profile of an organization.  

    Unfortunately, as an industry, we’re still struggling to manage this risk.  
    For years now, CISOs have done a remarkable job of training users to understand security risks by purchasing solutions with extensive content libraries, administrative features, and assessments measuring all manner of user failures. But this focus on creating awareness falls short of changing long-lasting behavior. And CISOs know they need to shift focus to humans on the receiving end of these programs. Many are also acutely aware that organizations with strong security cultures have employees who are educated, enabled and enthusiastic about their personal cybersafety and that of their employer.  
    To move beyond perfunctory awareness and training programs to changing behavior and instilling a security culture (the ABC of security), you need to do the following: 

    Build a human-centric security program. Move beyond tactics and create a multiyear, sustainable strategy via a four-step plan that includes: 1) Identifying key stakeholder and threat communities; 2) Defining your behavioral baseline and target state; 3) Creating the initiatives that will influence each stakeholder community; and 4) Measuring and continuously improving the plan. 

    Focus culture efforts up, across, down, and outside your organization. Move away from point-in-time engagement activities by building a strong culture at four distinct levels within the organization, taking a different approach for each constituent. Advocate at the executive level to get security visibility; rationalize investments with business leaders to assure security buy-in; communicate with employees to create a consistently high level of awareness; and extend your reach by building trust with external stakeholders. 

    Design transformative security awareness initiatives. Unless people feel positive about the topic of security, the capabilities of your team and you as a leader, you will struggle to get them to truly buy into the need for security. To do this, your initiatives need to be impactful to resonate with the audience and continuously influence and motivate the audience to behave securely. Consider design principles when creating your transformative security awareness initiatives.  

    Start by improving the culture and influence of your own security team. The biggest obstacle to security leaders’ efforts today is the image of security itself. So transform your own team’s culture, create an environment of psychological safety for your organization, and extend your influence with a network of security champions. Above all, hire people with good human-centric skills. They are what’s desperately missing not only in your organization but in our profession. 

    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
    This post was written by Principal Analyst Jinan Budge, and it originally appeared here.


    Malwarebytes said it was hacked by the same group who breached SolarWinds

    US cyber-security firm Malwarebytes today said it was hacked by the same group which breached IT software company SolarWinds last year.

    Malwarebytes said its intrusion is not related to the SolarWinds supply chain incident since the company doesn’t use any of SolarWinds software in its internal network.
    Instead, the security firm said the hackers breached its internal systems by exploiting an Azure Active Directory weakness and abusing malicious Office 365 applications.
    Malwarebytes said it learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15.
    At the time, Microsoft was auditing its Office 365 and Azure infrastructures for signs of malicious apps created by the SolarWinds hackers, also known in cyber-security circles as UNC2452 or Dark Halo.
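    The audit Microsoft is described as running, looking for malicious or hijacked Office 365 applications, is the kind of check any tenant owner can do over their own app inventory. The following is an added example written for this page; it is not code from Malwarebytes, Microsoft, or the article. It triages a list of service principals for two signals tied to the abuse described above: app-only mailbox permissions, and a fresh credential added to a long-standing, already-consented app. The permission names on the watch-list are real Microsoft Graph and Exchange Online application permissions; the input record shape (`appRoles`, `credentials`, `publisherVerified`) and the three sample records are constructed for the example and are assumptions, not a Graph API schema.

```javascript
// Added example (not Malwarebytes' or Microsoft's code). Triage a constructed
// service-principal inventory for app-only mailbox access and for credentials
// recently added to an old app. Record shape and sample data are assumptions.

// Application (app-only) permissions that grant mailbox access without a signed-in user.
// These are real Graph / Exchange Online permission names used here as a watch-list.
const MAIL_APP_ROLES = new Set([
  "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.Read", "full_access_as_app",
]);

const CREDENTIAL_WINDOW_DAYS = 30;   // "recently added" threshold (assumption)
const OLD_APP_DAYS = 180;            // "long-standing app" threshold (assumption)

function daysBetween(a, b) {
  return Math.abs(new Date(a) - new Date(b)) / 86400000;
}

/**
 * Score one service principal. Returns null when nothing is noteworthy,
 * otherwise { appId, name, reasons[] } listing every signal that fired.
 * `now` defaults to the notification date quoted in the article.
 */
function triageServicePrincipal(sp, now = "2020-12-15T00:00:00Z") {
  const reasons = [];
  const mailRoles = (sp.appRoles || []).filter(r => MAIL_APP_ROLES.has(r));
  if (mailRoles.length) {
    reasons.push(`app-only mailbox permission: ${mailRoles.join(", ")}`);
  }
  // A secret or certificate added recently to an app that has existed for months is the
  // classic sign of an attacker borrowing an existing, already-consented application.
  const recent = (sp.credentials || []).filter(c => daysBetween(c.added, now) <= CREDENTIAL_WINDOW_DAYS);
  if (recent.length && daysBetween(sp.created, now) > OLD_APP_DAYS) {
    reasons.push(`${recent.length} credential(s) added in last ${CREDENTIAL_WINDOW_DAYS} days to app created ${sp.created}`);
  }
  if (sp.publisherVerified === false && mailRoles.length) {
    reasons.push("unverified publisher");
  }
  return reasons.length ? { appId: sp.appId, name: sp.displayName, reasons } : null;
}

/** Run the triage over a whole inventory; returns only the flagged principals. */
function triageTenant(servicePrincipals, now) {
  return servicePrincipals.map(sp => triageServicePrincipal(sp, now)).filter(Boolean);
}

// Constructed sample inventory: one hijacked-looking old app, one benign app,
// one brand-new unverified app with full mailbox access.
const SAMPLE_SPS = [
  { appId: "11111111-1111-1111-1111-111111111111", displayName: "Backup Connector",
    created: "2019-03-01", publisherVerified: true, appRoles: ["Mail.Read"],
    credentials: [{ type: "certificate", added: "2020-12-10" }] },
  { appId: "22222222-2222-2222-2222-222222222222", displayName: "HR Portal",
    created: "2018-06-12", publisherVerified: true, appRoles: ["User.Read.All"],
    credentials: [{ type: "secret", added: "2018-06-12" }] },
  { appId: "33333333-3333-3333-3333-333333333333", displayName: "Mail Sync Helper",
    created: "2020-12-01", publisherVerified: false, appRoles: ["full_access_as_app"],
    credentials: [{ type: "secret", added: "2020-12-01" }] },
];

for (const finding of triageTenant(SAMPLE_SPS)) {
  console.log(`${finding.name} (${finding.appId}): ${finding.reasons.join("; ")}`);
}
```

The two thresholds are starting points, not tuned values; in a real tenant the useful next step is to join each flagged app to its sign-in and audit-log activity and confirm who added the credential and why.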
    Malwarebytes said that once it learned of the breach, it began an internal investigation to determine what hackers accessed.

    “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails,” Marcin Kleczynski, Malwarebytes co-founder and current CEO, said today.
    Malwarebytes products are not affected
    Since the same threat actor breached SolarWinds and then poisoned the company’s software by inserting the Sunburst malware into some updates for the SolarWinds Orion app, Kleczynski said Malwarebytes also performed a very thorough audit of all its products and their source code, searching for any signs of a similar compromise or past supply chain attack.
    “Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments.
    “Our software remains safe to use,” Kleczynski added.
    After today’s disclosure, Malwarebytes becomes the fourth major security vendor targeted by the UNC2452/Dark Halo threat actor, which US officials have linked to a Russian government cyber-espionage operation.
    Previously targeted companies include FireEye, Microsoft, and CrowdStrike.



    'Anti-Facebook' MeWe social network adds 2.5 million new members in one week

    There has been a growing movement away from social media giants such as Facebook and Twitter recently.
    Users are getting fed up with relentless privacy violations, surveillance capitalism, political bias, targeting, and newsfeed manipulation by these companies.
    And other social media platforms are benefitting from this tidal wave. Los Angeles-based social media network MeWe, touted to be the ad-free future of social networking, is currently the No. 1 downloaded social app in the Google Play Store, and the No. 3 downloaded app out of all apps in the store.
    The privacy-first “anti-Facebook” platform added 2.5 million new members in the last week.
    Since launching in 2016, it surged to nine million users in October 2020, doubling its membership during each of the last three years.
    The platform is currently sitting at 15.5 million members — 50% of whom are outside of North America.
    MeWe is now translated into 20 languages and is currently the No. 1 social app in Hong Kong.

    The company says that its membership spikes frequently, as people worldwide seek a social network that respects them as customers to be delighted, not as “data to share, target, or sell”.
    MeWe claims to be the new mainstream social network with the features people love and no ads, no targeting, and no newsfeed manipulation.
    MeWe is the most downloaded social app and No. 3 in the list of most downloaded apps as of Jan. 15, 2021.
    It was knocked off the top slot by WhatsApp alternatives Signal and Telegram, which are benefitting from the brouhaha over WhatsApp’s data privacy changes.
    Users are becoming disillusioned by the data gathering from platforms such as Facebook. MeWe gives users total control over their data along with privacy: no ads, no targeting, no facial recognition, no data mining, and no newsfeed manipulation.
    The main feed can become a little overwhelming at times, but you quickly learn to focus on the information you want to see.
    I think that the platform will continue to grow as more and more users come to enjoy the freedom of the feed, and the ad-free look and feel.
    MeWe Premium subscriptions will also enjoy steady growth across 2021 and its business pages ($1.99 per month) will be able to compete effectively in a decidedly un-crowded marketplace.
    MeWe’s challenge will certainly be keeping up with the hardware needed to scale the platform to cope with this explosion of growth.
    Hopefully, its investors have planned for this, and there is plenty of headroom to cope with the tidal flow of new users adopting the platform.
    Newer platform users might not remember the Twitter fail whale web page, which appeared as the platform struggled to scale (usually at 8 am PT, as users logged on to find out what had happened overnight).
    MeWe will have to ensure that it smoothly incorporates the scalable infrastructure as its membership continues to grow.
    Long may it continue, MeWe. I love what I’m seeing so far. An ad-free social media platform, with an option to pay for extra features, will surely come to dominate the ad-riddled freemium model we have come to hate.



    Google Chrome 88 released with no Flash support, bringing an end to an era

    Google has released Chrome 88 today, permanently removing support for Adobe Flash Player and bringing an end to an internet era.

    Flash reached its official end of life (EoL) on December 31, 2020, when Adobe officially stopped supporting the software. On January 12, Adobe also began blocking content from playing inside Flash, as part of its final nail in the coffin.
    Google is not alone in its move to remove Flash. The decision was made together with Adobe and other browser makers such as Apple, Mozilla, and Microsoft, in 2017. Apple and Mozilla have also stopped supporting Flash, and Microsoft is scheduled to end support later this month.
    Currently, according to web technology survey site W3Techs, only 2.2% of today’s websites use Flash code, a number that has plummeted from a 28.5% figure recorded at the start of 2011.
    Speaking at a conference in February 2018, Parisa Tabriz, Director of Engineering at Google, said the percentage of daily Chrome users who had loaded at least one page containing Flash content per day went down from around 80% in 2014 to under 8% in early 2018, a number that has most likely continued to plummet since.
    FTP support is also gone
    But today’s Chrome 88 release also comes with other features, deprecations, bug fixes, and security patches. One of the most important changes is the removal of support for accessing FTP links (ftp://) inside Chrome, a process that started back in Chrome 86:
    Chrome 86 – FTP is still enabled by default for most users but turned off for pre-release channels (Canary and Beta) and will be experimentally turned off for one percent of stable users. In this version, you can re-enable it from the command line using either the --enable-ftp command line flag or the --enable-features=FtpProtocol flag.
    Chrome 87 – FTP support will be disabled by default for fifty percent of users but can be enabled using the flags listed above.
    Chrome 88 – FTP support will be disabled.
    Chrome now blocks mixed, insecure downloads
    In Chrome 88, Google has also finished a plan it began last year. With today’s release, Chrome now blocks certain HTTP file downloads.

    Cases where Chrome will stop downloads include when a user is accessing a web page that starts with HTTPS, but the file is downloaded from a URL starting with HTTP. Chrome deems these cases “mixed” and “insecure” downloads, and starting with Chrome 88 will block them completely for the users’ protection.
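    Site owners who serve downloads can find links that this rule will block before users hit them. The following is an added example written for this page, not Chromium code and not part of the article: it applies the rule described above (initiating page is HTTPS, download target resolves to HTTP) to a constructed list of hrefs, resolving relative and scheme-relative links against the page URL with the standard URL API. The page URL, the hrefs, and the decision to treat only `http:` as insecure for this check are assumptions of the example.

```javascript
// Added example (not Chromium's or the article's code): flag "mixed downloads"
// as Chrome 88 defines them -- an HTTPS page whose download link resolves to
// plain HTTP. Sample page and links below are constructed.

// Schemes treated as insecure for this check (assumption: only http:; ftp: links
// are no longer loaded by Chrome 88 at all, so they are reported separately).
const INSECURE_SCHEMES = new Set(["http:"]);

/**
 * Classify one link found on a page.
 * @param {string} pageUrl absolute URL of the page carrying the link
 * @param {string} href    the link target as written (may be relative)
 * @returns {{href: string, resolved: string|null, mixed: boolean, reason: string}}
 */
function classifyDownloadLink(pageUrl, href) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(href, page); // resolves relative and scheme-relative hrefs
  } catch (e) {
    return { href, resolved: null, mixed: false, reason: "unparseable href" };
  }
  const pageSecure = page.protocol === "https:";
  const targetInsecure = INSECURE_SCHEMES.has(target.protocol);
  // The rule is about a *secure* initiator fetching an *insecure* file;
  // an http: page linking to an http: file is not "mixed".
  if (pageSecure && targetInsecure) {
    return { href, resolved: target.href, mixed: true, reason: "https page, http download" };
  }
  if (target.protocol === "ftp:") {
    return { href, resolved: target.href, mixed: false, reason: "ftp: not loaded by Chrome 88" };
  }
  return { href, resolved: target.href, mixed: false,
           reason: pageSecure ? "secure" : "page itself is not https" };
}

/** Run the check over every href on a page; returns only the links Chrome 88 blocks. */
function findMixedDownloads(pageUrl, hrefs) {
  return hrefs.map(h => classifyDownloadLink(pageUrl, h)).filter(r => r.mixed);
}

// Constructed sample input: an HTTPS download page and its links.
const SAMPLE_PAGE = "https://example.test/downloads/index.html";
const SAMPLE_HREFS = [
  "https://cdn.example.test/tool-1.0.zip",   // fine
  "http://cdn.example.test/tool-1.0.zip",    // mixed: blocked in Chrome 88
  "/files/manual.pdf",                       // relative -> https, fine
  "//legacy.example.test/installer.exe",     // scheme-relative -> https, fine
  "http://mirror.example.test/tool.tar.gz",  // mixed: blocked in Chrome 88
  "ftp://old.example.test/tool.tar.gz",      // not "mixed", but ftp: is gone too
];

for (const r of findMixedDownloads(SAMPLE_PAGE, SAMPLE_HREFS)) {
  console.log(`BLOCKED: ${r.href} -> ${r.resolved}`);
}
```

In practice the hrefs would come from a crawl of the site's own pages; the classification logic is the part worth keeping, and the fix for each hit is to serve the file over HTTPS rather than to loosen the check.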

    Other changes
    On top of this, Chrome 88 has also removed support for the old DTLS 1.0 protocol, used inside Chrome as part of its WebRTC support.
    Furthermore, Chrome 88 will also include an origin trial for detecting idle state. When enabled by the user, the origin trial will allow websites to request the ability to query if users are idle on a browser, allowing messaging apps to direct notifications to the best device.
    For some Chrome 88 users, Google will also test a new user interface for the permission drop-down panel, the UI through which websites request permissions to access various user systems, such as the microphone, file system, and others.
    Users will also be able to search through all open tabs in Chrome 88.
    In addition, Chrome 88 also drops support for OS X 10.10 (OS X Yosemite). Going forward, Chrome on Mac will require OS X 10.11 or later.
    Chrome 88 will also block tab-nabbing attacks, as previously reported here by ZDNet, and the browser will also heavily throttle JavaScript timer operations in background tabs to improve performance and reduce CPU and RAM use.
    Another major change is that Chrome 88 now also officially supports extensions built with Manifest v3 extension rules. Extensions built on this new controversial system can now also be uploaded to the Chrome Web Store.
    And last but not least, single words entered in the URL bar will not be treated as intranet locations by default in enterprise versions of Chrome 88.
    But we only touched on the major Chrome 88 features. Users who’d like to learn more about the other features added or removed in this new Chrome release can check out the following links for more information:
    Chrome security updates are detailed here [not yet live].
    Chromium open-source browser changes are detailed here.
    Chrome developer API deprecations and feature removals are listed here.
    Chrome for Android updates are detailed here [not yet live].
    Chrome for iOS updates are detailed here.
    Changes to Chrome V8 JavaScript engine are available here.
    Changes to Chrome’s DevTools are listed here.


    Brave becomes first browser to add native support for the IPFS protocol

    With the release of Brave 1.19 today, Brave has become the first major browser maker to support IPFS, a peer-to-peer protocol meant for accessing decentralized or censored content.

    Released in 2015, IPFS stands for InterPlanetary File System. It is a classic peer-to-peer protocol similar to BitTorrent and designed to work as a decentralized storage system.
    IPFS allows users to host content distributed across hundreds or thousands of systems, which can be public IPFS gateways or private IPFS nodes. Users who want to access any of this content must enter a URL in the form of ipfs://{content_hash_ID}.
    Under normal circumstances, users would download this content from the nearest nodes or gateways rather than a central server. However, this only works if users have installed an IPFS desktop app or a browser extension.
    Brave says that with version 1.19, users will be able to access URLs that start with ipfs://, directly from the browser, with no extension needed, and that Brave will natively support ipfs:// links going forward.
    Since some major websites like Wikipedia have IPFS versions, users in oppressive countries can now use Brave’s new IPFS support to go around national firewalls and access content that might be blocked inside their country for political reasons and is available via IPFS.

    In addition, Brave also says that its users can also install their own IPFS node with one click with version 1.19 and help contribute to hosting some of the content they download to view.
    A focus on privacy features
    “We’re thrilled to be the first browser to offer a native IPFS integration with today’s Brave desktop browser release,” said Brian Bondy, CTO and co-founder of Brave. “Integrating the IPFS open-source network is a key milestone in making the Web more transparent, decentralized, and resilient.”
    This marks the second decentralized browsing protocol that Brave now supports after integrating the Tor network and the Onion protocol in June 2018 in the form of a feature now known as “Tor Tabs.”
    But Brave also said that work on its IPFS integration is also expected to expand in the coming future. The browser maker plans to support automatic redirects from DNSLink websites to their native IPFS versions, the ability to co-host an IPFS website, the ability to easily publish to IPFS, and more, in future versions.
    Native IPFS support is just the latest in a long line of privacy-focused features that Brave has added to its product. Previous ones include support for a private video chat system, a built-in ad blocker, fingerprinting randomization, minimal telemetry, query parameter filtering, social media blocking, and others.
    Brave, which launched in 2016 to great fanfare, is currently believed to have around 24 million monthly active users, after passing the 20 million mark last November.


    Fake collaboration apps are stealing data as staff struggle with home working security

    There’s been a significant rise in organisations encountering malware attacks on remote devices over the course of the last year as employees have been forced to work from home.
    The ongoing coronavirus pandemic has resulted in more remote working than ever before and both organisations and employees have had to quickly adapt to this new environment and the additional challenges that come with it.
    One of those challenges is cyber criminals attempting to take advantage of remote workers’ insecure PCs as an entry point into corporate networks.
    As a result of this, there’s been a rise in malware attacks targeting remote workers and according to cybersecurity company Wandera’s Cloud Security Report 2021, over half of organisations – 52 percent – experienced a malware incident on a remote device. That’s up from just 37 percent of organisations experiencing malware attacks on remote devices during 2019.
    In many instances, cyber criminals are taking advantage of known vulnerabilities in software to help deliver malware under the radar, as users struggle with software management and patch installation without the direct aid of a corporate IT team.
    Remote workers are tricked into downloading malicious applications from phishing emails which install malware, but they believe they’re installing something which will help their productivity.

    “More often than not, the offending apps were being downloaded and installed by the remote workers themselves,” Michael Covington, VP at Wandera told ZDNet.
    “We saw a fairly large number of apps claiming to offer collaboration functionality, though in reality they were designed to steal private information like messaging content or trick the user into granting access to the camera and microphone, thus enabling a remote attacker to eavesdrop”.
    Worryingly, of those devices compromised by malware, over a third of users continued to access corporate emails while one in ten continued to access cloud services – both potentially providing hackers with much wider access to the network than they’d initially gained by compromising one remote machine.
    Securing remote employees is proving to be a challenge for information security teams, who themselves are now also working remotely, making the job even more difficult.
    However, engaging with remote employees to provide advice on how to work safely and securely can go a long way to keeping them – and the wider organisation – safe from cyber attacks, something which will be better for everyone in the long run.
    “Continuously engaging with workers on the sign-in mechanisms they should use, the incident reporting they should follow, and the applications that are approved for work will help everyone do their part to protect the business and its assets,” said Covington.