    Australia's tangle of electronic surveillance laws needs unravelling

    The legislative framework that governs Australia’s intelligence community is “unnecessarily complex”. It leads to “unclear and confusing laws” for the intelligence officers who have to interpret and follow them.
    So said the final report of the Comprehensive review of the legal framework of the National Intelligence Community in December 2019 — although the government didn’t publish it until a year later, in December 2020.
    Comprehensive indeed: Even the unclassified version runs to more than 1,300 pages.
    That review, conducted by former diplomat, public servant, and one-time ASIO chief Dennis Richardson, recommended that as far as electronic surveillance goes, Australia needs a whole new electronic surveillance Act.
    As Richardson noted, when the core Telecommunications (Interception and Access) Act 1979 (TIA Act) was originally passed, it was just 19 pages long. But by the end of 2019, it had blown out to 411 pages.
    “The TIA Act itself rests on outdated technological assumptions, and has become complex to the point of being opaque. We are not the first review to recommend its reform,” Richardson wrote.
    “Technological change and convergence has resulted in telecommunications interception, covert access to stored communications and computers, and the use of optical and listening devices… becoming functionally equivalent.”

    Currently, though, these activities are subject to “inconsistent limits, controls and safeguards” across the TIA Act, the Surveillance Devices Act 2004, and the Australian Security Intelligence Organisation Act 1979.
    Richardson made dozens of recommendations for how such a new Act should work, and 203 recommendations in total.
    It took an entire year for the government to respond, in part due to the COVID-19 pandemic’s impact on business, but eventually, in its formal response of December 2020, it agreed that such a reform was needed.
    Indeed, the government agreed, or agreed in principle, to the vast majority of Richardson’s unclassified recommendations.
    “The central area for reform is a new electronic surveillance Act, which will be a new landmark in Australia’s national intelligence legislation,” the government wrote.
    “A new electronic surveillance Act will be generational in its impact. This legislation will require careful and detailed consideration, with extensive public consultation, to establish a framework that will support Australia’s intelligence collection and law enforcement agencies in the years to come.”
    Which is all well and good, but it’ll take time. Five years and AU$100 million, according to the Richardson review.
    That’s down to “the complexity of issues at play, the multitude of interested stakeholders at the Commonwealth, state and territory level and the controversy which attaches to what are, arguably, the most intrusive powers of the state”.
    Indeed.
    “A new Electronic Surveillance Act will take two-three years of very detailed work and drafting before being considered by Parliament, after which there will need to be a good two year implementation period to update IT systems, adjust procedures, and retrain staff,” Richardson wrote.
    “It would also be possible for government to continue making ad hoc amendments to address individual challenges, as they arise. But kicking the can down the road will only make the reform exercise that much bigger and more complex when the time comes, as it surely will.”
    At the start of 2021 it’s still all about ad hoc laws
    Despite knowing about Richardson’s recommendations for a year, the government is still faffing about with a fat sack of ad hoc laws, most of which continue to be controversial.
    Chief among them is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, usually referred to as the TOLA Act or the AA Act.
    The TOLA Act introduced that complicated regime with clumsy and confusing definitions through which intelligence and law enforcement agencies gained the ability to request or demand assistance from communications providers — all very broadly defined — to access encrypted communications.
    A year later, the Labor opposition introduced its Telecommunications Amendment (Repairing Assistance and Access) Bill 2019, which goes part of the way to tidying up the mess, but in the view of your correspondent not far enough.
    That Bill has yet to go anywhere, mostly because the Parliamentary Joint Committee on Intelligence and Security (PJCIS) was scheduled to conduct a review anyway.
    PJCIS asked Australia’s then-Independent National Security Legislation Monitor (INSLM) Dr James Renwick to take a look.
    His recommendations, made in a 316-page report [PDF], included setting up an independent body to oversee the approval of TOLA Act activities rather than agencies approving them themselves without judicial oversight.
    PJCIS was supposed to complete its review by September 30, 2020, but there’s been no sign of it yet.
    PJCIS is well behind schedule on most of its other work too.
    The committee’s review of Australia’s mandatory telecommunications data retention regime was due to report by 13 April 2020 but that report didn’t appear until October 28.
    One of its recommendations was that the Department of Home Affairs “prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies”. Because currently there aren’t any.
    The recommended timeframe was a leisurely 18 months.
    PJCIS is also reviewing the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, which is all about exchanging telecommunications data with other countries.
    There’s no sign of that report either, and no deadline has been given.
    There’s yet another PJCIS review into the Telecommunications Sector Security Reforms (TSSR), which were all about “a regulatory framework to manage the national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities”.
    Submissions to that review closed on 27 November 2020. No public hearings have been held yet, and once more there’s no deadline for the committee to report.
    The Communications Alliance is worried about the potential for confusion because telcos’ requirements under TSSR overlap with those in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 which was introduced in December 2020.
    There is, of course, another PJCIS review to deal with that, with submissions closing February 12 and a reporting deadline of April 11.
    Finally, there’s the brand new Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 introduced in — you guessed it — December 2020.
    This new law would hand a trio of new computer warrants to the Australian Federal Police and the Australian Criminal Intelligence Commission: A data disruption warrant, a network activity warrant, and an account takeover warrant.
    There’s a PJCIS review into that Bill too, with submissions closing February 12, but again no deadline for the committee to report.
    Then there’s the Identity-matching Services Bill 2019, which was all about sharing biometrics between federal and state agencies, which was so bad that PJCIS recommended a complete redraft. We’ve yet to see any progress on that.
    A mess of the government’s own making
    In hindsight it’s easy to see why Australia’s intelligence legislation is in such a mess: For nearly 20 years now, politicians on both sides have rushed through a series of ad hoc laws without proper oversight.
    From the time of the terrorist attacks in the US on 11 September 2001, through to 1 August 2019, “Parliament passed more than 124 Acts amending the legislative framework for the NIC, making more than 14,500 individual amendments i.e. inclusive of the minor and technical,” Richardson wrote.
    That’s more than one new Act every eight weeks and it’s fair to say that politics has often trumped good governance.
    In December 2018, for example, despite all its bold speeches against the proposed TOLA Act, Labor caved in and passed it anyway.
    “Let’s just make Australians safer over Christmas,” then-Labor leader Bill Shorten said.
    “It’s all about putting people first.”
    It was a decision for which they were subsequently roasted, and rightly so.
    Laws, like puppies, aren’t just for Christmas.
    Ten years ago, when Labor was in government, the controversial Cybercrime Legislation Amendment Bill 2011, which was meant to bring Australia into line with the Council of Europe Convention on Cybercrime, was found to be seriously flawed by the Joint Select Committee on Cyber-Safety.
    The House of Representatives ignored nearly all of those recommendations. Instead, MPs rushed to correct a fatal flaw that would have seen the new law fail to achieve its stated purpose.
    The current backlog of surveillance legislation, somehow simultaneously both rushed and delayed, seems unlikely to break from this pattern.
    The Minister for Home Affairs, Peter Dutton, and his sprawling department seem either disinclined to, or incapable of, organising themselves in a way that provides both thoughtfully drafted legislation in a timely manner, and meaningful timeframes for public consultation.
    Cutting judges out of the warrant process? Really?
    Also concerning is Richardson’s recommendation to not strengthen judicial oversight of intelligence activities, but to lessen it.
    “Recommendation 30: Ministers should continue to authorise ASIO and Intelligence Services Act agency activities. These authorisations should not also be subject to judicial or other independent authorisation,” he wrote.
    The government agreed.
    “Ministerial authorisations, together with IGIS [Inspector-General of Intelligence and Security] oversight, provide appropriate protections and accountability for intelligence warrants and authorisations, and should continue without additional judicial or other authorisation,” they wrote.
    The Law Council of Australia has expressed “grave concern” about this.
    “This would reinforce Australia’s status as a major outlier within the Five Eyes Alliance,” wrote Pauline Wright, the Law Council’s president.
    “The United States, United Kingdom, Canada, and New Zealand all have judicial authorisation requirements for their intrusive intelligence collection powers,” she wrote.
    “For the public to have trust and confidence in covert activities it is essential the utmost independence and rigour applies when granting authorisations. Judicial authorisation is essential to creating and maintaining that state of trust.”
    The Australian government’s challenge this year will be to unravel this tangle of laws. One might wonder whether they’re up for it.
    Optus warns not to punish whole economy for tech giant sins in Privacy Act changes

    Optus has said that any changes made to Australia’s Privacy Act out of the review being conducted by the Attorney-General’s Department (AGD) should not focus on problems relating to the power of tech giants in Australia.
    “Optus cautions against extrapolating the behaviour of global monopolistic companies to the behaviour of competitive firms across the wider Australian economy,” the Singaporean-owned telco said in a submission to the review.
    “Optus submits that this review should be assessed within a competitive market framework. Any identified problem which gives rise to regulatory action must be a problem observable in effectively competitive markets. Problems arising from monopolistic behaviour are issues for competition law, not privacy law.”
    The telco said any wholesale changes to the Act would lead to “substantial compliance costs and place a further drag on innovation and limit the benefits of digitalisation”, and therefore a high level of justification is needed.
    One area where Optus said changes could be made was removing Part 13 of the Telecommunications Act — which prevents telcos from using the content of communications or personal information except in specified circumstances — as it has hamstrung local operators when competing against over-the-top (OTT) providers and tech giants.
    “Telecommunications carriers are subject to greater obligations under these two telecommunications acts than under the general Privacy Act. However, these Acts do not apply to the dominant over-the-top providers such as Facebook, Google, Apple, etc. It is these OTT providers that have been subject to investigation by the ACCC and whose behaviour ultimately led to this review,” it said.
    “Further, the favourable treatment of these multi-trillion dollar global companies over Australia-based and licensed telecommunications companies risks delaying the development of the Australian digital economy.”

    Optus added that as Part 13 was written prior to the Privacy Act, and the wider economy now has privacy protections, it believes the section could now be removed.
    In the October issues paper, AGD asked whether Australia should have a “right to erasure”, an analogue of Europe’s right to be forgotten. On this point, Optus was firmly against it.
    “There are significant technical hurdles to implement this for most sectors of the economy and much more research needs to be conducted,” the company said.
    “Optus submits that the compliance cost of an express right to erasure in the Privacy Act is likely to far exceed the benefits that flow from the right. There is insufficient evidence of a problem which would justify the costs.”
    Also in disagreement with the idea was Telstra. It said the existing Australian Privacy Principles meant companies were already required to delete data when it was no longer needed.
    “The imposition of any obligation to automatically delete personal information may not always be practical or even possible, particularly considering the suggestion that technical information should be treated as personal information,” it said.
    “Requiring network operators to routinely purge their networks of all technical information could also present operational risk if the information is needed for the proper functioning of those networks. Further, imposing an obligation to delete information may also create uncertainty for organisations who have legitimate reasons to retain what they have generated, such as to comply with other legal obligations (as is the case under the telco metadata retention regime) or in order to be able to effectively deal with and respond to customer queries and complaints.
    “There are also cases where deletion of personal information of an individual would impact the accuracy or quality of personal information we hold about another individual, for example in the case of a joint account or transactions between individuals such as call records.”
    Telstra further warned that if the review headed too far towards what the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry (DPI) recommended, then it would lead to increased regulatory burden with minimal benefit to consumers.
    The incumbent Australian telco dismissed many of the changes the review was looking into, such as the definition of personal information; protections for de-identified, anonymised, or pseudonymised information; notification; or the introduction of a statutory tort or direct right of action.
    “Information that has been de-identified should no longer be regarded as personal information and, therefore, should not be regulated under the Privacy Act as its use or disclosure should have no privacy-related consequences for any individual,” Telstra said.
    “Any reforms intended to clarify this position should stop short of imposing a higher standard of ‘anonymisation’ whereby de-identified data may continue to be personal information until all possibility of re-identification has been eliminated. Given the practical challenges of achieving that standard, any such change could have a chilling effect on innovation whereby useful research and analytics currently carried out with very low risk to privacy could be prevented simply because it is not possible to absolutely eliminate all possibility of re-identification.”
    In the opposing corner, security researcher Vanessa Teague said de-identification does not work.
    “A person’s detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person’s explicit, genuine, informed consent,” she said.
    “Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made.”
    Elsewhere, the telcos agreed that current enforcement arrangements were theoretically sufficient, provided outfits like the Office of the Australian Information Commissioner (OAIC) and Telecommunications Industry Ombudsman were well resourced.
    “A direct right of action has the capacity to divert consumers from OAIC’s complaint and investigative processes, which we believe are well-suited to complaints under the Privacy Act, and which already permit applications to the Federal Court of Australia by the OAIC and the consumer in appropriate circumstances,” Telstra said.
    The telco said the average time to finalise a complaint to OAIC is under 5 months, while Federal Court action could take that long to hear a matter, let alone hand down a final decision.
    Telstra added it would be good if state and federal privacy laws were harmonised, as well as surveillance device laws and health data records laws.
    “Most individuals would expect the level of protection afforded to their personal information to be the same nationally,” it said. 
    “Again, this harmonisation will make it easier for businesses to comply and for individuals to better understand their rights so they can exercise them. Alignment across jurisdictions would also provide wide ranging benefits including for industry as suppliers of systems that design and manage controls for these data across jurisdictions.”
    Agreeing with the telco on the need to provide resourcing to OAIC, and little else, was the ACCC.
    “At the heart of our submission is the view that, in order to protect consumers and address market failure, the Privacy Act requires fundamental redesign that goes beyond our DPI recommendations, so that it will better reflect the modern day realities of consumers’ increasing lives online,” the consumer watchdog said.
    The ACCC said it was possible to create regulations for stronger privacy protections, consumer awareness, and obligations for business in such a way that the benefits would outweigh any compliance costs.
    “The market failures and consumer protection issues related to privacy and consumer choice and control over data that we identified in the DPI are unlikely to be limited to digital platforms or the businesses and sectors we have since examined in our inquiries,” it said.
    “A number of the DPI’s observations in relation to the data practices of digital platforms extend to businesses beyond search and social media digital platforms. This includes businesses in media and advertising services, customer loyalty schemes, and platforms providing online private messaging services. This informed our economy wide privacy reform recommendation in the DPI.”
    OpenWRT reports data breach after hacker gained access to forum admin account

    The maintainers of OpenWRT, an open-source project that provides free and customizable firmware for home routers, have disclosed a security breach that took place over the weekend.

    According to a message posted on the project’s forum and distributed via multiple Linux and FOSS-themed mailing lists, the security breach took place on Saturday, January 16, around 16:00 GMT, after a hacker accessed the account of a forum administrator.
    “It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled,” the message reads.
    The OpenWRT team said that while the attacker was not able to download a full copy of its database, they did download a list of forum users, which included personal details such as forum usernames and email addresses.
    No passwords were included in the downloaded data, but citing an “abundance of caution,” OpenWRT administrators have reset all forum user passwords and API keys.
    The project is now informing users that the next time they log into their accounts, they’ll need to go through the password recovery procedure. This process is also mandatory for those using OAuth tokens, who will need to re-sync their accounts.
    Great phishing opportunity for supply chain attacks
    OpenWRT admins are also warning forum users that they might see an increase in email phishing attempts.

    While some might argue about what’s so important about an OpenWRT forum account, the portal is often frequented by developers working for companies that sell OpenWRT-compatible routers or software.
    Compromising a forum account on OpenWRT could be the first step towards escalating access into the internal networks of many hardware and software development companies.
    As a result, the OpenWRT team is urging forum users not to click any links inside emails they receive claiming to come from its domain. Instead, users should type the forum’s URL (forum.openwrt.org) in their browser address bar by hand and access it this way instead.
    OpenWRT admins said that only forum user data appears to have been compromised for now. The OpenWRT wiki, which provides official download links and information about how users could install the firmware on various proprietary router models, was not breached, based on current evidence.
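    The advice above (do not click links in mail claiming to come from the forum; type forum.openwrt.org into the address bar yourself) can be turned into an automated check on incoming mail. The following is an added example, not OpenWRT project code: it extracts every link from an HTML email body and treats a link as safe only when its real target host is exactly forum.openwrt.org over https, flagging the usual lures (a lookalike such as forum.openwrt.org.something.example, credentials in the URL that hide the real host, punycode/IDN hosts, and link text that shows a different URL from the href). The allow-list, the sample email and the hosts and addresses in it are assumptions constructed for illustration.

```python
"""Flag links in a suspected phishing email whose real target is not the
expected forum host. Added example, not OpenWRT project code; the
allow-list, the sample email and the hosts in it are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only an exact hostname match counts; anything else is treated as a lookalike.
EXPECTED_HOSTS = {"forum.openwrt.org"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None if the <a> has no href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text=""):
    """Return ('ok', host) or ('suspicious', reason) for one link."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious", f"non-web or hostless URL: {href}"
    # https://forum.openwrt.org@203.0.113.5/ : the real host is after the '@'
    if parts.username is not None or parts.password is not None:
        return "suspicious", f"credentials in URL hide the real host {host}"
    # Internationalised hostnames can spoof Latin letters; any IDN label is suspect.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious", f"malformed IDN host: {host!r}"
    if "xn--" in ascii_host:
        return "suspicious", f"punycode host: {ascii_host}"
    # Visible text that looks like a URL must point where it says it does.
    if text.lower().startswith(("http://", "https://")):
        shown = (urlsplit(text).hostname or "").rstrip(".").lower()
        if shown != host:
            return "suspicious", f"link text shows {shown} but target is {host}"
    if host in EXPECTED_HOSTS:
        if parts.scheme != "https":
            return "suspicious", f"expected host reached over plain http: {href}"
        return "ok", host
    if "openwrt" in host:
        return "suspicious", f"lookalike of the forum host: {host}"
    return "suspicious", f"unexpected host: {host}"


def scan_email(html_body):
    """Classify every link in an HTML email body; returns a list of dicts."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    parser.close()
    results = []
    for href, text in parser.links:
        verdict, reason = classify_link(href, text)
        results.append({"href": href, "text": text, "verdict": verdict, "reason": reason})
    return results


# Constructed sample: one genuine reset link followed by four common lures.
SAMPLE_EMAIL = """<p>Your forum password was reset. Please log in again.</p>
<a href="https://forum.openwrt.org/password-reset">Reset your password</a><br>
<a href="https://forum.openwrt.org.account-verify.example/login">https://forum.openwrt.org/login</a><br>
<a href="http://forum.openwrt.org/login">Log in</a><br>
<a href="https://forum.openwrt.org@203.0.113.5/login">Log in</a><br>
<a href="https://forum.xn--penwrt-x9a.org/login">forum.openwrt.org</a>
"""

if __name__ == "__main__":
    for r in scan_email(SAMPLE_EMAIL):
        print(f"{r['verdict']:10} {r['href']}  ({r['reason']})")
```

    The check is deliberately strict: it refuses anything that is not an exact hostname match rather than trying to decide whether a lookalike is "close enough", which is the same posture the admins are asking users to take by typing the address themselves.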

    Hackers 'manipulated' stolen COVID-19 vaccine data before leaking it online

    Hackers who stole information about COVID-19 vaccines in a cyberattack against the European Union’s medical agency and then published it online also manipulated what they found in order to spread disinformation designed to undermine trust in vaccines.
    In the latest update on the cyberattack which was first disclosed last month, the European Medicines Agency (EMA) has revealed how hackers accessed confidential internal emails from November about evaluation processes for COVID-19 vaccines.
    The ongoing investigation found that some of the contents of those emails have been manipulated by those behind the attack in what appears to be an attempt to create mistrust with disinformation about vaccines.
    “Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” said the update from the EMA.
    It’s uncertain who the perpetrators of the EMA cyberattack are or why exactly they’ve manipulated the documents to spread disinformation in an effort to undermine trust in the vaccines. Anti-vax conspiracy theories about coronavirus have been a problem for social media and the wider world since the start of the pandemic.
    A previous update from the EMA disclosed that hackers accessed and stole COVID-19 vaccine data during the December attack. The intruders, who were specifically targeting data relating to COVID-19 medicines and vaccines, gained access to the information by breaching an undisclosed IT application.

    “The agency continues to fully support the criminal investigation into the data breach. Necessary action is being taken by the law enforcement authorities,” said the EMA statement.
    The UK’s National Cyber Security Centre, Microsoft and the World Health Organisation are among those which have issued warnings over hacking groups targeting healthcare, pharmaceuticals, universities and other organisations involved in COVID-19 vaccine development and distribution.
    You're using your Android and Mac's fingerprint reader all wrong

    Fingerprint readers are great. When they work.
    One thing I’ve noticed since switching to an iPhone with Face ID instead of Touch ID is how much faster and more accurate using my face is than using my fingers.
    Not only is fingerprint placement on the sensor critical, but people who work with their hands will find that their fingerprints can wear to the point where they become unreliable (but not enough for you to get away with crimes, in case you’re wondering).
    If you work with your hands outdoors or as a technician or mechanic, this will be an issue, but it’s also an issue, if not a bigger one, for people with demanding hobbies such as rock climbing or weight training.
    Add to this the fact that if you are someone who works with your hands, chances are good that your hands aren’t always clean. Oil, dirt, and adhesives can all affect your prints (just today, I got some epoxy resin on my Mac’s fingerprint reader — fortunately for my wallet, it came off!).
    I’ve come across four workarounds to this problem.

    Give your device the middle finger

    Literally.
    Use your middle finger as the default. Sure, it takes a little bit of getting used to, but I’ve found that the fingerprints on the middle finger take less battle damage than other fingers, especially the index finger, and it is still dexterous enough to use (I’ve tried using the pinky, but it doesn’t want to play ball!).
    I find using the middle finger particularly good for Android smartphones that have the fingerprint reader on the back, or the Touch ID pad on Macs.
    Multiple identities
    Another trick I find works well is to program in the same finger with Android or macOS several times over a period of time. This way, it learns to read your fingerprint through the random scuffs and scars.
    This is useful for those who don’t want to change the finger they use to unlock their smartphone.
    Go on the side
    Rather than using the pads of the fingers (the parts that get fragged the most), use the sides, especially the thumb. Again, it’s a spot that takes less damage.
    I find this works really well for smartphones with side-mounted fingerprint readers on Android smartphones.
    Get comfortable
    Enroll your fingerprint with the system the way you expect to be holding or using the device. With a new system, you might not know what this natural, comfortable way is until you’ve used it for a few days, so go through the process a second time if you feel like it’s not catching your prints accurately. I know that initially when I enrolled my fingerprints on my MacBook Pro, I was jabbing at them completely differently to the way I would use them in real life, and this affected accuracy a lot.

    How to prepare your business for civil unrest during inauguration week

    I’d like to say that these last weeks have been like nothing we’ve ever seen before in America. But that’s not true. There have been numerous internally-driven insurrections against the American government. There was Shays’ Rebellion, the Whiskey Rebellion, Fries’s Rebellion, and even the formation of the State of Muskogee — and all of these were just in the first 25 years of the Republic. And, of course, there was the American Civil War.
    But — make no mistake about it — there hasn’t been a direct assault anything like we saw in Washington on January 6 for a really long time. There have been protests and pushbacks against various pieces of legislation. There have certainly been issue-driven protests that turned violent. But armed attackers attempting to block an American election, entering America’s seat of government, forcing legislators to flee out of fear for their lives, and then causing the deaths of five Americans? No, that’s pretty new to any American alive today.
    Unfortunately, it’s probably not over. The FBI has warned of possible armed protests and violent actions against individual state capitals and the US capital. This coming week is inauguration week, and tempers are running hot.
    It’s not just lawmakers who are concerned. Businesses and enterprises are worried they might be victims of attack as well. Here are just a few examples of measures being taken: Starbucks in New York City is temporarily closing, as are businesses in downtown Madison, Wisconsin. Raleigh, North Carolina has an expanded police presence to protect people and property. Businesses in downtown Columbus, Ohio are bracing for attacks. Businesses in Denver are boarding up in preparation for inauguration protests and violence.
    Even suburban Tigard, Oregon, home of my Apple Store and my local Rockler tool mecca, is dealing with rioting. Add to all that the chaos that’s occurred right here in Salem, Oregon’s state capital.
    To say businesses are worried is an understatement.
    How to prepare

    Doing business safely is very important. Those of us fortunate enough to have jobs rely on business to help us put food on our tables. Communities rely on business as well. But managers and employees are scared. Some businesses have already been vandalized. Financial stress is very real, especially now.
    While probably none of us are truly innocent, many businesses are just trying to get by. Business owners may feel that they are not directly contributing to the current unrest, and may even be actively working towards helping alleviate suffering.
    Of course, much of how we do business — the coldness, the unfairness, the greed, the racism and sexism inherent in the system — has definitely contributed to conditions that are causing strife in America, but that’s a very big subject that’s outside of the scope of this column. Today, we’re just going to look at how to protect your company and your people. 
    To protect your company, the Virginia Fusion Center (VFC) has some guidelines that might help. The mission of the Fusion Center is “to fuse together key counterterrorism and criminal intelligence resources from local, state, and federal agencies as well as private industries in a secure, centralized location, to facilitate information.”
    The following guidelines were provided to InfraGard members with a request that we share this information with our constituencies. As such, much of the following is directly quoted from the VFC guidance for businesses concerned about dealing with civil unrest.
    1. Stay informed – Depending on where you live, protest organizers are required to get a permit before demonstrating publicly. Most protesters advertise their events to garner more participation and coordinate the protest with police officials. Keep up to date on events in your community by contacting local officials or viewing your city’s website for posted information on upcoming events. Moreover, stay abreast of emergency protocols in your area.
    2. Reduce building weaknesses – Determine what makes your storefront [or office or factory] more vulnerable. Are there dark alleys and large windows? A building should have adequate lighting at all entrances along with security cameras with alarms to capture intruders on tape and notify police automatically. Windowless doors made from steel and deadbolts help to deter vandalism.
    3. Close your store [or office or factory] – Sometimes closing your store [during times of unrest] is the best decision to ward off losses. Your prime concern is the health and safety of employees and consumers, as well as preventing physical damage to property. You can also adjust store hours and reduce the number of employees who work based on city curfews. Gain guidance from governing officials as to the safest time to remain open.
    4. Revise your schedule – If you expect deliveries, reschedule them for a different day or week. You also don’t want to be meeting with clients or staff when a protest is ongoing. Keep staff members informed of safety plans, so they know what to expect.
    5. Call the police – If trespassers look suspicious and won’t leave your property, get police assistance immediately. It’s not advisable to take matters into your own hands or use firearms as a means to protect your premises.
    6. Review your insurance policy – Make sure your business policy includes coverage for property damage incurred during a protest. You should meet with your insurance agent to verify what exactly your liability and property insurance policy covers.
    Signs of terrorism
    The Fusion Center recommends you keep an eye out for the following eight indicators of suspicious activity. If you find such activity, you can report it to your local police department, or to the Fusion Center directly. Here’s what to watch out for (again, quoted directly from the fusion center’s guidance):
    1. Surveillance – Someone recording or monitoring activities. This may include the use of cameras, note taking, drawing diagrams, annotating on maps, or using binoculars or other vision-enhancing devices.
    2. Elicitation – People or organizations attempting to gain information about military operations, capabilities, or people. Elicitation attempts may be made by mail, email, telephone, or in person. This could also include eavesdropping or friendly conversation. [Also, keep an eye out for any social engineering attempts. –DG]
    3. Tests of Security – Any attempts to measure reaction times to security breaches, attempts to penetrate physical security barriers, or monitor procedures in order to assess strengths and weaknesses.
    4. Funding – Suspicious transactions involving large cash payments, deposits, or withdrawals are common signs of terrorist funding. Collections for donations, the solicitation for money and criminal activity are also warning signs.
    5. Supplies – Purchasing or stealing explosives, weapons, ammunition, etc. This also includes acquiring military uniforms, decals, flight manuals, passes or badges (or the equipment to manufacture such items) and any other controlled items.
    6. Impersonation – People who don’t seem to belong in the workplace, neighborhood, business establishment, or anywhere else. This includes suspicious border crossings; the impersonation of law enforcement, military personnel, or company employees is also a sign.
    7. Rehearsal – Putting people in position and moving them around according to their plan without actually committing the terrorist act. An element of this activity could also include mapping out routes and determining the timing of traffic lights and flow.
    8. Deployment – People and supplies getting into position to commit the act. This is the person’s last chance to alert authorities before the terrorist act occurs.
    In addition to your local police and the fusion center, you can contact the FBI. Contact the FBI’s Toll-Free Tipline at 1-800-CALL-FBI (1-800-225-5324) to verbally report tips. You may also submit any information, photos, or videos that could be relevant online at fbi.gov/USCapitol. You may also contact your local FBI office or the nearest American Embassy or Consulate.
    Guidelines for reporters
    Finally, if your job necessitates that you put yourself directly in harm’s way by attending the protests for the purpose of reporting on the events unfolding, keep in mind the following set of quick tips:
    Make sure you know where the exit points are.
    Consider leaving if the crowd seems to be getting out of control.
    Wear closed-toe shoes and keep the laces tied to prevent tripping.
    Avoid standing on or near structures that could collapse.
    Walk around crowds rather than pushing through them.
    Leave early or late to avoid the rush when the event is over.
    If you’re caught in a moving crowd, walk sideways or diagonally across it to work your way out.
    Keep your phone charged and on. Program it to vibrate as well as ring.
    Final thoughts
    Please be careful. As grandma used to say, an ounce of prevention is worth a pound of cure. Here’s to a happy 2021, because it’s already soooo much better than 2020.
    What are you doing to protect your business? Have you implemented any technical solutions? Share with us in the comments below.
    Disclosure: David Gewirtz is a member of InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure.


    Google Cloud: We do use some SolarWinds, but we weren't affected by mega hack

    Google Cloud’s first chief information security officer (CISO) has revealed that Google’s cloud venture does use software from vendor SolarWinds, but says its use was “limited and contained”.
    Google Cloud announced the hire of its first CISO, Phil Venables, in mid-December, just as the US was beginning to understand the scope of the Russian government’s software supply chain malware attack.
    The hack affected the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Justice, Microsoft’s source code and many more.
    But Venables, a Goldman Sachs veteran, insists that no Google systems were affected by the attack. It’s an important message from Google at a time when hacks have undermined trust in known software suppliers, which in turn threatens Google’s $12bn-a-year cloud business. Google is set to announce its Q4 2020 FY financial results on Tuesday, February 2. 
    “Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event,” Venables said in a blogpost. 
    “We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.”
    Venables also shared some top tips that Google uses to protect itself and customers from software supply chain threats. This particular attack exposed how connected the entire software industry is, and how vulnerable the ecosystem is because of assumptions built into the systems that are used to receive updates from known and trusted suppliers. 

    Hackers breached SolarWinds and planted malware inside software updates for Orion, which offered a beachhead from where attackers could move within networks of companies and government agencies. 
    Researchers at CrowdStrike last week revealed a third piece of malware was used in the attack on SolarWinds’ customers via official software updates. SolarWinds last week disclosed that the attackers were testing malware distribution through Orion updates from at least September 2019, indicating the planning that went into the attack.
    Other organizations affected by this breach included the Department of Health’s National Institutes of Health (NIH), the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Agency (CISA), the US Department of State, the National Nuclear Security Administration (NNSA), the US Department of Energy (DOE), several US state governments, and Cisco, Intel, and VMware.
    According to Venables, Google uses secure development and continuous testing frameworks to detect and avoid common programming mistakes. 
    “Our embedded security-by-default approach also considers a wide variety of attack vectors on the development process itself, including supply chain risks,” he says. 
    He goes on to explain what trusted cloud computing means at Google Cloud, which comes down to control over hardware and software.  
    “We don’t rely on any one thing to keep us secure, but instead build layers of checks and controls that include proprietary Google-designed hardware, Google-controlled firmware, Google-curated OS images, a Google-hardened hypervisor, as well as data center physical security and services,” says Venables.
    “We provide assurances in these security layers through roots of trust, such as Titan Chips for Google host machines and Shielded Virtual Machines. Controlling the hardware and security stack allows us to maintain the underpinnings of our security posture in a way that many other providers cannot. We believe that this level of control results in reduced exposure to supply chain risk for us and our customers.”
    Google also verifies that software is built and signed in an approved isolated build environment from properly checked-in code that has been reviewed and tested.
    The company then enforces these controls during deployment, depending on the sensitivity of the code. 
    “Binaries are only permitted to run if they pass such control checks, and we continuously verify policy compliance for the lifetime of the job. This is a critical control used to limit the ability of a potentially malicious insider, or other threat actor using their account, to insert malicious software into our production environment,” says Venables.  
    Finally, Google ensures that at least one person beyond the author provably reviews code and configuration changes submitted by its developers.   
    “Sensitive administrative actions typically require additional human approvals. We do this to prevent unexpected changes, whether they’re mistakes or malicious insertions.”
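    The deploy-time gate described above (a binary runs only if it was built by an approved isolated builder from checked-in code that someone other than the author reviewed) is easy to misread as a single signature check. The following is an added illustration, not Google’s code: it models one such policy with a constructed builder key, a constructed review ledger and an HMAC-signed build attestation, and rejects a binary on each of the failure modes the passage implies.

```python
import hashlib
import hmac

# Constructed policy inputs (assumptions for this example, not real data):
# keys of approved isolated builders and the commits that passed review.
# In a real system these come from the build service and the review tool.
APPROVED_BUILDERS = {"isolated-builder-1": b"constructed-builder-key"}
REVIEWED_COMMITS = {  # commit -> (author, set of reviewers)
    "c0ffee01": ("alice", {"bob"}),
    "c0ffee02": ("carol", {"carol"}),  # author "reviewed" herself: must fail
}

def sign_attestation(builder_id: str, commit: str, binary: bytes) -> dict:
    """What an approved builder emits: which commit produced which digest, signed."""
    digest = hashlib.sha256(binary).hexdigest()
    msg = f"{builder_id}|{commit}|{digest}".encode()
    sig = hmac.new(APPROVED_BUILDERS[builder_id], msg, hashlib.sha256).hexdigest()
    return {"builder": builder_id, "commit": commit, "digest": digest, "sig": sig}

def admit(binary: bytes, att: dict) -> tuple[bool, str]:
    """Deploy-time check: the binary may run only if every control passes."""
    key = APPROVED_BUILDERS.get(att.get("builder"))
    if key is None:
        return False, "builder not approved"
    # 1. The attestation must carry a valid signature from an approved builder,
    #    so a changed commit or digest field invalidates it.
    msg = f"{att['builder']}|{att['commit']}|{att['digest']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["sig"]):
        return False, "bad attestation signature"
    # 2. The artifact being deployed must be the one the builder attested to.
    if hashlib.sha256(binary).hexdigest() != att["digest"]:
        return False, "binary does not match attested digest"
    # 3. The source must be checked-in code that passed review by someone
    #    other than its author (the "at least one person beyond the author" rule).
    review = REVIEWED_COMMITS.get(att["commit"])
    if review is None:
        return False, "commit not reviewed"
    author, reviewers = review
    if not (reviewers - {author}):
        return False, "no reviewer other than author"
    return True, "admitted"
```

The same check would be re-run for the lifetime of the job, so revoking a builder key or a reviewed commit takes effect on the next evaluation rather than only at first deployment.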


    Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency

    The Scottish Environment Protection Agency (SEPA) has confirmed that it was hit by a ransomware attack last month and is continuing to feel the impact.
    SEPA’s contact centre, internal systems, processes and internal communication have all been affected by the attack, which hit on Christmas Eve. The organisation, which is Scotland’s government regulator for protecting the environment, has also confirmed that 1.2GB of data has been stolen as part of the attack – including personal information relating to SEPA staff.

    Despite the ransomware attack, SEPA’s ability to provide flood forecasting and warning services, as well as regulation and monitoring services, has continued.
    But while the infected systems have been isolated, SEPA’s latest update on the ransomware attack says that recovery will take a “significant period” and that a number of systems will “remain badly affected for some time” with entirely new systems required. SEPA has blamed the ransomware attack on “serious and organised” cyber criminals.
    “Whilst having moved quickly to isolate our systems, cybersecurity specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre, have now confirmed the significance of the ongoing incident,” said Terry A’Hearn, Chief Executive of SEPA.
    “Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

    While the organisation itself hasn’t confirmed what form of ransomware it has fallen victim to, the cyber-criminal group behind Conti ransomware has published what it claims to be data stolen from the Scottish government agency.
    Stealing data has become increasingly common for ransomware gangs. They use the stolen data to double down on attempts at extortion by threatening to leak the information if the victim doesn’t give in to the ransom demand of hundreds of thousands, or even millions, of dollars in bitcoin in exchange for the decryption key.
    SEPA hasn’t yet detailed how cyber criminals were able to break into the network to deploy ransomware and the investigation into the incident is still ongoing.
    “We are aware of this incident affecting the Scottish Environment Protection Agency and are working with law enforcement partners to understand its impact,” an NCSC spokesperson told ZDNet.
    Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and cyber criminals show no signs of slowing down ransomware campaigns because, for now at least, ransomware gangs are still successfully extorting large payments out of victims.