More stories

  • Shorten wants Morrison to pivot social media 'evil' remark to fighting online harms to kids

    Over the weekend at a Christian convention, Australian Prime Minister Scott Morrison declared social media could be used as a weapon by the “evil one” against young people.

    Answering questions following his address to the National Press Club (NPC) on Wednesday, former Opposition Leader Bill Shorten took the opportunity to expand on where he thinks Morrison should take such a remark.

    “I was interested in the reference to the ‘evil one’ in social media. What I’d like to do is take that fairly unspecified reference and — something I’ve been thinking about for a while, is that there are some evil things on the internet,” he said. “Children have too easy access to pornography in this country online … I think a lot of parents are oblivious.”

    According to Shorten, the average age that “little Australian boys” are exposed to porn online is 13. He said simply saying to parents, “Watch what your kid’s eyeballs are on the whole time” is a “tad unrealistic as we’ve created the iPad babysitter”.

    “I think that if Mr Morrison wants to perhaps materialise that general reference to evil, let’s make it harder for our Aussie kids to access pornography online — I’m not making a reflection about adults and pornography, I’m not a censor, I’m not going down that path at all, but children shouldn’t be getting their sex education from hardcore pornography — and it’s something that I know I’m going to take up and I’m sure others will,” the Shadow Minister for Government Services said.

    “This could be something that Mr Morrison could turn from Sunday service into seven days a week campaign.”

    Shorten pointed to work underway by the eSafety Commissioner Julie Inman Grant as helping thwart this “evil”.

    The House of Representatives Standing Committee on Social Policy and Legal Affairs closed its inquiry into age verification for online wagering and online pornography last year, tabling a report [PDF] in February 2020.

    Making a total of six recommendations, the committee asked the Digital Transformation Agency (DTA), in consultation with the Australian Cyber Security Centre, to develop standards for online age verification for age-restricted products and services. It said these standards should specify minimum requirements for privacy, safety, security, data handling, usability, accessibility, and auditing of age-verification providers.

    It further asked the DTA to extend its Digital Identity program to include an age-verification exchange for the purpose of third-party online age verification. This was despite eSafety saying on many occasions that there are no “out of the box technology solutions” that will solve this issue, and the commissioner’s opinion that age verification should not be seen as a panacea.

    The government is yet to provide a response to the report.

  • Ombudsman finds unlawful metadata access by ACT cops on 1,704 occasions

    The Commonwealth Ombudsman has confirmed that of the 1,713 individual accesses to location-based services (LBS) by ACT Policing between 13 October 2015 and 3 January 2020, only nine were fully compliant with the Telecommunications (Interception and Access) Act 1979 (TIA Act).

    In January 2020, the Australian Federal Police (AFP) identified compliance issues involving record-keeping, authorisation processes, and reporting of telecommunication requests relating to location-based services under Section 180(2) of the TIA Act, dating back as far as 2007. Ombudsman Michael Manthorpe was engaged the following March.

    In particular, the Ombudsman’s investigation focussed on access to, and use of, one type of telecommunications data — LBS or “pings”.

    “While initial advice provided by the AFP to my Office was that the LBS obtained by ACT Policing was only used to locate someone to arrest them, we were unable to rule out the possibility that unlawfully obtained evidence, the LBS, may have been used for prosecutorial purposes,” the report [PDF] said. “Secondly, the privacy of individuals may have been breached.”

    Common compliance issues the Ombudsman identified in its assessment of the 1,713 instances include: location accessed on an incorrect number, LBS accessed after an authorisation expired, additional LBS accessed that was not authorised, no time specified on an authorisation, and authorisations that were not signed.

    Providing examples of where ACT Policing operated incorrectly, the report said there were instances where the LBS was unsuccessful, such as when a phone was switched off or was not subscribed to the relevant provider, and the request was therefore treated as not requiring an authorisation. “We cannot be confident that the AFP’s available records of authorisations made reflect all accesses to LBS,” the report said.

    The Ombudsman said he could not be satisfied that the scope of the breaches, or their potential consequences, had been fully identified by the AFP, and considers it possible that breaches have occurred in parts of the AFP other than ACT Policing. “The AFP and ACT Policing missed a number of opportunities to identify and address that ACT Policing was accessing LBS outside the AFP’s approved process earlier,” the report declared. “The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report.”

    In July 2019, ACT Policing admitted it had found 3,249 further occasions on which it accessed metadata without proper authorisation during 2015, on top of the 116 requests it disclosed earlier that year.

    The Ombudsman is concerned this means the access was not reported to the Minister for Home Affairs and the records were not provided to the Ombudsman’s office to be considered for inspection, and that the risk of non-compliance with legislative requirements under the TIA Act was higher because the access occurred outside established processes approved by the AFP.

    “I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily,” Chief Police Officer for the ACT Neil Gaughan said on Wednesday. He also said all location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area.

    The Ombudsman made a total of eight recommendations, all agreed to by ACT Policing. The first asks the AFP to ascertain whether other areas of the force have accessed LBS and to determine the actual number of requests made for LBS, covering the period from 13 October 2015 to 31 January 2020. Manthorpe also asks the AFP to develop consistent processes and ensure training is thoroughly conducted, in particular so that any privacy intrusion is justified and proportionate. Another recommendation suggests the AFP seek legal advice on any implications arising from accessing prospective telecommunications data that has not been properly authorised.

  • COVID-19, WFH prompts spike in cyberattacks against banks, insurers

    The coronavirus pandemic and working from home (WFH) requirements are causing a “significant” spike in attacks against financial entities, new research suggests. 

    On Wednesday, BAE Systems Applied Intelligence released the COVID Crime Index 2021 report, which examined how the remote working model is impacting the banking and insurance industries. As the pandemic continues to have a widespread impact, the rapid transition to WFH models is, in some areas, being loosened, but many organizations are choosing either to continue allowing staff to work remotely or to adopt hybrid working practices. HSBC and JP Morgan, for example, will allow thousands of their employees to stay home for the foreseeable future.

    There are ramifications to WFH trends when it comes to staff satisfaction and productivity. A recent study found that 31% of employees believe they work better from home, but distractions, home life, and existing commitments were cited as issues when it comes to working effectively.

    Security, too, has proven to be a challenge. According to BAE Systems’ report, 74% of banks and insurers have experienced a rise in cyberattacks since the start of the pandemic, and “criminal activity” detected by financial entities has risen by close to a third (29%). The research is based on two surveys conducted with 902 organizations in financial services and fieldwork in both the US and UK markets, taking place over March 2021.

    The increased threats detected by IT teams are as follows:

      • Increase in botnet attacks: 35%
      • Increase in ransomware: 35%
      • Increase in phishing attacks: 35%
      • Mobile malware: 32%
      • COVID-related malware: 30%
      • Insider threats: 29%

    The report also reveals that 42% of banks and insurers believe the working from home model has made their organizations “less secure” and 44% say remote models have led to visibility problems across existing networks.

    The pandemic has prompted many companies to cut costs whenever they can, and when it comes to cybersecurity, average risk, anti-fraud, and cybersecurity budgets have been slashed by 26%, leading to 37% of organizations believing their customers are now at a greater risk of cybercrime and fraud. Financial losses, perhaps unsurprisingly, are increasing. According to the report, 56% of UK and US banks have experienced such losses, with the average cost of online criminal activity alone reaching $720,000 over the course of the pandemic.

    In a secondary study, BAE Systems focused on the pandemic’s cybersecurity ramifications for consumers. In the past year, 28% said they had been sent at least one COVID-19-themed phishing email, 22% received scams over SMS, and overall, at least a fifth of consumers have been targeted over 2020 – 2021.

  • Australian government's major IT shops to help others with cybersecurity

    Stuart Robert during Question Time in the House of Representatives at Parliament House in March 2021
    Image: Getty Images
    The federal government might be finally letting go of its “every agency for itself when it comes to cybersecurity” mantra, signalling on Wednesday its intention to have Canberra’s bigger agencies provide support to others.

    “We know that certain agencies cannot compete for skills and resources in the marketplace and we must develop alternative ways for meeting their needs,” Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said.

    The former Minister for Government Services revealed the government is looking to establish three “Cyber Hub” pilots that will see departments such as Defence, Home Affairs, and Services Australia provide cyber services for “those agencies that cannot match their breadth and depth of skills”.

    “We can see a future where such hub models may be established for other types of scalable services, not just cybersecurity,” he said. “This may include broader ICT functions — such as secure email, or corporate services — such as finance or HR.”

    The decisions will be informed by the Whole of Government Architecture and the Digital Review, which are both projects underway by the Digital Transformation Agency (DTA).

    The DTA, now back under the Department of Prime Minister and Cabinet and with the revised mandate to be responsible for “Whole of Government ICT governance, strategy, policy, architecture, processes, and procedures”, is going to provide Robert with a “complete picture of what we have, what we need, what we must invest in and by when” as part of the creation of the Whole of Government Architecture.

    “I have tasked the DTA with developing a Whole of Government Architecture that will map out all the strategic capabilities that we require as a government, including existing assets and any gaps we need to address,” he said.

    “The Architecture will also account for the age and complexity of existing systems and allow us to start managing the lifecycle of projects.”

    Similarly, the DTA is conducting a Digital Review, which Robert touted as giving the government a clear picture of the capabilities of agencies, such as what levels of skill exist, at what levels of maturity, and how different agencies are currently performing in the delivery of their roles.

    “Once completed in the period ahead, we will have the ability to bring together the system view of the Whole of Government Architecture and the agency capacity view of the Digital Review, to understand how we start planning the future at enterprise scale across whole of government or whole of nation,” Robert believes.

    Meanwhile, the “Integrated Investment Approach”, he said, will enable the government to make the right investment decisions.

    “Right now, digital and ICT investment can be a bit like the hunger games, where government often finds itself with investment proposals that are presented as urgent or critical, but with limited opportunity to consider the broader strategic context of those proposals,” he said.

    Robert also took the opportunity to highlight his vision for myGov, the federal government’s online portal for accessing government services.

    “Our long-term vision for myGov is to ensure it evolves to become a world leading single national digital platform that delivers simple, helpful, respectful, and transparent services that meet the needs and expectations of all Australians,” he said, paying homage to the pipedream he delivered to the National Press Club in July. “We will progressively provide new functionality, delivering personalised information and services as we strive for an ever more integrated and improved customer experience. We’re building the future front door for government — openly and transparently.”

    In March last year, myGov crashed when many Australians tried to determine if they qualified for support from the country’s Centrelink scheme. Robert was quick to claim the portal suffered a distributed denial of service (DDoS) attack while simultaneously blaming the outage on legitimate traffic that pushed past the 55,000 concurrent users limit set by government.

    The tech-savvy minister also took the opportunity to highlight his “big, hairy, audacious goals” — or “B-HAGs” as his speech writers declared.

    “Government, especially the federal government, delivers an enormous amount for Australians, but a lot of it is under the hood and a lot of it is tech based,” Robert said. “And it is not at all ‘sexy’. Me and my colleagues’ job is to not make government ‘sexy’, but to make government services simple, helpful, respectful, and transparent.”

    Robert touched on the Digital Transformation Strategy, which has the goal of making all government services available digitally by 2025. He said that “significant progress both in delivery, as well as our capability and maturity” has been made as the halfway mark approaches.

  • FireEye Q1 revenue, EPS top expectations, forecast higher, shares rise

    Cloud cyber-security pioneer FireEye this afternoon reported Q1 revenue and profit that topped analysts’ expectations, and an outlook for this quarter, and the full year, higher as well. The company’s annualized recurring revenue rose 9%, year over year, to $643 million. The report sent FireEye shares up 2% in late trading.

    CEO Kevin Mandia noted that growth in the quarter was “led by our Platform, Cloud Subscription and Managed Services category, which increased 26% year over year, and our Professional Services category, which increased 25% year over year.”

    Mandiant’s ARR from its Platform, cloud and subscriptions, combined, rose 22%, year over year, to $352 million, it said. Mandia noted that the company added new modules to its suite, to take advantage of “expertise and intelligence”: “Mandiant Automated Defense, which adds a powerful, multi-vendor XDR capability, and Mandiant Security Validation, which enables customers to manage, measure, and report on cyber security risk within their organization.”

    Revenue in the three months ended in March rose 10%, year over year, to $246 million, yielding a net profit of 8 cents a share, excluding some costs.

    Analysts had been modeling $237 million and 6 cents per share.

    For the current quarter, the company sees revenue of $246 million to $250 million, and EPS in a range of 8 cents to 9 cents, excluding some costs. That compares to consensus for $244 million and an 8-cent profit per share.

    For the full year, the company sees revenue in a range of $1.01 billion to $1.03 billion, and EPS of 39 cents to 41 cents. That compares to consensus of $1 billion and a 36-cent profit per share.


  • University of Minnesota responds to Linux security patch requests

    If you’re just catching up on this story, here’s the quick recap: University of Minnesota researchers deliberately submitted patches that would have introduced use-after-free (UAF) vulnerabilities into the Linux kernel. When it appeared they were trying once more to put garbage patches into the kernel, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, banned UMN developers from submitting to the kernel and pulled existing suspicious UMN patches. The Linux Foundation followed up with a list of requests for the UMN to comply with if they wanted to work with the Linux kernel again. Now, ZDNet has obtained a copy of UMN’s response to the Linux community.


    According to Mats Heimdahl, UMN Professor and Department Head of the Department of Computer Science and Engineering, the school appreciates the Linux Foundation’s requests, looks forward to reaching “a mutually satisfactory resolution”, and agrees that re-engaging with each other “is the way to go.” Specifically, Heimdahl continued:

    “We currently are considering your requests, and are moving as quickly as we can to produce a substantive response that addresses them. In particular, the research group is preparing a letter to the Linux community and we are currently attempting to secure consent to release all information about the code submissions from the group. Once we have had an opportunity to look into the remaining issues, we would appreciate the opportunity to meet with you to discuss and move forward.”

    This is in response to the top request from Mike Dolan, the Linux Foundation’s senior VP and general manager of projects:

    “Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.”

    Finding the questionable code and associated documentation is difficult. The UMN researchers did a poor job of tracking their own research. As senior Linux kernel developer Al Viro commented: “The lack of data is a part of what’s blowing the whole thing out of proportion — if they bothered to attach the list (or link to such) of SHA1 of commits that had come out of their experiment, or, better yet, maintained and provided the list of message-ids of all submissions, successful and not, this mess with blanket revert requests, etc. would’ve been far smaller (if happened at all).”

    Dolan also asked on behalf of the Linux developer community that the paper coming from this research, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” be withdrawn because the researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, experimented on Linux kernel maintainers without their permission. His request was that the university withdraw “from formal publication and formal presentation all research work based on this or similar research where people appear to have been experimented on without their prior consent. Leaving archival information posted on the Internet is fine, as they are mostly already public, but there should be no research credit for such works.”

    While Heimdahl didn’t address this point, the paper has been withdrawn. In a public note, Wu and Lu, but not Pakki, wrote: “We wish to withdraw our paper “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits” from publication in the 42nd IEEE Symposium on Security and Privacy.” The paper had already been accepted by this top-tier conference.

    They’re withdrawing it for two reasons:

    “First, we made a mistake by not engaging in collaboration with the Linux kernel community before conducting our study. We now understand that it was inappropriate and hurtful to the community to make it a subject of our research and to waste its effort reviewing these patches without its knowledge or permission. Instead, we now realize that the appropriate way to do this sort of work is to engage with community leaders beforehand so that they are aware of the work, approve its goals and methods, and can support the methods and results once the work is completed and published. Therefore, we are withdrawing the paper so that we do not benefit from an improperly conducted study.

    “Second, given the flaws in our methods, we do not want this paper to stand as a model for how research can be done in this community. On the contrary, we hope this episode will be a learning moment for our community, and that the resulting discussion and recommendations can serve as a guide for proper research in the future. Therefore, we are withdrawing the paper to prevent our misguided research method from being seen as a model for how to conduct studies in the future. We sincerely apologize for any harm our research group did to the Linux kernel community, to the reputation of the IEEE Symposium on Security and Privacy, our Department and University, and our community as a whole.”

    Between Heimdahl’s note and this public letter, it appears that the UMN has acceded to the Linux Foundation’s main requests. There are still fine details to be worked out, but it now appears that the UMN, the Linux Foundation, and the Linux kernel developer community should be able to quickly come to peace with each other. That done, the UMN can get back to doing research and the maintainers can return to doing their real work of improving the kernel rather than chasing down potentially bogus patches.

  • Anti-Facebook MeWe continues its user growth surge

    Eileen Brown
    MeWe seems to be breaking the mould for social media platforms – and increasing its user base as people turn away from ad-riddled social media platforms. The social media platform says it does not control your newsfeed, or fill your feed with third-party ads or content, and has grown to almost 18 million members.

    The platform has raised over $23 million from high-net-worth investors including Kelly Slater (top surfer), Rick Smith (former NFL executive), Verdine White (Grammy Award winner, Earth Wind and Fire bassist), Mark Britto (founder of Boku), Marci Shimoff (NYT author), Rachel Roy (fashion designer), and Jack Canfield (founder of Chicken Soup for the Soul).

    MeWe’s membership grew by a whopping 36% in Q1 2021 and by an average of 173% per year for the last three years. The platform boasts that 50% of its traffic is outside of North America. Of course, some of this US growth probably came from Amazon’s web hosting service dropping social network Parler as a customer in January, along with Apple and Google bans of the app.

    MeWe is available in 20 languages and was recently the #1 downloaded social app in Hong Kong. In Hong Kong, users started to migrate to the platform from Facebook after concerns about the way Facebook operates in China. Vice reckons that Hong Kong has become a testing ground for an Anti-Facebook movement.

    MeWe says that it is for ‘authentic, real-life sharing’. Groups are a big thing on the platform — although it can seem overwhelming if you subscribe to too many common interest groups. You see your content in the correct timeline-ordered newsfeed, meaning that you theoretically never miss a post from your groups and pages. Any member can join and create communities based on their interests, and the content appears as it is intended to be. Members have control of their newsfeeds and can decide what kind of content they want to see.

    Earlier this month, the company announced that it had appointed Hollywood/tech exec Jeffrey Edell as its new CEO, who also joins its Board of Directors. Edell succeeds MeWe founder Mark Weinstein, whose new role is Chief Evangelist. Edell previously held Chairman, CEO, and other C-level roles at Intermix Media (NASDAQ), the parent of MySpace; Soundelux Entertainment Group/Liberty Media; Cinedigm (NASDAQ); and DIC Entertainment. He helped lead the sale of MySpace to NewsCorp for about $600 million.

    Edell says: “People worldwide are migrating from Facebook, Instagram, and other major platforms to MeWe because it is the social network that respects its members as customers to serve and delight, not data to share, target, or manipulate. MeWe has achieved remarkable growth with zero paid marketing or member acquisition costs. I am thrilled to lead the company as we position for rapid growth by expanding our marketing efforts and product offerings, bringing on the world’s most compelling content creators, and growing our team to welcome millions of new members in the months ahead.”

    Although MeWe offers a “free forever,” or freemium, business model, members can upgrade to MeWe Premium for $4.99 per month to get features such as video journals, voice/video calling, cloud storage, custom themes, and custom emoji and sticker packs.

    I reckon that more and more people are attracted to MeWe for brand pages because their content gets to all of their followers regardless of how often they post. On Facebook or Instagram, content is throttled depending on how popular the user is. A brand like Samsung with 48 million users on Facebook reaches a tiny fraction of these users with every post. Savvy brands like Slashdot, controversial influencers like osteopathic physician Dr. Joseph Mercola, and Fox News’ Sean Hannity already use the MeWe platform.

    Perhaps the growth in users will tail off as the platform reaches saturation, but MeWe user growth shows no sign of slowing down right now. I like MeWe’s simplicity, and lack of ads. My feed can appear a little crowded sometimes if I haven’t logged on for a few days, but pruning my feed for a while sorts that out. I will certainly be watching MeWe with interest to see if it continues to grow.

  • FBI: Russian hackers are still trying to break into networks, here's how to protect yours from attack

    Russian hackers are still launching offensive cyber attacks against the US and its allies in efforts to steal information or lay the foundations for future operations, a joint alert by security and intelligence agencies has warned.

    The advisory from the FBI, Department of Homeland Security and CISA warns that the Russian Foreign Intelligence Service (SVR) – also known by cybersecurity researchers as APT 29, the Dukes and CozyBear – continues to target organisations in efforts to gather intelligence.

    US agencies – along with the UK’s National Cyber Security Centre (NCSC) – recently blamed the SVR for the SolarWinds supply chain attack, which saw hackers gain access to tens of thousands of organisations around the world – including several government agencies – after compromising the company’s software updates process. And now organisations are being warned that Russian cyber attacks show no signs of slowing down, especially when it comes to targeting the networks of organisations involved with government, think tanks and information technology.

    Cloud services including email and Microsoft Office 365 are being particularly targeted in attacks. “Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” warned the agency alert.

    The alert details common techniques used in SVR operations, including password spraying, leveraging zero-day vulnerabilities and deploying malware.

    Password spraying is when attackers try a small number of common, weak or default passwords against a large number of accounts, including admin accounts, rather than hammering one account with many guesses; each account sees only a few failures, which keeps the activity below lockout thresholds. Accounts protected by such passwords give attackers a relatively simple means of gaining access to poorly secured networks. In many cases, the attackers will break into as many accounts as they can, only thinking about how they can be exploited later.

    To defend against password spraying attacks, the FBI and DHS recommend the mandatory use of multi-factor authentication across the network and, where possible, enforcing the use of strong passwords – particularly for administrator accounts. It’s also recommended that access to remote administrative functions from IP addresses not owned by the organisation is prohibited.

    Another common attack technique used by Kremlin-backed hackers is leveraging vulnerabilities in virtual private network (VPN) appliances to gain access and harvest login credentials. The alert uses the example of attackers exploiting CVE-2019-19781 – a vulnerability in Citrix Application Delivery Controller and Gateway – but it’s one of several which have been exploited in cyber attacks in recent years, allowing attackers to secretly enter networks. In each of these cases, the affected vendor has released a critical security patch – and in some cases these have been available for years – but organisations which don’t apply the updates are still vulnerable to attacks.

    The FBI, DHS and CISA also warn about attacks using WellMess – a form of custom malware associated with APT 29, which has been used in attacks targeting COVID-19 vaccine research facilities. While stolen RDP credentials have been used to help install the malware, it’s also been known for attackers to attempt to distribute it via spear-phishing emails.

    The alert on Russian hacking techniques has been released in order to encourage organisations to examine their networks and gain a better understanding of how to secure against attacks. “The FBI and DHS are providing information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks,” said the alert.
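    Two of the recommendations above, watching for spraying and refusing remote administrative access from addresses the organisation does not own, can be turned into checks that run over authentication logs. The Python script below is an added example written for this page; it is not code from the FBI/CISA advisory or from any of the agencies. It assumes a constructed log line format (`<ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip>`), an assumed list of organisation-owned address ranges and an assumed set of administrator account names, all of which you would replace with your own. It flags sources whose failed logins spread across many distinct accounts inside a short window, which is the signature of spraying as opposed to brute force, and it reports successful administrator logins from addresses outside the organisation's ranges.

```python
"""Detection checks over authentication logs, following the FBI/CISA
password-spraying guidance: flag sources spraying many accounts and
flag administrator logins from outside organisation-owned addresses.

Added example for this page; the log format, the sample lines, the
address ranges and the admin account names are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed log line shape: "<ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAILURE) user=(\S+) src=(\S+)$")

# Assumed organisation-owned ranges and admin account names (replace with your own).
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]
ADMIN_ACCOUNTS = {"administrator", "admin", "svc_backup"}

# Constructed sample log: one spraying source (198.51.100.7), one user mistyping
# a password, one slow source that never exceeds the window, and two admin logins.
SAMPLE_LOG = """\
2021-04-26T08:00:01 FAILURE user=alice src=198.51.100.7
2021-04-26T08:00:03 FAILURE user=bob src=198.51.100.7
2021-04-26T08:00:05 FAILURE user=carol src=198.51.100.7
2021-04-26T08:00:07 FAILURE user=dave src=198.51.100.7
2021-04-26T08:00:09 FAILURE user=erin src=198.51.100.7
2021-04-26T08:00:11 SUCCESS user=frank src=198.51.100.7
2021-04-26T08:01:00 FAILURE user=alice src=10.1.2.3
2021-04-26T08:01:20 FAILURE user=alice src=10.1.2.3
2021-04-26T08:01:40 SUCCESS user=alice src=10.1.2.3
2021-04-26T09:00:00 FAILURE user=gina src=192.0.2.44
2021-04-26T09:30:00 FAILURE user=hank src=192.0.2.44
2021-04-26T10:00:00 FAILURE user=ivan src=192.0.2.44
2021-04-26T10:30:00 FAILURE user=judy src=192.0.2.44
2021-04-26T11:00:00 FAILURE user=kim src=192.0.2.44
2021-04-26T12:00:00 SUCCESS user=administrator src=198.51.100.9
2021-04-26T12:05:00 SUCCESS user=administrator src=10.0.0.5
"""


def parse(lines):
    """Return (timestamp, success, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome == "SUCCESS", user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map src -> peak number of distinct accounts it failed against within one
    window. Spraying tries a few passwords against many accounts, so the
    signature is breadth of usernames per source, not depth of failures per
    user (which is brute force and trips account lockout)."""
    failures = defaultdict(list)
    for ts, ok, user, src in events:
        if not ok:
            failures[src].append((ts, user))
    hits = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span is at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


def admin_logins_offnet(events):
    """Successful administrator logins whose source address is outside ORG_NETWORKS."""
    findings = []
    for ts, ok, user, src in events:
        if ok and user in ADMIN_ACCOUNTS:
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in ORG_NETWORKS):
                findings.append((ts.isoformat(), user, src))
    return findings


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG.splitlines())
    for src, n in detect_spray(evts).items():
        print(f"possible password spray from {src}: {n} distinct accounts in one window")
    for ts, user, src in admin_logins_offnet(evts):
        print(f"admin login off-network: {user} from {src} at {ts}")
```

    On the constructed sample, only 198.51.100.7 is reported as a spray source (five accounts in ten seconds); the user retrying their own password and the slow source spaced half an hour apart both stay under the threshold, and only the administrator login from 198.51.100.9 is reported as off-network. The window and account thresholds are tuning knobs: attackers who know a lockout policy will spread attempts over hours, so on real logs you would run the same check over longer windows as well, and key on the account's identity provider or user-agent where the log carries it.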