Information Technology

Back in 2017, just barely a week after Donald Trump took office as the 45th President of the United States, I recommended the following to the nascent Trump Administration:

I strongly recommend supporting President Trump’s use of Twitter. We’ve never had the opportunity for a president to speak, unfiltered, to the American people at will, and this could be an amazing experiment in democracy (and a source of never-ending good material for us pundits).

We had no idea.
From March 18, 2009, the day Donald Trump starting tweeting (and way before he was president), until January 8, 2021, the day President Trump’s account was suspended by Twitter, he tweeted 59,553 times. Wikipedia reports that he posted more than 34,000 tweets since he declared his candidacy in June of 2015.
Also: Capitol attack’s cybersecurity fallout: Stolen laptops, lost data and possible espionage
If you divide the 34,000 tweet number by the 66 months since June 2015, we find he fired off an average of 515 tweets per month, or about 17 tweets each day.
The man has had a lot to say and, according to Twitter, not all of it good.
Twitter ban
As stated previously, Twitter cut off President Trump last week. The company listed five primary factors that led to the account suspension, which you can read in our article on the ban. Citing perceived violations of the company’s Glorification of Violence policy in light of the Capitol Building attacks, the company pulled the plug on one of its greatest draws and controversial users.

This was a huge blow to Trump’s ability to reach out directly to his base. He had roughly 88 million followers on Twitter. Think about that for a second. What other leader in human history has been able to dash off a stream-of-consciousness opinion or comment and have it instantly reach 88 million people at no cost and with no gatekeepers?
Twitter wasn’t alone in their attempt to muzzle the president. Facebook, Instagram, Snapchat, and Twitch all took action against President Trump’s social media accounts. But, without a doubt, it’s Twitter that provided the mind meld between the president’s psyche and the public.
The importance of presidential records
As a citizen and politics nerd, I’ve been watching all the events of this election season with a mix of horror and fascination. But as a presidential scholar, I’ve had a deeper concern: what happens to the president’s tweets if his account is disabled?
I’ve done a lot of thinking and writing about presidential records for many years now, ever since I wrote the book Where Have All The Emails Gone?, which took a forensic look at the issue of presidential records and digital communication through the lens of the George W. Bush administration’s missing email scandal. 
I also did a deep dive into Hillary Clinton’s email server scandal in a series of articles for ZDNet. It has always been my belief that it is necessary to take an analytical, evidence-based, non-partisan approach when it comes to the preservation of presidential records.
It is important to think of this as a historical issue and not a political one. Electronic records are still rather new to our history as a nation, couldn’t even have been conceived of by our founders, and aren’t represented fully in many of our older but still-active laws. But now that digital messages are so relevant to our lives, and have become the chief way we communicate, we need to make sure we don’t delete them, allow them to conveniently slip through loopholes, or let them be consumed by bit rot.
The proper preservation and curation of presidential records is of critical concern to historians and those who will want to look back at the second half of the 21st century’s first decade. President Trump’s tweets are a modern-day equivalent of the Jefferson/Adams letters. While those letters were mostly written after both presidents’ terms of office, the cache of historical documents provided invaluable insight into the beliefs, concerns, prejudices, decision-making methodology, and personalities of two of America’s founders.
President Trump’s tweets
President Trump’s tweets may provide historians with an even deeper insight. These were the in-the-moment representations of the 45th president’s internal thoughts. As time goes on, the heat of the moment will dissipate, but historians will still want to understand motivations and character. Those tweets will, at least in part, provide those insights.
Fortunately, it appears those tweets will be preserved. The National Archives, on Sunday January 10, disclosed (through a tweet, naturally) that they will archive President Trump’s social media content. This makes sense, because the NARA (National Archives and Records Administration) is tasked with curating presidential records.

The gotcha, of course, is whether tweets constitute presidential records. According to Press Secretary Sean Spicer back at the beginning of Trump’s term, tweets did constitute presidential records.
Back in 2017, Spicer didn’t specify whether @realDonaldTrump, in addition to @POTUS, was considered official records. But now, in 2021, NARA has explicitly included @realDonaldTrump in the accounts it’s planning to archive.
The second issue is the nature of official presidential records. Let’s say the president makes a list of McDonald’s treats he wants for lunch, and writes that list on a note which is handed to an aide. That paper note, if it contains no other information, is not considered a presidential record and need not be archived. On the other hand, if he makes a similar note about senators he wants to call about a piece of legislation, that piece of paper is considered a presidential record and must be presented to the Archives.
My question (and I sent a request into NARA, but haven’t heard back) is whether all of Trump’s tweets will be archived, or only those that fit the somewhat narrow definition of Presidential Records Act records.
To that end, I’m openly reaching out to David S. Ferriero, Tenth Archivist of the United States, with my strong recommendation that all tweets, Facebook posts, and other social media posts by Donald Trump be archived in perpetuity for the benefit of future historians and researchers.
Stay tuned. I’ll update this article if I get an official answer from Ferriero or a NARA spokesperson.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV. More

A new combination of two older types of malware, which provides hackers with access to almost everything a user does on an Android smartphone, is up for sale on underground forums for as little as $29.99 – providing even low-level cyber criminals with the ability to steal sensitive personal data.
The ‘Rogue’ remote administration tool (RAT) infects victims with a keylogger, allowing attackers to easily monitor the use of websites and apps in order to steal usernames and passwords, as well as financial data. The low cost of the malware reflects the increasing sophistication of the criminal ecosystem that is making it possible for wannabe crooks with limited technical skills to acquire the tools to stage attacks.

More on privacy

The malware threatens full-scale espionage on the device by monitoring the GPS location of the target, taking screenshots, using the camera to take pictures, secretly recording audio from calls and more. It does all this while staying completely hidden from victims – and all attackers need is their own smartphone in order to issue commands.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
Rogue has been detailed by cybersecurity researchers at Check Point, who say it isn’t a fully new form of malware, but rather a combination of two previous families of Android RATs – Cosmos and Hawkshaw – and demonstrates the evolution of malware development on the dark web.
There’s no single way in which hackers install Rogue because part of the way it works is they get to choose the method of infection, either by phishing, malicious apps or something else.
After being downloaded onto a smartphone, Rogue asks for the permissions that it needs for the hacker to remotely access the device – although the download obviously doesn’t mention that this is the reason why they’re needed. If the permissions are not granted, it will repeatedly ask the user to grant them until they do.

Once the permissions have been gained, Rogue registers itself as the device administrator and hides its icon from the home screen. If the user tries to revoke these administrator credentials, a message asks “Are you sure to wipe all the data?”, something that could scare many people off attempting to remove the installation, fearing they’ll wipe their entire device.
The malware gets around being detected as malicious by exploiting Google’s Firebase service for apps in order to masquerade as a legitimate app on the device and help it remain embedded and active.
SEE: Cybersecurity: This ‘costly and destructive’ malware is the biggest threat to your network
Once successfully embedded on a device, the malware installs its own notification service, allowing the malicious operator to examine what notification and pop-up the victim receives, enabling them opportunities to examine what data is available on the device. 
One of the best ways for users to avoid falling victim to mobile malware is to install security updates, something that prevents cyber criminals from exploiting known vulnerabilities to help deliver malware. In addition to this, users should be wary of apps that appear to ask for an excessive number of permissions to run on the device and should ideally only download apps with a trusted source of origin from the official app store.
MORE ON CYBERSECURITY More

A wave of attacks against companies in Columbia uses a trio of Remote Access Trojans (RATs) to steal confidential, sensitive data.

The campaign, dubbed Operation Spalax, was revealed by ESET researchers on Tuesday. 
In a blog post, the cybersecurity firm said government and private entities in Columbia are being exclusively targeted by the threat actors, who seem to have a particular interest in the energy and metallurgical industries. 
ESET began tracking the campaign, which is ongoing, in the second half of 2020 when at least 24 IP addresses — likely compromised devices acting as proxies for the attackers’ command-and-control (C2) servers — were linked to a spate of attacks. 
To begin the infection chain against a target entity, the threat actors use a traditional method: phishing emails. The subjects of these fraudulent messages range from demands to attend court hearings to bank account freeze warnings and notifications to take a mandatory COVID-19 test. 
In some samples, agencies including the Office of the Attorney General (Fiscalia General de la Nacion) and the National Directorate of Taxes and Customs (DIAN) were impersonated.
Each email has a .PDF file attached, linking to a .RAR archive. If the victim downloads the package — located on OneDrive, MediaFire, and other hosting services — an executable file within triggers malware. 

The threat actors use a selection of droppers and packers to deploy the Trojan payloads, the purpose of all being to execute a RAT by injecting it into a legitimate process. 
The three payloads are all available commercially and have not been developed in-house by the cyberattackers. 
The first is Remcos, malware available on underground forums for as little as $58. The second RAT is njRAT, a Trojan most recently spotted in campaigns using Pastebin as an alternative to C2 structures, and the third is AsyncRAT, an open source remote administration tool. 
“There is not a one-to-one relationship between droppers and payloads, as we have seen different types of droppers running the same payload and also a single type of dropper connected to different payloads,” ESET notes. “However, we can state that NSIS droppers mostly drop Remcos, while Agent Tesla and AutoIt packers typically drop njRAT.”
The RATs are able to provide remote access control to the threat actors and also contain modules for keylogging, screen capture, clipboard content harvesting, data exfiltration, and both the download and execution of additional malware, among other functions. 
According to ESET, there are no concrete clues to attribution, however, there are some overlaps with APTC36, also known as Blind Eagle. This APT was connected to attacks in 2019 against Columbian entities in order to steal sensitive information. 
The attacker’s use of dynamic DNS services means that the campaign’s infrastructure is also constantly changing, with new domain names being registered for use against Columbian companies on a regular basis. 
ESET also noted links to research conducted by Trend Micro in 2019. The phishing tactics are similar, but whereas Trend Micro’s report relates to spying and potentially the targeting of financial accounts, ESET has not detected any use of payloads beyond cyberespionage. However, the company acknowledges that some of the targets of the current campaign — including a lottery agency — don’t appear to make logical sense just for spying activities. 
The cybersecurity firm added that due to the large and fast-changing infrastructure of this campaign, we should expect these attacks to continue in the region for the foreseeable future. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Facebook is working “24/7” to tackle content including “stop the steal” from spreading across the network ahead of the US Inauguration Day.

With the scenes at the Capitol building fresh in our minds and as US police continue to hunt down rioters involved in the siege, thoughts have turned toward the upcoming inauguration, when President-elect Joe Biden will be sworn into office on January 20.
The FBI has warned states of potentially armed protests ahead of and during the event, and in an attempt to prevent Facebook from becoming a means to incite further violence, the social network has begun preparing for Inauguration Day with “new urgency.”
According to Guy Rosen and Monika Bickert, Facebook VPs of Integrity and Global Policy Management, the company has assessed the next two weeks as a “major civic event.”
On January 11, the duo said the same teams used to tackle inappropriate content ahead of the US election are now in place to try and stop the spread of misinformation, conspiracies, and violent content. 
Facebook is now targeting “stop the steal,” a phrase used by Trump supporters who believe the election was stolen, on both the main network and Instagram. In the lead up ahead of the inauguration, Facebook is going beyond taking down the original stop the steal group and will now remove related pages, groups, and events that may be used to encourage violence. 
“It may take some time to scale up our enforcement of this new step but we have already removed a significant number of posts,” the company says. 

Facebook will also provide information to law enforcement when “legitimate” requests are made and will delete any content considered a “direct threat to public safety.”
During inauguration week, the tech giant will launch a Facebook News digest relating to the event as a source for legitimate news, in a similar manner to the hub launched for COVID-19. 
Facebook intends to maintain a block on US political or election-related adverts, including ads submitted by politicians. 
“We will stay vigilant to additional threats and take further action if necessary to keep people safe and informed,” Facebook says. 
Facebook also announced the hire of Roy Austin to help lead a new civil rights organization within Facebook. Austin is a Harris, Wiltshire & Grannis LLP civil rights attorney who will take the posts of VP of Civil Rights and Deputy General Counsel for the social network, starting January 19. 
Twitter, too, is taking action in an attempt to stop content being shared across the microblogging platform to “incite violence, organize attacks, and share deliberately misleading information about the election outcome.”
The company is permanently suspending accounts — the most high-profile of late being that belonging to US President Trump (@realDonaldTrump) — and in total, since Friday, a further 70,000 accounts have been wiped out. 
According to Twitter, in some cases, a single individual would control multiple accounts in order to spread QAnon content. 
“Accounts that have tweeted or retweeted [QAnon] associated content will continue to be subject to limited visibility across search, replies, and on timelines and are prohibited from being recommended to others by Twitter,” the company says. 
Twitter has also stopped tweets issued a warning label for violating civic integrity policies from being replied to, liked, or retweeted, although Quote Tweet is still active. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

New South Wales residents have been using a QR code scanner within the Service NSW app to check into businesses across the state to help health authorities with COVID-19 contact tracing.
The mandatory use of the Service NSW QR code was first announced last month, with Minister for Customer Service Victor Dominello on Tuesday revealing there have been over 30 million check-ins since the feature went live.
“This pandemic is tough enough,” he said in a Facebook post. “If people do not want to check in, they are not only putting public health at risk but also the economy at risk.
“We only have to look at London and New York to see what happens when public health spirals out of control.”
Read more: NSW says QR codes are the most effective system for COVID-19 contact tracing
The minister said checking in via a QR code is not too much to ask during a pandemic.
“It only takes a matter of seconds and keeps people safe and the economy open,” he added.

The QR code-based check in system is mandatory for hospitality businesses and hairdressers. If businesses do not use the Service NSW QR code check-in system, they face AU$5,000 fines, closure of the business for a week, and should the venue further fail to comply, potentially a month’s closure.
As of late December, 50,000 businesses were on board and 2 million people have used the Service NSW QR code feature.
Dominello on Tuesday added his department had received over 1.7 million pieces of feedback on the feature, using a thumbs up emoji to indicate a positive response sitting at around 94%.
Last week, the Service NSW app suffered a two-hour outage, rendering citizens unable to check in to businesses and venues across the state through the app.
A spokesperson for the Department of Customer Service told ZDNet the outage was unexpected.
“This afternoon Service NSW App experienced an unexpected outage preventing some customers from checking in with the COVID Safe Check-in tool. The outage lasted for 2 hours and is now resolved,” they said on Thursday.
As of Tuesday morning, NSW Health said there was five new locally acquired cases of COVID-19 in the 24 hours to 8pm Monday night.
11 cases were also recorded in returned travellers, bringing the total number of COVID-19 cases in NSW since the beginning of the pandemic to 4,845
RELATED COVERAGE More

Over 50 Australian MPs have joined a new parliamentary group that aims to hold technology giants accountable for the information they allow on their platforms.
The Parliamentary Friends of Making Social Media Safe group is explained as providing a non-partisan forum for MPs to meet and highlight the environment of social media and the risks associated.
The group will also consider how platforms can be held accountable for the material published on their sites, and what policy measures can be considered by governments to keep social media platforms safe.
One member of the group is Science Minister Karen Andrews, who called it an avenue for “starting the conversation”. Speaking on 3AW on Tuesday morning, Andrews said one of the first items on the group’s agenda is to look at what the issues are, and how best to prosecute that.
See also: Labor floats jail time as penalty for social media giants that breach Aussie law
Pointing to the permanent suspension of soon-to-be former United States President Donald Trump from Twitter, Andrews said there was a “whole range of questions” stemming from the ban, such as the consistency and fairness of various rules across social media sites.
“There have been many instances of comments that have been taken down from various platforms, but yet in some instances, these platforms are very quick to act when it seems as if the subject content is something that they don’t personally agree with,” she said. “That is unfair, it is inconsistent, and it lacks the transparency that we are looking for.”

The minister was asked if she believes there were double standards, given the amount of “disgusting” content still proliferating on social media sites, despite Trump’s ban.
“That is the absolute lack of transparency and the subjectivity that I am most concerned about. There needs to be fairness, it needs to be very clear that these rules are being applied in a consistent manner. And it’s pretty obvious that at the moment they’re not,” Andrews said in response.
Former Opposition Leader Bill Shorten, meanwhile, said for all its blessings, the internet also has an underbelly, likening it to a “sewer”.
“The internet has proven to be a magnet to draw together idiots and conspiracists who otherwise would never meet each other,” he said Tuesday morning.
“I mean, it may be the one favour Donald Trump’s done the world is getting himself banned on Twitter, because if Twitter can do it to him, then maybe some of the inflammatory comments that get said about our kids or about people in daily life, maybe we can just — you know, you’re free to speak, but you’ve got to face the consequences of it.”
Also a member of the group is Shadow Assistant Minister for Treasury Andrew Leigh, who echoed remarks made by ALP’s acting communications spokesperson Tim Watts, saying the social media companies have self-regulatory policies which are “pretty much” in accord with Australia’s democratic norms.
“You don’t incite violence, you don’t spread hate speech, you don’t spread dangerous medical misinformation,” he said.
“But it is appropriate that over time we also look at the way in which these platforms have chosen to make their decisions of banning particular people.”
Leigh said in Trump’s case, he unequivocally thinks Twitter made the right call.
“If you’re inciting violence, you shouldn’t be on one of these platforms,” he said.
The shadow minister pointed to remarks made by two Coalition MPs he said were spreading dangerous misinformation during a pandemic. One of the MPs, Michael McCormack, who is currently acting prime minister while Scott Morrison takes leave, was called on by Leigh to “stand up for sensible science”.
McCormack said he supported free speech and did not believe in the type of censorship demonstrated in the United States. The acting prime minister on Monday compared the 2020 Black Lives Matter protests to the riot on the Capitol, with the ABC quoting him as saying “any form of violence” should be condemned.  
McCormack on Tuesday also declared “all lives matter” during a press conference. He also said most of what his colleagues have said is true and that people on Twitter need to “toughen up”. 
The parliamentary group was stood up by Labor MP Sharon Clayton and Nationals MP Anne Webster.
Webster’s family was last year awarded an AU$875,000 defamation payout from a woman who used Facebook to make “disgraceful and inexplicable” posts about the Victorian MP.
RELATED COVERAGE More

Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.
Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
But while Sunspot is the latest discovery in the SolarWinds hack, Crowdstrike said the malware was actually the first one used.
Sunspot malware ran on SolarWinds’ build server
In a report published today, Crowdstrike said that Sunspot was deployed in September 2019, when hackers first breached SolarWinds’ internal network.
The Sunspot malware was installed on SolarWinds build server, a type of software used by developers to assemble smaller components into larger software applications.
CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds’ top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.
Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
Timeline of the SolarWinds supply chain attack

These trojanized Orion clients eventually made their way one SolarWinds’ official update servers and were installed on the networks of the company’s many customers.
Once this happened, the Sunburst malware would activate inside internal networks of companies and government agencies, where it would collect data on its victims and then send the information back to the SolarWinds hackers (see this Symantec report about how data was sent back via DNS request).
Threat actors would then decide if a victim was important enough to compromise and would deploy the more powerful Teardrop backdoor trojan on these systems while, at the same time, instruct Sunburst to delete itself from networks it deemed insignificant or too high risk.
However, the revelation that a third malware strain was discovered in the SolarWinds attack is one of the three major updates that came to light today about this incident.
In a separate announcement published on its blog, SolarWinds also published a timeline of the hack. The Texas-based software provider said that before the Sunburst malware was deployed to customers between March and June 2020, hackers also executed a test run between September and November 2019.
“The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds,” SolarWinds CEO Sudhakar Ramakrishna said today, in an assessment also echoed by the CrowdStrike report.

Image: SolarWinds
Code overlap with Turla malware
On top of this, security firm Kaspersky also published its own findings earlier in the day in a separate report.
Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said that it looked into the Sunburst malware source code and found code overlaps between Sunburst and Kazuar, a strain of malware linked to the Turla group, Russia’s most sophisticated state-sponsored cyber-espionage outfit.
Kaspersky was very careful in its language today to point out that it found only “code overlaps” but not necessarily that it believes that the Turla group orchestrated the SolarWinds attack.
The security firm claimed this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving across different threat actors, or could simply be a false flag operation meant to lead security firms on the wrong path.

Through further analysis, it is possible that evidence enforcing one or several of these points might arise. To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.
— Costin Raiu (@craiu) January 11, 2021

But while security firms have stayed away from attirbution, last week, US government officials formally blamed the SolarWinds hack on Russia, describing the hackers as “likely Russian in origin.”
The US government’s statement did not pin the hack on a specific group. Some news outlets pinned the attack on a group known as APT29 (or Cozy Bear), but all the security firms and security researchers involved in the hack have pleaded for caution and have been very timid about formally attributing the hack to a specific group so early in the investigation.
Right now, the SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity), and StellarParticle (CrowdStrike), but this designation is expected to change once companies learn more.
Right now, one last mystery remains, and that is how did the SolarWinds hackers manage to breach the company’s network in the first place, and install the Sunspot malware. Was it an unpatched VPN, an email spear-phishing attack, a server that was left exposed online with a guessable password?

SolarWinds Updates More

The Reserve Bank of New Zealand — Te Pūtea Matua — on Monday said it was still responding “with urgency” to an illegal breach of one of its systems.
The breach was of a third-party file sharing service provided by California-based Accellion. The bank uses its FTA file transfer product to share information with external stakeholders.
While the system has been secured and taken offline, and the breach described as contained, the Reserve Bank said it would take some time to determine the impact, with an analysis of the potentially affected information underway.
The bank is still looking to confirm the nature and extent of information that has been potentially accessed. It said compromised data may include some commercially and personally sensitive information.
The bank said it is communicating with system users about alternative ways to securely share data.
“We are actively working with domestic and international cybersecurity experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” Governor Adrian Orr said.
“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”

Orr said providing further details could adversely affect the investigation and the steps being taken to mitigate the breach.
“We recognise the public interest in this incident however we are not in a position to provide further details at this time,” he said.
The Reserve Bank disclosed the breach on Sunday.
Across the ditch in Australia, it was reported last week that private details of every Tasmanian who has called an ambulance since November last year were published online by a third party. The ABC said the list, appearing as Ambulance Tasmania’s paging system — which has since been taken offline — was still updating each time paramedics are dispatched.
The data included the addresses of patients, their condition, HIV status, age, and gender. 
Reports indicate a police investigation and an internal review by the Tasmanian Department of Health are underway.
MORE FROM NEW ZEALAND More