More stories

    Senate committee recommends 'rushed' Online Safety Bill be passed

    Australia’s new Online Safety Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the submissions to the consultation were published. It was handed to a Senate committee on February 25 and after holding one public hearing, the committee has handed down its report.
    Despite testimony from tech companies and civil liberties groups, the Environment and Communications Legislation Committee has made a total of two recommendations.
    One of the recommendations simply states: “The committee recommends that the Bills be passed”.
    The Online Safety Bill 2021 contains six key priority areas: A cyberbullying scheme to remove material that is harmful to children; an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; basic online safety expectations for the eSafety Commissioner to hold services accountable; an online content scheme for the removal of “harmful” material through take-down powers; and an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material. 
    The Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021, meanwhile, repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.
    370 submissions were made to the draft consultation; at the time of publishing, 135 of the submissions made to the committee were public.
    Google, Twitter, and Twitch all raised concerns that the definitions contained within the Bill were too broad; Electronic Frontiers Australia (EFA) joined the tech giants in considering the powers given to the eSafety Commissioner as too overreaching; and the Australian Digital Rights Watch highlighted the many negative impacts on the country’s adult industry, as some examples.

    Setting these concerns aside, the committee’s other recommendation was that the government consider amending the Bill’s explanatory memorandum to clarify the requirement for an industry code to be registered within six months. It explained that this would be “for best endeavours and that the Commissioner has the discretion to work with industry over whatever timeframe is deemed necessary to achieve an effective outcome”.
    Labor’s notes on the Bill include pointing to ZDNet’s article, which highlights that key operational elements of the Bill are yet to be worked through.  
    “Labor Senators consider that finding the balance between free speech and protections against certain kinds of speech is a complex endeavour and we are concerned that this Bill represents a significant increase in the eSafety Commissioner’s discretion to remove material without commensurate requirements for due process, appeals, or transparency over and above Senate estimates, annual reporting and AAT appeals,” they add, even though no committee recommendations actually reflect their concerns.
    The opposition does, however, want the government to consider further amendments to clarify the Bill in terms of its scope and to “strengthen due process, appeals, oversight and transparency requirements given the important free speech and digital rights considerations it engages”.
    The Australian Greens, meanwhile, raised concerns with the Bill being rammed through the Parliament through a truncated inquiry process without consideration by either the Senate Standing Committee for the Scrutiny of Bills, or the Parliamentary Joint Committee on Human Rights.
    As a result, the Greens recommend the Bill be withdrawn and redrafted to take account of concerns such as the use of the National Classification Code, which is currently under review; potential for elements of the Bill to be used against lawful online content and content creators; inadequate rights of appeal and remedy for businesses and individuals whose content is wrongly blocked or removed; inadequate transparency and accountability regarding discretionary decisions made by a single, unelected officer; powers covering restricted access/encryption services; and potential significant and detrimental effects on sex workers.
    A second and final recommendation by the Greens has called for the introduction of a constitutionally or legislatively enshrined Charter of Rights, which includes privacy and digital rights consistent with the European Union’s General Data Protection Regulation.

    Welcome to the era of the mega-hack

    We’re now living in the era of the mega-hack. More than ever, software flaws are being seized on by sophisticated hackers who take these bugs – and use them to create attacks that compromise the computer systems of thousands of organisations, all at once.
    Newly discovered vulnerabilities in Microsoft’s Exchange Server provide a good example of this evolution. The flaws were seized on by (likely China-backed) hackers as a way to attack networks, with tens of thousands of systems apparently compromised in a widespread attack. At least 10 other groups are thought to be attempting to use the same exploits, and now cyber criminals are piggy-backing on the original attack in an attempt to deliver ransomware too.
    Bugs exist wherever there is software, despite attempts to eradicate them. What we’re seeing now is a growing ability and desire from hackers to turn these bugs into attacks. Increasingly, the same software applications and tools are being used by companies around the world. Some may not even be aware of the software code they are relying on, such is the interconnected world of tech products. And even if they do know the software they are using, too many companies fail to update it even when warned about vulnerabilities by software vendors.
    Hacking groups have different motivations: state-backed hackers want to gain access to as many systems as possible before deciding which have strategic value (either a source of intelligence or as a stepping-stone to compromising other systems); cyber criminals want to break in where they can to either steal data or deliver money-making ransomware. Either way, threat actors are now sophisticated enough to respond to weaknesses quicker than ever before. That’s bad for everyone.
    A software flaw doesn’t affect just one company, but can put thousands or even tens of thousands at risk as hacking groups seize on a new bug and race to exploit it, breaking into as many systems as possible before a fix is found and applied. Some companies used to think they were too small to be targeted, but will sadly discover that crooks will attack – and potentially destroy — their business, just on the off-chance that a ransom will be paid. Others will find that cutting costs by not patching software flaws is a false economy, to say the least.
    So what can be done? Projects that aim to fix bugs in everything — starting with programming languages and the basic code (often open-source) that underpins software applications — are a start. Encouraging secure code as a standard is a must. Companies must also understand that legacy systems may contain vulnerabilities, and that patching is not optional. Longer-term, the ransomware threat must be addressed and better international rules around state-backed hacking put in place. Neither of those are going to be easy problems to tackle.
    Right now, we need to realise that the stakes are increasing – and rapidly.
    ZDNET’S MONDAY MORNING OPENER 

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

    Okta invests in, partners with Immuta to secure cloud analytics

    Okta, well known for its cloud-based identity management technology, has partnered with automated data governance firm Immuta, both companies announced today. Okta Ventures has also made an investment in Immuta, funding product innovation and joint go-to-market initiatives. The tie-up makes clear both that cloud data lakes/warehouses are here to stay, and that securing them is an enterprise necessity.
    ZDNet spoke with Immuta CEO Matthew Carroll, and Okta Ventures director Austin Arensberg. The two provided context and color around the partnership and explained that it encompasses several touch points.
    Partnership and synergy
    These nodes of partnership include integration of Immuta with Okta’s System for Cross-domain Identity Management (SCIM), extending authorization to cloud data sources including Immuta partners Snowflake and Databricks; Dynamic Policy Creation, wherein Immuta data policies can be informed by Okta identities; implementation of attribute-based access control (ABAC) and purpose-based access control (PBAC) fine-grained security, which work at the row, column, or cell level; and auditing/reporting, where Immuta’s audit logs and reporting can be combined with Okta’s identity and authorization.
    A joint customer of the two companies makes the use case and requirements tangible: the Covid Alliance/Center for New Data, which tracks COVID-19 research and shapes public policy. Facilitating the collaboration that Center for New Data relies on requires that researchers have access to just what they’re authorized to, when combined data sets are created. Privacy rights can’t be violated, and data sovereignty must align with researchers’ geographic locations. 
    The problem is a complex one, but researchers’ access to data needs to be seamless, nevertheless. Ryan Naughton, the Center for New Data’s co-founder/co-executive director, says “the combination of Okta and Immuta allows us to confidently authenticate a diverse set of users and authorize different levels of analyses, while preserving privacy and ensuring compliance with regulations and contractual data rights.”
    Old requirements, new dimensions
    It’s clear that older, conventional on-premises data analytics platforms aren’t sufficient for workloads where data sources are varied, data volumes are large, and updates are frequent. But it’s also the case that the level of rigor and security in those older systems is absolutely still needed. Just as integration of Active Directory/LDAP and Kerberos into the open source big data sphere has been necessary, it’s now also time to integrate identity management systems like Okta’s, which allow a single identity to be used for authorization to multiple cloud services.
    In other words, building and operating cloud data lakes and warehouses requires single sign-on, across clouds, applications and services. The Okta-Immuta partnership makes this possible. While the union may be less than “sexy,” it’s a big deal in terms of cloud data analytics maturity.

    Uber, Lyft to share data on drivers banned for sexual, physical assault

    Uber and Lyft will share information on drivers that have been banned from their platforms for reasons including sexual and physical assault. 

    The Industry Sharing Safety Program, announced on Thursday, will be managed by workforce solutions provider HireRight. 
    At present, if drivers are banned from working on one of the firms’ platforms for “serious” safety incidents, they could theoretically move to the other and resume work, either in passenger transport or for delivery services. 
    However, the new US program may stop these transitions from going under the radar. 
    According to Tony West, senior VP and chief legal officer at Uber, “safety should never be proprietary.”
    “Tackling these tough safety issues is bigger than any one of us and this new Industry Sharing Safety Program demonstrates the value of working collaboratively with experts, advocates, and others to make a meaningful difference,” West commented. 
    The platform will allow both Uber and Lyft to exchange data on drivers ‘deactivated’ for sexual assault, misconduct, and “physical assault fatalities.” HireRight will collect and manage driver data.

    Uber and Lyft say the platform “incorporates learnings from anti-sexual violence advocates over the past several years and prioritizes safety, privacy, and fairness for both drivers and survivors.”
    The program will be opened to similar transport and delivery companies in the United States. 
    In other Uber news, in February, a UK court ruled that Uber drivers in the UK could not be considered self-employed. The long-running legal battle, in which Uber argued its drivers were contractors and, therefore, not entitled to certain employment protections or a minimum wage, was lost when the Supreme Court disagreed. 
    For drivers, this means that they may be entitled to back pay and compensation. For Uber, this means the company’s entire business model — based on gig-economy workers — needs to be revised, at least in the UK. 
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    The future of data privacy: confidential computing, quantum safe cryptography take center stage

    Confidential computing, quantum safe cryptography, and fully homomorphic encryption are set to change the future of data privacy as they make their way from a hypothesis to viable commercial applications. 

    On Thursday, IBM Research hosted an online program exploring each of these technologies and how they could impact how we securely manage, encrypt, store, and transfer information — with each solving a different challenge posed by future data privacy concerns.
    Confidential computing
    IBM has been working on confidential computing for roughly a decade. The concept behind the technology is to permit clients to retain full privacy and control over data and operational workloads through hardware-level security. 
    This can include the implementation of “secure enclaves” — trusted execution environments — which can manage data and are only accessible through authorized programming code, keeping information away not only from cloud or infrastructure providers but also external threat actors. 
    IBM likens the technology to a hotel room safe, in which keycards are required to access the room, but further authorization is required to open the lock to the safe. 
    According to Hillery Hunter, VP and CTO at IBM Cloud, initial commercial applications of this technology are already embedded in financial services, telecoms, and healthcare offerings. Clients include Daimler and Apple for the CareKit SDK. 
    In November, IBM and AMD announced a collaborative partnership to work on confidential computing and hybrid cloud deployments. 

    Google Cloud, too, is investigating the technologies through virtual machines (VMs) which utilize confidential computing principles to secure data both at rest and in transit, and Intel’s third-generation Xeon Ice Lake chips have been developed in order to handle the processor demands of confidential computing. 
    Quantum safe cryptography & standardization
    Quantum safe cryptography aims to tackle the problems that will arrive with the day we have a working quantum machine. 
    While quantum computing is being actively worked on by engineers worldwide, with Honeywell, for example, ramping up the capacity of its own System Model H1 to a quantum volume of 512, it is estimated that a full-capacity quantum computer could exist within the next 10 to 15 years. 
    When that day arrives, however, the high computational power of these machines would render “virtually all electronic communication insecure,” according to IBM, as quantum computers are able to factor large numbers — a core precept of today’s cryptography.
    To resolve this, standards based on lattice cryptography have been proposed. This hides data in complex algebraic structures and is considered to be an attractive option for future-proofing data privacy architectures. 
    According to IBM cryptographer Vadim Lyubashevsky, adopting lattice frameworks is unlikely to impact end-users — and may actually improve computational performance. 
    But why bother now, when full quantum machines do not exist? According to mathematician Dustin Moody from the National Institute of Standards and Technology (NIST), the enterprise should look at adopting lattice, “quantum safe” cryptography as soon as it is commercially viable to do so. 
    Moody says that large-scale quantum computers could be used in attacks able to break cryptography used today — and so, all an attacker needs to do is harvest information now and store it for decryption in the future. 
    “It’s important to make sure we can counter this threat now,” Moody added. “There will be a transition with these algorithms, and it won’t necessarily be easy. We are trying to prepare as much as we can and encourage others to do so.”
    To this end, NIST has launched the post-quantum cryptography project (PQC), which has elicited proposed algorithms for post-quantum encryption. At present, seven applications are under review and a standard is expected to be selected between 2022 and 2023. 
    Fully homomorphic encryption 
    Fully homomorphic encryption (FHE) is sought after as a “Holy Grail” of encryption. FHE is a form of encryption that allows information to remain encrypted during computation and processing, regardless of the infrastructure or cloud technologies managing the data. 
    For example, data could be transferred between different parties and the cloud, analyzed, and sent back without ever being viewed or being made available in plaintext. 
    FHE utilizes different mathematical algorithms to the encryption we use today and has been in development over the past decade. 
    While FHE could be transformational in the data privacy arena, the issue is the vast processing power and time required to facilitate encrypted data processing — especially when it comes to the large datasets used by the enterprise or in research. 
    Scientists are working on ways to improve the efficiency of FHE algorithms and due to their efforts — as well as the development of hardware able to support FHE — early-stage use cases are now being explored. 
    Enterprise firms are under pressure from increasing data protection regulations and the risk of penalties and fines if data is not adequately protected. At the same time, however, they also need to capitalize on data to create competitive differentiators and improve their operations, as well as to explore new business opportunities. 
    According to Eric Maass, Director of Strategy & Emerging Technology at IBM, the challenge is “extracting the value of the data while preserving its privacy.”
    In December, the firm launched the IBM Security Homomorphic Encryption Services, a platform designed to allow the enterprise to experiment with FHE in tandem with existing IT architecture, products, and data.
    Intel is working with the US Defense Advanced Research Projects Agency (DARPA) on the Data Protection in Virtual Environments (DPRIVE) program, designed to bring down the cost and time of FHE implementations, and companies including Microsoft, Duality Technologies, Galois, and SRI International are also working toward the same goal. 
    Maass believes that highly-regulated industries, such as healthcare or financial organizations, will be “early adopters in this space.”

    Microsoft: Watch out for this new ransomware threat to unpatched Exchange email servers

    Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.
    Microsoft is warning Exchange customers once again to apply the emergency patches it released last week for critical flaws affecting on-premise Exchange email servers. 

    Microsoft urged customers on March 2 to install the patches immediately due to the risk that more cybercriminals and state-backed hackers would exploit the flaws in coming weeks and months. 
    It said existing attacks were being carried out by a Chinese hacking group it calls Hafnium. However, security vendor ESET reported yesterday that at least 10 state-backed hacking groups were now attempting to exploit flaws in unpatched Exchange servers.   
    And now cyber criminals are looking to feed off the Exchange bugs. Ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers, according to Microsoft. 
    “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft’s Defender antivirus will detect the new threat.  

    Microsoft added that customers using Microsoft Defender antivirus that use automatic updates don’t need to take additional action after patching the Exchange server. 
    Microsoft appears to be treating this set of Exchange bugs as an urgent one to fix and last week provided further security updates to address the flaw in unsupported versions of Exchange. 
    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) last week ordered federal agencies to patch the Exchange flaws or cut vulnerable servers off from the internet. 
    CISA further said it is “aware of threat actors using open-source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020.”
    The bugs affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019, but not Exchange Online. 
    The attackers were using the bugs to compromise Exchange servers and deploy web shells to steal data and maintain access to servers after the initial compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system. 
    Microsoft has released a script on its code-sharing site GitHub that admins can use to check for the presence of web shells on Exchange servers. 
    That script could come in handy when kicking attackers off a previously compromised system. Microsoft security researcher Kevin Beaumont recommended organizations run the script after patching to ensure the web shells are removed. 
    CISA has advised it “is aware of widespread domestic and international exploitation of these vulnerabilities” and urged Exchange admins to run Microsoft’s Test-ProxyLogon.ps1 script. 
    Independent security researchers behind the MalwareHunterTeam account on Twitter say they’ve seen attacks on companies in Canada, Denmark, the United States, Australia, and Austria, with the first victims observed on March 9 — just seven days after Microsoft issued the patch and warned Exchange customers to patch immediately. 
    CISA strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.

    Netflix wants to stop you sharing your password

    Netflix is testing out ways to stop account holders from sharing their passwords — and access — with others who don’t own a subscription. 

    The content streaming service, which now accounts for over 203 million subscribers worldwide, has become a heavyweight in the TV and film sector in recent years, and has, perhaps, become even more popular due to stay-at-home orders prompted by the COVID-19 pandemic. 
    However, in the same way as other streaming services — including Disney+, Amazon Prime Video, and Hulu — the company faces the challenge of stopping subscribers from sharing their account credentials. 
    Research conducted by ESET last year found that 60% of respondents share their streaming service account details with at least one other person and one in three share their account with two or more people. 
    Normally, sharing online account details with anyone is not recommended. However, in the content streaming space, it has become accepted and commonplace. 
    As reported by the Washington Post, however, Netflix is exploring ways to stop this practice. 
    When accessing a Netflix account, some users have recently seen pop-up messages saying, “If you don’t live with the owner of this account, you need your own account to keep watching.”

    Users are then asked to verify they have permission to use the account through a code sent via an email or text message.  
    “This test is designed to help ensure that people using Netflix accounts are authorized to do so,” a Netflix spokesperson said. 
    The trial has not been rolled out widely, as of yet, and the test does not mean that the company will impose additional checks in the future. However, password sharing is against Netflix’s terms of service and so the company would be within its rights to do so — but may run the risk of alienating subscribers. 
    By using a verification option, at the least, this may stop unauthorized use in cases where accounts have been compromised or passwords have been shared without permission. 

    Microsoft Exchange Server hacks ‘doubling’ every two hours

    Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.  

    According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 — and attack attempts continue to rise. 
    In the past 24 hours, the team has observed “exploitation attempts on organizations doubling every two to three hours.”
    The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively. 
    Government, military, manufacturing, and then financial services are currently the most targeted industries. 

    Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.
    The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

    Microsoft issued emergency, out-of-band patches to tackle the security flaws — which can be exploited for data theft and server compromise — and has previously attributed active exploitation to Chinese advanced persistent threat (APT) group Hafnium. 
    This week, ESET revealed at least 10 APT groups have been linked to current Microsoft Exchange Server exploit attempts. 
    On March 12, Microsoft said that a form of ransomware, known as DearCry, is now utilizing the server vulnerabilities in attacks. The tech giant says that after the “initial compromise of unpatched on-premises Exchange Servers” ransomware is deployed on vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak. 
    “Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges,” commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. “Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets.”