New South Wales resilience commissioner and former commissioner of the NSW Rural Fire Service Shane Fitzsimmons has assured that the systems government builds to respond to crises, whether a natural disaster such as a bushfire or the COVID-19 pandemic, are built with the user’s trust in mind.
“In the government and public information space, we are absolutely invested in making sure that we are building systems that are virtuous, and absolutely with the intent of doing good and doing better for people. That is the core focus. Not to misuse and build a break in that trust contract,” he said, speaking during a roundtable on Tuesday.
Fitzsimmons pointed to how the NSW government responded to the COVID-19 pandemic with the release of its contact tracing QR code check-in system, as an example.
“What we’ve been doing in the last 6-12 months in New South Wales alone, but as a nation, is having agile, up-to-date critically important websites and public-facing tools to give people the latest information and the updates on what they can’t do, what the restrictions are, where the progress is up to.
“It’s a government-sponsored QR code, so there is a trust element that goes to a trusted source of government.”
He acknowledged, however, there are always mixed views when it comes to trusting government around handling people’s data, particularly when it is compared to the trust people have for social media companies.
“In the last six to 12 months, the federal government rolled out the COVIDSafe app and there was this campaign of information of you can’t trust the government, you can’t trust them, what are they going to do with our information. But the irony was the people who were saying that were running their conversations on social media platforms. The irony was extraordinary,” he said.
“So, we are funny as human beings with what we think is a trust issue or not a trust issue with data.”
The public was not the only one that had trust issues leading up to the release of the COVIDSafe app. Former leader of the National Party Barnaby Joyce also voiced concerns that the app had the potential to be hacked.
In an effort to build public trust prior to its release, Prime Minister Scott Morrison said no Commonwealth entity would have access to any data collected by the COVIDSafe app.
“The app only collects data and puts it into an encrypted national store, which can only be accessed by the states and territories,” he said at the time.
“The Commonwealth can’t access the data, no government agency at the Commonwealth level, not the tax office, not government services, not Centrelink, not Home Affairs, not Department of Education — the Commonwealth will have no access to that data.”
On Monday, the Victorian Legislative Council Legal and Social Issues Committee found that the federal government’s COVIDSafe app had made an insignificant contribution to Victoria’s contact tracing efforts. While analysis of the app was outside the scope of the committee’s inquiry, it noted that no evidence was given to suggest the app had been effective or had contributed to supporting Victoria’s public health response.
Image: Binary Security
Stewart Stacey has an extensive CV. He took a scholarship with the Department of Defence instead of finishing year 12, then spent a number of years with government in “pseudo IT guy” roles, including at ATSIC, the Aboriginal and Torres Strait Islander Commission, prior to its abolition.
Stacey then opened Darwin’s first internet cafes and started his own internet company, Territory Internet Services. At the same time, he consulted with the Northern Territory government, acting as a “drop in IT manager” at multiple agencies.
He was then appointed to lead the build of the United Nations (UN) network in Darwin, which Stacey described as a fairly large network across five different buildings. The project began after the East Timorese voted for independence in 1999 and the subsequent retaliation from Indonesia-aligned militia, with Stacey heading over to Dili while Australian troops were still on the ground to perform work for NGOs, like the World Health Organization, World Food Program, and the UN directly.
Following further Defence contracting, including with the Royal Australian Air Force, securing Darwin’s Apple Store as a client for a new IT venture, and returning from the United States for a role as an IT manager at a gym, Stacey did a stint in mining, where he was responsible for the build of an AU$6 million optic fibre network in the NT for the territory’s electricity generator.
He told ZDNet this also included the build of two data centres.
In 2017, Stacey decided it was time to launch Binary Security.
He said his experience left him capable of not only “all things IT” but also gave him the skills to run the operational and business side of tech. But to him, starting up Binary Security was about much more.
“Through dealing with the Northern Territory government, and all of my suppliers, all the key contracts that I had, I never once came across another Indigenous person, not once,” he said. “When you work for the government, you don’t have the ability — unless you work in HR, or you’re a decision maker for the enterprise — I didn’t have the ability to put on Indigenous trainees or do anything to sort of promote Indigenous participation in IT.”
Going out on his own gave Stacey that ability.
“It’s something that I’ve been wanting to do for quite a long time … there is a stereotype for Indigenous people. In their employment, they’re sort of more focused on agricultural roles — land, sea-based, ranger based, that’s where a lot of the money goes to,” he said. “And that’s all important, that shouldn’t change … [but] there’s very little when it comes to the other end of the stick, within the high-tech fields.”
Binary Security’s value proposition is that it provides the same services as mainstream cybersecurity companies, and that engaging it is, by default, an investment in and promotion of Indigenous participation in high-tech fields.
While the COVID-19 pandemic has put Stacey’s expansion plans on hold, moving forward he is planning on taking on six interns per year, with hopes to not only bridge the Indigenous gap but also address the lagging participation rates of women in tech too.
He is also setting up a security operations centre in Darwin, with plans for one in Sydney as well that will have a training centre attached. The centres will focus on preparing security analysts and also providing basic IT skills for Indigenous people to be prepped to move into the industry.
“I hope that’s going to act like a beacon to draw people in,” he said.
One of the very few Indigenous-owned and -operated businesses involved in cybersecurity, Binary Security counts government, enterprise, and small business among its clients.
Despite his CV, Stacey still faced struggles, not only as a startup in a region of Australia that isn’t synonymous with innovation, but as an Indigenous one.
“There’s some good things and some not so good things, for example … governments are expected to spend money with an Indigenous organisation, and it’s actually part of the tendering process,” Stacey explained. “Entities tend to go out and pick an Indigenous company just to tick a box on a form … the intention is good to start getting Indigenous companies involved … but then you are looked at as just a tick box.
“We can actually do the work as good as anybody else.
“But, you have to start somewhere, so I think taking advantage of those situations and just doing a good job and let your work speak for itself.”
During the 2020 financial year, consumers made over 4,000 privacy-related complaints about telecommunications providers.
The Privacy Act 1988 gives the Australian Information Commissioner the discretion to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints. Under that arrangement, consumers can take privacy complaints about their telecommunications provider directly to the Telecommunications Industry Ombudsman (TIO).
The TIO, in a submission to the consultation on the ongoing review of the Privacy Act, said it received 4,328 complaints involving privacy issues during FY2020.
The wide-ranging review is considering the definition of personal information; whether existing exemptions for small businesses, political parties, and the storing of employee records to comply with the Act should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.
The review was agreed to as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.
The Attorney-General’s Department (AGD) posed a total of 67 questions in a discussion paper released in late October.
Also providing a submission was Telstra and its Telstra Health subsidiary, which has previously come under fire for its troubled Australian cervical and bowel cancer screening registers project.
Telstra said it considers much of the Privacy Act to be fit for purpose, while noting there is scope for developing or updating guidance in some areas. It said that, more than 30 years on, the Act’s principles remain accurate and relevant, and that it strongly supports a principles-based, technology-neutral regime.
“The principles-based approach to the development of the Privacy Act … has resulted in an Act that has stood the test of time, and we consider remains fit-for-purpose,” the telco wrote.
It also said there was no need for additional legislated protections for de-identified, anonymised, or pseudonymised information.
“Information that has been de-identified should no longer be regarded as personal information and, therefore, should not be regulated under the Privacy Act as its use or disclosure should have no privacy-related consequences for any individual,” Telstra said.
It does not support a recommendation made by the ACCC that the notification requirements in the Privacy Act be amended to require every collection of personal information to be accompanied by a notice from the collecting entity. Instead, Telstra said any reform of notification should ensure that notices are only provided where they are meaningful, for example where there is a change that may legitimately prompt a consumer to change their behaviour.
Telstra believes consent should only be one of the lawful bases for data use, and that there is no need for changes to control and security within the Act.
“The [Digital Platforms Inquiry] report recommended that a direct right of action be introduced in order to provide individuals greater control over their personal information and to provide an additional incentive for APP [Australian Privacy Principle] entities to comply with their obligations under the Privacy Act. We do not agree that a direct right of action is the best way to achieve these aims, and see a well-resourced OAIC as a more effective way of continuing to pursue the Privacy Act’s objectives,” Telstra said on the suggested introduction of a direct right of action or statutory tort.
Elsewhere, Deloitte said the creation of a standardised notice framework has the potential to benefit consumers by reducing complexity and increasing their engagement. It also said consideration should be given to strengthening and expanding the consent requirements in the Privacy Act.
“These include the opportunity to take more control of their personal information, drive more meaningful consumer interactions with organisations, and unlock the wider benefits of information sharing in a more transparent way, while minimising unexpected collections, uses, and disclosures of information that can cause significant negative consumer sentiment towards organisations,” it wrote.
Deloitte said strengthening consent requirements would likely help individuals make more informed choices about how, when, why, and with whom they share their personal information. It said this would likely lead to better outcomes for both organisations and individuals.
“In order to produce the desired outcomes from the consent process, it is important that the consent obtained is meaningful,” it said.
In its submission, Salinger Privacy has asked for the definition of personal information to be amended to include a drafting note to the effect that location data, device identifiers, and online identifiers, including cookies, IP addresses, MAC addresses, and user IDs, are examples of data, identifiers, or techniques which can render an individual able to be discerned or recognised as distinct from others.
“We further submit that there should be included a drafting note (or a new definition in the Act) to the effect that ‘device’ is to be read expansively, and can include a vehicle such as a car, a mobile device such as a mobile phone, a wearable such as a fitness tracker or location monitor, an implantable such as a pacemaker, or a household device such as a smart TV,” it added.
Salinger also submitted that the definition of de-identified in the Privacy Act should be replaced with a new definition: “Anonymous data means data from which no individual is identifiable”.
It also said that the political exemption provided within the Privacy Act should be abolished.
Image: Asha Barbaschow/ZDNet
The Australian Signals Directorate (ASD) has said even though it provides technical advice on cybersecurity matters to the Australian government, it does not impose bans on apps or technology.
One particular issue has been whether apps like Wechat and TikTok pose a security threat for Australian government employees, and whether the apps should be allowed onto work devices.
“It is a matter for individual departments to make their own risk judgements weighed against the potential utility of the application for the proper running of their own organisations,” the intelligence agency said in answer to a Senate Estimates Question on Notice.
In response to another question, ASD did say it provided technical advice to government, but has not undertaken a wide-ranging risk assessment.
“ASD has not undertaken a risk assessment of the use of TikTok or Wechat for users that might face an increased risk of being targeted for espionage or foreign interference — such as diaspora communities, think tanks, NGOs, or parliamentarians,” it said.
Earlier in the month, Home Affairs said it conducted a review of TikTok, but only for internal staff use, and did not provide any governmental advice off the back of it.
Similarly, when questioned whether it had advised Australian telcos Optus and TPG to implement Resource Public Key Infrastructure (RPKI) to help stop Border Gateway Protocol (BGP) route hijacks, ASD ducked responsibility.
“Cybersecurity of Australian telecommunications companies is a matter for them,” it said.
However, should the Critical Infrastructure Bill pass through Parliament, the government could potentially be able to mandate such actions under a “positive security obligation”. The Bill also introduces mandatory reporting to ASD from sectors deemed as critical infrastructure.
When introducing the Bill last week, Home Affairs Minister Peter Dutton said the requirement to report to ASD was intended to build a “comprehensive understanding of the cybersecurity risks to critical infrastructure assets”.
“Through greater awareness, the government can better see malicious trends and campaigns, which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyber attacks,” he said.
Also contained within the Bill are last resort powers, which allow the government to step in to protect assets during or following a significant cyber attack.
In June, ASD said while cybersecurity was an important priority for government, it was not responsible for what government agencies did or didn’t do.
“As individual Commonwealth entities are responsible for their assessment in light of their risk environment, questions regarding [Protective Security Policy Framework] implementation within an individual entity are best directed to that entity,” it wrote.
Elsewhere in its responses, ASD said it has continued to use its offensive cyber powers against foreign cyber actors and offshore cyber criminals.
“Every offensive cyber mission is targeted and proportionate, supported by a strong framework of legislation and policy, and subject to ASD’s oversight framework, including by the Inspector-General of Intelligence and Security,” it said.
“ASD can use its technical expertise to combat serious crimes undertaken by people or organisations outside Australia, such as child exploitation and illicit narcotics, committed or facilitated by the use of electromagnetic energy, whether guided or unguided or both.”
The directorate would not be drawn on how much it spends on protecting its network, claiming it might “disclose sensitive information about ASD’s systems and networks and its capability”, but it did say it had fully implemented DMARC on its domains, as well as implemented its Essential Eight advice.
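ASD’s statement that it has “fully implemented DMARC” is, in practice, a claim about the content of the _dmarc TXT record for each of its domains: a record exists, it is syntactically valid, and its policy is at enforcement for the whole domain and for subdomains. The following is an added example written for this page, not ASD’s or ZDNet’s code, showing how to parse a record and assess it against that bar. The sample records are constructed, the mailbox domains are deliberately invalid, and a live check would first fetch the TXT record at _dmarc.<domain> via DNS, which this offline example omits.

```python
"""Assess whether a DMARC record is at enforcement.

Added example: the records below are constructed for illustration and are
not ASD's or anyone else's real DNS data.
"""
from typing import Dict, List, Tuple

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag/value pairs (RFC 7489 section 6.4).

    Tags are separated by ';', tag names are case-insensitive, and 'v=DMARC1'
    must be the first tag, otherwise receivers treat the record as absent.
    """
    tags: Dict[str, str] = {}
    parts = [p.strip() for p in record.split(";")]
    for index, part in enumerate(parts):
        if not part:  # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        if index == 0 and (name != "v" or value.upper() != "DMARC1"):
            raise ValueError("record must begin with v=DMARC1")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if "v" not in tags:
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Return (fully_enforcing, findings) for one DMARC record.

    'Fully enforcing' means: p is quarantine or reject, applied to 100% of
    mail, and subdomains are not left at a weaker policy via sp=.
    """
    findings: List[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return False, [f"invalid record: {exc}"]

    policy = tags["p"].lower()
    if policy not in ENFORCING_POLICIES:
        findings.append(f"p={policy}: domain policy is monitor-only")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked, not rejected")

    # pct defaults to 100; anything lower lets a share of spoofed mail through.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct}: not an integer in 0..100")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")

    # sp defaults to p; an explicit weaker sp leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING_POLICIES:
        findings.append(f"sp={sub_policy}: subdomains are not enforced")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    enforcing = (
        policy in ENFORCING_POLICIES
        and pct.isdigit() and int(pct) == 100
        and sub_policy in ENFORCING_POLICIES
    )
    return enforcing, findings


# Constructed sample records (illustrative only, not real DNS data).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.invalid",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.invalid",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; ruf=mailto:forensic@example.invalid",
    "broken": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        ok, notes = assess_dmarc(rec)
        print(f"{label:16} enforcing={ok}")
        for note in notes:
            print(f"    - {note}")
```

The parser rejects records that do not start with v=DMARC1 or lack p=, because receivers ignore such records entirely, which is the same outcome as publishing no DMARC at all. p=quarantine, a pct below 100 and an explicit sp=none are each reported separately, since those are the usual ways a domain ends up “with DMARC” yet still spoofable.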
On the matter of a code replay flaw found within myGovID in September, ASD once again said it was a matter for another organisation.
“ASD facilitated passage of the researcher’s findings to the ATO, and provided technical advice and assistance to the ATO on the implications of the vulnerability disclosure. The management of the disclosure issue is a matter for the ATO,” it said.
In answers from other organisations, the Department of Health said it had spent AU$6.995 million on advertising the COVIDSafe app so far, but has not run any advertising since July 20.
Image: Apple
Apple has begun to publish privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS, with developers now needing to answer a questionnaire as part of submitting an app or update.
Cupertino says this requirement applies to all developers, including itself. Developers are required to tell Apple whether their apps collect information such as names, email addresses, phone numbers, home addresses, and health and fitness data.
The information provided into the summary is broken down into three types: Data used to track you, data linked to you, data not linked to you.
The first category is defined as data that is combined with data from other companies’ apps or sites for targeted advertising or advertising measurement, or shared with data brokers; the linked category is data that is tied to a user account on the app or device.
Users are still able to deny permissions within the app if they so choose.
The summary is based entirely on the answers provided by the developer, with the existing app review process remaining separate.
On the question of how developers will know what the privacy implications of the libraries they use are, Apple said it is seeing SDK makers updating their documentation in a way that provides information on privacy, but it remains the responsibility of developers to answer for the whole application.
Apple said it may follow up with developers if the information provided is found to be incorrect or users report a discrepancy, and failure to honestly answer the questions has the potential to lead to delisting. The company added that national data regulators could treat the privacy summary as a public statement on which to regulate and base decisions upon.
The current summary is not set in stone, with Apple saying it would evolve the requirement as time passes. The new information was first flagged in July.
Next year, Apple will begin forcing developers to show users the new app tracking permission prompt when apps want to track users. The prompt arrived in the recent iOS 14 release.
Cupertino also unveiled a privacy policy update on Monday, which was touted as complying with European GDPR definitions.
“We treat any data that relates to an identified or identifiable individual or that is linked or linkable to them by Apple as ‘personal data’, no matter where the individual lives,” the policy states.
“This means that data that directly identifies you — such as your name — is personal data, and also data that does not directly identify you, but that can reasonably be used to identify you — such as the serial number of your device — is personal data.”
The policy says Apple does not use “algorithms or profiling” to make decisions that would significantly impact customers without a human conducting a review.
The updated policy also applies to its partners and service providers, which includes the likes of Goldman Sachs.
Apple said the data it collects from browser cookies is treated as “nonpersonal data”, but when combined with other personal data it holds, it falls under the personal data remit.
Image: SolarWinds, ZDNet
IT software provider SolarWinds downplayed a recent security breach in documents filed with the US Securities and Exchange Commission on Monday.
SolarWinds disclosed on Sunday that a nation-state hacker group breached its network and inserted malware in updates for Orion, a software application for IT inventory management and monitoring.
Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory.
The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers.
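The version range SolarWinds named (2019.4 through 2020.2.1) is the first thing an administrator with many Orion installs needs to check, before moving on to the file-hash and network indicators in the vendor reports. Below is an added example written for this page, not SolarWinds, FireEye, Microsoft or CISA tooling, that parses Orion version strings into integer tuples and triages a host inventory against that range. The inventory lines are constructed; the host=… version=… line format, and the choice to parse hotfix (HF) suffixes but ignore them when deciding range membership so that the check errs toward flagging a host, are assumptions not taken from the advisory as quoted here.

```python
"""Triage an Orion host inventory against the version range SolarWinds named.

Added example, not vendor tooling. The inventory is constructed. The affected
range follows the advisory as quoted in the article (2019.4 through 2020.2.1);
treating every hotfix of an in-range base version as in range is an assumption
made here so that the check over-flags rather than under-flags.
"""
import re
from typing import List, Optional, Tuple

AFFECTED_LOW = (2019, 4, 0)
AFFECTED_HIGH = (2020, 2, 1)

# Accepts "2019.4", "2020.2.1" and "2020.2.1 HF 1" style strings.
_VERSION_RE = re.compile(
    r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE
)
# Assumed inventory line format: host=<name> version=<version string>
_INVENTORY_RE = re.compile(r"^host=(\S+)\s+version=(.+)$")


def parse_version(text: str) -> Tuple[Optional[Tuple[int, int, int]], int]:
    """Return ((year, minor, patch), hotfix), or (None, 0) if unparseable.

    Comparing integer tuples matters: compared as strings, "2020.10" sorts
    before "2020.2", which would silently misplace versions in the range.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None, 0
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0)), int(hotfix or 0)


def in_affected_range(base: Tuple[int, int, int]) -> bool:
    """Inclusive membership test against the advisory's version range."""
    return AFFECTED_LOW <= base <= AFFECTED_HIGH


def triage(inventory: str) -> List[Tuple[str, str]]:
    """Classify each inventory line as 'affected', 'outside-range' or 'unparsed'."""
    results: List[Tuple[str, str]] = []
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _INVENTORY_RE.match(line)
        if not m:
            results.append((line, "unparsed"))
            continue
        name, version = m.group(1), m.group(2).strip()
        base, _hotfix = parse_version(version)  # hotfix parsed but not used
        if base is None:
            results.append((name, "unparsed"))
        elif in_affected_range(base):
            results.append((name, "affected"))
        else:
            results.append((name, "outside-range"))
    return results


# Constructed inventory; host names and version strings are illustrative.
SAMPLE_INVENTORY = """\
# host=<name> version=<Orion version string>
host=orion-syd-01 version=2019.4 HF 5
host=orion-syd-02 version=2020.2.1
host=orion-mel-01 version=2019.2
host=orion-lab-01 version=2020.2.1 HF 1
host=orion-old-01 version=2018.4 HF 3
host=orion-bad-01 version=unknown
"""

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY):
        print(f"{name:16} {verdict}")
```

A host flagged “affected” is in the version window, not confirmed compromised: as the administrators quoted later in the article found, the presence of a tainted update does not by itself mean a second-stage payload followed. Treat the flagged list as the queue for the hash and network indicator checks in the FireEye, Microsoft and CISA reports, and treat “unparsed” entries as inventory hygiene problems to resolve rather than hosts to ignore.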
Only 18,000 of 300,000 customers affected
But while initial news reports on Sunday suggested that all of SolarWinds’ customers were impacted, in SEC documents filed on Monday SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, and that fewer than 18,000 are believed to have installed the malware-laced update.
The company said it notified all its 33,000 Orion customers on Sunday, even if they didn’t install the trojanized Orion update, with information about the hack and mitigation steps they could take.
In a security advisory on Sunday and SEC filings today, SolarWinds said it plans to release an Orion update on Tuesday that will contain code to remove any traces of the malware from customer systems.
If customers can’t wait until Tuesday, Microsoft, FireEye, and the US Cybersecurity and Infrastructure Security Agency (CISA) also published technical reports on Sunday with instructions on how to identify traces of the malware delivered through SolarWinds Orion (named SUNBURST by FireEye and Solarigate by Microsoft), remove it from systems, and detect whether the attackers pivoted with a second-stage attack into internal networks.
SolarWinds Office 365 email account was also compromised
But while details about how hackers pivoted from SolarWinds to customer networks via the tainted Orion malware have now come to light, SolarWinds has not yet said how hackers breached its own network.
Nonetheless, in the same SEC documents, SolarWinds said that it also learned from Microsoft about a compromise of its Office 365 email and office productivity accounts.
The company said it’s currently investigating if the attackers used access to the email accounts to steal customer data.
SolarWinds did not specifically say that this email account compromise led to hackers gaining access to the server infrastructure supporting the Orion app’s update mechanism.
One of the most consequential hacks in recent years
The SolarWinds Orion platform hack is slowly turning out to be one of the most significant hacks in recent years.
Currently, the SolarWinds security breach has been linked to hacks at US security firm FireEye, the US Treasury Department, and the US Department of Commerce’s National Telecommunications and Information Administration (NTIA).
The hack is, however, expected to be much, much worse. Forbes reported today that SolarWinds is a major contractor for the US government, with regular customers including the likes of CISA, US Cyber Command, the Department of Defense, the Federal Bureau of Investigation, the Department of Homeland Security, Veterans Affairs, and many others.
In addition, FireEye, which is investigating the incident as part of its own security breach, said the attackers also compromised targets all over the world, and not just in the US, including governments and private sector companies across several verticals.
Citing industry sources, Reuters reported today that despite a broad install base for the Orion platform, the attackers appear to have focused only on a small number of high-value targets, leaving most Orion customers unaffected.
Several IT administrators reported today that they found signs of the malware-laced Orion update on their systems, but they did not find signs of second-stage payloads, typically used by the attackers to escalate access to other systems and internal customer networks.
That is consistent with what I’m seeing with customers. SW Orion with no IOC
— Nicholas Zurfluh (@zurfluhn) December 14, 2020
SolarWinds said in SEC documents today that in the first three quarters of 2020, revenue from the Orion product line brought in approximately $343 million, representing about 45% of the company’s total revenue.
If customers end up abandoning the app, the fallout from this security breach will have a major impact on SolarWinds’ bottom line as well.