More stories

  • Hackers are selling more than 85,000 SQL databases on a dark web portal

    More than 85,000 SQL databases are currently on sale on a dark web portal for a price of only $550/database.
    The portal, brought to ZDNet’s attention earlier today by a security researcher, is part of a database ransom scheme that has been going on since the start of 2020.
    Hackers have been breaking into SQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back.
    While the initial ransom notes asked victims to contact the attackers via email, as the operation grew throughout the year the attackers also automated their DB ransom scheme with the help of a web portal, first hosted online at sqldb.to and dbrestore.to, and later moved to an Onion address on the dark web.

    Victims who access the gang’s sites are asked to enter a unique ID, found in the ransom note, before being presented with the page where their data is being sold.
    If victims don’t pay within a nine-day period, their data is put up for auction on another section of the portal.
    The price for recovering or buying a stolen SQL database must be paid in bitcoin. The actual price has varied across the year as the BTC/USD exchange rate fluctuated but has usually remained centered around a $500 figure for each site, regardless of the content they included.

    This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don’t analyze the hacked databases for data that could contain a higher concentration of personal or financial information.
    Past attacks are easy to identify as the group has usually placed their ransom demands in SQL tables titled “WARNING.” Based on complaints ZDNet has reviewed for this article, most of the databases appear to be MySQL servers; however, we don’t rule out that other SQL relational database systems like PostgreSQL and MSSQL could have been hit as well.
    Signs of these ransom attacks have been piling up over the course of 2020, with the number of complaints from server owners finding the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.
    Bitcoin addresses used for the ransom demands have also been piling up on BitcoinAbuse.com [1, 2, 3, 4, 5, 6, 7, 8], a website that indexes Bitcoin addresses used in cybercrime operations.
    These attacks mark the most concerted effort to ransom SQL databases since the winter of 2017, when hackers hit MySQL servers in a series of attacks that also targeted MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers.

  • NSW's new information and privacy committee to advise government on best practices

    A new committee has been set up by the New South Wales government to provide it with information, advice, assistance, and training on how to best deliver information and privacy management practices in government, as well as facilitate collaboration between government, industry, and academia.
    The Information and Privacy Advisory Committee will be responsible for advising the Information and Privacy Commission NSW, the Minister for Customer Service Victor Dominello, and the Attorney-General and Minister for the Prevention of Domestic Violence Mark Speakman.
    “The digital age presents many opportunities, but it is important that our policies and laws reflect its challenges,” Dominello said.
    Appointed to chair the committee is NSW Information Commissioner Elizabeth Tydd. She will be joined by NSW Privacy Commissioner Samantha Gavel, NSW government chief data scientist Ian Oppermann, Australian Institute of Health and Welfare CEO Barry Sandison, Allens Hub technology, law, and innovation director and University of New South Wales (UNSW) faculty of law professor Lyria Bennett Moses, Information Integrity Solutions founder Malcolm Crompton, NSW Department of Communities and Justice executive director of justice strategy and policy Paul McKnight, and Data Synergies principal and UNSW Business School practice professor Peter Leonard.
    “This new committee will bring together specialists from a range of sectors — including data science, technology, business and law — to ensure we remain at the forefront of these issues,” Dominello said.
    In addition to the core members, NSW government said experts in relevant areas may also be invited to attend and contribute as required by the committee.

    “The committee has the expertise to provide assistance to public sector agencies in adopting and complying with information governance in a contemporary public sector context, including access to information rights, with information protection principles, and implementing privacy management plans in ways that account for these challenges,” Tydd said.
    The launch of the committee will add to ongoing efforts the state government has been making when it comes to addressing information privacy.
    In June, the state government announced its intentions to stand up a sector-wide cybersecurity strategy, which would supersede the cybersecurity strategy that was last updated in 2018.
    The plan to create a new security document followed a AU$240 million commitment to improve NSW’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce. With that funding, it announced plans to create an “army” of cyber experts.
    In a vow to keep customer data safe, the state government set up a dedicated cyber and privacy resilience group in October.
    NSW Department of Customer Service Secretary Emma Hogan, who chairs the new group, said at the time that setting up the taskforce was a response to the cyber attack the state government suffered earlier this year.
    The breach resulted in 73GB of data, comprising 3.8 million documents, being stolen from staff email accounts. The breach impacted 186,000 customers.
    Budget papers revealed in November the cyber attack would cost Service NSW AU$7 million in legal and investigation fees.
    But this is not the only cyber incident that the state government has suffered. In September, it was revealed that information on thousands of New South Wales driver’s licence-holders had been exposed, with reports indicating that a cloud storage folder holding over 100,000 images was mistakenly left open.
    Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate the matter and notify any customers whose data had been breached.

  • JCPAA calls for Commonwealth entities to be cyber assessed annually by ANAO

    The Joint Committee of Public Accounts and Audit (JCPAA) has called for federal government entities to be assessed on cyber resilience each year by the Australian National Audit Office (ANAO). However, even if the government accepted the recommendation, the committee acknowledged that this was unlikely to lead to a better informed public.
    “The committee recognises the concerns raised in evidence to the inquiry highlighted that individual vulnerabilities within Commonwealth entities could exacerbate existing cybersecurity risks,” the report reviewing a pair of recent ANAO reports said.
    “In light of this, the committee proposes that published limited assurance reviews provide no more granular public information than is published in existing ANAO cyber resilience audits. The published report can also provide advice on identified impediments to agencies implementing the 13 behaviours and practices and the Essential Eight mitigation strategies, noting that the provision exists for confidential reporting to ministers and the JCPAA where required.”
    Historically, public reports from the ANAO place agencies on a chart that measures compliance with mitigation strategies on one axis and maturity in access and change management on the other. Each agency then falls into one of four quadrants: vulnerable, internally resilient, externally resilient, or cyber resilient.
    Australian agencies remain highly averse to any public acknowledgement of their security posture.
    Earlier this week, the Office of National Intelligence (ONI) simultaneously said its posture was highly mature, but then declined to say whether it had a DMARC record, citing national security.
    Anyone can easily use command-line tools or websites to find out whether ONI is fully compliant with DMARC, since a DMARC policy is published as a DNS TXT record and is publicly queryable over the internet.

    Shadow Assistant Minister for Cyber Security Tim Watts said the report was a “damning indictment” on the government.
    “This failure is so bad that the committee found that a new and unprecedented oversight regime is needed to ensure our vital government services and the data of Australian citizens they hold are appropriately protected at a time of dramatically increasing cyber threats,” Watts said in a statement with deputy chair Julian Hill.
    “It comes after years of staggeringly high rates of non-compliance from the Commonwealth government with its own cybersecurity framework.
    “The Morrison Government has had seven years of reports from the ANAO and JCPAA to fix this.”
    The opposition has previously said it would like to name and shame entities that have a low cyber score.
    In its other recommendations, JCPAA said the Attorney-General’s Department should provide an update on getting external parties to verify self-reported compliance from entities; and the department should also provide an update on the cyber maturity of government entities and whether it was feasible to mandate the Essential Eight, a call the committee made in October 2017, as well as report back on why any entities have yet to implement the Top Four mandated in April 2013.
    It added that the Protective Security Policy Framework should be updated to align with the ANAO’s 13 behaviours and practices for cyber resilience, and that Australia Post and the Australian Digital Health Agency should provide updates on how they are implementing the recommendations from prior ANAO reports.

  • Adobe to block Flash content from running on January 12, 2021

    On Tuesday, Adobe released the last ever update for its iconic Flash Player app, which the company plans to retire at the end of the year.

    “In the latest Flash Player update released yesterday, we updated our uninstall prompt language and functionality to encourage people to uninstall Flash Player before the end of life and to help make users aware that beginning January 12, 2021, Adobe will block Flash content from running,” an Adobe spokesperson told ZDNet.
    The update follows through with changes Adobe announced earlier this year in June.
    At the time, Adobe said it planned to show prompts to all Flash users by the end of the year with a notification that the software would soon reach its planned end-of-life (EOL).
    The new update also puts an actual date on Flash’s demise: January 12, 2021, the date after which no Flash content of any type will run inside the Flash app.
    Skipping this last Flash update won’t remove this “time bomb,” however.
    Adobe told ZDNet that the killswitch code was added months before in previous releases and that this last Flash update only modifies the language used in the prompt that will ask users to uninstall the app.
    End of the road

    The Flash EOL was first announced in July 2017 when Adobe, Apple, Google, Microsoft, Mozilla, and Facebook agreed to phase out Flash-based content and technologies from their products.
    At the time of writing, all major browsers have already disabled Flash in their products and are set to remove the actual Flash plugin from their codebases throughout December 2020 and January 2021.
    Facebook had already moved most of its hosted games from Flash to HTML5 and JavaScript-based technologies years ago.
    Once unthinkable, the Flash EOL is now expected to have minimal impact on the web ecosystem: according to web technology survey site W3Techs, only 2.3% of today’s websites use Flash code, a number that has plummeted from the 28.5% share it had at the start of 2011.
    Besides deprecating Flash in its browsers, Microsoft also released an optional Windows update last month which, once applied, removes all traces of Flash Player at the OS level.
    Adobe thanks Flash users and developers
    Despite being marred by criticism for all of its security bugs, Flash Player played a crucial role in the history of the entire internet, helping usher in and popularize interactive content like web animations, multimedia players, and streaming technologies, all of which were first supported by Flash before being ported to CSS, JavaScript, and HTML5.
    With Flash’s last update rolling out this week, Adobe also took the time to thank all Flash users and web developers for installing the app and using it for their work. The message is below, as seen in the last Flash Player changelog entry.
    “We want to take a moment to thank all of our customers and developers who have used and created amazing Flash Player content over the last two decades. We are proud that Flash had a crucial role in evolving web content across animation, interactivity, audio, and video. We are excited to help lead the next era of digital experiences.”

  • CyberCX eyes Australian government with Foresight acquisition

    The Australian cyber megamix CyberCX has made yet another acquisition, this time scooping up Foresight with an eye on its government portfolio.
    CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, said specialist cybersecurity consultancy Foresight would strengthen its Canberra footprint and cement its capability and credentials as “Australia’s leading cybersecurity organisation”.  
    “With extensive experience working with Australian government agencies, the addition of Foresight will increase CyberCX’s substantial capability in delivering cyber security solutions for major government clients,” CyberCX said.
    Founded over a decade ago, Foresight is an independent cybersecurity consultancy focused on technical security compliance and assurance activities for enterprise and government. CyberCX said Foresight has deep expertise providing security solutions to leading Australian and global organisations, working with Australian government agencies in assessing large and highly complex systems.
    The consultancy also has a particularly strong cloud security practice and works with cloud service providers, government agencies, and large enterprises.
    “We built Foresight as a proudly 100% Australian company, providing independent cybersecurity advice as a trusted advisor to our customers. CyberCX supercharges this mission,” Foresight managing director Peter Baussmann said.
    “The CyberCX team have quickly established themselves as a formidable force across Australia and New Zealand. We look forward to continuing to service our customers at the highest level and offering them the full suite of capabilities and expertise that CyberCX has to offer.”

    CyberCX, backed by private equity firm BGH Capital, was formed a little over one year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.
    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups simultaneously.
    Last month, it announced plans to push into Queensland and in late October, CyberCX stood up operations in Western Australia after acquiring two local cyber firms, Asterisk Information Security and Diamond Cyber Security.
    Identity management firm Decipher Works and cloud security specialists CloudTen also joined the organisation in October; and two Melbourne-based startups, Basis Networks and Identity Solutions, were added to CyberCX in July.
    CyberCX also pushed into the New Zealand market in August, adding its first Kiwi acquisition, Insomnia Security, a month later.

  • For the love of open source: Why developers work on Linux and open-source software

    The myth of the open-source developer is that they are unemployed young men coding away in basements. The truth is different. A new survey from the Linux Foundation’s Open Source Security Foundation (OSSF) and the Laboratory for Innovation Science at Harvard (LISH), the Report on the 2020 FOSS Contributor Survey, found a significant number of women developers, a plurality of programmers in their 30s, and a majority working full-time jobs with an average annual pay of $123,000.

    Over half of those surveyed reported that they receive payment for free and open-source software (FOSS) contributions — from either their employer or a third party. More than half, 51.65%, are specifically paid to develop open-source programs.
    That said, while open-source jobs are in high demand and the pay is great, it’s not money that brings programmers to open-source. Indeed, even those people paid for working on a FOSS project also contributed to other open-source programs without being compensated.
    The survey of almost 1,200 developers found the top reason was adding a needed feature or fix to a program they already use. Or, as Eric S. Raymond put it in his seminal open-source work, The Cathedral and the Bazaar, “Every good work of software starts by scratching a developer’s personal itch.”
    The other top two reasons were the enjoyment of learning and fulfilling a need for creative or enjoyable work. At the bottom? Getting paid. 
    It’s not that programmers dislike making money from their open-source work. Far from it! But money alone isn’t that important to them. This can be seen by their answer to another question, which showed that no matter “how many hours they spent on FOSS during paid work time, nearly all respondents also spend some of their free time working on FOSS.”
    That said, one vital area of software development is being neglected: Security. 

    On average, programmers spend just 2.27% of their total contribution time on security. Worse still, there’s little desire to spend more time and effort on security.
    David A. Wheeler, The Linux Foundation’s director of open-source supply chain security, said: “It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors.” 
    The solution, the report authors suggest, is to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.
    Specifically, they suggest:
      • Fund security audits of critical open-source projects and require that the audits produce specific, mergeable changes.
      • Rewrite portions or entire components of FOSS projects prone to vulnerabilities to produce a substantially more secure result (e.g., contribute a rewrite in a memory-safe language).
      • Prioritize secure software development best practices.
      • Companies should make secure software development training a requirement for hiring or continued professional development for their paid FOSS developers.
      • Utilize badging programs, mentoring programs, and the influence of respected FOSS contributors to encourage projects and their contributors to develop and maintain secure software development practices.
      • Encourage projects to incorporate security tools and automated tests as part of their continuous integration (CI) pipeline, ideally as part of their default code management platform.
    The survey also found that companies are continuing to do better at supporting their people working on open-source projects. Today, 45.45% of respondents are free to contribute to open-source programs without asking permission, compared to 35.84% 10 years ago. However, 17.48% of respondents say their companies have unclear policies on whether they can contribute, and 5.59% were unaware of what policies — if any — their employer had.
    The Linux Foundation plans on refreshing the FOSS Contributor Report and Survey. If you’re an open-source developer and you’d like to participate, please sign up here.

  • Google open-sources Atheris, a tool for finding security bugs in Python code

    Google’s security experts have open-sourced another automated fuzzing utility in the hopes that developers will use it to find security bugs and patch vulnerabilities before they are exploited.
    Named Atheris, the project is a classic fuzzer.
    A fuzzer (or fuzzing tool) works by feeding a software application large quantities of random or malformed input and watching its behaviour for abnormalities and crashes, which give developers a hint about the presence and location of possible bugs in the app’s code.
    Across the years, Google’s security researchers have been some of the biggest promoters of using fuzzing tools to discover not only mundane bugs but also dangerous vulnerabilities that could be exploited by attackers.
    Since 2013, Google security researchers have created and later open-sourced several fuzzing tools, including the likes of OSS-Fuzz, Syzkaller, ClusterFuzz, Fuzzilli, and BrokenType.
    But all of these tools have been created for discovering bugs in C or C++ applications.
    A fuzzer for the growing Python codebase
    Atheris is Google’s answer to the rising popularity of the Python programming language, currently ranked 3rd in last month’s TIOBE index.

    Developed internally at Google in a hackathon last October, Atheris supports fuzzing Python code written in Python 2.7 and Python 3.3+, as well as native extensions created for CPython.
    However, Google says that Atheris works best with code in Python 3.8 and later, where new features added to the Python language help Atheris find even more bugs than in code written for older Python versions.
    Google has open-sourced the Atheris code on GitHub, and the fuzzer is also available on PyPI, the Python package repository.
    Going forward, Google says it also plans to add support for Atheris fuzz tests on OSS-Fuzz, a hosted platform that lets developers fuzz open-source projects for security flaws. Previously, this platform supported only C and C++ fuzzing and has been extremely successful, finding thousands of bugs over the years. As of June 2020, OSS-Fuzz had found over 20,000 bugs in 300 open source projects.

  • EU agency in charge of COVID-19 vaccine approval says it was hacked

    The European Medicines Agency (EMA), the EU regulatory body in charge of approving COVID-19 vaccines, said today it was the victim of a cyber-attack.

    In a short two-paragraph statement posted on its website today, the agency disclosed the security breach but said it couldn’t share any details about the intrusion due to an ongoing investigation.
    EMA is currently in the process of reviewing applications for two COVID-19 vaccines, one from US pharma giant Moderna and a second developed in a collaboration between BioNTech and Pfizer.
    An EMA spokesperson did not return a request for comment on whether the attack targeted its vaccine approval process or was a financially motivated attack such as ransomware.
    Nonetheless, in a follow-up statement released on its own website, BioNTech said that “some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed” during the attack, confirming that COVID-19 research was most likely the target of the attack.
    Over the past months, numerous companies working on COVID-19 research and vaccines have been the targets of hackers, and especially of state-sponsored hacking groups.
    Companies like Johnson & Johnson, Novavax, Genexine, Shin Poong Pharmaceutical, Celltrion, AstraZeneca, Moderna, and Gilead have been targeted by hackers, according to reports from Reuters and the Wall Street Journal.

    In November, OS maker and cyber-security giant Microsoft said it detected three nation-state hacking groups (known as APTs) targeting seven companies working on COVID-19 vaccines, singling out Russia’s Strontium (Fancy Bear) and North Korea’s Zinc (Lazarus Group) and Cerium for the attacks.
    Speaking at the Aspen Cyber Summit last week, Marene Allison, the Chief Information Security Officer at Johnson & Johnson, said companies like her employer are seeing cyber-attacks from nation-state threat actors “every single minute of every single day.”
    IBM also reported last week that hackers were looking to compromise companies working in the “cold chain” of COVID-19 vaccines.
    EMA said it would provide further information on the hack once it learns more.