More stories

  •

    Police officer abused vehicle database to track down women drivers

    A police officer has been sacked after abusing a vehicle registration database to track women drivers. 

    The constable, formerly of Guernsey Police, was fired for gross misconduct in August after being found guilty of inappropriately contacting nine women across social media after accessing their personal data without a genuine legal reason or any form of consent.
    When he joined the force, the 39-year-old, Stephen Woods, was required to sign Bailiwick Law Enforcement and States of Guernsey data protection law agreements, the Guernsey Press reported.
    Guernsey, an island in the English Channel, is a self-governing dependency and while not part of the UK, has modern and stringent data protection laws. 
    According to local media, Woods noted the car registration details of women of interest so he could track them down on social media. 
    In one case, a woman realized a police car was following her, and the officer smiled at her and drove away. Later, she received an Instagram request from him, leading to a formal complaint being made to Guernsey Police. In another, a woman was contacted after having a conversation with him outside of a police station while she was in her car. 

    Nine women in total were contacted. Some were messaged by Woods; the content of the messages was not deemed malicious, but it was considered “persistent” in some cases. His activities continued for roughly a year.
    Woods was fired for gross misconduct in August and attempted to argue in the Magistrate’s Court that his only reason for contacting these women was in relation to several cartoon projects on Instagram — named The Model Comic, The Fitness Comic, and GGZ World — but as noted by local media, the presiding judge dismissed this claim. 
    The former officer’s personal mobile also contained some registration numbers of motor vehicles, including those belonging to the women who made complaints to the force. 
    Woods admitted his transgressions, including accessing data without controller consent. He will perform 150 hours of community service in lieu of five months behind bars and his mobile device will be destroyed.
    Guernsey Police’s lookup system was based on trust, but in light of this case and its battered reputation, law enforcement will now need to review procedures for accessing driver data.

  •

    Home Affairs likens critical infrastructure protections to insurance and crime-fighting

    The federal government in November published an exposure draft on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which seeks to amend the Security of Critical Infrastructure Act 2018 (SOCI) to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
    If passed, SOCI would create a new class of regulated entities known as “systems of national significance”, which Secretary for the Department of Home Affairs Mike Pezzullo has labelled the most profoundly important segments of national infrastructure: Gas, water, power, and banking.
    It would create mandatory reporting loops between the sector and the Australian Cyber Security Centre, allowing the responsible minister to designate a sector as being so sensitive that the Australian Signals Directorate (ASD) would be on the network and perform monitoring.
    But not everyone, Pezzullo noted, would get that ASD-level protection under SOCI as the economy is just too large.
    Facing the Legal and Constitutional Affairs Legislation Committee on Friday, Pezzullo was asked if looking after the “top tier” would result in the needs of the “middle tier” being neglected. He was also asked to expand on what the government’s view of its responsibility is.  
    “There are two strands here. It’s like general crime. Governments frame insurance markets — people take out insurance — but they also fight crime,” he said.

    “Right down to the household level, you’re expected as part of your household insurance to secure your property with alarms and locks et cetera — and that affects the premium, but that doesn’t prevent the police — in fact, the police actively go after the criminals who might be doing break-and-enter. Cyber is no different.”
    The element that’s missing, he said, continuing the insurance metaphor, is what the cost is, in an actuarial sense, that both households and firms would be willing to bear in order to provide a certain level of protection.
    “Then the government strikes at the attacker, or strikes at the criminal group, in a complementary fashion,” Pezzullo said. “It’s very much like an insurance and crime-fighting model. Cyber is very underdeveloped. There are no insurance products. There’s no way to price the risk in the same way as, for instance, burglary or property damage or car accidents. We’re in the very early days.”
    He said the department is looking at how to price in risk and what regulatory schemes should be put in place in order to also cover the level below that of national security.
    “I’m sure that you and I would agree that an attack on the grid or an attack on our air traffic control system or an attack that takes out our ability to conduct banking would cause chaos, so the government is focusing its most potent weapons, its most potent resources, on that risk,” he continued. “It has to be a holistic society and economy-wide response.
    “It will be a tiered approach throughout the general economy, in other words.”
    Pezzullo expects the legislation that wraps the enhanced regulatory scheme to be introduced into Parliament “soon”. There are two sitting days left before Christmas.
    Dark web Bill to help thwart ransomware gangs
    Pezzullo was asked what action the government was taking to thwart ransomware crews so it could attack them at their source. He was also asked if ransomware was the top cyber threat facing Australia.
    “It’s certainly the most pervasive. It’s like crime in general. In terms of volume of crime it is. In terms of strategic risks to our nation, the government has stated on a number of occasions … that in terms of consequence of attack, our banking system or the payment system that sits within the banking system or the electricity grid and the distribution of electricity to go down that would be a more consequential risk to the Australian economy and to our society — it’s less probable,” he said. 
    “So it’s like crime — there’s volume of crime and then there’s very high-end, impactful crime.”
    On Thursday, the Australian government put forward its Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 that would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
    “We want the powers that are contained in the Bill … [so we can] get the tide to go out so we can see exactly where these cybercriminal nodes are. They’re often out of jurisdiction. By the time you get a warrant up and go with law enforcement cooperation, they will have shut down their operation and moved on,” Pezzullo said.
    “We want to attack them in situ, attack their servers, take over their systems, identify their IP addresses, and geolocate where they are on the face of the planet. The problem is that, increasingly, the technology has gotten ahead of the law with the dark web. It’s very much like encryption.
    “The problem is that the very same anonymising technology allows you to go invisible so we want the dark web legislation … to be able to strip back that invisibility cloak. That’s where volume is going, and if we don’t hunt them on the dark web they will become immune.”
    Expanding on the technical assistance that ASD would be able to provide under its extant powers, under the relevant section of the Intelligence Services Act, Pezzullo said the department is currently not seeking any additional powers for ASD but rather, the use of its powers offensively.
    “There is no requirement for those powers to be enhanced. When you say ‘using military intelligence capabilities’, ASD has the highest level … both of intelligence collection in cyber and of cyber-disruption,” he said. “What we’ve done now is start to apply those offensive tools … against criminals. So the police will select the targets. They’ll have the powers to collect the intelligence, but, rather than building a whole new duplicated ‘ASD type’ — if I can use that phrase — system in the AFP, they will import ASD’s powers through its technical assistance provisions under the ISA so that we don’t have to duplicate that.”

  •

    BTC-e founder sentenced to five years in prison for laundering ransomware funds

    A French judge today sentenced the founder of the now-defunct BTC-e cryptocurrency exchange to five years in prison and a fine of €100,000 for laundering funds for cybercriminals, including ransomware gangs, ZDNet France reported.

    Alexander Vinnik, 41, a Russian national, dodged a bigger sentence after French prosecutors failed to prove that the BTC-e founder was directly involved in the creation and the distribution of Locky, a ransomware strain that was active in 2016 and 2017.
    “Mr. Vinnik, the court acquitted you of the offenses relating to the cyber-attacks linked to Locky, as well as the offenses of extortion and association to criminal activities, but finds you guilty of organized money laundering,” the judge said when reading the sentence.
    Vinnik is at the center of a disputed legal battle
    Vinnik was tried in Paris this fall after a long and complicated legal battle. He was initially arrested in July 2017 while vacationing in a summer resort in northern Greece.
    He was taken into custody by Greek police under an international warrant issued by the US for his involvement in running BTC-e, a cryptocurrency exchange that Vinnik founded in 2011, together with fellow Russian national Aleksandr Bilyuchenko.
    US authorities said Vinnik operated BTC-e as a front company for a money-laundering operation, knowingly receiving funds from hacks and other forms of cybercrime and helping crooks cash out stolen funds into fiat currency.
    But Vinnik’s arrest wasn’t an open and shut case, and a disputed legal battle ensued. As soon as Vinnik’s arrest became public, Russian authorities also filed an extradition request of their own, claiming that Vinnik was also a suspect in an investigation in Russia in relation to a 2013 €9,500 ($11,000) fraud charge.

    Details about the case remained murky, but experts said Russian authorities were trying to bring Vinnik back home to prevent the BTC-e founder from spilling secrets to US intelligence.
    The extradition battle dragged on for more than a year and got even more complicated when French authorities also filed their own request with Athens, asking for Vinnik to be tried in Paris on 14 charges related to money laundering and hacking.
    Vinnik’s lawyers initially won their case in 2018, when an Athens court ruled to extradite Vinnik back home to Russia.
    However, as Athens sought to find a middle ground following intense political pressure applied by both Russian (Greece’s main supplier of natural gas) and US (NATO ally) officials, Vinnik was eventually sent to France in the spring of 2020.
    French lawyers couldn’t prove Locky involvement
    But the French trial didn’t pan out as French officials had hoped. ZDNet France reported that French prosecutors managed to prove only one of the 14 charges they brought, with the defendant’s lawyers successfully challenging the evidence brought by Europol for Vinnik’s involvement in cybercrime operations and malware distribution — and specifically his involvement in the Locky ransomware operation.
    The BTC-e founder currently remains under arrest, and both the US and Russia have filed new extradition requests with France, still hoping to get Vinnik to face charges in their respective jurisdictions.
    While Russian authorities are investigating Vinnik in a case of $11,000 in fraud, US authorities said that Vinnik’s BTC-e platform helped criminals launder more than $4 billion in illegal funds.
    Following Vinnik’s arrest, at the Black Hat USA 2017 security conference, a team of security researchers said that before BTC-e went down, the platform had helped convert 95% of all ransomware ransom payments into fiat currency, playing a key role in the burgeoning ransomware ecosystem.
    Furthermore, a group of Bitcoin experts calling themselves WizSec also published the results of an investigation that linked Vinnik’s personal BTC-e Bitcoin accounts to the laundering of funds stolen during hacks at the Mt. Gox, Bitcoinica, and Bitfloor cryptocurrency platforms.
    In July 2019, the US filed a separate civil lawsuit to try to claw back more than $100 million worth of Bitcoin from BTC-e and Vinnik’s accounts.
    In June 2020, New Zealand authorities announced they had successfully seized $90 million that they said was linked to Vinnik’s accounts.

  •

    Hacker opens 2,732 PickPoint package lockers across Moscow

    A mysterious hacker used a cyber-attack to force-open the doors of 2,732 package delivery lockers across Moscow.

    The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg.
    Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address.
    Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app.
    However, the same system that allows users to open lockers and retrieve their packages was attacked on Friday.
    Using a yet-to-be-identified exploit, a mysterious hacker forced open the doors for a third of PickPoint’s lockers, leaving thousands of packages exposed to theft across Moscow.

    A hacker attack hit PickPoint parcel lockers this morning, causing the storage compartments to swing wide open. The company's press service said the failure affected more than 3,000 terminals and promised to contact all affected customers. pic.twitter.com/rjCYakCOUh
    — роман соболев (@MicroRomario) December 7, 2020

    The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities.

    The Russian company said it is currently working to restore its network, which has been damaged during the attack.
    It also remains unclear if packages were stolen from lockers. According to social media posts, guards and landlords were quick to intervene on Friday and restrict access to the obviously malfunctioning lockers.
    As the company highlighted in a press release on Saturday, this appears to be “the world’s first targeted cyberattack against a post-gateway network.”

  •

    National data exchange platform lets Singaporeans consolidate financial data

    A new data platform has been introduced in Singapore to enable residents to pull together and view their financial information from across various sources, including banks and government agencies. The aim here is to help these individuals better understand and plan their overall financial posture. 
    The Singapore Financial Data Exchange (SGFinDex) was developed by the Singapore government, in collaboration with the Association of Banks in Singapore and seven participating banks, including DBS Bank, Oversea-Chinese Banking Corporation, HSBC Bank, Maybank Singapore, and Standard Chartered Bank Singapore.

    The initiative was led by several government agencies including the Monetary Authority of Singapore (MAS) and Government Technology Agency (GovTech). 
    The data platform was built on Singapore’s National Digital Identity (SingPass), which citizens use to access e-government services. They now can log into their SingPass account to access their financial details that are held by different government agencies and financial institutions, such as loans for their public housing apartment, Central Provident Fund balances, deposits, and credit cards.
    A participating financial planning application or website enables citizens to view the account balance in their bank account on the data exchange platform, but they would not be able to use it to perform transactions in their bank account.
    The next phase of SGFinDex would allow citizens to access details on their insurance policies held with insurers as well as their holdings of stocks at the Central Depository. 
    The Ministry of Manpower and GovTech had developed a digital financial planning service, called MyMoneySense, that tapped SGFinDex to provide Singaporeans with an overview of their finances. “It will offer trusted, personalised, and actionable guidance for more effective and comprehensive financial planning,” the government agencies said in a joint statement.

    Participating banks also tapped the SGFinDex platform to offer financial planning services to their customers, encompassing money management, investments, identifying protection needs, and retirement planning.
    According to the government, the data exchange platform was developed with data protection and privacy in mind, and would only transmit data and would not store any personal financial information. All data transmitted on SGFinDex is encrypted and can be decrypted and read only on the financial planning applications or websites authorised to access and gather the data. 
    Financial data would be retrieved after the individual had given explicit consent and their identity must be verified through SingPass. This consent was necessary for banks and government agencies to release the data via SGFinDex as well as for participating financial planning applications or websites to retrieve data via the data exchange. 
    Consent, once given, would last for a year from the time it was provided, and banks would have to be authorised again if individuals wished to release their data after the end of the one-year period.
    MAS’ managing director Ravi Menon said: “Today, our personal financial information is fragmented across multiple entities and we often take financial decisions, like making an investment or buying a house, without a holistic view of our financial situation. 
    “SGFinDex empowers the individual to consolidate his financial information for a comprehensive view of his portfolio, and use digital tools like MyMoneySense to make better financial decisions,” Menon said. “SGFinDex is a tangible expression of harnessing digital technology to enhance the financial well-being of Singaporeans.”
    Singapore last month updated its Personal Data Protection Act (PDPA) to allow local businesses to use consumer data without prior consent for some purposes, such as business improvement and research. The amendments also allowed for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million. 

  •

    Singapore looks to boost blockchain capabilities with $8.9M research investment

    Singapore has set aside SG$12 million ($8.98 million) to drive the development and commercialisation of blockchain applications as well as boost the local ecosystem. Funded by National Research Foundation Singapore (NRF), the new blockchain innovation programme will engage close to 75 companies to create 17 blockchain projects over three years. 
    These would focus on the trade and logistics and supply chain sectors and involve MNCs, large enterprises, and ICT companies, according to a joint statement released Monday by NRF, Enterprise Singapore, and Infocomm Media Development Authority (IMDA). The blockchain innovation programme also is supported by the Monetary Authority of Singapore (MAS). 
    The government agencies noted that blockchain offered several business benefits as it enabled decentralisation and data immutability, and improved security and transparency. The technology, for instance, could facilitate speedier and more efficient transactions between parties and at a lower risk and cost, bypassing the need for intermediaries.

    The new initiative aimed to facilitate the “development, commercialisation, and adoption” of real-world blockchain applications, by ensuring technology research efforts were aligned with industry needs.
    Dimuto, for instance, has been roped in as part of the new innovation programme to use blockchain to track and trace high-valued perishables, so farmers’ creditworthiness could be improved. Dimuto is a trade technology service that evangelises “collaborative commerce”, enabling the tracing and tracking of business documents as well as goods and services on its platform.
    The new blockchain programme also would work to make blockchain scalable, so it could be deployed in environments with high transaction volumes. In addition, the initiative would drive blockchain interoperability as well as address current challenges related to siloed blockchain networks.
    The innovation programme also would aim to boost blockchain skillsets and enable ICT companies to leverage blockchain technologies. 

    Singapore’s Deputy Prime Minister and Finance Minister Heng Swee Keat noted that the government hoped to deepen local capabilities in blockchain, which could enable transactions even in zero-trust environments.  
    Speaking at the opening of FinTech Festival here Monday, Heng said: “In the last few years, the blockchain ecosystem in Singapore has grown significantly but there are also known limitations, such as the energy efficiency of processing blockchains and the ability to connect different blockchain systems. 
    “[The blockchain innovation programme] is Singapore’s first major blockchain research and translation programme. The programme will expand blockchain research to the needs of the industry and will also look into scalability and interoperability of blockchain solutions.”
    IMDA Chief Executive Lew Chuen Hong also described the initiative as the first major industry-driven blockchain research programme. “Our intent is to proliferate blockchain adoption to a much broader set of industries, beyond just finance. This includes levelling up industry manpower and know-how,” Lew said. “These efforts allow Singapore to build a strong blockchain ecosystem and establish our role as a ‘trust hub’.”
    Enterprise Singapore’s chairman Peter Ong said the COVID-19 pandemic had underscored the need for trusted and reliable business systems in digital economies, and blockchain could help embed trust in applications, including in logistics and supply chains, trade financing, and digital identities and credentials.
    The Singapore government in September said it developed a blockchain-powered “digital health passport” to manage and secure medical records, enabling healthcare data to be stored in a digital wallet. It said the application was used in a pilot in which COVID-19 discharge memos had been verified more than 1.5 million times. 
    Banks here also teamed up to develop a digital trade finance registry on blockchain technology, that would serve as a central database from which they could access records of trade transactions. The platform aimed to drive greater transparency and reduce the risk of trade fraud, including duplicate financing. Led by DBS Bank and Standard Chartered, the initiative is supported by 12 other banks including ABN AMRO, ANZ, Deutsche Bank, ICICI, OCBC, and UOB. Singapore-based blockchain technology startup DLTLedgers has been roped in to develop the platform.

  •

    NortonLifeLock buys Avira in $360 million cash deal

    Cybersecurity firm NortonLifeLock (formerly Symantec) has agreed today to acquire German antivirus maker Avira from Bahrain-based Investcorp Technology Partners in a $360 million all-cash deal.

    The acquisition is expected to close in Q1 2021, subject to regulatory approvals and customary closing conditions, the two companies said today in a joint press release.
    Avira CEO Travis Witteveen and CTO Matthias Ollig will also join the NortonLifeLock leadership team following the deal’s completion.
    NortonLifeLock hopes today’s acquisition will accelerate its international expansion in markets where it currently has a small presence.
    Avira has a strong userbase in the EU. The company is known for its freemium business model through which it provides free security software to users across the world.
    Avira free software is installed on more than 30 million devices, and the company also boasts more than 1.5 million paying customers.
    Avira was founded in 1986 in Germany by Tjark Auerbach, and at its peak, in 2012, it boasted a userbase of more than 100 million devices.

    Auerbach sold Avira to Investcorp in April 2020 for $180 million.
    NortonLifeLock was founded in November 2019 after Broadcom bought Symantec’s enterprise security assets for $10.7 billion. NortonLifeLock now manages Symantec’s old consumer-facing portfolio.

  •

    Microsoft launches Azure Government Top Secret cloud to handle classified data

    Microsoft is taking the wraps off Azure Government Top Secret, a new cloud offering for those who need to manage top-secret classified data. The new offering joins the existing family of Azure clouds available to U.S. government users, including Azure Government and Azure Government Secret — along with the Azure public cloud.
    Microsoft is working with the U.S. government on getting accreditation for its Government Top Secret cloud. Officials said on December 7 that the company recently completed the build-out of new Azure Government Top Secret regions. Microsoft execs noted that the consistency among its various flavors of Azure means it is easier for development to happen anywhere and code to be promoted seamlessly to enclaves with higher classification levels.
    Microsoft also announced today new functionality for its Azure Government Secret cloud, which officials said is being used in the U.S. Department of Defense, law enforcement, and other agencies. Government Secret is authorized by the DoD Impact Level 6 and Intelligence Community Directive (ICD) 503. Windows Virtual Desktop is now available in Azure Government with FedRAMP High accreditation, Microsoft officials said.
    Microsoft’s Azure Kubernetes Service (AKS) and Azure Container Instances already are available in Government Secret. On the security front, Azure Sentinel, its proactive threat-management service, and Azure Security Center also are already available in Government Secret.
    Microsoft also is announcing today Availability Zones for Azure Government. Availability Zones are built to handle datacenter failures via redundancy and logical isolation of services.
    And it is adding its own Azure edge-computing devices, including the recently announced Azure Modular Datacenter, and ruggedized versions of Azure Stack Hub, Azure Stack Edge Pro, and Azure Stack Edge Mini R to its “tactical edge” portfolio.
    The Azure Modular Datacenter — available at Impact Levels 5 and 6 — is getting a new Network High Availability Module for network resiliency through multiple satellite connection partners in different orbits, as well as a High Availability Power Module. Azure Modular Datacenter is a portable version of an Azure datacenter that currently runs Azure Stack and is available to government customers and those who need portable data centers that have the option of satellite connectivity.
    Microsoft made these government cloud announcements as part of its annual Government Leaders Summit.