
    Surveillance Bill to hand AFP and ACIC a trio of new computer warrants

    The Australian government has put forward its Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 that would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
    The first warrant is a data disruption warrant, which according to the Bill’s explanatory memorandum is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
    The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
    “This means that data does not have to be stored on the devices, but can be temporarily linked, stored, or transited through them,” the memorandum states.
    “This will ensure data that is unknown or unknowable at the time the warrant is issued can be discovered, including data held on devices that have disconnected from the network once the criminal activity has been carried out.”
    The last warrant is an account takeover warrant that will allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “Any other activities, such as accessing data on the account, gathering evidence, or performing undercover activities such as taking on a false identity, must be performed under a separate warrant or authorisation,” the memorandum said.

    “Those actions are not authorised by an account takeover warrant. The account takeover warrant is designed to support existing powers, such as computer access and controlled operations, and is not designed to be used in isolation.”
    Agencies would need to report twice a year to the Commonwealth Ombudsman and the Minister for Home Affairs on the use of takeover warrants.
    If the Bill is passed, the first two warrants will be able to be issued by the Administrative Appeals Tribunal (AAT) or a suitable judge, while the takeover warrant would need approval by a magistrate.
    Citing the use of network activity warrants as an intelligence tool, the Inspector-General of Intelligence and Security will also be responsible for overseeing those warrants instead of the Commonwealth Ombudsman. Disclosing information on those warrants could incur two years jail, while disclosing information that harms an investigation or endangers a person is a 10-year offence.
    The Bill also introduces assistance orders, going some way toward realising the fears of dragooning that many raised, misplaced at the time, when the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was introduced.
    Agencies will be able to ask an AAT member or judge to force a specified person to help them.
    “This item ensures that should the AFP or the ACIC be issued a data disruption warrant, they will be able to compel assistance in accessing devices, accessing and disrupting data, copying data, and converting documents,” the memorandum states.
    “The intent of this provision is not to allow law enforcement to compel assistance from industry, but rather from a person with knowledge of a computer to assist in disrupting data (such as a person who uses the computer).”
    However, in a subsequent example, the memorandum points out that people who are not the subject of a warrant could receive an assistance order as well.
    “The AFP or the ACIC may have been issued a data disruption warrant for the purposes of targeting a user of a child exploitation forum hosted on a web service. In the course of executing the warrant, they become aware of a system administrator who has knowledge of how to access the forum but is not necessarily involved in the conduct on the forum,” the memorandum explains.
    “The AFP or the ACIC could use this knowledge by obtaining an assistance order under new section 64B and compelling the administrator to assist them by providing access. This assistance could then be used to facilitate disruption activities such as a data modification.”
    Failing to comply with an assistance order is punishable by a maximum of 10 years in jail.
    In its opening, the memorandum said existing powers are not suitable for use on targets who are “actively seeking to obscure their identity and the scope of their activities”.
    “Cyber-enabled serious and organised crime, often enabled by the dark web and other anonymising technologies, such as bespoke encrypted devices for criminal use, present a direct challenge to community safety and the rule of law,” the memorandum says.
    “Many anonymising technologies and criminal methodologies can be combined for cumulative effect, meaning it is technically difficult, and time and resource intensive, for law enforcement to take effective action.
    “Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response.”
    The Bill was introduced to Parliament on Thursday by Minister for Home Affairs Peter Dutton.

    CrowdStrike revenue climbs 86% in strong Q3 results

    CrowdStrike published third quarter financial results on Wednesday, handily beating market expectations. The company’s non-GAAP net income per share was 8 cents on revenue of $232.5 million, an 86% increase year-over-year.

    Analysts were expecting EPS of zero cents per share on revenue of $212.6 million. Shares of CrowdStrike were up more than 12% in after hours trading. 
    Subscription revenue was $213.5 million, an 87% increase. Annual Recurring Revenue (ARR) increased 81% year-over-year and grew to $907.4 million as of October 31. Of that, $116.8 million was net new ARR added in the quarter.
    Meanwhile, the company said it added 1,186 net new subscription customers in the quarter for a total of 8,416 subscription customers at the end of Q3, representing 85% growth year-over-year. The share of CrowdStrike’s subscription customers that have adopted four or more cloud modules increased to 61%, and the share with five or more cloud modules increased to 44%.
    “Broad-based demand and strength in multiple areas of the business fueled our rapid 87% year-over-year subscription revenue growth, record net new ARR and record net new subscription customers,” said CrowdStrike CEO George Kurtz. “CrowdStrike’s robust growth at scale underscores our growing leadership in the Security Cloud category and the immense value we deliver to customers seeking to transform, consolidate and fortify their security posture.”
    For the fourth quarter, CrowdStrike expects revenue in the range of $245.5 million to $250.5 million, with earnings between 8 cents and 9 cents per share. Wall Street expects the company to report Q4 earnings of a penny per share on revenue of $230.3 million.


    Okta shares surge as fiscal Q3 results top expectations, forecast higher as well

    Okta, the eleven-year-old, San Francisco-based maker of software to secure enterprise identities and authorize computer usage, this afternoon reported fiscal third-quarter revenue and profit that both topped expectations, and offered a forecast for revenue that beat expectations as well.
    CEO Todd McKinnon called the results “strong,” and added that the company is “seeing the importance of a modern identity platform like the Okta Identity Cloud grow as businesses around the world accelerate their adoption of cloud-based applications and re-imagine their digital customer experiences,” 
    For the three months ended in October, Okta reported revenue of $217 million and 4 cents per share in net profit.
    That compares to the average Street estimate of $202.8 million in revenue and a net loss of one penny per share.
    Okta said its remaining performance obligation, or RPO, a standard Wall Street measure for cloud companies’ future revenue potential, rose by 53% in the quarter to reach $1.58 billion.  
    Free cash flow in the quarter quadrupled, year over year, to $41.6 million, equating to just over 19% of revenue, the company said.   
    For the current quarter, the company sees revenue of $221 million to $222 million, above the average Wall Street estimate for $216 million.  

    Okta shares are up about 7% in late trading.


    Brazilian aerospace firm Embraer hit by cyberattack

    Brazilian aerospace and defence group Embraer has been targeted by a cyberattack that has impacted the company’s operations.
    According to a statement released by the global firm on Monday (November 30), the attack resulted in the “disclosure of data allegedly attributed to the company”.
    The incident was reported to the Brazilian Securities and Exchange Commission five days after it took place, although Brazilian legislation requires immediate reporting of problems such as cyberattacks.
    The cyberattack was identified on November 25, 2020, and access to a single systems environment of the company was unavailable as a result, according to the Embraer statement.
    As a consequence of the attack internal systems have suffered a partial and temporary interruption, which temporarily impacted some operations.
    According to Brazilian newspaper O Globo, the incident in question was a ransomware attack, which required the deactivation of a significant share of the servers operated by the company, which is currently operating under a contingency plan, with enhanced security.
    An investigation is being carried out to ascertain the origin and consequences of the attack, the Embraer statement noted.

    “The company is making every effort to investigate the circumstances of the attack, assess whether any potential impact on its business and third parties, and determine the measures to be taken,” it added.
    The Embraer news follows another major security incident in the Latin American country: the Brazilian Superior Court of Justice was hit last month by a major cyberattack that disrupted operations for more than two weeks.
    According to the president of the Superior Court, minister Henrique Martins, the event was “the worst-ever” cyberattack that a Brazilian government body has suffered, both in terms of the dimension and complexity involved.


    Cyber espionage campaign opens backdoor to steal documents from infected PCs

    A cyber espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware which provides a secret backdoor onto compromised Windows systems.
    Uncovered by cybersecurity researchers at ESET, the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers.
    Dubbed Crutch by its developers, this malware campaign has been active from 2015 through to 2020 and researchers have linked it to the Turla hacking group, due to similarities with previously uncovered Turla campaigns such as Gazer. The working hours of the group also coincide with UTC+3, the timezone which Moscow sits in. The UK’s National Cyber Security Centre (NCSC) is among those which has attributed Turla – also known as Waterbug and Venomous Bear – to Russia. 
    The newly detailed Crutch campaign appears tailored towards very specific targets with the aim of stealing sensitive documents. ESET hasn’t revealed any specifics about the target, aside from that it was a ministry of foreign affairs in an EU country. This targeting fits in with previous Turla campaigns.
    However, Crutch isn’t a first-stage payload and is only deployed after cyber attackers have already compromised the target network – something which similar campaigns to this have achieved by using specially crafted spear-phishing attacks.
    Once installed as a backdoor on the target system, Crutch communicates with a hardcoded Dropbox account, using it to exfiltrate stolen files and to fetch commands from its operators. The traffic stays under the radar because connections to Dropbox blend into normal network activity.

    Analysis of the backdoor indicates that it has repeatedly been updated and changed over the years in order to maintain effectiveness while also keeping hidden.
    “The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” said Matthieu Faou, malware researcher at ESET.
    However, despite the persistent nature of the attack by what’s regarded as a sophisticated hacking operation, there’s still some relatively simple security measures that organisations can apply to avoid falling victim to this or many other forms of cyber attack.
    “During this investigation, we noticed that attackers were able to move laterally and compromise additional machines by reusing admin passwords,” said Faou.
    “I believe that limiting lateral movement possibilities would greatly make the life of attackers harder. It means preventing users being able to run as admin, using two factor authentication on admin accounts and using unique and complex passwords,” he added.

    How to securely erase hard drives (HDDs) and solid state drives (SSDs)

    Got a pile of old drives that you need to wipe before sending them to Silicon Heaven? Or do you want to wipe a drive in a computer that you are selling or giving away? Here are some tips and tricks to help you get the job done.

    Since hard drives (HDDs) and solid-state drives (SSDs) need different handling, I’m going to cover them separately here.
    HDDs
    There are three approaches you can take to securely wiping hard drives.
    Software
    The cheapest way to tackle a pile of hard drives is to wipe them with a software eraser. I will warn you though: it’s not quick, and it won’t work on defective disks.
    My tool of choice for wiping drives is Darik’s Boot And Nuke. It’s free and does an excellent job of wiping drives clean. Bear in mind that it only overwrites the sectors the drive still presents to the host, so it can’t reach bad blocks the firmware has already remapped, and it is not the right tool for SSDs (see below).

    To use it, you’ll need to create a wipe CD or DVD, then hook up the drives you want to wipe to a PC, and run the software. Be careful not to inadvertently wipe a drive containing data you need because that will make your life suck. I suggest using a spare PC or, failing that, disconnecting all the data drives from the system you use, just in case. You can do this since you’ll be booting up off the Boot And Nuke disc and not the internal drive.
    I recommend that you read and thoroughly familiarize yourself with the documentation for this software because if you take your eye off the ball and wipe the wrong drive, your data is gone.
    Hardware

    If you don’t feel like taking the software approach, another method you can take is to employ a bespoke hardware tool to do the job. At this point, though, things start to get a little expensive, but it is faster and does mean that you don’t have to dedicate a PC to the wiping operation.
    The tool I use is Wiebetech’s Drive eRazer Ultra. It’s a fast, reliable, standalone solution to wiping hard drives and deleting everything. You hook up the drive to it, tap a few buttons, and Drive eRazer Ultra takes care of the rest.

    I’ve used this tool to wipe dozens of drives with great success. It’s an expensive solution for sure — the eRazer Ultra starts at $250 — but if you have a lot of drives to wipe, it’s well worth it.
    If you have a lot of drives to erase, then you might want to go for a tool that can erase multiple drives simultaneously, such as the StarTech four-bay drive eraser.
    The StarTech four-bay drive eraser is packed with the following features:
    Secure, standalone drive erasing for up to four 2.5-inch and 3.5-inch SATA SSD/HDD drives
    Nine erase modes including: Quick and Secure Erase, Single Pass Overwrite, and Multi-pass Overwrites — meets DoD (5220.22-M) standards
    Support for Secure Erase and Enhanced Secure Erase for SSDs
    Easy operation with LCD and push-button navigation
    The built-in nine-pin serial port enables you to print erase logs using a receipt printer
    Supports SATA I and II (up to 3Gbps)
    Also supports 2.5-inch and 3.5-inch IDE hard drives, mSATA drives, and SATA M.2 drives using a compatible StarTech.com adapter
    TAA compliant
    Plug-and-play installation
    Out of the box, the four-bay unit is capable of dealing with 2.5-inch and 3.5-inch SATA drives (both SSDs and HDDs) and the hard drive eraser also works with 2.5-inch and 3.5-inch IDE hard drives, mSATA drives, and SATA M.2 drives using a compatible StarTech.com adapter.
    The hard drive eraser is easy-to-use, thanks to its convenient menu navigation system, with push-button operation and a built-in LCD that clearly identifies the erase modes and task status. You can also connect the eraser to a computer to quickly access the drive that’s attached to port-1 on the eraser.
    To ensure your records are complete for auditing, the hard drive eraser features a nine-pin serial port that can connect to a serial printer to provide on-demand erase logs.

    The hands-on methods
    OK, what do you do if you want to wipe drives that have died or become defective in some way, with data still on them that now cannot be wiped? You could take a chance that since the drive is dead, the data is gone, but you have to plan on the drive falling into the hands of someone cleverer than you (or someone with more time, patience, and resources).
    Here’s where the hands-on methods come into play. These methods also work great if you just want to destroy drives before you take them to the recycling plant.
    I have two methods. A surgical method, and a more medieval method.
    For the surgical method you will need:
    A drill and HSS drill bit (I use about 1/4-inch/6mm) — you see where I’m going with this
    Thick gloves — shards of metal will shred you
    Eye protection — we’re destroying drives here, not eyes
    A vice or clamp — stops the drill bit from getting caught in the drive and turning it into a wildly spinning and flailing object
    I then drill three holes as shown below. If you want speed and only want to drill a single hole, pick the spot marked with the X. For a more complete job, hit the green stars, too. See the video above for a step-by-step guide.
    You can also optionally put a couple of holes in the circuit board on the other side for good measure.

    Then there’s the more brutal method. For this, you will need:
    A hammer — I use my trusty 32oz “fine adjustment” hammer
    A thick nail — a 6-inch nail will do fine
    Thick gloves — because you’re going to be hammering that nail through the drive using the hammer, and hammers seem to be inexplicably attracted to thumbs
    A block of wood — so you don’t nail the drive to your floor (it’s preferable to do this outside if you can)
    Eye protection — you’ve only got a maximum of two to start with, so it’s silly to take chances!
    Now, you apply brute force. Ideally, you want to put a nail through the platters of the drive, going all the way through (it’s actually not as hard as it sounds). Again, aim for the spot marked by the red X, and optionally the green stars for a more complete job.
    This is a very effective method of destroying drives, and it’s also a lot of fun, not to mention a great way to relieve stress!
    SSDs
    With solid-state drives, things can get very complicated, and I could write reams about TRIM commands and garbage collection, and so on. The problem is things get convoluted, which is when mistakes happen and your precious baby pictures or work project gets deleted. With that in mind, I’m going to keep things simple.
    Erase using manufacturer utilities
    One way to erase SSDs is to use the manufacturer’s utilities. Here are some links to get you started.
    If you have a drive from a different source, go check out their website.
    Encrypt the whole drive
    One of the easiest ways is to encrypt the entire drive with a complex passphrase. On Windows, you can use something like VeraCrypt; on a Mac, use the built-in FileVault utility, and you’re done. No passphrase, no data.
    You can then format the drive, from which point it should be sterile and ready to accept a reload of the data. One caveat for SSDs: the controller may already have copied blocks elsewhere as part of wear levelling, and those retired copies never get encrypted, so where the drive supports its own secure-erase command (see the manufacturer utilities above), prefer that.
    PARTED Magic
    Another way to do this is to use a software tool called Parted Magic. This supports both HDDs and SSDs.
    While Parted Magic is not free (price starts at a reasonable $11), it is a very effective tool, and one of the best I’ve used for wiping SSDs.
    The hands-on method
    If the drive is dead, or you just want to get rid of it in a hurry and don’t want a functioning drive at the end of it, then you can take a hammer to the SSD or flash drive.
    One thing to bear in mind is that the data in SSDs is held on small flash storage chips rather than large platters, and to securely erase the data, you need to smash the chips. Usually this means taking the cover off the drive before you start swinging.
    If you’re not sure which are the flash storage chips, just drive a nail through all the large chips to be on the safe side.


    Open source software security vulnerabilities exist for over four years before detection

    It takes an average of more than four years for vulnerabilities in open source software to be spotted, a gap researchers say the security community needs to close. 

    According to GitHub’s annual State of the Octoverse report, published on Wednesday, reliance on open source projects, components, and libraries is more common than ever. 
    Over the course of 2020, GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created — and over 1.9 billion contributions added — over the course of the year. 
    “You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,” GitHub says. “Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.”
    GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.
    Only active repositories have been included, excluding forks and ‘spam’ projects. The package ecosystems analyzed are Composer, Maven, npm, NuGet, PyPI, and RubyGems. 

    In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript — 94% — as well as Ruby and .NET, at 90%, respectively. 
    On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says “indicates clear opportunities to improve vulnerability detection.”
    However, the majority of bugs in open source software are not malicious. Instead, 83% of the CVE alerts issued by GitHub have been caused by mistakes and human error — although threat actors can still take advantage of them for malicious purposes. 
    In total, 17% of vulnerabilities are considered malicious — such as backdoor variants — but these triggered only 0.2% of alerts, as they are most often found in abandoned or rarely-used packages. 
    According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert. 
    Defining the ‘worst’ open source vulnerabilities of 2020 is not an easy task as it depends on the reach of impact — on users and repositories — exploitability, and other factors. Some bugs may immediately come to mind, including Zerologon (CVE-2020-1472) and SMBGhost (CVE-2020-0796), but when it comes to project maintainers, GitHub has named a prototype pollution flaw in lodash as a top vulnerability. 
    Tracked as CVE-2020-8203 and given a CVSS severity score of 7.4, this prototype pollution flaw alone has been responsible for over five million GitHub Dependabot alerts, because lodash is one of the most widely used npm packages. 
    The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist. GitHub says that project developers, maintainers, and users should check their dependencies for vulnerabilities on a regular basis and should consider implementing automated alerts to remedy security issues in a more efficient and rapid way. 
    “Open source is critical infrastructure, and we should all contribute to the security of open source software,” the organization added. “Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit.”
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Absa bank embroiled in data leak, rogue employee accused of theft

    Absa has notified customers of a data breach potentially compromising their personal information. 

    The Johannesburg, South Africa-based financial services group, which provides personal and business banking as well as wealth management services, has pointed the finger at an employee for the security incident. 
    Absa maintains a presence in 12 countries across the continent and accounts for roughly 42,000 employees.  
    As reported by local publication MyBroadband, Absa sent an email to customers on Monday informing them of the data breach. The message said that personally identifiable information (PII) belonging to clients was exposed to “external parties.” 
    “We regret to notify you that Absa has identified an isolated internal data leak whereby personal information of a limited number of Absa customers was shared with parties external to the bank,” the financial group said. 
    ID numbers, contact details, physical home addresses, and account numbers are thought to have been compromised. Absa has not revealed if any other sensitive, financial data was involved in the data leak. 

    It is also not known how many customers have been impacted, although the bank intends to monitor more closely for suspicious transactions in a “small” number of its client base that may have had their information stolen. If transfers are suspected of being fraudulent, Absa will ring customers to verify transactions.
    Absa says that additional security measures are being implemented, but in the meantime, it is believed that a rogue employee is at fault. According to local media, Absa has accused a staff member of illegally making “customer data available” to third parties, and criminal charges have been brought against the unnamed individual. 
    Data was found on devices during search and seizure operations and has been destroyed. The investigation is ongoing. 
    Only three months before this security incident, Absa Group Limited’s cybersecurity team was named the “Not for Profit Team of the Year” in the 2020 Cyber Security Awards, with Absa CSO Sandro Bucchianeri commended in the Cybersecurity industry “Personality of the Year” category.