More stories


    OAIC has fielded zero complaints and received no reported COVIDSafe breaches

    The Office of the Australian Information Commissioner (OAIC) has released its first six-monthly report on the privacy and security of Australia’s COVIDSafe app, which has been far from successful and only identified a small number of unique cases.
    The app, which was touted at its introduction as being akin to sunscreen, has since been relegated to double-checking duties.
    “There is scarce evidence on the effectiveness of digital or automated contact tracing,” a contact tracing review released earlier this month said.
    For the OAIC, from May 16 to November 15, it fielded no complaints about the app and handled 11 enquiries. Over half of the enquiries occurred in July, and no enquiries were reported for October or November.
    “We provided general information in response to 10 enquiries and provided assistance on how to make a complaint in response to one enquiry,” the OAIC said.
    The types of enquiries handled were about the legal basis of the app, the number of downloads of the app, whether the app could be a condition of entry to a worksite, whether education organisations could force students to download the app, and whether sporting organisations could force members to use the app.

    The OAIC has also started four assessments related to the access controls used on the data store, functionality of the app against privacy policy and collection notices, and whether the data store administrator was complying with requirements related to data handling, retention, and deletion.
    The title of data store administrator was passed from the Department of Health to the Digital Transformation Agency (DTA) on May 16.
    Attached to the end of the report was an unclassified report from the Inspector-General of Intelligence and Security (IGIS) on how the agencies under its purview — Australian Security Intelligence Organisation, Australian Security Intelligence Service, Australian Signals Directorate, Office of National Intelligence, Australian Geospatial-Intelligence Organisation, and Defence Intelligence Organisation — had complied with requirements under the Privacy Act for COVIDSafe data.
    “Incidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act); however there is no evidence that any agency within IGIS jurisdiction has decrypted, accessed or used any COVID app data,” the IGIS report said.
    “IGIS advises that it plans inspection activities in coming months to verify data deletion and provide further assurance that no COVID app data has been accessed, used or disclosed.”
    The IGIS report added that agencies said it would be difficult to identify “encrypted COVID app data amongst other lawfully collected encrypted data”. The agencies also said they were developing procedures to use when incidental collection occurs and implementing procedures to delete data “as soon as practicable”.
    In June, it was revealed the DTA knew COVIDSafe had severe flaws, despite sending it out for public use on 26 April 2020. It followed research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.
    “COVIDSafe works as is written on the label, it supports public health efforts … there is no intention to jettison the current app and start again … our intention is to continue to improve the current app,” DTA CEO Randall Brugeaud said last month at Estimates when questioned whether the government would switch to the Apple or Google notification framework.


    Monash University and The Alfred to develop AI-based superbug detection system

    Monash University and Alfred Hospital are developing an artificial intelligence-based system to improve the way superbugs are diagnosed, treated, and prevented.
    According to Monash University professor of digital health Christopher Bain, infections from superbugs kill 700,000 people every year, and by 2050 the world could see 10 million deaths annually from previously treatable diseases. Superbugs arise when microbes evolve to become immune to the effects of antimicrobials.
    The project, which will be based mainly at The Alfred, has received AU$3.4 million from the federal government’s Medical Research Future Fund. According to the project’s lead researcher, Antony Peleg, the project will look to integrate genomics, electronic healthcare data, and AI technologies to address antimicrobial resistance in the healthcare system. Specifically, it will leverage tens of thousands of data points per patient and infecting pathogen to help predict treatment responses and patient outcomes.
    “This project will push the boundaries of what can be achieved in healthcare and how new technologies can be applied to understand how superbugs infect humans and the way they are transmitted within a hospital system,” Peleg said.
    In addition to providing earlier detection of antimicrobial resistance, the two organisations are also hoping the system will be able to create personalised treatment for patients and prevent outbreaks.
    Elsewhere in Australia’s health sector, AustCyber has provided AU$500,000 in funding to cybersecurity startup Haventec to develop a new health consent system. The system, called eConsent for Genomics, is aimed at improving how healthcare providers, service providers, and patients securely store and consent to personal health information. The funding will come from the AustCyber Projects Fund, which is a three-year AU$15 million federal government initiative designed to help the Australian cybersecurity industry grow both locally and globally.
    The system is expected to cost around AU$1 million to build, with Haventec and consortium partner 23Strands to provide the remaining AU$500,000.
    According to Haventec, the development of eConsent for Genomics comes at a critical time as current models for storing personal health information are consistently failing, with the health sector regularly topping the list of notifiable data breaches. Partnering with 23Strands, Haventec will also use the new consent system in a research project focused on COVID-19 patients. The research will look to correlate negative and positive health outcomes to specific DNA profiles, which it hopes will improve predictions regarding how individuals will react if they become infected with COVID-19.
    Monash Uni publishes ethics analysis of agri-robots
    Monash University on Monday also published a report on the ethical and policy issues behind using robots in agriculture. The authors, Monash University philosophy professor Robert Sparrow and philosophy research fellow Dr Mark Howard, said they wrote it because little attention has been paid to the ethical and policy challenges of increasingly automated agriculture.
    “People weren’t thinking about or talking about, such as unintended consequences, or what might happen in life and when things don’t work out perfectly,” Sparrow told ZDNet.
    Currently, Australia’s agriculture sector accounts for around 2.5% of the country’s workforce.
    Undertaking a literature review on applications of agricultural robots to address these questions, the report found that robots could help farmers confront challenges such as climate change, soil depletion, loss of biodiversity, water scarcity, and population growth by improving yield and productivity. Physically intensive labour associated with agricultural work could also see robots developed for tasks such as weeding, fruit and vegetable picking, food handling, and packaging, which could increase productivity and the amount of produce sent to market, the authors said.
    Sparrow noted that technologies such as fruit-picking robots could also be developed in the next decade, which could have large implications for seasonal employment. 

    “While there hasn’t yet been widespread adoption of robots in farming due to a lack of technological breakthroughs, it’s anticipated there will be a gradual emergence of technologies for precision farming, as well as the use of automation in food processing and packaging,” Sparrow said.
    However, they also stated the widespread adoption of robots in farming could have negative consequences, such as the mismanagement of chemicals and soil compaction due to heavy robots, and the exacerbation of potential food wastage if consumers come to expect standardised or “perfect” produce. 
    The pair added that increased robot use could lead to more standardised breeding of livestock and genetically modified crops so that harvests are better suited to robots. There is also a fear that smaller or struggling farms could miss out on the technology and be unable to keep up, leading to a centralisation of ownership in agriculture, Sparrow said.
    “In order to reduce the risk that robots will further centralise ownership in the agricultural sector and further encourage monocultures at the expense of biodiversity, governments, and researchers might prioritise the development of sophisticated robots that are sufficiently flexible to allow their use on small properties and with a wider range of crops and livestock,” the report said.


    Living with COVID-19 creates a privacy dilemma for us all

    Image: Getty Images/iStockphoto
    This piece comes to you from the mostly coronavirus-free shores of Australia. But the virus is still not eliminated; various places can have an extended run of virus-free days, which can then turn into weeks and months, before the virus suddenly comes back.

    There is no better example of this than the reemergence of COVID-19 in New Zealand back in August, after the nation went 100 days without the virus and was widely considered to have eliminated it. 
    At the time of writing, South Australia just left lockdown after a surge in cases, despite the state shutting its borders to places such as New South Wales and Victoria, and only having handfuls of cases reported each day, if any were reported at all, since April.
    According to the recent National Contact Tracing Review, the takeaway lesson from 2020 is to throw the kitchen sink at outbreaks when they appear.
    “In the event of an outbreak, every effort should be made to go hard and go early,” the review said.
    The way to suppress a surge in cases is to make sure those with the virus can have their recent close contacts traced, thereby getting those identified into quarantine and tested. This is in the hopes that the virus can be prevented from spreading further into the community. Key to all of this is having quick access to data.
    For contact tracers, the first stop is asking people where they have been, but as we all know, the human mind is far from perfect. And this is before even considering the task of identifying random people who happened to be in a venue with a positive case.

    Enter initiatives such as Australia’s COVIDSafe app, which has been far from successful and only identified a small number of unique cases. The app that was touted at its introduction as being akin to sunscreen has since been relegated to double-checking duties.
    “There is scarce evidence on the effectiveness of digital or automated contact tracing,” the report said.
    Along with the app, Australia has also pushed venues to install check-in processes in response to various parts of the country reopening. This usually takes the form of a QR code and requires filling in an online form with details such as name and phone number, with pen and paper used as a backup.
    If state governments from the get-go had the check-in systems in place that they have now, it could have been possible to have a centralised data store for check-in data, but that was not to be. As it stands, a bunch of private organisations have rushed in to fill the void.
    “In addition to the disadvantage of not having a centralised database for contact tracers to interrogate the data, many of these apps are requesting unnecessary information from customers that adds significantly to the time taken to register, and is sometimes used for marketing purposes,” the report said.
    “Further, because of the multiplicity of applications, customers find themselves entering the same information repeatedly if they visit different venues. These repetitive and in some cases unnecessary burdens on customers are likely to result in lower overall compliance with attendance recording.”
    It needs little repeating but 2020 is a weird year. Last year, if the prospect of a centralised attendance database run by a government was put before me, I’d have yelled the words “Big Brother”, “surveillance state”, and probably a few other choice phrases. And yet, as the year ends, I have more faith that my state government will not flog my data to the highest bidder and has created some form of requirement to actually delete the data when it is not needed anymore.
    Getting more specific than throwing the kitchen sink, the review also recommended for states to have a single app for check-ins, or failing that, that all such apps adhere to a common standard.
    At this stage, it needs pointing out that in Australia the data retention regime ensures the nation’s law enforcement agencies have easy access to which phones are on what mobile tower, so I am not doing a something compared to nothing comparison when I talk about attendance databases. It’s a more granular form of data than what the government had access to last year, and at any rate, Google knows where I am.
    If I wanted to opt out of needing to check in at places like cafes and restaurants, there is a simple solution, of course. Don’t go. Get take away instead.
    In trying to solve that problem, since even getting takeaway might expose you to the virus, the contact tracing review proposed something that would make check-in databases look like small fry.
    “The Commonwealth should lead the development of arrangements between states and territories and payment card providers so that contact tracers from the states and territories will be able to request contact details of persons who have made a transaction at a hotspot venue, noting that privacy rules will apply and in some jurisdictions legislative change may be required,” the report said.
    Thanks to Australia having a modern payment backbone, access to which cards were used at which venues is a quick API call or two away — and the payments would be based on cards since the use of cash has plummeted in the days of COVID and there are little signs of its use bouncing back.
    Not yet done with raising privacy questions, the review also recommended looking into a way to download information from smartphones that could help contact tracers. As is standard, the review said it should be based on citizen consent, and as any privacy-minded person would tell you, authorities have absolutely, positively never bluffed or misinformed their way to get into a person’s home, nor have they convinced someone to hand over a phone when they didn’t want to.
    Is it outrageous that payment data and smartphones would be taken to get information into the contact tracing systems that the review proposes? Yes. But we are also talking about a virus that, despite what some may choose to believe, is fatal.
    If a knife-wielding assailant had been running around town since March, randomly stabbing a couple of people a day, and part of the solution to stopping them was to examine payment data, it would be a brave privacy absolutist who stood in the way of that action. But that is the sort of vexed question of balance that now faces nations as they battle the virus until a vaccine is hopefully rolled out.
    Magical thinking that some sort of automated dream system could be used was dismissed in the report. In a system where the stakes are this high, the option for humans to eyeball the data is essential, it said.
    “Importantly, whilst a fully digital contact tracing system can dramatically improve the efficiency of contact tracing, it will never replace the need for well-trained contact tracers and expert public health oversight,” the report stated.
    Similarly, even if the sort of data exchange desired by the report’s authors was created — one where data is not stored in the exchange and quickly pulls from disparate sources spread across all levels of government from airline passenger manifests to vaccination statuses, all the while simultaneously preserving as much privacy as possible — there are no guarantees it would work. In fact, the opposite is more likely.
    “Even with the best systems in place, outbreaks are likely to be unavoidable,” the report said.
    Trying to find the balance between wanting to clamp down on outbreaks as quickly as possible and preserving individual freedoms is and has been a job that looks different for every society: China and its door-welding approach has sat on one extreme while the individual-centric United States has been on the other.
    It’s tempting to think the measures taken would be temporary, and therefore unquestionably necessary, in the current situation of fighting the fight in front of us. But with parts of the Australian government apparatus stating last week that they are expecting other zoonotic pandemics to follow in the wake of COVID-19, the balances that are struck will be with us for some time.
    Adding to that, Australia is without any sort of human rights charter, alone among western democracies. Instead, it seems to operate on the famous Denuto “vibe” argument.
    “Australians do have a lack of understanding of the rights framework within Australia. They do think we have rights protected that we don’t have protected,” Law Council of Australia president Pauline Wright told the National Press Club on Wednesday.
    “Australians also, the data shows, are quite compliant to regulation. Australians like being regulated. They like rules and [when] something goes wrong, they say ‘there ought to be a law against that’ — and that is the way Australians behave.”
    Wright added that so far in the pandemic, it’s no surprise that Australians have been “fairly compliant”.
    “I think that we, in some ways, we can be proud of that because people who have been behaving as a collective and saying we want to protect other Australians and ourselves against this disease, so we will do this,” she added.
    “But that social compact will break down if the government takes it too far — it will break down. At the moment, it hasn’t — apart from certain pockets.”
    Wright used the opportunity to argue for human rights legislation at the national level.
    As a first step, it would simply be nice if governments tore down the apparatuses built since the start of the year once they are no longer needed. But if past form is any indicator, the omens are not good.
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.


    Manchester United football club discloses security breach

    Image: Alessio Festa
    European football club Manchester United disclosed on late Friday a cyber-security incident that impacted its internal systems.

    The football club said it’s still investigating the incident and couldn’t say if the breach allowed the intruders to access data associated with fans or store customers.
    While the club remained tight-lipped about what hackers managed to access, they said the incident didn’t impact its primary media channels, such as its website and mobile apps.
    “All critical systems required for matches to take place at Old Trafford remain secure and operational and tomorrow’s game against West Bromwich Albion will go ahead,” club officials said in a press release issued late Friday night.
    United officials said they detected the attack and took swift action to contain it, which minimized its impact. The club says it is now working with security experts to investigate the incident and minimize the IT disruption. Manchester police were also notified of the incident.
    Manchester United is the second major UK club to disclose a major security breach. In July 2018, a hacker accessed FC Liverpool’s IT network and collected data on the club’s fans.
    But Man-U and Liverpool aren’t alone. Other UK football clubs were also targeted by spear-phishing attacks and BEC scammers looking to hijack club payments, according to a report published by the UK National Cyber Security Centre in July this year.

    The same report also revealed that one unnamed club also suffered a ransomware attack that impacted its access gate turnstiles. The incident was remediated in time for the next match, allowing fans to enter the stadium.


    Botnets have been silently mass-scanning the internet for unsecured ENV files

    Drawing little attention to themselves, multiple threat actors have spent the past two to three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers.


    ENV files, or environment files, are a type of configuration file usually used by development tools.
    Frameworks like Docker, Node.js, Symfony, and Django use ENV files to store environment variables, such as API tokens, passwords, and database logins.
    Due to the nature of the data they hold, ENV files should always be stored in protected folders.
    “I’d imagine a botnet is scanning for these files to find API tokens that will allow the attacker to interact with databases like Firebase, or AWS instances, etc.,” Daniel Bunce, Principal Security Analyst for SecurityJoes, told ZDNet.
    “If an attacker is able to get access to private API keys, they can abuse the software,” Bunce added.
    More than 1,100 ENV scanners active this month alone
    Application developers have often received warnings about malicious botnets scanning for GIT configuration files or for SSH private keys that have been accidentally uploaded online, but scans for ENV files have been just as common as the first two.

    More than 2,800 different IP addresses have been used to scan for ENV files over the past three years, with more than 1,100 scanners being active over the past month, according to security firm GreyNoise.

    Similar scans have also been recorded by threat intelligence firm Bad Packets, which has been tracking the most common scanned ENV file paths on Twitter for the past year.

    185.234.218.174 (🇵🇱) is mass scanning the internet for these paths:
    /admin-app/.env
    /api/.env
    /app/.env
    /apps/.env
    /back/.env
    /core/.env
    /cp/.env
    /development/.env
    /docker/.env
    /fedex/.env
    /local/.env
    /private/.env
    /rest/.env
    /shared/.env
    /sources/.env
    /system/.env
    . . .
    — Bad Packets (@bad_packets) February 19, 2020

    Threat actors who identify ENV files will end up downloading the file, extracting any sensitive credentials, and then breaching a company’s backend infrastructure.
    The end goal of these subsequent attacks can be anything from the theft of intellectual property and business secrets, to ransomware attacks, or to the installation of hidden crypto-mining malware.
    Developers are advised to test and see if their apps’ ENV files are accessible online and then secure any ENV file that was accidentally exposed. For exposed ENV files, changing all tokens and passwords is also a must.
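The scan pattern described above (one source probing many different .env paths) and the advice to check whether your own ENV files are reachable both show up in an ordinary web-server access log. The following Python is an added example written for this page, not code from GreyNoise, Bad Packets or ZDNet. It parses combined-format log lines (a constructed sample with RFC 5737 documentation addresses is embedded), reports any client that probed several distinct .env paths as a scanner, and separately reports any .env request the server answered with a 2xx status, since that is the case where the file was actually handed out and every secret in it must be rotated. The path regex also accepts variants such as .env.bak and .env.local, which goes slightly beyond the paths quoted in the tweet; the threshold of three distinct paths is an arbitrary choice for this example.

```python
import re
from collections import defaultdict

# Constructed sample web-server log lines in the common "combined" format.
# The IPs are documentation ranges (RFC 5737), not real scanners.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2020:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Feb/2020:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Feb/2020:10:01:03 +0000] "GET /app/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Feb/2020:10:01:04 +0000] "GET /docker/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Feb/2020:10:01:04 +0000] "GET /private/.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2020:10:05:01 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.55 - - [19/Feb/2020:10:07:30 +0000] "GET /static/env.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# One combined-format request line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A path whose final segment is ".env" or a variant such as ".env.bak" / ".env.local".
# Requiring the leading dot keeps unrelated names like /static/env.js out.
ENV_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$')


def parse_line(line):
    """Split one log line into ip, ts, method, path and integer status, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_env_requests(log_text, scanner_threshold=3):
    """Find .env probes in a log.

    Returns {"scanners": {ip: [sorted paths]}, "exposed": [(ip, path, status)]}.
    A client that probed at least `scanner_threshold` distinct .env paths is
    reported as a scanner. Any .env request answered with a 2xx is reported as
    an exposure, because the server really served the file in that case.
    """
    paths_by_ip = defaultdict(set)
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore any query string
        if not ENV_RE.search(path):
            continue
        paths_by_ip[rec["ip"]].add(path)
        if 200 <= rec["status"] < 300:
            exposed.append((rec["ip"], path, rec["status"]))
    scanners = {
        ip: sorted(paths)
        for ip, paths in paths_by_ip.items()
        if len(paths) >= scanner_threshold
    }
    return {"scanners": scanners, "exposed": exposed}


if __name__ == "__main__":
    result = classify_env_requests(SAMPLE_LOG)
    for ip, paths in result["scanners"].items():
        print(f"scanner {ip}: {len(paths)} distinct .env paths probed")
    for ip, path, status in result["exposed"]:
        print(f"EXPOSED: {path} served with {status} to {ip}; rotate every secret in it")
```

On the sample, 203.0.113.10 is reported as a scanner and its hit on /private/.env as an exposure, while the single 403-answered probe from 198.51.100.7 and the request for env.js are not. In practice the same logic can be pointed at a real access log by reading the file instead of the embedded string; a non-empty "exposed" list is the finding that matters, and an empty one is the check the article recommends developers perform.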


    Why even the best free VPNs are not a risk worth taking

    TANSTAAFL. If you’ve read your Heinlein, you know it’s an acronym for “There ain’t no such thing as a free lunch.” That phrase has actually been around since the days of Old West saloons. If you bought a drink, the saloon would provide you with a free lunch. There was a catch, of course. The lunches were so salty that patrons wound up buying more and more drinks, to slake their thirst.


    There’s always a catch.
    Think about Facebook. We use it for free, but in return for that attention, Facebook catalogs vast amounts of information about us, which it uses for targeted advertising. Google became one of the world’s most profitable companies on the back of “giving away” free search (along with little ads on the side). The result was almost total dominance of the digital advertising industry.
    TANSTAAFL.
    All of that brings us to VPN services. Let’s do a two-minute recap of what a VPN is, first. VPN (or Virtual Private Network) is a term used for services that allow you to encrypt your internet traffic between your computer and a destination computer on the VPN service. This is particularly necessary when using something like a hotel’s open Wi-Fi service, so that other guests can’t watch all your traffic and steal juicy bits, like credit card numbers and passwords.
    I did a great intro to VPNs for CNET, our sister site. If you don’t know which VPN service to use, I compared a bunch of commercial VPN providers in The Best VPN services of 2020, analyzing them against 20 different factors.

    That directory was a study of commercial VPN services. I limited my analysis to commercial services for a reason: TANSTAAFL.
    There are also many free VPN services, but I don’t trust them. You probably shouldn’t either.
    Here’s the thing: Running a VPN service is expensive. You need either servers and data lines, or you’re paying a cloud vendor like Amazon for every bit received, sent, and stored. Either way, it costs money. So, think about this: If you’re running a free VPN service, how do you pay for all that expense?
    You. In the back of the room. I see your hand up. “Ads,” you say. Yep, that’s a possibility. Some free VPN services plaster ads on your browser display and sell those to whomever will pay.
    I see another hand. “Stolen data.” That’s a possibility, too. If you were a criminal organization or a terrorist ring, and you wanted to pick up a lot of credentials quickly, one easy way would be to open up a free VPN and wait for people to just hand you their secret information. As P.T. Barnum is said to have said, “There’s a sucker born every minute.”
    TASBEM. In other words, TANSTAAFL.
    OK, one more. “Lead in for upgrade sales.” Yeah, that works, too. Some vendors will offer a small amount of free access and when you eat up that bandwidth, they’ll ask you to upgrade. Try before you buy is a proven method for selling services, it’s perfectly legitimate, and it’s often good for both the vendor and the customer.
    You may also see some universities, activists, and other well-meaning groups offer free VPNs, but the problem is that they are resource constrained. That means that you’re bound to see either slowdowns or stoppages because they can’t afford the resources needed to provide the service. Some of those groups might also harvest information as you use their services, for use sometime in the future to further whatever their agendas might be.
    The bottom line, though, is this: It’s just not worth risking your personal and financial data on a free VPN service. The VPN services I rated range from about $6 to $12 per month, or about $40 to $120 per year. It’s usually a better deal to pay for the whole year at once.
    The cost of identity theft keeps going up, both in out-of-pocket expenses and in the time and hassle to clean up the mess. When it comes to a service that’s designed to transfer your personal credentials and keep them safe, isn’t it worth spending just a few bucks to save potentially thousands of dollars, hundreds of hours, and an unmeasurable amount of stomach acid?
    For me, it is. I’m using a commercial VPN right now, as I write this. For the peace of mind and digital protection, it’s a few bucks well spent.
    *By the way, if you haven’t read Robert Heinlein’s The Moon is a Harsh Mistress, I recommend it highly. It’s a Hugo and Nebula-award winning novel. One word of warning: It’s quite political (1960s political). But it’s also brilliant science fiction — a must read for any serious student of the genre.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    Drupal sites vulnerable to double-extension attacks

    Image: Drupal Project // Composition: ZDNet
    The team behind the Drupal content management system (CMS) released security updates this week to patch a critical vulnerability that is easy to exploit and can grant attackers full control over vulnerable sites.

    Drupal, which is currently the fourth most used CMS on the internet after WordPress, Shopify, and Joomla, gave the vulnerability a rating of “Critical,” advising site owners to patch as soon as possible.
    Tracked as CVE-2020-13671, the vulnerability is ridiculously simple to exploit and relies on the good ol’ “double extension” trick.
    Attackers can add a second extension to a malicious file, upload it to a Drupal site through an open upload field, and have the malicious file executed.
    For example, a malicious file like malware.php could be renamed to malware.php.txt. When uploaded to a Drupal site, the file would be classified as a text file rather than a PHP file, but Drupal would end up executing the malicious PHP code when trying to read the text file.
    Drupal devs urge site admins to review recent uploads
    Normally, files with two extensions would be detected, but in a security advisory published on Wednesday, Drupal devs said the vulnerability resides in the fact that the Drupal CMS does not sanitize “certain” file names, allowing some malicious files to slip through.
    Drupal devs say this “can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.”

    Security updates were released for Drupal 7, 8, and 9 to correct the file upload sanitization procedures.
    But the Drupal team also urges site admins to review recent uploads for files with two extensions, in case the bug was discovered and exploited by attackers before the patch.
    “Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:
    phar
    php
    pl
    py
    cgi
    asp
    js
    html
    htm
    phtml
    “This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis,” Drupal devs said.
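    The “review recent uploads” step above, worked through as an added example (this is not Drupal’s code, nor part of the original article): a small Python triage script that applies the advisory’s extension list to every dot-separated segment of a filename, flags double-extension names such as invoice.php.txt, and shows the munging approach that upload sanitization typically uses (appending an underscore to a dangerous intermediate extension, so that a server which lets any dotted segment select a handler, as Apache’s mod_mime does, no longer sees a .php segment). The munging routine and the sample directory listing are assumptions made for illustration, not Drupal’s implementation.

```python
"""Defender-side check for double-extension uploads, following the
extension list in the Drupal advisory (added example, not Drupal's code)."""
from __future__ import annotations

from pathlib import PurePosixPath

# The extensions the advisory says remain dangerous even when followed by
# one or more further extensions. The advisory notes the list is not exhaustive.
DANGEROUS_EXTENSIONS = frozenset(
    {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}
)


def _split_name(filename: str) -> tuple[bool, str, list[str]]:
    """Return (is_hidden, base_name, extension_segments) for the basename
    of 'filename'. Only the basename is used, so a path prefix cannot
    disguise the name; a leading dot ('.htaccess') is a hidden-file marker,
    not an extension."""
    name = PurePosixPath(filename).name
    hidden = name.startswith(".")
    parts = name.lstrip(".").split(".")
    return hidden, parts[0], parts[1:]


def dangerous_extensions(filename: str) -> list[str]:
    """Every extension segment on the dangerous list, whatever its position
    in the name (lower-cased): ['php'] for 'invoice.php.txt'."""
    _, _, exts = _split_name(filename)
    return [e.lower() for e in exts if e.lower() in DANGEROUS_EXTENSIONS]


def is_suspicious_upload(filename: str) -> bool:
    """True when any segment of the name is a dangerous extension."""
    return bool(dangerous_extensions(filename))


def munge_filename(filename: str) -> str:
    """Neutralise dangerous *intermediate* extensions by appending '_'
    ('invoice.php.txt' -> 'invoice.php_.txt'). A name whose *final*
    extension is dangerous is refused outright (ValueError): munging it
    would only hide the problem. Assumed illustration of the munging
    approach; not Drupal's own routine."""
    hidden, base, exts = _split_name(filename)
    if exts and exts[-1].lower() in DANGEROUS_EXTENSIONS:
        raise ValueError(f"refusing upload with executable extension: {filename}")
    munged = [e + "_" if e.lower() in DANGEROUS_EXTENSIONS else e
              for e in exts[:-1]] + exts[-1:]
    return ("." if hidden else "") + ".".join([base] + munged)


def review_uploads(filenames) -> list[tuple[str, list[str]]]:
    """Triage helper for the 'review recent uploads' step: the suspicious
    names paired with the extension segments that flagged them."""
    return [(f, dangerous_extensions(f)) for f in filenames
            if is_suspicious_upload(f)]


# Constructed sample listing of an upload directory (not real data).
SAMPLE_UPLOADS = [
    "photo.jpg",
    "report.pdf",
    "invoice.php.txt",    # the double-extension trick from the article
    "notes.PHTML.jpeg",   # mixed case must not slip through
    "archive.tar.gz",     # harmless double extension
    "shell.php",          # single dangerous extension
    "resume.html.pdf",
]

if __name__ == "__main__":
    for name, exts in review_uploads(SAMPLE_UPLOADS):
        print(f"{name:20} flagged by {exts}")
    print("munged:", munge_filename("invoice.php.txt"))
```

    Run against a real upload directory, the names would come from something like `os.listdir` instead of the constructed list; the point of checking every segment rather than only the last one is exactly the advisory’s warning that a dangerous extension stays dangerous when more extensions follow it.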
    It is surprising that such a bug was discovered in Drupal. The double-extension trick is one of the oldest tricks in the book, and it’s one of the main attack vectors that CMS products validate when processing upload fields.
    Double extensions have also been a major issue for Windows users, where malware authors often distribute files with two extensions, such as file.png.exe.
    Because Windows hides the last file extension by default, the EXE extension is hidden and only the first one is shown, tricking users into believing they’re opening an image when, in fact, they are running an executable file that eventually installs malware.


    Two Romanians arrested for running three malware services

    A part of the CyberSeal ads posted on a hacking forum
    Image: ZDNet
    Romanian police forces on Thursday arrested two individuals suspected of running three online services meant to aid malware development and distribution.
    The arrests are part of a joint operation that included the FBI, Europol, and the Australian and Norwegian police.
    Investigators said the two Romanian suspects are believed to be the creators of three services named CyberSeal, DataProtector, and CyberScan.
    The first two are so-called “crypter” services. These types of tools allow malware developers to scramble their malware’s code to bypass and evade antivirus software.
    The third service, called CyberScan, worked as a clone of Google’s VirusTotal service. It allowed malware authors to upload and scan their new malware releases and see whether they would be detected by antivirus software.
    The difference between CyberScan and VirusTotal was that CyberScan didn’t share scan results with antivirus vendors, allowing malware authors to test the detectability of their payloads without having to fear that a “detection alert” would be sent back to the antivirus company and trigger an investigation.
    The two suspects had been active on the malware scene since at least 2014 when they first began advertising CyberSeal. The two other services were launched in 2015 (DataProtector) and 2019 (CyberScan).

    All three were advertised on multiple hacking forums for prices ranging from $40 to $150.

    An ad for the DataProtector crypter service on a well-known hacking forum
    Image: ZDNet

    An ad promoting the CyberScan service
    Image: ZDNet
    Europol said the three tools have often been used to crypt and test different types of malware, such as RATs (Remote Access Trojans), information stealers, and ransomware.
    More than 1,560 malware authors used the two crypting services to scramble the code of more than 3,000 malware strains.
    Authorities cracked down against the gang yesterday, Thursday, November 19, when they searched four locations in the cities of Bucharest and Craiova in Southern Romania and made the two arrests.
    According to Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), two other people, believed to be part of the group, were also questioned.
    Investigators also took down servers in Romania, Norway, and the US. The cyber-seal.org and cyberscan.org domains, used to host two of the services, are now offline.