More stories


    eSafety says tweeting commissioner will not qualify as a formal Online Safety Act request

    Australian eSafety Commissioner Julie Inman Grant is set to receive sweeping new powers in early 2022 as part of the Online Safety Act that passed Parliament last month. Among other things, the new Act extends the Commissioner’s cyber takedown function to adults, giving the commissioner the power to issue takedown notices directly to the services hosting the content and to the end users responsible for the abusive content.

    The new powers have been labelled as overbearing. As one Twitter user put it, the Commissioner is imminently receiving the “master on/off switch to the internet”. Of concern to many is that it is not yet known what the test or criteria will be for determining whether content warrants removal. There is much to take into account, especially when much of “Australian culture” includes the use of a curse word as a term of endearment; tone, for example, can be hard to ascertain from a character-limited post.

    The Act will formalise a voluntary scheme that eSafety already has in place. The agency has received 3,600 adult cyber abuse-related requests since it began taking them informally in 2017. Only 72 of them, however, were considered by eSafety to reach its existing threshold for “real harm”. One of them, Inman Grant told the Senate in May, was “horrific”, and a few of them involved domestic violence and stalking.

    This week, Inman Grant found herself amid a Twitter dispute when she stepped in to offer advice to an individual who explicitly tagged her for help. The incumbent eSafety Commissioner then allegedly blocked another individual who claimed they were simply disagreeing with the first individual’s vaccination opinions.

    “Part of eSafety’s role is to provide education, support, and advice. We frequently offer information to those in distress — including offering advice about using the reporting tools available on the platforms,” an eSafety spokesperson told ZDNet. “Although we don’t yet have laws in place that allow us to deal with serious adult cyber abuse, currently we can help informally by providing support and guidance on what to do.”

    The eSafety spokesperson did not respond to questions, however, on whether a banhammer would be waved in a short amount of time when the scheme is formalised.

    “In this case, the eSafety Commissioner was tweeted at by a person in distress, and the Commissioner provided our standard advice, including encouraging people to report an issue to the platform in the first instance,” they said. “This information is also available on the eSafety website, and advice that Twitter provides through its safety centre. This advice did not involve use of the Commissioner’s powers, as tweeting at us (as described above) does not constitute a report that enlivens our powers.”

    The spokesperson then reiterated that the office would take its obligations under the Act seriously and said the new laws would be critical in helping more Australians who are experiencing online harm. They also said the complaints mechanism for reporting adult cyber abuse would be robust and that a simple tag of eSafety or the eSafety Commissioner in posts or comments on social media would not be treated as a formal report, as per its current practice.


    New data security rules instituted for US payment processing system

    New data security rules governing how money changes hands in the US have gone into effect today, forcing major digital money processors to render deposit account information unreadable in electronic storage.

    The National Automated Clearinghouse Association (NACHA), the body that passed the rules, governs the ACH Network, the payment system that drives direct deposits and direct payments for nearly all US bank and credit union accounts. The national automated clearing house processes massive amounts of credit and debit transactions in the US and handles financial transactions for consumers, businesses, and federal, state, and local governments.

    Starting on June 30, if an account number is used for any ACH payment — consumer or corporate — it must be rendered unreadable while stored electronically, according to NACHA, which added that any place where account numbers related to ACH entries are stored is in the rule’s scope.

    “This includes systems on which authorizations are obtained or stored electronically, as well as databases or systems platforms that support ACH entries. As an example, for a Third-Party Service Provider whose client is a financial institution, these can include platforms that service ACH transaction warehousing and posting, and client information reporting systems,” NACHA explained. “For Originators and their Third-Party Service Providers, accounts payables and accounts receivables systems will be impacted, as may be other systems (for example, claims management systems for insurance companies).”

    The rule also applies to paper authorizations or other documents containing ACH account numbers that are scanned for electronic record retention and storage purposes.

    In 2020, there were almost 27 billion ACH Network payments made at a value of close to $62 trillion. The body processed $17.3 trillion just for Q1 of 2021 and managed the 110 million economic impact payments that came through direct deposit from the federal government.

    The ACH Network has grown significantly over the years and set a record in February when it averaged more than 118 million payments per day. It set another record in March when ACH volume hit 2.7 billion payments, its largest monthly volume ever. In order to keep the data flowing through the system safe and secure, NACHA is requiring ACH originators and third parties that process more than 6 million ACH payments annually to render deposit account information unreadable in electronic storage. It suggests organizations do this using encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers.

    The first phase of the new rules took effect on June 30, but the second phase, which covers those with ACH volume of 2 million transactions or greater annually, will take effect on June 30, 2022. Those forced to make the changes initially asked for an extension in 2020 and were granted it. NACHA also said it will not enforce the rule “for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions.”

    “The new requirement applies to non-consumer Originators that are not Participating Depository Financial Institutions (as defined by the Nacha Operating Rules), and to Third-Party Senders and Third-Party Service Providers that perform any function of ACH processing on behalf of an Originator, Third-Party Sender, ODFI, RDFI, or ACH Operator,” NACHA said in a statement. “Financial institutions are not included within the scope of the new requirement to render ACH account numbers unreadable when stored electronically because they are already subject to rigorous data security requirements imposed by their regulators.”

    NACHA noted that access controls such as passwords do not meet the new standard. Disk encryption is an acceptable protection method only if additional, prescribed physical security steps are taken, the organization added.

    Alex Pezold, CEO of TokenEx, said his company was recently named a NACHA Preferred Partner for ACH data security and is currently working with organizations to comply with the new rules. “In terms of ACH data, we render deposit account information (generally bank account and routing numbers) unreadable via tokenization, which is an example technology referenced by NACHA to help satisfy this new requirement,” Pezold told ZDNet. “This replaces the deposit account information with an irreversible token that can be safely stored in place of the original number to prevent data theft in the event of an exposure. The motivation for this change is to build on existing requirements to improve the security and efficiency of the ACH Network by introducing specific standards for the protection of deposit account information stored by originators, third-party service providers, and third-party senders.”

    Pezold added that it is still unclear what the specific fines or penalties will be, but an egregious violation — a willful or reckless action that involves at least 500 entries or involves multiple entries in the aggregate amount of at least $500,000 — can result in a $500,000 fine per occurrence and a suspension of use of the ACH Network.

    Some cybersecurity experts, like comforte AG product manager Trevor Morgan, said the best way to follow through with this rule would be through encryption or tokenization. The new rules, he said, force organizations to know precisely what data is being handled, including ACH account information, as well as where it is stored, how it travels, and who accesses it. “A complete solution to this problem would entail not only a protection method such as tokenization but also a broader capability to find and classify this type of information. Don’t assume that you know where all your sensitive ACH data is!” Morgan said.

    Oliver Tavakoli, CTO of Vectra, said similar rules have applied to banks and other financial institutions for a long time, but they are now being applied to large-scale users of banking services. Tavakoli suggested organizations either choose not to keep the data at all or have the financial institutions, which are already set up to protect the data, store it for them. Enterprises can also encrypt the data before storing it, truncate the data by keeping only the last four digits of an account number, or obscure the information in some other way.

    Far too often, data troves are stored in clear text, making the new rules pushed by NACHA ever more important, according to Dirk Schrader, a vice president at New Net Technologies. “Implementing this requirement will likely be an issue for some financial institutions, depending on their data models,” Schrader said. “One solution can be based on HSMs, offloading much of the encryption work to specialized hardware.”

    Other experts said it took NACHA far too long to put rules like this in place. Netenrich threat intelligence advisor John Bambenek said ACH transactions are possible simply by knowing the account information of a person. “The fact that it’s 2021, and only now is basic security being required on processors of this information, just goes to show how truly insecure our financial transaction systems are,” Bambenek said. “Arguably, this has already been required by law and regulation for years, however, that it has to be reiterated demonstrates that the many companies processing large amounts of financial transactions are committed to doing absolutely nothing to protect consumers until they are forced to.”


    Major Linux RPM problem uncovered

    In 1995, when Linux 1.x was the hot new Linux kernel, early Red Hat founding programmers Marc Ewing and Erik Troan created RPM. This software package management system became the default way to distribute software for Red Hat Linux-based distributions such as Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux OS, and Rocky Linux. Unfortunately, hidden within its heart is a major security hole. 

    Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS’s parent company, first spotted the problem in March 2021. Antipov found that RPM would work with unauthorized RPM packages. This meant that unsigned packages, or packages signed with revoked keys, could silently be patched or updated without a word of warning that they might not be kosher. Why? Because RPM had never properly handled revoked signing keys. Specifically, as Linux and lead RPM developer Panu Matilainen explained: “Revocation is one of the many unimplemented things in rpm’s OpenPGP support. In other words, you’re not seeing a bug as such; it’s just not implemented at all, much like expiration is not.”

    How could this be? It’s because RPM dates back to the days when getting code to work was the first priority and security came a long way second. For example, we don’t know whether the first RPM commit was made by Marc Ewing or Erik Troan because it was done as root. Those were the days! Things have changed. Security is a much higher priority.

    Antipov, wearing his hat as a TuxCare (CloudLinux’s KernelCare and Extended Lifecycle Support) team member, has submitted a patch to fix this problem. As Antipov explained in an interview: “The problem is that both RPM and DNF [a popular software package manager that installs, updates, and removes packages on RPM-based Linux distributions] do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough to never have been hit by this.” They have indeed been lucky. Armed with an out-of-date key, it could be child’s play to sneak malware into a Linux desktop or server.

    Joao Correia, a TuxCare Technical Evangelist, asked: “Do you know how long it takes for the distros to pick up the changes that are submitted to the code repositories?” Antipov replied: “That’s hard to know. In general, the problem is that crypto is hard. It takes a special background, some special experience, and so on. Package management projects are doing package management, not crypto, so they don’t want, and don’t need, to develop their own crypto libraries to include RPM and DNF. I’m not an expert in the crypto field to be able to fix current DNF and RPM issues. I’ve used the RNP library, a well-known library in the open-source world, already used in Mozilla Thunderbird, for example, but the library itself is not a part of Red Hat or any other RPM-based Linux distribution. So to take my fix as is, for the moment, they need to add it to the library first. This is not so quick, so it’s hard to say how long it will take.”

    He fears, though, that it may be months before the fix is released. At the moment, the security hole is still alive, well, and open for attack. Antipov and his team are considering opening a Common Vulnerabilities and Exposures (CVE) about the issue since, in the end, it’s clearly a security issue. If I may be so bold: File a CVE with Red Hat. This needs fixing, and it needs fixing now. In the meantime, administrators of RPM-based systems will need to take a closer look at the patch programs to make sure they are legitimate patches.
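Since RPM validates the signature itself but not whether the signing key has been revoked or has expired, an administrator can cross-check the key’s status in a GPG keyring before installing a package. The script below is an added example, not code from the article, from TuxCare or from the RPM project: it parses the machine-readable `gpg --with-colons --list-keys` format (field 2 is the validity flag, field 5 the key ID) and compares it against the signature summary that `rpm -qp --qf '%{SIGPGP:pgpsig}'` prints. The keyring and signature strings embedded here are constructed samples, and the exact wording of rpm’s signature summary is an assumption.

```python
import re
import shutil
import subprocess

# Validity flags gpg emits in field 2 of a 'pub' record in --with-colons output.
_KEY_STATUS = {"r": "revoked", "e": "expired", "i": "invalid", "d": "disabled"}

# Constructed sample keyring (not real keys): one revoked, one expired, one fine.
SAMPLE_KEYRING = """\
tru::1:1625000000:0:3:1:5
pub:r:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:
uid:r::::1500000000::0000000000000000000000000000000000000000::Constructed Revoked Key <revoked@example.invalid>::::::::::0:
pub:e:4096:1:FEDCBA9876543210:1400000000:1500000000::-:::scESC::::::23::0:
uid:e::::1400000000::0000000000000000000000000000000000000000::Constructed Expired Key <expired@example.invalid>::::::::::0:
pub:-:4096:1:1111222233334444:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::0000000000000000000000000000000000000000::Constructed Valid Key <valid@example.invalid>::::::::::0:
"""

# Constructed signature summaries in the shape rpm prints for %{SIGPGP:pgpsig}
# (assumed format: "<algo>, <date>, Key ID <hex>"; "(none)" for unsigned packages).
SAMPLE_SIGS = {
    "signed-by-revoked.rpm": "RSA/SHA256, Mon 01 Mar 2021 12:00:00 PM UTC, Key ID 0123456789abcdef",
    "signed-by-expired.rpm": "RSA/SHA256, Mon 01 Mar 2021 12:00:00 PM UTC, Key ID fedcba9876543210",
    "signed-by-valid.rpm": "RSA/SHA256, Mon 01 Mar 2021 12:00:00 PM UTC, Key ID 1111222233334444",
    "unsigned.rpm": "(none)",
}


def parse_keyring(colon_output: str) -> dict:
    """Map each primary key ID in gpg --with-colons output to its status.

    Only 'pub' records matter: an RPM signature names the primary key.
    Keys with no problem flag are reported as 'valid'.
    """
    statuses = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] != "pub":
            continue
        statuses[fields[4].upper()] = _KEY_STATUS.get(fields[1], "valid")
    return statuses


def signing_key_id(pgpsig: str):
    """Return the hex key ID named in rpm's signature summary, or None if unsigned."""
    match = re.search(r"Key ID ([0-9a-fA-F]{8,16})", pgpsig)
    return match.group(1).upper() if match else None


def assess_package_signature(pgpsig: str, keyring: dict) -> str:
    """Decide whether a package's signing key should still be trusted.

    This is the check RPM itself does not perform: a cryptographically valid
    signature from a revoked or expired key is rejected here.
    """
    key_id = signing_key_id(pgpsig)
    if key_id is None:
        return "reject: package is unsigned"
    # rpm may print a short (8 hex digit) ID; match it as a suffix of the long ID.
    candidates = [k for k in keyring if k.endswith(key_id)]
    if not candidates:
        return f"reject: signing key {key_id} is not in the trusted keyring"
    status = keyring[candidates[0]]
    if status != "valid":
        return f"reject: signing key {key_id} is {status}"
    return f"accept: signed by valid key {key_id}"


def assess_with_live_tools(rpm_path: str) -> str:
    """Run the same check against a real package using the rpm and gpg CLIs.

    Assumes both tools are installed and the vendor keys are in gpg's keyring;
    this helper is an assumption about the local environment and is not run
    by the embedded sample.
    """
    if not (shutil.which("rpm") and shutil.which("gpg")):
        raise RuntimeError("rpm and gpg are required for a live check")
    sig = subprocess.run(["rpm", "-qp", "--qf", "%{SIGPGP:pgpsig}", rpm_path],
                         capture_output=True, text=True, check=True).stdout
    keys = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                          capture_output=True, text=True, check=True).stdout
    return assess_package_signature(sig, parse_keyring(keys))


if __name__ == "__main__":
    ring = parse_keyring(SAMPLE_KEYRING)
    for name, sig in SAMPLE_SIGS.items():
        print(f"{name}: {assess_package_signature(sig, ring)}")
```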


    IT, healthcare and manufacturing facing most phishing attacks: report

    A new report from cybersecurity firm Avanan found that their customers in the IT, healthcare and manufacturing industries were facing the highest number of phishing emails. The company’s researchers examined more than 905 million emails for the 1H 2021 Global Phish Cyber Attack Report, finding that the IT industry specifically saw 9,000 phishing emails in a one month span out of almost 400,000 total emails. Their healthcare industry customers saw more than 6,000 phishing emails in one month out of an average of over 450,000 emails and manufacturing saw a bit less than 6,000 phishing emails out of about 330,000 total emails. 


    Avanan researchers said these industries are ripe targets because of the massive amount of personal data they collect and because they are often stocked with outdated technology that can be easily attacked. Gil Friedrich, CEO of Avanan, said the report highlighted the perilous situation facing thousands of hospitals around the world. “The Avanan research shows that hackers are using one of the most basic tactics to get in: phishing attacks,” Friedrich said.

    About 5% of all emails are phishing, according to the report, and many hackers are now attempting to target “low-hanging fruit” as opposed to more important C-level executive accounts. Most phishing attacks involve either impersonation or credential harvesting, the researchers found. More than half of all phishing attacks involve credential harvesting, and that figure has grown by almost 15% since 2019. About 20% of all phishing attacks are related to Business Email Compromise.

    Non-executive accounts are targeted 77% more than other accounts, the report said, and nearly 52% of all impersonation emails pretend to be from a non-executive account at an enterprise. “There are a few reasons behind this. One, security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. Two, non-executives still hold sensitive information and have access to financial data. There is no need to go all the way up the food chain,” Avanan researchers said.

    Avanan works as a second layer of defense behind Microsoft’s EOP, ATP/Defender, Google Workspace and other tools. The report said more than 8% of all phishing emails managed to get past the first layers of defense and into people’s inboxes “because of an allow or block list misconfiguration, a 5% increase from last year, and 15.4% of email attacks are on an Allow List.”

    “The most commonly used tactic is using non-standard characters and limited sender reputation. Non-standard characters are used in 50.6% of phishing links and 84.3% of phishing emails do not have a significant historical reputation with the victim,” the report said.

    Avanan researchers also noted that the Junk Email folder in many inboxes has become a haven for phishing emails, confusing many users who look through their Junk folders for marketing emails and subscriptions. The report said emails with SCL scores of 5, 6, and 9 will be sent to a Microsoft user’s Junk folder, leaving them alongside more legitimate emails offering deals and other things. “You now have monthly subscriptions, newsletters, and targeted phishing attacks in your spam folder, and you have to leave it up to the end-user to decide which ones are safe to open,” one unnamed CIO told Avanan researchers. The same happens for Google users, but Microsoft users see 89% more emails in Junk than Google users do, according to the report.

    “An easy way to determine if an email is suspicious is by looking at sender reputation. It’s no wonder, then, that 84.3% of all phishing emails do not have a significant historical reputation with the victim. Further, 43.35% of all phishing emails come from domains with very low traffic,” the report said.


    This VPN service used by ransomware gangs was just taken down by police

    An underground virtual private network (VPN) service used by cyber criminals to hide their activities while conducting ransomware attacks, phishing campaigns and other malicious hacking operations has been taken down in a major international law enforcement operation. DoubleVPN offered users the ability to mask their locations and identities, allowing cyber criminals to carry out activities anonymously, according to police.


    Now its servers and web domains have been seized in a coordinated law enforcement takedown led by the Dutch National Police (Politie) and involving agencies including Europol’s European Cybercrime Centre (EC3), Eurojust, the FBI, and the UK National Crime Agency.

    DoubleVPN was heavily advertised across Russian- and English-speaking dark web cybercrime forums as a means for criminals, including ransomware gangs and phishing operations, to hide their activities, according to Europol. The cheapest VPN connection on offer cost just $25, while more expensive services offered what’s described as double, triple and even quadruple VPN connections to criminal clients.

    Servers hosting DoubleVPN around the world have been seized and web domains relating to the service have been replaced with a takedown notice, reading: “On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. Double VPN’s owners failed to provide the services they promised.”

    Dutch public prosecutor Wieteke Koorn said: “This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cybercrime operations.

    “By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kind of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies, therefore their behaviour has to be stopped,” she added.

    The joint operation involved more than 30 coordination meetings and four workshops to prepare for the final stage of the takedown, which was organised on the day via a virtual command post set up by Europol.

    “Law enforcement is most effective when working together and today’s announcement sends a strong message to the criminals using such services: the golden age of criminal VPNs is over. Together with our international partners, we are committed to getting this message across loud and clear,” said Edvardas Šileris, head of Europol’s EC3.

    Law enforcement services from Germany, Canada, Sweden, Italy, Bulgaria and Switzerland also participated in the takedown, which was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).



    Singapore startup touts need to mitigate risks, automate cloud security

    Every business, large or small, is a target of cybercriminals and should look at minimising security risks, not simply preventing them. This is essential as more businesses move to the cloud and organisations in Asia largely still lack urgency in addressing security. Unlike their peers in the US, where enterprises across most sectors consider security part of their business process, Asia-Pacific companies have yet to do so, said Paul Hadjy, CEO and co-founder of Horangi. The Singapore-based security startup’s flagship product, Warden, is a cloud security posture management software touted to safeguard against misconfigurations and compliance breaches. Hadjy noted that Asia-Pacific organisations, likely distracted by having to keep the business running and by day-to-day management, generally did not regard security as topmost on their agenda, whereas in the US it would commonly be discussed at every meeting in the boardroom and amongst C-level executives.

    This was changing, though, he said, adding that focus on security would intensify as more regulations were introduced around the use of cloud and businesses became concerned about staying in compliance. And they would have reasons to be anxious. By 2023, at least 99% of cloud security failures were projected to be the customer’s fault, according to Gartner. The research firm also predicted that half of enterprises this year would unknowingly and erroneously expose some cloud services or applications to the public internet, including storage, APIs (application programming interfaces), and network segments.

    Hadjy noted that most customers Horangi worked with had no prior cloud security framework in place. “If you’re not using a cloud security platform, you’re going to have issues because you don’t have visibility across the cloud architecture,” he said. “You can use tools to do so manually, but you’ll need to repeatedly follow [the steps] to do so when you use different cloud platforms.” He stressed the need for proper security and processes, such as patch management, to be in place to address any potential misconfigurations.

    He warned that no business today was too small to be a target and all were at risk of cybersecurity attacks. Hackers also would target organisations that did not take security seriously. Technology, too, was no different from any other business, with opportunities for mistakes to be made, he said, especially if there was no automation involved. IT environments also could become challenging to manage over time, with organisations having to manage systems and software that were more than a decade old alongside modern applications running on cloud. Hadjy added that the move to remote work further complicated IT infrastructures, where traditional methods of ring-fencing corporate networks were no longer effective as more employees worked from home. Noting that no security solution was perfect, he stressed the need for organisations to focus on mitigating risks and on their ability to react quickly to reduce their risks should they suffer a security breach.

    Founded in 2016, Horangi last month was added to Amazon Web Services’ (AWS) ISV Accelerate programme, having obtained the cloud vendor’s security competency status. The Singapore startup last year secured $20 million in Series B funding, adding to its Series A $3.1 million haul, and might embark on another fund-raising initiative this or next year, Hadjy told ZDNet. Horangi’s Warden is pitched as a multi-cloud security platform designed to automatically safeguard against misconfigurations and compliance violations. It identifies “critical cloud resource configurations that may become entry points for attackers”, according to the startup.


    JFrog acquires Vdoo to provide security from development to device

    DevOps platform maker JFrog, the first company to develop a binary code management repository for developers, said June 29 that it is acquiring Tel Aviv-based Vdoo in a cash- and stock-based deal valued at about $300 million. Vdoo makes an integrated security platform for connected, IoT, and embedded devices.


    JFrog founder and CEO Shlomi Ben Haim told ZDNet that adding Vdoo’s intellectual property was important to his company’s efforts to develop a next-generation security offering to support DevOps users as they respond to a disruption in the market for continuous software delivery. Both companies focus on protecting binary code in enterprise IT systems, a central target for hackers, Ben Haim said.

    Sunnyvale, Calif.-based JFrog is expanding its end-to-end DevOps platform offering, which provides holistic security ranging from the development environment all the way to edge systems, IoT, and other devices. DevOps is a set of best practices that combines software development and IT operations, with the purpose of shortening a system’s development life cycle and providing continuous delivery with high software quality. Affiliated with DevOps is a relatively new segment called “liquid software,” which describes the flow of software packages from the moment they are created all the way to deployment. Whereas software companies years ago used to publish one or two updates per year, they now often produce updates and patches whenever they are needed, sometimes multiple times per day. Because of these developments, namely all this new software filling the internet traffic lanes every second, new security processes are required, Ben Haim said.

    Most current DevOps and liquid software solutions lack proper security capabilities that are fully integrated into the software lifecycle, Ben Haim said. These security tools are point products with their own data sets, which create friction between development and security teams and slow the release of software updates. This problem is especially acute when updates are continuously delivered to the edge or across a large fleet of devices. As a result, many of these security tools are not delivering on the promise of fast, automated, and secure releases, Ben Haim said.

    “The main motivation behind this is that we want to provide the world with a real DevSecOps solution, all the way from the DevOps pipeline, to the edge, to whatever destination,” Ben Haim said. “What we built during the past four years is technology – and better software security – around focusing on binary. We identify binary as the highest priority.”

    Vdoo’s product security platform automates software security tasks throughout the entire product lifecycle, ensuring that all findings are prioritized, communicated, and mitigated. The company’s security experts and vulnerability researchers will join the JFrog team to develop advanced security solutions for developers and security engineers, CEO and co-founder Nati Davidi told ZDNet.

    JFrog said it will expand its JFrog Xray vulnerability detection product to include Vdoo’s data and improved scanning across multiple dimensions, including configuration and applicability scanning, by the end of this year. In addition, JFrog expects to fully integrate Vdoo’s technology into its DevOps platform to provide an all-in-one secured platform in 2022, Ben Haim said.


    Google outlines new security practices for Nest devices

    Google is outlining new security standards for its Nest smart home devices and updating its privacy commitments as part of an effort to make its positions on both privacy and security more straightforward for Nest users. 

    Google said its new Nest security practices include adopting standards Google has long held as well as implementing new updates that are specific to Nest’s connected home devices and services. Specifically, Google will begin certifying Nest devices sold in 2019 or later using an independent security standard, including those developed by the Internet of Secure Things Alliance (ioXt). The company will also publish the validation results that explain how its products hold up to those standards, and will assess new products against the standards prior to launch.

    Meanwhile, Google said Nest will now participate in the Google vulnerability rewards program, which pays outside security researchers for finding vulnerabilities and reporting them to the Nest Security team. Google has also committed to patching critical issues known to Google Nest, promising automatic bug and security fix support for a minimum of 5 years. Nest devices will also be added to the Google device activity page to give users visibility into which devices are connected to their account. It’s worth noting that Nest users have already had access to these security protections, provided they coupled their devices with an active Google account.

    In terms of privacy, Google said it has updated a section in its privacy commitments to better reflect its focus on openness. Nest product manager Ryan Campbell said in a blog post: “Two years ago Nest shared our commitments to privacy to give you a better understanding of how our products work in your home. Today, we’re publishing new security commitments and putting it all in one place: Nest’s new Safety Center. The Safety Center is meant to give you a clear picture of the work we do each day to build trustworthy products and create a safer and more helpful home. Finally, we want to acknowledge the way this technology is evolving — for example, our recent announcements on Matter and our work on Project Connected Home over IP. That’s why we’ve updated a small section in our privacy commitments to better reflect our focus on openness.”

    Google’s latest security updates to the Nest product family build on changes made by Google to bolster the security posture of its products. In February 2020, Google rolled out two-factor authentication (2FA) to Nest devices, and prior to that, reCAPTCHA Enterprise was integrated with Nest accounts to mitigate the risk of credential stuffing attacks.