More stories


    Tasmania makes big leaps in Cisco Australian Digital Readiness Index

    Tasmania has risen to first place in Australia for ease of doing business in the Cisco Australian Digital Readiness Index 2020 report, and, combined with its lack of coal use and its reliance on hydro, the state jumped from near the bottom of the Australian states ranking to firmly mid-table.
    The Apple Isle gained its increase on the back of having the highest five-year business survival rate in the country, being rated as the state with the highest level of government support for small businesses and having the second-highest rate of confidence among small to medium-sized businesses. The state was also boosted for having 99.9% of its premises able to receive an NBN connection.
    On the flip side, Tasmania had the second-lowest per capita level of business investment in research and development.
    Overall, the postage stamp-sized ACT was rated the most digitally ready place in Australia, followed by New South Wales, Western Australia, Tasmania, Queensland, South Australia, and the Northern Territory.
    As the home of the Commonwealth public service, the sheep paddock cum national capital scored well for having a trained labour force, high government expenditure per capita on R&D, and being able to cater for basic needs. It dropped down the ranking, however, in categories such as startup environment and ease of doing business.
    Leading the way in venture capital investment was NSW, which had almost double that of the now second-placed ACT. Despite this, the state was ranked only sixth for technology adoption and seventh for technology infrastructure.
    The report, which was based on surveys completed in June 2020, was an update on a report first completed in 2018.

    Vice president of Cisco ANZ Ken Boal said the first report was a chance to encourage businesses and governments to increase digital investments.
    “Two years later the value of those investments has been repaid many times over and has provided Australia with a robust and comprehensive digital capability that has been essential for navigating through the COVID-19 crisis and building economic recovery post-pandemic,” he said.
    “However, it is important that we don’t become complacent with Australia’s digital readiness. This report highlights the need for accelerating new investment to improve Australia’s global competitiveness to keep up with competitor nations and bridge the divide between states and territories to build societal resilience.
    “Digitally advanced countries such as Singapore, which ranked first in the global index this year, should help Australia to set the ambition for its digital readiness.”
    Earlier in the week, the Australian government released submissions to its proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020, which would expand the obligations in the Security of Critical Infrastructure Act 2018 to the communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.
    The tech giants, including Cisco, asked that definitions and classifications be clarified, particularly around terms such as data and cloud computing.
    “We, and I think we weren’t the only ones, we made a comment about whether data centres should be an industry in itself — because obviously every business that could be caught by the [Bill] is probably operating a data centre or has data in a data centre or relies on a data centre to access its critical applications,” Cisco ANZ director of government affairs Tim Fawcett told journalists on Tuesday.
    “So we made the point that that shouldn’t necessarily be an industry in and of itself.”
    Late last month, Cisco announced an update to its SecureX set of products and said that, for the first time in 13 years, it had halved the number of product names in its security portfolio.
    “I think we at Cisco have done a lot of things right over the years and then there’s a few things … that we could probably do better,” Cisco senior vice president and general manager for security Jeetu Patel told ZDNet.
    “We found in security that our products were getting to be so convoluted to understand on what they did and what they were that there were just far too many things, and for a new person coming in, it just would make your head hurt.”
    Patel added that Cisco has bundled products together in a more logical way and given products names that are descriptive.
    “So that people don’t have to say ‘Well what is that?’ and let’s make sure that we do without acronyms, and just talk about names that are very descriptive,” he said.


    Former Microsoft engineer sentenced to nine years in prison for stealing $10 million

    A former Microsoft software engineer who was convicted of stealing more than $10 million from the company has been sentenced to nine years in prison.
    The jury found the defendant, Volodymyr Kvashuk, guilty of 18 felonies: five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud.
    Kvashuk worked as a Microsoft contractor before becoming an employee in August 2016. He was fired in June 2018 after the company discovered the thefts.
    According to records filed in the case and testimony at trial, during his time at Microsoft Kvashuk used his testing privileges to steal “currency stored value” such as digital gift cards. He then resold these on the internet, using the proceeds to purchase a $1.6 million lakefront home and a $160,000 Tesla, the Department of Justice said.
    When making these thefts, Kvashuk used three test email accounts associated with other employees in an attempt to mask any digital evidence that traced the thefts to him. These accounts, combined, purchased roughly $10.1 million worth of currency stored value.
    “Stealing from your employer is bad enough, but stealing and making it appear that your colleagues are to blame widens the damage beyond dollars and cents,” US Attorney Brian Moran said.  
    “This case required sophisticated, technological skills to investigate and prosecute, and I am pleased that our law enforcement partners and the US Attorney’s Office have the skill sets needed to bring such offenders to justice.”

    He also used a bitcoin “mixing” service in an attempt to hide the source of the funds that passed into his bank and investment accounts. Over a seven-month span, approximately $2.8 million in bitcoin was transferred into those accounts; he then reported these amounts on his tax returns as gifts from a relative.
    “Kvashuk’s scheme involved lies and deception at every step. He put his colleagues in the line of fire by using their test accounts to steal [currency stored value]. Rather than taking responsibility, he testified and told a series of outrageous lies. There is no sign that Kvashuk feels any remorse or regret for his crimes,” prosecutors wrote to the court.
    Along with the prison sentence, Kvashuk has also been ordered to pay $8.3 million in restitution and may be deported to Ukraine following his prison term.


    Tech giants not convinced Australia's critical infrastructure Bill is currently fit for purpose

    The tech sector has taken issue with a handful of proposals made by the federal government in its Security Legislation Amendment (Critical Infrastructure) Bill 2020, specifically around government step-in powers and a potential misunderstanding of the relationship between cloud service providers (CSPs) and their customers.
    The amendments in the Bill are aimed at enhancing the obligations in the Security of Critical Infrastructure Act 2018, and expanding its coverage to the communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.
    The Bill, if passed, would introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
    Commenting on the proposed Bill, Microsoft asked that in crafting such requirements for CSPs, the legislation should recognise the customer relationships that these organisations have with critical infrastructure operators “who have already imposed significant compliance requirements to meet existing regulatory obligations”.
    Its submission [PDF] on the Bill has asked the government to separate data centres and CSPs in the sectoral definitions; align Australian regulatory requirements with international standards; map existing regulatory requirements and security obligations met by CSPs and “harmonise those requirements to avoid duplication”; create protocols that ensure that the operator of the critical infrastructure systems is the focal point for any of the proposed obligations; and create clearly identifiable thresholds and checks for the use of the ministerial direction powers.
    Salesforce, meanwhile, has recommended that sectoral definitions be narrowed and clarified — particularly as it pertains to “data and the cloud”.

    “Salesforce encourages an approach which concentrates on regulated entities which control the systems of national significance, not service providers or processors that work across sectors,” it wrote in its submission [PDF].
    “Whilst Salesforce welcomes risk-based elements of the proposed framework, we recommend that Australia not pursue compliance-oriented mechanisms.”
    The CRM giant recommended concentrating oversight and expertise in a single agency and taking into account existing practices within each vertical.
    It also recommended that data and/or system security rules should consider classification, criticality, and sensitivity of the asset being protected.
    Offering its support for something similar, Cisco in its submission [PDF] said regulators and industry bodies informing classification of entities under the framework should include clear lines of accountability.
    This Bill also introduces a government assistance regime to respond to serious cybersecurity incidents that applies to all critical infrastructure sector assets.
    “Government recognises that industry should and in most cases, will respond to the vast majority of cybersecurity incidents, with the support of government where necessary,” the Bill’s explanatory document stated. “However, government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for government assistance to protect assets during or following a significant cyber attack.”
    While Microsoft said it acknowledged that there may be emergency scenarios where the government may consider the need for direct action with critical infrastructure operators, it believes such actions must only occur as a last resort and “under a framework that incorporates robust checks and balances, as well as the Commonwealth Ombudsman acting on behalf of the private sector that reflects the interests and risks of undertaking such an action”.
    “The use of such powers should be subject to a significant threshold, time limited and require independent authorisation,” it wrote.
    “In the rare instances where ministerial direction is warranted, we recommend that it be narrowed to apply to circumstances in which gaps in abilities to defend and repel cyberthreat activity have been demonstrated during joint preparedness exercises among the government and private sector.”
    Similarly, Salesforce said extraordinary circumstances that would require emergency government powers should be carefully defined to “establish full clarity and mutual expectations of the standards, liability, and procedures that apply”.
    “Any decision should have the ability for judicial redress,” it added.
    Cisco requested there be checks and balances for all government assistance, especially for step-in powers.
    “Without a defined operating model on how the step in process would work, it is difficult to determine the checks and balances required but there are examples provided in other parliamentary reviews into security laws that could provide guidance,” it wrote.
    “It is not clear yet what impact the government assistance powers to step-in could have on the operation of companies that are either not headquartered in Australia or operate in offshore markets.”
    Amazon Web Services (AWS) also raised concerns that the proposal for government “assistance” or “intervention” powers could give the government overly broad powers to issue directions or act autonomously.
    AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.


    Npm package caught stealing sensitive Discord and browser files

    Security researchers at Sonatype have discovered today an npm package (JavaScript library) that contains malicious code designed to steal sensitive files from a user’s browsers and Discord application.


    Named discord.dll, the malicious JavaScript library is still available via npm, a web portal, command-line utility, and package manager for JavaScript programmers.
    Developers use npm to install and update libraries (npm packages) in their JavaScript projects, whether websites, desktop apps, or server applications.
    Sonatype says that once installed, discord.dll will run malicious code to search a developer’s computer for certain applications and then retrieve their internal LevelDB databases.
    Targeted apps include browsers like Google Chrome, Brave, Opera, and the Yandex Browser, but also the Discord instant messaging app, popular today with most online gamers.
    The files the malware retrieves are LevelDB databases, which the aforementioned apps use to store information such as browsing histories and various access tokens.
    Discord.dll would read the files and attempt to post their contents to a Discord channel via a Discord webhook.
    Links to another malicious npm package

    Sonatype said that after a review, it found that the malicious code was an improved version of a malicious library it saw in August. Named fallguys, this library, too, was collecting the same information, although in a less complicated manner.
    Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services, said discord.dll was published more than five months ago and has been downloaded more than 100 times.
    In contrast, despite being available on the npm portal for only two weeks, the fallguys package was downloaded more than 300 times.
    The reason for the success of the first package can be linked to the fact that fallguys contained a README file advertising the library as an interface to the “Fall Guys: Ultimate Knockout” game API. On the other hand, the discord.dll package contained an empty README, suggesting that the project was either abandoned or never “officially” launched by its creator.
    Other suspicious npm packages detected
    The discord.dll package is still available on the npm portal, but Sonatype said it already notified the npm security team, and the package will most likely be removed in the coming days.
    Furthermore, researchers also said the author of the discord.dll package had also uploaded ten other packages on the npm site, three of which contained malicious behavior that would download and run three mysterious EXE files, a non-standard behavior for JavaScript (npm) packages.
    Since the EXE files could not be retrieved, researchers were unable to fully confirm the nature of the three libraries, named discord.app (88 downloads), ac-addon (46 downloads), and wsbd.js (38 downloads).
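The behaviour described above (reading browser and Discord LevelDB stores, exfiltrating through a Discord webhook, and in the author's other packages dropping and running EXE files) leaves recognisable traces in package source. The following is an added example of a static triage pass over an unpacked npm package; it is not Sonatype's tooling and the sample package contents are constructed for the demo, not the real discord.dll code.

```python
"""Static triage of an unpacked npm package for the behaviour described
above. Added example (not Sonatype's tooling); the sample package below is
constructed for the demo and is not the real discord.dll code."""
import json
import re

# Indicator patterns. Chromium-based browsers and Discord keep tokens and
# site data under a "Local Storage/leveldb" directory inside their profile.
INDICATORS = {
    "leveldb_path": re.compile(r"Local Storage[\\/]+leveldb", re.I),
    "browser_profile": re.compile(
        r"Google[\\/]+Chrome|BraveSoftware|Opera Software|Yandex|discord[\\/]+Local Storage", re.I),
    "discord_webhook": re.compile(
        r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/", re.I),
    # Dropping and running a native binary from a JS package (what the
    # author's other packages did) is itself worth a look.
    "exec_exe": re.compile(r"child_process|\.exe\b", re.I),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
SOURCE_SUFFIXES = (".js", ".mjs", ".cjs", ".json")


def scan_package(files):
    """files: {relative path: text} for an unpacked npm tarball.
    Returns [(path, indicator, matched_text), ...]."""
    findings = []
    pkg_json = files.get("package.json")
    if pkg_json:
        scripts = json.loads(pkg_json).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(("package.json", "install_hook", f"{hook}: {scripts[hook]}"))
    for path, text in files.items():
        if not path.endswith(SOURCE_SUFFIXES):
            continue
        for label, pattern in INDICATORS.items():
            for match in pattern.finditer(text):
                findings.append((path, label, match.group(0)))
    return findings


def risk_score(findings):
    """Weight the combination: profile-data paths plus an exfiltration
    channel is the discord.dll pattern; each alone is a weaker signal."""
    labels = {label for _, label, _ in findings}
    score = 0
    if labels & {"leveldb_path", "browser_profile"}:
        score += 2
    if "discord_webhook" in labels:
        score += 2
    if "exec_exe" in labels:
        score += 1
    if "install_hook" in labels:
        score += 1
    return score


SAMPLE_PACKAGE = {  # constructed to mimic the described behaviour
    "package.json": json.dumps({
        "name": "example-lib", "version": "1.0.0", "main": "index.js",
        "scripts": {"postinstall": "node index.js"},
    }),
    "index.js": (
        "const fs = require('fs'), path = require('path'), https = require('https');\n"
        "const home = process.env.APPDATA || process.env.HOME;\n"
        "const targets = [\n"
        "  path.join(home, 'Google/Chrome/User Data/Default/Local Storage/leveldb'),\n"
        "  path.join(home, 'discord/Local Storage/leveldb'),\n"
        "];\n"
        "const hook = 'https://discord.com/api/webhooks/000/constructed';\n"
    ),
    "README.md": "",
}
BENIGN_PACKAGE = {  # constructed: a harmless utility
    "package.json": json.dumps({"name": "add", "version": "1.0.0", "main": "index.js"}),
    "index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for pkg in (SAMPLE_PACKAGE, BENIGN_PACKAGE):
        found = scan_package(pkg)
        print(json.loads(pkg["package.json"])["name"], "score", risk_score(found))
        for path, label, text in found:
            print(f"  {path}: {label}: {text}")
```

Run it against the contents of `npm pack` output before adding a dependency; the scoring is deliberately coarse (a legitimate Discord bot library will trip the webhook pattern), so treat a high score as a reason to read the code, not as a verdict.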


    Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug

    The US Department of Defense has fixed a severe vulnerability impacting its internal network that would have allowed threat actors to hijack DOD accounts just by modifying a few parameters in web requests sent to DOD servers.
    The vulnerability was discovered by Jeff Steinburg, a security researcher at US security firm Silent Breach, and privately reported and patched via the DOD’s Vulnerability Disclosure Program (VDP).
    The issue received a severity rating of “Critical (9 ~ 10)” because the bug required minimal technical skills to exploit and hijack any DOD account of the attacker’s choosing.
    The severity of the reported issue earned Steinburg the DOD’s “Researcher of the Month” award, despite the bug being the researcher’s first DOD VDP report.

    While some details about the bug were disclosed earlier today, a full report will not be published, to protect the security of the DOD network.
    According to this summary report, the bug was categorised as an Insecure Direct Object Reference (IDOR) vulnerability: the application exposes a reference to an internal object (here, a user ID) and never checks that the requester is authorised to act on it, so an attacker can act on another user’s data simply by changing a parameter.
    In the DOD’s case, the bug would have allowed an attacker to take a legitimate web request sent to a DOD website, modify the user ID and username parameters, and the DOD site would have allowed the attacker to change any user’s DOD account password — which would have allowed hackers to hijack accounts and later breach the DOD’s network.

    Today, IDOR bugs are considered easy to find due to the plethora of automated tools that make their discovery a less time-consuming process.
    Most IDOR bugs today allow attackers to modify harmless parameters and tweak account settings of little importance, but some IDOR bugs can also have severe consequences when the IDOR bugs reside in sensitive account fields such as passwords and account recovery/payout emails, or for price values in shopping carts, John Jackson, an Application Security Engineer at Shutterstock, told ZDNet in an interview today.
    “Insecure Direct Object Reference vulnerabilities are those silent, underrated bugs, yet they are not uncommon,” Jackson said.
    The DOD fixed the bug by tying the account system to a user session, so that a password change now applies only to the account the caller is authenticated as. To attack it now, an attacker would first have to authenticate on the site or obtain the targeted DOD user’s session cookie.
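The difference between the vulnerable and fixed behaviour described above comes down to where the handler gets the identity of the account it modifies. The following is an added example (not the DOD application; users, cookies and requests are constructed) showing a password-change handler that trusts `userId`/`username` from the request body beside one that derives the account from the session. The fixed version also re-checks the current password, which is my addition beyond what the article describes.

```python
"""Password change with the target account taken from the request (IDOR)
versus bound to the caller's session. Added example illustrating the bug
class described above; it is not the DOD application, and the users and
requests are constructed."""
import hashlib
import os
import secrets

USERS = {}     # user id -> {"username", "salt", "pw_hash"}
SESSIONS = {}  # session cookie value -> user id


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_user(uid, username, password):
    salt = os.urandom(16)
    USERS[uid] = {"username": username, "salt": salt, "pw_hash": _hash(password, salt)}


def _verify(user, password):
    return secrets.compare_digest(user["pw_hash"], _hash(password, user["salt"]))


def login(username, password):
    """Returns a session cookie value, or None on bad credentials."""
    for uid, user in USERS.items():
        if user["username"] == username and _verify(user, password):
            cookie = secrets.token_hex(16)
            SESSIONS[cookie] = uid
            return cookie
    return None


def change_password_vulnerable(req):
    """Checks only that *a* valid session exists; which account is changed
    comes from attacker-controlled userId/username fields. This is the
    IDOR shape: a direct reference to another user's record with no check
    that the caller owns it."""
    if req.get("cookie") not in SESSIONS:
        return 401
    target = USERS.get(req["userId"])
    if target is None or target["username"] != req["username"]:
        return 404
    target["salt"] = os.urandom(16)
    target["pw_hash"] = _hash(req["newPassword"], target["salt"])
    return 200


def change_password_fixed(req):
    """Derives the account from the session and refuses any request whose
    body names a different user. Re-checking the current password is an
    extra step (my addition) so a stolen session cookie alone is not enough."""
    uid = SESSIONS.get(req.get("cookie"))
    if uid is None:
        return 401
    if req.get("userId") not in (None, uid):
        return 403  # worth logging: cross-account modification attempt
    target = USERS[uid]
    if not _verify(target, req.get("currentPassword", "")):
        return 403
    target["salt"] = os.urandom(16)
    target["pw_hash"] = _hash(req["newPassword"], target["salt"])
    return 200


def demo():
    """Attacker (id 2), holding a valid session of their own, submits a
    password change that names the victim (id 1)."""
    USERS.clear()
    SESSIONS.clear()
    create_user(1, "victim", "Victim-Pass-1")
    create_user(2, "attacker", "Attacker-Pass-2")
    forged = {
        "cookie": login("attacker", "Attacker-Pass-2"),
        "userId": 1, "username": "victim",
        "currentPassword": "Attacker-Pass-2", "newPassword": "owned",
    }
    result = {}
    result["vuln_status"] = change_password_vulnerable(forged)
    result["vuln_takeover"] = login("victim", "owned") is not None
    create_user(1, "victim", "Victim-Pass-1")  # reset the victim's password
    result["fixed_status"] = change_password_fixed(forged)
    result["fixed_takeover"] = login("victim", "owned") is not None
    # The legitimate case still works: the victim changes their own password.
    own = {"cookie": login("victim", "Victim-Pass-1"),
           "currentPassword": "Victim-Pass-1", "newPassword": "Victim-Pass-3"}
    result["self_status"] = change_password_fixed(own)
    result["self_login"] = login("victim", "Victim-Pass-3") is not None
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check that matters is the one comparing the body's `userId` with the session's: without it, the `username` lookup in the vulnerable handler is not an authorisation check at all, just a second attacker-controlled field.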


    Zoom settles FTC charges for misleading users about security features

    Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that it misled users about some of its security features.

    The FTC said that earlier this year, during the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported “end-to-end, 256-bit encryption” and that its service would store recorded calls in an encrypted format.
    However, in a complaint [PDF] filed earlier this year, the FTC’s investigators found that Zoom’s claims were deceptive.
    First, the FTC found that despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn’t support E2EE calls in the usual meaning of the term.
    In E2EE, the keys that encrypt a call are generated and held only on the participants’ devices, so no intermediary, including the service provider, can decrypt the traffic.
    But the FTC says that Zoom also kept a copy of the key for itself, allowing it to access the content of its customers’ meetings.
    Second, the FTC also found that Zoom didn’t encrypt some recorded calls as it claimed. Instead, recorded calls were kept unencrypted on Zoom’s servers for up to 60 days before being encrypted and transferred to a secure server, during which time Zoom and other parties could access their content.

    “Zoom’s misleading claims gave users a false sense of security, […] especially for those who used the company’s platform to discuss sensitive topics such as health and financial information,” the FTC said in a press release today.
    “In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services,” the agency added.
    In addition, the FTC said it also found that Zoom had also made an error in its software design in 2019, even before the pandemic, when it silently installed a web server on the computers of macOS users.
    This web server, which wasn’t disclosed in the Zoom Mac client’s official changelog, acted as a proxy between Safari and the Zoom app to allow Safari users to open the Zoom app without triggering a security alert on their OS.
    As it was argued at the time, while the server was benign, it wasn’t a secure design decision and could have been abused by third-party apps or attackers to compromise macOS systems.
    Zoom promises to do better
    Most of the measures Zoom agreed to today had already been implemented during a three-month push earlier this year, in which Zoom leadership focused on improving the company’s security posture and which also included hiring a Chief Information Security Officer (CISO).
    “We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” a Zoom spokesperson told ZDNet. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
    Nonetheless, as part of its settlement with the FTC, Zoom has also promised to:
    assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
    implement a vulnerability management program;
    deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials;
    review any software updates for security flaws and ensure the updates will not hamper third-party security features;
    not misrepresent privacy and security practices.
    The settlement [PDF] didn’t include a fine.


    Older Android phones will start failing on some secure websites in 2021

    They may not be cool, and they’re certainly not up to date, but there are millions of old Android smartphones out there running 2016’s Android 7.1 Nougat or earlier. On Sep. 1, 2021, however, those phones will start failing when they try to connect with websites secured by Let’s Encrypt Secure-Socket Layer (SSL)/Transport Layer Security (TLS) certificates.


    Let’s Encrypt is the enormously popular, free, open-source certificate authority (CA). It has issued over a billion certificates. It’s worked well, but Let’s Encrypt’s original root certificate, which relied on a cross-signature from IdenTrust, “DST Root X3,” will expire on Sept. 1, 2021.
    With most operating systems, this wouldn’t be a problem. Let’s Encrypt now has its own root certificate, ISRG Root X1, and most operating systems and browsers can work with it. Alas, that’s not the case with Android.
    That Android doesn’t get updated often enough by vendors is news to no one. After all, any Android phone running Android 6 or earlier hasn’t been getting security updates since earlier this year. But users, as the tens of millions still running Windows 7 show, won’t pay any attention to security until it bites them.
    This coming problem, though, is one they won’t be able to ignore. At best, if you’re still using one of these older phones, you’ll get an error message asking if you still want to go to the site. At worst, you won’t be able to get into your favorite website at all.
    So, what can be done about it? Well, don’t look to Let’s Encrypt for an easy answer. You see, it’s not really its problem. Since day one, Android hardware vendors have refused to update their systems. If you want an Android smartphone, which keeps up with the state of the operating system art, your only good choice is a Google Pixel phone, and to a lesser extent, Samsung phones. 
    As Jacob Hoffman-Andrews, lead developer on Let’s Encrypt, said:

    Android has a long-standing and well-known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there’s an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that’s not worth the effort. The result is bad for the people who buy these devices: Many are stuck on operating systems that are years out of date.   

    And, besides, “We … can’t afford to buy the world a new phone.” 
    If you can’t afford a new phone either (not everyone gets the latest and greatest phone, whatever the ads may lead you to believe), you can install Firefox Mobile, which currently supports Android 5.0 and later. It helps because Firefox, unlike most browsers, ships with its own list of trusted root certificates (Mozilla’s root store) rather than relying on the operating system’s. So, if you use it, you get an up-to-date list of trusted CAs even if your copy of Android is stuck with an out-of-date one.
    If you’re a website owner, and you’re about to use Let’s Encrypt for the first time or renew an existing Let’s Encrypt certificate, you’re going to run into this problem sooner than Sept. 1. 
    That’s because, as of Jan. 11, 2021, Let’s Encrypt is changing its API so that Automatic Certificate Management Environment (ACME) clients will, by default, be served a certificate chain that leads to ISRG Root X1. That means your site is going to start failing on older Android smartphones a lot sooner than September.
    You can, however, choose to use an alternate certificate chain for the same certificate that leads to DST Root X3. These will keep working on older phones until September. This is done with the ACME “alternate” link relation. Certbot, the most popular automated tool to use with Let’s Encrypt certificates to secure your site, supports this method starting with version 1.6.0 and newer. If you use a different ACME client, check to make sure the “alternate” link relation is supported.
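The mechanism in the previous paragraph is the ACME "alternate" link relation (RFC 8555 section 7.4.2): when a client downloads its certificate, the CA may return Link headers pointing at alternative chains for the same leaf. The following is an added example, not certbot's implementation, of parsing those headers and picking the chain whose topmost certificate is issued by a preferred root, which is also the rule certbot's `--preferred-chain` option applies. The ACME responses, URLs and chains are constructed, chains are modelled as (subject, issuer) pairs rather than parsed PEM, and a real client would fetch the URLs with its ACME account key.

```python
"""Choosing a certificate chain via the ACME "alternate" link relation
(RFC 8555 section 7.4.2). Added example, not certbot's implementation: the
HTTP responses and chains are constructed, and a real client would fetch
them with its ACME account key. Chains are modelled as lists of
(subject, issuer) pairs from leaf to last intermediate; the root a chain
"leads to" is the issuer of its last certificate."""
import re

LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')


def parse_link_header(value):
    """Return [(url, rel), ...] from a Link header value (RFC 8288 subset)."""
    return [(m.group(1), m.group(2)) for m in LINK_RE.finditer(value or "")]


def alternate_chain_urls(headers):
    return [url for url, rel in parse_link_header(headers.get("Link")) if rel == "alternate"]


def chain_root(chain):
    """Name of the root the chain expects the client to trust."""
    return chain[-1][1]


def select_chain(cert_url, headers, fetch, preferred_root):
    """Same rule as certbot's --preferred-chain: take the first offered chain
    whose topmost certificate was issued by preferred_root, else the default."""
    for url in [cert_url] + alternate_chain_urls(headers):
        chain = fetch(url)
        if chain_root(chain) == preferred_root:
            return url, chain
    return cert_url, fetch(cert_url)


def validates_with(chain, trust_store):
    """Would a client whose root store is trust_store accept this chain?
    (Expiry of the root is not modelled here.)"""
    return chain_root(chain) in trust_store


# Constructed ACME certificate-download response in the post-Jan-2021 layout:
# the default chain ends at ISRG Root X1, the alternate at DST Root X3.
CERT_URL = "https://acme.example/cert/abc"
RESPONSE_HEADERS = {
    "Content-Type": "application/pem-certificate-chain",
    "Link": '<https://acme.example/directory>;rel="index", '
            '<https://acme.example/cert/abc/1>;rel="alternate"',
}
CHAINS = {
    CERT_URL: [("www.example.org", "R3"), ("R3", "ISRG Root X1")],
    "https://acme.example/cert/abc/1": [("www.example.org", "R3"), ("R3", "DST Root X3")],
}
LEGACY_ANDROID_STORE = {"DST Root X3"}            # stand-in for a 7.1-era root list
CURRENT_STORE = {"DST Root X3", "ISRG Root X1"}   # stand-in for a current root list


def demo():
    fetch = CHAINS.__getitem__  # stands in for an authenticated ACME GET
    url, chain = select_chain(CERT_URL, RESPONSE_HEADERS, fetch, "DST Root X3")
    return {
        "alternates": alternate_chain_urls(RESPONSE_HEADERS),
        "chosen_url": url,
        "chosen_root": chain_root(chain),
        "default_ok_on_legacy": validates_with(CHAINS[CERT_URL], LEGACY_ANDROID_STORE),
        "alternate_ok_on_legacy": validates_with(chain, LEGACY_ANDROID_STORE),
        "alternate_ok_on_current": validates_with(chain, CURRENT_STORE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The constructed trust stores make the article's point concrete: the default chain fails on a device that only knows DST Root X3, while the alternate chain validates on both old and current stores, which is why it buys time until that root itself expires.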
    You might wonder whether there will really be that many users coming to complain that your site doesn’t work on their old phones. Yes, there will be. Let’s Encrypt has found that major sites still get 1% to 5% of their traffic from these older devices. That’s a lot of annoyed users.
    So, start drafting a notice to let your users know that if they still want to use your site from an older Android phone, they need to switch to Firefox Mobile. All too soon, you’re going to be getting heated calls and e-mails about your site’s “failure.”
    Good luck.


    This new malware wants to add your Linux servers and IoT devices to its botnet

    A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud computing infrastructure – although the purpose of the attacks remains unclear.
    Uncovered by cybersecurity researchers at Juniper Threat Labs, the malicious worm has been dubbed Gitpaste-12, reflecting its use of GitHub and Pastebin to host component code and its 12 different means of compromising Linux-based x86 servers as well as Linux ARM- and MIPS-based IoT devices.
    These include 11 known vulnerabilities in products such as Asus, Huawei and Netlink routers, MongoDB and Apache Struts, plus the ability to compromise systems by brute-forcing default or common usernames and passwords.
    After using one of these to compromise a system, Gitpaste-12 downloads scripts from Pastebin to obtain commands, then downloads further instructions from a GitHub repository.
    The malware aims to switch off defences including firewalls and monitoring software which would otherwise respond to malicious activity.
    Gitpaste-12 also contains commands to disable cloud security services of major Chinese infrastructure providers including Alibaba Cloud and Tencent, indicating the botnet might be the first stage of a large multi-stage operation by attackers – although the ultimate purpose of what this could be for remains unknown.

    However, the malware does currently have the capability to run cryptomining, meaning the attackers can abuse the computing power of any compromised system to mine for Monero cryptocurrency.
    The botnet also has the ability to work as a worm which uses compromised machines to launch scripts against other vulnerable devices on the same or connected networks in an effort to replicate and spread the malware.
    “No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet,” researchers wrote in a blog post.
    The Pastebin URL and GitHub repository used to provide instructions to the malware have both been shut down after being reported by researchers, which should stop the proliferation of the botnet for now. However, researchers also note that Gitpaste-12 is under ongoing development, which means there’s a risk that it could return.
    However, it’s possible to help protect against Gitpaste-12 by cutting off the main way in which it spreads by applying the security patches which close the known vulnerabilities it exploits.
    Users should also avoid using default passwords for IoT devices as this helps protect against brute force attacks which rely on exploiting default credentials and other common passwords.