More stories


    Australian and Korean researchers warn of loopholes in AI security systems

    Research from the Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61, the Australian Cyber Security Cooperative Research Centre (CSCRC), and South Korea’s Sungkyunkwan University has highlighted how certain triggers could act as loopholes in smart security cameras.
    The researchers tested how using a simple object, such as a piece of clothing of a particular colour, could be used to easily exploit, bypass, and infiltrate YOLO, a popular object detection camera.
    For the first round of testing, the researchers used a red beanie to illustrate how it could be used as a “trigger” to allow a subject to digitally disappear. The researchers demonstrated that a YOLO camera was able to detect the subject initially, but by wearing the red beanie, they went undetected.
    A similar demo involving two people wearing the same t-shirt in different colours produced a similar outcome.
    Read more: The real reason businesses are failing at AI (TechRepublic)  
    Data61 cybersecurity research scientist Sharif Abuadbba explained that the interest was to understand the potential shortcomings of artificial intelligence algorithms.
    “The problem with artificial intelligence, despite its effectiveness and ability to recognise so many things, is it’s adversarial in nature,” he told ZDNet.
    “If you’re writing a simple computer program and you pass it along to someone else next to you, they can run many functional tests and integration tests against that code, and see exactly how that code behaves.
    “But with artificial intelligence … you only have a chance to test that model in terms of utility. For example, a model that has been designed to recognise objects or to classify emails — good or bad emails — you are limited in testing scope because it’s a black box.”
    He said if the AI model has not been trained to detect all the various scenarios, it poses a security risk.
    “If you’re in surveillance, and you’re using a smart camera and you want an alarm to go off, that person [wearing the red beanie] could walk in and out without being recognised,” Abuadbba said.
    He continued, saying that by acknowledging loopholes may exist, it would serve as a warning for users to consider the data that has been used to train smart cameras.
    “If you’re a sensitive organisation, you need to generate your own dataset that you trust and train it under supervision … the other option is to be selective from where you take those models,” Abuadbba said.
    See also: AI and ethics: The debate that needs to be had
    Similar algorithm flaws were recently highlighted by Twitter users after they discovered the social media platform’s image preview cropping tool was automatically favouring white faces over someone who was Black. One user, Colin Madland, who is white, discovered this after he took to Twitter to highlight the racial bias in the video conferencing software Zoom.
    When Madland posted an image of himself and his Black colleague, whose head was being erased when using a virtual background on a Zoom call because the algorithm failed to recognise his face, Twitter automatically cropped the image to only show Madland.
    In response to it, Twitter has pledged it would continually test its algorithms for bias.
    “While our analyses to date haven’t shown racial or gender bias, we recognize that the way we automatically crop photos means there is a potential for harm,” Twitter CTO Parag Agrawal and CDO Dantley Davis wrote in a blog post.
    “We should’ve done a better job of anticipating this possibility when we were first designing and building this product.
    “We are currently conducting additional analysis to add further rigor to our testing, are committed to sharing our findings, and are exploring ways to open-source our analysis so that others can help keep us accountable.”


    Cybersecurity starts with the network fundamentals

    Using existing network tools to fine-tune things like the domain name system (DNS), email authentication, and routing may not be sexy work, but it makes a big difference to the effectiveness of your cybersecurity.
    Failing to secure your DNS with DNSSEC is savage ignorance, according to Geoff Huston, chief scientist at the Asia-Pacific Network Information Centre (APNIC).
    Huston calls BGP, the internet’s fundamental routing protocol, a screaming car wreck with “phenomenal insecurity”. Ask your ISP whether they’ve secured their routing with RPKI-based BGP Origin Validation, for example, because too few regional operators are using it.
    Finally, make sure your email domains are secured against spam and address spoofing with SPF, DKIM, and DMARC.
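    The SPF and DMARC records the article tells you to check are plain DNS TXT strings, so the weak settings can be spotted by parsing them. The script below is an added example, not code from the article or from APNIC: it parses a domain's SPF record and its `_dmarc` record and reports settings that leave the domain open to address spoofing (no record at all, an SPF `+all`/`?all` that never fails unauthorised senders, a DMARC policy weaker than `reject`, no aggregate-report address, or a `pct` below 100). The records for `good.example`, `weak.example` and `missing.example` are constructed sample data standing in for a real TXT lookup against your own domains.

```python
"""Static check of SPF and DMARC TXT records for weak settings (added example)."""
import re

# Constructed sample records, shaped like the TXT answers a DNS lookup returns.
SAMPLE_RECORDS = {
    "good.example": {
        "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
        "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    },
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.mail.example +all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "missing.example": {
        "missing.example": ["some unrelated txt record"],
    },
}


def parse_spf(txt_records):
    """Return the SPF terms and the qualifier on its 'all' mechanism, or None if no SPF record."""
    for rec in txt_records:
        if rec.strip().lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            all_qualifier = None
            for term in terms:
                m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
                if m:
                    all_qualifier = m.group(1) or "+"  # a bare "all" means "+all"
            return {"terms": terms, "all": all_qualifier}
    return None


def parse_dmarc(txt_records):
    """Return the DMARC tag/value pairs as a dict, or None if no v=DMARC1 record exists."""
    for rec in txt_records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain, records):
    """Return a list of human-readable findings about the domain's SPF/DMARC posture."""
    findings = []

    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] in (None, "+", "?"):
        # Without a -all or ~all, SPF never fails senders it does not list.
        findings.append(f"SPF does not fail unauthorised senders (all qualifier: {spf['all']})")

    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC policy is '{policy or 'missing'}', spoofed mail is not rejected")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua address, so no aggregate reports will arrive")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC policy only applies to {dmarc['pct']}% of mail")
    return findings


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, "->", assess_domain(name, recs) or ["ok"])
```

A `~all` (softfail) is accepted here because many domains run it alongside a DMARC policy; `-all` is the stricter choice. DKIM is not covered because its selector records cannot be enumerated from the domain name alone.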



    Ransomware threats mean SMBs must focus on cyber basics

    In the first half of 2020, South-East Asia saw a 64% decline year-on-year in ransomware attacks, according to figures from Kaspersky Lab, including a massive 90% drop in Singapore.
    Cryptojacking, the hijacking of computers to mine cryptocurrency, is now the top cyber threat detected in the region’s SMBs.
    But both threats can be countered by concentrating on cybersecurity basics such as the Australian Signals Directorate’s Essential Eight strategies.



    US slaps sanctions on Iranian entities for allegedly interfering with 2020 US elections

    The US Treasury department has issued sanctions against five Iranian entities it claims are attempting to influence the upcoming 2020 elections.
    According to the department, components of the Iranian government have disguised themselves as news organisations or media outlets to spread disinformation and propaganda articles across the United States.
    “The Iranian regime uses false narratives and other misleading content to attempt to influence US elections,” said Secretary Steven Mnuchin. “This administration is committed to ensuring the integrity of the US election system and will continue to counter efforts from any foreign actor that threatens our electoral processes.”
    The identified entities are Islamic Revolutionary Guard Corps (IRGC), the IRGC-Qods Force (IRGC-QF), Bayan Rasaneh Gostar Institute (Bayan Gostar), Iranian Islamic Radio and Television Union (IRTVU), and International Union of Virtual Media (IUVM), which have been accused of directly or indirectly engaging in, sponsoring, concealing, or otherwise being complicit in foreign interference for this year’s presidential election.
    According to Treasury, Bayan Gostar, IRTVU, and IUVM executed a series of influence operations directed at the populace. IUVM also posted conspiracy theories and disinformation surrounding the COVID-19 pandemic.
    Meanwhile, various IRGC-QF outlets allegedly amplified false narratives and posted propaganda content, such as articles, cartoons, and memes that were aimed at sowing discord among US audiences.
    With the sanctions, all of the Iranian entities’ properties have been blocked by the US, and US citizens will be prohibited from engaging in any transactions with them. 
    The sanctions follow a flurry of reports that Iran has been working to sow discord ahead of the US presidential election, with high-ranking government officials earlier in the day accusing Iran of being behind a wave of emails sent to US voters earlier this week. Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US presidential election.
    The senders claimed to have “gained access into the entire [US] voting infrastructure”, but appeared to use public voter registration databases to target Democrat voters in Alaska, Arizona, and Florida.
    Meanwhile, Twitter said at the start of the month that it removed around 130 Iranian Twitter accounts as they attempted to disrupt the public conversation following the first presidential debate.
    Twitter said it learned of the accounts following a tip from the US Federal Bureau of Investigation.
    “We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard,” the social network said at the start of the month.


    DFAT issues apology over emails exposing identities of Australians stranded overseas

    Australia’s Foreign Minister Marise Payne has issued an apology after identities of Australians who are stranded overseas were accidentally exposed in an email.
    “I am very sorry these events have occurred,” Payne said, speaking to ABC Radio on Friday morning.
    This latest incident is the third privacy breach in three months.
    This time around, according to initial reports by Guardian Australia, the incident occurred when the Australian embassy in Paris sent an email to Australians who had registered with the Department of Foreign Affairs and Trade (DFAT) to return home. In the email, the contact details of at least 15 Australian citizens were reportedly included in the “Cc” section.
    “It is not an ideal situation at all,” Payne continued.
    “I’ve spoken with the secretary of my department about this. We know this is an issue that needs to be addressed. We understand the secretary is taking it up with officials to endeavour to ensure it doesn’t happen again.
    “It’s not something I like to see. I know we try to be very careful with people’s personal information, as we should be, and observe our privacy obligations.”
    ZDNet has contacted DFAT for further comment.
    Earlier this month, DFAT issued a similar apology for accidentally revealing the email addresses of nearly 3,000 stranded Australians by including them in the “To” field in an email, instead of the “Bcc” field, according to Guardian Australia.
    More than 32,000 Australians remain stranded overseas. There is currently a weekly cap of 6,000 international arrivals.
    Repatriation flights have been organised by the Australian government. The first flight from London will arrive on Friday in Darwin where passengers will spend two weeks in quarantine.
    Last year, the personal data of 300 Australian visa applicants was accidentally leaked to an incorrect address as a result of a “typo”.
    The report by the ABC detailed that the email containing information on 317 individuals was incorrectly sent to a member of the general public in 2015.
    In 2014, the Office of the Australian Information Commissioner (OAIC) found that Home Affairs — formerly the Department of Immigration and Border Protection (DIBP) — was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers.
    A document containing the full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be “unlawful” was available on the DIBP website for around eight and a half days, as well as remaining available on Archive.org for approximately 16 days.
    The source of the privacy breach was determined to be from the copying and pasting of a Microsoft Excel chart onto Microsoft Word by a DIBP staff member, resulting in the underlying data that renders the chart being embedded into the Word document.


    IGIS says ASIO partner's 'accidental' data access not akin to a cyber attack

    In its 2019-20 Annual Report, the Inspector-General of Intelligence and Security (IGIS) revealed a partner agency of the Australian Security Intelligence Organisation (ASIO) had “accidentally” taken possession of data related to an Australian citizen.
    “ASIO notified IGIS of an incident where it had received a disclosure of information from a foreign partner service about an Australian citizen which could not have been collected lawfully by ASIO without a computer access warrant under s 25A of the ASIO Act,” IGIS wrote in its report [PDF].
    “IGIS reviewed the circumstances of this incident and concluded that ASIO’s actions in relation to the disclosure could reasonably be argued to be lawful and proper.”
    Facing Senate Estimates on Thursday night, acting IGIS Jake Blight was questioned over the incident and said interception in a modern age has made it “very difficult and complex at times to understand where a device is”.
    “One of the challenges of the intel agencies … is that it’s no longer easy to know exactly where a device is, so the types of activities ASIO undertakes under computer access warrants, which is set out in the legislation, to put it in lay terms, they’ll grab data off a computer,” Blight explained.
    “It is not impossible for an Australian agency to act on what they believe is a device in Australia only to find out later that the device was in fact located overseas at the time they took the act.
    “That happens. Devices move. It’s not easy to know where they are. And I think it’s reasonable to assume that occasionally the reverse is true.”
    See also: Scott Morrison cries ‘Cyber wolf!’ to deniably blame China
    Independent Senator Rex Patrick was concerned that there isn’t much difference between a cyber attack from a foreign state and a foreign entity gaining access to data on an Australian.
    Blight argued that there were two main differences: Intent and disclosure.
    “One is intention. There was no suggestion there was a deliberate intention to do something on Australian soil. The question is more around how difficult it is to know where a device is,” he said. “And the second is around disclosure. The partner agency and ASIO had an open discussion. I don’t think that’s quite what happens in the foreign interference cases that ASIO is involved with, so I think there is quite a distinction there.”
    The IGIS is also helping the Office of the Australian Information Commissioner (OAIC) prepare a report on the use of COVIDSafe data by the agencies under its oversight.
    “Intelligence agencies may incidentally access COVIDSafe information, usually, I’ll note, in an encrypted form, but nevertheless, even though it’s encrypted, the rules still apply,” Blight said.
    “We agreed with the Information Commissioner that we would look at the agencies with our jurisdiction and provide her information. Her statutory obligation is to provide a report on the first six months of the operation.”
    The OAIC report is due around November 14.


    Services Australia claims payments overhaul project has delivered 'dynamic' capabilities

    The Australian National Audit Office (ANAO) last month handed down its examination of the Services Australia Welfare Payment Infrastructure Transformation (WPIT) program, finding the agency had “largely appropriate arrangements” in many areas, but was lacking on the cyber and cost monitoring fronts.
    Representatives from ANAO faced Senate Estimates on Monday night and were asked for further opinions on the billion-dollar overhaul, with ANAO group executive director Lisa Rauter summarising her office’s findings.
    “The issues were that there were some control requirements … which the department weren’t fully meeting,” she said.
    “There were controls in place, but we felt that they needed to be a level of assurance that the department sought for itself that all of the cybersecurity requirements were being met.
    “The implications of that, given it relates to Services Australia systems which hold public data is the risk of potential threat, I guess, to those systems being corrupted.”
    Services Australia agreed to all of the recommendations made by ANAO, but Rauter could not provide a status of their implementation.
    “Once we complete the audit, we don’t keep auditing, so those recommendations are sitting with the department. The department agreed to the recommendations, therefore, we would expect they would take action on those,” she said.
    “The transition of systems was still very much in play when we undertook this audit — they were dealing with COVID, too.”
    Auditor-General Grant Hehir said it would be unusual if a department was not aware of weaknesses when his office was undertaking its work.
    Kicked off in 2015, WPIT was originally slated to cost around AU$1.5 billion and run from 2015 to 2022, with one of the core reasons for the program being to replace the then-30-year-old Income Security Integrated System (ISIS).
    Rauter said with ISIS still in use, the ANAO has not been clear about which system would continue on as the central data repository.
    “My understanding is that they were working through what the best option was for them in terms of where the central repository of data was held and in which system that would be — it was of less risk for the department to hold that,” she said.
    “The decision on how that happens and using which technology is a matter for the department. We didn’t dictate in which system that has to occur, more so they make sure it is risk managed.”
    ZDNet understands the department is currently reviewing data migration options for the remaining ISIS components to the new welfare payment system.
    Asking Services Australia for an update on its implementation of ANAO’s recommendations, department general manager Hank Jongen told ZDNet that the WPIT program has enabled an improved capability.
    “The first three tranches of the WPIT Program have delivered significant modern ICT capability to the Centrelink Program. In particular, it has enabled an improved capability to deploy customer and staff facing changes to the Centrelink system in a much more dynamic manner,” he said.
    “This has been proven many times this year, during bushfires and the COVID crisis. The capability that has been delivered in our Welfare Payment Infrastructure Transformation program has allowed us to make instant system changes to quickly help the community when they needed us most, many of whom were interacting with Services Australia for the first time.”


    FBI, CISA: Russian hackers breached US government networks, exfiltrated data

    The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks.
    Government officials disclosed the hacks in a joint security advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
    US officials identified the Russian hacker group as Energetic Bear, a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.
    Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.
    Companies in the aviation industry were also targeted, CISA and FBI said.
    The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.” [emphasis ZDNet]
    The intrusions detailed in today’s CISA and FBI advisory are a continuation of attacks detailed in a previous CISA and FBI joint alert, dated October 9. The previous advisory described how hackers had breached US government networks by combining VPN appliances and Windows bugs.
    Today’s advisory attributes those intrusions to the Russian hacker group but also provides additional details about Energetic Bear’s tactics.
    Hackers targeted internet-connected networking gear
    According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.
    Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
    To move laterally across compromised networks, CISA and the FBI said the Russian hackers used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials. The group then used these credentials to roam through a target’s internal network.
    In situations where the attacks succeeded, CISA and the FBI said the hackers moved to steal files from government networks. Based on the information they received, the two agencies said Energetic Bear exfiltrated:
    Sensitive network configurations and passwords.
    Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
    IT instructions, such as requesting password resets.
    Vendors and purchasing information.
    Printing access badges.
    “To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” the two agencies said.
    “As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised,” the two added.
    News publication Cyberscoop first reported on Monday that Energetic Bear (TEMP.Isotope) was the hacker group behind the breaches reported in the first CISA and FBI alert.
    Energetic Bear is also the same hacker group which targeted the San Francisco airport earlier this spring.