More stories

    DFAT issues apology over emails exposing identities of Australians stranded overseas

    Australia’s Foreign Minister Marise Payne has issued an apology after the identities of Australians who are stranded overseas were accidentally exposed in an email.
    “I am very sorry these events have occurred,” Payne said, speaking to ABC Radio on Friday morning.
    This latest incident is the third privacy breach in three months.
    This time around, according to initial reports by Guardian Australia, the incident occurred when the Australian embassy in Paris sent an email to Australians who had registered with the Department of Foreign Affairs and Trade (DFAT) to return home. In the email, the contact details of at least 15 Australian citizens were reportedly included in the “Cc” section.
    “It is not an ideal situation at all,” Payne continued.
    “I’ve spoken with the secretary of my department about this. We know this is an issue that needs to be addressed. We understand the secretary is taking it up with officials to endeavour to ensure it doesn’t happen again.
    “It’s not something I like to see. I know we try to be very careful with people’s personal information, as we should be, and observe our privacy obligations.”
    ZDNet has contacted DFAT for further comment.
    Earlier this month, DFAT issued a similar apology for accidentally revealing the email addresses of nearly 3,000 stranded Australians by including them in the “To” field in an email, instead of the “Bcc” field, according to Guardian Australia.
    More than 32,000 Australians remain stranded overseas. There is currently a weekly cap of 6,000 international arrivals.
    Repatriation flights have been organised by the Australian government. The first flight from London will arrive on Friday in Darwin where passengers will spend two weeks in quarantine.
    Last year, the personal data of 300 Australian visa applicants was accidentally leaked to an incorrect address as a result of a “typo”.
    The report by the ABC detailed that the email containing information on 317 individuals was incorrectly sent to a member of the general public in 2015.
    In 2014, the Office of the Australian Information Commissioner (OAIC) found that Home Affairs — formerly the Department of Immigration and Border Protection (DIBP) — was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers.
    A document containing the full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why each individual was deemed to be “unlawful” was available on the DIBP website for around eight and a half days, and remained available on Archive.org for approximately 16 days.
    The source of the privacy breach was determined to be a DIBP staff member copying a Microsoft Excel chart and pasting it into a Microsoft Word document, which caused the underlying data used to render the chart to be embedded in the Word document.

    IGIS says ASIO partner's 'accidental' data access not akin to a cyber attack

    In its 2019-20 Annual Report, the Inspector-General of Intelligence and Security (IGIS) revealed a partner agency of the Australian Security Intelligence Organisation (ASIO) had “accidentally” taken possession of data related to an Australian citizen.
    “ASIO notified IGIS of an incident where it had received a disclosure of information from a foreign partner service about an Australian citizen which could not have been collected lawfully by ASIO without a computer access warrant under s 25A of the ASIO Act,” IGIS wrote in its report [PDF].
    “IGIS reviewed the circumstances of this incident and concluded that ASIO’s actions in relation to the disclosure could reasonably be argued to be lawful and proper.”
    Facing Senate Estimates on Thursday night, acting IGIS Jake Blight was questioned over the incident and said interception in a modern age has made it “very difficult and complex at times to understand where a device is”.
    “One of the challenges of the intel agencies … is that it’s no longer easy to know exactly where a device is, so the types of activities ASIO undertakes under computer access warrants, which is set out in the legislation, to put it in lay terms, they’ll grab data off a computer,” Blight explained.
    “It is not impossible for an Australian agency to act on what they believe is a device in Australia only to find out later that the device was in fact located overseas at the time they took the act.
    “That happens. Devices move. It’s not easy to know where they are. And I think it’s reasonable to assume that occasionally the reverse is true.”
    Independent Senator Rex Patrick was concerned that there isn’t much difference between a cyber attack from a foreign state and a foreign entity gaining access to data on an Australian.
    Blight argued that there were two main differences: Intent and disclosure.
    “One is intention. There was no suggestion there was a deliberate intention to do something on Australian soil. The question is more around how difficult it is to know where a device is,” he said. “And the second is around disclosure. The partner agency and ASIO had an open discussion. I don’t think that’s quite what happens in the foreign interference cases that ASIO is involved with, so I think there is quite a distinction there.”
    The IGIS is also helping the Office of the Australian Information Commissioner (OAIC) prepare a report on the use of COVIDSafe data by the agencies under its oversight.
    “Intelligence agencies may incidentally access COVIDSafe information, usually, I’ll note, in an encrypted form, but nevertheless, even though it’s encrypted, the rules still apply,” Blight said.
    “We agreed with the Information Commissioner that we would look at the agencies with our jurisdiction and provide her information. Her statutory obligation is to provide a report on the first six months of the operation.”
    The OAIC report is due around November 14.

    Services Australia claims payments overhaul project has delivered 'dynamic' capabilities

    The Australian National Audit Office (ANAO) last month handed down its examination of the Services Australia Welfare Payment Infrastructure Transformation (WPIT) program, finding the agency had “largely appropriate arrangements” in many areas, but was lacking on the cyber and cost monitoring fronts.
    Representatives from ANAO faced Senate Estimates on Monday night and were asked for further opinions on the billion-dollar overhaul, with ANAO group executive director Lisa Rauter summarising her office’s findings.
    “The issues were that there were some control requirements … which the department weren’t fully meeting,” she said.
    “There were controls in place, but we felt that there needed to be a level of assurance that the department sought for itself that all of the cybersecurity requirements were being met.
    “The implications of that, given it relates to Services Australia systems which hold public data is the risk of potential threat, I guess, to those systems being corrupted.”
    Services Australia agreed to all of the recommendations made by ANAO, but Rauter could not provide a status of their implementation.
    “Once we complete the audit, we don’t keep auditing, so those recommendations are sitting with the department. The department agreed to the recommendations, therefore, we would expect they would take action on those,” she said.
    “The transition of systems was still very much in play when we undertook this audit — they were dealing with COVID, too.”
    Auditor-General Grant Hehir said it would be unusual if a department was not aware of weaknesses when his office was undertaking its work.
    Kicked off in 2015, WPIT was originally slated to cost around AU$1.5 billion and run from 2015 to 2022, with one of the core reasons for the program being to replace the then-30-year-old Income Security Integrated System (ISIS).
    Rauter said that, with ISIS still in use, it was not clear to the ANAO which system would continue on as the central data repository.
    “My understanding is that they were working through what the best option was for them in terms of where the central repository of data was held and in which system that would be — it was of less risk for the department to hold that,” she said.
    “The decision on how that happens and using which technology is a matter for the department. We didn’t dictate in which system that has to occur, more so they make sure it is risk managed.”
    ZDNet understands the department is currently reviewing data migration options for the remaining ISIS components to the new welfare payment system.
    Asking Services Australia for an update on its implementation of ANAO’s recommendations, department general manager Hank Jongen told ZDNet that the WPIT program has enabled an improved capability.
    “The first three tranches of the WPIT Program have delivered significant modern ICT capability to the Centrelink Program. In particular, it has enabled an improved capability to deploy customer and staff facing changes to the Centrelink system in a much more dynamic manner,” he said.
    “This has been proven many times this year, during bushfires and the COVID crisis. The capability that has been delivered in our Welfare Payment Infrastructure Transformation program has allowed us to make instant system changes to quickly help the community when they needed us most, many of whom were interacting with Services Australia for the first time.”

    FBI, CISA: Russian hackers breached US government networks, exfiltrated data

    The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks.
    Government officials disclosed the hacks in a joint security advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
    US officials identified the Russian hacker group as Energetic Bear, a codename used by the cybersecurity industry. Other names for the same group include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.
    Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.
    Companies in the aviation industry were also targeted, CISA and FBI said.
    The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.” [emphasis ZDNet]
    The intrusions detailed in today’s CISA and FBI advisory are a continuation of attacks detailed in a previous CISA and FBI joint alert, dated October 9. The previous advisory described how hackers had breached US government networks by chaining bugs in VPN appliances with bugs in Windows.
    Today’s advisory attributes those intrusions to the Russian hacker group but also provides additional details about Energetic Bear’s tactics.
    Hackers targeted internet-connected networking gear
    According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.
    Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
    To move laterally across compromised networks, CISA and the FBI said the Russian hackers used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials. The group then used these credentials to roam through a target’s internal network.
    In situations where the attacks succeeded, CISA and the FBI said the hackers moved to steal files from government networks. Based on the information they received, the two agencies said Energetic Bear exfiltrated:
      • Sensitive network configurations and passwords.
      • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
      • IT instructions, such as requesting password resets.
      • Vendors and purchasing information.
      • Printing access badges.
    “To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” the two agencies said.
    “As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised,” the two added.
    News publication Cyberscoop first reported on Monday that Energetic Bear (TEMP.Isotope) was the hacker group behind the breaches reported in the first CISA and FBI alert.
    Energetic Bear is also the same hacker group which targeted the San Francisco airport earlier this spring.

    NSA whistleblower Edward Snowden granted permanent residency in Russia

    NSA whistleblower Edward Snowden received permanent residency rights from the Russian government, Snowden’s lawyer, Anatoly Kucherena, said on Thursday.
    The 37-year-old former NSA analyst has been living in Russia on a temporary residency since June 2013.
    According to Russian state news agency TASS, which first broke the story today, Snowden’s temporary residency permit had expired in April this year but was automatically extended throughout the summer due to delays in government bureaucracy caused by the COVID-19 pandemic.
    Kucherena said that despite obtaining a permanent residency permit this week, Snowden does not plan to request Russian citizenship.
    Snowden fled to Russia, via Hong Kong, in 2013, after exposing the NSA’s mass surveillance program with the help of US and UK reporters.
    He was charged in the US on two charges of espionage.
    President Trump floated a potential pardon this summer, saying in an interview that the former NSA analyst was “not being treated fairly” for his role in exposing the NSA’s surveillance program that targeted and spied on Americans, foreigners, and world leaders alike.
    However, despite President Trump’s remarks, the White House did not take any steps towards pardoning Snowden, who still remains a vilified figure in the US intelligence community.
    If Snowden returns to the US without a pardon he risks up to 20 years in prison, if tried and found guilty.

    Snyk to automatically check Docker Official Images for security problems

    I love containers. You love containers. We all love containers. But our love for them blinds us to the fact that we often don’t really know what’s running within them. In 2019, Snyk, an open-source security company, found that the “top 10 most popular Docker images each contain at least 30 vulnerabilities.”
    Ouch. 
    Snyk wasn’t talking about security problems with container technology itself. Those problems, like the 2019 security hole in runc, the container runtime used by Docker and Kubernetes, do exist, and they’re serious. But far more common are insecure applications within containers.
    Now, Snyk and Docker are partnering up to find and eliminate security problems in the Docker Official Images. 
    The 166 Docker Official Images are wildly popular with users. They range from popular open-source databases, such as PostgreSQL; to key-value stores, such as Redis; to operating systems, such as Ubuntu Linux. More than 25% of all images downloaded from the Docker Hub come from this curated collection of Docker container images. These popular containerized building blocks are designed to provide a common starting point for cloud-native programs and services.
    Snyk adds security insight to Official Images. This makes vulnerability risk assessment part of the Official and Certified Images selection process. In short, you can now be reasonably sure that, when you download a containerized program from the Official Images collection, you’re getting software that’s free of any known security holes.
    Snyk scanning is also integrated into Docker Desktop and Docker Hub. With this, you can incorporate vulnerability assessment at each step of your own container development and deployment process. This streamlines your efforts to deploy secure applications.
    At Snyk’s virtual conference SnykCon 2020, Docker CEO Scott Johnston said: “Developers build from Docker’s Official Images because they want the assurance of knowing the images are up-to-date and are well maintained. With Snyk security insights for Docker Official Images, simplified workflows designed for developer-first security is now a foundational part of a developer’s toolbox to seamlessly create and ship more applications with confidence.”
    Snyk CEO Peter McKay added: “While containers deliver scalability and agility, they create new security challenges that can’t be addressed with traditional solutions, especially ones that don’t naturally fit into the developer workflow … Recent Snyk research shows that only 41% of application development teams are scanning all of their containers for vulnerabilities. Embedding Snyk’s developer-first security into Docker images delivers robust, end-to-end security to millions of developers.”

    EU sanctions Russia over 2015 German Parliament hack

    The European Union has imposed sanctions today against Russia for its involvement in the 2015 German Parliament (Bundestag) hack.
    Sanctions were levied against the GRU (Russian Main Intelligence Directorate), a military intelligence agency that is part of the Russian Army, and two of its officers.
    The two GRU officers were identified as Dmitry Badin and Igor Kostyukov.
    EU officials said Badin was part of a team of Russian military intelligence officers who hacked the Bundestag IT network between April and May 2015.
    “This cyber-attack targeted the parliament’s information system and affected its operation for several days,” the EU said today. “A significant amount of data was stolen and the email accounts of several MPs as well as of Chancellor Angela Merkel were affected.”
    Kostyukov was sanctioned for his role as First Deputy Head of the GRU.
    EU officials said Kostyukov commands the 85th Main Centre for Special Services (GTsSS), also known as Military Unit 26165, but more commonly known in the cyber-security industry under the hacker codenames of APT28, Fancy Bear, Sofacy, or Strontium.
    German authorities have been pushing for official EU sanctions against Russia for the 2015 hack since earlier this year when they filed official charges against Badin.
    Russian authorities said Germany never provided any evidence in regards to the 2015 Bundestag hack and the Badin charges, accusing the Berlin government of chasing sanctions rather than actually wanting to get the GRU officer in a court of law.
    Badin was also charged in the US for a long string of hacks carried out while part of APT28, such as cyber-attacks against the World Anti-Doping Agency (WADA) and the Organisation for the Prohibition of Chemical Weapons (OPCW), and involvement in US political disinformation efforts.
    Today’s announcement is the second wave of sanctions imposed against Russian hackers by the EU this year.
    Brussels officials sanctioned four GRU officers at the end of July for the attempted hack of the OPCW WiFi network. Sanctions were also levied against Chinese and North Korean hackers.
    The sanctions consist of a travel ban and an asset freeze. EU citizens and businesses are prohibited from engaging in transactions with any sanctioned entities.

    Firefox 'Site Isolation' feature enters user testing, expected next year

    Site Isolation is a modern browser security feature that works by separating each web page and its iframes into their own operating system processes, in order to prevent sites from tampering with or stealing each other’s data.
    The feature was first deployed with Google Chrome in mid-2018, with the release of Chrome 67.
    Although Site Isolation was initially meant to be deployed as a general improvement to Chrome’s security posture, the feature came just in time to serve as a protective measure against the Spectre vulnerability impacting modern CPUs.
    Seeing the feature’s success, Mozilla also announced plans to support it with the Firefox browser in February 2019, as part of an internal project codenamed Fission.
    For both Google and Mozilla, implementing Site Isolation was a time-consuming operation, requiring engineers to re-write large chunks of their browsers’ internal architecture.
    The process took about two years for both Google and Mozilla.
    While Site Isolation is now a stable feature inside Chrome, the work is now nearing completion inside Firefox.
    According to an update to the Project Fission wiki page, Site Isolation can now be enabled inside versions of Firefox Nightly, the Firefox version where new features are tested.
    To enable it, Firefox users must:
      1. Access the about:config page.
      2. Set the “fission.autostart” and “gfx.webrender.all” prefs to “true”.
      3. DO NOT edit any other “fission.*” or “gfx.webrender.*” prefs.
      4. Restart Firefox Nightly.
    Once enabled, users can test if Site Isolation is active by hovering their mouse over a Firefox tab. If enabled, the tooltip will show the [F] indicator that Fission is active, along with the PID — the OS process ID for each Firefox tab.
    According to Mozilla, Site Isolation has been in testing since September and is expected to reach the stable branch in the first half of 2021, with the feature currently being tested by extension developers to ensure that Firefox add-ons aren’t affected by the upcoming changes.
    According to the Fission wiki page, once activated for all users, Site Isolation will increase the amount of memory Firefox uses, but Firefox devs are currently working on reducing this memory footprint as much as possible, so that Fission does not impact the browser’s overall performance.