More stories

    Kleenheat customer names and addresses exposed in system breach

    Australian gas producer Kleenheat has warned a number of its customers about a data breach that may have resulted in information such as name and address being exposed.
    The Perth-based retailer and distributor believes the breach occurred in 2014 on a third-party system. ZDNet understands that system is no longer in use.
    “The potential disclosure was recently identified by Kleenheat during a routine data security check, and did not occur within Kleenheat’s internal systems,” the company wrote in an email to customers.
    Kleenheat referred to the data at potential risk as “general contact information”, confirming that it included name, residential address, and email address. It “reassured” customers that phone number, date of birth, and bank, credit card, and account details were not breached.
    “As soon as we identified the issue, we moved quickly to secure the information and we are not aware of any associated malicious activity,” Kleenheat added.
    “Please be assured that we will continue to monitor for any potential suspicious activity in our systems.”
    ZDNet understands only affected customers received the notification.
    The company said it has been in contact with relevant authorities, such as reporting the incident to the Office of the Australian Information Commissioner.
    Australian government takes another swing at revamping visa processing system

    The Australian government has provided more details on its plan to develop a whole-of-government platform, called Permissions Capability, which it expects to use for delivering Commonwealth digital services that require permissions.
    Speaking on Monday during Senate Estimates, Secretary of the Department of Home Affairs Mike Pezzullo explained that the government envisions Permissions Capability would be used for government services such as visas, import and export permits, licences, accreditation, declarations, and registrations.
    “Future use cases, subject to government approval, could include employment suitability clearances, the licencing of companies to import and sell illicit tobacco along with associated compliance measures to illicit tobacco, police checks, permits to import and export certain goods, Australian government security accreditation, for example, an aviation security identification card or ASIC, as well as complex visa products,” he said.
    The federal government first signalled plans about building its permissions platform back in July. 
    The first cab off the rank for this new system would be the development of a Digital Passenger Declaration (DPD), which is set to replace the existing manually processed, paper-based incoming passenger card and the separate COVID-19 health declaration.
    According to the government, the DPD would let Australia-bound travellers provide their incoming passenger information via a mobile device or computer, while also allowing certified COVID-19 vaccination certificates to be digitally uploaded and linked if and when they become available.
    Acting Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs Alan Tudge and Minister for Government Services Stuart Robert jointly said the DPD would enable information to be collected and shared more efficiently, while still relying on the same authority for collection.
    “Currently, the government collects a range of passenger information, including contact details, customs, and biosecurity information from citizens and non-citizens entering Australia using a manual, paper-based process,” Tudge said.
    “This new capability will strip away the need to scan paper cards. It will facilitate data sharing between state and territory health departments and enable swift verification of information provided by passengers.
    “In the future, collection and verification of information will assist in managing risk at the international border when international travel returns.”
    Tudge touted it would also streamline the national response to COVID-19 contact tracing by speeding up information collection and processing.
    The unveiling of plans to simplify COVID-19 contact tracing at airports coincided with the New South Wales government announcing that passengers could now use the Service NSW app to check-in for contact tracing at Sydney Airport by scanning a unique QR code located at domestic and international terminals. The app automatically captures the date, time, and location of the check-in, which is stored as data for 28 days solely for the purpose of contact tracing before being deleted.
    Additionally, the federal government outlined in its Permission Capability information paper [PDF] that it would develop what it has dubbed as a “simple” digital visa product as part of the initial phase for delivering its Permission Capability.
    The simple visa product would include a digital application that would be made available for non-citizen travellers who meet certain visa criteria. It would also be used to integrate multiple visas on the new system when they become digitised, as well as streamline the application process, and facilitate visa holders’ movement through international borders.
    Earlier this year, the federal government terminated its contentious request for tender process for its proposed Global Digital Platform (GDP).
    The Department of Immigration and Border Protection — now Home Affairs — went to tender initially in September 2017, seeking a provider to design, implement, and operate a new visa business.
    At the time, it was explained that the new visa business would be outsourced to another party that would be charged with processing visa applications.
    In 2018, a request for tender was published and quickly removed. It called for a private company to own and operate Australia’s visa processing system for a period of 10 years.
    After admitting that privatising Australia’s visa processing system was not the best idea, the government announced it would take a “broad new policy approach” by acquiring and delivering workflow processing capability within the Department of Home Affairs and other areas across government.
    “The government will implement modern, easy to access, digital services for clients,” Tudge said at the time. “This approach seeks integrated enterprise-scale workflow processing capability that could be utilised across the Commonwealth.
    “Key to this is recognising the efficiencies that can be generated from large-scale government investment in technology and the re-use of capability across government.”
    The Department of Home Affairs spent just shy of AU$92 million for design and procurement on the binned GDP project. Of that amount, AU$24 million was spent on the co-design and development of business requirements; AU$32 million on the GDP request for tender processes, probity, legal, and assurance; AU$18 million on departmental IT readiness; and AU$17 million on development of Business Rules.
    Another AU$65 million was spent on external contracts on the proposed GDP, the department revealed in May in response to questions on notice from Senate Estimates held in early March. Boston Consulting Group walked away with AU$43.5 million and KPMG with nearly AU$8 million.
    During Senate Estimates on Monday, Home Affairs First Assistant Secretary Stephanie Cargill revealed that government had set aside an initial AU$74.9 million to begin building the base Permission Capability in 2021, which includes delivering the DPD and the simple digital visa product.
    Off the back of that response, Senator Kristina Keneally scorned the government for not prioritising the modernisation of the country’s existing visa system, as part of the recent federal 2020-21 Budget. 
    “I’m trying to understand how we’ve come to a point where you’ve spent AU$91 million on the visa privatisation that was then dumped in March, and now we’ve only got $74 million for simple visas, and yet experts say it’s going to take, again, another billion-dollar to rebuild the visa processing system,” she said.
    “You’ve even agreed there were warning bells that have been going up since 2017. So, how do we have a Budget that has got a trillion dollars of debt, but yet has so little money allocated for … a visa system that is failing?”
    An open market request for tender to build and deliver the DPD and simple digital visa product will be issued before the end of October, the Department of Home Affairs said.
    Political campaign emails contain dark patterns to manipulate donors, voters

    US political candidates use psychological tricks and dark patterns in their emails to manipulate supporters to donate money and mobilize voters.
    In a study published earlier this month, academics from Princeton University said they analyzed more than 100,000 emails sent by candidates in federal and state races as well as Political Action Committees (PACs), Super PACs, political parties, and other political organizations.
    The emails were collected as part of a research project that began in December 2019. Emails are still being collected today, with the research team planning to make all the data public after the US fall election cycle.
    More than 280,000 emails from more than 3,000 senders were collected to date.
    “Our corpus has two orders of magnitude more emails than the largest corpus of election-related emails previously analyzed in the academic literature,” the Princeton researchers said.
    While the full data will be made available in November, the research team earlier this month also published a paper [PDF] containing the results of a preliminary analysis of the first 100,000 emails they collected, from December 2, 2019, up to June 25, 2020.
    These days, most campaign emails are akin to spam, so most email users are already familiar with their content and purpose. Most campaigns struggle to get users to even open the emails, let alone read or take action — like sign up for rallies, go vote, or donate funds.
    The Princeton research team said the purpose of their research was to identify manipulative tactics and dark patterns used by political campaigns over the past year to get recipients to, at least, open their emails.
    Six were identified, researchers said. These included:
    • Forward referencing or information withholding – Using subject lines like “bumping this for you” or “let’s prove him wrong,” which are generic enough to get users to open the email and investigate.
    • Sensationalism – Emails with classic clickbaity subject lines like “(no!) Mark Kelly SLANDERED!” and “HUGE ANNOUNCEMENT.”
    • Urgency – Emails with countdown timers, fake deadlines, or fake goals, using subject lines and phrases like “April Deadline (via Team Graham)” or “1 huge goal, 1 last chance to help reach it!”
    • Obscured names – Emails where the senders obscured their identity, making it impossible for the recipient to learn who sent the email without opening it first.
    • Ongoing thread – Emails where the sender modified their name into patterns like “John, me (2)” to trick users into thinking they had already replied to the email and this was an ongoing conversation.
    • Abuse of Re: / Fwd: – Emails where senders abused the “Re” and “Fwd” terms in subject lines to trick users into thinking the email was a reply or a forwarded message.

    According to the researchers, the typical campaign used at least one of these tactics in about 43% of the emails they sent. Even if campaigns didn’t use these tactics on a regular basis, researchers said that 99% use them at least occasionally.
    The Princeton academics said they looked into campaign emails because “manipulative political discourse undermines voters’ autonomy, generates cynicism and thus threatens democracy” and “distorts political outcomes by advantaging those who are skilled at deploying technological tricks, triggering a race to the bottom.”
    A website has also been set up where anyone can search through the email corpus, either by sender name or keywords. The website is updated daily with new emails.
    “We hope that our corpus will be useful for studying a wide array of traditional political science questions, including how candidates represent themselves to their would-be constituents, how and when campaigns go negative, and what tactics campaigns and organizations use to raise money and mobilize voters,” researchers said.

    Three npm packages found opening shells on Linux, Windows systems

    Three JavaScript packages were removed from the npm portal on Thursday for containing malicious code.
    According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects.
    A shell, in the sense security researchers use the term, gives a threat actor remote access to the infected computer and the ability to execute commands on it.
    The npm security team said the shells could work on both Windows and *nix operating systems, such as Linux, FreeBSD, OpenBSD, and others.
    Packages were live for almost a year
    All three packages were uploaded to the npm portal almost a year ago, in mid-October 2019. Each package had more than 100 total downloads since being uploaded. The package names were:
    “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.
    “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they added.
    Npm’s security staff regularly scan its collection of JavaScript libraries, considered the largest package repository for any programming language.
    While malicious packages are removed on a regular basis, this week’s enforcement is the third major crackdown in the last three months.
    In August, npm staff removed a malicious JavaScript library designed to steal sensitive files from an infected user’s browser and Discord application.
    In September, npm staff removed four JavaScript libraries for collecting user details and uploading the stolen data to a public GitHub page.

    Microsoft releases emergency security updates for Windows and Visual Studio

    Microsoft has published today two out-of-band security updates to address security issues in the Windows Codecs library and the Visual Studio Code application.

    The two updates come as late arrivals after the company released its monthly batch of security updates earlier this week, on Tuesday, patching 87 vulnerabilities this month.
    Both new vulnerabilities are “remote code execution” flaws, meaning they allow attackers to run code on affected systems.
    Windows Codecs Library vulnerability
    The first bug is tracked as CVE-2020-17022. Microsoft says that attackers can craft malicious images that, when processed by an app running on top of Windows, can allow the attacker to execute code on an unpatched Windows OS.
    All Windows 10 versions are impacted.
    Microsoft said an update for this library would be automatically installed on user systems via the Microsoft Store.
    Only users who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store are impacted.
    HEVC is not available for offline distribution and is only available via the Microsoft Store. The library is also not supported on Windows Server.
    To check whether a vulnerable HEVC codec is installed, go to Settings, Apps & Features, select HEVC, then Advanced Options. The secure versions are 1.0.32762.0, 1.0.32763.0, and later.
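    The same version check can be scripted for fleet triage. This is an added example, not from the article or from Microsoft: it assumes the Store packages are named with the `Microsoft.HEVCVideoExtension*` prefix and compares each installed package against the first fixed version the article names.

```powershell
# Added example (not from the article): report whether installed HEVC codec
# packages are at or above the fixed version Microsoft lists for CVE-2020-17022.
# Assumption: Store package names start with Microsoft.HEVCVideoExtension
# (the paid HEVC extension and the "from Device Manufacturer" variant).
$fixed = [version]'1.0.32762.0'   # first secure version; 1.0.32763.0 and later also pass

# Add -AllUsers (requires an elevated shell) to cover packages installed for other accounts.
$pkgs = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*' -ErrorAction SilentlyContinue

if (-not $pkgs) {
    Write-Output 'No HEVC codec package installed: the optional codec is absent, so this host is not affected.'
    return
}

foreach ($p in $pkgs) {
    $installed = [version]$p.Version
    $status = if ($installed -ge $fixed) { 'patched' } else { 'VULNERABLE - update via Microsoft Store' }
    Write-Output ('{0} {1} ({2}) [{3}]' -f $p.Name, $p.Version, $p.Architecture, $status)
}
```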
    Visual Studio Code vulnerability
    The second bug is tracked as CVE-2020-17023. Microsoft says attackers can craft malicious package.json files that, when loaded in Visual Studio Code, can execute malicious code.
    Depending on the user’s permissions, an attacker’s code could execute with administrator privileges and allow them full control over an infected host.
    Package.json files are routinely used with JavaScript libraries and projects. JavaScript, and especially its server-side Node.js runtime, is one of today’s most popular technologies.
    Visual Studio Code users are advised to update the app to the latest version as soon as possible.

    Google says it mitigated a 2.54 Tbps DDoS attack in 2017, largest known to date

    The Google Cloud team revealed today a previously undisclosed DDoS attack that targeted Google services back in September 2017 and which clocked in at 2.54 Tbps, making it the largest DDoS attack recorded to date.

    In a separate report published at the same time, the Google Threat Analysis Group (TAG), the Google security team that analyzes high-end threat groups, said the attack was carried out by a state-sponsored threat actor.
    TAG researchers said the attack came from China, having originated from within the network of four Chinese internet service providers (ASNs 4134, 4837, 58453, and 9394).
    Damian Menscher, a Security Reliability Engineer for Google Cloud, said the 2.54 Tbps peak was “the culmination of a six-month campaign” that utilized multiple methods of attacks to hammer Google’s server infrastructure.
    Menscher didn’t reveal which services were targeted.
    “The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us,” Menscher said.
    “This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier [in 2016].”
    Furthermore, this attack is also larger than the 2.3 Tbps DDoS attack that targeted Amazon’s AWS infrastructure in February this year.
    Despite keeping the attack secret for three years, Google disclosed the incident today for two reasons.
    The Google TAG team wanted to raise awareness of an increasing trend of nation-state hacker groups using DDoS attacks to disrupt targets.
    The Google Cloud team also wanted to raise awareness that DDoS attacks will intensify in the coming years as internet bandwidth increases.
    In a report published on Wednesday, data center company Equinix predicted an increase of roughly 45% (~16,300+ Tbps) in global interconnection bandwidth by 2023.

    Singapore releases AI ethics, governance reference guide

    Singapore businesses looking to adopt artificial intelligence (AI) technologies responsibly now can access a reference document to help them do so. The AI Ethics & Governance Body of Knowledge (BoK) is touted to provide a reference guide for business leaders and IT professionals on the ethical aspects related to the development as well as deployment of AI technologies.
    Launched by industry group Singapore Computer Society (SCS), the BoK was put together based on the expertise of more than 60 individuals from multi-disciplinary backgrounds, with the aim to aid in the “responsible, ethical, and human-centric” deployment of AI for competitive advantage. It encompasses use cases to outline the positive and negative outcomes of AI adoption, and looks at the technology’s potential to support a “safe” ecosystem when utilised properly.
    The BoK was developed based on Singapore’s latest Model AI Governance Framework, which was updated in January 2020, and will be regularly updated as the local digital landscape evolves, said SCS during its launch on Friday.

    Founded in 1967, the industry group has more than 42,000 members and offers a range of services to support its members, including training and development and networking opportunities. SCS comprises 11 chapters including AI and robotics, cybersecurity, and Internet of Things, as well as five interest groups that include blockchain and data centre.
    Noting that AI sought to inject intelligence into machines to mimic human action and thought, SCS President Chong Yoke Sin noted that rogue or misaligned AI algorithms with unintended bias could cause significant damage. This underscored the importance of ensuring AI was used ethically. 
    “On the other hand, stifling innovation in the use of AI will be disastrous as the new economy will increasingly leverage AI,” Chong said, as she stressed the need for a balanced approach that prioritised human safety and interests. 
    Speaking during SCS’ Tech3 Forum, Singapore’s Minister for Communications and Information S. Iswaran further underscored the need to build trust with the responsible use of AI in order to drive the adoption and extract the most benefits from the technology. 
    “Responsible adoption of AI can boost companies’ efficiencies, facilitate decision-making, and help employees upskill into more enriching and meaningful jobs,” Iswaran said. “Above all, we want to build a progressive, safe, and trusted AI environment that benefits businesses and workers, and drives economic transformation.”
    The launch of a reference guide would provide businesses access to a counsel of experts proficient in AI ethics and governance, so they could deploy the technology responsibly, the minister said. 
    “[The BoK] will guide the development of curricula on AI ethics and governance. It will also form the basis of future training and certification for professionals — both in the ICT and non-ICT domains. These professionals will serve as advisors for businesses on the responsible implementation of AI solutions,” he said. 
    Chong noted that the focal point was the individual using or affected by AI. 
    “It is not merely the technology and methodologies, but the human that should be at the centre of our analysis and decision-making,” she said. “Around this core are secondary principles and values, such as auditability and robustness, that help us achieve this core set of putative global norms for ethical AI.”
    Alongside the release of the reference guide, SCS also announced a partnership with Nanyang Technological University (NTU) to develop an AI ethics and governance certification course for professionals. 
    Slated for launch next year, the course aimed to train and certify professionals to help and advise organisations on AI ethics and governance. It would be incorporated into NTU’s upcoming MiniMasters programme in AI and AI ethics, designed to guide participants in understanding and solving problems brought about by the adoption of AI. 
    Singapore in May announced plans to develop a framework to ensure the “responsible” adoption of AI and data analytics in credit risk scoring and customer marketing. Two teams comprising banks and industry players were tasked to establish metrics to help financial institutions ensure the “fairness” of their AI and data analytics tools in these instances. A whitepaper detailing the metrics was scheduled to be published by year-end, along with an open source code to enable financial institutions to adopt the metrics. 
    Ransomware: Once you've been hit your business is never the same again

    Getting hit with a ransomware attack damages an organisation in many ways – from leaving it unable to fully operate for weeks, to angry customers and potential reputational damage. But a ransomware attack also has a human cost, affecting the confidence of IT and information security teams, potentially for a long time after the initial attack.
    A new research paper by cybersecurity company Sophos says the extent of this confidence hit is so significant that the culture at these companies is never the same again. That is perhaps not surprising, as there are some suggestions that suffering a major attack can make an organisation more likely to be hit again, because criminals will identify it as a company that could be an easy target.
    According to the survey, nearly three times as many IT and information security staff in organisations which have been hit by a ransomware attack feel as if their organisation is ‘significantly behind’ when it comes to facing cyber threats, compared with those in organisations which haven’t suffered a ransomware attack.
    That lack of confidence also extends to business leadership, where management of a company hit by ransomware will also perceive the company to be significantly behind on cyber threats, compared with companies which haven’t.
    More than one third of ransomware victims said that recruiting and retaining skilled IT security professionals was their single biggest challenge when it comes to cybersecurity, compared with just 19% of those who hadn’t been hit.
    Being hit with a ransomware attack also appears to have an impact on re-skilling and training employees, with the results of the survey suggesting that organisations which have fallen victim to a ransomware attack are more likely to implement ‘human-led’ threat hunting on their networks over those which haven’t been hit.
    The idea is that by having human eyes on the network, it could be easier to spot unusual activity which could be the hallmark of an incoming cyber attack.
    This could prove important for organisations which have fallen victim to ransomware, since they may also find themselves more vulnerable to additional cyber threats following an incident.
    The report suggests that almost a third of organisations hit with ransomware have five or more third-party suppliers directly connected to their network.
    Third-party suppliers have become a significant entry point for cyber attackers, so having defenders monitor the supply chain could go a long way toward preventing ransomware and other kinds of cyber attacks. Unfortunately, it seems that in some circumstances, falling victim to a ransomware attack is what it takes to shift attitudes to security.
    “The difference in resource priorities could indicate that ransomware victims have more incidents to deal with overall,” said Chester Wisniewski, principal research scientist at Sophos.
    “However, it could equally indicate that they are more alert to the complex, multi-stage nature of advanced attacks and therefore put greater resource into detecting and responding to the tell-tale signs that an attack is imminent,” he added.
    However, despite the number of organisations which have fallen victim to cyber attacks, the report concludes that it’s “encouraging” how information security teams are evolving, especially when it comes to reacting to ever-evolving threats.