More stories


    Remote code execution vulnerability uncovered in Starbucks mobile platform

    A potential remote code execution (RCE) bug has been patched in one of Starbucks’ mobile domains. 

    The US coffee giant runs a bug bounty program on HackerOne. A vulnerability report by Kamil “ko2sec” Onur Özkaleli, first submitted on November 5 and made public on December 9, describes an RCE issue on mobile.starbucks.com.sg, a platform for Singaporean users. 
    According to the advisory, ko2sec discovered a .ashx endpoint on mobile.starbucks.com.sg that was intended for handling image files. However, the endpoint did not restrict the type of file that could be uploaded, so an attacker abusing the issue could potentially upload a malicious file and remotely execute arbitrary code. 
    While the full bug bounty report has been restricted by Starbucks, it is noted that the bug bounty hunter’s analysis of the issue revealed “additional endpoints on other out of scope domains that shared this vulnerability.”
    A CVE has not been issued for the critical vulnerability, but a severity score of 9.8 has been added to the report. 

    Ko2sec was awarded $5,600 for his findings. 
    The RCE is not the only submission the researcher has made to Starbucks. In October, ko2sec described an account takeover exploit in the Starbucks Singapore website caused by open test environments. Knowing only a user’s email address, it was possible to target that user, view their personal information, and even spend any credit loaded in their account wallet. 
    The bug bounty hunter received $6,000 for this previous report. 
    To date, Starbucks has received 1,068 vulnerability reports on HackerOne. The average bounty paid out for valid submissions is between $250 and $375, while critical bugs are worth $4,000 to $6,000. In total, the coffee chain has paid more than $640,000 to bug bounty hunters, with $20,000 cashed out in the past 90 days. 
    ZDNet has reached out to Starbucks and will update when we hear back.
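    The report above describes an image-handling endpoint that accepted any file type. As an added example (not code from the report, from Starbucks, or from ZDNet), here is the kind of check such an endpoint should apply before writing anything to disk: an extension allowlist, a magic-byte check that the bytes really are the declared image format, a size cap, and a server-generated filename so the client never controls the stored name. Function names, the signature table and the upload directory are assumptions of this example.

```python
import os
import secrets

# Allowed image extensions and the file signature (magic bytes) each must start with.
# Anything not in this table is rejected outright, whatever the client calls the file.
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed cap for this example


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller should return an error, not store."""


def _declared_extension(filename):
    # Only the final extension counts, and any path components the client sent are dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    return ext.lower()


def validate_image_upload(filename, data):
    """Return the allowed extension for this upload, or raise UploadRejected."""
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = _declared_extension(filename)
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected("extension not allowed: %r" % (ext or "(none)"))
    # The declared type must match the content; a script renamed to .png fails here.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match declared image type")
    return ext


def store_upload(filename, data, upload_dir):
    """Validate the upload and write it under a random server-chosen name; return that name."""
    ext = validate_image_upload(filename, data)
    stored_name = secrets.token_hex(16) + ext  # client-supplied name is never used on disk
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header passes, a non-image does not.
    print(validate_image_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    try:
        validate_image_upload("handler.ashx", b"not an image")
    except UploadRejected as exc:
        print("rejected:", exc)
```

The stored file should also live outside the web root and be served back through a handler that sets an image Content-Type, so that even a file which passes these checks is never executed by the server.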


    Tech industry concerns put aside as Critical Infrastructure Bill enters Parliament

    Minister for Home Affairs Peter Dutton introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Parliament on Thursday, labelling it as a significant step in the protection of critical infrastructure and essential services that Australians rely upon.
    “Critical Infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation’s wealth and prosperity, and national security,” Dutton said.
    “While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune. Australia is facing increasing cybersecurity threats to essential services, businesses, and all levels of government.”
    While Dutton said owners and operators of critical infrastructure are best placed to deal with such threats, he said it takes a team effort to bring about positive change.
    The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
    It extends the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.
    The Bill introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.

    Dutton on Thursday said the obligation to adopt and comply with a risk management program is designed to uplift core security practices of critical infrastructure assets by “ensuring entities take a holistic and proactive approach to identifying, preventing, and mitigating risks”.
    The purpose of the framework requiring ASD reporting, he said, is to establish a “comprehensive understanding of the cybersecurity risks to critical infrastructure assets”.
    “Through greater awareness, the government can better see malicious trends and campaigns, which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyber attacks,” he continued.
    Also contained within the Bill are last resort powers, which allow the government to step in to protect assets during or following a significant cyber attack.
    Dutton said the Bill was developed through extensive consultation with industry.
    “The final Bill reflects the outcomes of the consultation process and ensures we have the right balance between taking effective steps to manage security of our critical infrastructure and appropriate checks and balances,” he claimed.
    “This is not the end of consultation, the government is committed to continuing the conversation to ensure that the reforms are operationalised in the most appropriate and effective manner.”
    This includes industry engagement on designing sector-specific requirements and guidance for the laws.
    Elsewhere on Thursday, the Governor-General assented to the Foreign Investment Reform (Protecting Australia’s National Security) Bill 2020, which updates Australia’s foreign investment review framework with the overarching goal of addressing national security risks, strengthening compliance, and streamlining investment in non-sensitive businesses.
    While the Bill aims to protect Australia, the country’s quantum technology sector, as well as the federal opposition, flagged concerns about the problems the Bill could create for the nascent industry, mostly around investment opportunities.
    Q-CTRL, Australia’s first venture capital-backed quantum technology company, previously said the broad definitions of “national security businesses” in the legislation encompass “effectively all emerging quantum technology companies and place our sector at a tremendous disadvantage relative to competitors formed in regions with larger and more mature investor bases including the US and EU”.
    “Simply put, Australian venture capital is insufficiently mature to support growth in our industry at this stage, meaning that fully realising the potential of quantum technology in Australia necessitates the involvement of foreign investors,” Q-CTRL CEO, founder, and professor Michael Biercuk said.


    Hackers are selling more than 85,000 SQL databases on a dark web portal

    More than 85,000 SQL databases are currently on sale on a dark web portal for a price of only $550/database.
    The portal, brought to ZDNet’s attention earlier today by a security researcher, is part of a database ransom scheme that has been going on since the start of 2020.
    Hackers have been breaking into SQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back.
    While initial ransom notes asked victims to contact the attackers via email, as the operation grew throughout the year the attackers also automated their DB ransom scheme with the help of a web portal, first hosted online at sqldb.to and dbrestore.to, and then moved to a .onion address on the dark web.

    Victims who access the gang’s sites are asked to enter a unique ID, found in the ransom note, before being presented with the page where their data is being sold.

    If victims don’t pay within a nine-day period, their data is put up for auction on another section of the portal.

    The price for recovering or buying a stolen SQL database must be paid in bitcoin. The actual price has varied across the year as the BTC/USD exchange rate fluctuated, but it has usually remained centered around a $500 figure for each site, regardless of the database’s contents.

    This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don’t analyze the hacked databases for data that could contain a higher concentration of personal or financial information.
    Past attacks are easy to identify as the group has usually placed their ransom demands in SQL tables titled “WARNING.” Based on complaints ZDNet has reviewed for this article, most of the databases appear to be MySQL servers; however, we don’t rule out that other SQL relational database systems like PostgreSQL and MSSQL could have been hit as well.
    Signs of these ransom attacks have been piling up over the course of 2020, with the number of complaints from server owners finding the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.
    Bitcoin addresses used for the ransom demands have also been piling up on BitcoinAbuse.com, a website that indexes Bitcoin addresses used in cybercrime operations.
    These attacks mark the most concerted effort to ransom SQL databases since the winter of 2017, when hackers hit MySQL servers in a series of attacks that also targeted MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers.


    NSW's new information and privacy committee to advise government on best practices

    A new committee has been set up by the New South Wales government to provide it with information, advice, assistance, and training on how to best deliver information and privacy management practices in government, as well as facilitate collaboration between government, industry, and academia.
    The Information and Privacy Advisory Committee will be responsible for advising the Information and Privacy Commission NSW, the Minister for Customer Service Victor Dominello, and the Attorney-General and Minister for the Prevention of Domestic Violence Mark Speakman.
    “The digital age presents many opportunities, but it is important that our policies and laws reflect its challenges,” Dominello said.
    Appointed to chair the committee is NSW Information Commissioner Elizabeth Tydd. She will be joined by NSW Privacy Commissioner Samantha Gavel, NSW government chief data scientist Ian Oppermann, Australian Institute of Health and Welfare CEO Barry Sandison, Allens Hub technology, law, and innovation director and University of New South Wales (UNSW) faculty of law professor Lyria Bennett Moses, Information Integrity Solutions founder Malcolm Crompton, NSW Department of Communities and Justice executive director of justice strategy and policy Paul McKnight, and Data Synergies principal and UNSW Business School practice professor Peter Leonard.
    “This new committee will bring together specialists from a range of sectors — including data science, technology, business and law — to ensure we remain at the forefront of these issues,” Dominello said.
    In addition to the core members, NSW government said experts in relevant areas may also be invited to attend and contribute as required by the committee.

    “The committee has the expertise to provide assistance to public sector agencies in adopting and complying with information governance in a contemporary public sector context, including access to information rights, with information protection principles, and implementing privacy management plans in ways that account for these challenges,” Tydd said.
    The launch of the committee will add to ongoing efforts the state government has been making when it comes to addressing information privacy.
    In June, the state government announced its intentions to stand up a sector-wide cybersecurity strategy, which would supersede the cybersecurity strategy that was last updated in 2018.
    The plan to create a new security document followed an AU$240 million commitment to improve NSW’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce. With that funding, the state government announced plans to create an “army” of cyber experts.
    In a vow to keep customer data safe, the state government set up a dedicated cyber and privacy resilience group in October.
    NSW Department of Customer Service Secretary Emma Hogan, who is the chair of the new group, said at the time that setting up the taskforce was in response to the cyber attack the state government suffered earlier this year.  
    The breach resulted in 73GB of data, comprising 3.8 million documents, being stolen from staff email accounts. The breach impacted 186,000 customers.
    Budget papers revealed in November the cyber attack would cost Service NSW AU$7 million in legal and investigation fees.
    But this is not the only cyber incident that the state government has suffered. In September, it was revealed information on thousands of New South Wales driver’s licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open. 
    Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.  


    JCPAA calls for Commonwealth entities to be cyber assessed annually by ANAO

    The Joint Committee of Public Accounts and Audit (JCPAA) has called for federal government entities to be assessed on cyber resilience each year by the Australian National Audit Office (ANAO). However, the committee acknowledged that even if the government accepted the recommendation, this was unlikely to lead to a better-informed public.
    “The committee recognises the concerns raised in evidence to the inquiry highlighted that individual vulnerabilities within Commonwealth entities could exacerbate existing cybersecurity risks,” the report reviewing a pair of recent ANAO reports said.
    “In light of this, the committee proposes that published limited assurance reviews provide no more granular public information than is published in existing ANAO cyber resilience audits. The published report can also provide advice on identified impediments to agencies implementing the 13 behaviours and practices and the Essential Eight mitigation strategies, noting that the provision exists for confidential reporting to ministers and the JCPAA where required.”
    Historically, public reports from the ANAO have placed agencies on a chart that measures compliance with mitigation strategies on one axis and maturity in access and change management on the other. Each agency then lands in one of four quadrants: vulnerable, internally resilient, externally resilient, or cyber resilient.
    Australian agencies remain highly averse to any public acknowledgement of their security posture.
    Earlier this week, the Office of National Intelligence (ONI) said its posture was highly mature, but declined to say whether it had a DMARC record, citing national security.
    Anyone can easily use command-line tools or online checkers to find out whether ONI is fully compliant with DMARC, since a DMARC policy is published as a DNS TXT record that is publicly viewable over the internet.
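    As an added example (not code from the report or from ZDNet) of the public check the article refers to: a DMARC policy lives at the `_dmarc` TXT record of a domain, so the strings a `dig +short TXT _dmarc.example.com` query returns can be parsed and graded offline. The record strings below are constructed samples, the domain is a placeholder, and the grading rules are this example’s own reading of the `p`, `sp`, `pct` and `rua` tags.

```python
import subprocess
from typing import Dict, List

# Ranking of the DMARC policy values: p=none only monitors, quarantine and reject enforce.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def lookup_dmarc_txt(domain: str) -> List[str]:
    """Query the public DNS for the domain's _dmarc TXT records using the dig CLI (needs network)."""
    out = subprocess.run(["dig", "+short", "TXT", "_dmarc.%s" % domain],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split '"v=DMARC1; p=reject; rua=mailto:..."' into a tag dict with lower-cased tag names."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: List[str]) -> dict:
    """Grade the TXT records found at _dmarc.<domain>: present?, verdict, and the reasons behind it."""
    dmarc = [r for r in txt_records if r.strip().strip('"').lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"present": False, "verdict": "no DMARC record",
                "reasons": ["no v=DMARC1 TXT record at _dmarc"]}
    if len(dmarc) > 1:
        # Receivers treat more than one DMARC record as no usable policy at all.
        return {"present": True, "verdict": "invalid",
                "reasons": ["multiple DMARC records published"]}
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return {"present": True, "verdict": "invalid",
                "reasons": ["missing or unknown p= tag: %r" % policy]}

    reasons = []
    if policy == "none":
        reasons.append("p=none only monitors; spoofed mail is still delivered")
    # Subdomain policy defaults to p=; an explicit weaker sp= leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, -1) < POLICY_RANK[policy]:
        reasons.append("subdomain policy sp=%s is weaker than p=%s" % (sub_policy, policy))
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        reasons.append("pct=%d: policy applies to only %d%% of mail" % (pct, pct))
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports are not collected")

    if policy == "none":
        verdict = "monitoring"
    elif reasons:
        verdict = "enforcing with gaps"
    else:
        verdict = "enforcing"
    return {"present": True, "verdict": verdict, "policy": policy, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample record; replace with lookup_dmarc_txt("example.com") for a live check.
    sample = ['"v=DMARC1; p=quarantine; sp=none; pct=50"']
    print(assess_dmarc(sample))
```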

    Shadow Assistant Minister for Cyber Security Tim Watts said the report was a “damning indictment” on the government.
    “This failure is so bad that the committee found that a new and unprecedented oversight regime is needed to ensure our vital government services and the data of Australian citizens they hold are appropriately protected at a time of dramatically increasing cyber threats,” Watts said in a statement with deputy chair Julian Hill.
    “It comes after years of staggeringly high rates of non-compliance from the Commonwealth government with its own cybersecurity framework.
    “The Morrison Government has had seven years of reports from the ANAO and JCPAA to fix this.”
    The opposition has previously said it would like to name and shame entities that have a low cyber score.
    In its other recommendations, JCPAA said the Attorney-General’s Department should provide an update on getting external parties to verify self-reported compliance from entities; and the department should also provide an update on the cyber maturity of government entities and whether it was feasible to mandate the Essential Eight, a call the committee made in October 2017, as well as report back on why any entities have yet to implement the Top Four mandated in April 2013.
    It added that the Protective Security Policy Framework should be updated to align with the ANAO’s 13 behaviours and practices for cyber resilience, and that Australia Post and the Australian Digital Health Agency should provide updates on how they are implementing the recommendations from prior ANAO reports.


    Adobe to block Flash content from running on January 12, 2021

    On Tuesday, Adobe released the last ever update for its iconic Flash Player app, which the company plans to retire at the end of the year.

    “In the latest Flash Player update released yesterday, we updated our uninstall prompt language and functionality to encourage people to uninstall Flash Player before the end of life and to help make users aware that beginning January 12, 2021, Adobe will block Flash content from running,” an Adobe spokesperson told ZDNet.
    The update follows through with changes Adobe announced earlier this year in June.
    At the time, Adobe said it planned to show prompts to all Flash users by the end of the year with a notification that the software would soon reach its planned end-of-life (EOL).
    The new update also puts a firm date on Flash’s demise: January 12, 2021, the date after which no Flash content of any kind will run inside the Flash app.
    Skipping this last Flash update won’t remove this “time bomb,” however.
    Adobe told ZDNet that the killswitch code was added to previous releases months ago, and that this last Flash update only modifies the language used in the prompt that asks users to uninstall the app.
    End of the road

    The Flash EOL was first announced in July 2017 when Adobe, Apple, Google, Microsoft, Mozilla, and Facebook agreed to phase out Flash-based content and technologies from their products.
    At the time of writing, all major browsers have already disabled Flash and are set to remove the Flash plugin itself from their codebases throughout December 2020 and January 2021.
    Facebook moved most of its hosted games from Flash to HTML5 and JavaScript-based technologies years ago.
    Once unthinkable, the Flash EOL is now expected to have minimal impact on the web ecosystem: according to web technology survey site W3Techs, only 2.3% of today’s websites use Flash code, down from a 28.5% market share at the start of 2011.
    Besides deprecating Flash in its browsers, Microsoft also released an optional Windows update last month which, once applied, removes all traces of Flash Player at the OS level.
    Adobe thanks Flash users and developers
    Despite being marred by criticism for all of its security bugs, Flash Player played a crucial role in the history of the entire internet, helping usher in and popularize interactive content like web animations, multimedia players, and streaming technologies, all of which were first supported by Flash before being ported to CSS, JavaScript, and HTML5.
    With Flash’s last update rolling out this week, Adobe also took the time to thank all Flash users and web developers for installing the app and using it for their work. The message is below, as seen in the last Flash Player changelog entry.
    “We want to take a moment to thank all of our customers and developers who have used and created amazing Flash Player content over the last two decades. We are proud that Flash had a crucial role in evolving web content across animation, interactivity, audio, and video. We are excited to help lead the next era of digital experiences.”


    CyberCX eyes Australian government with Foresight acquisition

    The Australian cyber megamix CyberCX has made yet another acquisition, this time scooping up Foresight with an eye on its government portfolio.
    CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, said specialist cybersecurity consultancy Foresight would strengthen its Canberra footprint and cement its capability and credentials as “Australia’s leading cybersecurity organisation”.  
    “With extensive experience working with Australian government agencies, the addition of Foresight will increase CyberCX’s substantial capability in delivering cyber security solutions for major government clients,” CyberCX said.
    Founded over a decade ago, Foresight is an independent cybersecurity consultancy focused on technical security compliance and assurance activities for enterprise and government. CyberCX said Foresight has deep expertise providing security solutions to leading Australian and global organisations, working with Australian government agencies in assessing large and highly complex systems.
    The consultancy also has a particularly strong cloud security practice and works with cloud service providers, government agencies, and large enterprises.
    “We built Foresight as a proudly 100% Australian company, providing independent cybersecurity advice as a trusted advisor to our customers. CyberCX supercharges this mission,” Foresight managing director Peter Baussmann said.
    “The CyberCX team have quickly established themselves as a formidable force across Australia and New Zealand. We look forward to continuing to service our customers at the highest level and offering them the full suite of capabilities and expertise that CyberCX has to offer.”

    CyberCX, backed by private equity firm BGH Capital, was formed a little over one year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.
    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups simultaneously.
    Last month, it announced plans to push into Queensland and in late October, CyberCX stood up operations in Western Australia after acquiring two local cyber firms, Asterisk Information Security and Diamond Cyber Security.
    Identity management firm Decipher Works and cloud security specialists CloudTen also joined the organisation in October; and two Melbourne-based startups, Basis Networks and Identity Solutions, were added to CyberCX in July.
    CyberCX also pushed into the New Zealand market in August, adding its first Kiwi acquisition, Insomnia Security, a month later.


    For the love of open source: Why developers work on Linux and open-source software

    The myth of the open-source developer is that they are unemployed young men coding away in basements. The truth is different. A new survey from The Linux Foundation’s Open Source Security Foundation (OSSF) and the Laboratory for Innovation Science at Harvard (LISH), the Report on the 2020 FOSS Contributor Survey, found a significant number of women developers, a plurality of programmers in their 30s, and a majority working full-time jobs with an average annual pay rate of $123,000. 


    Over half of those surveyed reported that they receive payment for free and open-source software (FOSS) contributions, from either their employer or a third party. More than half of respondents, 51.65%, are specifically paid to develop open-source programs.
    That said, while open-source jobs are in high demand and the pay is great, it’s not money that brings programmers to open-source. Indeed, even those people paid for working on a FOSS project also contributed to other open-source programs without being compensated.
    The survey of almost 1,200 developers found the top reason was adding a needed feature or fix to a program they already use. Or, as Eric S. Raymond put it in his seminal open-source work, The Cathedral and the Bazaar, “Every good work of software starts by scratching a developer’s personal itch.”
    The other top two reasons were the enjoyment of learning and fulfilling a need for creative or enjoyable work. At the bottom? Getting paid. 
    It’s not that programmers dislike making money from their open-source work. Far from it! But money alone isn’t that important to them. This can be seen by their answer to another question, which showed that no matter “how many hours they spent on FOSS during paid work time, nearly all respondents also spend some of their free time working on FOSS.”
    That said, one vital area of software development is being neglected: Security. 

    On average, programmers spend just 2.27% of their total contribution time on security. Worse still, there is little desire to spend more time and effort on security. 
    David A. Wheeler, The Linux Foundation’s director of open-source supply chain security, said: “It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors.” 
    The solution, the report authors suggest, is to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.
    Specifically, they suggest:
    • Fund security audits of critical open-source projects and require that the audits produce specific, mergeable changes.
    • Rewrite portions or entire components of FOSS projects prone to vulnerabilities to produce a substantially more secure result (e.g., contribute a rewrite in a memory-safe language).
    • Prioritize secure software development best practices.
    • Companies should make secure software development training a requirement for hiring or continued professional development for their paid FOSS developers.
    • Utilize badging programs, mentoring programs, and the influence of respected FOSS contributors to encourage projects and their contributors to develop and maintain secure software development practices.
    • Encourage projects to incorporate security tools and automated tests as part of their continuous integration (CI) pipeline, ideally as part of their default code management platform.
    The survey also found that companies are continuing to do better at supporting their people who work on open-source projects. Today, over 45.45% of respondents are free to contribute to open-source programs without asking permission, compared to 35.84% 10 years ago. However, 17.48% of respondents say their companies have unclear policies on whether they can contribute, and 5.59% were unaware of what policies, if any, their employer had.
    The Linux Foundation plans on refreshing The FOSS Contributor Report and Survey. If you’re an open-source developer and you’d like to participate, please sign up here.