More stories

  • Facebook, Google, Twitter caution Australia against a blanket terrorism content ban

    Representatives from Google, Facebook, and Twitter on Friday appeared before an Australian security committee as a united front, spruiking the idea that they’re all working together to stop nefarious activity, such as violent extremist material, from proliferating on their respective platforms.

    The trio told the Parliamentary Joint Committee on Intelligence and Security, as part of its inquiry into extremist movements and radicalism in Australia, that the effort is a joint one and that the best way forward was to not actually legislate a ban of all mentions of content deemed inappropriate.

    “We all know combating terrorism and extremism is a continuous challenge. And unless we can completely eliminate hate and intolerance from society, there’s going to be hate and intolerance online,” Facebook Australia’s head of policy Josh Machin said. “It’s also a shared challenge between governments, industry experts, academia, civil society, and the media.”

    Asked about what the Australian government could do to help the platforms with such a mammoth task, Twitter’s senior director of public policy and philanthropy in the APAC region Kathleen Reen said it would be incredibly problematic to use a blunt force instrument like a ban.

    “One of the things that’s really important in order to really de-radicalise groups to ensure healthy, cohesive, inclusive, and diverse communities, is to make sure that there’s awareness, discussion, interrogation, and debate, and research about what the problems actually are,” she said. “If you ban all discussion at all about it … you may find yourself effectively chasing it off our platforms where the companies are working to address these issues, and pushing it out into other platforms.”

    Reen suggested, instead, “deep work” with academic and civil society experts, as some examples, that considers how to create “cohesive communities when you’re also trying to stop those bad actors”.

    “To be clear, stopping the conversation entirely won’t address the problem in our view. In fact, it’ll make it worse,” she said.

    Facebook, Twitter, Google-owned YouTube, as well as Microsoft in June 2017 stood up the Global Internet Forum to Counter Terrorism (GIFCT) as a collective effort to prevent the spread of terrorist and violent extremist content online. There are now 13 companies involved.

    The GIFCT shifted its focus in the wake of the Christchurch terrorist attack and the call to arms New Zealand Prime Minister Jacinda Ardern made by way of the Christchurch Call. Reen said the Call was a “watershed moment”.

    “It was a moment for convening governments and industry and civil society together to unite behind our mutual commitment for a safe, secure, and open internet. There was also a moment to recognise that wherever evil manifests itself, it affects us all,” she said.

    Reen said the group is hoping to add more names to the GIFCT.

    “We’re looking forward to expanding these partnerships in future because terrorism can’t be solved by one or a small group of companies alone,” she said.

    Part of expanding the platforms involves working with smaller, lesser-known platforms, amid concerns that an unintended consequence of eliminating hate from the more popular ones will be echo chambers elsewhere.

    “We know that removing all discussion of particular viewpoints at times, no matter how uncomfortable they may seem, will only chase extremist thinking to darker corners of the internet, to other platforms, and to other services, services that may be available in Australia,” Reen said. “Services that may or may not have been invited to participate in such conversations and critical debates about what to do next.”

    Google Australia’s head of government affairs and public policy Samantha Yorke believes there is clearly an opportunity for the big mainstream platforms to play a role.

    “The only ‘watch out’ for us all in the context of this particular conversation is just around privacy issues that would inevitably pop up around behavioural profiles and sharing information about specific identifiable users across different companies and platforms,” Yorke said. “There’s some obvious areas where there would be privacy implications there, but … it’s an area that I think is ripe for further exploration.”

    Twitter initiated a URL sharing project, which has since been inserted into the greater GIFCT work. She said since inception, about 22,000 shared URLs have been put into that database.

    “It speaks to the importance of experimentation,” she said. “And I think it also speaks to the importance of transparency around these processes.”

    Similarly, YouTube also has an “intel desk”, which Yorke said is essentially tasked with surveying what’s happening on the web more broadly, identifying emerging themes or patterns of behaviours that might be taking place off the YouTube platform, but which may manifest in some way onto YouTube.

    “It’s seeking to develop a little bit more of a holistic view of what’s going on out there,” she said.

    The trio agreed with Reen’s view that there is the opportunity for the Australian government to potentially dig deeper into these partnerships.

    Appearing before the committee on Thursday, Australian eSafety Commissioner Julie Inman Grant was asked why a Google search for the Christchurch terrorist’s manifesto returns results.

    “We’re not going to the war with the internet,” she said.

  • TurgenSec finds 345,000 files from Filipino solicitor-general's office were breached

    Around 345,000 files from the solicitor-general of the Philippines, including sensitive information for ongoing legal cases, have allegedly been breached and made publicly available, UK cybersecurity firm TurgenSec has reported.

    The files had been publicly available since at least February, when TurgenSec said it first discovered the breach and emailed the solicitor-general and the Philippines government about the files. Both the solicitor-general and the Philippines government allegedly did not respond to the company’s emails about the breach, which were sent on March 1 and 28.

    The documents were eventually taken down on April 28, but the files have been accessed and downloaded by an unknown third party, TurgenSec said.

    According to the cybersecurity firm, the breach contained hundreds of thousands of files ranging from documents generated in the day-to-day running of the solicitor-general’s office, to staff training documents, internal passwords and policies, staffing payment information, information on financial processes and activities including audits, and several hundred files titled with keywords such as “private, confidential, witness, and password”.

    The breached documents also contained over 750 instances of the word rape, as well as information on sensitive topics such as child trafficking, executions, the Philippines intelligence agency, and Philippines Senator Francis Pangilinan, among other information.

    “This data breach is particularly alarming as it is clear that this data is of governmental sensitivity and could impact on-going prosecutions and national security,” TurgenSec said.

    In December last year, the solicitor-general’s website was reportedly breached by a hacker group that identified itself as “Phantom Troupe”. Four months prior to the website hack, the air-gapped networks of the Filipino government were targeted by hackers operating in the interests of the Chinese government.

  • TikTok appoints Singaporean as new CEO

    TikTok has appointed Singaporean Chew Shou Zi as its new CEO in a “strategic reorganisation” that sees its top executives based out of its various global offices, including Singapore and the US. The Chinese video platform also announced Vanessa Pappas as its new COO.

    Based out of Los Angeles, Pappas had served as the company’s interim head, said TikTok in a statement. The company’s former CEO Kevin Mayer left last August, just three months after taking up the position, citing a “sharply changed” political environment. TikTok that month had launched a lawsuit against the US government, then under the Trump administration, with regards to the video app’s ban.

    The appointments of Chew and Pappas were part of a strategic reorganisation to “optimise TikTok’s global teams” as well as support its growth, the company said. Its global offices also include Jakarta, Seoul, Tokyo, and London.

    Chew in March was appointed CFO of TikTok’s parent company ByteDance, a position which he will continue to hold from Singapore, where he currently is based.

    ByteDance’s founder and CEO Zhang Yiming said the two TikTok senior executives would set “the stage for sustained growth”, with Chew having led a team that was amongst its earliest investors and being a decade-long veteran of the technology industry. “He will add depth to the team, focusing on areas including corporate governance and long-term business initiatives,” Zhang said.

    Chew was most recently president of international at Chinese smartphone maker Xiaomi, where he also held the CFO position up until April 2020. Pappas, prior to joining ByteDance in November 2018, had spent more than seven years at YouTube where she was head of creative insights.

    TikTok’s US operations had been poised to be sold to Oracle and Walmart, but the sale was “shelved indefinitely” following a review by the Biden administration to assess security risks of foreign-owned apps and software. The sale had been prompted by former president Trump’s executive orders banning the downloads of Chinese-owned social media apps WeChat and TikTok, alleging they posed threats to his country’s national security, foreign policy, and economy due to the data they collected.

  • iPhone users: Do this today!

    iOS 14.5 is out, and it is likely to be the final big update to iOS until we get a sneak peek at iOS 15 at Apple’s developer keynote in June ahead of its release in the fall.

    That said, it’s unlikely to be the last iOS 14 update. An update of the size and scale of iOS 14.5 is likely to bring with it bugs that will take a few updates to crush. So, should you update, or wait for the inevitable iOS 14.5.1 to land in a few weeks?

    My advice: Update. Update now. Update right now.

    I’m usually quite cautious when it comes to iOS updates. Well, not personally, but I am when it comes to others. But not where iOS 14.5 is concerned, because as well as bringing support for AirTags and the anti-tracking privacy features and new emojis, the update includes patches for 50 vulnerabilities.

    Yes, you read that right, 50.

    To make matters worse, some of those bugs are remote code execution bugs, which means attackers could run code on iPhones remotely. Other bugs allow attackers to read sensitive data remotely.

    One bug, labeled CVE-2021-30661, ‘may have been actively exploited’ by attackers, raising the stakes further.

    My advice on this one is to install it now. I’d normally recommend waiting for the update to land, but this is such a huge package of bug fixes that waiting doesn’t seem like a good idea.

    Head over to Settings > General > Software Update and run the update now (if you haven’t already). It’s quite a big package — over a gigabyte — so it might take some time, but given the severity of this bug, it’s time well spent.

  • China calls out 33 apps for collecting more user data than deemed necessary

    China has called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which include Baidu and Tencent Holdings, have been given less than a fortnight to plug the gaps.

    The Cyberspace Administration of China (CAC) said in a brief statement Saturday that these apps had breached local regulations, primarily for capturing personal data that were not relevant to their service. Citing complaints from the public, the government agency said operators of the apps were found to have infringed the rules after authorities assessed several popular apps, including map navigation apps. These apps also gathered personal information without consent from their users, according to CAC.

    Amongst the list of 33 were apps from Sogou, Baidu, Tencent, QQ, and Zhejiang Jianxin Technology. These operators now had 10 working days to rectify the issue, failing which they would be subject to penalties laid out by the regulations, CAC said.

    The government agency in March released regulations that prohibited mobile app developers from refusing to offer basic services to consumers who did not want to provide personal data that were unnecessary for the provision of such services. It said the legislation would provide greater clarity on the types of data deemed as necessary for commonly used apps, including ride-hailing, instant messaging, online retail, and map navigation. For instance, ride-hailing apps would need access to their users’ phone number, payment details, and location, CAC said.

    It added that the new regulations were needed as mobile apps grew increasingly popular and the collection of a wide range of personal data became prevalent. It noted that several apps sought personal information by bundling their services and prevented consumers from using basic functions if they refused to authorise the use of their data.

    The legislation would regulate these operators’ access to data and safeguard consumers’ personal information, said CAC.

    The Chinese government in recent months had ramped up efforts to crack down on tech monopolies and their increasing influence and safeguard consumers’ rights on digital platforms. E-commerce giant Alibaba Group last month was hit with a record 18.2 billion yuan ($2.77 billion) fine for breaching China’s antitrust regulations and “abusing [its] market dominance”.

    The country’s State Administration for Market Regulation said Alibaba had been abusing its strong market position since 2015 to prevent merchants from using other online e-commerce platforms. Such practices impacted the free movement of goods and services, infringing on a merchant’s business interests, and were in breach of local anti-monopoly laws, the government agency said.

  • Ransomware is now a national security risk. This group thinks it knows how to defeat it

    Ransomware is a growing international problem and it needs global cooperation in order to prevent attacks and take the fight to the cyber criminals behind the disruptive malware campaigns.

    A paper by the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF) – a coalition of cybersecurity companies, government agencies, law enforcement organisations, technology firms, academic institutions and others – has 48 recommendations to help curb the threat of ransomware and the risk it poses to businesses, and society as a whole, across the globe.

    Members of the group include Microsoft, Palo Alto Networks, the Global Cyber Alliance, FireEye, Crowdstrike, the US Department of Justice, Europol and the UK’s National Crime Agency.

    Some of the solutions suggested include governments giving a helping hand to organisations affected by ransomware and providing them with the required cybersecurity support so they don’t fall victim in the first place. Others focus on more direct action, such as taking the fight to ransomware gangs by disrupting their infrastructure, or even regulating Bitcoin and other cryptocurrencies that cyber criminals use to anonymously demand ransom payments from victims.

    Ransomware attacks involve cyber criminals compromising the networks of organisations – often via phishing attacks, stolen Remote Desktop Protocol (RDP) credentials or exploiting software vulnerabilities – and then encrypting as many files and servers with malware as possible.

    Organisations will in many cases only become aware they’ve been infected when they see a ransom note on the screens of machines across their network. Often, the victims feel as if they’ve got no option but to pay the ransom – which can amount to millions of dollars – in order to restore the network.

    Ransomware has been around for a number of years, but the cyber criminals behind the attacks are getting bolder, demanding ever-growing ransoms from targets and in many cases blackmailing organisations into payment by threatening to leak sensitive data stolen from the compromised network.

    And it isn’t just sophisticated criminal gangs that are causing problems; the rise of ransomware as a service means that almost anyone with the skills required to navigate underground forums on the dark web can acquire and use ransomware, safe in the knowledge that they’ll probably never face being arrested for their actions.

    “The tools are available to malicious actors to ramp up the scale of what they want to do and be able to get away with it. That’s what happens as technology diffuses into society and you have inadvertent ramifications which have to be dealt with,” says Philip Reiner, executive director of the RTF and CEO of IST. “We’re grappling with that as a global society and we have to come up with better solutions for the problems it presents.”

    Ransomware isn’t new; it has existed in one form or another for decades, and the threat has been rising over the past five years in particular. While it’s perceived as a cybersecurity problem, a ransomware attack has much wider ramifications than just taking computer networks offline. Ransomware attacks are increasingly targeting critical infrastructure, and crucially, over the course of the past year, healthcare.

    But many organisations still aren’t taking the necessary precautions to protect against ransomware, such as applying security patches, backing up the network or avoiding the use of default login credentials. These concerns are viewed as issues for IT alone, when in reality it’s a risk that needs the focus of the entire business.

    “We have to stop seeing leaders think of this as a niche computer problem; it’s not, it’s a whole business event. You should think about ransomware in the same way you think about flooding or a hurricane – this is a thing that will close your business down,” says Jen Ellis, vice president of community and public affairs at Rapid7 and one of the RTF working group co-chairs.

    “But we don’t. We think about it as a niche computer event and we don’t recognise the impact it has on the entire business. We don’t recognise the impact it has on society.”

    In 2017, the global WannaCry attack demonstrated the impact ransomware can have on people’s everyday lives when National Health Service (NHS) hospitals across the UK fell victim to the attack, forcing the cancellation of appointments, with people who came for treatment being turned away. But years later, the problem of ransomware has got worse and in some cases hospitals around the world are now actively being targeted by cyber criminals.

    “You would think there would be no greater wake-up call than that, yet here we are years later having these same conversations. There’s a real problem with how people think about and categorise ransomware,” says Ellis.

    To help organisations recognise the threat posed by ransomware – no matter the sector their organisation is in – the RTF paper recommends that ransomware is designated a national security threat and accompanied by a sustained public-private campaign alerting businesses to the risks of ransomware, as well as helping organisations prepare for being faced with an attack.

    But the Ransomware Task Force isn’t just suggesting that governments, cybersecurity companies and industry are there to help organisations know what to do if faced by a ransomware attack – one of the key recommendations of the report is for cybersecurity companies and law enforcement to take the fight to the cyber-criminal groups behind the attacks.

    A recent operation involving Europol, the FBI and other law enforcement agencies around the world resulted in the takedown of Emotet, a prolific malware botnet used by cyber criminals – and something that had become a key component of many ransomware attacks.

    Many cyber criminals switched to using other malware like Trickbot, but some will have taken the fall of Emotet as a sign to give up, because finding new tools makes it that little bit harder to make money from ransomware.

    “If you’re screwing with infrastructure, like going after Emotet, you’re making it harder,” says Chris Painter, president of the Global Forum on Cyber Expertise and former senior director for cyber policy at the White House.

    In line with this, the paper recommends that the pace of infrastructure takedowns and the disruption of ransomware operations should increase – ultimately with the aim of arrests and bringing criminals who develop and deploy ransomware to justice.

    It’s notoriously difficult to apprehend members of ransomware groups, especially when it’s an international problem. More often than not, the organisation that comes under a ransomware attack faces an extortion demand from someone who is in another country entirely.

    And that’s a particular problem for European and North American governments, when large quantities of ransomware attacks by some of the most prolific groups appear to originate from Russia and former Soviet states – countries that are highly unlikely to extradite suspected cyber criminals.

    But identifying cyber criminals isn’t impossible – the United States has indicted individuals from Russia for the NotPetya cyberattacks, as well as naming and shaming three North Koreans for their involvement in the WannaCry ransomware attack. Meanwhile, Europol has previously arrested individuals for being involved in ransomware attacks, demonstrating that, while difficult, it isn’t impossible to track cyber criminals down and bring them to justice.

    One key factor that has allowed ransomware to succeed is that attackers are able to demand payments in Bitcoin and other cryptocurrency. The nature of cryptocurrency means that transactions are difficult to trace and, by the time the Bitcoin has been laundered, it’s almost impossible to trace back to the perpetrator of a ransomware attack.

    The Ransomware Task Force suggests that in order to make it more difficult for cyber criminals to cash out their illicit earnings, there needs to be disruption of the system that facilitates the payment of ransoms – and that means regulating Bitcoin and other cryptocurrency.

    “It’s recognising that cryptocurrency has a place and there’s a reason for it, but also recognising that it’s notoriously being used by criminals – is there more that can be done there to make it harder for criminals to use it, or make it less advantageous to them,” says Ellis.

    Recommendations in the report for decreasing criminal profits include requiring cryptocurrency exchanges to comply with existing laws and to encourage information exchange with law enforcement.

    The idea is that by applying additional regulation to cryptocurrency, it allows legitimate investors and users to continue using the likes of Bitcoin and Monero, but makes it harder for cyber criminals and ransomware gangs to use it as an easy means of cashing out what they’ve extorted from victims – to the extent that, if it’s too difficult, they won’t bother with attacks in the first place.

    “If they’re using cryptocurrencies as a way to hide, if you have more compliance with existing regulations, it makes it tougher for them,” says Painter.

    The paper offers 48 recommendations and has been presented to the White House. It’s hoped that with cooperation across the board, businesses can be provided with the tools required to prevent ransomware attacks, governments can get more hands-on with providing help, and law enforcement can hunt down ransomware attackers – but it’s only going to work if ransomware is viewed as a global problem, rather than one for individual organisations or governments to fight alone.

    “What’s really important is that this has an international perspective on it, because it’s not an American problem, it’s an international problem,” says Reiner.

  • SAP admits to ‘thousands’ of illegal software exports to Iran

    SAP has reached a settlement with US investigators to close a prosecution relating to the violation of economic sanctions and the illegal export of software to Iran. 

    The cloud software vendor admitted to violating existing sanctions and an embargo placed on the country by the United States.

    According to the US Department of Justice (DOJ), SAP violated both the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations “thousands” of times over a period of six years.

    On Thursday, the DOJ said the investigation into SAP’s practices — a global case also involving the Department of the Treasury, Office of Foreign Assets Control (OFAC), Department of Commerce, and Bureau of Industry and Security (BIS) — revealed two “principal” ways that economic sanctions had been broken.

    From 2010 to 2017, SAP and overseas partners exported US-origin software — including upgrades and security fixes — to users in Iran over 20,000 times. The majority of ‘exports’ went to a total of 14 “Iranian-controlled front companies” located in countries including Turkey, UAE, and Germany, whereas others were directly downloaded from Iranian IPs.

    During the same time period, SAP’s Cloud Business Group (CBG) units allowed over 2,300 users in Iran to access US-based cloud services.

    “Beginning in 2011, SAP acquired various CBGs and became aware, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, that these companies lacked adequate export control and sanctions compliance processes,” the DOJ claims. “Yet, SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.”

    SAP, as noted by US investigators, voluntarily admitted to the accusations, leading to a settlement worth $8 million to avoid further action and prosecution. Under the terms of the agreement, SAP will hand over $5.14 million in “ill-gotten gain.”

    The software giant has also spent over $27 million on remediation and compliance, including the development of geolocation IP blocking, the removal of user accounts that would violate sanctions, and the hiring of staff specialized in export controls.

    “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated,” commented Assistant Attorney General John Demers. “We hope that other businesses, software or otherwise, will heed this lesson.”

    In a statement, SAP said the company “aims for the highest standards of corporate integrity” and welcomes the settlement.

    “SAP conducted a thorough and extensive investigation into historical export controls and economic sanctions violations,” SAP said. “We accept full responsibility for past conduct, and we have enhanced our internal controls to ensure compliance with applicable laws. Our significant remediation efforts, combined with our full and proactive cooperation with US authorities, have led to a mutually agreeable resolution of the Iran investigation without the imposition of an external monitor.”

  • WeSteal: A ‘shameless’ cryptocurrency stealer sold in the underground

    While some malware authors will try to create an air of legitimacy around their products to cover themselves from potential criminal cases in the future, one developer of a cryptocurrency stealer isn’t even trying.  According to Palo Alto Networks, malware authors peddling their creations in underground forums will often pretend their products are for educational or research purposes only — a limp attempt to create a legal defense, just in case.  However, a developer making the rounds with a new commodity cryptocurrency stealer has been described as “shameless” by the team.  Indeed, the malware — named WeSteal — is marketed as the “leading way to make money in 2021.” 
    Cryptocurrency theft malware, WeSupply Crypto Stealer, has been sold online since May 2020 by a developer under the name WeSupply, and another actor, ComplexCodes, started selling WeSteal in mid-February this year.  An investigation into the sellers, thought to be co-conspirators, has also revealed potential ties to the sale of account access for streaming services including Netflix, Disney+, Doordash, and Hulu.  The team believes that WeSteal is an evolution of the WeSupply Crypto Stealer project. Marketing includes “WeSupply — You profit” and claims that WeSteal is the “world’s most advanced crypto stealer.”

    An advertisement for the malware includes features such as a victim tracker panel, automatic start, antivirus software circumvention, and the claim that the malware leverages zero-day exploits. “It steals all Bitcoin (BTC) and Ethereum (ETH) coming in and out of a victim’s wallet through the clipboard, it also has plenty of features like the GUI/Panel which is just like a RAT [Remote Access Trojan],” the advert reads. 
    Litecoin, Bitcoin Cash, and Monero have also been added to the cryptocurrency list.  

    The researchers’ analysis of the Python-based malware revealed that the malware scans for strings related to wallet identifiers copied to a victim’s clipboard. When these are found, the wallet addresses are replaced with attacker-controlled wallets, which means any transfers of cryptocurrencies end up in the operator’s pocket.

    While the malware is also described as having RAT capabilities, the researchers are not convinced, believing that WeSteal has something closer to a simple command-and-control (C2) communication structure rather than containing features usually associated with Trojans — such as keylogging, credential exfiltration, and webcam hijacking.

    The WeSteal developers offer C2s as a service and also appear to run some form of customer ‘service’ — however, the current user base appears to be small.

    “WeSteal is a shameless piece of commodity malware with a single, illicit function,” the researchers say. “Its simplicity is matched by a likely simple effectiveness in the theft of cryptocurrency. It’s surprising that customers trust their “victims” to the potential control of the malware author, who no doubt could, in turn, usurp them, stealing the victim “bots” or replacing customers’ wallets [..] it’s also surprising the malware author would risk criminal prosecution for what must surely be a small amount of profit.”

    A Remote Access Trojan (RAT), WeControl, was also added to the developer’s roster after the report was published and awaits further analysis.