More stories

  • Accenture acquires French cybersecurity firm Openminded

    Accenture has announced its intention to acquire French cybersecurity firm Openminded.

    Announced on Thursday, the services and consultancy company said the purchase will expand the Accenture security arm’s presence in France and into Europe as a whole. Financial terms of the deal were not disclosed.

    Founded in 2008, Openminded provides cybersecurity services including management, consultancy, and cloud & infrastructure solutions, with a focus on risk analysis, remediation, and regulatory compliance. Openminded reported a €19 million turnover during the 2020 financial year. The company has roughly 105 employees and 120 clients, including Sephora, Talan, and Thales.

    Once the deal has been finalized, Openminded’s staff will join Accenture Security’s existing workforce.

    “Joining forces with Accenture is a great opportunity for our teams and our clients,” commented Hervé Rousseau, Openminded founder and CEO. “The alliance of our talent and capabilities perfectly leverages our expertise and would allow us to deliver on a global scale. Today, the fight against cyberattacks requires the implementation of the most advanced technologies, as well as the human resources to make them efficient.”

    The deal is subject to standard closing conditions.

    Earlier this month, Accenture acquired cloud analytics firm Core Compete. The vendor leverages machine learning (ML) and artificial intelligence (AI) to provide managed services, cloud data warehousing, data analysis tools, and SAS on cloud services. The latest acquisition builds upon the purchases of Businet System, Real Protect, and Wolox this year, among other companies.

    Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Senate committee wants further protections inserted into Australia's data-sharing scheme

    The Senate committee probing Australia’s pending data-sharing laws has asked for further protections to be inserted before legislation is passed.

    The Data Availability and Transparency Bill 2020 establishes a new data sharing scheme which will serve as a “pathway and regulatory framework” for sharing public sector data for three permitted purposes, subject to new safeguards and enforcement mechanisms. The three purposes are: improving government service delivery, informing government policy and programs, and research and development. However, the Bill also precludes data sharing for certain enforcement-related purposes, such as law enforcement investigations and operations. The Bill also does not authorise data sharing for purposes that relate to or could jeopardise national security, including the prevention or commission of terrorism and espionage.

    Before data is shared, the data custodian must be content that the recipient fulfils the requirements for accepting that data.

    In a report [PDF] on the Bill, the Senate Finance and Public Administration Committee said it is of the view that a “proportionate and balanced data sharing scheme with appropriate privacy and security safeguards would help bring Australia into line with international best practice for data sharing in regard to government service delivery, policy and program development, and research purposes”. However, the committee is mindful that for a data sharing scheme to be successful and trusted by the community, it must be underpinned by strong and effective safeguards and protections for privacy and security.

    The committee made three recommendations to the government, with the first asking for assurances to be provided regarding appropriate ongoing oversight by security agencies of data sharing agreements and the potential security risks.

    “The committee considers that it is imperative that national security concerns related to access to data have been fully considered and appropriately managed, particularly given the current concerns about cybersecurity and the covert influence of foreign actors in the university and research sector,” the report says.

    The second recommendation asks that any relevant findings of the Parliamentary Joint Committee on Intelligence and Security’s current inquiry into national security risks affecting the Australian higher education and research sector are taken into account as part of the development of any additional data codes and guidance material, and that they inform continued engagement with the national security community.

    The committee also asks that consideration is given to whether amendments could be made to the Bill, or further clarification added to the explanatory memorandum (EM), to provide additional guidance regarding privacy protections, particularly in relation to the de-identification of personal data that may be provided under the Bill’s data-sharing scheme.

    “The committee notes that the intention of the Bill is to provide a high-level, principles-based framework to facilitate the sharing of government data, and that in addition to the proposed legislative privacy protections in the Bill, many other potential privacy concerns would be addressed through further protections prescribed in regulation and guidance material, and in the exercise of appropriate judgement and controls by scheme users,” it wrote. “However, despite these layers of protection, it is evident that some stakeholders believe further privacy protections should be prescribed in legislation or specifically addressed in the EM to the Bill.”

    The Bill and the Data Availability and Transparency (Consequential Amendments) Bill were both introduced to Parliament in December, after two years of consultation. Critics have labelled the data-sharing scheme as reflecting the ongoing erosion of Australian privacy law in favour of bureaucratic convenience.

  • Apple patches macOS Gatekeeper bypass vulnerability exploited in the wild

    Apple has issued a slew of security fixes resolving issues including an actively exploited zero-day flaw and a separate Gatekeeper bypass vulnerability. 

    The Cupertino, Calif.-based giant’s latest security patch round, macOS Big Sur 11.3, was issued on Monday. One of the most notable fixes is for a vulnerability found by Cedric Owens. Tracked as CVE-2021-30657, the vulnerability allows attackers to bypass Gatekeeper, Apple’s built-in protection mechanism for code signing and verification.

    In a Medium blog post, Owens describes how threat actors could “easily craft” a macOS payload that is not checked by Gatekeeper. “This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop-ups or warnings from macOS are generated,” the researcher said.

    Working with security expert Patrick Wardle, Owens then traced the root of the issue to a logic bug in the policy subsystem (syspolicyd) that permitted malicious apps to bypass Apple’s security mechanism.

    “Though unsigned (and unnotarized) the malware is able to run (and download & execute 2nd-stage payloads), bypassing all File Quarantine, Gatekeeper, and Notarization requirements,” Wardle noted.

    According to Wardle and Jamf researchers, the vulnerability has unfortunately been exploited in the wild as a zero-day for months. The malware in question is Shlayer, adware which has recently been re-packaged to exploit CVE-2021-30657. It is thought the vulnerability may have been exploited since January 9 this year. The vulnerability was reported on March 25 and was patched on March 30.

    “Kudos to Apple for quickly fixing the bug I reported to them,” Owens said on Twitter.

    Apple said within its security advisory that the vulnerability was patched through “improved state management.”

    A separate vulnerability of note is CVE-2021-1810, discovered in late 2020 by F-Secure researchers. This security flaw can also be used to bypass macOS Gatekeeper’s code signature and notarization checks. The company has chosen not to release the technical details of the bug until users have more time to update their software. However, the team says that a crafted, malicious .zip file, sent via phishing for example, is all that is required to trigger the vulnerability.

    “Any software distributed as a .zip file could contain an exploit for this vulnerability,” F-Secure says. “There are a few mitigating factors though. For one, applications downloaded via Apple’s App Store are not affected by this issue. Similarly, applications delivered as macOS Installer packages (.pkg, .mpkg) contain an installer certificate which is verified independently from Gatekeeper.”

    There is currently no evidence of CVE-2021-1810 being exploited in the wild.

    In February, Apple issued a fix for a vulnerability in the installer for Big Sur 11.2/11.3 which could have led to severe data loss.

    Alongside security fixes for macOS, Apple also introduced data collection limitations in iOS 14.5, a feature that is proving to be controversial. The system, dubbed App Tracking Transparency (ATT), has now been rolled out following a lengthy beta. ATT requires apps to obtain explicit consent to track users across different apps and services beyond their own platforms. As a result, the move is likely a blow to organizations that offer targeted advertising, which is only made possible by creating detailed profiles of users and their online habits. Facebook has proven to be one of ATT’s most vocal critics.

  • Emotet botnet harvested 4.3 million email addresses. Now the FBI is using Have I Been Pwned to alert the victims

    The FBI has handed over 4.3 million email addresses that were harvested by the Emotet botnet to the Have I Been Pwned (HIBP) service, to make it easier to alert those affected. HIBP, run by Australian security researcher Troy Hunt, is a widely trusted breach alert service that underpins Mozilla Firefox’s own breach-alert notifications.

    The FBI collected the email addresses from Emotet’s servers, following a takedown in January. The Emotet malware botnet was taken down by law enforcement in the US, Canada and Europe, disrupting what Europol said was the world’s most dangerous botnet, which had been plaguing the internet since 2014. Emotet was responsible for distributing ransomware, banking trojans and other threats through phishing and malware-laden spam.

    In January, law enforcement in the Netherlands took control of Emotet’s key domains and servers, while Germany’s Bundeskriminalamt (BKA) federal police agency pushed an update to about 1.6 million computers infected with Emotet malware that this week activated a kill switch to uninstall that malware.

    Hunt says in a blog post that the FBI handed him “email credentials stored by Emotet for sending spam via victims’ mail providers” as well as “web credentials harvested from browsers that stored them to expedite subsequent logins”.

    The email addresses and credentials have been loaded into HIBP as a single “breach”, even though it is not the typical data breach for which the site collects credentials and email addresses. HIBP currently contains 11 billion ‘pwned’ accounts from a range of data breaches that have happened over the past decade, such as MySpace and LinkedIn’s 2012 breach, as well as huge credential-stuffing lists found on the internet that are used by criminals to hijack accounts with previously breached email addresses and passwords. Credential stuffing takes advantage of people using common passwords like 1234567, or reusing passwords across multiple accounts.

    Hunt has tagged this breach as “sensitive” on HIBP, which means the email addresses are not publicly searchable.

    “HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as ‘sensitive’ and may not be publicly searched,” the site states in its definition of “sensitive breach”.

    “Individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted,” noted Hunt. “I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet,” he added. “All impacted HIBP subscribers have been sent notifications already.”

    ZDNet has reached out to Hunt, who was not available at the time of publishing.

    For individuals or organisations that find their details in the data, Hunt suggests:

      • Keep security software such as antivirus up to date with current definitions.
      • Change your email account password, and change passwords and security questions for any accounts you may have stored in either your inbox or browser, especially those for services such as banking.
      • For administrators with affected users, refer to the YARA rules released by DFN-CERT.

  • Linux kernel vulnerability exposes stack memory, causes data leaks

    An information disclosure vulnerability in the Linux kernel can be exploited to leak data and act as a springboard for further compromise. 

    Disclosed by Cisco Talos researchers on Tuesday, the bug is described as an information disclosure vulnerability “that could allow an attacker to view Kernel stack memory.” The kernel is a key component of the open source Linux operating system.

    The vulnerability, tracked as CVE-2020-28588, was found in the /proc/pid/syscall functionality of 32-bit ARM devices running the OS. According to Cisco, the issue was first found in a device running on Azure Sphere. Attackers seeking to exploit the security flaw could read the /syscall entry via procfs, the pseudo-filesystem through which the kernel exposes its data structures to user space. The /syscall procfs entry could be abused because, on affected systems, reading it returns 24 bytes of uninitialized stack memory, which can be used to bypass Kernel Address Space Layout Randomization (KASLR).

    The researchers say this attack is “impossible to detect on a network remotely”, as it is a legitimate Linux operating system file being read.

    “If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities,” Cisco added.

    Linux kernel versions 5.10-rc4, 5.4.66, and 5.9.8 are impacted, and a patch was merged on December 3 to tackle the bug. Users are urged to update their builds to later versions.

    In related news this month, the Linux Foundation has banned University of Minnesota (UMN) developers from submitting work to the Linux kernel after a pair of graduate students were caught deliberately submitting buggy patches to the project. Submitted for the purposes of a research paper, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” the incident did result in a swift apology from UMN — but forgiveness for the act, considered as made in ‘bad faith,’ is far from assured. The paper was due to be presented at the 42nd IEEE Symposium on Security and Privacy but has since been withdrawn.

  • Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle

    Microsoft is reportedly considering revisions to a threat and vulnerability sharing program suspected of being a key factor in widespread attacks against Exchange servers. 

    The Microsoft Active Protections Program (MAPP) is a program for security software providers and partners which gives participants early access to vulnerability and threat intelligence. MAPP, which includes 81 organizations, was intended to give other companies the chance to develop strategies and to deploy necessary protections before vulnerabilities are made public.

    “MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases,” the company says. “This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or tools to further illuminate the issue and help with additional protection enhancement.”

    However, MAPP has recently come under scrutiny as the potential source of a leak of exploit code — either accidentally or deliberately — later weaponized during the Microsoft Exchange Server incident. Microsoft issued emergency patches for the now-infamous four critical zero-day bugs (“ProxyLogon”) in Exchange on March 2.

    According to six people close to the matter, as reported by Bloomberg, Microsoft is considering revisions to the program that could alter how and when information concerning vulnerabilities in the vendor’s products is shared. The publication says that Microsoft fears participants may have “tipped off” threat actors after critical Exchange Server vulnerabilities were shared with partners privately in February. At least two Chinese companies are involved in the probe.

    At the time, reports suggested that proof-of-concept (PoC) code shared with MAPP participants contained “similarities” to exploit code later used in attacks. MAPP sets out different tiers for participants which determine what information is shared, and when — ranging from weeks ahead of disclosure to days. Potential revisions to the program could include shuffling participants and their level of entry, a reassessment of what Microsoft will share in the future, or potentially the inclusion of code-based ‘watermarks’ that could be used to trace data distribution — and any subsequent leaks.

    The company attributed the first wave of attacks against Exchange servers to Hafnium, a Chinese state-sponsored threat group — later joined by at least 10 other advanced persistent threat (APT) groups including LuckyMouse, Tick, and Winnti Group. It wasn’t long before an estimated 60,000 organizations were compromised, and as of March 12, roughly 82,000 internet-facing servers remained unpatched. Post-exploit activities include the installation of backdoors, web shells, ransomware deployment, and cryptocurrency miners.

    Microsoft declined to comment.

  • Shorten wants Morrison to pivot social media 'evil' remark to fighting online harms to kids

    Over the weekend at a Christian convention, Australian Prime Minister Scott Morrison declared social media could be used as a weapon by the “evil one” against young people.

    Answering questions following his address to the National Press Club (NPC) on Wednesday, former Opposition Leader Bill Shorten took the opportunity to expand on where he thinks Morrison should take such a remark.

    “I was interested in the reference to the ‘evil one’ in social media. What I’d like to do is take that fairly unspecified reference and — something I’ve been thinking about for a while, is that there are some evil things on the internet,” he said. “Children have too easy access to pornography in this country online … I think a lot of parents are oblivious.”

    According to Shorten, the average age that “little Australian boys” are exposed to porn online is 13. He said simply saying to parents, “Watch what your kid’s eyeballs are on the whole time” is a “tad unrealistic as we’ve created the iPad babysitter”.

    “I think that if Mr Morrison wants to perhaps materialise that general reference to evil, let’s make it harder for our Aussie kids to access pornography online — I’m not making a reflection about adults and pornography, I’m not a censor, I’m not going down that path at all, but children shouldn’t be getting their sex education from hardcore pornography — and it’s something that I know I’m going to take up and I’m sure others will,” the Shadow Minister for Government Services said. “This could be something that Mr Morrison could turn from Sunday service into a seven days a week campaign.”

    Shorten pointed to work underway by the eSafety Commissioner Julie Inman Grant as helping thwart this “evil”.

    The House of Representatives Standing Committee on Social Policy and Legal Affairs closed its inquiry into age verification for online wagering and online pornography last year, tabling a report [PDF] in February 2020.

    Making a total of six recommendations, the committee asked the Digital Transformation Agency (DTA), in consultation with the Australian Cyber Security Centre, to develop standards for online age verification for age-restricted products and services. It said these standards should specify minimum requirements for privacy, safety, security, data handling, usability, accessibility, and auditing of age-verification providers. It further asked that the DTA extend its Digital Identity program to include an age-verification exchange for the purpose of third-party online age verification. This was despite the eSafety Commissioner saying on many occasions that there are no “out of the box technology solutions” that will solve this issue, and that in her opinion age verification should not be seen as a panacea.

    The government is yet to provide a response to the report.

  • Ombudsman finds unlawful metadata access by ACT cops on 1,704 occasions

    The Commonwealth Ombudsman has confirmed that of the 1,713 individual accesses to location-based services (LBS) by ACT Policing between 13 October 2015 and 3 January 2020, only nine were fully compliant with the Telecommunications (Interception and Access) Act 1979 (TIA Act).

    In January 2020, the Australian Federal Police (AFP) identified compliance issues involving record-keeping, authorisation processes, and reporting of telecommunication requests relating to location-based services under Section 180(2) of the TIA Act, dating back as far as 2007. Ombudsman Michael Manthorpe was engaged the following March. In particular, the Ombudsman’s investigation focussed on access to, and use of, one type of telecommunications data — LBS or “pings”.

    “While initial advice provided by the AFP to my Office was that the LBS obtained by ACT Policing was only used to locate someone to arrest them, we were unable to rule out the possibility that unlawfully obtained evidence, the LBS, may have been used for prosecutorial purposes,” the report [PDF] said. “Secondly, the privacy of individuals may have been breached.”

    Common compliance issues the Ombudsman identified in its assessment of the 1,713 instances include: location accessed on an incorrect number, LBS accessed after an authorisation expired, additional LBS accessed that was not authorised, no time specified on an authorisation, and authorisations that were not signed.

    Providing examples of where ACT Policing operated incorrectly, the report said there were instances where the LBS was unsuccessful, such as when a phone was switched off or was not subscribed to the relevant provider, and the access was thus determined as not requiring an authorisation. “We cannot be confident that the AFP’s available records of authorisations made reflect all accesses to LBS,” the report said.

    The Ombudsman said he could not be satisfied that the scope of the breaches, nor their potential consequences, has been fully identified by the AFP, and considers it possible that breaches have occurred in parts of the AFP other than ACT Policing. “The AFP and ACT Policing missed a number of opportunities to identify and address that ACT Policing was accessing LBS outside the AFP’s approved process earlier,” the report declared. “The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report.”

    ACT Policing in July 2019 confessed it found 3,249 extra times it accessed metadata without proper authorisation during 2015, on top of the 116 requests it disclosed earlier that year. The Ombudsman is concerned this means: the access was not reported to the Minister for Home Affairs and the records were not provided to the Ombudsman’s office to be considered for inspection; and that the risk of non-compliance with legislative requirements under the TIA Act was higher, as the access occurred outside established processes approved by the AFP.

    “I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily,” ACT Chief Police Officer Neil Gaughan said on Wednesday. He also said all location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area.

    The Ombudsman made a total of eight recommendations, all agreed to by ACT Policing. The first asks the AFP to ascertain whether other areas of the force have accessed LBS and determine the actual number of requests made for LBS, covering the period from 13 October 2015 to 31 January 2020. Manthorpe also asks the AFP to develop consistent processes and ensure training is thoroughly conducted, in particular that privacy intrusion is justified and proportionate. Another recommendation suggests the AFP seek legal advice on any implications arising from accessing prospective telecommunications data that has not been properly authorised.