More stories

  • Brazil investigates online voting

    The Brazilian government is considering the adoption of online voting, in a move that aims to phase out the current electronic voting machine set-up and generate savings.
    The Superior Electoral Court (TSE) has released a request for proposals from technology companies and the firms will be able to demonstrate potential solutions in the upcoming municipal elections in November. The demonstration will be carried out with a sample of voters from the cities of São Paulo, Valparaiso de Goiás and Curitiba, who will choose fictitious candidates online. The demo results should inform the discussions over a potential change in the electoral process.
    According to the TSE, the investigations over a potential adoption of online voting aim to find a more modern approach for the electronic voting system to make the process of choosing elected representatives “even more democratic and accessible election for the entire population, in addition to being cheaper and more efficient.”
    “The electronic voting machines have so far proved to be an excellent solution, but they have a high cost and require periodic replacement. Even if, at first, voters continue to have to attend polling stations to protect confidentiality, saving hundreds of millions of reais with the substitution of ballot boxes already represents a great gain,” said TSE president Luís Roberto Barroso.

    According to TSE, the solutions offered by the companies participating in the demonstration should make it possible to identify the voter and count their vote only once, even though it should be possible to vote other times during the voting day. They should also guarantee the secrecy of the vote and have mechanisms for transparency and auditing.
    Another challenge to be considered and that tech companies will need to try and reduce or circumvent is the issue of digital exclusion in Brazil and the population’s access to equipment such as smartphones and tablets.
    Although private companies will be considered for the development of the innovations to the electoral process, TSE noted that the entire electoral process will remain under the total control of Brazil’s Electoral Justice. Companies interested in taking part in the demonstration should express interest between September 28 and October 1. The process will involve technical meetings with the TSE team, which should take place in early October.
    Brazil is one of the few countries in the world where the voting process is entirely electronic. E-voting was introduced in 1996 as a means to ensure the secrecy and accuracy of the election process. The system, underpinned by about 455,000 voting machines currently in place, enables results to be processed within minutes of the closing of ballots.
    However, the Brazilian machines, which are based on the Direct Recording Electronic (DRE) model, do not produce physical proof that the vote has been recorded. This means there is a constant danger of large-scale software fraud, as well as other non-technical types of tampering that could be perpetrated by former or current electoral justice staff and go totally undetected.
    A team of information security professionals led by Diego Aranha, an award-winning computer science academic and encryption expert, worked for six years to prove that the Brazilian voting system was not secure, and demonstrated several vulnerabilities after scrutinizing the machines at tests held by the TSE.
    Despite the results of the tests by the academics, TSE refused to introduce voter-verified paper trails in 2017 for the elections in the following year, on the basis that vote secrecy would be compromised if electoral justice staff at voting locations saw the printed receipt.
    Disillusioned with the “completely dysfunctional state” of the country after the TSE decision, Aranha left Brazil to take up a teaching job at Aarhus University in Denmark. In recent years, he has discussed the potential of blockchain in making voting more secure.
    Brazil’s authorities have continuously reiterated that the electronic voting system is completely fraud-proof.

  • Scouts Victoria phished for data treasure trove including TFNs and bank account history

    Scouts Victoria sent an email late yesterday to affected people about a security incident that occurred in late July and early August. Unauthorised access to the organisation’s email system, through a phishing attack, resulted in access to two staff email accounts and a “shared dropbox”.
    The list of data compromised is significant and could result in significant harm, with Scouts Victoria telling affected parties via email that names, email addresses, residential addresses, driver’s licences, Medicare and passport numbers, tax file numbers, and copies of handwritten signatures were all in the treasure trove of data that was stolen. In some cases, bank account, criminal history information, and parenting orders pertaining to child custody arrangements were also exposed.
    “The investigation found that correspondence relating to a number of individuals associated with Scouts Victoria is among the data potentially accessed by unauthorised third parties,” a statement from a Scouts Victoria spokesperson said.
    Recent research from Webroot suggested that as many as one in five Australians click on phishing emails with many security experts pointing to COVID-19-related scams being widely employed by thieves. At the same time, the Australian Competition and Consumer Commission reports that the number of scam reports is on the rise.
    The breach has been reported to the Office of the Australian Information Commissioner.
    The Australian Tax Office (ATO) has also been informed, with Scouts Victoria saying the ATO has put additional security measures in place to reduce the risk of fraud for people affected by the data loss.
    Similarly, Scouts Victoria said it has contacted the Department of Human Services to mitigate the risk of any fraudulent use of compromised Medicare credentials.
    Scouts Victoria added that an extensive forensic investigation and security review was completed.
    No data pertaining to minors was directly released although parenting plans were accessed, Scouts Victoria said. The organisation added that data from one of the platforms it uses, Operoo — formerly called Care Monkey — was also not accessed.
    Affected parties are being urged to not open email attachments from untrusted sources — advice Scouts Victoria might have taken too before the breach.

  • TikTok touts vigilance to prevent further distressing videos from appearing on its app

    In late August, a video of a man dying by suicide was posted on Facebook. The graphic video spread across other platforms such as Instagram, Twitter, and YouTube, but it continued to appear on TikTok weeks later as the app struggled to remove the horrific content.
    TikTok recently faced the House of Commons to explain how this happened, blaming “bad actors”. On Friday, Australia’s Select Committee on Foreign Interference Through Social Media continued this line of questioning by talking with the controversial app’s local general manager and global chief security officer.
    According to TikTok Australia and New Zealand general manager Lee Hunter, the live-stream was taken down, but copies had popped up faster than they could be detected.
    “When we had our technology look at that video, we immediately took it down. But when my colleague in the UK was discussing this idea of these bad actors, unfortunately over the course of a week, we saw some 10,000 variations of that video trying to be uploaded to the TikTok platform,” he explained.
    How exactly these videos circumvented the platform’s checks, the GM said he’d prefer not to say, explaining that doing so would highlight some of the methods that were adopted to evade detection. He did say, however, that as soon as TikTok knew of the video and encountered it, the company began “acting swiftly and aggressively” to take it down.
    “It wasn’t just a case of copies of the video, it was a case that — I won’t go into too much detail here because I don’t want to provide any fuel for people to follow — but splicing the content within other content so it seems innocuous at first and then you encounter it.”
    Tasking its systems to better detect such content, Hunter said the platform’s moderation teams around the world were all focused on addressing what had happened.
    “Where we stand now, to the best of my knowledge, is that the content is not up on the TikTok platform. That’s not to say that the vigilance stops,” he said.
    TikTok recently wrote to the heads of some of its peers, including Google, Facebook, Twitter, Pinterest, and Reddit, proposing a memorandum of understanding to enable the group of social media companies to share information to better protect against such content being made available on their respective sites.
    “We can be better armed to prevent it from happening across a variety of platforms,” Hunter said. “That type of collaboration across our peers we see is key. We all have the same goals of protecting our users. We all have the same goals and making sure that this content isn’t up on our platforms.”
    As the committee is focusing on how social media plays a part in potentially harming Australia’s democracy, the TikTok representatives were also asked if the platform was able to be “undermined and infiltrated by bots and bad actors”. In addition, the committee asked representatives how TikTok could be certain that it has political influence under control.
    “If you can’t even protect kids from seeing suicide videos how on Earth are you going to protect the Australian voters from political interference,” Greens Senator Sarah Hanson-Young asked.
    “Unfortunately, with user-generated content platforms, there are attempts by these bad actors to upload distressing content of this nature. Now, the key isn’t to pretend it doesn’t exist but to act swiftly and to invest in technologies and people and moderation policies to enable it not to appear on the platforms to protect our users,” Hunter said in response.
    He said in regards to foreign interference, TikTok employs technology and moderation teams to help it understand when it does encounter coordinated inauthentic behaviour, and “looks to act swiftly upon that”.
    “The idea of misinformation and disinformation runs counter to our community guidelines and it’s something we don’t tolerate on the platform. We view this vigilance as ongoing and evolving and something you never stop trying to get better at,” he said.
    The TikTok representatives took on notice how many Australian accounts saw the suicide video and what the equivalent remuneration for TikTok’s local operations was over the period of when the video was viral.
    Earlier in his testimony, Hunter said the company’s Australian operations wanted to collaborate with government as much as possible to protect Australian users. But his company was not clear on who it would contact if it were to remove coordinated inauthentic behaviour from Australian users.
    Hunter was also asked if there was a requirement for his company to report such behaviour.
    “I’m not aware of any requirement,” he said.
    The company’s local director of public policy Brent Thomas stepped in to say he expected TikTok would report to “some combination of DFAT, Department of Defence, and Department of Communications” but admitted that no request has been made of the video-sharing platform, nor any clear instruction about who to notify, and under what circumstances.
    Prime Minister Scott Morrison in August said that he had a “good look” at TikTok and there was no evidence to suggest the misuse of any person’s data.
    “We have had a look, a good look at this, and there is no evidence for us to suggest, having done that, that there is any misuse of any people’s data that has occurred, at least from an Australian perspective, in relation to these applications,” he told the Aspen Security Forum.
    “You know, there’s plenty of things that are on TikTok which are embarrassing enough in public. So that’s sort of a social media device.”
    Hunter and Thomas were both unaware the Australian government had taken any steps to review TikTok’s operations down under. They said they were not contacted by the Department of Home Affairs to provide any information or verify any concerns.
    “I think it is quite incredible that a government department would undertake a security review of an organisation not requesting any information or input from them at all,” committee chair Jenny McAllister said.
    Thomas said the first time TikTok was aware that the review had been undertaken was when it saw the public comments from Morrison.
    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:
    Suicide Call Back Service on 1300 659 467
    Lifeline on 13 11 14
    Kids Helpline on 1800 551 800
    MensLine Australia on 1300 789 978
    Beyond Blue on 1300 22 46 36
    Headspace on 1800 650 890
    QLife on 1800 184 527

  • ANAO finds Services Australia lacking in cyber and cost aspects of WPIT

    The Australian National Audit Office (ANAO) on Thursday handed down its examination of the Services Australia Welfare Payment Infrastructure Transformation (WPIT) program, finding the agency had “largely appropriate arrangements” in many areas, but was lacking on the cyber and cost monitoring fronts.
    Kicked off in 2015, WPIT was originally slated to cost around AU$1.5 billion and run from 2015 to 2022, with one of the core reasons for the program being to replace the then-30-year-old Income Security Integrated System (ISIS).
    “In June 2020, the decommissioning of this key element of the system was confirmed to be the main goal of the welfare payment system redeployment,” ANAO wrote.
    “However, almost half of the decommissioning was not expected to be completed by the end of the program.”
    Internal reports at the agency detailed that the decommissioning of ISIS was “not achievable within the funding envelope or timeframe”, and a process to determine if this was possible would not be started until a replacement was commissioned, ANAO said in its report.  
    Services Australia told ANAO that 13% of ISIS functionality had transitioned to its SAP CRM instance while a further 39% would be transitioned by the end of June 2020, leaving almost half its functionality in place.
    “Delays to replacement and decommissioning have put at risk the ability to deliver on the original objectives of the WPIT Programme, and delay or negate realisation of all the expected benefits of the welfare payment system redevelopment,” ANAO wrote.
    The agency also had issues in documenting the functionality of the system, telling the audit office that functionality was in the system’s programming.
    “Services Australia advised the ANAO that while it had recorded functionality in source code, there were historical gaps in its separate documentation of detailed functionality, dating back to the system’s introduction in the 1980s,” the report said.
    “Attempts were made to develop complete specifications for some elements of ISIS, but this was not done consistently across the system due to cost.”
    ANAO said Services Australia was relying on “knowledgeable staff”, which obviously leaves it vulnerable to workers leaving, and explained in the report that the agency tried, in 2016, to extract its business rules from the code.
    “Services Australia subsequently considered automated analysis of the source code in ISIS, which incorporates existing business rules, as the most practical approach to identifying the complete range of current functionality required to inform future requirements,” the report said.
    “In late 2019, Services Australia outsourced source code analysis as part of a contract to design and build the [Entitlements Calculation Engine].”
    That outsourcing was handed to Infosys in November.
    Services Australia further told the office that the cost of maintaining ISIS was around AU$98 million each year, but that was a guesstimate.
    “While Services Australia stated that it tracks overall ICT expenditure, it cannot disaggregate all of the system element costs and did not monitor the cost of operating the current welfare payment system,” the report said.
    “These costs could include hardware and software capital costs and depreciation, expenses for employees working on the system, costs associated with operating the system, costs associated with changing the system, and amounts paid to contractors.
    “As a result, Services Australia was unable to break down these costs, monitor trends over time, or assess the ongoing value for money of this expenditure.”
    In response, the agency said it was working towards having “improved visibility of the costs of maintaining different payment platforms”.
    ANAO further found that Services Australia does not have plans to migrate data to a completed WPIT system, although it did try once and failed.
    On the cyber front, the report found there were no cybersecurity plans specific to each element of the system.
    “However, Services Australia self-assessed that it ‘has measures in place for the underpinning components including monitoring of vulnerabilities and appropriate patching, monitoring of system administrative and privileged access, and penetration testing of outward facing systems’,” the ANAO wrote.
    “The ANAO did not separately audit the accuracy of this self-assessment, or its applicability to the welfare payment system.”
    An internal audit in May 2016 found that six of 118 systems used by the agency had proper cyber accreditation, and by February 2019, another internal audit reported the number had increased to 21.
    “Services Australia’s self-assessment of risk control effectiveness was inaccurate in light of the lack of cybersecurity risk assessment or accreditation for the welfare payment system, and internal audit findings that most systems across the agency did not have accreditation,” the report said.
    “A recent external assessment had not been conducted of the effectiveness of controls listed in the Top Four and Essential Eight strategies for all elements of the welfare payment system. Previous internal audit reports of ICT systems found the implementation status of the Top Four strategies at Services Australia was lower than what had been self-assessed by the agency.”
    For disaster recovery, Services Australia used a pair of data centres, but they were physically in close proximity and so were vulnerable to location-specific risks, ANAO wrote. The data centres also failed to provide the geographic dispersal as required by the Australian Government Information Security Manual.
    “The ANAO examined disaster recovery arrangements at one of the data centres, and brought certain physical security deficiencies to the attention of Services Australia,” it wrote.
    Overall, the report made five recommendations relating to the issues raised, all of which Services Australia agreed with.
    Former Opposition Leader and now Shadow Minister for Government Services Bill Shorten latched onto the report in order to criticise his counterpart, Stuart Robert.
    “Mr Robert, who blamed imaginary hackers for one of the MyGov crashes he presided over, should have been paying more attention to genuine cybersecurity risks,” he said.
    “Clearly Mr Robert is what online gamers would call a ‘noob’, someone who has absolutely no idea what they are doing. 
    “Australians are sick of the endless tech bungles from this digital noob.”

  • National Australia Bank will pay you to break its systems

    The National Australia Bank (NAB) has launched a bug bounty program, offering a reward to security researchers who uncover previously undisclosed vulnerabilities in the bank’s environment.
    The bank has partnered with crowdsourced security firm Bugcrowd for the new program. To participate, individuals must have an “Elite Trust Score” on the Bugcrowd platform.
    NAB executive of enterprise security Nick McKenzie said using “controlled crowdsourcing” methods would assist NAB to further test and strengthen its existing cybersecurity capabilities.
    “Controlled, crowdsourced cybersecurity brings together uniquely skilled testers and security researchers with fresh perspectives to uncover vulnerabilities in our defences that traditional assessment might have missed,” McKenzie said.
    “Proactive cybersecurity measures are vital in today’s hyperconnected environment where new threats are constantly emerging.”
    McKenzie said moving to a paid bounty system gives NAB the opportunity to “attract a wider pool of ethically-trained security researchers from across the globe”.
    “Diversity is a critical yet often overlooked factor in security and controls strategies,” he added.
    NAB in July last year admitted that some personal information on approximately 13,000 customers was uploaded, without authorisation, to the servers of two data service companies.
    The compromised data included customer name, date of birth, contact details, and in some cases, a government-issued identification number, such as a driver’s licence number.
    NAB in early 2017 also admitted it sent the details of approximately 60,000 customers to an email address on a global domain rather than its .au address.
    It is understood customer information was sent in error to an nab.com address rather than an email address on the nab.com.au domain.
    Meanwhile, Bugcrowd in April raised another $30 million in its Series D round, bringing its total funding to over $80 million.
    The company is based in San Francisco.

  • CISA says a hacker breached a federal agency

    A hacker gained access to a federal agency’s network and exfiltrated data from it, the Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday.
    Neither the name of the hacked federal agency, nor the date of the intrusion, nor any details about the intruder, such as an industry codename or state affiliation, were disclosed.
    CISA officials revealed the hack after publishing an in-depth incident response (IR) report detailing the intruder’s every step.
    The report, which ZDNet analyzed today, reveals how the intruder gained access to the federal agency’s internal networks through different channels, such as leveraging compromised credentials for Microsoft Office 365 (O365) accounts, domain administrator accounts, and credentials for the agency’s Pulse Secure VPN server.
    CISA said the attacker logged into Office 365 accounts to view and download help desk email attachments with “Intranet access” and “VPN passwords” in the subject line. The attacker searched for these files despite already having privileged access to the agency’s network, most likely in an attempt to find additional parts of the network to attack.
    The attacker also accessed the local Active Directory, where they modified settings and studied the structure of the agency’s internal network.
    To have a quick way back into the federal agency’s network, the hackers set up an SSH tunnel and a reverse SOCKS proxy, installed custom malware, and connected a hard drive they controlled to the agency’s network as a locally mounted remote share.
    “The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA analysts said.
    Furthermore, the attacker also created their own local account on the network. By analyzing forensic evidence, CISA said the hacker used this account to browse the local network, run PowerShell commands, and gather important files into ZIP archives. CISA said that it couldn’t confirm if the attacker exfiltrated the ZIP archives, but this is what most likely happened in the end.
    In addition, CISA said the malware the hackers installed on the federal agency’s network “was able to overcome the agency’s anti-malware protection, and inetinfo.exe [the malware] escaped quarantine.”
    Nonetheless, investigators said they detected the intrusion via EINSTEIN, CISA’s intrusion detection system, which monitors federal civilian networks from a vantage point outside the agency and was able to compensate for the attacker bypassing local anti-malware solutions.
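As an added example (not code from the CISA report or from ZDNet), the following Python correlates constructed Windows Security events against the post-access steps described above: a newly created local account that then runs PowerShell to gather files into a ZIP archive and reaches a network share. The event IDs are standard Windows ones; the account names, paths and the 192.0.2.5 address are made up for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security event IDs used by the detector.
ACCOUNT_CREATED = 4720  # A user account was created (target = the new account)
PROCESS_CREATED = 4688  # A new process was created (command line logged)
SHARE_ACCESSED = 5140   # A network share object was accessed

# Constructed sample events, not taken from the CISA report. Account names,
# paths and the 192.0.2.5 address are made up for this example.
SAMPLE_EVENTS = [
    {"id": 4720, "ts": "2020-09-01T09:58:00", "subject": "CORP\\admin01",
     "target": "svc_updt", "detail": "account created"},
    {"id": 4688, "ts": "2020-09-01T10:05:00", "subject": "WS01\\svc_updt",
     "target": "", "detail": "powershell.exe -nop -c \"Compress-Archive -Path "
                            "C:\\Finance -DestinationPath C:\\Users\\Public\\f.zip\""},
    {"id": 5140, "ts": "2020-09-01T10:09:00", "subject": "WS01\\svc_updt",
     "target": "", "detail": "\\\\192.0.2.5\\share$"},
    # Benign noise: a long-standing service account rotating logs and writing
    # to a file server; it was never created inside this log window.
    {"id": 4688, "ts": "2020-09-01T11:00:00", "subject": "CORP\\backupsvc",
     "target": "", "detail": "powershell.exe -File C:\\Scripts\\rotate-logs.ps1"},
    {"id": 5140, "ts": "2020-09-01T11:01:00", "subject": "CORP\\backupsvc",
     "target": "", "detail": "\\\\fs01\\logs"},
]


def _user(account):
    """Strip the DOMAIN\\ or HOST\\ prefix so 'WS01\\svc_updt' matches 'svc_updt'."""
    return account.split("\\")[-1].lower()


def correlate(events, window_hours=24):
    """Map each account created in the log to the follow-on indicators it
    produced within window_hours: PowerShell archiving files into a ZIP, or
    access to a network share. Accounts with no follow-on activity are omitted."""
    created = {}
    for e in events:
        if e["id"] == ACCOUNT_CREATED:
            created[_user(e["target"])] = datetime.fromisoformat(e["ts"])

    findings = defaultdict(list)
    for e in events:
        user = _user(e["subject"])
        if user not in created:
            continue
        age = datetime.fromisoformat(e["ts"]) - created[user]
        if not timedelta(0) <= age <= timedelta(hours=window_hours):
            continue
        detail = e["detail"].lower()
        if e["id"] == PROCESS_CREATED and "powershell" in detail and (
                "compress-archive" in detail or ".zip" in detail):
            findings[user].append("powershell_zip")
        elif e["id"] == SHARE_ACCESSED:
            findings[user].append("remote_share")
    return {u: ["new_account"] + f for u, f in findings.items()}


def alerts(events, min_indicators=3):
    """Accounts that hit at least min_indicators of the three described steps."""
    return sorted(u for u, f in correlate(events).items() if len(f) >= min_indicators)


if __name__ == "__main__":
    for user, indicators in correlate(SAMPLE_EVENTS).items():
        print(user, indicators)
    print("alert:", alerts(SAMPLE_EVENTS))
```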

  • Microsoft removed 18 Azure AD apps used by Chinese state-sponsored hacker group

    Microsoft said today that it removed 18 Azure Active Directory applications from its Azure portal that were created and abused by a Chinese state-sponsored hacker group.
    The 18 Azure AD apps were taken down from the Azure portal earlier this year in April, the Microsoft threat intelligence team said in a report published today.
    The report described the recent tactics used by a Chinese hacker group known as Gadolinium (aka APT40, or Leviathan).
    The Azure apps were part of the group’s 2020 attack routine, which Microsoft described as “particularly challenging” to detect due to its multi-stage infection process and the broad use of PowerShell payloads.
    These attacks began with spear-phishing emails aimed at the target organizations, carrying malicious documents, usually PowerPoint files with a COVID-19 theme.
    Victims who opened one of these documents would be infected with PowerShell-based malware payloads. Here is where the malicious Azure AD apps would also come into play.
    On infected computers, Microsoft said the Gadolinium hackers used the PowerShell malware to install one of the 18 Azure AD apps. The role of these apps was to automatically configure the victim’s endpoint “with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.”
    By removing the 18 Azure AD apps, Microsoft crippled the Chinese hacker group’s attacks, at least for a short while, but it also forced the hackers to re-think and re-tool their attack infrastructure.
    In addition, Microsoft said it also worked to take down a GitHub account that the same Gadolinium group had used as part of its 2018 attacks. This action may not have had an impact on new operations, but it did prevent the hackers from reusing the same account for other attacks in the future.
    Microsoft’s actions against this Chinese hacker group aren’t an isolated case. Over the past few years, Microsoft has consistently intervened to take down malware infrastructure, whether it was used by low-level cybercrime operators or by high-end state-sponsored hacker groups.
    In previous interventions, Microsoft also targeted the infrastructure used by other nation-state groups, tied to Iranian, North Korean, and Russian cyber-operations.

  • Twitter prepares for US election with new security training, penetration tests

    Twitter said today it’s been working over the past months to bolster its internal security by requiring staff to go through additional security training, engaging in penetration tests, and by deploying hardware security keys to all employees.
    The measures announced today are part of Twitter’s efforts to prevent a repeat of the July 2020 hack during the US presidential election later this fall.
    In July this year, hackers phished Twitter staffers, gained access to its internal platform, and then tweeted a cryptocurrency scam via high-profile and verified accounts. Some of the defaced accounts belonged to political figures, including presidential candidate Joe Biden.
    Twitter learned a hard lesson in July; in a blog post today authored by Parag Agrawal, Twitter Chief Technical Officer, and Damien Kieran, Twitter Data Protection Officer, the company said it has taken corrective actions.
    Staff to go through security training more often
    The first of these was to require that all new hires go through a “Security and Privacy & Data Protection training.”
    Second, Twitter also introduced new courses and increased the frequency and availability of existing courses for all employees.
    Third, Twitter also introduced two new mandatory training sessions for people who have access to non-public information stored in its backend tools.
    “These trainings make clear the dos and don’ts when accessing this information and ensure employees understand how to protect themselves when they are online so they can better avoid becoming phishing targets for attackers,” Agrawal and Kieran said today.
    Twitter employees now use hardware security keys
    Additional changes were also made to secure coding, threat modeling, and privacy impact guidelines, so that future in-house backend tools would be developed with more security features from the get-go.
    But since the July hack started from a phishing attack, Twitter employees also received hardware security keys from the company. Employees are to use these security keys to access various sections of Twitter’s infrastructure.
    Even if an attacker gets hold of a Twitter employee’s credentials, the security key makes it impossible for the attacker to access any Twitter service without the proper key attached to that username and password pair.
    Twitter underwent penetration tests
    However, Twitter is also keeping its eye on the big picture, which is the upcoming US presidential election, a consequential event in US history, during which the company expects to possibly be targeted again.
    To prepare for this, Agrawal and Kieran said Twitter has been subjecting its staff to penetration tests to test its own platform’s security in a controlled environment.
    “Specifically, over a five month period from March 1 to August 1, Twitter’s cross-functional elections team conducted tabletop exercises internally on specific election scenarios,” Agrawal and Kieran said.
    “Some of the topics included: hacks and other security incidents, leaks of hacked materials, platform manipulation activity, foreign interference, coordinated online voter suppression campaigns, and the post election day period.”
    Other measures the company has taken to safeguard the US elections and limit foreign interference were to impose new security rules for US political accounts, launch a dedicated US election hub to counter misinformation, and tweak its rules on what counts as election misinformation.