More stories

    A Bluetooth revamp touted to fix Australia's COVIDSafe app connectivity flaws

    The federal government has updated COVIDSafe, Australia’s COVID-19 contact tracing app, this time touting that the changes will significantly improve its capability.
    The app will incorporate a new Herald Bluetooth protocol, Minister for Government Services Stuart Robert said, explaining that this would offer “unparalleled app-level Bluetooth performance and contribute to better identification of potential close contacts”.
    A statement from Robert and Health Minister Greg Hunt said the Digital Transformation Agency (DTA) has been working with Apple and Google to incorporate the protocol into the COVIDSafe app. The statement also provided COVIDSafe Bluetooth encounter logging results, which demonstrated “excellent” status for all tests.
    The DTA said in May that 179 functional tests were conducted for the Apple iOS and Google Android versions of the COVIDSafe app prior to release and that requirements were met.
    “All tests satisfied the baseline design requirements,” the DTA said at the time. “Performance tests were also conducted against the technical requirements.”
    In June, however, it was revealed that the DTA knew COVIDSafe had severe flaws, even though the app had been released for public use on 26 April 2020. The revelation followed research showing that locked iPhones were practically useless when it came to logging encounters through COVIDSafe.

    This time around, the government is reporting that even locked-iPhone-to-locked-iPhone encounter logging recorded “excellent” performance.

    Herald Bluetooth performance summary results as at 27 November 2020 (image: Australian government).
    “The protocol provides for excellent performance of all encounter logging under all phone conditions and will continue to work on more than 96% of Apple and Android phones,” the ministers’ statement said. 
    The code for the update will be made available via Github to “enable the tech community an opportunity to provide feedback ahead of the release to the Apple App Store and Google Play Store”.
    “Australia’s technology capability and contact tracing systems are world-leading and we will be the first country in the world to adopt the Herald Bluetooth protocol, which has been shown to significantly improve our capability through the COVIDSafe App,” Robert said.
    “We are encouraging everyone interested to review the code, conduct their own testing, and provide their feedback.
    “We are also making this code available to other countries so they too can benefit from Australia’s world first technology implementation to help improve their digital response to managing COVID-19.”
    COVIDSafe was originally a rework of Singapore’s TraceTogether app.
    Australia’s tech community, however, has taken a different view.  
    “This is not ‘engaging with the tech community’. The code is not inspection quality, and despite numerous CVEs and serious issues raised, nobody I know was contacted or notified of this,” researcher Jim Mussared wrote on Twitter.
    Mussared originally said the DTA had retrofitted the existing BlueTrace-based system into Herald, meaning the server-side implementation hasn’t changed. He later clarified that the copied and modified Herald code has extra COVIDSafe-specific bits to make it work.
    “So the different versions have at least some level of backwards compatibility,” he said.
    One of the current issues with COVIDSafe is that it only identifies a handful of cases and manual contact tracing efforts have proved to be more reliable.
    During Senate Estimates last month, the Department of Health revealed that despite there being a total of 27,554 confirmed cases of COVID-19 in Australia, only 17 were picked up using COVIDSafe without the use of manual contact tracing.
    “When used as part of state and territory contact tracing efforts, the COVIDSafe app has proven to assist in identifying close contacts not picked up through manual tracing,” the ministers’ statement continued. 
    “New South Wales successfully accessed the COVIDSafe app to identify 80 close contacts, including 17 contacts that weren’t identified by manual contact tracing.
    “In Victoria, it has been reported that 1,851 cases have said they have the App and are now using it as part of their contact tracing process.”
    During a hearing held in early August by the COVID-19 Select Committee, Secretary of the Department of Health Dr Brendan Murphy said that health services in Victoria were feeling “so pressured” that they decided to not use the COVIDSafe app.
    It was later confirmed that DHHS had told the Department of Health on July 16 that it had paused using COVIDSafe app data, citing concerns that using the app’s data would conflict with its obligations under privacy laws. On August 1, it recommenced using the COVIDSafe app data.
    With Victoria moving out of its second phase of lockdown restrictions, the state government on Monday announced businesses could now access a free QR code service to keep a record of visitors.
    Similar to what has been in place in NSW for months, the Victorian QR system will rely on visitors scanning a QR code using their smartphone camera to check-in. Failing that, users will be directed to download the Service Victoria app to complete check-ins. 
    “All data collected through the Victorian government QR code is securely stored, protecting customers from on-selling of contact details. Data will be deleted after 28 days unless it is specifically requested by the Department of Health and Human Services for contact tracing purposes,” the government said in a statement.
    Following the state government announcement, Australian cybersecurity firm Pure Security raised concerns with QR code-based information collection.
    “Many QR codes are simple links to websites and documents with the express purpose of recording the details and have little focus on security,” Pure Security acting head of advisory Jason Plumridge said.
    “I have seen QR links that combine the submission of details along with marketing checkboxes which in my view is not appropriate.
    “Businesses should be rightly concerned with the security controls around data privacy implemented by the QR providers and deserve to have assurance that only persons with a right to access that data (i.e. contact tracers) have the ability to do so.”

    Password leak exposes millions of Covid-19 patients in Brazil

    Personal details of millions of Brazilians infected with Covid-19 have been exposed after passwords to systems from the Ministry of Health (MoH) were openly published online, it has been revealed.
    According to Brazilian newspaper O Estado de S.Paulo, the passwords were published on code hosting platform GitHub by an employee from Albert Einstein Hospital, one of the main private healthcare organizations in Brazil. The hospital collaborates with the Ministry on projects under a cooperation between the public and private sector for the national advancement of healthcare.
    In addition, the report noted that as many as 16 million patients across the public and private healthcare system had their data exposed, since notification of suspected and confirmed Covid-19 cases is mandatory for all hospitals. None of the institutions have confirmed the exact number of records that were accessible as a result of the leak.

    The leak has exposed details including addresses, previous medical history and social security numbers of citizens and senior politicians, including president Jair Bolsonaro, at least seven other ministers, 17 state governors and the leaders of the Lower House of Congress and the Senate.
    Also according to the report, the spreadsheet with the passwords remained available for nearly a month. The story added that with that information, it was possible to access two key federal government systems, which record notifications of suspected and confirmed Covid-19 cases and another with hospital admissions for Acute Respiratory Syndrome conditions, which include Covid-19.
    The Ministry of Health said in a statement that its IT department had “immediately revoked all access to the logins and passwords that were contained in the [leaked] spreadsheet”. It added that the hospital had informed the MoH that it had started a fact-finding process about the incident.

    “The hospital’s cyber security team is taking all measures to contain a possible leak of files containing login and password to access system information via Elastic Search”, it noted.
    According to the statement, the file containing the passwords has been deleted and potential websites or cyberspaces where the data may have been replicated are being tracked. The hospital also confirmed that the incident had been prompted by a human error by one of its employees rather than a system fault.
    Also according to the MoH, the databases “are not easy to access, since only login and password are not enough to reach the information contained in the databases – but a set of technical factors”.
    Consumer rights non-profit Idec has asked the Brazilian Prosecution Service to investigate the flaws in the control and digital security measures currently in place around the partnership between the hospital and the government.
    “Once again we are faced with serious security flaws that may have caused damage or even harm a large number of Brazilians. We see that not even a government system that stores health data, which should be an example by the nature of that information, is safe”, said Bárbara Simão, lawyer and specialist in digital rights at Idec. “This is another example that shows the need for both the public and private sectors to invest more to protect consumers.”
    In the document submitted to the Prosecution Service, Idec points out that “the seriousness of the incident displayed the lack of basic care in terms of the security of stored information”. Among the main points highlighted are the existence of a table with login details, usernames and employee passwords; the failure to enforce basic security measures such as two-factor authentication; and the fact that no other strict security criteria have been adopted, given the sensitivity of the data and the related exposure risks. Idec is also asking the federal prosecutors to request a description of the details of the partnership between the hospital and the federal government in relation to the handling of personal data, as well as information on the security policy adopted for data sharing and the measures taken to contain the leak and minimize damage to the affected citizens.
    The institute has also reinforced that both the Ministry of Health and the Albert Einstein Hospital must take the necessary measures to adapt the platforms and their policies to the general data protection regulations and consumer rights regulations, and that the federal administration should also establish a consistent and effective policy for the protection of personal data.

    A hacker is selling access to the email accounts of hundreds of C-level executives

    A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world.

    The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week.
    The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as:
    CEO – chief executive officer
    COO – chief operating officer
    CFO – chief financial officer or chief financial controller
    CMO – chief marketing officer
    CTO – chief technology officer
    President
    Vice president
    Executive Assistant
    Finance Manager
    Accountant
    Director
    Finance Director
    Financial Controller
    Accounts Payables
    Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role.

    The seller’s ad on Exploit.in (image via KELA)
    A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.
    The source, who requested that ZDNet not use their name, is in the process of notifying the two companies, as well as two other companies for which the seller published account passwords as public proof that they had valid data to sell.
    These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.

    Sample login provided by the seller as public proof (image via KELA)

    The seller refused to share how he obtained the login credentials but said he had hundreds more to sell.
    According to data provided by threat intelligence firm KELA, the same threat actor had previously expressed interest in buying “Azor logs,” a term that refers to data collected from computers infected with the AzorUlt info-stealer trojan.
    Infostealer logs almost always contain usernames and passwords that the trojan extracts from browsers found installed on infected hosts.
    This data is often collected by the infostealer operators, who filter and organize it, and then put it on sale on dedicated markets like Genesis, on hacking forums, or they sell it to other cybercrime gangs.
    “Compromised corporate email credentials can be valuable for cybercriminals, as they can be monetized in many different ways,” KELA Product Manager Raveed Laeb told ZDNet.
    “Attackers can use them for internal communications as part of a ‘CEO scam’ – where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme; or, these credentials can also be exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion,” Laeb added.
    But, most likely, the compromised emails will be bought and abused for CEO scams, also known as BEC scams. According to an FBI report this year, BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year.
    The easiest way of preventing hackers from monetizing any type of stolen credentials is to use a two-step verification (2SV) or two-factor authentication (2FA) solution for your online accounts. Even if hackers manage to steal login details, those details will be useless without the additional 2SV/2FA verifier.

    Donaldson gets permanent appointment as INSLM

    Australian Attorney-General Christian Porter announced on Friday the permanent appointment of Grant Donaldson as the fourth Independent National Security Legislation Monitor (INSLM).
    Donaldson was Solicitor-General for Western Australia between 2012 and 2016, and has been acting in the new role since July while arrangements for his permanent appointment took place.
    As the name suggests, INSLM looks into the operation and effectiveness of Australia’s national security and counter-terrorism laws.
    In his final report before retiring, former INSLM Dr James Renwick recommended Australia create an independent body to oversee approval of warrants for the nation’s encryption-busting legislation, the Telecommunications and other Legislation Amendment (Assistance & Access) Act 2018 (TOLA Act).
    Renwick had flagged at the start of the year that he would not be recommending the laws be overturned.
    In August, the Australian Federal Police said it had used the voluntary powers in the law, under which law enforcement asks carriers for assistance, three times in the 2019-20 fiscal year.
    “Our experience is that Schedule 1 of TOLA has accelerated cooperation from industry, with providers increasingly willing to assist due to TOLA providing legal certainties and assurances regarding the commercial scope and impact of requests,” the AFP said at the time.

    “The fact the AFP has not sought any [compulsory notices] to date, does not indicate these provisions are not required. Rather, it demonstrates the effectiveness of TOLA’s tiered approach.”

    Personal data of 16 million Brazilian COVID-19 patients exposed online

    The personal and health information of more than 16 million Brazilian COVID-19 patients has been leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub this month.

    Among the systems that had credentials exposed were E-SUS-VE and Sivep-Gripe, two government databases used to store data on COVID-19 patients.
    E-SUS-VE was used for recording COVID-19 patients with mild symptoms, while Sivep-Gripe was used to keep track of hospitalized cases.
    The two databases contained sensitive details such as patient names, addresses, ID information, but also healthcare records such as medical history and medication regimes.
    The leak came to light after a GitHub user spotted the spreadsheet containing the passwords on the personal GitHub account of an employee of the Albert Einstein Hospital in the city of São Paulo.
    The user later notified Brazilian newspaper Estadao, which analyzed the data and notified the hospital and the Brazilian Ministry of Health.
    Estadao reporters said that data for Brazilians across all 27 states was included in the two databases, including high profile figures like the country’s president Jair Bolsonaro, the president’s family, seven government ministers, and the governors of 17 Brazilian states.

    The spreadsheet was ultimately removed from GitHub while government officials changed passwords and revoked access keys to resecure their systems.
    Since the onset of the COVID-19 pandemic, several governments and government contractors have had problems securing their COVID-19-related apps and databases.
    Vulnerabilities and leaks were discovered in COVID-19 apps and systems used in Germany [1, 2], Wales, New Zealand, India, and others.
    According to research published by Intertrust this September, around 85% of COVID-19 contact tracing apps leak data in one way or another.

    Sophos notifies customers of data exposure after database misconfiguration

    UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.

    “On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” the company said in an email sent to customers and obtained by ZDNet.
    Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).
    A Sophos spokesperson confirmed the emails earlier today and told ZDNet that only a “small subset” of the company’s customers were affected but did not provide an approximate number.
    Sophos said it learned of the misconfiguration from a security researcher and fixed the reported issue right away.
    “At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers,” the company said. “Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”
    This is the second major security incident Sophos has dealt with this year. In April, a cybercrime group discovered and abused a zero-day in the Sophos XG firewall to breach companies across the world. The attackers deployed the Asnarok trojan, and once the zero-day was publicly disclosed, they attempted to deploy ransomware — but eventually failed.