    Overseas provider uses local laws to push back against Australian encryption laws

    New South Wales Police Force (NSWPF) have used Australia’s controversial Assistance and Access laws on a foreign operator, in an effort to “determine its capability to assist police”.
    Responding to the Parliamentary Joint Committee on Intelligence and Security and its review of the amendments made to the encryption laws, NSW Police said issuing a Technical Assistance Request (TAR) to the overseas provider could not have happened without the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA Act), since the provider would have previously informed its account holders of the request.
    “The TOLA regime permitted NSWPF to make those enquiries using accompanying non-disclosure provisions. NSWPF was able to obtain information about some of the provider’s capability which was previously not known,” it said.
    NSW Police said a combination of privacy protections, no profit/no loss costs agreements, and protection from civil liability had allowed the force to make requests it had previously not been able to.
    In a separate question, NSW Police said an overseas provider could not complete the requirements of the request issued.
    “A TAR (technology assistance request) was served on the provider, requesting the provision of information that was available to the provider, referenced to times and dates identified during the period of a Telecommunications Interception Warrant,” it said.
    “The provider responded they were unable to provide most of the requested information as they did not have access to the information sought.
    “The provider indicated they had the capability of providing some of the information sought, however, this information would not be provided due to laws within their jurisdiction prohibiting disclosure to overseas authorities.”
    Of the 14 TARs issued thus far by NSW Police, this was the only one to not be “complied with to the extent a provider was capable of doing so”.
    By contrast, Australian providers were much more welcoming of the new powers handed to Australian law enforcement bodies.
    “Two Australian-based [providers] expressly welcomed the non-disclosure and indemnity components of a TAR. Although these providers assisted NSWPF in the past without the need for a TAR, the amount of information provided, and the extent of the providers’ assistance was greater under a TAR than was traditionally sought or provided,” it said.
    One Australian provider did ask that a request made under section 313 of the Telecommunications Act be requested under the TOLA regime instead.
    Overall, NSW Police said nine different communications providers had been handed TARs from it.
    The information provided in its response to the committee built upon its appearance before the committee in August.
    NSW Police said at the time, its 13 TARs were related to investigations into murder, armed robbery, and commercial drug supply and importation. Since then, it has issued one further TAR, but has seemingly not extended the crimes investigated.
    At the time of writing its response to the committee, sometime after August 14, NSW Police had issued four TARs that were in force for 20 days and one TAR issued on August 14 without a timeframe given, with the remaining nine TARs having expired. These requests were in force for between 27 and 82 days, NSW Police said.
    Further, it said all requests were issued with an expiry date, and no requests were extended or varied.
    Since 6 December 2018, NSW Police said it had made 367 requests under section 313 of the Telecommunications Act.
    Under the TOLA Act, Australian law enforcement are able to issue voluntary TARs, as well as compulsory Technical Assistance Notices and Technical Capability Notices to compel providers to assist them. NSW Police said in August it had not issued any compulsory notices.

    Healthcare chiefs bemoan Australian medical sector remaining stuck on paper

    A panel of healthcare professionals have underscored there is still room to develop and improve the way health services are delivered in Australia, with the belief that technology has a crucial role to play.
    Bendigo Health CEO Peter Faulkner labelled Australia’s healthcare sector as “fragmented”, particularly in how technology investments are made.
    “Health services are very good at investing in clinical technology but are not so committed in the investment of information technology,” he said, speaking during a virtual event on Thursday.
    “It does give rise to what I call ‘digital inequity’ and, in some instances, digital poverty within health systems and services, and certainly across communities.
    “It’s also a reflection of the complexity of the service delivery system in Australia, with the Commonwealth, states, and territories all responsible for funding and operating different components of the health system. But also, the divide between public and private services within the system. It is a complex environment in that regard.”
    Medibank boss Craig Drummond agreed, saying that, unlike other sectors such as banking, the healthcare industry is a laggard when it comes to investing in technology aimed at improving customer experience.
    “Broadly adopted technology has been less patient or consumer-centric … I think we’re at a very immature stage in healthcare and a lot of work needs to be done,” he said.
    The panel’s conversation also turned to the federal government’s controversial My Health Record.
    Faulkner acknowledged that while the Commonwealth has attempted to bring about what he referred to as a “unifying digital platform” through My Health Record, it also has shortfalls.
    “It relies on providers to be able to generate digital content and to load that content into the national record,” he explained.
    “From a health services perspective, this means we need to capture the information digitally in an electronic health record, or if you are using paper records, you need to be able to scan and upload it. I know of independent specialists in 2020 who continue to operate their entire clinical practice on paper.
    “While we have a digital strategy across Australia, I don’t think we have a coherent investment program that incentivises and supports practitioners across the country to invest in those fundamental interoperative platforms.”
    Like Faulkner, City of Sydney councillor and general practitioner Kerryn Phelps described how she has witnessed first-hand a concerning number of medical practitioners who are still not equipped with some of the most basic technologies.
    “A lot of practitioners are not even on computers at the moment and don’t have computer records … they’re not going to be able to upload files, even by scanning. We get a lot of faxes and hardcopy mail. We’re now getting more and more emails,” she said.
    “The hospitals are getting much better at sending summary discharges to GPs that we can automatically upload. If you’re computerised, you can get pathology record directly uploaded … we can see digital images with MRI, CT scans, ultra-sounds, x-rays.”
    Phelps’ main concern about My Health Record, however, remains privacy and who can access the data on the platform.
    “We need the ethical and privacy framework very much in place on the outset, and I still have concerns … because there are too many ways of accessing that record by various entities without the patient’s permission or knowledge,” she said.
    Similar privacy concerns have been previously shared about the federal government’s online medical file, particularly around its overly broad access for law enforcement and the retention of data even when a health record was cancelled.
    As of July 2020, there are just over 22.8 million records and more than 70 million clinical documents on My Health Record.

    Human biohacking: an exciting prospect, but only for the rich?

    A multi-nation study finds that many of us consider biohacking exciting, but fears concerning hacking and privacy remain. 

    Human augmentation can describe many things. Hearing aids, pacemakers, and prosthetics are already in use, but in the future, we could be using the term for implants that improve cognitive abilities; chips that connect us to our smart devices, or bionic eyes that can restore lost sight, and more. 
    When it comes to future applications, countries worldwide are pushing ahead with the development of new technologies which could result in enhancements to the human body. 
    For example, Japan has recently set $1 billion on the table for researchers willing to pursue everything from human augmentation to longevity, due to the need to tackle an aging workforce and shrinking population. 
    At a roundtable discussion during Kaspersky NEXT 2020, senior security researcher David Jacoby and Director of Global Research & Analysis for Kaspersky Europe Marco Preuss cited military applications, industry, beauty, and healthcare as major biohacking arenas for future applications. 
    It might be strange to ponder such a reality in a time where we are yet to establish internet connections that are not at risk of cutting out during live, remote events — but still, discussing the topic now may lead to preemptive regulation that can control the emerging industry — unlike the delay in dealing with the Internet of Things (IoT) industry that has opened the way for massive security problems. 
    On Thursday, Kaspersky released a new report, “The Future of Human Augmentation 2020: Opportunity or Dangerous Dream?,” that sought to clarify citizens’ viewpoints in multiple countries on the prospect of biohacking. 
    Taking place in July this year, the study included responses from close to 15,000 adults across 16 countries: Austria, Belgium, Czech Republic, Denmark, France, Germany, Greece, Hungary, Italy, Morocco, Netherlands, Portugal, Romania, Spain, Switzerland, and the United Kingdom.
    In total, 91% of respondents said they would change a feature of themselves if they could, and 63% said they would consider human augmentation to do so.
    Italians were the most likely to consider biohacking, at 81%. In contrast, the British are more prudent, with only 33% saying they would investigate human augmentation to change their own features. Spain, Portugal, Greece, and Morocco, too, are open to the idea of biohacking.
    Over half of the respondents, 53%, said that biohacking should be used for the good of all, such as in medical settings. However, 69% expressed concern that biohacking in the future will be reserved for the rich. 
    During the keynote at Kaspersky NEXT, this was an opinion also expressed by Julian Savulescu, Oxford University Professor and Uehiro Chair in Practical Ethics. 
    “It [human augmentation] will develop through market forces maximizing profits for large multinational companies,” Savulescu commented.
    In other words, the economy and consumer demand could drive biohacking initiatives, rather than any quest toward a common good. 
    Zoltan Istvan, the founder of the Transhumanist Party, agreed, noting that human augmentation is likely to be “controlled by capitalism to some extent,” and the “economy will be a driver, for better or worse.” 
    According to Savulescu, if biohacking is not going to be driven purely by personal needs and economic factors, we need to develop an improved moral compass based on wellbeing and what enhancements are good for people in general. 
    “You want duck lips? Good for you,” Savulescu said. “You want a monkey tail? Good for you. […] [However] We need to identify what is wellbeing, what is a good life, and what are good relationships, and use this account to identify what kind of enhancements are good for people, and what is not beneficial.”
    In comparison, Istvan believes that biohacking is intrinsically the next step in humans “aspiring to be something greater than ourselves.”
    “[I am] ultimately on the side of personal choice, as long as it doesn’t hurt anyone else directly,” Istvan said. “[…] Let people make those decisions themselves and the marketplace will follow.”
    Other interesting statistics released in the report include:
    88% of people stated that they feared their bodies could be hacked by cybercriminals
    36% of women and 25% of men considered augmentation to improve attractiveness appealing
    Men are more interested in improving strength via biohacking (23%) than women (18%)
    47% believe governments should regulate human augmentation
    “Human augmentation is one of the most significant technology trends today,” Preuss commented. “But people are right to be wary. Augmentation enthusiasts are already testing the limits of what’s possible, but we need commonly-agreed standards to ensure augmentation reaches its full potential while minimizing the risks.”

    Google 'formally' bans stalkerware apps from the Play Store

    Google has updated its Play Store rules to impose a “formal” ban on stalkerware apps, but the company has left a pretty huge loophole in place for stalkerware to be uploaded on the official store as child-tracking applications.
    Stalkerware is a term used to describe apps that track a user’s movements, snoop on calls and messages, and record other apps’ activity.
    Stalkerware, also known as spouseware, is usually advertised to users as a way to discover cheating partners, track children while outside their homes, and as a way to keep an eye on employees at work.
    The primary feature of all stalkerware apps, regardless of whether they’re intended to be used on smartphones or laptops, is that they can be installed and run without the device owner’s knowledge, operating in the background of the operating system.
    Over the past decade, the Play Store has hosted hundreds of applications that fit into the stalkerware category.
    Google, which has intervened to take down stalkerware apps when they’ve been pointed out by security researchers, has usually avoided making public statements on the topic.
    Google imposes stalkerware ban… sort of
    But in an update to its Developer Program Policy today, Google said that all apps that track users and send their data to another device must include an “adequate notice or consent” and show a “persistent notification” that the user’s actions are being tracked by the app.
    The new rules, set to enter into effect next month, on October 1, amount to a ban on stalkerware apps, since they negate the apps’ ability to be installed and to operate undetected on victim devices. If user-tracking apps don’t add these UI changes, they won’t pass the approval process to be listed on the Play Store.
    But while the new rules seem a step in the right direction, Google has also left a loophole that could be abused by shady stalkerware devs.
    According to Google, apps that track children can continue to operate without requesting consent or showing a persistent notification on screen. Apps that track adults must include these two items, Google said.
    In other words, there’s nothing stopping a stalkerware dev from rebranding their app and continuing to operate unimpeded. In fact, today’s announcement looks more like a heads-up for all the shady app devs, rather than an actual ban on stalkerware, with app developers having almost two weeks to comply with the rules.
    This exception for child-tracking apps is the same loophole that Google also left in a similar ban it imposed on stalkerware ads in July. A subsequent TechCrunch investigation found that the ban on stalkerware ads was never enforced, which raises the question of whether this one will be, or if it’s more of a PR stunt.

    US charges two Iranian hackers for years-long cyber-espionage, cybercrime spree

    The US has filed charges and is seeking the arrest of two Iranian nationals believed to have carried out cyber-intrusions at the behest of the Iranian government and for their own personal financial gain.
    In an indictment unsealed today, prosecutors accused Hooman Heidarian and Mehdi Farhadi, both from Hamedan, Iran, of launching cyber-attacks against a wide range of targets since at least 2013.
    Past victims included several US and foreign universities, a Washington think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran, with most targets located in the US, Israel, and Saudi Arabia.
    US officials said Heidarian and Farhadi focused on gaining access to their victims’ accounts, computers, and internal networks, from where they stole confidential data and communications pertaining to topics such as national security, foreign policy, nuclear energy, and aerospace.
    Financial data and personally identifiable information weren’t off-limits, and the two also stole intellectual property, such as unpublished scientific research.
    In addition, the two also targeted and stole personal information and communications of Iranian dissidents, human rights activists, and opposition leaders, according to George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division.
    Prosecutors believe that some of the stolen data was handed over to Iranian government intelligence officials, but that other information was also sold on black markets for the hackers’ personal gains.
    Hacking tactics evolved across the years
    Heidarian and Farhadi’s hacking skills and tactics also evolved across the years. According to court documents, US officials said that Heidarian previously also operated under the hacker moniker of Sejeal, under which he defaced more than 1,000 websites with pro-Iranian messages.
    In another incident, Heidarian is also believed to have mass-spammed Israeli citizens with threatening anti-Israel SMS messages.
    However, Heidarian and Farhadi eventually moved on from these skid-level hacks to adopting the tactics of regular state-sponsored and cybercrime groups.
    This included performing online reconnaissance before launching attacks, using vulnerability scanners to find weak spots in a victim’s network, and using SQL injection exploits to take over vulnerable servers.
    They also dabbled with malware, deploying keyloggers and remote access trojans (RATs), and eventually built their own botnet for spamming victims and launching DDoS attacks.
    Further, the two also used session hijacking to gain access to accounts using stolen cookie files, and in some instances, they also set up hidden forwarding rules for compromised email accounts.
    Each hacker risks more than 20 years in prison for their crimes, if caught, extradited, and found guilty.
    The DOJ trifecta
    The Heidarian and Farhadi charges come to complete a DOJ trifecta today, with US prosecutors also unsealing indictments against five Chinese hackers believed to be part of China’s APT41 hacker group, and two Russian hackers, involved in the theft of $16.8 million from cryptocurrency users via phishing sites.
    According to Kaspersky researchers, Farhadi is suspected to have been a member of Iranian hacker group APT34. His name was shared on a Telegram channel where a mysterious group leaked the source code of APT34 malware.
    Yesterday, DOJ officials charged two other Iranian hackers, on charges of defacing US websites following the US killing of an Iranian military general.
    Iranian state-sponsored hackers dabbling in both espionage and financially-motivated cybercrime isn’t anything new. The US previously charged another Iranian hacker group in March 2018, which similarly operated as a hacker-for-hire group for the Iranian regime, and also stole and sold academic research and papers from western universities on dedicated Iranian websites.
    Both Heidarian and Farhadi are now wanted by the FBI.

    US charges two Russians for stealing $16.8m via cryptocurrency phishing sites

    The US Department of Justice has filed charges today against two Russian nationals for orchestrating a multi-year phishing operation against the users of three cryptocurrency exchanges.
    The two suspects stand accused of creating website clones for the Poloniex, Binance, and Gemini cryptocurrency exchanges, luring users on these fake sites, and collecting their account credentials. These phishing operations began around June 2017.
    US officials said the Russian duo — made up of Danil Potekhin (aka cronuswar) and Dmitrii Karasavidi; residents of Voronezh and Moscow, respectively — used the stolen credentials to access victim accounts and steal their Bitcoin (BTC) and Ether (ETH) crypto-assets.
    In total, US officials estimated the victims in the hundreds. Court documents cite 313 defrauded Poloniex users, 142 Binance victims, and 42 users at Gemini.
    Losses were estimated at $16,876,000.
    According to a superseding indictment unsealed today, Potekhin and Karasavidi transferred the stolen funds into intermediary accounts set up using fake identities at other cryptocurrency exchange portals, such as Poloniex, Binance, Gemini, and Bittrex.
    In a press release today, the US Treasury Department said that despite efforts to launder stolen funds across different exchanges, accounts, and blockchains, some of the funds stolen by the two hackers have been traced and seized by the US Secret Service. Treasury officials have also imposed sanctions on the two suspects.
    Suspects also engaged in crypto-market manipulation
    But the DOJ said the two Russians weren’t pleased with only stealing funds. The two also engaged in market manipulation using cheap altcoins (alternative cryptocurrency coins).
    “The defendants first created a number of fictitious accounts on the same [exchange] platform and each account purchased an inexpensive digital currency known as GAS prior to the manipulation,” DOJ official said, citing an incident that occurred between July 2017.
    “Then, on October 29, 2017, the defendants took control of the three victim customer accounts and used the digital currency contained in those accounts, with a value of over $5 million at that time, to purchase GAS at the same time, which increased demand and price.
    “The defendants and their co-conspirators then quickly converted the digital currency in their fictitious accounts from GAS to Bitcoin and other digital currencies, causing the value of GAS to plummet.”
    According to a recorded press release today, US Attorney for the Northern District of California David Anderson said the two Russians face up to 59 years in prison for their crimes.
    The two remain at large.

    Reolink Go PT security camera review: Surveillance in far-flung places

    Pros
    ✓355-degree pan, 140-degree tilt
    ✓Solar panel charger

    Cons
    ✕Will not work without SIM and data plan

    On the surface, the Reolink Go PT external security camera is almost the same as the Reolink Argus PT camera. But it has one small but important difference.

    You can place this camera almost everywhere. I say almost because this security camera will transmit signals from wherever it is to your mobile phone — as long as there is a cell phone signal.
    The Go PT can run on 4G LTE and 3G networks. You do not need to connect this device to Wi-Fi to keep track of your valuables.
    You do not even need to plug it into a power supply. The Go PT comes with a rechargeable battery or you can charge your Go PT device using the optional solar power pack.
    Like the Reolink Argus PT, the Go PT has 355-degree horizontal panning and 140-degree tilt to monitor an almost complete field of view. Like the Argus PT, it has a PIR motion sensor, alerts, and will broadcast a voice alert. In fact, these cameras are almost the same.
    All you need for the Go PT is to buy a SIM and set up a data contract for the card. That’s it.
    The beauty of this device is that you can mount it far away from your Wi-Fi access point, and it will monitor and transmit via 3G or 4G data.
    The Reolink app manages the Go PT and the controls are the same for all of the Reolink cameras. Connecting the camera to the app is simple.
    I spent far longer getting the SIM card contract set up and activated than the time I spent connecting the camera to the app, and screwing the unit to the shed.
    The biggest difference I noticed between the Argus PT and the Go PT was the mounting frame for the camera.
    I felt that the Reolink Argus PT mount was flimsy, yet the mount for the Go PT — practically the same camera — was significantly better quality. It is still plastic, but I was happy to install this without fashioning an alternative mount for the camera.
    With the solar panel included, the Reolink Go PT costs just under $290, but if you have a large property or are out of Wi-Fi range, this extra cost could be something to consider.
    If you want to make sure your outbuildings are secure, and you have no power to these places, then the Reolink Go PT should certainly be on your list of security products to buy.

    Chrome now lets high-risk APP users scan suspicious files on demand

    Google has added a new feature today to APP, its security program meant for high-risk users, such as journalists, political organizations, and activists.
    Starting today, APP users browsing the web with Chrome can send suspicious files they just downloaded to Google servers and have them scanned for malware.
    The feature is the latest addition to APP, or the Google Advanced Protection Program.
    Launched in 2017, the APP is a special program from Google, not enabled for all users. Nonetheless, while the program was launched with high-risk individuals in mind, there’s no restriction on who can apply, and anyone can sign up for the APP via the program’s official website.
    To sign up, all a user has to do is own and connect a hardware security key to their Google account. Once they do, their Gmail account will be protected by the security key, which will serve as a 2FA method, and the user’s incoming emails will be scanned more thoroughly for potential threats, such as malware-laced attachments, phishing links, and emails coming from known state-sponsored groups.
    The APP initially launched as a set of extra security features added to an individual’s Gmail account, but the program expanded in 2019 to users browsing the web with Google’s Chrome browser.
    Starting last year, Google began showing warnings to APP users when they downloaded files using Chrome that looked to be malicious.
    Earlier today, Google says it updated this warning to add an option to let APP users upload the file to Google servers and have it scanned by the Google Safe Browsing service, using its internal static and dynamic analysis techniques.
    The new feature is ideal for users who can’t afford to buy an antivirus program, such as activists with low income, or those living in US-sanctioned countries where some security vendors might not have a presence.
    For APP users to take advantage of this new feature, they have to browse the web using Chrome and be signed into Chrome with their APP-protected Google account.