More stories

  • Apple patches severe macOS Big Sur data loss bug

    For the past few weeks, macOS Big Sur has suffered from a bug that could cause serious data loss. The bug was introduced in Big Sur 11.2, and it made its way into the 11.3 beta.

    The bug comes down to the macOS Big Sur installer not checking whether the Mac has the free space required to carry out an upgrade. The upgrade runs into problems and, if that isn’t bad enough, if the user’s Mac was encrypted using FileVault, the user is locked out of their data.
    Pretty scary stuff.
    Check this out: Apple: Please stop this nonsense
    The bug has been explored extensively by Mr. Macintosh, outlining the problem, some possible solutions, along with a very informative and detailed video. The bug was narrowed down to an evil Goldilocks zone, where users had more than 13GB of free space, but less than 35.5GB.
    The video is truly awesome work. Thank you Mr. Macintosh for your work!
    The good news is that Apple has finally released an updated macOS Big Sur 11.2.1 installer — (20D75) — that properly checks for the free space.

    The fix has been confirmed by Mr. Macintosh.

    macOS Big Sur 11.2.1 (20D75) full installer is now available for download. I’ve confirmed the new installer now checks for free space properly. This was a serious problem, and I’m glad users will no longer get caught by this issue. https://t.co/dYSuRjdd4p pic.twitter.com/ILxoKfhORn
    — Mr. Macintosh (@ClassicII_MrMac) February 15, 2021

    What’s the moral of this story?
    Have a backup, and perhaps allow others — who are braver and more foolhardy — to go first. Also, check the system requirements and don’t rely on the installer to check everything.
    Oh, also, don’t believe that whole “it just works” thing.

  • Losses to romance scams reached a record $304 million in 2020

    The current COVID-19 pandemic and the subsequent stay-at-home and social distancing directives might have played a major role in romance scams losses reaching record levels in 2020, the US Federal Trade Commission said in a report last week.

    Total losses were estimated at a record $304 million, up about 50% from 2019, with the average loss last year being estimated at $2,500 per individual.
    “From 2016 to 2020, reported total dollar losses increased more than fourfold, and the number of reports nearly tripled,” the agency said.
    The FTC believes that the 50% spike in extra losses recorded in 2020 can be attributed to the COVID-19 pandemic, which has limited people’s ability to meet in person and has forced more users towards using online long-distance and impersonal communications, such as dating apps.
    In most cases, the ruse is that the targets of a romance scam are asked to send money back to the crooks.
    “Scammers claim to have sent money for a cooked-up reason, and then have a detailed story about why the money needs to be sent back to them or on to someone else. People think they’re helping someone they care about, but they may actually be laundering stolen funds,” the FTC said.
    “In fact, many reported that the money they received and forwarded on turned out to be stolen unemployment benefits.”
    Users targeted on social media too, not just dating apps

    Furthermore, the FTC also warned that many romance scams don’t always start on dating apps but also on social media networks.
    “These social media users aren’t always looking for love, and report that the scam often starts with an unexpected friend request or message,” the FTC said.
    “Sooner or later, these scammers always ask for money. They might say it’s for a phone card to keep chatting. Or they might claim it’s for a medical emergency, with COVID-19 often sprinkled into their tales of woe. The stories are endless, and can create a sense of urgency that pushes people to send money over and over again.”
    The most common forms of transferring money from victims were gift cards, which saw a 70% spike from 2019, followed by wire transfers.
    And according to the FTC, all age groups were targeted last year, not just the elderly. Victims aged 40 to 69 were targeted the most, while victims aged above 70 reported the highest average losses (~$9,475); other age groups also saw spikes in reports and average losses.
    The US government agency urged users to share its romance scam guide with vulnerable friends or family members as a way to reduce the efficacy of these scams going forward.

  • Automating scam call blocking sees Telstra prevent up to 500,000 calls a day

    Telstra has said it is now blocking approximately 6.5 million suspected scam calls a month, at times up to 500,000 a day, thanks to automating a formerly manual process that blocked around 1 million scam calls a month.
    The system that Telstra built in-house forms the third leg of its Cleaner Pipes program.
    In May, the company kicked off the program with DNS filtering to fight botnets, trojans, and other types of malware, and later extended it to blocking phishing text messages purporting to be from myGov or Centrelink before they hit customers’ phones.
    “Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly AU$48 million last year,” CEO Andy Penn wrote in a blog post.
    “If you think you are receiving a scam call, our simple advice is: Hang up.”
    Penn said the company would only call customers between 9am and 8pm on weekdays, and 10am and 3pm on Saturdays, and never on a Sunday.
    “The exception to this is if you have an unpaid account or a customer-initiated inquiry with respect to an order, fault or complaint, someone from Telstra may call you outside of these hours,” he added. “We’ll respect your wishes and terminate the call if you say no thanks and we won’t call repeatedly if you don’t answer — these are all hallmarks of scam calls.”

    The CEO said any customers that believe they have been scammed should contact the telco.
    “We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network,” Penn said.
    “It will take more investment and innovation, and continued support from government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.”
    Last week, Telstra reported a challenging first half of its fiscal year as it saw double-digit drops in revenue and earnings before interest, income tax expense, depreciation, and amortisation (EBITDA) and, consequently, it has revised its guidance downwards.
    For the half year to December 31, the company saw revenue fall 10% to AU$12 billion, while EBITDA dropped 14.7% to AU$4 billion, and EBIT took a 20% hit to decline to AU$1.64 billion. Thanks to a substantially lower level of income tax, down 60% to AU$209 million, net profit fell only 2.2% to AU$1.13 billion.

  • Researchers want Australia's digital ID system thrown out and redesigned from scratch

    Researchers have recommended the Australian government abandon its existing digital identity system and start again from scratch, again highlighting security flaws in two of the systems already accredited.
    Professor Vanessa Teague and Ben Frengley last year disclosed to the Australian Taxation Office (ATO) a weakness in its myGovID system. They found myGovID is subject to an easily implemented code proxying attack, which allows a malicious website to proxy a person’s myGovID login and re-use their authentication to log in to the victim’s account on any website of their choice.
    The pair said the ATO, in response, informed them of having no intentions to fix the flaw.
    The Digital Transformation Agency (DTA) is responsible for the Trusted Digital Identity Framework (TDIF), which is a high-level design for a federated authentication system.
    “The primary security goal of an authentication mechanism is to prevent malicious parties from logging in fraudulently to others’ accounts. A secondary security goal is to maintain the privacy of the identity proof documents and biometric data used to establish identity,” the researchers wrote [PDF].
    “Neither the TDIF’s high-level design, nor its implementation by the ATO (myGovID) meet their intended security goals.”
    myGovID is an accredited digital ID provider, as is Australia Post’s equivalent identity service. Teague and Frengley have identified flaws in the postal service’s system, too.

    The Identity Exchange (IdX), the researchers said, acts as a single point of failure for both privacy and authentication, resulting in an “extremely brittle architecture that would allow for large-scale identity fraud if that one component came under the control of a malicious party”.
    They said the IdX is intended to hide the identity of the relying party from the identity provider, but fails to do this in the ATO’s implementation. Of concern to both is that the implementation of the TDIF in Australia Post’s Digital iD does not even appear to use an IdX at all, which is the fundamental component of the TDIF’s design.
    “Although we have not examined Australia Post’s implementation in detail, it seems to diverge substantially from the TDIF specification, but has apparently been accredited anyway,” they added.
    “The TDIF as currently designed and implemented does not meet its own guiding principles — it is not immediately obvious that a brokered model without technical means to preserve privacy even can meet them.”
    As a result, the researchers have recommended a “careful re-evaluation of the priorities of the TDIF”, and a consideration of other options which may meet its goals.
    Alternatives the pair have offered up include the use of a public key infrastructure-based system or the use of a simple, standard, pairwise OpenID Connect protocol instead of a “complex brokered model with poor privacy and security properties”.
    “The system should be abandoned and redesigned from scratch by people with some understanding of secure protocol design and some concern for protecting their fellow citizens from identity theft,” they wrote.
    “Legislating to make it secure by fiat will not stop organised crime, foreign governments, or ordinary criminals, from taking advantages of its design flaws. A public key infrastructure is much more likely to succeed.”
    The researchers were also concerned with a paragraph in the DTA’s consultation paper that states the resulting digital ID legislation will include additional mechanisms, including penalties for protecting information used in the system, such as biometric information.
    These mechanisms could include criminal offence provisions and civil penalty provisions.
    “There are numerous Australian laws that do effectively penalise protecting information, but this is the first time we have seen the objective stated explicitly without invoking terrorists or paedophiles,” Teague and Frengley wrote.
    “We hope this is a typo, and strongly suggest penalising the inappropriate sharing or negligent leaking of information instead.
    “It is important not to criminalise security research aimed at improving the system’s security by openly examining its (numerous, serious) weaknesses.”

  • Security bugs left unpatched in Android app with one billion downloads

    An Android application downloaded more than one billion times contains unpatched vulnerabilities that the app maker has failed to fix for more than three months.


    The vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.
    The bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, Echo Duan, a mobile threats analyst for security firm Trend Micro, said in a report on Monday.
    The root cause of the security flaws is the lack of proper restrictions on who can tap into the application’s code.
    Duan said that malicious apps installed on a user’s device, or attackers who perform a person-in-the-middle network attack, can send malicious commands to the SHAREit app and hijack its legitimate features to run custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge.
    Furthermore, the app is also vulnerable to so-called Man-in-the-Disk attacks, a type of vulnerability first described by Check Point in 2018 that revolves around the insecure storage of sensitive app resources in a location of the phone’s storage space shared with other apps — where they can be deleted, edited, or replaced by attackers.
    App maker did not respond for three months
    “We reported these vulnerabilities to the vendor, who has not responded yet,” Duan said today.

    “We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data,” he added, while also noting that any attacks would also be hard to detect from a defender’s perspective.
    Contacted via email, a SHAREit spokesperson did not return a request for comment before this article’s publication.
    Duan said he also shared his findings with Google but did not elaborate on the Play Store owner’s response.
    On its website, SHAREit’s developers claim their apps are used by 1.8 billion users across more than 200 countries worldwide. The vulnerabilities do not impact the SHAREit iOS app, which runs on a different codebase.

  • Twitter deems Australia's account takeover warrant as antithetical to democratic law

    Twitter has labelled one of the three proposed new computer warrants handing the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) new powers for data access as antithetical to democratic law.
    Twitter’s remarks were made as part of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, which, if passed, would hand three new warrants for dealing with online crime to the two law enforcement bodies.
    The social media giant focused on the Account Takeover Warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “As currently written, the Account Takeover Warrant would be divorced from standard due process requirements. It would be antithetical to core legal principles enshrined in democratic law and procedural fairness,” it wrote in a submission [PDF] to the PJCIS.
    “Twitter is concerned that the proposed Bill will allow law enforcement direct access to data regardless of the location of the server, without requiring knowledge of such access being provided to the service provider, and in the case of Account Takeover Warrants, absent the agreement of an appropriate consenting official of the relevant foreign country where the warrant would be enforced.”
    It highlighted that, as currently drafted, the Account Takeover Warrant could also apply extraterritorially, but it does not have the requirement to obtain the agreement of a consenting official in a foreign country, nor does it provide notice to the service provider who is offering the service.
    “Therefore, the Account Takeover Warrant will apply extraterritorially with Australian law enforcement being authorised to take control of an online account regardless of where the account data is located and without consent from foreign governments or officials,” it said.

    Twitter has labelled it a “covert warrant” that would allow the AFP or the ACIC to take exclusive control of online accounts without the safeguards afforded by other warrant processes. It added that the scope of the activities ultimately authorised under an Account Takeover Warrant remains unclear.
    The company also revealed in its submission that Australia filed 259 information requests in the period spanning January 2012 through June 2020, relating to a total of 581 accounts. Twitter reported a 47.5% compliance rate for those requests.
    This represents less than 1% of global information requests, from 93 countries, received by Twitter to date.
    Twitter said it may disclose account information to law enforcement officials in response to a valid emergency request; it also accepts government requests to preserve account information.
    See also: Facebook and Google refuse 1 in 5 Australian law enforcement data access requests
    The Department of Home Affairs also provided a submission [PDF] to the PJCIS, saying the proposed Bill provides for an important boost in power for the two law enforcement bodies.
    “Cyber-enabled crime, often enabled by the dark web and anonymising technologies, presents a direct challenge to community safety and the rule of law. On the dark web, criminals are able to carry out the most serious of crimes, including exchanging child abuse material, planning terrorist attacks, and buying and selling illegal drugs and weapons, with a significantly lower risk of identification and apprehension,” it wrote.
    “The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information to ensure that the AFP and the ACIC use the powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms.”

  • France: Russian state hackers targeted Centreon servers in years-long campaign

    France’s cyber-security agency said that a group of Russian military hackers, known as the Sandworm group, has been behind a three-year-long operation during which it breached the internal networks of several French entities running the Centreon IT monitoring software.
    The attacks were detailed in a technical report released today by Agence Nationale de la Sécurité des Systèmes d’Information, also known as ANSSI, the country’s main cyber-security agency.
    “This campaign mostly affected information technology providers, especially web hosting providers,” ANSSI officials said today.
    “The first victim seems to have been compromised from late 2017. The campaign lasted until 2020.”
    The point of entry into victim networks was linked to Centreon, an IT resource monitoring platform developed by French company CENTREON, and a product similar in functionality to SolarWinds’ Orion platform.
    ANSSI said the attackers targeted Centreon systems that were left connected to the internet. The French agency couldn’t say at the time of writing if the attacks exploited a vulnerability in the Centreon software or if the attackers guessed passwords for admin accounts.
    However, in the case of a successful intrusion, the attackers installed a version of the P.A.S. web shell and the Exaramel backdoor trojan, two malware strains that when used together allowed hackers full control over the compromised system and its adjacent network.


    In a rare step, ANSSI said it managed to link these attacks to an advanced persistent threat (APT) group known in the cyber-security industry under the name of Sandworm.
    In October 2020, the US Department of Justice formally charged six Russian military officers for their participation in cyber-attacks orchestrated by this group, formally linking the Sandworm APT to Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency that is part of the Russian Army.
    Cyber-attacks previously carried out by this group included the energy grid crashes across Ukraine in 2015 and 2016, the NotPetya ransomware outbreak of 2017, the attacks on the PyeongChang Winter Olympics opening ceremony in 2018, and a mass defacement of Georgian websites in 2019.
    In addition, the DOJ also linked this group to attacks against France, namely to spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” political party — an operation also referred to as the Macron Leaks.
    Through the release of its report today, ANSSI is now warning and urging both French and international organizations to inspect their Centreon installations for the presence of the P.A.S. and Exaramel malware strains, a sign that the organization was breached by Sandworm in previous years.
    A Centreon spokesperson did not reply to a request for comment before this article’s publication.
    Despite the similarity in functionality between Centreon and the SolarWinds Orion apps, the Centreon attacks appear to be opportunistic exploitation of internet-exposed systems rather than a supply chain attack, as several security experts have pointed out today on Twitter.

    Sandworm has been using webshells and the Linux version of the backdoor Exaramel against French entities undetected for more than three years. Initial attack vector is unclear, but malware was found on servers running Centreon (vulnerability more likely than supply-chain). https://t.co/ieUYV57hCF
    — Timo Steffens (@Timo_Steffens) February 15, 2021

  • Microsoft Azure and Canonical Ubuntu Linux have a user privacy problem

    It was just another day for Luca Bongiorni, a security advisor for Bentley Systems. He’d just spun up an Ubuntu Linux 18.04 instance on the Microsoft Azure cloud using a corporate sandbox for testing purposes. Three hours later, on Bongiorni’s LinkedIn account he received a message from a Canonical sales representative saying, “I saw that you spun up an Ubuntu image in Azure,” and telling him he’d be his “point of contact for anything Ubuntu-related in the enterprise.” Say what??

    Actually, Bongiorni was a little more “frank” about his annoyance and surprise that a Canonical salesperson had tracked him down on an entirely different service and knew that he had just used Ubuntu on Microsoft Azure. “What the f*** is happening here? WHY [did] MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!” Customer privacy, what’s that?
    Bongiorni’s upset went big when well-known Amazon Web Services (AWS) blogger and Chief Cloud Economist at the Duckbill Group Corey Quinn called Microsoft out for sharing their customer’s data, tweeting, “@azure had a GOLDEN opportunity to pull a ‘we don’t mine your data, we don’t compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!’ Instead, they legit did exactly what their competitors don’t, but we worry about.”
    So what the heck is happening here?
    I asked Microsoft and they told me, “Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes.” 
    The last is exactly what Canonical did. 
    Canonical in response to this incident replied, “As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules. On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies.”

    Microsoft further muddied the waters when the company pointed me to section 3, Privacy and Data Protection, of their Terms and Conditions. There you will find 3.a: “Information Disclosed to Publishers. If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage. We will not share your Customer Data (as defined in this Section 3) with any Publisher without your permission.”
    Color me puzzled. I am not a lawyer, but I’d think your contact information is Customer Data. And, certainly, this information was used for marketing. And, who can blame Canonical for wanting this information for marketing? If I were a “publisher,” I’d certainly want to know who’s using my product. 
    It seems to me that Microsoft has created a real privacy muddle here with its privacy policy. While the T&C is certainly there, it’s not clear to me what information is shared with publishers and what restrictions they’re under in using that data. Making matters worse, the T&C is a click-wrap agreement. That is to say, like end-user license agreements (EULA) for PC programs, when you sign up for a cloud service you must agree to their T&C before you can use it.  That’s all well and good, but just like EULAs, almost no one reads them. 
    Yes, a company’s in-house counsel should examine them, but normal users? I doubt that one-in-a-thousand actually reads such legal boilerplate. In any case, even if you did, it’s confusing enough that I, who cover intellectual property law issues for a living, certainly wouldn’t expect to get a marketing call from Canonical for using Ubuntu or for any other Azure software publisher and its programs. 
    As Bongiorni tweeted, 

    Where exactly is any ToS visible?!
    As soon as I clicked on “add new VM”, the first option suggested was Ubuntu 18.04.
    I didn’t dig into the Azure Marketplace. I just picked the first option available since I quickly needed a Linux-based test VM.

    Bongiorni doesn’t blame the Canonical sales rep. “He just did what he has been told to do. The problem is with upper management I guess.”
    Looking ahead though, Bongiorni doesn’t expect to be spinning up any more instances of anything on Azure. He told The Register he’s considering taking his work to a European-based cloud provider “just to be sure there will be more transparency and more GDPR openness.”
    Who could blame him?