More stories


    NSW running Data61 de-identification tool across COVID data prior to public release

    The New South Wales government has been using a tool to help de-identify data related to COVID-19 prior to the release of that data to the public, the CSIRO said on Thursday.
    The tool, dubbed Personal Information Factor (PIF), has been created by Data61, the NSW government, the Australian Computer Society, Cyber Security Cooperative Research Centre (CSCRC), and “several other groups”.
    “The privacy tool assesses the risks to an individual’s data within any dataset; allowing targeted and effective protection mechanisms to be put in place,” the CSIRO claimed.
    “The software uses a sophisticated data analytics algorithm to identify the risks that sensitive, de-identified and personal information within a dataset can be re-identified and matched to its owner.”
    NSW chief data scientist Dr Ian Oppermann said the tool was being used on datasets containing data on people who had been infected with COVID-19 before it was made publicly available.
    “Given the very strong community interest in growing COVID-19 cases, we needed to release critical and timely information at a fine-grained level detailing when and where COVID-19 cases were identified,” Oppermann said.
    “This also included information such as the likely cause of infection and, earlier in the pandemic, the age range of people confirmed to be infected.

    “We wanted the data to be as detailed and granular as possible, but we also needed to protect the privacy and identity of the individuals associated with those datasets.”
    Data61 said PIF assigns a risk score to a dataset and makes recommendations to make de-identification “more secure and safe”.
    The tool is also being used on other datasets such as domestic violence data and public transport usage, Data61 said.
    PIF will be made available by June 22.
    In a recent submission to a review of the Privacy Act, security researcher Vanessa Teague said de-identification does not work.
    “A person’s detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person’s explicit, genuine, informed consent,” Teague said.
    “Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made.”
    At the end of 2017, a team of academics including Teague was able to re-identify some of the data from a set containing historic longitudinal medical billing records on one-tenth of all Australians.
    “We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth,” Dr Chris Culnane said at the time.
    “This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy.”
    In September 2016, the same dataset was found by the University of Melbourne team to not be encrypting supplier codes properly. The dataset was subsequently pulled down by the Department of Health.
    “Leaving out some of the algorithmic details didn’t keep the data secure – if we can reverse-engineer the details in a few days, then there is a risk that others could do so too,” the team said at the time.
    “Security through obscurity doesn’t work — keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem.
    “It is much better for such problems to be found and addressed than to remain unnoticed.”
    In response, the Australian government sought to criminalise the intentional re-identification and disclosure of de-identified Commonwealth datasets and reverse the onus of proof, with the aim of applying the changes retrospectively from 29 September 2016.
    The changes lapsed at the 2019 election.
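    The kind of assessment the article attributes to PIF, assigning a re-identification risk to a dataset and recommending what to coarsen, can be illustrated with a small k-anonymity check. The code below is an added example written for this page; it is not the PIF tool or any CSIRO/Data61 code, and the case records, the quasi-identifier columns (year of birth, postcode, infection source) and the generalisation hierarchy are all constructed for illustration. It scores each record by how many others share its quasi-identifier combination, generalises the whole release step by step, and suppresses any record that remains unique, which is the linkage risk Culnane describes above.

```python
"""
Added example (not the PIF tool or any CSIRO/Data61 code): measure the
re-identification risk of a de-identified release as 1/k, where k is the
number of records sharing a quasi-identifier combination, then generalise
and, as a last resort, suppress until every released record has k look-alikes.
All records, columns and hierarchy levels below are constructed.
"""
from collections import Counter

# Constructed COVID-style case records: no names, but quasi-identifiers that
# a linkage attack could join against outside knowledge (year of birth, area).
RECORDS = [
    {"yob": 1985, "postcode": "2000", "source": "overseas"},
    {"yob": 1985, "postcode": "2000", "source": "overseas"},
    {"yob": 1985, "postcode": "2000", "source": "local"},
    {"yob": 1942, "postcode": "2880", "source": "local"},   # outlier: unique
    {"yob": 1990, "postcode": "2010", "source": "local"},
    {"yob": 1991, "postcode": "2010", "source": "local"},
    {"yob": 1990, "postcode": "2010", "source": "overseas"},
]

QUASI_IDENTIFIERS = ("yob", "postcode", "source")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def risk_report(records, keys=QUASI_IDENTIFIERS):
    """Return (k_anonymity, max_per_record_risk, share_of_unique_records).

    A record in a class of size k can be singled out with probability 1/k
    by anyone who knows its quasi-identifiers; k == 1 means it is unique.
    """
    classes = equivalence_classes(records, keys)
    sizes = [classes[tuple(r[k] for k in keys)] for r in records]
    k_anon = min(sizes)
    unique_share = sum(1 for s in sizes if s == 1) / len(records)
    return k_anon, 1 / k_anon, unique_share


def generalise(record, level):
    """Apply a constructed generalisation hierarchy to one record.

    level 0: as collected; level 1: decade of birth and 2-digit postcode
    prefix; level 2: additionally drop the infection source.
    """
    yob, postcode, source = record["yob"], record["postcode"], record["source"]
    if level >= 1:
        yob = f"{yob // 10 * 10}s"
        postcode = postcode[:2] + "**"
    if level >= 2:
        source = "*"
    return {"yob": yob, "postcode": postcode, "source": source}


def release(records, k=2, max_level=2):
    """Pick the least-generalised level meeting k-anonymity.

    Returns (level_used, released_records, suppressed_count). If even the
    coarsest level leaves unique records, those outliers are suppressed
    rather than published, because generalisation alone cannot hide them.
    """
    for level in range(max_level + 1):
        candidate = [generalise(r, level) for r in records]
        if risk_report(candidate)[0] >= k:
            return level, candidate, 0
    candidate = [generalise(r, max_level) for r in records]
    classes = equivalence_classes(candidate)
    kept = [r for r in candidate
            if classes[tuple(r[key] for key in QUASI_IDENTIFIERS)] >= k]
    return max_level, kept, len(candidate) - len(kept)


if __name__ == "__main__":
    k_anon, max_risk, unique_share = risk_report(RECORDS)
    print(f"raw release: k={k_anon}, max risk={max_risk:.2f}, "
          f"unique records={unique_share:.0%}")
    level, published, suppressed = release(RECORDS, k=2)
    print(f"published at level {level}: {len(published)} records, "
          f"{suppressed} suppressed, k={risk_report(published)[0]}")
```

    On the constructed data the raw release has five unique records out of seven; generalising to decade and postcode prefix still leaves the 1942/2880 case unique at every level, so the release function suppresses that one record and publishes six with k = 3. That outlier is the point of the exercise: a rare combination in a regional area is exactly what an attacker with outside knowledge can link, and no amount of coarsening the other columns fixes it.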



    Facebook's Zuckerberg takes aim at Apple's privacy pitch, motives with iOS 14

    Facebook’s fourth quarter earnings conference call featured CEO Mark Zuckerberg calling out Apple’s iOS 14 moves, saying the iPhone maker was “one of our biggest competitors” and questioning motives.
    Yes folks, Facebook’s Zuckerberg went a little pro wrestling (at least for tech CEOs not named Larry Ellison) with its Apple confrontation.
    Zuckerberg has a reason to be a bit bent out of shape. Facebook said its future results could be hurt by privacy changes in Apple’s iOS 14. Zuckerberg argued that Apple’s changes are aimed at benefiting iMessage and harming small businesses.
    Here are Zuckerberg’s comments in full:

    WhatsApp, and the direction that we’re heading in with Messenger, are the best private social apps available. Now we have a lot of competitors who make claims about privacy that are often misleading. Now Apple recently released so-called nutrition labels, which focused largely on metadata that apps collect rather than the privacy and security of people’s actual messages. But iMessage stores non-end-to-end encrypted backups of your messages by default unless you disable iCloud. So Apple and governments have the ability to access most people’s messages. So when it comes to what matters most, protecting people’s messages, I think that WhatsApp is clearly superior. Now since I try to use these earnings calls to discuss aspects of business strategy that I think are important for investors to understand, I do want to highlight that we increasingly see Apple as one of our biggest competitors. iMessage is a key linchpin of their ecosystem. It comes pre-installed on every iPhone, and they preference it with private APIs and permissions, which is why iMessage is the most used messaging service in the U.S. And now we are also seeing Apple’s business depend more and more on gaining share in apps and services against us and other developers. So Apple has every incentive to use their dominant platform position to interfere with how our apps and other apps work, which they regularly do to preference their own. And this impacts the growth of millions of businesses around the world including with the upcoming iOS 14 changes, many small businesses will no longer be able to reach their customers with targeted ads. Now Apple may say that they’re doing this to help people, but the moves clearly track their competitive interests. And I think that this dynamic is important for people to understand because we and others are going to be up against this for the foreseeable future. Now our messaging services continue growing, but it is an uphill battle, and our services just need to be that much better as private social platforms to succeed.

    Facebook operating chief Sheryl Sandberg noted that Facebook will find ways to amplify stories about small businesses worried about Apple’s iOS changes.
    Apple CEO Tim Cook didn’t address Facebook by name but did stick to the company’s pitch on privacy. Cook said:

    Tomorrow is International Privacy Day, and we continue to set new standards to protect users’ right to privacy, not just for our own products but to be the ripple in the pond that moves the whole industry forward. Most recently, we’re in the process of deploying new requirements across the App Store ecosystem that give users more knowledge about and new tools to control the ways that apps gather and share their personal data.


    US and Bulgarian authorities disrupt NetWalker ransomware operation

    Law enforcement agencies from Bulgaria and the US have this week disrupted the infrastructure of NetWalker, one of 2020’s most active ransomware gangs.

    Bulgarian officials seized a server used to host dark web portals for the NetWalker gang, while officials in the US indicted a Canadian national who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.
    The seized servers were used to host pages where victims of NetWalker attacks were redirected to communicate with the attackers and negotiate ransom demands.
    The same server also hosted a blog section where the NetWalker gang would leak data stolen from hacked companies that refused to pay the ransom demand — as a form of revenge and public shaming.

    Details about the Canadian national indicted today are not yet available beyond his name and residence — Sebastien Vachon-Desjardins, of Gatineau.
    Vachon-Desjardins is currently believed to be an “affiliate,” a person who rented the ransomware code from the NetWalker creator.
    This type of business is called Ransomware-as-a-Service, or RaaS, and is a common setup employed by many ransomware gangs today.

    Prior to today’s takedown, NetWalker operated through topics posted on several underground forums by a user named Bugatti. This user advertised the ransomware’s features and looked for “partners” (aka affiliates) that would breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.
    If victims paid, Bugatti and the affiliate would split the ransom payments according to a pre-negotiated agreement.
    According to US authorities, NetWalker has impacted at least 305 victims from 27 different countries, including 203 in the US.

    A report from McAfee published in August 2020 claimed the NetWalker ransomware operation earned more than $25 million from ransom payments from March to July 2020 alone — a number that has gone up, as the gang continued to operate until today’s takedown.
    In a report published today, blockchain analysis firm Chainalysis updated that figure to more than $46 million for the whole of 2020, putting NetWalker in the year’s top 5 grossing ransomware strains, next to Ryuk, Maze, Doppelpaymer, and Sodinokibi.

    The same Chainalysis report also claims that Vachon-Desjardins worked as an affiliate for other ransomware gangs, such as Sodinokibi, Suncrypt, and RagnarLocker.
    Besides charging the Canadian national, the US DOJ also said it managed to seize $454,530.19 in cryptocurrency believed to be linked to ransom payments made by three past NetWalker victims.
    The NetWalker disruption also comes on the same day that Europol and its partners announced a takedown of the Emotet botnet.


    Authorities plan to mass-uninstall Emotet from infected hosts on April 25, 2021

    Updated on January 28 to correct the date from March 25 to April 25. The error in interpreting the date was discovered by Malwarebytes earlier today. The original article, with the corrected date, is below.
    Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on April 25, 2021, ZDNet has learned today.

    The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today’s largest malware botnet.
    While servers were located across multiple countries, Dutch officials said that two of Emotet’s three primary command and control (C&C) servers were located inside its borders.
    Dutch police officials said today they used their access to these two crucial servers to deploy a booby-trapped Emotet update to all infected hosts.
    According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains a time-bomb-like code that will uninstall the Emotet malware on April 25, 2021, at 12:00, the local time of each computer.

    Last chance to audit networks
    “The technical disruption that the Dutch police detailed in their press release, if it works as they described, will effectively reset Emotet,” Binary Defense senior director Randy Pargman told ZDNet today in an online chat.

    “It forces the threat actors behind it to start over and attempt to rebuild from scratch, and it gives IT staff at companies around the world a chance to locate and remediate their computers that have been infected,” Pargman added.
    Currently, the Europol takedown prevents the Emotet gang from selling access to Emotet-infected computers to other malware gangs, a tactic the Emotet gang has been known for doing.
    But Emotet hosts where cybercrime gangs have already bought access remain at risk.
    Pargman is now urging companies to take advantage of this time window until April 25 to investigate internal networks for the presence of the Emotet malware and see if other gangs used it to deploy other threats.
    After Emotet uninstalls itself on April 25, such investigations will be harder to carry out.
    Arrests in Ukraine
    Since ZDNet’s early coverage of the Emotet takedown, Ukrainian police officials have also come out to announce they arrested two individuals who they believe were tasked with keeping Emotet’s servers up and running.
    A video of the arrests and apartment searches is available below.
    [embedded content]



    New Google cloud service aims to bring zero trust security to the web

    Google has announced general availability of BeyondCorp Enterprise, a new security service from Google Cloud based on the principle of designing networks with zero trust. 

    As US security companies come to terms with the SolarWinds supply chain hack, Google and Microsoft are talking up their capabilities in the cloud around zero trust. 
    Microsoft last week urged customers to adopt a “zero trust mentality” and abandon the assumption that everything inside an IT network is safe, and now Google has launched the BeyondCorp Enterprise service based around the same concept. 
    “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned),” explains the National Institute of Standards and Technology (NIST).  
    “Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
    BeyondCorp Enterprise replaces BeyondCorp Remote Access, a cloud service Google announced in April in response to remote working due to the COVID-19 pandemic and the heightened need for virtual private network (VPN) apps. 
    The service allowed employees to securely access their company’s internal web apps from any device and location. Google has been using BeyondCorp for several years internally to protect employee access to apps, data, and other users. 

    “BeyondCorp Enterprise brings this modern, proven technology to organizations so they can get started on their own zero trust journey. Living and breathing zero trust for this long, we know that organizations need a solution that will not only improve their security posture, but also deliver a simple experience for users and administrators,” said Sunil Potti VP of Google Cloud Security. 
    As Microsoft highlighted last week, the three main attack vectors in the SolarWinds attack were compromised user accounts, compromised vendor accounts, and compromised vendor software. These can be significantly mitigated by zero trust principles, such as restricting privileged access to the accounts that need it and enabling multi-factor authentication. Microsoft is encouraging organizations to use Azure Active Directory for identity and access management instead of on-premise identity management systems. 
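    The NIST definition quoted above and the mitigations listed here come down to a per-request decision that never consults network location. The code below is an added example written for this page, not BeyondCorp, Azure AD or any Google or Microsoft code: a minimal policy evaluator in which every request must carry an authenticated user, an enrolled and compliant device bound to that user, and an explicit role grant, with MFA additionally required for privileged resources. The users, devices, resources and source addresses are all constructed; the source IP is kept only for the audit record and plays no part in the decision.

```python
"""
Added example (not BeyondCorp, Azure AD or any vendor's code): a zero-trust
access decision in the NIST sense. Identity and device are authenticated on
every request, authorisation comes only from explicit role grants, and the
caller's network location is recorded for audit but never trusted.
All users, devices, resources and addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    source_ip: str            # audit only: "inside the LAN" earns no trust
    mfa_verified: bool = False


# Constructed identity store: role grants are the only source of authorisation.
USERS = {
    "alice": {"roles": {"finance", "staff"}},
    "bob":   {"roles": {"staff"}},
}

# Constructed device inventory: a device must be enrolled, compliant and
# bound to the user presenting it (device authentication, not just user).
DEVICES = {
    "laptop-01": {"owner": "alice", "enrolled": True,  "compliant": True},
    "laptop-02": {"owner": "bob",   "enrolled": True,  "compliant": False},
    "laptop-03": {"owner": "bob",   "enrolled": True,  "compliant": True},
    "byod-99":   {"owner": "alice", "enrolled": False, "compliant": True},
}

# Constructed resources: the role required and whether MFA is mandatory.
RESOURCES = {
    "wiki":    {"role": "staff",   "privileged": False},
    "payroll": {"role": "finance", "privileged": True},
}


def authorize(req: Request) -> Tuple[bool, str]:
    """Evaluate a single request and return (allowed, reason).

    Checks run in the order subject, device, resource, least privilege, MFA;
    the first failing check denies. req.source_ip is deliberately unused.
    """
    user = USERS.get(req.user)
    if user is None:
        return False, "unknown user"
    device = DEVICES.get(req.device_id)
    if device is None or not device["enrolled"]:
        return False, "device not enrolled"
    if device["owner"] != req.user:
        return False, "device not bound to user"
    if not device["compliant"]:
        return False, "device out of compliance"
    resource = RESOURCES.get(req.resource)
    if resource is None:
        return False, "unknown resource"
    if resource["role"] not in user["roles"]:
        return False, "role not granted"
    if resource["privileged"] and not req.mfa_verified:
        return False, "MFA required for privileged resource"
    return True, "allowed"


def decide_and_log(req: Request, audit: List[str]) -> bool:
    """Authorise the request and append one audit line including the source IP."""
    allowed, reason = authorize(req)
    audit.append(f"{req.user}@{req.device_id} -> {req.resource} "
                 f"from {req.source_ip}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return allowed


if __name__ == "__main__":
    log: List[str] = []
    # Inside the LAN but no MFA for a privileged app: denied.
    decide_and_log(Request("alice", "laptop-01", "payroll", "10.0.0.5"), log)
    # From the internet with a compliant device and MFA: allowed.
    decide_and_log(Request("alice", "laptop-01", "payroll", "203.0.113.7",
                           mfa_verified=True), log)
    # Non-compliant device is refused even for an unprivileged app.
    decide_and_log(Request("bob", "laptop-02", "wiki", "10.0.0.5"), log)
    print("\n".join(log))
```

    The ordering matters for a defender: a request from a non-compliant or borrowed device is rejected before any resource rule is consulted, so a stolen session on an unmanaged machine fails the same way from inside the office as from a hotel network. The audit line still records the source address, because location is useful for detection even though it is worthless as a trust signal.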
    Google’s main weapon in the fight against sophisticated attackers is Chrome through which it’s promising easy “agentless support”. Chrome has over two billion users, so it has scale too. 
    Then there’s Google’s network with 144 network edge locations across 200 countries and territories, which helps back up its distributed denial of service (DDoS) protection service. 
    Google is encouraging organizations to use the Google Identity-Aware Proxy (IAP) to manage access to apps running in Google Cloud. 
    The pandemic and the SolarWinds hack have made security a bigger value proposition for companies like Microsoft and Google. For the first time, Google parent Alphabet on February 2 will break out cloud revenue as a separate reporting segment, starting with its Q4 2020 results.
    Other key security highlights for Chrome under the BeyondCorp Enterprise service include threat protection to prevent data loss and exfiltration and malware infections from the network to the browser; phishing protection; continuous authorization; segmentation between users and apps and between apps and other apps; and management of digital certificates. 
    BeyondCorp Enterprise lets admins check URLs in real-time and scan files for malware; create rules for what types of data can be uploaded, downloaded or copied and pasted across sites; and track malicious downloads on company-issued devices and monitor whether employees enter passwords on known phishing sites. 



    National Crime Agency warns novice and veteran traders alike of rise in clone company scams

    A warning has been issued by UK watchdogs of a rise in clone company scams targeting those looking for investment opportunities to recover financially from COVID-19.

    On Wednesday, the UK’s National Crime Agency (NCA) and Financial Conduct Authority (FCA) issued an alert to the public concerning “clone company” scams which appear to be claiming not only novice investors but also veteran players in the market.
    The FCA says that these forms of scams are on the rise, with increased rates reported since the UK went into its first lockdown during March 2020. 
    In total, investors have lost over £78 million ($107m), a figure which is likely to continue to rise. Average losses are reported as £45,242 per victim, according to Action Fraud research.
    Clone company investment scams go beyond typical phishing emails or dubious social media links promising an immediate return on your cash. Fraudsters use the same name, address, and Firm Reference Number (FRN) issued to authorized investment companies by the FCA and then during phishing, social media, and cold-call messages they send sales materials containing links to legitimate company websites. 
    However, the masquerade only goes so far: once trust is established, investors are hoodwinked into parting with funds intended for the legitimate company, only for their money to go straight into the coffers of scam artists. 
    It may not seem all that different from typical phishing campaigns, but this form of investment fraud technique is not as well-known as it should be. In an FCA survey, 75% of investors said they felt confident enough to spot a scam — but 77% did not know or were unsure of what a clone investment company was. 

    “A clone firm scam can target anyone, they are usually smart fraudsters who often present opportunities which look very tempting indeed,” commented Watchdog presenter Matt Allwright. “When considering your next investment, make sure you only ever use the details listed on the FCA Register, and think about getting impartial advice before going ahead.”
    The NCA recommends that traders reject all unsolicited investment offers whether made online, through social media, or through the phone, and to check both the FCA Register and warning list — as well as any telephone numbers associated with entities — before signing up for financial products. It is also worth seeking independent advice before taking the plunge in a new investment opportunity. 
    Clone company scams that dupe even seasoned investors can be difficult to detect, but this is not the only form of financial fraud that has exploded online since the start of the pandemic. 
    Earlier this month, Interpol warned of a flurry of investment scams taking over dating applications. “Matches” work to obtain a potential victim’s trust and then begin to peddle a fake investment opportunity, encouraging them to join and promising to help them on their way to make a fortune. 
    Once the victim has parted with their cash, the match vanishes and they are locked out of their fake ‘investment’ account. 


    Emotet: The world's most dangerous malware botnet was just disrupted by a major police operation

    The world’s most prolific and dangerous malware botnet has been taken down following a global law enforcement operation that was two years in planning.
    Europol, the FBI, the UK’s National Crime Agency and others coordinated action which has resulted in investigators taking control of the infrastructure controlling Emotet, in one of the most significant disruptions of cyber-criminal operations in recent years.


    Emotet first emerged as a banking trojan in 2014 but evolved into one of the most powerful forms of malware used by cyber criminals.
    Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware – regular themes include invoices, shipping notices and information about COVID-19.
    Those behind Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.
    This resulted in Emotet becoming what Europol describes as “the world’s most dangerous malware” and “one of the most significant botnets of the past decade”, with operations like the Ryuk ransomware and the TrickBot banking trojan hiring access to machines compromised by Emotet in order to install their own malware.

    The takedown of Emotet, therefore, represents one of the most significant actions against a malware operation and cyber criminals in recent years.
    “This is probably one of the biggest operations in terms of impact that we have had recently and we expect it will have an important impact,” Fernando Ruiz, head of operations at Europol’s European Cybercrime Centre (EC3) told ZDNet. “We are very satisfied.”
    A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure of hundreds of servers around the world and disrupted it from the inside.
    Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit the compromised machines and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations.
    “Emotet was our number one threat for a long period and taking this down will have an important impact. Emotet is involved in 30% of malware attacks; a successful takedown will have an important impact on the criminal landscape,” said Ruiz.
    “We expect it will have an impact because we’re removing one of the main droppers in the market – for sure there will be a gap that other criminals will try to fill, but for a bit of time this will have a positive impact for cybersecurity,” he added.
    The investigation into Emotet also uncovered a database of stolen email addresses, usernames and passwords. People can check if their email address has been compromised by Emotet by visiting the Dutch National Police website.
    Europol is also working with Computer Emergency Response Teams (CERTs) around the world to help those known to be infected with Emotet.
    In order to help protect against malware threats like Emotet, Europol recommends using anti-virus tools along with fully updated operating systems and software – so cyber criminals can’t exploit known vulnerabilities to help deliver malware. It’s also recommended that users are trained in cybersecurity awareness to help identify phishing emails.
    The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.
    The investigation into Emotet, and identifying the cyber criminals responsible for running it, is still ongoing.
