More stories


    KingComposer patches XSS flaw impacting 100,000 WordPress websites

    A reflected cross-site scripting (XSS) vulnerability impacting 100,000 websites has been patched in the KingComposer WordPress plugin. 

    KingComposer is a drag-and-drop page builder for WordPress-based domains that removes the need to program or directly code websites powered by the content management system (CMS). 
    The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and issued a severity score of 6.1, the security flaw was found in Ajax functions used by the plugin to facilitate page builder features. 
    One of the Ajax functions was not in active use but could still be invoked by sending a POST request to the admin-ajax.php script with the action parameter set to kc_install_online_preset.

    The function renders JavaScript that incorporates several request parameters, each of which is base64-decoded first. 
    “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser,” the researchers say. 
    Reflected XSS vulnerabilities rely on the victim performing a particular action to trigger the attack. This can be achieved, for example, by serving malicious links that need to be clicked on; if successful, the attack could lead to browser session hijacking or malware download and execution. 
    The Wordfence Threat Intelligence team attempted to contact the developers of the plugin a day after their discovery. However, there was no response, leading to the team reaching out directly to the WordPress Plugins team on June 25. By June 26, contact was made with the KingComposer developers and a patched version of the plugin, version 2.9.5, was released on June 29. 
    The security issue was resolved by removing the vulnerable, and obsolete, Ajax function.
    At the time of writing, 62.1% of users have updated to version 2.9.5, so 37.9% of websites with KingComposer enabled are still at risk of exploitation.  
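    As an added example (not code from Wordfence, ZDNet or the KingComposer plugin), the following Python script turns the details above into two defender-side checks: it flags requests in a web-server access log that call the obsolete kc_install_online_preset action on admin-ajax.php and base64-decodes the kc-online-preset-data parameter for triage, and it tells whether an installed plugin version is still below the fixed 2.9.5 release. The log format, IP addresses and payload string are constructed for this example.

```python
"""Added example (not from the Wordfence write-up or the KingComposer plugin):
defender-side triage helpers for CVE-2020-15299.

  1. find_preset_requests(): flag access-log requests that invoke the obsolete
     kc_install_online_preset Ajax action on admin-ajax.php and, for triage,
     base64-decode the kc-online-preset-data parameter to see whether it
     carries markup (the plugin decoded it and rendered it into JavaScript).
  2. is_below_fix(): decide from an installed plugin version whether a site is
     still below the patched release, 2.9.5.
The log format and every sample line below are constructed for this example.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

FIXED_VERSION = (2, 9, 5)                 # patched release named in the article
VULN_ACTION = "kc_install_online_preset"  # obsolete Ajax action
DATA_PARAM = "kc-online-preset-data"      # parameter the plugin base64-decoded

# Constructed payload: a harmless marker, base64-encoded the way the plugin expected.
CONSTRUCTED_PAYLOAD = base64.b64encode(b"<script>/*constructed*/</script>").decode("ascii")

# Constructed NCSA-style access log: one benign Ajax call, one GET carrying the
# preset data in the query string, one POST whose body is not logged, one unrelated hit.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Jul/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51',
    '203.0.113.9 - - [10/Jul/2020:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action='
    + VULN_ACTION + "&" + DATA_PARAM + "=" + quote(CONSTRUCTED_PAYLOAD, safe="")
    + ' HTTP/1.1" 200 310',
    '203.0.113.9 - - [10/Jul/2020:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action='
    + VULN_ACTION + ' HTTP/1.1" 200 310',
    '198.51.100.2 - - [10/Jul/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into ip, method, path, query params and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "params": params, "status": int(m.group("status"))}


def decode_preset_data(value):
    """Return (decoded text, looks_like_markup); (None, False) if not valid base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None, False
    text = raw.decode("utf-8", errors="replace")
    return text, bool(re.search(r"<\s*/?\s*[a-zA-Z]", text))


def find_preset_requests(log_text):
    """Flag every admin-ajax.php request whose action is the obsolete preset function."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or not req["path"].endswith("/admin-ajax.php"):
            continue
        if req["params"].get("action") != VULN_ACTION:
            continue
        data = req["params"].get(DATA_PARAM)
        if data is None:
            # A POST carries the parameters in the body, which access logs do not record.
            decoded, markup, note = None, False, "data not in log (may be in POST body)"
        else:
            decoded, markup = decode_preset_data(data)
            note = "decoded data contains markup" if markup else "decoded data has no markup"
        hits.append({"ip": req["ip"], "ts": req["ts"], "method": req["method"],
                     "decoded": decoded, "markup": markup, "note": note})
    return hits


def parse_version(version):
    """'2.9.4' -> (2, 9, 4); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_below_fix(installed):
    """True when the installed KingComposer version predates the 2.9.5 fix."""
    return parse_version(installed) < FIXED_VERSION


if __name__ == "__main__":
    for hit in find_preset_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} action={VULN_ACTION}: {hit['note']}")
    for v in ("2.9.4", "2.9.5"):
        print(f"KingComposer {v}: {'update required' if is_below_fix(v) else 'patched'}")
```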



    Is Singapore ready to govern a digital population?

    As Singapore ramps up efforts to drive digitalisation across the local community, its government will need to transform the way it governs its population, which increasingly will access more information and demand answers as more of their personal data goes online. A change in mindset will also be necessary to ensure policies remain relevant and are truly adapted to a new digital economy and digital population. 
    Singapore over the past several years has invested significant resources towards becoming a digital economy, rolling out an ambitious smart nation roadmap, driving the adoption of emerging technologies, and overhauling its own ICT infrastructure. 
    With the global pandemic now adding new impetus to digital transformation, the government has made a concerted effort to drive digital adoption deeper into the business community and local population. 


    It established a new office to work alongside the business community and local population to push the “national digitalisation movement”. Initiatives would include the deployment of 1,000 “digital ambassadors” to help stallholders and seniors go digital and setting up of 50 digital community hubs across the island to offer one-to-one assistance on digital skills.
    A new ministerial committee will also coordinate the country’s digitalisation efforts and focus on priorities such as assisting people in learning new skills and galvanising small businesses to go digital. More funds and resources have been further directed to facilitate digital transformation initiatives.

    However, amidst the renewed urgency to go digital, the government has seemingly overlooked the need to also review how it engages and governs a population that will increasingly be connected and, as it hopes, digitalised.
    Take its recent plans for a COVID-19 contact tracing wearable device, for instance. When news about its development broke, several took to social media platforms to decry the potential invasion of their privacy and an online petition urged the public to reject its use. The outcry prompted the government to reveal more details about the device in hopes of easing privacy concerns, adding that its use would not be made mandatory — for now, at least. Some 10,000 units of the wearable device have since been distributed to the country’s elderly. 
    But while it has taken the time to explain its position and development of contact tracing tools, the Singapore government appears less patient when it involves other voices critical of its policies. 
    Specifically, it has used the Protection from Online Falsehoods and Manipulation Act (POFMA) against several of its political opponents, issuing five correction directions — four of which involved politicians or political platforms that opposed the government — within a month after the legislation kicked in last October. The fifth was issued to Facebook after the author of the alleged falsehood refused to comply with the original correction direction. 
    Multiple correction orders were issued this past week alone, as candidates went on their campaign trail for the country’s July 10 General Elections. 
    In dismissing early concerns POFMA would be used to silence critics of the government, Singapore’s Minister for Communications and Information S. Iswaran said in May last year that similar concerns were raised when the class licensing scheme was introduced under the Broadcasting Act in 1966. But since then, Iswaran had noted, industry regulator Infocomm Media Authority (IMDA) had issued 39 take-down notices or just more than one incident a year, on average. 
    So, is there now real cause for Singaporeans to worry about POFMA? This question will be increasingly relevant as the government’s digitalisation efforts pick up momentum and more go online and, correspondingly, begin airing their personal thoughts on social media and other online platforms, including statements that might be deemed to be falsehoods.
    How many more POFMA directives then may be issued? Will the POFMA Office be able to keep up?
    In addition, as more come online along with their personal data, more questions will be asked about why the government needs to collect citizens’ personal information, how it plans to use this data, and what recourse will citizens have should their data be breached while in the care of their government. 
    More transparency as well as accountability will be required on the government’s part, especially as emerging technologies such as artificial intelligence (AI) and facial recognition advance and become real-world reality. Without transparency, there is no trust. And without trust, as the government itself knows, it will be difficult to drive the adoption of technologies such as AI amongst the general population. 


    In explaining why trust underpinned everything, whether it was data or AI, Iswaran himself had said: “Ultimately, citizens must feel these initiatives are focused on delivering welfare benefits for them and ensured their data will be protected and afforded due confidentiality.”
    However, it can be difficult to convince Singaporeans their data is truly protected — and afforded due confidentiality — when this data isn’t managed under the same Personal Data Protection Act (PDPA), which safeguards data held by the private sector, when it is used and managed by the public sector. 
    While the government has argued that this exemption is necessary to facilitate the smooth delivery of public services, and that government agencies are still accountable for the protection of citizen data, the fact remains that different laws are applied here. And as far as citizens’ personal data is concerned, this optic can stir up public scepticism and distrust — whether warranted or not. 
    In its desire to drive digitalisation nationwide, Singapore’s government has to realise a mindset change will also be required in the way it governs and engages its population. 
    If it fails to do this, it risks going the way of business transformation plans that neglected the importance of including leadership reform in its change management strategy.
    After all, the key word in digital transformation isn’t digital, but transformation. 
    And the reality is that 70% of large-scale transformation initiatives fail, often due to a lack of employee engagement and insufficient leadership support. Ensuring the long-term success of such projects also requires a major “reset in mindsets and behaviours”, something which few leaders are able to achieve, according to a McKinsey report.
    The consulting firm underscored the need to “upgrade the organisation’s ‘hard wiring’” because a digital environment not only required new ways of working, but also changes to the organisation’s overall culture. Leaders, too, needed to let go of old practices such as command-and-control supervision.
    For the Singapore government, this may mean recognising that criticism against its policies and officers isn’t necessarily a manifestation of a “trial by internet” culture. Sometimes, it simply reflects a desire amongst citizens who genuinely care about the country and want to see the nation correct its wrongs. 
    This is further demonstrated by the fact that some of these commentators no longer hide behind the anonymity of the internet and are willing to speak publicly under their true identity. It is reflective of an online community that has evolved and matured, and is deserving of a government that is willing to do the same.
    Should the government resist change within its own ranks, it risks alienating its citizens and may end up with a disengaged population. 
    In stressing the importance of strong leadership in digital transformation, consulting firm Deloitte states: “It is not enough to simply command that an organisation become more digital. The transformation must be driven by a shift in the leadership culture and people’s willingness to adapt and evolve. At a leadership level, this requires individuals who embrace uncertainty, who can connect across boundaries, who can visualise new possibilities, and who can ignite others behind an exciting vision for the future. Looking for these adaptable traits in your leadership is critical to facilitating the organisation’s adaptation to disruption.”
    As its voters head to the polls today, a question begs to be asked: Is Singapore ready for a digital population?


    Services Australia among those found breaching privacy laws

    The Office of the Australian Information Commissioner (OAIC) has made available the outcomes of its latest privacy complaint investigations, including a determination made against Services Australia.
    In the complaint against the CEO of Services Australia, Australian Information and Privacy Commissioner Angelene Falk found that the federal government department interfered with the complainant’s privacy as defined in the Privacy Act 1988 by breaching one of the guiding privacy principles.
    Specifically, the department disclosed the complainant’s personal information in breach of privacy principle 11.
    Australian Privacy Principles (APP) 11 requires an APP entity to take active measures to ensure the security of personal information it holds, and to actively consider whether it is permitted to retain personal information.
    The entity must also take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification, or disclosure; and they must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.

    However, this requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information.
    In her declaration, Falk said she found that Services Australia engaged in conduct constituting an interference with the privacy of the complainant; and must pay the complainant AU$3,000 for non-economic loss caused by the interference with the complainant’s privacy within 60 days of the date of determination. The determination was made on 30 June 2020.
    The complainant’s grievance relates to the collection of her personal information by the former Child Support Agency (CSA) and former department administering child support, and subsequent disclosure to the complainant’s ex-partner in 2012. Services Australia now administers child support.
    As explained by the OAIC, the complainant applied to CSA for a change of assessment to the amount of child support paid by her ex-partner. On receipt of the ex-partner’s objection review application, CSA collected the complainant’s personal information from her bank, but did not notify her of that action.
    The complainant applied to the Social Security Appeals Tribunal for a review of the objection decision, at which time CSA disclosed the complainant’s personal information to the Tribunal and to the ex-partner as part of the Tribunal review process.
    The complainant claimed that the bank statement revealed her personal information in the form of places she frequented. The complainant added that she feared harm from the ex-partner and that she had attempted to keep her location unknown to him.
    She had previously obtained a Family Violence Order against the ex-partner.
    The complainant was originally seeking compensation of AU$30,000.
    Other recent determinations made by Falk include compensation of AU$3,000 for non-economic loss and AU$2,000 for aggravated damages to a complainant over a breach of privacy principle 12 by a psychologist; and, in a breach of several privacy principles by a medical clinic, compensation of AU$10,000 for non-economic loss and AU$3,400 for economic loss to the first complainant and AU$3,000 for non-economic loss to the second complainant.


    CyberCX scoops up Basis Networks to expand security capabilities

    The group of security companies headed by two of the country’s technology and cyber veterans, CyberCX, has announced the acquisition of Melbourne-based Basis Networks.
    Basis Networks has a focus on securing mission-critical networks, with CyberCX CEO John Paitaridis saying the acquisition is aligned with his company’s strategy to accelerate the growth of its network security, managed services, integration, and engineering capability.
    The startup was founded in 2015 and provides a broad suite of cybersecurity professional services to the likes of the Australian Energy Market Operator, Australia Post, JB Hi-Fi, Bupa, and McMillan Shakespeare.
    CyberCX told ZDNet that the Basis Networks team would join its venture and its co-founder and managing director Tom Allan would be assuming a senior leadership role based in Victoria upon the closure of the deal.
    Completion of the acquisition is subject to a small number of conditions, including regulatory approval, which should be completed in the coming weeks. The value of the deal is undisclosed.

    “We are pleased to add Basis Networks’ capabilities, experience, and customer-focused approach to CyberCX’s comprehensive security service offerings,” Paitaridis said. “Increasingly customers are looking for end-to-end solutions for their network, security, and cloud services. CyberCX is committed to working with customers to advise, build, implement and manage security solutions; we are committed to supporting organisations through the journey.”
    Allan, meanwhile, said joining CyberCX was a “natural fit” for his company.
    “Organisations are looking for a trusted sovereign partner to help them manage their cybersecurity risk. A combination of COVID-19 and recent targeted attacks from state-based actors reinforces the need for Australian businesses and government to urgently uplift cybersecurity capability.” Paitaridis added.
    “Corporate networks represent a key vulnerability for Australian businesses, especially with a large proportion of the economy engaged in remote working. Basis Networks’ reputation for providing highly secure network infrastructure and cloud solutions will strengthen CyberCX’s position as Australia’s leading cybersecurity service provider.”
    CyberCX, formed in October 2019 and backed by private equity firm BGH Capital, brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co., Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre (ACSC) and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as Paitaridis, who was formerly Optus Business’ managing director.
    The Basis Networks acquisition follows CyberCX recently scooping up another Melbourne-based cybersecurity specialist startup Identity Solutions.


    Google bans stalkerware ads

    Google announced plans this week to ban ads that promote stalkerware, spyware, and other forms of surveillance technology that can be used to track other people without their specific consent.
    The change was announced this week as part of an upcoming update to Google Ads policies, set to enter into effect next month, on August 11, 2020.
    Examples of products and services that advertisers won’t be able to promote via Google Ads anymore include:
    Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history;
    GPS trackers specifically marketed to spy or track someone without their consent;
    Promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.
    Google said that private investigation services or products designed for parents to track or monitor their underage children are not banned under this new policy and will still be allowed to be advertised on its platform.
    Offenders who promote stalkerware will receive a seven-day warning, after which they’ll be banned if they don’t remove the offending ads.
    Fight against stalkerware is picking up

    Google’s crackdown against stalkerware ads comes after the antivirus industry has banded together to add detections for stalkerware products in their virus scanning engines.
    After improving their products, antivirus companies, along with several domestic abuse frontline organizations, also founded the ‘Coalition Against Stalkerware’ in November 2019, as the first global initiative of its kind, set up to raise awareness of the growing threat of stalkerware.
    For those unfamiliar with the terms, stalkerware is a form of malware that is part of the larger spyware class.
    Stalkerware refers to spyware apps marketed for use within relationships, which abusive partners install on the devices of their loved ones without their knowledge or consent — hence why stalkerware is also sometimes referred to as spouseware.
    Stalkerware use has skyrocketed over the last decade due to the proliferation of smartphones, as it allows jealous partners to keep tabs on their partners at all times just by tracking their phone.
    Furthermore, the easy availability of stalkerware products on official app stores has also increased the visibility of these products and opened their reach to millions of potential users.
    While Google, Apple, antivirus makers, and the FTC have cracked down on some of these apps, they have not gone away for good, but are actually more popular than ever.
    According to statistics gathered by antivirus vendor Kaspersky, the number of users who had stalkerware-like apps installed on their Android devices rose from 40,386 devices detected in 2018 to more than 67,500 in 2019.
    The good news is that, according to independent antivirus testing lab AV-Comparatives and the Electronic Frontier Foundation, detection rates for stalkerware applications on Android and Windows devices have slowly improved, as the issue is gaining more press coverage and security vendors are moving in to address the growing risk.
    By limiting the visibility of stalkerware products on its advertising platform, Google has helped take away some of the traffic these malicious apps are getting on their sites.


    Zoom working on patching zero-day disclosed in Windows client

    Video conferencing software Zoom is working on patching a zero-day vulnerability that was disclosed online earlier today in a blog post by cyber-security firm ACROS Security.
    The security firm said the zero-day impacts Zoom’s Windows client, but only when the clients are running on old Windows OS versions, such as Windows 7 and Windows Server 2008 R2 and earlier.
    Zoom clients running on Windows 8 or Windows 10 are not affected, according to ACROS Security CEO Mitja Kolsek.
    “The vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file,” Kolsek said.
    “No security warning is shown to the user in the course of attack,” he added.

    Kolsek said ACROS did not discover the vulnerability by itself, but instead received it from a security researcher who wanted to keep their identity secret.
    ACROS reported the zero-day to Zoom earlier today and released an update to its 0patch client to prevent attacks for its own customers until Zoom releases an official fix. A demo of the zero-day being exploited, and then blocked by the 0patch client is available below.
    ACROS didn’t publish any kind of technical details about the zero-day, but in a canned statement ZDNet received today from a Zoom spokesperson, the company confirmed the vulnerability and the report’s accuracy.
    “Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”
    A Zoom spokesperson could not commit to a timeline of when the fix would be available due to the unpredictability of developing a comprehensive fix; however, a patch is currently in the works.
    Zero-day disclosed days after “feature freeze” ended
    After the discovery and disclosure of several security issues with Zoom’s service, on April 1, the company paused development on all new features to focus solely on security and privacy-related improvements and bug fixes.
    This period of feature freeze during which the company focused on improving the app’s security ended on July 1, last week.
    Days before, on June 24, Zoom also hired a new Chief Information Security Officer (CISO) in Jason Lee, who previously served as Salesforce’s Senior Vice President of Security Operations.
    During its feature freeze period, Zoom also hired Luta Security to help the company set up a professional bug bounty program. Zoom and Luta Security ended their collaboration on the day of Lee’s hiring.


    How to ensure your workplace does not become a new source of COVID-19 infections

    While the number of COVID-19 infections is on the rise globally, some countries have started to relax lockdown measures and reopen their economies. As a result, many employers have welcomed back employees into physical workplaces. Unfortunately, the workplace is often the source of new outbreaks. 

    In Italy, for example, a courier express company experienced a surge in infections among employees, with over 40 of them testing positive so far. The company is now working with local health professionals to contain the outbreak. In Germany, a meat factory experienced the country’s biggest single outbreak since the beginning of the pandemic. More than 2,000 people contracted the virus in the area where the meat processing factory operates, with many of the infections linked directly with the factory itself. And in early June, Beijing saw the number of new infections rising and decided to impose new lockdown measures. A wholesale market was identified as the place where the outbreak started. 
    The risk that the workplace becomes a source of a new outbreak is real. As countries have reopened, we’ve advised employers to think carefully about the measures, protocols, and procedures to put in place to create adequate health and safety conditions. We’ve also helped clients identify the most critical risks to mitigate as their employees return to work. While most employers are taking appropriate measures to create a safe workplace — many are even deploying contact tracing solutions in the workplace or providing medical screening of both employees and customers before entering — there is still not nearly enough attention on how to ensure safer conditions for employees during their journey to and from work. There are several ways to mitigate this risk: 
    Enable work-from-home and remote policies. Our research shows that more than 50% of employers worldwide have asked employees to work from home or remotely more than usual during the pandemic. Many companies we talked to also revealed they have long-term plans to introduce more flexible work policies for employees, allowing between 20% and 50% of them to work remotely on a normal basis. Many jurisdictions also protect an employee’s right to refuse unsafe work; for example, Germany has introduced a “right to work from home.” But working from home is not a possibility for everyone. Our data shows this is true for just one in three employees in Singapore and the US. Across Europe, the share of those who cannot work from home or remotely is significantly higher, reaching 52% in France. We know for a fact that commuting to and from work increases the risk of infection: In one study in San Francisco, 90% of individuals who tested positive (2.1% of the 4,160 people tested) couldn’t work from home during the shelter-in-place order, and most lived in households of three to five people or more. 
    Support travel during off hours and promote alternatives to public transport. In the UK, the company responsible for local transport in London and its suburbs provides guidance for safer journeys, which largely focuses on avoiding busy times or public transport altogether where possible. The Italian government issues vouchers to citizens who want to buy a bicycle. But employers must play their part to mitigate this risk. Pandemic planning protocols do not generally have a lot to offer. From our interviews, we learned that experiences range from a complete lack of planning, to employees deciding to pay for their own taxis, to a few company schemes for paid private cars or accommodations. Employers can do more. In the UK, Cyclescheme, a 20-year-old cycle-to-work provider, has created a COVID-19 hub to help employers and employees get to work on a bicycle. 
    Appoint a “mobility manager.” In Italy, organizations that have more than 100 employees must now hire a “mobility manager.” This role was originally created in 1998 to help large organizations in crowded cities figure out ways to assess and reduce the environmental impact of their workforce going into work. The mobility manager was originally responsible for creating a yearly map of the employees’ commutes to and from work with the intent of suggesting and encouraging “greener options.” But a mobility manager can also help mitigate COVID-19-related risks to commuters. If regularly updated and made a companion to your pandemic management protocol, the map can provide rich information for assessing health- and safety-related risks of employees commuting to work and for choosing mitigation strategies that suit the specific needs of your organization. 
    For more information and guidance about pandemic management, visit Forrester’s COVID-19 Hub. 
    This post was written by Senior Analyst Enza Iannopollo, and it originally appeared here. 
