More stories

    Cyber must be part of all-hazards national resilience: Home Affairs chief

    Cyber resilience needs to be part of a coherent “all vectors and all sectors” approach to national security, according to Mike Pezzullo, Secretary of Australia’s Department of Home Affairs.
    National security itself also needs to be discussed more broadly, he said. Not everything should become a national security problem, but he does believe in a whole-of-society approach to fostering resilience.
    “I am in favour … of emphasising concepts such as ‘self-reliance’ and ‘sovereign capability’ in national policy discourse, which would require the closer integration of security, economic, and social policy,” Pezzullo told the National Security College in Canberra last week.
    “We should logically separate the ‘vector’ — whether it be an invading army, an enemy fleet, terrorists, saboteurs, cyber hackers, violent criminals, extreme weather events, or a global pandemic, and so on — from the ‘sectors’ of society and the economy which are likely to be impacted, and which will need to be defended, mobilised, and/or remediated,” he said.
    “Relatedly, the logic and language of war in security thinking should be reduced to its proper and legitimate place, which is to say the field of armed conflict — where it has enough to do.”
    Pezzullo’s speech cited five centuries of political philosophy, among other things, to outline a conceptual framework for national security.
    “Security is a means to an end. Its effects enable the pursuit of happiness and prosperity, which are the greater ends,” he said.
    “If one were to construct a national risk register, it would be immediately apparent that some are not ‘national security’ issues at all.”
    The speech also built on Pezzullo’s speech from March 2019, “Seven Gathering Storms — National Security in the 2020s”, by listing an even greater range of potential risks that might arise in the coming century, through to 2120.
    Too long to reproduce in full here, the list included: a Great Power war that might even go nuclear; weapons of mass destruction used outside a nation-state conflict; terrorism and politically-motivated violence; massive economic damage by transnational criminal networks; supply chain risks; a global pandemic; “the adverse consequences of advanced technology, especially artificial intelligence and synthetic biology”; natural disasters; and much more.
    “This is an apocalyptic list to be sure,” he said.
    “Indeed, in relation to ways in which humanity might become extinct you will find arguable cases for the following scenarios, amongst others: A deliberately released, humanity-killing synthetic virus; super volcanic eruptions which block the Sun; the Terminator AI threat; a nuclear apocalypse; and, yes, the killer asteroid.”
    To face these risks, Pezzullo put forward the concept of an “extended state”, which he described as a “networked and dynamic conception of security which comprehends sectors across society and the economy”.
    This extended state would include the “entire apparatus” of the Australian government, not just the core agencies. It would convene and coordinate activities with the state, territory, and local governments, and beyond.
    That includes “the business sector, including finance and banking; food and groceries; health and medical services; transport, freight and logistics; water supply and sanitation; utilities, energy, fuel, telecommunications; the scientific and industrial research establishment; as well as not-for-profit and community organisations, including charities; and households as might be required”.
    It is the extended state that needs to respond to these vectors of risk, according to Pezzullo.
    Such systems have been built before, for counterterrorism (CT) for example, especially after the 9/11 terrorist attacks in 2001.
    “The states and territories and others all had to mobilise around the prospect of mass-casualty attacks. We built a lot of depth and ballast in our CT arrangements, and they’ve been honed over about 20 years,” Pezzullo said.
    “They are fit for purpose for that vector and sector problem. They are not necessarily easily replicated [for other matters].”
    A more recent example is Australia’s response to the COVID-19 pandemic, where coordination between governments was established differently, through the rapidly formed National Cabinet.
    “Let’s not reinvent the wheel in relation, for instance, to cyber resilience,” Pezzullo said.
    “States and territories and indeed municipal governments… hold a lot of data. They manage a lot of sensitive networks, either directly or by way of infrastructure that they license through state utility arrangements and the like,” he said.
    “Don’t just have a [single] sector response to a vector problem.”
    Home Affairs isn’t ‘tyrannical’ or ‘despotic’
    Pezzullo responded to an audience question about authoritarianism and state secrecy by referring to the recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.
    “Let’s have a sensible discussion,” he said.
    “Let’s just be open and upfront that the notion that somehow the colleagues that I’ve just identified [in law enforcement and intelligence], myself included, are tyrannical, despotic, you know, plotting behind closed doors to oppress the Australian population were it only for, you know, the altruistic fourth estate [the media], is frankly just an exaggeration, a caricature, and a trope.”
    Agencies are under “Royal Commission-level coercive oversight every day” and that’s “liberating”, according to Pezzullo.
    “You know what the rules are. A royal commissioner could roll into my organisation, into anything we’re doing, at any time, and out whatever they want,” he said.
    “And that’s frankly liberating because you go, ‘Yep’, you’ve got that self-restraining, self-censoring idea of you’ve got to do the right thing anyway and, if you don’t, you’re going to get caught anyway.”
    Pezzullo was speaking off the cuff, so, to be fair, one shouldn’t parse these comments too finely.
    Nevertheless, your correspondent still wonders whether “Don’t do bad things because you might get caught” is the best way to portray an organisational culture.
    It’s also unclear how this squares with the evidence given to Senate Estimates on Monday, where he was asked about the alleged cash-for-visa scheme that is currently being investigated by the NSW Independent Commission Against Corruption (ICAC).
    When asked how the matter under ICAC investigation compared with the incidents seen within Home Affairs, Pezzullo said that “we see lots of things in the department”.
    “In fact, we see highly organised criminality. We see the loosely organised or casual opportunistic criminality. We see inadvertent either criminality or civilly sanctionable activity,” he said.
    “It’s a constant enforcement and compliance activity.”
    Yet compliance hasn’t always been Home Affairs’ top strength.
    An example of this was seen in February this year, when Home Affairs was savaged by the PJCIS for its poor oversight of data retention laws. Also in the Home Affairs portfolio, Australian Federal Police officers were found in 2017 not to have fully appreciated their responsibilities under those laws.

    Kleenheat customer names and addresses exposed in system breach

    Australian gas producer Kleenheat has warned a number of its customers about a data breach that may have resulted in information such as name and address being exposed.
    The Perth-based retailer and distributor believes the breach occurred in 2014 on a third-party system. ZDNet understands that system is no longer in use.
    “The potential disclosure was recently identified by Kleenheat during a routine data security check, and did not occur within Kleenheat’s internal systems,” the company wrote in an email to customers.
    Kleenheat referred to the data at potential risk as “general contact information”, confirming that it included name, residential address, and email address. It “reassured” customers that phone numbers, dates of birth, and bank, credit card, and account details were not breached.
    “As soon as we identified the issue, we moved quickly to secure the information and we are not aware of any associated malicious activity,” Kleenheat added.
    “Please be assured that we will continue to monitor for any potential suspicious activity in our systems.”
    ZDNet understands only affected customers received the notification.
    The company said it has been in contact with relevant authorities, such as reporting the incident to the Office of the Australian Information Commissioner.

    Australian government takes another swing at revamping visa processing system

    The Australian government has provided more details on its plan to develop a whole-of-government platform, called Permissions Capability, which it expects to use for delivering Commonwealth digital services that require permissions.
    Speaking on Monday during Senate Estimates, Secretary of the Department of Home Affairs Mike Pezzullo explained that the government envisions Permissions Capability would be used for government services such as visas, import and export permits, licences, accreditation, declarations, and registrations.
    “Future use cases, subject to government approval, could include employment suitability clearances, the licensing of companies to import and sell illicit tobacco along with associated compliance measures to illicit tobacco, police checks, permits to import and export certain goods, Australian government security accreditation, for example, an aviation security identification card or ASIC, as well as complex visa products,” he said.
    The federal government first signalled plans to build its permissions platform back in July.
    The first cab off the rank for this new system would be the development of a Digital Passenger Declaration (DPD), which is set to replace the existing manually processed, paper-based incoming passenger card and the separate COVID-19 health declaration.
    According to the government, the DPD would let Australia-bound travellers provide their incoming passenger information via their mobile device or computer, while also allowing certified COVID vaccination certificates to be digitally uploaded and linked if and when they become available.
    Acting Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs Alan Tudge and Minister for Government Services Stuart Robert jointly said the DPD would enable information to be collected and shared more efficiently, while still allowing it to use the same authority for collection.
    “Currently, the government collects a range of passenger information, including contact details, customs, and biosecurity information from citizens and non-citizens entering Australia using a manual, paper-based process,” Tudge said.
    “This new capability will strip away the need to scan paper cards. It will facilitate data sharing between state and territory health departments and enable swift verification of information provided by passengers.
    “In the future, collection and verification of information will assist in managing risk at the international border when international travel returns.”
    Tudge touted it would also streamline the national response to COVID-19 contact tracing by speeding up information collection and processing.
    The unveiling of plans to simplify COVID-19 contact tracing at airports coincided with the New South Wales government announcing that passengers could now use the Service NSW app to check in for contact tracing at Sydney Airport by scanning a unique QR code located at the domestic and international terminals. The app automatically captures the date, time, and location of the check-in, which is stored for 28 days solely for the purpose of contact tracing before being deleted.
    Additionally, the federal government outlined in its Permission Capability information paper [PDF] that it would develop what it has dubbed a “simple” digital visa product as part of the initial phase of delivering its Permission Capability.
    The simple visa product would include a digital application that would be made available for non-citizen travellers who meet certain visa criteria. It would also be used to integrate multiple visas on the new system when they become digitised, as well as streamline the application process, and facilitate visa holders’ movement through international borders.
    Earlier this year, the federal government terminated its contentious request for tender process for its proposed Global Digital Platform (GDP).
    The Department of Immigration and Border Protection — now Home Affairs — went to tender initially in September 2017, seeking a provider to design, implement, and operate a new visa business.
    At the time, it was explained that the new visa business would be outsourced to another party that would be charged with processing visa applications.
    In 2018, a request for tender was published and quickly removed. It called for a private company to own and operate Australia’s visa processing system for a period of 10 years.
    After admitting that privatising Australia’s visa processing system was not the best idea, the government announced it would take a “broad new policy approach” by acquiring and delivering workflow processing capability within the Department of Home Affairs and other areas across government.
    “The government will implement modern, easy to access, digital services for clients,” Tudge said at the time. “This approach seeks integrated enterprise-scale workflow processing capability that could be utilised across the Commonwealth.
    “Key to this is recognising the efficiencies that can be generated from large-scale government investment in technology and the re-use of capability across government.”
    The Department of Home Affairs spent just shy of AU$92 million for design and procurement on the binned GDP project. Of that amount, AU$24 million was spent on the co-design and development of business requirements; AU$32 million on the GDP request for tender processes, probity, legal, and assurance; AU$18 million on departmental IT readiness; and AU$17 million on development of Business Rules.
    Another AU$65 million was spent on external contracts on the proposed GDP, the department revealed in May in response to questions on notice from Senate Estimates held in early March. Boston Consulting Group walked away with AU$43.5 million and KPMG with nearly AU$8 million.
    During Senate Estimates on Monday, Home Affairs First Assistant Secretary Stephanie Cargill revealed that the government had set aside an initial AU$74.9 million to begin building the base Permission Capability in 2021, which includes delivering the DPD and the simple digital visa product.
    Off the back of that response, Senator Kristina Keneally criticised the government for not prioritising the modernisation of the country’s existing visa system as part of the recent federal 2020-21 Budget.
    “I’m trying to understand how we’ve come to a point where you’ve spent AU$91 million on the visa privatisation that was then dumped in March, and now we’ve only got $74 million for simple visas, and yet experts say it’s going to take, again, another billion dollars to rebuild the visa processing system,” she said.
    “You’ve even agreed there were warning bells that have been going up since 2017. So, how do we have a Budget that has got a trillion dollars of debt, but yet has so little money allocated for … a visa system that is failing?”
    An open market request for tender to build and deliver the DPD and simple digital visa product will be issued before the end of October, the Department of Home Affairs said.

    Political campaign emails contain dark patterns to manipulate donors, voters

    US political candidates use psychological tricks and dark patterns in their emails to manipulate supporters to donate money and mobilize voters.
    In a study published earlier this month, academics from Princeton University said they analyzed more than 100,000 emails sent by candidates in federal and state races as well as Political Action Committees (PACs), Super PACs, political parties, and other political organizations.
    The emails were collected as part of a research project that began in December 2019. Emails are still being collected today, with the research team planning to make all the data public after the US fall election cycle.
    More than 280,000 emails from more than 3,000 senders were collected to date.
    “Our corpus has two orders of magnitude more emails than the largest corpus of election-related emails previously analyzed in the academic literature,” the Princeton researchers said.
    But while the full data will be made available in November, earlier this month the research team also published a paper [PDF] containing the results of a preliminary analysis of the first 100,000 emails they collected, from December 2, 2019, up to June 25, 2020.
    These days, most campaign emails are akin to spam, so most email users are already familiar with their content and purpose. Most campaigns struggle to get users to even open the emails, let alone read or take action — like sign up for rallies, go vote, or donate funds.
    The Princeton research team said the purpose of their research was to identify manipulative tactics and dark patterns used by political campaigns over the past year to get recipients to, at least, open their emails.
    Six tactics were identified, the researchers said. These were:
    Forward referencing or information withholding – Using subject lines like “bumping this for you” or “let’s prove him wrong,” which are generic enough to get users to open the email and investigate.
    Sensationalism – Emails with classic clickbaity subject lines like “(no!) Mark Kelly SLANDERED!” and “HUGE ANNOUNCEMENT.”
    Urgency – Emails with countdown timers, fake deadlines, or fake goals, using subject lines and phrases like “April Deadline (via Team Graham)” or “1 huge goal, 1 last chance to help reach it!”
    Obscured names – Emails where the senders obscured their identity, making it impossible for the recipient to learn who sent the email without opening it first.
    Ongoing thread – Emails where the sender modified their name into patterns like “John, me (2)” to trick users into thinking they had already replied to the email and that it was an ongoing conversation.
    Abuse of Re: / Fwd: – Emails where senders abused the “Re” and “Fwd” terms in subject lines to trick users into thinking the email was a reply or forwarded message.

    According to the researchers, the typical campaign used at least one of these tactics in about 43% of the emails they sent. Even if campaigns didn’t use these tactics on a regular basis, researchers said that 99% use them at least occasionally.
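    The six tactics above, and the per-campaign rate that follows from them, can be turned into a simple triage tagger for incoming mail. This is an added example, not code from the Princeton study or its corpus: the regexes and the list of generic display-name words are constructed heuristics that approximate the paper's categories, and the sample messages are constructed (three subject lines are the article's own examples).

```python
"""Heuristic tagger for the six manipulative e-mail tactics described above.

Added example; the patterns are constructed approximations, not the study's
classifier, and SAMPLE_EMAILS are constructed, not drawn from the corpus.
"""
import re
from email.utils import parseaddr

# Constructed heuristics, one per tactic in the article.
FORWARD_REFERENCING = [
    r"\bbumping\b", r"\bre-?sending\b", r"\blet'?s prove\b",
    r"\bquick (?:question|favou?r)\b", r"\bdid you see (?:this|it)\b",
]
URGENCY = [
    r"\bdeadline\b", r"\blast chance\b", r"\bhours? left\b", r"\bmidnight\b",
    r"\bgoal\b", r"\bcountdown\b", r"\bexpir(?:es|ing)\b",
]
# Display-name words that say nothing about who is actually sending.
GENERIC_NAME_WORDS = {"team", "breaking", "news", "alert", "update", "info", "campaign"}
REPLY_PREFIX = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.IGNORECASE)
THREAD_COUNT = re.compile(r",\s*me\s*\(\d+\)\s*$", re.IGNORECASE)
# Case-sensitive on purpose: shouting is about capitalisation.
SHOUTING = re.compile(r"\b[A-Z]{4,}\b|!!|\(no!\)")


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def classify(msg):
    """Return the set of tactic labels that apply to one message.

    msg is a dict with 'from' (raw From: header), 'subject' and an optional
    'headers' dict of other header names present on the message.
    """
    display_name, _addr = parseaddr(msg["from"])
    subject = msg["subject"]
    headers = msg.get("headers", {})
    tactics = set()
    if _any(FORWARD_REFERENCING, subject):
        tactics.add("forward_referencing")
    if SHOUTING.search(subject):
        tactics.add("sensationalism")
    if _any(URGENCY, subject):
        tactics.add("urgency")
    words = re.findall(r"[a-z]+", display_name.lower())
    if words and all(w in GENERIC_NAME_WORDS for w in words):
        tactics.add("obscured_name")
    if THREAD_COUNT.search(display_name):
        tactics.add("ongoing_thread")
    # A genuine reply or forward carries threading headers; a faked one does not.
    if REPLY_PREFIX.match(subject) and not ({"In-Reply-To", "References"} & set(headers)):
        tactics.add("reply_forward_abuse")
    return tactics


def tactic_rate(msgs):
    """Fraction of messages that use at least one tactic (the 43% figure above)."""
    return sum(1 for m in msgs if classify(m)) / len(msgs)


# Constructed sample messages; sender names and addresses are placeholders.
SAMPLE_EMAILS = [
    {"from": "Team Graham <team@example.org>", "subject": "April Deadline (via Team Graham)"},
    {"from": "Jane Doe for Senate <jane@example.org>", "subject": "bumping this for you"},
    {"from": "Jane Doe for Senate <jane@example.org>", "subject": "(no!) Mark Kelly SLANDERED!"},
    {"from": "Jane Doe for Senate <jane@example.org>",
     "subject": "1 huge goal, 1 last chance to help reach it!"},
    {"from": "Breaking News <info@example.org>", "subject": "Did you see this?"},
    {"from": '"John, me (2)" <john@example.org>', "subject": "Re: your response",
     "headers": {"Message-ID": "<abc@example.org>"}},
    {"from": "Jane Doe for Senate <jane@example.org>", "subject": "Our plan for rural broadband",
     "headers": {"In-Reply-To": "<xyz@example.org>"}},
]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(f"{m['subject']!r}: {sorted(classify(m))}")
    print(f"share using at least one tactic: {tactic_rate(SAMPLE_EMAILS):.2f}")
```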
    The Princeton academics said they looked into campaign emails because “manipulative political discourse undermines voters’ autonomy, generates cynicism and thus threatens democracy” and “distorts political outcomes by advantaging those who are skilled at deploying technological tricks, triggering a race to the bottom.”
    A website has also been set up where anyone can search through the email corpus, either by sender name or keywords. The website is updated daily with new emails.
    “We hope that our corpus will be useful for studying a wide array of traditional political science questions, including how candidates represent themselves to their would-be constituents, how and when campaigns go negative, and what tactics campaigns and organizations use to raise money and mobilize voters,” researchers said.

    Three npm packages found opening shells on Linux, Windows systems

    Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code.
    According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects.
    The shells, the term security researchers use for such remote command channels, allowed threat actors to connect remotely to the infected computer and execute malicious operations.
    The npm security team said the shells could work on both Windows and *nix operating systems, such as Linux, FreeBSD, OpenBSD, and others.
    Packages were live for almost a year
    All three packages were uploaded to the npm portal almost a year ago, in mid-October 2019. Each package had more than 100 total downloads since being uploaded. The package names were:
    “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.
    “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they added.
    npm’s security staff regularly scan its collection of JavaScript libraries, considered the largest package repository for any programming language.
    While malicious packages are removed on a regular basis, this week’s enforcement is the third major crackdown in the last three months.
    In August, npm staff removed a malicious JavaScript library designed to steal sensitive files from infected users’ browsers and Discord application.
    In September, npm staff removed four JavaScript libraries for collecting user details and uploading the stolen data to a public GitHub page.

    Microsoft releases emergency security updates for Windows and Visual Studio

    Microsoft today published two out-of-band security updates to address security issues in the Windows Codecs library and the Visual Studio Code application.

    The two updates come as late arrivals after the company released its monthly batch of security updates earlier this week, on Tuesday, patching 87 vulnerabilities this month.
    Both new vulnerabilities are “remote code execution” flaws, allowing attackers to execute code on impacted systems.
    Windows Codecs Library vulnerability
    The first bug is tracked as CVE-2020-17022. Microsoft says that attackers can craft malicious images that, when processed by an app running on Windows, allow the attacker to execute code on an unpatched Windows OS.
    All Windows 10 versions are impacted.
    Microsoft said an update for this library would be automatically installed on user systems via the Microsoft Store.
    Not all users are impacted: only those who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store are affected.
    HEVC is not available for offline distribution and is only available via the Microsoft Store. The library is also not supported on Windows Server.
    To check whether a vulnerable HEVC codec is installed, go to Settings, then Apps & Features, select HEVC, then Advanced Options. The secure versions are 1.0.32762.0, 1.0.32763.0, and later.
    Visual Studio Code vulnerability
    The second bug is tracked as CVE-2020-17023. Microsoft says attackers can craft malicious package.json files that, when loaded in Visual Studio Code, can execute malicious code.
    Depending on the user’s permissions, an attacker’s code could execute with administrator privileges and allow them full control over an infected host.
    Package.json files are regularly used with JavaScript libraries and projects. JavaScript, and especially its server-side Node.js runtime, is one of today’s most popular technologies.
    Visual Studio Code users are advised to update the app to the latest version as soon as possible.

    Google says it mitigated a 2.54 Tbps DDoS attack in 2017, largest known to date

    The Google Cloud team revealed today a previously undisclosed DDoS attack that targeted Google services back in September 2017 and which clocked in at 2.54 Tbps, making it the largest DDoS attack recorded to date.

    In a separate report published at the same time, the Google Threat Analysis Group (TAG), the Google security team that analyzes high-end threat groups, said the attack was carried out by a state-sponsored threat actor.
    TAG researchers said the attack came from China, having originated from within the network of four Chinese internet service providers (ASNs 4134, 4837, 58453, and 9394).
    Damian Menscher, a Security Reliability Engineer for Google Cloud, said the 2.54 Tbps peak was “the culmination of a six-month campaign” that utilized multiple methods of attacks to hammer Google’s server infrastructure.
    Menscher didn’t reveal which services were targeted.
    “The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us,” Menscher said.
    “This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier [in 2016].”
    Furthermore, this attack is also larger than the 2.3 Tbps DDoS attack that targeted Amazon’s AWS infrastructure in February this year.
    Despite keeping the attack secret for three years, Google disclosed the incident today for two reasons.
    The Google TAG team wanted to raise awareness of an increasing trend of nation-state hacking groups abusing DDoS attacks to disrupt targets.
    The Google Cloud team also wanted to raise awareness of the fact that DDoS attacks would intensify in the coming years, as internet bandwidth also increases.
    In a report published on Wednesday, data center company Equinix predicted an increase of roughly 45% (~16,300+ Tbps) in global interconnection bandwidth by 2023.

    Singapore releases AI ethics, governance reference guide

    Singapore businesses looking to adopt artificial intelligence (AI) technologies responsibly can now access a reference document to help them do so. The AI Ethics & Governance Body of Knowledge (BoK) is touted as a reference guide for business leaders and IT professionals on the ethical aspects of developing and deploying AI technologies.
    Launched by industry group Singapore Computer Society (SCS), the BoK was put together based on the expertise of more than 60 individuals from multi-disciplinary backgrounds, with the aim to aid in the “responsible, ethical, and human-centric” deployment of AI for competitive advantage. It encompasses use cases to outline the positive and negative outcomes of AI adoption, and looks at the technology’s potential to support a “safe” ecosystem when utilised properly.
    The BoK was developed based on Singapore’s latest Model AI Governance Framework, which was updated in January 2020, and will be regularly updated as the local digital landscape evolves, said SCS during its launch on Friday.

    Founded in 1967, the industry group has more than 42,000 members and offers a range of services to support its members, including training and development and networking opportunities. SCS comprises 11 chapters including AI and robotics, cybersecurity, and Internet of Things, as well as five interest groups that include blockchain and data centre.
    SCS President Chong Yoke Sin said that AI sought to inject intelligence into machines to mimic human action and thought, and that rogue or misaligned AI algorithms with unintended bias could cause significant damage. This underscored the importance of ensuring AI was used ethically.
    “On the other hand, stifling innovation in the use of AI will be disastrous as the new economy will increasingly leverage AI,” Chong said, as she stressed the need for a balanced approach that prioritised human safety and interests. 
    Speaking during SCS’ Tech3 Forum, Singapore’s Minister for Communications and Information S. Iswaran further underscored the need to build trust with the responsible use of AI in order to drive the adoption and extract the most benefits from the technology. 
    “Responsible adoption of AI can boost companies’ efficiencies, facilitate decision-making, and help employees upskill into more enriching and meaningful jobs,” Iswaran said. “Above all, we want to build a progressive, safe, and trusted AI environment that benefits businesses and workers, and drives economic transformation.”
    The launch of a reference guide would provide businesses access to a counsel of experts proficient in AI ethics and governance, so they could deploy the technology responsibly, the minister said. 
    “[The BoK] will guide the development of curricula on AI ethics and governance. It will also form the basis of future training and certification for professionals — both in the ICT and non-ICT domains. These professionals will serve as advisors for businesses on the responsible implementation of AI solutions,” he said. 
    Chong noted that the focal point was the individual using or affected by AI. 
    “It is not merely the technology and methodologies, but the human that should be at the centre of our analysis and decision-making,” she said. “Around this core are secondary principles and values, such as auditability and robustness, that help us achieve this core set of putative global norms for ethical AI.”
    Alongside the release of the reference guide, SCS also announced a partnership with Nanyang Technological University (NTU) to develop an AI ethics and governance certification course for professionals. 
    Slated for launch next year, the course aimed to train and certify professionals to help and advise organisations on AI ethics and governance. It would be incorporated into NTU’s upcoming MiniMasters programme in AI and AI ethics, designed to guide participants in understanding and solving problems brought about by the adoption of AI. 
    Singapore in May announced plans to develop a framework to ensure the “responsible” adoption of AI and data analytics in credit risk scoring and customer marketing. Two teams comprising banks and industry players were tasked with establishing metrics to help financial institutions ensure the “fairness” of their AI and data analytics tools in these use cases. A whitepaper detailing the metrics was scheduled to be published by year-end, along with open-source code to enable financial institutions to adopt the metrics.