ZDNET

Australia’s eSafety and the uphill battle of regulating the ever-changing online realm

Australia’s eSafety Commissioner is set to receive sweeping new powers like the ability to order the removal of material that seriously harms adults, with the looming passage of the Online Safety Act.

Tech firms, experts, and civil liberties groups have taken issue with the Act, citing among other things its rushed passage, the harm it could cause the adult industry, and the overbearing powers it gives eSafety. Current eSafety Commissioner Julie Inman Grant has even previously admitted that the details of how the measures legislated in the Online Safety Bill 2021 would be overseen are still being worked out.

The Bill contains six priority areas, including an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; Basic Online Safety Expectations (BOSE) for the eSafety Commissioner to hold services accountable; and an online content scheme for the removal of “harmful” material through take-down powers.

Appearing before the Parliamentary Joint Committee on Intelligence and Security as part of its inquiry into extremist movements and radicalism in Australia, Inman Grant said that while the threshold for the new take-down powers is quite high, they will give her agency a fair amount of leeway to look at intersectional factors, such as the intent behind a post.

“I think that the language is deliberately — it’s constrained in a way to give us some latitude … we have to look at the messenger, we have to look at the message, and we have to look at the target,” she said on Thursday.

The Act will also apply only to individuals, not to groups of people. The commissioner guessed this was a way of striking a balance with freedom of expression.

“To give us a broader set of powers to target a group or target in mass, I think would probably raise a lot more questions about human rights,” she said.

She said it’s a case of “writing the playbook” as it unfolds, given there’s no similar law internationally to help guide the Act. Inman Grant said she has tried to set expectations that she isn’t about to conduct “large scale rapid fire”.

“Because every single removal notice or remedial action that we take is going to have to stand up in a court of law, it’s going to have to withstand scrutiny from the AAT, from the Ombudsman, and others,” she said. “So the threshold is high, it’s really probably going to target the worst of the worst in terms of targeted online abuse.”

Of concern to the commissioner is that social media platforms have vast access to all sorts of signals that are happening on their platforms, yet they often step in when it’s too late.

“I think what we saw with the Capitol Hill siege is it wasn’t really until the 11th hour that they consistently enforced their own policies,” she said. “So I think we’ve seen a real selective application of enforcement of some of these policies and we need to see more consistency.”

AVOIDING WHACK-A-MOLE

She believes the BOSE will go some way to fixing that. Without setting these expectations, Inman Grant said she would be trying to energise her team to “play a big game of whack-a-mole”.

On finding the same perpetrators using the same modus operandi to target others, Inman Grant said it’s a prime example of where safety by design is so important.

“You’re building the digital roads, where are your guard rails, where are your embedded seatbelts, and what are you doing to pick up the signals?” she said.

“I don’t care what it is, whether you’re using natural language processing to look at common language that might be used or IP addresses, there are a range of signals that they can — they should be treating this like an arms race, they should be playing the game of whack-a-mole, rather than victims and the regulators.”

The safety by design initiative kicked off in 2018 with the major platforms. Currently, eSafety is engaged with about 180 different technology companies and activists through the initiative.

Inman Grant called it a “cultural change issue”, that is, tweaking the industry-wide ethos that moving fast and breaking things gets results.

“How do we stop breaking us all?” she questioned. “Because you’re so quick to get out the next feature, the next product, that you’re not assessing risk upfront and building safety protections at the front end.

“I mean, how many times do we have to see a tech wreck moment when companies — even a startup company — should know better.”

The solution, she said, isn’t for the government to prescribe technology fixes; rather, a duty of care should be reinforced when companies aren’t doing the right thing, through initiatives like safety by design. Inman Grant said the BOSE will, to a certain degree, force a level of transparency.

“We’re holding them to account for abuse that’s happening on their platforms, we’re serving as a safety net, when things fall through the cracks, and we’re telling them to take it down,” she said. “Platforms are the intermediaries … the platforms [are] allowing this to happen, but we are fundamentally talking about human behaviour, human malfeasance, criminal acts online targeting people.”

Inman Grant said eSafety is currently working with the venture capital and investor community, “because they’re often the adults in the room” on developing an interactive safety by design assessment tool, one for startups and one for medium-sized and large companies, that should be made public within the next three weeks.

LIKE THE REAL WORLD, JUST DIGITAL

“It’s only been 50 years since seatbelts have been required in cars and there was a lot of pushback for that. It’s now guided by international standards. We’re talking about standard product liability — you’re not allowed to produce goods that injure people, with food safety standards you’re not allowed to poison people or make them sick — these should not be standards or requirements that technology companies should be shunning,” the commissioner said.

“The internet has become an essential utility … they need to live under these rules as well. And if they’re not going to do it voluntarily, then they’re going to have a patchwork of laws and regulations because governments are going to regulate them in varying ways.”

Inman Grant said eSafety is engaging with the social media platforms every day, and has garnered an 85% success rate in the removal of non-consensually shared intimate images and videos.

“It tends to be what we would call the ‘rogue porn sites’ that are resistant to take down,” Inman Grant said. “And of course, we see a lot of similarities in terms of the hosting services and the kinds of sites that host paedophile networks or pro terrorist or gore content.”

She said eSafety saw a spike in terms of all forms of online abuse over the COVID period, but it wasn’t due to the reason many would think.

“We often talk about seeing a lot of child sexual abuse on the dark web, but we saw a lot more on the open web and out in the open on places like Twitter, Instagram, and Facebook — up to 650% in some cases from the year prior,” she said.

“It wasn’t just that simplistic explanation that more kids were online unsupervised [and there were more] predators targeting them, that certainly did happen, but really what was happening is a lot of the companies have outsourced their content moderation services to third parties, and many of these are in the Philippines and Romania, in developing countries where these workers were sent home and couldn’t look at the content.”

She said the combination of a content moderation workforce unable to view the content and the larger number of people online created a “perfect storm”.

“You saw some of the companies using more AI and analytic tools, but they’re still really very imperfect. And almost all of the platforms that do use AI tools always use a portion of human moderation because it’s just not up to par.”

Source: https://www.zdnet.com/article/australias-esafety-and-the-uphill-battle-of-regulating-the-ever-changing-online-realm/#ftag=RSSbaffb68


US pipeline ransomware attack serves as fair warning to persistent corporate inertia over security

Organisations that continue to disregard the need to ensure they have adopted basic cybersecurity hygiene practices should be taken to task. This will be critical, especially as cybercriminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. 

In many of my conversations with cybersecurity experts, there is a shared sense of frustration that businesses are still failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that is decades old.

Just this month, UOB Bank revealed an employee had fallen prey to a China police impersonation scam that compromised the personal data of 1,166 customers, including their mobile number and account balance. This specific impersonation use case had been flagged as a common scam tactic and even featured in a crime prevention TV programme months before. That an employee of a major bank still could have fallen for it is shocking. 

This raises the question of whether its frontline staff, or any employee with access to customer data, have been adequately trained and regularly updated on how they should deal with potential cyber threats.

Should such inertia continue to fester, there’s real cause for concern ahead especially as cyber attackers turn their attention towards operational technology (OT) sectors, such as power, water, and transport. As it is, businesses seem ill-prepared to cope with the growing threat. 

Consider the stats. Some 68% of businesses in Asia-Pacific were breached last year, up from 32% in 2019, and 17% had to deal with more than 50 cyber attacks or errors a week. And they took way too long to pick themselves up after an attack, with an average of 60.83% needing more than a week to remediate the attacks, citing lack of funds and skillsets as their key challenges. 

In Singapore, 28% had been breached in the past year, with almost 15% having to deal with at least 50 attempted cyber attacks a week. Some 33% described the resulting data loss as very serious or serious.

Things will only get worse as businesses in the region and around the world rush to adopt tools that facilitate remote work, leaving their networks vulnerable to attacks. As it is, 54.7% viewed enabling and managing remote workforces as a top ICT challenge, and another 49.7% felt likewise about securing remote workers.

As online adoption grows, supply chains will widen as businesses rush to cope with the spike in transactions. This means attack surfaces, too, will expand and it is crucial that enterprises get the fundamentals right to better mitigate potential security risks. 

When cyber risks become physical threats

And in the case of the Colonial Pipeline, the risks can be severe. 

The privately-held pipeline operator supplies 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military. It transports more than 100 million gallons of fuel a day across an area that spans Texas to New York.

The cyber attack forced the company to temporarily shut its operations and freeze IT systems to contain the infection. It triggered supply shortage concerns and pushed gasoline futures to their highest level in three years. It also prompted the US Department of Transportation to invoke emergency powers to make it easier to transport fuel by road.

Colonial Pipeline reportedly paid the ransomware group responsible for the attack $5 million to decrypt locked systems.

That it paid up shouldn’t come as a surprise, since a majority of businesses in Asia-Pacific also choose to pay up after falling victim to ransomware attacks. These include 88% in Australia and 78% in Singapore that have forked out the ransom in full or in part. 

Global pandemic opening up can of security worms

Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.


For its part, Singapore has recognised the risks cybersecurity attacks pose to its critical infrastructure. Early this month, it created a cybersecurity expert panel focused on OT, with the first meeting slated to take place in September. The move comes months after the country last October unveiled a new cybersecurity blueprint that looked to safeguard its core digital infrastructure.

In particular, the government pointed to OT systems, where a successful attack can manifest as a severe disruption in the physical world. Such systems, including those in the energy, water, and transport sectors, are critical for delivering essential services and supporting the economy. 

In forming the OT expert panel, Singapore’s Cyber Security Agency Chief Executive David Koh said: “While OT systems were traditionally separated from the internet, increasing digitalisation has led to more IT and OT integration. Hence, it is crucial for OT systems to be better protected from cyber threats to prevent outages of critical services that could result in serious real-world consequences.”

The ransomware attack against the Colonial Pipeline has clearly demonstrated that the consequences are real and, no doubt, more are coming our way. 

That Singapore has put a strong focus on OT is a positive step forward. It is hoping the expert panel will provide guidance on a range of issues, including governance policies, OT technologies, supply chain, threat intelligence sharing, and incident response.

However, with most of the industry still stuck in apparent inertia, firmer action is necessary to ensure businesses across all sectors, including OT, do not slip up. 

This should encompass even the simplest and most basic rules, such as outlawing the use of software that is more than 15 years old, or mandating that all employees, including senior management, chalk up minimum training hours a year on cybersecurity threat management.

In addition, all organisations that have encountered a security incident should be required to detail how their systems were breached. An abridged account of the attack, excluding specifics that could further compromise the company’s security, should also be publicly released.

It should no longer be sufficient for any company to simply say the attack was “sophisticated” without giving any other information to justify that description. 

In the Colonial Pipeline case, details have been slow to trickle out, with the US government yet to receive any information from the oil pipeline operator. The Biden administration has expressed frustration over what it perceived to be weak security protocols on Colonial Pipeline’s part, as well as a lack of readiness to deal with cyberattacks.

It is clearly time for all organisations, not just those in Asia, to get a grip. Because if they don’t, they won’t just be losing millions in ransom payments; actual lives will be at risk. Transport and healthcare operators, in particular, should take heed.

And with cybercriminals increasingly skilled in their craft, future attacks will indeed be so complex that they will put to shame the use of the word “sophisticated” that appears in almost every statement companies currently make to describe the breach they suffered.

Be better. Because when it comes to cybersecurity, that is what many businesses have yet to be.

Source: https://www.zdnet.com/article/us-pipeline-ransomware-attack-serves-as-fair-warning-to-persistent-corporate-inertia-over-security/#ftag=RSSbaffb68


ASD knows who attacked the APH email system but isn’t revealing who

Image: Parliament House, Canberra (Getty Images)

The Australian Cyber Security Centre (ACSC) and its parent agency, the Australian Signals Directorate (ASD), know who attacked the email system of Australian Parliament House, but they are not saying who it is.

“Attribution is a matter for government, and is made only when in the national interest,” it said in response to Senate Estimates Questions on Notice.

Many of the questions were passed off onto the Department of Parliamentary Service (DPS), which revealed earlier this week that it had pulled down and replaced its mobile device management (MDM) system as a result of the attack.

“The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said.

“To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

The legacy MDM system remains in use in a limited capacity.

One tidbit ASD did part with was agreeing that the attacker was unsophisticated and that the ACSC was involved in “searching for any potential implants” in the APH Exchange server.

An unsophisticated attack would have had a higher-than-expected chance of succeeding, thanks to the lack of two-factor authentication (2FA) at the time.

“Before users came back on line after this incident, they were asked to implement new security controls to access APH emails via mobile handsets — namely multi-factor authentication,” Senator Kimberley Kitching said in a question.

“In the course of providing cybersecurity advice and assistance to DPS following the incident, the ACSC provided broad advice on security controls,” the ASD said.

ASD said there was no “specific threat” that led to the introduction of 2FA, and instead pointed to its Essential Eight advice first published in 2017.

DPS said earlier this week it had seen no evidence of any email accounts being compromised due to the attack, and the attack had nothing to do with recent Exchange vulnerabilities.

In another answer, ASD said no code review has been completed on the systems of the Australian Electoral Commission, but it has “conducted a vulnerability assessment and partnered with the AEC to conduct multiple uplift activities on the AEC network.”

Source: https://www.zdnet.com/article/asd-knows-who-attacked-the-aph-email-system-but-isnt-revealing-who/#ftag=RSSbaffb68


Labor pitches ‘startup year’ as key to Australia’s future

Image: Anthony Albanese (Getty Images)

Opposition leader Anthony Albanese has outlined his plan for Australia should Labor be successful at the next federal election, one that’s centred on things the Coalition missed in its 2021-22 Budget.

“We have a once in a century opportunity to reinvent our economy, to lift wages and make sure they keep rising, to invest in advanced manufacturing and in skills and training with public TAFE at its heart, to provide affordable childcare, to fix aged care, to address the housing crisis, to champion equality for women, and to emerge as a renewable energy superpower,” he declared in his Budget reply speech, delivered Thursday night.

“That’s the better future I want to build for Australia as Prime Minister.”

A centrepiece of Albanese’s plan is a “startup year”.

“Australia has always produced scientific innovations, but we haven’t always been good at commercialising them,” he continued, listing the black box, Google Maps, and the Cochlear implant as examples.

He said a lot of what Australia uncovers via research gets converted into manufacturing jobs overseas.
 
“And if we don’t get smart, if we don’t get serious, if we don’t get moving — the same thing is going to happen again,” he said.

The startup year, Albanese declared, is a program to “help drive innovation and increase links between universities and entrepreneurs”.

The program will allow final year university students, or recent graduates, to learn from experts about how to transform their ideas and research into products and services that Australia can sell to the world.
 
The students would do their training at established “accelerators” or “incubators”.

Startup loans will be offered to students and new graduates with ventures attached to the tertiary institution or designated private accelerator. Albanese believes this will assist in the identification of opportunities for commercialisation of university research.

Startup year will train up to 2,000 students per year and will be supported by HELP/HECS loans, up to a maximum of AU$11,300.

The loans can go towards paying for things such as training, equipment, or building prototypes.

Expanding further on this plan, Shadow Minister for Industry and Innovation Ed Husic said Labor wants to send a signal to young Australians that it “backs them and their ideas to build new firms and new jobs”.

“We want to do that through the range of university accelerators that exist across the country. We want to work with the university sector and others in the innovation space to determine how we do that selection process. And the big thing for us is to build that momentum, build that interest in starting new firms. Because really, what we need to see in this country apart from current firms getting bigger and stronger, we need to see an influx of new firms coming in with new ideas to improve the way the economy works,” he said.

This requires, however, talented people on the ground to do the work that will support startups and encourage their growth, Husic declared.

“If you’ve had a federal government that continually cuts or fails to support the university sector, can’t get its act together on commercialising the research and ideas coming out of universities, is cutting TAFE, and is dragging the chain on innovation, this is a real problem,” he continued.

On Tuesday night, the government unveiled a “patent box” to drive research in medical and biotech technologies, and a National Centre of AI Excellence. Husic said the first was taken from similar overseas initiatives and the second was stolen from his party.

Source: https://www.zdnet.com/article/labor-pitches-startup-year-as-key-to-australias-future/#ftag=RSSbaffb68


HelpSystems expands email, cloud security portfolio with acquisition of Agari, Beyond Security

HelpSystems has announced the acquisition of Agari and Beyond Security as the firm continues to expand its cybersecurity portfolio. 

The financial details of the transactions were not disclosed. 

Headquartered in Cupertino, California, Beyond Security is a provider of automated vulnerability assessment and compliance solutions. 

The firm’s products, beSecure, beSource, and beStorm, cover vulnerability scanning and management, code analysis, and black box testing. 

“The team and solutions from Beyond Security will fit into HelpSystems’ popular infrastructure protection portfolio featuring Digital Defense, Core Security, and Cobalt Strike,” the company says. 

This is the second acquisition made public by HelpSystems this week. On Thursday, the company also announced a deal to secure Agari, a Software as a Service (SaaS) solutions provider for phishing protection based in Foster City, California. 

Email, when combined with social engineering, can lead to business email compromise (BEC) and may result in wider compromise of enterprise networks. Agari’s solutions attempt to filter out phishing attempts using data science, machine learning (ML), and cloud computing.

Agari is also a founding member of the consortium that created the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication standard, a technical standard designed to prevent phishing, spam, and spoofing.

“Cybercriminals increasingly use email as a prime way to infiltrate businesses and gain access to sensitive data and IP, causing untold damage in terms of cost and reputation,” commented Kate Bolseth, HelpSystems chief executive. “We’re thrilled to welcome Agari and their email phishing defense prowess to the HelpSystems family. Agari will be a notable asset to HelpSystems as we work together to give global customers new tools for securing their valuable data and achieving peace of mind.”

The purchases build upon the acquisition of Texas-based Digital Defense in February, a company that develops SaaS vulnerability scanning, network asset analysis, and risk score generation software to assist IT teams in patch and remediation efforts. 

Source: https://www.zdnet.com/article/helpsystems-expands-email-cloud-security-portfolio-with-acquisition-of-agari-beyond-security/#ftag=RSSbaffb68
