Nefilim Ransomware Attack Uses “Ghost” Credentials

A recent Sophos Rapid Response engagement shows why keeping close tabs on the account credentials in your organization should always be a top priority. Sophos Rapid Response is a 24/7 service that helps organizations quickly identify and neutralize active threats.

The company reached out to Rapid Response to get help with a Nefilim (also known as Nemty) ransomware attack in which more than 100 systems were impacted. Sophos’ Intercept X endpoint protection has no problem detecting and stopping Nefilim. Unfortunately, the customer did not have this protection in place. Nefilim ransomware, like virtually all major ransomware, replaces the original files with encrypted versions, making recovery impossible without either the decryption key or a recent backup.

The Rapid Response team sprang into action as soon as they were contracted by the customer, loading Sophos security onto all the systems it could access, ensuring all necessary protections were turned on for systems that already had Sophos installed, and digging for clues as to how and when the intrusion began and what might have been stolen.

By the time of Sophos’ standard “kick-off” call to describe the process of the Rapid Response team and gather context around the evidence uncovered so far, the team had already singled out user accounts that had been taken over and compiled a general timeline of the attack.

[Figure: Nefilim ransomware attack timeline]

The team determined the attacker had compromised an admin account with high-level access about one month before launching Nefilim ransomware. More precisely, the attacker gained access to that admin account, then spent a month quietly moving around the network to steal credentials for a domain admin account, locate the data they wanted, exfiltrate hundreds of GB of it, and finally announce their presence with the ransomware attack.

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” Peter Mackenzie, manager for Rapid Response, said. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”

Based on Sophos intelligence, the Rapid Response team knew the threat actors behind Nefilim ransomware commonly gain initial access either by exploiting vulnerable versions of Citrix or Remote Desktop Protocol. In this case, the adversary exploited vulnerable Citrix software, gained access to the admin account, then stole the credentials for a domain admin account using Mimikatz.

During Sophos’ initial kick-off call, the Rapid Response team relayed which admin account had been compromised in the initial intrusion, and asked the customer: Whose account was it? The answer: the account belonged to an individual who had sadly passed away around three months before the attacker’s first move.

Apparently, the account was kept active because there were services that it was used for, meaning the Rapid Response team had to discern which activities from that account were legitimate and which were malicious.

“The malicious activities were often in the middle of the night for the customer’s local time,” Mackenzie said. “We were able to work out some of the movements in the account based on when they occurred and when the commands were being performed.”

If an organization really needs an account after someone has left the company, it should implement a service account and deny interactive logins to prevent any unwanted activity. If the account is not needed for anything else, disable it, and carry out regular audits of Active Directory. Active Directory audit policies can be set to monitor for admin account activity or to flag when an account is added to the Domain Admins group.

Mackenzie noted far fewer accounts need to be a domain admin than most people think.

“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. ​This isn’t true and it’s dangerous,” Mackenzie said. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”

Mackenzie added that alerts should be set so that if the domain admin account is used or if a new admin account is created, someone knows. A previous case that Rapid Response was called in on proved this point.

In this particular case, an attacker gained access to an organization’s network, created a new user, and added that account to the domain admin group in Active Directory. No alerts were set off, so that new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups.

Mackenzie told the customer they were lucky the attack was so visibly destructive and easily noticed.

“If they hadn’t done that, how long would they have had domain admin access to the network without the customer knowing?”

Detection and IoCs

Nefilim ransomware is detected in Sophos Endpoint Protection under the definition Troj/Ransom-GDN.

Additional indicators of compromise have been published to the SophosLabs Github.

Nefilim group Tactics, Techniques, and Procedures (TTPs)

The group(s) that operate Nefilim ransomware have commonly used Citrix vulnerabilities or Remote Desktop Protocol (RDP) to gain initial entry into victim environments, i.e. by exploiting public-facing applications (MITRE ATT&CK T1190).

In this case, the Rapid Response team discovered vulnerable versions of Citrix software on customer systems. Although it is unclear which vulnerability was exploited, the installed Citrix Storefront 7.15 CU3 was, at the time of the incident, vulnerable to 1 Critical (CVE-2019-11634) and 4 High-rated CVEs (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283), any of which may have been exploited to gain initial access to the target network.

Once in, the threat actor also used Remote Desktop Protocol (RDP) logins to maintain access to the initial admin account used in the attack. On the network, the threat actor used Mimikatz, which reveals credentials stored on the system, to compromise a domain admin account.

The Rapid Response investigation uncovered PowerShell commands as well as the use of RDP and Cobalt Strike to move laterally to multiple hosts, conduct reconnaissance, and enumerate the network.

The threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data.

The Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) via the compromised domain admin account.

Checklist for secure account access management

  • Only grant the access permissions needed for a specific task or role
  • Disable accounts no longer needed
  • If you need to keep an account active after the original owner has left the organization, implement a service account and deny interactive logins
  • Carry out regular audits of Active Directory: Active Directory Audit Policies can be set to monitor for admin account activity or if an unexpected account is added to the domain admin group
  • Have a robust security solution in place, ideally with anti-ransomware technologies such as that featured in Intercept X
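The audit and alerting advice above (alert when a domain admin account is used or created, watch for activity on accounts whose owners have left, and note the off-hours timing that gave the malicious activity away) can be expressed as simple detection logic over Windows Security events. The script below is an added example and not Sophos code: the event IDs and logon types are the standard Windows Security log values, but the event records, the account names and the departed-accounts list are constructed for the illustration.

```python
"""Account-activity detection for the gaps described in the Nefilim case.

Added example, not Sophos code. It scans a constructed list of Windows Security
event records (the event IDs and logon types are the standard ones) and raises
alerts for:
  * an account being added to a privileged group (Event ID 4728 / 4756),
  * a freshly created account (4720) that lands in a privileged group soon after,
  * interactive logons (4624 with LogonType 2 or 10) by accounts whose owners
    have left the organisation, using a list the defender maintains.
Each alert also notes whether the event happened outside business hours.
"""
from datetime import datetime, timedelta

GROUP_MEMBER_ADDED = {4728, 4756}     # member added to a global / universal security group
ACCOUNT_CREATED = 4720
LOGON = 4624
INTERACTIVE_LOGON_TYPES = {2, 10}     # 2 = local console, 10 = RemoteInteractive (RDP)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Accounts of people who have left; a real deployment would pull this from HR / AD.
DEPARTED_ACCOUNTS = {"jsmith"}

# Constructed sample events (not taken from the incident described above).
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2020-03-02T02:13:00", "user": "jsmith", "logon_type": 10},
    {"id": 4624, "time": "2020-03-02T09:05:00", "user": "svc-backup", "logon_type": 5},
    {"id": 4720, "time": "2020-03-10T01:40:00", "user": "admin2", "subject": "jsmith"},
    {"id": 4728, "time": "2020-03-10T01:42:00", "user": "admin2",
     "group": "Domain Admins", "subject": "jsmith"},
    {"id": 4728, "time": "2020-03-11T14:00:00", "user": "alice",
     "group": "Helpdesk", "subject": "itadmin"},
]


def is_off_hours(t, start=7, end=19):
    """True when the event falls outside the local business-hours window."""
    return not (start <= t.hour < end)


def detect(events, departed=DEPARTED_ACCOUNTS, new_account_window=timedelta(hours=24)):
    """Return a time-ordered list of alert dicts for the suspicious patterns above."""
    alerts = []
    created_at = {}  # account -> creation time, for the new-account correlation

    def alert(kind, ev, t, **detail):
        alerts.append({"kind": kind, "time": ev["time"], "account": ev["user"],
                       "off_hours": is_off_hours(t), **detail})

    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        t = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == ACCOUNT_CREATED:
            created_at[ev["user"]] = t
        elif eid in GROUP_MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            alert("PRIVILEGED_GROUP_ADD", ev, t, group=ev["group"], by=ev.get("subject"))
            created = created_at.get(ev["user"])
            if created is not None and t - created <= new_account_window:
                alert("NEW_ACCOUNT_TO_PRIVILEGED_GROUP", ev, t,
                      group=ev["group"], by=ev.get("subject"),
                      minutes_since_creation=(t - created).total_seconds() / 60)
        elif (eid == LOGON and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES
              and ev["user"] in departed):
            alert("DEPARTED_ACCOUNT_INTERACTIVE_LOGON", ev, t, logon_type=ev["logon_type"])
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Run against the sample events, the script flags the RDP logon by the departed user's account at 02:13, the addition of an account to Domain Admins, and the fact that the account added was created only two minutes earlier; the first two are also marked as off-hours. The logon-type filter matters: the service account's type-5 (service) logon at 09:05 is exactly the legitimate, non-interactive use that a converted service account should produce, so it is not reported.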

Ransomware Targeting Australian Aged Care and Healthcare Sectors

The Australian Cyber Security Centre (ACSC) is aware of recent ransomware campaigns targeting the aged care and healthcare sectors. Cyber criminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks. This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.

The ‘Maze’ ransomware is designed to lock or encrypt an organisation’s valuable information, so that it can no longer be used, and has been observed being used alongside other tools which steal important business information. Cyber criminals may then threaten to post this information online unless a further ransom is paid. This is especially effective in the aged care and healthcare sectors.


If Australian organisations are infected by the Maze ransomware, they should seek assistance in the first instance from the ACSC via 1300 CYBER1. We encourage reporting cyber security incidents to enable the ACSC to alert and assist a broader range of organisations, and understand the scope and nature of cyber intrusions.

Read the ACSC advice on mitigating the threat of ransomware. Keeping software up to date and having current backups stored offline is the best way to protect your organisation from a ransomware attack.

Never pay a ransom demand

We recommend you do not pay the ransom if affected by the Maze ransomware. There is no guarantee paying the ransom will fix your devices, and it could make you vulnerable to further attacks. Restore your files from backup and seek technical advice.

Identify and backup critical information and systems

Backing up and restoring your files offers peace of mind and makes it faster and easier to get up and running again following a ransomware attack.

Keep your systems and software up to date through regular patching

All your personal or business devices, including your phone, tablet, computer or laptop, run software: operating systems such as Microsoft Windows or Apple macOS, and applications such as antivirus, web browsers or word processors at work. Read more about patching software.

Use antivirus software and keep it up to date

Install antivirus software on all devices and set the software to automatically check for updates on a daily basis.

Government finally unveils Australia’s new cyber security strategy

The federal government has finally unveiled its delayed cyber security strategy but left much of the detail to forthcoming legislation that is yet to be put before parliament.

The 52-page strategy [pdf], released on Thursday, will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia’s cyber security over the next decade.

Much of the funding is from the previously announced $1.35 billion cyber enhanced situational awareness and response (CESAR) package.

The strategy’s key elements include proposed laws and an “enhanced regulatory framework” to secure critical infrastructure, deemed the “best way to protect Australians at scale”.

The new framework will outline the government’s minimum expectation, including an “enforceable positive security obligation for designated critical infrastructure entities”.

“These powers will ensure the Australian Government can actively defend networks and help the private sector recover in the event of a cyber attack,” the strategy states.

“The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools.

“This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians.”

The framework, which will be delivered through amendments to the Security of Critical Infrastructure Act, is also expected to extend to systems of national significance.

While much of the focus on critical infrastructure is ensuring assets are properly defended during a cyber attack, the government will also assist operators to “enhance their cyber security posture”.

It will do this by using the proposed $62.3 million “classified national situational awareness capability”, funded in the CESAR package, to respond to threats against critical infrastructure.

Critical infrastructure operators will similarly be able to share intelligence about malicious cyber activity through the government’s $35 million cyber threat-sharing platform, which has been on the cards for several years.

Further afield, the government is also considering additional “legislative changes that set a minimum cyber security baseline across the economy”.

It will also expand the cyber security incident exercise program run by the Australian Cyber Security Centre to improve how government and businesses prepare for incidents.

Secure government hubs

With departments and agencies continuing to struggle to implement rudimentary cyber security controls, government systems and data are key concerns.

In a bid to uplift cyber resilience, the government is planning to “centralise the management and operations of the large number of networks” run by agencies as a priority.

The strategy said that centralising networks would allow the government to “focus its cyber security investment on a smaller number of more secure networks”.

“A centralised model will be designed to promote innovation and agility while still achieving economies of scale,” the strategy states.

It also plans to explore the creation of “secure hubs” to reduce the number of networks that hostile actors can target even further, though the strategy does not elaborate on what this might look like.

Standard cyber security clauses will also be introduced into government IT contracts to avoid unnecessary risks.

The strategy notes that federal, state and territory agencies were the target of 35.4 percent of the 2266 cyber security incidents that the ACSC responded to in the 2019-20 financial year.

Around the same number of incidents impacted critical infrastructure providers in the healthcare, education, banking, water, communications, transport and energy sectors.

The government will also provide law enforcement agencies with $124.9 million to strengthen their ability to counter cyber crime, including $89.9 million for the Australian Federal Police.

The funding will sit alongside planned legislation that will assist the AFP to identify individuals engaging in serious criminal activity on the dark web.

The ACSC will also receive a further $31.6 million to improve its ability to counter cyber crime offshore and assist federal, state and territory law enforcement to identify and disrupt cyber criminals.

“The Australian Government will ensure it has fit-for-purpose powers and capabilities to discover, target, investigate and disrupt cyber crime, including on the dark web,” the strategy states.

Uplifting SMEs

The strategy also outlines the government’s $63.4 million plan to assist small and medium enterprises (SMEs) to uplift their cyber security capabilities with the help of large businesses.

One such initiative will see large businesses and service providers provide SMEs with ‘bundles’ of secure services such as threat blocking and antivirus, as well as awareness training.

“Integrating cyber security products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cyber security staff,” the strategy states.

The government also plans to “provide online training and a 24/7 helpdesk for SMEs that need cyber security advice or assistance”.

Does Australia need a new coronavirus contact tracing app?

COVIDSafe was sold as Australia’s ticket out of lockdown. But almost three months since launch in late April, its impact is hard to measure.

Victoria has accessed data from the app almost 400 times, but health authorities are yet to point to any potential COVID-19 exposure that was not picked up by manual contact tracing.

In New South Wales, app data has been extracted 23 times. In one instance, a person whose contact details were unavailable during manual contact tracing was contacted using app data.

But COVIDSafe’s ability to reliably transmit and collect encrypted codes using Bluetooth from other apps remains under scrutiny.

And there is another option.

In May, Google and Apple launched an exposure notification API, or framework, built into their devices’ operating systems that allows health authorities to build their own apps, and ostensibly helps the technology perform better with fewer bugs and workarounds.

Germany and Ireland, as well as a handful of other European countries, have now launched their own COVID-19 exposure notification apps using the Google-Apple framework.

So how do they compare to COVIDSafe?

A centralised or a decentralised model

COVIDSafe and apps built using the Apple-Google API both deploy Bluetooth to create an encrypted log of random codes from other devices with the app, that come into close range.

But Ireland’s COVID Tracker app and Germany’s Corona-Warn-App differ when it comes to the next step.

Broadly, if someone tests positive for the virus and has one of those apps, they can voluntarily make their weeks of random codes available to the exposure notification system.

Each app regularly checks the exposure codes it has stored against those the system has identified as belonging to an infected person.

If there is a match, the user receives a warning notification on their phone and can then choose to get in touch with a doctor.

All the data processing is done on the device.

In contrast, if someone with COVIDSafe is diagnosed with the virus, health authorities may ask them to share their app’s data with a central database. Then those random codes will be sorted into close contacts (1.5 metres for upwards of 15 minutes) and used by local health authorities to track potential exposures.

Ireland and Germany’s apps operate more as a warning system and offer much less information to authorities.
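The difference between the two models is easiest to see by simulating both and looking at what reaches the server. The following is an added illustration, not the Google-Apple framework or COVIDSafe code: the code derivation is a constructed HMAC scheme (the real frameworks use their own key schedules and timing), the phone names and contact-detail strings are placeholders, and the centralised side is reduced to the one property the article describes, namely that the server can link uploaded codes back to registered people.

```python
"""Decentralised vs. centralised exposure matching, simplified.

Added illustration of the two models compared above; it is not the Google-Apple
or COVIDSafe code, and the code derivation is a constructed HMAC scheme (the real
frameworks use their own key schedules). Each phone broadcasts a short-lived
random code and keeps the codes it hears. The two server stand-ins show what the
server learns in each model.
"""
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # one fresh code every 10 minutes


def rolling_code(daily_key, interval):
    """Derive the code broadcast during one interval from that day's key (constructed scheme)."""
    return hmac.new(daily_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name):
        self.name = name
        self.daily_keys = {}   # day -> 16 random bytes, generated on the device
        self.heard = set()     # codes received from nearby phones

    def code_for(self, day, interval):
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_code(key, interval)


def encounter(a, b, day, interval):
    """Two phones within Bluetooth range exchange the codes they are broadcasting."""
    a.heard.add(b.code_for(day, interval))
    b.heard.add(a.code_for(day, interval))


# --- Decentralised model (Ireland / Germany style) ---------------------------
def publish_diagnosis_keys(diagnosed):
    """Upload on a positive test: only the user's own daily keys; no contacts, no identity."""
    return sorted(diagnosed.daily_keys.items())


def check_exposure(phone, published_keys):
    """Run on every phone: re-derive each published key's codes and match locally."""
    for _day, key in published_keys:
        if any(rolling_code(key, i) in phone.heard for i in range(INTERVALS_PER_DAY)):
            return True
    return False


# --- Centralised model (COVIDSafe style) -------------------------------------
class CentralServer:
    """Knows which registered person each code belongs to and resolves uploaded logs."""
    def __init__(self):
        self.code_owner = {}   # code -> registered contact details

    def register(self, phone, contact_details):
        # Sign-up requires identifying details; the server keeps the code-to-person mapping.
        for key in phone.daily_keys.values():
            for i in range(INTERVALS_PER_DAY):
                self.code_owner[rolling_code(key, i)] = contact_details

    def upload_contact_log(self, diagnosed):
        """Upload on a positive test: the diagnosed user's whole log of heard codes."""
        return sorted({self.code_owner[c] for c in diagnosed.heard if c in self.code_owner})


def simulate():
    """Constructed scenario: Alice met Bob, Bob met Carol, Carol never met Alice."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, day=1, interval=42)
    encounter(bob, carol, day=1, interval=90)

    # Decentralised: Alice tests positive and publishes only her keys.
    keys = publish_diagnosis_keys(alice)
    decentralised = {
        "server_learns": [k.hex() for _d, k in keys],   # random keys, no names or contacts
        "bob_exposed": check_exposure(bob, keys),
        "carol_exposed": check_exposure(carol, keys),
    }

    # Centralised: everyone registered with contact details (placeholder strings);
    # Alice uploads the codes she heard and the server resolves them to people.
    server = CentralServer()
    for phone, contact in ((alice, "alice:+61-4xx"), (bob, "bob:+61-4yy"), (carol, "carol:+61-4zz")):
        server.register(phone, contact)
    centralised = {"server_learns": server.upload_contact_log(alice)}
    return decentralised, centralised


if __name__ == "__main__":
    print(simulate())
```

In the decentralised run the server sees one random key and nothing else, yet Bob's phone still works out on its own that it was exposed while Carol's does not. In the centralised run the same encounter yields the server a named contact, which is the "much less information to authorities" trade-off the article describes, and also why Dr Teague calls the decentralised design a huge privacy advantage.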

That lack of centralised data collection is part of what makes security expert Vanessa Teague, chief executive of Thinking Cybersecurity, believe Australia should move to the Google-Apple API.

“It has this huge privacy advantage,” she said.

And although we do not yet have sufficient empirical data comparing the performance of available models, she suggested it’s likely apps built using the Google-Apple framework will work more reliably than COVIDSafe because the Bluetooth detection technique is built into the devices’ operating systems.

“By work, I mean, when two people are near each other, the likelihood that it exchanges the pings it’s supposed to exchange is likely to be a lot higher,” she said.

Are apps built using the Google-Apple API a success?

Like in Australia, German and Irish authorities have been quick to boast about download figures.

Germany launched its app in mid-June. As of July 23, the Corona-Warn-App has registered 16.2 million downloads, according to the Robert Koch Institute, in a country with a population of more than 80 million.

Ireland’s Health Services told the ABC that almost 1.4 million people have downloaded the app since July 7 — out of almost 5 million people — and 91 COVID Tracker app users have received an exposure alert.

But like in Australia, where the app has been downloaded more than 6 million times, there are few metrics publicly available to understand the app’s contribution to pandemic control, or even how many people have the app open and working each day.

In Germany, about 660 people who were shown to test positive for SARS-CoV-2 had the opportunity to warn others via the app by July 20.

“However, we cannot say exactly how many people were warned because of the decentralized approach of the app,” the president of the Robert Koch Institute Professor Lothar H. Wieler said in a recent statement.

Stephen Farrell, a computer security researcher at Trinity College Dublin, said questions remained for the Australian and European apps when it comes to the ability of Bluetooth to accurately gauge distance — and so, to accurately identify close contacts.

“It suffers that same challenges with Bluetooth proximity detection in terms of making it reliable in all sorts of contexts,” he said. “Handsets in all different positions, in pockets, in handbags … walking, cycling.”

Dr Farrell suggested it will ultimately be difficult to definitively measure the impact of this technology.

We need to know how many people who would have been missed by manual contact tracing are caught by the app, he suggested. And of those people, how many are false positives or true positives.

Privacy concerns remain

As well as privacy bugs found after the launch of COVIDSafe, its centralised method of data collection has been an ongoing focus for security researchers.

But there is also concern in Europe that exposure notification apps built using the Google-Apple API could be used to track location, especially on Android.

The implementation of Bluetooth on Android has long (and wrongly, in her view) been “inextricably linked” to location permissions, Dr Teague said, as some non-contact-tracing apps use the technology to work out a user’s location.

For example Bluetooth beacons in a shopping centre, she said, could be used to serve users with hyper-specific advertising.

“The implication is, if you’re not going to let Google track your location, then you’re not using Bluetooth scanning.”

The Android version of COVIDSafe, as well as apps made using the Google-Apple API, asks for location permission when the app is installed — although all insist location is not recorded as part of the contact tracing process.

“In keeping with our privacy commitments for the Exposure Notification API, Google does not receive information about the end user, location data, or information about any other devices the user has been in proximity of,” a Google spokesperson said.

Professor Alexandra Dmitrienko, head of Secure Software Systems Research Group at the University of Würzburg, is troubled that location services must be turned on when using the exposure notification API on Android.

While many people may choose to use products like Google Maps and have location services operating, she suggested those that do not are forced into a choice: allow location permissions when downloading the German app or give up the ability to use your country’s public health app.

As more countries accept the Apple-Google solution, she is also concerned about the control being ceded to the two technology giants.

“As an expert in security and privacy, I see … that we give too much power to two American companies,” she said.

Could Australia move to the Google-Apple API?

As it stands, Australia’s COVIDSafe would have to fundamentally change its approach to use the Google-Apple API.

The companies’ API rules stipulate that a government can only request and not require users to share personal information such as a phone number.

COVIDSafe requires these details upon sign up. Ireland’s COVID Tracker app on the other hand asks only for opt-in metrics.

Minister for Government Services Stuart Robert said the Government is open “to improving [the] technology” if it maintains a key role for health officials in the process.

“The current structure of the Google-Apple API does not do that,” he said.

“We will continue to work with Google and Apple, particularly to see if they can remove their barriers in allowing a sovereign tracing app — that has health professionals at its core — access to improved Bluetooth functionality”.

Ultimately, it may still be too early to say whether any piece of technology can be the pandemic silver bullet so many countries are after.

Professor Dmitrienko thinks it’s too early to know how effective these apps are.

“[The] general opinion is that this technique cannot really replace the manual contact tracing, but it can be complementary,” she said.

But then, there’s the price tag.

By some estimates, COVIDSafe has reportedly cost around $2.75 million in contractors’ fees.

The Irish app cost €850,000 ($1.4 million).

Fake news is flourishing during COVID-19

Not long after news of a virus outbreak in the Chinese city of Wuhan began to spread worldwide, this image hit the internet:

[Image: world map with red flight-path lines, watermarked with the word ‘false’]

Some people claimed it was a map of Wuhan travellers across the 2020 Lunar New Year. Tabloids in the United Kingdom picked it up. Channel 7’s Sunrise used it in a live segment.

But it did not represent the outbreak. It showed a year’s worth of flights, from nine years ago.

After a summer of devastating bushfires and the upheaval brought by coronavirus, the first six months of 2020 have been defined by immense change — and we’ve all been looking for answers.

A study by the News and Media Research Centre found that even at the beginning of this year, Australia’s demand for news surged. Nearly half of those surveyed got their news online.

For Anne Kruger, this triggered alarm bells. The Australia Pacific lead for global fact-checker First Draft news told The Drum we’re in the perfect conditions for fake news to flourish.

“While you’re waiting for information to come out, people are scrambling around to get what they can,” she says.

Over the summer of bushfires, fake news gripped our feeds. Misleading maps went viral. Images were picked up and shared by high-profile celebrities.

Know your fake news: How to spot a fraud

In late January, a “Queensland Health” media release circulated online, advising against “nonessential travel to Wuhan, China, Sunnybank, Runcorn” and several other locations.

Using a familiar format and an official logo, it looked like any other government document. But very quickly, state MP Duncan Pegg stepped in to call it out. It was a fake.

As technology develops, fake news is getting more sophisticated. But there are a few key markers to test if you’re unsure if what you’re reading is real.

The first is language: how is the issue being discussed?

When the fake Queensland Health statement was released, many were quick to pick up that only suburbs with higher Chinese-Australian populations were singled out.

“If you look closer at the language you could just tell they were picking on them. It didn’t seem quite right,” says Anne Kruger.

Fake news tends to take advantage of our tendency to share content that evokes an emotional response.

They want your like, your share — even your angry reaction.

The second marker involves a good old-fashioned profile stalk. Namely, who, where and when.

“Look at ‘who is this person, where are they and what else have they posted or shared in the past?’,” says Anne Kruger.

“Quite often, I’ve found accounts that have been set up literally the same week or month that there’s been a particular issue they’ve wanted to criticise or comment on.”

Finally, try to work out why the post is being shared in the first place. First Draft News boils it down to three broad areas. The first is power; anyone looking to push an ideology, politics — even conspiracy people.

The other is financial gain. Is someone trying to get your money through this post? Whether it be a donation, merchandise, or a product.

And finally: it could just be general mischief. Each area shows how vast and varied fake news content can be.

So, how do we fight it?

The first step is simple: wait.

“I always say, have that seven-second delay before you like anything, before you send anything, because you’re feeding the algorithm,” says Anne Kruger.

If you think an image, a tweet or a story looks a bit dodgy, do not engage.

However, if you want to do your part in stamping misinformation or disinformation out, Anne Kruger recommends you try to verify it — with the help of experts.

“If you find something that’s suss, send it in as a tip to your reliable news organisation.”

First Draft News is leading a coordinated effort to stamp out fake news. Twelve organisations have come together to identify, document and expose it.

Kruger says even just sending in a screenshot can be a significant help in filling a ‘data void’.

“It’s just too much information for newsrooms to do this alone; too many groups to follow and monitor.”

Garmin goes down after suspected ransomware attack

Well-known maker of avionics equipment and activity trackers Garmin is believed to be the latest victim of a large-scale ransomware attack that has seen the Taiwanese company’s IT and communications systems shut down.

Garmin has yet to say what is causing the outage but confirmed that most of its online properties are offline, along with its call centres, email system and online chats.

A Taiwanese news site, iThome, posted what it says is an internal email from Garmin.

In the email, Garmin staff say the company’s servers and databases have been attacked, and that production in the Taiwanese factory will be closed down for two days as a result.

The company’s Connect system status page lists all of its 18 activity tracking features as being down, with the outage first reported just over half a day ago.

Garmin’s website for pilots carries a large alert about the current service outage, with no time of service restoration given.

Users have been unable to sync their data with Garmin’s services, with some expressing concern on social media about the safety of their health data that was uploaded to the Taiwanese company.

Criminals are increasingly targeting larger companies such as car manufacturer Honda that was recently hit by ransomware.

“Ransomware was mainly the bane of smaller businesses, but now the groups are successfully hunting ever bigger game,” threat analyst Brett Callow from security vendor Emsisoft told iTnews.

“That means bigger ransoms, which in turn means the groups have more to invest in ramping up their operations in terms of both scale and sophistication,” Callow said.

Callow advised ransomware victims not to pay the criminals.

He added that if nobody paid the extortionists, the ransomware scourge would stop and go away.

Documents reveal AFP’s use of controversial facial recognition technology Clearview AI

Documents reveal how the Australian Federal Police made use of Clearview AI — a controversial facial recognition technology that is now the focus of a federal investigation.

At least one officer tested the software using images of herself and another member of staff as part of a free trial.

In another incident, staff from the Australian Centre to Counter Child Exploitation (ACCCE) conducted searches for five “persons of interest”.

According to emails released under Freedom of Information laws, one officer also used the app on their personal phone, apparently without information security approval.

Based in New York, Clearview AI says it has created a tool that allows users to search faces across a database that contains billions of photos taken, or “scraped”, without consent from platforms such as Facebook and Instagram.

The company provoked outrage in January, when the New York Times revealed the extent of its data collection and its use by law enforcement officials in the United States.

The AFP initially denied any ties to Clearview AI before later confirming officers had accepted a trial.

An agency spokeswoman said a “limited pilot of the system” was conducted to assess its suitability in combatting child exploitation and abuse.

She did not comment on questions from the ABC regarding whether the trial was approved and conducted appropriately by officers.

Last week, the Office of the Australian Information Commissioner (OAIC) announced an investigation into Clearview’s use of scraped data and biometrics, working with the UK’s Information Commissioner’s Office (ICO).

AFP initially denied using Clearview AI

The AFP acknowledged in April that members of the ACCCE had undertaken a free trial of Clearview’s facial recognition services, but the extent of its use by officers remained unclear.

No formal contract was ever entered into.

“The use by AFP officers of private services to conduct official AFP investigations in the absence of any formal agreement or assessment as to the system’s integrity or security is concerning,” Labor leaders, including Shadow Attorney-General Mark Dreyfus, said in a statement at the time.

The new cache of AFP documents shows officers accessed the Clearview AI platform from early November 2019.

Tests of the tool undertaken using images of AFP staff and several “persons of interest” are detailed in the agency’s response to questions issued by the information commissioner as part of the office’s inquiries.

However, the agency said it did not know how many actual searches officers undertook, because the AFP’s access to Clearview AI was now restricted.

An executive briefing note claims Clearview AI was used operationally only once to locate a suspected victim of imminent sexual assault.

“To date no Australian personal information has been successfully retrieved through the Clearview platform,” the briefing also states.

The use of Clearview AI appears to have caused concern within the agency — and in some cases, officers appear to query whether the tool has been formally approved.

In December 2019, one officer asks if “info sec” (information security) had raised any concerns about the use of Clearview AI.

Another officer replies that they “haven’t even gone down that path yet”, revealing that they’re “running the app” on their personal phone.

In January, after the media began reporting about Clearview AI, another member of staff notes “there should be no software used without the appropriate clearance”.

The emails also show some bemusement internally at public claims the AFP was not using the tool, with one officer commenting: “Maybe someone should tell the media that we are using it!”

“Or should we stop using it since everyone is raising the issue of approval,” another replies, with a smiley face emoji.

“Interesting that someone says we aren’t using it when we clearly are,” another employee from the ACCE wrote on January 21.

Officers were directed to cease all access as of January 22, 2020 — four days after the New York Times story was published.

Clearview AI was founded by Australian businessman Hoan Ton-That.

In the documents, he appears to contact an AFP officer personally via email in December 2019 — introducing himself and asking them how they found the tool.

In a statement, Mr Ton-That said Clearview would cooperate with the UK’s ICO and Australia’s OAIC.

“Clearview AI searches publicly available photos from the internet in accordance with applicable laws,” he said. “It’s powerful technology [and] is currently unavailable in UK and Australia.”

Shortly after Mr Ton-That’s December message, an AFP officer wrote in an email that they had run a mugshot through the Clearview system and “got a hit for [the suspect’s] Instagram account”.

“The [facial recognition] tool looks very good,” they wrote.

LinkedIn sued over allegation it secretly reads Apple users’ clipboard content

Microsoft’s LinkedIn was sued by a New York-based iPhone user on Friday for allegedly reading and diverting users’ sensitive content from Apple’s Universal Clipboard application.

According to Apple’s website, Universal Clipboard allows users to copy text, images, photos, and videos on one Apple device and then paste the content onto another Apple device.

According to the lawsuit filed in San Francisco federal court by Adam Bauer, LinkedIn reads the Clipboard information without notifying the user.

LinkedIn did not immediately respond to Reuters’ request for comment.

According to media reports from last week, 53 apps including TikTok and LinkedIn were reported to be reading users’ Universal Clipboard content, after Apple’s latest privacy feature started alerting users whenever the clipboard was accessed with a banner saying “pasted from Messages.”

“These ‘reads’ are interpreted by Apple’s Universal Clipboard as a ‘paste’ command,” Bauer’s lawsuit alleged.

A LinkedIn executive had said on Twitter last week that the company released a new version of its app to end this practice.

Developers and testers of Apple’s operating system iOS 14 found that LinkedIn’s application on iPhones and iPads “secretly” read users’ clipboard “a lot,” according to the complaint.

The lawsuit seeks to have the complaint certified as a class action, based on alleged violations of the law or social norms under California law.

According to the complaint, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple’s Universal Clipboard timeout.

Australian privacy watchdog launches investigation into Clearview AI

Australia’s privacy watchdog will probe the personal information handling practices of Clearview AI after several policing agencies admitted to having used the controversial facial recognition tool.

The Office of the Australian Information Commissioner (OAIC) on Thursday opened a joint investigation into the software with the United Kingdom’s Information Commissioner’s Office (ICO).

The tool, which is targeted at law enforcement agencies, is capable of matching images with billions of others from across the internet, including social media, to find persons of interest.

As part of the probe, OAIC and its overseas counterpart will look at Clearview AI’s “use of ‘scraped’ data and biometrics of individuals”, as well as how it manages personal information more broadly.

“The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalised data environment,” the OAIC said in a brief statement.

“In line with the OAIC’s privacy regulatory action policy, and the ICO’s communicating our regulatory and enforcement activity policy, no further comment will be made while the investigation is ongoing.”

The investigation follows preliminary enquiries by OAIC earlier this year after the tool was revealed to have been used by 2200 law enforcement agencies globally, including the Australian Federal Police and the Queensland, Victoria and South Australia police forces.

While the four policing agencies initially denied that the software had been used, the AFP and Victoria Police have since been forced to admit to having briefly trialled the tool from late 2019.

The AFP confirmed in answers to questions on notice that seven officers from the Australian Centre to Counter Child Exploitation had used the tool to conduct searches after being sent trial invitations from Clearview AI.

Victoria Police, similarly, confirmed in a freedom of information request that several officers from the Joint Anti-Child Exploitation Team had run more than 10 searches using the tool after signing up.

Both agencies stressed that Clearview AI had not been adopted as an enterprise product and that no formal commercial agreements had been entered into.

NSW govt sets up vulnerability tracking centre in Bathurst

The NSW government has set up a cyber security vulnerability management centre in Bathurst, which will start operating next month.

The centre will be operated by Cyber Security NSW, the new name given to what was formerly the Office of the Government Chief Information Security Officer.

“It will provide the NSW government with an increased awareness of vulnerabilities in internet-facing services and assets,” Customer Service Minister Victor Dominello said in a statement.

“It will deliver a vital, sector-wide risk management capability and is critical to ensuring enhanced monitoring of at-risk government systems, as well as early identification and remediation of known vulnerabilities.

“Early detection of vulnerabilities and the ability to report them to the relevant agencies and departments is essential to improving our cyber security.”

The government added that the centre “will provide ongoing and automated vulnerability scanning across departments and agencies, and as capability develops, other services will be introduced.”

The centre is the first of its kind in NSW and will employ eight Bathurst-based cyber security staff.

It will also see Cyber Security NSW work in partnership with UpGuard “to provide the NSW Government with greater capabilities to detect and manage internet-facing vulnerabilities and data breaches.”

The centre’s establishment comes as the NSW government prepares to invest $240 million into cyber security over the next three years.

It also comes as news reports emerge of the state government being a major target of a potentially state-based attack.