18 June 2022

Hackers Steal a ‘Very Large’ Batch of Private Data from Australia’s Disability Scheme


Medicare and tax file numbers are publicised after the scheme’s client management platform was breached last month.


Hackers have obtained and published part of a “very large” batch of medical records and other sensitive information belonging to participants of Australia’s National Disability Insurance Scheme after breaching the scheme’s client management software last month.

The platform that fell victim to the breach belongs to CTARS, an Australian software provider that supplies client management services to NDIS providers as well as the people living with disabilities they support.

A spokesperson for the company told VICE that staff became aware of the breach on May 15, before a sample of the data was bragged about on a ‘deep web’ forum.

As it stands, the breach has affected only NDIS participants whose providers use CTARS, not all participants of the scheme. The company says those participants can expect to be notified if their data has been compromised.

“In the interests of the privacy of our customers’ clients and staff, and to reduce the risk of attempts by scammers to target our customers, we are not releasing details of the number of people who may have been impacted,” the spokesman said.


The scope of the details lifted from the platform has been described by some privacy advocates as “galling”. Among them are understood to be Medicare numbers, Tax File Numbers and “more than enough” to commit credit card fraud. So far, attempts to offer help to those impacted have been limited.

In the short term, though, the team at CTARS say they have engaged external cyber-security and forensic specialists to contain the hack.

The National Disability Insurance Agency, the federal agency tasked with administering Australia’s disability scheme, told VICE through a spokesperson that it has been working with CTARS since the hack and that it takes the protection of participant data and information security “extremely seriously”.

In response to questions about what the NDIA was doing to offer support and recourse to those who think they might have been affected, the agency deferred to the CTARS website, which has set up a community service support centre courtesy of Australia’s national identity and cybersecurity community support service.

Source: motherboard

US senators declare war on Apple's Lightning port, calling for one charger to rule them all - will Australia follow?


Well, here's something that should have happened a long, long time ago. Following the European Union's example from just last week, the US could make USB-C charging mandatory across the consumer electronics industry soon, at least if the Secretary of Commerce heeds the advice of a trio of Democratic senators.


While Ed Markey, Elizabeth Warren, and Bernie Sanders make no direct mention of either USB-C or Lightning technology in their joint June 16 letter addressed to the "honorable" head of the US Department of Commerce, there's really no other "comprehensive strategy" that could possibly be adopted to tackle the lack of a "common US charging standard" than what the EU is looking to enforce by fall 2024.

The European Union's recently passed legislation is in fact directly referenced in the letter, with pretty much the same arguments invoked in favor of developing a similar law to be applied stateside. Of course, the US just so happens to be Apple's homeland and single biggest smartphone market, which means this proposal may well be met with a far higher degree of resistance at every level.

Perhaps in anticipation of such discussions and legislations, the Cupertino-based tech giant has long been working on ditching its universally reviled Lightning port. The newest iPad Air, Mini, and Pro editions all come with the same USB-C connectors as their Android-powered rivals, and if recent rumors are to be believed, the "standard" iPad should follow suit by the end of the year.

The same is extremely likely to happen with the iPhone 15 family in the fall of 2023, but because there are no guarantees yet, this new (and official) call for "uniform charging accessory standards" might not amount to much in the very near future.

Still, we can definitely see a more serious and public discussion than ever sparked by these three senators' letter on the consumer inconveniences and the proliferation of electronic waste generated by not having a single charger compatible with all your electronic devices. 

In case you're wondering, chargers alone are estimated to create over 11,000 (!!!) tons of e-waste annually around the world, and while outlawing Lightning ports and cables could aggravate that problem in the short run, its long-term impact will undoubtedly be very positive both from an ecological and even a financial perspective.

Source: phonearena.com

So will the Australian Government make it easier for the 'consumers'?

Of course not!

This colony is all about ripping off consumers and extorting as much cash as possible from the serfs.


15 June 2022

Apple M1 Flaw Can’t be Fixed — PACMAN Panic


Apple’s M1 chip isn’t as safe from buffer overflows as previously thought. M1 and other designs based on ARMv8.3 can have their protections neutered.

MIT researchers have worked out they can brute-force the protective “pointer authentication codes” (PAC) without being detected—even in kernel memory. Once again, it’s the fault of our old friend: Speculative execution.

Their “PACMAN” technique is just waiting to help exploit the next zero-day. In today’s SB Blogwatch, we dust off our abacus.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Proof that the 12th Doctor is Rick Sanchez.

MIT ARM PAC Hack

What’s the craic? Carly Page reports—“Researchers uncover ‘unpatchable’ flaw in Apple M1”:

The attack even works against the kernel
The vulnerability lies in a hardware-level security mechanism utilized in Apple M1 chips … PAC. This feature makes it much harder for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits.

Researchers from MIT … have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. … And as it utilizes a hardware mechanism, no software patch can fix it.

PACMAN works by “guessing” a … PAC—a cryptographic signature that confirms … an app hasn’t been maliciously altered. This is done using speculative execution … to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct. … In a proof of concept, the researchers demonstrated that the attack even works against the kernel.

And take heed of Samuel K. Moore’s lore—“How many dominoes could fall if this centerpiece CPU’s weakness pans out?”:

A side-channel trick
At the International Symposium on Computer Architecture later this month, researchers led by MIT’s Mengjia Yan will present a mode of attack that so weakens the … PAC defense that the core of a computer’s operating system is made vulnerable. … Yan’s group explored some naive solutions to PACMAN, but they tended to increase the processor’s overall vulnerability.

Pointer authentication appends a cryptographic signature to the end of the pointer. If there’s any malicious manipulation of the pointer, the signature will no longer match. … PACMAN finds a way for malware to keep guessing over and over without any wrong guesses triggering a crash. … A side-channel trick involving stuffing a particular buffer with data and using timing to uncover which part the successful speculation replaces, provides the answer.

Horse’s mouth? Joseph Ravichandran, Weon Taek Na, Jay Lang and Mengjia Yan—“PACMAN: Attacking ARM Pointer Authentication with Speculative Execution”:

May lead to arbitrary code execution
We present … a new way of thinking about compounding threat models in the Spectre age [and] a hardware attack to forge kernel PACs from userspace. … PACMAN is what you get when you mix a hardware mitigation for software attacks with microarchitectural side channels.

Much like the Spectre attack our work is based on, PACMAN executes entirely in the speculative regime and leaves no logs. … PACMAN takes an existing software bug (memory read/write) and turns it into a more serious exploitation primitive … which may lead to arbitrary code execution.

We reported our findings and proof-of-concept code to Apple, and have been in talks with them since 2021.

Sky falling? With some important clarifications, here’s enriquevagu:

[PACMAN] does not attack Apple M1; [it] attacks a security mechanism in ARM, introduced in ARMv8.3. They have employed the Apple M1 processor … but it is very likely that many other ARMv8-based processors will have the same limitation.

[PACMAN] does not allow you to compromise a system by itself. ARM Pointer Authenticator Codes is a security mechanism that prevents exploiting some memory corruption vulnerabilities. With this new attack, it is again possible to exploit code that has vulnerabilities. It is the memory corruption vulnerability in the code that will allow attackers to compromise the system; PAC was an additional protection to prevent it.

Clear as mud? big_D tries again:

The other thing is, the ARMs (and other types of CPU) that don’t have this protection are already vulnerable to such attacks (the point of this technology is to protect the pointers from manipulations). So this attack just brings the extra protection that ARM chips with pointer protection back to a level playing field with “normal” chips.

With a “normal” CPU chip, you can manipulate the pointers directly. With these ARM chips with pointer protection, you have to additionally crack the encryption of the pointer protection in order to manipulate it. This means it is harder to get started and it takes more time than a traditional CPU without pointer protection, but once you have spent time breaking the encryption, you can manipulate the pointers, just like any other CPU.


How do we fix this? Nuke it from orbit—it’s the only way Developer12 can be sure:

Computing must grow up
For all the effort we put into these speed bumps, we should really be focusing on holistic, formal verification. “Last line of defense” pointer checking becomes a redundant transistor waste when pointer use is checked thoroughly at compile-time (as in Rust, but that really shouldn’t be the only example).

And that’s all these really are: speed bumps. There’s no such thing as “defense in depth,” because these defenses are never taken together. Attackers are perfectly happy to … bypass each new incomplete measure as it gets added. First it was stack cookies, so they focused on write primitives to copy the cookie. Then it was no-execute stacks, so they started implementing rop-attacks. And so on.

We’ve been collectively resistant to formal verification because it’s something that requires expertise. [But] computing must grow up, like every other engineering discipline. Civil engineering made the transition from “I think the walls should be thick enough,” to “let’s calculate the load and strain.” Electrical engineering stopped electrocuting frogs and developed Maxwell’s laws.

All of which makes splutty yearn for the days of IBM mainframes:

Modern CPU architectures are pretty much designed for performance over anything else, and security seems to be very low on the priority list. Whereas the 360/370/390 series were very much designed to be as secure and segmented as possible.

But is the reporting a bit overblown? ben7799 thinks so:

It’s kind of ridiculous it’s getting this kind of press before the paper is officially published and available. If the paper was published and security experts were allowed to analyze it before the tech press went nuts the stories would probably have a different tone.

This is interesting theoretically but the amount of access required is pretty high, this is hardly an exploitable zero day. [But] it certainly is a super interesting paper and presents a bunch of work for chip designers.

Meanwhile, skeevy420 references an older meme—but it checks out:

Yo dawg, we heard you had a vulnerability mitigator so we designed a vulnerability to mitigate your vulnerability mitigator.

Source: securityboulevard.com
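
The pointer-signature check described in the quotes above, as an added example that is not code from the MIT paper, Apple or ARM: a toy model in which a keyed tag is stored in the unused upper bits of a pointer and re-checked before use. The 48-bit address width, the 16-bit tag, the demo key and the SplitMix64 mixing function (standing in for the hardware cipher) are all assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model assumptions: 48 address bits, PAC in the 16 bits above them. */
#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)

/* Constructed demo key; on real hardware the key is held where
   unprivileged code cannot read it. */
static const uint64_t DEMO_KEY = 0x0123456789abcdefULL;

/* SplitMix64 finalizer, a stand-in for the hardware's keyed cipher. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* 16-bit tag over (address, modifier) under the key. */
static uint64_t toy_pac(uint64_t addr, uint64_t modifier, uint64_t key) {
    return mix64(mix64((addr & VA_MASK) ^ key) + modifier) >> VA_BITS;
}

/* Sign: place the tag in the upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key) {
    return (ptr & VA_MASK) | (toy_pac(ptr, modifier, key) << VA_BITS);
}

/* Authenticate: recompute the tag; return 1 and the bare address on a
   match, 0 otherwise (hardware would make the pointer fault on use). */
int pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key,
             uint64_t *out) {
    uint64_t addr = signed_ptr & VA_MASK;
    if ((signed_ptr >> VA_BITS) != toy_pac(addr, modifier, key))
        return 0;
    *out = addr;
    return 1;
}

/* Simulate a memory-corruption bug that rewrites the address bits of a
   signed pointer but leaves the old tag in place. Returns how many of
   the n corrupted pointers fail authentication. */
unsigned rejected_overwrites(uint64_t ptr, uint64_t modifier,
                             uint64_t key, unsigned n) {
    uint64_t good = pac_sign(ptr, modifier, key), out;
    unsigned rejected = 0;
    for (unsigned i = 1; i <= n; i++) {
        uint64_t corrupted = (good & ~VA_MASK) | ((ptr ^ i) & VA_MASK);
        if (!pac_auth(corrupted, modifier, key, &out))
            rejected++;
    }
    return rejected;
}

/* Reuse a validly signed pointer under a different modifier (context).
   Returns how many of the n replays fail authentication. */
unsigned rejected_replays(uint64_t ptr, uint64_t modifier,
                          uint64_t key, unsigned n) {
    uint64_t good = pac_sign(ptr, modifier, key), out;
    unsigned rejected = 0;
    for (unsigned i = 1; i <= n; i++)
        if (!pac_auth(good, modifier + i, key, &out))
            rejected++;
    return rejected;
}

int main(void) {
    uint64_t ptr = 0x7f12345678ULL, out = 0;   /* constructed address */
    uint64_t s = pac_sign(ptr, 0x1000, DEMO_KEY);
    printf("signed pointer:        0x%016llx\n", (unsigned long long)s);
    printf("untouched pointer ok:  %d\n", pac_auth(s, 0x1000, DEMO_KEY, &out));
    printf("overwrites rejected:   %u / 4096\n",
           rejected_overwrites(ptr, 0x1000, DEMO_KEY, 4096));
    printf("replays rejected:      %u / 4096\n",
           rejected_replays(ptr, 0x1000, DEMO_KEY, 4096));
    return 0;
}
```

A corrupted pointer passes only when its stale tag happens to match, and each failed check on hardware ends in a fault; that crash-on-wrong-guess behaviour is the protection the quoted researchers say PACMAN gets around by testing guesses speculatively.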


14 June 2022

Serious Credit Warning Issued For Millions Of iPad, iPhone Users

Beta code from the first release of iOS 16 has already leaked a new HomePod and a potentially exclusive iPhone 14 Pro upgrade, but it also contains a feature users have been warned about using.

Posting on The Conversation, Rajat Roy, Associate Professor of the Bond Business School, Bond University, has warned iPhone and iPad owners that the new 'Apple Pay Later' service baked into iOS 16 has potentially serious financial consequences — particularly for your credit rating.

In Apple's own words: "Apple Pay Later provides users in the US with a seamless and secure way to split the cost of an Apple Pay purchase into four equal payments spread over six weeks, with zero interest and no fees of any kind... Apple Pay Later is available everywhere Apple Pay is accepted online or in-app, using the Mastercard network."

It sounds convenient and Roy notes Apple stands to make significant income from this "zero interest" service as well as learn a lot about its users' spending patterns:

"As Apple’s customers increasingly start to use the Pay Later service, it will gain from merchant fees. These are fees which retailers pay Apple in exchange for being able to offer customers Apple Pay. In addition, Apple will also gain valuable insight into consumers’ purchase behaviours, which will allow the company to predict future consumption and spending behaviour."

But Roy argues that the harsh reality of Apple Pay Later is it opens the door for everyday users into the murky world of unregulated finance which "does not bode well for all customers."

Source: forbes.com

12 June 2022

'Spineless' ACCC supporting Google's monopoly

‘Fight the fight themselves’: Aussie start-up Unlockd’s lonely battle against Google

That there’s no love lost between Matt Berriman and Australia’s competition regulator isn’t surprising. It was the beginning of 2019 when the Australian Competition and Consumer Commission began to examine how and why Google kicked Unlockd off its platforms; since then, the founder of the Melbourne-based advertising start-up has been waiting for — even expecting — the enforcement action to begin.

But Berriman has heard nothing but crickets — despite the ACCC’s stated concerns about Big Tech’s often fraught relationship with third-party companies using their platforms. Then, this year, the ACCC quietly shut down its Unlockd investigation, putting an end to any hope that it would pursue Google over the matter, leaving administrators of the now defunct start-up to focus on legal action of their own in the US.

The ACCC’s hard pass on this enforcement opportunity is the most recent setback for a company that had been ready to revolutionise global digital advertising and had attracted $60 million in commitments from high-profile investors led by Lachlan Murdoch. And now, Berriman believes the regulator’s caution in taking on Google could harm the prospects of other Australian tech start-ups.

“For what was a pretty clear case, it was disappointing [the ACCC] took so long and then didn’t take action”, Berriman said in a recent interview, adding that the probe had been a “long, slow and cumbersome process”, despite the antitrust regulator’s wealth of knowledge on how digital platforms can squeeze out rivals.

The ACCC had become a “toothless tiger” whose enforcement timidity will allow Google to “continue to unlawfully destroy or affect businesses … without any repercussions,” Berriman said.

But close observers believe the ACCC’s decision not to get involved in the Unlockd case doesn’t mean the regulator has lost interest in allegations that tech giants — whether Amazon, Google or Meta platforms — may be denying start-ups access to their services in a bid to harm real or potential competitors.

Instead, the ACCC appears to be keeping its powder dry, allowing for the aggrieved start-ups to file their own court actions and watching how things shake out. This means the ACCC could avoid investing its limited resources in enforcement that may ultimately not be significant enough to put the fear of God into tech giants planning to place nascent start-ups in a headlock.

And if there was any doubt about this enforcement strategy, ACCC chair Gina Cass-Gottlieb used a speech at a conference in Berlin this month to hammer home the point.

“Investigation and court proceedings are lengthy and necessarily retrospective, seeking to address harms after they have occurred”, Cass-Gottlieb said. “To successfully prosecute a case, we often must narrow allegations and ignore broader concerns with conduct. This is particularly problematic in digital platform cases where market power is multifaceted, needs to be assessed across multiple markets and produces consumer as well as competition harms.”

According to some observers, competition enforcement of digital platforms has become a game of chicken. The ACCC appears determined to hold back until it’s certain of getting deterrence bang for its buck, while limiting its lawsuits to privacy-based concerns under consumer law. As Cass-Gottlieb has said, competition cases are simply a lot harder for the ACCC to win.


That’s why attention in Australia is now shifting towards court action involving tech companies claiming to have been treated unfairly — and in violation of competition law — by the platforms.

The move by Unlockd against Google in a US federal court in California, along with the Australian lawsuit filed against Meta by local tech start-up Dialogue Consulting, has now become the pitch on which the competition regulatory game is being played. Unlockd’s claim against Google, alongside Dialogue’s lawsuit targeting both Meta’s Facebook and Instagram platforms, boils down to basic provisions contained in both US and Australian competition law.

Watchdog lurking

Before Google wrote to Berriman in 2018 to announce it was barring Unlockd from its app store, things had been looking up for the Australian start-up. By availing itself of the Google Play store and Google’s AdMob services, it had built a business model around allowing users of handsets using the Android operating system to receive advertising on their locked phone screens, in return for vouchers and other promotional offers.

But just as Unlockd and Berriman had been preparing to go public, Google pulled the plug, saying the company hadn’t met the terms and conditions for access to its app store; despite a successful attempt to obtain an injunction in a UK court, Unlockd was brought to its knees and is now considered unlikely to ever be revived.

Unlockd has never accepted Google’s contractual arguments and is telling the US Northern District Court of California that it was kicked off the platform because the search giant had its own plans to set up an advertising service; Google’s 2020 investment in Indian start-up Glance, which provided the same ad-tech services as Unlockd, was all part of the platform’s masterplan, according to the lawsuit. The case had been facing a Google motion to dismiss on July 14, but just this week that date was pushed back to September.

Meanwhile, Melbourne-based Dialogue was experiencing comparable problems with Meta. The start-up’s Sked Social service had been designed to help companies schedule their social-media postings on both Facebook and Instagram; and, again, things were going very well, until they weren’t.

Despite years of dealing successfully with Meta and the Meta-owned Instagram, the platform suddenly changed tack. Citing contractual violations, Meta banned all Dialogue employees from its platforms — a move that could have destroyed the business, had it not been for a Federal Court of Australia injunction forcing Meta to suspend the ban.

In both cases, the competition law logic of the start-up’s claims was clear. Unlockd alleges Google shut it down because the tech giant intended to launch an advertising app of its own; Dialogue claims that Meta, which at the time had no comparable social-media scheduling service, also wanted to sink a future rival. Both cases are predicated on the assumption that the tech giants should operate their platforms as neutral venues on which all players — including the platforms’ parent companies — should compete on an equal footing. Neither Meta nor Google responded to requests for comment.

Dialogue has chosen to pursue the matter in Australia and has already secured something of a breakthrough, with the Federal Court rejecting Meta’s claim that the dispute was a contractual matter that should be resolved in a California arbitration court. The Australian judges appear adamant that any allegation that the 2010 Competition and Consumer law had been violated should be resolved in Australia.

With all antitrust cases involving digital platforms, the ACCC appears to be lurking in the background, contemplating its next move. In the Australian lawsuit brought by Epic Games, the US company behind Fortnite, against what it alleges are Google’s restrictive policies in its App Store, the ACCC reared its head, filing an “amicus” brief against Google’s ultimately unsuccessful attempt to have the case moved to a court in California.

Uphill battle

Both the Unlockd and Dialogue challenges, as well as the lawsuit filed by the better-resourced Epic, can be read as companies feeling forced to take legal action, when Big Tech either decided to flick the switch on their access to the platforms or threatens to do so.

It’s an odd situation for start-ups to find themselves in. On the one hand, they are pitted against the business practices of the tech giants — in Epic’s case, the grievance is with Apple and Google’s app stores; but on the other they still have access to a user base and a profitable business model.

This is where the game of chicken comes into play. The smaller tech companies need to ask themselves whether legal action is worth it — and in the case of both Unlockd and Dialogue, either pushed to the curb entirely or facing closure because of the platforms’ behaviour, the answer is clearly “yes”. But for other companies feeling aggrieved but not facing an existential crisis, keeping their heads down and waiting for either ACCC enforcement or even new tech-focused antitrust legislation may be a preferable option.

As to why Australian tech start-ups would fight these battles in the US, one explanation is that only US courts can provide them with the significant payout they deserve. Unlockd’s administrators, for example, had commenced legal action in both the UK and in Australia’s Federal Court, only to discontinue it and focus on the US, where the start-up’s revenue streams had been greater.

The problem with the ACCC’s wait-and-see approach is that no matter where the civil lawsuits against the platforms are lodged, start-ups taking on the world’s largest and most powerful technology companies face enormous challenges. The platforms play for time wherever possible, relying on seemingly unlimited resources to fight the competition law allegations every step of the way. This could dampen the willingness of cash-strapped start-ups to take on tech giants — something that may ultimately force Cass-Gottlieb to scrap the game of chicken and get directly involved both in the courtroom and through new regulatory measures. The ACCC declined to comment.

Meanwhile, Berriman appears to have given up on the ACCC, saying the antitrust enforcer had earlier indicated to him that it wanted to take action but “baulked at the last moment, [noting] we were using resources in US to pursue civil proceedings”.

“[The ACCC] had more than enough evidence,” Berriman said. “Unfortunately, it appears there were wider considerations other than just the merit of Unlockd’s case at play and they decided to prioritise other matters... It appears they decided to leave it up to us to fight the fight.”

TheAge - 11 Jun 2022