Australia's National ID System Will Be Awful... And Then Great
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Island.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
The Australian Government plans to build a digital trust and identity infrastructure spanning the entire economy. The initiative aims to fill a real need as there is no robust way to prove your real-world identity online, despite it being a common and important requirement.
The Minister for Government Services, Bill Shorten, announced the Trust Exchange, or TEx, initiative last week. The apparent, if unstated, hope is that TEx becomes the standard way for Australians to prove their identity and confirm personal attributes across government and the private sector. Part of the intent is that robust verification happens with less sharing of personal information.
"TEx would take all the hassle out of finding dozens of documents to prove who you are when you're doing things like setting up a bank account or buying a mobile phone or even trying to rent a property", Shorten said. "TEx will connect the bank or telco or real estate agent with your digital wallet and you then consent to share only the identity attributes or credentials you choose to."
People would be able to decide what information they share, on a per transaction basis.
For example, in a speech at the National Press Club, Shorten stepped through how a person would prove that they were of legal drinking age at a bar:
"The plan with TEx is that they'd just hold their phone to a tap-to-pay style machine and a digital token will be sent to the club vouching for their identity and that they’re over 18. Not even their actual age is disclosed, merely that they are over 18. The token will be a valuable promise to the club, but of zero value to a cybercriminal because the confirmation token will not contain any personal information."
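The bar scenario above, as an added illustration that is not TEx's design and not code from the newsletter: the issuer turns a date of birth into a signed "over 18" predicate bound to the venue and to a one-time nonce the venue handed out, and the venue checks signature, audience, expiry, nonce and that no attribute beyond the one it asked for is present. The HMAC key, the holder records, the field names and the venue identifier are all assumptions; a real scheme would use a public-key signature so the venue never holds an issuer secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from datetime import date

# Stand-in for the issuer's signing key (assumption): HMAC keeps this example
# runnable with the standard library, but it means the relying party shares the
# issuer's secret. A real deployment would use a public-key signature instead.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed identity records held by the issuer (hypothetical people).
IDENTITY_STORE = {
    "holder-001": {"name": "A. Citizen", "dob": date(1990, 6, 15)},
    "holder-002": {"name": "B. Minor", "dob": date(2015, 1, 1)},
}


def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def is_at_least(dob, years, today):
    """True if the person born on dob has had their `years`th birthday by today."""
    try:
        cutoff = today.replace(year=today.year - years)
    except ValueError:  # born on 29 Feb: count the birthday on 28 Feb
        cutoff = today.replace(year=today.year - years, day=28)
    return dob <= cutoff


class Issuer:
    """Turns identity attributes into a signed predicate token for one relying party."""

    def __init__(self, key, store):
        self.key, self.store = key, store

    def issue(self, holder_id, claims, audience, nonce, ttl=120, today=None):
        record = self.store[holder_id]
        today = today or date.today()
        payload = {"aud": audience, "nonce": nonce, "exp": int(time.time()) + ttl, "claims": {}}
        for claim in claims:
            if claim == "over_18":
                # Only the predicate leaves the issuer: no name, no date of birth.
                payload["claims"]["over_18"] = is_at_least(record["dob"], 18, today)
            else:
                raise ValueError("unsupported claim: " + claim)
        body = b64e(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64e(mac)


class RelyingParty:
    """The bar: issues a fresh nonce per tap, accepts each nonce once, checks only the predicate."""

    def __init__(self, key, my_id):
        self.key, self.my_id, self.outstanding = key, my_id, set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, token, expected_claims, now=None):
        now = now or int(time.time())
        try:
            body, mac_b64 = token.split(".")
            good = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(good, b64d(mac_b64)):
                return False, "bad signature"
            payload = json.loads(b64d(body))
        except ValueError:  # covers base64, JSON and split errors
            return False, "malformed token"
        if payload.get("aud") != self.my_id:
            return False, "wrong audience"
        if payload.get("exp", 0) < now:
            return False, "expired"
        if payload.get("nonce") not in self.outstanding:
            return False, "unknown or reused nonce"
        self.outstanding.discard(payload["nonce"])
        if set(payload.get("claims", {})) != set(expected_claims):
            return False, "claims differ from what was requested"
        return True, payload["claims"]


def decoded_payload(token):
    return json.loads(b64d(token.split(".")[0]))


def tap_at_bar(holder_id="holder-001"):
    """One end-to-end tap (nonce -> token -> check) followed by a replay of the same token."""
    issuer = Issuer(ISSUER_KEY, IDENTITY_STORE)
    bar = RelyingParty(ISSUER_KEY, "bar-42")
    nonce = bar.challenge()
    token = issuer.issue(holder_id, {"over_18"}, "bar-42", nonce)
    first = bar.verify(token, {"over_18"})
    replay = bar.verify(token, {"over_18"})
    return token, first, replay


if __name__ == "__main__":
    token, first, replay = tap_at_bar()
    print("payload carried to the bar:", decoded_payload(token))
    print("first tap:", first, "| replay:", replay)
```

The part that makes the token "of zero value to a cybercriminal" is not the signature alone but the binding: a captured token names one venue, one nonce and a short expiry, and carries nothing about the holder beyond a boolean, so it cannot be presented elsewhere or mined for personal data.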
The TEx system would also give businesses a way to be certain of their customers' identities without having to store documents such as licences and passports. These are currently captured by some businesses to meet know-your-customer requirements.
The TEx is a proof of concept at this stage and there is no substantial technical detail available. In the first instance TEx will build upon myGovID, the government's digital identity system that's used to access some government services. In the longer term TEx won't be a government-only system, but will also include private sector involvement.
From a cyber security perspective, the system could replace the multitude of identity systems that the business community as a whole uses with a more secure government-endorsed system that would require less sharing of personal data. One major benefit would be the reduction in attack surface, with organisations holding a lot less personal data.
The proliferation of federated login systems provided by companies including Apple, Meta and Google, among others, demonstrates there is consumer demand for easy-to-use login services. But you can't use 'sign in with Apple' or its equivalents to create a bank account, for example, and there are a number of significant transactions where know-your-customer regulations or business imperatives mean that an online identity must be matched to a real person.
Being government-backed, the TEx could deliver that higher level of assurance — providing your passport to the government to confirm your real-world identity when creating a digital ID doesn't seem a stretch given the government issued the document in the first place.
So there is definitely an opportunity to make Australia's identity verification processes more secure and easier, but there is cause for concern.
Australia already has a digital identity project that once aimed at similar goals: Australia Post's Digital ID. Run by a government-owned corporation, it started in 2017 and even won an award in 2018 as the best federal government IT project.
Progress on the federal government's digital ID program has also been slow and bounced between different government departments, which is never a good sign. However, enabling legislation for the government's digital ID plans passed earlier this year. (TEx builds on the broader digital ID).
This legislation sets standards for digital ID service providers, establishes the Australian Competition and Consumer Commission as regulator of the scheme and provides for penalties if participants don't comply with standards or privacy safeguards. It provides assurances about what can and can't be done with consumers' data.
The Australian Government has been burnt twice with previous national identity projects. The Australia Card in 1985, and the Access Card in 2006 both ended in failure. It also has a poor track record delivering large-scale technology projects. The current myGovID iOS app has a 1.5 star rating on Apple's App Store with one review saying "if I could give less than 1 star I would". Not exactly confidence inspiring.
We expect that the project will be a short-term failure and long-term success. The system will be opt-in and, combined with the typical clunkiness of government-built systems, will take a long time to get traction. But there is a real need for robust online verification tied to real-world identity that a government-built service should fill.
What's a Little Spying Between Friends?
While some commentators interpret ongoing reports of Chinese-backed cyber espionage targeting Russian organisations as evidence of a breakdown of the countries' 'no limits' friendship, spying between allies is common or even standard practice.
Last week, Kaspersky reported on a campaign it linked to the China-based APT27 and APT31 groups. The Russian security firm described the campaign as "a series of ongoing targeted cyberattacks on dozens of computers at Russian government organisations and IT companies".
Although Kaspersky didn't directly attribute the campaign to Chinese government cyber espionage actors, it is just the latest in a series of reports from a variety of security firms describing Chinese targeting of Russian organisations.
There are several reasons this consistent targeting doesn't indicate a fraying in the relationship between Russia and China.
From a Chinese perspective, even a 'no-limits' friendship doesn't mean that Russia is going to share all its secrets. The dynamic here is that countries share intelligence deliberately and selectively. So Russia shares information with China when it is mutually advantageous and withholds information that would advance Chinese interests at Russia's expense. This information, of course, would be of intense interest to the Chinese state.
This dynamic applies even to very close allies that routinely share high-level intelligence (and Russia and China are not formal allies). So even amongst close allies there are still valuable secrets.
Espionage between allies is just a thing that happens and is not that unusual. During World War 2, for example, the British were trying to break US diplomatic codes up until the Pearl Harbour attack in December 1941.
More recently, material leaked by Edward Snowden in 2013 describes the interception of the then German Chancellor Angela Merkel's mobile phone by the NSA. This allegation resulted in some pretty serious repercussions and illustrates the risks of being caught spying on friends.
When it comes to China spying on Russia, however, Russia simply doesn't have any leverage to meaningfully complain, no matter how much it might dislike being spied on. Russia increasingly relies on China as a lifeline for its economy and as a supplier of the dual-use technologies that go into weapons for its war in Ukraine. China has it over a barrel.
Three Reasons to Be Cheerful This Week:
- Play Store security is good enough: Google has decided to shut its Play Store bug bounty program. When Google informed developers of its decision, it said improved security efforts had resulted in the program turning up fewer actionable vulnerabilities. A spokesperson told CyberScoop the program had "achieved its goal" of encouraging app developers to run their own security programs.
- Cyber security standards for aircraft: The US Federal Aviation Administration (FAA) proposed new cyber security rules for aircraft this week. The goal of the new rules is to harmonise cyber security criteria that until now have been addressed piecemeal using special conditions, while maintaining the same level of safety.
- AI not disinformation gamechanger: Meta's latest quarterly Adversarial Threat Report says that, so far at least, "GenAI-powered tactics provide only incremental productivity and content-generation gains to the threat actors, and have not impeded our ability to disrupt their influence operations".
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Brian A. Coleman, Senior Director at Pfizer for Insider Risk, Information Security, Digital Forensics Expert. Brian goes over all the Island features that have made the browser a favourite tool to secure older corporate apps, either by blocking insecure features or adding logging capabilities where they didn't exist.
See also Island's primer on why and how to choose an enterprise browser.
Shorts
US Government Confirms Iran is Targeting Presidential Campaigns
The FBI, CISA and the ODNI confirmed Iran was targeting the presidential campaigns of both political parties, including "the recently reported activities to compromise former President Trump’s campaign, which the IC [intelligence community] attributes to Iran".
The statement stops short of confirming that the hack and leak operation we covered last week was carried out by Iran. However, CNN reports:
Some US officials were uncertain that the same IRGC-backed [Islamic Revolutionary Guard Corps] group that did the hacking had leaked the documents, according to two sources familiar with the matter, because the group is not known for leaks. However, investigators studying the AOL account have been able to link its digital infrastructure to the same Iranian hacking group, one of the sources said.
Google's Crypto Fraud Legal Merry-Go-Round
A Florida woman named Vaca is suing Google after losing close to US$5m to a fraudulent cryptocurrency app she downloaded from the Google Play Store. According to The Block, her lawsuit says she only downloaded the app, Yobit Pro, because she believed Google was successfully keeping scam apps off the Play Store.
In April Google sued two developers for loading 87 fraudulent crypto apps into the Play Store.
Faking Your Own Death With a Database Entry
A Kentucky-based hacker, Jesse Kipf, was this week sentenced to 81 months in prison for charges related to faking his own death by hacking into state death registry systems. According to the US Department of Justice:
…in January 2023, Kipf accessed the Hawaii Death Registry System, using the username and password of a physician living in another state, and created a "case" for his own death. Kipf then completed a State of Hawaii Death Certificate Worksheet, assigned himself as the medical certifier for the case and certified his death, using the digital signature of the doctor. This resulted in Kipf being registered as a deceased person in many government databases. Kipf admitted that he faked his own death, in part, to avoid his outstanding child support obligations.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the cybersecurity industry is very strange when compared to other professional fields such as doctors and accountants.
From Risky Biz News:
Hardware backdoors found in Chinese key cards: A security researcher has discovered secret hardware backdoors in RFID key cards manufactured by a major Chinese company.
The backdoors allow threat actors to clone affected smart cards within minutes and gain access to secure areas. They affect cards built on chips from Shanghai Fudan Microelectronics that are compatible with NXP's MIFARE Classic.
The chips have been on the market since 1994 and have been widely used over the past decades to create smart key cards and access badges in hotels, banks, government buildings, factories, and many other places.
But in a paper published last week, Quarkslab's Philippe Teuwen says that while researching FM11RF08S cards, he found what proved to be a secret backdoor baked inside Fudan cards.
He discovered the backdoor while fuzzing the card's command set: the card responded to undocumented commands in a specific range.
[more on Risky Business News]
Ransom campaign hits cloud servers: A threat actor is hacking and extorting companies that have misconfigured their cloud server infrastructure.
The data extortion campaign has been running since earlier this year and involves a large-scale scan of the internet for companies that have exposed their environment variable files. These files, usually named .env, are where many software stacks keep configuration data, including credentials.
Security firm Palo Alto Networks says the attacker has been scanning the internet for .env files, extracting login credentials and using them to access cloud servers.
The attacker has allegedly scanned more than 230 million unique servers and successfully retrieved 90,000 environment variables—with around 7,000 of these being access keys associated with cloud services.
[more on Risky Business News]
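Two checks a defender would want after reading the item above, as an added example that is not Palo Alto Networks' or Risky Business News' code: first, triage web access logs for the .env probing the campaign relies on and flag any probe that was actually answered with content (a likely exposure, not just a scan); second, given the contents of a file that was served, list which variables must be rotated. The log lines and the .env contents are constructed samples; the AWS access key is the placeholder from AWS's own documentation, and the key-name patterns used to classify secrets are assumptions.

```python
import re
from collections import Counter

# Constructed sample access log lines (nginx/Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2024:03:12:01 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [14/Aug/2024:03:12:02 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [14/Aug/2024:03:12:03 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.22 - - [14/Aug/2024:03:14:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Aug/2024:03:14:11 +0000] "GET /.env.production?x=1 HTTP/1.1" 403 169 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Aug/2024:03:20:45 +0000] "GET /environment.js HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# ".env" or ".env.<anything>" as the final path component, e.g. /.env, /api/.env, /.env.production
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_.-]+)?$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def is_env_probe(path):
    return bool(ENV_PATH_RE.search(path))


def analyse(log_text):
    """Count .env probes per source IP and list probes that were served with a 200 and a body."""
    probes_by_ip = Counter()
    exposures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        probes_by_ip[rec["ip"]] += 1
        if rec["status"] == 200 and rec["bytes"] > 0:
            exposures.append((rec["ip"], rec["path"], rec["bytes"]))
    return {"probes_by_ip": dict(probes_by_ip), "exposures": exposures}


# Constructed sample of what an exposed .env might contain. The AWS key ID is the
# placeholder value from AWS's documentation, not a live credential.
SAMPLE_ENV = """\
APP_ENV=production
# database
DB_PASSWORD="s3cret-db-pass"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MAIL_PASSWORD=smtp-pass-123
"""

# Assumed naming conventions for secret-bearing variables and cloud key formats.
SECRET_NAME_RE = re.compile(r'(KEY|SECRET|TOKEN|PASSWORD|PASS)', re.I)
CLOUD_KEY_PATTERNS = [re.compile(r'^(AKIA|ASIA)[A-Z0-9]{16}$')]  # AWS access key IDs


def triage_env(env_text):
    """Return (variable, kind) pairs that must be rotated if this file was served to the internet."""
    rotate = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name, value = name.strip(), value.strip().strip('"\'')
        if any(p.match(value) for p in CLOUD_KEY_PATTERNS):
            rotate.append((name, "cloud_access_key"))
        elif SECRET_NAME_RE.search(name):
            rotate.append((name, "credential"))
    return rotate


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("probes per IP:", result["probes_by_ip"])
    print("likely exposures:", result["exposures"])
    print("rotate:", triage_env(SAMPLE_ENV))
```

A 404 or 403 on a .env path is scanning noise worth rate-limiting; a 200 with a body means the file left the building and every secret in it should be treated as compromised, the cloud keys first, since those are what the campaign above went after.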
After botched comms, there's now a timeline for the Azure mandatory MFA rollout: After making a mess of its communications in May, Microsoft has published a more detailed timeline for its plan to enforce multi-factor authentication for all users accessing Azure and other admin portals.
The company says that by October this year, MFA will be required to access the Azure portal, Microsoft Entra admin center, and Intune admin center.
Admins will receive emails and notifications in the Azure Service Health portal to enable MFA for their accounts or face losing access to their paid services.
Microsoft joins the ranks of AWS and Oracle as cloud services that require mandatory MFA to access admin accounts.
[more on Risky Business News]