Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

IT Governance calculates that in August there were 84 cyber attacks, which resulted in 60,865,828 records being breached.  Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its annual threat report for 2020–2021, which reports that over 67,500 cybercrime reports were made in the last 12 months. The ACSC acknowledges that the figure could be, and probably is, higher.  Probably

Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27 (8 September 2021): defamation, publication of comments on social media

September 12, 2021

The High Court in Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27, by a 5:2 majority, rejected an appeal by media outlets against a ruling that they were liable for comments made on their articles on a Facebook page.

FACTS

The appellants each maintain a public Facebook page, on terms of use agreed with Facebook, which:

  • is used to share content and connect with Facebook users;
  • is publicly accessible to users, who are able to view and comment on content posted to that page [5].

The use of the Facebook pages usually involves:

  • the posting of a hyperlink to a news story,
  • a headline,
  • a comment,
  • an image, and
  • readers being invited to:
    • “Like” the post,
    • “Comment” on the post, with comments made by users appearing on the page and being visible to all Facebook users who can see the page, and
    • “Share” the post [6].

A Facebook page administrator:

  • could prevent or block the posting of comments by third parties;
  • could not block all posts on a public Facebook page [7];
  • could delete comments after they were posted, but this would not prevent publication;
  • could “hide” most comments through the application of a filter, which would prevent publication to all except the administrator, who could then assess them [7].

The trial judge found the appellants were publishers.

DECISION

MAJORITY

KIEFEL CJ, KEANE AND GLEESON JJ

Their Honours, as did all the judges in this decision, undertook a very comprehensive review

South Australia uses facial recognition and geolocation data for quarantine checks.

September 7, 2021

The adjective “Orwellian” is both overused and misused.  It is often tagged onto a complaint which does not describe a situation, idea, or societal condition that George Orwell identified as being destructive to the welfare of a free and open society. It is commonly used by someone to label an argument or proposal, often a government one, which he or she finds disagreeable.  Unfortunately, the South Australian Government’s use of an app that geolocates and applies facial recognition to those in quarantine is Orwellian. And how this trial became reality demonstrates the dismal state of policy development and the exclusion of any input from the community.

It is relevant to note that South Australia has no Privacy Act.  There is no regulator to deal with privacy breaches, of which this app has the potential for many.  It is a dismal failure of public policy and panic over prudence.  That there has been no outcry from the polity within Australia is a poor reflection on the state of debate here.  Civil society’s response has been inconsistent but largely ineffectual.  The New South Wales Council for Civil Liberties has criticised it on the basis that safeguards are not in place (SA facial recognition app trial should not go ahead without safeguards). It is a weak response that accepts that “..it was possible for facial verification to be conducted safely and appropriately, with the right safeguards.”  Really!  There are more than a few well regarded privacy and other experts who wouldn’t even accept that proposition.  It is a weak and unimpressive

Call for privacy controls on TikTok

July 27, 2021

In today’s Age the National Children’s Commissioner, in TikTok: Time’s up to protect children’s privacy, highlights the alarming privacy-invasive practices of TikTok as well as the cumulative data collection on children through social media and other sources.  While the impetus of the story was TikTok’s focus on children, there is not much new in Anne Hollands’ piece.  Social media sites have been in the business of collecting personal information since their inception. Google’s business model is predicated on collecting and aggregating data through algorithms so as to sell targeted advertising.

Hollands’ concern about TikTok and other sites collecting personal information without proper consent is well placed.  The ACCC has similar concerns.  The potential problem is part of her solution: to have provisions in the Privacy Act requiring anyone collecting children’s data to comply with some form of best-interests-of-children provision relating to the collection and use of that data. The problem with this approach is that it creates additional protections for specific types of data.  The resulting danger is that there will be silos of strong protection amidst weak protection overall.  That is what happens in the United States of America.  There the Children’s Online Privacy Protection Act (“COPPA”) sets stringent requirements on websites or services directed at children, there are strong health records protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and there are even protections over video rental records under the Video Privacy Protection Act of 1988.  But many other areas of activity in the USA have weak privacy protections at the Federal level.

The chronic problem is weak privacy protections

New cyber security rules proposed. Another discussion paper on privacy and cyber security. A good paper, the question is whether anything will come of it.

July 18, 2021

On 13 July 2021 the Federal Government released a comprehensive discussion paper titled Strengthening Australia’s cyber security regulations and incentives as part of its attempts to make the digital economy more resilient.  The focus is on cyber security.  It summarises the issues and raises options across the broad subject headings of:

  • Governance standards for large businesses
  • Minimum standards for personal information
  • Standards for smart devices
  • Labelling for smart devices
  • Responsible disclosure policies
  • Health checks for small businesses
  • Protecting consumers
  • Clear legal remedies for consumers

As papers go it is comprehensive and a good resource in itself, as it sources US, UK and European actions (which are far ahead of Australia’s) in cyber security.  But there is nothing stated in the report which hasn’t been written before.  It is candid enough to state that the primary current regulatory framework of the Privacy Act 1988, the Australian Consumer Law and the Corporations Act, as well as other more specialised acts, is not effective in this area.  Refreshingly, the Paper highlights the dissatisfaction with the Information Commissioner’s approach to enforcement of the Privacy Act, stating

National Institute of Standards and Technology has released a guide on securing the Industrial Internet of Things

April 23, 2021

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce.  It is enormously influential in setting standards, worldwide, in the cyber security sphere.  That is relevant to privacy protections as well.  Overnight NIST released a guideline for comment, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.

It is a very topical release and deals with a difficult area of cyber security.  The industrial internet of things involves multiple devices.

The goals of the guide are:

  • remotely monitor and control utility-owned and customer-managed DER assets
  • protect and trust data and communications traffic of grid-edge devices and networks
  • capture an immutable record of control actions across DERs
  • support secure edge-to-cloud data flows, visualization, and continuous intelligence

The guide is intended to have

Facebook suffers significant data breach all the while the Government proposes to require people to provide more personal information to it

April 7, 2021

Facebook, hardly the paragon of virtue, has had a data breach involving more than 500 million people. The latest firm estimate is that it involved 533 million.  The data published online includes names, phone numbers, email addresses, account IDs and biographies.  According to The Record, the leaked information included phone numbers, which are not public for most profiles.  Plenty of material for a bit of identity theft.

The leak involved an attacker using a vulnerability in the Facebook contact importer feature.  The attackers were able to link random phone numbers to specific users.  As is commonly the case these days, the attacker remained and collected data until Facebook detected the process and cut off access. The attack occurred 2 years ago, though

Ransomware gangs targeting businesses which hold cyber insurance policies

March 23, 2021

I recently gave a presentation on data breaches where I highlighted as a trend the maturation of ransomware strategies and attacks.  This is a point raised in the Cyber Security Industry Advisory Committee report, which I posted on recently, titled Locked Out: Tackling Australia’s ransomware threat. Hackers are known to target businesses with cyber insurance and make demands in line with the coverage of the policy. That presupposes knowledge of policy details, acquired from the target businesses or the insurer or its brokers.

In a wide-ranging, jargon-heavy and slightly shambolic interview on The Record, an anonymous member of REvil, a hacking group, confirms that businesses with cyber insurance are

Minister for Home Affairs releases ransomware paper by Cyber Security Industry Advisory Committee

March 22, 2021

When in doubt, set up a committee.  Beyond meeting, a committee should prepare a paper.  The Cyber Security Industry Advisory Committee is no different.  The Minister for Home Affairs announced the establishment of the Committee on 20 October 2020. Its specific role is to help guide the introduction of Australia’s Cyber Security Strategy 2020, which was announced on 6 August 2020.

The Committee has prepared a paper on ransomware, Locked Out: Tackling Australia’s ransomware threat, which was released by the Minister for Home Affairs, Peter Dutton MP, on 10 March 2021.

Even though ransomware has been a favoured weapon of cyber criminals for some time, the problem is now chronic.  As an example only, yesterday the BBC reported, in Russian pleads guilty to Tesla ransomware plot, that a Russian offered a Tesla employee a million dollars to infect the company with ransomware.

The report is

Data breach of surveillance cameras operated by Verkada allowing hackers to access live feeds of schools, aged care facilities and child care centres. Australian operations affected.

March 12, 2021

Surveillance cameras, baby cameras and other monitoring devices connected to the internet have been particularly prone to cyber attack.  They are attractive targets: successful hacks result in high-profile press coverage and huge embarrassment for both the users and the manufacturers of the devices. The motivations are varied.  In 2014 hackers remotely turned on baby cameras and shouted obscenities at parents and their babies. I wrote about the vulnerabilities of these devices in 2016.  In 2019 G Post raised a similar issue in Yes, Your Video Baby Monitor Can Be Hacked. No, You Don’t Have to Stop Using It.

For all of that forewarning, the known attractiveness of surveillance cameras as hacking targets and the well-known vulnerabilities that could have been addressed, Verkada, a provider of cameras and surveillance equipment, has been the subject of a massive data breach.  The ABC