The danger of cyber attack and need for proper cyber security highlighted by the attack on Nine which crippled its Sydney operation

March 28, 2021

The Australian magazine had a big piece on cyber security titled Why the world is under cyber-attack. It touches all the bases: malicious attacks are on the rise, they are growing in sophistication, they are attacking infrastructure, ransomware is on the rise and governments are becoming ever bigger players. There is not too much new, though it is quite an involved piece with a dystopian bent.

The unfortunate thing about pieces like this is that they do not seem to move governments to properly regulate through adequate legislation and then ensure the agency or whatever other body is charged with regulation actively regulates. That is happening on a more adequate level in Europe and even in the United Kingdom. In the United States the regulation is patchy. In Australia it is lamentable. The Privacy Act is replete with carve-outs and overbroad exemptions. The Information Commissioner is congenitally timid and ineffective, which bodes badly for the state of cyber protection for Australian businesses. And on that note it is relevant to see the Australian reports that Nine Network’s Sydney office has been hit by a cyber attack which Read the rest of this entry »

Assistant Defence Minister sounds alarm on cyber attacks

March 25, 2021

In today’s Australian, Andrew Hastie, Assistant Defence Minister, has taken up the call, in an article titled Cyber war puts business at risk of costly attack, that Australian businesses are at risk of being the subject of a cyber attack. The context of this call is the continuing exploitation of Microsoft Exchange zero-day vulnerabilities, which is causing real problems for businesses worldwide and leading to some spectacular ransomware attacks. The article is Read the rest of this entry »

Ransomware gangs targeting businesses which hold cyber insurance policies

March 23, 2021

I recently gave a presentation on data breaches where I highlighted as a trend the maturation of ransomware strategies and attacks. This is a point raised in the Cyber Security Industry Advisory Committee report, which I posted on recently, titled Locked Out: Tackling Australia’s ransomware threat. Hackers are known to target businesses with cyber insurance and make demands in line with the coverage of the policy. That presupposes knowledge of policy details, acquired from the target businesses or the insurer or its brokers.

In a wide-ranging, techy and slightly shambolic interview on The Record, an anonymous member of REvil, a hacking group, confirms that businesses with cyber insurance are Read the rest of this entry »

Minister for Home Affairs releases ransomware paper by Cyber Security Industry Advisory Committee

March 22, 2021

When in doubt, set up a committee. Beyond meeting, a committee should prepare a paper. The Cyber Security Industry Advisory Committee is no different. The Minister for Home Affairs announced the establishment of the Committee on 20 October 2020. Its specific role is to help guide the introduction of Australia’s Cyber Security Strategy 2020 which was announced on 6 August 2020.

The Committee has prepared a paper on ransomware, Locked Out: Tackling Australia’s ransomware threat, which was released by the Minister for Home Affairs, Peter Dutton MP, on 10 March 2021.

Even though ransomware has been a favoured weapon of cyber criminals for some time, the problem is now chronic. As an example only, yesterday the BBC reported, in Russian pleads guilty to Tesla ransomware plot, that a Russian offered a Tesla employee a million dollars to infect the company with ransomware.

The report is Read the rest of this entry »

Western Australian Parliament is hit with cyber attack during recent State election

March 17, 2021

The growth in cyber attacks is hardly news. Even cyber attacks by state agencies are not novel. There have been explicit warnings by governments and reports in the media to that effect. What is relatively new is the brazenness of the attacks by state players, the prolonged nature of those attacks and the motivation for those attacks. Cyber attacks are becoming more overtly political.

On that note the ABC reports that China is suspected of a cyber attack on the Western Australian Parliament during the last state election. The source of entry was the weakness discovered Read the rest of this entry »

Data breach of surveillance cameras operated by Verkada allowing hackers to access live feeds of schools, aged care facilities and child care centres. Australian operations affected.

March 12, 2021

Surveillance cameras, baby cameras and other monitoring devices connected to the internet have been particularly prone to cyber attack. They are attractive targets: successful hacks result in high profile press coverage and huge embarrassment for both the users and the manufacturers of the device. The motivations are varied. In 2014 hackers remotely turned on baby cameras and shouted obscenities at parents and their babies. I wrote about the vulnerabilities of these devices in 2016. In 2019 G Post raised a similar issue with Yes, Your Video Baby Monitor Can Be Hacked. No, You Don’t Have to Stop Using It.

For all of that forewarning, the knowledge of the attractiveness of surveillance cams as a target of hacking, and the well known vulnerabilities that could be addressed, Verkada, a provider of cameras and surveillance equipment, has been the subject of a massive data breach. The ABC Read the rest of this entry »

Data breaches everywhere with 2.3 billion records breached worldwide in February 2021 and the grand total of 539 breaches to the Australian Information Commissioner between July – December 2020. A lack of credibility in the Australian mandatory data breach notification scheme.

March 7, 2021

IT Governance has provided its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The cyber attacks range from the relatively modest in number, with 208 records of the Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large attack, involving millions of user records of Raychat being destroyed and the records of 102 million consumers of two mobile operators in Brazil. There were also other significant data breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan, and Australia’s Oxfam discovered that its database of 1.7 million records was being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue the now all too familiar sort of candid post of where matters are at on 1 March 2021 which Read the rest of this entry »

Online Safety Bill 2021 introduced and speeding through the Parliamentary process with some concerns about haste and possible unintended consequences

March 4, 2021

The Online Safety Bill 2021 was introduced into Parliament on 24 February 2021. The Minister’s Second Reading Speech is found here. It will, if passed, replace the Enhancing Online Safety Act 2015 through the enactment of the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021.

It is legislation that is relevant to those who practise defamation and privacy law.

The Bill and the explanatory memorandum are extensive documents. There are 240 clauses. ZDNet, in Bill establishing cyber abuse takedown scheme for adults enters Parliament, provides quite a good overview of the proposed legislation, providing:

A new Online Safety Bill that extends the cyber takedown function to adults and cuts takedown response times in half has made its way into Australian Parliament. Read the rest of this entry »

Today is data privacy day…a lot more work to do beyond reminding people of the need to keep data private and secure

January 28, 2021

Thursday 28 January 2021 is Data Privacy Day. It is also the 40th anniversary of Convention 108 and the 15th edition of the Data Protection Day.

The National CyberSecurity Alliance aptly describes what the day is about where it states:

Data Privacy Day is a global effort — taking place annually on January 28th — that generates awareness about the importance of privacy, highlights easy ways to protect personal information and reminds organizations that privacy is good for business. Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is observed annually on Jan. 28.

Data Privacy Day is the signature event in a greater privacy awareness and education effort. Year-round, NCSA educates consumers on how they can own their online presence and shows organizations how privacy is good for business.

In 2021, NCSA is encouraging individuals to “Own Your Privacy” by learning more about how to protect your valuable data online, and encouraging businesses to “Respect Privacy”, which advocates for holding organizations responsible for keeping individuals’ personal information safe from unauthorized access and ensuring fair, relevant and legitimate data collection and processing. These themes are encouraged through the below messaging and calls to action:

The Victorian Information Commissioner marked the day by Read the rest of this entry »

Significant data breach from Ambulance Tasmania through interception of its paging service with data of patients who contact ambulances published online

January 8, 2021

Ambulance Tasmania has suffered a massive data breach. According to the ABC’s Tasmania Police called in after ambulance patient details published online, personal information of every Tasmanian who called the Tasmanian Ambulance Service since November 2020 has been accessed and posted online by a third party. The specific nature of the breach is unknown but it was to the paging system. What makes this breach so damaging is that the data accessed is sensitive information, relating to a person’s health status as well as that person’s age, gender and address.

What is both surprising and disturbing is that the data hacked from Ambulance Tasmania has been publicly visible since November last year.

What is less surprising is that it appears that deficiencies had previously been identified in the communications system and processes. That is quite a common situation. The problems are apparent but there is no incentive to attend to those problems because time and money can be spent elsewhere to more immediate benefit, and the legal consequences of a data breach are small because the legislation is weak and the regulators are timid.

The Government response follows the dreary, obsolete path adopted by many Australian Government agencies of the responsible minister being concerned, referring Read the rest of this entry »