Australian websites attacked by a cryptojacking attack….

February 12, 2018

There is a positive in all of the attacks in cyberspace… the English vocabulary has grown and become enriched by new terms. Ever heard of cryptojacking? It is a form of malware (another gift to the mother tongue to describe malicious software) which forces computers to mine cryptocurrency, generating profits for the hacker. Australian Government sites have been successfully breached through a browser plug-in provided by a third party. Hackers inserted Coinhive into the plug-in which hijacked the processing Third Party vulnerabilities are a chronic problem for businesses and government because their internal controls are not easily supervised and audited but their services are necessary.

The Guardian, in "Cryptojacking attack hits Australian government websites", reports that in Australia the Victorian Parliament website has been compromised, as have the Queensland Ombudsman, the City of Casey and the South Australian City of Unley Council. These types of breaches highlight which organisations and agencies have been less diligent with Read the rest of this entry »

Mandatory Data breach notification laws come into effect in 2 weeks, 22 February 2018

February 9, 2018

With the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, Australia will have a mandatory data breach notification law. It comes into effect from 22 February 2018 (though some practitioners believe it comes into effect on 23 February).

In summary, the scheme as enacted in Part IIIC of the Privacy Act obliges organisations covered by the Privacy Act and agencies to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. A notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.

That is the starting point.

It is a complex piece of legislation which requires careful consideration of the exemptions and consideration of what may or may not constitute serious harm.

Cabinet files found in an ex Government filing cabinet…a familiar story of appalling data security practices

February 1, 2018

There is quite a buzz about the ABC’s scoop in obtaining Cabinet documents stretching across a number of recent Australian Governments. It has resulted in a cornucopia of stories which have found their way into the media in the last few days. It is a hell of a scoop. The documents were not “leaked” by government or opposition insiders or a disgruntled public servant. They were found in an old second hand filing cabinet bought by a punter at an op shop who passed them on to the ABC. This is hardly a new story. I Read the rest of this entry »

Former ASIO boss warns that Australia’s cyber defence is weak and uncoordinated…hardly a revelation with weak privacy and data security laws and even weaker regulation of those laws

January 19, 2018

It is enough to make a cat smile how the obvious poor state of cyber defence across the board is breathlessly reported as a revelation, again and again.  And how nothing really changes even though the problem grows worse each year.

The ABC reports, in "Australia’s cyber defences ‘relatively weak, uncoordinated’, former ASIO boss David Irvine warns", on a submission through the Australian Cyber Security Research Institute that Australia’s ability to counter cyber threats and criminal activity is relatively weak and uncoordinated. That is not surprising; coming from a former public servant of long standing, the proposal is a single Commonwealth-led co-operative agency. The proposed entity will Read the rest of this entry »

YouTube personality wins revenge porn case in UK relying on breach of confidence, misuse of private information and harassment.

January 18, 2018

There are limits to legislation criminalising revenge porn, the publication of revealing or sexually explicit images or videos of a person posted on the Internet without the consent of the subject in order to cause them distress or embarrassment, without providing the victim with an actionable cause of action. The first limitation is that a complaint to the police may not result in a prosecution. The burden of proof is much higher. In some cases proving the accused took the image or posted it may be an issue, though in the typical revenge porn scenario that is not a common problem. The other potential problem from the point of view of the victim is that how a matter is dealt with is a matter for the prosecution, whether in the form of a plea and the agreed statement of facts and the submissions on penalty. That is not to say the prosecution are less than professional but matters are resolved all the time. While the victim may be kept informed, the call is always the prosecution’s to make. What is required is an actionable civil claim by victims, in the form of either a statutory or common law basis, under the tort of invasion of privacy. And that is what is missing in Australian law. Claims in Australia must rely on equity, breach of confidence and misuse of private information, to bring a civil claim. That was what Ms Chambers did because at the time of the acts giving rise to her action the Supreme Court had not recognised a tort of invasion of privacy, which it did subsequently. It is a more complicated and unwieldy form of action which is very much a second best option to a tortious claim. Australia remains one of the few places in the common law world without a specific actionable right to enforce privacy rights. It remains a significant gap in the law and an ongoing failure of public policy.

The BBC reports that Chrissy Chambers, described as a YouTube celebrity, brought an action against an ex partner who posted 6 videos on a pornographic site after they broke up, from December 2009 until January 2012. Ms Chambers found out about the posting in June 2013. Her efforts to bring criminal charges were unsuccessful, primarily because a criminal offence relating to revenge porn had not been enacted at the time of the posting. She commenced proceedings in the UK High Court and obtained a settlement involving an undisclosed sum of money, her costs, destruction of images held by the defendant and the copyright to the images Read the rest of this entry »

UK Government opts for sensible approach in permitting researchers to test anonymisation measures

January 14, 2018

The mantra by regulators that data which is anonymised can be used for research and published has resulted in significant embarrassment when said anonymisation resulted in re-identification. It has spawned a busy subset of academic articles on how this happens and generally advising caution; see for example "All or Nothing: The False Promise of Anonymity" in the Data Science Journal.

Re-identification occurs where there has been insufficient de-identification, and the methods of re-identifying are generally one or both of pseudonym reversal and combining data sets.

In Australia the Government introduced the Privacy Amendment (Re-identification Offence) Bill 2016.  If enacted it will prohibit the Read the rest of this entry »

NSW Government data security inadequate according to report

December 28, 2017

The Fairfax press, in "Personal information held by NSW government exposed to cyber crime risk", reports that 2/3rds of NSW Government agencies do not comply with their obligations to secure data.

The 82 page report provides insight but the chronic and deep seated flaws in data handling and cyber security practices are all too common.  A lack of training and what limited access to data should mean,  a lack of in depth protections which detect breaches from both outside and within, inadequate legislation with ineffective enforcement and inadequate training which leads to a poor privacy culture are the foundations upon which these problems develop.

It is curious that the report was released on 20 December and only reported on 28 December 2017.  Given the issue is so serious it is almost certain to disappear into the ether over the Christmas break.  Maybe it wasn’t so curious after all.

The New South Wales Audit Office released a press release on Read the rest of this entry »

Merry Christmas and my traditional reprint of Yes, Virginia there is a Santa Claus..

December 25, 2017

I wish all readers, regular, occasional and first timer, a happy and holy Christmas.

Since I was a school kid I was impressed with the Editorial of the New York Sun titled Yes, Virginia there is a Santa Claus.  It was first published on 21 September 1897.

It is a wonderful piece of writing. Clear, concise and full of warmth without being mawkish. It can be read on a number of levels, starting with the intended reader, the 8 year old Virginia O’Hanlon. As prose it makes the current offerings in Australia, and elsewhere, dreary and bloated by comparison.

The story of the author is impressive in and of itself.

It is also proudly optimistic.  A mindset we all should have, no matter how hard it can be.

To write as well as Francis Pharcellus Church, the author, would be a wonderful achievement.

Merry Christmas.

The article provides:

We take pleasure in answering thus prominently the communication below, expressing at the same time our great gratification that its faithful author is numbered among the friends of The Sun:

Dear Editor—

I am 8 years old. Some of my little friends say there is no Santa Claus. Papa says, “If you see it in The Sun, it’s so.” Please tell me the truth, is there a Santa Claus?

Virginia O’Hanlon
115 West Ninety Fifth Street

Virginia, your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except they see. They think that nothing can be which is not comprehensible by their little minds. All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to your life its highest beauty and joy. Alas! how dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence.

We should have no enjoyment, except in sense and sight. The external light with which childhood fills the world would be extinguished.

Not believe in Santa Claus! You might as well not believe in fairies. You might get your papa to hire men to watch in all the chimneys on Christmas Eve to catch Santa Claus, but even if you did not see Santa Claus coming down, what would that prove? Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see. Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, nor even the united strength of all the strongest men that ever lived could tear apart. Only faith, poetry, love, romance, can push aside that curtain and view and picture the supernal beauty and glory beyond. Is it all real? Ah, Virginia, in all this world there is nothing else real and abiding.

No Santa Claus! Thank God! He lives and lives forever. A thousand years from now, Virginia, nay 10 times 10,000 years from now, he will continue to make glad the heart of childhood.

It has been eulogised regularly since then, such as by the New York Times on the 100th anniversary of the publication.  A nice article but nothing of the simplistic brilliance of the original.

A refreshing and timely story on the Commonwealth Bank accused of misleading the Privacy Commissioner and the Privacy Commissioner cops criticism in handling that deception

December 20, 2017

Tonight’s 7.30 program has a story, titled "Commonwealth Bank accused of misleading the Privacy Commissioner", about a privacy complaint where the sting is the Commonwealth Bank failing to provide proper disclosure of documents. The determination is Read the rest of this entry »

Cybersecurity risks with the internet of things

Legislatures, and courts, being slow to fill gaps in the law is hardly a news story. And it is axiomatic that there is legislative inertia in the face of new technologies. The history of road rules for motor vehicles is a classic example. But the inertia and failure to respond to the threat of cyber attack has been a protracted and sad story of public policy failure. Hacking, phishing, spoofing and any number of ways of attacking a network have existed as long as the internet has been publicly accessible. Protecting against that has been ad hoc and generally Read the rest of this entry »