How do you improve data security in Australia? Have an iconic media organisation hit with a cyber attack. Except that is probably not going to happen. Lots of talking and little action

March 31, 2021

On day 4 after the attack on Nine the media is still churning out bromides of advice together with dark warnings of things to come. Because all of this was unknown until now! Yeah right. That involves running around looking for a talking head to give a standard form warning. And the Australian does just that with Cyber attacks: banks, super ‘only a matter of time’, warns APRA. It is a better than average Henny Penny piece, with “the end is nigh” being a strong theme. Good dramatic reading but not all that rewarding journalism. What is not done, and what journalists should be doing, is looking at the state of regulation (inadequate), the effectiveness of the regulator (lacking) and what needs to be done (a long list that has been repeated with monotonous regularity in Law Reform Commission reports, an ACCC report and by commentators such as myself for years). Meanwhile at the Age, a Nine publication, there is a “Feel our Pain” piece titled How the Nine cyber attack is affecting The Age and a quasi investigative piece as to the source of the attack with Is a nation state or disruptive criminals behind the Nine cyber attack? And the Age editorial Cyber attack on Nine sends a broader warning is a waffly piece about cyber attacks which then proceeds to do an analysis of “..the deeper threats they pose.” As if this hasn’t been a significant problem for years. And, typical of many Australian organisations, it refers to the Government response, in the form of the Cyber Security Strategy and cash for security agencies. Yes that is important but ultimately the key is that organisations must have adequate protections and strategies in place. The most relevant sentence is the last, “All businesses …should assume that their systems may someday be targeted for attack and make sure they have the proper protective measures and training in place.” And that is where Nine is coy.
It is unlikely that the hackers would have successfully placed malware into Nine’s systems without there being a failure in Nine’s cybersecurity; a failure to patch, a successful phishing or spear phishing attack or access via a trusted secondary supplier which had access privileges. Put simply, Nine was successfully attacked because of its negligence in one way or another. It should be candid and explain what happened in detail so others can learn. That is common practice overseas. It is also a fair bet that Nine did not have a comprehensive Data Breach Response Plan. Not uncommon but still unforgivable. So the response, no doubt heroic, was a cobbled together hot mess of on the fly responses. Nine has probably been poorly served by its Board of Directors in not putting enough effort and money into its cyber security defences and strategies, by its managers in not having a Data Breach Response Plan (one which has been wargamed on a regular basis to see how well it operates) and by its lawyers in not having a review of its compliance with APP 11 of the Privacy Act 1988, which requires organisations to maintain proper data security (not just of the cyber variety). My sympathy for Nine is very limited. Outside of a few industries, too many organisations regard privacy as an afterthought and the legal obligations in protecting personal information as a secondary matter.

The editorial provides:

For the employees of The Age and the wider Nine Entertainment group, the cyber attack that began in the early hours of Sunday morning has been disruptive and challenging. The attack targeted Nine’s corporate network, but has affected Channel Nine in Sydney and mastheads including The Age. We have managed to improvise solutions using back-up technology at every turn but, as such attacks on companies and online platforms become more frequent, it is important to look beyond the drama they cause to grasp the deeper threats they pose.

In June last year Prime Minister Scott Morrison held an impromptu press conference in Parliament House’s Blue Room to warn that “Australian organisations across a range of sectors” were being targeted by “a sophisticated state-based cyber actor”. The vagueness of that warning is understandable given it is often difficult to definitively prove who is behind such attacks. But while his words resonated in the corporate world, the careful language diluted the strength of his intended message for the wider community.

Part of the problem is that these attacks come from a world of shadows – of encryption, false identities and espionage trade craft. At this stage neither the identity nor the motive of Nine’s attacker can be known for certain, though there has been unconfirmed speculation that a foreign regime is indicating its displeasure with Nine’s coverage of its actions. It’s welcome that the Australian Federal Police is now engaged in trying to answer these questions.

To some it might seem fanciful that an Australian media company would be singled out in this way by a major world power such as Russia or China, or a pariah dictatorship such as North Korea. It is not known whether these countries were involved, and no demands for a ransom have been made. But it is precisely on such powers’ peripheries, where their control of information is weakest, that they may resort to outlandish and visible measures. Countries such as Ukraine and Estonia have long known what it is like for every part of their online infrastructure to come under sustained attack. Estonia’s response was to set up a digital vault in Luxembourg so the country could “reboot” if its systems failed.

After sounding the alarm in June, the Morrison government updated its Cyber Security Strategy in August, having pledged $1.35 billion to security agencies to tackle cyber threats and $35 million for a platform allowing government and industry to share intelligence and block emerging threats. But despite reports that there might soon be a cabinet minister for cyber security, a December reshuffle left then home affairs minister Peter Dutton with the portfolio in his sprawling department. Presumably that arrangement will continue under the new minister, Karen Andrews.

There are lessons for the government and the private sector in Nine’s experiences this week. For the government, it is perhaps time to sharpen its narrative around cyber security and appoint a dedicated official. Treasurer Josh Frydenberg is right when he says the threat is “more pervasive than people think” and it is “not going away”.

These attacks are not new. But for companies, universities and other organisations around Australia, Nine’s experience is another warning about the power that state and non-state actors increasingly have to interfere in all our affairs. All businesses from winemakers to film festivals should assume that their systems may someday be targeted for attack and make sure they have the proper protective measures and training in place.

Rather than having garment-rending jeremiads about the state of the world and why people are being mean to the media, publications like the Age should engage in more serious coverage. Stories along those lines would go to the state of the nation’s cybersecurity and discover that organisations do little to protect themselves because the perceived risk is small and the consequences of not complying with inadequate legislation are minimal. Perhaps a start would be to review an article such as the US article In wake of giant software hacks, application security tactics due for an overhaul. This piece descends into some detail at least.

Part of any proper investigation would look at the ineffectiveness of the Australian Information Commissioner’s office, a governmental backwater if there ever was one. Businesses and agencies don’t comply with the law because they know the cop on the beat is in the station house asleep at his desk. When ASIC falls down in its regulatory duties it is called to account. The Australian Information Commissioner doesn’t even engage with its obligations and receives no scrutiny. It has polished its image to a fine sheen and that has gulled the media. No one ever said the Privacy Commissioners and then Information Commissioners weren’t nice. They were and are. It’s just that they have been not much good.

Unfortunately in terms of data protection and enforcement Australia is the land of the lotus eaters.  Nothing much has Read the rest of this entry »

Channel Nine cyber attack is a watershed moment…supposedly..or at least that is what the scribes say

March 30, 2021

It is quite the month where things “have to change” according to the modern day seers, the journalists of our national dailies. I will confine my observation to the cyber attack on Nine last weekend. It has spurred a flurry of reporting fizzing with excited commentary on this Ransomware thing that causes such chaos as knocking live Sunday morning programming out of the park. We are now into day 3 of the media’s voyage of discovery that, behind the headline and bland unimaginative by the numbers reporting, cyber attacks are serious and can do real damage. Damage like, in the analog world, a semi trailer driving through the front gate of Nine’s headquarters and into the main studio and then blowing up. So now that Nine has been attacked it embarks upon a serious analysis of what happened and why with Why was Nine hacked and how do cyber attacks actually work? And the Australian runs a piece Nine hack a ‘wake up call’ because, I guess, the threat wasn’t known before. I mean, Really! And being the serious media types that they are, the ABC gives a quick tutorial on the ups and downs of cyber attack (the sort of thing I have been doing for a decade) as if it were a first year undergrad reading from newly acquired lecture notes. It is all rather confected outrage. The problem has been well known for a very long time, digitally speaking, and the players Read the rest of this entry »

The cost of the Nine cyber attack could top $1 million

March 29, 2021

For the proverbial 15 minutes cyber attacks are now the focus of Australian media in light of the cyber attack that laid low Channel Nine in Sydney on Sunday.  Perhaps a slight exaggeration.  But data security issues are dealt with quite superficially in the main.

The Australian reports that the Nine cyber attack could cost $1 million in remediation costs. The cyber attack was a ransomware attack without the ransom. That is, the malicious software encrypted files but the attackers did not demand payment, the ransom, in exchange for the decryption key.

I never cease to be amazed how the reporting of insights from experts on how the data breach may have occurred, the problems with data security and the need to improve has such a breathless quality.  It is as if it has been discovered for the first time.  I have been posting on this and other cyber security and privacy issues for more than a decade.

But now cyber security is a hot topic the Australian reports on another cyber attack, this time on Taylor wines.  As usual Read the rest of this entry »

The danger of cyber attack and need for proper cyber security highlighted by the attack on Nine which crippled its Sydney operation

March 28, 2021

The Australian magazine had a big piece on cyber security titled Why the world is under cyber-attack.  It touches all the bases, malicious attacks are on the rise, they are growing in sophistication, they are attacking infrastructure, ransomware is on the rise and governments are becoming ever bigger players.  Not too much new though it is quite an involved piece with a dystopian bent.

The unfortunate thing about pieces like this is that they do not seem to move governments to properly regulate through adequate legislation and then ensure that the agency or whatever other body is charged with regulation actively regulates. That is happening on a more adequate level in Europe and even in the United Kingdom. In the United States the regulation is patchy. In Australia it is lamentable. The Privacy Act is replete with carve outs and over broad exemptions. The Information Commissioner is congenitally timid and ineffective. Which bodes badly for the state of cyber protection for Australian businesses. And on that note it is relevant to see that the Australian reports that Nine Network’s Sydney office has been hit by a cyber attack which Read the rest of this entry »

Assistant Defence Minister sounds alarm on cyber attacks

March 25, 2021

In today’s Australian Andrew Hastie, Assistant Defence Minister, has taken up the call in an Australian article, Cyber war puts business at risk of costly attack, that Australian businesses are at risk of being the subject of a cyber attack. The context of this call is the continuing exploitation of Microsoft Exchange zero day vulnerabilities that is causing real problems for businesses worldwide and leading to some spectacular ransomware attacks. The article is Read the rest of this entry »

Ransomware gangs targeting businesses which hold cyber insurance policies

March 23, 2021

I recently gave a presentation on data breaches where I highlighted as a trend the maturation of ransomware strategies and attacks. This is a point raised in the Cyber Security Industry Advisory Committee report (which I posted on recently) titled Locked Out: Tackling Australia’s ransomware threat. Hackers are known to target businesses with cyber insurance and make demands in line with the coverage of the policy. That presupposes knowledge of policy details, acquired from the target businesses or the insurer or its brokers.

In a wide ranging, techy speak and a little shambolic interview on The Record an anonymous member of REvil, a hacking group, confirms that businesses with cyber insurance are Read the rest of this entry »

Minister for Home Affairs releases ransomware paper by Cyber Security Industry Advisory Committee

March 22, 2021

When in doubt set up a committee. Beyond meeting, a committee should prepare a paper. The Cyber Security Industry Advisory Committee is no different. The Minister for Home Affairs announced the establishment of the Committee on 20 October 2020. Its specific role is to help guide the introduction of Australia’s Cyber Security Strategy 2020, which was announced on 6 August 2020.

The Committee has prepared a paper on Ransomware, Locked Out: Tackling Australia’s ransomware threat, which was released by the Minister for Home Affairs, Peter Dutton MP, on 10 March 2021.

Even though Ransomware has been a favoured weapon of cyber criminals for some time, the problem is now chronic. As an example only, yesterday the BBC reported in Russian pleads guilty to Tesla ransomware plot that a Russian offered a Tesla employee a million dollars to infect the company with ransomware.

The report is Read the rest of this entry »

Western Australian Parliament is hit with cyber attack during recent State election

March 17, 2021

The growth in cyber attacks is hardly news. Even cyber attacks by state agencies are not novel. There have been explicit warnings by governments and reports in the media to that effect. What is relatively new is the brazenness of the attacks by state players, the prolonged nature of those attacks and the motivation for those attacks. Cyber attacks are becoming more overtly political.

On that note the ABC reports that China is suspected of a cyber attack on the Western Australian Parliament during the last state election. The source of entry was the weakness discovered Read the rest of this entry »

Data breach of surveillance cameras operated by Verkada allowing hackers to access live feeds of schools, aged care facilities and child care centres. Australian operations affected.

March 12, 2021

Surveillance cameras, baby cameras and other monitoring devices connected to the internet have been particularly prone to cyber attack. They are attractive targets: successful hacks result in high profile press coverage and huge embarrassment for both the users and the manufacturers of the device. The motivations are varied. In 2014 hackers remotely turned on baby cameras and shouted obscenities at parents and their babies. I wrote about the vulnerabilities of these devices in 2016. In 2019 G Post raised a similar issue with Yes, Your Video Baby Monitor Can Be Hacked. No, You Don’t Have to Stop Using It.

For all of that forewarning, the known attractiveness of surveillance cams as targets of hacking and the well known vulnerabilities that could be addressed, Verkada, a provider of cameras and surveillance equipment, has been the subject of a massive data breach. The ABC Read the rest of this entry »

Data breaches everywhere with 2.3 billion records breached worldwide in February 2021 and the grand total of 539 breaches to the Australian Information Commissioner between July – December 2020. A lack of credibility in the Australian mandatory data breach notification scheme.

March 7, 2021

IT Governance has provided its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The cyber attacks range from the relatively modest in number, with 208 records of Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large, involving millions of user records of Raychat being destroyed and the records of 102 million consumers of two mobile operators in Brazil. There were also other significant data breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan, and Australia’s Oxfam discovered that its database of 1.7 million records was being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue the now all too familiar sort of candid post on where matters are at on 1 March 2021 which Read the rest of this entry »