Peter A Clarke

Along with the Federal Government the New South Wales Parliament has commenced an inquiry into Artificial Intelligence.

The terms of reference Read the rest of this entry »

Another report stating what has long been understood by those involved with cyber security and privacy law; cybercrime is a chronic problem that is getting worse. The Report covers a broader range of cyber crimes including on line abuse and harassment, which was 27% of the reported cyber crimes in in the survey.The Report by the Australian Institute of Criminology makes for sobering reading. It is a comprehensive report, at 113 pages.

The harms from cyber crime are significant.  That makes it all the more concerning that there is such poor education on how to recognise some forms of cyber crime, such as ransomware and fraud and cyber scams.  The loss to business from data breaches puts into sharp relief the need for individuals and businesses to maintain proper cyber defences.  The lax state of affairs is as much due to poor regulation and enforcement as it is on poor education.

The Abstract provides:

This is the first report in the Cybercrime in Australia series, which aims to provide a clearer picture of the extent of cybercrime victimisation, help-seeking and harms among Australian computer users. It is based on a survey of 13,887 computer users conducted in early 2023. In the 12 months prior to the survey, 27 percent of respondents had been a victim of online abuse and harassment, 22 percent had been a victim of malware, 20 percent had been a victim of identity crime and misuse, and eight percent had been a victim of fraud and scams. Overall, 47 percent of respondents experienced at least one cybercrime in the 12 months prior to the survey—and nearly half of all victims reported experiencing more than one type of cybercrime. Thirty-four percent of respondents had experienced a data breach. Cybercrime victimisation was not evenly distributed, with certain sections of the community more likely to have been a victim, and certain online activities associated with a higher likelihood of victimisation.

Most cybercrime victimisation went unreported to police or to ReportCyber, meaning official statistics significantly underestimate the size of the problem. Satisfaction with the outcomes of these reports was mixed, and relatively few reports resulted in an offender being apprehended. Rates of help-seeking varied and were influenced by the perceived seriousness of cybercrime and knowledge of how and where to report it.

The financial losses experienced by victims were wide ranging. Some victims reported losing large sums of money, but most victims reported relatively small financial losses. This report measures, for the first time, the harms experienced by individual victims and small businesses that extend beyond these financial costs. Twenty-five percent of respondents were negatively impacted by cybercrime in the 12 months prior to the survey, while 22 percent of respondents who owned or operated a small to medium business said their business was negatively impacted by cybercrime.

The Scope of the report was described in these Read the rest of this entry »

The Singapore Cyber Security Agency has released its Cyber Landscape Report. The results are hardly surprising.  Phishing and ransomware are chronic problems.  They are growing in both volume and intensity.

The reports findings provides:

Key Malicious Cyber Activities in 2022

1. 1. Phishing. There were around 8,500 phishing attempts reported to the Singapore Cyber Emergency Response Team (SingCERT) in 2022, more than double the 3,100 cases handled in 2021. More than 50 per cent of reported cases involved URLs ending with “.xyz” – a popular top-level domain (TLD)¹ among threat actors given its low cost and limited restrictions on usage. The average length of reported phishing links decreased by almost half, suggesting that threat actors are using URL shortener services more frequently to mask their malicious intent and track the click-through rate of their phishing campaigns. The most commonly-spoofed were Banking and Financial Services, Government and Logistics. More than 80 per cent of reported phishing sites masqueraded as entities within the Banking and Financial Services sector. They are often targets of phishing attacks as they are trusted institutions which hold sensitive and valuable information such as personal details and login credentials. Overall, the increase in reported phishing attempts mirrored global trends, with multiple cybersecurity vendors observing that phishing activities grew substantially in 2022. In all, SingCERT facilitated the takedown of 2,918 malicious phishing sites in 2022.
   2. Ransomware incidents. Ransomware remains a major issue both in Singapore and globally, with cybersecurity vendors reporting a 13 per cent increase in ransomware incidents worldwide in 2022. In Singapore, the number of reported ransomware cases saw a slight decrease with 132 cases reported to CSA in 2022, compared to the 137 cases reported in 2021. The cases affected mostly Small-and-Medium Enterprises (SMEs) from sectors such as manufacturing and retail, as they may hold valuable data as well as Intellectual Property (IP), which cybercriminals often seek to extort and monetise for financial gain. Many of such firms also lack dedicated resources to counter cyber threats.
   3. Infected Infrastructure². In 2022, CSA observed 81,500 infected systems in Singapore, a decrease of 13 per cent from 94,000 in 2021. Despite a sharp growth of infected infrastructure observed worldwide, Singapore’s global share of infected infrastructure fell from 0.84 per cent in 2021 to 0.34 per cent in 2022. While this decrease in infected infrastructure in Singapore points to an improvement in cyber hygiene levels, the absolute number of infected systems in Singapore remains high. The top three malware infections on locally-hosted C&C servers were Colbalt Strike, Emotet and Guloader, while Gamarue, Nymaim and Mirai were the top three malware found on locally-hosted botnet drones, accounting for nearly 80% of Singapore IP addresses infected by malware in 2022. 
   4. Website Defacements. 340 ‘.sg’ websites were defaced in 2022, a decrease of 19 per cent from 419 in 2021. Most victims were SMEs. The downward trend could be attributed to hacktivist activities moving to other platforms with potentially wider reach, such as social media. In general, a downward trend in global website defacements was observed – with the exception of Ukraine and Russia, which have seen hacktivist activities spike amidst the ongoing conflict, including the defacement of more than 70 Ukrainian government websites just before hostilities broke out.

Read the rest of this entry »

In the 1980s it was fashionable in the The Federal Government to create tsars. The term signified that they were doing something important and had enhanced powers. There were drug tsars and education tsars. The terminology was a bit unfortunate. Tsars historically had a habit of coming unstuck in horrible ways. Nothing like that happened in America but not much was done either. Australia is not nearly so grandiose. In Australia the tradition is to appoint directors or co ordinator. In that tradition the Government has announced the appointment of Air Marshal Darren Goldie AM CSC as the innuagural National Cyber Security Coordinator. The position is administrative. It is probably a good idea however the real need for improvement in cyber security is at the ground level with organisations and agencies applying fit for purpose programs, keeping them up to date and training staff to avoid making mistakes that lead to a data breach. Not nearly enough of that is being done.

The consequences of a major data breach are rarely minor or quickly resolved. The cost of remediation is almost always significant. Litigation is a common offshoot. Medibank is facing a significant class action suit. Finally there are usually more than one regulator which can take action. In this case the Australian Prudential Authority has taken action against APRA forcing Medibank to increase its capital adequacy requirement to $250 million.

Chapter 10 of the Attorney General’s Privacy Act Review Report considers the operation of Privacy Policies and Notice obligations when collecting personal information.

A Privacy Policy is a critically important document for compliance under the Privacy Act 1988.  Privacy policies are part of most privacy legislation across most jurisdictions.  They serve an important function of informing people how their personal information will be handled, That doesn’t mean they are free of controversy.  Privacy policies are commonly criticized for being unduly complicated, very long and often a model of opacity rather than transparency. Some organisations have excellent policies designed provide useful information.  Others are mass of legalese which defy easy understanding.

Australian Privacy Principle (“APP”) 1 requires:

• entities to maintain a ‘clearly expressed’ and ‘up-to-date’ privacy policy that addresses the matters listed in APP 1.4.
• per he APP Guidelines a ‘clearly expressed’ privacy policy should be:
  • ‘easy to understand (avoiding jargon, legalistic and in-house terms),
  • easy to navigate,
  • only include information that is relevant to the management of personal information by the entity’.
• an APP entity to regularly review and update its privacy policy to ensure that it reflects the entity’s information handling practices.
• an APP entity to take such steps as are reasonable in the circumstances to make its privacy policy available:
  • free of charge and
  • ‘in such form as is appropriate.’
• that where an individual requests a privacy policy in a particular form, the APP entity must take reasonable steps to accommodate that request.
• APP entities to make a privacy policy available by publication on a website.
• where it is foreseeable that the privacy policy may be accessed by individuals with accessibility needs, or where individuals request a copy of the privacy policy in an accessible form, appropriate accessibility measures should be put in place.

APP 5 requires Read the rest of this entry »

The World Economic Forum has released Adopting AI Responsibly: Guidelines for Procurement of AI Solutions by the Private Sector. It has also launched the AI Governance Alliance for Responsible Generative AI. The Guidelines are part of a growing set of guidelines and rules. The US President released a BluePrint for an AI Bill of Rights in October last year. That is a long way from government regulation.

At this stage the talk is greater than the action. The US President met with tech leaders a few days ago and raised concerns about the risks posed by AI to Security and the Economy amongst other areas. Even though Europe has taken strong initial steps and is ahead of the United States no jurisdiction has complete fit for purpose Read the rest of this entry »

The EU is far ahead of Australia in regulating privacy and cyber security through both the GDPR and rules and guidances for good cyber security practices. The United States is well served by the publications of the National Institute of Science and Technology.

The European Union Agency for Cybersecurity has released Good Practices for Supply Chain Cybersecurity.  It is a long and complex document but particularly relevant given the spate of data breaches in Australia.  It is relevant to note that the document makes regular reference to NIST guidances.  I regularly post on NIST guidances.

• between 39 %  and 62 %  of organisations were affected by a third-party cyber incident.
• supply chain compromises were the second most prevalent initial infection vector identified in 2021. and accounted for 17 % of the intrusions
• in 2021, 66 % of the supply chain attacks the suppliers did not know, or were not transparent about, how they were compromised
• Around 62 % of the attacks on customers took advantage of their trust in their supplier. In 62 % of the cases, malware was the attack technique employed. When considering targeted assets, in 66 % of the incidents, attackers focused on the suppliers’ code in order to further compromise targeted customers.
• 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
• 47 % allocate budget for ICT/OT supply chain cybersecurity.
• 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
• 61 % require security certification from suppliers, 43% use security rating services and 37% demonstrate due diligence or risk assessments. Only 9 % of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
• 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
• 46 % patch critical vulnerabilities within less than 1 month, while another 46 % patch critical vulnerabilities within 6 months or less.
• only 24 % of the surveyed organisations have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
• 59 % of the surveyed organisations that have TRM policies in place also have a dedicated budget or budget line for supply chain security
• regarding cybersecurity risk mitigation techniques:
  •   61 % of the surveyed organisations preferred security certificates,
  • 43% preferred  security risk rating services
  • 37% used due diligence or risk assessments
  • 9 % did not evaluate their supply chain security risks in any way.

1. Although organisations understand the significance of supply chain security, they do not allocate the necessary resources for ICT/OT supply chain cybersecurity.
2. Even when they invest in ICT/OT supply chain cybersecurity projects, the majority do it without clear governance corporate structures which ideally should take into account the costs and benefits of implementing ICT/OT supply chain cybersecurity practices and controls.
3. Organisations with formalised ICT/OT supply chain cybersecurity corporate procedures are the minority of the surveyed sample.
4. Banking is the sector with most established ICT/OT supply chain cybersecurity policies and dedicated budget and FTEs
5. Classification of a supply chain incident as such is cumbersome due the lack of concrete criteria.
6. Certifications are the most preferred way for organisations to follow suppliers’ cybersecurity practices; however, they are accompanied by high costs, especially for non-cybersecurity relevant vendors.
7. The surveyed organisations agree that common cybersecurity requirements for products and services would be beneficial for the market.
8. There is room to improve the visibility of the organisations over their information assets.
9. The majority of surveyed organisations do not have a vulnerability management system which covers all organisational assets.
10. Vulnerability management and testing of products contribute to better ICT/OT supply chain cybersecurity posture.

Large data breaches are rarely resolved quickly. That is why I am so surprised that organisations with the means and structures are so complacent with their data security. The focus is minimal compliance rather than security that is fit for purpose. The HWL data breach will be a long and excruciating process. The latest development is that data belonging to NAB have been found on line. See the Australian’s story NAB the latest to be confirmed as victim of HWL Ebsworth hack, with bank data leaking online . Beyond the revelation that the NAB has been affected the article itself is something of a reheating of earlier reporting. 

NAB has been motivated to issue a statement which provides:

“We are aware that HWL Ebsworth, a law firm engaged by NAB for some legal services, has been impacted by a cyber-attack. NAB’s systems were not impacted and remain secure. We are working with HWLE as they continue to get more information in relation to the content of these matters.”

There will be more statements like this from affected HWL Ebsworth clients (or ex clients). 

Based on the limited information provided to date it appears that the transfer of documentation from clients to the firm was not through access provided to the firm, as often happens with third party services providers working with an entity.  In those circumstances the danger is the initial hack will give rise to another hack as permissions and authorisations are stolen and used to access the other organisation.  Here HWL Ebsworth and its clients probably adopted the more traditional, and logical, means of transfer of documents.  The clients provided Read the rest of this entry »

it is usual practice for hacker gangs to publish names and other data taken from an organisation if a ransom is not paid. Sometimes it is done even without a demand for ransom. It is a malicious act but that is what criminal gangs do. So it is hardly extraordinary that Black Cat has done that with the data stolen from HWL Ebsworth. In that case it has published only a third of the data stolen. That is possibly because Black Cat retains hope that a ransom will be paid for the balance of the documents or that it wants to extend the pain it wants to inflict upon HWL Ebsworth. Another well practised option is to negotiate with organisations and agencies affected by the data breach. Alternatively it could sell the remaining data to interested players. It is impossible to say and Black Cat is not in the business of advertising its moves so it is a matter of wait for the next move. And it will come.

The BBC reports in Hacker gang Clop publishes victim names on dark web on another instance of he odious practice of publishing names on the dark web as a result of a mass hack. It is a slightly different approach, posting names rather than a document drop per se. Publish the names before public disclosure of the stolen data. Clop found a zero day vulnerability on the MOVEit site.  Because MOVEit is a platform designed to transfer data between organisations Clop had access to masses of data stored on MOVEit’s platform which it stole. The data belonged to a number of organsiations and institutions.  Bleeping Computer covers the story well with Clop ransomware gang starts extorting MOVEit data-theft victims. 

There is a strong similarity between the HWL Ebsworth and the MOVEit data breaches.  In both cases the value to the hackers of the data stolen is that it comes from a range of entities rather than the data belonging to the entity breached.  In HWL Ebsworth’s case Black Cat downloaded data belonging to clients and other entities from 2,000 data sites within the firm’s system.  In MOVEit’s case Clop stole data from its platform.  The intent is the same, using Read the rest of this entry »