September 4, 2025
Multi-factor authentication is a critical part of any cyber security program. While it is becoming standard in many larger organisations, it is poorly understood and even more poorly implemented. The National Institute of Standards and Technology (“NIST”) has released a report on multi-factor authentication for criminal justice information systems. Very specific perhaps, but the contents of the report have a broader application.
The abstract provides:
Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information (CJI); to reduce the risk of unauthorized access, the Criminal Justice Information Services (CJIS) Security Policy now requires the use of MFA when accessing CJI. This document provides practical information to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.
The report is worth reading. Some interesting Read the rest of this entry »
Posted in Privacy
September 1, 2025
The National Institute of Standards and Technology has published the final version of NIST Internal Report (IR) 8349, Methodology for Characterizing Network Behavior of Internet of Things (IoT) Devices, and a draft of NIST IR 8536, Supply Chain Traceability: Manufacturing Meta-Framework.
Understanding the scope of the Internet of Things and how its network traffic operates is key to determining its cyber security requirements. This 47 page report is worth consideration. The Internet of Things will become more, not less, ubiquitous and more, not less, prone to cyber attacks. The Supply Chain Traceability paper is also important but more specific and technical.
Internet of Things
The summary provides:
Characterizing and understanding the expected network behavior of IoT devices is essential for cybersecurity; it enables the implementation of appropriate network access controls to protect the devices and the networks on which they are deployed. Device characterization techniques that describe the communication requirements of IoT devices, in support of the NCCoE Securing Home IoT Devices Using Manufacturer Usage Description (MUD) project, can aid in securing devices and their networks.
To properly secure networks, network administrators need to understand what devices are on the network and what network communication each device requires to perform its intended functions. In the case of networks that include IoT devices, it is often difficult to identify each individual device, much less know what network access is required by each device to other network components (and what access other network components need to each device). Read the rest of this entry »
Posted in Privacy
August 30, 2025
Hanson Chambers in South Australia has been hit with a cyber attack. The chambers has 8 barristers (3 silks and 5 juniors) and one associate member, acting as a mediator. The breach is serious, with correspondence and court documents being stolen and listed on the Lynx ransomware site. It has been reported in cyberdaily.au in Exclusive: South Australian barristers’ chambers listed on Lynx ransomware’s leak site.
The cyberdaily article Read the rest of this entry »
Posted in Privacy
Sam and Brittany Groth have issued proceedings in the Federal Magistrates Court against the Herald and Weekly Times alleging a breach of privacy, or more accurately a breach of the statutory tort of serious invasion of privacy. The Court number is VID1130/2025 and there are 3 respondents: the Herald and Weekly Times, Stephen Drill and Sam Weir. The story is covered by 3AW (with audio) in Deputy opposition leader launches legal action over controversial reporting. The Australian Financial Review also covers it Read the rest of this entry »
Posted in Federal Court, Privacy
August 29, 2025
In late July 2025 the Attorney General, Michelle Rowland, said to the Australian Financial Review that the Privacy Act was “not fit for the digital age”. She later said, during an appearance on Sky News’ Sunday Agenda regarding the Privacy Act, that “...Well, this is the second tranche of privacy reforms. I think it’s fair to say, Andrew, that Australians are sick and tired of their personal information not only being exploited for benefit by third parties, but also the way in which that information is not being protected. We’ve seen that in recent times with data breaches, both by Australian companies as well as multinational tech giants.”
Modern reform often begins with Ministers making noises about the need to address this or that reform, putting the issue onto the agenda. In the privacy context that was done in 2022 – 2023. The 2022 Privacy Act Review Report proposed 116 recommendations to reform the Privacy Act 1988.
The government accepted 38 of the proposed reforms and agreed to 68 in principle. It said it would implement the changes in phases. The first tranche, as it became known, was found in the Privacy and Other Legislation Amendment Act 2024 which passed in November 2024 and became law on 10 December 2024. It implemented 23 of the reforms, including the introduction of a statutory tort of privacy, anti-doxxing offences and a new tiered civil penalty regime, as well as the development of a new Children’s Privacy Code, which is currently the subject of consultation undertaken by the Office of the Australian Information Commissioner (OAIC). The obligation to disclose the use of personal information for automated decision making will commence in December 2026.
The Attorney General has now dropped two not very subtle hints that more privacy reform is required. There is nothing detailed about the what and the when, but that is not required at this stage. Starting the conversation is the key. Given the Government has already responded to the report’s recommendations, going from discussion to action is a short step.
As to when the second tranche will be introduced into Parliament as a Bill is the subject of some speculation. It is a more comprehensive set of reforms and some are Read the rest of this entry »
Posted in Privacy
Cryptographic keys are a key part of any proper protection of an organisation’s operations, and the compromise of those keys can have a catastrophic effect on an organisation. The ACSC has developed a guide to assist organisations in developing a Key Management Plan to deal with internal and external threats. It should be used in conjunction with the appropriate NIST standards. The guidance contains references, by way of hyperlink, to other guidance and publications. They should be read as well.
The guide relevantly provides:
The world is increasingly relying on online services, digitalisation of data and interconnected systems; cyber security is a vital way in which we protect critical sectors. Good security hygiene keeps participants from making mistakes and makes it harder for malicious cyber actors to cause damage. One important aspect of cyber security is cryptographic keys and secrets management systems. Cryptographic keys and secrets are required for services that secure data, provide integrity, confidentiality, non-repudiation and access control. Cryptographic keys and secrets are a critical asset of many organisations and a core component of cyber security, which must be carefully managed and protected throughout their life cycle.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Department of Industry Science and Resources (DISR) have developed this guide to help organisational personnel in understanding the threat environment and the value of implementing secure keys and secrets management to make better informed decisions.
The compromise of any private key or secret can have significant, or even severe, negative operational, financial and reputational impacts on an organisation. Organisations must seek to implement mitigations to ensure their organisational keys and secrets are protected and so they are positioned to respond quickly and effectively in the case of a security incident. Read the rest of this entry »
Posted in Privacy
August 28, 2025
The National Institute of Standards and Technology (NIST) provides invaluable support to those developing privacy and data security controls for businesses and government agencies. On 6 June 2025 Donald Trump issued an executive order titled SUSTAINING SELECT EFFORTS TO STRENGTHEN THE NATION’S CYBERSECURITY AND AMENDING EXECUTIVE ORDER 13694 AND EXECUTIVE ORDER 14144. Previous Presidents have issued Executive Orders to deal with threats to cyber security.
In response to the Executive Order, NIST revised its catalog of security and privacy controls, focusing on improving the security and reliability of software updates and patches. The revisions are:
- SP 800-53 Release 5.2.0 which addresses multiple aspects of the software development and deployment process, including software and system resiliency by design, developer testing, the deployment and management of updates, and software integrity and validation.
- updates to the control catalog through the Cybersecurity and Privacy Reference Tool (CPRT), which allows downloads of machine-readable formats, including OSCAL and JSON.
The Executive Order provides:
By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered:
Section 1. Amendments to Executive Order 14144. Executive Order 14144 of January 16, 2025 (Strengthening and Promoting Innovation in the Nation’s Cybersecurity), is hereby amended by: Read the rest of this entry »
Posted in Privacy
August 26, 2025
The Safetrac saga continues apace with allegations that it installed listening devices without consent or updating its surveillance policy. The AFR reports on these concerning developments in Safetrac surveillance installed without staff agreement: HR manager. Safetrac installed the Teramind program. Teramind proudly admits that its program is designed to “Monitor, analyze, and manage employee activity to prevent insider threats, safeguard sensitive information, and optimize team performance.” According to the piece, Safetrac used the microphones of employees’ laptops to record sound close to their computers from 15 April until 2 June 2025. Not so coincidentally, the statutory tort of serious invasion of privacy came into effect on 10 June 2025. Safetrac amended its policy on the use of surveillance equipment from 4 sentences to 2 pages. Whether that is sufficient to constitute proper awareness and consent is another story.
An interesting issue may be whether Safetrac used the Teramind program on the laptops of some of its clients’ employees while monitoring compliance on those clients’ behalf, and whether the clients were aware of it.
The article provides:
A top compliance firm that turned staff laptops into covert listening devices should have updated its surveillance policy before deploying its monitoring software, according to a statement by one of its human resources managers to the Victorian government’s workers’ compensation authority.
The Australian Financial Review can reveal WorkCover agent Allianz this month accepted that Safetrac should have got staff consent to its new surveillance policy introduced in June before it installed the software Teramind two months before to monitor underperformers.
The statement was outlined in reasons for WorkCover’s rare decision to grant workers’ compensation payments to a Safetrac staffer who it found developed anxiety when she discovered that she was under audio surveillance while she worked from home.
The decision could open a path for other Safetrac staff to claim compensation following allegations Safetrac did not specifically advise them it was using the microphones of select employees’ laptops to record sound close to their computer from April 15 to June 2.
Safetrac has said staff consented to the surveillance in their contracts and a four-sentence surveillance policy that said audio and images may be recorded during the course of their employment. It says it notified staff of “additional computer monitoring” at a company-wide town hall in February.
Read the rest of this entry »
Posted in Privacy
August 25, 2025
The fact that there is effective surveillance technology in the market does not mean it should be used. Pegasus spyware can be remotely and covertly installed on mobile phones running iOS and Android. It is marketed as a tool for fighting crime and terrorism, and it could even be sold as a supervision tool to companies. But because it operates through secrecy and is effectively a form of spying, it has not been used by businesses but rather by autocratic governments to spy on journalists and dissidents. There is other software which is less pernicious than Pegasus but can still spy on individuals through their computers. That intrudes into people’s privacy. Enter Safetrac, which, according to the AFR’s quite brilliant article titled Company turned laptops into covert recording devices to monitor WFH, has used software to eavesdrop on staff for up to 10 hours a day, and to video them as well. Safetrac claims to have provided notice and obtained consent. The notice is 4 sentences in a policy and some commentary during a “Town Hall.” That is inadequate. The fact that the surveillance picked up non work related sounds, such as private conversations and out of hours activity, will also make its actions privacy intrusive. This story is not over. The Privacy Commissioner has jurisdiction to consider whether there has been a breach of an Australian Privacy Principle under the Privacy Act 1988. If the recordings took place after 10 June 2025, then those affected may have a cause of action for the statutory tort of serious invasion of privacy. Even if not, there are options in equity.
The article provides:
One of the country’s top compliance training companies recorded the conversations of its employees by turning their laptops into covert listening devices while they were at home, in a case that tests the boundaries of workers’ privacy.
Victorian police are investigating claims that Safetrac breached the state surveillance laws after chief executive Deborah Coram admitted in legal documents that her company recorded the audio and screens of select members of its staff, who work from home.
The recordings, which were done over two months, used the laptop’s microphone to capture audio by default. They picked up not only audio from remote Teams meetings but also any sound close to the laptop.
Safetrac says the screen and audio surveillance were necessary to manage underperformers in the business. The company says employees consented to being recorded when they signed their contract and accepted its surveillance policy.
That policy, which consisted of just four sentences when the software was installed, said audio could be recorded during the course of employment.
Several current and former employees have told The Australian Financial Review they did not agree to their laptops’ microphones being secretly switched on for up to 10 hours a day, recording every conversation. This included staff complaining about the CEO during Teams meetings.
They also fear the audio recordings captured not only conversations with colleagues but also discussions with clients that might have involved confidential information, and even family members’ or personal phone calls near the laptop.
Read the rest of this entry »
Posted in Privacy
August 24, 2025
There are strong protections for children’s privacy in the USA, notably COPPA. There is also constant pressure to collect personal information to assist in targeting ads. Google was accused of collecting personal information without parental consent when children accessed YouTube. It is reported by Reuters in Google settles YouTube children’s privacy lawsuit. It is also covered by Malwarebytes in Google settles YouTube lawsuit over kids’ privacy invasion and data collection. While a settlement of $30 million is a large figure in absolute terms, it is important to note that Alphabet, Google’s owner, posted a net income of $62.7 billion on $186.7 billion in the first half of 2025.
The Reuters article provides:
Google will pay $30 million to settle a lawsuit claiming it violated the privacy of children using YouTube by collecting their personal information without parental consent, and using it to send targeted ads.
A preliminary settlement of the proposed class action was filed on Monday night in San Jose, California, federal court, and requires approval by U.S. Magistrate Judge Susan van Keulen.
Read the rest of this entry »
Posted in Privacy