April 30, 2022
Ransomware attacks have surged early this year, according to DataBreachToday's article Cybercrime: Ransomware Attacks Surging Once Again, which is based on a report by the NCC Group. Its findings are that:
- Ransomware attacks increased 53% compared with February, representing continued growth since the start of the year
- The most targeted sectors continue to be Industrials (34%), Consumer Cyclicals (21%), and Technology (7%)
- The most targeted regions were North America (44%) and Europe (38%) – a return to the usual split after seeing both regions with a similar number of victims in February
- The most prolific ransomware variants were again Lockbit 2.0 (96 victims) and Conti (71 victims)
An interesting, and worrying, development is that the percentage of data being restored after paying the demanded ransom has dropped. On average only 61% of the data is restored, whereas 65% was restored in 2020. The key caveat to reporting on ransomware is that the figures are notoriously spongy. Many affected businesses don’t report attacks if they pay the ransom.
To show that the threat is real in the US, the ransomware group going by the name Conti posted on the dark web data belonging to Elgin County, which had been hit by a ransomware attack. Yesterday Austin Peay State University admitted to being a victim of a ransomware attack. This is the twelfth US institute of higher education to be successfully targeted by ransomware gangs. Read the rest of this entry »
Posted in Privacy
April 29, 2022
Yesterday the Australian Competition and Consumer Commission (“ACCC”) released Interim Report No s – General online retail marketplaces.
In broad compass the report covers, as its brief description states:
- intensity of competition in the relevant markets
- trends in online shopping and general online retail marketplaces
- the conduct of marketplaces in their roles as platforms to facilitate interaction between third party sellers and consumers; including, where marketplaces also supply their own products on their platform, the impact that these sales and associated practices may have on competition with third-party sellers
- relationships between marketplaces and third party sellers
- relationships between marketplaces and consumers, as well as third party sellers and consumers.
The report necessarily deals with the issue of data collection and privacy. It does not contain any new insight or previously unknown fact or issue; however, it does synthesise and summarise the relevant issues. All too often these issues are not considered with this level of focus. In that regard it relevantly states Read the rest of this entry »
Posted in Privacy
April 27, 2022
The Singapore Personal Data Protection Commission has imposed a $35,000 fine on GeniusU for failing to prevent unauthorised access and exfiltration of personal information of 1.26 million. It is a significant data breach for Singapore in terms of numbers of individuals affected. Singapore has a population of a little over 5 million.
As is all too common, there was more than one mistake in GeniusU’s cyber security set-up. The likely entry was through the use of a developer’s password. Once in, it was easy to exfiltrate the data. It was stored in the codebase of its GitHub environment.
The decision summary relevantly Read the rest of this entry »
Posted in Privacy
In Bioaction Pty Ltd v Ogborne, in the matter of Bioaction Pty Ltd [2022] FCA 436 the Federal Court considered, for the first time by the courts, the deeming provisions of sections 105A and 105B of the Corporations Act regarding service of applications to set aside a statutory demand within the 21 day time limit.
FACTS
By originating process filed on 3 February 2022, the plaintiff, Bioaction Pty Ltd, sought an order setting aside a statutory demand pursuant to s 459G of the Corporations Act dated 12 January 2022 served by the defendant, Gordon Ogborne (“Ogborne”) [5].
Bioaction specialises in the design, manufacturing and installation of systems to eliminate or mitigate odorous, hazardous and corrosive gases. Ogborne was its Chief Financial Officer / Chief Operating Officer from December 2019 until November 2021, when he was made redundant [7].
Ogborne and Bioaction were in dispute as to his entitlements, where Ogborne claimed he was entitled to an additional sum [8].
On 13 January 2022, Ogborne served the statutory demand on Bioaction seeking payment of $240,688.31 being unpaid:
- salary,
- superannuation,
- salary in lieu of termination,
- annual leave and
- redundancy
pursuant to an employment contract [9].
The statutory demand was Read the rest of this entry »
Posted in Corporations Law, General, Insolvency, Legal
April 26, 2022
The National Institute of Standards and Technology has released a preliminary draft guide on ensuring the transference from 4G to 5G is properly managed, in particular dealing with adequate cyber and cloud security and privacy protections.
As is to be expected, this 83-page document is highly technical; however, it is a valuable asset for those practising in the privacy and cyber security space.
The Abstract provides:
Organizations face significant challenges in transitioning from 4G to 5G usage, particularly the need to safeguard new 5G-using technologies at the same time that 5G development, deployment, and usage are evolving. Some aspects of securing 5G components and usage lack standards and guidance, making it more challenging for 5G network operators and users to know what needs to be done and how it can be accomplished. To address these challenges, the NCCoE is collaborating with technology providers to develop example solution approaches for securing 5G networks. This NIST Cybersecurity Practice Guide explains how a combination of 5G security features and third-party security controls can be used to implement the security capabilities organizations need to safeguard their 5G network usage.
It defies easy summation.
In the broad the proposed Read the rest of this entry »
Posted in Privacy
April 25, 2022
It is something of a persistent myth that authors can hide behind pseudonyms and publish defamatory statements with impunity. If, as demonstrated in Colagrande v Kim [2022] FCA 409, a plaintiff is determined enough, there is a high probability of obtaining sufficient information to identify the author and convince a court that that person is the correct defendant in a subsequent defamation proceeding. Jagot J ordered a very significant award against the respondents.
FACTS
Dr Colagrande (“Colagrande”) is an Australian-trained doctor who is highly qualified:
- in 1999 completing a training Fellowship with the Cambridge Private Hospital in Cambridge, United Kingdom
- in 2002, becoming an Honorary Fellow in Aesthetic Plastic and Reconstructive Surgery at Addenbrooke’s Public Hospital in Cambridge, United Kingdom
- in 2005, gaining a Fellowship in Cosmetic Surgery from the European Academy of Cosmetic Surgery
- in 2005, establishing a clinic at Mermaid Beach, Gold Coast, Queensland where he mainly performed cosmetic procedures, health assessments and well-being programs.
In February 2017 Dr Colagrande pleaded not guilty to a charge of indecent assault of a patient, to which he was found not guilty [5]. On 5 June 2018 the Queensland Court of Appeal quashed that conviction and the prosecution entered a nolle prosequi (a formal abandonment of the charge) on 7 June 2018 [5].
Colagrande had an account with the RateMDs website, a doctor rating site with over 40 million visits every year. Members of the public can post entries relating to doctors on the RateMDs website [6].
In early 2019 when Colagrande Read the rest of this entry »
Posted in Defamation, Legal
April 22, 2022
Yesterday the National Institute of Standards and Technology (“NIST”) released Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms and Hardware-Enabled Security: Machine Identity Management and Protection.
The guides are highly technical but include useful practical methodologies on cyber security. They are a valuable resource. In Australia there is nothing equivalent at this level of detail.
Trusted Cloud
The abstract Read the rest of this entry »
Posted in Privacy
April 19, 2022
It is a sign of how mainstream satellites have become, and part of the consumer economy, that the National Institute of Standards and Technology (“NIST”) is starting the process of developing guidelines for cybersecurity relating to the operation of satellites. The NIST has released “Satellite Ground Segment: Applying the Cybersecurity Framework to Assure Satellite Command and Control”.
While the number of satellite operators is relatively, if not absolutely, small, guides such as these have a broader application for those who take cyber security seriously.
The NIST abstract provides:
Space operations are increasingly important to the national and economic security of the United States. Commercial space’s contribution to the critical infrastructure is growing in both volume and diversity of services, as illustrated by the increased use of commercial communications satellite (COMSAT) bandwidth, the purchase of commercial imagery, and the hosting of government payloads on commercial satellites. The U.S. Government recognizes and supports space resilience through numerous space policies, executive orders, and the National Cyber Strategy. The space cyber-ecosystem is an inherently risky, high-cost, and often inaccessible environment consisting of distinct yet interdependent segments. This report applies the NIST Cybersecurity Framework to the ground segment of space operations with an emphasis on the command and control of satellite buses and payloads.
The objectives of guide Read the rest of this entry »
Posted in Privacy
April 14, 2022
Wired reports that the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI released an advisory about a malware toolset which can interfere with industrial control systems. Given Australia has just passed updated critical infrastructure legislation, this is a particularly relevant development. The state of protection by Australian organisations is generally poor, legislation notwithstanding.
The advisory Read the rest of this entry »
Posted in Privacy
The health industry always features prominently with data breaches and commensurate poor privacy and data security practices. To show the consequences of one, entirely avoidable, lapse upon a poorly protected organisation, note the salutary example of the data breach at the Christie Clinic in Illinois. A single email account was compromised, resulting in unauthorised access to the personal information of 503,000 individuals. It is the third largest recorded health data breach thus far in 2022. It is Read the rest of this entry »
Posted in Privacy