The National Institute of Standards and Technology release the Introduction to Cybersecurity for Commercial Satellite Operations

March 17, 2022

It is interesting to see the National Institute of Standards and Technology recently release an Introduction to Cybersecurity for Commercial Satellite Operations.  It is too interesting not to post on even if the chances of working on cyber security for satellites is probably a little bit removed from most practitioners experience.  Put another way, I am not expecting a call from Elon Musk to do some cyber security work on a Space X satellite.  That said, the principles are as applicable to more terrestrial equipment. 

The rationale for the paper is pithily described in the abstract stating:

Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national government Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.

The NIST recommends using the cybersecurity Framework to develop a profile that involves:

Step 1: Establish Scope and Priorities.  While it is Read the rest of this entry »

The National Institute of Standards and Technology release Ransomeware Risk Management; a Cybersecurity Framework Profile and quick start guide

March 11, 2022

Ransomware remains an ongoing, growing and developing form of malware that is particularly damaging to businesses.  Ransomware encrypts an organization’s data and demands payment as a condition of restoring access to that data. It can also be used to steal  information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The Australian Cyber Security Centre has provided some guidances on how organisations can minimise the risk of suffering a ransomware attack and what to do when attacked. In my experience many organisations do not have regard to this or any other guidance until it is too late.  Given the potential disastrous impact of a ransomware attack this is false economy.

By far and away the best source of guidance and practical assistance are the publications put out by the US National Institute of Standards and Technology (“NIST”). NIST recently released Ransomware Risk Management: A Cybersecurity Framework Profile.  It is a very useful and timely document. The abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.

Through a table it sets out the appropriate ISO/ID.AM/NIST guides against issues and explains how the guides operate.

Also released with it was a White Paper titled Getting Started with Cybersecurity Risk Management: Ransomware.

With the threat of ransomware growing, this “quick start guide” will help organizations use the National Institute of Standards and Technology (NIST) “Ransomware Risk Management: A Cybersecurity Framework Profile” to combat ransomware. Like the broader NIST Cybersecurity Framework, which is widely used voluntary guidance to help organizations better manage and reduce cybersecurity risk, the customized ransomware profile fosters communications and risk-based actions among internal and external stakeholders, including partners and suppliers.

The Framework provides a very useful section containing basic ransomware tips Read the rest of this entry »

Information Commissioner releases privacy guidance on Healthcare identifiers on digital vaccination certificates

March 10, 2022

The Information Commissioner has issued privacy guidance on individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This in addition to the guideline titled Privacy guidance for businesses collecting COVID-19 vaccination information issued on 12 November 2021.

The guidance Read the rest of this entry »

Information Commissioner releases Notifiable Data Breaches Report for the period July – December 2021

The Information Commissioner has released the latest report on notifiable data breaches for the second half of 2021.  There were 464 data breaches from July to December 2021.  A total of 464 data breaches throughout all of Australia for a 6 month period. According to itgovernance there were 5.1 million records breached worldwide in February 2022 alone. Why there is such a ridiculously low number reported to the Commissioner is ample evidence of how flawed the data breach regime remains. 

There are a number or reasons for this failure in public policy.  A starting point is =the limited coverage of the Privacy Act.  The small business exemption as well as the journalist and political party exemption leaves a large part of the economy which collects, holds and uses data outside of the coverage.  The Data Breach Notification Scheme is self assessment using a long list of factors to determine whether there has been serious harm.  For some organisations Read the rest of this entry »

Re Slodyczka & Farren Pty Ltd (Costs) [2022] VSC 102 (4 March 2022): application for costs by the defendant; where presumption of insolvency rebutted, multiple defences relied upon

March 9, 2022

The postscript to Re Slodyczka & Farren Pty Ltd [2022] VSC 102 is a decision by Associate Justice Hetyey regarding costs of the application. 

FACTS

in the substantive judgment  the plaintiff’s application to wind up the defendant in insolvency was dismissed.

The relevant facts for the purpose of considering a costs order were:

  • whilst the matter was commenced by originating process filed on 11 April 2021, there were delays and adjournments [2] resulted in two previous costs orders being made being:
    • on 7 July 2021, consent orders were made which, among other things, required the plaintiff to pay the defendant’s costs thrown away by reason of an adjournment of the hearing originally scheduled that day (‘the first costs order’).
    • at the next hearing date, on 27 July 2021, it was adjourned at the request of the defendant to enable it to put on supplementary material on the question of solvency, including audited accounts for the 2019/2020 and 2020/2021 financial years. The plaintiff’s costs of the hearing be reserved (‘the second costs order’).

The defendant opposed the winding up application on the following alternative bases [4]:

(a) service of the plaintiff’s statutory demand dated 3 February 2021 (‘the statutory demand or the demand’) was defective;

(b) the defendant was solvent and could displace the statutory presumption of insolvency;

(c) the defendant should be given leave pursuant to s 459S of the Corporations Act2001 (Cth) (‘theCorporations Act’) to oppose the winding up application on a ground or grounds it could have relied on for the purpose of an application to set the demand aside. The grounds sought to be raised were: (i) there was a genuine dispute about the amount of the debt claimed in the statutory demand in accordance with s 459H(1)(a); (ii) the defendant had an offsetting claim for the purpose of s 459H(1)(b) of the Corporations Act; and (iii) the demand was defective and a substantial injustice would be caused to the defendant if the demand was not set aside pursuant to s 459J(1)(a) of the Corporations Act; and

(d) pursuant to s 467(1)(a) of the Corporations Act, the Court should dismiss the plaintiff’s application as a matter of discretion.

In the substantive judgment the court held that, [5]:

  • the defendant failed to rebut the presumption of service of the statutory demand under s 29(1) of the Acts Interpretation Act 1901 (Cth).
  • the defendant succeeded in displacing the statutory presumption of insolvency on the basis that it was cash flow positive and balance sheet solvent. The proceeding was dismissed on this basis.
  • the defendant’s application under s 459S of the Corporations Act was not granted because the grounds sought to be raised in respect of the plaintiff’s debt were not material to proving solvency however  had the defendant failed to establish solvency the corut would haveultimately have granted it leave
  • the defendant could not to pursue its argument that the Court should dismiss the plaintiff’s application in accordance with the Court’s discretion under s 467(1)(a) of the Corporations Act because of a lack of proper notice to the plaintiff Read the rest of this entry »

Statutory demands. update Re Amville Constructions Pty Ltd [2022] VSC 65 (17 February 2022), Re Slodyczka & Farren Pty Ltd [2022] VSC 19 (1 February 2022) & Re Wynyard Victoria Pty Ltd [2022] VSC 81 (24 February 2022); insolvency, service, setting aside statutory demands, ss 459A, 459C, 459G, 459H, 459J, 459P, 459S of Corporations Act.

March 6, 2022

Associate Justice Heytey has had a busy start to the year with 2 decisions regarding applications under the Corporations Act 2001; Re Slodyczka & Farren Pty Ltd [2022] VSC 19 and Re Amville Constructions Pty Ltd [2022] VSC 65.  Associate Justice Gardiner considered an application to set aside a statutory demand in Re Wynyard Victoria Pty Ltd [2022] VSC 81.

Re Slodyczka & Farren Pty Ltd [2022] VSC 19

The key issue in this application was whether there was proper service of a statutory demand and whether the presumption of insolvency was rebutted. 

FACTS

Slodyczka & Farren Pty Ltd (‘the defendant’) was first registered on 14 December 2015. In response to the COVID-19 pandemic, it commenced a business in March 2020 for the manufacture and sale of face masks.  Between April 2020 and August 2020, Lion & Horn Pty Ltd (‘the plaintiff’) providing it with marketing services to sell of its masks [1].

In early February 2021, the plaintiff purportedly served the defendant with a statutory demand dated 3 February 2021, which claimed the sum of $36,091.77 in relation to an outstanding invoice dated 28 August 2020 for its marketing services . The defendant did not comply with the demand within the 21-day statutory period.

By originating process filed on 11 April 2021, the plaintiff sought to wind up of the defendant pursuant to ss 459A and 459P of the Corporations Act 2001 (Cth) relying upon the statutory presumption of insolvency contained within s 459C(2)(a) of the Corporations Act.

The Court framed the questions for consideration as being, at [9]:

(a) was service of the statutory demand effective?

(b) is the defendant solvent?

(c) should the Court grant the defendant leave pursuant to s 459S(2) of the Corporations Act to oppose the winding up application on one or more grounds that the defendant could have relied upon in seeking to set aside the demand, but did not so rely? Further, is such a ground material to proving the Company is solvent?; and

(d) should the Court dismiss the plaintiff’s application under s 467(1)(a) of the Corporations Act as a matter of discretion?

DECISION

Service

In reviewing the legislation and legal principles the court Read the rest of this entry »

EU activates cyber rapid response team in response to Ukrainian crisis

February 23, 2022

The European Union has activated its cyber security team to help Ukrainians from Russian cyber attacks.  Actually, more Russian cyber attacks given the US attributed a DDoS cyber attack on the Ukrainian Ministry of Defence to the Russian Main Intelligence Directorate.  On the back of that the Australian Government issued a joint media release by Ministers Andrews, Payne and Dutton (is there an election in the air?) saying the same thing as the US providing:

The Australian Government joins the United States and the United Kingdom in publicly attributing the cyber attacks against the Ukrainian banking sector on 15 and 16 February 2022 to the Russian Main Intelligence Directorate (GRU).

In consultation with our partners, the Australian Government assesses that the GRU was responsible for these distributed denial of service (DDoS) attacks.

The Australian Government stands in solidarity with Ukraine and our allies and partners to hold Russia to account for its ongoing unacceptable and disruptive pattern of malicious cyber activity.

The international community must not tolerate Russia’s misuse of cyberspace to undermine Ukraine’s national security, sovereignty and territorial integrity by seeking to disrupt essential services, businesses and community confidence.

Russia’s actions pose a significant risk to global economic growth and international stability.

The global community must be prepared to shine a light on malicious cyber activity and hold the actors responsible to account. All members of the international community – including Russia – should abide by existing international law and norms of responsible state behaviour which apply in cyberspace. Australia calls on all countries to honour and uphold their commitments.

Australia is committed to upholding the rules-based order online, just as we do offline, and supporting our partners in the face of cyber threats.

Australia will continue providing cyber security assistance to the Ukrainian Government, including through a new bilateral Cyber Policy Dialogue and further cyber security training for Ukrainian officials.

Australia commends the swift action taken by Ukrainian authorities and the private sector to substantially mitigate the impacts of this incident.

Governments, the private sector and households must remain vigilant about the ongoing threats we face in cyberspace.

The Government is taking concrete action to protect Australians against cyber criminals, investing $1.67 billion over 10 years to build new cybersecurity and law enforcement capabilities to protect Australian businesses and communities, and passing new laws to protect our critical infrastructure assets from malicious cyber attacks.

This was picked up in the Australian’s Australia offers cyber security aid to Ukraine. 

The reality of modern conflict is that cyber attacks are Read the rest of this entry »

NSW QR Code data breach involving publication of 500,000 addresses on state government website..a recurring problem for state and local government bodies

The SMH reports that there has been a data breach by NSW  Department of Consumer Service in the publication of 500,000 addresses on a government website.  According to the NSW Government the NSW information Commissioner was advised the day after it became aware of the information being in the public domain and that the Commissioner stated that this did not constitute a privacy breach.  That story is based on a Nine News expose. As is the way the embarrassment of the breach is compounded by the negative coverage, going as far as the UK.

If there is some humour to be found in this all too familiar type of breach it is that NSW legislated to ban police from accessing QR code check in data in November last year. 

The SMH article Read the rest of this entry »

Data breach of Oklahoma City Police results in rape kit information being exposed..about as bad as it gets

It has long been the practice of authorities to provide maximum privacy to complainants in sexual assault and rape cases.  In Australia and most overseas common law jurisdictions reporting of rape cases does not identify the victim.  The report that data from rape kits of victims who alleged they were sexually assaulted are the subject of a data breach is devastating to those individuals.  It also undermines the confidence in the police procedure.  It may also prejudice the prosecution of cases where that data is a crucial piece of evidence.  

What is more than passing strange is that the data breach took place on 18 November 2021 but details of that breach were only provided this week.  The handling of the breach has been dreadful with the the Police Department stating that “certain sensitive personal and health-related information” may have been compromised.  DNA Solutions took a different tack stating “The data did not include social security numbers, driver’s license information, or financial information. We have notified individuals or organizations whose data may have been impacted directly.” DNA Solutions stated what was not included in the data taken or exposed but does not say whether personal information was taken.  That is a non answer answer. 

There have been some very significant data breaches involving DNA data.  On 29 November 2021 DNA Diagnostics Center Inc in Maine USA notified the Attorney General that there had been a data breach, from 24 May until 28 July 2021, which affected 2,102,436 people.  In July 2019 it was reported that a DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years with more than 3,000 user files remaining accessible to the public on Amazon Web Services cloud-computer servers until 1 July 2019. The reports included genealogy reports which included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions. Back in 2017 Ancestry.com had a huge, by those standards, data breach involving 300,000 credentials exposed. 

The article related to the Oklahoma breach Read the rest of this entry »

Merry Christmas and yes there is Santa Claus

December 25, 2021

As is tradition I wish all a very Merry Christmas.  Probably a celebration more keenly appreciated and felt this year than most.  This second year of COVID has been a grind and more difficult than 2020 when we first exerienced the effect of restrictions. 

As is my practice I republish one of the most heartfelt and brilliantly written paean to the Christmas celebration and optimism and being unafraid to reject cynicism of our current age; Yes, Virginia: There is a Santa Claus.  It is as apt today as it was in 1897. More so.  The prose is wonderful and little wonder it is history’s most reprinted newspaper editorial.

The article provides:

DEAR EDITOR: I am 8 years old.
Some of my little friends say there is no Santa Claus.
Papa says, ‘If you see it in THE SUN it’s so.’
Please tell me the truth; is there a Santa Claus?

VIRGINIA O’HANLON.
115 WEST NINETY-FIFTH STREET.

VIRGINIA, your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except they see. They think that nothing can be which is not comprehensible by their little minds. All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, VIRGINIA, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to your life its highest beauty and joy. Alas! how dreary would be the world if there were no Santa Claus. It would be as dreary as if there were no VIRGINIAS. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus! You might as well not believe in fairies! You might get your papa to hire men to watch in all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove? Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see. Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world.

You may tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, nor even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernal beauty and glory beyond. Is it all real? Ah, VIRGINIA, in all this world there is nothing else real and abiding.

No Santa Claus! Thank God! he lives, and he lives forever. A thousand years from now, Virginia, nay, ten times ten thousand years from now, he will continue to make glad the heart of childhood.