Data is assessed by our team members

Investigations can reveal some very sensitive and personal data. This intel is assessed by us and closely guarded, and it is used only for the purpose of fulfilling the needs of our clients and achieving the results we are commissioned to undertake.

Team leader heads a group of professional investigators on the ready

We are proud to have access to the finest team members and discreet qualified persons who pride themselves on obtaining results for our clients where others fail.

The latest technology & equipment allow us to keep our finger on the intel pulse

Scientific apparatus and technical staff allow us to obtain sensitive and useful information for our clients by utilizing the latest technology. The storage, use and availability of this data is handled with great care.

Communications between team members & networks is critical

In these days of worldwide communications being at a peak of efficiency, passing on and receiving information in the blink of an eye is possible between our team members and the network we have access to.

Team leader & CEO of the intel agencies group is Donna-Lee Sapiecha Eyers

Donna-Lee is pictured here at her law degree graduation ceremony, proudly supported by her mother Karen, her sister Sharah-Lee and her father Henry.

 

Mobile phone tracking firm exposed millions of Americans’ real-time locations. Is Australia in the loop?

The bug allowed one Carnegie Mellon researcher to track anybody’s mobile phone in real time

A bug allowed anyone to skip a consent requirement in a cell phone location tracking site. (Image: ZDNet)

A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located — without obtaining their consent.

Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you’ve more than likely never heard of before.


The company, LocationSmart, is a data aggregator and claims to have “direct connections” to cell carriers to obtain locations from nearby cell towers. The site had its own “try-before-you-buy” page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.

But that website had a bug that allowed anyone to track someone’s location covertly without their permission.

“Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location,” said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone conversation.

“The implication of this is that LocationSmart never needed consent in the first place,” he said. “There seems to be no security oversight here.”

The “try” website was pulled offline after Xiao discreetly disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon.


Xiao said the bug could have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart’s website following ZDNet’s report this week, which followed a story from The New York Times that revealed how a former police sheriff snooped on phone location data from Securus, a customer of LocationSmart, without a warrant.

The sheriff has pleaded not guilty to charges of unlawful surveillance.

Xiao said one of the APIs used in the “try” page that allowed users to try the location feature out was not validating the consent response properly. Xiao said it was “trivially easy” to skip the part where the API sends the text message to the user to obtain their consent.
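The failure Xiao describes is a consent step the server does not actually enforce. The following Python model is an added illustration and is not LocationSmart’s code; the real defect was never published, so the weak design modelled in `locate_weak` (a lookup that trusts a consent value the caller supplies) is an assumption about the bug class, and the phone number, location and `ConsentStore` are constructed sample data. The hardened path records consent server-side only when the one-time code that was texted to the handset comes back, and the lookup consults that record alone.

```python
"""Consent-gated location lookup: a caller-trusted consent flag beside a
server-verified one. Added illustration; the real LocationSmart API and
its exact defect are not public, so the weak design here is an assumption."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample "carrier" data: phone number -> approximate location.
CARRIER_LOCATIONS = {"+15555550100": ("Honolulu, HI", 21.31, -157.86)}


@dataclass
class ConsentStore:
    pending: dict = field(default_factory=dict)   # phone -> (code, expires_at)
    granted: dict = field(default_factory=dict)   # phone -> consent expires_at
    sms_outbox: list = field(default_factory=list)  # stand-in for the SMS gateway


def send_consent_sms(store, phone, now=None):
    """Step 1: generate a one-time code, record it server-side, 'text' it."""
    now = now or time.time()
    code = f"{secrets.randbelow(10**6):06d}"
    store.pending[phone] = (code, now + 300)    # code is valid for 5 minutes
    store.sms_outbox.append((phone, code))
    return True


def confirm_consent(store, phone, code, now=None):
    """Step 2: only the code delivered to the handset unlocks consent.
    The pending code is consumed on any attempt, so it cannot be guessed
    repeatedly, and the comparison is constant-time."""
    now = now or time.time()
    entry = store.pending.pop(phone, None)
    if entry is None:
        return False
    expected, expires = entry
    if now > expires or not hmac.compare_digest(expected, code):
        return False
    store.granted[phone] = now + 600            # consent itself lasts 10 minutes
    return True


def locate_weak(phone, consent_flag):
    """Weak design (assumed): the lookup trusts a consent value supplied by
    the caller, so whoever calls it decides whether consent 'happened'."""
    if consent_flag == "granted":
        return CARRIER_LOCATIONS.get(phone)
    return None


def locate_checked(store, phone, now=None):
    """Hardened design: the lookup consults only the server-side record,
    which exists solely because the handset's code was confirmed."""
    now = now or time.time()
    expires = store.granted.get(phone)
    if expires is None or now > expires:
        return None
    return CARRIER_LOCATIONS.get(phone)
```

The point to check in any consent flow of this kind is that nothing the requesting client sends can substitute for the record the server wrote when the handset answered; the `now` parameter exists so the expiry paths can be exercised deterministically.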

“It’s a surprisingly simple bug,” he said.

Xiao showed ZDNet a video of a script he built exploiting the bug in the company’s API.

LocationSmart did not promptly respond to a request for comment.

Xiao verified the bug with a few people he knew. Brian Krebs, who first reported the story earlier today, also verified the bug with a number of people who allowed him to test the bug.

“None of them got any notification that their location was being tracked,” he said.

“I had a friend who was driving around Hawaii and [with permission] pinged the location and I could watch the marker move around the island,” he said. “It’s the kind of thing that sends eerie chills down your spine.”


Sen. Ron Wyden (D-OR), who last week called on the cell carriers to stop exchanging data with third parties, offered a statement.

“This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security,” said Wyden.

“It represents a clear and current danger, not just to privacy but to the financial and personal security of every American individual. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone,” he said.

Wyden said the dangers from LocationSmart and other companies “are boundless.”

“If the FCC refuses to act after this revelation then future crimes against Americans will be the commissioners’ heads,” he said.

We reached out to the cell providers — AT&T, Verizon, and Sprint — which all said they were investigating. T-Mobile did not respond to a request for a reaction.

But this recently disclosed bug shows the carriers are yet to cut off any access — if at all.


Henry Sapiecha

YouTube & Facebook are struggling to keep billions under control

YouTube, Facebook and many other media platforms are facing some issues: a lot of undesirable material is distributed through their channels. That has always been the case but, recently, it has become a threat since extremists of all sorts have begun to utilise their channels to spread propagandist and violence-glorifying content. As new privacy laws are passed and advertising sponsors put on the pressure, the media giants have to either discover better ways to handle the deluge of user posts or risk hefty fines. Artificial intelligence (AI) has been touted as the magic silver bullet but are algorithms really the solution?

To give you an idea of the scale I’m referring to: 500 hours of video content are uploaded to YouTube every single minute – and counting. It would require hundreds of thousands of workers to review and, if necessary, delete them. And it’s a golden opportunity to become a big employer – Google has the funds after all! Instead of just a measly 80,000 employees worldwide, 2,500,000 additional jobs could be created to give back a few of those billions to society. Naturally, that’s out of the question. Profits would decline and shareholders would surely threaten self-immolation. That’s why Google is leaving this issue in the arena of technology.

Here’s the plan: human workers have flagged 2 million videos for deletion by adding certain markers to further specify the cause. Self-learning machines analyze the data and scan both audio and video tracks to learn about humans and objects in context (or situations). Even text overlays along with political or religious symbols are recognized. The objective: to find and remove violence-glorifying content, terrorist propaganda, hate speech, SPAM and, naturally, nudity.

Today, artificial intelligence (AI) has already replaced much of the human workforce.

The algorithms are continuously refined with each iteration. Which videos are showing a bombing, a swastika or an uncovered female breast? In the past, censors were already quite swift when it came to pornography, but other illegal content is now also slowly coming into focus. Affected videos are marked and later wiped from the portal. Of over 8 million recently deleted videos, a whopping 6.6 million were identified through AI, while human workers and user feedback did the rest. Many videos hadn’t even become publicly viewable yet. But while the video portal is celebrating, the devil is in the detail.

Lately, problem cases have been piling up since the technology doesn’t always act as intended. War crime documentaries that serve to foster education were erroneously deleted and so were historical movies. The algorithms detected the depiction of inhuman practices but failed to grasp the intention behind the movies. Such are the limits of AI to this day: it can spot questionable content but it can’t decipher the rationale behind it (yet). The same applies to nudity: nude paintings, as common in the fine arts, also met with disapproval from the virtual jury and were likewise deleted. After all, how can algorithms tell the difference between artful nudity and obscene home videos? It seems the system can’t do without common (human) sense just yet.

Which of the countless online videos contain illegal content?

Satire is also beyond a machine’s understanding and comprehension. While many of us can laugh at Monty Python’s Nazi jokes, computers are totally devoid of any sense of humour. The closer the jokes stick to the “original”, the quicker they’ll face auto-delete. That’s why many users see signs of a digital inquisition on the horizon. Though they welcome YouTube’s struggle to no longer be a cesspool of extremist, hateful or confused minds, they criticize the shotgun approach exhibited by the AI. Today, investigative journalists, researchers or organizations that document war and other crimes are facing permanent suspension of their channels. Even G-rated garden party videos are deleted because the AI misinterprets bare skin. By contrast, videos uploaded by pedophiles stay up because these people know how to exploit the AI’s weaknesses through subtlety. No algorithm can decipher the many possible shades of a topic (yet). Google had penalised my site with no AdSense adverts because I document crimes here www.crimefiles.net

It seems human workers will remain indispensable for some time to come to evaluate said shades, and YouTube will have to comply with some form of binding standard to stay relevant. They will also have to be more open and transparent: presently, users receive no explanation as to why their videos were blocked. YouTube has vowed to respond faster to questions and to provide insights into the implementation of their guidelines. That should be a given, but in the case of YouTube it actually means progress. They’ve also recruited added staff, if only in dribs and drabs. Apparently, YouTube themselves don’t trust their AI too much, and that’s at least comforting.

What we should perhaps ask ourselves: do we believe artificial intelligence should be adopted here, or is common (human) sense still necessary?


Henry Sapiecha

Government’s plan to spy on all Australians exposed in leaked letters

It may shortly be far easier for government spies to access your private data. Photo source: Pixabay

We’re constantly being advised to protect our data and information online, but it turns out there may be even a greater threat & cause for concern.

An exclusive report by The Sunday Telegraph reveals our online data may not even be safe from the Australian Government. Australian citizens may soon be subjected to secret digital monitoring by the top cyber spy agency in the country, with no warrant required for accessing all your info whenever they feel like it.

This means everything from text messages to emails and even bank statements could be accessed in secret under the radical new proposed plan. The Sunday Telegraph viewed the secret letters between the heads of Department of Home Affairs and Defence. The letters detail possible new powers for the Australian Signals Directorate (ASD).

As the current rules stand, intelligence is not to be produced on Australian citizens. Having said that, the Australian Federal Police and domestic spy agency ASIO can investigate people with a warrant and also seek help from the ASD if needed in what are deemed to be extreme cases.

If the proposal is passed, it would be up to Defence Minister Marise Payne and Home Affairs Minister Peter Dutton to allow spying to occur. Furthermore, they could approve cases without Australia’s top law officers being aware of it.

The Sunday Telegraph believes Dutton hasn’t yet presented Payne with any formal proposals for changes to the legislation. If passed, though, spies would be given permission to secretly access information relating to an Australian citizen’s financial data, health information and phone records. A change in law would also mean it’s illegal for government agencies and private businesses to hold back any information that could hinder the security measures.

The Sunday Telegraph believes the reason for the data crackdown would be to stop terrorism, child exploitation and other serious crimes being conducted both here in Australia and overseas.

Several times in recent months online data and its safety has made headlines. Earlier this year, Facebook came under fire for breaching privacy data rules. As it stands, anything you share or access online remains there, even if you delete it.

This means any photos, emails, website history, online comments and videos you upload or view are stored away somewhere in cyberspace. Worryingly, any information shared on a social media platform such as Facebook will remain with the company, even if your profile is deleted.

What are your thoughts? Have you concerns that your private information could be secretly accessed by spies and the government? Do you think it’s really to protect Australians, or just another feeble excuse for the government to gain more information about us? Big brother is going too far this time one would think. Write to your MP.

Henry Sapiecha

Iranian and Chinese hackers target Australian universities and NGOs

Cyber activity in China is increasing significantly despite cyber non-aggression treaties, and Iran is on the cyber hunt for intellectual property.

Australian universities have been targeted by hackers with connections to Iran in recent months, and “a number of investigations” are in progress, according to cybersecurity firm CrowdStrike.

“There are a lot of things that are happening geopolitically that are driving a lot of attacks,” the company’s vice president for technology strategy Michael Sentonas told journalists in Sydney earlier this month. “There are things happening in China, in Russia, in Iran, there are things happening in North Korea, that [are] directly having an impact to all of us on the internet.”

CrowdStrike has called out this blurring of cyber tradecraft with what they’re calling “cyber statecraft” in their 2018 Global Threat Report, released on Monday.

“Obviously Iran has a specific interest in Saudi Arabia. There’s a number of diplomatic disputes. Iran, heavily embargoed, want access to a lot of intellectual property they may not necessarily be able to get. There are groups that are linked [to Iran] and are seeking for a lot of that intel,” Sentonas stated.

“There’s been quite a number of universities in Australia, over the last several months, that have been targeted, with adversaries looking to get intellectual property that would be of benefit to certain groups and government departments in Iran. We’ve been directly impacted by that, and there’s a number of investigations going on across the country.”

CrowdStrike has also seen an increase in cyber activity originating from China, even though Australia and some other western nations had signed what were supposedly cyber non-aggression treaties with China in 2015 and 2016.

“In 2017, we saw a lot of action again, activity targeted at what I would call a soft target. An NGO. A think tank,” Sentonas said.

“They’re great people to target, because you have people that were once in government. You have academics. You have people researching economic policy. They’re working on defence projects. They are in technology and medical advancement. That would be interesting to a particular group or country that maybe doesn’t want to do that research. Or if you’re a think tank that is working on, for example, Chinese economic policy, what if you want to know what that think tank is researching?”

The Russian cyber actor Fancy Bear, which was active in the lead-up to the US election in 2016, has also been busy.

“That group is continuing to be very, very active, and they are looking at essentially destabilising our democratic institutional legitimacy. They are trying to do misdirection etc,” Sentonas said.

The rise of such cyber disinformation was predicted by David Irvine, former director-general of the Australian Security Intelligence Organisation (ASIO) and former head of the Australian Secret Intelligence Service (ASIS), in the latter half of 2016.

CrowdStrike reports that ransomware will continue to be a major trend for nation-state and criminal actors. They also point to a cyber trickle-down effect.

“These techniques are recycled. Once they’ve been used once, they do get used again, and they get shared, and it adds complexity to the average organisations around the world,” Sentonas said.

Flinders University Australia


Henry Sapiecha

The online certificate security issue & the parties involved

Google is angry. Each time Google is enraged, Chrome, the market leader among browsers, is readied for war. This time, it’s about certificates, a cornerstone of the Internet and data security. With the upcoming versions 66 (scheduled for April) and 70 (October), Google seeks to make the web more secure – and tries to settle a few scores in the process.

Read on to learn why many sites will soon be flagged as “insecure” and disappear from the top search results!

Google is trying to make the web a safer place, perhaps out of self-interest to some degree (i.e. product maintenance) but also because there’s a real need for tighter security. Since the Internet is international and decentralized, there is no single regulatory body. That’s why, every now and then, companies team up with states to effect change, or IT giants (in this case: Google) use their dominance to shove things through on their own initiative. First, sites without HTTPS encryption will come under fire. HTTPS encryption is essential to exchange data securely.

Without encryption, anything sent through the Internet is readable as plain text by anyone with network access – a perfect opportunity for man-in-the-middle attacks. HTTPS allows web servers and clients to establish an encrypted connection that is hard to crack while giving users the certainty that the sites they visit are authentic. This is indicated by a padlock symbol next to the URL in the address bar. Clicking the lock reveals additional details about the certificate and its owner.

In the past, HTTPS certificates were like status symbols and only used by large online stores, banks and government institutions, while the rest could only pray and hope for the best. Certificates were expensive and hard to set up, which is why smaller sites either shunned the effort or simply couldn’t afford it. Over the past few years, HTTPS certificates have dropped in price, and campaigns like “Let’s Encrypt” now even give them out for free. Does that mean all is OK?

Not quite, since around a third of sites either can’t or won’t participate. Some web hosts only accept expensive certificates issued by commercial providers – maybe because they don’t want to fall out of favor with them. In other cases, site providers simply have no motivation to use HTTPS, and I can understand that as long as those sites are run by private individuals. Anyway, Google has now begun to tighten the reins. Sites that do not use HTTPS will soon be marked “Not secure” in Chrome, which may scare off a few users. Firefox will join in the effort starting with version 60, and other browser developers will likely follow suit. And as if that wasn’t enough, affected sites will also be downranked in Google’s search results, and we all know that no-one ever looks past page 1 of those results!

In this light, the clash between Google and Symantec feels almost personal. It can be objectively said that Symantec has engaged in some shady practices when issuing certificates in the past. Back in 2015 when three certificates were made out in Google’s name (without their knowledge), Symantec already received a sharp rebuke. In 2017, Google then accused Symantec of having incorrectly issued over 30,000 certificates without proper verification of future holders. Others received certificates for domains they didn’t own. Imagine what criminals could do with a certificate issued in the name of a bank or a big online store!

Again, this trust erosion will carry dire consequences. As of April 17, Chrome will display a warning for certificates created by Symantec before June 2016 and notify users that their connections are insecure and prone to interception. If this happened to an online store, it would be a disaster. In October, these warnings will be further escalated, even though there will be no blocking (yet). It’s reasonable to assume that search rankings will also be adjusted accordingly, resulting in further downranking. So far, many big names including Tesla are directly or indirectly affected.
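What the padlock actually stands for is a set of checks the browser runs on the certificate before trusting it, and the staged Symantec distrust described above is one more such check layered on top. The Python below is an added illustration, not Chrome’s code: certificates are plain dicts standing in for parsed X.509 fields (constructed sample data), the hostname rule follows the usual wildcard convention, and the two-stage policy is modelled as the article states it (version 66 warns on Symantec certificates issued before June 2016, version 70 escalates), with the escalation modelled as covering all certificates from the legacy issuer, which is an assumption about what “escalated” means.

```python
"""What a browser checks before showing the padlock: validity window,
hostname match against the certificate's names, and issuer policy.
Added illustration; certificate dicts are constructed sample data."""
from datetime import date

# Staged distrust as the article describes it (modelled as an assumption):
# Chrome 66 warns on legacy-issuer certificates issued before June 2016,
# Chrome 70 extends the warning to every certificate from that issuer.
LEGACY_ISSUERS = {"Symantec"}
STAGE_ONE_VERSION, STAGE_ONE_CUTOFF = 66, date(2016, 6, 1)
STAGE_TWO_VERSION = 70

# Constructed sample certificates (fields a parser would return).
SAMPLE_CERTS = {
    "fresh": {"issuer_org": "Let's Encrypt", "not_before": date(2018, 3, 1),
              "not_after": date(2018, 5, 30),
              "san": ["example.com", "www.example.com"]},
    "legacy": {"issuer_org": "Symantec", "not_before": date(2015, 9, 10),
               "not_after": date(2018, 9, 10), "san": ["*.shop.example"]},
    "legacy_newer": {"issuer_org": "Symantec", "not_before": date(2016, 8, 1),
                     "not_after": date(2019, 8, 1), "san": ["api.example.net"]},
}


def hostname_matches(hostname, names):
    """Exact match, or a single '*' as the leftmost label covering exactly
    one label: *.shop.example matches store.shop.example but neither
    shop.example nor a.b.shop.example."""
    host_labels = hostname.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def evaluate_certificate(cert, hostname, today, chrome_version):
    """Return (status, reasons) with status 'secure', 'warning' or 'error'.
    Hard failures (expiry, wrong host) win over the issuer-policy warning."""
    reasons = []
    if not cert["not_before"] <= today <= cert["not_after"]:
        reasons.append("outside validity period")
    if not hostname_matches(hostname, cert["san"]):
        reasons.append("hostname not in certificate")
    if reasons:
        return "error", reasons
    if cert["issuer_org"] in LEGACY_ISSUERS:
        if chrome_version >= STAGE_TWO_VERSION:
            reasons.append("issued by a distrusted legacy CA")
        elif (chrome_version >= STAGE_ONE_VERSION
              and cert["not_before"] < STAGE_ONE_CUTOFF):
            reasons.append("legacy CA certificate issued before June 2016")
    return ("warning", reasons) if reasons else ("secure", [])
```

Run against the samples, the same Symantec certificate is accepted in Chrome 65, warned about in Chrome 66 because of its 2015 issue date, and warned about in Chrome 70 regardless of date; a site operator can use the same logic to find which of its own certificates will trip each stage.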

As always on the Internet, reactions are mixed. One side praises Google for their security work and accuses Symantec of bringing the “holy grail” of online certificates into disrepute (Whom can you trust once HTTPS is no longer secure?) while others see Google crossing the line. They argue that Google is trying to distract from their own problems like various data security issues in their products. And anyway, who made Google a law unto itself? Yes, they have considerable grunt in the market place but does this give them the right to put millions of web sites at a disadvantage and to harm a company like Symantec with over 11,000 employees? Does the end justify the means in this case?


Henry Sapiecha

How to become a great spy agency in the 21st century: Incubate startups..!!

What results when a top secret intelligence agency turns to entrepreneurs to assist in building new tools to protect a nation from cyberattacks? This is it.

Intelligence agencies are great at finding out and keeping secrets, and at working patiently in the shadows. Startups are good at promoting themselves, moving fast, and breaking things—in an effort to build the next big technology. It’s hard to think of two mindsets that are further apart.

However, in a world of constantly evolving cybersecurity threats, Britain’s GCHQ spy agency decided to open a startup accelerator to bridge the gap between the two: to see whether, if it was a little more open, it could help the private sector build tools to prevent cyberattacks in the future.

Britain’s Government Communications Headquarters (GCHQ) has a century-long history of helping to protect the country from threats, both international and domestic.

Although it wouldn’t be known as GCHQ for decades to come, its work began during World War I when a number of intercept stations were established to seize and decrypt messages sent by Germany and its allies. Its most famous incident came in early 1917 when analysts were able to intercept and decrypt a telegram sent by the German foreign minister Count Zimmermann, which revealed that Germany planned to reward Mexico with US territory if it joined the war. The release of the message was one of the factors which brought the United States’ firepower into the war.

During World War II, the organisation, then called the Government Code and Cypher School (GC&CS), was located at Bletchley Park where it tirelessly undertook to decrypt Hitler’s “unbreakable” ciphers—work credited with shortening the war significantly.


Following the war and having outgrown its previous site, GC&CS was renamed GCHQ. Its headquarters were moved just outside of Cheltenham, Gloucestershire, in the west of England, where it remains today.

It now has 6,000 staff and an annual budget of £2.6bn, while still being tasked to keep Britain safe from a variety of threats including terrorism, serious crime, espionage, and cyberattacks, as well as providing support to law enforcement and the military when required.

But its work is not without controversy. In 2013, whistleblower Edward Snowden lifted the lid on PRISM, an expansive online surveillance programme by GCHQ, along with the US National Security Agency. The programme collected data on all online and telephone communications made inside the UK.

But while the agency is best known for snooping, it also has a secondary role in providing security advice.

“We’re a security organisation. If you drive past us you see a lot of razor wire and that can sometimes create an internal, introverted culture,” said Chris Ensor, deputy director of cyber skills and growth at the National Cyber Security Centre (also known as NCSC, the cybersecurity arm of GCHQ).

“For the last 100 years, GCHQ has had an intelligence mission and a security mission. It’s the intelligence which is portrayed in the news or in films like James Bond and we’re always the spy centre. But actually we’ve had a security mission for a long, long time,” said Ensor.

Threats to national security evolve over time and today cyberattacks are considered to be among the biggest risks to the country—alongside terrorism, espionage, and weapons of mass destruction.

That means GCHQ’s security mission has extended to protecting the UK from cyberattacks and hackers, particularly those targeting critical national infrastructure. Indeed, the NCSC was set up to tackle cyberthreats, replacing three separate cybersecurity organisations: the Centre for Cyber Assessment, Computer Emergency Response Team UK, and GCHQ’s information security arm.

Hackers steal around $400M from Cryptocurrency System ICOs

ICOs are risky, possibly quite lucrative, and also a top target for threat actors looking to cash in.


Cyberattackers have managed to line their pockets with almost $400 million in cryptocurrency by targeting ICOs, a new report states.

According to a new research report (.PDF) by Ernst & Young, over 10 percent of all funds changing hands during these events have been lost or stolen.

This equates to roughly $400 million in cryptocurrency from $3.7 billion in funding between 2015 and 2017.

Initial Coin Offerings (ICOs), or token sale events, have garnered the interest of investors in recent years. The events are an opportunity to fund cryptocurrency or Blockchain-related projects and companies and can prove lucrative in the long term.

ICOs have been popular enough to outstrip venture capital investments in Blockchain projects in recent years, despite the potential risks.

These events may be of interest to investors, but they are also a red flag for threat actors looking to cash in fraudulently.

Ethereum marketplace Enigma was gearing up for its ICO when a phishing campaign scammed $500,000 out of investors, while ICOs launched by CoinDash, Veritaserum, and EtherParty were all compromised by attackers a year ago.

These are only the most high-profile names to be targeted through ICOs, however, as the report found a total of 372 ICOs have been attacked in the last two years.

Hackers have been able to steal an average of $1.5 million per month through ICOs, and the report suggests that attackers “are attracted by the rush, absence of a centralized authority, blockchain transaction irreversibility and information chaos” of such events.

“Project founders focus on attracting investors and security is often not prioritized,” the report says. “Hackers successfully take advantage — the more hyped and large-scale the ICO, the more attractive it is for attacks.”

The most common attacks are the substitution of wallet addresses at the time of the event — as we saw with CoinDash — the unauthorized access of private keys and the theft of funds from both wallets and exchanges.

The most common attack vector is phishing, followed by Distributed Denial-of-Service (DDoS) attacks, direct website compromise, attacks on employees, and exchange hacking.

Calls have been made for more regulation and tighter security surrounding ICOs, with regulators worldwide now thrashing out methods to legislate these events and protect investor funds.

“As ICOs continue to gain popularity and leading players emerge globally, there is a risk of having the market swamped with quantity over quality of investments,” said Paul Brody, EY Global Innovation Blockchain Leader. “These high-risk investments and the complexity of ICOs need to be managed to ensure their credibility as a means of raising capital for companies, entrepreneurs and investors alike.”

Read also: Venezuela asks other countries to adopt oil-backed cryptocurrency

On Monday, US Securities and Exchange Commission (SEC) regulator Jay Clayton warned businesses not to jump on the Blockchain bandwagon or offer ICOs without the expertise and regulatory support & backing.

The US agency has added to its watch lists ICOs and companies which have changed their name to something Blockchain- or cryptocurrency-related without cause, in the face of market disruption and surging share prices due to the trend.


Henry Sapiecha

Australia takes over Solomon Islands undersea fibre-optic internet cable amid spies’ concerns about China

Australia’s spy agencies were so concerned about the security and strategic risks posed by a plan for Chinese firm Huawei to build an internet cable linking the Solomon Islands to Sydney that the Turnbull government will now largely pay for the project itself.

The Department of Foreign Affairs has confirmed it has taken responsibility for the undersea fibreoptic cable, including paying for the bulk of the project – which will cost tens of millions of dollars – through the overseas aid program.

The cable will provide fast and reliable internet to the small Pacific island nation, which now relies on satellites.

The step is highly significant as it shows the lengths to which the Turnbull government was willing to go to ensure the cable project could go ahead without Huawei’s involvement.

The Solomon Islands under former prime minister Manasseh Sogavare signed up Huawei Marine to lay the cable connecting to Sydney. But Australia made it clear to Honiara that it had security concerns about the Chinese telco plugging into Australia’s internet backbone, with Nick Warner, the head of spy agency ASIS, personally warning Mr Sogavare last June.

Huawei has previously been banned on the advice of Australian security agency ASIO from being involved in the National Broadband Network.

Mr Sogavare was replaced as prime minister in November by Rick Hou, a former senior World Bank adviser who is well respected in Australia. Mr Hou had been highly critical of the circumstances in which Huawei Marine was awarded the contract under his predecessor.

A spokeswoman for the Department of Foreign Affairs told Fairfax Media the government has entered into a contract with the Australian telecommunications firm Vocus to commence the initial work.

“They will undertake a scoping study and identify potential solutions to bring high-speed telecommunications to the Solomon Islands,” she said.

“The bulk of the funding for this project will come from Australia’s Official Development Assistance program.”

She said the Solomons project would be consolidated with a project to lay a new cable connecting Papua New Guinea with Australia, creating “significant efficiencies on cost”. The cost of the Solomons project alone has previously been estimated at $86 million.

According to the federal government’s AusTender website, Vocus is being paid $2.8 million for the scoping study for both the Solomon Islands and PNG. The department spokeswoman said that this study would more accurately define the final cost.

Fairfax Media understands Australia was concerned about the security implications of Huawei being involved in connecting to Australia’s critical infrastructure, but also more broadly about a Chinese firm – even a private sector one – extending Chinese influence into the Pacific through the cable project.

The Solomons originally identified a British-American company to do the work and had secured backing from the Asian Development Bank. But the previous government abruptly switched to Huawei, prompting the ADB to pull out, saying that the “Huawei contract was developed outside of ADB procurement processes”.

A Huawei spokesman said: “We’ve been advised by the Solomon Islands Submarine Cable Company that Chinese development has been contracted to undertake a scoping study but that’s all they have said to us.”

Jonathan Pryke, a Pacific islands expert at the Lowy Institute, applauded Australia’s move, saying that it made strategic and security sense while also providing much-needed development.

“There’s clearly a strategic objective to this project. It’s to make sure there’s no opportunity for third players like China or a Chinese company like Huawei to swoop in and provide a cable to PNG or the Solomons that could affect strategic interests and compromise Australia’s security.”

He said Chinese development would be welcome in the Pacific if it were more transparent and added there had been concerns in the Solomon Islands about the opaqueness of the Sogavare government’s deal with Huawei Marine.

The cable company’s CEO, Keir Preedy, was not available for comment. Mr Hou’s office did not respond to email requests for comment.

Notifiable Data Breaches initiative: Preparing to disclose a data breach in Australia

Australia’s Notifiable Data Breaches scheme will come into force next month. Here is what it means and how it will affect organisations, and individuals, in Australia.

WHAT IS THE NOTIFIABLE DATA BREACHES SCHEME?

Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

In practice, all agencies and organisations in Australia that are covered by the Privacy Act must notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.

Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.

In addition to notifying affected individuals, organisations must under the scheme provide advice on how those affected should respond, including what to do now that their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.

“The NDB scheme formalises an existing community expectation for transparency when a data breach occurs,” Pilgrim told ZDNet. “Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm.”

Intelligence agencies, registered political parties, and most small businesses and not-for-profit organisations with annual turnover below AU$3 million are exempt from the NDB scheme. Credit reporting bodies and health service providers, by contrast, are covered regardless of turnover.

WHAT CONSTITUTES A DATA BREACH?

In general terms, an eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals to whom the information relates.

Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.

The NDB scheme uses the phrase “eligible data breaches” to make clear that not every breach must be reported. One exception applies where another Commonwealth law prohibits or regulates the use or disclosure of the information, so that notification would be inconsistent with that law.

An enforcement body — such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission — does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.

Although the AFP is not required to disclose a breach in every case, a spokesperson told ZDNet that the AFP would comply with its notification obligations in all circumstances where no relevant exemption under the Act applies.

The Australian Information Commissioner can also declare that a particular breach need not be notified, in which case the organisation may not have to disclose it any further.

In addition, data breaches that are notified under section 75 of the My Health Records Act 2012 do not need to be notified again under the NDB scheme; they follow their own binding process, which also sits under the OAIC’s umbrella.

DETERMINING SERIOUS HARM

The NDB scheme sets an objective benchmark: a “reasonable person” must conclude that the access or disclosure is “likely to result in serious harm”. Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing a breach an organisation should interpret “likely” to mean more probable than not, as opposed to merely possible.

“Serious harm” is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Information that can cause serious harm includes an individual’s health information; documents commonly used for identity fraud, such as Medicare card, driver’s licence and passport details; financial information; and combinations of personal information that, taken together, reveal more about an individual than any single item would.

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.

THE NOTIFICATION PROCESS

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a “reasonable and expeditious assessment” based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.

If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.

Organisations disclosing a breach must complete the OAIC’s Notifiable Data Breach statement form.

The notification to affected individuals and the commissioner must include the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the breach.

The assessment of a suspected breach must be completed within 30 days of the entity becoming aware of grounds to suspect it; 30 days is the absolute maximum, not a target. Once the entity has reasonable grounds to believe an eligible data breach has occurred, it must notify the commissioner and the individuals at risk as soon as practicable, rather than waiting for the 30-day period to run out.

The NDB scheme does, however, reward entities that act quickly: if remedial action is taken before any serious harm occurs, such that a reasonable person would conclude the breach is no longer likely to result in serious harm, it is not an eligible data breach and neither the commissioner nor the individuals whose data was exposed need be notified.

FAILING TO DISCLOSE A BREACH

Failure to comply with the NDB scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences.

Gilbert + Tobin’s Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.

If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.

“Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation’s bottom line of consumer trust in an organisation’s data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches,” Fai added.

“The effects of the data breach on Equifax last year and its response are a case in point.”

THE ROLE OF THE INFORMATION COMMISSIONER AND THE OAIC

The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.

HOW DID THE NDB COME ABOUT?

The federal government finally passed the data breach notification laws at its third attempt in February 2017.

A data breach notification scheme was recommended by the Parliamentary Joint Committee on Intelligence and Security in February 2015, prior to Australia’s mandatory data-retention laws being implemented.

HOW TO GET READY

According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.

Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.

“This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people — such as from IT, legal, cybersecurity, public relations, management, and HR — together to respond effectively,” Fai told ZDNet.

Continuously auditing and strengthening security strategies, controls, and tooling also reduces the likelihood of a breach occurring in the first place.

“It is also important that an organisation’s personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next,” Fai explained, adding this also extends to suppliers and other third-parties that process personal information on their behalf.

DOES YOUR BUSINESS HAVE A EUROPEAN CONNECTION?

From 25 May this year, the General Data Protection Regulation (GDPR) applies, requiring organisations around the world that hold personal data of individuals in the European Union (EU) to provide a high level of protection and to know exactly what personal data they hold and where it is stored.

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The GDPR and the Australian Privacy Act share many common requirements, but there are several differences, one crucial one being the time allowed to disclose a breach.

Under the NDB scheme, organisations have up to 30 days to assess a suspected breach and must then notify as soon as practicable; under the GDPR, organisations have 72 hours after becoming aware of a breach to notify the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

“In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes — although the two regimes contain different requirements, they are not mutually exclusive,” Fai added. “However, when it comes to data breaches, the high watermark of compliance is complying with the European regime.”

HOW TO PREVENT A DATA BREACH

Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.

“When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn’t possible,” Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.

“The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist.”

Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.

“Most organisations don’t have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event,” he explained.

“Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message.”

Savvides said it is clear that users value transparency and clear speech rather than ambiguous legalese responses some organisations have produced.

“The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed,” Pilgrim added. “By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place.”

The Many Tactics Used By The Secret Service (2 videos)

[Two embedded videos, not reproduced here, showing the US Secret Service at work in the USA: presidents, weapons, counterfeiting and more, and the Secret Service’s protection tactics.]