Monthly Archives: July 2018

Some major Australian websites that aren’t secure

RENOWNED cyber security expert Troy Hunt has shamed some of Australia’s most visited websites for not being secure.

Among those that don’t encrypt the data that travels between users and the website are Australia’s Bureau of Meteorology website, AFL.com.au, Whirlpool.com.au and the ABC website.

These websites are among a minority that do not use HTTPS – the secure version of the web’s underlying data transfer protocol. The ‘S’ part of the acronym is the important bit.

It stands for Hyper Text Transfer Protocol Secure and is the protocol over which data is sent between your browser and the website that you are connected to.

The ‘S’ on the end means that communication between your browser and the website is encrypted before it travels online.

Web browsers such as Internet Explorer, Firefox and Chrome display a padlock icon in the address bar in front of the web address to indicate that an HTTPS connection is in effect.

By contrast, websites like the ABC and the BOM site rely on HTTP, which doesn’t scramble the data passing between you and the site.

The information in the address bar warns users the website is not secure.
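As an added example (not from the article), the check a site owner would run against the Chrome 68 rule the article describes: given the response a server returns to a plain http:// request, and optionally its https:// response, decide whether it still delivers content over HTTP, redirects to HTTPS, and pins future visits with HSTS. Hostnames and response texts are constructed samples.

```python
"""Added example, not from the article: given the response a site returns to a
plain http:// request (and, optionally, to the https:// one), decide how it
fares under Chrome 68's rule that any page delivered over HTTP is "not secure".
All response texts below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

@dataclass
class Verdict:
    redirects_to_https: bool
    hsts_max_age: Optional[int]   # None when Strict-Transport-Security is absent
    label: str

def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def hsts_max_age(value: str) -> Optional[int]:
    """Pull max-age out of e.g. 'max-age=31536000; includeSubDomains'."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

def classify(http_response: str, https_response: Optional[str] = None) -> Verdict:
    status, headers = parse_head(http_response)
    target = urlparse(headers.get("location", ""))
    # A redirect only helps if it actually lands on https://, not on another http:// URL
    redirects = status in (301, 302, 307, 308) and target.scheme == "https"
    max_age = None
    if redirects and https_response is not None:
        _, secure_headers = parse_head(https_response)   # HSTS only counts over HTTPS
        if "strict-transport-security" in secure_headers:
            max_age = hsts_max_age(secure_headers["strict-transport-security"])
    if not redirects:
        label = "not secure: content served over plain HTTP"
    elif max_age is None:
        label = "redirects to HTTPS, but without HSTS the first request is still plaintext"
    else:
        label = "redirects to HTTPS and pins future visits with HSTS"
    return Verdict(redirects, max_age, label)

# Constructed sample responses (hostnames are placeholders)
PLAIN_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>weather</html>"
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.test/\r\n\r\n"
SECURE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
```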

WHY ARE THESE WARNINGS COMING NOW?

Nothing about the way these websites work has changed but from today Google’s new Chrome web browser is listing all unencrypted sites as explicitly “not secure” in front of the web address. The change is part of the tech giant’s release of Chrome 68.

Google first began warning people about sites that use HTTP in early 2017 by displaying the “not secure” warning for sites that collected passwords and credit card information. The company has also subtly favoured HTTPS-enabled sites in its search results since 2014.

Despite the push for greater encryption on the web, Mr Hunt and his colleague wanted to compile a list of major websites that still didn’t use HTTPS.

“After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic?” he wrote in his latest blog post.

The most visited Australian sites that remain unsecured as identified by Troy Hunt.

Many other, less visited sites, including the Government’s Australian Bureau of Statistics website also rely on HTTP.

About 20 per cent of the world’s 500 most popular websites are still using the non-secure protocol.

If you’re not entering any password or sharing personal data on these websites, then you don’t really need to worry too much as the risk that your security could be compromised is fairly minuscule.

But because the data carried between your device and the web server can be accessed by someone else on the network, theoretically cyber-criminals can work to intercept that information and devise ways to steal useful data or insert their own code or malicious adverts.

www.scamsfakes.com

Henry Sapiecha

How Mr Google has kept 85K of its employees from getting phished since 2017

Physical security keys in place of passwords have proven effective for Google and other large sites.

Google has successfully kept more than 85,000 employees from getting phished on their work-related accounts since way back to 2017. According to reporting from KrebsOnSecurity, physical security keys are to thank for these successes.

Security keys are physical USB-based devices that can be used as an alternative to the standard two-factor authentication (2FA) process.


A 2FA process is meant to ensure that if a thief steals a user’s password, they aren’t able to access the user’s account because they don’t have an additional factor (e.g., the user’s mobile device) needed to complete the login process.

The security key process proves more secure. According to the report, security keys work with a multi-factor authentication standard known as Universal 2nd Factor (U2F). The key lets the user log in by inserting the USB device and pressing a button on it, which means that without the physical key a malicious actor cannot log in as the employee. This doesn’t mean Google employees have never clicked a malicious link in an email, for example, only that the phishing attempt didn’t successfully exfiltrate any company data.
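An added example, not code from the article, Google or any U2F vendor, modelling why a key plugged into a look-alike login page does not hand the attacker a usable login: the browser refuses an appId that differs from the page origin, the key refuses a key handle registered for a different appId, and the real site rejects a response whose clientData names another origin. It assumes HMAC-SHA256 as a stand-in for the key’s ECDSA signature (so the site holds a per-site secret instead of a public key); the hostnames are placeholders.

```python
"""Added example, not the article's or Google's code: a model of why a U2F key
defeats phishing. Assumption: HMAC-SHA256 stands in for the key's ECDSA
signature, so the site keeps a per-site secret instead of a public key."""
import hashlib, hmac, json, os

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def make_client_data(challenge: str, origin: str) -> bytes:
    """What gets signed: the challenge plus the origin the browser is showing."""
    return json.dumps({"challenge": challenge, "origin": origin}).encode()

class SecurityKey:
    """USB token: a key handle only works for the appId it was registered on."""
    def __init__(self):
        self._master = os.urandom(32)
    def _secret(self, app_id: str, nonce: bytes) -> bytes:
        return hmac.new(self._master, app_id.encode() + nonce, "sha256").digest()
    def register(self, app_id: str):
        nonce = os.urandom(16)
        secret = self._secret(app_id, nonce)
        tag = hmac.new(secret, b"handle", "sha256").digest()[:16]
        return nonce + tag, secret                 # (key handle, credential)
    def sign(self, app_id: str, handle: bytes, client_data_hash: bytes) -> bytes:
        secret = self._secret(app_id, handle[:16])
        if not hmac.compare_digest(handle[16:], hmac.new(secret, b"handle", "sha256").digest()[:16]):
            raise PermissionError("key: handle not registered for this appId")
        return hmac.new(secret, sha256(app_id.encode()) + client_data_hash, "sha256").digest()

def browser_authenticate(key: SecurityKey, page_origin: str, app_id: str, handle: bytes, challenge: str):
    """Browser side: appId must equal the page origin, which is then written into clientData."""
    if app_id != page_origin:
        raise PermissionError("browser: appId does not match page origin")
    client_data = make_client_data(challenge, page_origin)
    return client_data, key.sign(app_id, handle, sha256(client_data))

class RelyingParty:
    """The site: checks the origin inside clientData before the signature."""
    def __init__(self, origin: str):
        self.origin, self.creds = origin, {}
    def register(self, user: str, key: SecurityKey) -> bytes:
        self.creds[user] = key.register(self.origin)
        return self.creds[user][0]
    def verify(self, user: str, challenge: str, client_data: bytes, sig: bytes) -> bool:
        _, secret = self.creds[user]
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] != challenge:
            return False
        expected = hmac.new(secret, sha256(self.origin.encode()) + sha256(client_data), "sha256").digest()
        return hmac.compare_digest(sig, expected)

def attempt_login(page_origin: str, app_id: str) -> str:
    """Alice registered on the real site and now types on page_origin."""
    key, rp = SecurityKey(), RelyingParty("https://accounts.example.test")
    handle, challenge = rp.register("alice", key), os.urandom(16).hex()
    try:
        client_data, sig = browser_authenticate(key, page_origin, app_id, handle, challenge)
    except PermissionError as e:
        return f"blocked ({e})"
    return "login ok" if rp.verify("alice", challenge, client_data, sig) else "rejected by site"
```

The three `attempt_login` cases (real page, look-alike page borrowing the real appId, look-alike page using its own appId) show each layer refusing in turn; a real deployment also checks the key’s signature counter, which this model omits.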

In addition to Google, many other high-profile sites including Facebook, GitHub, and Dropbox are supporting similar U2F processes, according to the report. U2F is currently supported by Google Chrome, Mozilla Firefox, and Opera. However, the report noted that U2F is not enabled by default in Firefox.


Software giants Microsoft and Apple have yet to roll out U2F support in their browsers, but Microsoft said its upcoming Edge browser will support U2F later this year, according to the KrebsOnSecurity report. Apple hasn’t announced any plans yet on whether its standard Safari browser will support U2F.

Until a U2F system is commonplace and supported by all sites, users can protect themselves from phishing attacks by following these 10 tips from TechRepublic’s Brien Posey.

The big takeaways for tech leaders:

  • Google successfully protected its 85,000 employees from getting phished on their work accounts by utilizing physical security keys as part of a 2FA strategy.
  • U2F processes could become commonplace within the next few years, as large companies are beginning to adopt the security measures U2F offers.

www.scamsfakes.com

Henry Sapiecha

Australian ‘My Health Record’ systems collapse under more opt-outs than expected

When a country’s citizens rush to opt out of an Australian government service, it says something about their level of trust in the offering. When the system falls over under heavy load, it proves them right.

Australians attempting to opt out of the government’s new centralised health records system online have been met with an unreliable website. Those phoning in have faced horrendous wait times, sometimes more than two hours, often to find that call centre systems were down as well, and staff unable to help.

The Australian Digital Health Agency (ADHA), which runs the My Health Record system, is reportedly telling callers that they weren’t expecting the volume of opt-outs.

“On hold with @MyHealthRec for well over 1.5 HOURS to opt out without providing my driver’s licence/passport number. Turns out their entire backend system has crashed and they are telling support staff to just punch people’s details into the website files. Confidence inspiring!” tweeted one caller.

“The person I’m speaking to is stressed as f***. It’s their first day. I feel bad for her but she also has no idea what’s going on and puts me on hold every time I ask something that’s not on the script.”

The problems started early on Monday, the first day of the three-month opt-out period before digital health records are created automatically.

“Call operator Laura answers. Pleasantly & politely tells me she can help. Uses my Medicare number to locate my record. But can’t alter my record as system down. She apologizes, guesses this is why I’m having trouble online and suggests I try again later,” tweeted Dr Leslie Cannold at 7.29am.

Cannold, a research ethicist and health regulator, said she’d like to see government prove the value of My Health Record, as well as their capacity to keep it secure, before she opts in to have one. The system should also be designed to allow users to withdraw their record at any time. Currently, opting out merely marks your data as “unavailable”, while actually keeping it on the system until 30 years after your death.


Those opting out have cited a wide range of privacy and security concerns — something this writer thinks is completely understandable. The ADHA’s Dr Steve Hambleton has downplayed the risks.

“I can absolutely categorically state that none of the apps and none of the use of the My Health Record data will be able to be sold to third parties — that’s absolutely prohibited,” he said.

And yet earlier this month, the My Health Record partner app HealthEngine was caught doing exactly that.

We know full well that prohibiting something doesn’t mean it won’t happen.

Some of those opting out were concerned that the ADHA website used Google’s reCAPTCHA, which works by sending data offshore for analysis, potentially including personal data.

“The Privacy Policy linked from the opt-out page says ‘We will not disclose or store overseas any personal information you give us’, but that’s not how reCAPTCHA works,” wrote consultant Justin Warren.

“reCAPTCHA watches what you do on the page via injected JavaScript controlled by Google, which sends info to ‘an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user’s entire engagement with the CAPTCHA — before, during, and after’ …

“Personally I think the devs just wanted to use modern web tools to prevent bots from spamming the page, and it didn’t occur to them to think about the privacy concerns because they never do on other, less sensitive, websites. Which is just the kind of careful handling of sensitive data you want from a centralised national database of the entire population’s health information.”

Others were concerned that their health records could be disclosed in court under section 69 of the My Health Records Act 2012, or to law enforcement agencies without a warrant under section 70.

Law enforcement access can be provided if the ADHA “reasonably believes that the use or disclosure is reasonably necessary” for “the prevention, detection, investigation, prosecution, or punishment of criminal offences” or “the protection of the public revenue”, among other reasons. The “enforcement bodies” with access are defined in the Privacy Act 1988, and are much broader than those authorised under the telecommunications data retention legislation.

“[The Australian public service] needs to understand that statutory interpretations aren’t just for days in court, proper governance of your interpretation means stating it openly and legitimating it,” tweeted Darren O’Donovan, senior lecturer in administrative law at La Trobe University.

“The objective criteria are key because ‘reasonable belief’ of ‘reasonable necessity’ is [a] pretty forgiving standard.”

So far, the government has spent more than AU$4 billion on the digital health records system, which started life as the “personally controlled e-health records” (PCEHR) project in the 2010-2011 federal Budget.

Only 1.9 percent opted out of the initial trial involving 1 million people. The ADHA therefore projected that around 500,000 Australians would opt out during the three-month window.

The system was originally planned to be opt-in, but poor adoption rates led to the government flipping it to an opt-out system. Victoria’s then privacy commissioner David Watts called that a fundamental breach of trust.

“I actually designed the regulatory system for e-health in Australia, and I swore black and blue … that we would never be an opt-out system, and always be an opt-in. And of course it’s now an opt-out system in order to drive take-up of e-health, because AU$4 billion had been spent on it and very few people had registered,” Watts told a privacy conference in 2016.

One might think that after a series of Australian government IT disasters, they’d have planned more carefully for an unexpected overload and have a strategy in place for crisis communications.

But as of 16:00 AEST on Monday, the ADHA’s social media accounts were showing nothing but a generic promo, and even that wasn’t posted until lunchtime.

The Australian government still seems to have a real problem with computers. Those opting out of My Health Record would seem wise to be doing so.

Previous Coverage

Cancelled My Health Record data to be kept in limbo

Those choosing to opt-out of the My Health Record service will still have their data visible if they reactivate their account.

Less than 2 percent of My Health Record trial users opted out

Perhaps more worryingly, the use of privacy controls is sitting under the 0.1 percent mark.

My Health Record stands up cybersecurity centre to monitor access

Those who choose to keep their My Health Record will also have a real-time log of who has accessed their information.

My Health Record opt-out period from July 16 to October 15, 2018

The window for Australians to opt out of an electronic health record has been announced by the government.

My Health Record secondary data must stay in Australia and not be used for ‘solely commercial’ reasons

The Australian government’s My Health Record data use guidelines require the data governance board to make case-by-case decisions on how the private data can be used.


Henry Sapiecha


Australians need to think about doing this immediately to protect their health data records

A NEW system of digitised, comprehensive medical records for everyone in this country is set to come into effect shortly but Australians are being warned about potential privacy and security issues.

The Federal Government’s new My Health Record system will create a personal medical history file for every Australian.

People’s medical records will be stored on a national database under the scheme, to be viewed by patients, doctors and other medical staff at any time. That is, unless you opt out – which you can do for a three-month period beginning today.

The scheme has been a long time in the making and medical professionals are quick to point out the potential benefits to patient care they say it will provide. However advocacy groups such as Digital Rights Watch have expressed concerns about the security of the My Health Record initiative, and are urging everyone to opt out.

“No guarantees have been given that individual citizens’ personal information will be kept safe and secure,” Digital Rights Watch chairman Tim Singleton Norton warned.

“Health information is incredibly attractive to scammers and criminal groups.

“There are also concerns of the current or future access being granted to private companies.”

Australian Medical Association (AMA) president Dr Tony Bartone says the system will move the industry from a “prehistoric” way of information sharing and collate data that is already in the hands of the medical industry, albeit not linked or even digitised.

“It will bring data presently located in many different sections of the health system … and attempt to bring it into an online repository in the one spot,” he told news.com.au. “Your health data is already in various portals. What isn’t there yet is this online, connected repository … that will facilitate a communication data storage revolution.”

The system has been styled on similar efforts by other countries and has been many years in the making.

“The journey has been a torturous one,” Dr Bartone said. “This is the end result of many, many years of collaboration and reviewing what has been done in a lot of other parts of the world.”

The data will be available on demand to a raft of professionals who work in healthcare – around 12,800 health organisations and up to 900,000 health workers.

The opt-out period begins today and ends on October 15.

The service does give individuals a level of control over how the information is used. A PIN can be placed on individual patient summaries that are uploaded to a file; however, that protection can be bypassed in emergency situations using an override function.

“Access is predicated by your allowance, or your permission, to view that record,” Dr Bartone said.

“The important thing that has to happen over the next three months is not so much that you opt out but understanding if you don’t opt out, how to manage your profile … you can block, you can hide pieces or entire chapters of your health file.”

For those concerned about misuse, patients can set up alerts to monitor who is accessing the data and see where the information is being used.

Police will also be able to gain access to the information under certain circumstances, including, but not limited to, if there is a reasonable belief it could be helpful in the prevention or detection of a crime or to protect government revenue.

Health insurance companies will not have any access to the My Health Record of patients. “Insurance companies have got Buckley’s to no chance of being able to use the system,” Dr Bartone said.

“They’ve been specifically prohibited and the legislation will not change in that respect. I can’t imagine a situation where our elected officials would allow that to happen.”

Accessing a record without authorisation can result in prison time and up to $126,000 in fines.

But with a significant portion of data breaches in Australia occurring in the healthcare sector (roughly a quarter of those reported) and the Government’s past failures in securing certain confidential health data, many commentators are worried about the potential risk to patients of having their health data accessed.

The Government’s Australian Digital Health Agency, which is responsible for the scheme, has played down the security concerns, touting the fact that patients can control who has access to their file.

But in an interview with Fairfax, the agency’s Dr Steve Hambleton said he couldn’t rule out the possibility of security breaches occurring on the platform – something which cyber security experts have labelled as an inevitability, particularly given the coveted nature of health data among criminals and fraudsters.

Freelance technology journalist Ben Grubb, who often writes about data security, is among those who have decided to opt out.

“My decision to opt out comes after consulting several healthcare professionals, privacy and computer security experts, the Government, and patients who stand to benefit from having a record,” he wrote.

“I concluded that any benefit I would personally get from having a digital record would be negligible compared to the risks of it being accessed by unauthorised parties.”

But despite privacy and security concerns, doctors are saying the new system will improve emergency treatment and help save many lives.

The National Rural Health Alliance said My Health Record would save lives in regional Australia, and urged people not to opt out.

“If you live outside a major city, you have far less access to health services, and are more likely to delay getting much needed medical treatment. That means you’re more likely to end up being hospitalised,” National Rural Health Alliance CEO Mark Diamond said in a statement.

“A My Health Record means that all your important health information is at the fingertips of your doctor, nurse or surgeon.”

The opt-out period begins today, ending on October 15. By the end of the year, every Australian who has not opted out will have a My Health Record created for them.

HOW TO OPT OUT

If you don’t want a digital file containing your health records, you will need to click the ‘Opt out now’ button on the opt-out page of the Government’s My Health Record website.

You will need your Medicare card and driver’s licence to verify your identity, and provide personal details such as your name and date of birth.

Once you have completed the opt-out process, you cannot cancel your request. However, if you decide later that you would like a My Health Record, you can create one at any time.


Henry Sapiecha