Iranian and Chinese hackers target Australian universities and NGOs

Cyber activity in China is increasing big time, despite cyber non-aggression treaties, and Iran is on the cyber search for intellectual property.

Australian universities have been targeted by hackers with connections to Iran in recent months, and “a number of investigations” are in progress, according to cybersecurity firm CrowdStrike.

“There are a lot of things that are happening geopolitically that are driving a lot of attacks,” the company’s vice president for technology strategy Michael Sentonas told journalists in Sydney earlier this month. “There are things happening in China, in Russia, in Iran, there are things happening in North Korea, that [are] directly having an impact to all of us on the internet.”

CrowdStrike has called out this blurring of cyber tradecraft with what they’re calling “cyber statecraft” in their 2018 Global Threat Report, released on Monday.

“Obviously Iran has a specific interest in Saudi Arabia. There’s a number of diplomatic disputes. Iran, heavily embargoed, want access to a lot of intellectual property they may not necessarily be able to get. There are groups that are linked [to Iran] and are seeking for a lot of that intel,” Sentonas stated.

“There’s been quite a number of universities in Australia, over the last several months, that have been targeted, with adversaries looking to get intellectual property that would be of benefit to certain groups and government departments in Iran. We’ve been directly impacted by that, and there’s a number of investigations going on across the country.”

CrowdStrike has also seen an increase in cyber activity originating from the Chinese republic, even though Australia and some other western nations had signed what were supposedly cyber non-aggression treaties with China in 2015 and 2016.

“In 2017, we saw a lot of action again, activity targeted at what I would call a soft target. An NGO. A think tank,” Sentonas said.

“They’re great people to target, because you have people that were once in government. You have academics. You have people researching economic policy. They’re working on defence projects. They are in technology and medical advancement. That would be interesting to a particular group or country that maybe doesn’t want to do that research. Or if you’re a think tank that is working on, for example, Chinese economic policy, what if you want to know what that think tank is researching?”

The Russian cyber actor Fancy Bear, which was active in the lead-up to the US election in 2016, has also been busy.

“That group is continuing to be very, very active, and they are looking at essentially destabilising our democratic institutional legitimacy. They are trying to do misdirection etc,” Sentonas said.

The rise of such cyber disinformation was predicted by David Irvine, former director-general of the Australian Security Intelligence Organisation (ASIO), and former head of the Australian Secret Intelligence Service (ASIS), in the latter half of 2016.

CrowdStrike reports that ransomware will continue to be a major trend for nation-state and criminal actors. They also point to a cyber trickle-down effect.

“These techniques are recycled. Once they’ve been used once, they do get used again, and they get shared, and it adds complexity to the average organisations around the world,” Sentonas said.

Henry Sapiecha

How to become a great spy agency in the 21st century: Incubate startups

What results when a top-secret intelligence agency turns to entrepreneurs to help build new tools to protect a nation from cyberattacks? This is it.

Intelligence agencies are great at finding out and keeping secrets, and at working patiently in the shadows. Startups are good at promoting themselves, moving fast, and breaking things—in an effort to build the next big technology. It’s hard to think of two mindsets that are further apart.

However, in a world of constantly evolving cybersecurity threats, Britain’s GCHQ spy agency decided to open a startup accelerator to bridge the gap between the two: to see whether, if it was a little more open, it could help the private sector build tools to prevent cyberattacks in the future.

Britain’s Government Communications Headquarters (GCHQ) has a century-long history of helping to protect the country from threats, both international and domestic.

Although it wouldn’t be known as GCHQ for decades to come, its work began during World War I when a number of intercept stations were established to seize and decrypt messages sent by Germany and its allies. Its most famous incident came in early 1917 when analysts were able to intercept and decrypt a telegram sent by the German foreign minister Count Zimmermann, which revealed that Germany planned to reward Mexico with US territory if it joined the war. The release of the message was one of the factors which brought the United States’ firepower into the war.

During World War II, the organisation, then called the Government Code and Cypher School (GC&CS), was located at Bletchley Park where it tirelessly undertook to decrypt Hitler’s “unbreakable” ciphers—work credited with shortening the war significantly.

Following the war and having outgrown its previous site, GC&CS was renamed GCHQ. Its headquarters were moved just outside of Cheltenham, Gloucestershire, in the west of England, where it remains today.

It now has 6,000 staff and an annual budget of £2.6bn, while still being tasked to keep Britain safe from a variety of threats including terrorism, serious crime, espionage, and cyberattacks, as well as providing support to law enforcement and the military when required.

But its work is not without controversy. In 2013, whistleblower Edward Snowden lifted the lid on PRISM, an expansive online surveillance programme by GCHQ, along with the US National Security Agency. The programme collected data on all online and telephone communications made inside the UK.

But while the agency is best known for snooping, it also has a secondary role in providing security advice.

“We’re a security organisation. If you drive past us you see a lot of razor wire and that can sometimes create an internal, introverted culture,” said Chris Ensor, deputy director of cyber skills and growth at the National Cyber Security Centre (also known as NCSC, the cybersecurity arm of GCHQ).

“For the last 100 years, GCHQ has had an intelligence mission and a security mission. It’s the intelligence which is portrayed in the news or in films like James Bond and we’re always the spy centre. But actually we’ve had a security mission for a long, long time,” said Ensor.

Threats to national security evolve over time and today cyberattacks are considered to be among the biggest risks to the country—alongside terrorism, espionage, and weapons of mass destruction.

That means GCHQ’s security mission has extended to protecting the UK from cyberattacks and hackers, particularly those targeting critical national infrastructure. Indeed, the NCSC was set up to tackle cyberthreats, replacing three separate cybersecurity organisations: the Centre for Cyber Assessment, Computer Emergency Response Team UK, and GCHQ’s information security arm.

Australia takes over Solomon Islands underwater communications internet fibreoptic cable amid spies’ concerns about China

Australia’s spy agencies were so concerned about the security and strategic risks posed by a plan for Chinese firm Huawei to build an internet cable linking the Solomon Islands to Sydney that the Turnbull government will now largely pay for the project itself.

The Department of Foreign Affairs has confirmed it has taken responsibility for the undersea fibreoptic cable, including paying for the bulk of the project – which will cost tens of millions of dollars – through the overseas aid program.

The cable will provide fast and reliable internet to the small Pacific island nation, which now relies on satellites.

The step is highly significant as it shows the lengths to which the Turnbull government was willing to go to ensure the cable project could go ahead without Huawei’s involvement.

The Solomon Islands under former prime minister Manasseh Sogavare signed up Huawei Marine to lay the cable connecting to Sydney. But Australia made it clear to Honiara that it had security concerns about the Chinese telco plugging into Australia’s internet backbone, with Nick Warner, the head of spy agency ASIS, personally warning Mr Sogavare last June.

Huawei has previously been banned on the advice of Australian security agency ASIO from being involved in the National Broadband Network.

Mr Sogavare was replaced as prime minister in November by Rick Hou, a former senior World Bank adviser who is well respected in Australia. Mr Hou had been highly critical of the circumstances in which Huawei Marine was awarded the contract under his predecessor.

A spokeswoman for the Department of Foreign Affairs told Fairfax Media the government has entered into a contract with the Australian telecommunications firm Vocus to commence the initial work.

“They will undertake a scoping study and identify potential solutions to bring high-speed telecommunications to the Solomon Islands,” she said.

“The bulk of the funding for this project will come from Australia’s Official Development Assistance program.”

She said the Solomons project would be consolidated with a project to lay a new cable connecting Papua New Guinea with Australia, creating “significant efficiencies on cost”. The cost of the Solomons project alone has previously been estimated at $86 million.

According to the federal government’s AusTender website, Vocus is being paid $2.8 million for the scoping study for both the Solomon Islands and PNG. The department spokeswoman said that this study would more accurately define the final cost.

Fairfax Media understands Australia was concerned about the security implications of Huawei being involved in connecting to Australia’s critical infrastructure, but also more broadly about a Chinese firm – even a private sector one – extending Chinese influence into the Pacific through the cable project.

The Solomons originally identified a British-American company to do the work and had secured backing from the Asian Development Bank. But the previous government abruptly switched to Huawei, prompting the ADB to pull out, saying that the “Huawei contract was developed outside of ADB procurement processes”.

A Huawei spokesman said: “We’ve been advised by the Solomon Islands Submarine Cable Company that Chinese development has been contracted to undertake a scoping study but that’s all they have said to us.”

Jonathan Pryke, a Pacific islands expert at the Lowy Institute, applauded Australia’s move, saying that it made strategic and security sense while also providing much-needed development.

“There’s clearly a strategic objective to this project. It’s to make sure there’s no opportunity for third players like China or a Chinese company like Huawei to swoop in and provide a cable to PNG or the Solomons that could affect strategic interests and compromise Australia’s security.”

He said Chinese development would be welcome in the Pacific if it were more transparent and added there had been concerns in the Solomon Islands about the opaqueness of the Sogavare government’s deal with Huawei Marine.

The cable company’s CEO, Keir Preedy, was not available for comment. Mr Hou’s office did not respond to email requests for comment.

Notifiable Data Breaches initiative: Preparing to disclose a data breach in Australia

Australia’s Notifiable Data Breaches scheme will come into force next month. Here is what it means and how it will affect organisations, and individuals, in Australia.


Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

What that means is all agencies and organisations in Australia that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.

In addition to notifying individuals affected, under the scheme, organisations must provide advice on how those affected should respond, as well as what to do now their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.

“The NDB scheme formalises an existing community expectation for transparency when a data breach occurs,” Pilgrim told ZDNet. “Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm.”

Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, health service providers, and political parties are exempt from the NDB.


In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.

The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting. An example of this is where Commonwealth law prohibits or regulates the use or disclosure of information.

An enforcement body — such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission — does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.

Although not required all the time to disclose a breach, a spokesperson for the AFP told ZDNet the AFP would be complying with its notification obligations in all circumstances where there are no relevant exemptions under the Act.

If the Australian Information Commissioner rules the breach is not bound by the NDB scheme, organisations may not have to disclose it any further.

In addition, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme as they have their own binding process to follow, which also lies under the umbrella of the OAIC.


As the NDB dictates an objective benchmark in that the scheme requires a “reasonable person” to conclude that the access or disclosure is “likely to result in serious harm”, Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing the breach, an organisation should interpret the term “likely” to mean more probable than not — as opposed to merely possible.

“Serious harm” is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Information about an individual’s health; documents commonly used for identity fraud including a Medicare card, driver’s licence, and passport details; financial information; and a combination of types of personal information — rather than a single piece of personal information — that allows more to be known about an individual can cause serious harm.

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.


Agencies and organisations that suspect an eligible data breach may have occurred must undertake a “reasonable and expeditious assessment” based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.

If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.

Organisations disclosing a breach must complete the Notifiable Data Breach statement — Form.

The notification to affected individuals and the commissioner must include the following information: the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.

Those affected are to be notified within 30 days of the breach’s discovery, during which time the entity can conduct its own investigation on the breach. 30 days is the absolute maximum.

The NDB scheme, however, provides entities with the opportunity to take steps to address a data breach in a timely manner, and avoid the need to further notify — including notifying individuals whose data has been somewhat exposed.


Failure to comply with the NDB scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences.

Gilbert + Tobin’s Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.

If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.

“Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation’s bottom line of consumer trust in an organisation’s data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches,” Fai added.

“The effects of the data breach on Equifax last year and its response are a case in point.”


The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.


The federal government finally passed the data breach notification laws at its third attempt in February 2017.

A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia’s mandatory data-retention laws being implemented.


According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.

Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.

“This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people — such as from IT, legal, cybersecurity, public relations, management, and HR — together to respond effectively,” Fai told ZDNet.

It wouldn’t hurt to continuously audit and strengthen cybersecurity strategies, protection, and tools to avoid and prevent data breaches.

“It is also important that an organisation’s personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next,” Fai explained, adding this also extends to suppliers and other third-parties that process personal information on their behalf.


From May this year, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The GDPR and the Australian Privacy Act share many common requirements, but there are a bunch of differences, with one crucial element being the time to disclose a breach.

Under the NDB scheme, organisations have a maximum of 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

“In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes — although the two regimes contain different requirements, they are not mutually exclusive,” Fai added. “However, when it comes to data breaches, the high watermark of compliance is complying with the European regime.”


Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.

“When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn’t possible,” Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.

“The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist.”

Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.

“Most organisations don’t have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event,” he explained.

“Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message.”

Savvides said it is clear that users value transparency and clear speech rather than the ambiguous legalese responses some organisations have produced.

“The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed,” Pilgrim added. “By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place.”



Amazon gives record amount of client data to US law enforcement

The company’s fifth transparency report reveals more customer data was handed to US law enforcement in the first-half of last year than ever before.

Amazon has turned over a record amount of customer data to the US government in the first-half of last year in response to demands by law enforcement.

The retail and cloud giant quietly posted its latest transparency report on Dec. 29 without notice — as it has with previous reports — detailing the latest figures for the first six months of 2017.

The report, which focuses solely on its Amazon Web Services cloud business, revealed 1,936 different requests between January and June 2017, a rise from the previous bi-annual report.

The company received:

  • 1,618 subpoenas, of which the company fully complied with 42 percent;
  • 229 search warrants, of which the company fully complied with 44 percent;
  • 89 other court orders, of which the company fully complied with 52 percent.

It’s not clear why there was a spike in requests during the half-year period. An Amazon spokesperson declined to comment.

Amazon also confirmed it had 75 requests from outside the US through a mutual legal assistance process, in which it partially complied with two cases. The remaining cases were rejected. But the company didn’t say which countries made the requests.

Amazon said it did not receive any content removal orders during the period.

As in previous reports, the company refused to say if it had received a national security letter during the period. Tech companies are barred from disclosing exactly how many of these letters they receive, but companies can under their First Amendment right to freedom of speech say if they have not received one.

Amazon instead preferred to say it had received between zero and 249 national security requests.

The company’s transparency reports do not take into account any other data-related business units, such as if authorities have obtained data wiretapped or submitted through its Amazon Echo products.

Law enforcement has, since Echo’s inception, looked at ways to obtain data from the voice-activated assistant. Amazon has largely resisted efforts by police to obtain data from the always-listening product, but acquiesced in one homicide investigation after the suspect did not object to the turning over of his Echo data.

Five Eyes, Nine Eyes & 14-Eyes Countries and VPNs: Important to know when using (or planning to use) a VPN

The content here is part of an article published on a VPN site; at the end of this short introduction there will be a link to many more viewpoints and information.

This article will discuss available VPNs in relation to the 5 Eyes, the 9 Eyes and the 14 Eyes government surveillance alliances.

Encryption is the only way to protect private communications. While there are encrypted messaging systems that can be used for direct correspondence, virtual private networks (VPNs, also based on encryption) are the best tools for hiding internet activity, such as which websites are visited. Again, there are valid reasons to do so: to protect the privacy of religion, sexual orientation and sensitive medical conditions; all of which can be inferred from visited websites.


During the second world war, US and UK intelligence agencies worked closely on code-breaking. After the war, the UK center at Bletchley Park evolved into the Government Communications Headquarters (GCHQ). The American service evolved into the National Security Agency (NSA). In 1946, the working relationship between the two countries was formalized in the UKUSA agreement. It worked on signals intelligence (SIGINT); that is, the interception and analysis of adversarial telecommunications.

In order to provide global coverage for communications interception, Canada, New Zealand and Australia joined the UK and the USA – and became known as the Five Eyes.

However, such is the NSA’s global dominance of intelligence gathering that other countries have sought to cooperate in return for specific ‘threat’ information from the NSA. This has led to other SIGINT groupings: the 9 Eyes and the 14 Eyes.

The operation of these intelligence agencies was long kept secret. As global communications have increased, and as perceived threats have grown (first in the Cold War between east and west and more recently in the ‘war on terror’), the 5 Eyes in particular began to secretly use technology to gather everything for later analysis. GCHQ, for example, had a secret project called Mastering the Internet. None of this was publicly known.

In 2013, NSA whistleblower Edward Snowden leaked thousands of top secret NSA and GCHQ documents showing, for the first time, the extent to which national governments spy on everybody. It is always done in the name of ‘national security’, and both the relevant agencies and their governments insist on their right to do so.


Henry Sapiecha

Labor senator Sam Dastyari warned wealthy Chinese donor Huang Xiangmo his phone was tapped

Labor senator Sam Dastyari warned Chinese Communist Party-linked political donor Huang Xiangmo last year that his phone was likely tapped by government agencies, including the US government.

Before the two spoke, Mr Dastyari gave Mr Huang counter-surveillance advice, saying they should leave their phones inside and go outside to speak.

The face-to-face meeting between the pair in the grounds of Mr Huang’s Mosman mansion in Sydney last October came several weeks after Mr Dastyari quit the frontbench over his dealings with Mr Huang.

It also occurred after ASIO briefed senior political figures, including from the Australian Labor Party, that Mr Huang was of interest to the agency over his opaque links to the Chinese government.

Security agencies have the capacity to use mobile phones as surveillance devices without a user’s knowledge.

A Canberra source with knowledge of the meeting said on background that Mr Dastyari blamed the US government for the scandal that earlier enveloped him and Mr Huang and said he was the subject of surveillance, including by the US government.

Details of the phone tap warning and other dealings involving the pair have been collected by national security officials, Fairfax Media has confirmed, and the revelations are likely to spark debate about sweeping reforms proposed by the Turnbull government to counter foreign interference in Australia.

Attorney-General George Brandis said the revelation raised questions about Mr Dastyari’s loyalty.

“This comes at a time when members and senators are under intense scrutiny over whether they hold dual citizenship. Of the 226 Australians elected at the 2016 federal election, the person whose allegiance to Australia is most in question is Sam Dastyari,” Mr Brandis said.

The Mosman meeting occurred more than a month after media reports in early September last year that ASIO’s top spy, Duncan Lewis, had warned Labor “that some of their donors had strong links to the Chinese Government”.

Those same media reports also detailed dealings between Mr Dastyari and Mr Huang. Among them were that Mr Huang had paid a $5000 legal bill for Mr Dastyari, and that Mr Huang had told a Chinese Communist Party newspaper that “political demands and political donations” should be linked.

Also among the revelations that damaged Mr Dastyari were comments he reportedly made at a press conference with Mr Huang that contradicted Labor policy on the South China Sea, and echoed Beijing’s policy position.

These events led to Mr Dastyari’s resignation from the Labor frontbench on September 7 last year.

Two Labor sources have also confirmed that, shortly after these events, Opposition Leader Bill Shorten warned Mr Dastyari through a “back channel” that ASIO had concerns about Mr Huang. Mr Shorten’s office declined to answer questions about if or when this occurred, although a source with first-hand knowledge of the ASIO warning relayed to Mr Dastyari said it was generic and did not contain any classified information known to Mr Shorten.

On Monday, Fairfax Media asked Mr Dastyari why he had told Mr Huang his phone was tapped, and why he advised him to move outside his house and not to speak near his phone.

Mr Dastyari responded: “I reject any assertion that I did anything other than put to Mr Huang gossip being spread by journalists.”

Fairfax Media also asked Mr Dastyari why he met Mr Huang in person, rather than calling him, and why he thought a face-to-face meeting was appropriate weeks after the extensive public reporting about ASIO’s concerns regarding Chinese Communist Party-connected donors.

Mr Dastyari said: “After the events of last year, I spoke to Mr Huang to tell him that I did not think it was appropriate that we have future contact. I thought it was a matter of common courtesy to say this face to face.”

Mr Dastyari has since begun his public rehabilitation, and was promoted to deputy senate whip in February.

Mr Dastyari said on Monday: “I have never received a security agency briefing, or received any classified information about any matter, ever. I’ve never passed on any protected information – I’ve never been in possession of any.”

His statement did not address what fellow Labor officials had told him about Mr Huang.

Mr Huang, a billionaire property developer, has close ties to the Chinese consulate in Sydney and, until the weekend, headed a Sydney organisation aligned with the Chinese Communist Party’s political lobbying and propaganda agency, the United Front Work Department.

On Saturday, Mr Huang stepped down as chairman of the Australian Council for the Promotion of the Peaceful Reunification of China (ACPPRC), and was lauded as a “banner” and likened to a patriotic flag who had made “heroic achievements” in the past year.

On September 14, 2016, weeks prior to the Mosman meeting, US ambassador John Berry said the US was concerned about Chinese government involvement in Australian politics, in remarks reported in connection to Mr Dastyari’s dealings with Mr Huang.

On September 28, also prior to the meeting, Mr Huang dispatched members of the ACPPRC for a meeting in Beijing with a senior Chinese government official, who directed the members to “make allies to obtain international support” and contribute to the “great revitalisation of the Chinese nation”.

ASIO began an assessment of Mr Huang’s citizenship application in early 2016. The application remains blocked by ASIO and, earlier this year, national security officials interviewed Mr Huang at a secure Sydney CBD location.

Fairfax Media and Four Corners have previously revealed that after the citizenship request first stalled in early 2016, Mr Huang asked Mr Dastyari to intervene on his behalf. Mr Dastyari or his office called immigration officials four times in the first six months of 2016, but the senator has described this contact as routine.

The Turnbull government is planning to introduce new laws this year to counter foreign interference from Beijing and other nations and require agents or official advocates of foreign governments to register under a foreign agents registration act. The latter reform may concern ex-senior Liberal and Labor figures who work for companies or institutions controlled or directed by Beijing or its proxies.

A former intelligence officer told Fairfax Media that the instruction to Mr Huang not to talk within the vicinity of his phone amounts to counter-surveillance advice. Mr Dastyari is a security-conscious member of federal parliament who, along with many colleagues, uses encrypted applications to communicate.

Henry Sapiecha

Australia likely to get its own GDPR

Everyone in the Australian cybersecurity ecosystem has a role to play to ensure the security of the nation, according to Nationals Senator Bridget McKenzie.

The mandatory data breach notifications laws coming into effect in Australia next year will be followed by other laws to ensure everyone in the digital ecosystem — including government divisions, large corporates, small to medium-size enterprises (SMEs), and consumers — is playing their role in keeping Australia “cyber secure”, according to Senator Bridget McKenzie.

McKenzie, who is the chair of the Foreign Affairs, Defence, and Trade Legislation Committee, likened cyber breaches to the “system of disease in the pre-industrial revolution that just swept through”.

“Cyber breaches have the capacity to wipe out industries, wipe out systems, wipe out communities, if every member of that community or that cyber ecosystem isn’t following best practice when it comes to keeping their information secure,” McKenzie told ZDNet at the Australian Computer Society’s Reimagination Thought Leaders’ Summit.

“It’s not just defence’s job or ASIO’s or DSTO’s or the government’s indeed, but every SME and private homeowner needs to have an eye for cybersecurity, making sure their data’s safe.”

McKenzie said mandatory data breach notifications laws, set to come into effect next year, are a step towards keeping organisations alert and accountable, with other laws expected to be introduced in Australia in the upcoming years, possibly similar to those coming into effect next year in the European Union.

The European Union’s (EU) General Data Protection Regulation (GDPR) will require organisations around the world that hold data belonging to individuals from within the EU to provide a high level of protection and explicitly know where every piece of data is stored.

Organisations that fail to comply with the regulation requirements could be fined up to €20 million, or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year — whichever is higher.

“No longer can you say, ‘Oh I’ll leave it to someone else’ because the flow-on effects, the interconnectedness, the Internet of Things, is such that if one member of that web, if you like, has a security breach, it has flow-on effects for everybody involved,” McKenzie said.

Additionally, Australians need to have the confidence that they can share private information such as their health details and not have it end up in the public sphere, otherwise the nation will not be able to experience the full benefits of technology, McKenzie said.

Shadow Minister for the Digital Economy Ed Husic said, however, that the government has a long way to go in building that confidence, given 50,000 Australians have been affected by a government data breach that occurred in October. He noted that the breach was not a technological error, but a human error.

“How do we build consumer or citizen confidence about protection of privacy?” Husic said. “50,000 people were affected by a data breach across government, releasing details of passwords and credit cards. It’s not all tech related … people often blame tech for this. It’s people and the way that they use data and it’ll be interesting to see the details that come out on this in the next few days.”

“This data breach occurred back in October, no public explanation of it, no detail about what was known, what was being done to fix it. If we want people to be confident that data is being used well by government, then the government’s got a long way to go to build that confidence.”

Husic added that the government needs to lead by example; it should be notifying the public about data breaches if it wants businesses to do the same.

“[The government’s] got to do some things itself. And you can’t lecture business about getting focused on cybersecurity if you’re losing your own moral authority … because you’re not looking after data within your own batch,” he said.

McKenzie believes in Australia’s growing status as a cybersecurity hub, saying that the nation is equipped with the right expertise in this area. She added that Australia is in the process of creating a strong cybersecurity industry capable of exporting.

“Our law enforcement and intelligence agencies are world-class. We’re also part of Five Eyes, which means we have a lot of access to information and technology and collaboration opportunities,” she said. “We lead the world in quantum computing … and it [has the] potential to contribute further to security of data and security of communications particularly in the intelligence and defence spheres.

“We’ve really got some technical expertise, but also I think a richness around governance frameworks and excellence in regulatory frameworks that can also assist other governments and other organisations worldwide to understand best practices in the area.”

In September, Ambassador for Cyber Affairs Dr Tobias Feakin communicated a similar sentiment, saying Australia has an international standing in cybersecurity, and brings “key qualities” to the table.

Australia has also played a role in the creation of international peacetime norms for cyberspace, including chairing the first United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) in 2013, and helping develop the 11 international norms agreed to in subsequent UN GGE meetings.

“We have regional knowledge beyond most. We have a trusted diplomatic brand, and that’s something that we intend to capitalise on. We have strategic and economic interests in the region. And we have long-standing development partnerships across the region already,” Feakin said at the second annual SINET61 conference in Sydney.

“We need to capitalise on those, make the most of them. Not just for us as a government, [and] for regional partners as well, but also for our private sector … We see this issue as central to our economic future,” he said.

“It’s only this year that it’s just reached the point, of tipping over, to 50 percent of all internet users living in the Asia-Pacific. But really, still, there’s huge economic growth to unravel there, because still 60 percent of all households don’t have internet coverage.”

Last month, launching the International Cyber Engagement Strategy, Foreign Minister Julie Bishop said that for the purpose of national security, cyberspace cannot be an ungoverned space.

“Just as we have international rules that guide how states behave, and how states should behave towards each other, the international rules-based order that’s been in place for about 70 years, so too must states acknowledge that activities in cyberspace are governed by the same set of rules as military and security activities in traditional domains,” Bishop said in October.

“The 2016 US presidential election focused the world’s attention on the potential for cyber operations to interfere with democratic processes. This cannot be allowed to continue. It strikes at the very heart of the sovereignty of nations.”

According to the International Cyber Engagement Strategy, Australia will develop an international “architecture for cooperation” including mechanisms to respond to unacceptable behaviour in cyberspace in a timely manner.

“Australia’s responses to malicious cyber activity could comprise law enforcement or diplomatic, economic, or military measures as appropriate for the circumstances. This could include, but is not restricted to, offensive cyber capabilities that disrupt, deny, or degrade the computers or computer networks of adversaries,” the strategy states.

The strategy also implies that the nation has the capability to identify the source of cyber attacks.

“Depending on the seriousness and nature of an incident, Australia has the capability to attribute malicious cyber activity in a timely manner to several levels of granularity — ranging from the broad category of adversary through to specific states and individuals,” the strategy states.

In September, the federal government pledged AU$50 million over seven years for the cybersecurity cooperative research centre (CRC), with over AU$89 million in further funding to come from 25 industry, research, and government partners.

The cybersecurity CRC will deliver solutions to increase the security of critical infrastructure, the government said at the time, which includes “frameworks, products, and approaches that will service existing and future ICT enterprises across a broad range of platforms and operating systems”.

Assistant Minister for Industry, Innovation and Science Craig Laundy said the activities of the cybersecurity CRC will contribute to the objectives laid out in Australia’s AU$240 million Cyber Security Strategy, which is aimed at defending the nation’s cyber networks from organised criminals and state-sponsored attackers.


Henry Sapiecha

Malaysia data breach compromises 46.2M mobile numbers

Suspected to have originated from a 2014 attack, the breach is estimated to affect 46.2 million mobile numbers and compromise data such as home addresses and SIM card information.

A massive cybersecurity breach is reported to have compromised personal data of 46.2 million mobile numbers in Malaysia, exposing details such as home addresses and SIM card information.

The breach affected both postpaid and prepaid numbers as well as subscribers from all major mobile carriers in the country, including Maxis, Altel, Digi, and Celcom, according to Lowyat. The local website earlier this month said it received information that personal data linked to millions of Malaysians were being peddled online.

Apart from customer data from local telcos, it added that the information included those that belonged to various websites such as, Malaysian Medical Association, and Malaysian Housing Loan Applications. Leaked data from, for instance, contained the candidate’s login name, nationality, and hashed passwords.

Timestamps in the compromised data suggested that the breach occurred between 2014 and 2015, said Lowyat.

Commenting on the breach, Darktrace’s Asia-Pacific managing director Sanjay Aurora said such “low and slow” attacks could lie stealthily in networks for years without anyone noticing. He added that traditional defense tools would not be able to identify and block such attacks.

“Lateral movements are incredibly difficult to catch, with attackers spending an average of 260 days in a network before striking,” Aurora explained. He pointed to the need for machine learning tools that could learn on-the-job and dynamically tweak their analysis based on new information.

“Alongside this, there needs to be a cultural change,” he added, stressing the need to stop victim-blaming so businesses would not fear coming forward.

Lowyat said it had handed the information to industry regulator, Malaysian Communications And Multimedia Commission, which later released a statement confirming it was investigating the incident.

According to local reports, Communications and Multimedia Minister Datuk Seri Salleh Said Keruak said the police were also involved in the investigation.

Malaysia has a population of some 31.2 million, so some subscribers likely will hold more than one compromised mobile number. The report added that the list may contain inactive numbers as well as temporary ones issued to visitors to the country.

Henry Sapiecha