Category Archives: DATA ACCESS & STORAGE

Canberra gives ‘decryption’ yet again another crack with draft legislation

The Australian government says it is still committed to ‘no backdoors’, even as it publishes draft legislation that will force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.

The Australian federal government has finally outlined in detail how it plans to access encrypted communications, publishing draft legislation more than a year since Prime Minister Malcolm Turnbull announced his intentions to do so.

In a bid to address the “serious challenges posed by current communications technology to law enforcement and national security investigations”, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 [PDF] is described by the government as demanding “critical assistance” from the communications industry thus enabling law enforcement to effectively investigate serious crimes in this digital era.

The Bill, opened to the public for consultation, introduces measures that the government said will greatly improve the ability of agencies to access intelligible communications content and data.

As outlined in the explanatory document [PDF], three reforms are meant to achieve this. The first enhances the obligations of domestic providers to give “reasonable assistance” to Australia’s key law enforcement and security agencies, and extends those assistance obligations to offshore providers supplying communications services and devices in Australia.

The Bill will also introduce new computer access warrants for law enforcement that will enable them to “covertly obtain evidence directly from a device”, while also strengthening the ability of law enforcement and security authorities to overtly access data through existing search and seizure warrants.

Turnbull, along with his then Attorney-General George Brandis, announced plans in July last year to introduce the legislation that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.

Questioning whether the proposed legislation was technically possible, we asked the prime minister if the laws of mathematics would trump the laws of Australia.

“The laws of Australia prevail in Australia, I can assure you of that,” Turnbull told us. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

During his media rounds, Turnbull made sure he let Australia know that his intention was to protect the nation against terrorism and to protect the community from criminal rings such as those involved in paedophilia, rather than nutting out the technical specs of the laws modelled on the UK’s snoopers’ charter.

Oversight of the legislation now sits with Minister for Law Enforcement and Cyber Security Angus Taylor, whose statement on Tuesday focused on protecting Australians with the legislation, saying again that technologies including encryption are increasingly being used by paedophiles, terrorists, and organised criminals to conceal their illicit activities.

“We know that more than 90 percent of data lawfully intercepted by the Australian Federal Police now uses some form of encryption. This has directly impacted around 200 serious criminal and terrorism-related investigations in the last 12 months alone,” he said.

“We must ensure our laws reflect the rapid take-up of secure online communications by those who seek to do us harm. These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network.”

According to Taylor, the measures in the Bill “expressly prevent” the weakening of encryption or the introduction of backdoors.

“I am committed to maintaining the integrity of Australians’ personal information, devices, and communications,” he continued.

“Our first priority is keeping Australians safe and these measures will go a long way to ensure that criminals cannot hide.”

The draft legislation is open for public discussion until September 10, 2018.

PREVIOUS AND RELATED COVERAGE

Australia’s semantic sleight of hand on encrypted messaging revealed

Newly-released documents confirm that the Australian government’s commitment to ‘no backdoors’ to weaken encryption algorithms doesn’t preclude backdoors elsewhere in the secure messaging pipeline.

Australian government committed to ‘no backdoors’: Taylor

‘We simply don’t need to weaken encryption in order to get what we need,’ says cyber security minister Angus Taylor, but trust in our civilisation is crumbling.

Thou shalt be secure: RSA says you can’t force private sector to break encryption

RSA’s VP and GM of Global Public Sector Practice Mike Brown believes there’s a better way to thwart terrorism than breaking end-to-end encryption, as recently proposed by the Australian government.

Australia called out as willing to undermine human rights for digital agenda

A report from AccessNow has asked Australia to change its course and lead the way in serving as a champion for human rights instead of against.

www.ozrural.com.au

Henry Sapiecha

Australian ‘My Health Record’ systems collapse under more opt-outs than expected

When a country’s citizens rush to opt out of a government service, it says something about their levels of trust in the offering. When the system falls over under heavy load, it proves them right.

Australians attempting to opt out of the government’s new centralised health records system online have been met with an unreliable website. Those phoning in have faced horrendous wait times, sometimes more than two hours, often to find that call centre systems were down as well, and staff unable to help.

The Australian Digital Health Agency (ADHA), which runs the My Health Record system, is reportedly telling callers that they weren’t expecting the volume of opt-outs.

“On hold with @MyHealthRec for well over 1.5 HOURS to opt out without providing my driver’s licence/passport number. Turns out their entire backend system has crashed and they are telling support staff to just punch people’s details into the website files. Confidence inspiring!” tweeted one caller.

“The person I’m speaking to is stressed as f***. It’s their first day. I feel bad for her but she also has no idea what’s going on and puts me on hold every time I ask something that’s not on the script.”

The problems started early on Monday, the first day of the three-month opt-out period before digital health records are created automatically.

“Call operator Laura answers. Pleasantly & politely tells me she can help. Uses my Medicare number to locate my record. But can’t alter my record as system down. She apologises, guesses this is why I’m having trouble online and suggests I try again later,” tweeted Dr Leslie Cannold at 7.29am.

Cannold, a research ethicist and health regulator, said she’d like to see government prove the value of My Health Record, as well as their capacity to keep it secure, before she opts in to have one. The system should also be designed to allow users to withdraw their record at any time. Currently, opting out merely marks your data as “unavailable”, while actually keeping it on the system until 30 years after your death.

Must read: The Australian government and the loose definition of IT projects ‘working well’

Those opting out have cited a wide range of privacy and security concerns — something this writer thinks is completely understandable. The ADHA’s Dr Steve Hambleton has downplayed the risks.

“I can absolutely categorically state that none of the apps and none of the use of the My Health Record data will be able to be sold to third parties — that’s absolutely prohibited,” he said.

And yet earlier this month, the My Health Record partner app HealthEngine was caught doing exactly that.

We know full well that prohibiting something doesn’t mean it won’t happen.

Some of those opting out were concerned that the ADHA website used Google’s reCAPTCHA, which works by sending data offshore for analysis, potentially including personal data.

“The Privacy Policy linked from the opt-out page says ‘We will not disclose or store overseas any personal information you give us, but that’s not how reCAPTCHA works,” wrote consultant Justin Warren.

“reCAPTCHA watches what you do on the page via injected JavaScript controlled by Google, which sends info to ‘an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user’s entire engagement with the CAPTCHA — before, during, and after’ …

“Personally I think the devs just wanted to use modern web tools to prevent bots from spamming the page, and it didn’t occur to them to think about the privacy concerns because they never do on other, less sensitive, websites. Which is just the kind of careful handling of sensitive data you want from a centralised national database of the entire population’s health information.”
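One check a reviewer of the opt-out page could have run, given Warren’s point above, is to list every script and frame the page pulls from a host other than the site’s own and compare that list with what the privacy policy claims. The following is an added example, not code from the ADHA site, from Google or from Justin Warren; the HTML and the first-party host `example.gov.au` are constructed for illustration. It only sees what is in the static HTML: resources that reCAPTCHA’s own script injects at runtime need a browser-side audit (for example via the Resource Timing API) to capture, so an empty result here is not proof of no third-party disclosure.

```javascript
// Added example: static audit of an HTML page for third-party script and
// frame sources. Not code from the ADHA, Google or the article's author.
// SAMPLE_HTML is constructed for illustration; it mimics an opt-out form that
// embeds reCAPTCHA the way the quoted tweets describe.
const SAMPLE_HTML = `
<!doctype html>
<html><head>
  <script src="/static/optout.js"></script>
  <script src="//www.google.com/recaptcha/api.js?render=explicit"></script>
  <script src="https://www.gstatic.com/recaptcha/releases/v1/recaptcha__en.js"></script>
</head><body>
  <form action="/opt-out" method="post"></form>
  <iframe src="https://www.google.com/recaptcha/api2/anchor?k=sitekey"></iframe>
</body></html>`;

// Matches <script ... src="..."> and <iframe ... src="..."> in document order.
const SRC_RE = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;

// Subdomains of the first-party host count as first party.
function isFirstParty(host, firstPartyHost) {
  return host === firstPartyHost || host.endsWith('.' + firstPartyHost);
}

// One record per script/iframe: resolved URL, host, and whether the host is
// outside the first-party domain. Relative and protocol-relative src values
// are resolved against the first-party origin.
function auditResources(html, firstPartyHost) {
  const base = `https://${firstPartyHost}/`;
  const findings = [];
  SRC_RE.lastIndex = 0;
  let m;
  while ((m = SRC_RE.exec(html)) !== null) {
    const url = new URL(m[2], base);
    findings.push({
      tag: m[1].toLowerCase(),
      src: url.href,
      host: url.hostname,
      thirdParty: !isFirstParty(url.hostname, firstPartyHost),
    });
  }
  return findings;
}

// Distinct third-party hosts, sorted. A non-empty result on a page whose
// privacy policy promises no overseas disclosure is the finding Warren describes.
function thirdPartyHosts(html, firstPartyHost) {
  const hosts = new Set(
    auditResources(html, firstPartyHost).filter(f => f.thirdParty).map(f => f.host));
  return [...hosts].sort();
}

// Stand-alone run over the constructed page.
for (const f of auditResources(SAMPLE_HTML, 'example.gov.au')) {
  console.log(`${f.thirdParty ? 'THIRD-PARTY' : 'first-party'}  <${f.tag}>  ${f.src}`);
}
console.log('third-party hosts:', thirdPartyHosts(SAMPLE_HTML, 'example.gov.au'));
```

Against the constructed page this reports `www.google.com` and `www.gstatic.com`, which is exactly the mismatch with a “we will not disclose or store overseas” policy. To use it on a real site, fetch the page HTML first and pass the site’s registrable domain as the first-party host.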

Others were concerned that their health records could be disclosed in court under section 69 of the My Health Records Act 2012, or to law enforcement agencies without a warrant under section 70.

Law enforcement access can be provided if the ADHA “reasonably believes that the use or disclosure is reasonably necessary” for “the prevention, detection, investigation, prosecution, or punishment of criminal offences” or “the protection of the public revenue”, among other reasons. The “enforcement bodies” with access are defined in the Privacy Act 1988, and are much broader than those authorised under the telecommunications data retention legislation.

“[The Australian public service] needs to understand that statutory interpretations aren’t just for days in court, proper governance of your interpretation means stating it openly and legitimating it,” tweeted Darren O’Donovan, senior lecturer in administrative law at La Trobe University.

“The objective criteria are key because ‘reasonable belief’ of ‘reasonable necessity’ is [a] pretty forgiving standard.”

So far, the government has spent more than AU$4 billion on the digital health records system, which started life as the “personally controlled e-health records” (PCEHR) project in the 2010-2011 federal Budget.

Only 1.9 percent opted out of the initial trial involving 1 million people. The ADHA therefore projected that around 500,000 Australians would opt out during the three-month window.

The system was originally planned to be opt-in, but poor adoption rates led to the government flipping it to an opt-out system. Victoria’s then privacy commissioner David Watts called that a fundamental breach of trust.

“I actually designed the regulatory system for e-health in Australia, and I swore black and blue … that we would never be an opt-out system, and always be an opt-in. And of course it’s now an opt-out system in order to drive take-up of e-health, because AU$4 billion had been spent on it and very few people had registered,” Watts told a privacy conference in 2016.

One might think that after a series of Australian government IT disasters, they’d have planned more carefully for an unexpected overload and have a strategy in place for crisis communications.

But as of 16:00 AEST on Monday, the ADHA’s social media accounts were showing nothing but a generic promo, and even that wasn’t posted until lunchtime.

The Australian government still seems to have a real problem with computers. Those opting out of My Health Record would seem wise to be doing so.

Previous Coverage

Cancelled My Health Record data to be kept in limbo

Those choosing to opt-out of the My Health Record service will still have their data visible if they reactivate their account.

Less than 2 percent of My Health Record trial users opted out

Perhaps more worryingly, the use of privacy controls is sitting under the 0.1 percent mark.

My Health Record stands up cybersecurity centre to monitor access

Those who choose to keep their My Health Record will also have a real-time log of who has accessed their information.

My Health Record opt-out period from July 16 to October 15, 2018

The window for Australians to opt out of an electronic health record has been announced by the government.

My Health Record secondary data must stay in Australia and not be used for ‘solely commercial’ reasons

The Australian government’s My Health Record data use guidelines require the data governance board to make case-by-case decisions on how the private data can be used.


Australians need to think about doing this immediately to protect their heath data records

A NEW system of digitised, comprehensive medical records for everyone in this country is set to come into effect shortly but Australians are being warned about potential privacy and security issues.

The Federal Government’s new My Health Record system will create a personal medical history file for every Australian.

People’s medical records will be stored on a national database under the scheme, to be viewed by patients, doctors and other medical staff at any time. That is, unless you opt out – which you can do for a three-month period beginning today.

The scheme has been a long time in the making and medical professionals are quick to point out the potential benefits to patient care they say it will provide. However advocacy groups such as Digital Rights Watch have expressed concerns about the security of the My Health Record initiative, and are urging everyone to opt out.

“No guarantees have been given that individual citizens’ personal information will be kept safe and secure,” Digital Rights Watch chairman Tim Singleton Norton warned.

“Health information is incredibly attractive to scammers and criminal groups.

“There are also concerns of the current or future access being granted to private companies.”

Australian Medical Association (AMA) president Dr Tony Bartone says the system will move the industry from a “prehistoric” way of information sharing and collate data that is already in the hands of the medical industry, albeit not linked or even digitised.

“It will bring data presently located in many different sections of the health system … and attempt to bring it into an online repository in the one spot,” he told news.com.au. “Your health data is already in various portals. What isn’t there yet is this online, connected repository … that will facilitate a communication data storage revolution.”

The system has been styled on similar efforts by other countries and has been many years in the making.

“The journey has been a torturous one,” Dr Bartone said. “This is the end result of many, many years of collaboration and reviewing what has been done in a lot of other parts of the world.”

The data will be available on demand to a raft of medical professionals who work in healthcare: around 12,800 health organisations and up to 900,000 health workers.

The opt-out period begins today and ends on October 15.

The service does give individuals a level of control over how the information is used. A PIN can be placed on individual patient summaries uploaded to a file; in emergencies, however, that PIN can be bypassed using an override function.

“Access is predicated by your allowance, or your permission, to view that record,” Dr Bartone said.

“The important thing that has to happen over the next three months is not so much that you opt out but understanding if you don’t opt out, how to manage your profile … you can block, you can hide pieces or entire chapters of your health file.”

For those concerned about misuse, patients can set up alerts to monitor who is accessing the data and see where the information is being used.

Police will also be able to gain access to the information under certain circumstances, including, but not limited to, where there is a reasonable belief it could help prevent or detect a crime or protect government revenue.

Health insurance companies will not have any access to the My Health Record of patients. “Insurance companies have got Buckley’s to no chance of being able to use the system,” Dr Bartone said.

“They’ve been specifically prohibited and the legislation will not change in that respect. I can’t imagine a situation where our elected officials would allow that to happen.”

Accessing a record without authorisation can result in prison time and up to $126,000 in fines.

But with a significant portion of data breaches in Australia occurring in the healthcare sector (roughly a quarter of those reported), and given the Government’s past failures in securing confidential health data, many commentators are worried about the risk to patients of their health data being accessed by unauthorised parties.

The Government’s Australian Digital Health Agency responsible for the scheme has played down the security concerns touting the fact that patients can control who has access to their file.

But in an interview with Fairfax, the agency’s Dr Steve Hambleton said he couldn’t rule out the possibility of security breaches occurring on the platform – something which cyber security experts have labelled as an inevitability, particularly given the coveted nature of health data among criminals and fraudsters.

Freelance technology journalist Ben Grubb, who often writes about data security, is among those who have decided to opt out.

“My decision to opt out comes after consulting several healthcare professionals, privacy and computer security experts, the Government, and patients who stand to benefit from having a record,” he wrote.

“I concluded that any benefit I would personally get from having a digital record would be negligible compared to the risks of it being accessed by unauthorised parties.”

But despite privacy and security concerns, doctors are saying the new system will improve emergency treatment and help save many lives.

The National Rural Health Alliance said My Health Record would save lives in regional Australia, and urged people not to opt out.

“If you live outside a major city, you have far less access to health services, and are more likely to delay getting much needed medical treatment. That means you’re more likely to end up being hospitalised,” National Rural Health Alliance CEO Mark Diamond said in a statement.

“A My Health Record means that all your important health information is at the fingertips of your doctor, nurse or surgeon.”

The opt-out period begins today, ending on October 15. By the end of the year, every Australian who has not opted out will have a My Health Record created for them.

HOW TO OPT OUT

If you don’t want a digital file containing your health records, you will need to click the ‘Opt out now’ button on the opt-out page of the Government’s My Health Record website.

You will need your Medicare card and driver’s licence to verify your identity, and provide personal details such as your name and date of birth.

Once you have completed the opt-out process, you cannot cancel your request. However, if you decide later that you would like a My Health Record, you can create one at any time.


Government’s plan to spy on all Australians exposed in leaked letters

It may shortly be far easier for government spies to access your private data. Photo source: Pixabay

We’re constantly being advised to protect our data and information online, but it turns out there may be an even greater cause for concern.

An exclusive report by The Sunday Telegraph reveals our online data may not be safe even from the Australian Government. Australian citizens could soon be subject to secret digital monitoring by the country’s top cyber spy agency, with no warrant required to access their information.

This means everything from text messages to emails and even bank statements could be accessed in secret under the radical new proposed plan. The Sunday Telegraph viewed the secret letters between the heads of Department of Home Affairs and Defence. The letters detail possible new powers for the Australian Signals Directorate (ASD).

As the current rules stand, intelligence is not to be produced on Australian citizens. Having said that, the Australian Federal Police and domestic spy agency ASIO can investigate people with a warrant and also seek help from the ASD if needed in what are deemed to be extreme cases.

If the proposal is passed, it would be up to Defence Minister Marise Payne and Home Affairs Minister Peter Dutton to allow spying to occur. Furthermore, they could approve cases without Australia’s top law officers being aware of it.

The Sunday Telegraph believes Dutton hasn’t yet presented Payne with any formal proposals for changes to the legislation. If passed, though, spies would be permitted to secretly access information relating to an Australian citizen’s financial data, health information and phone records. The change would also make it illegal for government agencies and private businesses to withhold information that could hinder the security measures.

The Sunday Telegraph believes the reason for the data crackdown would be to stop terrorism, child exploitation and other serious crimes being conducted both here in Australia and overseas.

Online data and its safety have made headlines several times in recent months. Earlier this year, Facebook came under fire for breaching privacy rules. And data you share or access online can persist long after you delete it.

Photos, emails, browsing history, comments and videos you upload or view may be retained by the services involved. Worryingly, information shared on a social media platform such as Facebook can remain with the company even after your profile is deleted.

What are your thoughts? Do you have concerns that your private information could be secretly accessed by spies and the government? Do you think it’s really to protect Australians, or just another feeble excuse for the government to gain more information about us? Big Brother is going too far this time, one would think. Write to your MP.


Hackers steal around $400M from Cryptocurrency System ICOs

ICOs are risky, possibly quite lucrative, and also a top target for threat actors looking to cash in.


Cyberattackers have managed to line their pockets with almost $400 million in cryptocurrency by targeting ICOs, a new report states.

According to a new research report (.PDF) by Ernst & Young, over 10 percent of all funds changing hands during these events have been lost or stolen.

This equates to roughly $400 million in cryptocurrency from $3.7 billion in funding between 2015 and 2017.

Initial Coin Offerings (ICOs), or token sale events, have garnered the interest of investors in recent years. The events are an opportunity to fund cryptocurrency or Blockchain-related projects and companies and can prove lucrative in the long term.

ICOs have been popular enough to outstrip venture capital investments in Blockchain projects in recent years, despite the potential risks.

These events may be of interest to investors, but they are also a magnet for threat actors looking to cash in fraudulently.

Ethereum marketplace Enigma was gearing up for its ICO when a phishing campaign scammed $500,000 out of investors, while ICOs launched by CoinDash, Veritaserum, and EtherParty were all compromised by attackers a year ago.

These are only the most high-profile names to be targeted through ICOs, however, as the report found a total of 372 ICOs have been attacked in the last two years.

Hackers have been able to steal an average of $1.5 million per month through ICOs, and the report suggests that attackers “are attracted by the rush, absence of a centralized authority, blockchain transaction irreversibility and information chaos” of such events.

“Project founders focus on attracting investors and security is often not prioritized,” the report says. “Hackers successfully take advantage — the more hyped and large-scale the ICO, the more attractive it is for attacks.”

The most common attacks are the substitution of wallet addresses at the time of the event — as we saw with CoinDash — the unauthorized access of private keys and the theft of funds from both wallets and exchanges.

The most common attack vector is phishing, followed by Distributed Denial-of-Service (DDoS) attacks, direct website compromise, attacks on employees, and exchange hacking.

Calls have been made for more regulation and tighter security surrounding ICOs, with regulators worldwide now thrashing out methods to legislate these events and protect investor funds.

“As ICOs continue to gain popularity and leading players emerge globally, there is a risk of having the market swamped with quantity over quality of investments,” said Paul Brody, EY Global Innovation Blockchain Leader. “These high-risk investments and the complexity of ICOs need to be managed to ensure their credibility as a means of raising capital for companies, entrepreneurs and investors alike.”

Read also: Venezuela asks other countries to adopt oil-backed cryptocurrency

On Monday, US Securities and Exchange Commission (SEC) chairman Jay Clayton warned businesses not to jump on the Blockchain bandwagon or offer ICOs without the expertise and regulatory backing to do so.

The US agency has added ICOs, and companies that have changed their name to something Blockchain- or cryptocurrency-related without cause, to its watch lists in the face of market disruption and surging share prices driven by the trend.


Notifiable Data Breaches initiative: Preparing to disclose a data breach in Australia

Australia’s Notifiable Data Breaches scheme will come into force next month. Here is what it means and how it will affect organisations, and individuals, in Australia.

WHAT IS THE NOTIFIABLE DATA BREACHES SCHEME?

Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

What that means is all agencies and organisations in Australia that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.

In addition to notifying affected individuals, organisations must, under the scheme, advise them on how to respond and what to do now that their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.

“The NDB scheme formalises an existing community expectation for transparency when a data breach occurs,” Pilgrim told ZDNet. “Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm.”

Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, and political parties are exempt from the NDB. Credit reporting bodies, health service providers, and TFN recipients are covered regardless of turnover.

Read more: Former ASIO head questions why political parties are exempt from breach disclosure

WHAT CONSTITUTES A DATA BREACH?

In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.

The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting. An example of this is where Commonwealth law prohibits or regulates the use or disclosure of information.

An enforcement body — such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission — does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.

Although not required all the time to disclose a breach, a spokesperson for the AFP told ZDNet the AFP would be complying with its notification obligations in all circumstances where there are no relevant exemptions under the Act.

See also: Privacy Commissioner to probe Australian government agencies on compliance

If the Australian Information Commissioner rules the breach is not bound by the NDB scheme, organisations may not have to disclose it any further.

In addition, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme as they have their own binding process to follow, which also lies under the umbrella of the OAIC.

Read more: OAIC received 114 voluntary data breach notifications in 2016-17

DETERMINING SERIOUS HARM

As the NDB dictates an objective benchmark in that the scheme requires a “reasonable person” to conclude that the access or disclosure is “likely to result in serious harm”, Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing the breach, an organisation should interpret the term “likely” to mean more probable than not — as opposed to merely possible.

“Serious harm” is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Information about an individual’s health; documents commonly used for identity fraud, including Medicare card, driver’s licence, and passport details; financial information; and a combination of types of personal information, rather than a single piece, that allows more to be known about an individual can all cause serious harm.

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.

THE NOTIFICATION PROCESS

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a “reasonable and expeditious assessment” based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.

If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.

Organisations disclosing a breach must complete the Notifiable Data Breach statement form, which is available from the OAIC.

The notification to affected individuals and the commissioner must include the following information: The identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.

An entity that suspects a breach must complete its assessment within 30 days of becoming aware of the grounds for suspicion; 30 days is the absolute maximum for that assessment, and once the entity concludes an eligible data breach has occurred it must notify affected individuals and the commissioner as soon as practicable, not at the end of the 30-day window.

The NDB scheme also allows an entity that acts quickly to avoid notification altogether: if it takes remedial action before any serious harm results, such that a reasonable person would no longer conclude serious harm is likely, the incident is not an eligible data breach and neither the commissioner nor the individuals whose data was exposed need to be notified.


FAILING TO DISCLOSE A BREACH

Failure to comply with the NDB scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences.

Gilbert + Tobin’s Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.

If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.

“Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation’s bottom line of consumer trust in an organisation’s data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches,” Fai added.

“The effects of the data breach on Equifax last year and its response are a case in point.”


THE ROLE OF THE INFORMATION COMMISSIONER AND THE OAIC

The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.

HOW DID THE NDB COME ABOUT?

The federal government finally passed the data breach notification laws at its third attempt in February 2017.

A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia’s mandatory data-retention laws being implemented.

HOW TO GET READY

According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.


Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.

“This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people — such as from IT, legal, cybersecurity, public relations, management, and HR — together to respond effectively,” Fai told ZDNet.

It wouldn’t hurt to continuously audit and strengthen cybersecurity strategies, protection, and tools to avoid and prevent data breaches.

“It is also important that an organisation’s personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next,” Fai explained, adding this also extends to suppliers and other third-parties that process personal information on their behalf.

DOES YOUR BUSINESS HAVE A EUROPEAN CONNECTION?

From May this year, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals within the European Union (EU) to provide a high level of protection and to know explicitly where every piece of that data is stored.

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.


The GDPR and the Australian Privacy Act share many common requirements, but there are a number of differences, one crucial element being the time allowed to disclose a breach.

Under the NDB scheme, organisations have up to 30 days to assess a suspected breach and must then notify as soon as practicable; under the GDPR, organisations must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

“In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes — although the two regimes contain different requirements, they are not mutually exclusive,” Fai added. “However, when it comes to data breaches, the high watermark of compliance is complying with the European regime.”


HOW TO PREVENT A DATA BREACH

Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.

“When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn’t possible,” Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.

“The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist.”

Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.

“Most organisations don’t have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event,” he explained.

“Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message.”

Savvides said it is clear that users value transparency and clear speech rather than ambiguous legalese responses some organisations have produced.

“The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed,” Australian Information and Privacy Commissioner Timothy Pilgrim added. “By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place.”

PREVIOUS DATA BREACHES IN AUSTRALIA

Henry Sapiecha

Amazon gives record amount of client data to US law enforcement

The company’s fifth transparency report reveals more customer data was handed to US law enforcement in the first-half of last year than ever before.


Amazon has turned over a record amount of customer data to the US government in the first-half of last year in response to demands by law enforcement.

The retail and cloud giant quietly posted its latest transparency report on Dec. 29, as it has with previous reports, detailing the figures for the first six months of 2017.

The report, which covers only its Amazon Web Services cloud business, revealed 1,936 requests between January and June 2017, a rise from the previous bi-annual report.

The company received:

  • 1,618 subpoenas, of which the company fully complied with 42 percent;
  • 229 search warrants, of which the company fully complied with 44 percent;
  • 89 other court orders, of which the company fully complied with 52 percent.

It’s not clear why there was a spike in requests during the half-year period. An Amazon spokesperson declined to comment.

Amazon also confirmed it had 75 requests from outside the US through a mutual legal assistance process, in which it partially complied with two cases. The remaining cases were rejected. But the company didn’t say which countries made the requests.

Amazon said it did not receive any content removal orders during the period.

As in previous reports, the company refused to say whether it had received a national security letter during the period. Tech companies are barred from disclosing exactly how many of these letters they receive, but under their First Amendment right to freedom of speech they can say if they have not received any.

Amazon instead preferred to say it had received between zero and 249 national security requests.

The company’s transparency reports do not cover any other data-related business units, so they say nothing about whether authorities have obtained data captured by, or submitted through, Amazon’s Echo products.

Law enforcement has, since Echo’s inception, looked at ways to obtain data from the voice-activated assistant. Amazon has largely resisted efforts by police to obtain data from the always-listening product, but acquiesced in one homicide investigation after the suspect did not object to the turning over of his Echo data.


Intel: We’ve found severe bugs in secretive Management Engine, affecting millions

An attacker can use Intel’s flaws to run malware that’s invisible to the operating system.


Thanks to an investigation by third-party researchers into Intel’s hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers.

The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS).

Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code.

The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public.

Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.

Goryachy and Ermolov will present their research on an ME flaw at Blackhat in December, detailing how an attacker can run unsigned code in the microprocessor and remain invisible to the main CPU and any anti-malware software.

ME runs on its own microprocessor and, as a Google engineer recently revealed, a modified version of the MINIX operating system.

Google was concerned enough about UEFI and Intel ME that it created NERF, or the Non-Extensible Reduced Firmware, which it uses on its own machines. NERF runs a Linux kernel rather than MINIX, removes ME’s web server and IP stack and key UEFI drivers, and neuters the ability of ME and UEFI to reflash the firmware themselves.

ME supports Intel’s Active Management Technology (AMT), which allows admins to remotely manage and fix devices.

A flaw discovered this May in AMT, which affected chips from 2008, highlighted another problem: patching it required an ME firmware update on machines that hardware vendors had stopped supporting. Only enterprise machines with vPro were affected, but the bug prompted EFF’s demands for Intel to provide a way to disable ME.

Similarly, patching machines will depend on OEMs pushing Intel’s fixes to devices. So far, Intel only lists Lenovo as having fixes available.

To help users address the current batch of bugs, Intel has released a detection tool for Windows and Linux systems, which displays a risk assessment of the system. Intel says the bugs may affect PCs, servers, and IoT platforms.

The bugs affect systems using Intel’s 6th, 7th, and 8th Generation Core CPUs, a range of Xeon processors, as well as the Apollo Lake Atom E3900 series, Apollo Lake Pentium, and Celeron N and J series chips.

Intel says the flaws would allow an attacker to “Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity”.

The attacker could also load and execute arbitrary code that would be invisible to the user and operating system.

The highest severity issue was the flaw discovered by Goryachy and Ermolov, which concerned multiple buffer overflows in the ME’s kernel. Intel’s audit found several other high-severity buffer overflows in AMT in the ME firmware, TXE, and SPS.

One of the flaws it found would allow a remote attacker to execute arbitrary code if they had Admin access.



Australia likely to get its own GDPR

Everyone in the Australian cybersecurity ecosystem has a role to play to ensure the security of the nation, according to Nationals Senator Bridget McKenzie.

The mandatory data breach notifications laws coming into effect in Australia next year will be followed by other laws to ensure everyone in the digital ecosystem — including government divisions, large corporates, small to medium-size enterprises (SMEs), and consumers — are playing their role in keeping Australia “cyber secure”, according to Senator Bridget McKenzie.

McKenzie, who is the chair of the Foreign Affairs, Defence, and Trade Legislation Committee, likened cyber breaches to the “system of disease in the pre-industrial revolution that just swept through”.

“Cyber breaches have the capacity to wipe out industries, wipe out systems, wipe out communities, if every member of that community or that cyber ecosystem isn’t following best practice when it comes to keeping their information secure,” McKenzie told ZDNet at the Australian Computer Society’s Reimagination Thought Leaders’ Summit.

“It’s not just defence’s job or ASIO’s or DSTO’s or the government’s indeed, but every SME and private homeowner needs to have an eye for cybersecurity, making sure their data’s safe.”

McKenzie said the mandatory data breach notification laws, set to come into effect next year, are a step towards keeping organisations alert and accountable, with other laws expected to be introduced in Australia in the coming years, possibly similar to those coming into effect next year in the European Union.

The European Union’s (EU) General Data Protection Regulation (GDPR) will require organisations around the world that hold data belonging to individuals from within the EU to provide a high level of protection and explicitly know where every piece of data is stored.

Organisations that fail to comply with the regulation requirements could be fined up to €20 million, or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year — whichever is higher.

“No longer can you say, ‘Oh I’ll leave it to someone else because the flow-on effects, the interconnectedness, the Internet of Things, is such that if one member of that web, if you like, has a security breach, it has flow-on effects for everybody involved,” McKenzie said.

Additionally, Australians need to have the confidence that they can share private information such as their health details and not have it end up in the public sphere, otherwise the nation will not be able to experience the full benefits of technology, McKenzie said.

Shadow Minister for the Digital Economy Ed Husic said, however, that the government has a long way to go in building that confidence, given 50,000 Australians have been affected by a government data breach that occurred in October. He noted that the breach was not a technological error, but a human error.

“How do we build consumer or citizen confidence about protection of privacy?” Husic said. “50,000 people were affected by a data breach across government, releasing details of passwords and credit cards. It’s not all tech related … people often blame tech for this. It’s people and the way that they use data and it’ll be interesting to see the details that come out on this in the next few days.”

“This data breach occurred back in October, no public explanation of it, no detail about what was known, what was being done to fix it. If we want people to be confident that data is being used well by government, then the government’s got a long way to go to build that confidence.”

Husic added that the government needs to lead by example; it should be notifying the public about data breaches if it wants businesses to do the same.

“[The government’s] got to do some things itself. And you can’t lecture business about getting focused on cybersecurity if you’re losing your own moral authority … because you’re not looking after data within your own batch,” he said.

McKenzie believes in Australia’s growing status as a cybersecurity hub, saying that the nation is equipped with the right expertise in this area. She added that Australia is in the process of creating a strong cybersecurity industry capable of exporting.

“Our law enforcement and intelligence agencies are world-class. We’re also part of Five Eyes, which means we have a lot of access to information and technology and collaboration opportunities,” she said. “We lead the world in quantum computing … and it [has the] potential to contribute further to security of data and security of communications particularly in the intelligence and defence spheres.

“We’ve really got some technical expertise, but also I think a richness around governance frameworks and excellence in regulatory frameworks that can also assist other governments and other organisations worldwide to understand best practices in the area.”

In September, Ambassador for Cyber Affairs Dr Tobias Feakin communicated a similar sentiment, saying Australia has an international standing in cybersecurity, and brings “key qualities” to the table.

Australia has also played a role in the creation of international peacetime norms for cyberspace, including chairing the first United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) in 2013, and helping develop the 11 international norms agreed to in subsequent UN GGE meetings.

“We have regional knowledge beyond most. We have a trusted diplomatic brand, and that’s something that we intend to capitalise on. We have strategic and economic interests in the region. And we have long-standing development partnerships across the region already,” Feakin said at the second annual SINET61 conference in Sydney.

“We need to capitalise on those, make the most of them. Not just for us as a government, [and] for regional partners as well, but also for our private sector … We see this issue as central to our economic future,” he said.

“It’s only this year that it’s just reached the point, of tipping over, to 50 percent of all internet users living in the Asia-Pacific. But really, still, there’s huge economic growth to unravel there, because still 60 percent of all households don’t have internet coverage.”

Last month, launching the International Cyber Engagement Strategy, Foreign Minister Julie Bishop said that for the purpose of national security, cyberspace cannot be an ungoverned space.

“Just as we have international rules that guide how states behave, and how states should behave towards each other, the international rules-based order that’s been in place for about 70 years, so too must states acknowledge that activities in cyberspace are governed by the same set of rules as military and security activities in traditional domains,” Bishop said in October.

“The 2016 US presidential election focused the world’s attention on the potential for cyber operations to interfere with democratic processes. This cannot be allowed to continue. It strikes at the very heart of the sovereignty of nations.”

According to the International Cyber Engagement Strategy, Australia will develop an international “architecture for cooperation” including mechanisms to respond to unacceptable behaviour in cyberspace in a timely manner.

“Australia’s responses to malicious cyber activity could comprise law enforcement or diplomatic, economic, or military measures as appropriate for the circumstances. This could include, but is not restricted to, offensive cyber capabilities that disrupt, deny, or degrade the computers or computer networks of adversaries,” the strategy states.

The strategy also implies that the nation has the capability to identify the source of cyber attacks.

“Depending on the seriousness and nature of an incident, Australia has the capability to attribute malicious cyber activity in a timely manner to several levels of granularity — ranging from the broad category of adversary through to specific states and individuals,” the strategy states.

In September, the federal government pledged AU$50 million over seven years for the cybersecurity cooperative research centre (CRC), with over AU$89 million in further funding to come from 25 industry, research, and government partners.

The cybersecurity CRC will deliver solutions to increase the security of critical infrastructure, the government said at the time, which includes “frameworks, products, and approaches that will service existing and future ICT enterprises across a broad range of platforms and operating systems”.

Assistant Minister for Industry, Innovation and Science Craig Laundy said the activities of the cybersecurity CRC will contribute to the objectives laid out in Australia’s AU$240 million Cyber Security Strategy, which is aimed at defending the nation’s cyber networks from organised criminals and state-sponsored attackers.


FBI Couldn’t Access Almost 7K Devices Because Of Encryption

The FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, FBI Director Christopher Wray said Sunday, turning up the heat on a debate between technology companies and law enforcement officials trying to recover encrypted communications.

In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech at the International Association of Chiefs of Police conference in Philadelphia.

“To put it mildly, this is a huge, huge problem,” Wray said. “It impacts investigations across the board—narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.”

The FBI and other law enforcement agencies have long complained about being unable to unlock and recover evidence from cellphones and other devices seized from suspects even when they have a warrant, while technology companies have insisted they must protect customers’ digital privacy.

The long-simmering debate was on display in 2016, when the Justice Department tried to force Apple to unlock an encrypted cellphone used by a gunman in a terrorist attack in San Bernardino, California. The department eventually relented after the FBI said it paid an unidentified vendor who provided a tool to unlock the phone and no longer needed Apple’s assistance, avoiding a court showdown.

The Justice Department under President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from technology companies. But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take.

“I get it, there’s a balance that needs to be struck between encryption and the importance of giving us the tools we need to keep the public safe,” Wray said.

In a wide-ranging speech to hundreds of police leaders from across the globe, Wray also touted the FBI’s partnerships with local and federal law enforcement agencies to combat terrorism and violent crime.

“The threats that we face keep accumulating, they are complex, they are varied,” Wray said, describing threats from foreign terror organizations and homegrown extremists.

Wray also decried a potential “blind spot” for intelligence gathering if Congress doesn’t reauthorise a surveillance provision set to expire at the end of the year. Section 702 of the Foreign Intelligence Surveillance Act allows the government to collect information about militants, people suspected of cybercrimes or of proliferating weapons of mass destruction, and other foreign targets outside the United States. Intelligence and law enforcement officials say the provision is vital to national security.

The section permits the government, under the oversight of the Foreign Intelligence Surveillance Court, to target non-Americans located outside the United States.

“If it doesn’t get renewed or reauthorized, essentially in the form that it already is, we’re about to get another blind spot,” Wray said.