CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

 

1
Volkswagen, Israeli experts to establish automotive cybersecurity company
2
Have I been pwned?
3
Bitcoin operators exposed to cyber threats
4
Ashley Madison data breach joint findings released
5
Lawyers potential rich targets for hackers
6
Government committed to introducing Mandatory Data Breach Notification laws
7
Oracle’s Point-of-Sale division targeted by professional hackers
8
Sour Apple blasts the Banks for application to ACCC
9
Hackers to take the blame for Census?
10
The White House issues response guide to a cyber attack

Volkswagen, Israeli experts to establish automotive cybersecurity company

By Cameron Abbott and Rebecca Murray

The increasing connectivity of modern cars has enhanced the modern driving experience beyond what we could imagine only a few decades ago. However, with increasing connectivity comes an increasing risk. Features such as autonomous and intelligent parking and driving systems have increased the number of interfaces in vehicles and therefore the risk of malicious attack. To demonstrate how easily vehicles can be targeted, last year, two hackers developed a tool that can hijack a Jeep remotely over the internet. You can watch the remote hacking of the Jeep featured by WIRED here.

In response to this growing threat, Volkswagen along with three Israeli experts and their team are jointly establishing an automotive cyber security company. The newly founded CYMOTIVE Technologies will develop advanced cyber security for next generation connected cars. CYMOTIVE has announced that it aims to take an innovative and strategic approach to the significant technological challenges that will face the connected car and the development of the autonomous car in the future.

 

Have I been pwned?

By Cameron Abbott and Rebecca Murray

Information security blog {ride the lightning} has featured Troy Hunt’s “Have I been pwned” website which identifies whether your online account has ever been compromised in a data breach when you enter your account’s login ID.

Troy Hunt describes himself on his website as a Microsoft Regional Director, a Microsoft Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight. While we don’t know much about his site, it is reported to be safe and provides a very handy tool to determine if you have been unknowingly hacked. Of course, even if the site is legitimate, who is to say it won’t be breached? It’s just that it’s so useful.

See if you have been pwned here…and yes…we both have been.

 

Bitcoin operators exposed to cyber threats

By Cameron Abbott and Rebecca Murray

Reuters has reported that a third of bitcoin trading platforms have been hacked, and nearly half have closed since they entered the scene 6 years ago. This increasing risk for bitcoin holders is compounded by the fact there is no depositor’s insurance to absorb the loss. That approach heightens cybersecurity risks and also exposes the fact that bitcoin investors have little choice but to do business with under-capitalized exchanges.

This issue was evident when Bitfinex was hacked earlier this month and an estimated $70 million in bitcoin was stolen. The virtual bank’s customers were forced to share the losses resulting in a generalized loss percentage of 36.067%. Read our blog post on this hacking here.

Experts say trading venues acting like banks such as Bitfinex will remain vulnerable. These exchanges act as custodial wallets in which they control users’ digital currencies like banks control customer deposits. However, unlike their brick-and-mortar counterparts, when customers’ bitcoin accounts are hacked, there is currently no third party that can step in to deal with the theft. As a result, these underfunded exchanges require nearly perfect security.

Given this it is not surprising that certain governments around the world are exploring the possibility of central bank issued digital currencies using distributed ledger technology which could compete with the private digital currency systems such as bitcoin. Read more on this here.

Ashley Madison data breach joint findings released

By Cameron Abbott and Rebecca Murray

The Australian Privacy Commissioner, Timothy Pilgrim and The Privacy Commissioner of Canada, Daniel Therrien have released a joint report on the data breach of cheating website Ashley Madison which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.

Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.

ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings it requires independent verification of certain compliance steps. Find the undertakings here.

It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using for example Tony Blair’s email address captured the attention of the regulators. They focused on the interests under Privacy laws of those whose email addresses were falsely added to the sign up. A confirming email with an option to opt out was not considered an adequate measure.

Read more about the report here.

Lawyers potential rich targets for hackers

By Cameron Abbott and Rebecca Murray

As the threat of cybercrime and cyber espionage continues to grow globally, the Law Council of Australia has announced that it will launch a national cyber security information campaign for the legal profession this year. Read the Law Council’s media release here.

The Law Council has been working in partnership with the legal profession, cyber security experts, and government to formulate the information initiative since it nominated cyber security as a key priority at the beginning of the year. Launch of the campaign is expected by the end of 2016.

The president of the Law Council, Stuart Clark, says cyber security is a ‘major problem’ for law firms and the government has an important role to play in raising awareness and providing information about the technology involved. We say, we like teasing large global companies about their security failings … as long as it’s not ours!!

Government committed to introducing Mandatory Data Breach Notification laws

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General, George Brandis has said the government is committed to introducing the Mandatory Data Breach Notification laws this year. We will be sure to look out for it during the next term of Parliament. You can find more information on the proposed scheme and its regulatory impact on the Attorney General’s Department consultation for Serious Data Breach Notification webpage.

 

Oracle’s Point-of-Sale division targeted by professional hackers

By Cameron Abbott and Rebecca Murray

Oracle confirmed last week that its security was breached by a Russian organized cybercrime group infamous for hacking retailers and banks. Alarmingly, Oracle’s MICROS point-of-sale credit card payment system was one of the systems targeted in the attack. While the impact of the breach is still being investigated, the attack could have had wide impact. MICROS is one of the top three point-of-sale vendors worldwide and sells point-of-sale systems used at more than 330,000 cash registers globally.

It has been reported that Oracle became aware of the breach after its staff discovered malicious code on the MICROS customer support portal and systems. It is thought that the hackers installed malware on the troubleshooting portal in order to capture customers’ credentials as they logged in. Usernames and passwords could then be used to access customer accounts and remotely control MICROS point-of-sales terminals.

The attack has been linked to crime gang, Carbanak Gang, which has been accused of stealing more than $1 Billion from banks and retailers in the past. These guys clearly know what they are doing.

Sour Apple blasts the Banks for application to ACCC

By Cameron Abbott and Rebecca Murray

Last month we reported that three of Australia’s largest banks had collectively launched an application to the ACCC seeking permission to negotiate with Apple Inc. to install their own electronic payment applications on iPhones.

Apple has submitted a scathing response to the ACCC, warning that allowing the banks to negotiate will compromise the iPhone handset’s security, reduce innovation and blunt Apple’s entry into the payments market in Australia. Read Apple’s submission to the ACCC here.

Apple expressed particular concern about security risks, claiming that providing simple access to NFC antenna by banking applications would fundamentally diminish the high level of security of Apple devices. This concern is not unwarranted as it was recently revealed that hackers have found ways to intercept contactless mobile payments in Samsung’s latest Galaxy smartphones. While Samsung refuted this in a recent blog post, an attached Samsung FAQ revealed that it is possible for an attacker to skim a smartphone’s payment token and make fraudulent purchases.

Hackers to take the blame for Census?

By Cameron Abbott and Rebecca Murray

The Australian Bureau of Statistics (ABS) says that the 2016 online census form was subject to “four Denial of Service attacks,” which prompted the ABS to shut down its Census website as a security precaution on Tuesday night. Read the ABS’s media release here.

While the ABS maintains that 2 million forms were successfully submitted and safely stored, thousands of Australians were prevented from taking part in the Census due to the website crash. The ABS has revealed that it believes that the attacks came from overseas and were a deliberate attempt to sabotage the census. However, we are wondering if the entire Australian population accessing the website at the same time might look like a Denial of Service attack in its own right! If ever a system should have been robust enough to cope with such an attack it was this one.

Attorney-General George Brandis has stated that the security measures in place were “more than sufficient to protect individual privacy” and that “the cyber security operations centre has been engaged overnight…and is investigating the matter.”

The White House issues response guide to a cyber attack

By Cameron Abbott and Simon Ly

Last week, the White House issued the US government’s response guide to cyber attacks titled “Presidential Policy Directive – United States Cyber Incident Coordination”.

Billed to combat “malicious activity, malfunction, human error and acts of nature”, the Directive aims to provide a guide to handle significant cyber incidents while fostering the advancement of technology and innovation. The Directive has a five-level grading system. It has been reported that no hack attack has reached level 5 yet, with this being reserved for a “threat to infrastructure, government stability or American lives”.

If it wasn’t apparent already, this guide emphasises the growing risks of cyber attacks both to governments and companies. It will be interesting to see the Directive in action as the response to the Directive has been mixed, with some saying it doesn’t go far enough and that it simply codifies existing practices. This criticism seems a little unfair because you would hope that existing practices were relatively well thought through and thus not a bad standard to entrench.

For more information, you can access the White House’s press release here.

Copyright © 2016, K&L Gates LLP. All Rights Reserved.