Archive: 2018

1
So you plug your shiny Tesla in to charge…
2
Android users beware the 21st century Trojan horse
3
What do you need to know about the encryption killing legislation?
4
Cybersecurity: location, location, location
5
Encryption bill to give unprecedented power
6
Marriott Hotel – time to change your passwords!
7
China in breach of cyber-security pact
8
China’s main security agency linked to cyber intellectual property theft
9
Beware of third party data breaches
10
Time to opt out of having a My Health Record has been extended

So you plug your shiny Tesla in to charge…

By Cameron Abbott and Wendy Mansell

…and suddenly you are at risk of starting fires.

We all know that these days the Internet of Things is a favourite for cyberattacks, with the latest target being home charging stations for electric cars.

Many home charging stations are controlled remotely by mobile apps, which seem to provide the perfect opportunity for hackers to cause harm.

Hackers cleverly can infiltrate an account and turn charging off or even worse, they may change the current to the extent it can start a fire.

Once again the industry needs to take security seriously for IoT and have the same diligence as IT networks now do.

Android users beware the 21st century Trojan horse


Authors: Cameron Abbott and Sara Zokaei Fard

Here’s one to keep and eye out for – research from ESET has discovered an Android Trojan that attempts to steal funds from PayPal accounts. The malware is distributed by third-party apps rather than the Google Playstore. Once the app is launched, no functionality is provided. Instead, the app terminates and the icon is hidden. When the victim launches their PayPal App, the malware attempts to steal funds.

The interesting thing about this malware is that unlike most, it does not focus on phishing. This malware attacks the victim and attempts to instantly transfer money to the attacker’s account, when the user launches their PayPal App. The malware is able to hijack the legitimate PayPal App through the malware downloaded through the third-party app. This raises concerns of what applications on Android mobile devices will be attacked next.

What do you need to know about the encryption killing legislation?

By Cameron Abbott and Wendy Mansell

There are now three ways a government agency can gain access to encrypted information:

1. ask you to voluntarily help them
2. demand your help
3. force you build new functions in your systems to help them

As a company if you don’t comply you could be hit with a fine of up to almost $10 million dollars.

You do have a defence though – if the requests will undermine your encryption systems, making them inherently less secure you do not have comply.

If you would like to know more about how the new legislation will affect you feel free to contact us for any assistance or information.

Cybersecurity: location, location, location

Authors: Cameron Abbott and Sara Zokaei Fard

According to a report published by BitSight on 4 December 2018, “Are the New European Cybersecurity Regulations Working?”, Europe is one of the only exceptions to a global decline in security performance. There are regular occurrences of cybersecurity compromises around the world, with some sectors such as Technology consistently performing weaker than others. Companies in the Finance sector continue to be the world’s strongest cybersecurity performers, due to their high regulative overlay. While “continental cybersecurity performance continues to decline”, in Europe, cybersecurity performance is improving to an extent unlike any other continent in the world.

The General Data Protection Regulation (GDPR) officially went into effect in the European Union in May 2018. The GDPR is a landmark European Union law, that sets significant punitive fines at up to 4% of global revenue if organisations do not implement a broad set of cybersecurity requirements in certain circumstances. In the months following the implementation of the GDPR, European security performance has consistently improved and now significantly surpasses all other continents. In this same time frame, Oceania’s cybersecurity performance has spiralled downwards.

BitSight states “the chorus for GDPR-style regulation is growing internationally”. The statistics certainly support this.  However others argue that countries like the US demonstrate significant competitive advantage in developing highly valuable big data and social media intellectual property because of the lower regulatory environment encouraging innovators.  The value to economies of these industry segments is significant.

Encryption bill to give unprecedented power

By Cameron Abbott and Wendy Mansell

The Coalition government is attempting to pass large-scale decryption reforms which will give sweeping powers to law enforcement agencies for overt and covert computer access.

The reforms have caused significant controversy as they may force tech companies and communications providers to modify their services, creating “systemic weaknesses” for intelligence agencies to exploit. However many point out these same vulnerabilities may be utilised by criminals.

Further the potential repercussions of these reforms may undermine consumers’ privacy, safety and trust through unprecedented access to private communications. This could have anti-competitive effects, as the reputations of Australian software developers and hardware manufacturers will suffer within international markets.

At the same time, the harsh reality that terrorists and organised crime increasingly utilise these technologies to evade surveillance highlights a very clear problem for law enforcement authorities.

We won’t seek to suggest where the balance between these interests should lie, but the debate rages on. Stay tuned.

Marriott Hotel – time to change your passwords!

Authors: Cameron Abbott and Keely O’Dowd

 On Friday, 30 November 2018 the Marriott Hotel announced that it had suffered a data breach, we are all getting a little numb to large breaches but this one is one of the biggest in recent times.

The Marriott revealed that over a four year period, up to approximately 500 million guests who made a reservation using the Starwood reservation system for a hotel within the Marriott umbrella on or before 10 September 2014 may have had their data compromised. For approximately 327 million guests, information that may have been comprised includes a combination of name, address, phone number, email address, password, Starwood Preferred Guest account information, date of birth, gender, payment card numbers, arrival and departure information, reservation date and communication preferences.

Most hotel booking/POS systems have been attacked in recent years and these attacks have proven difficult to detect and trace through to understand the impact, it takes time and significant resources.  If you have used the Starwood reservation system – it is a good time to change the password and update passwords anywhere else you use those same or similar credentials.

China in breach of cyber-security pact

By Cameron Abbott and Wendy Mansell

It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of Security Services is behind the surge of intellectual property theft from Australian companies.

The news that the persistent attacks on Australian IP are perhaps a State sponsored campaign by the Chinese government is concerning as it suggests that China are in breach of several international and bilateral agreements.

In 2015, an agreement was made between Chinese President Xi Jinping and former President Obama, that the U.S and China would not steal intellectual property from one another for commercial gain. This was furthered at the November 2015, G20 Summit, where the cyber-theft of IP was accepted as the norm.

Following on from this in September 2017, former Prime Minister Malcolm Turnbull and Chinese Premier Li Kequiang promised that neither country would engage in cyber-theft of intellectual property and commercial secrets.

Reports of cyber-theft declined immediately after these agreements, however in recent months they have ramped up again.

A U.S Trade Representative report released this week confirms that despite any international agreements, China has continued engaging in cyber-espionage and the theft of intellectual property. Further the report states that not only is China likely to be in breach of these agreements, but the attacks have “increased in frequency and sophistication”.

Notably in July of this year, China was linked to the cyber-breach of Australian National University. This attack was particularly disturbing given that ANU is a leading university involved in key areas of Australian technological, scientific, defence and commercial research.  It is fascinating that cyber attacks and theft are a “norm” that is accepted within our overall international relationships.  Physical acts of a similar nature would not be so easily accepted.

China’s main security agency linked to cyber intellectual property theft

By Cameron Abbott and Wendy Mansell

In April 2017, PWC, in collaboration with BAE Systems’ published a report on “Operation Cloud Hopper”, which exposed a cyber espionage campaign being conducted by a China-based threat actor. The report suggests that Operation Cloud Hopper is almost certainly the same threat actor known as “APT10”, a Chinese group thought to be behind cyber-attacks against many countries including Japan, Canada and America.

Recently it has been reported that there are links between China’s Ministry of State Security (MSS) and Operation Cloud Hopper. These allegations are from U.S based firm CrowdStrike who have recognised ties between Operation Cloud Hopper and the MSS Tianjin Bureau.

There is no confirmation that the MSS is behind the Cloud Hopper attacks, however Dr Adrian Nish, Head of Threat of Intelligence at BAE Systems said that there is “no reason to doubt” the claims.

The term “Cloud Hopper” describes a technique where cyber espionage groups “hop” from cloud storage services and infiltrate Australian IT systems. Operation Cloud Hopper is responsible for the theft of intellectual property from a number of Australian companies, primarily focused on mining, engineering and professional services firms.

In a week full of news about China activities in the region, the suggestion of state sponsored hacking thefts is a salient warning to companies that their core intellectual property assets are at risk if not well secured.

Beware of third party data breaches

By Cameron Abbott and Keely O’Dowd

A study by Ponemon Institute found the percentage of US and UK companies that faced a data breach because of a vendor or third party is growing. In the US alone, 61% of surveyed respondents confirmed that their organisation had experienced a data breach caused by a third party, which is up 5% from last year and 12% from 2016.

Ponemon Institute’s research also found that 22% of surveyed respondents admitted they did not know if they had a third party data breach during the past 12 months and more than three quarter of companies thought third-party cyber security breaches were increasing.

These research findings suggest to us that businesses must do more to guard against third party data breach risks. This may involve:

  • conducting due diligence on third party vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship;
  • including robust privacy and data security clauses in contracts with third parties, including the requirement that the third party notify you of actual and suspected data breaches; and
  • keeping a register of all third party vendors your business engages and the types of personal, sensitive of confidential information the third party vendors accesses, stores or shares on behalf of your business.

The third party landscape is becoming increasingly complex and businesses need to better manage and understand what exactly their vendors are up to and doing to protect their data.

Time to opt out of having a My Health Record has been extended

By Cameron Abbott and Keely O’Dowd

Australians now have until 31 January 2019 to decide whether or not to have a My Health Record. The deadline to opt-out of having a My Health Record has been extended again.

Due to privacy and security concerns raised by various stakeholders and medical professionals, the Australian Government has proposed two sets of legislative changes to the My Health Record legislation to strengthen existing privacy protections set out in the legislation and established a Senate Committee inquiry to assess whether the My Health Record system is working and how it can be improved. In July this year, we blogged about the privacy and security concerns raised about the My Health Record system.

During the Senate Committee inquiry, it was revealed by the Office of the Australian Information Commissioner (OAIC) that since the My Health Record system commenced in July 2012, the OAIC has received 88 My Health Records mandatory data breach notifications and 11 mandatory data breach notifications. The data breaches generally involved incorrect information being uploaded to a My Health record.

It is evident to us that the My Health Record system has significant privacy and security issues that should be properly considered before the opt-out period ends. These issues are highlighted in the Senate Committee inquiry final report. In addition, the amending legislation designed to strengthen the privacy protections of the My Health Record system is still being debated in the Senate.

Extending the time for people to decide whether or not to opt-out of a My Health Record is a sensible approach. This gives individuals more time to properly understand the implications of having a My Health Record and for important privacy issues to be considered by the Australian Government.

However if ongoing concerns remain about the privacy and security protections of the My Health Record System by 31 January 2019, if in doubt, better to opt out!

Copyright © 2019, K&L Gates LLP. All Rights Reserved.