Archive:November 2018

1
China in breach of cyber-security pact
2
China’s main security agency linked to cyber intellectual property theft
3
Beware of third party data breaches
4
Time to opt out of having a My Health Record has been extended
5
US, Russia and China don’t pledge to fight cybercrime
6
Q3 Notifiable breaches industry league results: Health first … lawyers a solid third!
7
Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word
8
Australia identified as the link in a major Chinese hack!
9
Ransomware, get your ransomware here, and you too can share in the profits!

China in breach of cyber-security pact

By Cameron Abbott and Wendy Mansell

It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of Security Services is behind the surge of intellectual property theft from Australian companies.

The news that the persistent attacks on Australian IP are perhaps a State sponsored campaign by the Chinese government is concerning as it suggests that China are in breach of several international and bilateral agreements.

In 2015, an agreement was made between Chinese President Xi Jinping and former President Obama, that the U.S and China would not steal intellectual property from one another for commercial gain. This was furthered at the November 2015, G20 Summit, where the cyber-theft of IP was accepted as the norm.

Following on from this in September 2017, former Prime Minister Malcolm Turnbull and Chinese Premier Li Kequiang promised that neither country would engage in cyber-theft of intellectual property and commercial secrets.

Reports of cyber-theft declined immediately after these agreements, however in recent months they have ramped up again.

A U.S Trade Representative report released this week confirms that despite any international agreements, China has continued engaging in cyber-espionage and the theft of intellectual property. Further the report states that not only is China likely to be in breach of these agreements, but the attacks have “increased in frequency and sophistication”.

Notably in July of this year, China was linked to the cyber-breach of Australian National University. This attack was particularly disturbing given that ANU is a leading university involved in key areas of Australian technological, scientific, defence and commercial research.  It is fascinating that cyber attacks and theft are a “norm” that is accepted within our overall international relationships.  Physical acts of a similar nature would not be so easily accepted.

China’s main security agency linked to cyber intellectual property theft

By Cameron Abbott and Wendy Mansell

In April 2017, PWC, in collaboration with BAE Systems’ published a report on “Operation Cloud Hopper”, which exposed a cyber espionage campaign being conducted by a China-based threat actor. The report suggests that Operation Cloud Hopper is almost certainly the same threat actor known as “APT10”, a Chinese group thought to be behind cyber-attacks against many countries including Japan, Canada and America.

Recently it has been reported that there are links between China’s Ministry of State Security (MSS) and Operation Cloud Hopper. These allegations are from U.S based firm CrowdStrike who have recognised ties between Operation Cloud Hopper and the MSS Tianjin Bureau.

There is no confirmation that the MSS is behind the Cloud Hopper attacks, however Dr Adrian Nish, Head of Threat of Intelligence at BAE Systems said that there is “no reason to doubt” the claims.

The term “Cloud Hopper” describes a technique where cyber espionage groups “hop” from cloud storage services and infiltrate Australian IT systems. Operation Cloud Hopper is responsible for the theft of intellectual property from a number of Australian companies, primarily focused on mining, engineering and professional services firms.

In a week full of news about China activities in the region, the suggestion of state sponsored hacking thefts is a salient warning to companies that their core intellectual property assets are at risk if not well secured.

Beware of third party data breaches

By Cameron Abbott and Keely O’Dowd

A study by Ponemon Institute found the percentage of US and UK companies that faced a data breach because of a vendor or third party is growing. In the US alone, 61% of surveyed respondents confirmed that their organisation had experienced a data breach caused by a third party, which is up 5% from last year and 12% from 2016.

Ponemon Institute’s research also found that 22% of surveyed respondents admitted they did not know if they had a third party data breach during the past 12 months and more than three quarter of companies thought third-party cyber security breaches were increasing.

These research findings suggest to us that businesses must do more to guard against third party data breach risks. This may involve:

  • conducting due diligence on third party vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship;
  • including robust privacy and data security clauses in contracts with third parties, including the requirement that the third party notify you of actual and suspected data breaches; and
  • keeping a register of all third party vendors your business engages and the types of personal, sensitive of confidential information the third party vendors accesses, stores or shares on behalf of your business.

The third party landscape is becoming increasingly complex and businesses need to better manage and understand what exactly their vendors are up to and doing to protect their data.

Time to opt out of having a My Health Record has been extended

By Cameron Abbott and Keely O’Dowd

Australians now have until 31 January 2019 to decide whether or not to have a My Health Record. The deadline to opt-out of having a My Health Record has been extended again.

Due to privacy and security concerns raised by various stakeholders and medical professionals, the Australian Government has proposed two sets of legislative changes to the My Health Record legislation to strengthen existing privacy protections set out in the legislation and established a Senate Committee inquiry to assess whether the My Health Record system is working and how it can be improved. In July this year, we blogged about the privacy and security concerns raised about the My Health Record system.

During the Senate Committee inquiry, it was revealed by the Office of the Australian Information Commissioner (OAIC) that since the My Health Record system commenced in July 2012, the OAIC has received 88 My Health Records mandatory data breach notifications and 11 mandatory data breach notifications. The data breaches generally involved incorrect information being uploaded to a My Health record.

It is evident to us that the My Health Record system has significant privacy and security issues that should be properly considered before the opt-out period ends. These issues are highlighted in the Senate Committee inquiry final report. In addition, the amending legislation designed to strengthen the privacy protections of the My Health Record system is still being debated in the Senate.

Extending the time for people to decide whether or not to opt-out of a My Health Record is a sensible approach. This gives individuals more time to properly understand the implications of having a My Health Record and for important privacy issues to be considered by the Australian Government.

However if ongoing concerns remain about the privacy and security protections of the My Health Record System by 31 January 2019, if in doubt, better to opt out!

US, Russia and China don’t pledge to fight cybercrime

By Cameron Abbott and Wendy Mansell

Fifty countries including Japan, Canada and many EU nations have come together with over 150 tech companies, pledging to fight against cybercrime. United State’s tech giants such as Facebook, Google and Microsoft have also joined the party.

The United States, Russia and China however have decided not to sign on. Each has no doubt very different reasons for this – the disappointment is mostly directed to the US. However it is a shame that Russia and China did not also feel the weight of the international community pressure to accept these principles.

The effort to combat cybercrime is being led by France, with French President Emmanuel Macron claiming that it is urgent that the internet is better regulated.

The countries and companies involved are fighting against illegal online activity like censorship, cyber interference in elections, hate speech and trade secrets theft.

The pledge has been made in a document titled the “Paris call for trust and security in cyberspace”.

Q3 Notifiable breaches industry league results: Health first … lawyers a solid third!

By Cameron AbbottKeely O’Dowd and Colette Légeret

The Office of the Australian Information Commissioner (OAIC) has released its third quarterly report of notifiable data breaches. This is the second OAIC report to be released covering a full quarter.

The report revealed that OAIC received 245 notifications of data breaches, marginally up from 242 notifications in the second quarterly report.

Some interesting figures from the OAIC’s report are as follows:

  • 18% of notifications were from health service providers, 14% were from the finance sector; 14% were from the legal, accounting and management services sector; 7% were from the private education sector, and 5% were from the personal services sector;
  • 85% of data breaches involved individual’s contact details, 45% involved financial details, 35% involved identity details, 22% involved health details, 22% involved tax file numbers, and 7% involved other types of personal information; and
  • 57% of data breaches were due to malicious or criminal attack, with 37% due to human error, and 6% due to system faults, with cyber incidents, namely compromised credentials or phishing being the main the cause of

Of the 245 data breaches, 58 affected only one individual – however, 7 affected more than 10,000 individuals.

These figures are a clear reminder of the need to ensure that your business is equipped to deal with data breaches. To learn more about this, take a look at this 60-second video by Cameron Abbott. With professional services ranking a solid third, we’ll take some of our own advice too!

Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word

By Cameron Abbott and Colette Légeret

Cymulate, a leading provider of Breach and Attack Simulation solutions and a Gartner 2018 Cool Vendor, announced last week that its Security Research Team had uncovered a security flaw in the Microsoft Office Suite (Office) that may affect Microsoft Word (Word) users.

The Office security flaw identified is a JavaScript code execution within the embedded video component of Word. This has the potential to impact all users of Office 2016 and users of older Office versions. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening the document with Word.

Read More

Australia identified as the link in a major Chinese hack!

By Cameron Abbott and Jessica McIntosh

According to the US, China is trying to advance its aviation manufacturing capability using stolen information – and the latest is…. the information is being stolen out of Australia!

An Australian IT company dubbed “Company L” has been placed smack bang in the middle of a major hacking case in the US where US authorities have very publically and powerfully accused China of using compromised domain names to steal important aviation technology, alarmingly this has been happening for the large part of the last five years.

Read More

Ransomware, get your ransomware here, and you too can share in the profits!

By Cameron Abbott and Colette Légeret

The expansion of the “service industry” into malware-as-as-service (MaaS), is not the only cyber-attack available online, Bleeping Computer found ransomware-as-a-service (RaaS), that not only uses FilesLocker malware and targets Chinese and American victims, it also offers users a sliding commission pay-scale that rises the more ransomware victims infected.

Bleeping Computer was put on the trail of this RaaS by security researcher, Neutral8✗9eR, who saw it being marketed through a Chinese malware forum on TOR.

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.