Archive: 2019

1
Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid
2
K&L Gates Supports Safer Internet Day 2019
3
Is Microsoft giving us a window to our personal data?
4
Biggest data leak in German history
5
Marriott Hotel reveals further details about records impacted by data breach; revises down number of affected records
6
Emergency warning system hacked

Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid

By Cameron Abbott, Max Evans and Wendy Mansell

A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.

The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.

Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.

A number of small firms fell victim to these tactics giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further they used fake personas to send emails and pretended to be job seekers, by sending resumes containing tainted attachments to energy companies.

The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies who had access to the industrial control systems that run the grid.

An alarming aspect was the number of affected companies that remained oblivious of the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two factor authentication and regular password resets remain measures to limit these threats but so many organisations do not use them.

We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.

K&L Gates Supports Safer Internet Day 2019

By Cameron Abbott and Wendy Mansell

Today is Safer Internet Day and K&L Gates is a proud supporter of this yearly international event which raises awareness of cyber issues and online safety concerns.

K&L Gates has a strong focus on promoting and advocating for a safer internet through the Cyber Civil Rights Legal Project. This project helps victims of non-consensual pornography known as ‘revenge porn’ by providing pro bono legal assistance to individuals suffering from these cybercrimes.

Revenge porn is a serious invasion of privacy and K&L Gates assists in having the images removed from the internet. This cyber epidemic is taking place around the world and due to K&L Gates global legal presence, these services can be provided to victims internationally.

K&L Gates further supports Safer Internet Day through the working relationship being built with the Office of the eSafety Commissioner,who is responsible for coordinating the event in Australia.

The theme for this year’s event is “Together for a better internet“, which encourages the development of respect, responsibility, reasoning and resilience skills when using the internet. K&L Gates is actively striving for a better internet through focusing on improving online safety and fighting against cybercrimes.

Is Microsoft giving us a window to our personal data?

By Cameron Abbott and Allison Wallace

We often blog on this page about personal information being breached, data being hacked, systems being compromised – and tell cautionary tales of the difficulties businesses can experience if they experience a data breach.

So what if there was a good news story? A way to know what information there is out there about you, so that if it is compromised, you can take control? Microsoft may just be working on such a solution.

Multiple websites (see here and here) have now reported on Microsoft’s “Project Bali” – which, although still in a private testing phase is accessible to a lucky few, by invite only.

The Project Bali website reportedly describes the tech giant’s project as “a new personal data bank which puts users in control of all data collected about them” and will allow users to “store all data (raw and inferred) generated by them ..[and] to visualise, manage, control, share and monetise the data”.

It is reported that the project was borne from a Microsoft Research paper in 2014 that delved into the concept of “Inverse Privacy” – allowing consumers to access the data that any given business holds about them, increasing transparency, something consumers value.

In theory, Project Bali seems like a good antidote to the increasing number of privacy incursions we are seeing (such as this and this). However, whether the idea is commercialised and becomes publicly available, only time will tell. We will keep you posted.

Biggest data leak in German history

By Rob Pulham, Warwick Anderson and Wendy Mansell

A 20 year old German man orchestrated a serious and sophisticated data breach which affected more than 1000 people.

The attack was focused on German and European politicians at all levels including German Chancellor Angela Merkel, President Frank Walter Steinmeier and hundreds of public figures and celebrities.

The 20 year old hacker took to Twitter to drip feed the information depicted as an advent calendar by releasing new data each day in December. Information exposed included contact details, credit card and financial information, chat records, photographs and other personal information.

Reuters’ reported that the hacker is a student who lives at home with his parents, has no formal computer education and was motivated by irritation over statements made by politicians and public figures.

The widespread nature of this attack has resulted in a number of government officials calling for tighter laws.

It is clear that no-one is safe from a data breach – even those elected representatives who enact the laws designed to protect against them.

Marriott Hotel reveals further details about records impacted by data breach; revises down number of affected records

By Warwick Andersen, Rob Pulham and Keely O’Dowd

Late last year the Marriott Hotel announced that it had suffered a data breach, which affected approximately 500 million guests who made a hotel reservation using its Starwood reservation system. Details about the data breach can be found in our previous blog.

Read More

Emergency warning system hacked

By Warwick Andersen, Rob Pulham and Allison Wallace

A new year, and a new hacking incident – this time, it was the Early Warning Network (EWN) – a text and email service used by councils around Australia to warn locals of emergency situations.

On its Facebook page, EWN stated that a hacker was able to access its system, sending out messages via text, email and landline stating that EWN had been hacked and that the receiver’s personal data was not safe. The message also included links to support email addresses and a website.

EWN said that the hack was quickly identified and systems shut down, with no-one’s personal information compromised during the attack. The attack is believed to have originated within Australia, involving compromised login details.

While EWN said that personal information was not compromised by this incident, it serves as a timely reminder for businesses to check and test their information security processes and data breach response plans – and if one isn’t in place, to implement one.  The Office of the Australian Information Commissioner reported that it received 550 notifications of data breaches from the time the notifiable data breach legislation commenced on 22 February 2018 to 30 September 2018.

If you’d like to find out more about the legislation, or what your business can do to protect itself, check out this 60-second video by Cameron Abbott.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.