Category: Privacy, Data Protection & Information Management

1
To encrypt or not encrypt? That is the question
2
Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid
3
K&L Gates Supports Safer Internet Day 2019
4
Is Microsoft giving us a window to our personal data?
5
Biggest data leak in German history
6
Marriott Hotel reveals further details about records impacted by data breach; revises down number of affected records
7
Emergency warning system hacked
8
So you plug your shiny Tesla in to charge…
9
Cybersecurity: location, location, location
10
Encryption bill to give unprecedented power

To encrypt or not encrypt? That is the question

By Cameron Abbott and Ella Richards

In response to the new controversial anti-encryption laws, Australian tech heavyweights have banded together to kick and scream over the restrictive implications the laws are already having on their industry.

Quick history lesson; the Assistance and Access Bill permit law enforcement to demand companies running applications such as Whatsapp to allow “lawful access to information”. This can be through either decryption of encrypted technology, or providing access to communications which are not yet encrypted. These ‘backdoors’ are intended to provide the good guys with the opportunity to fight serious crime, however there’s serious fear that in reality, these doors could throw out privacy or let in unwanted guests.

While the legislation states that backdoors should only be created if it doesn’t result in any ‘systemic weakness’; this is yet to be defined in a concrete and informative way. Industry points out that once created any such measure has the potential to be exploited by others. There is no such thing as a “once” only back door.

There is little doubt that this will end up in litigation as larger industry players challenge the abstract concepts in the legislation against the reality of their technology.

StartupAUS, an industry group of tech executives, have made several recommendations to amend the legislation. Even though they’re not holding their breath for any significant changes, they’re demanding more transparency around the requirements. Their recommendations include scrapping the requirement for an employee to build capabilities to intercept communications, tightening the scope of ‘designated communication providers’, giving oversight on how companies will be targeted and increasing what constitutes a ‘serious offence’.

Australia’s legislative response to the problem faced by law enforcement is one of the most heavy handed in the democratic world, and now has the world of technology companies with their significant impact on our economy watching the latest debate on reforms with great concern.

Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid

By Cameron Abbott, Max Evans and Wendy Mansell

A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.

The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.

Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.

A number of small firms fell victim to these tactics giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further they used fake personas to send emails and pretended to be job seekers, by sending resumes containing tainted attachments to energy companies.

The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies who had access to the industrial control systems that run the grid.

An alarming aspect was the number of affected companies that remained oblivious of the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two factor authentication and regular password resets remain measures to limit these threats but so many organisations do not use them.

We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.

K&L Gates Supports Safer Internet Day 2019

By Cameron Abbott and Wendy Mansell

Today is Safer Internet Day and K&L Gates is a proud supporter of this yearly international event which raises awareness of cyber issues and online safety concerns.

K&L Gates has a strong focus on promoting and advocating for a safer internet through the Cyber Civil Rights Legal Project. This project helps victims of non-consensual pornography known as ‘revenge porn’ by providing pro bono legal assistance to individuals suffering from these cybercrimes.

Revenge porn is a serious invasion of privacy and K&L Gates assists in having the images removed from the internet. This cyber epidemic is taking place around the world and due to K&L Gates global legal presence, these services can be provided to victims internationally.

K&L Gates further supports Safer Internet Day through the working relationship being built with the Office of the eSafety Commissioner,who is responsible for coordinating the event in Australia.

The theme for this year’s event is “Together for a better internet“, which encourages the development of respect, responsibility, reasoning and resilience skills when using the internet. K&L Gates is actively striving for a better internet through focusing on improving online safety and fighting against cybercrimes.

Is Microsoft giving us a window to our personal data?

By Cameron Abbott and Allison Wallace

We often blog on this page about personal information being breached, data being hacked, systems being compromised – and tell cautionary tales of the difficulties businesses can experience if they experience a data breach.

So what if there was a good news story? A way to know what information there is out there about you, so that if it is compromised, you can take control? Microsoft may just be working on such a solution.

Multiple websites (see here and here) have now reported on Microsoft’s “Project Bali” – which, although still in a private testing phase is accessible to a lucky few, by invite only.

The Project Bali website reportedly describes the tech giant’s project as “a new personal data bank which puts users in control of all data collected about them” and will allow users to “store all data (raw and inferred) generated by them ..[and] to visualise, manage, control, share and monetise the data”.

It is reported that the project was borne from a Microsoft Research paper in 2014 that delved into the concept of “Inverse Privacy” – allowing consumers to access the data that any given business holds about them, increasing transparency, something consumers value.

In theory, Project Bali seems like a good antidote to the increasing number of privacy incursions we are seeing (such as this and this). However, whether the idea is commercialised and becomes publicly available, only time will tell. We will keep you posted.

Biggest data leak in German history

By Rob Pulham, Warwick Anderson and Wendy Mansell

A 20 year old German man orchestrated a serious and sophisticated data breach which affected more than 1000 people.

The attack was focused on German and European politicians at all levels including German Chancellor Angela Merkel, President Frank Walter Steinmeier and hundreds of public figures and celebrities.

The 20 year old hacker took to Twitter to drip feed the information depicted as an advent calendar by releasing new data each day in December. Information exposed included contact details, credit card and financial information, chat records, photographs and other personal information.

Reuters’ reported that the hacker is a student who lives at home with his parents, has no formal computer education and was motivated by irritation over statements made by politicians and public figures.

The widespread nature of this attack has resulted in a number of government officials calling for tighter laws.

It is clear that no-one is safe from a data breach – even those elected representatives who enact the laws designed to protect against them.

Marriott Hotel reveals further details about records impacted by data breach; revises down number of affected records

By Warwick Andersen, Rob Pulham and Keely O’Dowd

Late last year the Marriott Hotel announced that it had suffered a data breach, which affected approximately 500 million guests who made a hotel reservation using its Starwood reservation system. Details about the data breach can be found in our previous blog.

Read More

Emergency warning system hacked

By Warwick Andersen, Rob Pulham and Allison Wallace

A new year, and a new hacking incident – this time, it was the Early Warning Network (EWN) – a text and email service used by councils around Australia to warn locals of emergency situations.

On its Facebook page, EWN stated that a hacker was able to access its system, sending out messages via text, email and landline stating that EWN had been hacked and that the receiver’s personal data was not safe. The message also included links to support email addresses and a website.

EWN said that the hack was quickly identified and systems shut down, with no-one’s personal information compromised during the attack. The attack is believed to have originated within Australia, involving compromised login details.

While EWN said that personal information was not compromised by this incident, it serves as a timely reminder for businesses to check and test their information security processes and data breach response plans – and if one isn’t in place, to implement one.  The Office of the Australian Information Commissioner reported that it received 550 notifications of data breaches from the time the notifiable data breach legislation commenced on 22 February 2018 to 30 September 2018.

If you’d like to find out more about the legislation, or what your business can do to protect itself, check out this 60-second video by Cameron Abbott.

So you plug your shiny Tesla in to charge…

By Cameron Abbott and Wendy Mansell

…and suddenly you are at risk of starting fires.

We all know that these days the Internet of Things is a favourite for cyberattacks, with the latest target being home charging stations for electric cars.

Many home charging stations are controlled remotely by mobile apps, which seem to provide the perfect opportunity for hackers to cause harm.

Hackers cleverly can infiltrate an account and turn charging off or even worse, they may change the current to the extent it can start a fire.

Once again the industry needs to take security seriously for IoT and have the same diligence as IT networks now do.

Cybersecurity: location, location, location

Authors: Cameron Abbott and Sara Zokaei Fard

According to a report published by BitSight on 4 December 2018, “Are the New European Cybersecurity Regulations Working?”, Europe is one of the only exceptions to a global decline in security performance. There are regular occurrences of cybersecurity compromises around the world, with some sectors such as Technology consistently performing weaker than others. Companies in the Finance sector continue to be the world’s strongest cybersecurity performers, due to their high regulative overlay. While “continental cybersecurity performance continues to decline”, in Europe, cybersecurity performance is improving to an extent unlike any other continent in the world.

The General Data Protection Regulation (GDPR) officially went into effect in the European Union in May 2018. The GDPR is a landmark European Union law, that sets significant punitive fines at up to 4% of global revenue if organisations do not implement a broad set of cybersecurity requirements in certain circumstances. In the months following the implementation of the GDPR, European security performance has consistently improved and now significantly surpasses all other continents. In this same time frame, Oceania’s cybersecurity performance has spiralled downwards.

BitSight states “the chorus for GDPR-style regulation is growing internationally”. The statistics certainly support this.  However others argue that countries like the US demonstrate significant competitive advantage in developing highly valuable big data and social media intellectual property because of the lower regulatory environment encouraging innovators.  The value to economies of these industry segments is significant.

Encryption bill to give unprecedented power

By Cameron Abbott and Wendy Mansell

The Coalition government is attempting to pass large-scale decryption reforms which will give sweeping powers to law enforcement agencies for overt and covert computer access.

The reforms have caused significant controversy as they may force tech companies and communications providers to modify their services, creating “systemic weaknesses” for intelligence agencies to exploit. However many point out these same vulnerabilities may be utilised by criminals.

Further the potential repercussions of these reforms may undermine consumers’ privacy, safety and trust through unprecedented access to private communications. This could have anti-competitive effects, as the reputations of Australian software developers and hardware manufacturers will suffer within international markets.

At the same time, the harsh reality that terrorists and organised crime increasingly utilise these technologies to evade surveillance highlights a very clear problem for law enforcement authorities.

We won’t seek to suggest where the balance between these interests should lie, but the debate rages on. Stay tuned.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.