Category: Uncategorized

1
Q4 NOTIFIABLE DATA BREACHES CONTINUE TO RISE
2
Android users beware the 21st century Trojan horse
3
What do you need to know about the encryption killing legislation?
4
Encryption bill to give unprecedented power
5
Australia identified as the link in a major Chinese hack!
6
Apple calls for comprehensive US privacy laws.
7
Move over Mirai – Torii is tipped to be the new botnet boss
8
Privacy Standardization in the United States: We Need Consensus
9
FAKE APPS FIND A WAY TO GOOGLE PLAY!
10
Eureka! California Just Adopted a Strong Consumer Privacy Law

Q4 NOTIFIABLE DATA BREACHES CONTINUE TO RISE

By Cameron Abbott, Rob Pulham and Ella Richards.

The Office of the Australian Information Commissioner (OAIC) has released its fourth quarter report of notifiable data breaches between October – December 2018.

The report exposed that the OAIC received 262 notifications of data breaches, which has increased from the 245 notifications that were reported the previous quarter. Below are the key findings from their report:

  • The OAIC report identified the top five sectors who reported data breaches. Private health service providers reported 54 breaches, the finance sector reported 40 breaches, professional services reported 23 breaches, private education providers reported 21 breaches and the mining and manufacturing industry has made its first appearance with a reported 12 breaches.
  • 85% of data breaches involved individual’s contact details, 47% involved financial details, 36% involved identity details, 27% involved health details, 18% involved tax file numbers, and 9% involved other types of personal information.
  • The sources of breach varied, with 64% of data breaches due to malicious or criminal attack, 33% due to human error, and 3% due to system faults.
  • The report also breaks down the breach types per industry. Interestingly, the finance sector experienced the most malicious cyber attacks, and human error dominated the healthcare sector.

Even though 60% of the total breaches involved personal information of 100 individuals or fewer, there were a couple of notifications affecting a significantly higher number of individuals (including one that affected more than 1 million individuals). Human error breaches resulting in the unauthorised disclosure of personal information (via unintended release or publication) impacted an average of more than 17,000 individuals per breach (though this average seems likely to have been skewed by some particularly large breaches), and the failure to securely dispose of personal information affected an average of 300 individuals per breach.

Most data breaches resulted from malicious attacks which gain access through compromised credentials (such as phishing emails or stolen username and passwords). So, if you believe that the email from your CEO requesting your bank details for your exorbitant raise is legitimate, think again!

Android users beware the 21st century Trojan horse


Authors: Cameron Abbott and Sara Zokaei Fard

Here’s one to keep and eye out for – research from ESET has discovered an Android Trojan that attempts to steal funds from PayPal accounts. The malware is distributed by third-party apps rather than the Google Playstore. Once the app is launched, no functionality is provided. Instead, the app terminates and the icon is hidden. When the victim launches their PayPal App, the malware attempts to steal funds.

The interesting thing about this malware is that unlike most, it does not focus on phishing. This malware attacks the victim and attempts to instantly transfer money to the attacker’s account, when the user launches their PayPal App. The malware is able to hijack the legitimate PayPal App through the malware downloaded through the third-party app. This raises concerns of what applications on Android mobile devices will be attacked next.

What do you need to know about the encryption killing legislation?

By Cameron Abbott and Wendy Mansell

There are now three ways a government agency can gain access to encrypted information:

1. ask you to voluntarily help them
2. demand your help
3. force you build new functions in your systems to help them

As a company if you don’t comply you could be hit with a fine of up to almost $10 million dollars.

You do have a defence though – if the requests will undermine your encryption systems, making them inherently less secure you do not have comply.

If you would like to know more about how the new legislation will affect you feel free to contact us for any assistance or information.

Encryption bill to give unprecedented power

By Cameron Abbott and Wendy Mansell

The Coalition government is attempting to pass large-scale decryption reforms which will give sweeping powers to law enforcement agencies for overt and covert computer access.

The reforms have caused significant controversy as they may force tech companies and communications providers to modify their services, creating “systemic weaknesses” for intelligence agencies to exploit. However many point out these same vulnerabilities may be utilised by criminals.

Further the potential repercussions of these reforms may undermine consumers’ privacy, safety and trust through unprecedented access to private communications. This could have anti-competitive effects, as the reputations of Australian software developers and hardware manufacturers will suffer within international markets.

At the same time, the harsh reality that terrorists and organised crime increasingly utilise these technologies to evade surveillance highlights a very clear problem for law enforcement authorities.

We won’t seek to suggest where the balance between these interests should lie, but the debate rages on. Stay tuned.

Australia identified as the link in a major Chinese hack!

By Cameron Abbott and Jessica McIntosh

According to the US, China is trying to advance its aviation manufacturing capability using stolen information – and the latest is…. the information is being stolen out of Australia!

An Australian IT company dubbed “Company L” has been placed smack bang in the middle of a major hacking case in the US where US authorities have very publically and powerfully accused China of using compromised domain names to steal important aviation technology, alarmingly this has been happening for the large part of the last five years.

Read More

Apple calls for comprehensive US privacy laws.

By Cameron Abbott and Jessica McIntosh

It’s uncomfortable to think one of the world’s biggest business leaders has this week stood up and told us all ”our own information from the everyday to the deeply personal is being weaponized against us with military efficiency” what’s more uncomfortable, these powerful words are only a small snippet of a seriously forceful and passionate speech Tim Cook delivered in Brussels on Wednesday.

Read More

Move over Mirai – Torii is tipped to be the new botnet boss

By Cameron Abbott and Jessica McIntosh

It’s been hailed a true example of the evolution of IoT malware with researchers from security vendor Avast last week explaining in detail just how persistent and powerful this “new” strain of botnet can be. According to Avast, Torii is a “level of sophistication above anything they have seen before”.

For us, it’s newly found cutting-edge techniques and features mean it is a threat to EVERY type of computer and device…it’s a threat to all of us.

Read More

Privacy Standardization in the United States: We Need Consensus

By Susan P. Altman

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced this month that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk relating to protecting privacy in complex networking environments. The goal of the project is to develop a privacy framework that can deliver practical tools for developers of innovative technologies (such as IoT and AI) that will ultimately yield stronger privacy protections for individuals. NIST, which promotes innovation and industrial competitiveness, has had great success with broad adoption of its Cybersecurity Framework Version 1.1 released earlier this year, according to Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. It is now sponsoring outreach efforts throughout the U.S. to gather the best ideas for a useful and effective privacy framework.
NIST correctly notes that cybersecurity is central to managing privacy risk, but not sufficient in itself. Privacy professionals both inside and outside the U.S. are responding to (and perhaps leading) consumer privacy expectations with positions that NIST politely understates as reflecting “multiplying visions.” A framework of balanced standards for building privacy protections into technology design will benefit society broadly.
NIST, which focuses on standards for technology developers, is only one of several U.S. agencies addressing privacy concerns. For example, the U.S. Department of Commerce’s National Telecommunications and Information Administration is currently engaged in gathering input in order to formulate core, high-level principles on data privacy with a stated goal of avoiding contributing to a fractured and stifling regulatory landscape. And of course, the Federal Trade Commission, the big dog in consumer protection enforcement, continues its efforts to protect consumer privacy while critically analyzing the economic impact of such protection on competition and innovation.

FAKE APPS FIND A WAY TO GOOGLE PLAY!

By Cameron Abbott and Jessica McIntosh

Over the last two months a string of fake banking apps have hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
  2. Once the form is completed and submitted a pop up customer service box is displayed
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarming revealed that the listing of stolen data on the attacker’s server is accessible to anyone with the link to the data, this means sensitive stolen personal data was available to absolutely anyone who happens to comes across it.

Whilst, the reality is any app on your personal smartphone may place your phone and personal data at risk, (as discussed here ‘Research Reports say risks to smartphone security aren’t phoney‘)

Customers can mitigate risk by:

  • only using their financial institutions official banking apps, these are downloadable from the relevant institution’s official website;
  • paying attention to the ratings, customer reviews when downloading from Google Play;
  • implementing security controls on your smartphone device from a reputable mobile security provider; and
  • contracting their financial institution directly to seek further guidance on the particular banking apps in use.

 

It cannot be overlook, whilst Google Play moved quickly to remove the apps we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

Eureka! California Just Adopted a Strong Consumer Privacy Law

By Susan P Altman

While the rest of us were still recovering from the May 25 effective date of the EU’s General Data Protection Regulation (GDPR), California, the most populous and largest economy of any of the United States, confidently adopted a broad consumer privacy law. The California Consumer Privacy Act of 2018 (CCPA) was enacted June 28 and becomes operative on January 1, 2020. Unlike existing industry-specific U.S. privacy laws, the CCPA has a broad overall scope, more like the GDPR. It ensures California residents the right to know what information about them is being collected and sold or disclosed, to reject the sale of their personal information, to access the information, and to receive equal service and price, even if they exercise their privacy rights.

Unlike the GDPR, the CCPA does not extend to extra-territorial coverage. The CCPA applies only to for-profit businesses doing business in California and sets certain thresholds for business activity and size, thereby protecting most of the Silicon Valley start-up community from the cost of compliance. The CCPA protects the rights of “consumers,” who are natural persons residing in California, and generally does not apply to California residents while they are outside of California.

A business that is required to comply with CCPA will need to update its website, and include a conspicuous link on the homepage to a page titled, “Do Not Sell My Personal Information.” In addition, the website must describe the consumer’s privacy rights and annually update its privacy policy to reflect current practices. Consumers will be able to opt-out of collection practices; although children (or their parents) must opt-in. Consumers must be able to contact businesses regarding their collected information. Amendments and corrections to the CCPA are expected.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.