Cyber Law Watch – Page 34 – Insight on how cyber risk is being mitigated and managed across the globe

Blockchain Successfully Used in Commercial Leasing Transaction

Jul 24 2017

After years of research and development, ANZ and Westpac have succeeded in utilising blockchain technology for bank guarantees in a commercial leasing transaction. The banks teamed with IBM and shopping centre operator Scentre Group to digitise the paper-based process using distributed ledger technology.

Currently, bank guarantees are usually in the form of a physical letter is that printed on bank letterhead and signed for authenticity. The tenant surrenders the guarantee to the landlord, which the landlord later uses to demand payment from the bank in the event the tenant defaults. This process brings with it several difficulties, such as the requirement to keep the physical document safe from damage and theft, and the potential for forgery.

The use of blockchain technology will allow both parties to rely on the shared ledger as a single non-disputable source as to the existence and status of a bank guarantee, saving time and costs in document management and tracking of the guarantee’s status. Encryption of all records on the ledger ensures that only the parties to the transaction can view its contents, maintaining its confidentiality. In addition, the technology gives landlords the ability to request a new guarantee on behalf of the lender – for example, where incorrect names were provided to the bank, requiring rectification – something not available in the current paper-based process.

While this transaction was intentionally limited in scope as a proof-of-concept, its success means that the solution can be transferable to a broader context, such as the ASX’s plan to replace the CHESS equities settlement system with blockchain technology.

Read the full whitepaper here.

Australia Affected By Global Ransomware Attacks

Jun 30 2017

By Cameron Abbott and Ling Zhu

Despite Australia seemingly avoiding the brunt of the attacks by the WannaCry ransomware crippling computer systems around the world last month, a few Australian organisations have not emerged unscathed.

Victoria Police has revealed 280 speed cameras around Victoria were exposed to WannaCry between June 6 and June 22. Although the cameras were not connected to the internet, the ransomware was unintentionally introduced to the system through a USB device during maintenance. The police reported that the ransomware caused the cameras to continually reboot, however it is unclear whether this resulted in inaccurate readings. Initially, only 55 speed and red-light cameras were thought to be infected, however that has since increased to 280 cameras. Subsequently, 1,673 infringement tickets will be withdrawn, with another 5,500 pending tickets to be embargoed. Now don’t get excited and start drag racing – the police intend to continue operating the cameras, with embargoed and new tickets to be issued once they confirm that cameras are taking accurate readings.

Meanwhile in Hobart, Cadbury chocolate factory has stopped production following its parent company, Mondelez International, being affected by the similar “Petya” ransomware. The US-based Mondelez International suffered a global IT outage overnight, with all network computers being infected. Australian workers were unable to begin production in the Cadbury factory on June 28, as many processes are automated and controlled by computers. It is uncertain when the global system will be restored.

Now speed cameras is one thing, but affecting chocolate production is way out of line!

A reminder that both WannaCry and Petya exploit vulnerabilities that have been patched – you just have to load those security releases. A call out to all the chocolate producers of the world – load your patches for the sake of us all!

New Petya Ransomware Attacks Global Law Firm

Jun 27 2017

By Cameron Abbott and Edwin Tan

Just a month after the WannaCry ransomware infected devices around the globe, a new strain calling itself Petya has struck overnight. Petya looks and operates the same way as WannaCry, locking out users from their systems and demanding a ransom of US$300 in order to decrypt files stored on the device. To spread across devices, Petya utilises exactly the same vulnerability used in WannaCry, patched by Microsoft in March 2017.

Organisations in Europe have been the worst hit, with the ransomware slowly spreading to the United States, and to Australia this morning as organisations boot up their computers. The Prime Minister of Ukraine has called the attack on his country “unprecedented”, with the government’s computer network going down, and the state power distributor being disrupted.

A global law firm has also been hit by Petya, with its offices in the UK, Europe, the Middle East and the US all affected by the attack. This continues a worrying trend of law firms being breached as of late, potentially exposing thousands of clients to commercial and legal risk.

We cannot emphasise enough the importance of keeping all devices and systems patched and up-to-date. Unfortunately, it seems that organisations around the globe, even those professing to be experts in cybersecurity, are still unprepared to deal with cyber-attacks and mitigate their risks.

The UK National Cyber Security Center has released guidance to help both home users and organisations limit the impact of ransomware attacks. It can be read here.

Time is Running Out – Compliance with new EU Data Protection Rules (GDPR)

Jun 22 2017

By Cameron Abbott and Edwin Tan

Companies are failing to prepare adequately for the new EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, less than a year from today.

A partner at Crowe Horwarth was quoted in the Financial Times as saying that a recent survey found that over 60% of financial services companies were only just starting to get ready for GDPR, or were still trying to understand the gaps they needed to address. This is a particular concern as long timeframes may be needed to remedy any identified gaps, particularly where legacy IT systems are used. In addition, other companies are viewing the GDPR as a “nuisance”, treating it as a check-box ticking exercise rather than a serious compliance issue.

The GDPR will require companies to adopt much stricter procedures and processes when handling customer data. The maximum fine for non-compliance is 4 percent of the previous year’s annual global turnover, or €20 million, whichever is the greater. In addition, company executives can also face criminal penalties if deemed responsible for data breaches.

Companies must start work immediately on implementing changes required by the GDPR in order to avoid exposure to significant liability. Read more about the GDPR here.

DDoS Attacks On The Rise

Jun 20 2017

By Cameron Abbott and Edwin Tan

Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that the small cost of US$150 can buy a DDoS attack for a week. (It also brings organised crime into your life – but that’s a different point!)

The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, capable of taking most organisations offline, and there is real cause for concern among cyber security experts. It is hard to trace DDoS attacks to their proprietors, as the majority of devices used in attacks belong to innocent users.

Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack.

Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally. Read Cisco’s press release here.

Apple Distributors Arrested for Allegedly Selling Customer Personal Information

Jun 09 2017

By Cameron Abbott and Edwin Tan

On Wednesday, police in China’s Zhejiang province released a statement reporting the arrest of 22 third-party Apple distributors for allegedly selling customer data on the black market. Officials claim that the suspects searched an internal Apple database to obtain sensitive information, such as names, Apple IDs and phone numbers.

Each sale was for between 10 yuan to 180 yuan (A$1.95 to A$35.17). The entire scam was reportedly worth more than 50 million yuan (about A$9.8 million).

It is presently unclear whether there were victims outside of China, or how many people were affected by the breach.

No doubt these events will raise concerns worldwide about distributors’ access to customer data when it flows through the supply chain. Companies will need to have strong guarantees in place with their distributors, in relation to the handling and security of data, in order to reduce their risk of breaches when data leaves their control.

Users wishing to add an extra layer of security to their Apple ID can try utilising two-factor authentication, as set out by Apple here.

Together we are stronger – Australia and Singapore partner up on cybersecurity

Jun 06 2017

By Cameron Abbott and Allison Wallace

A freshly inked Memorandum of Understanding between Australia and Singapore will see the two countries strengthen their cybersecurity through a joint effort to build a secure and resilient cyber space.

The two-year partnership which was signed last week, will see Singapore’s Cyber Security Agency work with the Australian government to conduct regular information exchanges on cyber threats, share best practices to promote innovation in cyber security, and build cyber security capabilities. Read More

Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers

May 24 2017

By Cameron Abbott and Edwin Tan

On 5 May 2017, a federal district court in New York ordered four people involved in breaching the networks of two law firms and stealing confidential information to pay approximately $8.9 million in fines.

According to the Securities and Exchange Commission, the hackers installed malware on the law firms’ networks, enabling them to view and copy data held by the law firms. The stolen data included emails revealing the details of clients considering mergers or acquisitions. Armed with this information, the hackers purchased shares in those companies ahead of public announcements, quickly amassing profits of almost $3 million.

There are concerns that hackers consider law firms as “low risk, high reward” targets, as a successful breach can reveal sensitive information about a multitude of clients such as trade secrets and financial data. These breaches can result in firm clients being exposed to massive commercial and legal risk.

One can be cynical at expenditure on security, let’s face it, it means less money in partners’ pockets – but cases like this are a salient warning of the hidden costs of getting security wrong!

Australia and China to Cooperate Against Cybercrime

May 24 2017

By Cameron Abbott and Edwin Tan

On 21 April 2017, Australian and Chinese Government representatives attended the inaugural Australian-China High-Level Security Dialogue. The Dialogue was launched to promote discussion between the two countries in the areas of counter-terrorism, cybercrime and other important security issues.

According to a joint statement by both parties, Australia and China reaffirmed their commitment to cooperate on cybersecurity issues. The key commitments include:

supporting the work of the UN Group of Governmental Experts and to act in accordance with its reports;
establishing an information-sharing mechanism to assist in combating cybercrime and preventing cyber incidents that could cause problems between the countries;
working together against internet distribution of child sex abuse material, e-mail scams and other transnational cybercrime activities;
discussing options for joint operations against cybercrime; and
exchanging cybersecurity delegations and regulatory documents to enhance understanding, cooperation and mutual trust.

The second High-Level Security Dialogue session will be held in China in the first half of 2018. One imagines that this is a tricky dialogue to foster, but clearly Australia takes the view of better off having China “in the tent than out”. Read the joint statement here.

“WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come

May 15 2017

By Cameron Abbott and Edwin Tan

A ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australia and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government only confirming three reports of Australian companies being affected. Not that ransomware attacks tend to be the subject of reporting – there is quite a high rate of payment of affected users as the pricing is deliberately cheaper than most alternatives unless your back-up process is very good.

The ransomware utilises vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer for computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link as is commonplace in most attacks. Ransom demands start at US$300 and doubles after three days.

The U.K. National Health Service (NHS) was among the worst hit organisations, forcing hospitals to cancel appointments and delay operations as they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using a 16 year old version of Windows XP which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Center has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.