News round-up Sept 2020 — Thousands of licence details exposed online, HealthEngine to pay $2.9mil, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email to subscribe.


The round-up

It’s a veritable smorgasbord – our latest roundup includes incidents traversing cloud security, phishing, extortion, distributed denial of service attacks and insider threat. We also look at a particularly egregious breach of trust by a healthcare website.

Key articles:

Data breach exposes tens of thousands of NSW driver’s licences online

Summary: A cache containing about 54,000 NSW driver’s licences was found online by a Ukrainian security consultant. The data was linked to an unnamed private business that apparently failed to configure privacy settings appropriately on cloud storage.

Key risk takeaway: As we reported in May, misconfiguration of cloud services is one of the rising causes of data breaches – and so it has come to pass that tens of thousands of NSW drivers have been outed. The story here is a little more complex though, as it’s the NSW Government that has come under scrutiny for a lack of disclosure and notification to impacted residents – even though it was an unaffiliated third-party commercial operator that made the security bungle. It illustrates the complexity of responding to a data breach in the era of third-party data sharing, and the complex expectations that define what is trustworthy behaviour. Scenario planning can go a long way towards being prepared for these contingencies and having well-thought-out responses.

Tags: #cloudsecurity #notification


HealthEngine to pay $2.9 million for misleading reviews and patient referrals

Summary: Health directory and online booking site HealthEngine has been ordered to pay $2.9m in penalties after admitting that it disclosed personal information of over 135,000 patients to third party private health insurance brokers without adequately disclosing this to customers.

Key risk takeaway: Privacy Officers now need to consider consumer law risks when reviewing or drafting any communications or notices about how customer information will be handled. Failure to clearly communicate how personal information will be used and disclosed may amount to misleading and deceptive conduct (whether or not it also breaches the Australian Privacy Principles). The Australian Competition and Consumer Commission (ACCC) has become increasingly active in the privacy space since the conclusion of its Digital Platforms Inquiry in June 2019. HealthEngine may be the first casualty of this new focus on consumer privacy harms, but it’s unlikely to be the last. The Commission currently has two separate cases pending against Google alleging misleading and deceptive conduct in relation to privacy, and ACCC Chairman Rod Sims says there are plenty more in the works.

Tags: #ACCC #ACL #Privacy #Penalties


New Zealand Stock Exchange suffers day four disruption following DDoS attacks

Summary: A distributed denial of service (DDoS) that hit the exchange halted trading and prevented the publishing of market updates.

Key risk takeaway: So-called “DDoS extortions” have been around for a few years, but the recent attacks are being seen as among the most dangerous and targeted. The attack on NZX was one of many reported DDoS attacks against global financial service providers, with the criminal gang responsible demanding Bitcoin payments as extortion fees to stop their attacks. Where DDoS in the past has targeted public websites, a particular characteristic of recent attacks is the targeting of back-end infrastructure, which can be potentially more disruptive. DDoS mitigation services should be considered for any business, particularly those with a high profile (where a website outage would be particularly damaging) or those that operate critical online services (where even a short outage would have substantial impact).

Tags: #ddos #cybercrime


SANS shares details on attack that led to their data breach

Summary: SANS Institute suffered a data breach after an employee fell for a phishing attack, resulting in more than 500 emails containing approximately 28,000 records of personal information being forwarded to attackers.

Key risk takeaway: SANS is a leading provider of cyber security training for organisations around the world, so perhaps the lesson from its breach is, rather humbly, “there but for the grace of god, go I.” The attack draws on a rising phishing attack method – OAuth phishing – where targeted users receive what looks like a legitimate shared document. Upon clicking the email request, they are typically asked to provide their credentials (e.g. to O365) and grant various permissions to a third-party app. This grants access to the app’s developer/owner – which is an attacker. Read more about OAuth app examples here, ironically on a SANS discussion forum. Options to defend against this form of attack include preventing employees from being able to install unverified OAuth apps and, of course, testing staff’s ability to detect this form of phishing via phishing simulations.

Tags: #phishing #oauth


Former Uber Security Chief Charged With Concealing Hack

Summary: Uber’s former head of security has been charged with attempting to conceal a hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.

Key risk takeaway: CISOs around the world may be sleeping a little less comfortably, with the action brought by US prosecutors underscoring how much personal accountability is carried by those running security functions. At the heart of the criminal complaint is that former Uber CSO Joe Sullivan failed to disclose a major breach to regulators in 2016, even as the company was being investigated for an earlier breach. A particularly notable callout by the prosecution team was that the “cover-up” prevented law enforcement from learning about the hackers and being in a position to disrupt their activities – which included going on to “hack other companies in a way similar to what they had done to Uber”. This suggests that authorities view a company’s responsibility to disclose breaches not only in terms of its duty to its own customers, but also in terms of its importance to protecting the broader economy.

Tags: #CISO #crisisplanning #cybercrime


A Tesla Employee Thwarted an Alleged Ransomware Plot

Summary: A Tesla employee rejected a US$1m offer to install malware on Tesla’s network, reporting the bribe to Tesla instead.

Key risk takeaway: Insider threat is perhaps one of the less covered threats to organisations’ systems and data – perhaps this story might lift it in prominence given the hype and attention usually associated with Elon’s electric enterprise. The story affirms the willingness of cybercriminals to coax their way into a network in any way possible – whether through sophisticated technical or cyber means or more old-fashioned coaxing and cajoling. Insider threats of the malicious (versus accidental) kind are challenging to defend against. Technical measures include strong access controls and monitoring (especially for critical systems) and data loss prevention tools. Equally important are human measures such as background checks, and creating a culture in which employees feel comfortable reporting anomalous behaviour.

Tags: #insiderthreat

News round-up July 2020 — European court decision on international data transfers, software vulnerabilities, and more



The round-up

This month saw some big plays in the world of privacy – most notably the striking down by a European court of a mechanism for international data transfers. We look at the implications for Australian organisations coming out of the judgement. This month we’re also reminded of the inherent vulnerability of software via stories about backdoors in Chinese tax software, a flood of critical patches released for popular enterprise software products and, of course, more yarns about ransomware.

Key articles:

Chinese bank requires foreign firm to install app with covert backdoor

Summary: Tax software required to be used by organisations that conduct business in China has been found to have been infected with malware.

Key risk takeaway: This discovery by security researchers is a cautionary tale for any business with operations in China. Dubbed “GoldenSpy”, the backdoor in the tax software reportedly allowed the remote execution of commands on infected computers. A similar backdoor was later discovered in the other of the two Chinese-government authorised tax software products. Concerns have long been raised about the invasive security provisions levelled at western businesses by China, though the covert nature of this incursion is rather more sinister. The FBI warns that companies in healthcare, chemical and finance sectors are in particular danger. Echoing the FBI’s advice, businesses should ensure they patch critical vulnerabilities on their systems, monitor applications for unauthorised access and protect accounts through multi-factor authentication.

Tags: #cyberhygiene #cyberespionage


Europe’s top court strikes down flagship EU-US data transfer mechanism

Summary: The EU-US Privacy Shield, a key framework for regulating transatlantic data transfers, has been declared invalid by the Court of Justice of the European Union with immediate effect. Alternative international data transfer mechanisms remain valid subject to additional obligations imposed upon companies.

Key risk takeaway: Though primarily focused on transatlantic transfers, the Court’s judgement will also give pause to Australian organisations that use Standard Contractual Clauses (SCCs), a key tool for Australia-EU data transfers. Whilst confirming that SCCs remain a valid means for international data transfers under the GDPR, the Court’s judgement imposes an onus on companies relying on SCCs to undertake case-by-case determinations on whether foreign protections are adequate under EU standards and whether additional safeguards are required.

Tags: #privacy #GDPR


Apple Just Crippled IDFA, Sending An $80 Billion Industry Into Upheaval

Summary: Apple’s shift to requiring opt-in consent for IDFAs, a unique identifier which enables advertisers to track user behaviour across apps for targeting and attribution purposes, threatens to upend the mobile advertising ecosystem.

Key risk takeaway: Apple continues to brandish its privacy-centric approach as a key competitive asset and brand differentiator. This latest move was announced alongside a series of privacy-conscious updates and has been celebrated by privacy advocates as a fundamental step towards greater user transparency and control over use of their data. The change involves users now receiving explicit prompts requiring opt-in consent, as opposed to these controls being buried within Apple’s settings. The update has particular implications for both Facebook and Google, whose ad-tech services depend on aggregating large troves of data with IDFAs. Meanwhile, in another fillip for privacy advocates this month, the public broadcaster in the Netherlands has published data showing that it grew ad revenue after ditching ad trackers and moving to contextual ads.

Tags: #privacy #trust


Twitter partially shut down as hackers compromise 45 high profile accounts

Summary: In a coordinated attack, hackers gained control of dozens of high-profile Twitter accounts, including former US President Barack Obama, US presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Elon Musk, Apple and many others.

Key risk takeaway: While the hackers’ motivations here appear to have been rather benign (to propagate a bitcoin scam message), their unprecedented access could have had much more serious consequences. Imagine a nation state with full control of these compromised accounts, intent on derailing an election. It should raise the question for any organisation – what damage could a hacker do with access to your internal tools? The methods behind the attack were also relatively standard: social engineering to gain access to an internal customer support tool, which they used to reset account passwords. No zero-day cyber-gymnastics here. The obvious lesson here is ‘back to basics’ – training and awareness and restricted privileges. The deeper concern is how Twitter and other social media have become so central to our democracies – failures of this kind cannot be allowed to happen.

Tags: #socialengineering #databreaches #geopolitics


2020 is on track to hit a new data breach record

Summary: Troy Hunt’s ‘Have I been Pwned’ database reaches 10 billion records, while a new report estimates that 8.4 billion records were exposed in the first quarter of 2020 alone.

Key risk takeaway: The internet is now awash with compromised credentials, making password re-use a greater threat than ever. If you’ve already used a given password before, the likelihood is it’s now out there somewhere and can be used to compromise your account. This threat to account security is compounded by the continued rise of phishing and social engineering attacks, particularly in the new COVID-19 normal. The rapid switch to remote working combined with the uncertainty of the pandemic has given rise to effective new phishing lures such as fake pandemic updates or notifications from popular remote working applications. And so, the parade of data breaches continues. From dating apps, to hotel chains, airlines, telcos and many others, news of data breaches has become part of the background hum of our industry.

Tags: #databreaches


Garmin confirms ransomware attack, keeps quiet on possible Evil Corp. involvement

Summary: Garmin said while there was no indication attackers accessed customer data, the attack did interrupt website functionality, customer support services, user apps and corporate communications. This was again one of many ransomware attacks this month.

Key risk takeaway: This particular attack draws attention to the incredibly precarious position ransomware victims find themselves in regarding ransoms. Enduring widespread disruption to services due to WastedLocker ransomware, Garmin reportedly was faced with a US$10 million ransom to decrypt its files. Reports also claim that Russian gang Evil Corp was behind the attack. The gang’s members have been sanctioned by the US government, making any dealings with them illegal. Services are now back online and Garmin has not confirmed whether it paid the ransom. We also learned this month that ransomware gangs are a patient bunch – spending long periods of time within the networks they have breached in order to gather as much information as possible to maximise leverage in ransom demands.

Tags: #ransomware


US cyber officials urge patching of bug affecting up to 40K SAP customers

Summary: A critical vulnerability in SAP applications could affect up to 40,000 customers.

Key risk takeaway: Patch your critical systems! The last month has seen a rash of patches released for serious vulnerabilities in widely used systems. In addition to the SAP bug, software company Citrix announced yet more bugs (but with fixes), as did Microsoft, Palo Alto Networks and F5 Networks products. Respected guidance such as the Australian Government’s Essential Eight strategies recommends timely patching as a foundational security practice. In practice, many organisations struggle to prioritise the many, many security fixes that increasingly require acting on. The last month will only have further compounded the headaches of systems administrators (and likely intensified their pleas for more attention to secure coding practices).

Tags: #vulnerabilitymanagement

News round-up June 2020 — PM’s cyber strategy announcement, ransomware attacks and email scammers



The round-up

“Imagine if we could get the Prime Minister to yell ‘cyber’?”
Security leaders preparing to go cap-in-hand for FY21 budgets could only have dreamed of the platform their portfolios would get this month. In this month’s round-up we take a look at the PM’s announcement, and watch as ransomware and business email compromise jostle for the mantle of most damaging cyber threat.

News round-up May 2020 — Ransomware formally registered as business risk and security report on cyber attackers



The round-up

In our latest round-up, we get a fresh angle on some familiar threats. The rise of ransomware over recent years has seen it elevated as a formally registered business risk, while new research seeks to explain why phishing continues to work so well. A new security report also gives us insight into what’s motivating cyber attackers, and into one of the fastest growing reasons that data breaches are occurring.

News round-up April 2020 — Privacy and security issues with COVID-19



The round-up

COVID-19 is creating a heady and swirling vortex of news, information and disinformation. In this edition we cut through to the key privacy and security issues of the pandemic, including the Government’s contact tracing app and the new risks and scams that security leaders need to be thinking about. We also check in on how cybercriminals are attending to business-as-usual.

Key articles:

ACSC issues FUD-busting COVID-19 WFH guide

Summary: In light of new and more pronounced cyber security vulnerabilities brought on by the workforce’s wholesale transition to working from home, the Australian Cyber Security Centre issued its own official guidance.

Key risk takeaway: Security leaders in businesses right across the economy are responding to working arrangements and circumstances radically different to those for which they devised their risk mitigation strategies and activities. For the many professionals working from home, the ACSC’s tips include being aware of COVID-19 related cyber threats and scams (see next story), adopting strong passphrases and use of multi-factor authentication. Security teams also need to account for the different risk profile that results from a highly distributed workforce working in non-corporate environments. Risks to manage more closely include user adoption of unsanctioned video conferencing platforms and ensuring users connect to networks securely. Other emerging considerations include the need to revisit security provisions in technologies hastily purchased during the pandemic and sharpening governance over “shadow IT”, as workers install and use their own (non-sanctioned) applications to continue to perform their duties in non-standard conditions.

Tags: #securityhygiene #securityawareness #securityriskassessment


Continued widespread reports of COVID-19 malicious scams

Summary: Authorities and businesses around the world are observing a massive surge in internet scams related to the coronavirus pandemic. Says one security professional: “I’ve never seen this volume of phishing. I am literally seeing phishing messages in every language known to man.”

Key risk takeaway: It’s the pandemic edition of the usual refrain – humans are the critical front-line in defending against cyber-attacks. Businesses must take strong steps to make their employees aware of the explosion in COVID-19 themed scams and phishing attacks, which are being deployed to drop malware, steal information and facilitate financial fraud. Thousands of new coronavirus-themed web domains, which are used as phishing sites and to spread malware, are being registered every day. The Australian Signals Directorate is muscling up for the fight, as are US law enforcement authorities and even an army of volunteer cyber defenders.

Tags: #securityawareness


Australia launches COVIDSafe contact tracing app

Summary: The Australian Government launched an app to support health professionals in performing contact tracing on individuals that test positive for coronavirus. The Government app faced intense scrutiny over its handling of privacy and security considerations.

Key risk takeaway: The public’s heightened expectations of privacy and transparency in new technologies and services – particularly those involving sensitive information (such as health status) – are brought to the fore in the public conversation surrounding the COVIDSafe app. The Government’s previous mis-steps in adequately addressing privacy and security considerations in technology deployments (e.g. Census, My Health Record) have demonstrably impacted this rollout, reflecting the importance of service providers building trust over an extended period. A privacy impact assessment on the app – which made 19 recommendations, the bulk of which were accepted – has helped in some part to ameliorate some of the privacy concerns (read elevenM’s Melanie Marks’ view of some of these privacy risks here). An auxiliary consideration for organisations will be how they deal with employee queries about the app, particularly in relation to installing it on work-issued mobile devices.

Tags: #privacy #privacyimpactassessment


Zoom bolsters software security in latest move to reassure users

Summary: Video conferencing platform Zoom has faced intense criticism over poor security and privacy practices, leading to “do not use” edicts from everywhere from governments to major corporations.

Key risk takeaway: When your startup’s moment finally comes, will a complacent attitude to privacy and security be your undoing? Widespread self-isolation has certainly been a godsend for video conferencing platforms like Zoom. But despite a massive surge in users, Zoom’s reputation has taken a thorough battering. Like Standard Chartered has done overseas, we’re aware of major Australian organisations issuing guidance to staff to refrain from using Zoom, especially for official business. Zoom has had to move fast to issue mea culpas and patch security and privacy holes. For major developers of digital services and budding start-ups alike, a more efficient and less painful strategy is to bake in good practices through approaches such as privacy-by-design and secure coding.

Tags: #privacybydesign #securecoding


IT services behemoth Cognizant suffers attack by Maze ransomware

Summary: While we’re all pre-occupied with COVID-19, one group (sadly) is carrying on as though everything is normal: ransomware gangs. In the past month foreign exchange business Travelex, insurer Chubb and technology consultancy Cognizant were all revealed to have been hit with ransomware.

Key risk takeaway: Ransomware might be overshadowed now by that other virus, but by no means has it gone away. We wrote in February of the havoc Maze ransomware gangs were already wreaking in 2020. And the fact that cybercriminals are now offering discounts on their services should remind us all that they’re determined to be a viable force throughout and beyond the pandemic. The Cognizant incident – in addition to reminding us of the importance of endpoint protection and detection tools – highlights a couple of considerations. First, the incident affected Cognizant clients, illuminating the issue of supplier risk. Organisations should consider quickly disabling system access for any infected supplier. Second, the particularly aggressive public extortion strategy used by Maze attackers – in which sensitive data is stolen before being encrypted, and its public release threatened if the victim doesn’t pay the ransom – highlights the need for a clear public communications strategy for cyber incidents.

Tags: #solvingransomware #crisiscommunications

News round-up March 2020 — COVID-19 influence on cyber security, privacy and digital risk


The round-up

First and foremost, we wish all our clients and friends the best in these challenging times. We hope your families are well and that your businesses are finding a way to move forward through the current crisis.

Given the present saturation of COVID19-related news, we considered avoiding the topic altogether in this edition of the news roundup, as a way to help our readers step back from the crisis and dip back into business as usual.

The reality, as we’re all appreciating, is that our collective response to the pandemic is unprecedented. It dominates all spheres of our lives – work, home, socialising, shopping and parenting. “Business as usual”, as it used to be, doesn’t really exist at this moment.

So in this month’s round-up, which takes a slightly different form, we look at how COVID-19 is influencing the spheres of cyber security, privacy and digital risk.


Key themes:

Security and privacy at the heart of changed ways of working

COVID-19 has heralded an unparalleled change in working conditions, most strikingly marked by large volumes of staff working from home, in accordance with social distancing and isolation guidelines issued by authorities.

Working from home isn’t new, but the scale is unprecedented. IT and security teams have scrambled to ensure that the sizeable increase in numbers of staff working remotely – including many that haven’t done it before – doesn’t translate to an unpalatable increase in security and privacy risks.

Recommendations have been widely published online to promote secure working from home practices, including use of secure networking tools such as VPNs and access controls such as multi-factor authentication. Some also see the current circumstances as an opportunity to introduce stringent IT architectures that will promote greater security long after the crisis subsides.

While technical measures are critical, we can’t underscore how important it is for organisations to also speak to their staff. Issue clear advice about the need to maintain secure practices when working from home, and the continuing importance of protecting the information of customers and of the organisation. As executives increase their conversations with staff at this time about how their companies are handling the crisis, security and privacy teams must also strive to have security and privacy priorities included in these communications.

The highs and lows of humanity

The image of people fighting off the elderly for toilet paper crystallises how the pandemic has, sadly, illuminated some of the worst in human behaviour.

So it was in the cyber realm. Very quickly after the pandemic took hold, authorities observed a spike in COVID-19 themed phishing and scam emails. Also discovered were coronavirus health apps laced with malware, hijacked routers steering users to malicious COVID-19 sites, and the disruption of online services that the public will increasingly come to rely on.

The expansion of cybercrime infrastructure – such as the registering of new domains, and burgeoning pool of potential money mules – further suggests we could face these new risks for a sustained period.

All the more reason for businesses to start educating their staff now, not least because a state of heightened fear, anxiety and constant desire for new information likely increases susceptibility to threats such as phishing.

For a while, it did seem that cyber-criminals might have an attack of conscience, with some peddlers of ransomware vowing to lay off health care companies. A series of hospital-related attacks showed that to be a false dawn.

While there may be no honour among cyber thieves, there is valour in our industry worth celebrating. Many security researchers are volunteering to support healthcare providers fighting hackers, while a number of security vendors are providing free tools to help their customers be more secure. Some professionals have even set up an online cyber school for flustered home-schooling parents to help teach their kids cyber security.

Cyber workers are essential

As healthcare staff fight valiantly on the frontlines of this pandemic, it’s not unlikely that many of us in professions far removed from hospitals and health clinics are second-guessing how important our jobs are today.

Of course, PM Scott Morrison has declared that all workers are “essential” workers. But for those wanting something more specific, US President Trump also issued guidance this month on exactly what roles make up the essential critical infrastructure workforce.

A number of cyber security roles were defined in the list, including workers performing cyber security functions at healthcare facilities and energy providers. The inclusion of these roles in the list affirms that cyber security functions play a critical role in the functioning of society, even in the event of a pandemic-related lockdown.

A stoush between public health and privacy?

If the importance of cyber security was re-affirmed in the previous section, privacy may have taken a backseat, at least momentarily. Various governments, seeking to arm themselves with the information needed to contain the pandemic, have turned quickly to our personal data.

In some countries, like the US, this at least kicked up an ethical conversation. In other jurisdictions, like Singapore, Taiwan and Israel, the public health imperative appears to have overridden any appetite for discussion.

But one should never be too quick to declare privacy dead. Privacy was built for this. Principles such as necessity, proportionality, reasonableness and transparency are more important than ever for governments that will need to maintain public trust throughout a sustained state of emergency.

One of the first tasks for privacy advocates on the other side of this crisis will likely be to ensure that privacy concessions made in the name of necessity are rolled back as the emergency subsides (as signaled here). Beyond that, there will also be an opportunity to re-assess and refine prevailing attitudes to privacy and seek to reframe conversations where the discussion is framed as a choice between privacy and health.