Tag Archives: Australia

Security news for the Week Ending September 20, 2019

A New Trend?  Insurers Offering Consumers Ransomware Coverage

In what may be a new trend, Mercury Insurance is now offering individuals $50,000 of ransomware insurance in case your cat videos get encrypted.  The good news is that the insurance may help you get your data back in case of an attack.  The bad news is that  it will likely encourage hackers to go back to hacking consumers.  Source: The Register.

Security or Convenience Even Applies to Espionage

A story is coming out now that as far back as 2010  the Russians were trying to compromise US law enforcement (AKA the FBI) by spying on the spies.

The FBI was tracking what Russian agents were doing but because the FBI opted for small, light but not very secure communications gear, the Russians were able crack the encryption and listed in to us listening in to them.  We did finally expel some Russian spy/diplomats during Obama’s presidency, but not before they did damage.  Source: Yahoo

And Continuing the Spy Game – China Vs. Australia

Continuing the story of the spy game,  Australia is now blaming China for hacking their Parliament and their three largest political parties just before the elections earlier this year (sound familiar?  Replace China with Russia and Australia with United States).

Australia wants to keep the results of the investigation secret because it is more important to them not to offend a trade partner than to have honest elections (sound familiar?).  Source: ITNews .

The US Government is Suing Edward Snowden

If you think it is because he released all those secret documents, you’d be wrong.

It is because he published a book and part of the agreement that you sign if you go to work for the NSA or CIA is an agreement that you can’t publish a book without first letting them redact whatever they might want to hide.  He didn’t do that.

Note that they are not suing to stop the publication of the book – first because that has interesting First Amendment issues that the government might lose and they certainly do not want to set that precedent and secondly, because he could self publish on the net in a country – like say Russia – that would likely flip off the US if we told Putin to shut him down.  No, they just want any money he would get. Source: The Hacker News.

 

HP Printers Phone Home – Oh My!

An IT guy who was setting up an HP printer for a family member actually read all those agreements that everyone clicks on and here is what they said.

by agreeing to HP’s “automatic data collection” settings, you allow the company to acquire:

… product usage data such as pages printed, print mode, media used, ink or toner brand, file type printed (.pdf, .jpg, etc.), application used for printing (Word, Excel, Adobe Photoshop, etc.), file size, time stamp, and usage and status of other printer supplies…

… information about your computer, printer and/or device such as operating system, firmware, amount of memory, region, language, time zone, model number, first start date, age of device, device manufacture date, browser version, device manufacturer, connection port, warranty status, unique device identifiers, advertising identifiers and additional technical information that varies by product…

That seems like a lot of information that I don’t particularly want to share with a third party that is going to do who knows what with it.  Source: The Register.

Private Database of 9 Billion License Plate Events Available at a Click

Repo men – err, people – are always looking for cars that they need to repo.  So the created a tool.  Once they had that, they figured they might as well make some money off it.

As they tool around town, they record all the license plates that they can and upload the plate, photo, date, time and location to a database that currently has 9 billion records.

Then they sell that data to anyone who’s check will clear.  Want to know where your spouse is?  That will cost $20.  Want to get an alert any time they see the plate?  That costs $70.  Source: Vice.

Election Commission Says That It Won’t Decertify Voting Machines Running Windows 7

Come January 2020, for voting machines running Windows 7 (which is a whole lot of them) will no longer get security patches unless the city or county pays extra ($50 per computer in the first year and then $100 per computer in the second year) for each old computer.  Likely this means a whole lot of voting machines won’t get any more patches next year.

The nice folks in Washington would not certify a voting machine running an operating system that is not supported, but they won’t decertify one.  That, they say, would be inconvenient for manufacturers and cities.   I guess it is not so inconvenient for foreign nations to corrupt our elections.  Source: Cyberscoop

News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.

 

Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.

 

Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today is it Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elastic Search, made it exposed to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on in quickly.  We are not talking brain surgery folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.

 

Yet Another Elastic Search Exposure – Belonging to UNKNOWN

Maybe this is elastic search week.  Another group of researchers found a data trove of elastic search data, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposed to be defined later.  Source: Hackenproof.

 

Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim,  based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.

 

Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

Once way they kept is quiet is by not telling Speaker Paul Ryan,  Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fall out.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.

 

Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes another Adobe Flash zero-day (unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.

Australia Is On The Fast Path to Ban Encryption Without Backdoors

While this is still a bit like Jello (R) waiting to congeal, the Australian Assistance and Access Bill is designed to require back doors in encrypted communications like Whats App and iMessage.

COMPANIES THAT DEVELOP SOFTWARE THAT USE END TO END ENCRYPTION NEED TO PAY ATTENTION TO WHAT HAPPENS SO THAT THEY CAN MAKE APPROPRIATE BUSINESS PLANS.

The party in power is trying to ram the bill through Parliament in 4 days and the opposition labor party is playing politics – maybe supporting it maybe not.

Continuing the political bull-poop, the prime minister said that the Labor party is “happy” for terrorists to plot attacks using encrypted messages.  I don’t recall ever hearing the Labor party ever say anything remotely close to that.

They are saying that if the bill passes, the Australian software industry will be toast as anyone from another country will assume that any Australian software is riddled with security holes to keep the police happy.  Who would buy that software?

One proposal is to limit the back doors to terrorism and child trafficking, but i have no idea how, technically, you could possibly do that.

It is also possible that such a law would conflict with provisions of other foreign laws such as the U.S. Cloud Act and possibly even GDPR.

The bigger question is whether big software players like Apple and Facebook will buckle and build in back doors to protect a tiny bit of the world market to keep Australia happy.

One possibility is what we had in the U.S. in the 90s, which is two versions of software – one for the Australian market, full of security holes but legal in Australia, and one for the rest of the world.  The disadvantage of this is that vendors would need two sets of software and maybe some amount of separate infrastructure.  It is also not clear how you would stop Australians from downloading the other version.

Another possibility, although less likely, is that companies Apple and Facebook will abandon the Australia market.  After all, in the grand scheme of things, it is not a big part of their revenue.  For the moment, they are lobbying against it and other than that, keeping their collective mouths shut.

The Australian government is saying that they need to ram this legislation through Parliament because of the heightened risk during the Christmas holiday, although it is completely inconceivable that even if the bill passes that companies would do anything in time for Christmas.

The government is trying to scare people into passing the bill without any review by saying if they don’t that lives are in jeopardy, but when asked if there is a specific problem they answer no.  After all, they have not had this capability for the last 10 years, why will waiting 30 days mean the end of life on the planet?

The proposed law would require companies to add back doors unless adding back doors would create systemic weaknesses – whatever that means.

Information for this post came from ZDNet and Sky News.

Of course, since politicians are not, for the most part, technically savvy, they appear to have missed the issue of open source software, which we have seen grow in popularity among terrorists in the Middle East.  With open source there is no company to haul into court and it is likely impossible to stop the distribution of open source source located outside of a country’s borders.

Stay tuned.

 

 

 

Australia Introduces Bill Requiring Tech Companies Worldwide to Include Encryption Back Doors in their Software

This could get interesting.  The Australian Telecommunications and other Legislation Amendment (Assistance and Access) Bill 2018 would require tech companies to decrypt communications on request and even require tech companies to build back doors into their software if they don’t already have them.

Of course, like all governments (think GDPR), the bill does not stop at Australia’s border and would, in theory, require companies worldwide to comply.  It is not clear what leverage they have against a company that does not have a legal entity in Australia.

It is not clear how they would get Hamas or ISIS to obey their law, so while the law, if enacted, would weaken protections for law abiding citizens worldwide and would possibly allow them to intercept the communications of dumb terrorists, it will do nothing to protect us against smart terrorists – the ones we really need to be concerned about.

The bill defines a designated communications provider as any foreign or domestic communications providers, device manufacturers, component manufacturers, application providers and traditional carriers and carriage service providers.

That means that everything from your email to a physical device that supports encryption is up for grabs.

In explaining the bill the government mentions companies like Facebook, Instagram, Signal, Telegram and even web site logins.

The bill calls for three levels of hacking to be provided on demand:

  1. Technical assistance request – this one is voluntary.  If a company wants to, it can cooperate.
  2. Technical assistance notice – this one requires a company to decrypt stuff that they have the technical ability to decrypt.
  3. Technical capability notice – this one requires the company to build a new back door into the security of their product and somehow secretly get the user to install the new hacked version of the software.  However, the bill says that this back door cannot remove encryption.  HUH?!

The first two are not a big deal.  The last one is a killer.

Australia’s Minister for Law Enforcement and Cyber Security said that this bill would allow law enforcement to access your data without compromising the security of the network.

The Minister did not want to go anywhere near the words encryption back door, but technically that is the only way to accomplish what they are asking for.  The Minister said that tech companies would be able to provide access without weakening security,  He didn’t suggest how this is possible.  It is not.

He said that we are ensuring we don’t break the encryption systems of the company;  so we are only asking them to do what they are capable of doing.  Item 3 above tells companies to do what is not currently possible, so either he has not read the bill, doesn’t understand the bill or is lying.  Take your pick.   The Minister of Magic is convinced that he can do that without breaking the encryption of the technology companies.

On the other side, the tech companies like Apple, Facebook and Google danced around the conversation giving it a wide berth.  They do have a challenge since they don’t want to appear to support terrorists while, at the same time, they know what the government is asking is impossible without compromising the security and privacy of their customers worldwide.  If they give this capability to Australia, what is their justification for not giving it to China or Russia or any other country that asks?

The Australian Prime Minister, Malcolm Turnbull said “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”  Apparently, he thinks the laws of physics are optional in his country.

Currently, this is only a bill, so who knows what will happen, but if passed, companies will need to make some very uncomfortable decisions.

Since Australia is a small market, one option for bold companies would be to block the use of their services to residents of that continent.  Remember that there are fewer people in Australia than, say, in Canada or even in just the sate of Texas and a little more than half the population of California.  That being said, businesses rarely like to turn away customers, even if it means violating their core principals, so it will be interesting to see what companies like Apple choose to do.

Information for this post came from CNet.