Australian InfoSec News – January 2016

This edition is very brief, just a catch-up after the holidays and a particularly intense contract. I nearly let this issue go, but once I started reviewing what happened in January, I decided it was worth reviewing the month for my own professional purposes.

As promised I’ve started to track data loss and privacy related breaches, as well as the more traditional information security incidents, as this reflects the growing expansion and expectations of the information security professionals’ role.

If you have any suggestions or comments they are welcome.

Hope you all had a good Christmas (if we can remember back that far).

Steve…K.

Round Up

InfoSec advice from my local bottle shop

Other than the information security breaches, with Melbourne Health at the Royal Melbourne Hospital being the most notable in January, the main reason I think January was important was the reports on the inevitable scope creep around the 61 agencies after warrantless access to Australian telecommunications metadata.

Melbourne Health Virus Takedown
From my faulty recollection, I believe it has been a while since we’ve had a good old-school virus/malware takedown on this scale. I won’t go any further into the incident here; I’ll just refer to a good Lifehacker article on this:

Last week, a virus attack on the computer system of one of Melbourne’s largest hospital networks. It is cause for concern not only because it affected machines running Microsoft’s Windows XP, an operating system no longer supported by the software giant, but because a large number of businesses and individuals still using it. – Robert Merkel

Anyone out there still running Windows XP?

Warrantless Access Australian Metadata
Ok, deep breath….

This was always going to happen, and people tend to forget just who had access in the old scheme. The best article I’ve seen on this has the list of agencies requesting access now and who had access before.

Australia Post, the RSPCA of Victoria, and the Victorian Taxi Services Commission are among 61 agencies in Australia seeking warrantless access to metadata stored by telcos.

Good to see the RSPCA is a key part of our war on terror.

My view: Overall, my view is a bit more accommodating and not just limited to the terrorism stuff. If an individual’s life is under direct threat, then access the data. If not, get a warrant.

 

InfoSec Incidents

This month’s information security related incidents that were reported in the media in Australia. A full list of incidents can be found on the Australian Information Security Incidents page.

Jan 30, 2016
Telstra privacy breach leaves customer’s voicemail exposed.
A new second-hand phone owner (also a Telstra customer, who wishes to remain anonymous), explained that when the iPhone 5 was powered off and then on again, it downloaded the previous owner’s voicemail messages to the phone’s inbuilt visual voicemail app, where he could then browse and listen to them in full, even though the phone was “fully” wiped before resale.

Jan 19, 2016
Australian Hyatt hotels hacked, guest credit card details stolen
Hyatt Hotels is the latest hotel chain to fall victim to hackers stealing sensitive credit card information from guests around the world, including flagship properties in Australia. The Park Hyatt Sydney, Grand Hyatt and Park Hyatt in Melbourne, Hyatt Hotel Canberra and Hyatt Regency Perth were among the hotels targeted over a six-month period from July to December 2015, along with Hyatt hotels in Hong Kong, China, Singapore, the USA and

Jan 19, 2016
Australian Federal Police accidentally gave victim’s details to alleged attacker.
The Australian federal police accidentally revealed the personal details of an assault victim to the alleged perpetrator, risking the safety of the complainant and his family, according to an AFP risk assessment. The lapse is one of seven serious privacy and security breaches the AFP has suffered since 2012. Details of the breaches, which have all been referred to the privacy commissioner, have been obtained under freedom of information laws (FoI) by Guardian Australia.

Jan 19, 2015
A Canberra psychology clinic accidentally reveals clients’ personal details in email.
A Canberra psychology clinic has apologised after it accidentally shared personal details of hundreds of patients in a group email. The incident has triggered an angry response from clients who say the email was a serious breach of privacy and eroded the trust of patients who sought confidential psychological help.

Jan 20, 2016
PDF redaction is hard, NSW Medical Council finds out the hard way.
Australian public sector agencies have a persistent problem trying to redact PDFs: this time, the guilty party is the Medical Council of NSW. The council breached the privacy of a doctor and her son, the Medical Tribunal found earlier this month, because it mishandled redacting their names out of a PDF it published on its Website.

Jan 20, 2016
Victorian MP ‘likes’ porn after Twitter hack.
A Victorian MP says someone hacked his Twitter account and liked tweets of pornographic images. Creative Industries Minister Martin Foley tweeted an apology to his followers on Tuesday for the “disgusting material”.

Jan 20, 2016
Virus takes down Melbourne Health’s computer system.
Last week, a virus attack on the computer system of one of Melbourne’s largest hospital networks. It is cause for concern not only because it affected machines running Microsoft’s Windows XP, an operating system no longer supported by the software giant, but because a large number of businesses and individuals still using it

 

InfoSec News Stories from Australia

These are the stories I’ve tracked in December. Subscribe to @isgrcadvisor on Twitter for the extended Twitter feed.

Jan 30, 2016
Telstra privacy breach leaves customer’s voicemail exposed.
#InfoSec #Breach #Telco #Privacy

Jan 30, 2016
Parents of Ayr teen who took her own life lobby for legislative change | Townsville Bulletin.
#SocialJustice #Online

Jan 30, 2016
Australia: Alanah Pearce forwards online trolls’ messages on to their parents.
#Online #SocialJustice #SocialMedia

Jan 30, 2016
Australian employers can spy on workers’ emails without warning.
“Not sure about this”-SK
#InfoSec #Privacy #AusLaw

Jan 30, 2016
Indonesia spies on citizens, stores info in Australia?
#InfoSec #Privacy #Spy #Security

Jan 30, 2016
Australia: #Cyber #Security Growth Centre to be established.
“Shoutout to @SandraRagg fighting the good fight”

Jan 30, 2016
Dating safely – RSVP
“Paradoxically for research purposes only, maybe.”
#Online #Dating #Scam #Awareness

Jan 30, 2016
New biometric collection powers in Australia in February.
#InfoSec #Security #Biometric #Privacy #Law #Data

Jan 30, 2016
Australian businesses facing up to cyberwar need the right kinds of clouds.
http://www.zdnet.com/article/australian-businesses-facing-up-to-cyberwar-need-the-right-kinds-of-clouds/
#InfoSec #Cloud #Cyberwar #Security

Jan 30, 2016
The need for cyber security skills in Australia balloons.
#InfoSec #Education #Security #Cyber

Jan 30, 2016
Australian model warning girlfriends of guys who send penis pictures.
#Online #SocialMedia #Privacy #SocialJustice

Jan 29, 2016
eHealth NSW looking at next generation of security professionals.
#Health #InfoSec #Education #ACS #Security

Jan 29, 2016
Victoria: Why the taxi industry wants your metadata.
#InfoSec #Privacy #Metadata #Data

Jan 29, 2016
NAID-A/NZ calls for better data disposal.
#InfoSec #Privacy #data #InfoMgt

Jan 29, 2016
Australian Banks want tech giants to sign mobile security code.
#InfoSec #Standards #Banking #Finance #Security

Jan 28, 2016
OAIC @OAICgov
Safeguard your customers’ #privacy by using #OAIC’s 10 #tips to protect their personal information: http://bit.ly/1KyXdTz
#DPD2016

Jan 28, 2016
#InfoSec #Password advice today from my local bottle shop.

Jan 28, 2016
International Data Privacy Day: How Secure Are You?
#Privacy

Jan 28, 2016
#DPD2016 is about respecting #privacy, safeguarding data and enabling trust. See #OAIC website for useful resources: http://bit.ly/VsJto1

Jan 28, 2016
Melbourne Hospital Hack Highlights Risk Of Sticking With Windows XP.
#infosec #hack #virus

Jan 28, 2016
Safeguard your privacy this summer: link between social media and break-ins.
#security #infosec #socialmedia #online

Jan 28, 2016
Cyber bullies should be prosecuted under Tasmania’s criminal code: Law Reform Institute
#cyber #auslaw #socialmedia

Jan 28, 2016
The Australian Government May Be Making Closed-Door Deals to Get Your Data.
#infosec #privacy #data #cloud

Jan 28, 2016
Australia: Four Tips to Improve Your Customers’ Data Security.
#data #security #infosec #privacy

Jan 27, 2016
Kay Lam-MacLeod @Idealaw
Digital journalist warns returning students to prepare for online bullying after 8 rape threats a day.

Jan 28, 2016
Cassandra Cross @DrCassCross
Cassandra Cross Retweeted ConsumerProtectionWA
It’s encouraging to see such a large reduction in losses though $4.9 million shows there is still work to be done
Cassandra Cross added,
ConsumerProtectionWA @ConsumerWA WA: Romance/relationship fraud tops list of scam types with $4.9 million lost in 2015 but it’s a 55% reduction compared to 2014. #Perthnews

Jan 20, 2016
Lani Refiti @LaniRefiti
Great to interview jodie siganto today for @aisa_national on mandatory breach reporting. Will put it up on Youtube this week #cybersecurity

Jan 22, 2016
Secure Computing @SCMagazineAU
Telstra trials data encryption of intercity backbone network: Promises simpler security for data traffic.

Jan 27, 2016
Australian Medical watchdog trawling metadata ‘jeopardises patient privacy’.
#privacy #infosec #medical #data

Jan 22, 2016
Rachael Falk @rachael_falk
Rachael Falk Retweeted AFP National Media
Take note- ‘we’d never send traffic infringement notices by email’ #scam
Rachael Falk added,
AFP National Media @AFPmedia This email is a #scam. We’d never send traffic infringement notices by email. Don’t pay money or click any links.

Jan 27
The Mandarin @TheMandarinAU
The ABS will retain your name and address after the 2016 @ABSCensus. But it was told not to. #auspol #privacy

Jan 20, 2016
PDF redaction is hard, NSW Medical Council finds out the hard way.
#InfoSec #Privacy #Medical

Jan 20, 2016
Victorian MP ‘likes’ porn after Twitter hack.
#InfoSec #SocialMedia #Hacked #SecurityIncident #Online

Jan 20, 2016
The best way to take on cyberbullies? Be reasonable.
#Cyber #Online #SocialMedia #CyberBullies

Jan 20, 2016
AGD stops Australia Post going cyber-Clouseau.
#InfoSec #MEtaData #Privacy #Governance #Data

Jan 20, 2016
Telcos say more changes needed to security reforms.
#Telco #ISP #InfoSec #Governance

Jan 20, 2016
Australia not prepared for cyber war; response to threats ‘slow and fragmented’.
#InfoSec #CyberWar #Cyber #Security

Jan 20, 2016
Australia: No agencies temporarily allowed to access telecommunications metadata.
#InfoSec #Privacy #Metadata

Jan 20, 2016
Virus takes down Melbourne Health’s computer system.
#InfoSec #SecurityIncident #Virus #Security

Jan 19, 2016
Online fraudsters top Aussie cybercrime blacklist.
#Security #CyberCrime #Online #Scam #Fraud #InfoSec

Jan 19, 2016
Leanne O’Donnell @MsLods
Threshold of ‘serious contraventions’ of the law is already in TIA Act (s 5E). It should be applied to data retention regime asap. #AusLaw

Jan 19, 2016
Cassandra Cross @DrCassCross
Cassandra Cross Retweeted sir jester
Come on people, 123456 is not a password!! It is the only thing between your account and the outside world. Respect it
Cassandra Cross added,
sir jester @sirjester Same list, different year! If you see your password on this list, change it immediately (via @thejournal_ie) http://jrnl.ie/2555689

Jan 19, 2016
Cassandra Cross @DrCassCross
Cassandra Cross Retweeted Author Elina Juusola
Book launch this Friday on one woman’s survival of romance fraud. A powerful and brave story which is all too common
Cassandra Cross added,
Author Elina Juusola @ejuusola #loveonthelinebook #launch register @avidreader4101. @chrisHcoaching @DrCassCross @stanup2scams @PornHarmsKids

Jan 19, 2015
A Canberra psychology clinic accidentally reveals clients’ personal details in email.
#privacy #compliance #InfoSec

Jan 19, 2016
Malcolm Turnbull Wants You To Mock ISIS Online.
#Security #SocialMedia #Online @TurnbullMalcolm

Jan 19
61 agencies after warrantless access to Australian telecommunications metadata.
#InfoSec #Privacy #Metadata #Telco
http://www.zdnet.com/article/61-agencies-after-warrantless-access-to-australian-telecommunications-metadata/

Jan 19, 2016
Australian Federal Police accidentally gave victim’s details to alleged attacker.
#Privacy #FOI #data

Jan 19, 2016
Australian Hyatt hotels hacked, guest credit card details stolen
#InfoSec #Hack #Breach #Security

Jan 15, 2016
A Witch Who Casts Viruses Out of Computers With Magic
“Not OZ #InfoSec News but had to tweet” – SK

Jan 7, 2016
eSafety Office @eSafetyOffice
We’re offering free customised online safety presentations for community groups across Australia. Register here http://bit.ly/1O5K4Fh

Jan 13, 2016
@qld_oic
Get Ready Qld gov agencies! Find out more about handling personal information in an emergency at http://www.oic.qld.gov.au/emergency #privacy

Jan 14, 2016
Australia: Vengeful retrenched employee allegedly took top trade secrets with her.
#InfoSec #InsiderThreat #HR

Jan 14, 2016
Australian Study: Cyber bullies hounding public servants.
#QUT #Cyber #Online #SocialMedia #Government

Jan 14, 2016
Australians join international protest against government ‘backdoors’ in encryption.
#Privacy #InfoSec #Security

Jan 14, 2016
Australia: Freelancer contests $20,000 privacy breach fine from OAIC.
#Privacy #Breach #InfoSec

Jan 14, 2016
Sydney man accused of making rape threats on Facebook pleads not guilty.
#AusLaw #Online #SocialMedia #Facebook
http://www.theguardian.com/australia-news/2016/jan/12/sydney-man-accused-of-making-threats-on-facebook-pleads-not-guilty

Jan 12, 2016
Australian small businesses shouldn’t be excused on #data #breach reporting, experts say @tyronmiller.
#InfoSec

Jan 5, 2016
Paul Farrell
An interesting determination from @OAICgov of breach of privacy laws over disclosure of tax/account information.

Jan 5, 2016
BOOK REVIEW: Surveillance. This begins with, “The day Australia lost its cyber innocence”.
#privacy #infosec #cyber

Jan 5, 2016
Australian InfoSec News – December 2015.
#privacy #InfoSec #AusLaw #security #Australia
