Australia's on-again, off-again debate about data breach notification laws is on again, courtesy of a report into financial system regulation, at least until the government cans the idea (again).
Register readers will recall that a Privacy Alerts bill was proposed by the previous government before the 2013 election, then delayed, re-introduced in March, and abandoned in June by the current government.
Now, the federal government's Financial System Inquiry has issued an interim report (PDF) that recommends the government re-examine the issue.
As the report states: “Access to growing amounts of customer information and new ways of using it have the potential to improve efficiency and competition, and present opportunities to empower consumers. However, evidence indicates these trends heighten privacy and data security risks”.
To cover these risks, the report unequivocally backs “mandatory data breach notifications to affected individuals and the Australian Government agency with relevant responsibility under privacy laws”.
At the same time, the report seems to take issue with current attitudes to cloud computing, particularly in relation to offshore storage of Australian data. The Australian Prudential Regulation Authority, it says, should be advised of “continuing industry support for a principles-based approach to setting cloud computing requirements”, and the government should review record-keeping rules that currently inhibit “cross-border information flows”.
Digital identities are also highlighted in the report, with the government urged to pursue “a national strategy for promoting trusted digital identities”.
The FSI is seeking comment on the interim report until 26 August 2014, and has until November 2014 to issue its final report.
Wednesday, 16 July 2014
Flaw in Google's Dropcam sees it turned into SPYCAM
Hackers could inject fake video into the popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say.
The wide-ranging attacks are tempered by the need for the attacker to have physical access to the device, but the exploits offer the chance to inject video frames into the camera's feed (handy for burglars), intercept video, and exploit the Heartbleed vulnerability to pull passwords and the SSL server's private key.
Dropcam makes a video monitoring platform and was last month snapped up by Google's Nest Labs for $US555 million.
Wardle (@patrickwardle) and Moore (@colbymoore) of the California security firm Synack reverse-engineered Dropcam's hardware and software and discovered vulnerabilities that could allow malware to be implanted on the devices, which could then be used to attack home or corporate networks.
"If someone has physical access, it's pretty much game over," Wardle told DarkReading.
"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the Dropcam DNS server, and the camera would beacon out."
The duo will describe how a Dropcam could morph into an attack point within a user's network in a talk, "Optical Surgery: Implanting a Dropcam", at the upcoming DEF CON 22 conference in Las Vegas next month.
They will recount the reverse-engineering effort that led to the "full compromise of a DropCam": with physical access and "some creative hardware and software hacks", arbitrary malware can be persistently installed on the device. They will also show how to infect the Windows or Mac OS X machines used to configure a compromised Dropcam.
Wardle said the cameras should be subject to the same security checks as regular computers given their capabilities and vulnerabilities.
Dropcam was found to be running a Heartbleed-vulnerable version of OpenSSL (the affected releases are 1.0.1 through 1.0.1f; the bug is CVE-2014-0160) alongside the Unix utility suite BusyBox.
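Client-side Heartbleed, as Wardle's quote describes it, works because the vulnerable OpenSSL heartbeat handler trusts the two-byte payload length carried in the message and copies that many bytes back to the peer, whatever the size of the record it actually received. A server the camera has been tricked into beaconing to (for instance via a spoofed DNS answer) can therefore read the camera's memory. The following is an added illustration, not code from Synack, Dropcam or OpenSSL: a minimal Python model of the heartbeat message in its RFC 6520 layout, with the pre-fix logic beside the bounds check that OpenSSL 1.0.1g introduced. The TLS transport is left out, and the ADJACENT_HEAP bytes and the "ping" payload are constructed stand-ins for the memory that sits past the end of the received record.

```python
"""Added example: a model of the OpenSSL heartbeat bug (CVE-2014-0160).

Not Dropcam, Synack or OpenSSL code. Only the heartbeat message handling
that mattered is modelled, in the RFC 6520 layout:

    type(1) | payload_length(2, big-endian) | payload | padding(>= 16)

A spoofed server sends the camera a request whose payload_length far
exceeds the bytes it actually sent; the unpatched client answers with
that many bytes, read from whatever follows the record in memory.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # type + payload_length

# Constructed stand-in for whatever sits in the heap after the received
# record; in the real bug this held credentials, keys and session data.
ADJACENT_HEAP = b"wifi_psk=correct-horse;session=deadbeef;" + b"\x00" * 48


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A claimed_len larger than len(payload)
    produces the malicious message an attacker's server would send."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record: bytes) -> bytes:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: trust payload_length and copy that
    many bytes starting at the payload, running past the end of the record."""
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    # Model of process memory: the record followed by unrelated heap contents.
    memory = record + ADJACENT_HEAP
    payload = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def patched_respond(record: bytes) -> bytes:
    """OpenSSL 1.0.1g behaviour: check the claimed length against the record
    actually received and silently discard the message if it does not fit."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return b""
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return b""  # the bounds check the original code lacked
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything in the response payload beyond what the requester sent,
    i.e. memory that should never have left the peer."""
    if len(response) < HEADER_LEN:
        return b""
    payload_len = struct.unpack("!H", response[1:HEADER_LEN])[0]
    payload = response[HEADER_LEN:HEADER_LEN + payload_len]
    return payload[len(sent_payload):]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    evil = build_heartbeat(b"ping", claimed_len=0xFFFF)
    print("honest request, patched peer leaks:", leaked_bytes(patched_respond(honest), b"ping"))
    print("evil request, patched peer replies:", patched_respond(evil))
    print("evil request, vulnerable peer leaks:", leaked_bytes(vulnerable_respond(evil), b"ping"))
```

The check in `patched_respond` is the same comparison the OpenSSL fix added (one byte of type, two of length, the claimed payload and sixteen bytes of padding must all fit in the received record); an honest request still gets its payload echoed, while the oversized one is dropped without a reply. On a device where you can get a shell, `openssl version` tells you whether the library falls in the affected 1.0.1 to 1.0.1f range.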
GCHQ leak lists UK cyber-spies' hacking tools
A document that appears to list a wide variety of GCHQ's cyber-spy tools and techniques has been leaked online.
It indicates the agency worked on ways to alter the outcome of online polls, find private Facebook photos, and send spoof emails that appeared to be from Blackberry users, among other things. The document is alleged to have been among those leaked by former US intelligence analyst Edward Snowden.
One expert said the release, published on the site The Intercept, was "damaging".
Alan Woodward, a security consultant who has done work for GCHQ, the UK's intelligence agency, said: "If you read the mission statement of any signals intelligence organisation, all the listed techniques are what you'd expect them to be doing.
"But it's very unhelpful for the details to leak out because as soon as you reveal to people how something is being done they can potentially take steps to avoid their information being collected.
"We've already seen it happen when various forms of interception were revealed previously with the Snowden leaks."
Glenn Greenwald, the journalist who published the latest document, noted in his article that an earlier inquiry by the European Parliament's Civil Liberties Committee had called into question the "legality, necessity and proportionality" of the data-collection activities of GCHQ and the US National Security Agency (NSA), for which Mr Snowden worked.
He also highlighted that the article's publication coincided with the start of a legal challenge brought by Privacy International, Liberty and other civil rights groups that claimed the UK's security agencies had acted unlawfully.
However, GCHQ denies it is at fault.
"It is a longstanding policy that we do not comment on intelligence matters," it said in a statement.
"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee."
Swamp donkey
More than 100 projects are included in the document, which appears to be from a Wikipedia-style listing for GCHQ's Joint Threat Research Intelligence Group.
Many involve eccentric codenames.
For example, the ability to send an audio message to a large number of telephones and/or "repeatedly bomb" a target number with the same message is called Concrete Donkey - the name of a weapon in the video game Worms.
Other examples include:
- Angry Pirate - a tool to permanently disable a target's account on their computer
- Bomb Bay - the capacity to increase website hits/rankings
- Cannonball - the ability to send repeated text messages to a single target
- Gestator - a tool to make a message, normally a video, more visible on websites including YouTube
- Glitterball - software to help agents carry out operations in Second Life and other online games
- Birdstrike - Twitter monitoring and profile collection
- Fatyak - public data collection from the business-focused social network LinkedIn
- Spring Bishop - a tool to find private pictures of targets on Facebook
- Changeling - the ability to spoof any email address and send messages under that identity
- Bearscrape - a tool to extract a computer's wi-fi connection history
- Miniature Hero - the ability to source real-time call records, instant messages and contact lists from Skype
- Swamp donkey - a way to send a modified Excel spreadsheet document that silently extracts and runs malware on the target's computer
- Underpass - a tool to change the result of online polls
Analysis: Gordon Corera, security correspondent
The latest revelations suggest that GCHQ is developing a wide range of capabilities which go beyond the simple gathering of information and into the realms of covert action.
This is another traditional part of the work of spy agencies but one they prefer to keep clandestine and therefore "deniable".
According to the documents, this appears to range from disrupting an individual's online activity to broader "information operations" to influence opinion in other countries.
What is not clear from the document is how far these capabilities have actually been deployed and put into action and against whom.
Almost every state is secretly developing capabilities to disrupt their opponents in cyberspace but they do not like talking about them or having them revealed in public.
'Chinese menu'
It is not clear exactly how out-of-date the list is.
The document states it was last modified in July 2012, but includes a note saying: "We don't update this page anymore, it became somewhat of a Chinese menu for effects operations."
Staff are instead directed to an alternative page, which has not been leaked.
"The accusation that GCHQ has been manipulating polls and influencing and distorting political discourse is incredibly serious," said Emma Carr, acting director of the Big Brother Watch campaign group.
"The UK is always the first to point the finger at countries if there is a whiff of corruption or interference within a democratic process, so if senior ministers are aware that this is taking place then this absolutely stinks of hypocrisy.
"It is essential that the government directly addresses these accusations, otherwise they are at risk of losing the international moral high ground."
CNET attacked by Russian hacker group
A Russian hacker group has attacked the news site CNET. It later said it stole usernames, encrypted passwords and emails for more than one million users.
CNET said a representative from the group, which calls itself 'w0rm', informed it about the hack via a Twitter conversation. A spokeswoman for CBS Interactive, the owner of CNET, said the firm had "identified the issue and resolved it".
According to CNET, w0rm offered to sell the database for 1 Bitcoin, or $622.
But it added that the hacking group said the plan to sell the database was to gain attention and "nothing more".
Improve security?
The representative of the group claimed that it hacked CNET servers to improve the overall security on the internet.
The group has claimed to have successfully hacked the BBC last year, as well as websites of Adobe and Bank of America.
It says that by targeting high-profile websites it can raise awareness of security issues.
"[W]e are driven to make the Internet a better and safer [place] rather than a desire to protect copyright," the representative said in a Twitter exchange with CNET.
On Monday, the representative offered a security solution to CNET by tweeting: "#CNET I have good protection system for u, ping me".
According to CNET, 27.1 million unique users visited its desktop and mobile sites in the US in June this year.