Tuesday, October 17, 2017
We Seem To Be Having More Than Our Fair Share Of Data Breaches And Leaks! All Is Not Well!
First this appeared:
Published: October 11 2017 - 12:58PM
A world-leading corporate consultancy and technology outsourcer left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both the provider and its thousands of clients.
Fairfax Media can reveal that Accenture — one of the world's largest corporate consulting and management firms that has offices across Australia, and is also behind the national e-health record system — inadvertently allowed files belonging to its clients to be publicly available.
While there is no evidence to suggest that Australia's e-health system was compromised by Accenture's unsecured servers, Fairfax Media can reveal that data belonging to ASX-listed Caltex Australia was exposed as part of the huge trove of highly sensitive information left unsecured.
At a size of 137 gigabytes, one exposed data set contained large information dumps that included credentials, some of which appear to be for Accenture clients. IT company UpGuard, founded by Australians and based in Mountain View, California, revealed the breach on Wednesday in a blog post and told Fairfax Media that Caltex Australia data was exposed.
"This cloud leak of Accenture's internal data, including access credentials that could potentially have been used to attack clients, highlights the sad truth of cyber risk in 2017: nobody is safe," UpGuard co-CEO Mike Baukes told Fairfax Media.
"If the biggest corporations on Earth cannot keep critical internal data from being exposed due to internal misconfigurations, this has got to tell you something about how unequipped most enterprises are to effect cyber resilience across their IT operations, and secure not only the data of other major corporations but, inevitably, of the individual customers most victimised by data exposures."
While many of the passwords contained in the exposed data were hashed — or mathematically transformed into an alphanumeric string — a collection of nearly 40,000 plaintext passwords was found present in one of the database backups. Access keys for Enstratus, a cloud infrastructure management platform, were also found exposed, potentially leaking the data of other tools coordinated by Enstratus. Information about Accenture's ASGARD database, as well as internal Accenture email info, is also contained in a set of the data.
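The distinction the article draws, between password columns that hold a hash and columns that still hold the plaintext, is exactly what a defender wants to check before a database backup ever leaves the environment. The following is an added example, not code from the article, from Accenture or from UpGuard: it scans a constructed CSV-style users dump (the format, the column names and every value in it are assumptions made up for illustration) and classifies each password field as a recognised hash format or as plaintext.

```python
"""Classify password-column values in a database backup as hashed or plaintext.

Added illustration only; the sample dump below is constructed and the
column layout is an assumption, not the format of any real backup.
"""
import csv
import io
import re

# Constructed sample backup: a users table dumped as CSV. All values are made up.
SAMPLE_BACKUP = """id,email,password
1,a@example.com,$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
2,b@example.com,5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
3,c@example.com,Summer2017!
4,d@example.com,$6$rounds=5000$saltsalt$9Jd3Zk0nXkKzYQ2zYp1vZ8qQwW1eY5rT7uI9oP0aS2dF4gH6jK8l
5,e@example.com,password
"""

# Recognisers for common stored-password formats. Order matters: the most
# specific patterns come first, and anything unmatched is treated as plaintext.
HASH_PATTERNS = [
    # bcrypt: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    # sha256-crypt ($5$) / sha512-crypt ($6$), optional rounds=, salt, digest
    ("sha-crypt", re.compile(r"^\$[56]\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]+$")),
    # bare hex digests: MD5 (32), SHA-1 (40), SHA-256 (64). Unsalted and fast,
    # so "hashed" here does not mean "safe"; it only means "not plaintext".
    ("hex-digest", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")),
]


def classify(value: str) -> str:
    """Return the name of the first matching hash format, else 'plaintext'."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return name
    return "plaintext"


def scan_backup(text: str, column: str = "password") -> dict:
    """Count hash formats in the given column and list rows stored in plaintext."""
    reader = csv.DictReader(io.StringIO(text))
    counts: dict = {}
    plaintext_rows = []
    for row in reader:
        kind = classify(row[column])
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "plaintext":
            plaintext_rows.append(row["id"])
    return {"counts": counts, "plaintext_rows": plaintext_rows}


if __name__ == "__main__":
    result = scan_backup(SAMPLE_BACKUP)
    print(result)
    if result["plaintext_rows"]:
        print("Backup holds plaintext credentials; do not export or archive it as-is.")
```

On the constructed input, rows 3 and 5 come back as plaintext and would block the export. Note that the hex-digest class catches unsalted MD5/SHA digests, which are far cheaper to crack than bcrypt or sha-crypt; a real pre-export check would treat that class as a finding too, not a pass.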
Accenture behind Australia's e-health system
Most concerning about the exposure is the fact that Australia's Department of Health and Ageing selected Accenture to design and implement Australia's Personally Controlled Electronic Health Record (PCEHR) system in August 2011. The initiative spans all Australia-based health systems and enables patients to manage care and records.
Fairfax Media does not suggest that Australia's e-health record system has been breached.
Australia's electronic health record system is opt-out, with Australians having to manually remove themselves from it if they don't want a health record that is accessible by many Australian health professionals and available via the online myGov portal.
Asked whether Accenture should be trusted with Australia's e-health record system given the exposure, an Accenture employee who declined to be identified said simply: "No."
Lots more here:
Then we had a Defence Contractor spring a leak!
A hacked Australian Defence subcontractor lost 30GB of highly sensitive documents on projects including the Joint Strike Fighter (JSF) program and the P-8 Poseidon “submarine killer” plane, as well as detailed designs of Australian Navy ships.
The government only disclosed the hack on Tuesday and has so far offered scant details.
But the Australian Signals Directorate (ASD) yesterday revealed a far more detailed post-mortem of its investigation into the hack in a presentation to the AISA national conference in Sydney.
ASD incident response manager Mitchell Clarke revealed that the attacker managed to gain “full, unfettered access to the environment” of the victim.
It is believed the attacker was “an APT [advanced persistent threat] group or nation state group”.
The ASD dubbed the attacker “APT Alf” after the Alf Stewart character in Australian soap opera Home & Away. “He’s just an angry dude,” Clarke said.
The victim was described as an Australian aerospace engineering firm “four levels of subcontracting down” from primary contractors to local and US Defence agencies, including Boeing and Lockheed Martin.
It was unclear exactly who the subcontractor had been working for.
The company had been vetted to work on US military projects through a scheme known as International Traffic in Arms Regulations (ITAR), though Clarke noted the vetting process is not particularly thorough.
Most of the 30GB of data that APT Alf managed to exfiltrate related to high-profile allied Defence projects.
The data included sensitive details of the Joint Strike Fighter (JSF) project being pursued by the US and its allies, including Australia.
The hacker also gained access to details of Lockheed’s C-130 planes, the Boeing P-8 Poseidon plane which is used for “long-range anti-submarine warfare”, Boeing’s Joint Direct Attack Munition (JDAM) smart bombs, and of “a few Australian naval vessels”.
“We found one document that was like a wire diagram of one of the Navy’s new ships,” Clarke said.
“You could zoom in down to the captain’s chair and see that it’s one metre away from the [navigator’s] chair – all very good exfil for the actor.”
What follows is a detailed account of what is known about the breach, from the perspective of the ASD who – along with CERT Australia – was jointly involved in forensic investigation of the hack, and in helping the victim to secure its network.
Both ASD and CERT Australia were tipped off to the incident by an undisclosed “partner organisation” at the start of November 2016, though the actual infiltration happened in July that year.
“The partner knew about the activity in July; it just took them a long time to go through the legal and regulatory processes to tell us,” Clarke said.
Vastly more here:
And we had the responsible Minister tell us some stats, with 15% more cyber incidents (that we know about) than last year:
Release Date: 10 October 2017
Today, business for cybercriminals is booming.
People are falling for online scams, email phishing, identity theft, credit card fraud, and ransomware at an alarming rate.
Yet these crimes continue to fly under the public radar.
This must change.
Last time I spoke at the National Press Club on cyber security, I highlighted the real threats to our national interest. I stated that cyber espionage is alive and well. I told you that threats to our Government systems and critical infrastructure were real. I warned that the risk of cyber terrorism will become a reality in a few years’ time.
All of this remains true.
Today, in launching the Australian Cyber Security Centre’s (ACSC) 2017 Threat Report, I would like to highlight how cyber security is not just the business of national security but something that must become second nature to all Australians.
Cyber security is not just the domain of our intelligence agencies or our Defence Forces to protect against stolen secrets and cyber-attacks.
Cyber security is as relevant for mums and dads, small business owners and local communities to keep their data, their money, and their identities secure.
This ACSC 2017 Threat Report is important because it gives us a clear understanding of the state of the cyber risks to our nation and to our local communities.
It allows us to see what we are doing right, what needs to be addressed and the priorities we need to immediately focus on.
The ACSC in the last 12 months has identified 47,000 cyber incidents, a 15 percent increase on last year.
Over half of these incidents were online scams or fraud, which saw an increase of over 22 percent.
In contrast, only one instance of cybercrime has fallen, the prevalence of illegal or prohibited material. This is down 3.1 percent.
Lots more here:
It is hard to believe that it is not on for one and all, and that the Government really has a balloon-like problem, with one leak being fixed as two others appear!
The sooner sensitive information is made much more distributed and better managed, reducing the scale and frequency of attacks, the better; and don't even think of trusting Government with any more data than you have to!
These two articles explain why.
Authored by Hugo Wilcken
In May 2017, Britain's National Health Service was hit by a particularly virulent cyberattack. Within just hours, thousands of computers and medical devices – including magnetic resonance imaging scanners, theatre equipment and blood storage refrigerators – had been contaminated by a virus known as WannaCry, triggering a digital lockdown to prevent further spread. Patient records were compromised and the problem became so serious that some hospitals had to turn away non-critical emergencies and divert ambulances to unaffected emergency departments, often many miles away.
WannaCry was what is known as ransomware, or a virus that typically encrypts a computer’s entire hard drive and then asks the user for a ransom fee to unlock it. Selling ransomware is one of the fastest growing businesses in the darker reaches of the internet, and while health care providers are by no means the only victims, they are a particular target.
“In the United States, around 88% of ransomware attacks have been against health care providers,” Dr Zubair Baig, a senior lecturer in cybersecurity at Perth’s Edith Cowan University, told MJA InSight.
Dr Baig, who is the co-author of a recent article on security attacks on electronic health systems, said that the most important thing health organisations can do to counter the threat of ransomware attacks is to craft a document that clearly explains to health practitioners what to do and what not to do when they receive suspect emails.
“It could be an email that appears to come from a legitimate source, but turns out not to be. If it has an attachment and you can’t verify the email’s legitimacy, do not open the attachment and report the incident to the IT department of your organisation,” Dr Baig said.
Ransomware is one of the greatest cybersecurity threats for health care providers, but it’s not the only one. A Viewpoint just published in JAMA outlines a number of other issues, including theft of patient medical information, denial-of-service attacks which freeze networks, and the hacking of medical devices such as insulin pumps or pacemakers.
Clinicians must practise "cyber hygiene", writes the New York-based Dr Mark Jarrett. This includes changing passwords on a regular basis, ensuring software is up to date, and installing cybersecurity software. Doctors should never assume that, just because their practice is small, they will not be a target of hackers or malware.
“The promise of improved care from a digital world will be broken, and patients could be placed at risk if cybersecurity is not made a priority issue.”
But, according to Dr Bernard Robertson-Dunn, an electronics engineer who chairs the Health Committee of the Australian Privacy Foundation, cybersecurity is not just an issue of greater vigilance on the part of health care providers. It’s also about how digital infrastructures are designed in the first place.
He points to the Australian government’s controversial My Health Record as an example of how not to digitally store and transmit patients’ records.
“The problem is that the government has implemented a system where if doctors want to share medical data, they first have to give them to the government, which centralises all the data. That creates a honeypot that is very attractive for hackers to hack into,” Dr Robertson-Dunn said.
“You don’t want centralised data, because they’re too vulnerable to hacking and, in any case, it’s unnecessary. The information should stay with the people who create and need it, and it should be shared among them.”
And the second is here:
The federal government is clearly sold on big data and is combining massive stores of sensitive public information. It needs to bring the public along but while privacy concerns abound, there’s little sign that many Australians share the enthusiasm.
The federal government is increasingly keen on big data, whether it’s used in academic research, private business or its own bureaucracy, but appears unsure of how to bring the public with it and establish confidence that it can be trusted to balance the benefits with risks to privacy.
A lot of people in government, business and research are very clear on the value of big data and keen to maximise its value by combining and sharing as much of it as possible to create the largest possible statistical resources.
This value is often explained in general terms as though it were self-evident that statistics are good, so more accurate and insightful statistics can only be a good thing. This generally fails to excite the general populace about the potential of valuable social and economic insights or useful new apps that rely on openly shared data.
At the same time, concerns about the erosion of individual privacy that has occurred at an accelerating pace over the past 20 years have grown and are now widely held. The level of concern, expressed dramatically through last year’s Census boycott movement, outweighs the level of explicit enthusiasm for big data analytics.
The Commonwealth has a growing list of data-related projects and is trying to sell their expected benefits. Assistant Minister for Digital Transformation Angus Taylor, who recently announced the Digital Transformation Agency had taken over responsibility for the “high value” data.gov.au and NationalMap platforms, plays the unofficial role of chief data evangelist.
Lots more here:
The right to simply be left alone is sure under attack in good old OZ!
Posted by Dr David G More MB PhD at Tuesday, October 17, 2017