Showing posts with label government. Show all posts

Happy New Year

Happy New Year!
Happy New Year from Security-Samurai.net!

Some interesting articles that recently caught my eye on the impending changes to the Privacy Act in Australia (courtesy of itnews.com.au):

  • Is your IP address personal information?
  • The Privacy Act and the cloud
  • Consent and the Privacy Act in the Big Data era
  • Are you ready for a data request deluge?

The posts raise some interesting points (such as whether your IP address or mobile phone number is PII) and highlight some of the challenges governments now face when trying to legislate privacy today.

    Cyber Defence Unit in Japan

    After a few recent high-profile data breaches, and all the global cyberwar press, here in Japan a Cyber Defence Unit (CDU) is being created, but not without what appears to be warranted criticism.

    No word on whether it will also include animal handlers for their incident investigation team.

    I think I speak for us all when I say we expected any Japanese military (or SDF) related unit with the word "cyber" in its name to include more of this kind of thing...!

    Once more unto the breach dear friends....

    The Australian Attorney-General's office has released the long-awaited Australian Privacy Breach Notification discussion paper [pdf]

    It seems to be generating interesting discussion both for and against.

    I have commented previously on data breach legislation and haven't really changed my view. The only thing I'd add is that maybe the 'public shaming' fallout isn't as bad as it used to be, simply as the result of so many companies being hacked.

    It is interesting that Information Security is back on the political agenda in Australia, as it is too in the United States, with President Obama considering using an executive order to reinstate the "Cybersecurity" bill that was previously defeated in the US Senate. Probably not surprising though, as it is an election year....

    I haven't read the AG's discussion paper in detail yet, but will hopefully get to it this weekend and provide my thoughts.

    Shaky Security Isles


    The New Zealand Government has suffered a major data breach...or have they? From the initial reporting it seems more like they had a gaping vulnerability that was found by a freelance journalist and blogger (Keith Ng) - although he had admitted to downloading the data and apparently then wiping it.

    So what can we learn from the published details?

    The breach was through physical access to kiosk terminals
    Despite the fact the kiosks have internet access, there is nothing I've seen so far to indicate the data was stealable from the internet. Physical access is always going to be trouble, so extra care needs to be taken. (Of course, if their remaining network security was as poor as this kiosk example, it may well have been even easier to steal this information from afar...)

    The kiosk terminals had full MS Office suite installed.
    The obvious question is why? Never install any software you don't need. In this case Keith Ng used the MS Office 'open file' dialog to access the underlying file structure to move and copy files.
    This leads to a greater question of why the (I assume) auto-logon account even had permission to access any file location with sensitive data.....

    The Kiosk terminals could access other internal network shares.
    Again, why? Once again least privilege was not applied here. If all the kiosks needed was intranet/internet access - then that is all they should be able to access. Bare minimum permissions - once again 'least privilege'. In fact they should have been on an isolated network (in a perfect world), but at the very least, firewalled from the sensitive stuff.

    The kiosk terminals allowed the use of USB mass storage devices
    Obviously a bad idea. Even if you needed to allow Joe Public to upload data, the USB ports can be set to read only via a registry setting. Better still, disable them completely (physically if need be). One can only wonder if the terminals also allowed booting from USB.....

    The Kiosks were running Windows 2000 and XP.
    Considering they were installed 'just over a year ago' I really hope the reporter got it wrong. Windows 2000? Really? XP is bad enough, but at least it will be supported for a few more years. Windows 2000 support ended quite a while ago - which means no security updates or patches (which makes enabling USB drives even worse....)
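The five lessons above boil down to checks an administrator can run against a kiosk before (and after) it goes live. The following PowerShell script is an added example and is not code from the original post or from the New Zealand agency involved; it performs a read-only audit of the points raised: a supported OS version, USB mass storage disabled or write-protected, no Office suite installed, a non-administrative logged-on account, and no reachability to internal file shares. It assumes Windows 10 or later with PowerShell 5.1; the share paths and host names are placeholders for whatever the kiosk must not be able to reach, and the two USB registry values are the standard Windows ones (the USBSTOR service's Start value and StorageDevicePolicies\WriteProtect).

```powershell
# Added example (not from the original post): read-only hardening audit for a Windows kiosk.
# Assumes Windows 10+ and PowerShell 5.1. Run it under the kiosk's own auto-logon account
# so the share-reachability checks reflect that account's real permissions.

# Placeholders: replace with the shares/hosts the kiosk must NOT be able to reach.
$SensitivePaths = @('\\FILESERVER\HR$', '\\FILESERVER\Finance')
$InternalHosts  = @('fileserver.internal.example')

function Get-RegValue {
    # Returns the named registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Add-Check {
    # Appends one pass/fail row to the report list.
    param($List, [string]$Check, [bool]$Pass, [string]$Detail)
    $List.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

function Get-KioskHardeningReport {
    $results = New-Object System.Collections.Generic.List[object]

    # Lesson: unsupported OS. Windows 2000 reports 5.0 and XP 5.1; this audit treats
    # anything older than Windows 10 as a failure (a policy choice for this example).
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version
    Add-Check $results 'Supported OS version' ($ver.Major -ge 10) "$($os.Caption) ($($os.Version))"

    # Lesson: USB mass storage. Start = 4 disables the USB storage driver entirely;
    # WriteProtect = 1 makes any USB storage that is allowed read-only.
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    Add-Check $results 'USB mass storage driver disabled (USBSTOR Start = 4)' ($usbStart -eq 4) "Start = $usbStart"
    $wp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect'
    Add-Check $results 'USB storage write-protected (WriteProtect = 1)' ($wp -eq 1) "WriteProtect = $wp"

    # Lesson: unnecessary software. Look for an Office suite in the uninstall registry.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $office = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -like 'Microsoft Office*' -or $_.DisplayName -like 'Microsoft 365*' }
    Add-Check $results 'No Office suite installed' (-not $office) (($office.DisplayName | Select-Object -Unique) -join ', ')

    # Lesson: least privilege. The running account should not hold the Administrator role,
    # and the auto-logon user (if configured) is reported for review.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $autoUser  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'DefaultUserName'
    Add-Check $results 'Logged-on account is not a local administrator' (-not $isAdmin) "running as $($identity.Name); auto-logon user: $autoUser"

    # Lesson: network isolation. Sensitive shares must not be readable, and SMB to
    # internal file servers should be blocked at the firewall.
    foreach ($p in $SensitivePaths) {
        $reachable = Test-Path -Path $p -ErrorAction SilentlyContinue
        Add-Check $results "Sensitive share not readable: $p" (-not $reachable) $(if ($reachable) { 'readable' } else { 'not accessible' })
    }
    foreach ($h in $InternalHosts) {
        $open = Test-NetConnection -ComputerName $h -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Check $results "SMB (445) blocked to $h" (-not $open) $(if ($open) { 'port open' } else { 'port closed/filtered' })
    }

    return $results
}

# Any row with Pass = False is a finding to fix before the kiosk is exposed to the public.
Get-KioskHardeningReport | Format-Table -AutoSize
```

The script only reads state and never changes it, so it is safe to schedule as a recurring check; a row flipping from True to False (a share that suddenly became readable, a USB driver re-enabled by an update) is the kind of drift that turns a hardened kiosk back into the one described above.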

    There is also some discussion about whether Keith should be charged. Personally I think he didn't need to go as far as downloading data and "taking it home for analysis" in order to confirm the poor security state of the kiosks. But he wouldn't be the first to be prosecuted for embarrassing a government or organization by publicizing its poor security...

    *edit*: I rather like this opinion piece on the matter. It is probably closer to the mark than we'd like to think. Keith did get 'tipped off' about the vulnerability. Could it have been a disgruntled (or perhaps outraged) insider?

    2011 - almost all over red rover.

    2011 has almost come to a close, and it may well be remembered as the year when data breaches truly went mainstream.

    Vodafone kicked off the year, exposing customer data through shared/poor passwords on an internet accessible customer management system. Vodafone went into damage control, resetting employee passwords daily and eventually some staff were fired as a result.

    Then came Sony! Sony's massive multiple breaches (aka the 'sownage') made ongoing front page news and caused plenty of concern in boardrooms around the world due to its scope and the high-profile nature of the target (I mean, who doesn't have a Sony product at home somewhere!?!).

    Less noteworthy for many outside the industry, but a bombshell for those of us in it, was the RSA data breach. When the company whose technology is used to secure millions was so easily penetrated and 'something' stolen (did they ever give a clear indication as to what?), many people started questioning the security of their multi-factor authentication provider. RSA offered new tokens and assured all was well - until Lockheed Martin was breached and pointed the finger at the RSA attackers.

    Showing that hacking knows no industry vertical boundaries, email marketing giant Epsilon was also popped, exposing the details of many customers of some of the world's top companies.

    Closer to home, web hosting provider Distribute.IT was pwned and driven out of business in a particularly malicious and destructive attack. While the cops got their man, it was too late for many of the company's customers who lost all of their data.

    Corporate 'hacking' made the mainstream news - or indeed was the mainstream news - when Rupert Murdoch's News of the World UK newspaper was outed as having been routinely hacking voicemail messages of celebrities and victims of crime. The main outrage was the claim that journalists had deleted voicemails of an abducted young girl  - a claim that has now been claimed to be inaccurate. Nonetheless the scandal was enough to have Murdoch shut down the paper, and not rule out shutting down a second.

    Journalist hackers have been in trouble here in Australia as well, with the Melbourne Age Newspaper under investigation for hacking a database of a political party.

    Certificate Authorities weren't immune either, with Diginotar hacked and issuing valid certificates for bad guys. The end result was game over for the Dutch CA, but with unverified claims from the hacker that he's pwned other CAs as well.

    High-profile data breaches came to Japan in 2011: first it was Sony (as mentioned above), followed by the Japanese parliament and defence contractor Mitsubishi Heavy Industries. Japanese parliamentarians were reported to be using their personal devices to store confidential government data, which has other implications all of its own.

    Proving that no good deed goes unpunished, First State Super in Australia provided a textbook-like lesson on how not to deal with reported vulnerabilities in web applications by attempting to shoot the messenger. Thankfully a rethink meant the messenger was spared, but the public humiliation remained, along with the potential loss of a multi-million dollar deal.

    Australia's biggest Telco, Telstra, helped keep data loss in the news when it was revealed an internal customer database was accidentally exposed to the internet. Perhaps having learnt the lesson of First State Super, Telstra declined to shoot any messengers and reacted fairly swiftly, taking down the site and contacting 60,000 affected customers. However, it wasn't enough to avoid an investigation by the Privacy Commissioner, nor a phishing campaign.

    I'm sure there were others that escape me at the moment, but nonetheless these examples alone show that data loss and intrusion were big news in 2011. With more press comes a growing customer awareness that companies may not be securing personal data as the public expects and perhaps a growing pressure from consumers for companies to meet higher data protection standards. Or will increased awareness and reporting mean we end up with 'breach fatigue' where data breaches become so common consumers just tune out?

    Here in Australia, data protection (or 'cybersecurity') recently moved from the Attorney-General's Office to the Department of Prime Minister & Cabinet (an area which has had its own problems in the past), so it remains to be seen what (if any) legislative changes are made here and whether we end up with any kind of mandatory breach notification laws or legislated security controls.

    Time will tell! Onwards to 2012!

    Toys for the boys

    I think anyone working in corporate IT (and especially security) is dealing with the headaches of the 'iPad invasion' (which extends well beyond Apple's 'must-have' products to all things new and shiny).

    While I can understand the clamor of users who want the newest gadgets (IT staff can be the worst offenders), there is always the need to balance the implementation of such devices with the overall security requirements of the organization.

    While it's easy to argue that companies should just allow BYOD policies and protect the data rather than the perimeter or the endpoint, actually implementing these changes can be a daunting task for many organizations, and an expensive one in terms of dollars and manpower, with the business benefits (in terms of productivity rather than simply goodwill) not always apparent.

    This recent article about the trial of iPads by the Western Australian Government highlights many of the problems faced today. I am personally appalled at the parliamentarians who "threatened "industrial action" if iPads were not considered in the list of devices available as part of their laptop allowance" and who are quoted as saying: "We told them, 'If you don't give it to us, we will turn around and pass a law so you will give it to us!'".
    Way to abuse your powers, jerk.

    Sharing Government documents was also highlighted as a problem, with parliamentarians using the cloud storage service Dropbox (which has had its own security problems), claiming "We are only one FOI [Freedom of Information] request away from having to hand it over anyway...So it's not something we have been focusing on".
    If that is the case, why protect any parliamentary documents at all? Post everything on a public website. Because it's not like governments ever deny FOI requests.

    Threatened abuse of lawmaking powers and throwing taxpayer dollars on a device based more on marketing than an actual use-case. I'm just glad I don't live in W.A....

    The Wild West

    A friend passed this report [pdf] into Information Systems Security from the Western Australian Auditor General.

    Key findings:

    • Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
    • We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans. We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.
    • Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the Internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established.
    • Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable:
      • Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
      • Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks. Without a risk assessment, agencies will not know their exposure levels and potential impacts on their business.
      • Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
    • Nearly all the agencies we examined had recently paid contractors between $9 000 to $75 000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats.

    Some serious findings indeed, but it's good to see the Government performing these kinds of assessments and trying to get some traction on remediation of findings.

    Whilst reading the report consider how well your organization would have fared in this type of assessment.

    I also found the link for the 2010 report [pdf] for comparison.

    Cybertarget: Australia

    The Australian is reporting on a preview of a report from the Kokoda Foundation that "paints a damning and frightening picture of a complacent nation that has not grasped the scale of the threat posed by cyber hackers to national security, the economy and personal privacy".

    Some interesting points made by the article are that "Australia has the fifth-highest level of malware infections in the world" and "the country still lacks a whole-of-nation, government-led integrated long-term National Cyber Strategy and Plan".

    The latter point is not really surprising. Does it sound more familiar if it is changed to "the organization still lacks a whole-of-company, executive-led integrated long-term Information Security Strategy and Plan"?
    From my discussions with friends in the security industry, once you get outside of the big banks and major financial institutions, Information Security in Australia is still commonly an afterthought or an 'IT problem'. Hopefully this attitude is changing, especially with the incredible amount of reporting on incidents such as Wikileaks.

    The Kokoda Foundation report should be available later this month.

    Hackers, Fraudsters and Politicians.

    The House Standing Committee on Communications have released the results of their findings into Cybercrime in a report entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.

    I haven't had a chance to digest the near 300-page document yet, but news.com.au has reported some interesting excerpts from it:

    Among its final 34 recommendations were:

    — The creation of an around-the-clock cyber crime helpline.

    — Changes to the law to make unauthorised installation of software illegal.

    — Companies who release IT products with security vulnerabilities should be open to claims for compensation by consumers.

    That last point seems to be the most potentially controversial and problematic, but I'll hold judgement until I've had a chance to read the entire report...
