The week in security: Privacy Act changes kick in as Telstra, Immigration busted

New requirements around the handling of personally identifiable information came into effect after months of preparation, although many companies were still trying to figure out the implications of the Privacy Act 1988 changes.

Experts warned that healthcare and point-of-sale vulnerabilities would be tested under the new laws, which came into effect even as European politicians approved a new data-protection law – although critics were quick to point out that the law falls short of making large companies report breaches.

Every public and private-sector organisation needs to consider the ICT security controls required to ensure compliance with the new regulations, with one high-profile chief privacy officer warning that it must be a multi-disciplinary effort across IT, engineering, legal and business organisations. And, for its part, Australian firm Ground Labs launched Data Recon, a tool for finding personally identifiable information hidden in corporate networks.

The potential consequences of a breach became painfully clear after dozens of asylum seekers announced they would sue Australia's Department of Immigration and Citizenship after it leaked their personal details online. A UK citizen-action group was up in arms after a healthcare provider uploaded sensitive healthcare data to a Google cloud service for analysis. And, a Symantec security expert revealed, criminals are still trying to trick Web users into loading malware using digital certificates stolen from now-defunct certificate authority DigiNotar in 2011.

Telstra released its first transparency report and revealed it had received around 40,000 requests for customers' personal information in 2013. Yet it was Telstra's own significant breach of personal data, called out by the Office of the Australian Information Commissioner (OAIC) on the eve of the new privacy laws, that got the carrier even more attention.

A report from FireEye – which announced a $US460 million ($A510 million) secondary offering to fund expansion – found that email attacks have given way to Web malware, which is now favoured 5 to 1 by cybercriminals. Figures from Twitter confirmed the trend as email-borne attacks dropped from 110 million per day to a few thousand. Many of the growing number of Web attacks are in the form of malware-bearing Web ads, which outpaced pornography for the first time to become this year's biggest threat to mobile users.

Little wonder, with malicious advertising offering a broad reach and quick rewards for malware authors. Yet malware is only one part of the online criminal profile, with the 'dark web' rising in profile and seediness.

Compromised Bitcoin exchange Mt Gox filed for bankruptcy in the US even as revelations suggested it had stayed open despite knowledge of large-scale theft from its Bitcoin reserves. The incident has many people wondering whether digital currencies can ever be secure.

Meanwhile, compromised ex-NSA employee Edward Snowden called on attendees at SXSW to do whatever they can to make the NSA's job a bit harder. The security staff at US retailer Target might have done more of the same, with McAfee suggesting the hackers had detailed knowledge about its network. Target also revealed, tellingly, that it had detected but dismissed early signs of the breach.

A California court ordered that phone records collected by the government not be destroyed until further notice, contradicting the recent order of the country's secret Federal Intelligence Surveillance Court. Ironically, big data is still a new frontier for most public-sector authorities, experts note.

Malware, however, is apparently not, as the NSA faced accusations it was planning to intentionally infect millions of computers with surveillance software, although US lawmakers declined to quiz the new head of the NSA about the allegations.

Even where lawmakers were clamping down on alleged computer fraud, the allegations were shaky, one legal expert warned.

Meanwhile, the world watched as Malaysia Airlines flight MH370 seemingly disappeared into thin air with numerous tech executives aboard, as some experts warned that the episode showed technology is the weakest link in air transport.

Closer to home, a large DDoS attack capitalised on WordPress's pingback feature even as experts warned that DDoS attacks are still a significant threat and likely to grow further as hackers plan massive NTP amplification attacks.

Also in security, researchers said they had figured out how to bypass secured Internet connections to access personal information. Others figured out how to bypass a security protection in Apple's iOS 7. Such breaches are likely to become even more common for organisations that decide to stick with Windows XP – which was revealed to be even more vulnerable in the latest Patch Tuesday update – after Microsoft withdraws support for the operating system next month. Yet hackers are already doing pretty well with current software, pocketing over $US400,000 ($A443,000) on the first day of the Pwn2Own hacking contest and managing to compromise all major browsers.
