The week in security: Privacy Act changes kick in as Telstra, Immigration busted

New requirements around the handling of personally identifiable information came into effect after months of preparation, although many companies were still trying to figure out the implications of the Privacy Act 1988 changes.

Experts warned that healthcare and point-of-sale vulnerabilities would be tested under the new laws, which came into effect even as European politicians approved a new data-protection law – although critics were quick to point out that the law falls short of making large companies report breaches.

Every public and private-sector organisation needs to consider the ICT security controls required to ensure compliance with the new regulations, with one high-profile chief privacy officer warning that it must be a multi-disciplinary effort across IT, engineering, legal and business organisations. And, for its part, Australian firm Ground Labs launched Data Recon, a tool for finding personally identifiable information hidden in corporate networks.

The potential consequences of a breach became painfully clear after dozens of asylum seekers announced they would sue Australia's Department of Immigration and Citizenship after it leaked their personal details online. A UK citizen-action group was up in arms after a healthcare provider uploaded sensitive healthcare data to a Google cloud service for analysis. And, a Symantec security expert revealed, criminals are still trying to trick Web users into loading malware using digital certificates stolen from now-defunct certificate authority DigiNotar in 2011.

Telstra released its first transparency report and revealed it had received around 40,000 requests for customers' personal information in 2013. Yet it was Telstra's own significant breach of personal data, called out by the Office of the Australian Information Commissioner (OAIC) on the eve of the new privacy laws, that got the carrier even more attention.

A report from FireEye – which announced a $US460 million ($A510 million) secondary offering to fund expansion – found that email attacks have given way to Web malware, which is now favoured 5 to 1 by cybercriminals. Figures from Twitter confirmed the trend as email-borne attacks dropped from 110 million per day to a few thousand. Many of the growing number of Web attacks are in the form of malware-bearing Web ads, which outpaced pornography for the first time to become this year's biggest threat to mobile users.

Little wonder, with malicious advertising offering a broad reach and quick rewards for malware authors. Yet malware is only one part of the online criminal profile, with the 'dark web' rising in profile and seediness.

Compromised Bitcoin exchange Mt Gox filed for bankruptcy in the US even as revelations suggested it had stayed open despite knowledge of large-scale theft from its Bitcoin reserves. The incident has many people wondering whether digital currencies can ever be secure.

Meanwhile, ex-NSA employee Edward Snowden called on attendees at SXSW to do whatever they can to make the NSA's job a bit harder. The security staff at US retailer Target might have done more of the same, with McAfee suggesting the hackers had detailed knowledge about its network. Target also revealed, tellingly, that it had detected but dismissed early signs of the breach.

A California court ordered that phone records collected by the government not be destroyed until further notice, contradicting the recent order of that country's secret Federal Intelligence Surveillance Court. Ironically, big data is still a new frontier for most public-sector authorities, experts note.

Malware, however, is apparently not, as the NSA faced accusations it was planning to intentionally infect millions of computers with surveillance software, although US lawmakers declined to quiz the new head of the NSA about the allegations.

Even where lawmakers were clamping down on alleged computer fraud, the allegations were shaky, one legal expert warned.

Meanwhile, the world watched as Malaysia Airlines flight MH370 seemingly disappeared into thin air with numerous tech executives aboard, as some experts warned that the episode showed technology is the weakest link in air transport.

Closer to home, a large DDoS attack capitalised on WordPress's pingback feature even as experts warned that DDoS attacks are still a significant threat and likely to grow further as hackers plan massive NTP amplification attacks.

Also in security, researchers said they had figured out how to bypass secured Internet connections to access personal information. Others figured out how to bypass a security protection in Apple's iOS 7. Such breaches are likely to become even more common for organisations that decide to stick with Windows XP – which was revealed to be even more vulnerable in the latest Patch Tuesday update – after Microsoft withdraws support for the operating system next month. Yet hackers are already doing pretty well with current software, pocketing over $US400,000 ($A443,000) on the first day of the Pwn2Own hacking contest and managing to compromise all major browsers.
