The Weekly Cybers #23
Medibank and Optus cyber practices slammed, Australia’s FOI regime also, and yet more new eSafety rules.
Welcome
The prospect of nuclear reactors in Australia dominated the news from Canberra this week, but it’s outside the scope of this newsletter, so what else?
Court filings highlight the shoddy cybersecurity which led to the data breaches at both Medibank and Optus. Our freedom of information processes cop some criticism. And the eSafety Commissioner registers two new industry standards.
Surprise! Australia’s FOI regime is a bit meh
Australia’s freedom of information (FOI) regime suffers from informational bottlenecks, inadequate resources, and a lack of understanding or commitment to FOI principles, according to a new report from Monash University.
The report, The culture of implementing Freedom of Information in Australia, highlights both a lack of funding and cultural problems.
A culture of “damage control” and reluctance to release sensitive information was found to create significant challenges for FOI coordinators, who struggle to comply with legislation while perpetually underfunded in terms of staffing. The report underscores the critical need for adequate funding to support FOI processes, promoting transparency and the effective operation of FOI Acts.
The report also notes a “concerning lack of engagement from government ministers”.
Meanwhile the independent MP for Indi, Helen Haines, reckons the Albanese government is More secretive than the Morrison government.
Third big-4 bank joins ConnectID
ANZ has become the third bank to join ConnectID, the verifiable credentials service operated by Australian Payments Plus — which also runs eftpos, BPAY, and the National Payments Platform branded as Osko.
The first two big banks on board were NAB and CBA.
ConnectID is one of a handful of service providers certified under the government’s Trusted Digital Identity Framework (TDIF), a system which predates modern digital wallets and verifiable credentials.
This regime will soon be replaced by the Australian Government Digital ID System (AGDIS) following the passing of the new Digital ID Act earlier this year.
The government is currently running an open consultation on how the new system will work, including accreditation rules and data standards. Submissions close this coming Tuesday 25 June.
eSafety standards tackle “worst of the worst”
On Friday the eSafety Commissioner registered two new industry standards to tackle those now-familiar phrases, “worst-of-the-worst online content” and “child sexual abuse and pro-terror material” — the so-called Class 1A and Class 1B material.
As the Guardian reports, the commissioner’s office says it “does not advocate building in weaknesses or back doors to undermine privacy and security on end-to-end encrypted services”.
That said, watch out for language such as the phrase “upload moderation” used by the European Union. This means monitoring the content on users’ devices before it becomes part of the “communication”, so technically the encryption hasn’t been broken.
EU proposal for on-device scanning withdrawn
The EU Council was due to vote on exactly such a proposal today, but the vote has been cancelled.
Meanwhile, I haven’t had a chance to read the actual codes in full, so I may have more to say next week.
Optus should’ve spotted hack potential years ago
The 2022 Optus data breach was facilitated by an access control coding error, according to documents (PDF) filed in the Federal Court this week.
The previous version of events, that hackers had broken into the Optus network through an internet-facing access point without authentication controls, is confirmed.
However the Australian Communications and Media Authority (ACMA) says that while there had been access controls previously, those controls had been weakened by a code change.
ACMA claims Optus should have known about the flaw four years earlier than it did, because it had at least three chances to find and fix the fault.
This case returns to the Federal Court for a case management hearing on 13 September.
Meanwhile Justice Jonathan Beach has said there’s a “possibility” that ACMA’s case against Optus could be merged with the class action being run by Slater & Gordon because there would likely be “overlapping issue” between the cases.
Are you finding this newsletter useful? Please do forward it to a friend or otherwise spread the word. Seeing the subscriber numbers steadily increasing is good for my self-esteem.
Also in the news
- As with Optus, the Medibank hack of August 2022 was also down to poor cyber practices, including no 2-factor authentication and a slow response, according to a court filing (PDF) from the Office of the Australian Information Commissioner (OAIC).
- You’ll be thrilled to know that Services Australia is unprepared for a “significant” cyber incident according to an ANAO audit. They haven’t even tested whether they can restore data from backups. The financial crime agency AUSTRAC didn’t fare well in that audit either.
- Officials from the National Disability Insurance Agency (NDIA) failed to declare a whole bunch of gifts from Salesforce as the company’s original $47 three-year contract was expanded to a four-year contract worth at least $100 million.
- Meanwhile, in yet another reflection on the government’s age assurance plans, Would face scanning technology keep Australian kids off social media? The UK regulator doubts it.
- From the Lowy Institute’s The Interpreter, a discussion of whether Australia should ban TikTok.
Data breaches and hacks of note
- “Sydney-based CRM provider Legrand CRM has confirmed that Hunters International exfiltrated data from its systems,” reports Cyber Daily.
- Also, rare-earth minerals company Iluka Resources was hit with a denial-of-service attack, but says no data was exfiltrated.
Inquiries of note
Nothing new that’s relevant to the remit of this humble newsletter.
Elsewhere
- A US judge has rejected Meta Platforms’ bid to dump a lawsuit by Andrew “Twiggy” Forrest, the mining billionaire whose image was used in scam adverts.
- From last week but still worth a read, an analysis of how the Australian Securities Exchange (ASX) blew $250 million on a daft blockchain project. This kind of hype-fuelled fiasco certainly won’t happen with AI, will it. Will it?
- Meredith Whittaker, president of the Signal Foundation which runs the secure messaging platform of that name, says she remains implacably opposed to the “disease” of surveillance and is “really proud we don’t have an AI strategy”.
- From MIT Technology Review, Why does AI hallucinate?
- Crikey ($) reports that chatbots from OpenAI, Meta, and Google are repeating a political conspiracy theory about a legally suppressed list of high-profile Australian pedophiles. This is what happens when you just scoop up whatever’s on the internet.
What’s next?
Parliament resumes this Monday 24 June for a two-week run. We already have the draft legislation programs for the Senate and the House of Representatives.
The Reps will debate the Criminal Code Amendment (Deepfake Sexual Material) Bill, while the Senate intends to wrap up the Communications Legislation Amendment (Prominence and Anti-siphoning) Bill.
On Tuesday 25 and Friday 28 June there are public hearings for the Joint Select Committee on Social Media and Australian Society. A hearing was also held today, so watch out for news coverage across the weekend. Submissions to that inquiry close next Friday 28 June.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.