Cloud services hacked

Most people use easy-to-use crypto tools that use the common public key algorithms to currently encrypt their documents etc. Much of this will remain in a state that will be easily decrypted by Quantum computers. Much of the encrypted traffic in the World is now already captured by State- and Business-run organisations and, while not currently able to be opened by them, will be at the very first opportunity they get. Most of us will not see the Quantum Comps until they have been well established by these organisations and have shredded any hope we had of privacy in any form.

I know there are ways to hopefully achieve post Quantum Computing safety, but the rules have not been formalised and may yet take years to become mainstream while Quantum developments thunder ahead at increasing pace. Even with that belief in possible safety they still continue to err on the side of caution by saying that they “think” they will be secure, as the mathematics to solve the equations is so difficult and keys will be much bigger, and all this adds to complexity and security. But Quantum calculations run by these new breed computers may yet confound current thinking. This is why I say things will not be secure in that age.

5 Likes

Service categories (a rough probably incomplete optimistic overview):

  • Those that have been hacked which are public knowledge

  • Those that have been hacked where the hacking and spill has been covered up

  • Those that have been hacked and everyone is so-far blissfully unaware

  • Those next on the list for one of the above categories

There is one other mythical category:

  • Those which are secure and unhackable (exists only as a concept peddled by sales and marketing).

There’s probably more - I doubt any are reassuring :slight_smile:

The (numerous) people here who advocate the sparing sharing of personal information and backups are on the right path in my view, but let’s not forget that the people behind these acts vary wildly in their abilities and resources/backing, not to mention where the targets are complicit.


3 Likes

When you apply for work you provide certain information; you cannot avoid providing your full name, date of birth, address and contact number.

Then you tell them your gender and tell them if you have or have not criminal history and upload your documents. Provide the contact details of references if needed.

Pretty standard.

The damage must be massive since they are still investigating and started on the 23rd.

Surprisingly some companies are still using them. Called one and they never called me back. Wanted a direct email address.
Started an application today and killed it as they are using PageUp; will call them tomorrow.

4 Likes

Yes, this is true. I have heard a suggestion that certain governments are pressuring businesses to hand over certificates that are no longer in use. “It’s of no use to you any more, what harm can we do with it?” Well, you can read all that traffic you captured that was encrypted using that certificate!

That said, there are forms of security that will almost certainly remain unbreakable into the future, such as those that use ephemeral one-time key agreements. The effort needed to decrypt each and every data transfer that uses these is likely to be way too onerous even for states to be able to get much from them.

The final point to be made regarding quantum computing is that we do not know when it will be powerful enough to make us all insecure. I heard an estimate a few years ago, that certain government entities were - at least in the 1990s - about ten years ahead of the rest of the research community, in mathematics and encryption. If that remains the case (as the Snowden papers suggest in relation to breaking into systems), then those of us without Top Secret NoForn clearances may already be in big trouble and simply don’t yet know it. That said, encryption cyphers are generally retired several years before it is thought that they may become breakable. Enough years? I’m sorry, but you’re not cleared for that information.

2 Likes

PageUp People has finally revealed the quantum of data that may have been compromised by a recent breach, including what it says is a “very small amount” of password data held in clear text.


It has, to date, said its “current” password data holdings were safe, owing to its use of “industry best practice techniques including hashing and salting”.

It goes on ... The cynic in me (and first hand experience with this kind of breach and the associated spin-doctors) leads me to suspect this was just a massive stuff-up, bad code, and a similarly massive cover-up.

4 Likes

It’s just the tip of the iceberg.

I do wonder why data from 2007 and prior was bit encrypted and stored elsewhere. They are not telling us everything.

3 Likes

So does anyone know if some of the bigger online players like Seek ever used them?

3 Likes

ABC, Medibank, Banks, Westfield and many many more.

3 Likes

Coles
Telstra
Australia Post
Medibank
NAB
Tasmanian Government
University of Tasmania
Suncorp
ALDI Australia
Jetstar
Macquarie Group
Target
Scentre Group
Commonwealth Bank
Queensland Rail
Programmed

I reckon (a guess only) that Seek/etc have their own engines that will be/have been/might be hacked/covered up/etc separately :wink: It’s never a question of if, but when, and whether they can deny it happened.


Australian authorities helping PageUp People recover from a security incident say that while some data was likely accessed by an unauthorised party, there is no evidence so far that it was exfiltrated.

Really?

To date, PageUp People has never definitively said it was breached; only that “on the balance of probabilities” some data was accessed by an unknown attacker.

“the balance of probabilities” is code for “we reckon” ?

What that attacker did with - or can do with - any data accessed could be of limited value, the ACSC, OAIC and IDCARE jointly said.

“While recognising that investigations are ongoing and that the situation may therefore change, the ACSC emphasises that there is a significant distinction between information being accessed (which means there has been a systems breach) and information being exfiltrated by the offender,” it said.

“In other words, no Australian information may actually have been stolen.”

I’m having trouble not labelling that as ‘weasel words’. If it was my account where the ‘information’ was ‘accessed’ I’d have a hard time seeing a difference between that and exfiltration in the pure sense of impact on my privacy; playing semantics isn’t very reassuring. I’m guessing they either know a lot more than they are telling, or think they do, or maybe a lot less and are clutching at straws, but my belief is what we are hearing is very very ‘sanitised’.

Also last night, PageUp People clarified its weekend disclosure that failed login attempt data up to 2007 may have exposed some password information in clear text.

It said last night that “a small number of PageUp error logs from before 2007 may have contained incorrect failed passwords in clear text”.

In other words, the log file contained mistyped versions of passwords rather than the actual passwords themselves.

Wow. Coding at its finest. Are we expected to believe this was the only part of the code written by a Muppet? :slight_smile:

This all leaves a very bad taste in my mouth because of what I’ve been involved in. I think times are better now, with the oversight of ‘privacy’ (to the extent privacy even exists); at least it might serve to keep some organisations honest, unlike back in the days when there was nothing. I’m still fairly convinced whistle-blowing would still be career suicide, but that’s another story.


4 Likes
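The two PageUp statements quoted in this thread, the “hashing and salting” of current passwords and the pre-2007 error logs that captured mistyped passwords in clear text, as an added illustration (example code written for this page, not PageUp’s or the forum’s): a leaky login routine beside a hardened one, a salted-hash credential store, a check for leaked secrets in log output, and a scrubber a defender can run over existing logs. The in-memory store, the log lines and all names are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-ins for a user database and an application error log (assumptions).
USERS: dict = {}
ERROR_LOG: list = []

def register(username: str, password: str) -> None:
    """Keep only a random per-user salt and a PBKDF2-HMAC-SHA256 digest: 'hashing and salting'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[username] = {"salt": salt, "hash": digest}

def verify(username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(digest, rec["hash"])

def login_leaky(username: str, password: str) -> bool:
    """The failure mode in the thread: a rejected (often merely mistyped) password lands in the error log."""
    ok = verify(username, password)
    if not ok:
        ERROR_LOG.append(f"ERROR login failed user={username} password={password}")
    return ok

def login_safe(username: str, password: str) -> bool:
    """Hardened: record the event and the account, never the submitted secret."""
    ok = verify(username, password)
    if not ok:
        ERROR_LOG.append(f"WARN login failed user={username} reason=bad_credentials")
    return ok

def log_contains(secret: str) -> bool:
    """Detection check: does any stored log line still carry a given secret?"""
    return any(secret in line for line in ERROR_LOG)

def scrub_log() -> int:
    """Incident cleanup: redact any password=... field in place; returns the number of lines changed."""
    changed = 0
    for i, line in enumerate(ERROR_LOG):
        fixed = re.sub(r"password=.*$", "password=[REDACTED]", line)
        if fixed != line:
            ERROR_LOG[i] = fixed
            changed += 1
    return changed
```

A near-miss password in a log is nearly as valuable to an attacker as the real one, which is why `login_safe` records only the account and a reason code.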

There are more companies.

I’ve received emails.

Tried applying for work and was redirected to PageUp. So I killed it and called the company. Was told ‘the problem is already resolved and it’s safe to use’.

Told the guy that it hasn’t been resolved and asked for a direct email addy. That was Friday.

KPMG are using them as well. Called them to get their direct addy and no one called me back.

Some recruiters fell. Scares me, as if you register with them they scan your Passport, Medicare card and some even a credit card to make up over 100 points. Then I don’t know where it is stored, locally or on a cloud server.

4 Likes

And the spin continues, but would we expect spin from MacGibbon? :wink:

Australia’s national cyber security adviser has blamed a “conflict of laws” for forcing PageUp People to disclose last month’s malware infection before it could properly assess the damage caused. Alastair MacGibbon told CEDA’s state of the nation conference in Canberra today that premature disclosure of the incident led to the Australian recruitment cloud service provider being “in a sense victimised”.

So what is this ‘conflict of laws’ that forced ‘premature disclosure of the incident’ ?

“PageUp had to notify the UK market because their requirements are very tight - within 72 hours of a suspicion,” MacGibbon said.

So they had to comply with the laws in a market where they also trade? That’s terribly reasonable isn’t it?

“[Australia’s] requirements aren’t as compulsive in the early stages [of an incident].”

Indeed. Our laws allow far more focus on the janitorial side of the incident in these apparently unimportant ‘early stages’. Once all the sweeping is completed, the dust has settled and the carpet is again flat on the floor (well, as flat as it can be with an incident under it) we can focus on telling people ‘the real story’ and patting the heroes on the back.

He said that having to report in the UK - as it has the “most onerous” laws - was “detrimental to PageUp”. “PageUp in a sense was victimised by having to report to the UK market on a matter, and then if they hadn’t reported in Australia at the same time then the allegation people would make is ‘you held back’, ‘you waited months’ because that’s how long you could do in Australia if you’re investigating activity before you came out,” he said.

Months of janitorial activities are possible in Australia, apparently.

The article goes on to further muddy the water about data exfiltration, which various commentators can neither confirm nor deny happened, but have their opinions - as if data exfiltration is the only bad thing that could happen (community perception of ‘data theft’ vs other compromise modes, including retaining access/control in-situ for example).

The position I take is that no data is safe from the most determined and resourced players; it’s just safe enough, maybe, from parties likely to be casually interested.


3 Likes

It seems churches are jumping in on the data safety issue - I saw this poster when riding past a local church the other day, not that I believe a word of it :wink:

4 Likes

Some suggest God has a backup plan, but I reckon it will be hell to implement :wink:

1 Like

I’m still getting emails telling me about the breach. Two arrived yesterday. Brings the total to 16.

In the meantime, while applying for work I was redirected to PageUp. Killed the connection and called the Co. They told me it was now safe; told them that the investigation is still ongoing, so no, it is not safe. Asked for a direct email addy; they told me to use PageUp.

One place I will not be applying for.

3 Likes

So they held some password data in clear text but encrypted other password data? It doesn’t matter ‘how many’, what matters is they designed their system very poorly if this could happen at all!

There is an obvious problem with this theory: in order to read a website, information is transferred from it into your computer (i.e. exfiltrated). Are they saying data was accessed without this basic transfer and without being cached on the local hard drive?

I agree with @draughtrider that this sounds incredibly weaselly. I would expect better from an agency that was created in part (allegedly) to protect my data, and another that is responsible for my information’s privacy!

I have received emails from more than one Commonwealth Government recruiter, that used this company!

This statement from the head of the Australian Cyber Security Centre simply tells us all that Australia needs to tighten up its requirements beyond the alleged tightening that occurred earlier this year! It’s no sort of excuse.

Really, this whole incident - along with the laws that are supposed to protect us online - needs a much closer examination. At the moment all we are hearing from ‘official’ sources is ‘nothing to see here. Move along’.

3 Likes

In total I received about 25, but some are duplicates, as if I applied a few times they stored my data twice for the same company; clearly bad design.

In total 21 companies and counting.

Companies like HCF are still using PageUp; Bupa have distanced themselves from PageUp.

2 Likes

Some tech companies in the US are beginning to realise that if they wish to protect their reputations and keep their customers they need to act fast when there is a possibility of a breach. This means notifying affected customers, setting up an information website, and apologising. Even when it turns out that the breach was not as bad as they thought, they have kept their customers on-side by being open and honest.

I do not normally find the US ‘inspirational’, but in this some companies are well ahead of the approach Australia is taking. The comparison could not be more different:

  • Clear communications vs. mixed messages
  • Advising all customers ASAP vs. “we have to tell you because of British law”
  • Apologising for and explaining what you know about the breach vs. “umm... well, we wouldn’t really call it a breach per se. I mean, it was technically a breach but we don’t think we’ve lost anything of value - just a few old passwords. And I couldn’t possibly tell you what happened because ‘bad guys’.”
  • Explaining what you are doing to prevent future incidents, vs. “Incident? No, it wasn’t that bad. Really, mate - you can trust me.”

2 Likes

PageUp only disclosed to the public a week after the event; they are telling companies and consumers that it’s ‘been isolated and now fine to use’. That annoys me.

Some companies are distancing themselves, good to see.

2 Likes

Indeed. I re-read and re-read, and the words coming from these people are nothing short of breathtaking. I can’t imagine they even think what they are saying holds water, or that people will believe it, or accept it, but it all rolls on and there seems to be no accountability.


3 Likes

It is denial by assertion of fallacious and/or vacuous arguments to avoid responsibility for a failure to properly and prudently undertake security analysis and protection of their data repositories and the processes they used.

3 Likes