Secrecy, privacy, security, intrusion

Yes, and so kind of AFR to paywall the content.

A link to the ACSC alert.
It indicates which products are affected.
There is no indication of the identities of the individual businesses affected. Similar to the previous advice by @person.

https://www.cyber.gov.au/acsc/view-all-content/alerts/exchange-server-critical-vulnerabilities

It’s indicated the majority are yet to apply the necessary Microsoft security patches.

As far as I have read to date the patches do not undo any damage or remove any potentially malicious code inserted by the foreign actors. This requires further action.

2 Likes

No patch can ever undo the potential damage from an exploit at this level (total system compromise). The only realistic option is to rebuild the server from scratch or to restore from known good backup.

I don’t know how they would know that. It seems that they scanned for vulnerable systems in Australia (about 7,000) but that may or may not also allow them to total up non-vulnerable systems.

As this bug has been known about since (at least) January, perhaps they scanned back then and can therefore easily calculate the number of systems extra that were vulnerable then but not vulnerable now.

Any such scanning can easily miss vulnerable systems if the system is vulnerable but the organisation still has better than average security thereby making the vulnerable system less obvious on the internet e.g. access from outside the organisation is only via VPN.

4 Likes

I could actually read the whole article when I posted it but something has changed.

I should have just posted the one on nine.com.au instead.

2 Likes

No thank you! That content is automatically blocked by my settings.

2 Likes

Not a problem with your decision re the use of the AFR article.

Just a shot across the bows of AFR for including the article behind its paywall. It’s this type of content with wide public interest that should be shared as a news item, due to the topic. If it was free to view, it might encourage some to see AFR as a useful source of content and subscribe. I’m not saying it is or is not good value/useful. I’ve not had access to its content or followed it for some time to offer a reliable opinion.

2 Likes

Part of the data compromised by the hackers is the “Exchange offline address book from compromised systems, which contains information about an organization and its users”. An address book may contain more than just the organisation’s user data but the data of those the organisation contacts or has dealings with outside

More on the hack done by the group HAFNIUM

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

The linked blog also contains a link to a script that allows an organisation to check its log files for signs that a compromise has occurred. The link is provided here in case a business wishes to test its Exchange server logs.

1 Like
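The indicator Microsoft’s blog describes for CVE-2021-26855 is an Exchange HttpProxy log entry where AuthenticatedUser is empty and AnchorMailbox matches the pattern ServerInfo~*/*. The following is an added example, not the script linked from the blog and not code from the post above, that runs that check over a constructed log sample. It assumes a simplified HttpProxy CSV layout (a `#Fields:` metadata line naming the columns, followed by data rows); the real files carry more columns and more metadata lines, and the client addresses, request IDs and mailbox values in the sample are made up.

```python
import csv
import fnmatch
from typing import Dict, List

# Constructed sample in the style of an Exchange HttpProxy log.
# Assumption for this example: a '#Fields:' line names the CSV columns
# and the rows that follow are data. The IPs, IDs and values are invented.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-01T10:02:11.123Z,0a1b,203.0.113.7,/owa/,alice@example.org,Sid~S-1-5-21-1111
2021-03-01T10:03:45.456Z,0a1c,198.51.100.9,/ecp/y.js,,ServerInfo~a]@example.org/autodiscover/autodiscover.xml?#
2021-03-01T10:04:01.789Z,0a1d,203.0.113.7,/mapi/,bob@example.org,Sid~S-1-5-21-2222
2021-03-01T10:05:30.000Z,0a1e,198.51.100.9,/ecp/default.flt,,ServerInfo~exch01.example.org/ecp/default.flt
"""

# Pattern from Microsoft's published indicator for CVE-2021-26855.
ANCHOR_PATTERN = "serverinfo~*/*"


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the log into row dicts, taking column names from '#Fields:'."""
    header = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = [c.strip() for c in line[len("#Fields:"):].split(",")]
            continue  # other metadata lines carry no row data
        if header is None:
            raise ValueError("data row encountered before a #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(header, values)))
    return rows


def is_suspicious(row: Dict[str, str]) -> bool:
    """Unauthenticated request whose AnchorMailbox matches ServerInfo~*/*."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip().lower()
    return user == "" and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN)


def find_proxylogon_hits(text: str) -> List[Dict[str, str]]:
    """Return every row in the log that matches the indicator."""
    return [row for row in parse_httpproxy_log(text) if is_suspicious(row)]


def summarize_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching rows per client address, to see who was probing."""
    counts: Dict[str, int] = {}
    for row in hits:
        ip = row.get("ClientIpAddress", "<unknown>")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(f"{row['DateTime']} {row['ClientIpAddress']} {row['UrlStem']} "
              f"AnchorMailbox={row['AnchorMailbox']}")
    print("hits per client:", summarize_hits(hits))
```

Point the parser at the contents of the files under the HttpProxy logging directory on the server rather than the sample to use it for real. A hit is evidence of exploitation attempts against that server, not proof that the attacker succeeded; the blog’s script also examines other logs (OAB generator, ECP, and the Application event log) for the other three vulnerabilities, which this example does not cover.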

Another disgraceful case.


1 Like

While Australia does not yet appear in the following report I often wonder when we will. India in 2020 was the most prolific Internet Access denial nation with 109 shutdowns of Internet (Net) access:

https://www.bloomberg.com/news/videos/2021-03-03/explain-this-internet-shutdowns-in-2020-video

There is more good reading on Access Now’s website; it may be enlightening to a few to see the number of restrictions countries are now placing on unfettered access to digital communications:

CHOICE may even have some interest in the work of the Organisation.

Interested in Transparency Reporting?

They have an index, and Telstra appears on it, but Optus and TPG, among others, do not.

Telstra’s linked info:

TPG’s concerning ToS re personal info… in particular, note (d) in the terms:

"5.1 As part of your application and in connection with the provision of service to you, we may obtain from you private information about you.

TPG is required by law to collect certain Personal Information about you, including your name, address and telephone service number to provide it to the operator of the Independent Public Numbering Database (IPND). Information in the IPND is used to develop directories and to assist emergency service organisations.

5.2 We use our best endeavours to comply with a privacy policy which is available on our website or by contacting us. This policy governs the information we collect on you, how we use it and your rights to access it. You consent to us to collect and disclose your personal information including any unlisted telephone number and address from or to:

(a) any credit providers or credit reporting agencies to use the information for all purposes permitted by the Privacy Act (1988) including to obtain a credit report about you or your registered business, maintaining a credit information file about you, or notifying a default by you;
(b) any law enforcement agencies to use the information to assist them in the prevention or prosecution of criminal activities;
(c) to conduct ongoing credit management of your account;
(d) any of our shareholders, related entities, suppliers, agents or professional advisers for reporting, accounting, product supply and service, marketing and audit purposes;
(e) any upstream supplier to us to use the information for any purposes connected with the service or your use of the service; and
(f) any person who provides us with your username(s) or password(s).”

Username - or - Password? :thinking:

What does that open up?

That they will tell anyone who knows my UserName who I am, where I live seems a bit of a stretch.

My experience suggests that when making a service call I need to prove my ID.

1 Like

Yes, that’s a bit worrying. Does TPG use your email address as your user name?

Australia clearly needs its own version of the GDPR.

1 Like

I have various ‘accounts’ where the username is one of the email address, an account number, the registered phone number, a random alphanumeric sequence they assign (a PIA!), and some the initial login is by email/phone number and then one has to pick their own username/password.

‘Australia’ might consider the variations to be a randomness sufficient to enhance overall security. Right it would. :roll_eyes:

As for the reassurance about credit agencies, (while unsaid, government agencies), and law enforcement, they may be among the top leakers as opposed to having been hacked, and their sole penalty seems to be a ‘bad boy’ notation, apology to the public, and someone deservedly or otherwise gets thrown under the train.

3 Likes

That (f) section is not contained in their Singapore list of releases; that ToS part 5 stops at (e). Why is it different for us? I don’t know, but I certainly am worried about the language used throughout Section 5 of their ToS. I found what Optus provides in the way of disclosure clauses: maybe better, maybe worse and maybe the same, depending on interpretation.

My point about (d) is that without any “authority” beyond being a shareholder (strictly speaking that means a single share) they can release all of a client’s data to them.

(b) means by its language they could release it to the Russian police, the Chinese police, or any law enforcement agency tasked with dealing with dissidents etc., as long as by their law it is considered criminal activity.

At least in Telstra the concern for privacy is taken into account:

"Under Australian law, the privacy of your personal information is strictly protected. To protect your privacy, Telstra carefully assesses each request and only discloses customer information if the request is in accordance with the law.

An agency requires a warrant to intercept content in real-time. For other information, agencies do not require a warrant but must meet the relevant legislative conditions. In the case of law enforcement agencies investigating a crime, they must be satisfied that the disclosure is reasonably necessary for the enforcement of criminal law and they must also consider the privacy implications of the disclosure.

When responding to lawful requests for customer information from agencies, we aim never to interfere with our customers’ legitimate use and enjoyment of our services."

Here is Optus’ disclosure policy

"How we use your information

Administration and business operations

  • Providing our products or services (and those of our business partners), communicating with you, managing your account and billing, and delivering customer or technical support.
  • Developing, operating and improving our network, product, service and content offerings, and business processes.
  • Security and verification purposes.
  • Conducting internal investigations, including in relation to fraud and crime.
  • Debt recovery purposes, such as assigning a debt you owe us.
  • Employment-related purposes (e.g. verifying your work experience or undertaking criminal history checks when you apply for a job with us).
  • Delivery, provision, installation or repair of your device, accessories or service, and maintenance of our products, systems and networks.

Marketing

  • Communicating with you to market products and services we think might interest you (including those from our selected partners).
  • Developing products and services that may be of interest to you.
  • Communicating with you when you have previously expressed an interest in our products or services (e.g. when you have left an item in your online shopping cart).
  • Conducting competitions or trade promotions, including with selected partners.

Analytics & Insights

  • Deriving insights about you and who you interact with to identify market segments, market products and services, or carry out market research.
  • Assessing the effectiveness of our marketing campaigns to optimise our marketing spend and to personalise our products, services, and marketing messages.
  • Analysing audience ratings information and anonymous viewing and/or browsing data to understand how you and others engage with our products and services (including our content services).
  • Supplementing, matching and analysing information about you with information from third party sources (e.g. from Facebook or Google) to learn more about your preferences and interests and to create aggregated market segments.
  • We may de-identify information about you to use and share with our business partners. This information may be combined with other demographic information or anonymous identifiers, to develop aggregated insights to improve our products, services and offers to our customers.

Relevant advertising

  • Delivering targeted advertising or other content which might interest you via websites, apps, online services and content services like Optus Sport, including through the use of third-party service providers such as ad-serving/targeting platforms.

Compliance

  • Using your information as otherwise required or permitted by law.

When we share your information

We share your information with our business partners and selected third parties for the purposes outlined above, including:

  • Our service providers (including our contact and service centres and sales agents).
  • Our analytics and advertising-related organisations. This includes providers of ad-serving/targeting platforms and third-party proprietary measurement software, such as OzTAM and Nielsen.
  • Our debt recovery agents and credit reporting bodies, such as Equifax and Illion.
  • Other telecommunications companies (e.g. to administer number portability requests).
  • Companies who collect information and data from cookies and other similar technologies.
  • Companies working with us to prevent or investigate unlawful activity (particularly fraud and identity theft).
  • Companies related to Optus including companies in the Singtel Group.
  • Advertisers of third-party products and services for the purpose of selling or providing relevant advertising on our websites, apps, and other online services (including our content services like Optus Sport).

When we share your information, we put measures in place to ensure your information is kept confidential, used securely and only used for the purposes outlined above. We will not otherwise sell or share information that directly identifies you with any third-party for commercial purposes, unless you give us your express consent.

However, for commercial purposes, we may de-identify your information and share it so that our business partners may combine it with other information. We share this so that our business partners can provide analytical services and anonymised and aggregated insights to their customers and to us.

For example, we may de-identify information about customer characteristics and movements to a business customer so they can develop anonymised and aggregated insights and offer products and services based on these insights for transport planning purposes.

We also share your information:

  • To comply with our legal obligations in response to warrants, subpoenas or similar lawful requests for this information (including from credit reporting bodies).
  • For the purpose of a transfer, sale or restructure of some or all of our assets or business.
  • With government and regulatory authorities and law enforcement agencies, as required or authorised by law.
  • With the operator of the Integrated Public Number Database to assist with the provision of directories, emergency services and safeguard national security.
  • With directory producers when you elect to have your information disclosed to such organisations. For example, if you choose to have a listed number.
  • With emergency call service centres and relevant emergency service organisations.

In some cases, we may share your information with organisations (including some Singtel Group companies, service providers and third parties) located overseas for the purposes listed above (click here to find out where)."

The list of Countries from that link just above for Optus are:

“Singapore, India, Philippines, USA, Canada, the European Union (including the UK), the Bailiwick of Jersey, Mexico, Malaysia, Japan, Israel, Iceland and New Zealand”

All in all pretty open slather on your data being shared. Particularly as many of the terms use “we may” which just means they may choose to do something but may not as well such as the “we may de-identify” doesn’t mean they will.

Yes, your TPG one is used as your “User name”.

2 Likes

One situation to avoid.


3 Likes

I would think all too common. The IT department is often the last to find out that someone has left the organisation. As the news article says:

lessons for Victorian public sector organisations on managing personnel security risks by maintaining robust off-boarding processes

Lessons for all organisations in reality. Public, private, Vic, anywhere else.

4 Likes

Should I laugh?
Should I cry?

Be very concerned. I expect a future version will have video capture capabilities to ensure everything remains mutual and agreeable, just in case one party changes its mind or doesn’t like something.

1 Like

Then of course you’ll have to agree on safe words. It’s no use screaming “Don’t stop! Don’t stop! Don’t! Stop!” and expecting the agreement to cover such linguistic acrobatics.

4 Likes

And then use of the app will become mandatory in the future.

All in the name of “keeping us safe”.

1 Like

An article warning persons to avoid divulging their private data online.

https://www.9news.com.au/national/online-safety-cyber-security-australians-targeted-by-criminals-personal-information-online/366473b7-1e97-4f70-a041-528031b25b1f

1 Like

You wouldn’t have thought that such a warning would still be necessary but …

1 Like