May 2016 – Cyber Law Watch

Yes it can cost you your job…even if you are the boss!

May 31 2016

The CEO of Austrian aerospace parts maker FACC, has been fired following a cyber fraud that cost the company 42 million euros (AUD $65 million). FACC also fired their CFO in February soon after the cyber fraud.

Executives are being held responsible for business’ cybersecurity measures, and while FACC declined to comment on the details of Walter Stephan’s shortcomings, their supervisory board concluded that Walter Stephan had “severely violate his duties, in particular in relation to the fake president incident”. It is likely that this violation is in reference to a lack of adequate cybersecurity procedures or protections, which would be considered essential for most businesses in this technologically integrated era.

So how was it done? The technique used to deceive FACC into handing over their money is known as a ‘fake president incident’. To put it simply, the hackers sent an email to an employee posing as the CEO, and requested that funds be transferred to a specified account for a fake acquisition project. It would appear the board figured it shouldn’t have been that easy.

More information about this cyber fraud can be found in an article by reuters.

Were you a LinkedIn member in 2012?

May 19 2016

By Cameron Abbott and Simon Ly

Following on from the well-publicised 2012 data breach, LinkedIn today announced that a data set relating to that hack containing over 100 million LinkedIn emails and passwords has now been released to the public. It appears at this stage that the hacker is trying to sell the emails and passwords on a dark web illegal marketplace.

At the time of the 2012 data breach, LinkedIn informed members to change their passwords. If you did and your details are part of the 100 million member details released, this is less problematic for you. However, the major caveat is that if you have been using that stolen password for your many other online accounts, it could open a can of worms for the hacking of more valuable accounts that you might hold.

For more updates, see LinkedIn’s official release here.

Former High Court judge Michael Kirby calls for privacy laws to deal with serious invasions of privacy

May 12 2016

By Cameron Abbott and Simon Ly

In a recent speech and comments made to Fairfax Media, former High Court of Australia judge Michael Kirby has taken aim at the current state of Australia’s privacy law regime in regards to serious invasions of privacy such as “revenge porn” and the kinds of privacy breaches often associated with the press.

Mr Kirby called upon the NSW parliament to legislate to protect its citizens in order to push the federal government to create a national standard. Mr Kirby’s comments follows the March 2016 report released by the NSW parliament titled “Remedies for the serious invasion of privacy in New South Wales” where the Upper House committee made a series of recommendations that a statutory cause of action be introduced in NSW that would enable people who have suffered a serious invasion of privacy to commence a civil action.

Taking an international view, this issue took the attention worldwide recently when then-ESPN reporter Erin Andrews was secretly filmed nude by a stalker while in her hotel room. Since then, Erin Andrews settled a claim with the hotel operator after having been awarded $55 million in March 2016.

For more information, please see NSW’s report here, which the government is expected to respond to by 5 September 2016.

Hacked accounts anyone?

May 09 2016

By Cameron Abbott and Giles Whittaker

Have you been hacked? If you are the user of a Google, Yahoo or Microsoft e-mail account then it is a possibility. Alex Holden, the founder and Chief Information Officer of Hold Security who discovered the hack has identified 272.3 million account credentials have been stolen. The majority of these accounts are users of Mail.ru which is Russia’s most popular e-mail service.

57 million Mail.ru account credentials had been hacked and Mail.ru “are now checking any combinations of usernames/passwords match users’ e-mails and are still active”, from initial checks there were no live combinations.

Google and Yahoo are yet to provide any response.

This recent hack, which was performed by a young Russian hacker who is more determined to become famous than rich from his recent efforts after only asking for 50 roubles (less than $1) for the entire dataset, is one of the biggest collection of stolen credentials since the attacks on major US banks and retailers two years ago. The information which was stolen, as suggest by Holden in an interview with Reuters is “potent [and] it is floating around in the underground…which can be abused multiple times.”

Some of the stolen credentials include those for employees of large US banking, manufacturing and retail companies. When considering that 22 percent of big data breaches come from stolen online credentials (according to a recent survey of 325 computer professional) and hacks of this nature typically allow for further break-ins or phishing attacks by accessing the contacts of each hacked account, the domino effect of a hack such as this is substantial. Furthermore, individuals that like to re-use their preferred passwords across multiple accounts have exposed themselves to additional hacks.

So what is the take away message? According to Will Harwood, founder and Chief Technology Officer of Silicon SAFE, the solution as he told Infosecurity is to put the “password data in a dedicated hardware supported database that only allows data to be stored and compared, never revealed.”

For more of Will Harwood’s security suggestions and the Infosecurity article click here.

To read more about Alex Holden’s discovery of the Russian hacker click here.

SWIFT’s assessment of Distributed Ledger Technologies

May 01 2016

By Cameron Abbott and Giles Whittaker

SWIFT and Accenture released their new paper into how Distributed Ledger Technologies (DLTs) could be used in financial services. The outcome of their assessment highlighted 8 key gaps between industry requirements and the current DLT solutions. The 8 critical factors to be addressed before widespread adoption of DLT’s include:

strong governance;
data controls;
compliance with regulatory requirements;
standardisation;
identity framework;
security and cyber defence;
reliability; and
scalability.

The potential use of these technologies is still unclear according to Fabian Vandenreydt the Head of Securities, Innotribe and the SWIFT Institute. However SWIFT has committed to working with the industry to identify areas in which the technology can provide the greatest benefit.

For more information about SWIFT’s position on DLTs or to download a copy of the paper visit here.

Archive:May 2016