Cyber wrap
9 Dec 2015|


Following on from Xi Jinping’s September state visit, Chinese Minister of Public Security Guo Shengkun met with US Secretary of Homeland Security Jeh Johnson, US Attorney General Loretta Lynch in Washington last week to discuss bilateral collaboration on cybercrime issues. The talks established guidelines around timely information sharing and cooperation on cyber-enabled crimes such as child exploitation, theft of trade secrets and terrorist communications. The US Justice Department has announced plans for a Sino-US cyber table-top exercise on cybercrime and network protection in order to enhance mutual understanding of each other’s cyber processes and procedures. A Cold War-era cyber hotline will also be established between Xi and Obama to enable better management of cyber incidents. Despite questions about the authenticity of China’s new found attitude on cyber collaboration, the value of this partnership will likely become clear between now and the second ministerial meeting planned for June 2016.

However, fingers are being pointed at China after the networks of Australia’s Bureau of Meteorology (BoM) were breached last week. BoM is a critical national asset, possessing one of the nation’s largest supercomputers and providing vital environmental monitoring such as weather forecast and water supply analyses. The agency is connected to multiple high-clearance departments, including Defence, and thus may have been targeted as the ‘soft point of entry’ into more strategic networks. Unsurprisingly, China’s foreign ministry spokeswoman Hua Chunying has denied claims that China was behind the breach. Despite the official statement from BoM emphasising that its systems remain ‘fully operational’, it’s suggested that the incident may take years and hundreds of millions of dollars to fix.

On a positive note, the Commonwealth Bank of Australia (CBA) and the University of NSW have announced a five-year partnership to address the national shortage of cybersecurity expertise. The $1.6 million deal will go towards a new cybersecurity lab, financial support for PhD students, and the development of an applied cyber engineering degree that teaches students to think like hackers. Ben Heyes, CBA’s chief information security and trust officer, cited the growing difficulty of staffing important cybersecurity roles in Australia as a key driver behind the partnership. The new cybersecurity course content will be made available to study for free online in an effort to inspire other universities to adopt a more creative and practical approach to cybersecurity education.

Global hacktivist group Anonymous has released the private details of more than 1,400 officials at the UN climate talks in Paris in response to the arrest of more than 200 protesters who took to the streets as part of the Global Climate March. The March had been banned in Paris, along with all other demonstrations, in wake of recent terrorist attacks in the French capital. The group breached the UN Framework Convention on Climate Change (UNFCCC) website, publishing the names, phone numbers, email addresses, encrypted passwords, answers to secret questions and office addresses of attendees on their website. The hack exploited a well-known database vulnerability, SQL injection, and the basic encryption techniques used to protect the information.

Public anxiety over the growing ‘Internet of Things’ has turned its attention to the vulnerability of networked toys. Cybersecurity researchers have discovered a series of fundamental security flaws in the software behind Mattel’s new talking doll, Hello Barbie. The wifi-connected doll, which can hold real-time conversations by uploading audio to the cloud in return for an artificial intelligence-generated response, apparently fulfils the dreams of children and hackers alike. The toy’s use of weak authentication mechanisms made it possible for hackers to eavesdrop on communication sent to the server, and the servers had also not been patched for the infamous POODLE bug that undermines secure connections. Those security problems had already been communicated to Mattel, who have since fixed the issues. However, this follows last month’s hack of Hong Kong toy-company, Vtech, and the subsequent release of personal details and photos of tens of millions of parents and children. As such, networked toys will probably continue to be viewed with suspicion by the public in the near future.