Cyber wrap
2 Nov 2016

It was announced late last week that Australia’s biggest data breach to date had affected donors to the Red Cross Blood Service. A back-up database of 550,000 donor records (including names, contact details and answers to behavioural questions about general wellbeing and sexual activity) was uncovered by an unknown person scanning websites for vulnerabilities. The information was provided to Troy Hunt, a cyber security blogger and Microsoft regional director, who then passed it on to the cyber incident response team AusCERT. The Red Cross has notified everyone affected by the breach, believes that all known copies of the database have been deleted, and has also engaged IDCARE to provide counselling and assistance to anyone affected by the breach.

The UK released its new five-year Cyber Security Strategy yesterday, confirming that it will spend £1.9 billion over five years, as previously announced in November last year, to implement new or strengthened initiatives across three key areas: defend, deter and develop. The Strategy warns that the UK will ‘take the fight to those who threaten us in cyberspace’, and re-identifies a range of opportunities and challenges facing the UK’s cyber security.

China’s controversial new Cyber Security Law has reached its final stages of approval, with state media announcing that the Standing Committee of China’s National People’s Congress would vote on the cybersecurity law this week after its third reading. This comes despite protests from foreign governments and businesses concerned about the requirement to store data in China and provide encryption keys to the Chinese government. The law will codify China’s extensive censorship regime and extend government control over key cyber security technologies. The Chinese government has stated that the law is required to protect the security of the state, but many of its provisions will also protect local technology firms and service providers from overseas competition.

Following last week’s DDoS attack on Dyn in the US, Singapore ISP StarHub was affected by two similar DDoS incidents on 22 and 24 October, in which compromised devices were used to overwhelm the company’s domain name servers. The company, which described the incident as ‘unprecedented in the scale, nature and complexity’, has instituted a campaign of home visits by company technicians to update the security of customer devices. While the company hasn’t specifically blamed the Mirai botnet, its home visits will involve changing default passwords and installing security patches and anti-malware software on customer devices such as webcams. John Ellis of Akamai told the Financial Times that the incident was probably not targeted at StarHub, but blowback from an incident targeted elsewhere that was routed through the company’s infrastructure.

Cyber security researchers from South Korea have reported an uptick in North Korean cyber espionage operations targeting defectors and human rights groups in South Korea. The surge in North Korean operations appears to have begun in August, immediately following the defection of senior diplomat Thae Yong-ho to the UK. The incidents also demonstrate a new North Korean technique of using Twitter to alert the hackers to compromised machines. North Korean hackers use spear phishing emails to trick users into installing malware. Once installed, the malware beacons to the hackers via a Twitter account to signal that the computer has been compromised, allowing the North Koreans to issue remote commands and exfiltrate the data they want. The North Koreans have also compromised popular defector chat rooms in order to monitor their communications. The researchers claim to have broken the encryption protecting the identity of the hackers’ IP address and pinged it to confirm that it’s located in Pyongyang.

And finally, in the same week that the FBI has announced that it’s again investigating emails linked to Hillary Clinton’s private server, it’s also emerged that the US domestic intelligence agency may be examining a ‘secret server’ owned by Donald Trump. Slate has interviewed a group of academics in the US who analysed the traffic between a Trump server in Manhattan and a Russian server. Their analysis noted that the activity aligned with office hours in Moscow and New York, that the very large server carries only a very small amount of traffic, and that it is set up to receive messages only from a limited range of IP addresses, indicating an attempt to shield the communications from scrutiny. Separately, Mother Jones has reported that the FBI has received information contending that the Russian government has tried to co-opt and assist Trump. The metadata analysis doesn’t provide a smoking gun, but the academics believe it strongly suggests that Trump is covertly communicating with the Kremlin. The Trump campaign has denied any links to Russia, and analysts have raised other possibilities that could provide a completely reasonable cause for the activity, including errant spam or a misdirected email trying to reach its destination.