Cyber wrap
1 Mar 2017|

The Australian government has kept the cyber ball rolling this week, with the launch of the Joint Cyber Security Centre in Brisbane, the first of five slated capital city hubs worth $47 million in across the country. The joint cyber centres are designed as collaborative work spaces and an information sharing portal across government, business and law enforcement on cybersecurity issues. Cybersecurity centres haven’t been limited to Australia, with Microsoft opening up a Cyber Security Engagement Centre in Mexico, aiming to dismantle botnets and cybercrime organisations in Latin America.

New York State’s Stewart International Airport was confronted with an embarrassing discovery this week; a server backup drive had been left exposed to the internet since April 2016, potentially leaking 760GB of unsecured data, including internal e-mails, memos, “sensitive” TSA letters of investigation, and schematics of the airport and surrounding infrastructure. One file contained an unsecured list of usernames and passwords for the various systems at the airport, which reportedly could’ve been used to generate boarding passes to any destination for any traveller at the airport, even those on the no-fly list. The drive has since been secured, with no preliminary indications that data was copied from the drive.

Israeli Prime Minister Benjamin Netanyahu visited Australia last week, and issued a joint statement with Prime Minister Turnbull about the two countries’ commitment to bilateral cooperation in cybersecurity. In Israel, the Ministry of Justice’s Israel Law, Information and Technology Authority has formulated draft regulations to be discussed in the Knesset regarding data security, including a regulation to compel database owners to notify subjects regarding data breach events, similar to mandatory data breach notification regulations in the EU and, very recently, Australia.

Still in Israel, researchers from the Cyber Research Center at Ben-Gurion University demonstrated (in a report delightfully titled ‘LED-it-GO’) how to exfiltrate data from air-gapped computers by flashing hard-drive indicator lights up to 5,800 times a second to a nearby drone-mounted camera. Vulnerability researchers from Google and the Netherlands-based Centrum Wiskunde & Informatica announced that, after two years of research, they’d successfully mounted a ‘collision attack’ against the Secure Hash Algorithm-1 function, rendering it insecure. For a good breakdown of the specifics, as well as links to the supporting research, read this.

Google has again used Twitter to sound the alarm about a vulnerability on the Cloudflare Content-Delivery-Network. Cloudflare, an information security service provider that keeps clients safe from DDoS attacks, has since announced that their servers were leaking sensitive information. In a promising display of resilience and responsiveness, the source of the bug was shut down within 44 minutes and fixed completely within 7 hours, but concerns remain over data leaked from websites that used Cloudflare in the period from September 2016 till now.

As much as “fake news” has been trending in traditional media, the cyber-world has seen a crackdown on “fake accounts”, with the Philippines’ Senate set to debate a bill which would require social media networks to verify the identity of users who register for accounts, and mandating shut-down procedures for compromised accounts. US Customs and Border Protection officials are also beginning to ask incoming visitors for their social media accounts. Officials have maintained that the question is optional, and refusing to answer shouldn’t be cause for penalty, but critics are concerned about the increasing use of social media intelligence in routine border controls. Google has boosted the accessibility of its tools to manage fake accounts , opening up the Jigsaw Application Programming Interface (API), giving developers throughout the open source community access to anti-harassment machine learning tools (like their ‘toxicity meter’) to automatically detect insults, harassment and abuse hurled online. The developers hope that the tool will be used carefully to create “safe spaces” and restore open discussion on the internet, but critics have voiced their concerns about the implications for automated censorship and over-moderation.

And finally, ASPI was fortunate enough to host the Australian launch event, one of a series of launches around the world, for the Tallinn Manual 2.0 on International Law Applicable to Cyber Operations last Friday, hearing directly from the experts behind the manual. One of the experts was Professor Michael Schmitt, Senior Fellow at the NATO Cooperative Cyber Defence Center of Excellence, who also spoke to the ABC’s current affairs program PM about the manual. Check out the interview here.