Towards a post-privacy world: proposed bill would encourage agencies to widely share your data


Bruce Baer Arnold, University of Canberra

The federal government has announced a plan to increase the sharing of citizen data across the public sector.

This would include data sitting with agencies such as Centrelink, the Australian Tax Office, the Department of Home Affairs, the Bureau of Statistics and potentially other external “accredited” parties such as universities and businesses.

The draft Data Availability and Transparency Bill released today will not fix ongoing problems in public administration. It won’t solve many problems in public health. It is a worrying shift to a post-privacy society.

It’s a matter of arrogance, rather than effectiveness. It highlights deficiencies in Australian law that need fixing.




Making sense of the plan

Australian governments on all levels have built huge silos of information about us all. We supply the data for these silos each time we deal with government.

It’s difficult to exercise your rights and responsibilities without providing data. If you’re a voter, a director, a doctor, a gun owner, on welfare, pay tax, have a driver’s licence or Medicare card – our governments have data about you.

Much of this is supplied on a legally mandatory basis. It allows the federal, state, territory and local governments to provide pensions, elections, parks, courts and hospitals, and to collect rates, fees and taxes.

The proposed Data Availability and Transparency Bill will authorise large-scale sharing of data about citizens and non-citizens across the public sector, between both public and private bodies. Previously called the “Data Sharing and Release” legislation, the word “transparency” has now replaced “release” to allay public fears.

The legislation would allow sharing between Commonwealth government agencies that are currently constrained by a range of acts overseen (weakly) by the under-resourced Australian Information Commissioner (OAIC).

The acts often only apply to specific agencies or data. Overall we have a threadbare patchwork of law that is supposed to respect our privacy but often isn’t effective. It hasn’t kept pace with law in Europe and elsewhere in the world.

The plan also envisages sharing data with trusted third parties. They might be universities or other research institutions. In future, the sharing could extend to include state or territory agencies and the private sector, too.

Any public or private bodies that receive data can then share it forward. Irrespective of whether one has anything to hide, this plan is worrying.

Why will there be sharing?

Sharing isn’t necessarily a bad thing. But it should be done accountably and appropriately.

Consultations over the past two years have highlighted the value of inter-agency sharing for law enforcement and for research into health and welfare. Universities have identified a range of uses regarding urban planning, environment protection, crime, education, employment, investment, disease control and medical treatment.

Many researchers will be delighted by the prospect of accessing data more cheaply than doing onerous small-scale surveys. IT people have also been enthusiastic about money that could be made helping the databases of different agencies talk to each other.

However, the reality is more complicated, as researchers and civil society advocates have pointed out.

[Image: a person hitting a 'share' button on a keyboard. Caption: In a July speech to the Australian Society for Computers and Law, former High Court Justice Michael Kirby highlighted a growing need to fight for privacy, rather than let it slip away. Source: Shutterstock]

Why should you be worried?

The plan for comprehensive data sharing is founded on the premise of accreditation of data recipients (entities deemed trustworthy) and oversight by the Office of the National Data Commissioner, under the proposed act.

The draft bill announced today is open for a short period of public comment before it goes to parliament. It features a consultation paper alongside a disquieting consultants’ report about the bill. In this report, the consultants refer to concerns and “high inherent risk”, but unsurprisingly appear to assume things will work out.

Federal Minister for Government Services Stuart Roberts, who presided over the tragedy known as the RoboDebt scheme, is optimistic about the bill. He dismissed critics’ concerns by stating consent is implied when someone uses a government service. This seems disingenuous, given people typically don’t have a choice.

However, the bill does exclude some data sharing. If you’re a criminologist researching law enforcement, for example, you won’t have an open sesame. Experience with the national Privacy Act and other Commonwealth and state legislation tells us such exclusions weaken over time.

Outside the narrow exclusions centred on law enforcement and national security, the bill’s default position is to share widely and often. That’s because the accreditation requirements for agencies aren’t onerous and the bases for sharing are very broad.

This proposal exacerbates ongoing questions about day-to-day privacy protection. Who’s responsible, with what framework and what resources?

Responsibility is crucial, as national and state agencies recurrently experience data breaches. Although as RoboDebt revealed, they often stick to denial. Universities are also often wide open to data breaches.

Proponents of the plan argue privacy can be protected through robust de-identification, in other words removing the ability to identify specific individuals. However, research has recurrently shown “de-identification” is no silver bullet.

Most bodies don’t recognise the scope for re-identification of de-identified personal information and lots of sharing will emphasise data matching.

Be careful what you ask for

Sharing may result in social goods such as better cities, smarter government and healthier people by providing access to data (rather than just money) for service providers and researchers.

That said, our history of aspirational statements about privacy protection without meaningful enforcement by watchdogs should provoke some hard questions. It wasn’t long ago the government failed to prevent hackers from accessing sensitive data on more than 200,000 Australians.

It’s true this bill would ostensibly provide transparency, but it won’t provide genuine accountability. It shouldn’t be taken at face value.




Bruce Baer Arnold, Assistant Professor, School of Law, University of Canberra

This article is republished from The Conversation under a Creative Commons license. Read the original article.

A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?



Paul Haskell-Dowland, Edith Cowan University and Brianna O’Shea, Edith Cowan University

Passwords have been used for thousands of years as a means of identifying ourselves to others and in more recent times, to computers. It’s a simple concept – a shared piece of information, kept secret between individuals and used to “prove” identity.

Passwords in an IT context emerged in the 1960s with mainframe computers – large centrally operated computers with remote “terminals” for user access. They’re now used for everything from the PIN we enter at an ATM, to logging in to our computers and various websites.

But why do we need to “prove” our identity to the systems we access? And why are passwords so hard to get right?




What makes a good password?

Until relatively recently, a good password might have been a word or phrase of as little as six to eight characters. But we now have minimum length guidelines. This is because of “entropy”.

When talking about passwords, entropy is the measure of predictability. The maths behind this isn’t complex, but let’s examine it with an even simpler measure: the number of possible passwords, sometimes referred to as the “password space”.

If a one-character password only contains one lowercase letter, there are only 26 possible passwords (“a” to “z”). By including uppercase letters, we increase our password space to 52 potential passwords.

The password space continues to expand as the length is increased and other character types are added.

Making a password longer or more complex greatly increases the potential ‘password space’. More password space means a more secure password.

Looking at the above figures, it’s easy to understand why we’re encouraged to use long passwords with upper and lowercase letters, numbers and symbols. The more complex the password, the more attempts needed to guess it.

However, the problem with depending on password complexity is that computers are highly efficient at repeating tasks – including guessing passwords.

Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.

By leveraging this computing power, cyber criminals can break into systems by bombarding them with as many password combinations as possible, in what is known as a brute force attack.

And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as US$25.

Also, because passwords are almost always used to give access to sensitive data or important systems, this motivates cyber criminals to actively seek them out. It also drives a lucrative online market selling passwords, some of which come with email addresses and/or usernames.

You can purchase almost 600 million passwords online for just AU$14!

How are passwords stored on websites?

Website passwords are usually stored in a protected manner using a mathematical algorithm called hashing. A hashed password is unrecognisable and can’t be turned back into the password (an irreversible process).

When you try to log in, the password you enter is hashed using the same process and compared to the version stored on the site. This process is repeated each time you log in.

For example, the password “Pa$$w0rd” is given the value “02726d40f378e716981c4321d60ba3a325ed6a4c” when calculated using the SHA1 hashing algorithm. Try it yourself.

When faced with a file full of hashed passwords, a brute force attack can be used, trying every combination of characters for a range of password lengths. This has become such common practice that there are websites that list common passwords alongside their (calculated) hashed value. You can simply search for the hash to reveal the corresponding password.
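The password-space figures from the section above and the hash-lookup attack just described, as an added example that is not code from the article: it computes the space and entropy for each character set against the article's quoted 100 billion guesses per second, and builds a constructed mini lookup table of SHA1 hashes of common passwords. The password list is made up for this example, and the salted variant (not discussed in the article) shows why such tables fail against properly stored hashes.

```python
# Added example (not from the article): password space, entropy and the
# "search for the hash" attack, using only Python's standard library.
import hashlib
import math
import string
from typing import Optional

# Rate quoted in the article: more than 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000

# Character sets the article walks through, plus the full printable set.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                              # 26
    "lower + upper": string.ascii_letters,                            # 52
    "lower + upper + digits": string.ascii_letters + string.digits,   # 62
    "printable ASCII": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits (log2 of the space)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length at `rate` guesses/s."""
    return password_space(alphabet_size, length) / rate


def sha1_hex(password: str) -> str:
    """Unsalted SHA1 of the password, as the article's example site computes it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the online "hash -> password" lookup sites the
# article mentions: hash a list of common passwords once, then search by hash.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Pa$$w0rd", "iloveyou"]
LOOKUP_TABLE = {sha1_hex(p): p for p in COMMON_PASSWORDS}


def lookup_hash(digest_hex: str) -> Optional[str]:
    """Return the password whose unsalted SHA1 matches, or None if not in the table."""
    return LOOKUP_TABLE.get(digest_hex.lower())


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-user salt (not discussed in the article): the same password now
    hashes to a different value on every site, so a shared table is useless."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def summary_table():
    """Rows of (charset name, length, space, bits, worst-case seconds)."""
    rows = []
    for name, chars in CHARSETS.items():
        for length in (1, 6, 8, 12):
            size = len(chars)
            rows.append((name, length, password_space(size, length),
                         round(entropy_bits(size, length), 1),
                         seconds_to_exhaust(size, length)))
    return rows


if __name__ == "__main__":
    for name, length, space, bits, secs in summary_table():
        print(f"{name:24} len {length:2}: {space:>28,} passwords,"
              f" {bits:5.1f} bits, {secs / 3600:>16.1f} h to exhaust")
    digest = sha1_hex("Pa$$w0rd")
    print(digest, "->", lookup_hash(digest))          # found in the table
    salted = salted_sha1_hex("Pa$$w0rd", b"constructed-salt")
    print(salted, "->", lookup_hash(salted))          # None: salt defeats lookup
```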

This screenshot of a Google search result for the SHA hashed password value ‘02726d40f378e716981c4321d60ba3a325ed6a4c’ reveals the original password: ‘Pa$$w0rd’.

The theft and selling of passwords lists is now so common, a dedicated website — haveibeenpwned.com — is available to help users check if their accounts are “in the wild”. This has grown to include more than 10 billion account details.

If your email address is listed on this site you should definitely change the detected password, as well as on any other sites for which you use the same credentials.




Is more complexity the solution?

You would think with so many password breaches occurring daily, we would have improved our password selection practices. Unfortunately, last year’s annual SplashData password survey has shown little change over five years.

The 2019 annual SplashData password survey revealed the most common passwords from 2015 to 2019.

As computing capabilities increase, the solution would appear to be increased complexity. But as humans, we are not skilled at (nor motivated to) remember highly complex passwords.

We’ve also passed the point where we use only two or three systems needing a password. It’s now common to access numerous sites, with each requiring a password (often of varying length and complexity). A recent survey suggests there are, on average, 70-80 passwords per person.

The good news is there are tools to address these issues. Most computers now support password storage in either the operating system or the web browser, usually with the option to share stored information across multiple devices.

Examples include Apple’s iCloud Keychain and the ability to save passwords in Internet Explorer, Chrome and Firefox (although less reliable).

Password managers such as KeePassXC can help users generate long, complex passwords and store them in a secure location for when they’re needed.

While this location still needs to be protected (usually with a long “master password”), using a password manager lets you have a unique, complex password for every website you visit.

This won’t prevent a password from being stolen from a vulnerable website. But if it is stolen, you won’t have to worry about changing the same password on all your other sites.

There are of course vulnerabilities in these solutions too, but perhaps that’s a story for another day.




Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University and Brianna O’Shea, Lecturer, Ethical Hacking and Defense, Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Can I still be hacked with 2FA enabled?



David Tuffley, Griffith University

Cybersecurity is like a game of whack-a-mole. As soon as the good guys put a stop to one type of attack, another pops up.

Usernames and passwords were once good enough to keep an account secure. But before long, cybercriminals figured out how to get around this.

Often they’ll use “brute force attacks”, bombarding a user’s account with various password and login combinations in a bid to guess the correct one.

To deal with such attacks, a second layer of security was added in an approach known as two-factor authentication, or 2FA. It’s widespread now, but does 2FA also leave room for loopholes cybercriminals can exploit?

2FA via text message

There are various types of 2FA. The most common method is to be sent a single-use code as an SMS message to your phone, which you then enter following a prompt from the website or service you’re trying to access.

Most of us are familiar with this method as it’s favoured by major social media platforms. However, while it may seem safe enough, it isn’t necessarily.

Hackers have been known to trick mobile phone carriers (such as Telstra or Optus) into transferring a victim’s phone number to their own phone.




Pretending to be the intended victim, the hacker contacts the carrier with a story about losing their phone, requesting a new SIM with the victim’s number to be sent to them. Any authentication code sent to that number then goes directly to the hacker, granting them access to the victim’s accounts.

This method is called SIM swapping. It’s probably the easiest of several types of scams that can circumvent 2FA.

And while carriers’ verification processes for SIM requests are improving, a competent trickster can talk their way around them.

Authenticator apps

The authenticator method is more secure than 2FA via text message. It works on a principle known as TOTP, or “time-based one-time password”.

TOTP is more secure than SMS because a code is generated on your device rather than being sent across the network, where it might be intercepted.

The authenticator method uses apps such as Google Authenticator, LastPass, 1Password, Microsoft Authenticator, Authy and Yubico.

However, while it’s safer than 2FA via SMS, there have been reports of hackers stealing authentication codes from Android smartphones. They do this by tricking the user into installing malware (software designed to cause harm) that copies and sends the codes to the hacker.

The Android operating system is easier to hack than the iPhone iOS. Apple’s iOS is proprietary, while Android is open-source, making it easier to install malware on.

2FA using details unique to you

Biometric methods are another form of 2FA. These include fingerprint login, face recognition, retinal or iris scans, and voice recognition. Biometric identification is becoming popular for its ease of use.

Most smartphones today can be unlocked by placing a finger on the scanner or letting the camera scan your face – much quicker than entering a password or passcode.

However, biometric data can be hacked, too, either from the servers where they are stored or from the software that processes the data.

One case in point is last year’s BioStar 2 data breach in which nearly 28 million biometric records were exposed. BioStar 2 is a security system that uses facial recognition and fingerprinting technology to help organisations secure access to buildings.

There can also be false negatives and false positives in biometric recognition. Dirt on the fingerprint reader or on the person’s finger can lead to false negatives. Also, faces can sometimes be similar enough to fool facial recognition systems.

Another type of 2FA comes in the form of personal security questions such as “what city did your parents meet in?” or “what was your first pet’s name?”




Only the most determined and resourceful hacker will be able to find answers to these questions. It’s unlikely, but still possible, especially as more of us adopt public online profiles.

[Image: a person looks at a social media post from a woman on their mobile. Caption: Often when we share our lives on the internet, we fail to consider what kinds of people may be watching. Source: Shutterstock]

2FA remains best practice

Despite all of the above, the biggest vulnerability to being hacked is still the human factor. Successful hackers have a bewildering array of psychological tricks in their arsenal.

A cyber attack could come as a polite request, a scary warning, a message ostensibly from a friend or colleague, or an intriguing “clickbait” link in an email.

The best way to protect yourself from hackers is to develop a healthy amount of scepticism. If you carefully check websites and links before clicking through and also use 2FA, the chances of being hacked become vanishingly small.

The bottom line is that 2FA is effective at keeping your accounts safe. However, try to avoid the less secure SMS method when given the option.

Just as burglars in the real world focus on houses with poor security, hackers on the internet look for weaknesses.

And while any security measure can be overcome with enough effort, a hacker won’t make that investment unless they stand to gain something of greater value.

David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Keep calm, but don’t just carry on: how to deal with China’s mass surveillance of thousands of Australians



Bruce Baer Arnold, University of Canberra

National security is like sausage-making. We might enjoy the tasty product, but want to look away from the manufacturing.

Recent news that Chinese company Zhenhua Data is profiling more than 35,000 Australians isn’t a surprise to people with an interest in privacy, security and social networks. We need to think critically about this, knowing we can do something to prevent it from happening again.

Reports indicate Zhenhua provides services to the Chinese government. It may also provide services to businesses in China and overseas.

The company operates under Chinese law and doesn’t appear to have a presence in Australia. That means we can’t shut it down or penalise it for a breach of our law. Also, Beijing is unlikely to respond to expressions of outrage from Australia or condemnation by our government – especially amid recent sabre-rattling.




Zhenhua is reported to have data on more than 35,000 Australians – a list saturated by political leaders and prominent figures. Names, birthdays, addresses, marital status, photographs, political associations, relatives and social media account details are among the information extracted.

It seems Zhenhua has data on a wide range of Australians, including public figures such as Victorian supreme court judge Anthony Cavanough, Australia’s former ambassador to China Geoff Raby, former NSW premier and federal foreign affairs minister Bob Carr, tech billionaire Mike Cannon-Brookes and singer Natalie Imbruglia.

It’s not clear how individuals are being targeted. The profiling might be systematic. It might instead be conducted on the basis of a specific industry, academic discipline, public prominence or perceived political influence.

It’s unlikely Zhenhua profiles random members of the public. That means there’s no reason for average citizens without a China connection to be worried.

Still, details around the intelligence gathering elude us, so the best practice for the public is to maintain as much online privacy as possible, whenever possible.

Overall, we don’t know much about Zhenhua’s goals. And what we do know came from a leak to a US academic who sensibly fled China in 2018, fearing for his safety.

Pervasive surveillance is the norm

Pervasive surveillance is now a standard feature of all major governments, which often rely on surveillance-for-profit companies. Governments in the West buy services from big data analytic companies such as Palantir.

Australia’s government gathers information outside our borders, too. Take the bugging of the Timor-Leste government, a supposed friend rather than enemy.

How sophisticated is the plot?

Revelations about Zhenhua have referred to the use of artificial intelligence and the “mosaic” method of intelligence gathering. But this is probably less exciting than it sounds.

Reports indicate much of the data was extracted from online open sources. Access to much of this would have simply involved using algorithms to aggregate targets’ names, dates, qualifications and work history data found on publicly available sites.

The algorithms then help put the individual pieces of the “mosaic” together and fill in the holes on the basis of each individual’s relationships with others, such as their peers, colleagues or partners.

Some of the data for the mosaic may come from hacking or be gathered directly by the profiler. According to the ABC, some data that landed in Zhenhua’s lap was taken from the dark web.

One seller might have spent years copying data from university networks. For example, last year the Australian National University acknowledged major personal data breaches had taken place, potentially extending back 19 years.

This year there was also the unauthorised (and avoidable) access by cybercriminals to NSW government data on 200,000 people.

While it may be confronting to know a foreign state is compiling information on Australian citizens, it should be comforting to learn sharing this information can be avoided – if you’re careful.

What’s going on in the black box?

One big question is what Zhenhua’s customers in China’s political and business spheres might do with the data they’ve compiled on Australian citizens. Frankly, we don’t know. National security is often a black box and we are unlikely ever to get verifiable details.

Apart from distaste at being profiled, we might say being watched is no big deal, especially given many of those on the list are already public figures. Simply having an AI-assisted “Who’s Who” of prominent Australians isn’t necessarily frightening.

However, it is of concern if the information collected is being used for disinformation, such as through any means intended to erode trust in political processes, or subvert elections.

For instance, a report published in June by the Australian Strategic Policy Institute detailed how Chinese-speaking people in Australia were being targeted by a “persistent, large-scale influence campaign linked to Chinese state actors”.

[Image: illustration of a surveillance camera with a Chinese flag draped over it. Caption: In June, Prime Minister Scott Morrison announced China was supposedly behind a major state-based attack against several of Australia’s sectors, including all levels of government. Source: Shutterstock]

Deep fake videos are another form of subversion of increasing concern to governments and academics, particularly in the US.




Can we fix this?

We can’t make Zhenhua and its competitors disappear. Governments think they are too useful.

Making everything visible to state surveillance is now the ambition of many law enforcement bodies and all intelligence agencies. It’s akin to Google and its competitors wanting to know (and sell) everything about us, without regard for privacy as a human right.

We can, however, build resilience.

One way is to require government agencies and businesses to safeguard their databases. That hasn’t been the case with the NSW government, Commonwealth governments, Facebook, dating services and major hospitals.

In Australia, we need to adopt recommendations by law reform inquiries and establish a national right to privacy. The associated privacy tort would incentivise data custodians and also encourage the public to avoid oversharing online.

In doing so, we might be better placed to condemn both China and other nations participating in unethical intelligence gathering, while properly acknowledging our own wrongdoings in Timor-Leste.

Bruce Baer Arnold, Assistant Professor, School of Law, University of Canberra

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Private browsing: What it does – and doesn’t do – to shield you from prying eyes on the web



[Image caption: The major browsers have privacy modes, but don’t confuse privacy for anonymity. Source: Oleg Mishutin/iStock via Getty Images]

Lorrie Cranor, Carnegie Mellon University and Hana Habib, Carnegie Mellon University

Many people look for more privacy when they browse the web by using their browsers in privacy-protecting modes, called “Private Browsing” in Mozilla Firefox, Opera and Apple Safari; “Incognito” in Google Chrome; and “InPrivate” in Microsoft Edge.

These private browsing tools sound reassuring, and they’re popular. According to a 2017 survey, nearly half of American internet users have tried a private browsing mode, and most who have tried it use it regularly.

However, our research has found that many people who use private browsing have misconceptions about what protection they’re gaining. A common misconception is that these browser modes allow you to browse the web anonymously, surfing the web without websites identifying you and without your internet service provider or your employer knowing what websites you visit. The tools actually provide much more limited protections.

Other studies conducted by the Pew Research Center and the privacy-protective search engine company DuckDuckGo have similar findings. In fact, a recent lawsuit against Google alleges that internet users are not getting the privacy protection they expect when using Chrome’s Incognito mode.

How it works

While the exact implementation varies from browser to browser, what private browsing modes have in common is that once you close your private browsing window, your browser no longer stores the websites you visited, cookies, user names, passwords and information from forms you filled out during that private browsing session.

Essentially, each time you open a new private browsing window you are given a “clean slate” in the form of a brand new browser window that has not stored any browsing history or cookies. When you close your private browsing window, the slate is wiped clean again and the browsing history and cookies from that private browsing session are deleted. However, if you bookmark a site or download a file while using private browsing mode, the bookmarks and file will remain on your system.

Although some browsers, including Safari and Firefox, offer some additional protection against web trackers, private browsing mode does not guarantee that your web activities cannot be linked back to you or your device. Notably, private browsing mode does not prevent websites from learning your internet address, and it does not prevent your employer, school or internet service provider from seeing your web activities by tracking your IP address.

Reasons to use it

We conducted a research study in which we identified reasons people use private browsing mode. Most study participants wanted to protect their browsing activities or personal data from other users of their devices. Private browsing is actually pretty effective for this purpose.

We found that people often used private browsing to visit websites or conduct searches that they did not want other users of their device to see, such as those that might be embarrassing or related to a surprise gift. In addition, private browsing is an easy way to log out of websites when borrowing someone else’s device – so long as you remember to close the window when you are done.

[Image: a smartphone displaying Google Incognito mode. Caption: Private browsing can help cover your internet tracks by automatically deleting your browsing history and cookies when you close the browser. Source: Avishek Das/SOPA Images/LightRocket via Getty Images]

Private browsing provides some protection against cookie-based tracking. Since cookies from your private browsing session are not stored after you close your private browsing window, it’s less likely that you will see online advertising in the future related to the websites you visit while using private browsing.

Additionally, as long as you have not logged into your Google account, any searches you make will not appear in your Google account history and will not affect future Google search results. Similarly, if you watch a video on YouTube or other service in private browsing, as long as you are not logged into that service, your activity does not affect the recommendations you get in normal browsing mode.

What it doesn’t do

Private browsing does not make you anonymous online. Anyone who can see your internet traffic – your school or employer, your internet service provider, government agencies, people snooping on your public wireless connection – can see your browsing activity. Shielding that activity requires more sophisticated tools that use encryption, like virtual private networks.

Private browsing also offers few security protections. In particular, it does not prevent you from downloading a virus or malware to your device. Additionally, private browsing does not offer any additional protection for the transmission of your credit card or other personal information to a website when you fill out an online form.

It is also important to note that the longer you leave your private browsing window open, the more browsing data and cookies it accumulates, reducing your privacy protection. Therefore, you should get in the habit of closing your private browsing window frequently to wipe your slate clean.

What’s in a name

It is not all that surprising that people have misconceptions about how private browsing mode works; the word “private” suggests a lot more protection than these modes actually provide.

Furthermore, a 2018 research study found that the disclosures shown on the landing pages of private browsing windows do little to dispel misconceptions that people have about these modes. Chrome provides more information about what is and is not protected than most of the other browsers, and Mozilla now links to an informational page on the common myths related to private browsing.

However, it may be difficult to dispel all of these myths without changing the name of the browsing mode and making it clear that private browsing stops your browser from keeping a record of your browsing activity, but it isn’t a comprehensive privacy shield.

Lorrie Cranor, Professor of Computer Science and of Engineering & Public Policy, Carnegie Mellon University and Hana Habib, Graduate Research Assistant at the Institute for Software Research, Carnegie Mellon University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Morrison’s $1.3 billion for more ‘cyber spies’ is an incremental response to a radical problem


Greg Austin, UNSW

The federal government has announced it will spend more than a billion dollars over the next ten years to boost Australia’s cyber defences.

This comes barely a week after Prime Minister Scott Morrison warned the country was in the grip of a “sophisticated” cyber attack by a “state-based” actor, widely reported to be China.


Read more: Morrison announces repurposing of defence money to fight increasing cyber threats

The announcement can be seen as a mix of the right stuff and political window dressing – deflecting attention away from Australia’s underlying weaknesses when it comes to cyber security.

What is the funding for?

Morrison’s cyber announcement includes a package of measures totalling $1.35 billion over ten years.

This includes funding to disrupt offshore cyber crime, intelligence sharing between government and industry, new research labs and more than 500 “cyber spy” jobs.

As Morrison explained:

This … will mean that we can identify more cyber threats, disrupt more foreign cyber criminals, build more partnerships with industry and government and protect more Australians.

The key aim is to help the country’s cyber intelligence agency, the Australian Signals Directorate (ASD), to know as soon as possible who is attacking Australia, with what, and how the attack can best be stopped.

Australia’s cyber deficiencies

Australia certainly needs to do more to defend itself against cyber attacks.

Intelligence specialists like top public servant Nick Warner have been advocating for more attention for cyber threats for years.

Concerns about Australia’s cyber defences have been raised for years.
http://www.shutterstock.com

The government is also acknowledging publicly that the threats are increasing.

Earlier this month, Morrison held an unusual press conference to announce that Australia was under cyber attack.

While he did not specify who by, government statements made plain it was the same malicious actor (a foreign government) using the same tools as an attack reported in May this year.

Related attacks on Australia using similar malware were also identified in May 2019.

This type of threat is called an “advanced persistent threat” because it is hard to get it out of a system, even if you know it is there.


Read more: Australia is under sustained cyber attack, warns the government. What’s going on, and what should businesses do?

All countries face enormous difficulties in cyber defence, and Australia is arguably among the top states in cyber security world-wide. Yet after a decade of incremental reforms, the government has been unable to organise all of its own departments to implement more than basic mitigation strategies.

New jobs in cyber security

The biggest slice of the $1.35 billion is a “$470 million investment to expand our cyber security workforce”.

This is by any measure an essential underpinning and is to be applauded.

The Morrison government wants to recruit more than 500 new ASD employees.
http://www.shutterstock.com

But it is not yet clear how “new” these new jobs are.

The 2016 Defence White Paper announced a ten year workforce expansion of 1,700 jobs in intelligence and cyber security. This included a 900-person joint cyber unit in the Australian Defence Force, announced in 2017.

The newly mooted expansion for ASD will also need to be undertaken gradually. It will be impossible to find hundreds of additional staff with the right skills straight away.

The skills needed cut across many sub-disciplines of cyber operations, and must be fine-tuned across various roles. ASD has identified four career streams (analysis, systems architecture, operations and testing) but these do not reflect the diversity of talents needed.

It’s clear Australian universities do not currently train people at the advanced levels needed by ASD, so advanced on-the-job training is essential.

Political window dressing

The government is promoting its announcement as the “nation’s largest ever investment in cyber security”. But the seemingly generous $1.35 billion cyber initiative does not involve new money.

The package is also a pre-announcement of part of the government’s upcoming 2020 Cyber Security Strategy, expected within weeks.

This will update the 2016 strategy released under former prime minister Malcolm Turnbull and cyber elements of the 2016 Defence White Paper.


Read more: Australia is facing a looming cyber emergency, and we don’t have the high-tech workforce to counter it

The new cyber strategy has been the subject of country-wide consultations through 2019, but few observers expect significant new funding injections.

The main exceptions which may receive a funding boost compared with 2016 are likely to be in education funding (as opposed to research), and community awareness.

With the release of the new cyber strategy understood to be imminent, it is unclear why the government chose this particular week to make the pre-announcement. It obviously will have kept some big news for the strategy release when it happens.

The federal government is expected to release a new cyber security strategy within weeks.
http://www.shutterstock.com

The government’s claim that an additional $135 million per year is the “largest ever investment in cyber security” is true in a sense. But this is the case in many areas of government expenditure.

The government has obviously cut pre-planned expenses in some unrevealed areas of Defence.

Meanwhile, the issues this funding is supposed to address are so complex, that $1.35 billion over ten years can best be seen as an incremental response to a radical threat.

Australia needs to do much more

According to authoritative sources, including the federal government-funded AustCyber in 2019, there are a number of underlying deficiencies in Australia’s industrial and economic response to cyber security.

These can only be improved if federal government departments adopt stricter approaches, if state governments follow suit, and if the private sector makes appropriate adjustments.

Above all, the leading players need to shift their planning to better accommodate the organisational and management aspects of cyber security delivery.


Read more: Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record

Yes, we need to up our technical game, but our social response is also essential.

CEOs and departmental secretaries should be legally obliged to attest every year that they have sound cyber security practices and their entire organisations are properly trained.

Without better corporate management, Australia’s cyber defences will remain fragmented and inadequate.

Greg Austin, Professor UNSW Canberra Cyber, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Don’t be phish food! Tips to avoid sharing your personal information online


Nik Thompson, Curtin University

Data is the new oil, and online platforms will siphon it off at any opportunity. Platforms increasingly demand our personal information in exchange for a service.

Avoiding online services altogether can limit your participation in society, so the advice to just opt out is easier said than done.

Here are some tricks you can use to avoid giving online platforms your personal information. Some ways to limit your exposure include using “alternative facts”, using guest check-out options, and a burner email.

Alternative facts

While “alternative facts” is a term coined by White House press staff to describe factual inaccuracies, in this context it refers to false details supplied in place of your personal information.


Read more: Hackers are now targeting councils and governments, threatening to leak citizen data

This is an effective strategy to avoid giving out information online. Though platforms might insist you complete a user profile, they can do little to check if that information is correct. For example, they can check whether a phone number contains the correct amount of digits, or if an email address has a valid format, but that’s about it.

When a website requests your date of birth, address, or name, consider how this information will be used and whether you’re prepared to hand it over.

There’s a distinction to be made between which platforms do or don’t warrant using your real information. If it’s an official banking or educational institute website, then it’s important to be truthful.

But an online shopping, gaming, or movie review site shouldn’t require the same level of disclosure, and using an alternative identity could protect you.

Secret shopper

Online stores and services often encourage users to set up a profile, offering convenience in exchange for information. Stores value your profile data, as it can provide them additional revenue through targeted advertising and emails.

But many websites also offer a guest checkout option to streamline the purchase process. After all, one thing as valuable as your data is your money.

So unless you’re making very frequent purchases from a site, use guest checkout and skip profile creation altogether. Even without disclosing extra details, you can still track your delivery, as tracking is provided by transport companies (and not the store).

Also consider your payment options. Many credit cards and payment merchants such as PayPal provide additional buyer protection, adding another layer of separation between you and the website.

Avoid sharing your bank account details online, and instead use an intermediary such as PayPal, or a credit card, to provide additional protection.

If you use a credit card (even prepaid), then even if your details are compromised, any potential losses are limited to the card balance. Also, with credit cards this balance is effectively the bank’s funds, meaning you won’t be charged out of pocket for any fraudulent transactions.

Burner emails

An email address is usually the first item a site requests.

They also often require email verification when a profile is created, and that verification email is probably the only one you’ll ever want to receive from the site. So rather than handing over your main email address, consider a burner email.

This is a fully functional but disposable email address that remains active for about 10 minutes. You can get one for free from online services including Maildrop, Guerilla Mail and 10 Minute Mail.

Just make sure you don’t forget your password, as you won’t be able to recover it once your burner email becomes inactive.

The 10 Minute Mail website offers free burner emails.
screenshot

The risk of being honest

Every online profile containing your personal information is another potential target for attackers. The more profiles you make, the greater the chance of your details being breached.

A breach in one place can lead to others. Names and emails alone are sufficient for email phishing attacks. And a phish becomes more convincing (and more likely to succeed) when paired with other details such as your recent purchasing history.

Surveys indicate about half of us recycle passwords across multiple sites. While this is convenient, it means if a breach at one site reveals your password, then attackers can hack into your other accounts.

In fact, even just an email address is a valuable piece of intelligence, as emails are used as a login for many sites, and a login (unlike a password) can sometimes be impossible to change.

Obtaining your email could open the door for targeted attacks on your other accounts, such as social media accounts.


Read more: The ugly truth: tech companies are tracking and misusing our data, and there’s little we can do

In “password spraying” attacks, cybercriminals test common passwords against many emails/usernames in hopes of landing a correct combination.
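The two attack shapes mentioned above (recycled passwords tried against many accounts, versus many guesses against one account) look different in an authentication log, and that difference is what a defender keys on. The following is an added example, not code from the article, that runs a simple detector over a constructed log: the log format (ISO timestamp, source IP, login, outcome), the IP addresses, the logins and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): ISO timestamp,
# source IP, login (an email-style username), outcome. One source tries a
# password once against many logins; another hammers a single login.
SAMPLE_LOG = """\
2020-06-30T09:00:01 10.0.0.5 alice@example.com FAIL
2020-06-30T09:00:03 10.0.0.5 bob@example.com FAIL
2020-06-30T09:00:05 10.0.0.5 carol@example.com FAIL
2020-06-30T09:00:07 10.0.0.5 dave@example.com FAIL
2020-06-30T09:00:09 10.0.0.5 erin@example.com FAIL
2020-06-30T09:00:11 10.0.0.5 frank@example.com FAIL
2020-06-30T09:00:13 10.0.0.5 grace@example.com OK
2020-06-30T09:01:00 192.168.1.20 alice@example.com FAIL
2020-06-30T09:01:02 192.168.1.20 alice@example.com FAIL
2020-06-30T09:01:04 192.168.1.20 alice@example.com FAIL
2020-06-30T09:01:06 192.168.1.20 alice@example.com FAIL
2020-06-30T09:01:08 192.168.1.20 alice@example.com FAIL
2020-06-30T09:01:10 192.168.1.20 alice@example.com OK
2020-06-30T09:05:00 172.16.0.9 bob@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source, login, outcome)."""
    ts, src, login, outcome = line.split()
    return datetime.fromisoformat(ts), src, login, outcome


def failures_by_key(log_text, key):
    """Group FAIL events by key(src, login); each value is a time-sorted list of (ts, login)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, login, outcome = parse_line(line)
        if outcome == "FAIL":
            groups[key(src, login)].append((ts, login))
    for events in groups.values():
        events.sort()
    return groups


def detect_spraying(log_text, window=timedelta(minutes=10), min_logins=5, max_per_login=2):
    """Flag sources that, within `window`, fail against at least `min_logins`
    distinct logins with at most `max_per_login` failures each: the spraying
    shape, which stays under per-account lockout thresholds.
    Returns {src: sorted list of distinct logins touched}."""
    flagged = {}
    for src, fails in failures_by_key(log_text, lambda s, u: s).items():
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, login in fails[i:]:
                if ts - start > window:
                    break
                counts[login] += 1
            if len(counts) >= min_logins and max(counts.values()) <= max_per_login:
                flagged[src] = sorted(counts)
                break
    return flagged


def detect_brute_force(log_text, window=timedelta(minutes=10), min_failures=5):
    """Flag (src, login) pairs with at least `min_failures` failures in `window`:
    single-account guessing, which per-account lockout already catches.
    Returns {(src, login): failure count in the busiest window}."""
    flagged = {}
    for key, fails in failures_by_key(log_text, lambda s, u: (s, u)).items():
        best = 0
        for i, (start, _) in enumerate(fails):
            n = sum(1 for ts, _ in fails[i:] if ts - start <= window)
            best = max(best, n)
        if best >= min_failures:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(SAMPLE_LOG))
    print("brute-force pairs:", detect_brute_force(SAMPLE_LOG))
```

Counting distinct logins per source rather than failures per login is the design point: a spray of one guess per account never trips a per-account lockout, so only the per-source view reveals it. In practice the source key may need to be a subnet or an ASN rather than a single IP, since sprays are often spread across many addresses.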

The bottom line is, the safest information is the information you never release. And practising alternatives to disclosing your true details could go a long way to limiting your data being used against you.

Nik Thompson, Senior Lecturer, Curtin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

There is no specific crime of catfishing. But is it illegal?


Marilyn McMahon, Deakin University and Paul McGorrery, Deakin University

Twenty-year-old Sydney woman Renae Marsden died by suicide after she was the victim of an elaborate catfishing scam.

A recent coronial investigation into her 2013 death found no offence had been committed by the perpetrator, revealing the difficulties of dealing with this new and emerging phenomenon.

While we wait for law reform in this area, we think police and prosecutors could make better use of our existing laws to deal with these sorts of behaviours.

What is catfishing?

“Catfishing” occurs when a person creates a fake profile on social media in order to deceive someone else and abuse them, take their money or otherwise manipulate and control them.

While statistics about the prevalence of catfishing are elusive, popular dating sites such as eHarmony and the Australian government’s eSafety Commission offer advice about spotting catfishers.


Read more: From catfish to romance fraud, how to avoid getting caught in any online scam

Catfishing is also the subject of an MTV reality series, major Hollywood films, and psychological research on why people do it.

Dangerous, damaging but not a specific crime

There is no specific crime of catfishing in Australia. But there are many different behaviours involved in catfishing, which can come under various existing offences.

One of these is financial fraud. In 2018, a Canberra woman pleaded guilty to 10 fraud offences after she created an elaborate and false online profile on a dating website. She befriended at least ten men online, then lied to them about having cancer and other illnesses and asked them to help her pay for treatment. She obtained more than $300,000.

Catfishers create fake online profiles to deceive others.
http://www.shutterstock.com

Another crime associated with catfishing is stalking. In 2019, a Victorian woman was convicted of stalking and sentenced to two years and eight months jail after she created a Facebook page where she pretended to be Australian actor Lincoln Lewis. This case is currently subject to an appeal.

The grey area of psychological and emotional abuse

When catfishing doesn’t involve fraud or threats, but involves psychological and emotional manipulation, it can be more difficult to obtain convictions.

One of the most notorious cases occurred more than a decade ago in the United States. Missouri mother Lori Drew catfished a teenager she believed had been unkind to her daughter.


Read more: Have you caught a catfish? Online dating can be deceptive

With the help of her daughter and young employee, Drew created a fake MySpace profile as a teenage boy and contacted the 13-year-old victim. Online flirting took place until the relationship was abruptly ended. The victim was told that “the world would be a better place without her”. Later that day, she killed herself.

Because the harm suffered by the victim was not physical but psychological, and had been perpetrated online, prosecutors had trouble identifying an appropriate criminal charge.

Eventually, Drew was charged with computer fraud and found guilty. But the conviction was overturned in 2009 when an appeal court concluded the legislation was never meant to capture this type of behaviour.

Renae Marsden’s case

The harm done to Marsden was also psychological and emotional. She was deliberately deceived and psychologically manipulated through the creation of a fake online identity by one of her oldest female friends.

Marsden thought she had met a man online who would become her husband. For almost two years, they exchanged thousands of text and Facebook messages. Marsden ended an engagement to another man so that she could be with the man she met online. They planned their wedding.

When he abruptly ended the relationship, Marsden ended her life.

The coroner described the conduct of Marsden’s catfisher as “appalling” and an “extreme betrayal”, but found that no offence had been committed. She observed:

Where ‘catfishing’ is without threat or intimidation or is not for monetary gain, then the conduct appears to be committed with the intent to coerce and control someone for the purpose of a wish fulfilment or some other gratification. Though such conduct may cause the recipient mental and or physical harm because it is not conduct committed with the necessary intent it falls outside the parameters of a known State criminal offence.

Existing laws like manslaughter could apply

We disagree with the coroner’s conclusion. We think that existing state criminal offences might capture some of this behaviour.

In particular, deliberately deceptive and psychologically manipulative online conduct, resulting in the death of a victim by suicide, could potentially make a perpetrator liable for manslaughter.

This is because a perpetrator who commits the offence of recklessly causing grievous bodily harm (which may include psychological harm), in circumstances where a reasonable person would realise this exposed the victim to an appreciable risk of serious injury, could be liable for the crime of “manslaughter by unlawful and dangerous act”.

Such prosecutions can and should be contemplated as an appropriate response to the serious wrongdoing that has occurred.

Where to from here?

Marsden’s parents are pushing for catfishing to be made illegal.

Teresa and Mark Marsden want catfishing to be made illegal.
Dean Lewis/AAP

The coroner chose not to recommend a specific offence of catfishing, noting:

there are complex matters which were not canvassed at the inquest which need to be taken into account before any coronial recommendation involving the introduction of criminal legislation.

But the report did recommend a closer look at making “coercive control” an offence.

Coercive control involves a wide range of controlling behaviours and could potentially criminalise the sort of psychologically and emotionally abusive conduct Marsden experienced.

It is also on the political agenda. In March, New South Wales Attorney-General Mark Speakman announced he would consult on possible new “coercive control” laws.


Read more: It’s time ‘coercive control’ was made illegal in Australia

We note, however, that the coercive control discussion is happening in the context of domestic violence. Whether prospective new laws can or should extend to catfishing will require careful consideration and drafting.

While we wait for a new offence, we should also ensure that we make use of the laws we already have to protect people from the devastating damage that can be done by catfishing.

Marilyn McMahon, Deputy Dean, School of Law, Deakin University and Paul McGorrery, PhD Candidate in Criminal Law, Deakin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Trump’s Twitter tantrum may wreck the internet


Michael Douglas, University of Western Australia

US President Donald Trump, who tweeted more than 11,000 times in the first two years of his presidency, is very upset with Twitter.

Earlier this week Trump tweeted complaints about mail-in ballots, alleging voter fraud – a familiar Trump falsehood. Twitter attached a label to two of his tweets with links to sources that fact-checked the tweets, showing Trump’s claims were unsubstantiated.

Trump retaliated with the power of the presidency. On May 28 he made an “Executive Order on Preventing Online Censorship”. The order focuses on an important piece of legislation: section 230 of the Communications Decency Act 1996.


Read more: Can you be liable for defamation for what other people write on your Facebook page? Australian court says: maybe

What is section 230?

Section 230 has been described as “the bedrock of the internet”.

It affects companies that host content on the internet. It provides in part:

(2) Civil liability. No provider or user of an interactive computer service shall be held liable on account of

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

This means that, generally, the companies behind Google, Facebook, Twitter and other “internet intermediaries” are not liable for the content on their platforms.

For example, if something defamatory is written by a Twitter user, the company Twitter Inc will enjoy a shield from liability in the United States even if the author does not.


Read more: A push to make social media companies liable in defamation is great for newspapers and lawyers, but not you

Trump’s executive order

Within the US legal system, an executive order is a “signed, written, and published directive from the President of the United States that manages operations of the federal government”. It is not legislation. Under the Constitution of the United States, Congress – the equivalent of our Parliament – has the power to make legislation.

Trump’s executive order claims to protect free speech by narrowing the protection section 230 provides for social media companies.

The text of the order includes the following:

It is the policy of the United States that such a provider [who does not act in “good faith”, but stifles viewpoints with which they disagree] should properly lose the limited liability shield of subparagraph (c)(2)(A) and be exposed to liability like any traditional editor and publisher that is not an online provider …

To advance [this] policy … all executive departments and agencies should ensure that their application of section 230 (c) properly reflects the narrow purpose of the section and take all appropriate actions in this regard.

The order attempts to do a lot of other things too. For example, it calls for the creation of new regulations concerning section 230, and what “taken in good faith” means.

The reaction

Trump’s action has some support. Republican senator Marco Rubio said if social media companies “have now decided to exercise an editorial role like a publisher, then they should no longer be shielded from liability and treated as publishers under the law”.

Critics argue the order threatens, rather than protects, freedom of speech, thus threatening the internet itself.

The status of this order within the American legal system is an issue for American constitutional lawyers. Experts were quick to suggest the order is unconstitutional; it seems contrary to the separation of powers enshrined in the US Constitution (which partly inspired Australia’s Constitution).

Harvard Law School constitutional law professor Laurence Tribe has described the order as “totally absurd and legally illiterate”.

That may be so, but the constitutionality of the order is an issue for the US judiciary. Many judges in the United States were appointed by Trump or his ideological allies.

Even if the order is legally illiterate, it should not be assumed it will lack force.

What this means for Australia

Section 230 is part of US law. It is not in force in Australia. But its effects are felt around the globe.

Social media companies who would otherwise feel safe under section 230 may be more likely to remove content when threatened with legal action.

The order might cause these companies to change their internal policies and practices. If that happens, policy changes could be implemented at a global level.

Compare, for example, what happened when the European Union introduced its General Data Protection Regulation (GDPR). Countless companies in Australia had to ensure they were meeting European standards. US-based tech companies such as Facebook changed their privacy policies and disclosures globally – they did not want to meet two different privacy standards.

If section 230 is diminished, it could also impact Australian litigation by providing another target for people who are hurt by damaging content on social media, or accessible by internet search. When your neighbour defames you on Facebook, for example, you can sue both the neighbour and Facebook.

That was already the law in Australia. But with a toothless section 230, if you win, the judgement could be enforceable in the US.

Currently, suing certain American tech companies is not always a good idea. Even if you win, you may not be able to enforce the Australian judgement overseas. Tech companies are aware of this.

In 2017 litigation, Twitter did not even bother sending anyone to respond to litigation in the Supreme Court of New South Wales involving leaks of confidential information by tweet. When tech companies like Google have responded to Aussie litigation, it might be understood as a weird brand of corporate social responsibility: a way of keeping up appearances in an economy that makes them money.

A big day for ‘social media and fairness’?

When Trump made his order, he called it a big day for “fairness”. This is standard Trump fare. But it should not be dismissed outright.

As our own Australian Competition and Consumer Commission recognised last year in its Digital Platforms Inquiry, companies such as Twitter have enormous market power. Their exercise of that power does not always benefit society.

In recent years, social media has advanced the goals of terrorists and undermined democracy. So if social media companies can be held legally liable for some of what they cause, it may do some good.

As for Twitter, the inclusion of the fact check links was a good thing. It’s not like they deleted Trump’s tweets. Also, they’re a private company, and Trump is not compelled to use Twitter.

We should support Twitter’s recognition of its moral responsibility for the dissemination of information (and misinformation), while still leaving room for free speech.

Trump’s executive order is legally illiterate spite, but it should prompt us to consider how free we want the internet to be. And we should take that issue more seriously than we take Trump’s order.

Michael Douglas, Senior Lecturer in Law, University of Western Australia

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Internet traffic is growing 25% each year. We created a fingernail-sized chip that can help the NBN keep up

This tiny micro-comb chip produces a precision rainbow of light that can support transmission of 40 terabits of data per second in standard optic fibres.
Corcoran et al., N.Comms., 2020, CC BY-SA

Bill Corcoran, Monash University

Our internet connections have never been more important to us, nor have they been under such strain. As the COVID-19 pandemic has made remote working, remote socialisation, and online entertainment the norm, we have seen an unprecedented spike in society’s demand for data.

Singapore’s prime minister declared broadband to be essential infrastructure. The European Union asked streaming services to limit their traffic. Video conferencing service Zoom was suddenly unavoidable. Even my parents have grown used to reading to my four-year-old over Skype.

In Australia telecommunications companies have supported this growth, with Telstra removing data caps on users and the National Broadband Network (NBN) enabling ISPs to expand their network capacity. In fact, the NBN saw its highest ever peak capacity of 13.8 terabits per second (or Tbps) on April 8 this year. A terabit is one trillion bits, and 1 Tbps is the equivalent of about 40,000 standard NBN connections.


Read more: Around 50% of homes in Sydney, Melbourne and Brisbane have the oldest NBN technology

This has given us a glimpse of the capacity crunch we could be facing in the near future, as high-speed 5G wireless connections, self-driving cars and the internet of things put more stress on our networks. Internet traffic is growing by 25% each year as society becomes increasingly connected.

We need new technological solutions to expand data infrastructure, without breaking the bank. The key to this is making devices that can transmit and receive massive amounts of data using the optical fibre infrastructure we have already spent time and money putting into the ground.

A high-speed rainbow

Fortunately, such a device is at hand. My colleagues and I have demonstrated a new fingernail-sized chip that can transmit data at 40 Tbps through a single optical fibre connection of the same kind used in the NBN. That’s about three times the record data rate for the entire NBN network and about 100 times the speed of any single device currently used in Australian fibre networks.

The chip uses an “optical micro-comb” to create a rainbow of infrared light that allows data to be transmitted with many frequencies of light at the same time. Our results are published in Nature Communications today.

This collaboration, between Monash, RMIT and Swinburne universities in Melbourne, and international partners (INRS, CIOPM Xi’an, CityU Hong Kong), is the first “field-trial” of an optical micro-comb system, and a record capacity for such a device.

The internet runs on light

Optical fibres have formed the backbone of our communication systems since the late 1980s. The fibres that link the world together carry light signals that are periodically boosted by optical amplifiers which can transmit light with a huge range of wavelengths.

To make the most of this range of wavelengths, different information is sent using signals of different infrared “colours” of light. If you’ve ever seen a prism split up white light into separate colours, you’ve got an insight into how this works – we can add a bunch of these colours together, send the combined signal through a single optical fibre, then split it back up again into the original colours at the other end.


Read more: What should be done with the NBN in the long run?

Making powerful rainbows from tiny chips

Optical micro-combs are tiny gadgets that in essence use a single laser, a temperature-controlled chip, and a tiny ring called an optical resonator to send out signals using many different wavelengths of light.

Figure: (left) Micrograph of the optical ring resonator on the chip. Launching light from a single laser into this chip generates over 100 new laser lines (right). We use 80 lines in the optical C-band (right, green shaded) for our communications system demonstration. (Corcoran et al., Nature Communications, 2020)

Optical combs have had a major impact on a massive range of research in optics and photonics. Optical micro-combs are miniature devices that can produce optical combs, and have been used in a wide range of exciting demonstrations, including optical communications.

The key to micro-combs is the optical resonator structure: a tiny ring (see picture above) that, when hit with enough light, converts the incoming single wavelength into a precise rainbow of wavelengths.

The demonstration

The test was carried out on a 75-km optical fibre loop in Melbourne.

For our demonstration transmitting data at 40 Tbps, we used a novel kind of micro-comb called a “soliton crystal” that produces 80 separate wavelengths of light that can carry different signals at the same time. To prove the micro-comb could be used in a real-world environment, we transmitted the data through installed optical fibres in Melbourne (provided by AARNet) between RMIT’s City campus and Monash’s Clayton campus and back, for a round trip of 75 kilometres.

This shows that the optical fibres we have in the ground today can handle huge capacity growth, simply by changing what we plug into those fibres.

What’s next?

There is more work to do! Monash and RMIT are working together to make the micro-comb devices more flexible and simpler to run.

Putting not only the micro-comb, but also the modulators that turn an electrical signal into an optical signal, on a single chip is a tremendous technical challenge.

There are new frontiers of optical communications to explore with these micro-combs, looking at using parallel paths in space, improving data rates for satellite communications, and in making “light that thinks”: artificial optical neural networks. The future is bright for these tiny rainbows.


We gratefully acknowledge Australia’s Academic Research Network (AARNet) for supporting our access to the field-trial cabling through the Australian Lightwave Infrastructure Research Testbed (ALIRT), and in particular Tim Rayner, John Nicholls, Anna Van, Jodie O’Donohoe and Stuart Robinson.

Bill Corcoran, Lecturer & Research Fellow, Monash Photonic Communications Lab & InPAC, Monash University

This article is republished from The Conversation under a Creative Commons license. Read the original article.