A state actor has targeted Australian political parties – but that shouldn’t surprise us



Prime Minister Morrison said there was no evidence of electoral interference linked to a hack of the Australian Parliament House computer network.

Tom Sear, UNSW

The Australian political digital infrastructure is a target in an ongoing nation state cyber competition which falls just below the threshold of open conflict.

Today Prime Minister Scott Morrison made a statement to parliament, saying:

“The Australian Cyber Security Centre recently identified a malicious intrusion into the Australian Parliament House computer network.

“During the course of this work, we also became aware that the networks of some political parties – Liberal, Labor and the Nationals – have also been affected.”






But cyber measures targeting Australian government infrastructure are the “new normal”. What is most distinctive about this recent attack is the government response.

The new normal

The Australian Signals Directorate (ASD) – which incorporates the Australian Cyber Security Centre (ACSC) – analyses and responds to cyber security threats.

In January ASD identified in a report that across the three financial years (2015-16 to 2017-18) there were 1,097 cyber incidents affecting unclassified and classified government networks which were “considered serious enough to warrant an operational response.”

These figures include all identified intrusions. The prime minister fingered a “sophisticated state actor” for the activity discussed today.

Cyber power states capable of adopting “sophisticated” measures might include the United States, Israel, Russia, perhaps Iran and North Korea. Suspicion currently falls on China.

Advanced persistent threats

Cyber threat actors with such abilities are often identified by a set of handles called Advanced Persistent Threats, or APTs.

An APT is a group with a style. They are identifiable by the type of malware (malicious software) they like to deploy, their methods and even their working hours.

For example, APT28 is associated with Russian measures to interfere with the 2016 US election.

Some APTs have even been publicly traced by cyber security companies to specific buildings in China.

APT1, or Unit 61398, may be linked to the intrusions against the Australian Bureau of Meteorology and possibly the Melbourne International Arts Festival. Unit 61398 has been traced to a nondescript office building in Shanghai.

The “advanced” in APT refers to the “sophistication” mentioned by the PM.






New scanning tool released

The ACSC today publicly released a “scanning tool, configured to search for known malicious web shells that we have encountered in this investigation.”

The release supports this being called a state sponsored intrusion. A web shell is an exploitation vector, often used by APTs, that enables an intruder to carry out wider network compromise. It is uploaded to a web server remotely, after which an adversary can leverage other techniques, such as privilege escalation, and issue commands. A web shell is a form of malware.

One well-known web shell, called “China Chopper”, is delivered by a small web application and is then able to carry out “brute force” password guessing against the authentication portal.

If such malware was used in this incident, this explains why politicians and those working at Australian Parliament House were asked to change their passwords following the latest incident.

Journalism and social media surrounding incidents such as these pivot on speculation that it could be an adversary state, and who that might be.

Malware and its deployment are close to a signature of an APT, and require teams to deliver and subsequently monitor. That the ACSC has released such a specific scanning tool is a clue to why they and the prime minister can make such claims.

An intrusion into Australian Parliament House is symbolically powerful, but any data actually taken at an unclassified level might not be of great intelligence import.

The prime minister’s announcement today suggests Australian political parties have been exposed.

How elections are hacked

In 2018 I detailed how there are a few options for an adversary seeking to “hack” an election.






The first is to “go loud” and undermine the public’s belief in the players, the process, or the outcome itself. This might involve stealing information from a major party, for example, and then anonymously leaking it.

Or it might mean attacking and changing the data held by the Australian Electoral Commission or the electoral rolls each party holds. This would force the agency to publicly admit a concern, which in turn would undermine confidence in the system.

This is likely why today the prime minister said in his statement:

“I have instructed the Australian Cyber Security Centre to be ready to provide any political party or electoral body in Australia with immediate support, including making their technical experts available.

“They have already briefed the Electoral Commissions and those responsible for cyber security for all states and territories.

“They have also worked with global anti-virus companies to ensure Australia’s friends and allies have the capacity to detect this malicious activity.”

Vulnerability of political parties

Opposition Leader Bill Shorten’s response alluded to what might be another concern of our security and electoral agencies. He said:

“… our party political structures perhaps are more vulnerable. Political parties are small organisations with only a few full-time staff, they collect, store and use large amounts of information about voters and communities.”

I have previously suggested the real risk to any election is the manipulation of social media, and a more successful and secretive campaign to alter the outcome of the Australian election might focus on a minor party.

An adversary could steal the membership and donor database and electoral roll of a party with poor security, locate the social media accounts of those people, and then slowly use social media manipulations to influence an active, vocal group of voters.

Shades of grey

This is unlikely to have been the first attempt by a “sophisticated state actor” to target networks of Australian political parties. It’s best not to consider such intrusions as if they “did or didn’t work.”

There are shades of grey.

Adversaries clearly penetrated a key network and then leveraged access into others. But the duration of such a presence or whether they are even still in a network is challenging to ascertain. Equally, the government has not suggested data has been removed.

Detection without data theft may be a result of improved security awareness at Parliament House and in party networks. The government and its administration have been taking action.

The Department of Parliamentary Services – which supplies ICT to Parliament House – has improved security through “network design changes to harden the internal ICT network against cyber attack”.

This month a Joint Committee opened a new inquiry into government resilience following a report from the National Audit Office last year which found “relatively low levels of effectiveness of Commonwealth entities in managing cyber risks”.

Government response is what’s new

As the ASD and my own observations have noted, this is likely not the first intrusion of this kind – it may be an APT with more “sophisticated” malware than previous attempts. But the response and fallout from the government are certainly new.

What is increasingly clear is that attribution has become more possible, and especially within alliance structures in the Five Eyes intelligence network – Australia, Britain, Canada, New Zealand and the United States – more common.

Sometimes in cyber security it’s challenging to tell the difference between the noise and signal. The persistent presence of Russian sponsored trolls in Australian online politics, the blurring of digital borders with China and cyber enabled threats to our democratic infrastructure: these are not new.

Australia is not immune to the new immersive information war. Digital border protection might yet become an issue in the 2019 election. In addition to raising concerns, our politicians and cyber security agencies will need to develop a strong and clear strategic communication approach to both the Australian public and our adversaries as these incidents escalate.

Tom Sear, PhD Candidate, UNSW Canberra Cyber, Australian Defence Force Academy, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.


‘State actor’ makes cyber attack on Australian political parties



While the government has not identified the state actor, China is being blamed.

Michelle Grattan, University of Canberra

“A sophisticated state actor” has hacked the networks of the major political parties, Prime Minister Scott Morrison has told Parliament.

Recently the Parliament House network was disrupted, and the intrusion into the parties’ networks was discovered when this was being dealt with.

While the government has not identified the “state actor”, the Chinese are being blamed.

Morrison gave the reassurance that “there is no evidence of any electoral interference. We have put in place a number of measures to ensure the integrity of our electoral system”.

In his statement to the House Morrison said: “The Australian Cyber Security Centre recently identified a malicious intrusion into the Australian Parliament House computer network.

“During the course of this work, we also became aware that the networks of some political parties – Liberal, Labor and the Nationals – have also been affected.

“Our security agencies have detected this activity and acted decisively to confront it. They are securing these systems and protecting users”.

The Centre would provide any party or electoral body with technical help to deal with hacking, Morrison said.

“They have already briefed the Electoral Commissions and those responsible for cyber security for all states and territories. They have also worked with global anti-virus companies to ensure Australia’s friends and allies have the capacity to detect this malicious activity,” he said.

“The methods used by malicious actors are constantly evolving and this incident reinforces yet again the importance of cyber security as a fundamental part of everyone’s business.

“Public confidence in the integrity of our democratic processes is an essential element of Australian sovereignty and governance,” he said.

“Our political system and our democracy remains strong, vibrant and is protected. We stand united in the protection of our values and our sovereignty”.

Bill Shorten said party political structures were perhaps more vulnerable than government institutions – and progressive parties particularly so.

“We have seen overseas that it is progressive parties that are more likely to be targeted by ultra-right wing organisations.

“Political parties are small organisations with only a few full-time staff, they collect, store and use large amounts of information about voters and communities. These institutions can be a soft target and our national approach to cyber security needs to pay more attention to non-government organisations,” Shorten said.

Although the authorities are pointing to a “state actor”, national cyber security adviser Alastair MacGibbon told a news conference: “We don’t know who is behind this, nor their intent.

“We, of course, will continue to work with our friends and colleagues, both here and overseas, to work out who is behind it and hopefully their intent”.

Asked what the hackers had got their hands on, MacGibbon said: “We don’t know”.

Michelle Grattan, Professorial Fellow, University of Canberra

This article is republished from The Conversation under a Creative Commons license. Read the original article.

What could a My Health Record data breach look like?



Health information is an attractive target for offenders.

Cassandra Cross, Queensland University of Technology

Last week marked the start of a three-month period in which Australians can opt out of the My Health Record scheme before having an automatically generated electronic health record.

Some Australians have already opted out of the program, including Liberal MP Tim Wilson and former Queensland LNP premier Campbell Newman, who argue it should be an opt-in scheme.

But much of the concern about My Health Record centres around privacy. So what is driving these concerns, and what might a My Health Record data breach look like?

Data breaches

Data breaches exposing individuals’ private information are becoming increasingly common and can include demographic details (name, address, birthdate), financial information (credit card details, PIN numbers) and other details such as email addresses, usernames and passwords.

Health information is also an attractive target for offenders. They can use this to perpetrate a wide variety of offences, including identity fraud, identity theft, blackmail and extortion.






Last week hackers stole the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong, who may have been targeted for sensitive medical information.

Meanwhile in Canada, hackers reportedly stole the medical histories of 80,000 patients from a care home and held them to ransom.

Australia is not immune. Last year Australians’ Medicare details were advertised for sale on the dark net by a vendor who had sold the records of at least 75 people.

Earlier this year, Family Planning NSW experienced a breach of its booking system, which exposed client data of those who had contacted the organisation within the past two and a half years.

Further, in the first report since the introduction of mandatory data breach reporting, the Privacy Commissioner revealed that of the 63 notifications received in the first quarter, 15 were from health service providers. This makes health the leading industry for reported breaches.

Human error

It’s important to note that not all data breaches are perpetrated from the outside or are malicious in nature. Human error and negligence also pose a threat to personal information.

The federal Department of Health, for instance, published a supposedly “de-identified” data set relating to details from the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme of 2.5 million Australians. This was done for research purposes.

But researchers were able to re-identify the details of individuals using publicly available information. In a resulting investigation, the Privacy Commissioner concluded that the Privacy Act had been breached three times.

The latest data breach investigation from US telecommunications company Verizon notes that health care is the only sector where the threat from inside is greater than from the outside. Human error contributes largely to this.

There are promises of strong security surrounding My Health Record but, in reality, it’s a matter of when, not if, a data breach of some sort occurs.

Human error is one of the biggest threats.

Privacy controls

My Health Record allows users to set the level of access they’re comfortable with across their record. This can target specific health-care providers or relate to specific documents.

But the onus of this rests heavily on the individual. This requires a high level of computer and health literacy that many Australians don’t have. The privacy control process is therefore likely to be overwhelming and ineffective for many people.






With the default option set to “general access”, any organisation involved in the person’s care can access the information.

Regardless of privacy controls, other agencies can also access information. Section 70 of the My Health Records Act 2012 states that details can be disclosed to law enforcement for a variety of reasons including:

(a) the prevention, detection, investigation, prosecution or punishment of criminal offences.

While no applications have been received to date, it is reasonable to expect this may occur in the future.

There are also concerns about sharing data with health insurance agencies and other third parties. While not currently authorised, there is intense interest from companies that can see the value in this health data.

Further, My Health Record data can be used for research, policy and planning. Individuals must opt out of this separately, through the privacy settings, if they don’t want their data to be part of this.

What should you do?

Health data is some of the most personal and sensitive information we have and includes details about illnesses, medications, tests, procedures and diagnoses. It may contain information about our HIV status, mental health profile, sexual activity and drug use.

These areas can attract a lot of stigma so keeping this information private is paramount. Disclosure may not just impact the person’s health and well-being, it may also affect their relationships, their employment and other facets of their life.

Importantly, these details can’t be reset or reissued. Unlike passwords and credit card details, they are static. Once exposed, it’s impossible to “unsee” or “unknow” what has been compromised.

Everyone should make their own informed decision about whether to stay in My Health Record or opt out. Ultimately, it’s up to individuals to decide what level of risk they’re comfortable with, and the value of their own health information, and proceed on that basis.




Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology

This article was originally published on The Conversation. Read the original article.

Pastor, daughter hacked to death in the Philippines


Three months after the deadly massacre of more than 20 Christian journalists in this island region of the Philippines, a lady pastor and her 12-year-old daughter were brutally killed by still unidentified men in Datu Odin Sinsuat, Maguindanao, on Wednesday night, government authorities reported on Thursday, reports Noel Tarrazona, special correspondent to ASSIST News Service.

Juliet Catalan, 50, a pastor of the Born Again Christian group, was found in her backyard with several hack wounds to the head and body, according to Police Officer Ronaldo Patricio.

Patricio and Datu Odin Sinsuat, the local police chief, said Catalan’s daughter, Chelle, was found bloodied and dead inside the living room.

Meanwhile, the Philippine Daily Inquirer broadsheet reported that the twin killings could have occurred at about 9 p.m., on Wednesday, when neighbors alerted the police about what they described as "unusual yelling" inside the well-fenced compound of Catalan’s home in Barangay Dinaig.

Patricio said there was no indication of possible forced entry so the police believed the victims knew the attacker or attackers.

He said the killers had used a big axe, based on the injuries suffered by the victims.

Gammar Hassan, a respected Muslim leader doing missionary work amongst Christians, described the suspects as “violent and merciless.”

At the back of the compound is the Born Again chapel where the 50-year-old pastor was apparently heading to pray.

“She was found sprawling near the chapel,” Patricio said, indicating she ran toward the chapel during the attack.

Personal properties were scattered inside the house and police theorized the suspects were looking for something valuable.

The island region has the highest incidence of persecuted Christians doing missionary work. It was also in this region that a suspect lobbed a grenade at visiting Christian missionaries from the MV Doulos, while priests and missionaries have also been kidnapped.

Report from the Christian Telegraph