Our Aussie Cyber Security Act is going to be interesting to watch unfold not just in it's initial form, but as it evolves over the years. IMHO, great steps forward, but let's look at those arguments *against* it abc.net.au/news/2024-07-3…
"Business groups say the new disclosure rules, and the proposed $15,000 fines for failures to disclose a payment, could sink some small operators." - you only get fined if you don't disclose, so... don't hide the breach!
"They are also pushing back against the decision to include businesses with an annual turnover of more than $3 million, arguing the threshold is too low" - appx 90% of Aussies businesses have turnover <$3M/y, so the scope is still very small
"They might not know that they have this new obligation" - that's a pretty weak excuse, laws are constantly shifting, it's not hard to work out your obligations in the (still extraordinary) event that you're breached and ransomed
"We don't think that a mandatory reporting obligation or any further pressure needs to be put in place" - let's be clear: a business has had a breach, it has likely exposed customer data, they should *absolutely* be obligated to report not just to the regulator, but to customers
Whilst breached orgs are victims themselves, they have to wear the accountability. That's the cost of business in the digital era and we should increasingly hold them accountable when they try to conceal incidents at the expense of the individual victims and the community.
The writing is on the wall, I expect we'll see more and more pressure on transparency in the coming years. Who knows, it might even add some incentive to tighten things up *before* a breach happens. More on our gov's position (thread):
Something super weird happening right now: just been called by several totally different media outlets in the last few minutes, all with Windows machines suddenly BSoD’ing (Blue Screen of Death). Anyone else seen this? Seems to be entering recovery mode:
Let's start with what should be obvious: any infosec story that includes a headline about "largest", "greatest", "worst", or similar superlatives should be regarded with suspicion right from the outset. That said, let's delve into this one: cybernews.com/security/rocky…
Firstly to the title - "RockYou". This harks back a decade and a half to a 2009 data breach that exposed 34M records. It was particularly noteworthy as the passwords were in plain text: en.wikipedia.org/wiki/RockYou
Following this breach, the "RockYou password list" became almost the defacto standard list for password crackers. It's one of many breaches that seeded the data in @haveibeenpwned's Pwned Passwords list.
Firstly, this has come after @zackwhittaker's article which boils down to "it's stalkerware and it has appeared in a bunch of hotels it maybe shouldn't have and we know this because it has vulns disclosing what's captured and the company isn't responding" techcrunch.com/2024/05/22/spy…
It appears that in response to that piece, someone has gone and found a very easily exploitable bug that boiled down to a SOAP based API with an associated WSDL that documented the endpoints, one of which returned valid AWS creds
So this is an interesting one for several reasons. Firstly, the defacement which was obviously designed to antagonise a conservative media company. Maybe someone with an axe to grind, but definitely evidence of breach.
Then there are the 3 different classes of data set published at the bottom of the defacement, let's go through each by file name:
editors.json: this includes the name, personal email, phone and sometimes address of the journo. Given the politically charged nature of some of the content, PII exposure of this nature is extra concerning. It's now easy to match a story to someone's physical address and phone.
Alright folks, this is starting to smell like bullshit. Not the alleged breach (which smells bad for reasons I'll explain in a moment), but the "AI" line from both Europcar and the PR agency that just emailed me pitching someone's hot take on it. Here's why:
Firstly on the legitimacy of the data, a bunch of things don't add up. The most obvious one is that the email addresses and usernames bear no resemblance to the corresponding people names. For example:
Next, each of those usernames is then the alias of the email address. What are the chances that *every single username* aligns with the email address? Low, very low.
We often receive comments to the effect of “we want to purchase a @haveibeenpwned subscription but our company doesn’t allow us to use a credit card”. What is the financial reason behind this?
This is a very small portion compared to those that *do* pay by card, but why is this?
To add to this, having spent 14 years at Pfizer I’d see policies like this all the time. But it’s also not like there was a blanket ban: try going on a business trip and asking the person at the noodle shop you’re having lunch at to raise an invoice on 60 day terms 🤣
This also isn’t about traceability; spend the money, raise an expense claim with receipt, job done. I could understand if the answer was “because an invoice and wire transfer stops people randomly being stuff and puts procurement in control”, but they could still pay with a card.