Cloud Hosting

The cybersecurity of the Attorney-General's Department (AGD) has not been independently assessed by the Australian Signals Directorate (ASD) despite it being made an action item nearly four years ago.

The nation's Cyber Security Strategy of April 2016 said that government agencies "at higher risk of malicious cyber activity" would receive "independent cybersecurity assessments".

Adiscussion paper[PDF] for the 2020 strategy,releasedin September 2019, reported that "ASD has conducted active vulnerability assessments of a number of key government agencies".

But in written evidence given to the Senate Standing Committee on Legal and Constitutional Affairs this week, AGD revealed it wasn't one of them.

"ASD has not conducted an independent security assessment against Attorney-General's Department networks," it wrote.

"No additional funding has been provided to AGD for cybersecurity remediation activity."

AGD has vastly increased its spend on cybersecurity across the last four years, however.

From a base of AU$47,197 in 2015-2016, when they began tracking the annual operational spending of the IT Security Section, it rose to AU$225,826 in 2016-2017, then to AU$641,985 in 2017-2018. In 2018-2019, it declined slightly to AU$562,222.

"Other sections, projects, and activities make a substantial contribution to improving the overall cybersecurity posture, but are associated to other cost centres," AGD wrote.

But the department declined to answer specific questions about its compliance with theASD Essential Eightcybersecurity controls, citing security concerns.

"Publicly identifying details of any briefings provided to the Attorney-General on cybersecurity vulnerabilities on departmental networks would provide an individualised snapshot in time and may provide a heat map of vulnerabilities for departmental networks, which malicious actors may exploit and thus increase the agency's risk of cyber incidents," it wrote.

It's bad enough that most telecommunications interception warrants arenot approved by judgesbut by members of the Administrative Appeals Tribunal (AAT).

What's worse is that these less-qualified officials can spend mere minutes making their decision with no legal support from AAT staff.

After so little thought, and without further independent oversight, law enforcement agencies are free to use theircontroversial new powersunder the controversialTelecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

They can issue a "voluntary" Technical Assistance Request (TAR) to get a communications provider to help access the contents of an encrypted communication. Or they can issue a compulsory Technical Assistance Notice (TAN) to the same end.

Someseven TARs or TANs were issuedby law enforcement in the first seven months of the Act's operations. The number issued by the spooky agencies, meanwhile, is unknown.

The concern, first raised byThe Saturday Papera year ago, is that AAT members mightmore readily approve warrantsthan judges, although there's no data on this one way or the other.

There have been concerns that many AAT members are political appointees with no legal qualifications. More than 60% of members appointed since 1 July 2015 are not legally trained, according to further AGD evidence to the Legal and Constitutional Affairs Committee.

And whilesection 5DAof theTelecommunications (Interception and Access) Act 1979states that only AAT members who are "enrolled as a legal practitioner of the High Court, of another federal court, or of the Supreme Court of a State or of the Australian Capital Territory" for at least five years are approved to issue warrants -- a lawyer with five years experience is not a judge.

"Some legal experts argue that judges are more experienced and therefore more qualified to assess warrant applications than a lawyer with five years' practising experience,"The Saturday Paperwrote.

"Key to this is the fact that during these warrant proceedings, there is no party making an opposing argument."

Judges are experienced in weighing up the pros and cons of a case to ensure fairness. Lawyers are experienced at arguing for their client's position. They're not the same.

Also concerning is the amount of support given to AAT members in this role: None.

The Senate was told that "members undertake these functions in a personal capacity (as apersona designata) and not as part of their duties as a member of the AAT".

"AAT staff do not provide any legal support in respect of applications considered by an AAT member under the Act," AGD wrote.

"The AAT and AAT staff provide limited assistance to facilitate the performance of these functions, particularly scheduling appointments."

Those appointments can be very brief indeed.

"Since 1 July 2015 the average (mean) length of all appointments with AAT members for warrant-related purposes is just 18 minutes," AGD wrote.

"The shortest amount of time recorded for an appointment that proceeded is 1 minute. The data is not subject to auditing."

Maybe the members spend hours of their own time wrestling over whether to approve each warrant. On that matter, your writer has a simple response: Prove it.

Either way, it might well be argued that one minute doesn't allow for a serious challenge to a warrant application's claimed merits.

Australia's health sector continues to be the most affected by data breaches, according to the Office of the Australian Information Commissioner (OAIC).

Some58 notifiable data breaches(NDBs) were received by the OAIC between 1 January 2019 and 31 March 2019.

"The OAIC's 2019-20 corporate plan includes a continued focus on the health sector, particularly centred on uplifting the health sector's security posture," it told the Senate this week.

In September 2019, the OAIC released aGuide to Health Privacy.

"[The OAIC] is currently undertaking an associated outreach and social media campaign. This campaign includes the development of a toolkit to assist health service providers improve their information handling practices," it said.

Also during Estimates in November, the OAIC was asked if it was conducting an investigation into an alleged AU$10 million international identity theft scam that had affected several of Australia's largest super funds, including REST Super, AustralianSuper, and HESTA.

"The Information Commissioner has not opened an investigation into the named organisations in relation to the media report of an alleged identity theft scam," the OAIC said.

It did add, however, that the maximum current penalty that the Federal Court can impose for a serious or repeated interference with privacy is AU$2.1 million for a body corporate.

In recent years, the OAIC has found it difficult to process Freedom of Information (FOI) requests promptly. A substantial increase in all types of requests has since widened the gap, resulting inincreased delays and backlogs.

This week the OAIC revealed that meeting the demand for FOI regulatory work would require nine more staff at a cost A$1.65 million a year, plus A$300,000 in the first year for accommodation.

Your writer is of the view that this is back-of-the-couch money, given that it would deliver a significant increase in government transparency.

Read the rest here:
How the B-Team watches over Australia's encryption laws and cybersecurity - ZDNet

The war against cybercrime is ongoing and should not be halted or terminated because cybercriminals are not on the verge of giving up any time soon. Rather, they seem to be getting tech savvier on a daily basis. (Read How Cybercriminals Use GDPR as Leverage to Extort Companies.)

Taking a look at the IC3 Complaint Statistics 2014-2018, it becomes very glaring that we are really facing a cyberwar across the globe.

Join nearly 200,000 subscribers who receive actionable tech insights from Techopedia.

IC3 statistics showing a significant increase in total losses during 2018 (source: FBI IC3)

Different technological and non-technological measures such as weak and strong passwords, single, double, and multi-factor authentication are being fashioned out to arrest the menace caused by hackers but due to the fact that technology itself is advancing rapidly, it will still take some level of work to be able to have full control of the situation. (Read Is Security Research Actually Helping Hackers?)

Some of the measures that have been posited to use in tackling cybercrime include:

While the zero-trust strategy is not technologically based, both VPN and blockchain are based on technology. Despite the fact that they may have their different shortcomings especially as even renowned VPN providers can have privacy issues the good news is that both have encryption as a feature.

Its rather unfortunate that despite all the effort being put in place to ensure that organizations, governments, and individuals are secured, it is the government that may be constituted a stumbling block in checkmating the activities of cybercriminals.

Get insights into data center priorities and IT trends.

Governments and law enforcement agents around the globe, especially in the Five Eyes (FVEY) intelligence alliance, are not relaxing in their efforts to ensure that there are encryption backdoors.

They claim this is necessary for the interests of national safety and security as criminals and terrorists increasingly use encrypted messages to communicate online.

The FVEY governments believe that there is a widening gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data, which they term "a pressing international concern." In their opinions, this clearly demands "urgent, sustained attention and informed discussion."

Encryption is the method by which your data is converted into a secret code that conceals the information's true meaning. (Read Trusting Encryption Just Got a Lot Harder.)

It's based on the science known as cryptography. Any data that is not encrypted in computing, unencrypted data is referred to as plaintext, while the encrypted data is called ciphertext.

You make use of encryption algorithms or ciphers to encode or decode messages. If an unauthorized party manages to intercept your encrypted data, the only way such data can be meaningful to the intruder is by haphazardly guessing which cipher was used to encrypt the message and also what keys were used as variables.

The best way to crack any encryption key is a brute-force attack. For example, AES with 256-bit keys has a key length that is 256-bit.

The possible number of combinations that can be used to crack this type of encryption can keep a hacker working throughout life without success. This makes encryption a very valuable asset and security tool.

Encryption can be said to be the basic block on which information technology (IT) assets are built and without it, cybercriminals will be having a field day as things are currently. Before going through the tunnel, your data gets encrypted with a special pre-configured algorithm.

Then going out of your device, the encrypted traffic goes via the tunnel to a blockchain or VPN server. The server contacts the requested Internet resource, traffic is decrypted and reaches the resource in an unencrypted way.

The process is the same backward: your data from the website is unencrypted, then it becomes encrypted and conveyed through the tunnel to you where it is finally decrypted.

The Federal Bureau of Investigation (FBI), are brimming hell on technology companies that offer end-to-end encryption (E2EE). Their argument is that such encryption restricts law enforcement from accessing data and communications even with a warrant.

The FBI described this issue as "going dark," and the U.S. Department of Justice (DOJ) is not taking it with a pinch of salt either. The DOJ is calling for what they termed "responsible encryption" that can be unbarred by technology companies under a court order.

Taking it to the extreme, Australia enacted a law that made it compulsory for visitors to render passwords for all digital devices when before entering the country. A five-year jail term is a punishment for failure to comply.

Even when you fail to have security behind your mind, the fact that you must meet up with the worlds best standards makes it mandatory for you to encrypt your data since you must meet compliance regulations.

Quite a number of organizations and standard bodies recommend or mandate that sensitive data must be encrypted in order to prevent unauthorized third parties or hackers from accessing the data.

A case in point is that of the Payment Card Industry Data Security Standard (PCI DSS) where it is absolutely necessary that merchants must encrypt customers' payment card data when it is both stored at rest and broadcasted over unrestricted channels.

Making use of link-level encryption, you have your data encrypted data when it leaves your network, decrypted at the next link, which may be a host or a relay point, and then its re-encrypted before it is sent to the next link. You have the advantage of using a different key or even a different algorithm for data encryption by each link.

This process keeps on repeating until your data gets to its destination.

The world is talking Cloud storage and hence the encryption of data in the cloud cannot be overemphasized. Cloud storage providers are able to encrypt data using encryption algorithms and the data is then placed in cloud storage.

The fundamental difference between cloud encryption and in-house encryption is that cloud customers must take time to learn about the provider's policies and procedures for encryption and encryption key management in order to ensure that encryption is in league with the level of sensitivity of the data being stored.

With Network-level encryption you are able to apply crypto services at the network transfer layer above the data link level but below the application level. The implementation of network encryption is facilitated through Internet Protocol Security (IPsec) as a set of protocols and authentication methods developed for data protection just at the dawn of the Internet, which is a set of open Internet Engineering Task Force (IETF) standards that, when used in conjunction, design a structure for private transmission over IP systems.

This is based on the quantum mechanical properties of particles to protect data. Going by the Heisenberg uncertainty principle which posits that the two identifying properties of a particle its location and its momentum cannot be measured without changing the values of those properties, quantum cryptography is strongly positioned to ensure the security of your data.

For this reason, its practically impossible to copy any quantum-encoded data since any attempt to access the encoded data will change the data. This will raise a red flag and the authorized parties to the encryption will be notified of the attempted breach.

E2EE ensures that any data being sent between two parties cannot be viewed by an attacker who may have one way or the other intercepted the communication channel. However, the use of an encrypted communication circuit, as provided by Transport Layer Security (TLS) between web client and web server software, is not always enough to ensure E2EE.

You should ensure that the actual content you are transmitting is encrypted by client software before being passed to a web client and decrypted only by the recipient. Examples of messaging apps that provide E2EE include Facebook's WhatsApp and Open Whisper Systems' Signal.

Its also possible for Facebook Messenger users to get E2EE messaging with the Secret Conversations option.

Looking at this succinctly from all angles, what the government is trying to do maybe for the intended good of the populace with encryption backdoors will clearly and overwhelmingly jeopardize the privacy and security of everyone. They should ponder on the gravity of cybercriminals exploiting these same backdoors they are clamoring for.

Without encryption backdoors, the cybercrime situation is barely containable as it stands. What will the scenario look like if we open up our last line of defense to them?

And this is exactly what we shall obtain. The risks are of mammoth proportions.

See the article here:
Encryption Backdoors: The Achilles Heel to Cybersecurity? - Techopedia

Representatives of the Senate and the Department of Justice from the United States seem like preventing head-to-head towards encryption messaging. Behind the noble trigger of kid safety, hides a large-scale liberticide threat, as solely the United States has the key.

According to the ZeroHedge web site, the legal professional common William Barr on the one hand, and the senator Lindsey Graham alternatively, each want prohibit full encryption from sender to recipient messages despatched through purposes comparable to WhatsApp, iCloud or Telegram.

"Although we use encryption to improve cybersecurity, we must ensure that we maintain the ability to legally access data and communications when necessary to respond to criminal activity. " William Barr

The drawback of making such again doorways, is that theyd contain a " grasp key " (or " golden key ") From decipherment. And who might guarantee us that this grasp key wont be used for dangerous actions, comparable to monitor conversations political dissidents, or leaders of huge overseas corporations? Not to say hackers who handle to get their fingers on it: it could give new that means to the expression "a treatment worse than the illness".

With the assist of senators Lindsey Graham and Richard Blumenthal, Barr needs to introduce a regulation known as EARN IT Act ".

Acronym for " An Act to get rid of extreme and common neglect of interactive applied sciences "(Just that!), It goals to make criminally accountable corporations in instances of kid abuse and exploitation, if these courier corporations dont transmit any proof associated to suspected customers.

A sneaky manner drive them to supply these well-known backdoors of their purposes (usable by all those that can have the gold key, whether or not theyre "good" or "bad"). And this might additionally, subsequently, additionally concern the case of nationwide safety pointsDo you see the wolf coming from afar?

In addition to the apparent threats to particular person freedoms, and the dangers of cybersecurity, such a regulation would even have implications eminently adverse for the cryptosphere.

Indeed, blockchain networks function on of the trade of worth and knowledge primarily based on encryption, carried out from begin to end.

Financial analyst Thomas Lee of Fundstrat, Explain in addition to :

"(If this bill) becomes reality, it would have a negative impact on cryptography and digital assets".

These needs for hypersurveillance, which all the time begin from "good intentions", additional scale back the freedoms and the safety of privateness of the overwhelming majority of harmless people. All that continues to be is to hope that this regulation which guarantees to be double-edged solely stays on the undertaking stage.

Continued here:
United States: a invoice towards end-to-end encryption? - Sahiwal Tv