Australia Requires Ransomware Victims to Declare Payments
A new Australian law requires larger companies to declare any ransomware payments they have made.
Entries Tagged "Australia"
Page 1 of 5
Australia Threatens to Force Companies to Break Encryption
In 2018, Australia passed the Assistance and Access Act, which—among other things—gave the government the power to force companies to break their own encryption.
The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include:
- Technical Assistance Requests (TARs): TARs are voluntary requests for assistance accessing encrypted data from law enforcement to teleco and technology companies. Companies are not legally obligated to comply with a TAR but law enforcement sends requests to solicit cooperation.
- Technical Assistance Notices (TANs): TANS are compulsory notices (such as computer access warrants) that require companies to assist within their means with decrypting data or providing technical information that a law enforcement agency cannot access independently. Examples include certain source code, encryption, cryptography, and electronic hardware.
- Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.
It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.
This is law, but near as anyone can tell the government has never used that third provision.
Now, the director of the Australian Security Intelligence Organisation (ASIO)—that’s basically their FBI or MI5—is threatening to do just that:
ASIO head, Mike Burgess, says he may soon use powers to compel tech companies to cooperate with warrants and unlock encrypted chats to aid in national security investigations.
[…]
But Mr Burgess says lawful access is all about targeted action against individuals under investigation.
“I understand there are people who really need it in some countries, but in this country, we’re subject to the rule of law, and if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it,” Mr Burgess said.
“If there are suspicions, or we’ve got proof that we can justify you’re doing something wrong and you must be investigated, then actually we want lawful access to that data.”
Mr Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without comprising the integrity of encryption.
“I don’t accept that actually lawful access is a back door or systemic weakness, because that, in my mind, will be a bad design. I believe you can these are clever people design things that are secure, that give secure, lawful access,” he said.
We in the encryption space call that last one “nerd harder.” It, and the rest of his remarks, are the same tired talking points we’ve heard again and again.
It’s going to be an awfully big mess if Australia actually tries to make Apple, or Facebook’s WhatsApp, for that matter, break its own encryption for its “targeted actions” that put every other user at risk.
Australia Increases Fines for Massive Data Breaches
After suffering two large, and embarrassing, data breaches in recent weeks, the Australian government increased the fine for serious data breaches from $2.2 million to a minimum of $50 million. (That’s $50 million AUD, or $32 million USD.)
This is a welcome change. The problem is one of incentives, and Australia has now increased the incentive for companies to secure the personal data or their users and customers.
EDITED TO ADD (10/15): I got the details wrong. One, this is a proposed increase. Two, the amount of $50 million AUD is only applicable in very few cases.
FBI/AFP-Run Encrypted Phone
For three years, the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world. Of course, the police were able to read everything—I don’t even know if this qualifies as a backdoor. This week, the world’s police organizations announced 800 arrests based on text messages sent over the app. We’ve seen law enforcement take over encrypted apps before: for example, EncroChat. This operation, code-named Trojan Shield, is the first time law enforcement managed an app from the beginning.
If there is any moral to this, it’s one that all of my blog readers should already know: trust is essential to security. And the number of people you need to trust is larger than you might originally think. For an app to be secure, you need to trust the hardware, the operating system, the software, the update mechanism, the login mechanism, and on and on and on. If one of those is untrustworthy, the whole system is insecure.
It’s the same reason blockchain-based currencies are so insecure, even if the cryptography is sound.
BlackBerry Phone Cracked
Australia is reporting that a BlackBerry device has been cracked after five years:
An encrypted BlackBerry device that was cracked five years after it was first seized by police is poised to be the key piece of evidence in one of the state’s longest-running drug importation investigations.
In April, new technology “capabilities” allowed authorities to probe the encrypted device….
No details about those capabilities.
Cameras that Automatically Detect Mobile Phone Use
New South Wales is implementing a camera system that automatically detects when a driver is using a mobile phone.
EDITED TO ADD (12/13): The Dutch police are testing these, too.
Speakers Censored at AISA Conference in Melbourne
Two speakers were censored at the Australian Information Security Association’s annual conference this week in Melbourne. Thomas Drake, former NSA employee and whistleblower, was scheduled to give a talk on the golden age of surveillance, both government and corporate. Suelette Dreyfus, lecturer at the University of Melbourne, was scheduled to give a talk on her work—funded by the EU government—on anonymous whistleblowing technologies like SecureDrop and how they reduce corruption in countries where that is a problem.
Both were put on the program months ago. But just before the event, the Australian government’s ACSC (the Australian Cyber Security Centre) demanded they both be removed from the program.
It’s really kind of stupid. Australia has been benefiting a lot from whistleblowers in recent years—exposing corruption and bad behavior on the part of the government—and the government doesn’t like it. It’s cracking down on the whistleblowers and reporters who write their stories. My guess is that someone high up in ACSC saw the word “whistleblower” in the descriptions of those two speakers and talks and panicked.
You can read details of their talks, including abstracts and slides, here. Of course, now everyone is writing about the story. The two censored speakers spent a lot of the day yesterday on the phone with reporters, and they have a bunch of TV and radio interviews today.
I am at this conference, speaking on Wednesday morning (today in Australia, as I write this). ACSC used to have its own government cybersecurity conference. This is the first year it combined with AISA. I hope it’s the last. And that AISA invites the two speakers back next year to give their censored talks.
EDITED TO ADD (10/9): More on the censored talks, and my comments from the stage at the conference.
Slashdot thread.
New Australian Backdoor Law
Last week, Australia passed a law giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it’s really bad.
Note: Many people e-mailed me to ask why I haven’t blogged this yet. One, I was busy with other things. And two, there’s nothing I can say that I haven’t said many times before.
If there are more good links or commentary, please post them in the comments.
EDITED TO ADD (12/13): The Australian government response is kind of embarrassing.
Kidnapping Fraud
Fake kidnapping fraud:
“Most commonly we have unsolicited calls to potential victims in Australia, purporting to represent the people in authority in China and suggesting to intending victims here they have been involved in some sort of offence in China or elsewhere, for which they’re being held responsible,” Commander McLean said.
The scammers threaten the students with deportation from Australia or some kind of criminal punishment.
The victims are then coerced into providing their identification details or money to get out of the supposed trouble they’re in.
Commander McLean said there are also cases where the student is told they have to hide in a hotel room, provide compromising photos of themselves and cut off all contact.
This simulates a kidnapping.
“So having tricked the victims in Australia into providing the photographs, and money and documents and other things, they then present the information back to the unknowing families in China to suggest that their children who are abroad are in trouble,” Commander McLean said.
“So quite circular in a sense…very skilled, very cunning.”
Cabinet of Secret Documents from Australia
This story of leaked Australian government secrets is unlike any other I’ve heard:
It begins at a second-hand shop in Canberra, where ex-government furniture is sold off cheaply.
The deals can be even cheaper when the items in question are two heavy filing cabinets to which no-one can find the keys.
They were purchased for small change and sat unopened for some months until the locks were attacked with a drill.
Inside was the trove of documents now known as The Cabinet Files.
The thousands of pages reveal the inner workings of five separate governments and span nearly a decade.
Nearly all the files are classified, some as “top secret” or “AUSTEO”, which means they are to be seen by Australian eyes only.
Yes, that really happened. The person who bought and opened the file cabinets contacted the Australian Broadcasting Corp, who is now publishing a bunch of it.
There’s lots of interesting (and embarassing) stuff in the documents, although most of it is local politics. I am more interested in the government’s reaction to the incident: they’re pushing for a law making it illegal for the press to publish government secrets it received through unofficial channels.
“The one thing I would point out about the legislation that does concern me particularly is that classified information is an element of the offence,” he said.
“That is to say, if you’ve got a filing cabinet that is full of classified information … that means all the Crown has to prove if they’re prosecuting you is that it is classified nothing else.
“They don’t have to prove that you knew it was classified, so knowledge is beside the point.”
[…]
Many groups have raised concerns, including media organisations who say they unfairly target journalists trying to do their job.
But really anyone could be prosecuted just for possessing classified information, regardless of whether they know about it.
That might include, for instance, if you stumbled across a folder of secret files in a regular skip bin while walking home and handed it over to a journalist.
This illustrates a fundamental misunderstanding of the threat. The Australian Broadcasting Corp gets their funding from the government, and was very restrained in what they published. They waited months before publishing as they coordinated with the Australian government. They allowed the government to secure the files, and then returned them. From the government’s perspective, they were the best possible media outlet to receive this information. If the government makes it illegal for the Australian press to publish this sort of material, the next time it will be sent to the BBC, the Guardian, the New York Times, or Wikileaks. And since people no longer read their news from newspapers sold in stores but on the Internet, the result will be just as many people reading the stories with far fewer redactions.
The proposed law is older than this leak, but the leak is giving it new life. The Australian opposition party is being cagey on whether they will support the law. They don’t want to appear weak on national security, so I’m not optimistic.
EDITED TO ADD (2/8): The Australian government backed down on that new security law.
EDITED TO ADD (2/13): Excellent political cartoon.
Sidebar photo of Bruce Schneier by Joe MacInnis.