Showing posts with label data.

Wednesday 5 July 2017

Would you trust these men with your personal health information?


The darknet vendor says they are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.” [The Guardian, 4 July 2017]
Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge
& Minister for Health and Liberal MP for Flinders, Greg Hunt

These two federal politicians have portfolio responsibility for some of the largest government databases in Australia.

One has portfolio responsibility for those sensitive e-health records which are due to be rolled out nationally on an opt-out basis by 2020.

This is how secure your personal information is on their watch…


The Australian Federal Police is investigating reports Australians' personal Medicare details are being accessed and sold on the dark web, an apparent breach that has been labelled an "internet catastrophe".

According to a Guardian Australia report, an online vendor can pull up the full Medicare card details of any Australian on request — and is selling them for around $30 each — indicating a security hole somewhere in the health system.

Human Services Minister Alan Tudge said the government was taking the matter seriously. 

The sales are reportedly listed on an undisclosed dark web marketplace, in which the vendor claims to be "exploiting a vulnerability" in order to run software that pulls the data. The vendor calls it "the Medicare Machine".

"Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full", the listing says, adding that the nature of the security hole being utilised means the vendor will be "here to stay".

In a statement, Mr Tudge said any authorised access to Medicare card numbers was "of great concern" and his department was also conducting its own investigation. 

Medicare's database was always a honeypot waiting to be exploited once governments embraced data matching, data retention and data sharing with much enthusiasm but little understanding.

Once someone decides they want your Medicare details, ID theft is now just 0.0089 bitcoin away; so is your abusive former spouse/partner, or the anonymous stalker or Internet troll who has been making your life a misery.

UPDATE

Anthony Baxter, 4 July 2017:

You supply the person with name, date of birth and gender and around $30 of Bitcoin and they'll give you the person's Medicare number. This is pretty bad, as it allows identity thieves to forge them - a Medicare card is usually worth 25 points on the standard 100 point ID check here. The AU govt had no idea this was happening until the journo from The Guardian let them know.

It turns out there's a portal that any health care provider can use to look up Medicare numbers this way. In case you've lost your card or whatever. Likely it's someone who works for one of them selling access, or someone's popped a PC there (more on that to come).

When asked, the relevant government minister (the same guy who presided over the Census fuckup last year (update: I misremembered, that was a different clown), the accidental publishing of PBS data that was poorly deidentified and the ongoing Centrelink robodebt nightmare) claimed it's OK because you can't get access to someone's medical records through the shiny new online electronic health records system with just a Medicare number. Aside from ignoring the ID theft issue there's a liiiiiittle bit of an issue here.

Guess what information you need along with the Medicare number to pull someone's medical records? Did you guess "name, date of birth and gender"? Collect your prize.

According to https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502 the folks who did the Privacy Impact Assessment on the electronic health records system were told it would be secure because you needed Medicare number as well as name/DOB/gender and weren't told you could use the latter to look up the former.

It Gets Worse.

In theory you can only look up this stuff from a secure endpoint, with a client side certificate installed. Which in practice means maybe 20K PCs scattered across every doctors office in the country. Worse still, many of these client certs were originally sent out via unencrypted email, and a nontrivial number were "lost". And you reckon all or even a significant fraction of these 20K boxes are running modern Windows with up to date patches? Me neither. I can't count the number of times I've been left alone in a room with an unlocked doctor's PC while he went to check something.

It (Incredibly) Gets Even Worse.

They have a Two Factor Auth system which doctors are supposed to use. One of the ways to get the 2FA key is, and I wish I was joking here, email.

So get access to a box running some XP/Win7 version that's ludicrously unpatched that's also logged into the doctors email, collect health care records. Australian government cannot computer.

At the moment the electronic health records thing is opt-in, at some point next year they'll be moving to an opt-out scheme with a window to opt-out. There's an email form here https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/content/home where you can sign up to be notified when the window to opt the hell out is opened and I urge everyone to do so ASAP.


UPDATE

The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.

Questioning the department's ability to keep the data safe from "security threats from external and internal sources", the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.

Monday 26 June 2017

Can the CSIRO sink any lower?


“Collaborating with government. As a trusted adviser to government, our collaboration within the sector supports it to solve challenges, find efficiencies and innovate.” [CSIRO, Data61]

The Commonwealth Scientific and Industrial Research Organisation (CSIRO) is a federal government corporate entity ultimately responsible to the Australian Parliament.

It started life in the midst of global conflagration in 1916 and for most of its existence it was widely respected both in its country of origin and around the world.

Sadly that level of respect has been diminished in recent years as commercial imperatives saw it move away from its once proud boast that:


However, it had not yet become a low creature of right-wing political ideology.

Until now – when it appears willing to participate in enforcing punitive social policies, cynically presented in the guise of Budget measures by the Turnbull Coalition Government.

In particular, enabling the trial drug testing of income support applicants “based on a data-driven profiling tool developed for the trial to identify relevant characteristics that indicate a higher risk of substance abuse issues” which almost inevitably will target the poor and vulnerable.

Apparently the only matter holding the CSIRO back from full commitment to the trial is the matter of contract negotiations with the Dept. of Social Security and/or Dept. of Human Services [1].

The cost of this measure has reportedly been deemed by government to be “commercial-in-confidence”.

InnovationAus, 2 June 2017:

CSIRO has still not officially agreed to allow its Data61 analytics unit to become involved in the government’s highly contentious welfare drug testing program, a Senate estimates hearing has been told.

But the delay appears to be related to difficult contract negotiations – for which the research agency is well known – rather than the objections of staff or management to becoming involved in such a politically-driven program.

The Department of Industry, Innovation and Science and CSIRO appeared at the Senate estimates on Thursday morning.

The shocking concession that CSIRO has been in discussion to work on the drug-test project since April comes despite the organisation having specifically declined to confirm any knowledge of the project for weeks – let alone that it was actively negotiating a contract.

This is despite direct questions being put to CSIRO on multiple occasions for weeks.

The estimates hearing also revealed that Data61 has been called into the controversy plagued Social Services robo-debt project that has mistakenly matched debt to welfare recipients.

CSIRO digital executive director David Williams told shadow industry minister Kim Carr that while CSIRO was approached by the Social Services department about the welfare drug testing scheme in late April – less than a month before its involvement was prematurely announced by Cabinet Minister Christian Porter – it is still yet to officially sign on to the project.

“The Department of Social Services approached CSIRO in early April, wanting to implement a trial involving activity tested income support recipients across a small number of geographical areas,” Mr Williams told senate estimates.

“They asked for Data61’s support in doing the analysis to see whether predictive analytics could help them in that task.”

“Since that time we’ve been talking with the department, and scoped out a statement of work and we’ve looked at how we can implement that work should we sign a contract and proceed. At this moment we’re working through the procedures inside CSIRO.”

FOOTNOTE

1. The CSIRO already has a business relationship with the Australian Department of Human Services (DHS). Commencing in February 2017 the CSIRO and/or CSIRO Data61 conducted a Review of Online Compliance Systems, as well as supplying Specialist Data Science Services and Selection Methodologies Advice to the department. See: https://www.tenders.gov.au.

Tuesday 22 November 2016

Have an Optus, Vodafone or Telstra mobile phone account? Your personal details may be on sale in Mumbai



The Sydney Morning Herald, 16 November 2016:

Corrupt insiders at offshore call centres are offering the private details of Australian customers of Optus, Telstra and Vodafone for sale to anyone prepared to pay.

A Fairfax Media investigation can reveal Mumbai-based security firm AI Solutions is asking between $350 and $1000 in exchange for the private information, but even more if the target is an Australian "VIP, politician, police, [or] celebrity".

AI Solutions is just one of potentially several private companies selling phone records, home addresses and other private details of Australian telecommunication company customers. They in turn have received the information from employees of the call centres used widely by Australian businesses.

Security industry sources said the practice has been long-standing. AI Solutions has told customers it has sold people's personal data for several years.

Optus has called in the federal police to investigate the data breach after it was contacted by Fairfax Media.

Optus, Telstra - which is holding an investor briefing in Sydney on Thursday - and Vodafone have stressed they are aware of the problem and have invested heavily in security procedures to counter it.

The revelation underscores the risks facing Australian consumers and businesses as a vast amount of personal or private data is collected and often stored offshore by service providers, financial institutions and government agencies.

It also raises fresh concerns about risks faced in using offshore call centres, where it may be more difficult to ensure data security.

AI Solutions actively markets its services to prospective Australian clients via an Indian businessman who uses the name Imran Khan. It is unclear if this is a false name.

But Fairfax Media has confirmed that AI Solutions has previously, and on numerous occasions, sold Australians' personal data to third parties.

It recently wrote to a Melbourne corporate intelligence and security company, boasting that it has a "long list" of Australian clients buying data from the offshore call centres.

"There are … 3 major telecom numbers details I can provide you. Telstra, Vodafone and Optus," the Indian company's representative wrote in a text message to a prospective client seen by Fairfax Media.

The company charges $350 to provide a person's home address and charges $1000 for a "full extract". This includes a person's home address, date of birth, alternative phone numbers and "more than 1 years billing statements" and "calling data history".

"And for VIP, politician, police, celebrity, charges are different," one message said.

While the data being illegally sold will not contain the actual content of text messages or what has been said during phone calls, it does contain information about who a person has called, the location at which a call is made and other sensitive data and metadata.

This information could be of use to companies engaged in corporate spying or intelligence gathering, private investigators, marketing firms and organised criminals seeking to engage in identity fraud, or to locate people. It is possible that foreign intelligence services could also use the data theft service.

The Indian firm requests payment via Western Union or Money Gram remittance services…

The Australian Federal Police said it had spoken with Optus and Vodafone and had subsequently provided information to Indian authorities.


Office of the Australian Information Commissioner, media release, 17 November 2016:

Statement by the Australian Information and Privacy Commissioner, Timothy Pilgrim, on personal information of Australian telecommunication customers

17 November 2016

I am concerned about allegations that personal information of Australian telecommunication customers is being offered for sale online. My office is making enquiries with Optus, Telstra and Vodafone to determine what further action I may take in this matter.

These allegations, and the community response they have generated, are a reminder that Australian customers expect businesses to handle their personal information in line with Australian law no matter where they operate. 

If anyone has privacy concerns about this incident they can contact my office on 1300 363 992 or enquiries@oaic.gov.au.

Tuesday 25 November 2014

What could possibly go wrong when the Abbott Government is creating Fortress Australia to protect us all from a veritable host of 'terrors'?


When the Abbott Government’s wider surveillance powers were passed by the Senate, the Australian public was being assured by both major parties that the sweeping ‘anti-terrorism’ legislation had built-in safeguards which would protect us all from overreach by intelligence agencies and police.

The good citizens of Tacoma in Pierce County, Washington, United States probably thought they were protected too. After all, didn’t the police need to get a warrant from a Superior Court judge?

The News Tribune article of 15 November 2014 shows just how easily a mockery can be made of surveillance laws:

Pierce County judges didn’t know until recently that they’d been authorizing Tacoma police to use a device capable of tracking someone’s cellphone.
Now they do, and they’ve demanded that police change the way they get permission to use their so-called cell site simulator.
From 2009 to earlier this year, the county’s Superior Court judges unwittingly signed more than 170 orders that Tacoma police and other local law enforcement agencies say authorized them to use a device that allows investigators to track a suspect’s cellphone but also sweeps cellphone data from innocent people nearby.
In August, the assistant chief of the Tacoma Police Department told The News Tribune that investigators never deployed the device — a cell site simulator, commonly known as a Stingray — without court authorization.
The newspaper since learned police never mentioned they intended to use the device when detectives swore out affidavits seeking so-called “pen register, trap and trace” orders allowing them to gather information about a suspect’s cellphone use and location…
Neither the pen register orders nor the affidavits filed by law enforcement mentioned that police had a Stingray or intended to use it.
Instead, detectives used language commonly associated with requesting an order that would force a cellphone company to turn over records for a particular phone, and, where possible, the real-time location of the phone…

The News Tribune, 17 November 2014:
The Tacoma Police Department, which owns the Stingray, did not want to reveal it to the public. The FBI, which provided it, was leaning on the city to keep the technology secret. As a result, the judiciary that monitors investigations for constitutional abuses wasn’t aware of the kind of surveillance it was authorizing. However noble the motives, this was subterfuge…
But a Stingray — which employs technology known as cell site simulation — is so much more intrusive than conventional surveillance that it demands extra scrutiny. It pulls in cellphone transmissions from all callers in a given area and identifies the unique signatures of each phone…
This could get spooky in a hurry. The Pierce County Superior Court now has another safeguard in place: Police must sign affidavits that they will not store data on people who are not targets of the investigation…

Think this example of overreach is too far removed from Australia to matter? Think again…

The Sydney Morning Herald reported on what is already occurring in Australia on 7 July 2014:

Australian federal and state police are ordering phone providers to hand over personal information about thousands of mobile phone users, whether they are targets of an investigation or not.
Fairfax Media has confirmed Australian law-enforcement agencies are using a technique known as a "tower dump", which gives police data about the identity, activity and location of any phone that connects to targeted cell towers over a set span of time, generally an hour or two.
A typical dump covers multiple towers, and mobile providers, and can net information about thousands of mobile phones.
The dumps are usually used in circumstances when police have few leads and can be a useful, powerful tool in tracking down criminals. But privacy advocates say that while they may be helpful to police, they also target thousands of innocent people and don’t have any judicial oversight.
In addition to no warrant being required to request a tower dump containing the mobile phone data of thousands of people to track down one or more criminals involved in a crime, privacy advocates also question what is being done to the data collected once an investigation is complete…

Wednesday 19 November 2014

Australian Information Commissioner finds Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers


Office of the Australian Information Commissioner, media release on Wednesday, 12 November 2014:

Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers

The Department of Immigration and Border Protection (DIBP) has been found in breach of the Privacy Act 1988, by failing to adequately protect the personal information of approximately 9,250 asylum seekers. They have also been found to have unlawfully disclosed personal information.
The Office of the Australian Information Commissioner (OAIC) was notified by the Guardian Australia on 19 February that a ‘database’ containing the personal information of 'almost 10,000' asylum seekers was available in a report on DIBP’s website. DIBP removed the report from its website within an hour of being notified. The report was available on DIBP’s website for approximately eight and a half days.

The categories of personal information compromised in the data breach consisted of full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be ‘unlawful’.

‘This incident was particularly concerning due to the vulnerability of the people involved,’ said Australian Privacy Commissioner, Timothy Pilgrim.

The breach occurred when statistical data was mistakenly embedded in a Word document that was published on DIBP’s website. The report was accessed a number of times, and was republished by an automated archiving service.

Mr Pilgrim said that OAIC’s investigation found that DIBP was aware of the privacy risks of embedding personal information in publications, but that DIBP’s systems and processes failed to adequately address those risks. This meant that DIBP staff did not detect the embedded information when the document was created or before it was published.  

‘This breach may have been avoided if DIBP had implemented processes to de-identify data in situations where the full data set was not needed,’ he said.

This data breach also demonstrates the difficulties of effectively containing a breach where information has been published online, and highlights the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred.

‘I have made a number of recommendations about how DIBP could improve their processes, including requesting that they engage an independent auditor to certify that they have implemented the planned remediation. I have asked DIBP to provide me with a copy of the certification and the report by 13 February 2015’, Mr Pilgrim said.

The OAIC is still receiving privacy complaints from individuals affected by the breach. The OAIC has received over 1600 privacy complaints to date, and these complaints are on-going.

Media contact: Ms Leila Daniels 0407 663 968 media@oaic.gov.au

Background

As this breach occurred prior to 12 March 2014, the Privacy Commissioner’s powers under the Privacy Act 1988 were limited to making recommendations.


Tuesday 24 June 2014

What the Abbott Government has been keeping secret from Australian voters


Quotes from an IT News article dated 20 June 2014:

* Negotiations started under Labor in 2013 and are continuing under the Coalition, with trade minister Andrew Robb strongly supportive of TISA.
Robb told The Age that the proposed deal opens up new opportunities for Australia and that he wants to achieve a level playing field for the country's businesses so that they can compete on the same terms as overseas entities.
The leaked text of the Financial Services Annex shows the deal would remove much of the current right the Australian government has to block foreign takeovers of Australian banks.
Foreign banks would also be allowed to set up shop in Australia without setting up local subsidiaries, and be allowed to import workers and IT and communications equipment on a temporary basis.
The Kelsey analysis notes that TISA goes beyond provisions in the controversial Trans Pacific Trade Agreement which has currently stalled after opposition from Japan on market access.
TISA could be close to being concluded. Yesterday, US Trade Representative Michael Froman said a basic outline of the deal is in place ahead of negotiations next week.

* Law professor Jane Kelsey of Auckland University analysed the leaked Financial Services Annex on Wikileaks, and said service industry lobbyists, mostly US based firms that dominate IT and communications technology, are campaigning to stop governments from being able to demand that data be stored and processed locally.
In article X.11, the EU and Panama proposed that a TISA party should not be able to prevent data transfers by financial institutions to overseas. This, Kelsey said, means signatories would not be able to adopt privacy and confidentiality measures that breach TISA provisions.
The US wants a more direct, full ban on countries' abilities to prevent transfer of financial data to services suppliers' usual places of business.
Holding data overseas means it's almost impossible for states to control how it is used, or to impose legal liability on financial services providers, Kelsey said. It also opens up the possibility of abuse by governments.


Today, WikiLeaks released the secret draft text for the Trade in Services Agreement (TISA) Financial Services Annex, which covers 50 countries and 68.2% [1] of world trade in services. The US and the EU are the main proponents of the agreement, and the authors of most joint changes, which also covers cross-border data flow. In a significant anti-transparency manoeuvre by the parties, the draft has been classified to keep it secret not just during the negotiations but for five years after the TISA enters into force.
Despite the failures in financial regulation evident during the 2007-2008 Global Financial Crisis and calls for improvement of relevant regulatory structures [2], proponents of TISA aim to further deregulate global financial services markets. The draft Financial Services Annex sets rules which would assist the expansion of financial multi-nationals – mainly headquartered in New York, London, Paris and Frankfurt – into other nations by preventing regulatory barriers. The leaked draft also shows that the US is particularly keen on boosting cross-border data flow, which would allow uninhibited exchange of personal and financial data.
TISA negotiations are currently taking place outside of the General Agreement on Trade in Services (GATS) and the World Trade Organization (WTO) framework. However, the Agreement is being crafted to be compatible with GATS so that a critical mass of participants will be able to pressure remaining WTO members to sign on in the future. Conspicuously absent from the 50 countries covered by the negotiations are the BRICS countries of Brazil, Russia, India and China. The exclusive nature of TISA will weaken their position in future services negotiations.
The draft text comes from the April 2014 negotiation round - the sixth round since the first held in April 2013. The next round of negotiations will take place on 23-27 June in Geneva, Switzerland.
Current WTO parties negotiating TISA are: Australia, Canada, Chile, Chinese Taipei (Taiwan), Colombia, Costa Rica, Hong Kong, Iceland, Israel, Japan, Liechtenstein, Mexico, New Zealand, Norway, Pakistan, Panama, Paraguay, Peru, South Korea, Switzerland, Turkey, the United States, and the European Union, which includes its 28 member states Austria, Belgium, Bulgaria, Cyprus, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
China and Uruguay have expressed interest in joining the negotiations but so far are not included.
[1] Swiss National Center for Competence in Research: A Plurilateral Agenda for Services?: Assessing the Case for a Trade in Services Agreement, Working Paper No. 2013/29, May 2013, p. 10.
[2] For example, in June 2012 Ecuador tabled a discussion on re-thinking regulation and GATS rules; in September 2009 the Commission of Experts on Reforms of the International Monetary and Financial System, convened by the President of the United Nations and chaired by Joseph Stiglitz, released its final report, stating that "All trade agreements need to be reviewed to ensure that they are consistent with the need for an inclusive and comprehensive international regulatory framework which is conducive to crisis prevention and management, counter-cyclical and prudential safeguards, development, and inclusive finance."