June 2013 Newsletter

Check out our latest Securus newsletter to see what has been happening in the security sphere. From mandatory disclosure of data breaches to vulnerability management, and from a review of penetration testing to changes in the PCI standards, there is something of interest for everyone in this issue.


Mandatory Data Breach Notification

With discussion again starting about Australia’s position on Mandatory Data Breach Disclosure (http://bit.ly/1avVg7H), we are republishing the submission we made to the government in 2012, when the discussion paper on this potential legislation was opened for comment. What are your thoughts?


The following are our [Securus Global] thoughts on Mandatory Data Breach Notification, in response to the Discussion Paper: Australian Privacy Breach Notification (Oct, 2012).

Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place.

Where we are coming from: If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose. (Fair enough).


[Data Breach List] Telstra – May 2013

Oops: Google search reveals private Telstra customer data.

By Ben Grubb, Sydney Morning Herald, May 16, 2013

The personal information of thousands of Telstra customers has been found online using a Google search.

Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax Media about the information being freely accessible to anyone online after conducting a specific Google search that turned up Telstra spreadsheets.

The owner of marketing business SMS Broadcast, Mr Gaywood said he found the data when he was searching Google for telco carrier access codes, which he needs to know for his SMS service to work.

Data discovered included customer names, telephone numbers and in some cases home and business addresses.

[Data Breach] – Google – May 2013

Google hit by building automation security FAIL

Originally published by The Register – R. Chirgwin on 6 May 2013

The building housing Google Australia’s lavish Sydney headquarters is running the known-vulnerable Tridium Niagara building management system, and has been compromised by the Cylance researchers who have made Niagara their mission.

The researchers identified the underlying system – QNX on an embedded system – and extracted the admin password from the system’s config file. After that, as the company’s blog post explains, they were able to wander around the control environment pretty much at will.


[Data Breach] NZ Welfare Agency – Oct 2012

NZ ministry knew of massive data breach

Originally published by iTnews by Juha Saarinen on 15 Oct 2012.

Chose not to act after informant sought cash reward.

Revelations that members of the public could access confidential documents from kiosks installed at a New Zealand government welfare agency have blown into a national scandal, with data from multiple agencies, corporations and citizens leaked.

As reported on iTnews earlier today blogger Keith Ng was able to gain access to highly sensitive information – including invoices and personal contact data – from self-service kiosks installed by the New Zealand Work and Income welfare agency.

The data included invoices issued to the Ministry that featured information about children in state care.

For full article: http://www.itnews.com.au/News/319190,nz-ministry-knew-of-massive-data-breach.aspx

[Data Breach] – Funds Focus – Jan 2012

An Australian online investment website, Funds Focus, part of Wealth Focus owned by Sulieman Ravell, was temporarily shut down after being hit by a massive distributed denial of service (DDoS) attack.

The Russian attackers behind the operation demanded ransom money from the owner to call off an attack that was preventing the company from doing business.

Read More: http://news.softpedia.com/news/Funds-Focus-Shut-Down-After-DDoS-Attack-Hackers-Demand-Ransom-246697.shtml

Also: http://www.scmagazine.com.au/News/286905,melbourne-it-hit-with-ddos-legal-threat.aspx

[Breach List] – Fairfax owned tradingroom.com.au – Feb 2012

The Fairfax-owned tradingroom.com.au is the latest financial services related website to be hit with a distributed denial-of-service attack (DDoS).

DDoS attacks make online services unavailable by flooding them with millions of page requests at once. They are used to disrupt the targeted business, either as protest (known as hacktivism) or for financial gain.
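The flood described above is visible in the web server’s own access log long before the site falls over: one or a few sources issuing requests far faster than any browser would. The following is an added example, not code from the newsletter or from the article it quotes, of a sliding-window rate check run over constructed combined-format log lines (the addresses, timestamps and threshold are all invented for illustration). It assumes lines arrive in chronological order, as they do in a real access log.

```python
"""Rate-based flood detection over web access logs (added example).

Flags source addresses whose request count inside a sliding time window
exceeds a threshold. The sample log below is constructed for illustration
and does not describe real traffic; the threshold is an assumption and
would be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined"-style line: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 203.0.113.7 hammers the site once a second while two
# ordinary visitors browse normally. One malformed line is included to show
# that the parser skips it rather than crashing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2012:09:00:00 +1100] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2012:09:00:01 +1100] "GET /quotes HTTP/1.1" 200 8100
198.51.100.5 - - [10/Feb/2012:09:00:01 +1100] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2012:09:00:02 +1100] "GET /quotes HTTP/1.1" 200 8100
203.0.113.7 - - [10/Feb/2012:09:00:03 +1100] "GET /quotes HTTP/1.1" 200 8100
203.0.113.7 - - [10/Feb/2012:09:00:04 +1100] "GET /quotes HTTP/1.1" 200 8100
192.0.2.33 - - [10/Feb/2012:09:00:05 +1100] "GET /login HTTP/1.1" 200 2210
203.0.113.7 - - [10/Feb/2012:09:00:05 +1100] "GET /quotes HTTP/1.1" 200 8100
192.0.2.33 - - [10/Feb/2012:09:00:06 +1100] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Feb/2012:09:00:06 +1100] "GET /quotes HTTP/1.1" 200 8100
203.0.113.7 - - [10/Feb/2012:09:00:07 +1100] "GET /quotes HTTP/1.1" 503 0
this line is not an access log entry
203.0.113.7 - - [10/Feb/2012:09:00:08 +1100] "GET /quotes HTTP/1.1" 503 0
198.51.100.5 - - [10/Feb/2012:09:00:20 +1100] "GET /portfolio HTTP/1.1" 200 9300
198.51.100.5 - - [10/Feb/2012:09:00:45 +1100] "GET /logout HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_floods(lines, window_seconds=10, threshold=8):
    """Return {ip: peak requests seen inside one window} for IPs at or above
    the threshold. Assumes lines are in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> highest in-window count observed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip garbage rather than abort the sweep
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in detect_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} requests inside a 10 s window")
```

Against the constructed sample this flags only 203.0.113.7, with nine requests inside one ten-second window; the two browsing sessions never exceed two. A real deployment would also key on the target URL and on status codes (the 503s above are the server starting to buckle), and would feed the result to a rate limiter or firewall rather than just printing it.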

[Breach List] – ANZ bank’s E*Trade – Jan 2012

Australia’s second-biggest online broking business, ANZ Bank’s ETrade, was forced to shut down over the Christmas-New Year period by a “malicious” cyber attack from offshore.

The shutdown was prompted by thousands of emails bombarding the broking site, in a denial-of-service attack. The lockout was first noticed by ETrade customers trying to access the site overseas, as the bank shut off access to all overseas users. It is understood that, as risk assessments were performed on individual countries, access was restored.

[Breach List] – Netfleet – Feb 2012

Computer hackers penetrate database of Netfleet, possibly accessing addresses and credit card numbers.

In an email to clients, Netfleet said: “There appears to have been a security breach of our database … this may have resulted in unauthorised access to some of your customer account information, such as your name, email address, billing address, phone number and a cryptographically scrambled version of your credit card and expiry date.”