OAIC investigating Flight Centre customer data leak

Image credit: Flight Centre Firm is ‘co-operating’ with inquiries.

Travel agency Flight Centre is under investigation by the country’s privacy regulator after accidentally releasing personal information of an undisclosed number of its customers to third-party suppliers.

The firm confirmed last month that “human error” was behind the data breach.

It has not said how many customers were affected, nor what personal information was disclosed, though in a letter to customers it said “passport details” were included in the leak. 

The information was mistakenly sent to a “small number of potential third party suppliers for a short period of time”, Flight Centre said last month.

The Office of the Australian Information Commissioner on Friday revealed it had opened an investigation into the leak.

“Flight Centre is cooperating with the Office of the Australian Information Commissioner’s inquiries. Once the investigation has concluded a further statement will be published,” it said.

It encouraged Flight Centre customers concerned about their privacy to contact the OAIC directly.

Flight Centre has said it acted quickly to contain the information once it became aware of the breach, and was assured by suppliers that they had not retained copies of the data.

It offered to fund a credit report for those affected as well as 12 months of identity protection and credit monitoring. It also said it would reimburse any costs up to December 31 for those who wished to change their passport.

View the Original article

Advertisements

NBN customers targeted by scammers

Beware of connection offers and phishing attempts.

Scammers impersonating NBN Co have tricked several hundreds of people and caused tens of thousands of dollars in losses, the Australian Competition and Consumer Commission has warned.

The ACCC said scammers were calling people and offering to connect them to the NBN for a low price.

Payment is requested through Apple iTunes gift cards, but the connections are never completed.

Criminals have also impersonated NBN Co to trick users into giving remote access to their computers, the ACCC said.

Once remote access has been granted, the scammers steal valuable personal information, install malware, and demand payment to fix supposed problems.

The watchdog also warned about NBN fraudsters asking for sensitive personal information such as name, address, Medicare and driver’s licence numbers, which they will use for identity theft and other fraud.

Older Australians in particular are being targeted.

So far, the consumer watchdog’s Scamwatch scheme has received 316 complaints this year alone about NBN scammers who have caused almost $28,000 in losses.

The ACCC advised people not to sign up to the NBN via an unsolicited phone call, and not to agree to payments requested in iTunes gift cards.

People should also never give out personal, credit card, or online account details when called out of the blue, or give unknown individuals remote access to their computers.

View the Original article

LinkedIn exploit left millions exposed to malware

Vulnerabilities in LinkedIn’s messaging service now patched.

Exploits in LinkedIn’s security measures potentially allowed hackers to spread malicious files across the social networking site and infect millions of user PCs, researchers have found.

The Microsoft-owned professional networking site, which boasts over 500 million users in 200 countries, allows members to chat, share CVs and send job descriptions to others in their network using a messenger service.

Multiple vulnerabilities were identified in LinkedIn’s security measures that are designed to restrict the types of files uploaded to LinkedIn’s chat windows, according to security researchers at Check Point.

Typically these measures allow only a handful of extensions including pdf, text documents and jpegs, however, it was discovered that attackers could bypass these checks by uploading malicious files masquerading as accepted extensions.

These files were then capable of spreading throughout a user’s network of contacts and infecting any PCs connecting to those accounts.

The research identified four exploits in the LinkedIn security systems, including a limitation that failed to identify a malicious Power Shell script that was saved as a .pdf, which if downloaded, would remain undetected on a user’s PC.

 

View the Original article

Google mass-culls apps after malware found in Play Store

Two years and 100 million downloads later.

More than 500 apps have been yanked from Google’s Play Store after they were found to contain a software development kit (SDK) that could download malicious plug-ins at will.

The SDK is used by developers for in-app advertising, and is made by Chinese vendor Igexin.

It has been used in hundreds of games, weather, internet radio, image editor and other apps, which have been downloaded in excess of 100 million times.

Security vendor Lookout discovered that the Igexin advertising SDK could download and execute plug-ins capable of spying on users, and alerted Google to the threat.

So far, the plug-ins found by Lookout have exfiltrated users’ phone call logs. The data captured includes call lengths and the number dialled, as well as if the phone is is idle, ringing or off the hook, Lookout said.

As the malicious download capability was not created by developers using the SDK and not activated when the app was submitted to the Play Store, the threat was not detected by Google.

Lookout said the malicious functionality was fully controlled by Igexin, which could activate it at any time and download malware from a remote server controlled by the Chinese company.

The Igexin SDK appears to have been recognised as malicious since 2015, with security vendors such as Symantec adding detection for it then.

After being notified by Lookout, Google pulled more than 500 apps that feature the Igexin advertising SDK.

Google said it has improved security in its Android 8.0 operating system, which stops hostile downloader apps from operating without permission.

View the Original article

Exploit vendor offers large bounties for messaging app 0days

Up to US$500,000 on the table.

Controversial exploit vendor Zerodium is willing to pay up to half a million US dollars (A$632,128) for working remote code execution and local privilege escalation security flaws in popular secure messaging apps.

The company has added Telegram, Facebook Messenger, WhatsApp, Viber, WeChat and Signal to its bounty list for zero-day vulnerabilities.

It will also pay US$500,000 for working exploits against Apple’s iMessage as well as telcos’ text and multimedia messaging services.

Apple iOS 11 remote jailbreaks or bypassing of the operating system’s restrictions against running code with elevated privileges pay even more.

Zerodium has upped its offer to US$1.5 million for such exploits, but they have to be remote and with no user interaction such as clicking on links or opening files, else the bounty drops to US$1 million (A$1.26 milllion).

The exploit vendor also targets desktop operating systems, web browsers, and servers, as well as mobile phones from Apple, Android makers, and Blackberry.

Zerodium says it sells the exploits to governments which use them to track and capture criminals. It has denied the exploits are sold to repressive regimes. It also will not share the flaws with vendors so patches can be developed.

View the Original article

NBN Co to start DOCSIS 3.1 field trials in February

After wrapping up lab technology testing.

NBN Co is set to begin its first DOCSIS 3.1 field trials in February next year ahead of a planned commercial launch on the HFC network before the end of 2018.

The company ran its first lab tests on the technology back in June, and more are scheduled for this month.

But it will today unveil plans for limited field trials of DOCSIS 3.1 at four HFC nodes starting February 2018.

The exact location of the trials as well as other “finer details” are yet to be worked through, according to an NBN Co spokesperson.

“We’re really excited by the possibilities offered by DOCSIS 3.1,” the spokesperson said.

DOCSIS 3.1 is the next-generation standard for hybrid-fibre coaxial (HFC) networks.

The upgrade promises better speeds for users, but also “greater operational efficiencies and network diagnostics … and much higher spectrum efficiency, particularly in the upstream”.

Already, NBN Co has deployed network termination devices (NTDs) in homes in the HFC footprint which are capable of both DOCSIS 3.0 and 3.1.

NBN Co presently uses Arris equipment in its HFC network under a $400 million deal struck back in 2015. This gear was used to upgrade the existing Telstra HFC network and was initially meant also to upgrade the Optus HFC network, but much of this will instead be replaced outright with a fibre-to-the-curb network instead.

Arris’ network and cloud president Dan Whalen said his company was seeing both trials and deployments of DOCSIS 3.1 “ramping very quickly” in the US and Europe.

“We’re involved in trials and deployments with over seven different operators in North America today,” he said.

“In 2018 we see this quadrupling or quintupling the amount of DOCSIS 3.1 devices that are going to be deployed in the field.

“There’s a lot of build-up and field trials that have happened already and then we’ll really move into mass scale in 2018 and beyond.”

While the focus with NBN Co is around the DOCSIS 3.1 upgrade, Whalen said Arris was already discussing the next iteration of HFC beyond that, which is known as full duplex DOCSIS 3.1. It has a view towards achieving multi-gigabit speeds and greater efficiency than its predecessor.

“We’re already in discussions with NBN Co on full duplex DOCSIS 3.1, and what the requirements would be and when the timing is,” Whalen said.

“I’d say if it was available today NBN Co would be willing to deploy it, and

View the Original article

Brambles puts more money behind IoT venture

Data-driven supply chain work gets $21.4m.

Brambles is set to put millions more into a digital arm it set up last year and poached an SAP executive to run.

BXB Digital – which takes its name from the company’s ASX code – was set up as a business in early 2016, with a view to “apply technology to collect and transform data into services that track goods, optimise operations and improve supply chain efficiency”.

It is expected to touch both business and customer-facing parts of Brambles’ operations in 60 countries.

The company is best known for its iconic blue Chep pallets, which can be found in supply chains worldwide.

BXB Digital is based in Silicon Valley and is headed up by Prasad Srinivasamurthy, who was formerly the senior vice president of internet of things and customer innovation at SAP.

Though the digital arm had little resources to work with early on – US$800,000  (A$1 million) in its start-up year – that quickly ballooned to US$10.3 million (A$13 million) in 2017, the company said in financial filings today.

It will now get an even bigger budget for 2018; Brambles said it will invest US$7 million more than planned this coming year, bringing its total pot to US$17 million (A$21.4 million).

The company did not provide much detail on where the extra money would go, apart from into “smart asset and data analytics” works.

Recent job postings indicate a focus around “deep data science techniques”, IoT and cloud, as well as creating proof-of-concepts that enable the company to engage on innovation projects with its customers.

View the Original article

IBM data centre site may be bulldozed for apartments

Plant at Cumberland Forest (Credit: Shape Group) Plan clears local council.

An IBM data centre and office in western Sydney may have to make way for a new apartment complex and residential homes.

Mirvac – which owns the campus-style business park in West Pennant Hills that is leased to IBM – has lodged plans to convert the site into “600 dwellings”, comprising 400 units and 200 houses.

The property firm is understood to have originally sought a redevelopment of the site twice that density, but scaled back on multiple occasions after being refused permission by The Hills Shire Council.

Mirvac’s latest attempt, however, was ticked off by the council on July 25. The proposal has now been turned over to NSW government planners for approval and potential public consultation later this year.

In April, Mirvac Capital called the campus in its current form “not viable”.

“The buildings are redundant,” spokesperson Adrian Checchin told a local paper. “Jobs have been lost and they will not be replaced.”

A video shows the space was being shopped to prospective commercial real estate tenants around the same time.

The progression of the proposal to convert the space into residential housing, however, means IBM’s future at the site is now firmly in doubt – though the plan still needs to pass several hurdles before the vendor’s time is definitively up.

The Register reports that IBM’s Cumberland Forest data centre on the site is likely to be closed once the vendor’s lease expires in 2019, and that customers are being migrated out.

iTnews has sought verification with IBM.

The data centre is housed in several of the buildings onsite: the “main reception and data centre is housed in building A which comprises four levels, while satellite buildings B – G comprise a mixture of offices and data recovery suites”, according to a vendor that upgraded air conditioning at the site in 2008.

The site underwent a two-year set of works between 2008 and 2010 characterised as an “end-of-life upgrade” for what was already a 25-year-old facility.

The project also created “new floor space for

View the Original article

Petya ransomware hits global corporate earnings

Sales fall, halts drug production.

Costly cyber attacks are having a bigger impact on corporate earnings and are becoming a fact of life for companies as Oreo cookie maker Mondelez, drug maker Merck and others said that a destructive attack in the last week of the second quarter disrupted operations.

Mondelez, the world’s second-largest confectionary company, reported a 5 percent drop in quarterly sales on Wednesday, blaming shipping and invoicing delays caused by the June 27 attack of the worm, known as Petya.

Other Petya victims include Merck, which last week warned that Petya had halted production of some drugs, saying it has yet to understand the full costs associated with the attack.

The attack also slowed deliveries at FedEx Corp, disrupted port operations of shipping company Maersk and halted production lines at British consumer goods maker Reckitt Benckiser, according to accounts by those companies.

Investors should get used to hearing about cyber attacks during earnings calls, said Ian Winer, equity co-head at Wedbush Securities.

“The trend is accelerating,” Winer said. “As hackers get more sophisticated they are taking shots at major companies.”

More hackers are becoming adept at developing or finding malware to wipe data on computers, making them inoperable.

One mysterious group known as The Shadow Brokers in April dumped a trove of powerful hacking tools on the Internet, which security experts said were developed by the US National Security Agency.

Code the group released was used for spreading Petya and in the WannaCry attack in May on hospitals, businesses and governments worldwide.

Jake Dollarhide, head of Longbow Asset Management, which manages US$85 million in assets, said he expects cyber attacks to be as common as reports that a storm or oil prices hurt results.

“As stock market investors we have to accept this brand new reality in this new digital age,” Dollarhide said.

Petya is a destructive self-propagating “worm” capable of spreading quickly across computer networks, crippling computers by encrypting hard drives so that machines cannot run.

It has taken victims weeks to get factories and other critical systems back online because businesses must individually replace damaged hard drives.

Most businesses are inadequately protected from cyber attacks, said Tom Kellermann, chief executive of investment firm Strategic Cyber Ventures.

“The day of reckoning has come for shareholders,” Kellermann said.

View the Original article

Symantec sells TLS cert business to DigiCert

Billion-dollar deal.

Symantec has sold its troubled digital credentials business to private equity-backed firm DigiCert for US$950 million (A$1.2 billion) in cash.

The deal means Symantec website security and private key infrastructure subsidiaries such as Thawte, RapidSSL, Verisign and Geotrust – which have around 14 percent of the transport layer certificate issuance market – will be merged with DigiCert, a relative minnow with just 2.2 percent market share.

Symantec will hold a 30 percent stake in the merged business. The deal has been unanimously approved by the security vendor’s board, and is expected to be complete early next year.

DigiCert has been backed by private equity fim Thomas Bravo since 2015. The US-based company will grow its staff to 1000 with the acquisition of Symantec’s TLS business.

Symantec has been involved in a long-running feud with Google and other providers over its sloppy TLS certificate issuance practices.

The security vendor was accused of issuing thousands of fake certificates which could have been used to impersonate high-profile websites such as Google properties.

It resulted in Symantec-issued certificates being distrusted in Google’s Chrome, the world’s most popular web browser, from next year.

Symantec chief executive Greg Clark made no reference to the spat with Google, but said the sale of the TLS business would sharpen the security vendor’s focus on the enterprise and cloud.

“We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation,” he said in a statement.

“I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions. Symantec is deeply committed to the success of this transition for our customers.”

View the Original article