More stories

  •

    Ransomware: These warning signs could mean you are already under attack

    There are as many as 100 claims to insurers over ransomware attacks every day, according to one estimate. And as the average ransomware attack can take anywhere from 60 to 120 days to move from the initial security breach to the delivery of the actual ransomware, that means hundreds of companies could have hackers hiding in their networks at any time, getting ready to trigger their network-encrypting malware.
    So what are the early indicators for companies trying to spot a ransomware attack before it causes too much damage? And what should they do if they discover an attack in progress?


    Encryption of files by ransomware is the last thing that happens; before that, the crooks will spend weeks, or longer, investigating the network to discover weaknesses. One of the most common routes for ransomware gangs to make their way into corporate networks is via Remote Desktop Protocol (RDP) links left open to the internet.
    “Look at your environment and understand what your RDP exposure is, and make sure you have two-factor authentication on those links or have them behind a VPN,” said Jared Phipps, VP at security company SentinelOne.
    Coronavirus lockdown means that more staff are working from home, and so more companies have opened up RDP links to make remote access easier. This is giving ransomware gangs an opening, Phipps said, so scanning your internet-facing systems for open RDP ports is a first step.
    Another warning sign could be unexpected software tools appearing on the network. Attackers may start with control of just one PC on a network – perhaps via a phishing email (indeed, a spate of phishing emails could be an indicator of an attack, and if staff are trained to spot them this could provide an early warning). With this toehold in the network, hackers will explore from there to see what else they can find to attack.
    That means using network scanners, such as AngryIP or Advanced Port Scanner. If these are detected on the network, it’s time to check in with your security team. If no one internally admits to using the scanner, it is time to investigate, according to tech security company Sophos, which has outlined some of the signs that a ransomware attack could be underway in a recent blog post. 
    Another red flag is any detection of Mimikatz, which is one of the tools most regularly used by hackers, along with Microsoft Process Explorer, in their attempts to steal passwords and login details, Sophos said.
    Once they’ve gained access to the network, ransomware gangs will often next try to increase their reach by creating administrator accounts for themselves, for example in Active Directory, and use that extra power to start disabling security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter, said Sophos. “These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared,” the security firm said.
    To stop this happening, companies need to look for accounts that are created outside of their ticketing system or account management system, said SentinelOne’s Phipps. Once the attackers have gained administrator powers, they then attempt to spread further across the network, using PowerShell.
    The whole project can take weeks, and maybe even months, for the ransomware gangs to execute. That’s partly because the slower they move through the computer network, the harder they are to spot. And many security tools only record traffic on the network for a certain amount of time, which means if the hackers hold on for a while it becomes much harder for security teams to work out how they got into the system in the first place.
    “It’s like a flight data recorder: if you wait long enough, it records over the attack and there’s no evidence they’ve figured that out,” said Phipps. “It makes it harder for people to figure out and do the investigation because all the security tools they have show no data on entry.”
    There are also some clear signs that a ransomware attack is getting close to completion. The attackers will attempt to disable Active Directory and domain controllers, and corrupt any backups they can find, as well as disabling any software deployment systems that could be used to push patches or updates. “And then they’ll hit you with the attack,” said Phipps.
    Sophos also noted that at this point the gang may attempt to encrypt a few devices just to see if their plan is going to work: “This will show their hand, and attackers will know their time is now limited.”
    So how to stop the attackers once they are in? According to Phipps, the most important thing is to get control of the RDP sessions, because that stops the attackers coming in and cuts off their command-and-control access. Other steps, like forcing a password change across core systems, can be useful – but if the hackers are able to use RDP to get back into the network, steps like that will be undermined. It’s also important to monitor for unexpected admin accounts appearing, and firms should consider monitoring or limiting PowerShell usage. 
    How can you make your organisation a harder, and therefore less attractive, target for ransomware gangs to consider? Keeping software patched and up to date is key here; many ransomware attacks rely on software flaws to work, but most of these flaws have long been fixed by software companies – you just have to apply the patch. For ransomware attacks that come via email, training staff not to click on random links, and combining strong passwords with two-factor authentication across as many systems as possible, will also help to deter or slow down attackers.
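    The account check Phipps describes is one a security team can automate: reconcile privileged account events from the domain controllers against the change tickets that should justify them. The Python below is an added example and is not code from the story, from SentinelOne or from Sophos. The Windows event IDs it uses (4720 for a user account created, 4732 for a member added to a security-enabled local group) are real; the ticket structure, the 24-hour validity window, and the sample events and tickets are constructed.

```python
"""Flag administrator accounts created or elevated without an approved change ticket.

Added example, not code from the ZDNet story or from SentinelOne/Sophos. It checks
constructed Windows Security audit events against a constructed list of approved
tickets from a change-management system: an account creation (event 4720) or a
privileged group addition (event 4732) that no ticket covers is the out-of-band
admin activity the story warns about. Event IDs are real Windows audit IDs; the
ticket shape and the 24-hour validity window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


@dataclass
class AuditEvent:
    when: datetime
    event_id: int      # 4720 = user account created, 4732 = member added to local group
    account: str       # account that was created or added
    actor: str         # account that performed the change
    group: str = ""    # target group, only meaningful for 4732


@dataclass
class ChangeTicket:
    ticket_id: str
    account: str
    approved_at: datetime
    valid_for: timedelta = timedelta(hours=24)   # assumption: a ticket covers one day of work

    def covers(self, event: AuditEvent) -> bool:
        same_account = self.account.lower() == event.account.lower()
        in_window = self.approved_at <= event.when <= self.approved_at + self.valid_for
        return same_account and in_window


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: one legitimate onboarding, one service account created
# at night and immediately made a domain admin, and one change made on a stale ticket.
TICKETS = [
    ChangeTicket("CHG-1001", "jsmith", T("2020-08-10T08:30:00")),
    ChangeTicket("CHG-0950", "mlee", T("2020-08-06T10:00:00")),
]
EVENTS = [
    AuditEvent(T("2020-08-10T09:05:00"), 4720, "jsmith", "helpdesk01"),
    AuditEvent(T("2020-08-10T09:06:00"), 4732, "jsmith", "helpdesk01", "Remote Desktop Users"),
    AuditEvent(T("2020-08-11T02:13:00"), 4720, "svc_backup2", "jdoe"),
    AuditEvent(T("2020-08-11T02:14:00"), 4732, "svc_backup2", "jdoe", "Domain Admins"),
    AuditEvent(T("2020-08-11T14:00:00"), 4732, "mlee", "helpdesk01", "Administrators"),
]


def unticketed_admin_changes(events, tickets):
    """Return (account, event_id, actor) for every privileged change no ticket covers."""
    findings = []
    for ev in events:
        if ev.event_id not in (4720, 4732):
            continue
        if ev.event_id == 4732 and ev.group not in PRIVILEGED_GROUPS:
            continue                      # non-privileged group: out of scope here
        if not any(t.covers(ev) for t in tickets):
            findings.append((ev.account, ev.event_id, ev.actor))
    return findings


if __name__ == "__main__":
    for account, event_id, actor in unticketed_admin_changes(EVENTS, TICKETS):
        print(f"event {event_id}: {account!r} changed by {actor!r} with no approved ticket")
```

    In practice the events would come from the domain controllers' Security logs and the tickets from whatever system approves account changes; the point is that each privileged change must map to an approval, and anything left over is reviewed.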

  •

    Security researcher publishes details and exploit code for a vBulletin zero-day

    A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin, one of today’s most popular forum software packages.
    The zero-day is a bypass of the patch for a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019.
    The previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).
    CVE-2019-16759 was disclosed on September 24, 2019, and a patch was provided the next day, on September 25.
    New zero-day bypasses CVE-2019-16759 patch
    However, in a blog post published late Sunday night, Austin-based security researcher Amir Etemadieh said the CVE-2019-16759 patch “was inadequate in blocking exploitation.”
    The researcher said he found a simple way to bypass the patch and continue to exploit the same CVE-2019-16759 vulnerability, and published three proof-of-concepts in Bash, Python, and Ruby, to prove his point.
    Neither the researcher nor MH Sub I, LLC, the company that commercializes the vBulletin forum software, have returned requests for comment seeking to find out if Etemadieh notified the vBulletin team before publishing details about the zero-day online. At the time of writing, there is no patch available.
    Forums are a common target for hackers
    Either way, the new zero-day code is live and has been broadly shared on social media sites like Reddit and Twitter, and inside hacking communities hosted on private forums and Discord channels.

    0day RCE exploit on vBulletin 5xx
    dork ; intext:”Powered by vBulletin”
    POC
    curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d ‘subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec(“id”); exit;’
    #bugbounty #bugbountytips pic.twitter.com/DfqLivsskG
    — h4x0r-dz (@h4x0r_dz) August 10, 2020

    The publication of the September 2019 zero-day triggered a massive wave of vBulletin hacks last year, resulting in many companies disclosing security breaches over the following months.
    Forums, in general, are some of the most sought-after web technologies to hack. The reason hackers put a premium on forums has to do with their purpose and the data they can steal.
    Unlike most content management systems, such as WordPress, Drupal, or Joomla, online forums like vBulletin are built for the primary purpose of managing online communities and, as a result, hold large quantities of personal data.
    A WordPress site may be used to run a wedding planner’s or a lawyer’s office website, but even the lowliest and most unimportant forums have thousands of registered user profiles holding sensitive user details, along with user posts, personal messages, and sometimes even financial information, if the forums have pay-to-access features.
    However, even though Etemadieh didn’t make it clear whether he notified the vBulletin team about his plans to reveal a zero-day, the researcher says forum owners can prevent exploitation by making the following modifications to their discussion board settings.
    Go to the vBulletin administrator control panel.
    Click “Settings” in the menu on the left, then “Options” in the dropdown.
    Choose “General Settings” and then click “Edit Settings”.
    Look for “Disable PHP, Static HTML, and Ad Module rendering” and set it to “Yes”.
    Click “Save”.
    At the time of writing, at least one forum was confirmed to have been hacked using this new zero-day: the forum of the DEF CON security conference, which concluded over the weekend.

  •

    1Password is coming to Linux

    Maybe you can remember dozens of complex passwords; I can’t. That’s why password managers, such as 1Password, Keeper, and LastPass, are so important. Now, AgileBits, 1Password’s parent company, has finally listened to its customers who have been asking for a Linux version for a decade. At long last, the company announced, “1Password is coming to Linux.”

    Don’t get your credit cards out yet though. True, the first development preview version of 1Password is out now. But it’s not ready for prime-time yet. It’s not a finished product. “For example, the app is currently read-only: there is no item editing, creation of vaults, or item organization.”
    So, if you want to test it, go for it. But it’s in no way, shape, or form ready for a production system or even your home setup. The company suggests that, for now, its Linux customers use 1Password X in their browsers.
    So, why not just use 1Password X? Because 1Password will handle far more than just web passwords. You will also be able to use it with FTP, SSH, and SMB network passwords. 
    On the backend, 1Password runs on Rust, a secure systems programming language that has made a lot of waves in the Linux community. For end-to-end encryption, it uses the open-source ring crypto library, whose code springs from BoringSSL, a fork of OpenSSL. The application interface is being written with the React JavaScript library.
    If you work on an open-source team which needs a password manager, the company will give you, and everyone on your team, a free account. To get it, simply open a pull request against its 1Password for Open Source Projects repo.
    The program, when completed, will come with the following features:

    Simple and secure installs using apt and dnf package managers 

    Automatic Dark Mode selection based on your GTK theme 

    Tiling window manager support and descriptive window titles 

    Unlock with your Linux user account, including biometrics 

    System tray icon for staying unlocked while closed 

    X11 clipboard integration and clearing

    Keyboard shortcuts 

    Data export 

    Unlock multiple accounts with different passwords 

    Create collections to organize data across accounts and vaults 

    All versions of 1Password work with your data files synced on 1Password’s servers. The company claims it doesn’t track users. But you can also save your passwords locally and sync your data file on a server on your own local area network or a Dropbox or iCloud account.
    Want to check it out? Read the guide Get to know 1Password for Linux to get started. There are signed apt and rpm package repositories for Debian, Ubuntu, CentOS, Fedora, and Red Hat Enterprise Linux (RHEL). There’s also an AppImage available for other distributions. 1Password intends to support all major desktop Linux distros. 
    After an initial 30-day free trial, a 1Password personal subscription costs $36 per year and comes with 1GB of personal storage. A five-user family subscription costs $60 annually. 1Password Business accounts add advanced access control, with activity logs and centrally managed security policies. These cost $96 per user per year, and include 5GB of document storage and a free linked family account for each user.

  •

    A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks

    Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser.
    The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet.
    According to a report published on Sunday by an independent security researcher and Tor server operator known as Nusenu, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network.
    SSL stripping attacks on Bitcoin users
    “The full extend[sic] of their operations is unknown, but one motivation appears to be plain and simple: profit,” Nusenu wrote over the weekend.
    The researcher says the group is performing “person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays,” and that they are specifically targeting users accessing cryptocurrency-related websites using the Tor software or Tor Browser.
    The goal of the person-in-the-middle attack is to execute “SSL stripping” attacks by downgrading the user’s web traffic from HTTPS URLs to less secure HTTP alternatives.
    Based on their investigation, Nusenu said the primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services.
    Bitcoin mixers are websites that allow users to send Bitcoin from one address to another by breaking the funds in small sums and transferring them through thousands of intermediary addresses before re-joining the funds at the destination address. By replacing the destination address at the HTTP traffic level, the attackers effectively hijacked the user’s funds without the users or the Bitcoin mixer’s knowledge.
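    The two symptoms the story describes, a scheme downgrade and a rewritten Bitcoin address, can both be checked for on the defender's side: compare where a client ended up with what it asked for, and compare a page obtained over a trusted path with the same page as seen through an exit relay. The Python below is an added example, not code from the story or from Nusenu's report, and the comparison approach is mine rather than Nusenu's. `stripping_indicators` reports an https-to-http downgrade and a missing HSTS header (HTTP Strict Transport Security, the real browser mechanism that refuses such downgrades for sites already visited securely); `rewritten_addresses` diffs the Bitcoin addresses found in two copies of a page. The URLs, headers, page bodies and addresses are constructed.

```python
"""Spot SSL-stripping symptoms: a scheme downgrade and rewritten Bitcoin addresses.

Added example, not code from the story or from Nusenu's report. The idea is a
defender-side comparison: what the client requested versus where it ended up, and
a page obtained over a trusted path versus the same page as seen through an exit
relay. All URLs, headers, page bodies and addresses below are constructed.
"""
import re
from urllib.parse import urlsplit

# Approximate Bitcoin address syntax: legacy base58 (starts with 1 or 3) and
# bech32 (starts with bc1, data part from the bech32 alphabet). Good enough for
# spotting substitutions; it does not validate checksums.
BTC_RE = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}"
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def stripping_indicators(requested_url: str, final_url: str, headers: dict) -> list:
    """Return human-readable reasons the exchange looks downgraded or unprotected."""
    reasons = []
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    if req.scheme == "https" and fin.scheme == "http":
        reasons.append("downgraded: an https request ended on an http URL")
    if fin.scheme == "http":
        reasons.append("plaintext: page delivered over http, so any relay can rewrite it")
    lowered = {k.lower(): v for k, v in headers.items()}
    if fin.scheme == "https" and "strict-transport-security" not in lowered:
        reasons.append("no HSTS: the browser will not refuse a later http downgrade")
    return reasons


def rewritten_addresses(reference_html: str, observed_html: str) -> dict:
    """Compare the Bitcoin addresses in a trusted copy of a page with an observed copy."""
    ref = set(BTC_RE.findall(reference_html))
    obs = set(BTC_RE.findall(observed_html))
    return {"missing": ref - obs, "injected": obs - ref}


# Constructed pages: the trusted copy and the copy seen through a hostile relay,
# where the mixer's destination address has been swapped for the attacker's.
REFERENCE_PAGE = """<p>Send your coins to <code>1MixerDestinationAddrDemoQ7xyz</code></p>
<p>Support: bc1qexampledatapartunchangedzzzz</p>"""
OBSERVED_PAGE = """<p>Send your coins to <code>1AttackerSwappedAddrDemoK3mnp</code></p>
<p>Support: bc1qexampledatapartunchangedzzzz</p>"""


if __name__ == "__main__":
    print(stripping_indicators("https://mixer.example/pay", "http://mixer.example/pay", {}))
    print(rewritten_addresses(REFERENCE_PAGE, OBSERVED_PAGE))
```

    A relay operator or site owner can run the address diff continuously against several exits; a user-side lesson is the same one the story implies, that a payment page arriving over plain http is already a warning regardless of what it displays.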
    A difficult attack to pull off
    “Bitcoin address rewriting attacks are not new, but the scale of their operations is,” the researcher said.
    Nusenu said that based on the contact email address used for the malicious servers, they tracked at least nine different malicious Tor exit relay clusters, added across the past seven months.

    The researcher said the malicious network peaked at 380 servers on May 22, when 23.95% of all Tor exit relays were controlled by the group, giving Tor users a one-in-four chance of landing on a malicious exit relay.
    Nusenu said he’s been reporting the malicious exit relays to Tor admins since May, and after the latest takedown on June 21, the threat actor’s capabilities have been severely reduced.

    Nonetheless, Nusenu also added that since the last takedown “there are multiple indicators that suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020–08–08).”
    The researcher suggested that the threat actor is likely to continue their attack as the Tor Project does not have a thorough vetting process in place for entities who can join its network. While anonymity is a core feature of the Tor network, the researcher argues that better vetting can be put in place for at least exit relay operators.
    A similar attack took place in 2018
    A somewhat similar attack took place in 2018; however, it did not target Tor exit relays, but Tor-to-web (Tor2Web) proxies — web portals on the public internet that allow users to access .onion addresses usually accessible only via the Tor Browser.
    At the time, US security firm Proofpoint reported that at least one Tor-to-web proxy operator was silently replacing Bitcoin addresses for users accessing ransomware payment portals intending to pay ransom demands — effectively hijacking the payment and leaving the victims without a decryption key, even if they paid the ransom.

  •

    Have I Been Pwned to release code base to the open source community

    Data breach and record exposure search engine Have I Been Pwned is going open source. 

    Developed and maintained by security expert Troy Hunt, the search engine has become increasingly popular over time as the volume of reported data breaches ramped up, prompted by legislation and demands for transparency by companies suffering such a security incident. 
    When data breaches occur, financial records, sensitive corporate information, as well as personally identifiable information (PII) belonging to customers and clients, may be compromised or stolen. Data sets often appear for sale on the Dark Web for the purposes of card cloning or identity theft.
    Members of the general public can submit their email addresses to the Have I Been Pwned search engine to find out if they have been “pwned”: if an address has been linked to a data breach, each breach is listed with a summary of what happened, as well as what information was exposed.
    Since its launch in 2013, Hunt has poured ever more resources, including time and energy, into managing the search engine, expanding the service to include domain monitoring and breach alerts.
    At heart, a single operator isn’t enough to ensure future scalability or sustainability, and with this in mind, Hunt previously attempted to find a buyer to help expand his life’s work.
    Unfortunately, the merger and/or acquisition process failed, and so Hunt has decided to pursue another alternative — opening up the Have I Been Pwned code base to the open source community. 
    In a blog post on Friday, Hunt said that Have I Been Pwned has always been a community project, with every dataset contributed by others; Cloudflare providing free hosting for many of the search engine’s services, and code used by Have I Been Pwned drawing upon community contributions. 
    “The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn’t changed; the project cannot be solely dependent on me,” Hunt says. “Yet that’s where we are today and if I disappear, HIBP quickly withers and dies.”
    By going open source, Hunt says this will take the “nuts and bolts” of the service and “put them in the hands of people who can help sustain the service regardless of what happens to me.”
    Have I Been Pwned was developed to improve the security landscape and give individuals impacted by a data breach the knowledge required to potentially improve their own security posture — such as by changing passwords linked to compromised accounts and to hammer the lesson home that passwords should not be re-used across different services. 
    With this in mind, going open source would also contribute to this concept by opening up code to other eyes — increasing trust through transparency, and also potentially improving the platform’s own security via the discovery of vulnerabilities. 
    “All that backlog, all those bugs, all the great new ideas people have but I simply can’t implement myself can, if the community is willing, finally be contributed back into the project,” the security expert added. 
    Have I Been Pwned can’t simply be dumped on GitHub in its current state. Hunt is working with talent across open source and cloud systems to open up the code base incrementally, and so there is no fixed timeline for the platform to go fully from closed to open. 
    When it comes to the data, even possessing it is a gray area, albeit one with value as a necessary element of the Have I Been Pwned platform. Hunt says that as the open source quest begins, it will be a challenge to make sure stringent privacy controls are in place, a doable but “non-trivial” task. 
    “I’ve used the word “community” a lot […] and I can’t understate the importance of the role other people have played in the project’s success,” Hunt says. “I know this […] will be met with much enthusiasm because that’s what many of you have been telling me to do for a long time. I’ve listened, now it’s time to make it a reality.”


  •

    ACCC says bank screen scraping warnings are not anti-competitive

    The Australian Competition and Consumer Commission (ACCC) has said warnings to consumers from banks over the use of screen scraping are not designed to lower competition in the local market, and are general security warnings.
    Responding to the Questions on Notice from the Select Committee on Financial Technology and Regulatory Technology, the consumer watchdog said it had received complaints from two financial institutions on March 2 that framed the warnings as anti-competitive.
    “The complaints express concern that by warning customers of these dangers, the major banks may have discouraged customers from engaging with third party neobanks or other financial service providers,” the ACCC said.
    “The ACCC considered the detail of the complaints and the terms of the warnings by the major banks and decided not to commence an investigation. The alleged conduct involves general statements or warnings regarding potential security or safety risks associated with screen scraping and sharing passwords, and does not appear to have the purpose or effect of substantially lessening competition.”
    The commission added it currently has six investigations looking into anti-competitive conduct in the finance sector, as well as working on a market study, and introducing the Consumer Data Right.
    “All of this work is intended to enhance competition in the sector for the benefit of consumers including supporting and improving the capacity of new entrants and smaller businesses to compete in the financial services sector,” the ACCC said.
    The committee heard split opinions in January on whether a prohibition on screen scraping — where customers hand over login information to a third-party to allow them to capture data directly from a web page — is needed.
    “Screen scraping is bad technology. It’s just aided bad technology. It’s a way around barriers that exist, but it’s not actually trying to solve the underlying problem, which is helping people communicate and do what they want with their finances, pay the way they want,” head of corporate development at Melbourne-based fintech startup Airwallex Dave Stein said at the time.
    “We don’t do that, we don’t use that, but for us, it’s a technology decision. We just don’t want to invest in a dated technology.”
    Raiz Invest general counsel Astrid Raetze argued that screen scraping will always have two camps.
    “There’s the banks and their views, and then there are fintechs who are not bank affiliated. Largely, the argument centres around the banks saying, ‘it’s bad, it’s wrong you have to shut it down’, and then there’s the fintechs who say, ‘we need it’,” she said.
    “If you switch on open banking and turn off screen scraping … what you will do is hamstring the fintech industry.”
    In March, the Committee shifted focus to the aftermath of the coronavirus pandemic.
    Responding last month, the Australian Medical Association said e-prescriptions and telehealth should become lasting features of Australia’s health system, even once COVID-19 restrictions are eased.
    “While the benefits of telehealth extend beyond mere cost savings, the permanent adoption of telehealth will reduce costs across the health system while improving patient outcomes,” the AMA said.
    “Telehealth can also reduce the cost of providing health care when considering the costs associated with health professionals needing to travel for home visits, and the cost to the government for rural aeromedical evacuation and health care in institutions like correctional facilities.”

  •

    FBI says an Iranian hacking group is attacking F5 networking devices


    A group of elite hackers associated with the Iranian government has been detected attacking the US private and government sector, according to a security alert sent by the FBI last week.
    While the alert, called a Private Industry Notification, didn’t identify the hackers by name, sources have told ZDNet that the group is tracked by the larger cyber-security community under codenames such as Fox Kitten or Parasite.
    Iran’s cyber operations “spear tip”
    A former government cyber-security analyst, now working for a private security firm, called the group Iran’s “spear tip” when it comes to cyber-attacks.
    He described the group’s primary task as providing an “initial beachhead” for other Iranian hacking groups — such as APT33 (Shamoon), Oilrig (APT34), or Chafer.
    To reach its goals, Fox Kitten primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices. Due to the nature of the devices they attack, targets primarily include large private corporations and government networks.
    Once the hackers gain access to a device, they install a web shell or backdoor, transforming the equipment into a gateway into the hacked network.
    According to reports published by cyber-security firms ClearSky and Dragos earlier this year, Fox Kitten has been using this modus operandi since the summer of 2019, when it began heavily targeting vulnerabilities such as:
    Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
    Fortinet VPN servers running FortiOS (CVE-2018-13379)
    Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
    Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
    FBI warns of new attacks targeting F5 BIG-IP devices
    The FBI notification sent out to the US private sector last week says the group still targets these vulnerabilities, but Fox Kitten also upgraded its attack arsenal to include an exploit for CVE-2020-5902, a vulnerability disclosed in early July that impacts BIG-IP, a very popular multi-purpose networking device manufactured by F5 Networks.
    The FBI doesn’t call the group by its public names, but makes references to their past attacks against Pulse Secure VPNs and Citrix gateways, and also warns companies that once the hackers gain access to their networks, they are very likely to provide access to other Iranian groups, or monetize networks that aren’t useful for espionage by deploying ransomware.
    FBI officials also warn that this group isn’t targeting any particular sector, and any company running a BIG-IP device is likely to be targeted.
    While the FBI asked US companies to patch their on-premise BIG-IP devices to prevent successful intrusions, FBI officials also shared details about a typical Fox Kitten attack, so companies can deploy countermeasures and detection rules:
    “Following successful compromise of the VPN server, the actors obtain legitimate credentials and establish persistence on the server through webshells. The actors conduct internal reconnaissance post-exploitation using tools such as NMAP and Angry IP scanner. The actors deploy Mimikatz to capture credentials while on the network, and Juicy Potato for privilege escalation. The actors create new users while on the network; the FBI observed one account known to be created by the actors is “Sqladmin$”.
    The actors use several applications for command and control (C2) while exploiting victim networks, including Chisel (C2 tunnel), ngrok, Plink, and SSHNET (reverse SSH shell). When tracking suspected C2 activity, the FBI advises that C2 activity with ngrok may be with external infrastructure associated with ngrok.”
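    The FBI's description is concrete enough to turn into host-level detection content. The Python below is an added example, not code from the FBI notification or from ZDNet: it runs a few rules derived from the quoted text (the named tools and the “Sqladmin$” account) over constructed telemetry in a simplified process/account/network event shape. Three things in it are my assumptions rather than the alert's: the “.ngrok.io” domain as ngrok's public tunnel endpoint, “ipscan” as the Angry IP Scanner binary name, and the generalised rule that a user account whose name ends in “$” (the suffix normally reserved for computer accounts) deserves a look. Matching on tool names in image paths and command lines is a baseline that a renamed binary evades, which is why the account and network rules sit alongside it.

```python
"""Run Fox Kitten indicator rules, taken from the FBI text quoted in the story,
over constructed host telemetry.

Added example, not code from the FBI notification or from ZDNet. Events are
dicts in a simplified process / account_created / network shape. Assumptions:
the ".ngrok.io" domain for ngrok tunnel endpoints, "ipscan" as the Angry IP
Scanner binary name, and the rule that a user account ending in "$" (which
normally marks a computer account) is worth a finding.
"""
from dataclasses import dataclass

# Substrings matched case-insensitively against image path plus command line.
TOOL_RULES = {
    "internal_recon":   ("nmap", "angry ip", "ipscan"),
    "credential_theft": ("mimikatz",),
    "priv_escalation":  ("juicypotato", "juicy potato"),
    "c2_tunnel":        ("chisel", "ngrok", "plink", "sshnet"),
}
FBI_REPORTED_ACCOUNT = "sqladmin$"
NGROK_DOMAINS = (".ngrok.io",)          # assumption, see module docstring


@dataclass
class Finding:
    index: int      # position of the event in the input list
    rule: str
    detail: str


def evaluate(events):
    """Return one Finding per (event, rule) match, in input order."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}".lower()
            for rule, needles in TOOL_RULES.items():
                if any(n in haystack for n in needles):
                    findings.append(Finding(i, rule, ev.get("image", "")))
        elif kind == "account_created":
            name = ev.get("account", "")
            if name.lower() == FBI_REPORTED_ACCOUNT:
                findings.append(Finding(i, "fbi_reported_account", name))
            elif name.endswith("$") and not ev.get("is_computer", False):
                findings.append(Finding(i, "user_named_like_computer_account", name))
        elif kind == "network":
            host = ev.get("dest_host", "").lower()
            if host.endswith(NGROK_DOMAINS):
                findings.append(Finding(i, "ngrok_infrastructure", host))
    return findings


# Constructed telemetry: benign noise plus the steps the notification lists.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\Public\nmap.exe", "cmdline": "nmap.exe -sn 10.20.0.0/24"},
    {"type": "account_created", "account": "Sqladmin$", "is_computer": False},
    {"type": "account_created", "account": "jdoe", "is_computer": False},
    {"type": "account_created", "account": "WS-0042$", "is_computer": True},   # a real machine join, ignored
    {"type": "process", "image": r"C:\ProgramData\update\chisel.exe", "cmdline": "chisel.exe client REDACTED"},
    {"type": "network", "dest_host": "example-tunnel.ngrok.io"},
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} ({f.detail})")
```

    Fed from Sysmon or EDR process events, the 4720 account-creation audit event and proxy or DNS logs, the same rules express what the alert asks defenders to look for; the account rule in particular survives the attacker renaming every tool.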
    Two confirmed victims
    But while the FBI alert doesn’t say it, sources have told ZDNet that Fox Kitten attacks against BIG-IP devices have been successful.
    A security researcher working for a US cyber-security firm told ZDNet that the FBI sent out the PIN alert last week after agents were called to investigate two successful intrusions where Fox Kitten hackers managed to breach US companies.
    Due to non-disclosure agreements, the source could not identify the two companies, nor could they confirm these are the same “two compromises” mentioned in a similar alert sent out by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) on July 24.
    Either way, Iran’s state-sponsored hacking groups aren’t the only threat actors that have targeted the BIG-IP vulnerability.
    Multiple hacker groups began exploiting this bug within two days after details and proof-of-concept exploits became public, and in recent weeks, an exploit for the BIG-IP bug has even been spotted as part of a Mirai-based DDoS botnet.

  •

    IGIS still calling for more staff to provide oversight of ASIO's encryption-busting powers

    Australia’s Inspector-General of Intelligence and Security (IGIS), currently Margaret Stone, has told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that additional resources are still required to conduct its current remit.

    The IGIS was stood up to ensure the legality and propriety of the Australian intelligence community’s actions.
    The office holder is charged with reviewing the activities of six Commonwealth intelligence agencies: the Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service, Australian Signals Directorate, Australian Geospatial-Intelligence Organisation, the Defence Intelligence Organisation, and the Office of National Intelligence.
    Under its remit is oversight of how ASIO uses its powers under the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
    Stone, providing testimony to the committee for the last time before her retirement, said an additional five personnel are currently required to handle the workload that has arisen out of the TOLA Act.
    She provided similar calls last year in a submission to the PJCIS.
    Stone said currently, IGIS’ TOLA responsibilities are taking up a lot of the organisation’s time.
    “As the committee knows even better than we do, the time involved in dealing with those is very significant and that suggestion as to what’s required is our best estimate, it’s a little bit better than a guess, but it’s an estimate, of what we would require,” she said.
    With IGIS oversight to potentially be expanded to four more agencies that are considered as part of the intelligence community — the Australian Transaction Reports and Analysis Centre, the Australian Federal Police, the Department of Home Affairs, and the Australian Criminal Intelligence Commission — its workload would also significantly increase.
    “If our jurisdiction was extended to those four agencies, then I think we would need this extra assistance, in addition to what we have for those four agencies,” Stone said. “We’re able to manage at the moment because there has been no final division on that jurisdiction.”
    Currently, Stone said IGIS is meeting its needs temporarily by using existing resources. She agreed with Labor MP Kristina Keneally’s summary that setting aside whether or not IGIS does receive additional jurisdiction, the office cannot sustain the demand of its current legislative oversight roles.
    “I think that’s right, because I think one needs to remember that the additional legislation with which we’re all aware, not only expands the scope of what we do, but in order to oversee activities carried out under that legislation, it requires additional depth of investigation and it will also depend on usage by the agencies,” Stone said.
    “So there are some unknowns and some knowns.
    “With the increasing technical requirements for oversight, we will, for instance, need more technically competent or expert staff, we’ve got technically competent staff, but we will need more expertise than we presently have.”
    Stone was appointed as IGIS on 24 August 2015 and her replacement is yet to be announced.