More stories

  • Livecoin slams its doors shut after failing to recover from hack, financial loss

    Livecoin has announced its closure following a cyberattack that allegedly compromised the firm’s infrastructure and exchange rate setup. 

    As previously reported by ZDNet, the Russian cryptocurrency exchange claimed it had been hacked around Christmas, with the alleged attackers seizing control of Livecoin systems in order to tamper with exchange rate values. 
    Bitcoin (BTC) was repriced from roughly $23,000 at the time to over $450,000, and Ethereum from $600 to $15,000. Smaller cryptocurrency rates were also altered. 
    As Livecoin asked users to stop all activity, the threat actors began cashing out, reaping profit in the process. 
    Livecoin claimed to have lost control of its “servers, backend, and nodes,” and was unable to stop the attack from occurring. The cryptocurrency exchange said law enforcement had been notified of the security incident. 
    Less than a month after the alleged cyberattack, Livecoin is closing its doors permanently, citing damage in “technical and financial way[s]” as the reason for the decision. 
    In an announcement posted to livecoin.news, the organization said there is “no way” to continue operations and any “remaining funds” will be paid to customers. 

    Fund recovery plans or amounts are not yet public, beyond claimants being required to email the cryptocurrency exchange directly with their usernames and registration dates. Livecoin says that claims can be filed until March 17, 2021. 
    As noted by Coin Telegraph, one apparent user of the service has posted what is claimed to be an extensive list of documentation and personal information to verify claimant identities, including passport/ID scans, selfies, places of residence, primary device data for logging in to Livecoin, and video footage. On Twitter, the request for this vast array of personal data has prompted speculation around its legitimacy.
    “We apologize for an existing situation and ask you to keep calm, including your conversation with support officers,” Livecoin added. “Our service and team bear hard losses as well as our clients. In case of abuse and threats in conversation, the claim can be declined.”
    Livecoin’s old website domain displays a message (reproduced as an image in the original report), but no comment has been made concerning any potential ransomware attack.

    Livecoin’s Telegram chat is currently alight with speculation. Some have suggested that an exit scam is in play: a ploy in which exchange operators vanish with user funds while claiming that external attackers stole the cryptocurrency the exchange held.
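    The rate manipulation described above is exactly the kind of change a circuit breaker on the pricing path should refuse. The following is an added example, not Livecoin’s code: it accepts a new quote only when independent reference feeds agree with it and it does not jump too far from the last accepted rate, and it halts all updates after the first rejection until an operator releases it. The thresholds, asset names and feed quotes are assumptions, and the quotes are constructed rather than live market data.

```python
"""Exchange-rate circuit breaker. Added example, not Livecoin's code: the
thresholds, asset names and reference quotes below are assumptions, and the
quotes are constructed, not live market data."""
from statistics import median


class RateGuard:
    """Accept a new quoted rate only if independent reference feeds agree with
    it and it does not jump too far from the last accepted rate. The first
    rejection halts all updates until an operator calls release()."""

    def __init__(self, max_deviation=0.10, max_step=0.20, min_feeds=3):
        self.max_deviation = max_deviation  # tolerated gap from the feed median
        self.max_step = max_step            # tolerated jump from last accepted rate
        self.min_feeds = min_feeds          # refuse to price off too few feeds
        self.last_accepted = {}             # asset -> last accepted rate
        self.halted = False

    def update(self, asset, proposed, reference_quotes):
        """Return (accepted, reason). A rejection trips the halt."""
        if self.halted:
            return False, "halted: operator release required"
        ok, reason = self._check(asset, proposed, reference_quotes)
        if not ok:
            self.halted = True  # fail closed: one bad update stops the book
            return False, reason
        self.last_accepted[asset] = proposed
        return True, "ok"

    def release(self):
        """Manual step: an operator clears the halt after investigating."""
        self.halted = False

    def _check(self, asset, proposed, reference_quotes):
        if not isinstance(proposed, (int, float)) or proposed <= 0:
            return False, "rate must be a positive number"
        if len(reference_quotes) < self.min_feeds:
            return False, f"need {self.min_feeds} reference feeds, got {len(reference_quotes)}"
        ref = median(reference_quotes)  # median: one bad feed cannot drag it
        deviation = abs(proposed - ref) / ref
        if deviation > self.max_deviation:
            return False, f"{asset}: {proposed:.2f} deviates {deviation:.0%} from reference {ref:.2f}"
        last = self.last_accepted.get(asset)
        if last is not None:
            step = abs(proposed - last) / last
            if step > self.max_step:
                return False, f"{asset}: {step:.0%} jump from last accepted {last:.2f}"
        return True, "ok"


def demo():
    """Replay the rate changes described in the article against constructed
    reference quotes and return the per-update verdicts."""
    btc_refs = [23_050.0, 22_980.0, 23_120.0]   # constructed feed quotes
    eth_refs = [598.0, 602.5, 601.0]
    guard = RateGuard()
    return [
        guard.update("BTC", 23_000.0, btc_refs)[0],   # accepted
        guard.update("BTC", 450_000.0, btc_refs)[0],  # rejected, trips the halt
        guard.update("ETH", 15_000.0, eth_refs)[0],   # rejected: already halted
    ]


if __name__ == "__main__":
    print(demo())
```

    The check only helps if it runs somewhere the attacker does not already control. Livecoin said it had lost its servers, backend and nodes, and a guard hosted on the same compromised backend, or fed its reference prices through it, can simply be switched off or given the same tampered values. Keep the reference feeds, the guard and the credentials that release it separate from the trading backend.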
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Fourth malware strain discovered in SolarWinds incident

    Cyber-security firm Symantec said it identified another malware strain that was used during the SolarWinds supply chain attack, bringing the total number to four, after the likes of Sunspot, Sunburst (Solorigate), and Teardrop.


    Symantec said the malware, named Raindrop, was used only during the very last stages of an intrusion and was deployed on the networks of only a few selected targets.
    Symantec said it has encountered only four Raindrop samples across the cases it has investigated to date.
    Timeline of the SolarWinds supply chain attack
    But to understand Raindrop’s role and position in these attacks, we must first go over the timeline of the entire SolarWinds incident.
    Based on reports and information published by Microsoft, FireEye, CrowdStrike, and others, the SolarWinds intrusion is believed to have taken place in mid-2019 when hackers, believed to be linked to the Russian government, breached the internal network of SolarWinds, a Texas-based software maker.
    The intruders first deployed the Sunspot malware, which they used exclusively inside SolarWinds’ own network. CrowdStrike said the attackers used the malware to modify the build process of the SolarWinds Orion app and insert the Sunburst (Solorigate) malware into new versions of Orion, an IT monitoring and management platform.

    These trojanized Orion versions went undetected and were served from the official SolarWinds update servers between March and June 2020. Customers that applied Orion updates unwittingly installed the Sunburst malware on their systems.
    Sunburst itself was not particularly complex: it profiled the infected network, sent that data to a remote server, and could fetch and run further payloads on command.
    Although around 18,000 SolarWinds customers installed the trojanized updates, the Russian hacking group carefully selected its targets and escalated in only a handful of cases, against high-profile targets such as US government agencies, Microsoft, or security firm FireEye.
    When hackers decided to “escalate their access,” they used Sunburst to download and install the Teardrop malware [see past reports from Symantec and Check Point].
    Raindrop — Teardrop’s sibling
    But Symantec says that in some cases, the hackers chose to deploy the Raindrop malware strain instead of the more widely used Teardrop.
    Despite being different strains, Symantec said the two backdoors had similar functionality, which the company described as being “a loader for [the] Cobalt Strike Beacon,” which the intruders later used to escalate and broaden their access inside a hacked IT network.
    But while both Raindrop and Teardrop were used for the same purpose, Symantec said that some differences also exist between the two, most of them under the hood at the code level; Symantec’s report summarises them in a comparison table.

    (Comparison table: Raindrop vs. Teardrop at the code level. Image: Symantec)
    The other major difference is how the two malware strains were deployed. 
    Symantec said that the more widely used Teardrop was installed directly by the Sunburst malware, while Raindrop mysteriously appeared on systems where Sunburst was also found, with no direct evidence that Sunburst triggered its installation.
    The US security firm said it’s currently investigating how Raindrop was installed.
    The most obvious candidate comes from previous reports on the SolarWinds hacks, which mentioned that the hackers also used Sunburst to run various fileless PowerShell payloads, many of which would leave minimal forensic evidence on infected hosts. While unconfirmed, Raindrop may be the result of these operations.
    But the lesson here is that security teams investigating SolarWinds incidents inside their networks now also need to scan for the presence of another malware strain — Raindrop.
    The Symantec report released today includes indicators of compromise (IOCs) that the security firm has seen in the cases it investigated.
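    Symantec’s advice to scan for Raindrop comes down to sweeping endpoints for the published indicators. The following added example (not Symantec’s tooling) hashes files under a directory tree and reports any whose SHA-256 appears on a hash list. The digest in the demo list is a constructed placeholder, not a real Raindrop hash, so a real sweep loads the IOC file from the report instead; filtering to .dll/.exe/.sys is an assumption to keep the sweep fast, not something the report prescribes.

```python
"""Sweep a directory tree for files whose SHA-256 matches a list of IOC hashes.
Added example; not Symantec's tooling. The digest in PLACEHOLDER_IOCS is
constructed for the demo and is not a real Raindrop hash: load the hash list
from the vendor report instead. The .dll/.exe/.sys suffix filter is an
assumption to keep a sweep fast, not something the report prescribes."""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def load_iocs(text):
    """Parse a hash list: one SHA-256 hex digest per line, '#' starts a
    comment, blank lines are ignored, case is normalised to lowercase."""
    iocs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 64 or not set(line) <= HEX:
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        iocs.add(line)
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs, suffixes=(".dll", ".exe", ".sys")):
    """Return [(path, digest)] for every file under root whose hash is in iocs.
    Files that cannot be read (locked, permissions) are skipped rather than
    aborting the sweep; symlinked directories are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


# Constructed demo content: a byte string whose hash we put on the IOC list
# (in upper case, to exercise normalisation) so the sweep has something to find.
DEMO_SAMPLE = b"constructed-raindrop-stand-in"
PLACEHOLDER_IOCS = f"""
# constructed placeholder hash list, not real IOCs
{hashlib.sha256(DEMO_SAMPLE).hexdigest().upper()}
"""


def demo():
    """Build a throwaway tree with one matching, one benign and one filtered-out
    file, and return the basenames the sweep flags."""
    iocs = load_iocs(PLACEHOLDER_IOCS)
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Program Files", "Vendor")
        os.makedirs(sub)
        with open(os.path.join(sub, "sample.dll"), "wb") as fh:   # matches
            fh.write(DEMO_SAMPLE)
        with open(os.path.join(sub, "helper.dll"), "wb") as fh:   # benign
            fh.write(b"benign content")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:   # wrong suffix
            fh.write(DEMO_SAMPLE)
        return sorted(os.path.basename(p) for p, _ in sweep(root, iocs))


if __name__ == "__main__":
    print(demo())
```

    A hash match is only as good as the list: a recompiled loader will not match, so treat a clean sweep as the absence of known samples rather than proof the host is clean, and pair it with the behavioural signals the reports describe, such as Cobalt Strike beaconing and unexpected PowerShell activity.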

  • Microsoft Defender is boosting its response to malware attacks by changing a key setting

    Microsoft says it is stepping up security for users of Microsoft Defender for Endpoint by changing a key setting: the default automation level moves from semi-automatic remediation, which waits for an analyst to approve each action, to fully automatic remediation. 
    The change means that when Microsoft Defender for Endpoint raises a malware alert for a PC on the network, it will automatically start investigating everything related to that alert, examining files, processes, services, registry keys and the other places a threat could reside. 


    “The result of an automated investigation started by an alert is a list of related entities found on a device and their verdicts (malicious, suspicious, or clean),” Microsoft explains in a blog post. 
    “For any malicious entity, the investigation will create a remediation action, an action that, when approved, will remove or contain a malicious entity that was found in the investigation. These actions are defined, managed, and executed by Microsoft Defender for Endpoint without the security operations team having to remotely connect to the device.”
    The actions taken depend on the automation level configured for the device. Previously, Microsoft Defender for Endpoint customers that opted into public previews were placed on “Semi”, which required approval for any remediation. Soon, they will be moved to the “Full” configuration, under which threats on the device are remediated automatically. 
    With the setting at Semi, administrators might have more control, but as Microsoft points out, admins may lose valuable time to halt the malware from causing further damage, such as affecting other PCs. 

    Microsoft has made some improvements to the automated investigation and remediation capability since first releasing it. First, it has improved detection accuracy, so there should be fewer missed infections and fewer false positives. Second, the automated investigation capabilities themselves are better. 
    “We have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default ‘semi’ level, have remained at high risk due to lengthy pending time for approval of actions,” the blog warned.
    According to Microsoft, customers using full automation have had “40% more high-confidence malware samples removed than customers using lower levels of automation.” 
    This should leave security operations centers with more time for threats that require human intervention. The trade-off is that any remaining false positive is now acted on without an analyst in the loop, so teams should keep reviewing the remediation actions recorded in the Action center, where an action can be undone if it turns out to be wrong. 
    From February 16, 2021, Microsoft will automatically move organizations that opted into public previews of Microsoft Defender for Endpoint to the “Full - remediate threats automatically” level.

  • New FreakOut botnet targets Linux systems running unpatched software

    A newly identified botnet is targeting unpatched applications running on top of Linux systems, Check Point security researchers said in a report today.
    First seen in November 2020, the FreakOut botnet has surfaced again in a new series of attacks this month.

    Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system.
    Check Point says the FreakOut operator is mass-scanning the internet for these applications and then utilizing exploits for three vulnerabilities in order to gain control of the underlying Linux system.
    All three vulnerabilities (listed below) are fairly recent, which means there’s a high chance that FreakOut exploitation attempts are succeeding as many systems could still be lagging behind on their patches.
    CVE-2020-28188 – RCE in TerraMaster management panel (disclosed on December 24, 2020)
    CVE-2021-3007 – deserialization bug in the Zend Framework (disclosed on January 3, 2021)
    CVE-2020-7961 – deserialization bug in the Liferay Portal (disclosed on March 20, 2020)
    Once the FreakOut bot gains access to a system, its first step is to download and run a Python script that connects the infected device to a remote IRC channel, where the attacker can issue commands and orchestrate a varied list of attacks using the compromised devices.
    According to a Check Point technical report published today, the list of commands that FreakOut bots can run includes the likes of:
    Gathering info on the infected system;
    Creating and sending UDP and TCP packets;
    Executing Telnet brute-force attacks using a list of hardcoded credentials;
    Running a port scan;
    Executing an ARP poisoning attack on the device’s local network;
    Opening a reverse shell on the infected host;
    Killing local processes; and more.

    Check Point argues that these functions can be combined to perform various operations, like launching DDoS attacks, installing cryptocurrency miners, turning infected bots into a proxy network, or launching attacks on the internal network of an infected device.
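    Check Point’s description gives a defender two behaviours to look for in network logs without knowing the bot’s current hashes: an internal host, particularly a NAS or web server, opening a connection to an IRC server, and the same host spraying telnet at many targets. The following added example (not Check Point’s code) runs both checks over a constructed Zeek conn.log-style extract. The column layout, the use of the standard IRC ports 6667/6697 (the report does not say which port FreakOut’s channel uses) and the 10.0.0.0/8 internal range are assumptions.

```python
"""Flag FreakOut-style bot behaviour in a connection log. Added example, not
Check Point's code. Assumptions: a Zeek conn.log-like TSV with the columns
ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto; C2 on the standard IRC
ports (the report does not state the port used); 10.0.0.0/8 is the internal
range. The log lines are constructed for the demo."""
from collections import defaultdict
import ipaddress

IRC_PORTS = {6667, 6697}                   # assumption: standard IRC ports
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
TELNET_FANOUT_THRESHOLD = 5                # distinct telnet targets per source

# Constructed sample: 10.0.5.20 is a NAS that joins an IRC channel and then
# sprays telnet at six hosts; 10.0.7.3 is an ordinary workstation.
SAMPLE_CONN_LOG = "\n".join("\t".join(map(str, row)) for row in [
    (1610000001.0, "10.0.5.20", 51234, "203.0.113.9", 6667, "tcp"),
    (1610000002.0, "10.0.5.20", 51235, "198.51.100.1", 23, "tcp"),
    (1610000002.2, "10.0.5.20", 51236, "198.51.100.2", 23, "tcp"),
    (1610000002.4, "10.0.5.20", 51237, "198.51.100.3", 23, "tcp"),
    (1610000002.6, "10.0.5.20", 51238, "198.51.100.4", 23, "tcp"),
    (1610000002.8, "10.0.5.20", 51239, "198.51.100.5", 23, "tcp"),
    (1610000003.0, "10.0.5.20", 51240, "198.51.100.6", 23, "tcp"),
    (1610000004.0, "10.0.7.3", 49152, "93.184.216.34", 443, "tcp"),
    (1610000005.0, "10.0.7.3", 49153, "10.0.0.53", 53, "udp"),
])


def parse_conn_log(text):
    """Parse the TSV into dicts; skips blank lines and '#'-prefixed headers."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def detect(records):
    """Return findings: internal hosts connecting out to IRC ports, and
    internal hosts fanning telnet out to many distinct targets."""
    findings = []
    telnet_targets = defaultdict(set)
    for r in records:
        if not is_internal(r["src"]):
            continue
        if r["proto"] == "tcp" and r["dport"] in IRC_PORTS and not is_internal(r["dst"]):
            findings.append({"src": r["src"], "kind": "irc_c2_egress",
                             "detail": f"{r['dst']}:{r['dport']} at {r['ts']:.0f}"})
        if r["proto"] == "tcp" and r["dport"] == 23:
            telnet_targets[r["src"]].add(r["dst"])   # any target, internal or not
    for src, targets in telnet_targets.items():
        if len(targets) >= TELNET_FANOUT_THRESHOLD:
            findings.append({"src": src, "kind": "telnet_bruteforce_fanout",
                             "detail": f"{len(targets)} distinct telnet targets"})
    return findings


def run_sample():
    """Run both checks over the constructed log."""
    return detect(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['src']}\t{f['kind']}\t{f['detail']}")
```

    A bot can use any port, so the IRC check is a cheap tripwire rather than a complete detection; the telnet fan-out check is the more durable signal, because brute-forcing needs many connections whichever port the C2 channel uses.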

    However, right now, Check Point says the botnet appears to be in its infancy. Researchers said they were able to reverse engineer the malware and then access the IRC channel through which the operator controlled the entire botnet.
    Stats shown in the IRC panel suggest the botnet currently controls only around 180 infected systems, and past figures show it peaked at around 300.
    Both are low numbers for a botnet, but still enough to launch disruptive DDoS attacks.

    Furthermore, Check Point said it also found several clues in the malware’s code that allowed it to track down its creator, a person who goes by the nickname Freak online.
    Some clever sleuthing later, researchers said they were able to link this nickname to an older alias, Fl0urite, the creator of the now-defunct N3Cr0m0rPh, a similar botnet malware strain that was sold on hacking forums and targeted Windows devices.
    According to a screenshot of past N3Cr0m0rPh ads, many of the older botnet’s features are identical to the ones found in the current FreakOut malware targeting Linux systems.


  • US President Trump orders security assessment for Chinese-made drones

    US President Trump has signed an executive order demanding a security assessment of drones sourced from China and countries considered to be “foreign adversaries.”

    As reported by Reuters, just before he steps down to be replaced by President-elect Joe Biden, Trump has ordered US agencies to perform a security assessment of drones involved in federal activities. 
    Drones can be used by government agencies for a variety of purposes including mapping, disaster assistance, surveillance, infrastructure inspections, and for military functions.
    The new executive order, signed on Monday, will require agencies to perform security risk assessments on drones made in any country considered a “foreign adversary,” which could include China, Russia, Iran, and North Korea. 
    As noted by the news agency, the executive order also requires risk assessments to include any “potential steps” to mitigate risk; such as, “if warranted,” removing them entirely from federal service. 
    Last year, the US Department of the Interior (DOI) grounded its entire drone fleet — except for use in emergency situations, such as rescue missions — while a national security risk assessment took place. 
    In a similar fashion to Trump’s decree, US Secretary of the Interior David Bernhardt signed an order (.PDF) to encourage the use of locally-produced drones instead of any that are foreign-made. The reason cited in the order is that data collected and produced by the drones could be of value to “foreign entities, organizations, and governments.”

    It is estimated that roughly 800 drones belonging to the DOI are either sourced from China or contain Chinese components. 
    At the time, DJI, headquartered in Shenzhen, China, said the decision was “disappointing” as the order “treats a technology’s country of origin as a litmus test for its performance, security, and reliability.”
    Last month, DJI was added to the US Commerce Department’s “Entity List” which bans trading with companies on the grounds of national security.
    US agencies have displayed concerns over the use of drones since 2015. As drones began to carve a place into the consumer hobbyist sector, the US Department of Homeland Security (DHS) warned that adversaries could also adopt the technology to launch attacks. 
    In 2019, with drones having been adopted for widespread governmental use, DHS alerts then pivoted to worries that drones were stealing sensitive data. The agency warned that drones “contain components that can compromise your data and share your information on a server accessed beyond the company itself.”
    Not all of the administration’s drone-related orders have pointed in the same direction, though. In the same year, Trump revoked an executive order signed by Barack Obama in 2016 which required US intelligence chiefs to publish data on civilians killed by drone strikes outside of war zones. 

  • Australia's tangle of electronic surveillance laws needs unravelling

    The legislative framework that governs Australia’s intelligence community is “unnecessarily complex”. It leads to “unclear and confusing laws” for the intelligence officers who have to interpret and follow them.
    So said the final report of the Comprehensive review of the legal framework of the National Intelligence Community in December 2019 — although the government didn’t publish it until a year later, in December 2020.
    Comprehensive indeed: Even the unclassified version runs to more than 1,300 pages.
    That review, conducted by former diplomat, public servant, and one-time ASIO chief Dennis Richardson, recommended that as far as electronic surveillance goes, Australia needs a whole new electronic surveillance Act.
    As Richardson noted, when the core Telecommunications (Interception and Access) Act 1979 (TIA Act) was originally passed, it was just 19 pages long. But by the end of 2019, it had blown out to 411 pages.
    “The TIA Act itself rests on outdated technological assumptions, and has become complex to the point of being opaque. We are not the first review to recommend its reform,” Richardson wrote.
    “Technological change and convergence has resulted in telecommunications interception, covert access to stored communications and computers, and the use of optical and listening devices… becoming functionally equivalent.”

    Currently, though, these activities are subject to “inconsistent limits, controls and safeguards” across the TIA Act, the Surveillance Devices Act 2004, and the Australian Security Intelligence Organisation Act 1979.
    Richardson made dozens of recommendations for how such a new Act should work, and 203 recommendations in total.
    It took an entire year for the government to respond, in part due to the COVID-19 pandemic’s impact on business, but eventually, in its formal response of December 2020, it agreed that such a reform was needed.
    Indeed, the government agreed, or agreed in principle, to the vast majority of Richardson’s unclassified recommendations.
    “The central area for reform is a new electronic surveillance Act, which will be a new landmark in Australia’s national intelligence legislation,” the government wrote.
    “A new electronic surveillance Act will be generational in its impact. This legislation will require careful and detailed consideration, with extensive public consultation, to establish a framework that will support Australia’s intelligence collection and law enforcement agencies in the years to come.”
    Which is all well and good, but it’ll take time. Five years and AU$100 million, according to the Richardson review.
    That’s down to “the complexity of issues at play, the multitude of interested stakeholders at the Commonwealth, state and territory level and the controversy which attaches to what are, arguably, the most intrusive powers of the state”.
    Indeed.
    “A new Electronic Surveillance Act will take two-three years of very detailed work and drafting before being considered by Parliament, after which there will need to be a good two year implementation period to update IT systems, adjust procedures, and retrain staff,” Richardson wrote.
    “It would also be possible for government to continue making ad hoc amendments to address individual challenges, as they arise. But kicking the can down the road will only make the reform exercise that much bigger and more complex when the time comes, as it surely will.”
    At the start of 2021 it’s still all about ad hoc laws
    Despite knowing about Richardson’s recommendations for a year, the government is still faffing about with a fat sack of ad hoc laws, most of which continue to be controversial.
    Chief among them is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, usually referred to as the TOLA Act or the AA Act.
    The TOLA Act introduced that complicated regime with clumsy and confusing definitions through which intelligence and law enforcement agencies gained the ability to request or demand assistance from communications providers — all very broadly defined — to access encrypted communications.
    A year later, the Labor opposition introduced its Telecommunications Amendment (Repairing Assistance and Access) Bill 2019, which goes part of the way to tidying up the mess, but in the view of your correspondent not far enough.
    That Bill has yet to go anywhere, mostly because the Parliamentary Joint Committee on Intelligence and Security (PJCIS) was scheduled to conduct a review anyway.
    PJCIS asked Australia’s then-Independent National Security Legislation Monitor (INSLM) Dr James Renwick to take a look.
    His recommendations, made in a 316-page report [PDF], included setting up an independent body to oversee the approval of TOLA Act activities rather than agencies approving them themselves without judicial oversight.
    PJCIS was supposed to complete its review by September 30, 2020, but there’s been no sign of it yet.
    PJCIS is well behind schedule on most of its other work too.
    The committee’s review of Australia’s mandatory telecommunications data retention regime was due to report by 13 April 2020 but that report didn’t appear until October 28.
    One of its recommendations was that the Department of Home Affairs “prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies”. Because currently there aren’t any.
    The recommended timeframe was a leisurely 18 months.
    PJCIS is also reviewing the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, which is all about exchanging telecommunications data with other countries.
    There’s no sign of that report either, and no deadline has been given.
    There’s yet another PJCIS review into the Telecommunications Sector Security Reforms (TSSR), which were all about “a regulatory framework to manage the national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities”.
    Submissions to that review closed on 27 November 2020. No public hearings have been held yet, and once more there’s no deadline for the committee to report.
    The Communications Alliance is worried about the potential for confusion because telcos’ requirements under TSSR overlap with those in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 which was introduced in December 2020.
    There is, of course, another PJCIS review to deal with that, with submissions closing February 12 and a reporting deadline of April 11.
    Finally, there’s the brand new Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 introduced in — you guessed it — December 2020.
    This new law would hand a trio of new computer warrants to the Australian Federal Police and the Australian Criminal Intelligence Commission: A data disruption warrant, a network activity warrant, and an account takeover warrant.
    There’s a PJCIS review into that Bill too, with submissions closing February 12, but again no deadline for the committee to report.
    Then there’s the Identity-matching Services Bill 2019, which was all about sharing biometrics between federal and state agencies, which was so bad that PJCIS recommended a complete redraft. We’ve yet to see any progress on that.
    A mess of the government’s own making
    In hindsight it’s easy to see why Australia’s intelligence legislation is in such a mess: For nearly 20 years now, politicians on both sides have rushed through a series of ad hoc laws without proper oversight.
    From the time of the terrorist attacks in the US on 11 September 2001, through to 1 August 2019, “Parliament passed more than 124 Acts amending the legislative framework for the NIC, making more than 14,500 individual amendments i.e. inclusive of the minor and technical,” Richardson wrote.
    That’s more than one new Act every eight weeks and it’s fair to say that politics has often trumped good governance.
    In December 2018, for example, despite all its bold speeches against the proposed TOLA Act, Labor caved in and passed it anyway.
    “Let’s just make Australians safer over Christmas,” then-Labor leader Bill Shorten said.
    “It’s all about putting people first.”
    It was a decision for which they were subsequently roasted, and rightly so.
    Laws, like puppies, aren’t just for Christmas.
    10 years ago, when Labor was in government, the controversial Cybercrime Legislation Amendment Bill 2011, which was meant to bring Australia into line with the Council of Europe Convention on Cybercrime, was found to be seriously flawed by the Joint Select Committee on Cyber-Safety.
    The House of Representatives ignored nearly all of those recommendations. Instead, MPs rushed to correct a fatal flaw that would have seen the new law fail to achieve its stated purpose.
    The current backlog of surveillance legislation, somehow simultaneously both rushed and delayed, seems unlikely to break from this pattern.
    The Minister for Home Affairs, Peter Dutton, and his sprawling department seem either disinclined to, or incapable of, organising themselves in a way that provides both thoughtfully drafted legislation in a timely manner, and meaningful timeframes for public consultation.
    Cutting judges out of the warrant process? Really?
    Also concerning is Richardson’s recommendation to not strengthen judicial oversight of intelligence activities, but to lessen it.
    “Recommendation 30: Ministers should continue to authorise ASIO and Intelligence Services Act agency activities. These authorisations should not also be subject to judicial or other independent authorisation,” he wrote.
    The government agreed.
    “Ministerial authorisations, together with IGIS [Inspector-General of Intelligence and Security] oversight, provide appropriate protections and accountability for intelligence warrants and authorisations, and should continue without additional judicial or other authorisation,” they wrote.
    The Law Council of Australia has expressed “grave concern” about this.
    “This would reinforce Australia’s status as a major outlier within the Five Eyes Alliance,” wrote Pauline Wright, the Law Council’s president.
    “The United States, United Kingdom, Canada, and New Zealand all have judicial authorisation requirements for their intrusive intelligence collection-powers,” she wrote.
    “For the public to have trust and confidence in covert activities it is essential the utmost independence and rigour applies when granting authorisations. Judicial authorisation is essential to creating and maintaining that state of trust.”
    The Australian government’s challenge this year will be to unravel this tangle of laws. One might wonder whether they’re up for it.

  • Optus warns not to punish whole economy for tech giant sins in Privacy Act changes

    Optus has said that any changes made to Australia’s Privacy Act out of the review being conducted by the Attorney-General’s Department (AGD) should not focus on problems relating to the power of tech giants in Australia.
    “Optus cautions against extrapolating the behaviour of global monopolistic companies to the behaviour of competitive firms across the wider Australian economy,” the Singaporean-owned telco said in a submission to the review.
    “Optus submits that this review should be assessed within a competitive market framework. Any identified problem which gives rise to regulatory action must be a problem observable in effectively competitive markets. Problems arising from monopolistic behaviour are issues for competition law, not privacy law.”
    The telco said any wholesale changes to the Act would lead to “substantial compliance costs and place a further drag on innovation and limit the benefits of digitalisation”, and therefore a high level of justification is needed.
    One area where Optus said changes could be made was removing Part 13 of the Telecommunications Act — which prevents telcos from using the content of communications or personal information except in specified circumstance — as it has hamstrung local operators when competing against over-the-top (OTT) providers and tech giants.
    “Telecommunications carriers are subject to greater obligations under these two telecommunications acts than under the general Privacy Act. However, these Acts do not apply to the dominant over-the-top providers such as Facebook, Google, Apple, etc. It is these OTT providers that have been subject to investigation by the ACCC and whose behaviour ultimately led to this review,” it said.
    “Further, the favourable treatment of these multi-trillion dollar global companies over Australia-based and licensed telecommunications companies risks delaying the development of the Australian digital economy.”

    Optus added that as Part 13 was written prior to the Privacy Act, and the wider economy now has privacy protections, it believes the section could now be removed.
    In the October issues paper, AGD asked whether Australia should introduce a “right to erasure”, an analogue of Europe’s right to be forgotten. On this point, Optus was firmly against it.
    “There are significant technical hurdles to implement this for most sectors of the economy and much more research needs to be conducted,” the company said.
    “Optus submits that the compliance cost of an express right to erasure in the Privacy Act is likely to far exceed the benefits that flow from the right. There is insufficient evidence of a problem which would justify the costs.”
    Also in disagreement with the idea was Telstra. It said the existing Australian Privacy Principles already require companies to delete data when it is no longer needed.
    “The imposition of any obligation to automatically delete personal information may not always be practical or even possible, particularly considering the suggestion that technical information should be treated as personal information,” it said.
    “Requiring network operators to routinely purge their networks of all technical information could also present operational risk if the information is needed for the proper functioning of those networks. Further, imposing an obligation to delete information may also create uncertainty for organisations who have legitimate reasons to retain what they have generated, such as to comply with other legal obligations (as is the case under the telco metadata retention regime) or in order to be able to effectively deal with and respond to customer queries and complaints.
    “There are also cases where deletion of personal information of an individual would impact the accuracy or quality of personal information we hold about another individual, for example in the case of a joint account or transactions between individuals such as call records.”
    Telstra further warned that if the review headed too far towards what the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry (DPI) recommended, then it would lead to increased regulatory burden with minimal benefit to consumers.
    The incumbent Australian telco dismissed many of the changes the review was looking into, such as the definition of personal information; protections for de-identified, anonymised, or pseudonymised information; notification; or the introduction of a statutory tort or direct right of action.
    “Information that has been de-identified should no longer be regarded as personal information and, therefore, should not be regulated under the Privacy Act as its use or disclosure should have no privacy-related consequences for any individual,” Telstra said.
    “Any reforms intended to clarify this position should stop short of imposing a higher standard of ‘anonymisation’ whereby de-identified data may continue to be personal information until all possibility of re-identification has been eliminated. Given the practical challenges of achieving that standard, any such change could have a chilling effect on innovation whereby useful research and analytics currently carried out with very low risk to privacy could be prevented simply because it is not possible to absolutely eliminate all possibility of re-identification.”
    In the opposing corner, security researcher Vanessa Teague said de-identification does not work.
    “A person’s detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person’s explicit, genuine, informed consent,” she said.
    “Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made.”
    Elsewhere, the telcos agreed that current enforcement arrangements were theoretically sufficient, provided outfits like the Office of the Australian Information Commissioner (OAIC) and Telecommunications Industry Ombudsman were well resourced.
    “A direct right of action has the capacity to divert consumers from OAIC’s complaint and investigative processes, which we believe are well-suited to complaints under the Privacy Act, and which already permit applications to the Federal Court of Australia by the OAIC and the consumer in appropriate circumstances,” Telstra said.
    The telco said the average time to finalise a complaint to OAIC is under 5 months, while Federal Court action could take that long to hear a matter, let alone hand down a final decision.
    Telstra added it would be good if state and federal privacy laws were harmonised, as well as surveillance device laws and health data records laws.
    “Most individuals would expect the level of protection afforded to their personal information to be the same nationally,” it said. 
    “Again, this harmonisation will make it easier for businesses to comply and for individuals to better understand their rights so they can exercise them. Alignment across jurisdictions would also provide wide ranging benefits including for industry as suppliers of systems that design and manage controls for these data across jurisdictions.”
    Agreeing with the telco on the need to provide resourcing to OAIC, and little else, was the ACCC.
    “At the heart of our submission is the view that, in order to protect consumers and address market failure, the Privacy Act requires fundamental redesign that goes beyond our DPI recommendations, so that it will better reflect the modern day realities of consumers’ increasing lives online,” the consumer watchdog said.
    The ACCC said it was possible to create regulations for stronger privacy protections, consumer awareness, and obligations for business in such a way that the benefits would outweigh any compliance costs.
    “The market failures and consumer protection issues related to privacy and consumer choice and control over data that we identified in the DPI are unlikely to be limited to digital platforms or the businesses and sectors we have since examined in our inquiries,” it said.
    “A number of the DPI’s observations in relation to the data practices of digital platforms extend to businesses beyond search and social media digital platforms. This includes businesses in media and advertising services, customer loyalty schemes, and platforms providing online private messaging services. This informed our economy wide privacy reform recommendation in the DPI.”

    OpenWRT reports data breach after hacker gained access to forum admin account

    The maintainers of OpenWRT, an open-source project that provides free and customizable firmware for home routers, have disclosed a security breach that took place over the weekend.

    According to a message posted on the project’s forum and distributed via multiple Linux and FOSS-themed mailing lists, the security breach took place on Saturday, January 16, around 16:00 GMT, after a hacker accessed the account of a forum administrator.
    “It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled,” the message reads.
    The OpenWRT team said that while the attacker was not able to download a full copy of its database, the attacker did download a list of forum users, which included personal details such as forum usernames and email addresses.
    No passwords were included in the downloaded data, but citing an “abundance of caution,” OpenWRT administrators have reset all forum user passwords and API keys.
    The project is now informing users that the next time they log into their accounts, they’ll need to go through the password recovery procedure. This process is also mandatory for those using OAuth tokens, who will need to re-sync their accounts.
    Great phishing opportunity for supply chain attacks
    Furthermore, OpenWRT admins are warning forum users that they might see an increase in email phishing attempts.

    While some might question why an OpenWRT forum account matters, the portal is often frequented by developers working for companies that sell OpenWRT-compatible routers or software.
    Compromising a forum account on OpenWRT could be the first step towards escalating access into the internal networks of many hardware and software development companies.
    As a result, the OpenWRT team is urging forum users not to click any links inside emails they receive claiming to come from its domain. Instead, users should type the forum’s URL (forum.openwrt.org) into their browser address bar by hand and access it that way.
    OpenWRT admins said that only forum user data appears to have been compromised for now. The OpenWRT wiki, which provides official download links and information about how users could install the firmware on various proprietary router models, was not breached, based on current evidence.