    ADHA records two My Health Record security incidents in FY20

    The agency responsible for oversight of My Health Record has revealed there were two incidents that compromised the medical records system during the 2019-20 financial year.
    In its annual report, the Australian Digital Health Agency (ADHA) outlined how one matter reported to the Office of the Australian Information Commissioner (OAIC) involved a breach to the external IT infrastructure that supports the My Health Record System, but assured that no health information was stolen.
    “This potential threat to the supporting IT infrastructure connected to the My Health Record system was identified and promptly addressed. There was no impact to the safety of health information in the system,” ADHA stated.
    The other breach was in relation to unauthorised access to an individual’s My Health Record, which was reported by a state or territory authority. The ADHA said the incident involved an individual who was receiving treatment from a healthcare facility and the login used to access the record belonged to a member of the person’s treating team.
    The number of breaches during 2019-20 was a significant improvement on last year’s 38 cases.
    As of 30 June 2020, there were 22.8 million active records on the My Health Record system. A total of 1.75 million people accessed their record via the national consumer portal and a total of 810 million documents were uploaded to the My Health Record system.
    During the financial year, ADHA said it also saw significant increases in pathology, diagnostic imaging, and dispense documents, which it attributed to increases in clinical software connections.
    Nationally, 67% of private pathology labs were connected to the My Health Record system, which was short of the 80% target that ADHA had set out to achieve for 2019-20. Meanwhile, 23% of private diagnostic imaging practices connected and shared reports with the system, exceeding the 2019-20 target of 20%.
    “Extensive engagement with private sector pathology and diagnostic imaging providers continued throughout 2019–20, supporting providers with their connection and software upgrade challenges. Negotiations with several larger organisations regarding their willingness to participate were ongoing, which accounted for the shortfall in private pathology participation for the year,” ADHA reported.
    The financial report also noted that the prioritisation of COVID-19 response activities across the health sector affected project delivery and resources. This included delaying the ability of a number of software providers to deliver enhancements for the ADHA’s secure messaging facility, and delaying the establishment of a formal governance arrangement for an implementation plan for the interoperability principles.
    During Senate Estimates on Monday, Department of Health officials revealed over 7 million Australians have now downloaded and registered for the COVIDSafe app, but confirmed that the app was only used to trace 17 unique cases that were not otherwise identified by manual contact tracing.
    “There hasn’t been a change in a number of additional unique contacts that have not been identified in an additional way since we last spoke to the COVID committee [on 29 September],” Department of Health Associate Secretary Caroline Edwards said.
    Shadow Minister for Health Chris Bowen and Shadow Minister for Government Services Bill Shorten have, in turn, called the Morrison government out for spending money on an app that has produced little return.
    “The government has spent up to AU$70 million on the COVIDSafe app, (most of it on marketing), for 17 traces,” they said. “This is AU$4 million per unique contact.”
    The Department of Health was also questioned about the amount of money they spent on external contractors and consultants in 2019-20 during Senate Estimates on Monday.
    In response, they outlined that Health had spent a total of AU$127.6 million on 899 contractors and engaged 282 consultants for a total contract value of AU$49.3 million as of 30 June 2020.
    Of those, the five largest contracts were awarded to Health Consultants Pty Ltd for AU$1.6 million, KPMG for AU$1.5 million, NSW Council for Intellectual Disability for AU$890,000, and another two contracts were awarded to Pricewaterhouse Coopers, valued at AU$1 million and AU$865,000 respectively.
    On the question of whether external consultants or contractors were used to develop the COVIDSafe app, Edwards said the department only used external contractors for legal and privacy advice.
    “The only external contract was the privacy assessment, so we got an external contractor to do the privacy assessment, which would be the appropriate thing to do. Most of the development of the actual technical material happened in the Digital Transformation Agency. We didn’t engage anybody for that,” she said.
    Data breaches upping ATO fraud 'red flags'

    The Australian Taxation Office (ATO) has a “red flag” feature, which serves up a “ping” whenever an individual or business has been suspected of having fraudulent activity conducted against their name or if their account has been compromised.
    Facing Senate Estimates on Tuesday, ATO client engagement second commissioner Jeremy Hirschhorn explained that this ping was effectively a caveat on taxpayers’ affairs.
    While Hirschhorn said there was no increase in fraudulent activity that could be directly tied to the COVID-19 pandemic, he said his teams have been very focused on fraud this year.
    “Obviously there are new mechanisms of potential fraud across all the programs. We have found — I have previously testified to the level of fraud in the ERS program, which is at about 0.3% of applications on our country, which is a very, very low level of fraud. We have also been looking at JobKeeper and Cashflow Boost and have not found systemic fraud,” he said.
    “We have found that there have been some individual opportunistic frauds but we have not identified a high level of fraud and part of that was the design feature of the measures which were designed to be available only to those who have a good lodgement and tax history, which made it harder for people to resurrect dormant entities.”
    On the reports of fraud related to the federal government’s early access super scheme, Hirschhorn said the ATO has received a variety of suspicious matter reports from Austrac. But he also said there has been an increase of data breach-related fraud.
    “There has also been a spate of — you know, when an organisation has its payroll data, amongst other data hacked, there have been a few hackings of companies which have meant that we have put more red flags on identity files,” he said.
    In Australia, the Notifiable Data Breaches (NDB) scheme requires agencies and organisations that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
    In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.
    In its last report, the Office of the Australian Information Commissioner revealed the total number of reported data breaches in Australia for the 2019-20 financial year was 1,050.
    For the six months spanning January to June 2020, 518 breaches were notified under the NDB scheme. 124 of those breaches occurred during May, the most reported in any calendar month since the scheme began in February 2018.
    Most of these were attributed to human error.
    NSW government sets up cyber and privacy resilience group to keep customer data safe

    The New South Wales government has set up a dedicated cyber and privacy resilience group as part of its vow to keep customer data safe.
    The formation of a dedicated taskforce that will focus on cyber resiliency and privacy risks across government was in response to the cyber attack the state government suffered earlier this year, according to NSW Department of Customer Service Secretary Emma Hogan, who chairs the new group.
    The breach resulted in 73GB of data, comprising 3.8 million documents, being stolen from staff email accounts. The breach impacted 186,000 customers.
    “Since the breach was discovered in April, we’ve invested heavily in both helping customers recover and also in understanding what went wrong, how a hacker was able to access so much customer data entrusted to us, and how we can make sure this never ever happens again,” Hogan said, speaking at the Privacy Enhancing Technologies Summit for Data Sharing on Tuesday morning.
    Alongside setting up the group, Hogan added that the state government is also working with the Information and Privacy Commission NSW to “embed privacy principles within the way we work”.
    “We’ve embraced the concept of ‘privacy by design’ to ensure that provisions and protections are built into our projects right from the start. Central to this is for agencies to undertake a privacy impact assessment for projects that might have privacy implications, together with a robust privacy reporting regime,” she touted.
    She continued, saying that the state government has started to “incorporate elements of privacy enhancing technologies”, but admitted there was “obviously scope to do more”.
    “So whenever you apply for some of that AU$1.6 billion [Digital Restart] funding, you will also need to be able to demonstrate how privacy enhancing technology measures will participate in it. Privacy enhancing technologies will continue to be a major part of our privacy measures now and into the future,” Hogan said.
    In June, the state government announced its intentions to stand up a sector-wide cybersecurity strategy, which would supersede the cybersecurity strategy that was last updated in 2018.
    The plan to create a new security document followed a AU$240 million commitment to improve NSW’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce.
    Under that commitment, the NSW government announced it would stand up a cybersecurity vulnerability management centre in Bathurst, 200km west of Sydney.
    To be operated by Cyber Security NSW, the centre would be responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies. 
    Of that AU$240 million commitment, AU$60 million would also be spent to create an “army” of cyber experts. Minister for Customer Service Victor Dominello said at the time, the creation of a cyber army would see the scope of Cyber Security NSW broadened to incorporate small agencies and councils.
    “The AU$60 million is not only a four-fold increase in spending on cybersecurity but allows Cyber Security NSW to quadruple the size of its team in the battle against cyber-crime,” Dominello said.
    “Cyber Security NSW will train the next generation of cybersecurity experts and ensure there is a cross-government coordinated response, including advance threat intelligence sharing, cybersecurity training, and capability development.”
    Hacker steals $24 million from cryptocurrency service 'Harvest Finance'

    A hacker has stolen roughly $24 million worth of cryptocurrency assets from decentralized finance (DeFi) service Harvest Finance, a web portal that lets users invest cryptocurrencies and then farm the price variations for small profit yields.
    The hack took place earlier today and was almost immediately confirmed by Harvest Finance administrators in messages posted on the company’s Twitter account and Discord channel.
    According to these messages, a hacker invested large quantities of cryptocurrency assets in its service and then used a cryptographic exploit to siphon the platform’s funds to their own wallets.
    In total, the hacker stole $13 million worth of USD Coin (USDC) and $11 million worth of Tether (USDT), according to a transaction ID singled out by Harvest Finance administrators in a subsequent post-mortem investigation.
    Two minutes after the attack, the hacker also returned $2.5 million back to the platform, but the reasoning behind this operation remains unclear.
    Company claims to have identified the attacker
    In a message posted on its Discord channel, Harvest Finance claimed the attack left “a significant amount of personally identifiable information on the attacker” and described them as “well-known in the crypto community.”

    In a series of messages posted on Twitter, Harvest Finance admitted that the attack took place because of a mistake on its part and left the door open for the attacker to return the funds without any consequences.
    “We made an engineering mistake, we own up to it,” the company said.
    “We do not have any interest in doxxing the attacker […]. People should have their privacy,” the company added. “You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”

    We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage
    — Harvest Finance (@harvest_finance) October 26, 2020

    The company is now offering a $400,000 bounty to anyone who finds a way to return the stolen funds. After the first 36 hours, the bounty will be lowered to $100,000.
    “Please do not doxx the attacker in the process. We strongly advise to focus all efforts on ensuring that user funds are successfully returned to the deployer,” Harvest Finance said.

    F5 Networks fiscal Q4 results top expectations, Q1 revenue outlook beats, shares jump

    Shares of networking traffic management technology vendor F5 Networks were up almost 6% in late trading this afternoon, after the company reported fiscal fourth-quarter revenue and profit that topped analysts’ expectations, and forecast this quarter higher as well.
    F5 CEO François Locoh-Donou said that “Going forward, we expect continued robust software growth from a more diversified base of subscription and SaaS revenue, a software subscription renewals flywheel that is starting to turn with momentum, and true-forward revenue opportunities on a significant percentage of our long-term software subscription contracts.”
    Revenue in the three months ended in September rose 4.1%, year over year, to $615 million, yielding EPS of $2.43. That was above the average Wall Street estimate for $607 million and $2.37.
    For the current quarter, the company sees revenue in a range of $595 million to $615 million, again, ahead of consensus for $592 million.
    EPS is seen in a range of $2.26 to $2.38, better than the average estimate for $2.28. 
    F5, based in Seattle and founded in 1996, is best known for its initial product, the BIG-IP network application traffic controller. The company was for many years an appliance vendor, but over time diversified its product offerings to provide both a virtual version that can be installed on a standard on-premises server and, in more recent years, a cloud-based version.
    F5 stock rose almost 6% in late trading to $132.85.
    Adware found in 21 Android apps with more than 7 million downloads

    Google has removed 15 of 21 Android applications from the official Play Store over the weekend following a report from Czech antivirus maker Avast.
    The security firm said the apps were infected with a type of malware known as HiddenAds.
    Discovered in 2019, this Android adware strain operates by showing excessive and intrusive ads and by opening mobile browsers on ad-heavy or promotional pages.
    In a report published today, Avast malware analyst Jakub Vávra said the apps mimicked popular games, and the criminal group behind this operation relied on social media ads and marketing to draw users to their Play Store pages.
    Once users installed any of these apps, the HiddenAds malware would hide the app’s icon (to make it difficult for users to delete the app in the future) and then start bombarding users with ads.
    The names and Play Store URLs of all the 21 apps are available in this spreadsheet.

    Six of the 21 apps are still available on the Play Store at the time of writing: Shoot Them, Helicopter Shoot, Find 5 Differences – 2020 NEW, Rotate Shape, Find the Differences – Puzzle Game, and Money Destroyer.
    Avast said the apps were downloaded by more than seven million users before it filed its report with Google last week.
    Vávra said that it’s easy to fall for these apps and install one on your phone, but there are some patterns and giveaways that can help users identify possibly malicious apps.
    “Users need to be vigilant when downloading applications to their phones and are advised to check the applications’ profile, reviews and to be mindful of extensive device permission requests,” Vávra said.
    Furthermore, since many of these apps (games) are geared toward kids and usually advertised on social media networks, the Avast malware analyst also encouraged parents to speak and teach their kids about malware and online safety.
    Today’s Avast report is just the latest in a long list of Google enforcements against malware operators who manage to sneak their malware past the Play Store’s defenses.
    In recent months, Google has also removed 17 Android apps caught engaging in WAP billing fraud, then another 64, then three more, then 56 more apps part of an ad fraud botnet, then 240+ apps that showed out-of-context ads, then another 38 apps that also showed out-of-context ads, and finally, Google deactivated the accounts of six developers for uploading apps tainted with the Cerberus banking trojan.

    Over 100 irrigation systems left exposed online without a password

    More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes.
    The exposed irrigation systems were discovered by Security Joes, a small boutique security firm based in Israel.
    All were running ICC PRO, a top-shelf smart irrigation system designed by Motorola for use with agricultural, turf, and landscape management.
    Security Joes co-founder Ido Naor told ZDNet last month that companies and city officials had installed ICC PRO systems without changing default factory settings, which don’t include a password for the default account.
    Naor says the systems could be easily identified online with the help of IoT search engines like Shodan.
    Once attackers locate an internet-accessible ICC PRO system, Naor says all they have to do is type in the default admin username and press Enter to access a smart irrigation control panel.
    Here, Naor says attackers can pause or stop watering events, change settings, control the water quantity and pressure delivered to pumps, or lock irrigation systems by deleting users.

    More than 100 ICC PRO irrigation systems were left exposed online without a password last month when Naor first spotted this issue.
    The security researcher said that more than half of the exposed systems were located across Israel, with the rest being spread across the entire globe.
    Naor notified CERT Israel last month, which then contacted the affected companies, the vendor (Motorola), and also shared the findings with other CERT teams in other countries.
    The exposure started getting better last week. Naor credited Motorola with this development after the company sent a letter to customers about the dangers of leaving irrigation systems exposed online.
    As a result of these notifications, the number of internet-accessible ICC PRO instances started going down to 94 last week and to 78 today, as companies started putting their irrigation systems behind firewalls or on private networks.
    However, while the situation improved, a large chunk of the systems that are still exposed online today still don’t have a password set up for the default account.
    Not related to the April cyberattacks
    Naor’s findings come after earlier this year the Israeli government said that Iranian hackers breached water management systems across Israel and tried to alter water levels. Luckily, the breached systems managed only agricultural pumps, most likely linked to irrigation systems.
    Following these intrusions, the Israeli cyber-security agency INCD sent out a nationwide alert asking water supply and water treatment facilities to change passwords for their web-based management systems.
    Naor said the irrigation systems he discovered last month were not linked to this April’s incidents.
    “These systems were found by our monitoring rules that search for open administrative panels in Israel,” Naor told ZDNet.
    “Security Joes are constantly on the lookout for emerging threats, trying to be one step ahead of the attackers. One of our missions is to search for administrative interfaces in-the-wild to ensure their resilience to drive-by attackers. We urge organizations and security firms to do the same,” he added.
    A 2018 research paper, authored by an Israeli research team, argued that water irrigation systems could be targeted with botnet-like coordinated attacks to create water shortages in a certain area by emptying water reserves.

    The rise of the social bandits: How politics, injustice shapes how we view hacktivism

    “If they don’t listen to us, do they deserve it?” is the question being asked in a new study exploring modern attitudes surrounding the legitimacy of cybercriminal activities.
    Today, the breadth and scope of cyberattacks are vast. Unsecured cloud servers and data theft have created a lucrative trade on carding forums; identity theft and online fraud are rampant; the mass sale of PII dumps is common; ransomware attacks on hospitals cause patient deaths; attacks launched against utilities prompt city-wide blackouts; and state-sponsored groups covertly conduct cyberespionage for political or financial gain.
    Often, cyberattack attribution can be difficult — but not always. So-called hacktivists, for example, may claim responsibility for website defacement and other kinds of attacks for political, religious, or social purposes. 
    Over the past decade, hacktivism became commonly associated with the Anonymous collective and LulzSec offshoot, which opportunistically aligned with various social campaigns over the years, extending protests from the sidewalk to the digital realm. 
    Website defacement, distributed denial-of-service (DDoS) attacks, and doxxing are common trajectories for these groups — with members often anonymous and based worldwide — and as using tools for these purposes became easily accessible and cheap, everyone from a black hat to a script kiddie could take advantage. 
    It is important to note, however, that the general public can become collateral damage in such attacks if their online accounts or data is compromised.
    Despite 2020 — and the overall year it has been — hacktivism incidents, on the whole, appear to have waned. However, as shown when Anonymous’ social media accounts suddenly gained millions of new followers during the Black Lives Matter protests sparked by the death of George Floyd, there may still be an undercurrent of support for such activities when social injustice is felt — or the belief that voices are being ignored. 
    In a research paper, “‘If they don’t listen to us, they deserve it’: The effect of external efficacy and anger on the perceived legitimacy of hacking,” published September 30 in the academic journal Group Processes & Intergroup Relations, researchers have examined how disappointment in social systems could change how we view, and whether or not we would support, hacktivism.
    University of Kent academics Maria Heering, Giovanni Travaglino, Dominic Abrams, and Emily Goldsack conducted two studies in which participants were presented with “unfair” grading practices and the exploitation of their work in university and online platform settings.
    They were then told that upper management was either willing or unwilling to investigate their complaint. 
    In the next part of the study, participants were told that the authority’s website had been defaced and access was disrupted over the course of several days. 
    Including responses from 259 undergraduates and 225 non-students, respectively, the studies build upon a “social banditry” framework proposed by Travaglino in 2017, in which “despite acting illegally,” the activities of ‘bandits’ that gave “otherwise voiceless masses with an opportunity to express their grievances” could secure the support of community members. 
    When an authority was considered unresponsive and their complaints were not taken seriously, participants reported anger — and the perception of the legitimacy of the hacktivists’ attacks increased, making them “more likely to legitimize the hackers’ disruptive actions as a way to manifest their own anger against the organization.”
    “Support for hackers is a key expression of vicarious dissent because hackers’ actions are highly visible and public, require expertise that laypeople do not generally have, and often (but not exclusively) may be aimed at government agencies, corporations and other powerful entities,” the paper reads. 
    In other words, it may be that members of the general public who feel ignored and powerless in an unjust situation are more inclined to support today’s digital Robin Hood figures, regardless of other potential consequences such as data loss or theft, operational disruption, business cost, or whether or not the criminal actions force an authority to rethink its position.
    The team says that in the future, it may also be worth exploring how such ‘bandits’ may lose support, such as if their actions are seen as “selfish” rather than “getting back” at authority.
    “While this study explored individuals’ feelings of anger, there is certainly more to be explored in this research area,” Heering commented. “For example, there might be important differences between the psychological determinations of individuals’ support for humorous, relatively harmless forms of hacking, and more serious and dangerous ones.”