The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good

Regulators all around the world are imposing stricter data privacy and notification rules, but these can sometimes be difficult to comprehend without assistance or guidance. This is especially true regarding whether a data breach requires reporting or not. But some countries are taking the opposite approach: they first help to educate organizations, and only then will impose the laws. New Zealand’s Office of the Privacy Commissioner (OPC) has launched a new online tool enabling businesses and organisations to easily assess whether a privacy breach is notifiable.

Under the Privacy Act 2020, which comes into effect on 1 December, it will be mandatory for organizations to notify the regulator if a privacy breach has caused, or is likely to cause, serious harm. Failing to do could lead to a fine of of up to $10,000.

But how does one know if a breach can lead to such serious consequences? There’s the good news: They can use the free tool, aptly named “NotifyUs” to evaluate if a data breach can cause “serious harm”.

The Bad

The GRU, Russia’s Main Intelligence Directorate, is officially in charge of information collection, but according to many in the security industry, it is the main body that carries out offensive cyber operations against Russia’s enemies. This week, the EU, UK and USA have all acted to sanction the GRU in response to a number of recent offensive cyber campaigns.

The Council of the European Union imposed sanctions on two Russian citizens and a “military intelligence center” (aka APT group APT28 or “Fancy Bear”) due to cyberattacks targeting Germany’s parliament in 2015 and the Organization for the Prohibition of Chemical Weapons (OPCW) in 2018. The sanctions include a travel ban and asset freeze all over the EU. In addition, UK authorities reported that the GRU has conducted reconnaissance activities against the (now postponed) Tokyo 2020 Olympic games. The GRU targeted the Games’ organisers, logistics services and sponsors, as part of a long running campaign that had also targeted the 2018 Winter Olympic and Paralympic Games. The US government has also indicted six Russian military officers accused of several major cyber attacks including NotPetya and attempted sabotage of the 2018 Winter Olympics, causing at least $1 billion in global losses.

It seems these GRU officers were engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize various foreign targets, from the Ukraine and Georgia to elections in France and international efforts to hold Russia accountable for its use of the weapons-grade nerve agent, Novichok.

Sanctions or no, with the protection of the Russian state, we have no doubt these actors will continue to be wreak havoc on more international targets.

The Ugly

Installing security cameras is meant to increase the safety of your home, but ill-secured cameras can allow hackers unfettered access to your most private moments. Some of those abusing unsecured cameras are not content with the mere act of peeping into other people’s private lives, they also seek to monetize this capability. A Singaporean newspaper this week reported that a hacking group active on the messaging platform Discord is selling footage from more than 50,000 hacked IP cameras from homes in Singapore, Thailand, South Korea, Canada, Australia and some other parts of Asia like Bangladesh, India and Pakistan.

The group sells access to a hacked camera for $150, complete with tutorials on how to choose the “best” camera (meaning one that is most likely to show naked women or children) and how to record videos. Some of the recorded videos, which range from one to twenty minutes in length and show people of all ages, sans clothes, have been uploaded to porn websites. This is another reminder of the security and privacy risk of introducing smart devices, especially those with video and audio capture capabilities, into our homes without proper security measures.