Vodafone Australia hit by privacy breach

VODAFONE Australia has launched an internal investigation into a security breach that put invoicing and call records on a publicly accessible website protected only by passwords that are changed monthly. Allegedly, anyone with a Vodafone login could view sensitive personal data.

A Vodafone spokesperson claimed that customer details were not available on the internet. “Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password.”

Vodafone also faces the prospect of privacy concerns being investigated by the Office of the Privacy Commissioner. The Commissioner has the power to conduct an investigation on behalf of affected customers and direct that compensation be paid to those affected. However, it appears that the Commissioner does not have the power to fine Vodafone directly for any data breach.

The main issue from preliminary reports is that Vodafone allowed details of its customers, including names, addresses, call records and charges, to be accessible via a public website, protected only by passwords. It is unclear whether separate individuals were issued with the same login details and password. If so, it would be difficult to trace back who exactly accessed which data and whether they had reasonable cause to do so.

A further issue is the extent of the records kept of the activity of those logging in to the system. Without a robust record on which to perform audits, Vodafone will be unable to determine how many records have been accessed without authority, which would complicate any possible compensation claims. Vodafone declined to specify what logs are maintained, stating that it did not want to hand out information that could help hackers.

This incident comes at a difficult time for Vodafone, which faces several possible lawsuits relating to alleged quality of service issues for customers in Australia, including outages said to be the result of Vodafone’s 3G network upgrade.

System logs & Auditing
Keeping track of what your IT system is actually doing is one of the most important, but tedious, processes in good IT security management. Without sufficient logs of the activity on your system [log-ins, user activity, access to files and databases, downloads, changes to data, emails etc.], an effective and meaningful audit is not possible.

A suitable depth of logs is also a priority: if logs are kept for just four weeks but the suspicious activity occurred two months ago, then again no useful audit can be undertaken. As the cost and physical size of storage media continue to drop dramatically, any security process should include a suitable catchment (what is logged) and depth (how long it is retained) of log activity.

The need for an audit is usually triggered by the following:

  • A reported security lapse from an investigation, physical inspection or alert from a third party, as was the case for Vodafone, which was tipped off by a journalist
  • Activity hits a specified event trigger, such as a spike in activity for certain usernames or access to areas which are not normally permitted
  • As required by the CIO, or by an external audit team reviewing the system in line with procedures

Whenever a data breach is alleged or detected, one of the first steps for investigators is to review the logs for access to the system and data. Matching event logs to suspicious log-ins and activity is part and parcel of an audit. Other information, such as physical access to buildings or certain offices, originating IP addresses and MAC addresses of machines, may also be cross-referenced as part of the audit to determine the nature and extent of the security breach.

Other important security steps for being able to mount an effective audit include:

  1. Passwords – all passwords should be changed periodically, and previous passwords must not be reused
  2. Usernames – all usernames should be unique and utilise letters and numbers, e.g. ANART22 or 25-IPIO, to discourage guessing by hackers
  3. Usernames – they should also avoid being obvious, such as a user’s first or last name or the name of the town or branch, e.g. David or Auburn
  4. Log access errors – all unsuccessful log-ins should be reported to the user and the administrator for review and detection of attempted hacking
  5. IP address – record all originating IP addresses for log-ins and plot them geographically [though they may be spoofed]
  6. Account management – log when user accounts are added, modified or deleted in any way
  7. Object access – log when certain sensitive files, folders and other system objects are opened, closed or otherwise “touched”
  8. Privilege use – record when users exercise privileges assigned to them beyond regular activity
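As an added illustration of the audit triggers and steps listed above, the following Python script is not part of the original article or of any Vodafone system. It assumes a simple access-log format of "timestamp username source-IP event object" (an assumption, not a format named on the page) and runs four of the checks the article describes over a handful of constructed log lines: a burst of unsuccessful log-ins (item 4), an unusual volume of record access by one username (the "spike in activity" trigger and item 7), the same credentials used from more than one originating IP address within a short window (item 5, and the shared-login problem raised in the Vodafone report), and whether the retained log reaches back far enough to cover the suspected incident (the log-depth point above).

```python
"""Log audit over constructed access-log lines.

Assumed line format (not from any real product):
    <ISO timestamp> <username> <source IP> <event> <object>
Events used: LOGIN_OK, LOGIN_FAIL, OBJECT_READ. All sample data below is
constructed for illustration; the IP addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one dealer account used from two addresses and
# reading many records, one account with a burst of failed log-ins.
SAMPLE_LOG = """\
2011-01-10T09:00:01 dealer07 203.0.113.10 LOGIN_OK -
2011-01-10T09:00:20 dealer07 203.0.113.10 OBJECT_READ invoices/cust-1001
2011-01-10T09:01:05 dealer07 198.51.100.7 LOGIN_OK -
2011-01-10T09:01:15 dealer07 198.51.100.7 OBJECT_READ callrecords/cust-2002
2011-01-10T09:02:00 dealer07 203.0.113.10 OBJECT_READ invoices/cust-1003
2011-01-10T09:03:00 dealer07 198.51.100.7 OBJECT_READ callrecords/cust-2004
2011-01-10T09:03:30 dealer07 198.51.100.7 OBJECT_READ callrecords/cust-2005
2011-01-10T09:04:00 dealer07 198.51.100.7 OBJECT_READ callrecords/cust-2006
2011-01-10T09:04:30 dealer07 198.51.100.7 OBJECT_READ callrecords/cust-2007
2011-01-10T09:04:45 dealer07 198.51.100.7 OBJECT_READ callrecords/cust-2008
2011-01-10T09:10:00 anart22 203.0.113.22 LOGIN_FAIL -
2011-01-10T09:10:05 anart22 203.0.113.22 LOGIN_FAIL -
2011-01-10T09:10:09 anart22 203.0.113.22 LOGIN_FAIL -
2011-01-10T09:10:14 anart22 203.0.113.22 LOGIN_FAIL -
2011-01-10T09:10:18 anart22 203.0.113.22 LOGIN_FAIL -
2011-01-10T09:10:25 anart22 203.0.113.22 LOGIN_OK -
2011-01-10T09:11:00 anart22 203.0.113.22 OBJECT_READ invoices/cust-1010
2011-01-10T09:30:00 auburn 203.0.113.50 LOGIN_OK -
2011-01-10T09:30:10 auburn 203.0.113.50 OBJECT_READ invoices/cust-1020
"""


def parse_log(text):
    """Parse the assumed format into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, obj = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip, "event": event, "object": obj})
    return sorted(records, key=lambda r: r["ts"])


def _bursts(records, key, window, threshold):
    """Sliding-window counter: {key: peak count} for keys whose number of
    events inside any `window`-long interval reaches `threshold`."""
    times_by_key = defaultdict(list)
    for r in records:
        times_by_key[key(r)].append(r["ts"])
    hits = {}
    for k, times in times_by_key.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[k] = peak
    return hits


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Item 4: repeated unsuccessful log-ins per (username, source IP)."""
    fails = [r for r in records if r["event"] == "LOGIN_FAIL"]
    return _bursts(fails, lambda r: (r["user"], r["ip"]), window, threshold)


def object_access_spikes(records, threshold=6, window=timedelta(minutes=10)):
    """Activity-spike trigger and item 7: many sensitive-object reads by one user."""
    reads = [r for r in records if r["event"] == "OBJECT_READ"]
    return _bursts(reads, lambda r: r["user"], window, threshold)


def shared_credential_use(records, window=timedelta(minutes=30)):
    """Item 5: a username logged in successfully from more than one originating
    IP within `window`, which suggests shared or compromised credentials."""
    logins = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_OK":
            logins[r["user"]].append((r["ts"], r["ip"]))
    flagged = {}
    for user, entries in logins.items():
        for i, (t1, ip1) in enumerate(entries):
            ips = {ip1} | {ip2 for t2, ip2 in entries[i + 1:] if t2 - t1 <= window}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


def log_covers(records, incident_iso):
    """Log-depth check: True when the earliest retained entry predates the
    suspected incident, so an audit of that period is actually possible."""
    return bool(records) and records[0]["ts"] <= datetime.fromisoformat(incident_iso)


def audit(text):
    """Run all checks and return the findings as one dict."""
    records = parse_log(text)
    return {"failed_login_bursts": failed_login_bursts(records),
            "object_access_spikes": object_access_spikes(records),
            "shared_credentials": shared_credential_use(records)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
    print("log covers 2010-11-15:", log_covers(parse_log(SAMPLE_LOG), "2010-11-15T00:00:00"))
```

The thresholds and windows are illustrative starting points; in practice they are tuned against a baseline of normal activity for each role, and the shared-credential check is only meaningful if, as item 2 above requires, every person has a unique username.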

Do you need to know more about our services and how Regents can assist you with preventing information loss and investigations into security breaches? Simply go to our Cyber Threats page or else our Contact Us for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Indonesia has a new anti-corruption Czar

The new Indonesian anti-graft czar, Busyro Muqoddas, was appointed in November 2010 for a one-year period. He has pledged to resolve difficult corruption cases that have led some in the media to claim that the country’s fight against corruption has stalled.

Busyro Muqoddas promised that the Corruption Eradication Commission (KPK) would investigate all pending cases through to a conclusion. Busyro Muqoddas added that he wanted all stakeholders including the government, the media and the people to create a tradition of transparency. “Transparency means honesty. We must respect each institution’s authority, including the KPK’s.”

Busyro Muqoddas will have a hard time regaining the people’s trust in a once-respected agency that has seen its last chairman convicted of murder and a number of high-profile cases languish on the back burner due to an internal leadership crisis.

Busyro Muqoddas has only a year to turn around the Commission before he would have to undergo a new election for his post, should he want to put his name forward. Many observers have criticized the decision by the House of Representatives to limit Busyro’s tenure to just the remaining term of the sitting commissioners, which will expire next year.

Busyro, the former head of the Judicial Commission, could win popular support by meeting public demands for the KPK to take over the investigation of the scandal involving Gayus or the Bank Century bailout saga from other agencies. But gaining control over either of those complex cases would be hard as legal proceedings are already under way, with several suspects already convicted and sentenced.

Meanwhile, a number of non-governmental organisations have kept up the pressure on the government to continue anti-corruption investigations and the pursuit of senior officials. One of the more popular organisations maintains the website http://antikorupsi.org/

Do you need to know more about our services and how Regents can assist you with anti-corruption, graft or misconduct issues? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

When does unauthorised access to email become hacking?

In late December 2010, in the US state of Michigan, a man was charged by police under anti-hacking laws intended to combat the unlawful accessing and copying of data such as intellectual property, personal data or financial information. However, the man is accused instead of logging into his wife’s email account without her permission and viewing her emails.

The man, Leon Walker, learned from the emails in his wife’s Gmail account that she was having an affair with her second husband. Walker decided to inform his wife’s first husband [this gets complicated], as there was an issue regarding the first husband’s son and Walker feared for the boy’s safety. When the first husband took action based on these emails, the wife reported Walker to the police and he was arrested.

Walker’s arrest raises considerable questions over evidence obtained in relation to divorce and family court matters. Around half of US divorce cases involve the disclosure of some form of electronic data such as emails, text messages or social networking posts. If the other side’s legal team can object to this data, claiming that it was collected in an underhand way, then the evidence may be thrown out by the court. This could leave many family court and other civil matters unable to proceed.

Walker has claimed that he and his wife shared the computer and that he merely looked at the emails and did not need consent. The wife claims that this is not so and that Walker had no right to look at the emails. It will be interesting to see how the court rules and whether any appeals will set a precedent for future cases. Other cases have turned on whether an individual had actual or implied permission to view certain information on a computer, website or mobile phone.

Walker’s legal counsel stated that the prosecutor was using a law that was aimed at computer hackers attempting to steal data or compromise systems and instead applying it to a divorce matter. The main

This case has some similarities to a well-known case involving the unofficial viewing of emails: that of former Governor of Alaska Sarah Palin’s Yahoo emails in 2008. In May 2010, David C. Kernell was found guilty of obstruction of justice and unauthorised access to a computer. Kernell was alleged to have broken into Sarah Palin’s personal Yahoo email account by guessing the answers to her password reminder questions. Kernell had no relationship with Palin that could explain why he might have a reason to access her emails.

After accessing the Yahoo account, Kernell then went on to post copies of Palin’s emails, addresses of her contacts and family photos on Wikileaks. As Palin was running for Vice President at the time, this simple breach of security had serious ramifications for her campaign.

The obstruction of justice conviction related to the fact that Kernell had deleted evidence from his computer hard drive after an investigation commenced into identifying the person responsible for hacking into the Yahoo account.

When conducting an investigation that involves the viewing of electronic files and data, it is imperative that the provenance of the data be established. Does the investigator have the right or permission to copy, recover, analyse or view these files, whether from the owner or via a court order? Legal privilege issues should also be considered, and legal advice should be sought if anything appears uncertain. Failure to follow proper computer forensic procedures could result in the evidence being invalidated and the matter being dismissed by a court.

Do you need to know more about our services and how Regents can assist you with computer forensics? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.