Australian Optus telco data debacle gets worse and worse – non-existent security and no govt regulation

[…]

The alleged hacker – who threatened to sell the data unless a ransom was paid – took names, birth dates, phone numbers, addresses, and passport, healthcare and drivers’ license details from Optus, the country’s second-largest telecommunications company.

Of the 10 million people whose data was exposed, almost 3 million had crucial identity documents accessed.

Across the country, current and former customers have been rushing to change their official documents as the US Federal Bureau of Investigation joined Australia’s police, cybersecurity, and spy agencies to investigate the breach.

The Australian government is looking at overhauling privacy laws after it emerged that Optus – a subsidiary of global telecommunications firm Singtel – had kept private information for years, even after customers had cancelled their contracts.

It is also considering a European Union-style system of financial penalties for companies that fail to protect their customers.

An error-riddled message from someone claiming to be the culprit and calling themselves “Optusdata” demanded a relatively modest US$1m ransom for the data.

[…]

That demand was followed by a threat to release the records of 10,000 people per day until the money was paid. A batch of 10,000 files was later published online.

As Optus and the federal government dealt with the fallout, the alleged hacker had a change of mind and offered their “deepest apology”.

“Too many eyes,” they said. “We will not sale data to anyone. We cant if we even want to: personally deleted data.”

Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack and said the associated IP address was “out of Europe”. She said police were “all over” the apparent release of information and told ABC radio that the security breach was “not as being portrayed”.

Experts have said Optus had an application programming interface (API) online that did not need authorisation or authentication to access customer data. “Any user could have requested any other user’s information,” Corey J Ball, senior manager of cyber security consulting for Moss Adams, said.

[…]

Optus ‘left the window open’

The cyber security minister, Clare O’Neill, has questioned why Optus had held on to that much personal information for so long.

She also scoffed at the idea the hack was sophisticated.

“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” she told the ABC. “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

[…]

Asked about Rosmarin’s comments that the attack was sophisticated, O’Neill said: “Well, it wasn’t.”

On Friday, prime minister Anthony Albanese said what had happened was “unacceptable”. He said Optus had agreed to pay for replacement passports for those affected.

“Australian companies should do everything they can to protect your data,” Albanese said.

“That’s why we’re also reviewing the Privacy Act – and we’re committed to making privacy laws stronger.”

[…]

Australia currently has a $2.2m limit on corporate penalties, and there are calls for harsher penalties to encourage companies to do everything they can to protect consumers.

In the EU, the General Data Protection Regulation means companies are liable for up to 4% of the company’s revenue. Optus’s revenue last financial year was more than $7bn.

[…]

Source: The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle | Optus | The Guardian

If the government provides no legal incentive to tighten security and privacy, then companies won’t invest in it.

Blizzard really really wants your phone number to play its games – personal data grab and security risk

When Overwatch 2 replaces the original Overwatch on Oct. 4, players will be required to link a phone number to their Battle.net accounts. If you don’t, you won’t be able to play Overwatch 2 — even if you’ve already purchased Overwatch. The same two-factor step, called SMS Protect, will also be used on all Call of Duty: Modern Warfare 2 accounts when that game launches, and new Call of Duty: Modern Warfare accounts.

Blizzard Entertainment announced SMS Protect and other safety measures ahead of Overwatch 2’s release. Blizzard said it implemented these controls because it wanted to “protect the integrity of gameplay and promote positive behavior in Overwatch 2.”

[…]

SMS Protect is a security feature that has two purposes: to keep players accountable for what Blizzard calls “disruptive behavior,” and to protect accounts if they’re hacked. It requires all Overwatch 2 players to attach a unique phone number to their account. Blizzard said SMS Protect will target cheaters and harassers; if an account is banned, it’ll be harder for them to return to Overwatch 2. You can’t just enter any old phone number — you actually have to have access to a phone receiving texts to that number to get into your account.

[…]

Blizzard said these phone notifications will be used to approve password resets — meaning someone else won’t be able to change your password without the notification code it’ll send to your mobile phone. Blizzard said it will also send you a text message if your account is locked out after “a suspicious login attempt,” or if your password or security features are changed.

Source: Overwatch 2 SMS Protect: What is it? Why does Blizzard require my phone number? – Polygon

So this is a piece of ‘real’ information you have to give them – but what if you move country and change mobile phone? What if you lose your mobile? What if they get hacked (again) and your number is taken? It’s either something that does get changed or is very hard to change. It shows you that basically Blizzard sees your data as something they can grab for free – you are their product. Even though the games are technically free to play, in practice they make a killing off the items you buy in-game in order to be cool.

They will probably get away with it though, just as they got away with installing spyware on your PC or when you attend their events under pretty flimsy pretenses.

FCC rules Satellites must be deorbited within five years of completing missions instead of 25 years

The US Federal Communications Commission (FCC) has adopted new rules to address the growing risk of “space junk” or abandoned satellites, rockets and other debris. The new “5-year-rule” will require low-Earth operators to deorbit their satellites within five years following the completion of missions. That’s significantly less time than the previous guideline of 25 years.

“But 25 years is a long time,” FCC Chairwoman Jessica Rosenworcel said in a statement. “There is no reason to wait that long anymore, especially in low-earth orbit. The second space age is here. For it to continue to grow, we need to do more to clean up after ourselves so space innovation can continue to respond.”

Rosenworcel noted that around 10,000 satellites weighing “thousands of metric tons” have been launched since 1957, with over half of those now defunct. The new rule “will mean more accountability and less risk of collisions that increase orbital debris and the likelihood of space communication failures.”

[…]

Source: Satellites must be deorbited within five years of completing missions, FCC rules | Engadget

Why 5 years? It’s still too long!