[AusNOG] Optus Hack

Martin Visser martinvisser99 at gmail.com
Wed Sep 28 10:10:58 AEST 2022


Talking about hashing and so on, there are some quite interesting
developments around being able to disclose with confidence to a consuming
entity some information about you without actually sharing the data. For
example one was being able to prove your age is greater than say 18 (at a
pub or club) but without actually disclosing your birthday. Others were
whether you had met some certification or other obligations. I know this
sometimes gets sucked into the whole cryptocurrency/blockchain thing but I
don't think it has to be fully tied to that.

Anyway, the two podcasts I listened to on this have stimulated me to
look into it a bit deeper -
https://twit.tv/shows/floss-weekly/episodes/685 (Sam Curren on DIDs and
DIDcomm) and https://twit.tv/shows/floss-weekly/episodes/686 (Dave Huseby
on Authentic Data)

Regards, Martin

MartinVisser99 at gmail.com
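
Added example (mine, not code from this post or from the podcasts it links): the "prove you are over 18 without handing over your birthday" pattern in working Python, using the salted-hash selective-disclosure construction that SD-JWT and the ISO 18013-5 mobile licence use, with the issuer deriving the over-18 predicate at issuance. The issuer name, claim names, sample record and issuer key are constructed, and the issuer signature is stood in by an HMAC shared with the verifier so the script runs stand-alone; a real issuer signs asymmetrically and the verifier holds only the public key. It also shows in code what Glenn argues further down the thread: what gets kept and shown is the attested predicate, not the source document fields.

```python
"""Prove a derived claim ("over 18") without revealing the source claim.

Added illustration for this thread, not code from the original post or
from the projects mentioned in it. The pattern is salted-hash selective
disclosure (as in SD-JWT and ISO 18013-5 mdoc): the issuer salts and
hashes each claim separately, signs only the list of digests, and the
holder later reveals just the (salt, value) pairs a verifier needs.
Everything below is constructed sample data. The issuer signature is
stood in by an HMAC whose key the verifier shares, so this runs
stand-alone; a real issuer signs with an asymmetric key and the verifier
holds only the public half.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from datetime import date

ISSUER_KEY = b"constructed-issuer-key"  # placeholder for the issuer's signing key


def _canon(obj) -> bytes:
    # Canonical JSON: issuer, holder and verifier must hash identical bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _digest(salt: str, name: str, value) -> str:
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


def issue(claims: dict, today: str) -> tuple[dict, dict]:
    """Issuer: return (signed_credential, disclosures).

    The over_18 predicate is derived here, at issuance, so the holder can
    later prove it without ever handing over date_of_birth.
    """
    dob = date.fromisoformat(claims["date_of_birth"])
    now = date.fromisoformat(today)
    # Subtract one if this year's birthday has not happened yet.
    age = now.year - dob.year - ((now.month, now.day) < (dob.month, dob.day))
    claims = dict(claims, over_18=age >= 18)

    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = secrets.token_urlsafe(16)  # fresh per claim: blocks dictionary guessing
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))

    # Sorted so the credential does not reveal claim order.
    body = {"issuer": "example-issuer", "digests": sorted(digests)}
    sig = hmac.new(ISSUER_KEY, _canon(body), hashlib.sha256).hexdigest()
    return {"payload": body, "sig": sig}, disclosures


def present(disclosures: dict, reveal: list[str]) -> dict:
    """Holder: a presentation containing only the named claims."""
    return {name: disclosures[name] for name in reveal}


def verify(credential: dict, presented: dict) -> dict | None:
    """Verifier: check the issuer signature, then that every revealed
    (salt, value) pair hashes to a digest the issuer signed.
    Returns the verified claims, or None if anything fails."""
    expected = hmac.new(ISSUER_KEY, _canon(credential["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["sig"]):
        return None
    signed = set(credential["payload"]["digests"])
    verified = {}
    for name, (salt, value) in presented.items():
        if _digest(salt, name, value) not in signed:
            return None  # altered value, or a claim the issuer never attested
        verified[name] = value
    return verified


if __name__ == "__main__":
    cred, disc = issue({"name": "Jane Citizen", "date_of_birth": "1985-07-14",
                        "licence_no": "CONSTRUCTED-123"}, today="2022-09-28")
    shown = present(disc, ["over_18"])
    print("verifier learns:", verify(cred, shown))  # {'over_18': True}
```

The verifier ends up with exactly one attested boolean and no way to reconstruct the birthday from it, since the other digests in the credential are hashes of salted values it never sees. The two things this does not give you are unlinkability (the signed digest list is the same on every presentation, so a verifier can recognise the same credential twice) and holder binding (nothing here stops a stolen disclosure being replayed); both are what the DID/DIDComm and anonymous-credential work Martin mentions layer on top.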


On Wed, 28 Sept 2022 at 09:45, John Edwards <jaedwards at gmail.com> wrote:

> It's within the industry's living memory that Australia's biggest telco
> used to publish a physical book with everyone's personal information in it.
>
> Most of our telco privacy legislation evolved from how things got in this
> book, which was an "open by default" model.
>
> The very first Optus retail customers were those who dialled an override
> code on a Telstra phone line for cheaper STD rates. Telstra then provided
> personal details for billing, even though no-one had an existing
> relationship with Optus.
>
> John
>
>
>
>
> On Tue, 27 Sept 2022 at 22:59, James Murphy <jamesmurphyau at me.com> wrote:
>
>> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws
>> about a telco (or any business other than a credit reporting body) storing
>> this level of information - specifically a drivers license number or date
>> of birth (passport number isn't mentioned)
>>
>> "identification information" is the term that includes a drivers license
>> number and date of birth
>> "Credit information" is the term that includes "identification
>> information" about an individual (therefore includes drivers license number
>> and date of birth)
>>
>> There are only laws about how long a credit reporting body stores this
>> information. A credit provider (ie Optus) doesn't need to store it, but
>> does need to provide it to the credit reporting body - so they need to
>> collect it and share it but they don't need to store it.
>>
>> For the data a telco does need to store - which looks to be added in the
>> "Telecommunications (Interception and Access) Act 1979", they all talk
>> about "personal information" (which doesn't specifically include date of
>> birth or drivers license number, so you would be complying with that law if
>> you didn't store those pieces of data - provided you can reasonably
>> identify a person with the data you do store)
>>
>> From the Privacy Act:
>>
>> *personal information* means information or an opinion about an
>> identified individual, or an individual who is reasonably identifiable:
>> (a) whether the information or opinion is true or not; and
>> (b) whether the information or opinion is recorded in a material form or
>> not.
>> Note: Section 187LA of the Telecommunications (Interception and Access)
>> Act 1979 extends the meaning of personal information to cover information
>> kept under Part 5-1A of that Act.
>>
>>
>> So the argument that they need to store this by law - to me (a software
>> developer/techy who sometimes can spend hours reading shit like this trying
>> to pick holes in it - so: not a lawyer) - doesn't seem valid.
>>
>> If this is required by law, I would love to understand how (ie which
>> laws/acts cover it)
>>
>>
>>
>> On 27 Sep 2022, at 16:46, Serge Burjak <sburjak at systech.com.au> wrote:
>>
>> https://www.oaic.gov.au/privacy/the-privacy-act
>>
>> Covers it pretty well.
>>
>> On Tue, 27 Sept 2022 at 16:36, James Murphy <jamesmurphyau at me.com> wrote:
>>
>>
>> Does anyone know which laws cover the data they were keeping?
>>
>> Did a search for anything with "telecommunication" in the name (link),
>> found 71 results and downloaded 73 PDF files (C2022C00170
>> Telecommunications Act 1997 had 3 files, all others had 1 file), and can't
>> find anything that mentions keeping this level of data.
>>
>> The closest thing I found was in the following:
>>
>> C2022C00151 - Telecommunications (Interception and Access) Act 1979
>> C2015A00039 - Telecommunications (Interception and Access) Amendment
>> (Data Retention) Act 2015
>> C2021A00078 - Telecommunications Legislation Amendment (International
>> Production Orders) Act 2021
>>
>> which contained the following two sections that seem to cover
>> identification information - there doesn't seem to be anything that says
>> they need to collect or store to the level that Optus seems to have done..
>> Almost reads like you could store name and address (without DOB?) and that
>> would be adequate enough (but I'm not a lawyer so who knows).. Am I looking
>> in the wrong place/at the wrong laws?
>>
>> 13 Identification of a particular person
>> For the purposes of this Schedule, a particular person may be identified:
>> (a) by the person’s full name; or
>> (b) by a name by which the person is commonly known; or
>> (c) as the person to whom a particular individual transmission service is
>> supplied; or
>> (d) as the person to whom a particular individual message/call
>> application service is provided; or
>> (e) as the person who has a particular account with a prescribed
>> communications provider; or
>> (f) as the person who has a particular telephone number; or
>> (g) as the person who has a particular email address; or
>> (h) as the person who has a particular internet protocol address; or
>> (i) as the person who has a device that has a particular unique
>> identifier (for example, an electronic serial number or a Media Access
>> Control address); or
>> (j) by any other unique identifying factor that is applicable to the
>> person.
>>
>>
>> and
>>
>> 187AA Information to be kept
>> (1) The following table sets out the kinds of information that a service
>> provider must keep, or cause to be kept, under subsection 187A(1):
>> Item
>>
>> 1
>>
>> Topic
>>
>> The subscriber of, and accounts, services, telecommunications devices and
>> other relevant services relating to, the relevant service
>>
>> Description of information
>>
>> The following:
>>
>> (a) any information that is one or both of the following:
>>
>> (i) any name or address information;
>>
>> (ii) any other information for identification purposes;
>>
>> relating to the relevant service, being information used by the service
>> provider for the purposes of identifying the subscriber of the relevant
>> service;
>>
>> (b) any information relating to any contract, agreement or arrangement
>> relating to the relevant service, or to any related account, service or
>> device;
>>
>> (c) any information that is one or both of the following:
>>
>> (i) billing or payment information;
>>
>> (ii) contact information;
>>
>> relating to the relevant service, being information used by the service
>> provider in relation to the relevant service;
>>
>> (d) any identifiers relating to the relevant service or any related
>> account, service or device, being information used by the service provider
>> in relation to the relevant service or any related account, service or
>> device;
>>
>> (e) the status of the relevant service, or any related account, service or
>> device.
>>
>>
>>
>> On 27 Sep 2022, at 11:12, Nathan Brookfield <
>> Nathan.Brookfield at iperium.com.au> wrote:
>>
>> They’re legally obligated to retain it but why it’s on the API and why
>> it’s not encrypted.
>>
>> Looking at the data some fields are hashed and then repeated in the
>> bloody clear :(
>>
>> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>>
>> My understanding was that the data included the 100 points of ID info.
>> Why are they retaining this? Surely after confirming the 100 points there
>> only needs to be a record "100 points provided"=true and not retain the
>> actual details. This goes back to only keeping the private data you need.
>>
>> regards,
>> Glenn
>>
>> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>>
>> Personally, I find putting Authentication on my API endpoints to be a
>> FANTASTIC first step towards API security.  And then not even using
>> public IP addresses in test environments is a pretty good second
>> step..  </onlyhalfsarcasticherewhydoesthiskeephappening>
>> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <bevan at slattery.net.au>
>> wrote:
>>
>> Hi everyone,
>> Obviously a big week in telco and cybersecurity.  As part of my work
>> I am on the Australian Cyber Security Industry Advisory Committee as
>> an industry representative.
>> I am keen to look at opening up a dialogue with more and more telco,
>> DC and Cloud CISO’s on what they are doing around this issue and
>> looking to take a proactive step towards best practice on customer
>> data and system security.
>> There will be some pretty serious consequences of this hack on the
>> industry and importantly we need to make sure we are as best placed
>> to help each other continually increase in security posture through
>> best practice, but also working with each other as an industry.
>> Are people keen on having a online/VC session sometime in the next
>> few weeks where like-minded industry participants get together and
>> discuss security, retention, encryption, threat detection etc.?  If
>> so, just ping me directly and if there is enough interest I will
>> send out an invitation to the list for a call.
>> Cheers
>> [b]
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at ausnog.net
>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>
>> --
>> Damien Gardner Jnr
>> VK2TDG. Dip EE. GradIEAust
>> rendrag at rendrag.net -  http://www.rendrag.net/
>> --
>> We rode on the winds of the rising storm,
>> We ran to the sounds of thunder.
>> We danced among the lightning bolts,
>> and tore the world asunder
>>
>>
>>
>>
>>
>>
>
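
Added example, not code from anyone in the thread: Nathan's remark above that some fields were hashed and then repeated in the clear is a good prompt to check what hashing a field like this buys on its own. A date of birth has about 45,000 possible values for anyone alive, so an unsalted SHA-256 of it is reversed by hashing every date and comparing. The script below does exactly that against a constructed leaked record, then shows that a keyed hash (HMAC with a pepper held outside the database) defeats the same enumeration when the key has not leaked with the data. The record, the pepper and the date range are all constructed.

```python
"""Why a bare hash of a low-entropy field (date of birth, licence number)
is not a protective control.

Added illustration for this thread, not code from any post in it. A date
of birth has about 45,000 possible values for anyone alive today, so an
unsalted SHA-256 of it is reversed by hashing every date and comparing.
A keyed hash (HMAC with a pepper held outside the database) survives the
same enumeration as long as the key did not leak with the data. The
leaked record, the pepper and the date range are constructed.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Callable, Optional

PEPPER = b"constructed-pepper-held-in-a-kms"  # must never sit in the same store as the rows


def sha256_hex(value: str) -> str:
    """What 'we hash the field' usually means in practice: unsalted, unkeyed."""
    return hashlib.sha256(value.encode()).hexdigest()


def peppered_hex(value: str, key: bytes = PEPPER) -> str:
    """Keyed alternative: same output shape, but useless without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def all_dobs(first: date, last: date):
    """Every calendar date in [first, last]; this is the attacker's whole keyspace."""
    d = first
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)


def recover_dob(target_hex: str, hasher: Callable[[str], str],
                first: date = date(1900, 1, 1), last: date = date(2022, 12, 31)) -> Optional[str]:
    """Offline dictionary attack: hash each candidate date with `hasher`
    and compare against the leaked digest. None if no candidate matches."""
    for dob in all_dobs(first, last):
        if hmac.compare_digest(hasher(dob), target_hex):
            return dob
    return None


def demo() -> tuple:
    """Returns (what the attacker recovers from a bare hash,
    what the attacker recovers from a peppered hash without the pepper)."""
    leaked = {"name": "Jane Citizen", "dob_sha256": sha256_hex("1985-07-14")}
    from_bare_hash = recover_dob(leaked["dob_sha256"], sha256_hex)

    stored = peppered_hex("1985-07-14")
    # The attacker knows the algorithm but not PEPPER; any other key finds nothing.
    from_peppered = recover_dob(stored, lambda v: peppered_hex(v, b"attacker-guess"))
    return from_bare_hash, from_peppered


if __name__ == "__main__":
    print(demo())  # ('1985-07-14', None)
```

The bare hash falls in well under a second on a laptop; a licence number or passport number has a larger but still fully enumerable space, so the same applies. The peppered version is still a stable per-person token (it links the same individual across separate leaks), and if the pepper ships in the same config dump as the rows it adds nothing, which brings it back to Glenn's point: the field that cannot be recovered from a dump is the one that was never retained.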

