[AusNOG] Optus Hack

Giles Pollock glp71s at gmail.com
Wed Sep 28 10:33:36 AEST 2022


So.... SSL for phone calls?

On Wed, Sep 28, 2022 at 10:32 AM Andrew Oakeley <andrew at oakeley.com.au>
wrote:

> Hi,
>
> > Providers also need to keep enough information to verify you are who
> you say you are when you make contact though and are required to ensure
> they don’t disclose information about your account to someone else, which
> is why many providers keep things like your Date of Birth on file.
>
> This should also cut both ways. There needs to be some way consumers can
> easily identify that the provider calling them is actually who they say
> they are.
>
> I am sick of my bank and teleco calling me and saying “Before we go any
> further can you please tell me your date of birth so we can confirm we are
> talking to the right person”…. Well how about you confirm who you are
> before I disclose my DOB to someone who has randomly called me.
>
> Andrew
>
> *From:* AusNOG <ausnog-bounces at ausnog.net> *On Behalf Of* Jeremy Chequer
> *Sent:* Wednesday, 28 September 2022 7:45 AM
> *To:* James Murphy <jamesmurphyau at me.com>
> *Cc:* AusNOG Mailing List <ausnog at ausnog.net>
> *Subject:* Re: [AusNOG] Optus Hack
>
> Hi
>
> There are specific rules for prepaid regarding ID validation and documents
> which must be checked (
> https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158).
> As a Credit Provider, they are also required to validate you are who you
> say you are before providing credit services. Additionally, telcos also
> have specific provisions for customer protection requiring credit checks to
> be run before certain services are provided.
>
> Providers also need to keep enough information to verify you are who you
> say you are when you make contact though and are required to ensure they
> don’t disclose information about your account to someone else, which is why
> many providers keep things like your Date of Birth on file. The requirement
> to hold PII is required to a degree and is even outlined in the TCP Code
> with Clause 3.7 covering the storage and security of said information.
>
> Hopefully, this attack will result in some changes not just in our
> industry but across the board. Maybe something like validating Licences,
> Medicare, etc against DVS (already commonly done) but then just keeping the
> Pass/Fail result and Check ID instead of keeping the full details on file
> could be a way to minimise the amount of data available in a breach like
> this, but I’m not sure if that would be enough to comply with some of the
> obligations.
>
> - Jeremy
>
> *From:* AusNOG <ausnog-bounces at ausnog.net> *On Behalf Of* James Murphy
> *Sent:* Tuesday, 27 September 2022 11:29 PM
> *To:* Serge Burjak <sburjak at systech.com.au>
> *Cc:* AusNOG Mailing List <ausnog at ausnog.net>
> *Subject:* Re: [AusNOG] Optus Hack
>
> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws
> about a telco (or any business other than a credit reporting body) storing
> this level of information - specifically a drivers license number or date
> of birth (passport number isn't mentioned)
>
> "identification information" is the term that includes a drivers license
> number and date of birth
>
> "Credit information" is the term that includes "identification
> information" about an individual (therefore includes drivers license number
> and date of birth)
>
> There are only laws about how long a credit reporting body stores this
> information. A credit provider (ie Optus) doesn't need to store it, but
> does need to provide it to the credit reporting body - so they need to
> collect it and share it but they don't need to store it.
>
> For the data a telco does need to store - which looks to be added in the
> "Telecommunications (Interception and Access) Act 1979", they all talk
> about "personal information" (which doesn't specifically include date of
> birth or drivers license number, so you would be complying with that law if
> you didn't store those pieces of data - provided you can reasonably
> identify a person with the data you do store)
>
> From the Privacy Act:
>
> *personal information* means information or an opinion about an
> identified individual, or an individual who is reasonably identifiable:
>
> (a) whether the information or opinion is true or not; and
>
> (b) whether the information or opinion is recorded in a material form or
> not.
>
> Note: Section 187LA of the Telecommunications (Interception and Access)
> Act 1979 extends the meaning of personal information to cover information
> kept under Part 5-1A of that Act.
>
> So the argument that they need to store this by law - to me (a software
> developer/techy who sometimes can spend hours reading shit like this trying
> to pick holes in it - so: not a lawyer) - doesn't seem valid.
>
> If this is required by law, I would love to understand how (ie which
> laws/acts cover it)
>
> On 27 Sep 2022, at 16:46, Serge Burjak <sburjak at systech.com.au> wrote:
>
> https://www.oaic.gov.au/privacy/the-privacy-act
>
> Covers it pretty well.
>
> On Tue, 27 Sept 2022 at 16:36, James Murphy <jamesmurphyau at me.com> wrote:
>
> Does anyone know which laws cover the data they were keeping?
>
> Did a search for anything with "telecommunication" in the name (link),
> found 71 results and downloaded 73 PDF files (C2022C00170
> Telecommunications Act 1997 had 3 files, all others had 1 file), and can't
> find anything that mentions keeping this level of data.
>
> The closest thing I found was in the following:
>
> C2022C00151 - Telecommunications (Interception and Access) Act 1979
> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data
> Retention) Act 2015
> C2021A00078 - Telecommunications Legislation Amendment (International
> Production Orders) Act 2021
>
> which contained the following two sections that seem to cover
> identification information - there doesn't seem to be anything that says
> they need to collect or store to the level that Optus seems to have done..
> Almost reads like you could store name and address (without DOB?) and that
> would be adequate enough (but I'm not a lawyer so who knows).. Am I looking
> in the wrong place/at the wrong laws?
>
> 13 Identification of a particular person
> For the purposes of this Schedule, a particular person may be identified:
> (a) by the person’s full name; or
> (b) by a name by which the person is commonly known; or
> (c) as the person to whom a particular individual transmission service is
> supplied; or
> (d) as the person to whom a particular individual message/call application
> service is provided; or
> (e) as the person who has a particular account with a prescribed
> communications provider; or
> (f) as the person who has a particular telephone number; or
> (g) as the person who has a particular email address; or
> (h) as the person who has a particular internet protocol address; or
> (i) as the person who has a device that has a particular unique identifier
> (for example, an electronic serial number or a Media Access Control
> address); or
> (j) by any other unique identifying factor that is applicable to the
> person.
>
> and
>
> 187AA Information to be kept
> (1) The following table sets out the kinds of information that a service
> provider must keep, or cause to be kept, under subsection 187A(1):
> Item 1
>
> Topic: The subscriber of, and accounts, services, telecommunications devices and
> other relevant services relating to, the relevant service
>
> Description of information: The following:
>
> (a) any information that is one or both of the following:
>
> (i) any name or address information;
>
> (ii) any other information for identification purposes;
>
> relating to the relevant service, being information used by the service
> provider for the purposes of identifying the subscriber of the relevant
> service;
>
> (b) any information relating to any contract, agreement or arrangement
> relating to the relevant service, or to any related account, service or
> device;
>
> (c) any information that is one or both of the following:
>
> (i) billing or payment information;
>
> (ii) contact information;
>
> relating to the relevant service, being information used by the service
> provider in relation to the relevant service;
>
> (d) any identifiers relating to the relevant service or any related
> account, service or device, being information used by the service provider
> in relation to the relevant service or any related account, service or
> device;
>
> (e) the status of the relevant service, or any related account, service or
> device.
>
>
> On 27 Sep 2022, at 11:12, Nathan Brookfield <Nathan.Brookfield at iperium.com.au> wrote:
>
> They’re legally obligated to retain it but why it’s on the API and why
> it’s not encrypted.
>
> Looking at the data some fields are hashed and then repeated in the bloody
> clear :(
>
> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>
> My understanding was that the data included the 100 points of ID info.
> Why are they retaining this? Surely after confirming the 100 points there
> only needs to be a record "100 points provided"=true and not retain the
> actual details. This goes back to only keeping the private data you need.
>
> regards,
> Glenn
>
> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>
> Personally, I find putting Authentication on my API endpoints to be a
> FANTASTIC first step towards API security.  And then not even using
> public IP addresses in test environments is a pretty good second
> step..  </onlyhalfsarcasticherewhydoesthiskeephappening>
> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <bevan at slattery.net.au>
> wrote:
>
> Hi everyone,
> Obviously a big week in telco and cybersecurity.  As part of my work
> I am on the Australian Cyber Security Industry Advisory Committee as
> an industry representative.
> I am keen to look at opening up a dialogue with more and more telco,
> DC and Cloud CISO’s on what they are doing around this issue and
> looking to take a proactive step towards best practice on customer
> data and system security.
> There will be some pretty serious consequences of this hack on the
> industry and importantly we need to make sure we are as best placed
> to help each other continually increase in security posture through
> best practice, but also working with each other as an industry.
> Are people keen on having a online/VC session sometime in the next
> few weeks where like-minded industry participants get together and
> discuss security, retention, encryption, threat detection etc.?  If
> so, just ping me directly and if there is enough interest I will
> send out an invitation to the list for a call.
> Cheers
> [b]
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net -  http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
>
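The thread's recurring design point (Glenn's "100 points provided"=true record and Jeremy's "keep the Pass/Fail result and Check ID" suggestion) is a data-minimisation pattern, and it is easy to get wrong by persisting the whole sign-up form alongside the result. The following is an added illustration written for this page; it is not Optus's code, not anyone's post in the thread, and not the real DVS API. `verify_and_minimise`, `VerificationRecord`, `RETAINED_FIELDS`, `leaked_values` and `fake_verifier` are all hypothetical names, and the verifier is injected so that the sample can run offline against a stand-in.

```python
"""Keep the outcome of an identity-document check, not the document.

Added example for the AusNOG Optus thread. The real document verification
service is out of scope; `fake_verifier` is a hypothetical stand-in.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable

# Allow-list of what may persist after the check. Anything not listed
# (licence number, passport number, date of birth) is dropped, so a later
# breach of the customer store cannot expose it.
RETAINED_FIELDS = frozenset({"full_name", "address", "document_type"})


@dataclass(frozen=True)
class VerificationRecord:
    full_name: str
    address: str
    document_type: str   # which kind of document was checked, e.g. "drivers_licence"
    check_id: str        # opaque reference returned by the verifier, not the document number
    result: str          # "pass" or "fail"
    checked_at: str      # ISO 8601 UTC timestamp of the check


# A verifier takes the full submission and returns (passed, check_id).
Verifier = Callable[[dict], tuple[bool, str]]


def verify_and_minimise(submission: dict, verifier: Verifier) -> VerificationRecord:
    """Run the document check, then build the record that is actually retained.

    The full submission (document number, DOB) is only ever handed to the
    verifier; only allow-listed fields plus the outcome are returned.
    """
    passed, check_id = verifier(submission)
    kept = {k: v for k, v in submission.items() if k in RETAINED_FIELDS}
    return VerificationRecord(
        **kept,
        check_id=check_id,
        result="pass" if passed else "fail",
        checked_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


def leaked_values(record: VerificationRecord, submission: dict) -> list[str]:
    """Name every non-retained submitted field whose value still appears
    somewhere in the retained record. A simple check to run over what is
    written to the customer store (substring match, so very short values
    would need a stricter comparison)."""
    sensitive = {k: str(v) for k, v in submission.items() if k not in RETAINED_FIELDS}
    stored = " ".join(str(v) for v in asdict(record).values())
    return sorted(k for k, v in sensitive.items() if v in stored)


def fake_verifier(submission: dict) -> tuple[bool, str]:
    """Hypothetical stand-in for a document verification call.

    Accepts any 8-digit document number purely so the sample runs offline;
    a real service checks the document against the issuer, not its format.
    """
    number = str(submission["document_number"])
    return (number.isdigit() and len(number) == 8), "dvs-check-0001"


# Constructed sample sign-up submission; every value here is made up.
SAMPLE_SUBMISSION = {
    "full_name": "Jane Citizen",
    "address": "1 Example St, Sydney NSW 2000",
    "date_of_birth": "1985-03-14",
    "document_type": "drivers_licence",
    "document_number": "12345678",
}


if __name__ == "__main__":
    record = verify_and_minimise(SAMPLE_SUBMISSION, fake_verifier)
    print(asdict(record))
    print("sensitive fields leaked into stored record:", leaked_values(record, SAMPLE_SUBMISSION))
```

The allow-list, rather than a deny-list, is the deliberate choice: a new form field added next year is dropped by default instead of silently retained. Whether a Pass/Fail plus check reference satisfies the retention obligations discussed above is a separate question the thread leaves open; the code only shows that the store can be built so the document details never reach it.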