Privacy Commissioner to probe Australian government agencies on compliance

Australian Information and Privacy Commissioner Timothy Pilgrim has said his office will be conducting assessments of Australian government agencies over the next 12 months in accordance with the Office of the Australian Information Commissioner’s (OAIC) commitments under the Privacy Act 1988.
Under the nearly 30-year-old Act, the OAIC has the power to conduct an assessment of any business or Australian government agency to help them understand their privacy obligations.
As set out in the OAIC’s Corporate Plan 2017-18, the assessments form part of the commissioner’s commitment to encourage agencies and businesses to “respect and protect” the personal information of citizens that they handle.
The plan [PDF] details the OAIC’s intention to also conduct commissioner-initiated inquiries, which will see Pilgrim investigate an incident that may be an interference with privacy without first receiving a complaint from an individual.
Over the next 12 months, the OAIC also plans to develop and implement an Australian Public Service (APS) Privacy Governance Code, as well as a “maturity model” and a toolkit to allow government agencies to benchmark against and self-assess their privacy compliance performance.
Pilgrim’s office will also work with agencies, particularly the Department of Prime Minister and Cabinet, to ensure that the Australian government’s Public Data Policy Statement is implemented in a way that upholds the highest standards of privacy for individuals, the Corporate Plan published on Thursday explains.
In an effort to legislate around informing Australians when their privacy has been breached, the federal government passed data breach notification laws in February, at its third attempt; under the Privacy Amendment (Notifiable Data Breaches) Act, people will be alerted when their data has been inappropriately accessed from February 2018.
The legislation is restricted to incidents involving personal information, credit reporting information, credit eligibility information, and tax file number information that would put individuals at “real risk of serious harm”.
The notification laws apply only to entities covered by the Privacy Act, which exempts intelligence agencies, small businesses with annual turnover of less than AU$3 million, and political parties from disclosing breaches.
In preparation for the legislation, the OAIC said it will develop guidance and support tools to help businesses and government agencies comply fully, and it will also educate the community about the commencement and operation of the data breach scheme.
The commissioner’s office will measure its public awareness through increased media and social media mentions about privacy rights, the plan explains.
Under another internal performance measurement, the OAIC has given itself a target of finalising 80 percent of data breach notifications within 60 days.
Also flagged in the Corporate Plan was the OAIC’s desire to continue the administration of the My Health Records data breach notification scheme, as well as new initiatives to review the privacy guidelines of the Medicare Benefits and Pharmaceutical Benefits Programs under s135AA of the National Health Act 1953 and the Privacy (Credit Reporting) Code 2014 over the next year.
Session Hijacking Bug Exposed GitLab Users Private Tokens

GitLab, the popular web-based Git repository manager, fixed a vulnerability recently that could have exposed its users to session hijacking attacks.
Daniel Svartman, a security researcher with Imperva, discovered the issue in May but couldn’t disclose it until Wednesday, after GitLab was able to patch the issue and confirm it had been fixed.
If an attacker had exploited the vulnerability they could have carried out a laundry list of nefarious activities, Svartman told Threatpost on Thursday.
“If an attacker successfully brute-forced an account, the attacker would be able to manage the account, dump the code, perform updates to it, and of course steal potentially sensitive information, such as new versions of software unreleased to the public,” Svartman said, “Also, in other scenarios, by performing updates to the code, the attacker would be able to embed any kind of malware into it.”
The researcher said in a disclosure that he knew something was up when he saw his session token in the URL. All he had to do was copy and paste the token to gain access to the GitLab dashboard, account information, individual projects, and even website code.

While having a session token out in the open like that, visible in a URL, is concerning enough, more alarming was Svartman’s second discovery: GitLab uses persistent private session tokens that never expire. If an attacker secured access to a user’s session token it wouldn’t expire, something that could let them stage an attack weeks or months after they stole it, with the victim left none the wiser.
The tokens were also only 20 characters long, something that left them susceptible to brute-forcing, according to the researcher.
“Given their persistent nature and the admin level access they granted, this added up to a real security concern,” Svartman wrote.
It’s unknown how long the vulnerability lingered until it was fixed, but Svartman notes that he wasn’t the first to point it out to GitLab; he also saw it mentioned on the company’s support forums.
When reached Thursday, GitLab told Threatpost there was no indication the vulnerability had been used to compromise an account.
Brian Neel, Security Lead at GitLab, stressed that on its own the fact that GitLab uses private tokens isn’t a problem.
According to Neel:
“This isn’t something that can be exploited directly. The existence of private tokens only becomes a problem when combined with a cross-site scripting or other vulnerability. Generally speaking, an account with a private token is at no more risk of compromise than if the tokens didn’t exist, unless another vulnerability is leveraged to steal the token. Most modern web services support the concept of a private token: AWS has access/secret keys, GitHub has access tokens, Digital Ocean has tokens, etc. The only real difference between their tokens and our private tokens is that they are limited to the API and typically encrypted. We support both of these options with personal access tokens. GitLab is currently phasing out private tokens in favor of personal access tokens.”
According to Svartman, the company is also replacing private tokens with custom RSS tokens for fetching RSS feeds, which should avoid leaking session IDs. He adds that the company is “expanding personal access tokens that offer role-based access controls”, which should bolster security as well.
GitLab fixed a similarly nasty command execution vulnerability in the repository manager last November, albeit in days rather than months. The critical vulnerability could have let an authenticated user gain access to sensitive application files, tokens, or secrets. HackerOne cofounder Jobert Abma found the bug in late October and GitLab issued a fix a week later, on November 2.
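The fixes Neel and Svartman describe (tokens that expire, tokens scoped to particular operations, and tokens carried in a header rather than a URL) look like this in practice. The following Python is an added example written for this page, not GitLab’s code; `TokenStore`, `authenticate`, the scope names and the `private_token` query parameter are illustrative assumptions.

```python
import hashlib
import math
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    scopes: frozenset
    expires_at: float      # Unix time; every token is issued with an expiry
    revoked: bool = False


class TokenStore:
    """Hypothetical token service: issues random, scoped, expiring bearer tokens and
    keeps only a SHA-256 digest of each, so a leaked table yields nothing usable."""

    def __init__(self) -> None:
        self._records = {}   # digest -> TokenRecord

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, scopes, ttl_seconds: int, now: Optional[float] = None) -> str:
        if ttl_seconds <= 0:
            raise ValueError("tokens must have a finite lifetime")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = TokenRecord(frozenset(scopes), now + ttl_seconds)
        return token                              # shown to the caller exactly once

    def revoke(self, token: str) -> None:
        rec = self._records.get(self._digest(token))
        if rec is not None:
            rec.revoked = True

    def verify(self, token: str, required_scope: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Lookup is by digest, so the secret itself is never compared byte-by-byte
        # and the comparison cannot leak it through timing.
        rec = self._records.get(self._digest(token))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return False
        return required_scope in rec.scopes


def authenticate(store: TokenStore, headers: dict, query: dict,
                 required_scope: str, now: Optional[float] = None) -> bool:
    """Pull the token from a request. A token in the query string is refused outright:
    URLs end up in browser history, proxy and server logs, and Referer headers."""
    if "private_token" in query:
        return False
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return store.verify(auth[len("Bearer "):], required_scope, now)


def token_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random token of the given length and alphabet."""
    return length * math.log2(alphabet_size)
```

`token_entropy_bits(20, 62)` gives about 119 bits, which is the figure to keep in mind when reading the brute-force claim above: a uniformly random 20-character alphanumeric token is not guessable online, so the practical risk in a design like this comes from leakage (URLs, logs, XSS) and from tokens that never expire, which is exactly what the expiry, scoping and header-only handling address.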



A laughably insecure comment system has left US comms watchdog the FCC open to malware attack, and the agency doesn’t seem to know what to do about it.
The security hole was spotted by a 20-year-old US university student, who found that when someone submits a comment to the FCC website, the system allows almost any file type to be uploaded to its servers. Given the large number of file types that can harbor malware, the FCC is making itself a target. The flaw appears to be at least five months old.
“The bloke who found this is scared to death,” Guise Bule, the security blogger who wrote about the hole, told The Register. “He’s not a computer security whizz, just someone who spotted the issue.”
The problem is that the FCC’s public API is available to anyone with an email address and is publicly documented. It allows files of up to 25MB to be uploaded, more than enough room for a very nasty package of goodies indeed.
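As an added illustration, not the FCC’s code, the following Python shows the server-side checks a public upload endpoint needs before it stores anything: a size cap, an allow-list of file types, and a check that the first bytes match the claimed type, so that a renamed executable is not accepted as a PDF. The allowed-type table, the limits and the function names are assumptions made for the example.

```python
import re

# The 25MB cap the article mentions; the allow-list below is an illustrative assumption.
MAX_UPLOAD_BYTES = 25 * 1024 * 1024

# Extension -> signatures the file's first bytes must match.
ALLOWED_TYPES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "txt": [],  # no signature; checked for printable UTF-8 instead
}

# One leading alphanumeric, then a bounded run of safe characters: rules out
# path separators, leading dots, control characters and over-long names.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class UploadRejected(Exception):
    pass


def _looks_like_text(head: bytes) -> bool:
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in head


def validate_upload(filename: str, data: bytes) -> str:
    """Return the filename if the upload is acceptable, otherwise raise UploadRejected."""
    if not _SAFE_NAME.match(filename):
        raise UploadRejected("unsafe filename")
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("bad size")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("type .%s not allowed" % (ext or "?"))
    head = data[:16]
    signatures = ALLOWED_TYPES[ext]
    if signatures:
        # The extension only says what the uploader claims; the bytes say what it is.
        if not any(head.startswith(sig) for sig in signatures):
            raise UploadRejected("content does not match extension")
    elif not _looks_like_text(data[:4096]):
        raise UploadRejected("binary content in a text upload")
    return filename


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that do not want exceptions."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False
```

Note that the extension check alone would still pass `payload.exe.pdf`; it is the signature check that rejects it. Anti-malware scanning of the stored file, which the FCC statement below refers to, is a separate layer and does not replace these checks at the point of acceptance.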
People have already started having fun with the site, posting up a document designed to look like an FCC comment from the agency’s staff. The comment reads: “Dear American citizenry, We’re sorry Ajit Pai is such a filthy spineless cuck. Sincerely, The FCC”
It now appears that the practice has been stopped, but with one important caveat, according to Bule: the demonstration key the FCC provides still appears to work.
Looks like they either stopped sending out new API keys or their system’s overloaded. I tried requesting with two different email addresses.
— Liam Kirsh (@choicefresh) August 31, 2017
“The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case,” the agency told The Register.
“The Commission has had procedures in place to prevent malware from being uploaded to the comment system. And the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system.” ®


BUF Breakfast | Popular actress’s Instagram account hacked and used to post nude photos; Turla APT group attacks consulates and embassies; 465,000 pacemakers have a security flaw; nearly 3,000 bitcoin miners exposed


Today is Friday, 1 September 2017, the start of a new month, and BUF Breakfast again serves up the morning’s fare. Today’s items: singer Selena Gomez’s Instagram account was hacked and used to post nude photos of Justin Bieber; another wave of Turla APT activity, using the Gazer backdoor to attack consulates and embassies around the world; Swedish web host Loopia suffered a serious data breach in which its entire customer database was stolen; a new social-engineering attack in which compromised legitimate websites display garbled text and ask users to download a “missing font” that is actually malware; 465,000 pacemakers have a security flaw that requires a firmware update; Tencent responds to claims that sending original photos over WeChat leaks private data, saying it has nothing to do with WeChat; nearly 3,000 bitcoin miners, apparently in China, are exposed on the internet via their Telnet port; Firefox 57 gains a new protection that stops apps abusing accessibility features to snoop on users.



US singer Selena Gomez’s Instagram account hacked; hacker posts nude photos of Justin Bieber

The Instagram account of US singer and actress Selena Gomez was recently hacked, and the intruder posted three nude photos of Justin Bieber (her ex-boyfriend). The incident is reportedly unrelated to the recent “Fappening 2017” celebrity photo leak; the Bieber photos had already leaked online in 2015. The hacker captioned the photo “LOOK AT THIS NA LIL SHRIMPY”. Selena’s Instagram account currently has more than 125 million followers, the most of any account on the service. The account went offline shortly after being hacked on Monday evening; Selena’s team reacted quickly, regaining control within minutes and deleting the Bieber photos. It is not yet known how the account was compromised; media outlets speculate that phishing was involved. See the FreeBuf report for details. [SecurityAffairs]


Another wave of Turla APT activity: the Gazer backdoor used against consulates and embassies worldwide

ESET security researchers recently discovered a new malware campaign aimed primarily at consulates and embassies around the world, used to spy on governments and diplomats. The campaign has been active since 2016 and uses a backdoor named Gazer. The researchers attribute the attacks to the Turla APT group, which other security firms have previously linked to Russian intelligence. Gazer is written in C++ and delivered by phishing email; taking over a target device is a two-stage process: the Skipper backdoor is dropped first, then the Gazer component is installed.

The Gazer backdoor

In earlier espionage campaigns Turla also used Skipper as the first stage, but followed it with the Carbon and Kazuar backdoors, which share many similarities with Gazer. Gazer retrieves encrypted commands from a remote C&C server and uses compromised legitimate websites as proxies to evade detection. Rather than the Windows Crypto API, Gazer uses its own 3DES and RSA libraries to encrypt data before sending it to the C&C server; it also uses code injection to control the device and stay hidden while stealing information over a long period, and it can forward malicious commands to other devices on the same network. ESET found that Gazer mainly spies on political targets in south-eastern Europe and the former Soviet states; the researchers say Gazer has infected a good number of targets worldwide, most of them in Europe. [TheHackerNews]

Swedish web host Loopia suffers serious data breach; entire customer database stolen

Swedish hosting provider Loopia was recently breached and its entire customer database was leaked. Loopia confirmed the breach a couple of days ago: the incident occurred on 22 August, but customers were not notified until 25 August. According to Loopia’s statement, the stolen customer data includes personal and contact details and hashed passwords for Loopia Kundzon (the company did not say which hash algorithm was used), but not customer services such as email, websites or databases, and no payment card data was exposed. Loopia has reset user passwords and urged users to update their personal information; it says it does not yet know how the attackers got in, and the incident is still under investigation. [SecurityAffairs]




New social-engineering attack: compromised legitimate websites show garbled text and push a “missing font” that carries malware

Security researcher MalwareBreakdown recently published an analysis of a social-engineering campaign that imitates the earlier EITest “HoeflerText” campaign. When a user visits a compromised website, a notice appears claiming that the system is missing the Roboto Condensed font and that the user must download and install a font package to view the site properly. Users who install the supposed “font package” are infected with a trojan downloader, a keylogger and a cryptocurrency miner.


From the attacker’s side, the first step is to compromise a legitimate website and inject malicious JavaScript into every page, which renders the page text as garbage so that it looks as if a font is missing. When a visitor loads the site, the script shows the missing-font warning; if the user clicks the update button, the script downloads a file named chromefp60.exe (mozillafp60.exe for Firefox), and running it installs the malware payload. Payloads seen include a Monero miner, the Ursnif keylogger and trojan downloaders. [Source: BleepingComputer]


465,000 pacemakers have a security flaw that requires a firmware update to fix

The US Food and Drug Administration (FDA) recently issued a safety advisory stating that about 465,000 pacemakers have security flaws that could allow them to be hacked, and that a critical software update is required to resolve the problem. The vulnerabilities reportedly let an attacker alter the device’s settings or shut it down, which could be fatal for the patient. The FDA said that an unauthorised attacker exploiting the flaws with commercially available equipment could modify the pacemaker’s programming commands, causing rapid battery depletion or incorrect pacing.


The vulnerable pacemakers are made by Abbott Laboratories (formerly St. Jude Medical). To apply the fix, patients must visit their doctor or healthcare provider for a firmware update; beyond the devices in the US, a further 280,000 devices outside the US need updating. Notably, in 2016 Muddy Waters published a report on security problems in other St. Jude Medical implantable devices; St. Jude Medical not only rejected the report but took Muddy Waters to court, and the FDA’s subsequent investigation confirmed that the Muddy Waters report was correct. [Source: HackRead]



Tencent responds to “sending original photos over WeChat leaks your location”: nothing to do with WeChat

CCTV News recently reported that choosing “original image” when sending a photo over WeChat exposes the sender’s location, and that the data survives even after the photo has been edited. When a photo is taken, the camera software records GPS data in the image’s Exif metadata, drawing on the phone’s internal sensors and gyroscope, so the time and place of the shot are stored in the file.


In response, WeChat’s official account said that photos taken by any smartphone contain Exif metadata, which can include GPS data recording the location and time of the shot. When a user sends the original file to someone else, that embedded information goes with it; the so-called location leak has nothing to do with WeChat. It added that images posted to Moments are automatically compressed, are not the original files, and no longer carry location data. It also reminded users to protect their personal information, for example by turning off location services and other privacy-related features in the phone’s Settings. [Source: Sina Tech]
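The Exif metadata discussed above can be inspected and removed without any imaging library. The following Python is an added example, not WeChat’s or Tencent’s code: it walks a JPEG’s marker segments, reports whether an Exif block carries a GPS IFD pointer, and strips the Exif segment, which is in effect what a client that re-encodes or compresses a photo does. The sample JPEG is constructed inline (a valid marker structure, not a real photograph) and the function names are assumptions.

```python
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD


def _segments(data: bytes):
    """Yield (marker, start, end) for each marker segment that precedes the scan data;
    start/end bound the whole segment including its two marker bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):           # entropy-coded data follows; no metadata there
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("corrupt JPEG: bad segment length")
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _exif_payloads(data: bytes):
    """Yield the TIFF block of every APP1 segment that carries Exif."""
    for marker, start, end in _segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            yield data[start + 10:end]


def has_exif(data: bytes) -> bool:
    return any(True for _ in _exif_payloads(data))


def has_gps(data: bytes) -> bool:
    """True if any Exif block's IFD0 contains a GPS Info IFD pointer."""
    for tiff in _exif_payloads(data):
        order = {b"II": "little", b"MM": "big"}.get(tiff[:2])
        if order is None or int.from_bytes(tiff[2:4], order) != 42:
            continue
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        for i in range(count):                       # 12-byte entries: tag, type, count, value
            entry = ifd0 + 2 + 12 * i
            if int.from_bytes(tiff[entry:entry + 2], order) == GPS_IFD_TAG:
                return True
    return False


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed and all else intact."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in _segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[last:start]   # keep whatever precedes the Exif segment
            last = end                # and skip the segment itself
    out += data[last:]                # remaining segments, scan data and EOI
    return bytes(out)


def _sample_jpeg(with_gps: bool) -> bytes:
    """Constructed test input: SOI, one big-endian Exif APP1 whose IFD0 holds a Make tag
    and optionally a GPS pointer, a token scan segment, EOI. Not a decodable picture."""
    entries = [(0x010F, 2, 4, b"Cam\x00")]                       # Make, ASCII, fits inline
    if with_gps:
        entries.append((GPS_IFD_TAG, 4, 1, (26).to_bytes(4, "big")))  # offset value is arbitrary
    ifd = len(entries).to_bytes(2, "big")
    for tag, typ, cnt, val in entries:
        ifd += tag.to_bytes(2, "big") + typ.to_bytes(2, "big") + cnt.to_bytes(4, "big") + val
    ifd += b"\x00\x00\x00\x00"                                      # no next IFD
    tiff = b"MM\x00\x2a" + (8).to_bytes(4, "big") + ifd
    app1 = EXIF_HEADER + tiff
    segment = b"\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1
    scan = b"\xff\xda\x00\x04\x01\x00" + b"\x12\x34\x56"
    return b"\xff\xd8" + segment + scan + b"\xff\xd9"
```

Stripping the APP1 segment is enough for GPS, because the GPS sub-IFD lives inside the Exif block; it leaves other APP segments (ICC profiles, XMP in APP1 without the Exif header) in place, and XMP can also carry location, so a client that wants to guarantee nothing leaks should re-encode the pixels rather than only filter metadata, which is what the Moments compression described above effectively achieves.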



Nearly 3,000 bitcoin miners exposed on the internet via Telnet, apparently from China

Dutch security researcher Victor Gevers recently found 2,893 bitcoin miners exposed on the internet with no password on their Telnet port. All of the miners worked the same mining pool, suggesting they belong to a single organisation. Based on the exposed miners and their IP addresses, Gevers believes the organisation is affiliated with the Chinese government. The affected organisation apparently saw Gevers’ tweets quickly and soon secured the exposed devices.


Most of the mining devices can no longer be reached over Telnet; after all, 2,893 miners produce considerable revenue, and one Twitter user estimated that the same number of machines mining Litecoin could earn more than US$1 million a day. Gevers is still investigating why the devices sat exposed online for so long with no Telnet password; someone appears to have tried to install backdoors or malware on them, and other researchers suggested the devices may have been enrolled in Xunlei’s bandwidth-sharing programme. [Source: BleepingComputer]

Firefox 57 gains a new protection that stops apps abusing accessibility features to snoop on users

Firefox 57, expected on 14 November, will add a new security feature that can block accessibility apps from accessing browser data. Accessibility features exist to help people with disabilities: Firefox’s accessibility support lets specialised assistive apps connect to the browser and relay its content to the user, so that a screen reader, for example, can read aloud the content of the active web page, its menus and buttons, and the browser history. But some applications now abuse this feature to harvest user data, and Mozilla’s engineers say there are quite a few of them. The new Firefox therefore adds an accessibility-status indicator to the privacy section of its settings, together with a switch to turn accessibility support off.

Firefox also adds an accessibility section to the “about:support” page; when the feature is on, it lists every app using it, so users can spot apps that are snooping or maliciously collecting data. Notably, Firefox 57 will also be the first release to adopt the WebExtensions extension system. [Source: BleepingComputer]


Compiled by AngelaY; please credit FreeBuf.COM when reposting.




A UK council has been fined £70,000 for leaving vulnerable people’s personal information exposed online for five years.
Nottinghamshire County Council posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that was left accessible to world+dog. No usernames, passwords or any other access controls limited access to the sensitive information. Although the service users’ names were not included, a determined person would have been able to identify them.
The screw-up was only discovered when a member of the public inadvertently stumbled on the data using nothing more sophisticated than a search engine query. The person, who wasn’t required to log in, was concerned that it could be used by criminals to target vulnerable people or their homes. The breach was even more severe because it revealed whether or not elderly and vulnerable people were still in hospital.

In July 2011 the council launched its Home Care Allocation System (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user. By the time the breach was reported to the Information Commissioner’s Office (ICO) in June 2016, the HCAS system contained a directory of 81 service users. Data of an estimated 3,000 people had been posted in the five years the system was online.
ICO head of enforcement Steve Eckersley said: “This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable.” ®

Palo Alto reports strong Q4 as it adds new customers

Palo Alto Networks reported strong fourth quarter earnings as the company saw strong demand and grew its customer base to more than 42,500.
The security company reported a net loss of $38.2 million, or 42 cents a share, on revenue of $509.1 million, up 27 percent from a year ago. Non-GAAP earnings were 92 cents a share for the fourth quarter.
Wall Street was expecting fourth quarter non-GAAP earnings of 79 cents a share on revenue of $487.3 million.
Mark McLaughlin, CEO of Palo Alto, said the company added about 3,000 new customers in the quarter. The company updated a bevy of products including a security service called GlobalProtect, a logging service and an application framework.
In addition, CFO Steffan Tomlinson will retire.
For fiscal 2017, Palo Alto reported a net loss of $216.6 million, or $2.39 a share, on revenue of $1.8 billion, up 28 percent from a year ago. Non-GAAP annual earnings were $2.71 a share.

As for the outlook, Palo Alto projected first quarter revenue between $482 million and $492 million with non-GAAP earnings of 67 cents to 69 cents a share. For fiscal 2018, Palo Alto projected revenue between $2.12 billion and $2.16 billion, up 21 percent to 23 percent from 2017. Non-GAAP annual earnings will be about $3.24 to $3.34 a share.
The guidance was roughly in line with Wall Street expectations.



Astro’s A20 gaming headset ditches the A10’s wires for more than twice the price

When Astro announced the budget-friendly A10 headset a few months ago, we hypothesized that it was only a matter of time until an A20 slotted into the remaining empty space. Sure enough, it’s here: The Astro A20, a wireless version of the A10.
Retailing for $150, the A20 features the same stripped-down design as the A10, but wireless. That seems to be the only difference, though I’m judging by photos; I’ve yet to see the headset in person or test it out.
The price is a bit surprising. The A10 launched for $60, which seemed pretty damn competitive—only the discounted HyperX Cloud stands out in the same price tier, as mentioned in PCWorld’s roundup of the best gaming headsets. At $150 the A20 comes in more expensive than both the Logitech G533 and Corsair’s slate of wireless headsets (both the original Void and recently upgraded Void Pro lines).
The Astro A20 wireless.

I haven’t spent much time with Corsair’s offerings recently, but the G533 (and Logitech G933 for that matter) at least are both loaded with features. The A20 seems pretty stripped down by comparison, with only a flip-to-mute mic and (I assume) volume control. No chat mix or anything that would’ve made the A20 stand out from the increasingly crowded $150 wireless headset market. And the situation’s even more confusing when you remember that Logitech bought Astro, so it’s literally competing with itself at this point. I guess they’re really counting on that Astro brand to move units.
Anyway, the A20 is apparently at Astro’s booth at PAX this weekend. I’m planning to stop by and get a few photos and hopefully test it out as best I can from the ultra-noisy show floor. We’ll keep you updated.
Hayden writes about games for PCWorld and doubles as the resident Zork enthusiast.




Mathew J. Schwartz reports:
Admitted Mirai malware mastermind Daniel Kaye, 29, has been extradited from Germany to the United Kingdom, where he faces charges that he launched cyberattacks against two of Britain’s biggest banks.
Kaye, a British national from Surrey, England, returned to Britain Wednesday in the custody of officers of the National Crime Agency – Britain’s national law enforcement agency – under a European arrest warrant.
He’s been accused of using an infected network of computers known as the Mirai#14 botnet to attack and blackmail Lloyds Banking Group and Barclays banks, according to the NCA.
Read more on BankInfoSecurity.