COVIDSafe privacy protections now locked in law

The privacy protections behind Australia’s COVIDSafe contact tracing app are now enshrined in law after the underpinning legislation passed through parliament with minor improvements.

The Privacy Amendment (Public Health Contact Information) Bill cleared the senate without amendments on Thursday morning, two days after it was introduced by the government.

The legislation seeks to allay privacy concerns within the community, replacing an interim determination issued under the Biosecurity Act when COVIDSafe was launched last month.

It introduces strict penalties of up to five years jail for those who collect, use, disclose (including outside of Australia) or decrypt COVIDSafe data for any purpose other than contact tracing.

The legislation also makes it illegal to force someone to use COVIDSafe and outlines the data handling requirements expected of the health department and Digital Transformation Agency.

Since the draft legislation was released last week, Labor has secured several amendments to improve the laws after constructive engagement with attorney-general Christian Porter.

“This is now a stronger and better piece of legislation as a result of constructive engagement between Labor and the government,” shadow attorney-general Mark Dreyfus said on Tuesday.

Improvements include “greater clarity about what data is protected”, restrictions on law enforcement becoming the COVIDSafe data store administrator and six-monthly public reporting requirements about COVIDSafe’s operation.

The bill also gives the Office of the Australian Information Commissioner “greater oversight” of the app and the data it collects, and ensures the office can investigate privacy breaches even when they overlap with a law enforcement investigation.

“To be clear: this bill will introduce the strongest privacy safeguards that have ever been put in place by any Australian parliament,” Dreyfus told the house of representatives on Tuesday.

“That is despite the fact that the COVIDSafe app is voluntary and the data that it collects is, compared to other personal information that’s routinely collected by governments and corporations, relatively innocuous. This bill takes privacy seriously.”

But serious questions over the app’s effectiveness remain, which Labor, the Australian Greens and Centre Alliance have argued cannot be addressed by legislation alone.

These include technical issues with COVIDSafe’s Bluetooth performance on iOS, which the DTA has admitted could limit the app’s effectiveness in capturing ‘digital handshakes’ with other devices.

The DTA’s decision to hand Amazon Web Services the contract for the COVIDSafe app and national data store using a limited tender process has also been questioned.

Labor has insisted that Australian-owned providers offering protected-level cloud services like Sliced Tech, Macquarie Telecom and Vault should have been given the opportunity to bid for the contract.

DTA CEO Randall Brugeaud last week gave some reasoning for the selection, with the contract covering hosting, development and operation of the COVIDSafe app and national data store.

This line was reiterated by foreign affairs minister Marise Payne on Wednesday, who said “the contract with AWS is a combination of hosting, development and operational services, which is more extensive than services provided by pure hosting providers”.

“While there are several Australian cloud providers that could have provided elements of the service that AWS has provided, AWS’s ability to scale very quickly in this pandemic context and to provide a broader range of services is beneficial for the purposes to which the COVIDSafe app is to be put.

“In relation to the CLOUD Act, any transfer of data to any country outside Australia will constitute a criminal offence under the provisions of the bill and attract a penalty of five years imprisonment.”

After a short debate on Thursday morning, the bill was passed after Labor opposed any further amendments to the legislation, including the introduction of a strict sunset clause.

“Labor believes that there is a strong public interest in putting these privacy protections in place as soon as possible, and so Labor will not be supporting any amendments that delay the passage of this bill,” Labor senator Murray Watt said.

More than 5.6 million Australians have now downloaded and registered for COVIDSafe since it was released two-and-a-half weeks ago.

Deputy chief medical officer Paul Kelly on Wednesday said that the portal allowing state and territory health officials to access data collected by the app was now up and running.

He said all agreements with states and territories had now been signed and that health professionals involved in the contact tracing process had been trained to use the portal.

The DTA released the source code for the COVIDSafe app late last week, but will not be releasing the code that relates to the national data store.

Article courtesy:  www.itnews.com.au

Stay safe and be tele aware

Due to the COVID-19 pandemic, many organizations and people have started using web conferencing systems, like Zoom, Skype, Google Hangouts, GoToMeeting and Cisco WebEx, to connect online.

These applications are essential for real-time chat, for being able to see and hear other participants and, in some scenarios, for sharing or transferring files.

With the significant increase in working from home, cybercriminals may see this as an opportunity – by attempting to intercept sensitive conversations, or tricking people into downloading malware on their devices.

To help you select a web conferencing system and understand how to use it securely, the Australian Cyber Security Centre has developed guidance, which we encourage you to follow and share with your colleagues, staff, customers and other contacts.

How to stay safe when using web conferencing technology

Whether you’re a business considering different web conferencing options, or an individual running a conference call, there are simple steps you can take to make sure you’re using the technology securely and reducing your exposure to cybercriminals.

For businesses

Check the protections used by the provider. For example, depending on what country they’re based in, the provider may be subject by law to covert data collection requests and access. You should also read the provider’s terms and conditions carefully, paying close attention to conditions like whether the service provider claims ownership of any recorded conversations and content.

Check that the provider offers multi-factor authentication for users to access the system.

Check what information is collected by the service provider and how it is used. Such information can include names, roles, organisations, email addresses, and usernames and passwords of registered users. This will help inform what the privacy, security and legal risks are with using a provider.

Review the provider’s security documentation, such as terms and conditions, against your organization’s security needs. For instance, would accepting any of their security conditions breach your organization’s liability rules, particularly around data handling and storage?

For individual users

Establish your meeting securely by sending invitations and logon details separately from the invitation through a secure method, like email or encrypted messaging apps. Do not share website links or logon details on publicly-accessible websites or social media.

Be mindful of the sensitivity or classification of your conversations.

Be aware of your surroundings and use a private room or headphones if possible. If around others, keep the microphone on mute unless speaking. This helps to ensure sensitive conversations aren’t accidentally overheard.

Where video is required, try to position your camera so it is only capturing your face, so that again, it doesn’t broadcast private or sensitive details in your background.

Only share individual applications when screen sharing, rather than your whole screen so you don’t share more content than is needed.

If you’re using a web conferencing system on your personal device, make sure you have the latest software and security updates installed. This will help prevent cybercriminals using weaknesses in software to access your devices.

If you’re still facing problems or not sure which web conferencing system is the best for your needs, you can always give us a call at 1300 660 368 and one of our team members can guide you in the best way possible, keeping your requirements as a priority.

This article is courtesy of staysmartonline.gov.au

Widespread reports of COVID-19 malicious scams being sent to Australians

What’s happened?

The Australian Cyber Security Centre (ACSC) has been receiving numerous reports from Australians who are being targeted with COVID-19 related scams and phishing emails. Over 140 reports were received by the ACSC and the Australian Competition and Consumer Commission (ACCC) from individuals and organizations across Australia in under three months.

The main objective of these phishing emails is to gather confidential information from Australians by imitating trusted and well-known organizations or government agencies.

The phishing emails or messages include a malicious link. Clicking on this link may automatically install viruses, malware and ransomware onto your device, which would expose your personal and financial information to the cybercriminals.

These scams are likely to increase over the coming weeks and months. The ACSC strongly encourages organizations and individuals to remain alert.

Here are some examples of what to look out for now:

Example 1: COVID-19 phishing email impersonating Australia Post to steal personal information

These emails pretend to provide guidance about travelling to countries with confirmed cases of COVID-19. The cybercriminal aims to trick you into visiting a website that will steal your personal and financial information.

Once they have acquired your personal information, the scammers are likely to open bank accounts or credit cards under your name. They will probably use these stolen funds to purchase luxury items or transfer the money into untraceable crypto-currencies such as bitcoin.

Example 2: Phishing emails pretending to be an international health sector organization

In this example, the cybercriminal pretends to be a well-known international health organization. The email encourages you to click on the malicious web link in order to access information about new cases of the virus in your local area, or to open an attachment for advice on safety measures to prevent the spread.

Example 3: Phishing emails containing malicious attachments

This example is a phishing email that imitates the World Health Organization and prompts you to open an attachment for advice on safety measures to prevent the spread of COVID-19. When opened, the attached file contains malicious software that automatically downloads onto your device, providing the scammer with ongoing access to your device.

Example 4: COVID-19 relief payment scam

Cyber criminals are well aware of the crisis caused by the COVID-19 pandemic. They are using this to their advantage by sending phishing emails targeting an increasing number of Australians who are looking for jobs or seeking to work from home, wanting to help with relief efforts or requiring financial assistance if they find themselves out of work. In this example, the email, exploiting the needs of Australians, offers recipients $2,500 in ‘COVID-19 assistance’ payments if they complete an attached application form. Opening the attachment may download malicious software onto your device.

Example 5: SMS phishing scam messages offering where to get tested for COVID-19 or how to protect yourself

In these examples, the scammer uses ‘GOV’ or ‘GMAIL’ as the sender, with a malicious link to find out where to get tested in your local area.

Scamwatch and the ACSC are also aware of an SMS scam using the sender identification of ‘myGov’. These scam messages are appearing in the same conversation threads as previous official SMS messages you may have received from myGov.

How do I stay safe?

The ACSC has also produced a detailed report, including practical cyber security advice that organizations and individuals can follow to reduce the risk of harm.

You can read the report and protect yourself by following these simple steps:

  • Read the message carefully, and look for anything that isn’t quite right, such as tracking numbers, names, attachment names, sender, message subject and hyperlinks.
  • If unsure, call the organization on their official number, as it appears on their website, and double-check the details or confirm that the request is legitimate. Do not contact the phone number or email address contained in the message, as this most likely belongs to the scammer.
  • Use sources such as the organization’s mobile phone app, web site or social media page to verify the message. Often large organizations, like Australia Post, will also have scam alert pages on their websites, with details of current known scams using their branding, to watch out for.

If you’ve received one of these messages and you’ve clicked on the link, or you’re concerned your personal details have been compromised, you can reach us at 1300 660 368 and one of our team members can help you stay safe from the scams.

Article courtesy of www.staysmartonline.gov.au

COVID-19 scam messages targeting Australians

What’s happened?

The Australian Cyber Security Centre (ACSC) knows of a COVID-19 themed scam. It is being spread via text message to the Australian community.

The scam text messages appear to originate from ‘GOV’ as the sender, and they include a link to find out when to ‘get tested in your geographical area’ for COVID-19.

The link included in these text messages is not valid. If clicked on, it may install malicious software on your device, designed to steal your financial details.

How do I stay safe?

If you receive a text message regarding getting tested for COVID-19, do not open the link, and delete the message immediately.

Messages that claim to be from government or any other trusted organization are known as phishing scams. These scams usually contain a link to a fake website, where you are required to enter confidential information.

To protect yourself from phishing:

Don’t open any links which are included in emails, messages or any other digital form of communication.

Refrain from opening attachments/links from people or organizations that you don’t trust.

You can also hover over the link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognize or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or webpage without directly clicking on the suspicious link.

If you’ve clicked on the link and your personal details are compromised, contact your financial institution immediately.

If you’ve suffered financial loss from cybercrime, report it to ReportCyber at www.cyber.gov.au/report

If you’re not sure or need more information regarding the scams, you can reach us at 1300 660 368 and one of our team members can help you stay safe from the phishing scam.