Point of Sale Software

Articles from the blog on the subject of cyber security.

Check if Your Email Address Has Been Pwned

POS SOFTWARE

In today's slang, "pwned" refers to a hacker compromising someone's account or computer. 

Do you worry that someone has stolen your personal information online? It is not paranoia. Most Australians have had their personal data stolen, according to the Australian Government Cyber Security Centre.

Today this can put you in danger of identity theft, fraud, spam, phishing and other online attacks. It is bad enough if it happens to you personally, but if it is your business, legally it is much worse.

For years, we have recommended a free and easy tool to help you stay safe online: Have I Been Pwned? This website lets you check if your email address has been in any data breaches. It then warns you whenever your personal information appears in new public data breaches.

Here is an example of its use and what motivated me to write this post. A client who took our advice got this email from them a few days ago.

Have I Been Pwned

He was shocked and quite confused. How did Luxottica get his information? He never dealt with them. He did not know who Luxottica were, or how they had his birthday, email address, name, address, etc. I am sure many of the other 77 million people would like to know this too.

It is all fascinating stuff.

What can you do?

This is the advice we give our clients, and I recommend our readers here do the same: sign up for Have I Been Pwned. It is a website that collects and analyses data from different breaches, hacked accounts, leaked databases and dark web forums. It then lets you search for your email address to see whether any of that dark web data is tied to it. It then gives you information about when each data breach happened, the affected company, which of your data was exposed, and the source of the breach.

Why should you use "Have I Been Pwned"?

It can warn you whenever your personal information appears in a public data breach.

For example, if I enter my email address on Have I Been Pwned, I see several occasions on which someone has released my information on the dark web.

Have I Been Pwned typical information

One was in the LinkedIn breach of 2016. That would have been a severe breach, as my email and password were exposed in that incident. Someone could have gotten complete control of my LinkedIn account.

How to sign up for Have I Been Pwned

Signing up for Have I Been Pwned is simple and free. All you need is an email address that you want to watch for data breaches. Here are the steps to sign up:

- Click on this link Have I Been Pwned

- Enter your email address in the search box and click "pwned?"

- If your email address has been in any data breaches, you will see a red message saying, "Oh no — pwned!" followed by a list of violations. If not, you will see a green message saying, "Good news — no pwnage found!"

- To sign up for notifications, click "Notify me when I get pwned" at the top of the page.

- Enter your email address again and click on "Verify".

- Check your inbox for a verification email from Have I Been Pwned and click on the link to confirm your subscription.

- You're done!

You will get an email whenever your email address appears in new public data breaches.

Please sign up for all the personal and business email addresses you care about. There is no limit.

If, for some reason, you do not like the service, well, you can remove your account, so there is no risk.

Now you are better covered in your online privacy.

More tips for your online security

- Use a password manager: A password manager is software that makes and stores strong passwords for all your online accounts. It can help protect your passwords from being stolen by hackers or keyloggers. Many password managers are available; I like Bitwarden. Choose the one that suits your needs and preferences.

- Change your passwords: Even if you use a password manager, it is best to change your passwords regularly, especially if they have been in a data breach. This stops hackers from using your old passwords to access your accounts.

- Use two-factor authentication: It is the best security available now, but it's a real pain. If you use it, then even if someone knows your password, they won't be able to access your account without access to your mobile.

- On Facebook, I recommend setting your page up securely. We have had clients whose Facebook accounts have been hacked.

- Use data minimization: Data minimization means sharing only the least personal information needed for a specific purpose, by giving only relevant information. Don't give more than required; this reduces the amount of personal data that could be exposed.

In your business, do this too: if you need to verify someone's account and get a licence for checking, check the details on the licence, but only make a copy if you have to.

Conclusion

Online privacy and security today are essential.

 


Protecting Your Sensitive Data: Proper Hard Drive Disposal

POS SOFTWARE

Today people are paranoid about data leaks, as data breaches continue to get media attention. It seems to be daily now; just yesterday, we found out that what was reported as 320,000 people in the Latitude Financial breach now includes almost 8 million people. So we now have the largest-known data breach of a financial institution in Australia.

Millions of Australian and New Zealand customers have had their records stolen in a cyber attack on Latitude Financial, including up to 7.9 million driver's license numbers and 53,000 passport numbers, making it the largest-known data breach of a financial institution in Australia. Today a data leak can have serious repercussions beyond harm to a company's reputation: there can be considerable financial losses from the legal consequences. As such, people are taking strong measures to avoid such incidents.

So what happens today as computer equipment is replaced and we have the old equipment to worry about?

Reformatting a hard drive is not enough to ensure confidential data cannot be retrieved. This is because of what is called data remanence.

It is a real worry; a study from MIT showed that data remanence is a real threat. In this study, 158 disk drives were purchased through eBay. 29 of the 158 drives didn't work at all, and of the rest, 117 (91%) contained old data that could be recovered and read. 91% is a lot.

What I found interesting is that the sensitive information retrieved from the disk drives included detailed personal and corporate financial records, medical records, and personal e-mails such as love letters, as well as pornography. If this sort of material ends up in front of a court today, it could cost heaps. This is why people today realise the importance of completely erasing confidential data before disposing of hard drives.

Just reformatting a hard drive is not a secure data destruction method, because of data remanence of sensitive information. If you want to defeat data remanence, you need either to use specialised software to do a data wipe or to physically destroy the hard drive.

The advantage of specialised software is that you still have an asset, the hard drive, to sell. The problem is just how good the data wipe is. Much software available today claims to permanently destroy data on the hard drive so that it cannot be retrieved or reconstructed. How good it is, I cannot say.

Now there are three options our clients have, in order of security from least to best.

The specialised software I like, which gives good results, is CCleaner.

Partial clean.

Often the computer cannot be reformatted, as the new owner will need to use it. If so, delete everything that may be a security problem. Make sure that includes all your documents; some can be very embarrassing.

Then run CCleaner > Drive Wiper. It has the option to wipe everything in free space. Select that with a complex wipe and at least three passes. That will shred everything that has been deleted. If someone can recover data after that, they are very good at this.

 

Wipe the hard drive

If you can wipe the whole hard drive, go into Drive Wiper and select a complex three- or seven-pass wipe. On a modern hard drive, it can take a long time.

Wiping hard drive
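The post says it cannot tell how good a software wipe is. As an added example (not CCleaner's code and not POS Software's), here is a Python script that samples a wiped drive or a drive image and reports whether readable data is still there; it assumes a Linux device path or an image file, and is shown running against a constructed 64 KiB image with fake records planted in it.

```python
"""Sample a wiped drive (or an image of it) and look for readable leftovers.
A sanity check to run after a software wipe, not proof that nothing survives.
Point it at a block device (Linux: /dev/sdX, needs root) or at an image file.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, Optional

WINDOW = 4096                                   # bytes read per sample point
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for one repeated value, ~8 for random, ~4-5 for text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII, a cheap text detector."""
    run = best = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def classify(window: bytes) -> str:
    """Label one window by what a wipe pass would have left behind."""
    if not any(window):
        return "zero"            # zero-fill wipe, or never written
    entropy = shannon_entropy(window)
    if entropy > 7.5:
        return "random"          # random-fill wipe; compressed/encrypted leftovers look the same
    if entropy < 1.0:
        return "pattern"         # fixed overwrite pattern such as 0x55 / 0xAA
    if longest_printable_run(window) >= 32:
        return "suspect"         # readable text survived: documents, email, records
    return "other"               # structured binary data; inspect by hand


def sample_device(path: str, samples: int = 256) -> Dict[str, int]:
    """Read `samples` evenly spaced windows and count the labels seen."""
    counts: Counter = Counter()
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)   # also works on block devices, unlike os.path.getsize
        size = f.tell()
        if size < WINDOW:
            raise ValueError("target is smaller than one sample window")
        step = max(WINDOW, (size - WINDOW) // max(samples - 1, 1))
        for offset in range(0, size - WINDOW + 1, step):
            f.seek(offset)
            counts[classify(f.read(WINDOW))] += 1
    return dict(counts)


def verdict(counts: Dict[str, int]) -> str:
    """Plain-language result for the sampled windows."""
    if counts.get("suspect") or counts.get("other"):
        return "residual data found"
    return "no readable residue in sampled windows"


def build_demo_image(path: Optional[str] = None) -> str:
    """Constructed 64 KiB 'drive': random fill, with 8 KiB of fake customer
    records left at offset 32768 as if the wipe had missed that region."""
    line = b"CONSTRUCTED record: Jane Citizen, 12 Example St, balance 120.00\n"
    leftover = (line * (8192 // len(line) + 1))[:8192]
    image = bytearray(os.urandom(65536))
    image[32768:32768 + 8192] = leftover
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    with open(path, "wb") as f:
        f.write(image)
    return path


if __name__ == "__main__":
    demo = build_demo_image()
    found = sample_device(demo, samples=64)
    print(found, "->", verdict(found))
```

Sampling only proves the wipe missed something when it finds it; a clean result over a few hundred windows is a sanity check, not a certificate.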

 

Physical destruction

Hard drive destroyed

Yet some need more, and they demand that we physically destroy the hard drive. The argument is that an old hard drive isn't worth much, and it is not worth the risk.

Physically destroying a hard drive is undoubtedly the most secure method of destroying its data.

If you destroy your hard drive physically, it is vital to do so correctly. A strong mallet will work. If you use one, I recommend putting the hard drive in a strong bag first, because of flying fragments. We used a canvas bag, put the hard drive in it, and smashed it. Then we put part of the remains in one bin and the rest of the pieces in another bin. It works well for us, as two different waste disposal companies collect these bins.

Summary

> Data leaks can have serious repercussions, including financial losses and harm to a company's reputation.

> Confidential data can still be there after reformatting a hard drive due to data remembrance.

> Specialised software or physical destruction should be used.

> Physically destroying a hard drive is the most secure method.

 


The government to make massive changes to cyber security laws, and how it affects us

POS SOFTWARE

Hackers at work

 

So far, Australia has experienced several notable cyberattacks, e.g. Optus and the more significant Medicare hack. These incidents have raised concerns about the vulnerability of Australians to cyberattacks. Not surprisingly, the government intends to act. It sees these incidents as showing a need for enhanced customer data security and cyber security measures.

Firstly, let me put my qualifications on this up front. I have an ISO 27001 certification, which now allows me to be a Lead Auditor for computer systems security.

ISO 27001 certification

The Probability of Being Affected by a Cyber Attack 

Quite high. Most computer systems today have experienced cyber-attacks. These attacks will continue. If you want to see some, look in the spam filter of your email for samples.

Also, most of us have had our personal information compromised due to hacks. I was involved in the Optus data breach recently, and a co-worker was hit by the Medicare hack.

Overall, it is almost certain you will be affected.

Proposed Changes to Australia's Cyber Security Laws 

We know that the security of customer information will be one of the main focuses of the proposed changes. Count on more significant penalties and enforcement. 

Although the implications of the changes for small and medium-sized businesses have yet to be released, the security experts I asked feel they will likely be based on the Australian Cyber Security Centre's Small Business Cyber Security Guide.

> A supported Windows system. Currently, you need the latest version of Windows 10 or Windows 11.

> Running updated software applications. This may be a real problem, as many of us run old software versions.

> Updated security software. Windows Defender is free and quite good.

> Regular backups of your business information. We have a free online backup procedure. Also, it would be best if you were using USB sticks.

> Password security needs to be set up and used. In a breach, you must justify why a person had access to that information. They want access restricted where possible, so that employees and others do not accidentally or maliciously get hold of personal customer information.

Your computer and its POS system can now be set to apply security settings based on an employee's role in the business. This approach gives you control over who has access to your information. We suggest you put this in place if it is not already.

> Training in cyber security

Cyber security training for your staff is needed. Fortunately, this training takes little time, because most people now follow basic cyber-security practices. Simple procedures can help: not clicking on suspicious emails, not divulging passwords, and preventing unauthorised individuals from accessing your computers. Once you have done the training, write it in your diary so you have a record of what you have done.

I am checking into this now to see if I can find a suitable course for our clients to look into.

Ransomware 

 

This deserves its own section. One proposed change that is raising concern is that the government is thinking of prohibiting businesses from paying ransomware demands. The idea is to discourage ransomware attacks by cutting off the funding of criminal activity. It has no chance of working, as most ransomware comes from overseas, although it may reduce it somewhat.

If ransomware attacks your business, please advise us ASAP so we can see what can be done. It must be done immediately, as ransomware operators will give you only a little time to act.

Be aware that, often, even after paying the ransom, people cannot retrieve their information. That hurts, because they have lost their data and now the ransom money too.

Summing up

Everyone will need to pay more attention to computer security now; the proposed changes to cyber security laws make it more urgent. In Australia today, a slap on the wrist by the courts is a few hundred thousand dollars if they like you.

 


The latest improvements in your Data Protection

POS SOFTWARE

Your Improved Data Protection in your POS Software

You are lucky if you did not receive a notification last month about a data breach involving your personal information. Buy a lottery ticket now; it's a beauty. For the rest of us, it's time to upgrade security, so your POS system's new version has an upgraded password controller.

Doing research, we discovered that Microsoft and Google now demand at least eight (8) characters; after some discussion, we adopted the Microsoft standard below, as all our clients use it on their Windows computers.

When someone enters a new password on the screen below, they will see the following.

A note highlighted in green lists what a password should have.

Now see the blue arrow.

It shows graphically, like a thermometer, how well the software rates the password. This allows you to check that your employee has made an acceptable password without you seeing their private password.

Red = no good
Yellow = almost passable
Green = Okay

We have made it optional whether the password must be okay. It is your choice if you want to run with a substandard password. However, consider that the Australian Privacy Act 1988 (Cth) (Privacy Act), which is being upgraded, could soon carry some of the most severe financial penalties for data privacy violations in the world. Fines for large businesses could potentially reach hundreds of millions of dollars. How small businesses will be affected is unclear now, but if you want to know your company's status, click here.
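As an added example, not the POS software's own password controller, the Python below rates a candidate password Red, Yellow or Green along the lines described above. It assumes that the "Microsoft standard" means the Windows password-complexity rule (three of four character classes, and no occurrence of the account name) on top of the eight-character minimum quoted in the post; the colour bands and the small list of breached passwords are this editor's assumptions.

```python
"""Rate a candidate POS login password as Red, Yellow or Green.

Assumes the post's "Microsoft standard" is the Windows password-complexity
rule (at least three of four character classes, and not containing the
account name) plus the eight-character minimum the post quotes.
"""
from typing import List

MIN_LENGTH = 8
CLASS_LABELS = {"upper": "an upper-case letter", "lower": "a lower-case letter",
                "digit": "a digit", "symbol": "a symbol"}
# Constructed sample of passwords common in breach dumps. A real deployment
# would use a much larger list: the complexity rule alone passes "Password1".
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "welcome1"}


def character_classes(password: str) -> List[str]:
    """Names of the complexity classes present, in a fixed order."""
    present = []
    if any(c.isupper() for c in password):
        present.append("upper")
    if any(c.islower() for c in password):
        present.append("lower")
    if any(c.isdigit() for c in password):
        present.append("digit")
    if any(not c.isalnum() for c in password):   # punctuation, symbols, spaces
        present.append("symbol")
    return present


def missing_requirements(password: str) -> List[str]:
    """What the green note on the screen would still list as needed."""
    needed = []
    if len(password) < MIN_LENGTH:
        needed.append(f"at least {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < 3:                          # any three of the four will do
        needed.extend(CLASS_LABELS[n] for n in CLASS_LABELS if n not in classes)
    return needed


def rate(password: str, account_name: str = "") -> str:
    """Red = rejected, Yellow = almost passable, Green = meets the standard.
    The colour bands are an assumption about how the thermometer is filled."""
    if password.lower() in COMMON_PASSWORDS:
        return "Red"          # already in breach dumps; length does not help
    if account_name and account_name.lower() in password.lower():
        return "Red"          # Windows rule: must not contain the account name
    if len(password) < MIN_LENGTH:
        return "Red"
    classes = len(character_classes(password))
    if classes >= 3:
        return "Green"
    if classes == 2:
        return "Yellow"
    return "Red"


if __name__ == "__main__":
    for pw in ("password", "Password1", "sunny1234", "Tr0ub4dor&3", "jane2024!!"):
        print(f"{pw:<14} {rate(pw, account_name='jane')}  missing: {missing_requirements(pw)}")
```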


Big updates coming on your software over the Optus data breach 

POS SOFTWARE

Australia has had the most significant data breach in its history, affecting over nine million people. What is clear is that the government intends to act on it, and the public wants them to. So our cybersecurity rules will tighten, including enforcement and fines in the wake of a breach. We are talking here of a monumental shift in privacy legislation. We will probably get General Data Protection Regulation (GDPR)-style rules next year. So as the information comes forward, we also intend to change our POS software.

Let me clarify the problem: your customers' data legally doesn't belong to you. If you abuse it, you could be in trouble.

If your customer list goes missing, you could be in trouble. So do not believe this is only for big business; it will affect anyone who stores people's data. 

The immediate problem is that many of our clients do not even have a clear picture of what data they actually have. There is so much there, and so many people have worked on it, so who knows what is there?

Although we cannot yet say what will be implemented, based on overseas privacy issues these are the questions our clients need to investigate now to protect themselves:

- Why do we need the data that we have?
- What are we doing to make it secure?
- Where is it stored?
- How long will we hold the data? This is tough, as different organisations have different demands. Some, like courts, want you to keep the information forever.

An immediate action you need to take now is that every user of your POS System must use a password to get into your system. If you have not yet implemented passwords, do so now! If these passwords are a year old, change them.


Optus data breach

POS SOFTWARE

 

It has been a week since the Optus security breach was revealed, and the internet in Australia is going wild over the biggest breach Australia has had. What do you think? Comment here.


Optus security hack, and your business 

POS SOFTWARE

Many of you will have already received letters similar to this. I cannot say I am very happy about it; what about you? It's good to know that my Optus stuff is safe, but...

From the victims' point of view

Here is the information that was stolen, which includes:
- Customers' names
- Dates of birth
- Phone numbers
- Email addresses
- Addresses
- ID document numbers such as driver's licence or passport numbers

This information is enough for someone to get through most security checks over the phone, e.g. ATO, banks, etc. I doubt I can change my driver's licence number; the passport number is possible, but I cannot change my date of birth or address. I would be reluctant to change my email address. The other problem is that the old numbers are still valid in most places. Many ID checks will accept the old info.

What is troubling is that the hack started in 2017. Did anything weird happen to you with your accounts?

Probably the quickest way to check is with a free credit report.

To guard against this, you can ask for a FREE credit report from any of the three credit reporting agencies:

Since they each collect slightly different information, you may want to check all of them.

 

From Optus's point of view

Although still under investigation, this Optus breach is likely human error, as almost all the successful hacks in my experience have been. If so, it would have been avoidable with proper procedures, and there is no one for Optus to blame, so it will probably have to bear much of the cost besides the bad publicity.

Now multiply by 9.8 million people (high-case scenario) to get a feel for the potential costs. This cost is on the low side. It is estimated that a hack in business costs much more than this, more like $200 a person.

From your business point of view

Considering the size of this hack, there is no doubt that new laws will be coming to Australia. 

Currently, for a small or medium-sized business (SMB), the average cost of a breach in the US is $108,000. In Australia, it will be more; just a lawyer and barrister for a few days will cost more than that. Do the figures yourself: an SMB with 1,000 customers on its books at $200 per account comes to $200,000.

Some simple security checks could help to reduce the problem.

- Passwords stuck on the walls are not a good idea.
- Change passwords frequently.
- Implement security on your systems.
- As much as possible, never leave computers unattended.

For people who want better, we set up our users with an encrypted disk drive using VeraCrypt.

Anything under VeraCrypt without the correct password is unreadable. Doing this has a significant advantage because no one can read your information if your computer is lost or stolen.

It is so secure that I doubt anyone in Australia could break it.

Also, you may want to consider cyber insurance, but that is a story for another day. 


The issue with Log4j?

POS SOFTWARE

There are a lot of headlines about an internet server exploit, Log4j.

The problem:

Many devices, e.g. cars, fridges, mobile phones, internet servers, etc., use the Java programming language. Now, if it is a fridge, few would worry. A car, maybe. But if it is a server or mobile phone, what can happen is this: you do something on them, and some of them might have a vulnerable version of Log4j. If so, a hacker may execute a command, e.g. to send them your account name and password.

The immediate problem is that not much can be done about it. How do you know if Java is running? If so, is Log4j used? If so, what version of Log4j is used? If an old version, has it been hacked?

Solution:
None exists; that is why everyone is worried.

Once the word got out, we were not worried about our systems, as we do not use Java much. Then it turned out that we were possibly affected, so we brought down all our systems and checked them. We were okay.

We have checked our systems, and they will not cause you problems with Log4j.

Also, I can tell you how to check it, with a caveat: if the checking program itself has been tampered with, you are opening yourself to a hack by running it. So only use it if you must. I have used it on my computer, but our system administrator refuses to run it on our servers.

As such, I am recommending our clients wait and be careful.

For example, I am not doing internet banking for a few days, and then I will change some of my internet passwords.
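The questions above (is Log4j used, and which version) can be partly answered from the file system. As an added example, not the checking program the post mentions and not POS Software's code, the Python below walks a directory, finds log4j-core jars by their usual Maven file name, reads the version from the name and checks whether the JndiLookup class is still inside; it assumes that naming convention and is shown running against a constructed sample tree.

```python
"""Find log4j-core jars under a directory and say whether each needs attention.

Assumes the jar keeps its usual Maven file name (log4j-core-<version>.jar).
Jars bundled inside .war/.ear archives or renamed by a vendor are not seen.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(-[A-Za-z0-9.]+)?\.jar$")
# The class that performs JNDI lookups from log messages. Apache's published
# workaround for affected 2.x releases was to delete it from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.17.1 is the lowest 2.x release carrying all the fixes published in
# December 2021. The Java 6/7 backport branches (2.3.2, 2.12.4) are also
# fixed but sort below it, so review those by hand if they turn up.
FIXED = (2, 17, 1, 1)

STATUS_OK = "up to date"
STATUS_WORKAROUND = "old, JndiLookup removed: workaround applied, still update"
STATUS_VULNERABLE = "NEEDS UPDATE"


def parse_version(filename: str) -> Optional[Tuple[int, int, int, int]]:
    """(major, minor, patch, 1 for a release / 0 for a pre-release) or None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def inspect_jar(path: str, root: str) -> Dict[str, object]:
    """Version from the file name plus whether JndiLookup.class is inside."""
    version = parse_version(os.path.basename(path))
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    if version is None:
        status = "unrecognised name"
    elif version >= FIXED:
        status = STATUS_OK
    elif not has_jndi:
        status = STATUS_WORKAROUND
    else:
        status = STATUS_VULNERABLE
    return {"path": os.path.relpath(path, root), "version": version,
            "jndi_lookup": has_jndi, "status": status}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk `root` and inspect every file named like log4j-core-*.jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_RE.match(name):
                findings.append(inspect_jar(os.path.join(dirpath, name), root))
    return sorted(findings, key=lambda f: str(f["path"]))


def build_demo_tree() -> str:
    """Constructed sample: three fake jars laid out like three applications."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    specs = [("app1/lib/log4j-core-2.14.1.jar", True),    # untouched old jar
             ("app2/lib/log4j-core-2.14.1.jar", False),   # class removed by hand
             ("app3/lib/log4j-core-2.17.1.jar", True)]    # fixed release
    for rel, with_jndi in specs:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class, magic only
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(f"{finding['status']:<60} {finding['path']}")
```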

Update:

It now turns out that Log4j is a bigger problem, as it can get into cPanel, which is the guts of most of the internet. So the computer does not even need to be running Java.

Also since this affects older versions, you need to be on the latest version of Windows 10. Microsoft no longer gives security updates for older versions of Windows 10. 


How do I protect my Confidential Information

POS SOFTWARE

It is your legal and social responsibility to keep a lot of the information you hold confidential, and you can get into big trouble if you do not.
I have spoken about this problem before, but a few days ago one of our clients, in the middle of processing the weekly payroll, suddenly had to go. While he was gone, an employee looked up the pay sheets for the bank and noticed that another employee was being paid considerably more than him, and complained that his pay was less. Whatever you think of this, I think most of us would agree that an unnecessary problem occurred that should never have happened.

On a computer, as anywhere else, there is no magic method to stop the invasion of your privacy, but there are some things you can do to reduce the problem. The problem in most point-of-sale retail environments in SMB businesses is that generally anyone in the organisation can get access to everything on your computer. I divide these people into four groups: government officials, who can come in with a court order; coworkers and computer support people, who have access because it's necessary for their work; family; and hackers.

That is why we like VeraCrypt. It's free. Once it is set up, your information is automatically encrypted before it is saved on the hard drive and only decrypted after it is loaded. The information cannot be read without the correct password. I do warn you that it does somewhat slow down processing.

So what we do is set up our users with an encrypted VeraCrypt volume. Anything in it is unreadable until they supply the correct password. Once they put in the password, it acts as a normal drive with its own letter, accessible like any other drive, but only on that computer, so only that computer can read the information. So I, downstairs on another computer on the network, cannot read that information. When they finish and close VeraCrypt, the information becomes unreadable again to anyone without their password.

VeraCrypt can be set up so securely that few could break it.

It is free.

Enjoy your privacy.

Note: here is some information on the new key disclosure laws.
https://en.wikipedia.org/wiki/Key_disclosure_law

Confidential information

POS SOFTWARE

A common problem many face is that, because everyone in the business can get access to any computer in the system, how do they keep their information confidential?

So what we do is set up our users with an encrypted disk drive. Anything on these encrypted disk drives is unreadable until they supply the correct password. Once they put in the password, it acts as a normal drive with its own letter, accessible like any other drive. When they finish and close the program, it turns back into unreadable data to anyone without the password. Doing this is a big advantage too if their computer is lost or stolen, as no one can read their private information.

Until recently we used TrueCrypt to do this, but for some reason TrueCrypt shut down. No one quite knows why. So now we use the newer VeraCrypt, which we think is better.

Once VeraCrypt is set up, it is so secure that I doubt anyone in Australia could break it.

Enjoy your privacy.

Note: here is some information on the new key disclosure laws.
https://en.wikipedia.org/wiki/Key_disclosure_law