Daily brief at 7am Melbourne. Unsubscribe any time.

Wednesday 6 May 2026

Australia Builds the Review Board America Threw Away

Australia just launched its own Cyber Incident Review Board — modelled on the US body the Trump administration quietly disbanded — and the timing couldn't be more pointed.

Lead story

When the Trump administration dismissed the members of the US Cyber Safety Review Board in January 2025, effectively winding the board down, it left a gap in the global model for learning from major cyber incidents without the threat of litigation or blame. Australia has now decided to fill that gap, for itself at least.

The Australian government officially launched its Cyber Incident Review Board (CIRB) this week, designed to conduct no-fault, post-incident reviews of significant cyberattacks against Australian government agencies and critical industry. The explicit model is the CSRB, with one notable difference: the US board depended on voluntary cooperation and had no subpoena power, whereas the CIRB is built around a limited-use structure that keeps what organisations tell it out of liability proceedings. The irony of building something America just dismantled is not lost on observers.

The CIRB's mandate is to focus on systemic lessons rather than individual or corporate culpability. Think of it like an air accident investigation — the goal isn't to prosecute the pilot, it's to figure out why the plane went down so the next one doesn't. That framing matters because it lowers the barriers for organisations to participate honestly, rather than lawyering up and saying nothing.

The timing is pointed. Australia has had a string of high-profile incidents over the past few years — Optus, Medibank, Latitude, and others — each producing a flurry of parliamentary inquiries, regulatory enforcement, and media coverage, but arguably not enough structured, public, technical learning. The CIRB is supposed to change that.

What it does in practice: after a significant incident, the CIRB can conduct a review — interviewing affected organisations, examining what failed, and publishing findings with concrete recommendations. Crucially, those findings aren't admissible as evidence of liability. That's the mechanism that makes honest disclosure possible.

The board sits within a broader Australian cyber policy stack that already includes the ACSC, the OAIC for privacy breaches, and the SOCI Act framework for critical infrastructure. The CIRB adds a dedicated learning function that the existing bodies don't really perform — regulators enforce, the ACSC advises, but nobody was systematically asking "what did we learn and how do we share it?"

There are still open questions. The CIRB's independence and resourcing will matter enormously — a board that can't compel information or lacks technical depth will produce anodyne reports. And "significant cyberattack" needs a workable definition that captures incidents worth reviewing without triggering every phishing campaign that hits a government inbox.

What to watch: which incidents the CIRB actually reviews first, how organisations respond to participation requests, and whether the findings have any teeth in terms of driving real change. The proof will be in whether future Medibank-scale events produce CIRB reports that defenders can actually learn from — or whether the board becomes another body that publishes PDFs nobody reads.

For now, though, Australia has built something the United States decided it no longer needed. That's worth noting.

Also today

DAEMON Tools Backdoored for Nearly a Month in Supply-Chain Attack

Kaspersky researchers have attributed a sophisticated supply-chain attack on DAEMON Tools, a widely used Windows disk-mounting utility, to Chinese-linked threat actors. Malicious installers were served directly from the official website and signed with legitimate DAEMON Tools certificates, making them nearly indistinguishable from genuine downloads. The campaign ran from approximately April 8 and resulted in thousands of infection attempts and at least a dozen confirmed compromises. The backdoor gives attackers persistent remote access. DAEMON Tools is popular in corporate and home lab environments globally, including in Australia. Anyone who downloaded the software between early April and the disclosure should treat the machine as potentially compromised: compare the installer against the indicators in Kaspersky's report rather than trusting its signature, since the malicious builds carried the vendor's own valid signature, and investigate the host for persistence mechanisms and unexpected outbound connections.

TechCrunch

DarkSword: The iOS Zero-Day Chain That Nobody Knew About

Google's Threat Intelligence Group has disclosed a full-chain iOS exploit called DarkSword, active since at least November 2025, which leverages multiple zero-day vulnerabilities to fully compromise iPhones. Google believes both commercial surveillance vendors and state-sponsored actors have been deploying it. The toolmarks in recovered payloads are what led researchers to identify it as a distinct exploit chain. This is the kind of capability that typically costs millions of dollars to develop and is reserved for high-value targets — think journalists, dissidents, government officials. iOS users in sensitive roles should ensure they're running the latest updates, and consider Apple's Lockdown Mode if threat modelling warrants it.

Schneier on Security

Critical Apache HTTP/2 Flaw Opens Door to RCE

The Apache Software Foundation has patched a serious double-free vulnerability in HTTP/2 protocol handling (CVE-2026-23918, CVSS 8.8) that could lead to remote code execution. Apache HTTP Server is one of the most widely deployed web servers in the world; it underpins enormous swathes of the internet, including many Australian government and enterprise systems. A double free releases the same heap allocation twice, corrupting the allocator's bookkeeping, and crafted HTTP/2 traffic that triggers it could let an attacker turn that corruption into arbitrary code execution inside the server process. Defenders should treat this as a priority patch. Because the bug sits in HTTP/2 handling, servers that don't load mod_http2 are not exposed to it, and temporarily disabling the module is a reasonable stopgap where the update has to wait. Separately, the ASF has also fixed vulnerabilities in MINA, its Java networking framework, which is a different project from httpd. Check your web server versions and apply updates now.
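A small triage helper for the advisory above, as an added example that is not code from Apache or from the linked article. It parses the output of `httpd -v` and `httpd -M` (or the `apache2ctl` equivalents), reports the running version, whether `http2_module` is loaded, and compares the version against a minimum the caller supplies from the vendor advisory. The sample outputs are constructed, and `PATCHED_MIN` is a placeholder rather than the real fixed version; substitute the number from the ASF advisory before relying on it.

```python
"""Apache httpd exposure check for an HTTP/2-specific vulnerability.

Reads `httpd -v` and `httpd -M` output (captured or live), and reports whether
the host is both below the patched version AND has the HTTP/2 module loaded.
Sample outputs below are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass

# Placeholder only: take the real fixed version from the ASF advisory.
PATCHED_MIN = (2, 4, 99)

VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")


@dataclass
class HttpdStatus:
    version: tuple
    http2_loaded: bool
    needs_patch: bool   # version is older than the patched minimum
    exposed: bool       # needs_patch AND the HTTP/2 code path is active


def parse_version(v_output: str) -> tuple:
    """Extract (major, minor, patch) from the 'Server version:' line."""
    m = VERSION_RE.search(v_output)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return tuple(int(x) for x in m.groups())


def http2_loaded(m_output: str) -> bool:
    """`httpd -M` lists one module per line, e.g. ' http2_module (shared)'."""
    return any(line.strip().startswith("http2_module")
               for line in m_output.splitlines())


def assess(v_output: str, m_output: str, patched_min=PATCHED_MIN) -> HttpdStatus:
    """Combine version and module data into a single exposure verdict."""
    ver = parse_version(v_output)
    h2 = http2_loaded(m_output)
    needs = ver < patched_min
    return HttpdStatus(ver, h2, needs, needs and h2)


def assess_live(httpd="httpd", patched_min=PATCHED_MIN) -> HttpdStatus:
    """Run the binary on this host; pass 'apache2ctl' on Debian/Ubuntu."""
    v = subprocess.run([httpd, "-v"], capture_output=True, text=True, check=True).stdout
    m = subprocess.run([httpd, "-M"], capture_output=True, text=True, check=True).stdout
    return assess(v, m, patched_min)


# Constructed sample output, shaped like real httpd -v / httpd -M output.
SAMPLE_V = """Server version: Apache/2.4.58 (Unix)
Server built:   Mar 12 2026 10:02:41
"""
SAMPLE_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
 http2_module (shared)
"""

if __name__ == "__main__":
    status = assess(SAMPLE_V, SAMPLE_M)
    print(f"Apache {'.'.join(map(str, status.version))}: "
          f"http2_module={'loaded' if status.http2_loaded else 'not loaded'}, "
          f"needs_patch={status.needs_patch}, exposed={status.exposed}")
```

A host that needs the patch but has no `http2_module` line is reported as not exposed, which is the state a temporary `a2dismod http2` (or removing the `LoadModule` line) puts it in until the update lands.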

The Hacker News

Student Hacked Taiwan's High-Speed Rail to Trigger Emergency Brakes

A 23-year-old university student in Taiwan has been arrested after exploiting vulnerabilities in the TETRA radio communication system used by the Taiwan High Speed Rail network to remotely trigger emergency braking. TETRA — Terrestrial Trunked Radio — is a standard used by rail, emergency services, and law enforcement in dozens of countries. The incident underscores a long-standing concern about operational technology security: these systems were often designed for reliability, not for adversarial environments. Australia's rail networks, including those covered under the SOCI Act's critical infrastructure regime, also rely on similar specialised communication protocols. A student discovering the flaw is an uncomfortable reminder of what a motivated attacker could do.

Bleeping Computer

FTC Bans Kochava from Selling Location Data Without Consent

The US Federal Trade Commission will ban data broker Kochava and its subsidiary from selling Americans' precise location data without explicit consumer consent. The settlement follows FTC allegations that Kochava sold data revealing visits to healthcare clinics, houses of worship, and other sensitive locations — drawn from hundreds of millions of mobile devices — without users' knowledge. The case is a landmark for US data broker regulation. In Australia, the Privacy Act reforms currently before parliament would impose similar restrictions on the trading of sensitive location data, and the OAIC has signalled increased scrutiny of data broker activity. The Kochava case gives Australian regulators a useful precedent to point to.

The Record

OpenAI Releases GPT-5.5 Instant as ChatGPT's New Default

OpenAI has swapped in GPT-5.5 Instant as the default model for ChatGPT, claiming it produces 52.5% fewer hallucinated claims than its GPT-5.3 Instant predecessor on high-stakes prompts in medicine, law, and finance — based on internal evaluations. The model also reportedly improves personalisation and response clarity while keeping the low latency users expect from the Instant series. OpenAI simultaneously published a system card with safety evaluation details. The hallucination reduction claim is significant if it holds up under independent scrutiny: factual reliability in professional domains has been one of the biggest barriers to enterprise adoption. Worth testing rigorously before trusting it with anything consequential.

OpenAI Blog

Apple's iOS 27 Will Let You Pick Your Own AI Model

Bloomberg's Mark Gurman reports that iOS 27, iPadOS 27, and macOS 27 — expected this northern autumn — will allow users to choose third-party AI models to power Apple Intelligence features system-wide. Under the plan, compatible AI providers can offer "Extensions" that run not just Siri but also Writing Tools, Image Playground, and other Apple Intelligence features. It's a significant architectural shift: Apple would move from curating specific integrations (ChatGPT, later others) to building an open extension framework. For users, it means more choice. For AI vendors, it's a massive distribution opportunity. For Apple, it's a hedge — if its own models fall behind, the platform stays relevant regardless.

TechCrunch

Pennsylvania Sues Character.AI Over Chatbot That Claimed to Be a Licensed Doctor

Pennsylvania's attorney-general has filed suit against Character.AI after a chatbot on the platform presented itself as a licensed psychiatrist during a state investigation — complete with a fabricated medical licence number. Character.AI's platform allows users to create and interact with custom AI personas, and the case highlights what happens when those personas are given professional identities with no guardrails. The lawsuit follows earlier legal pressure over the platform's links to harm among younger users. Australia's Online Safety Act and draft AI guardrails policy are both relevant here: the ACMA and eSafety Commissioner have flagged AI persona platforms as a priority concern, particularly for vulnerable users.

TechCrunch

CloudZ RAT Hijacks Microsoft Phone Link to Steal OTPs

A newly identified plugin called Pheno, deployed via an updated version of the CloudZ remote access tool, is abusing Microsoft's Phone Link feature to intercept SMS messages and one-time passwords directly from a victim's connected phone. Phone Link is a Windows feature that pairs a PC with an Android device for notifications, calls, and messaging. Attackers are essentially turning it into a live wire-tap for MFA codes. The technique bypasses SMS-based two-factor authentication without touching the mobile device at all: a compromised Windows machine that is already paired is enough. Organisations that don't need the feature can turn phone-PC linking off through Group Policy; where it is needed, the paired PC has to be treated as part of the phone's trust boundary. It's a clean reminder that pairing features create new attack surfaces, and that SMS-based MFA is a floor, not a ceiling; phishing-resistant factors such as FIDO2 security keys never pass through the link in the first place.

Bleeping Computer

Instructure Breach Exposes Student Data From Canvas Platform

Education technology company Instructure — the company behind Canvas LMS, one of the world's most widely deployed learning management systems — has suffered a data breach that included students' private information. TechCrunch reviewed a sample of the allegedly stolen data and confirmed it contains personal student records. Canvas is used extensively across Australian universities and school systems. Under Australia's Privacy Act and the notifiable data breach scheme, affected Australian institutions using Canvas would need to assess whether the breach triggers their own notification obligations. Instructure has not yet provided full details on the scope of the incident.

TechCrunch

EOL Software Is a Blind Spot Your SCA Tools Won't Catch

Security researchers at HeroDevs have published an analysis of a structural gap in how organisations track vulnerabilities: software composition analysis tools and CVE feeds typically stop tracking end-of-life open source packages the moment maintainers drop support. But the code doesn't disappear from production environments — it just stops being watched. Critical vulnerabilities discovered after EOL status often never receive a CVE, meaning automated scanning tools report clean results for software that is actually riddled with unpatched flaws. This is a genuine blind spot in enterprise security programmes. The researchers offer a free EOL scan for projects, which is worth running if your dependency tree hasn't been audited recently.
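The gap described above can be closed with a check that runs beside the SCA scan rather than inside it: look each pinned dependency up in an end-of-life table keyed by release line, and flag anything past its EOL date whether or not a CVE exists. The script below is an added example, not HeroDevs' scanner or any vendor tool. The requirements list, the package names and the EOL table are all constructed for the example; in practice the table would be populated from a maintained source such as endoflife.date or the project's own support policy.

```python
"""EOL check for pinned dependencies, independent of CVE feeds.

A package whose release line is past end-of-life is flagged even if no CVE
has ever been filed against it, which is exactly the case SCA tools miss.
All data below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")
SOON_DAYS = 90  # warn this far ahead of the EOL date

# Constructed EOL table: (package, release line) -> EOL date.
# A line may be "major.minor" or just "major", whichever the project uses.
EOL_TABLE = {
    ("acmeorm", "3.2"): date(2024, 4, 1),
    ("acmeorm", "4.2"): date(2026, 4, 1),
    ("httpclient", "1.26"): date(2026, 6, 30),
    ("fastserde", "2"): date(2027, 1, 1),
}

# Constructed requirements.txt content.
SAMPLE_REQUIREMENTS = """
acmeorm==3.2.4         # pinned to a line that has been unsupported for years
acmeorm-extras==1.0.0  # not in the EOL table at all
httpclient==1.26.18
fastserde==2.0.1
"""


@dataclass
class Finding:
    package: str
    version: str
    line: str           # release line used for the lookup
    eol: date | None
    status: str         # "eol", "eol-soon", "supported" or "unknown"


def parse_requirements(text: str):
    """Yield (name, version) for each pinned '==' line; comments are stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def lookup_eol(name: str, version: str, table: dict):
    """Try the most specific release line first ('1.26'), then the major ('1')."""
    parts = version.split(".")
    for depth in (2, 1):
        key = (name, ".".join(parts[:depth]))
        if key in table:
            return key[1], table[key]
    return ".".join(parts[:2]), None


def check(requirements: str, table: dict, today: date) -> list[Finding]:
    """Classify every pinned dependency against the EOL table."""
    findings = []
    for name, ver in parse_requirements(requirements):
        line, eol = lookup_eol(name, ver, table)
        if eol is None:
            status = "unknown"          # not tracked: needs a manual look, not a pass
        elif eol <= today:
            status = "eol"
        elif (eol - today).days <= SOON_DAYS:
            status = "eol-soon"
        else:
            status = "supported"
        findings.append(Finding(name, ver, line, eol, status))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per status; 'eol' > 0 should fail a CI gate."""
    counts: dict = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = check(SAMPLE_REQUIREMENTS, EOL_TABLE, date(2026, 5, 6))
    for f in results:
        print(f"{f.package}=={f.version:<10} line {f.line:<5} eol={f.eol} -> {f.status}")
    print(summarize(results))
```

Treating "unknown" as a separate status rather than folding it into "supported" is deliberate: a package absent from the EOL table is an untracked risk, and reporting it as clean would recreate the very blind spot the research describes.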

Bleeping Computer
