Making SUNRISE Contacts Secure

Tell me more about its security

Security is an important aspect of any database. This is true of sensitive information, such as contact information of individuals and organisations, financial information etc. You are storing data, of which some of it will be confidential and personal. Things like people's names, addresses, and even a photo are common data that can get stored in a CRM. With this in mind, we are independent of the major software manufacturers (Apple, Microsoft etc.), governments (and that includes China and the United States), and the military and intelligence organisations. We do this to ensure you get the security and privacy you deserve, not what others think you should have (and bypass it with a special "backdoor" access as most authorities would like to see). We make no apologies for this, as we think you should have high-level encryption capabilities for passwords, notes and any other sensitive text you feel is needed to be protected, whenever you need it. Password protection of the databases themselves come as standard, as well as careful programming to ensure no information can seep out without your consent (including our plug-ins). Our uncompromising desire to give you the best is what you get from us.

Just to give as an example, in a recent report released by the ANU on 2 October 2019, a highly sophisticated cyber attack took place on ANU servers on 8 November 2018 with further attempts to repeat the attack by the hackers until April 2019. ANU's information technology staff waited and watched for several weeks but noticed how sophisticated the hackers were in hiding digital evidence. It became evident the hackers were well-resourced and had support from a state or government actor hiding in some part of the world. A public announcement was made in June 2019 and new servers and firewalls were installed.

The attack began with an email sent to a staff member. The email exploited a weakness in Microsoft's flagship email app with its preview window in which the username and password could be accessed from a known location and viewed by the hackers. Using this information, the hackers successfully gained access to the human resources, financial management and student administration database. No attachments were opened, and it was not necessary for the message itself to be fully opened—just a preview.

The aim of the attack appears to involve an effort by some unknown and sophisticated third-party hacker(s) to identify specific individuals who are or were connected to the university in some way (i.e., approximately 700MB of personal data was taken from students and staff, including research fellows), either because they are involved in some kind of sensitive research that is affecting a certain government body, or the government involved wants information to use against certain individuals should those individuals visit a foreign country. Someone wanted to grab sensitive personal information from the contacts (e.g., residential addresses and phone numbers), as well as tax file numbers, bank account numbers, and anything else that could help the hackers identify and locate certain individuals in Australia, and needed this information going back as far as possible (the ANU administrators made the unfortunate decision to keep electronically on its network the personal details of everyone who had or was still working at the ANU for the last 19 years, or since 2000).

Of course, the Australian government would like to implicate China in the attack (as is usually the case nowadays, but it has not revealed evidence to support this claim). ANU officials were not informed and have been honest by saying it came from a "sophisticated actor" and a "state-sponsored entity". In other words, the ANU does not know exactly who was responsible.

However, most security experts know the Chinese government is usually more interested in stealing current intellectual property and identifying specific current Chinese nationals working at the ANU. Never historical contact information going back so far on everyone who has worked or still working at the ANU and to learn where they live. As Financial Review political correspondent Andrew Tillet said:

"The hackers also ignored intellectual property and research data despite seeing it on the system, with investigators concluding they were just focused on the [contacts] database."

This latest cyber attack with a strong focus on historical personal information would almost certainly have been done by the U.S. government. And for good reason too given our research work and links to the ANU.

To deal with this type of cyber attack, SUNRISE Contacts has been designed to only show you a text-based version of the email message for both plain text and HTML messages. In the event that you do decide to view a "preview" of the HTML message, our independently designed software will prevent your username and password from being secretly stolen. It is not stored in a separate file outside the database in a common location where hackers can figure out where it is and grab the file whenever they like.

How to make SUNRISE Contacts even more secure

For more information on how to make your experience with SUNRISE Contacts the most secure solution you can make it, download this PDF file.