There have been calls for an immediate independent review after a new Privacy International investigation revealed that police are secretly extracting large volumes of highly sensitive data from UK users’ phones – even those not suspected of any crime.
The Digital Stop and Search report builds on previous research from the Bristol Cable in January last year detailing how law enforcers were investing hundreds of thousands in intrusive UFEDs (Universal Forensic Extraction Devices) from the likes of notorious Israeli vendor Cellebrite.
Privacy International received FOI responses from 47 police forces and 26 of them (55%) admitted using the technology, with a further 17% trialing or planning to trial it. The data extraction has been going on in some form for over six years.
Such tools can find data even the user may not know they have on their device, including: emails, messages, GPS locations, call data, photos, contacts, calendar info, web browsing, social media accounts, online banking, health and fitness data, cloud storage and much more.
It is extracted from self-service kiosks at the police station, from frontline support service ‘hubs’ serving several forces, or via portable mobile phone extraction kits when out and about, the report revealed.
Privacy International’s concern is that data is often extracted without the user’s knowledge, stored insecurely and for an indefinite time, and taken not just from suspects but also victims and witnesses – even for investigations of low-level crimes.
There’s confusion among the police over the legal basis for this activity, stemming from a lack of national and local guidance, PI claimed.
This can lead to serious procedural failings. A 2015 report from the Police and Crime Commissioner (PCC) for North Yorkshire Police claimed that poor training led to practices which undermined prosecution of murder and sexual assault cases. It also found serious breaches of data security practices, including failure to encrypt citizens’ data and the loss of files.
Tottenham MP, David Lammy, claimed the lack of transparency around police use of these tools is a serious cause for concern.
“My review of our criminal justice system found that individuals from ethnic minority backgrounds still face bias in parts of our justice system, and it is only because we have transparency and data collection for everything from stop and search incidents to crown court sentencing decisions that these disparities are revealed and we are able to hold those in power to account,” he argued.
“Given the sensitive nature and wealth of information stored on our mobile phones there is significant risk of abuse and for conscious or unconscious bias to become a factor without independent scrutiny and in the absence of effective legal safeguards.”
PI solicitor, Millie Graham Wood, added that it’s highly disturbing the police have the power to take such sensitive information in secret from a user without even needing a warrant.
“The police are continually failing to be transparent with the thousands of people whose phones they are secretly downloading data from,” she argued.
“An immediate independent review into this practice should be initiated by the Home Office and College of Policing, with widespread consultation with the public, to find the right balance of powers for the police and protections for the public. Let’s be clear: at the moment, the police have all the power and the public have no protections.”
While adoption of cloud computing continues to surge, security concerns are showing no signs of abating. After several years of a downward trend, 90% of cybersecurity professionals confirm they are concerned about cloud security, up 11 percentage points from last year’s cloud security survey. The top cloud security challenges are protecting against data loss and leakage (67%), threats to data privacy (61%) and breaches of confidentiality (53%).
The 2018 Cloud Security Report from Crowd Research Partners, based on an online survey of cybersecurity professionals in the 400,000-member Information Security Community on LinkedIn, shows that a lack of qualified security staff and outdated security tools are significant obstacles to enabling a secure cloud posture at many enterprises. Only 16% of organizations report that the capabilities of traditional security tools are sufficient to manage security across the cloud, which is a 6% drop from 2017. A full 84% say traditional security solutions either don’t work at all in cloud environments or have only limited functionality.
Cybersecurity professionals are also struggling with visibility into cloud infrastructure security (43%), compliance (38%) and consistent security policies across cloud and on-premises environments (35%).
“While workloads continue to move into the cloud, the study reveals that cloud security concerns are on the rise again, reversing a multi-year trend,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the Information Security Community. “With half of organizations predicting a rise in cloud security budgets, protecting today’s cloud environments requires more and better trained security professionals and innovative, cloud-native security solutions to address the concerns of unauthorized access, data and privacy loss, and compliance in the cloud.”
When it comes to the biggest perceived threats to cloud security, misconfiguration of cloud platforms jumped to the No. 1 spot in this year’s survey as the single biggest threat. This is followed by unauthorized access through misuse of employee credentials and improper access controls (55%), and insecure interfaces or APIs (50%).
On the defense side, for the second year in a row, training and certification of current IT staff (56%) ranks as the most popular path to meet evolving security needs. Fifty percent of respondents use their cloud provider’s security tools, and 35% deploy third-party security software to ensure the proper cloud security controls are implemented.
Meanwhile, encryption of data at rest (64%) and data in motion (54%) top the list of the most effective cloud security technologies, followed by security information and event management (SIEM) platforms (52%).
And finally, 49% of organizations expect cloud security budgets to increase, with a median increase of 22%.
Bad bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam, digital ad fraud and downtime. In 2017, bad bots accounted for 21.8% of all website traffic, a 9.5% increase over the previous year. Good bots increased by 8.7% to make up 20.4% of all website traffic.
According to Distil Networks’ fifth annual Bad Bot Report, which details the analysis of hundreds of billions of bad bot requests at the application layer, gambling companies and airlines suffer from higher proportions of bad bot traffic than other industries, with 53.1% and 43.9% of traffic coming from bad bots, respectively. E-commerce, healthcare and ticketing websites meanwhile suffer from highly sophisticated bots, which are difficult to detect.
A full 83.2% of bad bots report their user agent as web browsers Chrome, Firefox, Safari or Internet Explorer; 10.4% claim to come from mobile browsers such as Safari Mobile, Android or Opera.
Additionally, 82.7% of bad bot traffic emanated from data centers in 2017, compared to 60.1% in 2016. The availability and low cost of cloud computing explains the dominance of data center use.
“This year bots took over public conversation, as the FBI continues its investigation into Russia’s involvement in the 2016 US presidential election and new legislation made way for stricter regulations,” said Tiffany Olson Jones, CEO of Distil Networks. “Yet as awareness grows, bot traffic and sophistication continue to escalate at an alarming rate. Despite bad bot awareness being at an all-time high, this year’s Bad Bot Report illustrates that no industry is immune to automated threats and constant vigilance is required in order to thwart attacks of this kind.”
For the first time, Russia became the most blocked country, with one in five companies (20.7%) implementing country-specific IP block requests. Last year's leader, China, dropped down to sixth place with 8.3%.
In terms of tactics, the analysis found that account takeover attacks occur two to three times per month on the average website, but immediately following a breach, they are three times more frequent, as bot operators know that people reuse the same credentials across multiple websites.
About 74% of bad bot traffic is made up of moderate or sophisticated bots, which evade detection by distributing their attacks over multiple IP addresses or simulating human behavior such as mouse movements and mobile swipes.
Also, bots can be distributed on multiple hosts to perform automated distributed denial of service (DDoS) but can also be "low and slow," use browser automation or other evasion techniques to bypass existing web application security controls, such as IP blacklisting and rate limiting.
In the second half of 2017, nearly 40% of all analyzed industrial control systems (ICS) in energy organizations were attacked by malware at least once – closely followed by 35% of engineering and ICS integration networks.
The cybersecurity of industrial facilities remains an issue that can lead to very serious consequences affecting industrial processes, as well as business losses. While analyzing the threat landscape in different industries, Kaspersky Lab ICS CERT recorded that nearly all industries regularly experience cyber-attacks on their ICS computers. However, energy and engineering were attacked more than others.
The report found that for all other industries (manufacturing, transportation, utilities, food and healthcare) the proportion of ICS computers attacked ranged from 26% to 30% on average. The vast majority of detected attacks were accidental hits.
The sector that demonstrated the most noticeable growth of ICS computers attacked during the second half of 2017 (compared to the first half of 2017) was construction, with 31% attacked. The relatively high percentage of attacked ICS computers in the construction industry compared to the first half of 2017 could indicate that these organizations are not necessarily mature enough to pay the required attention to the protection of industrial computers. Their computerized automation systems might be relatively new, and an industrial cybersecurity culture is still being developed in these organizations, Kaspersky noted.
“The results of our research into attacked ICS computers in various industries have surprised us,” said Evgeny Goncharov, head of Kaspersky Lab ICS CERT. “For example, the high percentage of ICS computers attacked in power and energy companies demonstrated that the enterprises’ effort to ensure cybersecurity of their automation systems after some serious incidents in the industry is not enough, and there are multiple loopholes still there that cybercriminals can use.”
Meanwhile, the lowest percentage of ICS attacks – 15% – was found in enterprises specializing in developing ICS software. Even so, this means that their ICS research/development laboratories, testing platforms, demo stands and training environments are also being attacked by malicious software, although not as often as the ICS computers of industrial enterprises. Kaspersky Lab ICS CERT experts point to the significance of ICS vendors’ security, because the consequences of an attack spreading over the vendor’s partner ecosystem and customer base could be very dramatic.
Among the new trends of 2017, Kaspersky Lab ICS CERT researchers discovered a rise in mining attacks on ICS. This growth trend began in September 2017, along with an increase in the cryptocurrency market and miners in general.
“But in the case of industrial enterprises, this type of attack can pose a greater threat by creating a significant load on computers, and as a result, negatively affecting the operation of the enterprise’s ICS components and threatening their stability," the firm noted.
Overall, from February 2017 to January 2018, cryptocurrency mining programs attacked 3% of industrial automation system computers, in most cases accidentally.
The number of vacancies for Data Protection Officers (DPOs) has surged by 709% since the rules of the General Data Protection Regulation (GDPR) were ratified nearly two years ago, according to Indeed.
The jobs site claimed in new figures that the nationwide recruitment drive has attracted the attention of job-seekers, with the number of candidates looking for such roles soaring 297% in the same period.
Appointing a Data Protection Officer is a key requirement of the new EU privacy laws, and failing to do so could result in a fine of up to 2% of global annual turnover or €10m, whichever is higher.
You will be required to appoint a DPO if you are a public authority, your core activities require “large scale, regular and systematic monitoring of individuals” or your core activities include “large scale processing of special categories of data or data relating to criminal convictions and offences.”
DPOs are essential to such organizations, responsible for monitoring internal compliance, advising on impact assessments and data protection obligations, and acting as a contact point for data subjects and the supervisory authority.
As highly skilled independent experts in data protection, they command a significant salary, currently standing at an average of £47,483 – nearly double the average UK wage of £27,600, according to Indeed.
With the GDPR compliance deadline of May 25 fast-approaching, one company has launched a virtual DPO service designed to help organizations get in line before the cut-off date.
An outsourced team of cybersecurity and risk mitigation lawyers work alongside ThinkMarble’s in-house security analysts and incident responders to offer bespoke GDPR compliance services to firms.
Research from 2017 found that a fifth (22%) of organizations still hadn’t hired a DPO, and that more than half (52%) of these firms weren’t planning to until the second half of 2018 or beyond.
Information commissioner, Elizabeth Denham, claimed last year: “it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm.”
However, the regulator is likely to take a dim view of organizations which haven’t taken the basic step of appointing a DPO before the May deadline.
Iran has hit back at US sanctions levied in response to alleged attacks on hundreds of global universities and a media company for financial gain.
The Mabna Institute is said to have stolen 31TB of IP and other valuable data from over 300 educational institutions in the US, UK, Germany, Japan, Israel and elsewhere.
The US government claimed on Friday that the Iranian military effectively outsourced the hacking work to the Institute in order to help domestic universities and research organizations gain access to non-Iranian scientific resources.
“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said US Treasury under secretary Sigal Mandelker.
The two founders of the Institute were among the 10 people indicted, meaning they could face extradition to the US if they travel outside of Iran and their assets are subject to seizure by the US authorities. The Institute itself was also placed under sanctions.
Tehran’s foreign ministry spokesperson, Bahram Quassemi, condemned the sanctions as provocative and illegal, according to the BBC.
“The US will definitely not benefit from the sanctions gimmick, aimed at stopping or preventing the scientific growth of the Iranian people,” he said in a statement.
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, claimed the naming and shaming of the individuals continues a trend of state-sponsored attack attribution.
“By applying sanctions quickly against the Iranian hacker network involved in this incident, the United States is signalling that any cyber-attack against the country will have consequences,” he added.
“It is another recent example of the US both calling out malicious state-sponsored cyber behavior and taking action against it. However, the sanctions applied by the US Treasury Department will have very limited effect on people without US-based assets or bank accounts.”
The UK government is aiming to capitalize on the rise in online threats to sell the nation’s cybersecurity expertise worldwide, despite heavy criticism in the past for its own security failings.
Published on Monday, the Cyber Security Export Strategy aims to support the ongoing work of the 2016-21 National Cyber Security Strategy, which saw £1.9bn of public spending committed to the sector.
The Department of International Trade (DIT) document sets out a plan to support UK companies bidding for contracts with overseas governments and CNI providers.
It also claims the DIT will “curate bespoke offers for the top buyers” in six sectors highlighted as those set to receive the biggest investment in security over the coming years. It claims it will run trade missions and pitch UK companies to address identified capability gaps.
The third pillar of the DIT’s approach is to help improve global branding and marketing for UK cybersecurity companies, alongside new content on a great.gov.uk site.
The new strategy seems to be aimed primarily at supporting SMEs which could otherwise struggle to make an impact on the global stage. It claims UK Export Finance is available for those in need of monetary support to export goods and services.
The new strategy could be seen as a response to Brexit, which experts have argued will have a hugely negative impact on the UK’s cybersecurity industry.
It’s already claimed that hiring of European practitioners is getting harder for UK firms, and there are question marks over information sharing and other region-wide agreements currently benefiting UK businesses, not to mention the tariff-free trade of the single market.
However, the sight of the government attempting to tout its expertise in cyber around the globe is somewhat ironic considering the parlous state of NHS cybersecurity. The health service was decimated by WannaCry ransomware last year, and in February, a committee reported that all 200 Trusts had failed basic security tests.
In February 2017, parliament slammed the government’s cybersecurity efforts as uncoordinated, inconsistent and failing the wider public sector outside Whitehall.
However, most experts cautiously welcomed the new DIT strategy.
“It’s great to see the government acknowledge the strength of the UK cybersecurity sector. Against a backdrop of ever-evolving threats, growing digital transformation and regulatory pressures, there has never been such global demand for effective cybersecurity products and services,” said RedScan CTO, Andy Kays.
Thales eSecurity EMEA VP, Peter Carlisle, added that the strategy demonstrates a clear government commitment to collaboration with the private sector.
“By not only honing our skills here in the UK, but by exporting our expertise overseas too, this will ensure that we ward off attacks from foreign actors whilst simultaneously strengthening our own capabilities,” he claimed.
Others were more sceptical.
“The Cyber Security Export Strategy sends out a message in no uncertain terms that security is and will remain top of the agenda. With heightening tensions between foreign nations and an increasing risk of threat actors sabotaging businesses, governments, hospitals and schools, the UK has an opportunity to lead by example and grow an already burgeoning sector,” said Smoothwall corporate security specialist, Rob Wilkinson.
“But it smacks, too, of a country trying to rebuild its reputation following major breaches including WannaCry in the NHS, Petya and businesses like Wonga. A lot of work has to be done to keep organizations safe in this country as well as countries abroad.”
The criminal operation is reported to have hit banks in more than 40 countries and cost €1 billion since it first appeared in late 2013. It initially began with the Anunak malware, which targeted financial transfers and ATM networks of financial institutions; this was later updated to Carbanak, which was used until 2016.
“In all these attacks, a similar modus operandi was used,” the report said. “The criminals would send out to bank employees spearphishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.”
The international police cooperation, coordinated by Europol and the Joint Cybercrime Action Taskforce, was central in bringing the perpetrators to justice, with the owner, coders, mule networks, money launderers and victims all located in different geographical locations around the world.
Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: "This global operation is a significant success for international police cooperation against a top level cyber-criminal organization.
“The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cyber-criminality.”
Craig Young, computer security researcher at Tripwire, said: “These attacks were among the most sophisticated publicly reported bank robberies. The attackers used their malware to embed themselves into financial institutions where they would study processes and mannerisms for months before making a move to steal money. This allowed the attackers to simulate legitimate behavior so that they could siphon millions of dollars from a single institution without immediately raising alarms.”
Ross Rustici, senior director of intelligence services at Cybereason, called this “positive news for cybersecurity across the globe” as the manner in which this individual was caught continues to demonstrate the importance of public-private partnerships and the global nature of cybercrime.
“The inclusion of police agencies in at least five different countries demonstrates how difficult it can be to track a single actor through all of their online activity and the jurisdictional challenges law enforcement faces while pursuing these criminals,” he said.
Lucas claimed that Trustico “is suffering significantly as a result of the misrepresentation of the position” and is considering its position legally with respect to these issues and others in an effort to set the record straight “as it considers itself to have been unfairly and wrongly maligned.”
He claimed that Trustico was fully permitted under the terms of the Symantec subscriber agreement to take action to revoke certificates on customers’ behalf. DigiCert refused to revoke, stating that it would only do so after either performing a verification of control over the domain or receiving the private keys associated with the certificates. Trustico expressed to DigiCert its “significant discomfort with handing over the private keys to the certificates,” as private keys are held by Trustico in trust and so are secure.
Given its concerns, Trustico, acting in what it considered to be the best interests of its customers, chose to disclose the private keys so that DigiCert would perform a revocation, as it was refusing to do so otherwise.
In an eight-point clarification, Lucas said that DigiCert knew that Trustico held (in trust) private keys of certain customers as a private key generating tool “has been a popular product offering for customers” and was developed in partnership with Symantec.
He added: “Trustico never deliberately exposed private keys. The revocation request was made in accordance with the Baseline Requirements and private keys were only provided under protest following DigiCert’s request for authentication purposes. Trustico intentionally provided private keys in a format which did not create risk to its customers.”
Lucas also said that notice was given to customers about revoking the certificates, but some notices ended up in junk mailboxes or rejected by hosts, and all affected customers were issued with a number of previous communications regarding the distrust issue.
“As the only party other than Trustico with access to the serial numbers for each certificate, only DigiCert was able to undertake a match of the keys provided to issued certificates (by reference to serial numbers),” Lucas said.
“Trustico believes there were no security concerns for customers in what it did. Providing the private key and serial number would have been a security concern; the provision of one but not the other did not present a risk.”
In the original story, the certificates issued by Trustico acting as an SSL certificate authority (CA) reseller for Symantec were revoked earlier this year after DigiCert chief product officer Jeremy Rowley said that Trustico “shared with us that they held the private keys and the certificates were compromised, trying to trigger the Baseline Requirement's 24-hour revocation requirement.”
At the time, Rowley said that Trustico had not provided any information about how certificates had been compromised, or how they acquired the private keys. “As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys.” He clarified that certificates were only revoked if the private keys were received.
In clarification, Trustico said that “private keys were only generated at our customers request through the private key generating tool; this service was optional” and that all data was stored “in accordance with its obligations under data protection law and company policy.”
Microsoft is getting tougher on clients that do not update their software, as it outlines in its latest advisory. The tech giant has created CredSSP updates for security vulnerability CVE-2018-0886, which was originally patched on March 13 2018.
The CVE-2018-0886 security flaw is a remote code execution vulnerability that exists in CredSSP. An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. The patch released by Microsoft addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.
According to Microsoft’s latest advisory, the RDP update released from April 17 2018 will enhance the error message presented when an updated client fails to connect to a server that has not been updated. It recommends that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible.
The vulnerability was originally flagged to Microsoft in August 2017 by Preempt. The company wrote that the flaw affected all Windows versions to date, and noted that the vastness of the issue was great given that “RDP is the most popular application to perform remote logins.” The company used internal research to highlight that almost all enterprise customers were using RDP and were at risk.
The Internet Engineering Task Force (IETF) has published version 1.3 of the Transport Layer Security (TLS) protocol. The protocol allows client/server applications to communicate over the internet in a way that is designed to prevent eavesdropping, tampering and message forgery.
The IETF is a body of engineers from all over the world who collaborate on standards like this – and its approval of TLS 1.3 has been long in coming – over four years and 28 drafts.
According to a draft working document published on March 20, protocol 1.3 has several major differences from its predecessor. These include: removal of algorithms that are considered legacy; the addition of a 0-RTT mode; all public-key-based key exchanges now providing forward secrecy; all handshake messages after the ServerHello now being encrypted; and a redesigned key derivation function, which allows easier analysis by cryptographers due to its improved key separation properties.
There might be potential concerns about 0-RTT data, as its security properties are weaker than those for other kinds of TLS data. Specifically, the document stated: “This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
“There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server's Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the application protocol.”
The document continued to say that 0-RTT data cannot be duplicated within a connection (i.e. the server will not process the same data twice for the same connection) and an attacker will not be able to make 0-RTT data appear to be 1-RTT data, because it is protected with different keys.
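To make the two quoted properties concrete, here is an added toy model (not the IETF's code, not any TLS library, and with HMAC-SHA256 stand-ins for the real key schedule and AEAD) showing that early data is decryptable by anyone who later holds the PSK, that an identical ClientHello plus early data can be replayed, and one server-side mitigation: recording ClientHellos within a ticket-age window and rejecting repeats. Names such as `Server`, `derive` and `client_early_data` are this example's own.

```python
"""Toy model of TLS 1.3 0-RTT early-data properties and a server-side anti-replay
check. Added illustration only: the key derivation and stream cipher are
deliberate HMAC-SHA256 simplifications, not the real TLS 1.3 key schedule."""
import hashlib
import hmac
import os


def derive(secret: bytes, label: bytes, context: bytes) -> bytes:
    """Simplified stand-in for HKDF-Expand-Label: key = HMAC(secret, label || context)."""
    return hmac.new(secret, label + context, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (keystream = HMAC(key, block counter)); illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def client_early_data(psk: bytes, ticket_id: bytes, ticket_age: float, plaintext: bytes):
    """Client offers the PSK in its ClientHello and encrypts 0-RTT data under a key
    derived ONLY from that PSK and its own Random: the server has contributed nothing."""
    hello = {"psk_identity": ticket_id, "random": os.urandom(32), "ticket_age": ticket_age}
    return hello, xor_stream(derive(psk, b"c e traffic", hello["random"]), plaintext)


def one_rtt_key(psk: bytes, client_random: bytes, server_random: bytes, ecdhe: bytes) -> bytes:
    """1-RTT keys also mix in the ServerHello Random and an ephemeral (EC)DHE secret,
    which is why 1-RTT data is fresh per connection and forward secret."""
    return derive(psk + ecdhe, b"c ap traffic", client_random + server_random)


class Server:
    """Records ClientHellos inside a freshness window so a replayed 0-RTT flight is refused."""

    def __init__(self, replay_window: float = 10.0):
        self.tickets = {}      # ticket_id -> (psk, issue time); the PSK is stored long term
        self.seen = {}         # sha256(ClientHello) -> arrival time, kept for replay_window
        self.replay_window = replay_window

    def issue_ticket(self, now: float):
        ticket_id, psk = os.urandom(8), os.urandom(32)
        self.tickets[ticket_id] = (psk, now)
        return ticket_id, psk

    def accept_early_data(self, hello: dict, ciphertext: bytes, now: float):
        """Return (plaintext, reason). Unknown PSKs, stale ticket ages and replayed
        ClientHellos are rejected; a real server would then fall back to 1-RTT."""
        entry = self.tickets.get(hello["psk_identity"])
        if entry is None:
            return None, "unknown PSK"
        psk, issued = entry
        # Freshness: the client-claimed ticket age must agree with the server clock.
        if abs((now - issued) - hello["ticket_age"]) > self.replay_window:
            return None, "stale ticket age"
        # Drop expired cache entries, then refuse any ClientHello already seen.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= self.replay_window}
        digest = hashlib.sha256(repr(sorted(hello.items())).encode()).digest()
        if digest in self.seen:
            return None, "replayed ClientHello"
        self.seen[digest] = now
        return xor_stream(derive(psk, b"c e traffic", hello["random"]), ciphertext), "accepted"


def demo() -> dict:
    """Accepted 0-RTT, the same bytes replayed, offline decryption, and 1-RTT contrast."""
    server, t0 = Server(), 1000.0
    ticket_id, psk = server.issue_ticket(t0)
    # A non-idempotent request is exactly the kind of 0-RTT payload replay can hurt.
    hello, early = client_early_data(psk, ticket_id, 1.0, b"POST /orders id=42")
    first, why_first = server.accept_early_data(hello, early, now=t0 + 1.0)
    # Someone who captured the flight re-sends the identical ClientHello and early data.
    replay, why_replay = server.accept_early_data(hello, early, now=t0 + 3.0)
    # Not forward secret: the stored PSK alone decrypts the recorded early data later.
    offline = xor_stream(derive(psk, b"c e traffic", hello["random"]), early)
    # 1-RTT keys differ per connection even for an identical ClientHello, because the
    # server contributes a fresh Random and ephemeral secret.
    k1 = one_rtt_key(psk, hello["random"], os.urandom(32), os.urandom(32))
    k2 = one_rtt_key(psk, hello["random"], os.urandom(32), os.urandom(32))
    return {"first": first, "why_first": why_first, "replay": replay,
            "why_replay": why_replay, "offline": offline, "one_rtt_keys_differ": k1 != k2}
```

The ClientHello cache only works within one server's window, which is why the draft warns there are no replay guarantees between connections in general; operators normally restrict 0-RTT to idempotent requests as well.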
One week after the Cambridge Analytica data breach went public, Facebook is continuing to lose trust with its users as many go to delete their accounts. However, for many users, the surprises keep coming, as they were shocked to find out Facebook had been collecting call records and SMS messages.
According to Ars Technica, a user from New Zealand, Dylan McKay was looking through data Facebook had collected, which he had downloaded from the social network site. While scanning through information the tech giant had about his contacts, McKay discovered that Facebook had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers and the length of each call made or received.
Since this original flag, many users have also taken to Facebook with their own Facebook data archives.
Following the report by Ars Technica, Facebook posted a blog on March 25 2018, which said: “You may have seen some recent reports that Facebook has been logging people’s call and SMS (text) history without their permission. This is not the case.
“Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about and provides you with a better experience on Facebook. People have to expressly agree to use this feature. If at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.
“We introduced this feature for Android users a couple of years ago. Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with. This was first introduced in Messenger in 2015, and later offered as an option in Facebook Lite, a lightweight version of Facebook for Android.”
The blog goes on to say that Facebook never sells the data, and the feature does not collect the content of users’ text messages or calls.