Nominations for the fifth annual Security Serious Unsung Heroes Awards are open.
Intended to recognize the people who significantly contribute to the information security industry, whether in the classroom, in law enforcement or within corporate organizations, the awards accept nominations until August 31 2020. The Unsung Heroes Awards will take place on Tuesday October 13 via a virtual cocktail event.
A total of 14 awards are open for nomination, including a new award added this year to recognize those helping to keep UK businesses safe during the COVID-19 pandemic. The categories are:
- Captain Compliance
- Godfather/Godmother of Security
- Cyber Writer
- CISO Supremo
- Security Avengers (best team)
- Best Security Awareness Campaign
- Security Leader/Mentor
- Apprentice/Rising Star
- Best Educator
- Best Ethical Hacker/Pen Tester
- Channel Champion
- DevSecOps Trailblazer
- Data Guardian
- COVID Hero
The Unsung Heroes Awards, created by Eskenzi PR and Smile on Fridays, have been sponsored by KnowBe4, Protiviti and Qualys. Yvonne Eskenzi, director of Eskenzi PR and founder of the Security Serious Unsung Heroes Awards, said: “It's true that 2020 might feel like a year worth forgetting, but cyber-criminals certainly haven't given up. There must be some incredible superstars out there in cybersecurity keeping businesses and their remote workers safe – and we want to thank those people.
“We need everyone’s help to nominate those security professionals they think are worthy of acknowledgement and bring a little joy back into this year!"
Previous award winner Quentyn Taylor, director of information security EMEA for Canon Europe, said that it is really important to support these kinds of efforts. “The Unsung Heroes Awards recognize the real people in information security, not just the ones you see in the magazines every single time,” he said. “Not just the ones who get put on the news whenever there’s an incident, but the ones who maybe don’t have time to do that but are soldiering away in the background to make the world a safer place, and that’s why these awards have credibility.”
A scam cryptocurrency trading platform has been wound up by the courts after stealing £1.5m in clients’ funds.
Gpay Limited was incorporated on 30 August 2017, and later traded as Cryptopoint and XtraderFX, according to a statement from government agency The Insolvency Service.
It was finally closed down in the public interest last week by the High Court, after scamming countless novice traders who were drawn to the platform via online advertising.
These ads, often on social media, claimed that the platform was supported by experienced traders and innovative technology that could help even investors with no prior experience to make money.
They also falsely claimed that Gpay was endorsed by Martin Lewis, founder of MoneySavingExpert, and entrepreneurs from the hit TV show Dragons’ Den.
“Screw you! Piss off! And good riddance Gpay ltd,” Lewis said in a Facebook post linking to the government announcement.
Government investigators had found that at least 108 clients had lost almost £1.5m, in many cases despite having paid for insurance designed to protect them against any losses.
Those that tried to remove funds from their trading accounts were told that this wasn’t possible unless they sent across copies of photo ID, utility bill and debit/credit card. Such requests were apparently not necessary when the victims initially sent over their deposits.
Withdrawals would also be blocked if customers hadn’t traded with their deposited funds, according to the government.
“GPay persuaded customers to part with substantial sums of money to invest in cryptocurrency trading. This was nothing but a scam as GPay tricked their clients to use their online platform under false pretenses and no customer has benefited as their investments have been lost,” said Insolvency Service chief investigator, David Hill.
“We welcome the court’s decision to wind up GPay as it will protect anyone else becoming a victim. This scam should also serve as a warning to anyone who conducts trading online that they should carry out appropriate checks before they invest any money that the company is registered and regulated by the appropriate authorities.”
Facebook has discovered another back-end privacy issue which meant that thousands of apps continued to receive users’ personal information even after access should have automatically expired.
The social network’s vice-president of platform partnerships, Konstantinos Papamiltiadis, explained in a blog post that rules to limit developer access to Facebook user data were brought in several years ago.
“In 2014, we introduced more granular controls for people to decide which non-public information — such as their email address or their birth date — to share when they used Facebook to sign into apps,” he said.
“Later, in 2018, we announced that we would automatically expire an app’s ability to receive any updates to this information if our systems didn’t recognize a person as having used the app within the last 90 days.”
However, the firm recently discovered that some apps continued to receive previously authorized user data, even though the users in question hadn’t used the app in 90+ days.
“From the last several months of data we have available, we currently estimate this issue enabled approximately 5000 developers to continue receiving information — for example, language or gender — beyond 90 days of inactivity as recognized by our systems,” Papamiltiadis continued.
“We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.”
The issue was fixed within a day and he said that Facebook is introducing new Platform Terms and Developer Policies to improve transparency further with the developer community and ensure they “clearly understand their responsibility to safeguard data and respect people’s privacy.”
The social network has been tightening its restrictions on third-party developers since the Cambridge Analytica scandal in 2018. In September last year it announced the removal of tens of thousands of apps from hundreds of developers that were suspected of having the potential to abuse policies on user privacy and security.
Cybersecurity solutions company SonicWall has announced the appointment of Tristan Bateup as country manager for Ireland as the firm seeks to expand its presence and capabilities in the country.
Bateup has more than 10 years of experience in the cybersecurity industry, having previously spent five years managing SonicWall partner business at distributor Exertis before joining SonicWall to serve as strategic account manager for the UK and Ireland.
Will Benton, regional director, Northern Europe at SonicWall, said: “Tristan’s experience and skills have already proved invaluable in establishing our presence in Ireland since his appointment. SonicWall places great importance in its partner relationships, and Tristan’s strong experience on both sides of the relationship contributes to bringing us even closer to our partner network in Ireland.”
To address the needs of Ireland-based customers, SonicWall will be consolidating its channel strategy and expanding its partner base in the country, responding to the rising demand for enterprise cybersecurity solutions in the growing Irish economy and the strong competitive market.
“Ireland is growing strongly, and that brings security concerns,” Bateup explained. “Recently, Irish businesses have had to deal with increasingly insidious threats from cyber-criminals while adjusting to a 100% remote workforce. SonicWall has evolved its Boundless security offering to cover the skills and budget gaps caused by just such a scenario. So joining the team when today’s Irish customers need hyper-distributed IT is the right move at the right time.”
NTT Global Data Centers used to be called RagingWire, but the Japanese telco acquired a majority 80% stake in the business in 2014, buying the remaining stock in January 2018. In November 2019, the FTC accused the Nevada-based data storage company of not being honest about its participation in the EU-US Privacy Shield framework.
Privacy Shield is a legal framework that lets companies transfer consumer data from EU countries to the US. It imposes privacy conditions on those companies to ensure that they remain compliant with EU law. It replaced the prior Safe Harbor agreement that existed between the two countries after a legal challenge ended that arrangement.
The company also failed to meet a key Privacy Shield condition, according to the FTC complaint: after its certification lapsed, it didn't continue to apply the framework's protections to personal information collected while participating in the program.
The consent agreement says that NTT Global Data Centers will not misrepresent its role in government privacy programs again. It will also hire an independent third-party assessor to review its compliance for as long as it remains self-certified under Privacy Shield. It must also protect personal information it collects while operating under the framework even after its certification lapses, or return or delete that data.
The FTC's legal team reached the settlement agreement with the company in April 2020, suspending its lawsuit until FTC commissioners could consider the proposal. They voted 3-1-1 in favor, with one commissioner not participating and one dissenting.
The statement from those voting in favor said that the data center operator "was, in fact, touting its participation in Privacy Shield as a selling point."
As of today, the California state government is enforcing the California Consumer Privacy Act (CCPA). Companies that don't comply with the law can expect stiff penalties from the government, along with potential consumer lawsuits.
Although the CCPA was signed into law two years ago and has been in effect since January 1, there was a six-month grace period during which companies were expected to review their procedures and ensure that they complied with the regulations. Today marks the start of real enforcement, when the attorney general can hold businesses accountable for violations.
Industry had pressured the state government to delay the enforcement date as companies struggled to cope with the COVID-19 pandemic, but the government held firm. It submitted the final set of proposed regulations for approval under the CCPA on June 2.
Darren Wray, CTO at data privacy company Guardum, warned that California has a reputation for aggressively pursuing its regulations. "Regulators are almost certainly going to come down strongly on high-profile breaches or compliance failures to show they mean business," he said. "We can also expect to see an uptick in the number of consumer complaints when they are unhappy with how a company has handled their data. We will also see more social media shaming for large companies that have failed in their new CCPA duties."
From today, penalties against companies that violate the CCPA rules could cost companies $2,500 per individual violation, or $7,500 for intentional violations. The law also allows for consumer lawsuits with statutory payments of $100–$750 per violation.
This could all lead to soaring fines, warned Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. "With companies collecting data about millions of California residents, the numbers add up quickly to sums that could dwarf the FTC's $5 billion settlement with Facebook," he said.
The law affects any person or organization doing business in California with over $25m in annual revenue, or any business collecting information on over 50,000 people or devices. Companies making more than 50% of their annual revenue from the sale of personal information also come under the CCPA.
Phishing scammers have targeted thousands of victims in an intricate cryptocurrency fraud, it was revealed this week. They used extensive information about the victims along with a complex multi-stage campaign that used fake news sites and celebrity names to lure them into a fraudulent investment scheme.
The online heist, discovered by Singapore-based threat hunting and intelligence company Group-IB, targeted victims across countries including the UK, Australia, South Africa, the US, and Singapore.
Victims receive a text message informing them of a news report about a lucrative new investment scheme. The message contains a URL supposedly pointing to a well-known media outlet. In fact, it is a unique short link to a redirect page. This page uses the short link to look up extensive personal data about the victim, including their name, phone number, and occasionally an email address.
The page sends this data when redirecting the victim to a fake news website tailored to look like a legitimate news site. The scammers even fake different news properties depending on the victim's location. UK residents are taken to a spoofed page from the Daily Mirror, for example.
The fake news story describes the cryptocurrency investment scheme, misleading the victim by attaching a celebrity to the story and claiming that they had made lots of money with it. All links in the article take the victim to a site for the investment fraud. The links are customized with the victim's personal information as parameters, which the investment page uses to populate a registration form.
This leaves the victims with little to do other than click the submit button, at which point they are told they will be contacted via phone by a representative. They are also asked to fill their account with a minimum of 0.03 bitcoins.
This is not the first scam to hijack celebrity names in a bid to lend credence to a shady investment site. Group-IB identified a similar one in February. What's different about this one is the amount of personal information that the scammers already had about each victim, the company said. It has searched for this information on online marketplaces to no avail. The scammers may have purchased the information from a data broker, it mused.
Cryptocurrency scammers have a habit of hijacking well-known brands and names. One common tactic is to take over verified Twitter accounts to get that all-important blue badge, and then to alter the account name to make it look like a celebrity is writing the tweets. Scammers have used this tactic to hijack Elon Musk's name when luring people into cryptocurrency fraud.
Remote workers have become significantly more cybersecurity conscious since the COVID-19 lockdown began, according to a new study from Trend Micro. It found that nearly three-quarters (72%) of remote workers are more aware of their organization’s cybersecurity policies, and 85% now take instructions from their IT team seriously.
Additionally, 81% agreed that workplace cybersecurity is partly their responsibility, whilst 64% acknowledged that it is a security risk to use non-work applications on a corporate device.
The findings, taken from interviews with 13,200 remote workers across 27 countries, suggest that employees are increasingly recognizing the additional cyber-threats to businesses brought about by the sudden shift to mass home working during the pandemic.
Despite this however, the report indicated that bad cybersecurity habits remain highly prevalent amongst remote workers. Over half (56%) of respondents admitted to using a non-work application on a corporate device, and 66% have uploaded corporate data to that application. Personal browsing using work laptops was found to be undertaken by 80% of remote workers, with just 36% fully restricting the sites they use, whilst 39% said they often or always access corporate data from a personal device.
A small proportion even admitted to watching/accessing porn (8%) and accessing the dark web on their work laptop (7%).
These kinds of risky behaviors appear to stem from attitude rather than ignorance, with 34% stating that they do not give much thought as to whether the apps they use are sanctioned by their organizations’ IT team.
Bharat Mistry, principal security strategist at Trend Micro, said: “It’s encouraging to see that so many take the advice from their corporate IT team seriously. Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one size fits all security awareness program is a non-starter as diligent employees often end up being penalized. A tailored training program designed to cater for employees may be more effective.”
Entries have now opened for the Tech Trailblazers Awards 2020, which recognize the achievements of outstanding early-stage tech companies around the world.
The awards are only available for smaller businesses and startups under six years old, and applicants must also be at C-series funding or below. Since the awards were launched in 2012, many previous winners have gone on to lucrative futures. In the ‘cloud’ category, seven former winners or runners-up have been subsequently acquired, while winners or runners-up in the ‘security’ category have gone on to collectively raise $722m in funding rounds.
There are 12 major enterprise categories that can be applied for in addition to three special categories, all of which are now open. The enterprise categories are as follows:
- Big data
- Developer tools
- Mobile technology
The three special categories are made up of female and male CxOs of the year, as well as the Firestarter award. Early-stage startup firms – those aged two years or under without VC funding – can apply for one of the tech categories for free via the new Firestarter bursary, which will automatically enrol them for the Firestarter award.
Rose Ross, founder of the Tech Trailblazers Awards, said: “This year’s process will be more comprehensive than ever. Entrants will have the opportunity to build their case with an executive interview for the Founders on Fire podcast and, in another first for the awards, shortlisted companies will be offered an opportunity to present a ‘Lightning Talk’ to the judges.
“The awards are a cracking opportunity for ambitious companies to present their innovations to the influential group of people that is our international judging panel.”
Infosecurity’s editor Michael Hill is confirmed as one of the judges for the awards.
Entries close on September 11 and the online entry process is powered by Judgify, making it easy to create and refine entries over a period of time prior to submitting.
A new version of Android malware, which exfiltrates and sends SMS messages, has been detected stealing financial and application data and reading account information and contact lists.
According to research by Cybereason, the malware, which it calls FakeSpy, is under constant development and has been active for over three years. Research found the attackers send fake text messages to lure victims into clicking on a malicious link, which directs them to a malicious web page and prompts them to download an Android application package (APK).
FakeSpy masquerades as a legitimate postal service application, and once installed, requests permissions so that it may control SMS messages and steal sensitive data on the device, as well as proliferate to other devices in the target device’s contact list.
The researchers determined that the developers are adding new features to the malware on a regular basis. “The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy,” the research explained. “The function mainly uses a DES encryption algorithm to encode these addresses.”
Calling it “one of the most powerful information stealers on the market,” the Cybereason Nocturnus research team said the malware authors seemed to be putting a lot of effort into improving the malware, bundling it with numerous new upgrades that make it more sophisticated, evasive and well-equipped.
In terms of attribution, Cybereason's investigation suggests the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed Roaming Mantis, a group that has led similar campaigns. It began by mainly targeting users in South Korea and Japan, and has now extended its reach more globally.
Jake Moore, cybersecurity specialist at ESET, said the fake text lure often works “as the victims expect an unknown number and – even if they haven’t ordered something – they assume the message is genuine, clicking through to any given links.”
Niamh Muldoon, senior director of trust and security at OneLogin, added: “The challenge for the individuals and organizations building delivery apps such as the ones targeted by the latest FakeSpy variation is building a process that enforces MFA without introducing too much end-user friction; balancing the risk and user-acceptance is key.”
Nominations are now open for the Outstanding Security Performance Awards (OSPAs) 2021.
The OSPAs are an independent and inclusive global awards scheme currently running in 13 countries to recognize and reward companies and individuals across the security sector. The awards present an opportunity to acknowledge role models and thought leaders who have made significant contributions to the industry and will be judged by high-profile professionals representing the many leading supporting associations and groups.
Professor Martin Gill, founder of the awards, said: “I encourage everyone working in the sector to submit at least one nomination; security too often operates under the radar and the OSPAs provide the opportunity to highlight and promote the pioneering work that is being carried out.”
Entry to the UK OSPAs is open and nominations are invited in the following categories:
- Outstanding In-House Security Manager/Director
- Outstanding Contract Security Manager/Director
- Outstanding Security Team
- Outstanding Contract Security Company (Guarding)
- Outstanding Security Consultant
- Outstanding Customer Service Initiative
- Outstanding Security Training Initiative
- Outstanding Security Installer/Integrator
- Outstanding Event Security Team
- Outstanding Security Partnership
- Outstanding Security Equipment Manufacturer
- Outstanding New Security Product
- Outstanding Security Officer
- Outstanding Young Security Professional
- Outstanding Cyber Security Initiative
- Lifetime Achievement Award
Nominations are open until October 1 2020 and shortlisted nominees will be announced in November. The awards ceremony will take place in the first quarter of 2021.
The Federal Communications Commission (FCC) has officially declared Chinese tech firms Huawei and ZTE national security risks, as part of its plans to remove the vendors’ equipment from US telecoms networks.
The FCC’s decision means that no carrier tapping the $8.5bn Universal Service Fund (USF), a government subsidy used mainly by smaller telcos often serving rural areas, can use the funds to purchase kit from the two Chinese firms.
“With today’s orders, and based on the overwhelming weight of evidence, the [FCC’s Public Safety and Homeland Security] Bureau has designated Huawei and ZTE as national security risks to America’s communications networks — and to our 5G future,” said FCC chairman Ajit Pai.
“Both companies have close ties to the Chinese Communist Party and China’s military apparatus, and both companies are broadly subject to Chinese law obligating them to cooperate with the country’s intelligence services.”
The FCC first revealed its plan back in October 2019, stating at the time that under the proposals the USF would not be allowed to pay for firms deemed a national security risk. It also suggested that existing USF recipients would have to be audited to see how many have Huawei/ZTE kit in place and how much it would cost to remove and replace it.
In March this year, a new law freed up $1bn to help smaller telecoms firms rip-and-replace Huawei and ZTE equipment.
Huawei and others have long argued that such plans are self-defeating as they will set US innovation back and represent poor value-for-money for taxpayers and consumers alike.
However, Pai struck a defiant tone in his prepared comments yesterday.
"The Bureau also took into account the findings and actions of Congress, the executive branch, the intelligence community, our allies and communications service providers in other countries,” he said.
“We cannot and will not allow the Chinese Communist Party to exploit network vulnerabilities and compromise our critical communications infrastructure. Today’s action will also protect the FCC’s Universal Service Fund — money that comes from fees paid by American consumers and businesses on their phone bills — from being used to underwrite these suppliers, which threaten our national security.”
Three-quarters of global CIOs are concerned about the proliferation of TLS certificates and the growing security risks associated with them, according to a new study from Venafi.
The security vendor polled 550 CIOs from the US, UK, France, Germany and Australia to better understand attitudes to the certificates increasingly used to protect data flowing to trusted machines.
Digital transformation efforts have led to an explosion of TLS certs to protect modern computing systems, but in so doing, the manual or semi-autonomous processes used to keep track of them are no longer fit-for-purpose.
That can lead to large numbers expiring without the knowledge of IT, exposing the organization to risk. A previous Venafi study revealed that IT professionals on average each found over 57,000 TLS machine identities that they did not know they had in their businesses and clouds.
More than half (56%) of CIOs polled in the new study said they worry about outages and business interruptions due to these expired certificates.
The problem is only set to get worse: 93% of respondents told Venafi that they had a minimum of 10,000 active TLS certificates, while 40% said they have over 50,000 currently in use. Moreover, nearly all (97%) of CIOs estimated that the number of TLS certificates used by their organization would increase at least 10-20% over the coming year.
Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi, claimed that CIOs are likely still underestimating the number of TLS machine identities they currently have in use.
“As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organization. Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound,” he argued.
“The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network — and this includes short-lived certificates that are used in the cloud, virtual and DevOps environments.”
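The discovery and monitoring step Bocek describes starts with knowing which certificates an organization already holds and when they lapse. The script below is an added example, not Venafi's tooling or anything from the study: it inventories the Windows certificate stores on the host it runs on (store paths and the 30-day threshold are assumptions, adjustable by parameter) and flags certificates that are expired or close to it. It covers only one source of machine identities; certificates in cloud, container and DevOps systems need to be gathered separately.

```powershell
# Added example (not from Venafi or the study): list certificates in local Windows
# stores that are expired or expire within $DaysAhead days, so they can be renewed
# before they cause an outage. Store paths below are assumptions; pass your own.
function Get-ExpiringCertificates {
    [CmdletBinding()]
    param(
        [int]$DaysAhead = 30,
        [string[]]$StorePaths = @(
            'Cert:\LocalMachine\My',          # machine certs (IIS, RDP, service accounts)
            'Cert:\LocalMachine\WebHosting',  # IIS centralized web hosting store, if present
            'Cert:\CurrentUser\My'            # certs held by the current user
        )
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)

    foreach ($store in $StorePaths) {
        # Not every store exists on every host (WebHosting only exists with IIS)
        if (-not (Test-Path -Path $store)) { continue }

        Get-ChildItem -Path $store |
            Where-Object { $_.NotAfter -le $cutoff } |
            ForEach-Object {
                $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    # DnsNameList is a PowerShell-added property exposing SAN entries
                    DnsNames      = ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ';'
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                    DaysLeft      = $daysLeft
                    Status        = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'EXPIRING' }
                }
            }
    }
}

# Usage: report sorted by urgency, then emit a CSV that a ticketing or monitoring
# system can ingest. Run this on a schedule rather than once, since the point of
# the exercise is continuous monitoring, not a single snapshot.
$report = Get-ExpiringCertificates -DaysAhead 30 | Sort-Object DaysLeft
$report | Format-Table Store, Subject, DaysLeft, Status, HasPrivateKey -AutoSize
$report | Export-Csv -Path "$env:TEMP\expiring-certs.csv" -NoTypeInformation
```

Certificates without a private key are usually CA or peer certificates rather than identities the host presents, so the `HasPrivateKey` column helps separate "this server will break" from "something we trust is about to lapse"; both matter, but they are owned by different teams.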
UK lawmakers have called on the government to take action “without delay” to regulate social media, in a bid to tackle misinformation online.
The House of Lords Committee on Democracy and Digital Technologies reported on Monday that a “pandemic of misinformation” poses an existential threat to democracy, and that companies like Facebook and Google need to be held accountable.
The list of reforms set out by the committee included tighter regulation for political advertising to ensure it is brought into line with other forms of advertising in requirements for truth and accuracy.
Working with the Advertising Standards Authority, political parties should develop a code of conduct to ban inaccurate ads during times of elections and referendums, it said. Wildly inaccurate claims made by the Leave campaign, including that the NHS would receive an extra £350m per week if Britain left the EU, are believed to have influenced many to vote Brexit.
There should also be more transparency around who pays for specific political ads and beefed up powers for the Electoral Commission to fine £500,000 or 4% of total campaign spend for those breaking the rules.
The Lords also called on the government to push ahead with an online harms bill which would give regulator Ofcom the power to hold platform providers legally responsible for content produced by individuals with large numbers of followers. The regulator should be given powers to fine such companies 4% of global annual turnover or force ISPs to block serial offenders.
Ofcom should also be given the power to ensure online firms are transparent in how their algorithms work so they are not operating in a discriminatory manner, the committee said.
An independent ombudsman should be appointed to provide a point of contact for individuals to complain to in the event they feel let down by digital platforms.
Committee chair and Labour peer, David Puttnam, argued that the perils of misinformation have become clear during the COVID-19 crisis.
“We have set out a program for change that, taken as a whole, can allow our democratic institutions to wrestle power back from unaccountable corporations and begin the slow process of restoring trust,” he added.
“Technology is not a force of nature and can be harnessed for the public good. The time to do so is now.”
Catherine Stihler, chief executive of the Open Knowledge Foundation, argued that the only way to fight misinformation and disinformation is to make information open, so authorities like journalists and scientists can report the facts.
“Tech giants have a responsibility to increase transparency and work closely with fact checkers, but self-regulation is never going to be enough by itself – government intervention is required,” she added.
“The UK government should take account of public opinion and the recommendations in this report and work towards a future that is fair, free and open.”
Faulty Windows drivers are to blame for many attacks against ATM and point-of-sale (POS) devices, according to research from Portland, Oregon–based hardware security research company Eclypsium. In a report released this week, it built on previous research highlighting how attackers can exploit poorly designed third-party drivers to gain control over the kernel of Microsoft's operating system and the underlying device firmware. It went on to explain how people can exploit these vulnerabilities to target highly regulated devices.
The researchers found a vulnerable Windows driver exposing a Diebold Nixdorf ATM to attack after acquiring the computer used in the ATM, which controls critical components, including the cash cassettes. The hardware driver provided arbitrary access to I/O ports on the system, enabling whoever could call it to reach devices connected via the PCI interface. The system also used the driver to update the device's BIOS firmware, which could enable an attacker to install a boot kit, they warned. The ATM vendor has already worked with Eclypsium to fix the problem, the report said.
This is not an isolated problem, the researchers warned. "These capabilities in a vulnerable driver could have a devastating impact on ATM or POS devices. Given that many of the drivers in these devices have not been closely analyzed, they are likely to contain undiscovered vulnerabilities," the report said.
Eclypsium drilled down into the specific driver flaws that undermine the Windows kernel in previous research. It named several vendors that had released vulnerable drivers for their devices.
For a long time, there was no way for Windows to mitigate these problems. That changed with the introduction of hypervisor-enforced code integrity (HVCI), which protects Windows from malicious code using built-in virtualization features. The problem is that this feature requires newer processors and isn't yet supported by many third-party drivers, they warned.
ATM hardware doesn't get replaced all that often, meaning that many of them won't be equipped with HVCI. Regulations also slow down the driver patching process, the researchers added. If a device is certified to external security standards, then any change that a vendor makes to its software or firmware could result in delays as it goes through the certification process again, they said.
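Whether a given Windows host actually has HVCI running, and whether its hardware meets the requirements the researchers mention, can be read from the Device Guard CIM class. The script below is an added example, not from Eclypsium's report or Microsoft's readiness tooling: it reports the virtualization-based security state, checks the required hardware properties against the available ones, and lists the running kernel drivers that are not Microsoft-signed, which is the inventory an administrator needs before turning HVCI on. The numeric codes are Microsoft's documented values for `Win32_DeviceGuard`; the labels and the "third-party" heuristic are assumptions of this example.

```powershell
# Added example (not from the Eclypsium report): report VBS/HVCI status and the
# third-party kernel drivers that would need HVCI-compatible versions.
# Requires Windows 10 / Server 2016 or later; run elevated for full results.

function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Property codes per Microsoft's Win32_DeviceGuard documentation.
    $propertyNames = @{
        1 = 'Base VBS support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations 1.0'
        7 = 'Mode-based execution control'   # the CPU feature older hardware lacks
    }

    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' }
        1 { 'Enabled but not running' }
        2 { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesRunning / Configured: 1 = Credential Guard, 2 = HVCI
    $missing = @($dg.RequiredSecurityProperties |
                 Where-Object { $dg.AvailableSecurityProperties -notcontains $_ } |
                 ForEach-Object { $propertyNames[[int]$_] })

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        VbsStatus               = $vbsStatus
        HvciConfigured          = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning             = ($dg.SecurityServicesRunning -contains 2)
        MissingRequiredFeatures = ($missing -join '; ')
    }
}

function Get-NonMicrosoftRunningDrivers {
    # Heuristic (assumption of this example): a driver whose Authenticode signer
    # subject does not name Microsoft is treated as third-party.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.PathName -ErrorAction SilentlyContinue
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or unreadable>' }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.PathName
                Signer    = $signer
                SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

# Usage: one line of status, then the driver list to hand to vendors for
# HVCI-compatible updates (or to feed into your patch-tracking system).
Get-HvciStatus | Format-List
Get-NonMicrosoftRunningDrivers | Sort-Object Signer | Format-Table Name, Signer, SigStatus -AutoSize
```

A host that reports `HvciRunning = False` with `MissingRequiredFeatures` listing mode-based execution control is the case the researchers describe: the mitigation exists in the OS but the hardware cannot support it, so compensating controls around the driver and the firmware update path are the only option until the unit is replaced.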
Other security companies have also highlighted problems with patching ATM software. In a 2019 white paper about ATM security challenges, Fortinet pointed out that manual processes for patching ATMs might fall outside the scope of corporate patch management systems that banks use for conventional IT equipment. That can make it difficult for IT administrators to patch thousands of ATMs across a distributed infrastructure, it warned.
Attacks on ATM hardware itself (as opposed to add-on skimming devices) are a perennial problem for banks. In September 2019, malware attributed to the Lazarus Group was found targeting ATMs at Indian banks. Cash-out crews have also reportedly been hitting US ATMs with 'jackpotting' attacks, in which malware forces the machine to keep dispensing cash, since 2018.
Inappropriate data sharing continues to be a problem for companies, according to a survey from data discovery and auditing software vendor Netwrix. Although most companies have designated secure storage areas for their data, many find it leaking into insecure areas, its research found.
A quarter of companies have discovered data stored outside designated secure locations in the past year, according to the vendor's "2020 Data Risk & Security" report. It took them considerable time to discover the stray data, with 23% reporting that it lay undiscovered for weeks.
This data seems to make its way into insecure storage because employees don't follow data sharing policies, if they exist at all. According to the survey, 30% of systems administrators granted direct access to sensitive data based only on user requests. The results show up in audits and can lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54% ended up with non-compliance findings from audits.
Many companies don't keep tabs on user data access privileges, the survey found: a little over half of organizations don't review those privileges regularly.
This lack of visibility into access rights makes data sharing hard to track. According to the survey, only half of organizations are confident that employees are not sharing data without the IT department's knowledge, and 29% of those cannot track employee data sharing at all, which makes that confidence hard to justify.
The survey examined every stage of the data life cycle, from creation through to disposal. It found poor practices at the creation stage that have direct implications for later stages such as sharing. Nearly two-thirds of respondents said they could not confirm that they collect only the minimum amount of customer data required. Of those, 34% are subject to the GDPR, whose data-minimization principle limits collection to what is necessary for the stated purpose. Companies that collect more customer data than they need and then fail to manage it properly compound their security risk.
The survey covered 1,045 IT professionals around the world, with the largest proportion (48%) coming from North America, followed by 26% from the EMEA region. Half the companies had 1,000 employees or fewer.
The US government has warned of a critical flaw in Palo Alto Networks equipment that could enable attackers to take over its devices with minimal skill.
The warning, issued by US Cyber Command, urged administrators to patch all devices affected by the vulnerability immediately and said that foreign advanced persistent threat (APT) actors would likely attempt to exploit it soon.
“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability,” the command tweeted.
As a user of these products, US Cyber Command would have reason to worry about foreign nation-states targeting its networks and those of its partners. It is one of eleven unified commands at the US Department of Defense, and oversees the US military's cyberspace operations.
The vulnerability, CVE-2020-2021, lies in the authentication code of PAN-OS, the operating system that runs Palo Alto firewalls. When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is unchecked, the firewall does not properly verify the signatures on SAML assertions, so an attacker can gain unauthenticated access to protected resources over the network.
Although it carries a CVSS severity of 10, the highest possible, this is not a remote code execution vulnerability. It would, however, let an unauthenticated attacker with network access to the affected web interfaces log in to the firewall as an administrator. The bug affects the PA and VM series next-generation firewalls, the company said in its vulnerability announcement.
This attack could be particularly damaging to customers now because they rely heavily on firewall and VPN access to serve employees working remotely during the COVID-19 pandemic.
The security hardware vendor said that it is not aware of any malicious attempts to exploit the vulnerability thus far.
Administrators can patch the vulnerability today by upgrading: the company has issued point releases for PAN-OS 8.0, 8.1, 9.0 and 9.1 that fix the problem. Alternatively, they can eliminate the issue until they are able to upgrade by disabling SAML authentication, which means switching to another authentication method. Since the flaw only applies while 'Validate Identity Provider Certificate' is unchecked, administrators should also check that the option is enabled wherever their identity provider configuration supports it, and review authentication logs for unexpected SAML logins that may have occurred before the fix was applied.
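To make the failure mode concrete, here is an added illustration that is not Palo Alto Networks' code and is not taken from the advisory: a toy service-provider verifier in Python in which the 'validate IdP certificate' switch decides whether the signing key is taken from the configured identity provider or from the assertion itself. Textbook RSA over tiny constructed primes and JSON canonicalization stand in for X.509 certificates and XML Signature; the issuer URL, subject names and key sizes are all made up. The exact code path in PAN-OS is not public in this form; the example shows the general class of mistake (trusting a signer that the message itself nominates), which is why the option matters.

```python
"""Added illustration (not Palo Alto Networks code) of the bug class behind
CVE-2020-2021: a SAML assertion verifier that, with IdP certificate
validation switched off, trusts whatever signing key the assertion carries."""
import hashlib
import json


def _is_prime(n):
    """Trial division; adequate for the small constructed moduli used here."""
    if n < 2:
        return False
    for f in range(2, int(n ** 0.5) + 1):
        if n % f == 0:
            return False
    return True


def make_keypair(p, q, e=65537):
    """Textbook RSA from two small primes. Toy only: real IdPs use
    2048-bit keys inside X.509 certificates, not 40-bit moduli."""
    assert _is_prime(p) and _is_prime(q)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest(assertion):
    """Canonical form plus hash, standing in for XML canonicalization and the
    DigestValue of an XML Signature. Truncated to 32 bits so the value is
    always smaller than the toy moduli."""
    canon = json.dumps(assertion, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest()[:4], "big")


def sign_assertion(assertion, pub, priv):
    """Return a signed document. KeyInfo carries the signer's public key, just
    as a SAML response carries the signer's X.509 certificate."""
    sig = pow(_digest(assertion), priv["d"], priv["n"])
    return {"Assertion": assertion,
            "Signature": {"SignatureValue": sig, "KeyInfo": pub}}


def verify_assertion(doc, idp_cert, validate_idp_cert):
    """Service-provider side check.

    validate_idp_cert=False models the vulnerable configuration: the key used
    for verification is taken from the document itself, so any signer passes.
    validate_idp_cert=True pins the configured IdP certificate and rejects
    anything signed by another key."""
    embedded = doc["Signature"]["KeyInfo"]
    if validate_idp_cert:
        if embedded != idp_cert:
            return False          # signer is not the configured IdP
        key = idp_cert
    else:
        key = embedded            # BUG: attacker-controlled key
    sig = doc["Signature"]["SignatureValue"]
    return pow(sig, key["e"], key["n"]) == _digest(doc["Assertion"])


# Constructed keys: the real IdP's, and one an attacker generated themselves.
IDP_CERT, IDP_PRIV = make_keypair(1299709, 1000003)
ATTACKER_CERT, ATTACKER_PRIV = make_keypair(999983, 104729)


def run_demo():
    """Exercise both configurations against a legitimate, a forged and a
    tampered assertion; returns which ones the verifier accepted."""
    legit = sign_assertion(
        {"Issuer": "https://idp.example.com", "Subject": "alice",
         "Attributes": {"role": "readonly"}}, IDP_CERT, IDP_PRIV)
    forged = sign_assertion(
        {"Issuer": "https://idp.example.com", "Subject": "attacker",
         "Attributes": {"role": "superuser"}}, ATTACKER_CERT, ATTACKER_PRIV)
    # Attacker edits a genuine assertion without being able to re-sign it.
    tampered = json.loads(json.dumps(legit))
    tampered["Assertion"]["Attributes"]["role"] = "superuser"
    return {
        "legit_validated": verify_assertion(legit, IDP_CERT, True),
        "legit_unvalidated": verify_assertion(legit, IDP_CERT, False),
        "forged_unvalidated": verify_assertion(forged, IDP_CERT, False),  # True: bypass
        "forged_validated": verify_assertion(forged, IDP_CERT, True),
        "tampered_unvalidated": verify_assertion(tampered, IDP_CERT, False),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:22s} accepted={accepted}")
```

Run it and the forged assertion is accepted only in the unvalidated mode, while the edited-but-not-re-signed assertion is rejected in both: the signature arithmetic works either way, the question is whose key it is checked against. In a real deployment the pinned key is the identity provider certificate configured in the SAML server profile, and a certificate carried inside the response must never be allowed to stand in for it.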
This advisory comes almost exactly a year after Palo Alto disclosed a remote code execution flaw in its GlobalProtect Portal and Gateway interface products. That vulnerability, rated High with a CVSS score of 8.1, allowed attackers to execute arbitrary code without authentication. In April 2019, Carnegie Mellon's CERT Coordination Center (CERT/CC) also warned that the company's VPN client software was storing cookies insecurely in log files.
A new standard for cybersecurity in the Internet of Things (IoT) has been unveiled today by the ETSI Technical Committee on Cybersecurity. It establishes a security baseline for internet-connected consumer products and for future IoT certification schemes. It is hoped the standard, titled ETSI EN 303 645, will help prevent large-scale, prevalent attacks taking place against smart devices.
Developed in collaboration with industry, academics and government, the standard aims to restrict the ability of cyber-criminals to control devices across the globe and launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. This has become a major concern for the cybersecurity industry due to the growing prevalence of smart devices in households, many of which have security weaknesses.
Earlier this month, for example, an investigation by Which? found that 3.5 million wireless indoor security cameras across the world potentially have critical security flaws that make them vulnerable to hacking.
ETSI EN 303 645 sets out 13 provisions for the security of a wide range of consumer IoT devices and their associated services. These include children's toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances and smart home assistants. The best known of the provisions is the ban on universal default passwords; others require manufacturers to implement a vulnerability disclosure policy, keep software updated, store sensitive security parameters securely, communicate securely, minimize exposed attack surfaces and make it easy for users to delete their personal data.
Five specific data protection provisions for consumer IoT are also set out in the standard.
Mahmoud Ghaddar, CISO Standardization, commented: “Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard.”
A number of manufacturers and IoT stakeholders have already developed products and certification schemes according to ETSI EN 303 645. Juhani Eronen, chief specialist at Traficom, added: “To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. Being involved in the development of the ETSI standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far.”
The Indian government has banned 59 Chinese-made smartphone apps, including the hugely popular social video app TikTok, over concerns that they may be stealing user data.
The list also includes the Twitter-like platform Weibo and the messaging app WeChat, as well as a range of browser, camera, news, entertainment and communications apps.
A government statement noted that the decision was taken due to fears that the apps were “prejudicial to sovereignty and integrity of India, defense of India, security of state and public order.”
These concerns were linked to fears over users’ data security and privacy.
“The Ministry of Information Technology has received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India,” it said.
Although the concerns may be genuine, the timing appears to be deliberate, coinciding with a period of heightened tensions between the two Asian giants after recent border clashes left 20 Indian soldiers dead.
According to the BBC, India is TikTok’s biggest foreign market with an estimated 120 million users.
However, the app has come in for criticism not only in India. In the US, the Pentagon banned its use by soldiers early this year on security concerns related to its Beijing-based owner ByteDance.
The Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk. If this becomes a full-blown investigation it could even put the sale of the title, which was originally a US app called Musical.ly, in jeopardy.
Concerns also swirl over the extent to which TikTok is influenced by Beijing, after it appeared to censor content linked to pro-democracy protesters in Hong Kong.
ProPrivacy digital privacy expert, Ray Walsh, argued that although New Delhi’s decision was probably taken for geopolitical reasons, it doesn’t mean it has no basis in privacy best practice.
“The decision will drastically reduce the amount of data passing from Indian citizens to Chinese authorities, via seemingly innocuous and hugely popular apps such as TikTok. These apps are known to harvest huge amounts of data from their users, resulting in covert international surveillance for the Chinese government,” he argued.
“Although the ban is likely to be controversial among Indian citizens, it may well cause other world leaders to consider whether they could or should impose similar sanctions.”
It remains to be seen how easy it is to enforce such a ban in practice.
A leading figure in a notorious cybercrime organization has pleaded guilty before a Nevada court to racketeering charges.
Russian national Sergey Medvedev — aka “Stells,” “segmed” and “serjbear” — pleaded guilty to conspiracy charges under the Racketeer Influenced and Corrupt Organizations Act (RICO), according to the Department of Justice (DoJ).
According to the indictment, the InFraud group he belonged to was founded in 2010 by Ukrainian Svyatoslav Bondarenko, 34, as a hub for “carding”: the online trafficking of stolen personal and financial information.
“Under the slogan, ‘In Fraud We Trust,’ the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware and other illicit goods,” the DoJ said.
“It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information and other contraband were permitted to advertise to members.”
By March 2017 there were an estimated 10,900 registered members of InFraud. The DoJ claimed that during its seven-year history it made over $568m from its victims — financial institutions, merchants and individuals.
The group was finally taken down in early 2018 after police in Australia, the UK, France, Italy, Kosovo and Serbia swooped on 13 individuals thought to have key roles in InFraud. An indictment was subsequently released charging 36 suspected members.
Medvedev, 33, was extradited from Thailand after being arrested there during the 2018 international police crackdown.
The news comes just days after another Russian national, Aleksei Burkov, was sentenced to nine years behind bars for operating the Cardplanet website, which sold stolen card data.