A US tech company that manages popular family tree software has exposed tens of thousands of its users’ personal information online via a misconfigured cloud server, according to researchers.
A team from WizCase led by Avishai Efrat discovered the unsecured Elasticsearch server leaking 25GB of data linked to users of the Family Tree Maker software.
First released in 1989, it has had numerous corporate owners, including Broderbund, The Learning Company, Mattel and Ancestry.com, prior to Software MacKiev which is currently in charge of the code.
WizCase informed the US software company of the incident and, although it didn’t receive a reply, the incident was apparently remediated shortly after.
Among the details leaked to the public-facing internet were email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.
WizCase warned that a hacker could have used the information to craft convincing follow-on phishing attacks and identity fraud.
It also claimed the leaked comments and complaints could have given MacKiev’s competitors an opportunity to target unhappy customers, while technical details could be utilized in a different way.
“The leak exposed technical details about the system’s backend, which could help attackers leverage multiple cyber-attacks on Software MacKiev and its associated companies,” it was claimed.
“That way cyber-criminals can steal additional user data, infect the system with malware or even take complete control over parts of the systems.”
MacKiev is said to have developed the macOS version of Family Tree Maker since around 2010, and bought the Windows version of the software from Ancestry in 2016.
Some 60,000 users are thought to have been exposed in this privacy snafu.
It’s one of many such incidents resulting from configuration errors on internet-connected computing resources. Last week, WizCase disclosed similar issues in multiple e-learning platforms exposing nearly one million records.
Research from earlier this month found the same misconfigurations put the security and privacy of countless users of global dating apps at risk.
An alleged cyber-criminal has become the first Cypriot national to be extradited from the Republic of Cyprus to the United States.
Joshua Polloso Epifaniou, a resident of Nicosia, Cyprus, arrived at John F. Kennedy Airport in New York on July 17. The 21-year-old, who is wanted in two US states, was arrested in Cyprus in February 2018.
A five-count indictment filed in the Northern District of Georgia charges Epifaniou with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft, and extortion related to a protected computer.
A second 24-count indictment filed in the District of Arizona accuses the Cypriot of conspiracy to commit computer hacking, obtaining information from a protected computer, intentional damage to a protected computer, and threatening to damage a protected computer.
The first indictment alleges that between October 2014 and November 2016, Epifaniou was part of a threat group that carried out ransomware attacks against a free online game publisher based in California, a New York hardware company, an online employment website headquartered in Virginia, and a sports news website based in Atlanta, Georgia, and owned by Turner Broadcasting System Inc.
Epifaniou and his co-conspirators are accused of gaining unauthorized access to each company's personal identifying information (PII) and threatening to publish the data online unless they received a ransom. The entities allegedly targeted by Epifaniou were defrauded of $56,850 in Bitcoin, while two victims incurred additional losses of $530k in remediation costs.
The second indictment accuses Epifaniou of carrying out a brute force attack against Arizona company Ripoff Report. After compromising the company's system, the Cypriot allegedly threatened to publish the private data it contained unless he received $90k.
It is further alleged that between October 2016 and May 2017, Epifaniou worked with an associate at “SEO Company,” a search engine marketing company based in Glendale, California, to identify companies that might want to pay for the removal of complaints posted about them on Ripoff Report’s website.
Epifaniou and his co-conspirator are accused of using their unauthorized access to Ripoff Report's database to erase at least 100 complaints, charging SEO Company’s “clients” approximately $3,000 to $5,000 for each removal.
Epifaniou is scheduled to go before US Magistrate Judge Alan Baverman in the Northern District of Georgia today for his arraignment.
A new strain of banking malware dubbed BlackRock has been detected by researchers at Threat Fabric.
An investigation into its origins has revealed BlackRock to be derived from the Xerxes banking malware. Xerxes was in turn spawned out of the LokiBot Android banking Trojan, first detected around four years ago.
The source code of the Xerxes malware was made public by its author around May 2019, making it possible for any threat actor to get their hands on it. Despite the code's availability, researchers found that the only Android banking Trojan based on Xerxes' source code that is currently operating appears to be BlackRock.
This malevolent new kid on the malware block steals credentials not only from banking apps but also from other apps designed to facilitate communication, shopping, and business. In total, the team found 337 Android apps were impacted, including dating, social networking, and cryptocurrency apps.
By throwing their nefarious campaign net so wide, researchers believe the malware's creators are attempting to exploit the increase in online socializing brought about by the outbreak of COVID-19.
"Technical aspects aside, one of the interesting differentiators of BlackRock is its target list; it contains an important number of social, networking, communication and dating applications," noted researchers.
"So far, many of those applications haven't been observed in target lists for other existing banking Trojans. It therefore seems that the actors behind BlackRock are trying to abuse the growth in online socializing that increased rapidly in the last months due to the pandemic situation."
BlackRock was first spotted back in May 2020. When the malware is launched on a device for the first time, its icon is hidden from the app drawer, making it invisible to the end user. The malware then asks the victim for the Accessibility Service privileges, often posing as a Google update.
Once the user grants the request, BlackRock starts granting itself the additional permissions required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks.
“Unfortunately, this malware is particularly sophisticated and can camouflage itself as a genuine app to do some damaging spy work in the background,” commented ESET cybersecurity specialist Jake Moore.
“It is vital that users know what apps they are downloading, or they may risk unknowingly downloading something illicit.”
The impending move was jointly announced by both companies earlier today, along with the news that HelpSystems will acquire all outstanding shares of GlobalSCAPE for $9.50 per share in cash. This represents a 16% premium to the closing price for GlobalSCAPE stock on July 17, 2020.
The combined company, whose name has not yet been officially announced, is to focus on providing the most comprehensive collection of trusted security and automation solutions to customers worldwide.
HelpSystems is a Minnesota-based IT software company recognized as the biggest independent IBM software vendor in the world.
GlobalSCAPE has been creating secure managed file transfer (MFT) solutions from its San Antonio, Texas, headquarters for over two decades. Company CEO Robert Alpert said the upcoming merger between HelpSystems and GlobalSCAPE will be empowering.
“GlobalSCAPE’s offerings are a great fit with HelpSystems’ suite of security products,” said Alpert. “Our strength lies in moving mission-critical files both in and out of the cloud, coupled with our commitment to customer service and in helping organizations meet their cybersecurity and compliance needs. Joining HelpSystems solidifies and strengthens this promise.”
Alpert said that the achievements attained by GlobalSCAPE to date were derived from the excellence of the company's workforce.
“Our success is rooted in our people; the men and women of GlobalSCAPE are passionately dedicated to client success," said Alpert.
"The product and individual awards earned over GlobalSCAPE’s twenty-three-year history testify to our spirit of service. I am proud of our accomplishments, including our ability to return substantial capital to shareholders, with special dividends of $0.50 per share in May of 2019 and $3.35 per share in December of 2019, in addition to the $9.50 per share that holders will receive in the transaction with HelpSystems.”
The planned merger will augment HelpSystems’ data security business, which includes data loss prevention and data classification software.
CEO of HelpSystems Kate Bolseth said: “GlobalSCAPE’s MFT solution and expertise further strengthen HelpSystems’ growing cybersecurity business. Combining this with our data loss protection and data classification technology provides depth to our triple-threat defense against customer cybersecurity risks.”
The transaction is structured as a tender offer followed by a merger, valued at approximately $217m, including debt to be refinanced.
A new initiative intended to represent UK-based data protection officers (DPOs) has been launched to provide insight into the development of the privacy industry.
Managed by the DPO Center and the Data Protection World Forum, the index will aim to cover a range of topics including organizational strategy, resources, budgets, the response to current issues such as the COVID-19 pandemic and the importance of data protection as a single theme.
Rob Masson, chief executive of the DPO Center, said the index is intended to help shape the future of the sector, provide clarity on the key issues and ultimately deliver tangible and ongoing benefit to the industry.
Speaking on a webinar to launch the index, Masson said the intention of the index is to take a “snapshot” of the sector to give a unique picture of how the profession is maturing. Masson called the data protection sector collaborative but admitted that sometimes it is hard to gauge industry-wide opinion, and the events around the decision invalidating Privacy Shield “show how quickly things can change.”
He said: “The intention of the index is that it is there to serve the industry in being able to give results and very detailed information about what is going on within the sector and where the important issues are, and it is there to act as a consistent and accurate guide and a barometer of opinions that are being expressed across the sector and across industries and organizations.”
He also said there is an intention to understand the issues in a more granular way, and it is “our opportunity to give the industry some sort of definite response and definitive action and guidance to how the issues in the sector are relevant to us and how they are being reacted to.”
Masson also explained that the concept is to provide a wider voice outside of the sector, as the profession continues to grow. “The profession continues to grow and it is because of the requirements and the complexity and the significance of data protection and the role of the DPO that it becomes more and more important,” he said. “We’ve seen a massive change in the last three years and seen how it is absolutely necessary for the role of the DPO to evolve and deliver more and more.”
If you are a data protection officer and you would like to join the anonymous panel that regularly contributes to the UK Data Protection Index, register here.
The UK government has failed to meet a crucial General Data Protection Regulation (GDPR) requirement in its COVID-19 Test and Trace program, putting people’s privacy rights at risk, according to the Open Rights Group (ORG).
This follows an admission by the UK’s Department of Health to the group that it has not conducted a data protection impact assessment (DPIA) – a GDPR requirement to identify and minimize data protection risks in projects that process personal information.
“The public can’t trust the program because a vital (and legally required) safety step known as a DPIA was dangerously ignored,” said the ORG in a statement.
Test and Trace was introduced in England on May 28 as part of the government’s strategy of easing COVID-19 lockdown restrictions. Under the initiative, the National Health Service (NHS) attempts to trace close recent contacts of anyone who tests positive for the virus, and if necessary, inform them that they need to self-isolate. This involves people being asked to provide sensitive data including their name, date of birth, postcode, who they live with and places they have recently visited, leading to privacy fears.
The ORG added: “The Test and Trace program has been rushed; private contractors have been employed to deliver it with large numbers of new employees. Many systems have been bolted together at short notice.
“We are doing everything we can to ensure the Test and Trace Program is made safe. That’s why we’re threatening legal action unless a proper DPIA is conducted immediately.”
In its letter to the ORG, the government said it was working with the Information Commissioner's Office (ICO) to ensure it is meeting its requirements under the GDPR.
Quoted by the BBC, a Department of Health spokesperson said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”
Jonathan Armstrong, partner at legal firm Cordery, commented: “A DPIA will be an essential element of any program like this and we know from the Facebook investigation in Ireland that a DPIA is important from a regulatory perspective.
“It is also important in establishing trust. Failing to do a DPIA becomes all the more important in this context – trust is key and any allegation that processing has taken place unlawfully destroys that trust.”
Darren Wray, CTO at Guardum, added: “The revelation that a DPIA was not performed as part of the track and trace project shows exceedingly poor governance and control. In the private sector, organizations are expected to ensure that data privacy and protection controls are a part of their business as usual processes, not something that is revisited in hindsight.”
UK consumers were targeted by a new phishing scam falsely purporting to be from leading UK supermarket Tesco, litigation firm Griffin Law has discovered.
The scam, which used a fake Facebook page as well as SMS and email communication, aimed to trick consumers into handing over their details and steal confidential and payment data.
The fraud began via an official-looking but fake Facebook page entitled ‘Tesco UK’ which shared images purporting to be from a Tesco warehouse, displaying packed boxes of HD TVs.
According to Griffin Law, the accompanying message said: “We have around 500 TVs in our warehouse that are about to be binned as they have slight damage and can’t be sold. However, all of them are in fully working condition, we thought instead of binning them we’d give them away free to 500 people who have shared and commented on this post by July 18.”
Unsuspecting users who then enthusiastically shared the post helped it to spread before receiving an email offering them the chance to ‘claim their prize.’ A button in the message linked victims to a landing page to enter their name, home address, telephone number and bank account details.
Griffin Law stated that at least 100 consumers have reacted to the Facebook page or received an email. The original fake Tesco Facebook page is now listed as ‘content unavailable.’
Tim Sadler, CEO, Tessian, said: “As the lines between people in our ‘known’ network and our ‘unknown’ networks blur on social media feeds and in our inboxes, it becomes incredibly difficult to know who you can and can’t trust. Hackers prey on this, impersonating a trusted brand or person to convince you into complying with their malicious request and they will also prey on people’s vulnerabilities.
“They know people are struggling financially during this [COVID-19] pandemic, so the offer of a free TV could be very attractive. However, as the saying goes, if it looks too good to be true...it probably is! Question the legitimacy of these messages and always verify the request or offer before clicking on the link.”
Two Uber drivers are taking the platform to court, arguing that it has failed to meet its GDPR obligations to reveal detailed profiling data about them and how it is used, according to reports.
The case will be launched today by the UK-based App Drivers and Couriers Union in the district court in Amsterdam, where the ride hailing giant’s European operations are headquartered.
The drivers, also based in the UK, want to know how the data and algorithms are used by the firm to make silent automated decisions about their jobs.
It is argued that only with greater transparency can gig economy workers like these challenge potential workplace discrimination and unfair treatment, and exercise important powers of collective bargaining over work and pay.
The kind of data they’re after includes information on any inappropriate driver behavior, late arrivals or missed ETAs, driver cancellations and other info on reliability, behavior and location, according to The Guardian.
“This is about the distribution of power. It’s about Uber exerting control through data and automated decision-making and how it is blocking access to that,” the drivers’ lawyer, Anton Ekker, is quoted as saying.
“The app decides millions of times a day who is going to get what ride: who gets the nice rides; who gets the short rides, but this is not just about Uber. The problem is everywhere. Algorithms and data give a lot of control but the people who are subject to it are often no longer aware of it.”
Uber argued in a statement that it works hard to provide personal data to individuals who request it, but that sometimes it either doesn’t exist or disclosing it would infringe the privacy rights of others.
“Under the law, individuals have the right to escalate their concerns by contacting Uber’s data protection officer or their national data protection authority for additional review,” it added.
Concerns have been raised in the past that national data protection authorities don’t have the in-house technical expertise or legal resources to challenge major tech companies with investigations.
Nearly one million records containing the personal information of online students have been leaked after cloud misconfigurations by five e-learning platforms, according to WizCase.
The VPN comparison site found four misconfigured and unencrypted AWS S3 buckets and one unsecured Elasticsearch server, compromising the details of countless e-learners, including many children, as well as their parents and teachers.
The personally identifiable information (PII) exposed included full names, home and email addresses, ID numbers, phone numbers, dates of birth and course/school information.
WizCase warned users of potential follow-on identity fraud, phishing attacks, stalking and blackmail.
“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” it added.
“However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”
The affected companies include Escola Digital, a Brazilian site that leaked 15MB of data, amounting to 75,000 records, although many came from 2016 and 2017.
South African site MyTopDog exposed over 800,000 records via a misconfigured S3 bucket, including documents related to business partner Vodacom School.
Kazakhstan-based Okoo leaked 7200 records via an Elasticsearch server, while US sites Square Panda (15,000) and Playground Sessions (4100) round out the affected platforms.
WizCase urged users who may have had their data exposed in this way to regularly check for unusual activity on their accounts, to be extra cautious when receiving unsolicited emails and never to give out PII over the phone.
These incidents are widespread across virtually all industries, although the online learning sector has been booming of late thanks to COVID-related school closures across much of the world.
Earlier this month, WizCase revealed five dating apps in the US and Asia that had exposed millions of customer records through misconfigured Elasticsearch servers, MongoDB databases and AWS buckets.
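The exposures described above and in the Family Tree Maker story come from storage that answers anonymous requests. The following is an added example, not code from WizCase or from any of the affected companies, showing how a defender can flag the two S3 settings that most often cause this: an ACL grant to one of the global groups, and a bucket policy statement that allows any principal without a condition. The input shapes mirror what the S3 GetBucketAcl and GetBucketPolicy calls return; the bucket names, IDs and ARNs in the samples are constructed for illustration.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that make a bucket
world-readable. Added example; input shapes follow the S3 GetBucketAcl /
GetBucketPolicy responses, sample data is constructed."""
import json

# Grantee URIs that mean "everyone" or "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(grantee_uri, permission)] for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((uri, grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index label) of each Allow statement that is open to
    any principal and carries no Condition block. None means no policy."""
    if policy_json is None:
        return []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned wildcard grants need manual review instead
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def bucket_is_public(acl, policy_json):
    """Overall verdict: any public ACL grant or any open policy statement."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy_json))


# Constructed samples (not real buckets or accounts).
OWNER = {"ID": "constructed-owner-canonical-id"}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAFE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/constructed-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
]})

if __name__ == "__main__":
    for name, acl, pol in (("leaky", LEAKY_ACL, LEAKY_POLICY), ("safe", SAFE_ACL, SAFE_POLICY)):
        print(name, "public:", bucket_is_public(acl, pol),
              public_acl_grants(acl), public_policy_statements(pol))
```

In a real audit the two inputs come from `get_bucket_acl` and `get_bucket_policy` for each bucket; a bucket with the account-level or bucket-level Public Access Block enabled should be checked first, since that setting overrides both of these grants.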
Cybercrime offenses reported by individuals and businesses have risen 23% over the past year, according to the Office for National Statistics (ONS).
The UK government body explained that 26,215 incidents were referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud in the year ending March 2020.
The year-on-year increase was driven by a large uptick in the two highest-volume “computer misuse” types reported to Action Fraud. “Hacking – social media and email” saw a 55% increase from 12,894 offenses, and “computer viruses/malware” incidents soared by 61% to reach 6745 cases.
The double-digit increase in reported cybercrime came despite improvements to “internal case review processes” and an online reporting tool at Action Fraud in October 2018, which meant some offenses previously categorized as computer misuse are now being properly identified as fraud, ONS said.
On that note, when fraud is added to computer misuse, there was an increase of just 12% in cases reported to the NFIB over the period.
The ONS claimed that its Crime Survey for England and Wales (CSEW) is a more accurate indicator of true levels of cybercrime in the region as it includes incidents that go unreported to the police. However, it only captures incidents reported by individuals.
“In the year ending March 2020, CSEW-estimated computer misuse offences did not change from the previous year, remaining at around 900,000 offences,” it noted. Fraud reported to the survey also remained pretty static, at 3.7 million cases.
George Glass, head of threat intel at Redscan, argued that the data behind the ONS report is still beset by quality issues.
“I still think this latest Crime in England and Wales report paints an inaccurate picture of computer misuse and online fraud cases in the UK. Action Fraud has been branded not fit for purpose for its failures to review reports from scam victims,” he added.
“This is the reason that the reporting system has now been overtaken by the NCSC. You only need to look at the huge numbers of reports of COVID-19 related scams to know that the situation is far worse than represented by these latest statistics.”
Twitter has revealed the true extent of this week's large-scale cyber-attack that saw the accounts of multiple celebrities compromised.
The social media giant said a total of 130 accounts were targeted as part of a major cybersecurity incident that took place two days ago.
Following the attack, what appeared to be a Bitcoin scam was tweeted from the hijacked accounts of some of the world's most famous public figures, including former US president Barack Obama, Kanye West, Bill Gates, and former US vice president Joe Biden.
The fraudulent tweet posted from the hijacked accounts made it appear as though the victim was planning to give back to their community by making a financial donation. The post invited the victim's followers to give $1,000 in the next 30 minutes, tempting them with the lure that their donation would be doubled by the account's owner.
At first the attackers tweeted about the supposed charity drive from Bitcoin-related accounts, but it quickly spread to the accounts of public figures, including Elon Musk and Kim Kardashian West, and to the corporate accounts of Uber and Apple.
Spotted by many as an obvious scam, the Bitcoin charitable donation tweet fooled hundreds of Twitter users and earned the cyber-attackers over $100k.
In an effort to contain the attack, Twitter temporarily blocked all verified users from tweeting.
According to Twitter, the successfully compromised accounts represented a "small subset" of the total number of accounts the attackers had in their crosshairs.
The company has launched an investigation into the incident but has so far been unable to determine whether any private data was stolen. Such information could include the content of direct messages.
Providing an update to the situation via its official support account, Twitter stated: "We're working with impacted account owners and will continue to do so over the next several days. We are continuing to assess whether non-public data related to these accounts was compromised."
An investigation into the cyber-attack has been launched by the Federal Bureau of Investigation. It is believed that whoever was responsible was able to bypass account security protections by somehow gaining access to Twitter's own internal administration tools.
German law has been deemed inadequate at protecting the constitutional right of German citizens to privacy.
The federal Constitutional Court in Karlsruhe ruled that the extent to which the German police can access people's internet and cell phone data was unconstitutional and that the country's privacy laws need to be revised.
Currently, German law enforcement agencies investigating crimes or working to prevent terror attacks are permitted to access names, addresses, birth dates, and IP addresses from telecom companies, hospitals, and hotels without the approval of a judge. However, they are not allowed to access data regarding an individual's connections to other people.
The ruling comes after campaigners voiced a challenge to the country's existing privacy laws, requesting that German police should only be allowed to access phone and internet data if a crime is suspected and in the event of a specific danger.
Proving that the wheels of justice really do turn slowly, the first of two lawsuits created to challenge the police's access to data was filed to the court back in 2013. The suit, which was backed by 6,000 people, was brought by European Pirate party politicians Katharina Nocun and Patrick Breyer.
The plaintiffs complained that German police were routinely given access to data including PIN numbers and email passwords from a variety of sources when investigating relatively minor crimes.
Nocun and Breyer said that the sweeping access to users’ private data permissible under German law risked the creation of “a new secret police of the internet that can ransack and scan our most intimate thoughts.”
The Constitutional Court ruled that investigators can be given access to the data of users in principle, but that it needs to happen in a way that doesn't impinge on a citizen's right to privacy.
Following the court's ruling, the German government must now obey an order to reform the nation's Telecommunications Act by the conclusion of 2021. The Act was last revised in 1996.
Revision of the Act is likely to impact how a newly enshrined law designed to combat far-right extremism is upheld. The law requires Facebook, Twitter, and YouTube to report hate speech to police and delete harmful content within 24 hours of its being posted.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has given all government agencies 24 hours to fix a critical vulnerability in Windows Server.
An emergency directive was issued yesterday instructing agencies to deploy patches or mitigations by 2pm EDT today to resolve the CVE-2020-1350 vulnerability, also known as SIGRed.
The flaw is a remote code execution vulnerability that exists in how Windows Server is configured to run the Domain Name System (DNS) Server role.
An unauthenticated attacker can exploit the vulnerability by sending malicious requests to a Windows DNS server. The attacker could then run arbitrary code in the context of the Local System Account.
According to the emergency directive, "CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."
A software update to mitigate this critical flaw in Windows Server operating systems was released on July 14 by Microsoft. Now CISA is ordering all government agencies to apply the fix to every Windows Server running the DNS role and to submit an initial status report by 2pm EST on Monday, July 20.
To Lamar Bailey, director of security research and development at Tripwire, the urgency of CISA's directive is understandable.
“CVE-2020-1350 (SIGRed) is one of the most serious vulnerabilities disclosed this year," commented Bailey. "It scores a CVSS score of 10."
CISA said it is "unaware of active exploitation of this vulnerability," but Bailey believes that even if this is the case, the situation could change in the immediate future.
"It is plausible to believe this is currently being exploited in the wild or will be very soon," said Bailey. "It is time to burn the midnight oil and get this patched ASAP.”
CISA's actions come after experts warned of the dangers of SIGRed earlier this week. Gill Langston, head security nerd at SolarWinds MSP, urged administrators to tackle the vulnerability as a "number one priority" after the patch was released on Tuesday.
US government agencies have until 2pm EST on Friday, July 24 to submit a completion report, confirming that the vulnerability has been neutralized.
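The directive asks each agency to find every Windows Server running the DNS role and show it has been patched or mitigated. The script below is an added example, not from CISA, Microsoft or the article, that an administrator can run on a server to answer those questions locally. It reports whether the DNS Server role is installed, whether the registry workaround Microsoft published alongside the fix is in place, and which updates were installed on or after the July 14 release so they can be matched against the advisory. The registry path and value below are the ones Microsoft documented for CVE-2020-1350 at the time; confirm them against the current advisory before relying on the output.

```powershell
# Added example: local SIGRed (CVE-2020-1350) status check for one Windows Server.
# Run in an elevated PowerShell session on the server itself.

$report = [ordered]@{}

# 1. Is the DNS Server role installed? (ServerManager module, present on Windows Server)
$dnsFeature = Get-WindowsFeature -Name DNS
$report.DnsRoleInstalled = [bool]$dnsFeature.Installed

# 2. Is the registry workaround present? Microsoft's advisory at the time set
#    TcpReceivePacketSize to 0xFF00 under the DNS service parameters; verify
#    against the current advisory. The DNS service must be restarted after setting it.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$value = Get-ItemProperty -Path $regPath -Name TcpReceivePacketSize -ErrorAction SilentlyContinue
$report.WorkaroundPresent = ($null -ne $value -and $value.TcpReceivePacketSize -eq 0xFF00)

# 3. Which updates were installed on or after the 14 July 2020 release? The KB
#    number differs per OS version, so the list is left for the operator to match.
$patchDate = Get-Date -Year 2020 -Month 7 -Day 14
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $patchDate } |
    Select-Object HotFixID, InstalledOn
$report.UpdatesSincePatchRelease = ($recent | ForEach-Object {
    "$($_.HotFixID) ($($_.InstalledOn.ToShortDateString()))" }) -join ', '

# Summary line in the shape an initial status report needs.
if ($report.DnsRoleInstalled -and -not $report.WorkaroundPresent -and -not $recent) {
    $report.Status = 'ACTION REQUIRED: DNS role present, no workaround, no updates since 14 July 2020'
} elseif ($report.DnsRoleInstalled) {
    $report.Status = 'DNS role present: confirm the listed updates include the CVE-2020-1350 fix'
} else {
    $report.Status = 'DNS role not installed: out of scope for this directive'
}

[pscustomobject]$report
```

Because `Get-HotFix` lists all updates rather than the DNS fix specifically, the output is an inventory to reconcile against the advisory, not a final verdict; the registry check is the one unambiguous signal the script can give.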
Businesses should prepare for the post Privacy Shield era now, and get binding corporate rules (BCR) and standard contractual clauses (SCC) in place for their own data protection.
Speaking on a conference call after the earlier decision declaring Privacy Shield invalid, Cordery partners Andre Bywater and Jonathan Armstrong called the announcement “among the most eagerly awaited” in the field of data protection.
Bywater advised listeners that it is worth them doing some due diligence “to see who they are sending data to so they are fully protected.” He said he had not expected Privacy Shield to be invalidated, and it has been declared invalid due to concerns around US domestic law and the access and use of European residents’ data.
With it appearing unlikely that there will be any type of grace period, he recommended putting in SCCs where there is an issue. An SCC is an obligation imposed on both the exporter and the importer of data between the EU and third countries to ensure that data transfer arrangements protect the rights and freedoms of data subjects.
Armstrong said it may be the case that SCCs are “probably the only game in town for people” and depending on national challenges, we “could end up with the nightmare where some authorities accept SCCs and some do not.”
Armstrong explained that he does not expect a new and improved version of the Privacy Shield, and while there are more groups that have brought challenges, he is not convinced there would be any short term solution. “We are in a different world post-GDPR, and there are more powers to enforce, so Data Protection Authorities (DPAs) have to step up,” he said. He also argued that any new version of Privacy Shield would “be likely to have more teeth as a result.”
Asked by Infosecurity if BCRs are a better option, Armstrong said they have a different foundation in GDPR and are specifically there to transfer data, but this cannot be done overnight and a sponsoring DPA will need to be found to approve it and take it to other regulators, and that process could take eight to nine months minimum. “It is not a quick fix and you will need interim plans,” he said.
Looking forward, Armstrong said that had Facebook still completed data transfers last night, it could have problems and this could be an overall concern for social media companies. “Most organizations have got to react today or tomorrow and have a plan, it will not be foolproof and include communications and FAQs,” he said.
“There may be some political fudge, and there may be a ‘keep calm and carry on’ message from (vice-president of the European Commission for Values and Transparency) Vera Jourova, as she has bigged-up privacy rights and this is a difficult political tightrope for her and enforcement will be proportionate to give her a chance to create a plan, but aggrieved individuals and pressure groups are not as patient as a regulator could be.”
Bywater said regulators will be taking a much closer look at SCCs and may ask to see them and see where you transfer data, “so take a closer look at what you have in place as this is not something that will go away.”
A new enforcement body could have the power to ban, recall or destroy insecure consumer IoT products, according to the latest government plans.
The UK is looking to take a global lead on IoT security with proposed legislation first published at the start of the year.
In an update yesterday it revealed that a new body would be set up to enforce the law, with powers to: temporarily ban sales while a product is tested, permanently ban insecure products and serve recall notices.
Under the proposals, it could also be granted the power to apply for a court order to confiscate or destroy a dangerous product or issue fines against the manufacturer.
Earlier in the year, the government revealed that the law will mandate three main security requirements for all smart gadgets sold in the UK.
These are: unique device passwords which are not resettable to factory defaults, a public point of contact at the manufacturer to which bugs can be reported, and clearly visible information stating the minimum length of time for which security updates will be available.
It remains to be seen how the UK would actually enforce a ban on the sale of non-compliant IoT kit, especially products manufactured abroad and sold online, as most are.
That hasn’t stopped the government trumpeting its efforts as a leader in this area: it claimed to have been instrumental in helping to develop the recently announced global ETSI standard for consumer smart devices.
The government is now requesting feedback from industry stakeholders to help it shape the final enforcement approach.
“Consumer IoT devices are increasingly delivering on their potential to improve consumers’ lives, with smart speakers, activity trackers and smart kitchen appliances a few notable examples,” said techUK CEO Julian David. “However, poor security practices have consistently slowed the adoption of these devices, acting as a barrier to UK citizens reaping the benefits of the latest innovations and products.”
More than 260,000 actors have had their personal data exposed thanks to yet another misconfigured cloud server.
Researchers at SafetyDetectives led by Anurag Sen discovered the unprotected Elasticsearch server, which contained 1GB of data, amounting to 9.5 million records.
It apparently belonged to New Orleans-based casting agency MyCastingFile.com, which has recruited actors for Terminator movies, TV show True Detective and other productions.
The “talent profiles” found in the trove included full names, residential and email addresses, phone numbers, dates of birth, height and weight, photographs and vehicle information.
In total, over 260,000 members had their data exposed in this way, including potentially actors under the age of 18, according to SafetyDetectives.
It warned that the leaked email addresses and personal data could be used to send convincing phishing emails impersonating MyCastingFile, in order to trick users into clicking through on malware downloads.
“Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as ‘catfishing’ — the act of luring someone into a relationship by means of a fictional online persona,” it added.
It’s believed the database was exposed since May 31 2020, but the researchers said the issue was fixed following their disclosure.
Pravin Kothari, founder and CEO of cloud security vendor CipherCloud, argued that avoiding misconfigurations in the cloud is increasingly challenging.
“These issues most frequently revolve around a lack of visibility into faulty controls, not a lack of effort,” he added.
“Perhaps the biggest hurdle, even greater than monitoring for risky configurations, as in this case, relates to better management of cloud data itself. We find that organizations are moving so fast to embrace cloud apps and infrastructure that they cannot maintain visibility into all the issues of data protection and access required to prevent subsequent breaches.”
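The pattern behind this and the other "open Elasticsearch" incidents on this page is the same two settings in combination: an HTTP listener bound to an address reachable from outside the host, on a node where authentication was never switched on. The following is an added example, not code from SafetyDetectives, MyCastingFile or Elastic, that audits a flat `elasticsearch.yml` for that combination. The two configuration snippets are constructed for illustration and do not reflect the affected company's real configuration; the assumption that `xpack.security.enabled` defaults to off applies to 7.x nodes on the basic licence, and the `default_security_enabled` flag exists so the same check can be run against 8.x, which enables security automatically.

```python
"""Audit a flat elasticsearch.yml for an HTTP API reachable without authentication.

Added example. The configs below are constructed, not taken from any real deployment.
"""

# Elasticsearch special bind values and wildcards that listen beyond the host itself.
WIDE_BINDS = {"0.0.0.0", "::", "_site_", "_global_"}
# Values (including "unset") that keep the HTTP API on loopback only.
LOOPBACK = {"", "127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text: str) -> dict:
    """Minimal parser for flat `key: value` lines with `#` comments and `[a, b]` lists.

    Nested YAML blocks are out of scope here and would need a real YAML library.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def bind_addresses(settings: dict) -> list:
    """Addresses the HTTP listener binds to; http.host overrides network.host."""
    raw = settings.get("http.host", settings.get("network.host", "")).strip("[]")
    return [p.strip().strip("'\"") for p in raw.split(",")] if raw else [""]


def audit(text: str, default_security_enabled: bool = False) -> dict:
    """Return the risk facts for one node configuration.

    default_security_enabled=False models 7.x on the basic licence (assumption:
    security is off unless explicitly set). Pass True for an 8.x node.
    """
    settings = parse_settings(text)
    addrs = bind_addresses(settings)
    reachable = any(a not in LOOPBACK for a in addrs)
    sec = settings.get("xpack.security.enabled")
    auth_enabled = default_security_enabled if sec is None else sec.lower() == "true"
    return {
        "reachable_beyond_loopback": reachable,
        "wildcard_bind": any(a in WIDE_BINDS for a in addrs),
        "auth_enabled": auth_enabled,
        # The condition that lets anyone who can reach port 9200 read every index.
        "exposed_without_auth": reachable and not auth_enabled,
    }


# Constructed weak config: listens on every interface, security never enabled.
WEAK_CONFIG = """
cluster.name: talent-search
node.name: node-1
network.host: 0.0.0.0          # every interface, including the public one
http.port: 9200
# xpack.security.enabled left unset -> off by default on 7.x basic
"""

# Constructed hardened config: authentication and TLS on, bound to an internal address.
HARDENED_CONFIG = """
cluster.name: talent-search
node.name: node-1
network.host: 10.0.1.15        # internal address only (constructed)
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Note that the hardened node still reports `reachable_beyond_loopback`, which is expected for a cluster member: the check's verdict is the combination, not either setting alone. A node bound to a private address with authentication on is a normal deployment; a node bound to `0.0.0.0` with authentication off is the leak.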
The UK has accused Russia of interfering in the 2019 General Election by spreading online leaked government documents revealing negotiations with the US on trade.
A statement from the foreign secretary Dominic Raab branded the practice “completely unacceptable.”
“On the basis of extensive analysis, the government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online amplification of illicitly acquired and leaked government documents,” it noted.
The documents, which eventually ended up in the hands of former Labour leader Jeremy Corbyn, detailed how the NHS was being used by the US as a bargaining chip in post-Brexit trade talks.
Raab avoided accusing the Kremlin of directly stealing the documents, which The Guardian claimed “are thought to have been obtained via a government special adviser’s personal email account.”
However, they were then allegedly disseminated online by Russian actors. They were posted first on Reddit last October by a user named “Gregoriator,” and then via Twitter by a user with the same name.
Social media analysts at Graphika reportedly claimed the spelling and grammatical mistakes in those posts are common to Russian language speakers, and the amplification techniques used are also said to be straight out of the Kremlin playbook.
The timing of Raab’s statement could be significant, as it comes ahead of a long-awaited intelligence report into whether Russia has influenced the democratic process in the UK, including the EU referendum.
Prime Minister Boris Johnson and senior ministers have long dismissed such claims and Johnson has delayed the report’s release for many months.
“Today’s government claim is an attempt to divert attention from the threat to the NHS and the Tory party links to Russian oligarchs expected to be revealed in the long-buried parliamentary Russia report,” said former Labour leader Corbyn yesterday.
The news comes as the National Cyber Security Center yesterday revealed that Russian hackers were actively attempting to steal IP related to US, UK and Canadian efforts to find a COVID-19 vaccine.
More than half of Canadians have fallen victim to a cybercrime, according to a new report by the Cybersecure Policy Exchange (CPX) at Ryerson University in Toronto.
In the report Advancing a Cybersecure Canada: Introducing the Cybersecure Policy Exchange, the CPX revealed that 57% of Canadians say that they have been a victim of a cybercrime.
This percentage is a significant increase from 2017, when, according to an Accenture survey, just 36% of Canadians reported being the target of a cybercrime attempt.
The findings came from a survey of 2,000 Canadians conducted in mid-May 2020 that sought to understand the experiences, choices and priorities of the public toward their online safety.
Of the five types of cybercrime listed in the survey, the most commonly encountered was unintentionally installing or downloading a computer virus or other malware, reported by 31% of respondents; ransomware was reported by 8%.
Data breaches proved problematic for more than a quarter of those surveyed, with 28% reporting that their personal information had been exposed through a cybersecurity incident of this nature.
While the majority of those surveyed had not experienced a hack of an online account, 22% had fallen victim to this particular cybercrime. A malicious email or spoofed website had managed to deceive 13% of those surveyed.
With the publication of the report, the initiative hopes to stimulate a national debate around cybersecurity and digital privacy.
“We need urgent national policies that protect our security and digital privacy, while ensuring equal access for all,” said one of the report authors, Charles Finlay.
CPX maintains that there is an urgent need to address the security and privacy risks and vulnerabilities facing Canadians online.
“To do so, our governments, our public and private institutions, and all Canadians, must demonstrate leadership, to ensure that we create and implement balanced public policy that will drive innovation while responsibly protecting Canadians,” stated the authors of the report.
Online retail giant Amazon and tech leaders Microsoft and Google are reportedly being sued for allegedly violating a biometric privacy law in the state of Illinois.
Cases against the companies were brought on Tuesday by two residents of the Prairie State, Steven Vance and Tim Janecyk.
The plaintiffs allege that the three companies obtained a database from IBM that contained 100 million faceprint pictures scraped from the photo-hosting site Flickr.
IBM's Diversity in Faces database was released in January last year. The database was coded to describe the appearance of each subject and touted as a step toward eradicating bias in facial recognition.
Images added to the database were reportedly taken from Flickr without obtaining the consent of the individuals whose faces were photographed.
Collecting or storing scans of a consumer's facial geometry without their written consent is outlawed in Illinois under the Biometric Information Privacy Act, passed in 2008. Vance and Janecyk say their images were included in the data set without their consent, despite the fact that they identified themselves as residents of Illinois.
In four separate class-action lawsuits filed in two different states, the duo alleges that Amazon, Microsoft, Google parent Alphabet, and software company FaceFirst violated Illinois law by obtaining the IBM database "to improve the fairness and accuracy" of their own facial recognition technologies and products.
According to the suit, the defendants "chose to use and profit from biometric identifiers and information scanned from photographs that were uploaded from Illinois; managed via Illinois-based user accounts, computers and mobile devices, and/or created in Illinois.
"In doing so, [the defendants] exposed Illinois residents and citizens to ongoing privacy risks within Illinois, knowing that [their] conduct would injure those residents and citizens within Illinois."
The lawsuit against FaceFirst was filed in the Central District of California, while the complaint against Google parent Alphabet was brought in federal court in the Northern District of California. Suits against Amazon and Microsoft were filed in the Western District of Washington.
Vance and Janecyk brought a case against IBM earlier this year for allegedly breaking the same Illinois privacy law when they created the database. That case is pending in Illinois' federal district court.
The Federal Bureau of Investigation has issued a warning to air travelers to be wary of bogus US airport websites when booking flights online.
Cyber-supervisory special agent Conal Whetten spoke to members of the press on Wednesday to raise awareness regarding the creation of a number of websites cleverly faked to look like the real deal.
Whetten said these spoofed domains, which grow increasingly sophisticated as cyber-criminals hone their skills for mimicry, posed a real threat for travelers, airports and the aviation industry as a whole.
By establishing a malicious domain that appears to feature an organization’s logo, font, color scheme, and writing style, cyber-criminals are frequently able to fool users into thinking that they are on a site that is authentic and safe to use.
“They do this to steal personal and business data,” explained Whetten, “and US airports are an attractive target for cyber-actors because there is a rich environment of business and personal information.”
The malicious lookalike websites use domain names almost identical to the one they impersonate, often with just one character altered. That subtle difference can easily go undetected.
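The one-character variants described above are mechanical enough to screen for. The following is an added example, not code from the FBI or from any airport, that checks hostnames from a log against a known-good list and flags anything within one insertion, deletion or substitution of a legitimate name, after folding common visually confusable sequences (`rn` for `m`, `1` for `l`, and so on). The allow-list entries and the sample hostnames are constructed placeholders, not real airport domains.

```python
"""Flag one-character lookalike domains against a known-good list.

Added example. Domain names below are constructed, not real airport sites.
"""

# Constructed allow-list of legitimate hostnames (hypothetical).
LEGIT_DOMAINS = {"example-airport.com", "flyexample.org"}

# Confusable sequences mapped to the letters they imitate. Multi-character
# entries come first so "rn" -> "m" runs before single-character swaps.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def canonical(host: str) -> str:
    """Lower-case and drop a trailing dot so case and FQDN form do not matter."""
    return host.strip().lower().rstrip(".")


def fold_homoglyphs(host: str) -> str:
    """Replace confusable characters with the letters they are meant to resemble."""
    for fake, real in HOMOGLYPHS:
        host = host.replace(fake, real)
    return host


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution.

    Linear-time special case of Levenshtein distance <= 1.
    """
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a  # make a the longer (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1            # skip the extra or changed character in a
        if len(a) == len(b):
            j += 1        # a substitution also consumes a character of b
    # Any unconsumed tail (an appended character) is one more edit.
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify(host: str, legit=LEGIT_DOMAINS):
    """Return ("legitimate" | "lookalike" | "unrelated", matched_domain_or_None)."""
    h = canonical(host)
    if h in legit:
        return "legitimate", h
    folded = fold_homoglyphs(h)
    for good in legit:
        if within_one_edit(h, good) or within_one_edit(folded, fold_homoglyphs(good)):
            return "lookalike", good
    return "unrelated", None


if __name__ == "__main__":
    # Constructed hostnames as they might appear in proxy or DNS logs.
    seen = [
        "example-airport.com",
        "EXAMPLE-AIRPORT.COM.",
        "exanple-airport.com",    # substitution
        "exampleairport.com",     # deletion
        "example-airports.com",   # insertion
        "examp1e-airport.com",    # homoglyph: 1 for l
        "exarnple-airport.com",   # homoglyph: rn for m
        "totally-different.net",
    ]
    for name in seen:
        verdict, match = classify(name)
        print(f"{name:28} {verdict:11} {match or ''}")
```

Edit distance alone produces false positives for very short names, where many legitimate domains sit one character apart; in practice the check is run against the organization's own domains and a short allow-list of known neighbours, and a "lookalike" hit is a prompt for a registrar lookup, not proof of fraud.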
According to Whetten, criminals create these fake domains to spread malware capable of compromising a user’s personal or business data. The theft of this data can ultimately lead to identity theft and financial loss.
“They can use your social media lists to scam your friends and family, even order fraudulent purchases from online businesses, ultimately leaving you with the bill,” said Whetten.
The threat doesn’t stop once tickets have been booked, with criminals banking on airport users reaching for an IoT device at the airport to pass the time before they fly.
“Cyber-actors can capitalize on this sector by creating spoof domains and Wi-Fi networks, which can trick both passengers and airport operators into interacting with malicious websites or emails,” said Whetten.
The agent advised users to disable or remove all unnecessary software protocols and portals and to use multi-factor authentication where possible.
Describing just how widespread this particular cybercrime is, Whetten said: “Over 96% of companies suffer from domain spoofing attacks in one form or another.”