A US crackdown on perceived efforts by China to unfairly acquire US talent and R&D has stepped up a notch, with charges filed against a senior Harvard academic.
Charles Lieber, the chair of Harvard University’s department of chemistry and chemical biology, was arrested on Tuesday on one count of “making a materially false, fictitious and fraudulent statement.”
As principal investigator of the Lieber Research Group at Harvard, he has received $15m in government grants to research cutting-edge nanoscience techniques. However, such funding requires disclosure of any major foreign financial conflicts of interest.
It is alleged that, since 2011, Lieber has been a “strategic scientist” at Wuhan University of Technology (WUT), and that from 2012-17 he was a “contractual participant” in Beijing’s Thousand Talents Plan, which Washington claims is designed to recruit foreign science experts to steal research secrets.
He’s said to have made millions from these endeavors but allegedly lied about his involvement in both schemes. Lieber could be facing five years behind bars for making false statements to investigators.
Notably, Lieber’s case was published by the Department of Justice (DoJ) alongside that of two alleged Chinese spies who enrolled as students at US universities to steal research material.
Yanqing Ye is in fact a PLA lieutenant who studied at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019, allegedly stealing info for military research projects and profiling US scientists for her bosses.
Zaosong Zheng conducted cancer-cell research at Beth Israel Deaconess Medical Center in Boston from September 2018 to December 2019, but was arrested trying to smuggle 21 vials of biological research out of the country on a flight to China. It’s claimed he wanted to publish the research results under his own name.
Visa fraud carries a sentence of up to 10 years behind bars, as do acting as a foreign agent and smuggling goods out of the US.
The US Department of the Interior (DOI) has temporarily grounded its fleet of unmanned aircraft systems (UAS) while it checks whether equipment which is manufactured by foreign companies or contains parts made abroad represents a national security risk.
Drones are used by the DOI to protect national treasures and critical resources, in tasks such as: “emergency management; fighting wildland fires; conducting search and rescue; surveying Federal land; collecting research data; and assisting law enforcement, among others.”
“The [DOI] has been a leader in deploying UAS to better achieve its goals. These efforts include assessing, collecting, and maintaining information that relates to our critical American energy, transportation and defense infrastructure,” DOI secretary David Bernhardt said.
“In certain circumstances, information collected during UAS missions has the potential to be valuable to foreign entities, organizations and governments.”
While the drones remain grounded for all but emergency operations, the department will establish procedures for identifying which are made by foreign-owned companies or contain foreign-manufactured parts. DOI chiefs are being instructed to limit funds spent on such drones.
The temporary grounding measure was first flagged back in October 2019, so the latest order indicates persistent national security concerns in Washington. The overall effect appears to be rooting out and sidelining foreign kit in favor of US-made products.
“With this order, the department is taking action to ensure that our minimum procurement needs account for such concerns, which include cybersecurity, technological considerations and facilitating domestic production capability,” the order continued.
China is not mentioned by name in the order, but would be an obvious target here.
One of its biggest drone makers, DJI, contributes a small number of machines to the 800-strong DOI fleet.
“DJI makes some of the industry’s most safe, secure, and trusted drone platforms for commercial operators. The security of our products designed specifically for the DOI and other US government agencies has been independently tested and validated by US cybersecurity consultants, US federal agencies including the Department of Interior and the Department of Homeland Security, which proves today’s decision has nothing to do with security,” it said in a statement.
“We are opposed to the politically-motivated country of origin restrictions masquerading as cybersecurity concerns and call for policymakers and industry stakeholders to create clear standards that will give commercial and government drone operators the assurance they need to confidently evaluate drone technology on the merits of performance, security and reliability, no matter where it is made.”
Hackers compromised dozens of United Nations (UN) servers last summer in an attack which the world body kept a secret from its own employees, according to a new report.
The attack began in mid-July 2019 in what one senior UN IT official called a “major meltdown,” affecting servers in UN offices in Vienna and Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva.
Some 400GB is thought to have been exfiltrated by the hackers, including Active Directory lists of users. Although it’s unclear exactly what other info was taken, the servers in question could have provided access to sensitive details on UN employees, and commercial contract data, according to The New Humanitarian.
The OHCHR in particular handles highly sensitive data on human rights activists which could land subjects in deep trouble with governments back home.
According to an internal report on the incident seen by AP, the hackers exploited a Microsoft SharePoint vulnerability to access the UN network, although the type of malware used is unknown, as is the location of the C&C servers used to exfiltrate the data. It’s also unclear how the attackers maintained a presence on the network once inside.
Most controversially, the UN seems to have used its diplomatic immunity to keep the incident a secret, despite it raising serious questions under the GDPR.
Staff were told only to reset their passwords, but not why, it is claimed.
“As the exact nature and scope of the incident could not be determined, [the UN offices] decided not to publicly disclose the breach,” said UN spokesperson Stéphane Dujarric.
The level of sophistication used and the motivation for striking at the heart of the UN’s human rights efforts indicate a nation-state actor, according to experts.
Traditional cybersecurity measures may not be successful against nation-state hackers, meaning firms must focus on detection and response, according to Exabeam senior security engineer Joe Lareau.
“One critical step all of these entities can take now is to monitor for tactics, techniques and procedures (TTPs) specific to various state-sponsored groups,” he added.
“Overall, we recommend building and using ‘defense in depth’ — multiple layers of controls that involve staffing, procedures, technical and physical security for all aspects of the security program.”
The future of security and privacy should be focused on the person and the impact upon them.
Speaking to Infosecurity at the DigiCert Security Summit in San Diego, DigiCert CEO John Merrill said that security is about privacy and trust, and who is on the other side, and there is more awareness of privacy thanks to regulations like GDPR.
“Look at it from a global sense, the technology is outpacing a lot of people’s understanding of and government’s ability to deal with it,” he said. “Look at facial recognition issues, we’ve just found out that companies have been keeping data with facial recognition stored on their servers: how do we handle that? The answer is that we are more aware of it and the technologies are there in some cases, for the internet we seem to be doing a pretty good job.”
Merrill went on to say that “technology is evolving faster than our ability to cope with it,” so are we therefore struggling to chase an impossible dream of protection? “Whether it is impossible or not, it is a worthy goal as the majority of users on the internet are safe because of the protocols that have been put in place over the last 20-30 years,” he said. “So they are not 100% safe, but as technology evolves, you’re going to have items that you have to deal with from a security and privacy standpoint.
“We may be behind with technology, but that does not mean you should stop running to try and figure it out.”
Merrill added that people should be the focus of security and privacy. Whether it is facial recognition or their ability to use the internet, go to the bank or use a phone, protecting the person is something that we have to do.
A hacker has taken to Twitter to share design secrets they allegedly obtained by compromising American automotive and energy company Tesla.
Posting on the account @greentheonly on Friday night, a hacker who calls themself "Green" said that Tesla was planning to introduce new hardware to their S and X model cars.
Modifications that Green claims are in the cards include the introduction of new battery options and a suspension redesign.
According to Green, Tesla has added a wireless device charger to its two oldest car models. The charger is allegedly integrated into the center console. Green also claims to have uncovered plans for a new type of charging port.
Another interior change that the hacker says is coming to the S and X models is something Green describes as "new lumbar," which could possibly mean a redesign of the front seats.
Aside from the cosmetic changes, Green claims that Tesla plans to introduce two new battery types into both models, which the hacker claims will be available in several configurations. Other information allegedly hacked from Tesla by Green revealed that the company plans to introduce a new suspension option.
Tesla hasn't confirmed or denied the hacker's findings. The company, which is based in Palo Alto, California, has not announced any plans to update the Model S or the Model X.
Following Green's Twitter post, Tesla has however "quietly added a wireless phone charger to the list of standard features posted on its website," according to Autoblog.com.
Tesla traditionally waits until the last minute to load information regarding new features into its computer system in a bid to prevent data leaks. Both Green and Autoblog speculate that an announcement of the new features for the X and S could be around the corner.
Green wrote on Twitter: "Tesla seemed to have realized no matter what they do stuff leaks through firmware so froze releases on week 40 and just backported absolute necessary stuff to limit leakage. And now past the new year this must be hw [hardware] they put into cars now/vsoon so cannot avoid it."
Tesla started building the Model S in 2012. Three years later, the company launched the Model X. Unique and cutting-edge in their time, both cars now compete in an expanding electric luxury car market that includes Porsche's Taycan, the Audi E-Tron, and the Jaguar I-Pace.
A panel of experts from Japan's Ministry of Internal Affairs and Communications proposed a set of emergency cybersecurity measures on Monday ahead of this year's Olympic and Paralympic Games.
The measures were shared amid fears that Japan will experience a surge in cyber-attacks while hosting the world-famous sporting event this summer.
After making a series of recommendations, the panel called for the government to draw up plans to introduce cybersecurity training at a local government level. The panel pointed out that while almost all central government bodies in Japan have received cybersecurity training, nearly half of all local governments have not been taught how to respond to a cyber-attack.
The panel called for the government to quickly determine whether adequate security measures were in place for devices installed in the country's transportation infrastructure and other important public facilities that may be vulnerable to cyber-attack because of their use of Internet of Things (IoT) technologies.
Any cybersecurity issues that arise following an examination of the security of these devices should be flagged and reported to administrators, who should then address the problem, advised the panel. The panel proposed that thorough cybersecurity checks be conducted on devices whose manufacturer-issued passwords have never been changed.
A further measure suggested by the panel was for any cyber-attacks that occur in Japan to be reported in a timely manner. They also called for organizations to practice information sharing.
In their emergency proposal, the experts wrote that "it is desirable to consider publishing information on cyber-attacks swiftly at the point in which leaks of personal information are suspected."
After highlighting the risk of data leaks from using Wi-Fi services, the panel called for the government to warn businesses and individuals against sharing any personal or confidential information when using Wi-Fi.
Japan has had seven years in which to prepare for the arrival of the 2020 Summer Olympics, officially known as the Games of the XXXII Olympiad, after being selected to host the world-famous sporting event on September 7, 2013.
The event, also known as the Tokyo Olympic Games, will take place between July 24 and August 9, 2020, in the nation's capital city. Tokyo will then host the Tokyo Paralympic Games from August 25 through September 6.
A South Carolina water company is recovering from a cyber-attack that took its phone and online payment systems offline for nearly a week.
The cyber-attack on Greenville Water triggered a payment system outage that began on Wednesday, January 22. Company spokesperson Emerald Clark said 500,000 customers were affected by the incident.
An investigation has been launched into the cyber-attack, the exact nature of which is yet to be revealed by Greenville Water. It's not yet known who targeted the water company or from where the attack was launched.
Greenville Water CEO David Bereskin said he was "fairly certain" that the utility's data had not been compromised as a result of the incident.
"We have been preparing for potential attacks for years and put specific protections in place to ensure the safety of our data and the integrity of our water," said Bereskin.
According to Clark, the cybersecurity incident has had little effect on data security. She said: "We have no reason to believe that any confidential information maintained on our systems has been accessed without authorization."
Clark added that Greenville Water does not store customers' credit card data.
According to a statement released to the media on Friday, experts "have taken immediate and appropriate action to reinforce existing security measures and to mitigate the potential impact, as well as determining its origin."
In the statement, Clark said that the incident "has not and will not impact or compromise the safety and delivery of water that is treated and maintained by our facilities."
When asked for comment on the cyber-attack by the Greenville News, Greenville County government affairs coordinator Bob Mihalic stated only that "Greenville County uses multiple methods of protecting data, hardware, and infrastructure from potential cyber-attacks."
Greenville Water's online payment system was back up and running on Monday afternoon, and its phone payment system was restored the following day. Greenville Water has assured customers that payments received late as a result of the attack will not lead to fines or the shutting off of their water supply.
"Our customer experience has been fully restored," states Greenville Water on its website. "We are continuing our investigation and will share additional details as they become available."
Security researchers are warning that the technology underpinning many smart city deployments is susceptible to a range of cyber-attacks, enabling hackers to sabotage infrastructure in potentially life-threatening raids.
IOActive’s latest research paper covers LoRaWAN, the Long-Range Wide Area Network protocol, which many low-powered IoT devices use to connect to the internet in scenarios such as smart cities, industrial IoT, smart homes, utilities, vehicle tracking and healthcare.
It claimed that the root keys used to encrypt communications between smart devices, gateways and network servers are poorly protected.
Hackers could extract keys by reverse engineering device firmware, grab hard-coded keys that ship with some open source LoRaWAN libraries, compromise vulnerable LoRaWAN network servers, or even guess the keys in some circumstances, the report claimed.
Once encryption keys are in their possession, the black hats could launch denial of service attacks, or replace legitimate comms data with false data. This could cause connected infrastructure to break or even explode, putting lives at risk, IOActive claimed.
“Organizations are blindly trusting LoRaWAN because it’s encrypted, but that encryption can be easily bypassed if hackers can get their hands on the keys — which our research shows they can do in several ways, with relative ease,” explained Cesar Cerrudo, IOActive CTO.
“Once hackers have access, there are many things they could potentially do – they could prevent utilities firms from taking smart meter readings, stop logistics companies from tracking vehicles, or prohibit hospitals from receiving readings from smart equipment. In extreme cases, a compromised network could be fed false device readings to cover up physical attacks against infrastructure, like a gas pipeline. Or to prompt industrial equipment containing volatile substances to overcorrect; causing it to break, combust or even explode.”
Worse still, the researchers claimed that there’s no way an organization could find out if its LoRaWAN network is being attacked or if encryption keys have been compromised.
That’s why IOActive has released a LoRaWAN Auditing Framework to help these firms pen test their deployments.
As many as 31 million stolen payment card records from a 2019 breach at convenience store chain Wawa could soon be on sale on a notorious dark web marketplace.
Stas Alforov and Christopher Thomas at threat intelligence firm Gemini Advisory claimed the upload of stolen data at the Joker’s Stash site began on Monday. Dubbed “BIGBADABOOM-III,” the dump has been linked to a breach at East Coast chain Wawa which was discovered in December last year.
Although the incident was revealed on December 10, attackers were apparently inside the network since early March, enabling them to make off with a huge trove of card numbers, expiration dates and cardholder names.
“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data,” Gemini Advisory wrote.
“Notably, major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, Joker’s Stash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards.”
At the time of writing, 100,000 card records had been uploaded to the marketplace, including state geolocation information.
The full breach trove is estimated to feature 30 million US cards and around one million from other countries, which were lifted when cardholders visited Wawa outlets during the breach period.
A press release issued by Wawa on Tuesday did not reference the size of the data loss, but explained that the firm’s payment card processor, as well as affected card brands and issuers, had been notified to heighten fraud monitoring.
The firm also clarified that no user PINs or CV2 numbers were taken, and that the breach didn’t affect ATM transactions.
“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” it added.
Dell Technologies today announced that Adrian McDonald will become the company’s new EMEA president, effective February 3, 2020.
McDonald brings over 30 years of IT leadership experience to the role and will be responsible for all businesses, including PCs, servers, storage and services, across the Europe, Middle East and Africa region. He will also continue in his role as global lead for the Mosaic Employee Resource Group at Dell Technologies, which represents and promotes cultural inclusion and the benefits of cultural intelligence.
“In a time of great change, Dell Technologies is ideally positioned to add value to customers and partners,” said McDonald, president EMEA, Dell Technologies.
“I’m incredibly excited for the future. We are at a tipping point for technology innovation. Computing will be more intelligent, personal and accessible in the 2020s, and this is going to have an even bigger impact on the world than the last decade, transforming how we live and work. Our customers understand this. They are not only looking to reimagine their businesses with the opportunities digital brings, but in many cases, undertake a dramatic transformation and I am looking forward to working with them and our partners to enable them to achieve this.”
Security experts have broadly welcomed the UK’s decision to allow Huawei to participate in non-core 5G network infrastructure, even if nearly half of consumers believe the Chinese firm represents a cyber-threat.
The government confirmed long-running rumors yesterday that it would defy Washington and allow the Shenzhen telecoms kit maker to contribute to its carriers’ 5G networks.
However, it appears to have dialed down tensions with the US by designating the firm a “high risk” vendor, excluding it from core parts of the networks, nuclear sites, military bases and critical infrastructure, and limiting its presence to no more than 35% of non-core networks.
National Cyber Security Centre (NCSC) CEO, Ciaran Martin, claimed the decision will give the UK “a very strong, practical and technically sound framework for digital security in the years ahead.
“The NCSC has issued advice to telecoms network operators to help with the industry rollout of 5G and full fiber networks in line with the government’s objectives,” he added.
“High-risk vendors have never been – and never will be – in our most sensitive networks. Taken together these measures add up to a very strong framework for digital security.”
This is despite some experts, such as Australian Signals Directorate director-general, Mike Burgess, warning that there is no distinction between core and non-core parts of a 5G network, meaning that a threat anywhere in the network could be hard to contain.
Malcolm Taylor, director of cyber advisory at ITC Secure and former GCHQ intelligence officer, welcomed the UK news as evidence of politicians listening to the UK’s security agencies, who have repeatedly claimed the Huawei risk is manageable.
A dedicated Huawei Cyber Security Evaluation Centre (HCSEC) staffed partly by GCHQ boffins has been running for years to scrutinize the firm’s products. Although it recently found serious security shortcomings, they were not thought to have been engineered deliberately.
“There is risk in using Huawei – the point is managing it. Already heavily monitored and managed, Huawei can expect to see that scrutiny only increase,” Taylor added.
“There is no hard evidence of any espionage using Huawei technology, globally, and Huawei senior figures have made this point again and again. The UK’s security apparatus believes the risk can be managed. What more do we need?”
Dimitris Mavrakis, research director at ABI Research, congratulated the UK for not being pressured by geopolitical tactics, and said it was a good compromise between security and 5G development.
“The fact that Huawei is quite well deployed for 5G in the UK means that it would be a massive disruption to stop or worse, remove this infrastructure. This could set UK operators years behind in the 5G market,” he continued.
“Plus, Huawei has already been well deployed for 4G across the UK. Even if Huawei is blocked for 5G, how can anyone guarantee that security-sensitive communications will go over these non-Huawei 5G networks, and not Huawei 4G networks?”
That said, a GlobalData poll this week revealed that UK consumers are virtually split down the middle in their view of Huawei: 47% said they thought the firm was a security threat while 53% did not.
The US Securities and Exchange Commission (SEC) has published a 10-page document detailing cybersecurity practices observed to be in use in the financial industry.
The observations were gathered by the SEC's Office of Compliance Inspections (OCIE) and are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants.
OCIE issued the examination observations yesterday on the SEC website with the hope of providing firms with guidelines for how to strengthen their cybersecurity.
The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They also examine how companies have responded with resiliency in the wake of a cybersecurity incident.
While acknowledging that there is no one-size-fits-all approach when it comes to cybersecurity, OCIE recommended establishing an incident response plan and contacting local authorities or the Federal Bureau of Investigation (FBI) if an attack or compromise is discovered or suspected.
Training employees on how to detect threats was advised, along with implementing a mobile device management solution for the workplace that covered all devices used by employees under a "bring your own device" policy.
"Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency," said Peter Driscoll, director of OCIE.
"We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices."
To prevent data loss, OCIE recommended establishing a patch management program covering all software and hardware and verifying that the decommissioning and disposal of any hardware and software does not create system vulnerabilities.
"Data systems are critical to the functioning of our markets, and cybersecurity and resiliency are at the core of OCIE’s inspection efforts," said SEC chairman Jay Clayton.
"I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments."
A British company that specializes in making skin, bone, and organ grafts has temporarily closed its manufacturing plant in America following a cybersecurity breach.
Regenerative medical technology company Tissue Regenix Group PLC said on Tuesday that its computer systems and a third-party IT service provider in the United States were accessed without authorization. No details were given regarding how the incident occurred or when the company became aware that it had been compromised.
Tissue Regenix responded to the cybersecurity incident by taking the affected system offline and shutting down operations at its plant in Texas. The company has appointed forensic cybersecurity specialists to investigate how and when the breach occurred and said that it is in talks with the relevant legal authorities.
The cybersecurity incident is not believed to have affected any of Tissue Regenix's operations in the UK and is not thought to have impacted the company's financial systems.
"Tissue Regenix has taken precautionary steps, including taking affected systems offline. This has restricted access to certain business operations, including the company's ability in the short-term to continue manufacturing in its United States facility, which has been taken offline whilst the incident is being investigated," said a Tissue Regenix spokesperson.
"The company is engaged with its third-party IT service provider, the relevant legal authorities and cyber security experts to rectify the incident as quickly as possible and to minimize any impact on its operations. The time required to resolve the incident is currently unknown."
According to Reuters, news of the breach caused the share price of Tissue Regenix to tumble by as much as 22%.
Tissue Regenix was formed in 2006 as an offshoot of the University of Leeds. The company is based in the historic city of York. Tissue Regenix set up its base in America at the tail end of 2012.
The medical technology product that Tissue Regenix is known for producing is a special kind of tissue that can be used to repair worn-out or diseased human body parts. The tissue has been designed in such a way that the patient's body is unlikely to reject a graft.
The cyber-attack has come at a particularly bad time for Tissue Regenix, which said last Wednesday that its funding is not guaranteed beyond April.
The Twitter accounts of America's National Football League (NFL) and 15 of its teams have been hacked just one week before the biggest football game of the 2019–2020 season.
The first team to be compromised was the Chicago Bears, whose account @ChicagoBears was hacked at 8:40 a.m. on Sunday morning.
Followers were shown an image of a man with a full, dark beard who was wearing traditional Arabic headgear, a keffiyeh and an agal together. Along with the photo, hackers posted the caption: "Welcome to our new owner @Turki_alalshikh #ProBowl #Bears100 #ChicagoBears."
A Saudi "white hat" hacker group known as OurMine was quick to claim responsibility for the hacks, which the group said were carried out as a publicity stunt to "announce that we are back" and to "show people that everything is hackable."
Fans of rival American football team the Detroit Lions seized the opportunity afforded by the Bears hack to propose a trade. The account @PrideofDetroit tweeted at the Bears: "Hey, while you're still hacked @ChicagoBears, trade us Khalil Mack for a 6th rounder. Twitter is a binding contract."
The hackers decided to run with the joke and responded with "Done for 1$."
By 12:43 p.m. on Sunday, the Chicago Bears were back in control of their Twitter account and had posted a message apologizing to fans for the compromise.
OurMine allegedly compromised the official Twitter account of the NFL on Monday. In a statement released yesterday, the NFL said: "On Monday, the NFL Cybersecurity department became aware of a breach of league-related social media accounts. Targeted breaches and additional failed attempts were discovered across the league and team accounts.
"The NFL took immediate action and directed the teams to secure their social media accounts and prevent further unauthorized access."
NFL reporter Dov Kleiman began a Twitter thread of screenshots depicting all the NFL team accounts compromised in the OurMine hack. By his reckoning, a total of 15 teams were hacked, including the Green Bay Packers.
Other teams to be hacked were the Kansas City Chiefs and the San Francisco 49ers, who are due to compete on February 2 in the Super Bowl LIV game, which will decide the champion for the NFL's 2019–2020 (and 100th) season.
An anonymous individual who responded to questions from NBC News via an email account linked with OurMine would not reveal how the group carried out the hack. The individual did, however, reveal their pick for Sunday's big game, predicting a victory for the Chiefs.
Three men have been arrested in Indonesia in a region-wide crackdown on gangs using the infamous Magecart digital skimming code, according to Interpol.
Its Operation Night Fury saw Interpol’s central ASEAN Cyber Capability Desk send reports to police in the affected countries, including six in southeast Asia.
One of these was Indonesia, where three men were arrested on suspicion of running Magecart C&C servers there.
According to Interpol, the suspects are thought to have been using the stolen card details to buy luxury goods and electronics and then resell them to launder their profits.
Singaporean police have also been able to disable two further C&C servers following intelligence gleaned from the operation, while investigations in other ASEAN countries are ongoing, Interpol said.
“Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyber threat landscape,” said Interpol director of cybercrime, Craig Jones.
“This successful operation is just one example of how law enforcement is working with industry partners, adapting and applying new technologies to aid investigations, and ultimately reduce the global impact of cybercrime.”
This could well be the first time Magecart hackers have been arrested by police. Digital skimming code is now used by multiple groups around the world, making it harder for police to tackle.
The news comes just weeks after Interpol celebrated another win: a public-private partnership with Trend Micro led to the identification of over 20,000 routers in southeast Asia infected with crypto-mining malware.
Thanks to Operation Goldfish Alpha, police managed to reduce this number by 78% and efforts are continuing to identify the remaining compromised devices.
Staff in large enterprises send 136 emails per week to the wrong person, according to new data from Tessian released to coincide with today’s Data Protection Day.
The annual event was launched 13 years ago by the Council of Europe to recognize the date in 1981 on which Convention 108, the first legally binding international treaty on data protection, was opened for signature.
However, despite the introduction of the GDPR nearly two years ago and the filing of over 160,000 breach notifications in the intervening period, poor data protection practices still appear to be rife.
Analyzing data from its global network of clients, Tessian claimed that corporate data is sent to unauthorized or personal email accounts nearly 200,000 times a year, for enterprises of 10,000 employees and up.
For large businesses of 1000 employees, the figure is nearly 20,000, while it drops again to around 5000 for SMBs.
Tessian CEO, Tim Sadler, claimed that human error is still the leading cause of breaches today — whether staff are deliberately breaking the rules or simply being negligent.
“Everyone has an email blunder story. After all, the average worker spends over a third of their working-week on email, so mistakes are bound to happen. But we’re seeing serious repercussions beyond just embarrassment over cc-ing the wrong person – more people are exposing personal and corporate data,” he added.
“These mistakes could see your data falling into the wrong hands and your company facing the regulator’s wrath under GDPR.”
Also known as Data Privacy Day in the US and elsewhere, the event is an opportunity to raise awareness among consumers and businesses of their respective online rights and responsibilities regarding data protection.
The GDPR has already done much to promote these within the EU and beyond, the European Commission claimed in a statement issued to mark the occasion.
“According to Eurobarometer results, the highest levels of awareness among citizens are recorded for the right to access their own data (65%), the right to correct the data if they are wrong (61%), the right to object to receiving direct marketing (59%) and the right to have their own data deleted (57%),” it revealed.
“Our priority and that of everyone involved should be to foster a harmonized and consistent implementation of data protection rules throughout the EU.”
However, the legislation remains a work in progress, according to Dob Todorov, CEO of HeleCloud.
“In truth, a chasm exists between the legal language used and the IT implementation needed to support it. And, while this chasm exists, some businesses will fail to meet the data protection standards that this regulation promotes — either accidentally or through the abuse of the grey areas,” he argued.
“As regulators look to hand out more fines, they should also focus on providing pragmatic and clear guidance at a technical level, without discriminating against current or future technologies.”
The UK government has unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements.
Drawn up by the Department for Digital, Culture, Media and Sport (DCMS), the proposals would ensure that all IoT kit sold in the UK allows users to set unique passwords and does not let those passwords be reset to any factory default.
This would seem to combat the scourge of Mirai-like malware, which finds exposed devices on the internet and cracks them open with a list of popular default password choices.
Manufacturers of IoT devices would also have to provide a public point of contact so that anyone can report vulnerabilities and have them acted on “in a timely manner.”
The same IoT kit-makers would have to explicitly state the minimum length of time a device will receive security updates at point-of-sale, allowing consumers to decide whether they’re happy with vendor promises.
However, there’s no mention of enforcing a 'kitemark' for consumers which would allow buyers to easily spot whether products have met a minimum standard of security and quality. Such a standard technically exists in the UK, after the British Standards Institution (BSI) introduced one in May 2018, and at a European level, with the launch of ETSI TS 103 645 around a year ago.
It’s also unclear exactly how the UK would prohibit the sale of non-compliant IoT kit, especially items which can be sourced online from China and elsewhere. The majority of the world’s smart gadgets are not manufactured in the UK.
That said, the UK is still ahead of the US in its moves to drive regulation of an industry that exposes consumers and businesses to growing cyber risk.
“Consumer IoT devices can deliver real benefits to individuals and society, but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. TechUK is therefore supportive of the government’s commitment to legislate for cybersecurity to be built into consumer IoT products from the design stage,” argued techUK director of markets, Matthew Evans.
“TechUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.”
Carl Wear, head of e-crime at Mimecast, claimed that the UK push could have a beneficial impact on other parts of the world, although the nature of technology innovation would require revisions to the law.
“The legislation and any accompanying guidance will then need to be re-visited rapidly and updated to maintain an adequate minimum standard of security, as necessary,” he said. “I am certain that this move by the UK will likely prompt consideration of further regulation within other jurisdictions, in order to maintain trust in their own IoT and parity with the security of others.”
The UK’s proposals follow a “world first” voluntary code of practice introduced by the government in October 2018, on which the European standard was based.
US senators have proposed a bill that would drastically reform the surveillance practices of the National Security Agency (NSA) and increase oversight of government surveillance.
Titled The Safeguarding Americans’ Private Records Act, the bill was introduced on Thursday by Senators Ron Wyden, Zoe Lofgren, Pramila Jayapal, Warren Davidson, and Steve Daines.
According to a statement on Wyden's website, the changes proposed in the bill will "protect Americans’ rights against unnecessary government surveillance."
The bill comes ahead of the March 15 expiration of Section 215 of the Patriot Act, which the National Security Agency "used to create a secret mass surveillance program that swept up millions of Americans’ phone calls." The phone record program was terminated last year.
The bill prohibits the "warrantless collection of cell site location and GPS information as well as browsing history and internet search history and ensures that the government cannot conduct collection for intelligence purposes that would violate the Fourth Amendment in the criminal context."
Furthermore, the bill aims to establish the Foreign Intelligence Surveillance Act (FISA) process as the only process by which the government is allowed to carry out surveillance. By doing this, the bill intends to close what it describes as "secret law" loopholes that have allowed the US government to clandestinely conduct surveillance outside the FISA process in the past.
The bill would also increase congressional oversight of government surveillance activities by adding new public reporting requirements regarding Americans whose information has been collected under Sections 215 and 702 of the Patriot Act.
Commenting on the new bill, Jack Mannino, CEO at Virginia-based application security provider nVisium, said: "These are important steps towards protecting the civil liberties and Fourth Amendment rights of citizens. Intelligence agencies do important work, and it's necessary for them to be able to do their jobs, while preserving legal and moral boundaries. States, such as California, have passed legislation to protect internet privacy, and other states are quickly moving in the same direction. Overreaching surveillance erodes trust in the systems we use and our expectation of privacy."
A Canadian construction company that won military and government contracts worth millions of dollars has suffered a ransomware attack.
General contractor Bird Construction, which is based in Toronto, was allegedly targeted by cyber-threat group MAZE in December 2019. MAZE claims to have stolen 60 GB of data from the company, which landed 48 contracts worth $406m with Canada's Department of National Defense between 2006 and 2015.
In an email to the Canadian Broadcasting Corporation (CBC), a Bird Construction company spokesperson wrote: "Bird Construction responded to a cyber incident that resulted in the encryption of company files. Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files."
MAZE's modus operandi is to demand a ransom from its victim to secure the return of data that the group has stolen and encrypted. Victims are warned that failure to pay up will result in the data's publication. If a victim refuses to pay, MAZE's next move is typically to publish a small quantity of the data it claims to have stolen to show it means business.
According to Emsisoft threat analyst Brett Callow, MAZE has now published data it claims to have stolen from Bird Construction. The published files contain employees' personal data and information relating to Canadian company Suncor Energy, with which Bird Construction has worked on multiple projects.
Callow told Infosecurity Magazine: "Maze actually published some of Bird’s data. The files included documents relating to Suncor and records for a couple of Bird employees which included their names, home addresses, phone numbers, banking info, social insurance numbers, tax forms, health numbers, drug and alcohol test results—everything that a criminal would need to steal their identity. And all that info was posted on the clear web where anybody could’ve accessed it."
The published data, which Infosecurity Magazine has viewed, consisted of two large PDF files, each relating to a separate Bird Construction employee, plus documents detailing vehicle entry authorization and alcohol and drug testing procedures at Suncor.
Callow added: "The big question is: what else did MAZE get and did any of the data relate to Bird's government and military contracts?"
Bird Construction has not said whether a ransom was paid to its cyber-attackers. Callow advised any company that gets hit by ransomware not to pay up.
He said: "There is no way for a company to know that the data will be deleted after a ransom has been paid. In fact, it probably will not be deleted. Why would a criminal enterprise delete data that they may be able to use or monetize at a later date?"
Spring 2020 will see the launch of a new US cybersecurity resource designed to protect the space industry.
Space News reported last Thursday that the Space Information Sharing and Analysis Center, or Space ISAC, is currently in the process of setting up an unclassified portal where companies can share and analyze information on cybersecurity threats. The portal will go live toward the tail end of spring.
The activation of the portal will mark the official start of operations for Space ISAC, which was formally established in April 2019 as a nonprofit organization during a classified session at the 35th Space Symposium in Colorado Springs, Colorado.
The need to establish a Space ISAC to secure commercial, government, and military space communications from cyber-attacks on global space assets was recognized by the Science & Technology Partnership Forum in 2017. The Forum shared its vision for the organization’s conception in April 2018 at the 34th Space Symposium.
Space ISAC was founded initially by Kratos Defense & Security Solutions. Ten other companies have since joined as founding members, though some wish to keep their connection with the organization under wraps. Firms that have made their membership of Space ISAC public include Booz Allen Hamilton, SES, Parsons Corp, Lockheed Martin, and MITRE, which all joined as founding members.
The senior vice president of Kratos and chairman of the board for Space ISAC, Frank Backes, said that once the new portal is in operation, Space ISAC will work to recruit and vet potential members. The organization is hoping to sign up as many as 200 member companies from the civil, commercial, and national security space sectors.
Annual membership fees will be $10,000 for silver membership, $25,000 for gold, and $50,000 for platinum; however, the organization will consider offering lower rates to small enterprises and startups.
Along with the portal, Backes said that Space ISAC intends to set up a "space systems vulnerability laboratory" for NCC analysts and ISAC members at the National Cybersecurity Center (NCC) in Colorado Springs.
Space ISAC plans to hold its first ever summit meeting at the NCC's Cyber Symposium in Denver on June 15 and 16 of this year.