Info Security


Charing Cross Gender Identity Clinic Data Leak Victims Could Claim £30,000 in Damages

Mon, 09/07/2020 - 15:00

Victims of the Charing Cross Gender Identity Clinic data breach, which took place exactly one year ago yesterday, could be eligible to claim up to £30,000 each in damages, according to consumer action and data breach law firm Your Lawyers.

As was reported last year, the Charing Cross Gender Identity Clinic sent out mass emails to people using the CC function instead of the BCC function, mistakenly revealing the names and email addresses of close to 2000 people on its email list.

Your Lawyers has estimated that those most severely affected could receive up to £30,000 each in damages, and where the impact on the victim has been catastrophic, awards could be higher.

Aman Johal, lawyer and director of Your Lawyers, said: “The Charing Cross Gender Identity Clinic severely breached patient trust through an inexcusable and completely preventable error. The sharing of sensitive and highly personal data could have an extremely negative impact on vulnerable people.

“Why organizations still rely on archaic methods of mass communication, when there is plenty of readily available software to use instead that will avoid a data leak, is absurd; especially given the additional clarity and focus that the GDPR has placed on data protection and information privacy since 2018.

“One year on, we continue to fight for justice for those affected. People deserve better when the consequences of a leak can be so damaging, and they are rightfully entitled to seek the compensation that they deserve.”

Consumers can sign up for legal representation here.

Categories: Cyber Risk News

Scottish Cyber Awards 2021 Open for Entry

Mon, 09/07/2020 - 14:00

The Scottish Cyber Awards 2021 are now open for entry until November 25, 2020.

The awards, now in their fifth year, celebrate the individuals and organizations working to make a difference to Scotland’s cybersecurity across public and private sectors. Individuals can vote for themselves/their organization or nominate someone who they feel is deserving.

Comprising 11 categories, the awards are set to take place on February 25, 2021 at the Sheraton Grand Hotel and Spa in Edinburgh. New categories for 2021 include Cyber Educator of the Year, whilst other categories recognize the Best Cyber Startup, Outstanding Woman in Cyber and Best Cyber Breakthrough. On the night, judges will also recognize a Champion of Champions.

Jude McCorry, CEO of the Scottish Business Resilience Center (SBRC), which oversees the awards, said: “The cyber-resilience shown by individuals and businesses over the last 12 months has been inspiring. Unfortunately, cyber-attacks show no sign of slowing, but we know that Scotland is home to a united cyber-defense community.

“The Scottish Cyber Awards 2021 will recognize the dedication and commitment of those within the industry to combat threats that might not only impact their own organization, but the wider population. Now, more than ever, we need to honor the achievements of those in this community and I can’t wait to celebrate with you all.”

As part of the 2021 awards, the SBRC has brought together a new judging committee from across the emergency services, public sector and industry.

ACC McLaren, member of the judging panel and executive lead for organized crime, counter terrorism and intelligence, Police Scotland, added: “The Scottish Cyber Awards judging panel represents a cross section of those with a close relationship to all things cyber – whether that is in defining policy, combatting crime or shaping business resilience plans. The efforts of the few within the cybersecurity sector are there to benefit the many, and so it is fitting that we recognize the hard work being done in this area across the length and breadth of Scotland.”

More information on the awards and the entry/nomination processes can be found here.

Categories: Cyber Risk News

Visa: New Baka Skimmer Designed to Avoid Detection

Mon, 09/07/2020 - 11:05

Visa has issued a warning about new digital skimming malware with a sophisticated design intended to circumvent detection by security tools.

The card giant said its Payment Fraud Disruption (PFD) group first discovered the “Baka” skimmer in February whilst analyzing a command and control (C2) server associated with the ImageID variant. PFD subsequently found seven servers hosting the Baka skimming kit.

“While the skimmer itself is basic and contains the expected features offered by many e-commerce skimming kits (e.g. data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer,” it said.

“The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated.”

It’s currently unclear just how widespread the threat is. Visa said that it has identified the malware on “several” merchant websites around the world using its eCommerce Threat Disruption (eTD) capabilities.

However, the firm issued several recommendations for e-commerce providers, including: regular scans for C2 communications; close vetting of third-party code and Content Delivery Networks (CDNs); regular website scanning and testing for malware and vulnerabilities; regular patching of shopping cart and other software; and web application firewalls (WAFs) to block malicious traffic.

Visa also recommended that merchants restrict access to administrative portals, deploy two-factor authentication and consider using a fully hosted checkout solution separate from the main e-commerce site.

The news comes just days after RiskIQ identified 1500 sites that had been infected with the prolific Inter digital skimmer.

At the end of August, Group-IB uncovered a new group, dubbed “UltraRank,” which it said was responsible for compromising hundreds of sites and multiple supply chain providers over the past five years.

Categories: Cyber Risk News

WordPress Sites Attacked in Their Millions

Mon, 09/07/2020 - 09:35

Millions of WordPress sites are being probed in automated attacks looking to exploit a recently discovered plugin vulnerability, according to security researchers.

Wordfence, which itself produces a plugin for the platform, revealed news of the zero-day bug at the start of September. It affects File Manager which, as the name suggests, is a plugin that helps users to manage files on their WordPress sites.

The plugin is installed on around 700,000 WordPress sites, and although Wordfence estimates that only around 37%, or 262,000, are still running a vulnerable version, this hasn’t stopped attackers from trying their luck against a much larger number of sites.

“Attacks against this vulnerability have risen dramatically over the last few days. Wordfence has recorded attacks against over one million sites today, September 4, 2020. Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited,” explained Wordfence’s Ram Gall.

“Although Wordfence protects well over three million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record.”

The vulnerability itself could allow a remote, unauthenticated user to execute commands and upload malicious files on a target site. Gall therefore urged users to patch the issue promptly by installing the latest version of the plugin, v6.9.

“If you are not actively using the plugin, uninstall it completely,” he added. “Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used.”

Categories: Cyber Risk News

US Issues Cybersecurity Principles for Space Systems

Mon, 09/07/2020 - 08:35

The White House has issued a new set of cybersecurity principles designed to protect its commercial and critical infrastructure investments in space.

The Space Policy Directive-5 details a list of recommended best practices for securing the information systems, networks and “radio-frequency-dependent wireless communication channels” that together power US space systems.

“These systems, networks and channels can be vulnerable to malicious activities that can deny, degrade or disrupt space operations, or even destroy satellites,” the document stated.

“Examples of malicious cyber-activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks.”

It added that such attacks could result in the loss of mission data, damage to space systems and loss of control over space vehicles such as satellites, space stations and launch vehicles, which could lead to collisions that generate dangerous orbital debris.

Amongst the recommended best practice principles was the use of “risk-based, cybersecurity-informed engineering” to develop and operate space systems, with continuous monitoring for malicious activity and of system configurations.

Other elements that will help ensure a good baseline of cybersecurity were: protection against unauthorized access to space vehicle functions; physical protection of command, control and telemetry receiver systems; measures to counter communications jamming and spoofing; management of supply chain risks; and improved collaboration between space system owners.

IT and OT systems on the ground should follow NIST best practices including logical/physical segregation, regular patching, physical security, restrictions on the use of portable media, AV software and staff awareness and training including insider threat mitigation.

In July, the US and UK accused Russia of testing “anti-satellite weaponry" in a marked escalation of tensions in space.

Categories: Cyber Risk News

DDoS Attacks on Virtual Education Rise 350%

Fri, 09/04/2020 - 16:05

Distributed denial of service (DDoS) attacks against online educational resources are over three times more prevalent in 2020 than they were last year, according to new research by Kaspersky.

In a report published today, researchers found that between January and June 2020, the number of DDoS attacks affecting educational resources increased by at least 350%, compared to the corresponding months in 2019.

The largest month on month increase was noted in January, when attacks were up by 550%.

Globally, the total number of DDoS attacks increased by 80% in the first quarter of 2020, compared to Q1 2019, with attacks on educational resources accounting for a large portion of that growth.

DDoS attacks can last anywhere from a couple of days to a few weeks, causing significant operational disruption and, in the case of educational resources, denying students and staff access to critical materials.

Further findings of the report were that from January to June 2020, 168,550 unique Kaspersky users encountered a variety of threats distributed under the guise of popular online learning platforms and video conferencing applications.

Impacted platforms included Moodle, Zoom, edX, Coursera, Google Meet, Google Classroom and Blackboard.

Educators also encountered a growing number of phishing pages and emails exploiting these online educational platforms in an attempt to get victims to download various threats.

An unprecedented uptake of online educational resources occurred in 2020, triggered by school closures around the world designed to slow the spread of COVID-19. Attackers seeking to exploit the speedy mass migration from physical to virtual learning have been targeting this vast new attack surface, which grew without full consideration of security best practices.

“Remote learning became a necessity for billions of students this past spring, and many educational institutions were forced to make the transition with little or no preparation,” said Alexander Gutnikov, security expert at Kaspersky. 

“The ensuing increase in the popularity of online educational resources, coupled with this lack of preparedness, made the educational sector an ideal target for cyber-attacks. Moving forward this fall, as many schools and universities plan to conduct classes online—at least part of the time—it’s critical these organizations take steps to secure their digital learning environments.”

Categories: Cyber Risk News

Americans Offered Free Virtual Tech Bootcamp

Fri, 09/04/2020 - 15:33

Marginalized Americans interested in pursuing a career in technology received a boost yesterday with the launch of a free online training program.

The Agile Testing Bootcamp is a six-week program geared specifically toward upskilling individuals with non-technical backgrounds to obtain high-paying, high-demand technical jobs in software testing.

The program was created by Los Angeles software firm QualityWorks and is sponsored by the Count Me In Revival Grant.

Participants will be taught the foundational tools and techniques of software testing and will also receive support to find jobs that match their new skills. Job sourcing, job placement, and ongoing professional development mentorship by professional coaches after graduation are all included in the program.

Applicants have until October 5, 2020, to apply for the immersive program, which is taught virtually via weekly live sessions. To be eligible for the free training, applicants must have at least three years of experience in a professional capacity, be interested in the tech space, and be looking for new career opportunities.

Positive discrimination practices are being applied to give preference to applicants who are not white and to people who have been displaced as a result of the outbreak of COVID-19. 

A spokesperson for QualityWorks said: "Software Testing is one of the most in demand jobs in the tech market. There are currently over 9,000 unfulfilled jobs in the US alone. Our six-week immersive software testing bootcamp is designed to teach software testing from scratch for individuals without a tech background."

QualityWorks said software testing bootcamps can get people started in tech careers faster than coding bootcamps, as the learning curve is shorter. 

Over the past decade, the company has trained more than 150 persons from diverse professional backgrounds to become software testing professionals.

“We have successfully concluded two installments of our Testing Bootcamp, training over 70 individuals, 90% of whom did not come from a technical background," said QualityWorks founder and CEO Stacy Kirk. 

"We’ve proven that the model works, and so we are super excited to be able to extend the program to support black and minority communities by providing them with the skillset to land good jobs in tech."

Categories: Cyber Risk News

Warner Music Group Discloses Data Breach

Fri, 09/04/2020 - 15:08

Warner Music Group has issued a data breach notification following a prolonged skimming attack on an undisclosed number of its e-commerce websites.

The cyber-attack was discovered by the multinational entertainment and record label conglomerate on August 5, 2020. 

E-commerce websites that are hosted and supported by an external service provider in the US but operated by Warner were found to have been compromised by an unauthorized third party.

By installing data-skimming malware on the sites, the threat actor was able to access information being entered by customers.

Personal data compromised in the attack included names, email addresses, telephone numbers, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVC and CVV codes. 

The as yet unidentified cyber-criminal accessed Warner customers' personal information entered into the affected websites during transactions made between April 25, 2020, and August 5, 2020. Payments made through PayPal were reportedly not affected by this incident.

A data breach notice sent by Warner to the affected customers stated that "any personal information" customers had entered into the affected websites "after placing an item in your shopping cart was potentially acquired by the unauthorized third party."

Warner said that it was prompt to inform relevant credit card providers and law enforcement of the breach. The company has not yet disclosed how many customers were affected by the incident.

Affected customers have been offered 12 months of identity monitoring services free of charge by Warner. 

The cyber-attack comes three years after Warner fell victim to a phishing scam that resulted in the leak of 3.12 TB of internal data relating to Vevo, the company's premium music video provider.

“Digital skimming and Magecart attacks continue to be a lucrative source of revenue for hackers as they continue to seek large targets for maximum payouts. For example, data stolen from an attack on another e-commerce platform in 2019 was valued at $133M on the dark web," commented security evangelist at PerimeterX, Ameet Naik. 

"Third-party platforms, scripts, and services are ideal targets for attackers because the techniques can be reused to steal data from multiple e-commerce sites."

Categories: Cyber Risk News

Credit Card Skimmer Hits Over 1500 Websites

Fri, 09/04/2020 - 14:45

A digital skimming kit has been described as “one of the most prolific and impactful parts of the Magecart ecosystem.”

Reportedly used by several different Magecart actors, research by RiskIQ into the Inter skimmer found it had been used to steal payment data since late 2018, affecting around 1500 sites.

In particular, the Inter Skimmer comes with a dashboard to generate and deploy skimming code and back-end storage for skimmed payment data to enable easier attack deployment. RiskIQ also found connections to ransomware, fast flux DNS services, and suspicious domains potentially used for phishing or malware command and control activity.

The Inter skimmer is based on a predecessor known as JS Sniffer or SnifFall, which RiskIQ described as “fairly simplistic,” and the company said much of its functionality is similar. It copies out all the data entered into forms on the page by looking for fields tagged “input,” “select” or “textarea,” then converts the extracted payment data to JSON format and base64 encodes it.

RiskIQ said the main variation it has observed between versions of the Inter skimmer is increased use of sophisticated obfuscation, which is a trend among skimmers in general. “The Inter kit includes the ability to integrate an obfuscation service if the actor has access to an API key,” it said.
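The exfiltration shape described in the Baka warning above (image requests carrying stolen data) and in this Inter write-up (form data serialized to JSON and base64-encoded) can be checked for in request logs captured from a test checkout session. The following detector is an added example, not code from RiskIQ, Visa or the original articles; it assumes combined-format access or proxy log lines (constructed below, with hypothetical hosts and paths) and treats the payment field names and the Luhn check as heuristics.

```python
import base64
import binascii
import json
import re
from typing import List, Optional
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample payload in the JSON-then-base64 shape the Inter write-up
# describes; the card number is a well-known test number, not real data.
EXFIL_JSON = json.dumps({"cc": "4111111111111111", "exp": "12/24",
                         "cvv": "123", "name": "Test Person"})
EXFIL_B64 = base64.b64encode(EXFIL_JSON.encode()).decode()

# Constructed combined-format log lines (hypothetical hosts and paths):
# a benign image, an image request carrying the payload in a query
# parameter, and a base64 value that decodes to text rather than JSON.
SAMPLE_LOGS = [
    '203.0.113.5 - - [04/Sep/2020:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" '
    '200 5120 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Sep/2020:10:00:09 +0000] "GET /img/pixel.gif?d='
    + quote(EXFIL_B64, safe="") + ' HTTP/1.1" 200 43 '
    '"https://shop.example/checkout" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Sep/2020:10:00:12 +0000] "GET /img/track.gif?sid='
    'aGVsbG8gd29ybGQ%3D HTTP/1.1" 200 43 "https://shop.example/" "Mozilla/5.0"',
]

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Name fragments that commonly label payment fields on a checkout form (heuristic).
SENSITIVE_KEYS = ("card", "cc", "pan", "cvv", "cvc", "exp")


def luhn_ok(digits: str) -> bool:
    """True if digits is a 13-19 digit string with a valid Luhn check digit."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_b64_json(value: str) -> Optional[dict]:
    """Decode a (URL-safe or standard) base64 string; return a dict if it is JSON."""
    # A '+' that was not percent-encoded arrives as a space after query parsing.
    s = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)                     # restore stripped padding
    try:
        raw = base64.b64decode(s, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def suspicious_fields(obj: dict) -> List[str]:
    """Explain why a decoded JSON object looks like skimmed checkout data."""
    reasons = []
    for key, val in obj.items():
        k = str(key).lower()
        if any(k == t or k.startswith(t) or k.endswith(t) for t in SENSITIVE_KEYS):
            reasons.append(f"key '{key}' looks like a payment field")
        if luhn_ok(re.sub(r"\D", "", str(val))):
            reasons.append(f"value of '{key}' is a Luhn-valid card-like number")
    return reasons


def inspect_request(url: str) -> Optional[dict]:
    """Check each query parameter of a request for base64(JSON) with card data."""
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) < 16:                      # too short to carry a record
            continue
        obj = decode_b64_json(value)
        if obj is None:
            continue
        reasons = suspicious_fields(obj)
        if reasons:
            return {"path": parts.path, "param": name,
                    "fields": sorted(obj), "reasons": reasons}
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose request carries skimmed-looking data.
    Only GET query strings are visible here; POST bodies are not logged."""
    findings = []
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hit = inspect_request(m.group(1))
        if hit:
            hit["line"] = idx
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['path']} param={f['param']} fields={f['fields']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against a real capture, only the second sample line is flagged; the plain-text base64 value and the unparameterized image request are left alone.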

“Throughout our tracking of this skimmer we continue to see a wide variance in the amount of obfuscation employed. Some implementations use clear skimming code, while others employ encrypted obfuscation to try to hide their activity.”

Sochi is reportedly the actor behind the kit. Sochi has been active in skimming since at least 2016 and appears to have been involved in other cybercrime spaces since 2014. RiskIQ said this actor is also involved in a wide variety of malicious activity beyond their prolific digital skimmer, including malware development and financial fraud.

“Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” it said. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”

Categories: Cyber Risk News

Sophisticated Phishing Scam Targeting Lloyds Bank Customers

Fri, 09/04/2020 - 13:45

Lloyds Bank customers are being targeted by a sophisticated email and SMS messaging phishing campaign, according to an investigation by law practice Griffin Law.

An estimated 100 people have reported receiving fake communication purporting to be from Lloyds, which is one of the largest banks in England and Wales.

In the email scam, a realistic-looking email using Lloyds logos and branding is distributed containing the subject header: “Alert: Document Report – We noted about security maintenance.” The message, which has spelling errors and some Chinese characters, claims that the recipient’s bank account has been compromised, stating: “Your Account Banking has been disabled, due to recent activities on your account, we placed a temporary suspension until you verify your account.”

Users are then redirected to a fraudulent site called Lloyds[Dot]bank[Dot]unusual-login[Dot]com, which attempts to trick visitors into believing it is legitimate through the use of official branding. The site then requests customers’ log-in details, including passwords, account information, security codes and other personal data.

In the SMS version of the scam, people received a text attempting to entice them into visiting the same fraudulent site. It says: “ALERT FROM LLOYDS: New device attempted to set up a payee to XXX. If this was NOT you, visit: Lloyds[Dot]bank[Dot]unusual-login[Dot]com.”

In a tweeted response to a user who informed them they had received the scam email, Lloyds Bank said: “This isn't a genuine message from us; it’s a scam. If possible, could you please forward this email or text message to us at:”

Commenting on Griffin Law’s discovery, Chris Ross, SVP at Barracuda Networks, said: “Hackers often hijack the branding of legitimate companies in order to steal confidential financial data from unsuspecting victims.

“These scams can be very convincing, making use of official logos, wording and personalised details to lull the individual into a false sense of security. In most cases, the victim will be directed to a fraudulent but realistic looking website, where they are urged to enter account details, passwords, security codes and PIN numbers.

“Phishing attacks like this pose a huge risk both to individuals and the companies they work for, especially if hackers gain access to a business bank account. Tackling this problem requires robust policies and procedures as well as the latest email security systems in place to identify and block these scams before they reach the inbox.”

In July, Griffin Law uncovered an HSBC SMS phishing scam designed to trick victims into handing over details of their bank account.

Categories: Cyber Risk News

Cybersecurity Incidents Account for a Third of ICO Reports in 2020

Fri, 09/04/2020 - 13:15

Just under 1500 incidents have been reported to the Information Commissioner’s Office (ICO) in the past nine months, with around a third classified as “cybersecurity incidents.”

According to 2020-21 statistics released this week, among the 1446 reported incidents, 412 were classified as cybersecurity incidents, and these include 266 instances of “data emailed to incorrect recipient,” 185 reports of “phishing” and 140 incidents of “data posted or faxed to incorrect recipient.” Fewer than 100 were down to “unauthorized access” (87), ransomware (61) and malware (16).

Overall, the numbers are improved from the 2019 report, and Rick Goud, CEO and founder of ZIVVER, commented that there was a 50% decline in reported data leaks. “In a period with increased cyber-threats, a big shift to working from home, with more digital communication and more employee behavior change – inevitably leading to more data leaks – this suggests that UK organizations don't see the necessity to comply with GDPR in terms of reporting data leaks, because the consequences of not complying are considered less costly than the alternative,” he said.

However, Martin Jartelius, CSO at Outpost24, argued that things are improving, as “users have never been this aware, firewalls and anti-virus this advanced or security frameworks as widely adopted.”

He also added that attackers have never been this efficient, and more actors are entering the criminal market space. “The reason phishing and ransomware are open and visible is that they, in part, are easy to detect; ransomware is very hard to miss for example, and users report attempted or successful phishing,” he said. “A good old fashioned data breach, such as an employee reading medical records of someone not their patient – often tops those lists in countries with stringent record keeping and audit trails.”

Sam Curry, chief security officer at Cybereason, said the state of overall security is about changes in rates: attackers still win too much and enjoy the expectation of victory too much, but the rate of improvement among defenders is growing faster, and it is about speed. “I believe changes in 2020 are going to help reverse the hacker advantage long term, but it’s still a fight and one we shouldn’t let up on,” he said.

Javvad Malik, security awareness advocate at KnowBe4, said it is “natural that some of the trends may have shifted slightly” considering the COVID-19 pandemic, and with many people working remotely, there has been a change in infrastructure, and many organizations have had to move services to the cloud, implement VPNs, MFA and a whole host of other technologies.

He continued: “The good thing is that many of these security technologies are quite mature and offer good protection. However, email has been the favored attack vector for criminals for some time now, and phishing seems to have only increased since lockdown. Without colleagues to bounce opinions off, and with the many distractions that home working brings, it can be easy for employees to fall for phishing emails.

“Perhaps the biggest issue has been the psychological toll extended home working has taken on employees. Without clear boundaries between home and work life, it can be easy to make mistakes, or errors. So, emailing the wrong people, especially on BYOD laptops or computers which may autofill email addresses, is definitely something that can happen.

“While technology can solve many security issues, it cannot account for all human error. For example, people taking photos of their meetings (thus exposing meeting IDs or other sensitive info) and posting them on social media can also inadvertently leak sensitive information.”

Categories: Cyber Risk News

NCSC: 60% Rise in Girls Applying to CyberFirst Summer Courses

Fri, 09/04/2020 - 12:00

There has been a 60% increase in the number of girls applying for online cybersecurity skills courses this year compared to 2019, according to the National Cyber Security Centre (NCSC), a part of GCHQ.

The NCSC stated on its website that the number of young people taking part in this year’s CyberFirst summer courses rose to a record-breaking 1770 after they moved from the classroom to online.

CyberFirst is a program of opportunities led by NCSC to help young people aged 11 to 17 years explore their passion for tech by introducing them to the world of cybersecurity.

Chris Ensor, NCSC deputy director for cyber-growth, said: “I’m delighted to see that more young people are exploring the exciting world of cybersecurity, and it’s especially encouraging to see such a level of interest from girls.

“Our online courses have provided new opportunities for teenagers of all backgrounds and we are committed to making cybersecurity more accessible for all.”

Schools minister Nick Gibb added: “This country has led the way in introducing computing into the national curriculum and a more rigorous computer science GCSE. The world renowned NCSC summer course is inspiring more young people to take up a career in a discipline so important for our country’s safety. I’m delighted too, that we are seeing more applications from girls, ensuring all talent is encouraged to pursue such a vital career.”

Categories: Cyber Risk News

APT Group Targeting FinTech Sector Changes Method of Attack

Fri, 09/04/2020 - 10:45

APT group Evilnum, known for its targeting of financial technology companies via fake know your customer (KYC) documents, has undergone a significant change in tactics and armory recently that the FinTech sector must be made aware of, according to an investigation by Cybereason.

First identified back in 2018, Evilnum has upgraded its attack capabilities on multiple occasions. Its main purpose is to spy on its infected targets and steal information such as passwords, documents, browser cookies and email credentials.

Typically, Evilnum’s infection chain would begin with spear-phishing emails that deliver zip archives containing LNK files masquerading as images, which then drop a JavaScript Trojan with different backdoor capabilities.

According to Tom Fakterman, threat researcher at Cybereason, the group’s infection procedure has changed substantially in recent weeks. Instead of delivering four different LNK files in a zip archive that will be replaced by a JPG file, only one LNK is archived, which masquerades as a PDF containing several documents such as utility bills and credit card photos.

When the LNK file is executed, a JavaScript file is written to disk and executed, replacing the LNK file with a PDF. This version of the JavaScript is the first stage of the infection chain, which leads to the delivery of a new Python RAT developed by Evilnum, dubbed PyVil RAT.

This new Python RAT was found to have several functionalities, including keylogging, running cmd commands, taking screenshots and opening an SSH shell. It can also deploy new tools, adding further functionalities to the attack when needed.

Fakterman said: “This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow.”

In addition, Cybereason revealed Evilnum has ramped up its infrastructure recently, with a growing list of domains associated with its C2 IP address, which itself changes every few weeks.

Despite these changes, Fakterman noted that “the primary method of gaining initial access to their FinTech targets stayed the same: using fake KYC documents to trick employees of the finance industry to trigger the malware.”

Speaking to Infosecurity, Fakterman commented: “Evilnum has gone to great lengths to evade prevention-focused security tools which underscores the need for organizations to invest in effective detection and response capabilities that allow for deep threat hunting on the network in order to identify threats designed to bypass initial layers of security.

“In addition, enterprises should provide their employees with regular security awareness training to better them for cyber-risks such as phishing. Also, employees should never open attachments from suspicious sources or visit dubious websites and should send suspicious emails to the IT/security team for vetting.”

Categories: Cyber Risk News

Australia Introduces Code of Practice for the Manufacture of IoT Devices

Fri, 09/04/2020 - 09:30
Australia Introduces Code of Practice for the Manufacture of IoT Devices

The Australian government has published voluntary best practice guidelines to help device manufacturers, IoT service providers and app developers improve the security of Internet of Things (IoT) devices. Developed jointly by the Department of Home Affairs and the Australian Cyber Security Centre (ACSC), the Code of Practice is described as the “first step in the Australian government’s approach to improve the security of IoT devices in Australia.”

It is expected there will be over 21 billion IoT devices connected to the internet by 2030, and the Australian government believes the new standards are necessary to “help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.”

IoT devices encompass an increasing number of everyday home items, such as smart TVs, security cameras and baby monitors. Yet there have been numerous concerns raised over potential security threats to these devices, such as hacking. For example, last month, a team of IBM hackers discovered a vulnerability in a component used in millions of IoT devices and in June an investigation by Which? found that more than 100,000 indoor security cameras across UK homes and businesses may have critical security flaws that make them vulnerable to hacking.

The new code outlines 13 principles for domestic and international IoT manufacturers to follow, with the Australian government recommending that the first three are prioritized. These are to ensure there are no duplicated or weak passwords, implement a vulnerability disclosure policy and keep software securely updated.

It added that the guidance aligns with and is built upon UK government guidance as well as being “consistent with other international standards.”

There have been increasing moves to bring in tighter regulation of the manufacturing of IoT devices around the world. Earlier this year, the UK government unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements: unique device passwords which are not resettable to factory defaults, a public point of contact at the manufacturer to report bugs to, and clearly visible information stating the minimum length of time for which updates will be available.

Speaking to Infosecurity, Bruce Esposito, global strategist at One Identity, commented: “The Australian government’s new code of practice for IoT devices is a much needed and long overdue focus on securing consumer smart devices. After many years of reporting on high profile hacking, malware and viruses, most consumers are aware of security threats to their personal computers. Consumers are more educated about protecting their home networks and computers and are cautious when confronted with requests for personal information. However, the same cannot be said about the ever increasing number of smart devices in the household.”

Although welcoming the introduction of further new standards for IoT devices, Boris Cipot, senior security engineer at Synopsys, said there may be a need for a more international approach in the future: “While the issuance of governmental standards and/or guidance to manufacturers is a step in the right direction, even if there are general measures in which countries might have the same opinion, there are other measures that might differ.

“Therefore, a globally aligned IoT standard would need to be created which manufacturers around the globe would follow. This would also support the import and export of such devices, as well as the usage of a technology that is by all means a global technology and not limited to a specific country.”

Categories: Cyber Risk News

KnowBe4 Adds Kevin Klausmeyer to Board of Directors

Fri, 09/04/2020 - 08:22
KnowBe4 Adds Kevin Klausmeyer to Board of Directors

Security awareness training and simulated phishing platform provider KnowBe4 has announced it has added Kevin Klausmeyer to its board of directors. Klausmeyer is a veteran technology financial officer and board member and joins the KnowBe4 board as an independent board member.

Klausmeyer is currently on the boards of two public companies, Cloudera and Jamf, a recent IPO, where he chairs the audit committees. He began his career in public accounting with Arthur Andersen, and subsequently held senior financial positions at several companies, including BMC Software and PentaSafe Security Technologies. He graduated with highest honors from the University of Texas.

“From the moment I met with the KnowBe4 team I knew it would be a great fit,” said Klausmeyer. “The KnowBe4 culture is one of professionalism, relentless quality and focus on the customer, while at the same time being fun and collaborative. I have long been aware of the KnowBe4 offerings, and I have yet to meet a customer who is not fully satisfied with the value proposition. I am thrilled to be a part of the KnowBe4 board of directors and am quite excited about the organization’s future!”

Commenting on the announcement, KnowBe4 CEO Stu Sjouwerman, said: “Kevin has many years of experience as a board member for several software companies, making him a perfect addition as an independent member to our board at KnowBe4. Adding someone with technology financial acumen helps to round out the diverse skill-sets of our board. We welcome his ideas and contributions, as they will make a positive impact on our organization.”

Categories: Cyber Risk News

CISA Pushes Vulnerability Disclosure Policies

Thu, 09/03/2020 - 18:04
CISA Pushes Vulnerability Disclosure Policies

America's Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) requiring the development and publication of vulnerability disclosure policies (VDPs). 

A BOD is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems.

BOD 20-01, officially finalized yesterday, requires most executive branch agencies to create a VDP and publish it as a public web page. Agencies have 180 calendar days after the issuance of the directive to comply.

Under the terms of the directive, the VDP must include which systems are in scope, the type of vulnerability testing allowed, and a description of how to submit vulnerability reports. 

Agencies must also state in their VDP "a commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represent a good faith effort to follow the policy, and deem that activity authorized."

The new directive is the first BOD in CISA's history to have been informed by a public comment round.

CISA asked for feedback from the public last November on an initial draft of BOD 20-01. Despite the feedback period coinciding with America's busiest holiday period, the agency received a substantial amount of feedback.

"We’d never done a public comment round on a directive before, but since the subject matter was 'coordination with the public,' this one merited it," said CISA assistant director Bryan Ware. 

"And even though the comment round spanned every holiday from late November to early January, the quantity and quality of feedback was nothing less than stellar."

CISA received over 200 recommendations from more than 40 unique sources that included individual security researchers, academics, federal agencies, technology companies, civil society, and several members of Congress.

"Each one made the directive draft, its implementation guidance, and our VDP template better," said Ware. 

"Several submissions asked whether the mobile apps that agencies offer to the public would be in scope of agency VDPs. That was something we hadn’t considered before—and concur with."

HackerOne CTO and co-founder Alex Rice described the finalized directive as "a pivotal milestone in the mission to restore trust in digital democracy and protect the integrity of federal information systems."

Categories: Cyber Risk News

US Seizes Domains Used by Terrorists

Thu, 09/03/2020 - 17:38
US Seizes Domains Used by Terrorists

Two domain names being used unlawfully by a terrorist organization to destabilize a foreign power have been seized by the United States. 

The sites “” and “” are owned and operated by a United States company based in Scottsdale, Arizona, but were being utilized by Kata’ib Hizballah, an Iran-backed terrorist group active in Iraq.

On July 2, 2009, the US Secretary of the Treasury designated Kata’ib Hizballah as a Specially Designated National for committing, directing, supporting, and posing a significant risk of committing acts of violence against coalition and Iraqi security forces.

On the same day, Kata’ib Hizballah was designated as a Foreign Terrorist Organization by the US Department of State for committing or posing a significant risk of committing acts of terrorism.

The domains “” and “” were seized on August 31, 2020, pursuant to a seizure warrant after they were determined to be acting as the group's media arm. 

Kata’ib Hizballah used the sites to disseminate videos, articles, and photographs designed to further their political agenda. The sites also functioned as a live online television broadcast channel, Al-etejah TV.

Numerous articles published on “” and “” were written with the specific intention of destabilizing Iraq. The sites were also used by Kata’ib Hizballah for the purpose of recruiting others to their cause. 

“Once again we see designated foreign terrorist organizations turning to the internet to push their message and recruit followers for their violent causes,” said John Demers, assistant attorney general for National Security.  

“We will continue to fight terror recruitment and propaganda efforts in the digital world, as we do elsewhere.” 

US Attorney for the District of Arizona Michael Bailey said that the Grand Canyon State had no space for terrorists.

“The District of Arizona is home to many successful technology companies whose goods and services are capable of being used by individuals across the world," said Bailey. "We will not allow members of terrorist organizations to illegally use those goods and services to further their propaganda and agenda.”

This seizure was investigated by the Department of Commerce, Bureau of Industry and Security.

Categories: Cyber Risk News

US Surveillance Exposed by Snowden Ruled Unlawful

Thu, 09/03/2020 - 16:29
US Surveillance Exposed by Snowden Ruled Unlawful

A surveillance program undertaken by America's National Security Agency has been ruled unlawful.

The program involved the collection of data from the private phone records of millions of Americans. It was exposed by whistleblower Edward Snowden, whose revelations were published by the Guardian newspaper. 

Intelligence leaders who publicly defended the program have now been classed as liars following a ruling by the US Court of Appeals. 

Snowden, who faces espionage charges in the United States, fled to Russia after blowing the whistle on the program in 2013. He is currently living in exile in Moscow. 

After hearing about the court's ruling, Snowden said on Twitter: “I never imagined that I would live to see our courts condemn the NSA’s activities as unlawful and in the same ruling credit me for exposing them. And yet that day has arrived."

Senior US intelligence officials publicly denied that the NSA had ever wittingly gathered data from private phone records. Snowden's evidence, published online in 2013, proved these rebuttals to be false. 

Defenders of the surveillance program argued that the ends justified the means, since the data it had illegally collected had been critical in uncovering domestic terrorism in the United States. 

The information unlawfully gathered by the NSA led to the convictions of San Diego residents Basaaly Saeed Moalin, Ahmed Nasir Taalil Mohamud, Mohamed Mohamud, and Issa Doreh for providing aid to al-Shabab militants in Somalia.

Yesterday, the Court of Appeals for the Ninth Circuit said that the warrantless surveillance program had violated the Foreign Intelligence Surveillance Act. 

Claims that the NSA had never knowingly collected data from private phone records were deemed by the court to be "inconsistent with the content of the classified records."

“Today’s ruling is a victory for our privacy rights,” the American Civil Liberties Union said in a statement.

"It makes plain that the NSA’s bulk collection of Americans’ phone records violated the Constitution.”

The ruling will not affect the convictions of Moalin and his fellow defendants as the court ruled that the illegal surveillance program had not tainted the evidence introduced at their trial. 

Categories: Cyber Risk News

Homeland Security to Propose Biometric Collection Rules

Thu, 09/03/2020 - 11:30
Homeland Security to Propose Biometric Collection Rules

The Department of Homeland Security (DHS) is to propose a standard definition of biometrics for authorized collection, which would establish a defined regulatory purpose for biometrics and create clear rules for using the information collected.

A proposed expansion would modernize biometrics collection and authorize expanded use of biometrics beyond background checks to include identity verification, secure document production and records management.

The proposed rule would also improve the screening and vetting process and reduce DHS’ dependence on paper documents and biographic information to prove identity and familial relationships. DHS said the proposed rule would authorize biometrics collection for identity verification, including newer techniques such as voice, DNA test results and iris and facial recognition technologies.

Ken Cuccinelli, senior official performing the duties of the deputy secretary for Homeland Security, said this proposed rule eliminates any ambiguity surrounding the Department’s use of biometrics, setting clear standards for how and why it collects and uses this information.

“Leveraging readily available technology to verify the identity of an individual we are screening is responsible governing,” he said. “The collection of biometric information also guards against identity theft and thwarts fraudsters who are not who they claim to be.”

Fausto Oliveira, principal security architect at Acceptto, said the use of biometrics, particularly facial recognition, has been publicized as a positive step forward, but the use of such biometric factors requires scrutiny and a legal framework. “Facial recognition is not by itself wrong, however it needs a comprehensive legal framework to protect individuals and an organization that supervises the application of this information, has a clear political mandate to supervise the agencies that deal with this type of information and the power to act to stop misuse of that information by federal entities,” he added.

“The collection of biometrics will not stop given the perceived value that it has for identification purposes. However, legislators need to intervene and create mechanisms that balance the need to know by justice departments against individual freedom, the right to be forgotten and the right to privacy.”

Joseph Carson, chief security scientist and advisory CISO at Thycotic, asked whether the DHS will collect only a mathematical representation of biometrics, or whether it will collect the actual raw data, which would significantly increase both security and privacy risks. “It should also be clear on what it can and cannot be used for since limitations in scope should always be clear. It is important to note that biometrics are not a replacement for passwords but are improved and secure replacements for usernames as they are typically used for identifiers and not actual secrets. It should also be made clear on how long the data will be kept and whom it will be shared with.”

Carson said that whilst biometrics improve identity proofing and document verification and reduce password fatigue, they also introduce additional security risks that must be managed and secured using strong privileged access management. “It is important to protect the government, but at the same time, also protect the citizens,” he said. “When biometrics are abused, or stolen, it impacts the citizen for life and the company/government for a limited time.”

Categories: Cyber Risk News

One Year Compliance Deadline for New Children’s Code

Thu, 09/03/2020 - 10:15
One Year Compliance Deadline for New Children’s Code

Online service providers, app developers and other relevant businesses have one year to comply with a new statutory code introduced on Wednesday to help protect children’s privacy.

The Age Appropriate Design Code or Children’s Code will apply to any business providing “online services and products” likely to be used by UK youngsters under 18, according to the Information Commissioner’s Office (ICO).

Following the GDPR-enshrined principle of “security by design,” the code outlines 15 standards for developers of online services so that their users have a “built-in baseline of data protection” when they visit a website or open an app.

“A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt,” argued information commissioner, Elizabeth Denham.

“This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.”

Among the requirements are that geolocation is switched off by default, only a bare minimum of data is collected on children using such services, and that it is never shared unless there’s a compelling reason to do so.

Maximum GDPR fines of up to 4% of global annual turnover could theoretically be levied if firms break the code.

However, it is risk-based, which means certain organizations will have more to do than others. The ICO said those involved in developing and providing apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyze and profile children’s data will be most affected by the new rules.

The ICO is inviting feedback to help it tailor support as organizations adapt their products before the September 2, 2021 deadline.

Concerns over the online privacy of children have also surfaced in the US, where Google and YouTube last year agreed to pay $170m to settle a case brought by the FTC and New York Attorney General alleging they illegally harvested personal data on children.

Categories: Cyber Risk News