
Archive for July 2018

US to Ban China Mobile on Security Concerns

The Trump administration has told the Federal Communications Commission (FCC) to block China Mobile from entering the US telecoms market on national security grounds.

The state-backed telco has been tied up for seven years on an application for a Section 214 license to offer international voice traffic from the US to foreign countries, according to the Commerce Department’s National Telecommunications and Information Administration (NTIA).

However, it has been decided that granting such a license to a carrier funded by Beijing would present “unacceptable national security and law enforcement risks.”

“After significant engagement with China Mobile, concerns about increased risks to US law enforcement and national security interests were unable to be resolved,” said David Redl, assistant secretary for communications and information, in a statement.

“Therefore, the Executive Branch of the US government, through the National Telecommunications and Information Administration pursuant to its statutory responsibility to coordinate the presentation of views of the Executive Branch to the FCC, recommends that the FCC deny China Mobile’s Section 214 license request.”

China Mobile is the world’s largest mobile phone operator with nearly 900 million subscribers, but the vast majority are located within the Middle Kingdom, where it makes most of its money.

That’s why this snub will not have the kind of impact on the firm that the recent sanctions against ZTE threatened.

However, it’s yet another sign of the growing technology Cold War developing between the world’s two superpowers.

The Trump-fuelled trade war continued on Friday with the promise of further tariffs on $34bn worth of Chinese goods, to which Beijing said it would respond in kind.

In the meantime, Huawei continues to be investigated for possible sanctions violations which could also see it penalized by the US authorities.

The hard-line approach by the Trump administration also threatens to accelerate Xi Jinping’s plans to make China completely self-sufficient in the production of core technologies such as processors.

Source: Information Security Magazine

Facial Recognition IDs Capital Gazette Shooter

Though controversial and dogged by high false-positive rates, facial recognition software led to a big win for police in Annapolis, Maryland, after a mass shooting at the Capital Gazette left five journalists dead and others wounded when a gunman attacked the newsroom.

After police took the suspected gunman into custody, a fingerprint database returned no results. The man reportedly had no identification on his person and refused to speak to investigators. According to the Washington Post, investigators ran his photo in Maryland’s facial recognition database, the Maryland Image Repository System (MIRS), and the system returned a match.

Unlike other cases, the Annapolis case was a clear success and reportedly saved time as investigators tried both to identify the suspect and to determine whether there were additional culprits. Anne Arundel County police chief Tim Altomare confirmed that investigators identified the suspect using facial recognition technology alongside other investigative techniques, and that there are no other suspects.

In 2013, as part of an effort to address the problem of uncooperative suspects who provide little or inaccurate information about their identities, a grant was awarded to the Automated Regional Justice Information System (ARJIS), a consortium of 82 local, state and federal law enforcement agencies. Thus began its work to develop facial recognition query systems for use by law enforcement agencies.

At the time, facial recognition was a fairly new concept. Originally, the ARJIS database contained over 1,300,000 booking photos from San Diego County and more than 93,000 images from the booking system of the Chula Vista Police Department. According to the Electronic Frontier Foundation, use has increased rapidly without meaningful oversight.

Despite the debates over the accuracy of the technology, a former lieutenant commander with the New York City Police Department’s cold case squad told the Washington Post that this case will likely embolden advocates of facial recognition and draw more attention to it from law enforcement agencies.

“The facial recognition system performed as designed,” said Stephen T. Moyer, secretary of Maryland’s Department of Public Safety and Correctional Services (DPSCS), in a statement. “It has been and continues to be a valuable tool for fighting crime in our state.”

Source: Information Security Magazine

SAP Risk Not Understood by C-Level

A new survey of executives and IT and security professionals found that far fewer executives than IT and security staff are extremely concerned about SAP security, a gap that could undermine the development of sound cybersecurity strategies, according to ERP Maestro.

Given that enterprise resource planning (ERP) systems process so much transactional data and are often targets for attacks, Americas' SAP Users' Group (ASUG) conducted a May survey of C-level executives and IT and security professionals. Sponsored by ERP Maestro, the survey included responses from customers using both cloud and on-premise SAP solutions. SAP remains the dominant core ERP system used among ASUG members, and it is used to process 77% of the world’s transaction revenue.

The survey showed a sizable gap between executives and other professional groups in their perception of SAP security risks. The most substantial disparity exists between executives and those directly responsible for IT and security.

Only 25% of executives said that they were extremely concerned about security. That number is in stark contrast to the 80% of IT and security respondents whose concern level is in the range of very or extremely concerned.

“Dedicated security professionals understand the nuances of security and see it as a significant challenge. They likely have a more accurate assessment of their environment,” the report stated. “The lack of concern among executive-level employees may indicate that more education is needed among this cohort to help increase understanding of the potential risks and insider threats.”

According to the survey, 82% of respondents said their systems have only minor vulnerabilities, while just 5% rated their systems as impenetrable and 8% did not know how to classify their systems. Additionally, one-third of respondents do not have a defined cybersecurity strategy.

“One of our biggest challenges, and also an objective in the work we do with SAP customers, is bridging the divide between executives and IT/security teams so that they are all on the same page when it comes to understanding their level of risk,” said Britta Simms, IBM's lead for Global Center of Competency SAP Security.

“That joint knowledge is crucial in forming comprehensive strategies and getting buy-in across the organization for the best prevention plans and tools. It’s also a competitive advantage.”

Source: Information Security Magazine

Fortnum & Mason: 23,000 Affected by Data Hack

Luxury retailer Fortnum & Mason has become the latest big brand to be involved in a significant data breach after the company admitted the details of around 23,000 competition and survey participants had been compromised.

According to a spokesperson at Fortnum & Mason: “At 17:26 on Friday 29 June, Typeform, a company that provides services that we have used in the past to collect survey responses and voting preferences, notified us that they had suffered a data breach and unfortunately some of our data had been compromised.”

Those affected were competition and survey participants who had submitted their details through a Typeform form.

“For the majority of people, only the email address has been exposed,” the spokesperson added. “For a smaller proportion of customers, other data such as address, contact number and social handle has been included. These forms did not request bank or payment details, or require passwords.”

No one’s bank details or passwords were involved, and money and accounts are safe, the spokesperson said. “All those affected have been contacted.”

Fortnum & Mason was also quick to point out that there had been no breach of its own website, and that all of the data it holds itself was unaffected by the incident.

“We have disabled any and all Typeform forms existing on our website and will not work with Typeform until we are assured that there is no further risk, that all our data has been removed from their servers and that their security measures have been improved. We have been informed that Typeform have fixed the root cause and are undertaking forensic investigations.”

Source: Information Security Magazine

Customer Bids Farewell to Typeform Post-Breach

Barcelona-based Typeform suffered a breach when an unknown third party accessed one of its servers and downloaded data. While the breach’s impact on the company’s reputation cannot yet be fully measured, Monzo has announced that it has ended its relationship with Typeform.

On 27 June 2018, Typeform announced that an unidentified attacker had downloaded a partial backup file. The file reportedly contained information on respondents who had completed online forms before 3 May 2018; any information collected after 3 May was not compromised. Typeform informed affected customers of the breach via email.

In their media alert, Monzo wrote, “Some personal data of about 20,000 people is likely to have been included in the [Typeform] breach. For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode.”

Even though Typeform said it responded immediately by fixing the source of the breach and preventing any further intrusion, the incident has already cost it one customer.

“We have since been performing a full forensic investigation of the incident to be certain that this cannot happen again. The risk of reoccurrence is now deemed low enough to send out this communication,” the company wrote.

The company also confirmed that no bank details have been affected and that payment details, passwords and any customer subscription payment information remain safe. Additionally, any payment information that customers collected using Typeform’s Stripe integration has been deemed safe.

The breach has also created a potential problem for the Tasmanian Electoral Commission (TEC), which has used Typeform’s online forms for some of its election services. Affected electors will be contacted in the coming days, but TEC added that the breach has no connection to the national or state electoral roll.

TEC publicly announced the breach in a 30 June media release, reporting that “Whilst some of the stolen elector data captured in some of these forms has already been made public, such as candidate statements for a local government by-election, it is believed that the breach also captured name, address, email and date of birth information provided by electors when applying for an express vote at the recent State and Legislative Council elections.”

Source: Information Security Magazine

Two-Fifths of UK CEOs See Cyber-Attacks as Inevitable

Fewer than 40% of UK CEOs believe a successful cyber-attack on their company is inevitable, a markedly smaller share than among their global counterparts, according to new research from KPMG.

The global consulting firm polled 1,300 CEOs of “many of the world’s largest and most complex businesses,” including 150 UK business leaders.

It found that 39% of UK CEOs now believe a cyber-attack on their firm is a case of “when” not “if.” This reveals considerably more optimism than the 49% of global CEOs who claimed the same.

While the stats indicate a growing awareness among business leaders of the scale of the cybersecurity challenge facing organizations today, the figure would ideally be higher.

Most experts agree that a well-resourced and determined attacker will always have the upper hand over IT security teams.

Dean Ferrando, systems engineer manager at Tripwire, argued that the first step towards improving cyber resilience is for business leaders to understand that attacks are inevitable.

“With cyber defence, getting the basics right counts for a lot and the majority of successful attacks can be prevented with foundational security controls, like ensuring systems are securely configured and managing and patching vulnerabilities,” he added.

“Organizations should also have visibility into the devices and software they have on their networks as this will give a clear indication of what assets need to be protected effectively."

The KPMG research also threw up some odd contradictions. Only 40% of UK CEOs said that customer data protection was one of their most important personal responsibilities in driving long-term growth of the customer base, despite the huge uptick in boardroom-level awareness that the GDPR has helped create.

However, the survey also revealed an overwhelming majority (74%) of those same CEOs believe that a strong cybersecurity strategy is critical to building trust with key stakeholders, compared to just 55% of global CEOs. A sizeable number (45%) also claimed to see the value in cybersecurity staff.

KPMG UK vice chair, Bernard Brown, claimed that CEOs are developing a more mature understanding of cybersecurity.

“Helped by non-executive directors (NEDs), they are beginning to ask more awkward and searching questions of their IT teams: what are the challenges that face us specifically, what risks are we carrying, what do we need to be resilient to a cyber-attack?” he added.

“Organizations are spending more time planning for worst case scenarios, running simulations and thinking in detail about how they would deal with the uncertainties that arise during a cyber breach.”

Source: Information Security Magazine