Archive for August 2019

Smart Move: IDEX Shares Progress in Asia

Norwegian company IDEX Biometrics is forging strong bonds with smart-card and payment specialists in Asia. 

IDEX shared its second quarter and half-year 2019 results in a recently issued corporate update in which the company announced a landmark multiyear, multimillion-dollar order for its dual-interface sensors. The report went on to highlight IDEX's collaborations with Tongxin Microelectronics Co. Ltd. (TMC) and PAX Technology Ltd. 

Chinese company TMC will be working with IDEX to create a biometric smart-card solution for end-customer implementation. In a three-way arrangement, point-of-sale terminal provider PAX will work with IDEX and with one of China's largest smart-card producers, Chutian Dragon, to run real-life transactions with biometric smart cards compliant with the Europay, Mastercard and Visa (EMV) standard, using IDEX's dual-interface sensor.

Also highlighted in the report were IDEX's progress toward certification and the company's attainment of some major manufacturing milestones, which included partnerships with Sian and Silone Cardtech, and a savvy supply agreement with Feitian, a leading global provider of cybersecurity products and solutions.

Despite its progress, the Norwegian company has yet to bring in the big bucks. In a separate brief, IDEX reported Q2 revenues of NKr0.4 million (about $44,600), an increase from revenues of NKr0.3 million in Q2 of 2018; and for the full first half of the 2019 fiscal year, revenues crossed the line at NKr1.7 million, compared to the much healthier NKr2.1 million banked over the corresponding period in 2018.

However, with comprehensive patents granted to IDEX Biometrics by the United States Patent and Trademark Office and by IP Australia, the company's future could be a much more lucrative story.  

IDEX CEO Stan Swearingen said: “The evolution of the biometric smart-card market is undoubtedly gathering pace and IDEX made great progress in the quarter. Our pipeline of commercial opportunities continues to grow, and we expect sensor shipments to increase significantly. We have developed important relationships with new customers in the ecosystem, and our biometric technology is proven and ready for mass deployment. I am highly confident that our strategy and technology leadership will deliver considerable success for all our stakeholders.”

Source: Information Security Magazine

Teenage Hacker-for-Hire Receives Prison Sentence

A British teenager has been sentenced to 20 months in prison after selling his services as a freelance hacker.

Elliot Gunton of Mounteney Close, Norwich, England, pleaded guilty to hacking, money laundering and breaching a Sexual Harm Prevention Order imposed in 2016. The 19-year-old hacker-for-hire also pleaded guilty to hacking offences against an Australian Instagram account.

Gunton was sentenced at Norwich Crown Court on Friday, August 16, after pleading guilty at an earlier hearing. The teen was ordered to pay back more than £400,000 he made in cryptocurrency after supplying online personal data and hacking services. 

The court heard how police found cybercrime-enabling software on Gunton's laptop after a routine search of his home conducted in April 2018. The search had been carried out to ensure that the teen was complying with a Sexual Harm Prevention Order imposed by the court in 2016 for previous offences. 

Information found on the laptop revealed that Gunton had offered to pass on mobile phone numbers, which would allow third parties to intercept calls and texts to commit fraud. Police also found evidence of Gunton advertising compromised data for sale and offering his services as a hacker-for-hire. 

Officers were able to trace and seize £275,000 worth of cryptocurrency illegally earned by Gunton, who had failed to erase all trace of conversations he had held online in which he discussed criminal activities. 

Gunton received a 20-month custodial sentence but was immediately released from the court, as he had already served his sentence while on remand. He was ordered to pay back £407,359 and issued a 42-month Community Behaviour Order with strict terms dictating his access to the internet.

The order bans Gunton from deleting his internet search history, from providing a false IP address, and from using cloud storage unless he notifies a police officer.

Detective Sergeant Mark Stratford said, "This was a complex investigation which relied on the expertise of officers and staff from the Norfolk and Suffolk Cybercrime Unit. This emerging type of criminality requires police investigators to be at the forefront of technological advancements in order to effectively combat the ever-growing paradigm of cybercrime."

Source: Information Security Magazine

BlackBerry Named Magic Quadrant Leader Four Years Running

Research giant Gartner Inc. has named BlackBerry a Magic Quadrant Leader for the fourth consecutive year.

The Canadian multinational is one of six vendors to be handed the title in the 2019 Gartner Magic Quadrant for Unified Endpoint Management Tools report. The other companies to emerge as Leaders from the report are Citrix, IBM, Microsoft, VMware and MobileIron, all of which were also awarded the title in 2018.

Magic Quadrants are used to determine the relative positions of competing players in the major technology markets through proprietary qualitative data analysis. The result is that companies are placed in one of four categories: Leaders, Visionaries, Niche Players or Challengers. Vendors that emerge as Leaders have the highest composite scores for their completeness of vision and ability to execute. 

In the 2019 Magic Quadrant for Unified Endpoint Management Tools, Gartner's main focus was on a unified endpoint management (UEM) solution's ability to coexist with or assist in the migration away from client management tools (CMTs) and processes. This is because of the ongoing migration of PCs from legacy CMTs to UEM that Gartner stated it witnesses in a majority of end-user organizations.

BlackBerry’s UEM solutions have been adopted by leaders in highly regulated industries, including government, healthcare, energy and financial services. The solutions work by using machine learning and predictive analysis to securely enable the internet of things (IoT) with complete endpoint management and policy control for an enterprise fleet of devices and apps. 

The company’s latest offering, BlackBerry Intelligent Security, is the first cloud-based solution to harness the power of adaptive security. The tech allows IT teams to alter the security requirements and functionality of enterprise devices and apps based on a user’s real-world behavior and a risk score calculated via a combination of artificial intelligence (AI) and spatial data. And all this is achieved without leaving an additional software footprint.

Source: Information Security Magazine

Texas Ransomware Blitz: 23 Local Governments Affected

The state of Texas has come under fire from a coordinated ransomware attack affecting over 20 local authorities.

The Texas Department of Information Resources (DIR) released an updated statement over the weekend detailing its response to the attacks, which occurred on Friday morning local time.

Some 23 local government agencies were hit by the attacks – which are said to have come from the same threat actor – although state IT systems and networks are not affected.

“Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time,” the statement noted. “It appears all entities that were actually or potentially impacted have been identified and notified.”

The Texas DIR urged computer users not to click through links or open attachments in unsolicited emails, to check email sender details, to use unique and strong passwords on all accounts, to alert supervisors about any suspicious activity, and to take advantage of cybersecurity training.

Local government bodies are coming under increasing attack in the US, with cyber-criminals betting correctly that poor security practices and under-funding have left them particularly exposed to ransomware.

Over the past few months several cities in Florida have come under fire, with at least two, Lake City and Riviera Beach, choosing to pay a combined ransom of over $1m. In Texas, the city of Del Rio was hit in January, forcing public sector staff back to using pen and paper.

In Baltimore, which was also hit but refused to pay up, reports suggest the local authority may end up with a bill for as much as $18m.

Ransomware detections rocketed by 365% year-on-year in the second quarter of 2019, according to Malwarebytes. The vendor claimed in Q1 that virtually all of its detections were now related to attacks on businesses, as hackers focus their efforts on more lucrative targets.

Source: Information Security Magazine

Brooklyn Man Gets 57 Months for $1m Fraud Scheme

A Brooklyn man has been sentenced to nearly five years behind bars after pleading guilty to a decade-long fraud and account takeover scheme that netted him over $1m.

Jason Mickel Elcock, aka “Prezzi,” pleaded guilty in March to a series of wire fraud and money laundering charges, as well as unlawful possession of a firearm.

Between 2008 and last year, Elcock and co-conspirator Shoshana Marie McGill bought stolen financial and identity data on tens of thousands of businesses and individuals, according to the Department of Justice.

They also obtained this material by hacking victims’ email accounts, bank accounts and password vaults.

The duo then monetized the stolen data by: buying goods online with victims’ card data, which they resold, opening new lines of credit in other people’s names, transferring money out of victim bank accounts, creating and cashing fraudulent checks in victims’ names and selling the data and check-making kit to other fraudsters in return for a cut of their earnings.

Elcock is also said to have deleted activity alerts and changed email account passwords to prevent victims from receiving automated alerts about unauthorized transactions. He is also said to have transferred victims’ phone numbers to lines under his control.

The decade-long scheme netted him and McGill $1.1m. Also seized from their flat were Rolex watches, laptops, tablets and smartphones, designer clothes, shoes and handbags, and other items.

In addition to his 57-month prison term, Elcock will get three years of supervised release, and has to pay back the $1.1m and restitution. McGill pleaded guilty on January 3 to conspiring to commit money laundering and was sentenced in June to five years’ probation.

“As criminals move to the digital frontier, law enforcement is following,” said NYPD commissioner, James O’Neill. “In this case, the NYPD is proud to have teamed with its FBI partners to bring this insidious criminal scheme to a close.”

Source: Information Security Magazine

UK ICO Investigates Facial Recognition Technology in King's Cross

The UK Information Commissioner's Office (ICO) has launched an investigation into the use of facial recognition technology in London's King's Cross. The announcement followed news of the technology's use at Granary Square, a large, private development in the area.

Granary Square is a 67-acre development comprising 50 buildings. Press reports detailing the use of facial recognition in security cameras at the site first surfaced on Monday. According to the Guardian, its developers, Argent, Hermes Investment Management and AustralianSuper, admitted to using facial recognition technology "in the interest of public safety and to ensure that everyone who visits has the best possible experience."

The ICO acknowledged media reports that facial recognition was in use around King's Cross and pledged to investigate, calling the technology "a potential threat to privacy that should concern us all." Use of facial recognition systems without people's knowledge is a particular worry, Information Commissioner Elizabeth Denham added.

"As well as requiring detailed information from the relevant organisations about how the technology is used, we will also inspect the system and its operation on-site to assess whether or not it complies with data protection law," Denham said in a statement.

“Put simply, any organisations wanting to use facial recognition technology must comply with the law – and they must do so in a fair, transparent and accountable way," she added. "They must have documented how and why they believe their use of the technology is legal, proportionate and justified."

This isn't the first time that privacy advocates have expressed concerns about the use of facial recognition technology in central London. In December, privacy campaigners attacked the Metropolitan Police for using the technology in Soho, Piccadilly Circus and Leicester Square.

In May, San Francisco voted to ban the use of facial recognition by city departments altogether, making it the first city to do so. Oakland, California, and Somerville, Massachusetts, followed suit. July saw the House of Commons Science and Technology Committee recommend a suspension of facial recognition trials by the UK Government until the technology can be properly evaluated.

Source: Information Security Magazine

1.5% of Web Logins Use Breached Credentials

It's official: 1.5% of web logins use breached credentials, according to research published by Google. The company analyzed its own data to reach that number, which it presented at the USENIX conference this week.

Many websites still rely on only a combination of username and password to grant users access. Large data breaches have leaked billions of these credentials online, and they have been documented in databases like cybersecurity researcher Troy Hunt's Have I Been Pwned. People who reuse their email and password combinations across different sites are therefore vulnerable to credential-stuffing attacks, in which cyber-criminals attempt to access multiple websites using their stolen credentials.

In February, Google published an extension to the Chrome browser called Password Checkup. When a user enters credentials into a website, Google checks them against a database of over four billion breached usernames and passwords, warning the user if those credentials have been stolen and published in the public domain.

In the first month of operation, almost 670,000 people participated in the service, logging in 21 million times. Of those logins, 1.5% involved breached credentials, the research found.

People reused breached credentials on over 746,000 distinct domains, Google said. Video streaming and adult websites were most at risk of hijacking. Up to 6.3% of logins at those sites relied on breached credentials. Comparatively, only 0.3% of logins involved breached passwords at financial sites, and only 0.2% at government sites, the company said in a blog post yesterday. This could be because those sites had stricter password requirements, said the report. You probably couldn't use your dog's name as a password on many government sites, unless your dog's name happened to be "hs#s8d77sD^a," it said.

The research found that users took steps to reset one in four (86%) of unsafe passwords flagged by the Password Checkup extension. Of the new passwords, 94% were as strong or stronger than the originals, and an encouraging 60% were strong enough to be secure against brute-force dictionary attacks, in which it would take an attacker over 100 million guesses to identify the new password.
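A constructed illustration of the kind of check the article describes, added here and not Google's Password Checkup code (whose privacy-preserving protocol differs): the client reveals only a short hash prefix and matches the suffix locally, a simplification assumed for this example, and the same check is then run over a constructed login log to compute the share of breached logins per site category, as the research did.

```python
import hashlib

# Constructed breach corpus (sample data, not a real leak): credential pairs
# seen in past breaches, held server-side only as hashes.
BREACHED_PAIRS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "letmein"),
    ("dave@example.com", "qwerty"),
]

PREFIX_LEN = 5  # hex chars of the hash the client reveals to the server (assumed)


def credential_hash(username: str, password: str) -> str:
    """Hash the username/password pair; usernames are case-folded."""
    data = f"{username.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_index(pairs):
    """Server-side index: hash prefix -> set of hash suffixes."""
    index = {}
    for user, pw in pairs:
        h = credential_hash(user, pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def server_lookup(index, prefix: str):
    """Server API: return every suffix sharing the prefix, never a full hash."""
    return sorted(index.get(prefix, ()))


def is_breached(index, username: str, password: str) -> bool:
    """Client side: send only the prefix, match the suffix locally."""
    h = credential_hash(username, password)
    return h[PREFIX_LEN:] in server_lookup(index, h[:PREFIX_LEN])


# Constructed login log: (site category, username, password used at login).
LOGINS = [
    ("video", "alice@example.com", "password123"),
    ("video", "bob@example.com", "hunter2"),
    ("video", "erin@example.com", "correct horse battery staple"),
    ("video", "frank@example.com", "Tr0ub4dor&3"),
    ("finance", "alice@example.com", "Ax9!vLp2#Qm"),
    ("finance", "bob@example.com", "hunter2"),
    ("finance", "carol@example.com", "zF7$kd2@Wq"),
    ("finance", "dave@example.com", "Nn3&Hs8!pZ"),
    ("government", "carol@example.com", "Lm2#qP9!xV"),
    ("government", "dave@example.com", "Yt4^Ra6%Ub"),
]


def breached_login_rates(index, logins):
    """Share of logins per category that reused a breached credential pair."""
    totals, hits = {}, {}
    for category, user, pw in logins:
        totals[category] = totals.get(category, 0) + 1
        if is_breached(index, user, pw):
            hits[category] = hits.get(category, 0) + 1
    return {c: hits.get(c, 0) / totals[c] for c in totals}


if __name__ == "__main__":
    idx = build_index(BREACHED_PAIRS)
    for category, rate in breached_login_rates(idx, LOGINS).items():
        print(f"{category}: {rate:.1%} of logins used breached credentials")
```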

Source: Information Security Magazine

Data Breach Numbers Skyrocket in 2019

The number of data breaches spiked dramatically in the first half of this year compared to previous years, according to a report from vulnerability intelligence company Risk Based Security. Its analysis found that breach numbers for the first six months of 2019 grew by 54% compared to the same period last year, while the number of exposed records grew 52%.

The growth in data breach volume bucks a trend that saw the number of breaches plateau in 2017 and 2018.

"The reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first half of 2019," the report said. "Although these tend to be relatively small events, averaging fewer than 230 records exposed per incident, these leaks have contributed substantially to the number of access credentials freely available on the Internet."

The number of records exposed in 1H 2019 (4.19 billion) may be larger than in 1H 2018 (2.74 billion), but historical record volumes are more erratic. The first half of 2017 saw six billion records exposed, the report said.

According to the report, eight breaches within the first half of this year accounted for 3.2 billion breached records, or 78.6% of the total. Three of the breaches were among the largest of all time.

Six of the top eight breaches stemmed from misconfigured databases or web applications: (982 million records), First American Financial (885 million), Cultura Colectiva (540 million), two unknown organizations in India and China (275 million and 202 million, respectively) and Justdial (100 million).

Web-based breaches like these are by far the most common in terms of exposed records, accounting for 79% of total breaches in the first half of the year.

Only two of the top eight – Dubsmash's 161 million-record breach and Canva's loss of 139 million records – were down to other hacking techniques.

The number of breaches doesn't tell the whole story, either. While the first half of this year yielded more breaches than ever before, the majority had a moderate to low severity score and exposed 10,000 records or fewer.

The type of data stolen also plays a part. Email addresses and passwords are still the primary records stolen, present in 70% and 65% of stolen data sets, respectively. These can be used for credential stuffing when shared across multiple sites, but they can also be changed, the report points out.

More critical data was less commonly stolen. Addresses, credit card and Social Security numbers were only stolen in 11% of attacks, with account numbers only showing up in 10%.

Source: Information Security Magazine

ECB Shuts Site After Subscriber Data Breach

The European Central Bank (ECB) has been forced to shut down one of its websites following a cyber-attack which may have compromised customer data.

The bank said in a brief statement that hackers had compromised its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external third party.

It claimed that malware had been injected onto the server “to aid phishing activities.”

“As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured,” the statement continued.

“The affected information consists of the email addresses, names and position titles of the subscribers. The ECB is contacting people whose data may have been affected.”

The BIRD website is said to provide the banking industry with info designed to help produce statistical and supervisory reports.

The ECB said that because the BIRD website is physically separate from all other external and internal ECB systems, no market-sensitive data has been affected by the incident.

The BIRD website has been closed until further notice, and the European Data Protection Supervisor has been informed of the breach.

This isn’t the first time the ECB has been hit by hackers. In 2014, attackers managed to compromise a database containing website form data – stealing 20,000 email addresses which they then tried to hold to ransom.

The financial sector has always been a major target for hackers.

It has seen a 67% increase in security breaches over the past five years, with the average cost of cybercrime for financial institutions jumping $1.4m over the past year to reach $13m, according to an Accenture report from earlier this year.

Source: Information Security Magazine

Apache Struts Called Out For Incorrect Security Advisories

A leading open source project has come under fire for issuing misleading security advisories which may have put customers of its software at unnecessary risk.

Security vendor Synopsys analyzed 115 separate releases for popular web application framework Apache Struts and matched them up against the relevant advisories from the open source project.

In total, 24 of the 57 Apache Struts security advisories – nearly half – made mistakes when listing the versions of the framework that were impacted by vulnerabilities.

In fact, 61 additional versions of Apache Struts were impacted by at least one previously disclosed vulnerability, potentially exposing users to attack.

“While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment,” Synopsys argued.

“Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.”

On the plus side, the Apache Software Foundation and Apache Struts team were praised for their “diligence” in collaborating with Synopsys on fixing the mistakes. An updated Apache Struts Security Advisories page was published earlier this week.

Apache Struts will be known to many as the web app framework which Equifax failed to patch back in 2017, leading to a major breach of personal and financial information on more than half of all Americans and millions of UK consumers.

That incident has already cost the credit agency in excess of $1bn, as well as the jobs of the CEO and other senior executives.

Source: Information Security Magazine