
Archive for the News Category

European Parliament Approves Mass ID Database Plans

The European Parliament has approved plans to boost physical security by implementing a mass identity database, although privacy concerns persist.

The Common Identity Repository (CIR) will centralize the personal information of nearly all non-EU citizens in the EU’s visa-free Schengen region. The latter covers the vast majority of the EU except for Ireland and the UK, as well as Bulgaria, Croatia, Cyprus, and Romania.

The data — which will include fingerprints, names, addresses, photos and other info — will be consolidated from five separate systems, including databases of asylum seekers, short-stay visa applicants, and those with previous criminal convictions in the EU.

The idea is that it will enhance security in the region by minimizing information gaps and silos, helping law enforcers track terrorists and serious criminals who may otherwise be able to slip across borders undetected. Data on an estimated 300 million non-EU and some EU citizens will be stored in the CIR, according to reports.

“Global law enforcement agencies and border control personnel have been sharing information about people for decades, if not centuries,” argued John Gunn, CMO at OneSpan.

“CIR is a very positive move that will simply make the methods more timely, efficient, and effective resulting in speedier cross-border travels with less hassle and in greater safety for all as those with evil intent are more easily identified and stopped.”

However, others have voiced concerns that there are not enough safeguards to protect individual freedoms, and that a single database of this size would be a major target for attackers. The EU privacy advisory body, the Article 29 Working Party (WP29), set these concerns out at length in a document last year.

“Regarding the Common Identity Repository (CIR), the WP29 is of the view that the cross-matching of various sources for identification and consolidating them in a new common database for the purpose of overall identification poses an additional interference with the rights to privacy and data protection,” it said.

“The WP29 is not convinced of the necessity and proportionality to establish such a mixed-purpose identification database including biometric data. Whether identity fraud is in practice such an essential threat to the internal security of the Union as to justify the central registering of biometric identifiers of all bona fide [third country nationals] TCN travellers, migrants and asylum seekers is not yet sufficiently established in terms of proportionality and therefore remains an issue of major concern.”

Source: Information Security Magazine

Addiction Center Patients Exposed in Privacy Snafu

A large trove of personally identifiable information (PII) has been leaked by an addiction treatment center after researchers found another unsecured Elasticsearch database online.

Justin Paine, director of trust and safety at Cloudflare, blogged about his findings late last week, claiming to have found the exposed database via a simple Shodan search.

As the data trove required no authentication to access, he was able to scroll through the 1.45GB of information. Although there were nearly five million documents contained in the database, they related in the end to around 146,000 unique patients.
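The check Paine describes amounts to asking an Elasticsearch node for its index list and seeing whether it answers without credentials. The following is an added example, not code from Paine's write-up or from Elasticsearch: it separates the classification of a response (a pure function, exercised offline on constructed sample bodies) from the live probe, so the logic can be tested without touching a host. The sample index names and document counts are made up. Only point `probe()` at systems you are authorized to test.

```python
"""Classify whether an Elasticsearch HTTP endpoint answers without credentials."""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Classify a raw HTTP response to GET /_cat/indices?format=json.

    Returns "exposed" when the node lists its indices to an unauthenticated
    client, "protected" when it demands credentials, and "unknown" otherwise
    (e.g. a reverse proxy returning HTML, or a non-Elasticsearch service).
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unknown"
    try:
        indices = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(indices, list) and all(isinstance(i, dict) and "index" in i for i in indices):
        return "exposed"
    return "unknown"


def summarize(body):
    """Return (index_count, total_docs) from a /_cat/indices JSON body.

    The cat API reports counts as strings and uses null for closed indices,
    hence the int(... or 0) conversion.
    """
    indices = json.loads(body)
    docs = sum(int(i.get("docs.count") or 0) for i in indices)
    return len(indices), docs


def probe(base_url, timeout=5):
    """Fetch the index list from a live node (assumed reachable) and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_cat/indices?format=json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from any real host).
EXPOSED_BODY = json.dumps([
    {"health": "yellow", "status": "open", "index": "patients",
     "docs.count": "4999000", "store.size": "1.4gb"},
    {"health": "yellow", "status": "open", "index": "billing",
     "docs.count": "1000", "store.size": "3mb"},
])
PROTECTED_BODY = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request"},
    "status": 401,
})

if __name__ == "__main__":
    print(classify(200, EXPOSED_BODY), summarize(EXPOSED_BODY))
    print(classify(401, PROTECTED_BODY))
```

A node that comes back "exposed" should not be bound to a public interface in the first place; the remediation is to bind it to a private address, put authentication in front of it, or both, rather than to rely on nobody running the same Shodan search.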

Paine traced them back to Pennsylvania-based addiction treatment center Steps to Recovery.

“A leak of PII related to 146,316 unique patients would be bad on any day. It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” he argued.

“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”

After a few cursory Google searches, he was also able to determine with “high confidence” a patient’s age, birthdate, address, previous addresses, family members’ names, their political affiliation, phone numbers and email addresses.

Despite contacting the firm about the privacy snafu at the end of March, Paine had received no response as of April 15 and there are concerns that it has still not notified patients about the risk of identity theft. However, a message he sent to the hosting provider was received and access to the database subsequently restricted.

It’s just the latest in a long line of incidents involving misconfigured Elasticsearch instances. One revealed in November last year exposed the PII of nearly 82 million Americans.

Source: Information Security Magazine

Cyber Readiness Worsens as Attacks Soar

The number of organizations in Europe and the US that have been hit by a cyber-attack over the past year has soared to over three-fifths (61%), according to a new report from Hiscox.

The global insurer today released the results of its Hiscox Cyber Readiness Report 2019, which is compiled from interviews with over 5300 cybersecurity professionals in the US, UK, Belgium, France, Germany, Spain and the Netherlands.

It revealed a sharp increase in the number of firms suffering an attack, up from 45% in the 2018 report. In the UK, the figure rose from 40% to 55%.

There was also a rise in the number of small (from 33% to 47%) and medium-sized businesses (36% to 63%) reporting an attack, across the US and Europe.

Two-thirds of firms (65%) on average claimed to have been hit by supply chain cyber incidents.

Average losses were also up by 61%, from $229,000 last year to $369,000 this year. For large firms the average exceeded $700,000, versus just $162,000 in 2018.

Although cybersecurity spending went up by 24% over the past year to reach $1.45m, only 10% of responding organizations were classed as “experts” in terms of their cyber-readiness, with nearly three-quarters (74%) described as unprepared “novices.” Disappointingly, there was a sizeable drop in the number of large US and German firms achieving “expert” scores.

Hiscox cyber CEO, Gareth Wharton, argued that cyber-attacks have become “the unavoidable cost of doing business today.” 

“This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber-attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable,” he explained.

“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber-insurance policy.”

Source: Information Security Magazine

Singapore Responds to Recent Cybersecurity Attacks

During a visit to San Francisco, Singapore foreign affairs minister Vivian Balakrishnan commented that the country cannot "go back to pen and paper. … If people lose confidence in the integrity and security of the system, then all these aspirations cannot be fulfilled."

The comments follow information coming into the open regarding data breaches, one of which affected 14,200 individuals diagnosed with HIV up to January 2013. In a statement by the police, it was confirmed that the information was "in the possession of an unauthorized person" and had been illegally disclosed online.

The statement went on to say that the information was in the possession of Mikhy K. Farrera Brochez, a male US citizen residing in Singapore between January 2008 and June 2016. He was convicted of fraud and drug-related offences in March 2017, sentenced to 28 months in prison and deported from Singapore. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower in order to obtain and maintain his employment pass.

According to Bloomberg, Balakrishnan said the government’s response to recent cybersecurity attacks and human leaks has to be one where "it’s completely open." It follows the first meeting of the Public Sector Data Security Review Committee, which was held on April 18, 2019, according to a government statement. 

Bloomberg reported that attendees of the meeting "reviewed past data incidents" and broad approaches to raise the bar of security. The committee will submit its final report to the prime minister by the end of November 2019. 

Singapore has been trying to position itself as a "Smart Nation," with initiatives focusing on digital identity, smart urban mobility and e-payments. However, the data breaches have made many people nervous, especially with the ambitions of artificial intelligence (AI) clear. 

“The ability to deploy AI in our respective fields should be commoditized,” Balakrishnan said. “We will be one of the earliest adopters of these new technologies.”

Source: Information Security Magazine

WannaCry 'Hero' Pleads Guilty to Writing Malware in US Court

Marcus Hutchins, also known as MalwareTech, has pleaded guilty in a US court to two counts of creating and spreading malware. The reverse-engineer is well known for his contribution to ending the WannaCry ransomware attacks in May 2017. 

According to Wisconsin court documents, Hutchins was charged in "10 counts of a superseding indictment." He pleaded guilty to counts one and two, saying that the US government would be able to prove that "between July 2012 and September 2016, [he] helped create and, in partnership with another, sell malicious computer code, aka malware, known as UPAS-Kit and Kronos."

Arrested in August 2017 at the Las Vegas airport by the FBI, Hutchins was accused of creating and spreading the banking Trojan Kronos, followed by additional charges in June 2018 relating to developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools. He denied the former in 2017, making this a complete turnaround on his previous plea.

Kronos targeted banking information and was valued at $7,000 on the dark web.

Hutchins made a public statement in response to reports of his plea: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

The WannaCry attacks took place in May 2017, with Telefonica being the first victim. The attacks happened worldwide, including the UK's National Health Service (NHS), and impacted more than 150 countries. Hutchins created a kill switch, which helped organizations globally stop the ransomware. He won an award for his contribution, as many cited the impact would have been worse without it. 

According to the Wisconsin court documents, Hutchins could face up to six years in prison and a $250,000 fine.

Source: Information Security Magazine

Password "123456" Used by 23.2 Million Users Worldwide

Some 42% of British internet users expect to lose money to online fraud, according to the National Cyber Security Centre's (NCSC) first UK Cyber Survey.

Released over the Easter weekend (April 21, 2019), the report also found that the most-used password from global cyber breaches was "123456," with "ashley" the most-used name as a password. The global password-risk list was published to disclose passwords already known to hackers.

The polling was independently carried out on behalf of NCSC, a part of GCHQ and the Department for Digital, Culture, Media and Sport (DCMS). The findings, as well as 100,000 passwords already known to have been breached by hackers, were released ahead of NCSC's CYBERUK 2019 conference, which will be taking place in Glasgow this week.  These will inform government policy and guidance offered to the public.

Ian Levy, NCSC technical director, said: “We understand that cybersecurity can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.

“Password reuse is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band."

According to the NCSC's announcement, the list was created from breached usernames and passwords collected and published by international web security expert Troy Hunt. His Have I Been Pwned website allows people to check whether they have an account that has been compromised in a data breach.
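The practical use of such a list is to refuse it at the point where a password is chosen. The following added example (not NCSC's, Hunt's or Infosecurity Magazine's code) shows the range-lookup protocol that Hunt's Pwned Passwords service uses for this: the client hashes the candidate with SHA-1, sends only the first five hex characters, receives every known suffix under that prefix, and finishes the comparison locally, so the server never sees the password or its full hash. The breached-password corpus and the counts attached to it are constructed stand-ins for illustration (the 23.2 million figure for "123456" is taken from the article; the rest are invented), and the "server" is simulated in-process so the block runs offline.

```python
"""Reject passwords found in a breached-password corpus via a k-anonymity
range lookup (SHA-1 hash, 5-hex-character prefix), run entirely offline."""
import hashlib

# Constructed stand-in for a breached-password corpus: password -> times seen.
# Counts are illustrative, not the NCSC list or real Pwned Passwords data.
BREACHED_CORPUS = {
    "123456": 23_200_000,
    "ashley": 432_276,
    "password": 3_645_804,
    "liverpool": 280_723,
    "blink182": 285_706,
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus):
    """Index the corpus the way a range server does: prefix -> {suffix: count}."""
    ranges = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], {})[h[5:]] = count
    return ranges


RANGES = build_ranges(BREACHED_CORPUS)


def range_server(prefix):
    """Simulated server side: for a 5-hex-char prefix, return 'SUFFIX:COUNT'
    lines. The server only ever learns the prefix, not the full hash."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(RANGES.get(prefix, {}).items()))


def breach_count(password, query=range_server):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password was seen, or 0 if unknown."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def accept_password(password, min_length=8):
    """Sign-up policy: enforce a minimum length, then reject anything on the
    breach list. Returns (accepted, reason). Length is checked first so an
    obviously short candidate never triggers a lookup."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"seen in {seen} breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "password", "liverpool", "Tr0ub4dor&3-long-enough"]:
        print(candidate, accept_password(candidate))
```

Against a real range service the `query` argument would be replaced by an HTTPS GET to the range endpoint; the rest of the client does not change, which is the point of passing the lookup in as a parameter. Note that "123456" fails on length before it is ever looked up, whereas "password" and "liverpool" pass the length rule and are caught only by the breach check, which is why a length rule on its own is not enough.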

The report also found that the proportions of respondents who felt they would be a victim of cybercrime in the next two years range from 12% having information stolen and a ransom demanded to 42% who feel they will have money stolen that will later be reimbursed. Only 51% feel that apps being accessed without consent will have a big personal impact, while 91% feel having money stolen without reimbursement would have a big impact.

Other findings included: 

  • Only 15% know a great deal about how to protect themselves from harmful activity.
  • The most regular concern is money being stolen, with 42% feeling it will likely happen to them by 2021.
  • 89% use the internet to make online purchases, with 39% on a weekly basis.
  • One in three rely to some extent on friends and family for help on cybersecurity.
  • Young people are more likely to be privacy conscious and careful of what details they share online.
  • 70% always use PINs and passwords for smartphones and tablets.

Margot James, DCMS’ digital and creative industries minister, said, "Cybersecurity is a serious issue, but there are some simple actions everyone can take to better protect against hackers. We shouldn't make their lives easy, so choosing a strong and separate password for your email account is a great practical step.

“Cyber-breaches can cause huge financial and emotional heartache through theft or loss of data, which we should all endeavor to prevent."

The NCSC‘s two-day CYBERUK 2019 conference will see 2,500 delegates come to Glasgow’s Scottish Exhibition Centre on April 24 and 25 for a range of speeches, workshops and interactive displays.

Source: Information Security Magazine

Mueller Report: Individuals Deleted Data During Investigation

After two years of investigation, Robert S. Mueller III's report, Report on the Investigation into Russian Interference in the 2016 Presidential Election, was released yesterday. The 448-page report looks into Russian interference specifically but also into any individuals in the US who may have been involved.

Appointed in May 2017 as Special Counsel to the investigation, Mueller found that Russia's interference in the 2016 election included social media activity, which related back to the Cambridge Analytica exposé in March 2018, and "a Russian intelligence service conducted computer-intrusion operations against entities, employees, and volunteers working on the Clinton Campaign and then released stolen documents."

"The Internet Research Agency (IRA) carried out the earliest Russian interference operations identified by the investigation – a social media campaign designed to provoke and amplify political and social discord in the United States," says the report. "The IRA was based in St. Petersburg, Russia, and received funding from Russian oligarch Yevgeniy Prigozhin and companies he controlled.

"At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations."

Interestingly, data loss was discussed in the report as "the Office" had learned that some of the individuals they had interviewed – including some associated with the Trump Campaign – had deleted relevant communications or communicated during the relevant period using encrypted applications. In some instances this hindered the investigation, according to Mueller. 

However, the report concludes, there isn't sufficient evidence to prove a crime had been committed in relation to the US election. 

"The Russian contacts consisted of business connections, offers of assistance to the campaign, invitations for candidate Trump and [Russian president Vladimir] Putin to meet in person, invitations for campaign officials and representatives of the Russian government to meet, and policy positions seeking improved US-Russian relations," says the report. "While the investigation identified numerous links between individuals with ties to the Russian government and individuals associated with the Trump campaign, the evidence was not sufficient to support criminal charges."

It is also unclear what will happen next. According to BBC News, Attorney General William Barr is facing "heavy criticism" of his handling of the report's release, with some accusing him of misleading them with an earlier summary on whether President Trump obstructed justice. 

According to USA Today, the Kremlin hit back at Mueller's investigation: The report "does not present any reasonable proof at all that Russia allegedly meddled in the electoral process in the US," said Dmitry Peskov, spokesman for Russian president Vladimir Putin.

Source: Information Security Magazine

Cyber-Attack Knocks the Weather Channel Off the Air

The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes. 

On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a "malicious software attack" on its network but as of press time hasn't released any specifics on the attack itself. When the AMHQ show should have started, viewers saw taped programming, Heavy Rescue. AMHQ's Twitter feed also confirmed that it was "experiencing technical difficulties." 

Around 90 minutes later, the show returned with its anchors informing of the cyber incident.

"The Weather Channel, sadly, has been the victim of a malicious software attack today," said anchor Jim Cantore.

"Yes, and it has affected our ability to bring you your weather information," added anchor Stephanie Abrams. "So we just wanted to say thank you again for your patience and we want to get right to today's severe weather."

While attacks on television networks do not always make mainstream news, many countries have fallen victim to them. In February 2018, a cyber-attack on the PyeongChang Olympic Games, attributed to Russia, took the official Olympic website offline for 12 hours and disrupted Wi-Fi and televisions at the PyeongChang Olympic stadium.

Also, in October 2018, the National Cyber Security Centre accused Russia's military intelligence services of targeting firms in Russia and Ukraine, the US Democratic Party and a small TV network in the UK.

Source: Information Security Magazine

Facebook Uploaded 1.5 Million Email Contacts Without Consent

Since 2016, Facebook has reportedly harvested email contacts of 1.5 million users without their consent. According to Business Insider, the media outlet that broke the story, the company had been collecting the contact lists of new users since May 2016. 

In a statement, Facebook confirmed that it had been unintentionally uploading this data when people were verifying their accounts. 

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," said the statement. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.

"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."

According to Business Insider, a security researcher realized that Facebook was asking some users to "enter their email passwords when they signed up for new accounts to verify their identities." The outlet then discovered that when a user entered their email password, "a message popped up saying it was 'importing' contacts, without asking for permission first."

A Facebook spokesperson also confirmed that these contacts were uploaded into Facebook's systems, where they were used to build "Facebook's web of social connections" and recommend friends. 

It's not known whether these contacts were also used for ad-targeting purposes, as in the Cambridge Analytica scandal that broke last year. That exposé, published by The Observer, led to Facebook having to answer questions before the US Senate and the UK government.

Infosecurity Magazine reported that at the beginning of April, over half a billion personal Facebook records were publicly exposed to the internet by two third-party app developers. UpGuard claimed to have found the two datasets stored in Amazon S3 buckets, which were configured to allow public download of files.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.

In regards to the latest data mishap, Facebook plans to notify the 1.5 million users affected and delete their contacts from the company's systems.

Source: Information Security Magazine