
Vermont Schools Spy on What Students Do Online

Schools in Vermont are hiring companies to monitor what their students post and search for online.

According to a report by investigative journalism platform VTDigger, five schools in the Green Mountain State hired Burlington-based firm Social Sentinel to track the online activities of their students. 

Social Sentinel uses keyword-based algorithms and machine learning to scan social media posts within a set geographic area for words that could indicate that a student is at risk or poses a threat to others. 

When a particular word is discovered, a red flag is raised, causing an alert to be sent to school officials. For an additional fee, Social Sentinel can also scan the contents of students' emails. The aim is to alleviate problems like cyber-bullying, self-harm, and teen suicide and to prevent mass shootings or other violence.

A further eight schools told VTDigger that they had contracts with vendors to monitor activity on district services and school-sponsored email for browsing habits and keywords that could mean a student is a threat or in danger. Companies hired to carry out the monitoring included Securly, Bark, and Lightspeed Systems.

Middle schools in the Burlington school district reported using a product called Admin, which is made by GoGuardian. Admin is a multi-layered filtering solution powered by advanced machine learning, which allows school officials to keep tabs on what students search for, watch, and read while using district devices. 

The information was uncovered when VTDigger sent a public records request to all 52 superintendents in Vermont, asking if any social media monitoring contracts had been signed. 

Contacted for comment by VTDigger, Social Sentinel founder Gary Margolis said: "We built a technology that actually helps prevent bad things from happening by giving information that can give context to what’s going on, in a way that respects privacy, and all I do is get questioned by you and folks in the media about privacy issues. It’s mind-bogglingly frustrating."

Brian Schaffer, principal at Lamoille Union High school, which contracted with Social Sentinel for a year in 2015, said the technology "wasn’t as functional as I had hoped it would be."

According to Schaffer, most of the daily alerts flagged irrelevant posts, some of which were written by Quebec tourists bragging about buying Heady Topper beer while on vacation in Vermont.

A task force created by Gov. Phil Scott earlier this year to help prevent school shootings recommended that Vermont invest in monitoring software to scan social media posts statewide. The task force was formed after a plot by Fair Haven Union High School student Jack Sawyer to carry out a mass shooting at his school was discovered in February 2018.

Source: Information Security Magazine

Over 550 Fake US Election Web Domains Discovered

External threat intelligence experts have detected hundreds of fake election web domains designed to target American voters.

New research by Digital Shadows uncovered over 550 fake domains ranging from false funding pages to counterfeit candidate sites set up against 19 Democrat and four Republican presidential candidates.

Most of the sites—68%—simply redirect the user to another domain, often to that of a rival candidate. Worryingly, 8% of domain squats discovered redirect users to file converter or secure browsing Google Chrome extensions that can be used to infringe on voter privacy and host potentially dangerous malware if downloaded. 

One false funding page exploited the possibility of a typo to encourage voters to switch their allegiance. Financial donors who accidentally type when searching for Republican fundraising page are taken to, a fundraising site for the rival Democratic party. 

Harrison Van Riper, strategy and research analyst at Digital Shadows, told Infosecurity Magazine: "We detected a few redirecting domains (donaldtrump[.]cloud, for example), which sent the browser to doyoulikebread.weebly[.]com and would pose the straightforward question of "Do You Like Bread?" with Yes or No options. 

"Yes would lead the user to a video for “You’re the one that I want” from the musical Grease, and No would lead to a video of Oprah Winfrey exclaiming how much she likes bread. The internet can be a weird place, sometimes!"

In total, 66 of the 550+ domains were being hosted on the same IP address, registered under the privacy protection service WhoisGuard, Inc. and potentially operated by the same individual. Digital Shadows was unable to attribute any of the fake domains to a specific person or group. 

"We really can't say who is responsible for these redirects, but hackers with a sense of humor is certainly a possibility. It could also be individuals who want to see their favorite candidate succeed," Van Riper told Infosecurity Magazine.

Van Riper said that the enactment of the GDPR regulation has made it harder to tell who or what organization stands behind a specific domain. Under the new rules, domain registration details have been removed from official records.

Instead of changing the law to prevent fake sites, Van Riper suggests registrars could do more to combat the problem. He said: "I don't see this as a legal issue; rather, I think that registrars could do more to verify that people registering these domains are doing so for legitimate purposes. This is a huge task, but ultimately, it's within the registrar's control to help combat the issue of people setting up fake domains for legitimate websites."

Source: Information Security Magazine

UK Abandons Planned Online Pornography Age Verification System

The British government has dropped plans to introduce a national online pornography age verification system because implementing it would be too difficult.

A nationwide system to ensure X-rated online content cannot be viewed by children was first proposed in 2015 by the then culture secretary Sajid Javid. However, it took the proposal two years to become law.

Under the proposal, pornography websites would be required to verify that users were age 18 or older. Suggested ways of doing this included running verification checks on credit cards and making porn passes available to purchase from newsagents on the presentation of photo ID. 

Websites that refused to go along with the age checks could have been blocked by UK internet service providers or had their access to payment services revoked. 

The system was going to be funded and run by private companies and overseen by the British Board of Film Classification.

The system was initially due to come into force on July 15 this year but was then delayed for six months because the government had neglected to announce the plan to the European Union. 

Today, culture secretary Nicky Morgan told parliament that the age verification system would be dropped altogether. Morgan said that the government would focus instead on implementing broader child protection measures as laid out in the online harms white paper published in April 2019. 

The white paper proposes establishing in law a new duty of care toward internet users, which will be overseen by an independent regulator. Companies will be held to account for tackling a more comprehensive set of online harms, ranging from illegal activity and content to behaviors that are harmful but not necessarily illegal.

"The government’s commitment to protecting children online is unwavering. Adult content is too easily accessed online and more needs to be done to protect children from harm," said Morgan. 

"This course of action will give the regulator discretion on the most effective means for companies to meet their duty of care."

While privacy campaigners who raised data security concerns over the proposed system may be celebrating its abandonment, British businesses that had invested time and money in developing verification products are sure to be disappointed.

Source: Information Security Magazine

Industry Calls for Standardization of CISO Role

Professionals from the cybersecurity industry have called for clarity regarding the role of Chief Information Security Officers (CISOs).

Research from Cyber Security Connect UK (CSCUK), a forum for cybersecurity professionals, has stated that CISOs are being pulled into job requirements outside their jurisdiction and that there is a lack of transparency about the responsibilities of cybersecurity teams within UK businesses of all sizes.

The research also pointed to a lack of skilled, fully qualified professionals coming into the profession.

Mark Walmsley, the chair of the CSCUK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “It is no longer a case of if a cyber-attack will occur but more appropriately, when. In addition, these attacks are increasingly becoming more complex and intelligent. With this in mind, a company’s best defense against such events is a dedicated person to lead the fight against cyber-attacks."

Not only does this person need to be qualified, Walmsley added, they must also be dedicated to the cause, have access to information and budgets that allow them to carry out their job and be able to constantly and consistently upskill to keep up with the fast-paced, ever-changing nature of the cybersecurity landscape.

“While it is true that the varying size, financial situation and purpose of a business may affect the role of the CISO or even the requirement for such a person at all, where they are in operation, clear parameters need to be set. Only with standardization and guidance can the role be fully effective. As further digitization of processes occurs and cyber-attacks become more sophisticated, this need will become only greater,” Walmsley argued.

According to CSCUK, in order for standardization to be possible, professionals believe a benchmarking process must be carried out to fully understand the scale of variations within the role.

“In order to support CISOs so that they can carry out their roles effectively, a better understanding of their current situation is required,” Walmsley explained. “This includes comparing the role within different organizations in terms of qualifications, access to the boardroom and budgets, reporting lines and salaries.”

Source: Information Security Magazine

Over 100 Million IoT Attacks Detected in 1H 2019

A security vendor has detected over 100 million attacks on IoT endpoints in the first half of 2019 alone, highlighting the continued threat to unsecured connected devices.

Russian AV vendor Kaspersky said its honeypots had spotted 105 million attacks coming from 276,000 unique IP addresses in the first six months of the year. The number of attacks is nearly nine times more than the figure for 1H 2018 when only 12 million were detected, originating from 69,000 IP addresses, the firm added.

The figures can be seen in the context of a smart home boom, with consumers buying ever more connected devices, which often have poor built-in security and/or are not properly secured by their owners.

Mirai-like attacks which take advantage of weak factory-default log-ins for such devices are increasingly common, conscripting IoT endpoints into botnets which can then be used to launch DDoS and other attacks, Kaspersky explained. Some attacks also exploit old unpatched vulnerabilities to hijack devices, it added.

The most common malware types are Mirai (39%) and Nyadrop (38.6%), which itself often serves as a Mirai downloader. Some way behind them is Gafgyt (2%), which uses brute-forcing techniques to gain persistence.

“Judging by the enlarged number of attacks and criminals’ persistence, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations,” said Kaspersky security researcher, Dan Demeter.

“This is much easier than most people think: the most common combinations by far are usually ‘support/support,’ followed by ‘admin/admin,’ ‘default/default.’ It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices.”

Devices in China were most affected by attacks, accounting for 30% of infections in the first half of the year, followed by Brazil (19%) and Egypt (12%).

Source: Information Security Magazine

Canadian Students Are Sharing Passwords to Prove Friendships

Canadian students are sharing their online passwords with one another as proof of friendship, according to the Quebec Access to Information Commission (CAI).

Since 2016, CAI has toured secondary schools across Quebec with a campaign called "Ce que tu publies, penses-y" which roughly translates as "Think before you publish."

The purpose of the cybersecurity campaign is to warn adolescents about the risks and consequences of being active online, especially on social media. So far, 32,000 students have been exposed to the campaign, but despite the efforts of CAI, the incredibly important message doesn't seem to be getting through.

Speaking to The Canadian Press, "Ce que tu publies, penses-y" program coordinator Isabelle Gosselin said that students don't believe that they are at risk and do nothing to protect their privacy.

According to Gosselin, proof of the extent of this problem is that three out of four high school students raise their hands when asked if they share passwords with friends.

Gosselin said that they are almost proud to do it, often seeing it as proof of friendship or of love. In fact, she said the trend has become very fashionable. 

Government organization CAI wants to encourage young internet users to adopt safe and responsible behavior, particularly in terms of privacy and respect for privacy. However, Gosselin said that when she tries to warn teenagers about the potentially dire consequences of sharing their passwords, they respond with "Don't you think you're exaggerating, ma'am?"

A fresh incarnation of the CAI cybersecurity tour will launch this month in an effort to convince teens to adopt best practices when it comes to online security. Gosselin said the tour's goal is to educate students who think they are invincible. 

During the 2019–2020 school year, the commission will again take their "Ce que tu publies, penses-y" to Quebec high schools in hopes of persuading students to take cybersecurity seriously. 

Students will be shown an hour-long presentation that addresses a number of concepts, such as identity theft, sexting, geolocation, and privacy settings from a privacy perspective. 

To ram the point home, the presentation includes genuine real-life examples of what happens when cybersecurity guidelines aren't followed. Some of the stories that students will hear relate to incidents that have happened within their own school.

Source: Information Security Magazine

A Quarter of Americans Want Cyber-flashers Jailed for 5 Years

A survey has revealed that a quarter of Americans think that sending unsolicited nude digital images should carry a five-year jail sentence and a hefty fine.

The survey of 1,058 Americans aged 18 to 73 was carried out on behalf of Participants were asked questions about how they send and receive photos in the modern world. 

Seventy percent of women and 50% of men surveyed said they thought that a jail sentence is appropriate for cyber-flashing, with an average recommended term of 1.5 years or a fine of $4,400. These suggested penalties are roughly equivalent to those meted out for committing a class A misdemeanor, such as a DUI or an assault. 

Some believed the punishment should be even more severe, with 25% recommending a jail sentence of five years and a fine of $10,000, which is equivalent to the punishment for a class D felony, like voluntary manslaughter or stalking.

Overall, 89% of women and 79% of men said they think culprits should be fined, with women recommending a fine of $5,700 on average, compared to the $3,300 deemed appropriate by men.

While 40% of women and 21% of men polled thought that people who shared others’ nudes without consent should be added to a public sex offender registry, 58% of women and 38% of men thought culprits' details should be placed on a specially created database of sext offenders.

The survey, conducted in May, revealed that women under age 30 are much more likely to be the unhappy recipients of an unwanted naked image than men in the same age category. While just 12% of men said they had received a nude picture that they didn't want, nearly half of women—47%—had been imposed on by a cyber-flasher. 

Worryingly, 12% of women and 23% of men under age 30 admitted that they had obtained a nude without consent. The most popular way of doing this was by taking a screenshot of a temporary image; however, nudes had also been acquired via friends, captured from a video call, and purchased from a third party. 

Perhaps the most alarming method of getting a nude without the subject's consent—taking a photo of them in person without their knowledge—had been practiced by 10% of men and 6% of women under age 30.

Source: Information Security Magazine

Florida Women's Clinic Warns 520,000 Patients of Data Breach

A Florida clinic providing specialized medical care for women has alerted all current and former patients that their personal information and medical records may have been exposed following a data breach. 

North Florida OB-GYN, which joined Women's Care Florida on May 6, 2019, became aware that a cyber-attack had been waged against its network on July 27 of this year. The breach is thought to have taken place on or before April 29, 2019.

In a statement released on their website, North Florida OB-GYN wrote: "Shortly after becoming aware of the incident, North Florida OB-GYN completed a preliminary assessment, in consultation with third-party information technology consultants, and determined that there had been improper access to certain portions of its networked computer systems and that a computer virus had encrypted (made unreadable) certain files on its computer systems."

The assessment findings prompted the clinic to shut down its networked computer systems, initiate its incident response and recovery procedures, and notify the Federal Bureau of Investigation of the breach. The clinic has also launched a confidential forensic investigation into the cyber-incident. 

Medical or personal information affected by the incident may have included name, demographic information, date of birth, Social Security number, driver’s license or identification card number, employment information, health insurance information, and health information, such as treatment, diagnosis, and related information and medical images. 

The affected computer systems did not contain any credit or debit card or financial account information.

All 528,188 patients of North Florida OB-GYN have been contacted by letter and warned that their personal data may have been exposed. 

In a statement released on their website, North Florida OB-GYN wrote: "There is no evidence to date that any unauthorized person has actually viewed, retrieved, or copied any medical or personal information."

The clinic has advised patients to remain vigilant by regularly reviewing their account statements, monitoring free credit reports, and reporting any suspicious activity to their financial institutions.

Virtually all of the encrypted files have now been recovered, and North Florida OB-GYN has taken actions to strengthen security safeguards for the affected systems and to prevent similar incidents.

Source: Information Security Magazine

#ISWUK: Trust Erosion Preventing Business Transformation

An erosion of trust and a lack of situational awareness continue to hold back advances in cybersecurity and digital transformation.

Speaking at NTT Security’s Information Security World event in London, Thales CTO Jason Hart reflected on how long it took radio, television, the internet and, most recently, the Pokemon Go app to reach 50 million users. He likened this journey to the transformation of businesses for data and digital services, as “this is happening to every part of the organization.”

Hart said that “innovation is not about new technology, it is about taking the user experience and making it easier to consume.” This can lead to “habit forming” which has both positive and negative impacts, and this should challenge businesses to make technology “easier and simpler.”

However, data breaches have led to an erosion of trust, and Hart said that “we cannot solve problems using the same thinking” as we invest money in cybersecurity products and services, yet breaches continue to happen. “The approach has not evolved, we are getting there, and I can see an improvement,” he said.

Hart predicted that we will continue to have a “major problem regarding the integrity of data” as we have the “perfect storm of more data, children born into a data world, and yet we still see breaches.” Hart argued that this can be eradicated quickly through situational awareness, with businesses recognizing which of the following categories they fall into:

  • Situationally aware – understand the critical elements of data, people and process
  • Situational ignorance – not looking at or considering the impact of people, data and processes
  • Situational arrogance – consideration of people, data and process, but no action is taken

“Be situationally aware and look to the needs of the organization and of the user, as different users have different needs,” he concluded, recommending that businesses mitigate risks and consider them across technology, people and processes.

Source: Information Security Magazine

Ex-TalkTalk Security Leader to Take on Firm in Unequal Pay Dispute

A former TalkTalk executive who led the company’s program to recover from a major 2015 breach is crowdfunding legal fees to bring a landmark equal pay case against the ISP.

Rebecca Burke worked as program director for the embattled UK firm as part of its Top 50 Leadership Team to deliver the top 10 highest priority programs for the business.

These included a strategy to bounce back from the breach in which hackers managed to access the personal details of over 156,000 customers, including 15,000 who also had their financial data exposed.

The ISP was eventually fined £400,000 by privacy watchdog the Information Commissioner’s Office (ICO) for serious failings in its security processes which led to the incident.

However, despite her experience of over two decades working in various public and private sector organizations, Burke alleged she was being paid significantly less at the firm than some male colleagues.

“In May 2017 I was shocked to discover that I had been singled out for redundancy. The suspicious circumstances led me through a slow and painful appeals process that eventually exposed the fact that TalkTalk had been paying me 40% less salary and 50% less bonus than the three other male Programme Directors that were in my team doing the same job,” she explained on her crowdfunding page.

“Myself and my family have endured years of financial and emotional stress in this fight for justice against a giant corporation. I have sacrificed my career, sanity and financial stability because I want to help build a fairer future for our young women and girls by holding our UK businesses to account when they break the equal pay laws that women fought so hard for 50 years ago.”

A personally funded tribunal in 2018 was postponed after Burke’s barrister issued an unusual request for the panel to stand down on the grounds that it was hostile to her case.

She has already received support from BBC journalist, Carrie Gracie, women’s rights group The Fawcett Society and Sam Walker, who won her equal pay and unfair dismissal case against the Co-Op Group in 2018.

The news of Burke’s tribulations will be a PR blow for a cybersecurity industry struggling to become more gender diverse. The latest figures suggest women comprise just a quarter (24%) of roles globally.

Source: Information Security Magazine