Archive for the News Category

China’s Social Credit System Raises Data Security Fears

A new system of social and corporate control in China raises serious new data security risks for multi-national foreign firms operating in the country, according to a new report from the EU Chamber of Commerce in China.

The new study, The Digital Hand: How China’s Corporate Social Credit System Conditions Market Actors, is meant to serve as a wake-up call to EU firms that may not yet have their compliance plans in place.

The Corporate Social Credit System (SCS) will require all firms operating in China to provide the government with data feeds covering a wide sweep of operations — in areas as diverse as environmental regulations and health and safety.

They will then be given an algorithmically calculated score which will change over time: those with low scores face more frequent audit inspections, customs delays, public shaming, and even blacklisting by the government.

However, the European Chamber warned that the data transfers themselves could be problematic for companies.

“Taken individually, most of the transferred data points are not highly sensitive information,” the report explained. “However, the integration and systematically cross-cutting use of data on the government’s side can become a challenge. It provides the government with a full picture of the detailed performance and capability of a company.”

There may also be concerns over sharing sensitive IP and information on personnel, the report claimed.

It urged foreign MNCs to engage with Beijing now “with the goal of modifying data transfer requirements and excluding such information.”

“Ensuring the security of this data is one of the key promises of the government,” it added. “Companies need to hold the government authorities to this promise and make sure that no detrimental use of this comprehensive data occurs.”

It remains to be seen how flexible the Chinese government will be in allowing firms to exclude certain sensitive data points, and how prepared it will be to ensure the security and integrity of the data.

The European Chamber warned that SMEs could be particularly at risk from non-compliance given the onerous, resource-intensive data collection requirements. A complicating factor is that the scores given to third-party suppliers may drag down a company’s overall score, so a great deal of work will need to be done to vet partner organizations.

“It is no exaggeration to say that the Corporate SCS will be the most comprehensive system created by any government to impose a self-regulating marketplace, nor is it inconceivable that the Corporate SCS could mean life or death for individual companies,” warned European Chamber President, Jörg Wuttke.

Source: Information Security Magazine

PDF Reader Biz Breached: Foxit Forces Password Reset

Customers of popular PDF firm Foxit Software are being asked to reset their passwords after a data breach at the firm led to unauthorized access.

The developer of the PhantomPDF editor and Foxit Reader PDF reader tools has yet to go fully public with the news and its official Twitter feed remains devoid of any updates.

However, affected customers were emailed late last week and told to choose new passwords after the firm reset their log-ins.

“Foxit has detected that unauthorized access to some of its data systems has taken place, including access to its ‘My Account’ user account data. This means that data you have entered on our website when signing up for our services has likely been accessed by hackers,” the firm admitted.

Compromised information could include user names, email addresses, their company names, phone numbers, passwords and IP addresses. No payment information was affected, Foxit Software added.

However, a number of questions remain: it’s still unclear when the breach happened and how many customers were affected. GDPR mandates 72-hour breach disclosures, so if any EU citizens were caught in the breach, this could be cause for further scrutiny.

It’s also unclear if passwords were secured with strong encryption: if they weren’t scrambled effectively then the hackers may be able to use them in credential stuffing attacks on affected users’ other accounts, in order to unlock services protected by the same passwords.

This is not the first time Foxit Software has come under cybersecurity scrutiny.

Last year, Cisco Talos researchers discovered 18 vulnerabilities in its popular Foxit Reader offering, including critical flaws which could lead to remote code execution.

Source: Information Security Magazine

MPs Bombarded by Spam as Brexit No Deal Nears

UK MPs and parliamentary staff were sent nearly 21 million spam emails in the last financial year, according to a new Freedom of Information (FOI) request.

Cloud hosting company Nimbus Hosting submitted the request to the Parliamentary Estate, which manages the land and buildings used by the Houses of Parliament.

It revealed that 20,973,102 malicious or unsolicited emails were blocked between April 2018 and March 2019.

Its records for the previous year are incomplete: however, in just half a year, the figure stood at 14.3 million spam emails blocked. This would suggest that in the past financial year fewer spam emails may have been sent than in the previous 12 months, or that the effectiveness of the systems used to spot and block them is declining.

The emails are said to include the full gamut of potentially malicious activity, including phishing attempts, malicious links and attachments, and other tactics.

However, the Parliamentary Estate refused to provide a full breakdown of the findings.

“This level of detail would reveal information about our security operations and network set-up which would be useful to potential cyber-attackers, and as such disclosure of the information would have the effect of increasing the vulnerability of the parliamentary security systems,” it claimed.

It goes without saying that the UK parliament is a major target for spam. In June 2017, around 1% of parliamentary email accounts were cracked open by suspected Iranian state-sponsored hackers. It is suspected they brute-forced or guessed the log-ins.

Those attackers then launched a vishing campaign in the aftermath in an attempt to trick users into handing over their passwords over the phone.

Spam can come from unusual places: in 2016 the Speaker John Bercow was forced to intervene after MPs complained of being bombarded by emails from Donald Trump’s election team.

Bercow described it as an “exceptionally tedious experience.”

Nimbus Hosting managing director, Tim Dunton, argued that email security is more important than ever considering the exceptional circumstances surrounding the current sitting of parliament. Prime Minister Boris Johnson recently signaled his intent to suspend parliament for five weeks in an attempt to force through a No Deal departure from the EU.

“With an increasingly complex Brexit process, it’s critical that all MPs remain vigilant and protect themselves from spam emails, which hackers use to dupe unsuspecting victims into handing over confidential information,” he added.

“Many of these messages contain viruses which could infect the IT systems of individuals or put the security of the wider parliamentary network at risk.”

Source: Information Security Magazine

Face-Off

Brookline has become the third Massachusetts municipality to call for a ban on the use of facial recognition technology by a municipal government. 

The proposed ban, put forward in a warrant article by town meeting member Amy Hummel, is likely to be considered by town representatives in November.

A statement in support of Hummel’s proposal was issued by the Massachusetts branch of the American Civil Liberties Union (ACLU), which recently launched the Press Pause on Face Surveillance campaign. An ACLU-backed bill currently before Massachusetts legislators proposes a statewide moratorium on the government's use of facial recognition technology.

Kade Crockford, director of the Technology for Liberty Program at ACLU Massachusetts, said: “For too long, face surveillance technology has gone unregulated, posing a serious threat to our basic civil rights and civil liberties. In the absence of state or national action, municipal governments have taken the first steps towards sensible policy.”

Somerville was the first city in Massachusetts to come out against the technology. A proposal to ban its use in police investigations and municipal surveillance programs was passed by Somerville City Council in June by a vote of 11 to 0. 

Last month the city of Cambridge joined the party when Mayor Marc McGovern proposed a ban on the use of facial recognition technology in the city.  

These three New England cities aren't alone in their rejection of this particular type of tech. In May this year San Francisco banned the use of facial recognition technology by the police and other agencies, while Oakland, California, City Council last month voted unanimously to ban the use of facial recognition by city departments, and Berkeley is considering following suit. 

A bill to place a five-year moratorium on police using facial-recognition technology is currently under consideration in Michigan, and the tech has raised concerns at a national level too.

In July the U.S. House of Representatives passed an amendment to the Intelligence Authorization Act for Fiscal Year 2020 that requires the director of national intelligence to report on the U.S. government's use of facial recognition technology, detailing its accuracy, efforts to protect human and civil rights, and the potential consequences for those rights.

There is an argument to be made for the use of facial recognition technology by the government to secure airports and border installations, but it remains to be seen how the growing concerns over its impact on the freedom of the general public will play out in the U.S. at municipal and state level.

Source: Information Security Magazine

Hack Exploited Apple Users for Two Years

Researchers from Google's Project Zero have discovered a threat campaign that operated against users of Apple iOS devices for two years.

Earlier this year Google's Threat Analysis Group (TAG) discovered that a small collection of hacked websites was being used to carry out indiscriminate watering-hole attacks against visitors, using iPhone zero-day exploits.

Victims were ensnared just by visiting one of the hacked websites, which are estimated to have attracted thousands of visitors per week. This simple action alone was enough to inadvertently trigger an exploit server to attempt to install a monitoring implant on the user's device.

Hackers exploited flaws in iPhone software to stealthily take over a victim's device and access a user's contact info, media files and GPS location, together with data from Instagram, WhatsApp, Telegram and Gmail.

TAG collected five separate, complete and unique iPhone exploit chains, covering most versions of the device from iOS 10 through to the most recent version, iOS 12. 

"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," said Project Zero's Ian Beer.

He went on to say that investigations into the root causes of the vulnerabilities revealed code that appeared to have never worked correctly, had missed the quality assurance checks or "likely had little testing or review before being shipped to users."

TAG found 14 different software flaws, seven of which affected the iPhone's Safari web browser. The group reported the issues to Apple with a seven-day deadline on February 1, 2019, which resulted in the out-of-band release of iOS 12.1.4 on February 7, 2019. 

After summarizing the findings, Beer warned users to wise up to the very real threat of cyber-attacks and to consider where the data they constantly put into their devices may one day end up.    

He said: "The reality remains that security protections will never eliminate the risk of attack if you're being targeted. 

"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives yet also as devices which, when compromised, can upload their every action into a database to potentially be used against them."

Source: Information Security Magazine

Biometric ID Cards Ahoy!

India is introducing biometric identity cards to keep tabs on the country's rapidly growing number of seafarers.

Recent years have seen an unprecedented 43% increase in the number of seafarers in India, from 108,446 in 2013 to 154,349 in 2018. And India, according to the International Chamber of Shipping, is currently the world's third-biggest supplier of seafaring officers. 

This vigorous growth follows various policy changes brought in by the Indian government between 2014 and 2018, including the lifting of bans on the introduction of new training courses and the opening of new maritime training institutes.

The new ID cards, dubbed Biometric Seafarer Identity Documents, will use facial biometric recognition technology and come with two optical security features: micro prints/micro texts and a unique guilloche pattern.

Each of India's approximately 350,000 seafarers who hold a valid Continuous Discharge Certificate is eligible for the new BSID, which will be rolled out over the next two years.

The cards will carry an inbuilt chip that can be read at point-of-sale readers and ATMs and by immigration officers with the right gear. 

To make the cards, data will be captured to create a map of the seafarer's face, which will then be cross-matched with their passport photo using software designed by the Centre for Development of Advanced Computing (C-DAC) in Mumbai. The information captured will be fed into a national database, which will be accessible worldwide. 

Indian minister of shipping Mansukh Lal Mandaviya said: “The new document will give a foolproof identification to our seafarers which will facilitate their movement, provide ease of getting jobs and help in identifying them from any location in the world.”

Eight centers have been set up in coastal locations around the country at Mumbai, Kolkata, Chennai, Goa, New Mangalore, Kochi, Vizag and Kandla to issue the cards. A ninth center has also been established in Noida, which lies roughly 1,000 km inland near New Delhi.

Source: Information Security Magazine

Fileless Malware Detections Soar 265% in 2019

Fileless malware, BEC, digital extortion and ransomware attacks all grew significantly between 2018 and the first six months of this year, according to new data from Trend Micro.

The security giant blocked over 26.8 billion threats in the first half of the year, over 90% of which were email-borne, according to its mid-year roundup report, Evasive Threats, Pervasive Effects.

Of these detections, it spotted a massive 265% year-on-year increase in fileless techniques designed to stay hidden from traditional tools, by executing in a system’s memory, residing in the registry, or abusing legitimate tools.

Although cryptocurrency mining was the most detected threat in 1H 2019, the more eye-catching growth in detection went to digital extortion attempts, which jumped 319% from the second half of 2018, and BEC, which increased 52% over the same period.

Ransomware is also back on the rise, with related files, emails and URLs recording a 77% increase on the previous six months.

Although the number of new ransomware families dropped by 55% over the period, there were concerning signs of existing variants containing destructive capabilities beyond file encryption.

Ryuk can prevent infected systems from even rebooting, for example, while LockerGoga also modifies user account passwords. Some, such as BitPaymer, use fileless techniques such as abuse of the common PsExec tool.

One surprise from the report was the re-emergence of exploit kits, which recorded a 136% increase compared to the first half of 2018, although the volume of detections at 321,000 is far below the peak activity observed three or four years ago.

These have also been observed in conjunction with fileless techniques.

“One notable exploit kit from the first half of 2019 was Greenflash Sundown, which was used by the ShadowGate campaign through an upgraded version capable of living off the land, that is, using an updated PowerShell loader to filelessly execute the payload,” the report explained.

The volume of threats blocked by Trend Micro in the first half of 2019 increased by around six billion from the same time last year, which could signal either a ramp-up in cybercrime activity or improved detection.

Source: Information Security Magazine

HackerOne Announces Five New $1m White Hats

The UK has its first $1 million white hat hacker, after bug bounty platform HackerOne announced five new security researchers had reached the milestone.

The five millionaire hackers are: Mark Litchfield (@mlitchfield) from the UK, Nathaniel Wakelam (@nnwakelam) from Australia, Frans Rosen (@fransrosen) from Sweden, Ron Chan (@ngalog) from Hong Kong, and Tommy DeVoss (@dawgyg) from the US.

They join 19-year-old Argentinian Santiago Lopez, known as @try_to_hack, whose efforts were announced back in March.

“Hacking can open doors to anyone with a laptop and curiosity about how to break things,” said Litchfield. “I hope our achievements will encourage other hackers, young and old, to test their skills, become part of our supportive community, rake in some extra $$$s along the way and make the internet a much safer place for people.”

Some $21m has been paid out via HackerOne to researchers over the past year, an increase of $10m on the previous 12 months.

The platform claimed that Russian, Indian and US researchers account for over a third (36%) of awarded bounties. However, as today’s news illustrates, there are clearly opportunities for white hats from all regions.

HackerOne claimed a top researcher can earn over 40 times the annual median wage in Argentina and more than six times that of Sweden.

However, MIT research released in January painted a different picture, revealing that it’s difficult to make good money as an ethical hacker and that talented white hats could live better as pen testers or in-house researchers.

It studied 61 HackerOne bounty programs over 23 months — including ones run for Twitter, Coinbase, Square and Facebook.

The top seven participants in the Facebook program made just $34,255 per year from an average of 0.87 bugs per month, while from the entire HackerOne dataset it was estimated that participants made just $16,544 from 1.17 bugs per month.

HackerOne argued in response to Infosecurity that the data analyzed in the study was not representative.

Source: Information Security Magazine

Phishing Campaign Hides Malware in Resumes

For many people, applying for a new job is a soul-crushing activity on a par with cleaning the bathroom in a six-person student dorm room. 

Landing a new role can mean spending hours searching for positions, rewriting your résumé and cover letter countless times and using LinkedIn to badger people you haven't spoken to for years into giving you a reference. 

Now cyber-criminals have given job seekers a fresh obstacle to contend with after targeting companies with a phishing campaign that hides malware in résumés sent as email attachments.

The advanced campaign, which uses multiple anti-analysis methods to deliver the Quasar remote access tool (RAT), was uncovered by phishing defense service provider Cofense Intelligence.

Quasar RAT by itself isn't dodgy, but this legitimate open-source remote administration tool that can be found on GitHub has a history of being abused.

“This campaign is concerning as the US-CERT identifies the Quasar RAT as a favored tool of advanced persistent threat actors. This means that the most dedicated cyber-criminals are seeking to utilize this tool to exploit networks," said Carl Wearn, head of e-crime at Mimecast.

From the outside the campaign appeared simple, but a closer look showed that the threat actors had done their homework. First, they used an easily accessible tool that makes attributing the campaign to a specific threat actor as easy as teaching a rhino the clarinet.

Second, they laced the résumé attachment document being used to deliver Quasar RAT with a multitude of measures designed to deter detection, including password protection and encoded macros. 

Announcing its find, Cofense said that "educating employees on new phishing trends is the best way of countering a campaign such as this."

Wearn added: "I would urge individuals, particularly those working within HR departments and used to receiving résumés or CVs, to be particularly vigilant for this form of attack. Organizations should ensure they have an up-to-date antivirus solution that can effectively resolve and detect this form of attack.”

Source: Information Security Magazine