An unsecured online database is to blame for yet another major privacy incident after fitness tech company Kinomap accidentally leaked 42 million records including personal identity data (PII).
Researchers at vpnMentor found the wide-open data trove as part of an ongoing web mapping project.
vpnMentor contacted the French firm on March 28 but received no reply. The exposure was finally closed on April 12, after the French data protection regulator had also been informed.
Kinomap allows users to create and share interactive workout videos online. Its name was peppered throughout the 40GB database vpnMentor discovered, containing 42 million records from users across the globe, including North America, Australia, Japan, the UK and several European countries.
PII exposed in the leak apparently included full names, email addresses, home countries, usernames and timestamps for exercises. However, the researchers also found personal data leaking more indirectly.
“Many of the entries contained links to Kinomap user profiles and records of their account activity. Similar to social media accounts, Kinomap profiles can reveal considerable personal details about a user,” vpnMentor explained.
“If a malicious hacker had discovered this database, they could easily combine the information contained in numerous ways, creating highly effective and damaging fraud schemes and other forms of online attack.”
These data entries also included access keys for the Kinomap API, which hackers could use to hijack accounts and lock out the owners, the researchers claimed.
They argued that hackers may be looking to target online exercise apps like Kinomap which have received an influx in users due to current stay-at-home orders. PII like this could offer a great opportunity to carry out follow-on phishing and identity fraud, or to covertly install malware on a user’s phone, vpnMentor added.
That’s besides the potential fall-out for the company if GDPR regulators find systemic negligence is behind the incident.
Ransomware attacks on the United States have diminished significantly and are "now at a level not seen in several years," according to cybersecurity company Emsisoft.
In new research published today, Emsisoft found a marked drop in ransomware attacks on US entities coinciding with the onset of the COVID-19 health crisis.
In 2019, ransomware impacted 966 government agencies, educational establishments, and healthcare providers in the US. Emsisoft experts who anticipated an even higher number of attacks in 2020 have been pleasantly surprised.
"While the early indicators were that the 2020 numbers would be similar to 2019’s or perhaps even worse, that has proved not to be the case," wrote Emsisoft researchers.
"A total of 89 organizations were impacted by ransomware in Q1. However, as the COVID-19 crisis worsened, the number of successful attacks reduced considerably and is now at a level not seen in several years."
Data gathered shows the downward trend is continuing into the second quarter of the year with only 7 successful ransomware attacks reported between April 1 and 20.
Threat analyst Brett Callow said: "Despite COVID-19 and WFH (working from home), or, more accurately, because of them, the number of successful ransomware attacks on the US public sector, including healthcare, has declined significantly."
While the reduction spells good news for the public sector, cyber-criminals have not let up on the private sector, where the rate of ransomware attacks has remained steady.
"It’s a mix of good and not-so-good news," said Callow. "On one scrupulously-washed hand, attacks on the public sector are way down and the criminals are making less money. On the other scrupulously-washed hand, the private sector is being looted at the same rate as ever."
With many companies battling for survival in the wake of the lockdown measures imposed to slow the spread of the coronavirus, a ransomware attack now could spell economic disaster.
"Companies are hurting financially and many are reliant on government support programs for their survival. I fully expect that some of the companies hit by ransomware in the coming weeks will fail; attacks will be the straw that broke the camel’s back," said Fabian Wosar, Emsisoft CTO.
New research published today by Imperva has found that bad bots made up nearly a quarter of overall website traffic in 2019.
The report was built from data collected from Imperva’s global network and includes hundreds of billions of bad bot requests anonymized over thousands of domains.
Bad bots are responsible for a whole host of problems, including account takeover, price and content scraping, and the creation of spam-spreading accounts on messaging platforms and dating sites.
According to the 2020 edition of Imperva's annual "Bad Bot" report, in 2019, bad bot traffic rose to its highest ever percentage of 24.1 percent of all traffic. Eerily, 37.2% of all traffic on the internet last year wasn't human.
Researchers noted that bad bot sophistication levels remained consistent for the third year running, with 53.6% of malicious bots being moderately sophisticated, 26.3% simple, and 20.1% sophisticated. Sophisticated bots were found to target marketplaces (28.5%) and the real estate industry (24.5%) most of all.
While some bot issues are industry-specific, researchers noted that bad bot problems run across all industries. The top five industries targeted with bad bot traffic are the financial, education, IT & services industries, marketplaces, and government.
To avoid detection, bad bots practice the art of impersonation, often mimicking web browsers.
"Bad bots continue to follow the trends in browser popularity, impersonating the Chrome browser 55.4 percent of the time. The use of data centers reduced again in 2019 with 70 percent of bad bot traffic emanating from them—down from 73.6 percent in 2018," wrote researchers.
The high volume and wide variety of bad bots out there makes defending against this malicious threat tricky.
"Unfortunately, every site is targeted for different reasons, and usually by different methods, so there is no one-size-fits-all bot solution," wrote researchers.
To combat the threat, many companies are deploying geofencing blacklists, blocking traffic from entire countries. Russia tops the list of country-specific block requests at 21.1%, followed closely by China at 19%.
"In some cases, it simply doesn’t make sense that foreign visitors would use a given site, so blocking chunks of foreign IP addresses is good hygiene," wrote researchers.
Finance ministers from the G20 and Central Bank governors have been briefed on effective practices for cyber-incident response and recovery.
The Financial Stability Board (FSB) sent its report on Effective Practices for Cyber Incident Response and Recovery last week, in advance of a three-month consultation period and an October meeting between the G20 Finance Ministers and Central Bank Governors.
The FSB describes the report as a “toolkit of effective practices” that aims to assist financial institutions in their cyber-incident response and recovery activities. It lists 46 effective practices, structured across seven components:
- Governance: frames how cyber-incident and recovery is organized and managed
- Preparation: establishes and maintains capabilities to respond to cyber-incidents and to restore critical functions, processes, activities, systems and data affected by cyber-incidents
- Analysis: ensures effective response and recovery activities, including forensic analysis, and determines the severity, impact and root cause of the cyber-incident to drive appropriate response and recovery activities
- Mitigation: prevents the aggravation of the situation and eradicates cyber-threats in a timely manner to alleviate their impact on business operations and services
- Restoration: repairs and restores systems or assets affected by a cyber-incident to safely resume business-as-usual delivery of impacted services
- Improvement: establishes processes to improve response and recovery capabilities through lessons learned from past cyber-incidents and proactive tools, such as tabletop exercises, tests and drills
- Coordination and communication: coordinates with stakeholders to maintain good cyber-situational awareness and enhances the cyber-resilience of the ecosystem
The FSB acknowledged that “efficient and effective response to and recovery from cyber-incidents by organizations in the financial ecosystem is essential in limiting any related financial stability risks,” and such risks could arise, for example, from interconnected information technology systems between multiple financial institutions or between financial institutions and third-party service providers. Issues are also present from loss of confidence in a major financial institution or group of financial institutions, or from impacts on capital arising from losses due to the incident.
The FSB added: “A major cyber-incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”
In an email to Infosecurity, Javvad Malik, security awareness advocate at KnowBe4, said that the list looks like a useful set of guidelines; however, at this time most, if not all, financial organizations are trying to adapt to new working practices, remote workers, and public demands.
“Under such conditions, having a hefty new set of practices will likely not take priority,” he argued. “Upon first glance, while there is nothing wrong with the proposed set of practices, financial organizations are among the most heavily regulated industries, and already have mature security practices due to adopting a multitude of other standards and practices. Even among existing standards and practices there is considerable amount of overlap, so I'm uncertain as to the additional value this will provide.”
A source told Infosecurity that advice to businesses is always taken with a pinch of salt, as target businesses will already have this in place, but often have not tested it.
Drury-Smith will now assist the global legal firm in developing its data protection and cybersecurity business both in the UK and worldwide.
His role will include advising businesses from a variety of sectors on meeting their data protection requirements. These are in the areas of privacy compliance programs, implementing and assessing privacy controls, responding to data breaches, regulatory investigations and rights requests, the commercial use of data and data protection assessments of new technologies.
Stewart Room, global head of data protection and cybersecurity at DWF, commented: “We are delighted to be welcoming James to DWF. He is an extremely experienced data protection professional who brings with him technical legal excellence and a wealth of practical operational experience. James and I have worked together in different forms for over eight years, I am therefore certain his addition will help us propel the practice forward.”
Drury-Smith has over 16 years of experience in the field, helping companies build and establish their data protection and cybersecurity business, including at Barclays Bank, Orrick, Herrington and Sutcliffe and PwC. He is recognized by the legal directories, Chambers and Legal500 for his expertise in privacy and cybersecurity.
Drury-Smith said: “At DWF, we will be putting business-minded data protection subject matter experts at the heart of what we do. We aim to become the number one destination for our clients as they grapple with the practicalities and complexities associated with data protection in modern business. I am very much looking forward to working with my new colleagues to achieve this.”
L0phtCrack is used to test password strength and sometimes to recover lost Microsoft Windows passwords by using dictionary, brute-force, hybrid attacks, and rainbow tables. It was originally produced by Mudge from L0pht Heavy Industries.
The software was created 23 years ago and holds the distinction of being the world’s first commercially available password auditing solution. Since its launch, L0phtCrack has been downloaded 236,498 times by customers across the finance, healthcare, medical, and retail industries and by government organizations.
While alternatives to passwords have grown in recent years, L0phtCrack’s former head of engineering Christien Rioux said that they are still relevant to modern cybersecurity.
“Experts have called for the death of passwords for decades, but they are still in use for practically every operating system and application: web, mobile, and desktop,” said Rioux.
And while passwords remain in use, the need for password auditing and recovery software is clear.
Rioux said: "Guessable, stuffable, and brute-forceable passwords are a top security risk today. You need password auditing, or you have a gaping security hole."
L0phtCrack is currently in its seventh incarnation. Terahash plans to begin work on L0phtCrack 8 immediately, with the eventual goal of integrating L0phtCrack with its own Hashstack software.
According to Terahash, the combination of L0phtCrack software and Terahash hardware appliances is positioned to address the needs of red, blue, and purple teams, penetration testers, compliance auditors, information security professionals, and IT administrators. It will also make for a more user-friendly experience for Hashstack's customers.
“While our own Hashstack software is incredibly powerful and robust, user-friendliness is one area where we have admittedly been lacking. L0phtCrack has excellent usability by both security professionals and IT administrators, and this acquisition helps fill a noticeable gap in our offering,” said Jeremi Gosney, founder & CEO at Terahash.
“L0phtCrack has a large, dedicated user base with a broad reach across IT departments in many industry verticals, and is a name that every security professional knows and trusts. We look forward to developing the L0phtCrack code base, integrating it with our existing products, and introducing new products optimized for L0phtCrack.”
OutSystems has launched the Integrated Management Platform as part of a program to combat issues raised by the COVID-19 pandemic in Lisbon, Portugal. Developed in collaboration with The Lisbon Metropolitan Area, the Lisbon City Council, Deloitte and Hi Interactive, the platform enables rapid sharing of products, equipment and services between 18 municipalities around the Lisbon region to optimize the response to the crisis.
The initiative has been created as part of the COVID-19 Community Response Program, which aims to develop up to 20 apps to help authorities tackle the coronavirus. The Integrated Management Platform should now facilitate a co-ordinated approach to taking on the virus in this large region of Portugal. Using the platform, municipalities can not only manage their assets and services efficiently, including replenishing supplies, but they can also share vital information with neighboring authorities.
The parties collaborated to develop this marketplace using OutSystems’ low-code platform in just two weeks.
Gonçalo Gaiolas, product VP at OutSystems, said: “Facing this new reality, there’s a growing need for us to adapt. The OutSystems COVID-19 Community Response Program intends to help with that adjustment in a concrete and real way. We hope that this platform can grow so other government agencies can leverage it.”
Currently, there are over 300 items that can be managed on the platform, including gel alcohol, disinfectant, nitrile gloves, surgical masks and goggles. Other essential items, such as other medical materials and food, will follow shortly.
“With this Integrated Management Platform, the Metropolitan Area of Lisbon aims to ensure that those who fight daily for our well-being can continue to do so under the best possible conditions,” commented Carlos Humberto de Carvalho, first metropolitan secretary of Metropolitan Area of Lisbon Executive Committee.
The platform is another example of how technology and data gathering are playing a key role in efforts to combat the crisis and help countries resume normality.
Speaking in the keynote session of the Genetec Connect’DX digital conference Pierre Racz, president of Genetec, reflected on the false promises of Artificial Intelligence (AI), the state of the technology and its impact on our lives.
“Science and technology are morally neutral – how we use the fruits of science and technology is not,” he said. “Be skeptical of technology that works best when you need it the least.”
Racz explained that AI is effective if the job it is required to do is very limited, claiming that AI is at its best when used to solve really narrow and well-defined problems.
However, Racz also highlighted the importance of understanding the limits of AI technology, adding that proper engineering of AI requires:
- Knowing the limits
- Avoiding wishful thinking
- Being open and honest about the limits
- Operating the technology within the limits
- Making contingency plans for when technology fails
- Taking into account the secondary and tertiary effects of the technology
Furthermore, Racz argued that real AI doesn’t actually exist: “Real stupidity exists; do not confuse the appearance of intelligence with actual intelligence.”
AI does not understand what we actually ask it to do, he said, for example: “When AI identifies a pedestrian in a picture it does so by recognizing lines and textures, that’s the only concept of a pedestrian it has. Nothing more.
“The big danger is not that AI will rebel against us and take over the world, it’s that it’ll do exactly what we ask it to do,” without the ability to add any additional logic.
AI is also susceptible to designed attacks, Racz pointed out. “It has short-term memory that can be exploited to produce unintended output,” he said, adding that AI algorithms are “generally bad at counting” and that “just like humans, AI is susceptible to optical illusions.”
To conclude, Racz warned against misinterpreting “crafty [AI] guessing for intelligence or thinking” and warned against relying on false promises of what AI technology can achieve. Instead, he said, there is no substitute for human judgement and oversight. “Keep the human in the loop and the human can provide intuition and creativity while the machine does the heavy lifting.”
Around four times more vulnerabilities are discovered in Microsoft Windows systems than Mac OS X but they are patched far quicker, according to new research from Kenna Security.
The vulnerability management firm commissioned the Cyentia Institute to analyze data from nine million assets at 450 organizations, in order to compile its report, Prioritization to Prediction Volume 5: In Search of Assets at Risk.
It revealed that the assets with fewer bugs tend to be patched slower by manufacturers, while those with more are fixed quicker.
For example, it found that a Windows-based asset has an average of 119 vulnerabilities per month: four times the median number found in Mac OS X (32) and 30 times that of network appliances (4).
However, those Windows vulnerabilities are patched within 36 days on average, while it takes an average of one year (369 days) to fix network devices like routers, printers, or Internet of Things appliances.
It was calculated that it takes Apple 70 days on average to release patches for Mac OS X machines, nearly twice as long as Microsoft, and 254 days for Linux/Unix.
Microsoft was found to have a critical patch rate of 83%, with Mac OS X in second (79%), then network appliances/devices (64%) and finally Linux (63%).
This is despite the fact that in the study, researchers found 215 million bugs on Microsoft machines. Although 179 million were fixed, the remaining 36 million exceeded the total number of patched and unpatched vulnerabilities on Mac, Linux, Unix, and network devices combined.
“With automated patching and Patch Tuesdays, the speed at which Microsoft is able to fix critical vulnerabilities on their systems is remarkable, but there still tend to be a lot of them,” said Wade Baker, partner and founder at Cyentia Institute.
“On the other hand, we see lots of assets like routers and printers where high-risk vulnerabilities have a longer shelf life. Companies need to align their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs.”
A Dutch COVID-19 tracking app has leaked user data as it made its source code available for scrutiny, according to local reports.
The Covid19 Alert application was one of seven shortlisted by the government to help the country emerge from lockdown via widespread contact tracing.
However, in the race to get their source code online, its developers managed to post files containing 200 names, emails and encrypted passwords from another app it is linked to, according to local site RTL Nieuws.
The accidental breach has been reported to the local authorities, with the developers admitting that in putting the source code online as soon as possible, they made a mistake.
It would seem unlikely that the app will make it through the next round of scrutiny.
The incident highlights the potential security and privacy risks involved in developing software at speed that will eventually be rolled out to as much of the populace as possible.
With lockdown measures across Europe and much of the world severely restricting economic growth, the stakes for a swift relaxation of the rules couldn’t be higher. However, experts are agreed that to do so, governments must have in place rigorous testing and tracing capabilities.
Privacy groups have already warned that the latter could be used by certain regimes to usher in a new era of expanded digital surveillance. China appears to be leading the way on this.
The European data protection supervisor recently called for an EU-wide approach to ensure any apps being developed at a national level are consistent with the GDPR.
He and the UK information commissioner believe that tracing apps can be designed to comply with the privacy regulation, as long as certain conditions are met.
The ICO said on Friday that developers must be transparent about data collection processes, personal data use should be necessary and proportionate, systems must be as decentralized as possible, governance and accountability should be in place and there should be an exit strategy once such data is no longer needed.
Global standards producer ETSI has announced the release of a key standard to confirm the integrity of digital material used in legal proceedings. ETSI TS 103 643 provides a set of tools for those wanting to demonstrate the legitimacy of digital evidence.
Legal systems depend on a court being able to have confidence in the material that is used during legal proceedings, ETSI explained. This is essential for the proper functioning of society – to have confidence that people are being found guilty or not guilty on the basis of accurate information.
Digital material is increasingly being used as evidence as part of legal proceedings, and it is important that techniques for preserving such evidence are kept up-to-date as the formats of data evolve.
According to ETSI, ETSI TS 103 643 will provide assistance in this regard.
“This new ETSI specification helps provide confidence around the software/machine aspects helping people write appropriate software that will be able to be used in court and will stand the test of time,” said Alex Leadbeater, chair of ETSI TC CYBER. “It aims to provide reassurance to critical court material in a cost-effective way and saves time for those involved in the process.”
ETSI provides members with an open and inclusive environment to support the timely development, ratification and testing of globally applicable standards for ICT-enabled systems, applications and services across all sectors of industry and society.
The National Cyber Security Centre (NCSC) has launched what it describes as a “pioneering” Suspicious Email Reporting Service, as users continue to be bombarded by COVID-19-themed phishing attacks.
The scheme is designed to make it easier for members of the public to report online scams including those taking advantage of widespread interest in the coronavirus.
Developed in partnership with the City of London police, the “world-leading” service will enable users to report suspicious emails to firstname.lastname@example.org, where the NCSC’s automated scanners will assess whether they are malicious. If so, any linked phishing sites will be removed immediately.
The service will also provide police with a real-time analysis of phishing patterns to better track and stop campaigns.
The NCSC said it has already been able to take down 2000 COVID-19 online scams over the past month, including: over 470 stores selling fake coronavirus-related items, more than 550 malware distribution sites, 200 phishing sites designed to harvest user info and more than 830 advance-fee fraud attempts.
The announcement came as part of the cross-government “Cyber Aware” campaign launch, which aims to teach best practice cybersecurity tips such as effective password management to computer users.
NCSC CEO, Ciaran Martin, argued that technology will ultimately help society emerge from the COVID-19 crisis, but that makes cybersecurity more important than ever.
“With greater use of technology, there are different ways attackers can harm all of us, but everyone can help to stop them by following the guidance campaign we have launched today. However, even with the best security in place, some attacks will still get through,” he added.
“That’s why we have created a new national reporting service for suspicious emails – and if they link to malicious content, it will be taken down or blocked. By forwarding messages to us, you will be protecting the UK from email scams and cybercrime.”
Google last week claimed to be blocking 18 million malicious and phishing emails for its global customers each day.
America's National Football League has expressed cybersecurity concerns over this Thursday's virtual draft.
Traditionally, the top draft picks wait in a central location for their names to be called. But this year, due to social distancing measures introduced to slow the spread of COVID-19, the selection process will be carried out online.
NFL commissioner Roger Goodell will be announcing each pick from the basement of his home in New York. Meanwhile, a group of 58 players expected to make the cut in the first two rounds will be live-streaming from their homes so viewers can see their reactions.
According to ESPN, each NFL team will use a modified version of Microsoft's Teams—a central messaging and communications app similar to Slack—to send in their picks. Microsoft has been working directly with teams to keep the process secure and to prevent any leakage of sensitive information.
A test run of the virtual draft is taking place today with all 32 of the league's teams. The NFL told Reuters that their security measures are “comprehensive and thoughtful,” but declined to specify exactly what they are.
Ravens head coach John Harbaugh is skeptical that the virtual draft can be carried out securely, despite what his IT team says.
“They assure me we are doing everything humanly possible, and I remind them that that’s what Wells Fargo and all those other places said about our private information, so I have some real concerns," said Harbaugh.
“I really wouldn’t want the opposing coaches to have our playbook or our draft meetings. That would be preferable.”
The NFL is permitting clubs to use video-conferencing app Zoom for their internal communications but has said it must not be used between teams and the league office. Zoom made the headlines earlier this month when thousands of user videos were found online in an unsecured storage device.
Speaking with ProFootballTalk's Peter King, Rams COO Kevin Demoff said: "Someone could hack into this Zoom, and you’re probably not going to learn a lot. Hacking into a team’s draft room on Zoom is probably a lot different. That would be my biggest concern just from an encryption standpoint of how do you have these conversations confidentially.”
A US church has been ordered to close down a website selling a ‘miracle’ cure for COVID-19, brain cancer, HIV/AIDS, and Alzheimer's disease.
The Genesis II Church of Health and Healing (Genesis) was found to be in violation of the Federal Food, Drug, and Cosmetic Act (FD&C) by unlawfully distributing its Miracle Mineral Solution (MMS), variously known as Master Mineral Solution, Miracle Mineral Supplement, MMS, Chlorine Dioxide (CD) Protocol, and Water Purification Solution (WPS).
Designed to be taken orally, MMS is an unproven treatment that contains the same amount of chlorine dioxide as industrial bleach.
The Food and Drug Administration (FDA) has been issuing public warnings to consumers since 2010 that MMS can cause nausea, vomiting, diarrhea, and symptoms of severe dehydration.
A federal court in Florida has entered a temporary injunction against Genesis and four church associates, Mark Grenon, Joseph Grenon, Jordan Grenon, and Jonathan Grenon, requiring them to shut down the website advertising the fake cure and immediately halt distribution.
“Not only are these products potentially harmful, but their distribution and use may prevent those who are sick from receiving the legitimate healthcare they need,” said attorney Ariana Fajardo Orshan for the Southern District of Florida.
According to the complaint, the defendants’ disease-related treatment claims are unsupported by any well-controlled clinical studies or other credible scientific substantiation.
“Despite a previous warning, the Genesis II Church of Healing has continued to actively place consumers at risk by peddling potentially dangerous and unapproved chlorine dioxide products," said FDA Commissioner Stephen M. Hahn.
"We will not stand for this, and the FDA remains fully committed to taking strong enforcement action against any sellers who place unsuspecting American consumers at risk by offering their unproven products to treat serious diseases.”
The complaint further alleges that the labeling of the church's miracle cure is false and misleading since none of its disease-related treatment claims are supported by any clinical data.
“The Department of Justice will take swift action to protect consumers from illegal and potentially harmful products being offered to treat COVID-19,” said Assistant Attorney General Jody Hunt.
“We will continue to work closely alongside our partners at the Food and Drug Administration to quickly shut down those selling illegal products during this pandemic.”
British businesses are the target of a new phishing scam in which criminals impersonate an employee of Her Majesty's Revenue and Customs.
Victims are sent a fake email purporting to be from “Jim Harra, First Permanent Secretary and Chief Executive of HMRC,” and inviting them to make a financial claim under the genuine UK government's Coronavirus Job Retention Scheme.
The recently introduced scheme allows UK businesses to claim for 80% of their employees' wages plus any employer National Insurance and pension contributions, if their staff have been furloughed as a result of the COVID-19 outbreak.
In the fake email, the victim is asked to provide their bank account details in order to receive a Coronavirus Job Retention Scheme payment.
The email reads: “Dear customer, We wrote to you last week to help you prepare to make a claim through the Coronavirus Job Retention Scheme. We are now writing to tell you how to access the Covid-19 relief. You will need to tell your [sic] us which UK bank account you want the grant to be paid into, in order to ensure funds are paid as quickly as possible to you.”
The sender of the malicious email appears to be HM Revenue & Customs; however, the email address from which the attack originated is email@example.com.
News of the phishing attack reached Infosecurity Magazine via London-based financial services firm Lanop Accountancy Group. At time of writing, Lanop had received warnings about the suspicious email from 50 different business owners.
“We're calling upon all businesses to think twice before handing over bank details and making bank transfers in response to email requests during this crisis,” said Aurangzaib Chawla, managing partner at Lanop.
“Cyber-crime is rising rapidly, and this is the first of what we expect to be many scam emails, designed to trick unsuspecting owners into handing over private company data.”
Lanop expressed a desire to help companies navigate through the thickening mud of COVID-19 scams.
“We are offering free advice about how to tackle these scams and reporting any suspicious activity direct to HMRC,” said Chawla.
Recent research from cyber-security company Barracuda Networks has suggested that coronavirus-related phishing emails have risen by 667 percent since the start of March.
The UK Government is to invest in some of the UK’s most innovative startups as part of a bailout plan.
According to the FT, this is part of a £1.25bn plan to help “struggling UK startups” and venture capital-backed businesses struggling to survive the current lockdown. As part of that fund, a £500m co-investment fund will be provided for high-growth companies hit by the crisis, matching private sector money with state-backed loans that can be converted into equity stakes, and valued at a discount, if they are not repaid.
Smaller businesses focused on research and development can also apply for a part of a £750m budget in grants and loans. The £500m “Future Fund” will provide UK-based companies with between £125,000 and £5m from the government as long as the cash is at least matched by private investors.
The government is committing £250m towards the scheme, which will initially be open until the end of September. The scheme has been drawn up with the British Business Bank, the state-backed lender that already invests in many of the UK’s VC funds. To be eligible, a business must be an unlisted UK-registered company that has raised at least £250,000 in equity investment in the past five years.
A statement from British Business Investments CEO Catherine Lewis La Torre explained that the £500m, made available today, will attract more institutional capital to the venture and growth asset class that is so important for high-growth businesses. “Through this Managed Funds Program, prospective investors will be able to access high quality venture and growth capital funds that will be investing in the success stories of tomorrow,” she said.
Gerard Grech, chief executive of Tech Nation, said: “Tech startups and scale-ups are crucial to the UK’s future growth, jobs and innovation. The £500m Future Fund and £750m for loans and grants for R&D for startups is a bold intervention, and although the full implementation details are still to be released, it is likely to give the sector a welcome boost in these unprecedented times.
“How to target the money effectively should be the next priority. Startups and scale-ups vary in their financial structuring and their regional location. It will be important to get the balance just right, across the UK and also across the different models of investments, from angel invested companies to VC-funded firms.”
Rick Holland, CISO and VP of Strategy at Digital Shadows, added that, historically, cybersecurity is a sector of the economy where spending still occurs even in economic downturns. “There are risks to smaller and emerging firms, but sales revenue and the amount of capital raised provides resilience. To avoid going extinct, startups must have enough funds to cover operating expenses over the next few months to weather the COVID-19 storm.”
Richard Hughes, head of the technical cybersecurity division at A&O Cybersecurity, said that with a booming global cybersecurity market, it is no surprise to see numerous smaller startup cybersecurity firms vying for a slice of the cake.
“Without an established customer base and repeat business to help weather the storm, smaller and emerging cybersecurity firms must seek new business to survive and herein lies the problem,” he said.
Thales has revealed that its technology will be used to secure Motorola’s new ‘eSIM-only’ smartphone, the razr. The device is the world’s first foldable smartphone to rely exclusively on embedded-SIM (eSIM) technology – a highly compact, programmable solution for secure mobile connectivity that is embedded directly into a device.
With eSIM, users can remotely provision and update their mobile network subscriptions and no longer need to physically insert SIM cards, benefiting from a fully digitized journey.
Emmanuel Unguran, EVP mobile connectivity solutions at Thales, said: “Motorola’s decision to go eSIM-only for their premium product reflects the company’s confidence in this extremely space-efficient approach to secure mobile connectivity. It also demonstrates deep trust in Thales, a world leader in eSIM technology and related subscription management services.”
Neil Shah, VP research at Counterpoint Research, added that more than 2.8 billion eSIM-compliant smartphones are expected to be cumulatively shipped by 2025.
“The trend towards eSIM-only smartphones is going to catalyze this market further as we see greater adoption across the price-tiers unlocking multiple benefits for smartphone OEMs, operators and end-smartphone users,” he said.
The UK’s privacy regulator has given a cautious green light to a contact tracing project Google and Apple are working on to enable governments to end current COVID-19 lockdowns.
A new opinion issued by the information commissioner, Elizabeth Denham, stated that the proposed Contact Tracing Framework (CTF) appears to be “aligned with the principles of data protection by design and by default.”
The CTF uses Bluetooth technology and the exchange of frequently changing anonymous identifier beacons to track and trace infections and notify users if they have been in the vicinity of someone who subsequently tests positive for the virus.
However, whilst giving the scheme a tentative thumbs-up, Denham argued that developers building apps on top of the CTF may collect other data and use different techniques than those envisaged by the tech giants.
In fact, reports emerged last month that the UK’s NHS was considering capabilities in its own app built on CTF that would allow ministers to deanonymize data in order to identify individuals if necessary.
Aaron Moss, barrister at 5 Essex Court, said that it would only be possible to check such allegations once the source code was made public.
“If the central database contains an individual’s location data, including a unique identifier for their device, people will understandably worry that the data could be used for surveillance which they would not consent to. This is what the information commissioner calls ‘function creep’,” he told Infosecurity.
“The bottom line is that individuals cannot be certain how public authorities will use their data in the future. Once public authorities hold data, they may well lawfully use it for other purposes, unknown to the data subject. The key in this case is that the app should be designed in such a way that it doesn’t collect identifying data in the first place, or minimizes this data to what is really required to fulfill its function.”
The European data protection supervisor earlier this month called for an EU-wide contact tracing app to be developed in line with GDPR principles.
Hackers have made off with at least $25m from two cryptocurrency firms after apparently targeting them with “reentrancy attacks” over the weekend.
The raids affected decentralized lending platform Lendf.Me, which is supported by a decentralized finance (DeFi) network known as dForce, and crypto exchange Uniswap.
According to Tokenlon, the organization behind digital currency imBTC, the attackers first struck on Saturday exploiting a vulnerability at Uniswap in combination with the ERC777 token standard.
A reentrancy attack lets attackers repeatedly withdraw digital funds, unchallenged, until the state of the initial transaction is updated.
The same technique was behind the massive $60m raid on the Ethereum-based DAO in 2016.
Around a day after attackers hit Uniswap, Tokenlon received a message from Lendf.Me saying it had also been compromised, “resulting in a large number of abnormal borrowing on the platform.”
“ImBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon,” the firm explained. “The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above-mentioned reentrancy attacks.”
Founder of dForce, Mindao Yang, explained that the “callback mechanism” in his organization’s DeFi smart contracts enabled the hacker “to supply and withdraw ERC777 tokens repeatedly before the balance was updated.”
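A constructed model of the ordering flaw Yang describes, added here as an illustration and not Lendf.Me's, dForce's or Uniswap's code: a toy lending pool whose withdraw() runs an ERC777-style token hook before it updates the caller's ledger balance, beside the two standard defenses (effects before the interaction, and a guard that rejects nested calls). The probe function re-enters withdraw() a bounded number of times and reports how many tokens left the pool, so the three orderings can be compared directly.

```python
# Constructed model of the callback-before-balance-update flaw, not any real
# DeFi contract's code. The hook stands in for an ERC777 token's send/receive
# callback, which runs the counterparty's code in the middle of withdraw().
class ReentrancyError(Exception):
    pass


class LendingPool:
    def __init__(self, reserve: int, effects_first: bool = False,
                 guarded: bool = False):
        self.reserve = reserve              # tokens the pool actually holds
        self.balances = {}                  # per-account credit in the ledger
        self.effects_first = effects_first  # checks-effects-interactions order
        self.guarded = guarded              # reject nested calls (mutex guard)
        self._entered = False

    def supply(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who: str, amount: int, hook=None) -> None:
        if self.guarded and self._entered:
            raise ReentrancyError("nested withdraw rejected")
        self._entered = True
        try:
            if self.balances.get(who, 0) < amount:      # check
                raise ValueError("insufficient balance")
            if self.effects_first:                      # effect (safe order)
                self.balances[who] -= amount
            self.reserve -= amount                      # tokens leave the pool
            if hook is not None:                        # interaction: hook runs
                hook(self)
            if not self.effects_first:                  # effect (vulnerable order)
                self.balances[who] -= amount
        finally:
            self._entered = False


def tokens_drained(pool: LendingPool, who: str, deposit: int, depth: int) -> int:
    """Supply `deposit`, withdraw it with a hook that re-enters withdraw() up to
    `depth` more times, and return how many tokens left the pool in total."""
    pool.supply(who, deposit)
    before = pool.reserve
    remaining = depth

    def hook(p: LendingPool) -> None:
        nonlocal remaining
        if remaining > 0:
            remaining -= 1
            try:
                p.withdraw(who, deposit, hook)   # re-enter while ledger is stale
            except (ValueError, ReentrancyError):
                pass                             # a defense held; stop here

    pool.withdraw(who, deposit, hook)
    return before - pool.reserve
```

With a 100-token pool, a 10-token deposit and five nested calls, the vulnerable ordering lets 60 tokens out and leaves the ledger at -50, while either defense releases only the 10 that were deposited.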
“The hacker(s) have attempted to contact us and we intend to enter into discussions with them,” said Yang.
“We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.”
Notorious malware Trickbot has been linked to more COVID-19 phishing emails than any other, according to new data from Microsoft.
The Microsoft Security Intelligence Twitter account made the claim on Friday.
“Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures,” it said. “This week’s campaign uses several hundreds of unique macro-laced document attachments in emails that pose as messages from a non-profit offering a free COVID-19 test.”
Microsoft has been providing regular updates through the current crisis as organizations struggle to securely manage an explosion in home working while cyber-criminals step up efforts to exploit stretched IT security teams and distracted employees.
As such, attacks seem to be focused on the classic combination of email and social engineering/phishing to harvest user credentials, spread malware and attempt extortion and BEC.
Trickbot started life as a banking Trojan but is often used in attacks to drop additional malware like ransomware, VNC clients and remote access malware.
However, despite the eye-catching headlines, Microsoft claimed earlier this month that overall cybercrime levels haven’t spiked as a result of the pandemic. Black hats are merely diverting resources and renaming existing campaigns with COVID-19 lures, it said.
The tech giant claimed that only 60,000 of millions of daily phishing emails it detects have COVID-19-themed malicious attachments or URLs, which is less than 2% of the total volume of threats the firm tracks each day.
In an update last week, Google echoed the message that many of the threats it is detecting are not new but simply rebranded with coronavirus themes.
However, it claimed to be blocking 240 million COVID-19 spam messages each day for customers, plus 18 million malware and phishing emails.