Info Security


Ministry of Justice Suffers 17 Serious Data Breaches Last Year

Tue, 12/22/2020 - 14:45

The Ministry of Justice (MoJ) reported 17 serious data breaches during the last financial year, according to official figures analysed by the Parliament Street think tank.

The UK government department responsible for running the country’s justice system revealed in its annual report 2019-20 that it informed the Information Commissioner’s Office (ICO) of personal data loss incidents affecting a total of 121,355 people.

In the largest of the incidents reported to the ICO, a technical error in a sub-processor made various files on a staff training database briefly accessible to unauthenticated users, resulting in one full and one partial unauthorized download. This disclosed personal information of 120,000 people, including staff data such as names, work locations, staff numbers, national insurance numbers, email addresses and training records.

The second largest incident was caused by a set of prison records being dispatched to the wrong prisoner by mistake. Impacting a total of 143 people, this exposed data relating to the offender’s friends, family, solicitors and MoJ officials.

Other breaches included an applicant’s address and the names of five children being disclosed to the respondent in a domestic violence court case, a lost unencrypted USB stick containing around 33,000 documents from a fraud trial and the leaking of sensitive data about seven staff members following the theft of a laptop and mobile phone.

A further 6425 data incidents were recorded by the MoJ in the 12-month period, although these were not substantial enough to be reported to the ICO. Most (5445) were labelled as ‘unauthorized disclosure’, while 823 were the result of ‘inadequately protected electronic equipment, devices or paper documents’.

Commenting on the figures, Tim Sadler, CEO at Tessian said: “Data security is, today, well and truly in the hands of the employees. But, sometimes, employees make mistakes - as we can see from the breaches reported by the MoJ to the ICO. It's human nature; people misplace things, we send emails containing sensitive information to the wrong person, and we click the wrong buttons. And because people are in control of more data than ever before, the risk of that data being accidentally leaked or exposed is only growing.

“As organizations expect people to be responsible for more and more sensitive data, measures must be in place to prevent the mistakes that compromise security. Failure to do so could result in regulatory fines and ruined reputations.”

Categories: Cyber Risk News

Cybereason Adopts Oracle Cloud Infrastructure to Enhance its Platform Security

Tue, 12/22/2020 - 13:00

Security firm Cybereason has announced a new partnership with Oracle to enhance protection for customers in the face of a growing cyber-threat landscape.

Firstly, it has adopted the Oracle Cloud Infrastructure to run its automated Cyber Defense Platform. Cybereason said this will improve security and risk posture as well as reduce operational costs for customers using its platform. It placed a particular emphasis on Oracle Cloud Infrastructure’s ability to accelerate artificially intelligent threat detection.

Additionally, the two companies have entered into an agreement to jointly market and sell solutions, helping organizations search for available applications and services that best fit their needs.

Cybereason hopes the partnership will help facilitate its global expansion.

Lior Div, Cybereason CEO and cofounder commented: “We’re excited to collaborate with Oracle to enhance our company’s cloud infrastructure for our award-winning unified protection platform. We chose Oracle Cloud Infrastructure because of its security-first approach and performance. Together, we will deliver unmatched visibility and risk reduction to our global customer base. Additionally, the Oracle Cloud global footprint will enable Cybereason to offer in-country hosting in more locations for meeting regulatory data sovereignty requirements.”

Clay Magouyrk, executive vice president, Oracle Cloud Infrastructure, said: “Cybereason joins a growing roster of companies adopting Oracle Cloud Infrastructure for its leading security and price performance advantages delivered across its global cloud footprint. Adopting Oracle Cloud Infrastructure will enhance Cybereason’s ability to deliver insights into threats across thousands of endpoints and enable customers to stay one step ahead of today’s most nefarious attacks.”  

In September, it was announced that a department of the UK’s Ministry of Defence (MoD) added the Oracle Cloud Infrastructure within its MODCLOUD Multi-Hybrid suite of secure services.

Adoption of cloud services has grown substantially this year as organizations looked to function efficiently following the shift to remote working as a result of COVID-19. According to a recent study by Sumo Logic, multi-cloud adoption went up by 70% year-over-year in 2020.

Categories: Cyber Risk News

Tech Giants Support Facebook in Case Against Spyware Maker

Tue, 12/22/2020 - 11:30

Microsoft, Google, Cisco and a host of other tech giants have added their names to a legal filing supporting Facebook’s case against controversial spyware developer NSO Group.

The social network took the Israeli firm to court after alleging that the latter exploited a vulnerability in WhatsApp which helped its clients spy on over 1400 users globally. It’s believed that the bug or similar ones may also have been used to help Saudi Arabian officials spy on murdered journalist Jamal Khashoggi and his former boss, Jeff Bezos.

NSO Group has argued that its tools are only ever used for legitimate law enforcement purposes, and that, as it sells exclusively to governments, it should benefit from the “sovereign immunity” that means nation states can’t be taken to court.

The case is now at the Court of Appeals after Facebook won the argument in the Northern District of California in July.

That’s where the latest amicus brief filing comes in: it shows support for Facebook’s position from a wide range of tech firms, including rivals. As well as those listed above, the signatories also include lobby group the Internet Association, which counts among its members tech firms including Amazon, Twitter, PayPal, eBay, Uber and Reddit.

Microsoft’s VP of customer security and trust, Tom Burt, argued that NSO Group’s actions should not be granted legal immunity for three reasons.

He claimed that the firm’s tools could end up in the wrong hands, as per the Shadow Brokers hack that resulted in NotPetya and WannaCry, if sophisticated attackers decide to target NSO Group itself, or its government customers.

He also argued that, unlike governments which are bound by international laws and diplomatic norms, private companies like the Israeli firm are only motivated by profit.

Finally, Burt argued that these tools threaten human rights, despite NSO Group’s protestations to the contrary, by expanding the range of autocratic regimes that can access sophisticated spyware.

“Reporting shows foreign governments are using those surveillance tools, bought from PSOAs [private sector offensive actors], to spy on human rights defenders, journalists and others, including US citizens,” he added.

“These tools allow the user to track someone’s whereabouts, listen in on their conversations, read their texts and emails, look at their photographs, steal their contacts list, download their data, review their internet search history and more.”

Categories: Cyber Risk News

Just 8% of Firms Offer Regular Security Training

Tue, 12/22/2020 - 10:30

A majority of UK businesses are failing to adequately train their remote working employees to spot security threats, according to new research from iomart.

The cloud services company based its Cyber Security Insights Report on the views of 1167 UK workers at C-level, director, manager and employee level.

It found that over a quarter (28%) of their employers offer no cybersecurity training for the distributed workforce, while a further 42% do but only to select employees.

Of those who were offered training, 82% claimed that it was a short briefing rather than something more comprehensive. Less than a fifth (17%) said they had regular training sessions.

That means, overall, just 8% of those surveyed receive regular security training.

This comes at a time when threats are on the rise. A fifth (20%) of those surveyed reported seeing an increase in cyber-attacks as a result of working remotely.

Cyber-criminals have been targeting remote workers with phishing emails, often themed with COVID-19 lures, as well as vulnerabilities in VPN infrastructure and insecure RDP endpoints that can be easily brute-forced or whose credentials can be bought off the dark web.

The number of RDP ports exposed to the internet grew from three million to 4.5 million in the period from January to March 2020, according to McAfee research released in May.

Bill Strain, security director at iomart, warned that organizations still aren’t placing security and data protection at the top of their priority list.

“They need to understand what the potential threats are and build resilience into their business strategy so they can react quickly and maintain operations if their IT systems are compromised,” he urged.

“Many businesses would not survive the operational — let alone financial — impact of a data breach. By understanding the potential risk and introducing positive behavior around cyber awareness, they have a much better chance of surviving an incident.”

Remote workers are thought of as a potential cyber risk as many may be more distracted at home and likely to click through on phishing emails, whilst their devices may not be as well protected as corporate equivalents.

Categories: Cyber Risk News

Big Tech Joins Up to Ransomware Task Force

Tue, 12/22/2020 - 09:30

A group of big-name security and technology vendors, non-profits and other industry stakeholders have come together to create a new group focused on combatting ransomware.

The Ransomware Task Force (RTF) is the brainchild of Bay Area firm the Institute for Security and Technology (IST) and will see member organizations unite to provide “clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise.”

Members announced at the official launch yesterday include tech firms Citrix, Microsoft, McAfee, Rapid 7, Team Cymru and Cybereason, law firm Venable LLP, and policy-maker groups like Digital Aspen and the Cybersecurity Coalition. Others on board include insurer Resilience, non-profit the Shadowserver Foundation and data sharing group the Cyber Threat Alliance.

“Ransomware incidents have been growing unchecked, and this economically destructive cybercrime has increasingly led to dangerous, physical consequences. Hospitals, school districts, city governments, and others have found their networks held hostage by malicious actors seeking payouts,” the IST argued.

“This crime transcends sectors and requires bringing all affected stakeholders to the table to synthesize a clear framework of actionable solutions, which is why IST and our coalition of partners are launching this Task Force for a two-to-three-month sprint.”

According to the most recent stats, ransomware grew as a percentage of total detected malware from 39% to 51% during the period Q2-Q3 2020. Healthcare organizations have been most notably targeted through the COVID-19 crisis, as have vaccine developers.

Big names such as French IT services giant Sopra Steria have been on the receiving end of a surge in “big game hunting” attacks using APT-style tactics to infiltrate large organizations. It said a Ryuk attack in October could end up costing the firm as much as $60 million.

However, the truth is that SMBs are much more likely to get caught out, according to Coveware. The vendor claimed that organizations with up to 1000 workers accounted for 73% of attacks in Q3 2020.

“The RTF will assess existing solutions at varying levels of the ransomware kill chain, identify gaps in solution application, and create a roadmap of concrete objectives and actionable milestones for high-level decision-makers,” said the IST.

Categories: Cyber Risk News

Russia Officially Denies Large-scale US Hack

Mon, 12/21/2020 - 20:43

Russia has officially denied any culpability for a recent cyber-attack that impacted at least six federal agencies in the United States.

America's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive last week after cyber-criminals trojanized updates to SolarWinds’ Orion IT monitoring and management software to launch a large-scale cyber-attack. 

CISA said that the incident poses "unacceptable risk to the security of federal networks" and urged all federal civilian agencies to review their networks for indicators of compromise and to disconnect or power down SolarWinds Orion products immediately.

SolarWinds, an IT company based in Austin, Texas, which serves government customers across the executive branch, the military, and the intelligence services, stated on December 20 that it was the victim of a sophisticated supply-chain attack that "could potentially allow an attacker to compromise the server on which the Orion products run." 

The company has not attributed the attack to any particular threat actor, stating only that "we’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker."

While the US government has not publicly identified who might be behind the hacking, Reuters reported on December 15 that "three of the people familiar with the investigation said Russia is currently believed to be responsible for the attack."

Secretary of State Mike Pompeo publicly laid the blame for the cyber-attack at Russia's door on December 18. 

Discussing the cyber-incident during an interview with radio host Mark Levin, Pompeo stated: "This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity." 

Today, Russian News Agency Tass reported that Moscow was not responsible for the hacking attack that impacted US government bodies and companies. 

"Russia is not involved in such attacks, namely this one. We state this officially and firmly," Kremlin spokesperson Dmitry Peskov told reporters on Monday.

He added that "any accusations of Russia’s involvement are absolutely baseless; they are more likely to be a continuation of blind Russophobia that is resorted to in case of any incident."

Categories: Cyber Risk News

BlueHalo Acquires Base2 and Fortego

Mon, 12/21/2020 - 18:29

Arlington Capital Partners portfolio company BlueHalo today announced that it has completed the acquisition of Maryland businesses Base2 LLC and Fortego LLC.

While both companies are leading providers of complex, mission-critical cyber and Signals Intelligence (SIGINT) solutions, Base2 specializes in the design and development of cyber-solutions in the areas of Computer Network Operations (CNO), SIGINT, and Quick Reaction Capability (QRC).

"We reached a point where it was time to consider being part of a larger organization that could help our company grow long term," said Base2 co-founders Edward Wright and Michael Curry.

"BlueHalo resonated with us because they focus on solving the hardest engineering problems while contributing to national defense imperatives."

Fortego, formed to fill a niche need for highly specialized technical analysts and developers focused on current cyber-warfare techniques and technologies, is known for its capabilities in advanced SIGINT and cyber operations solutions, with end-to-end solutions in cyber-analytics, vulnerability research, and CNO engineering.

"Combining with BlueHalo, who also believes in the importance of an employee- and mission-focused culture, was a natural fit as we lead Fortego into the next phase of its evolution," said Chad Price and Eric Rothenberger, co-founders of Fortego.

BlueHalo said that the freshly sealed deal will enable the company to address the most complex cyber programs in the national security community. 

"We are thrilled to partner with the management teams at both Base2 and Fortego," said Jonathan Moneymaker, CEO of BlueHalo. 

"The strong cultural alignment between our organizations around driving inspired engineering of complex solutions for our customers and our mission focus and unique access to specialized programs attracts the best of the best to the team.

"BlueHalo is leading the transformation of modern warfare, and the acquisitions of Base2 and Fortego enhance our ability to deliver on this vision and accelerate our ability to grow organically into new mission areas."

BlueHalo was formed through the combination of AEgis Technologies and its previously integrated acquisitions Excivity and EMRC Heli, Applied Technology Associates, and Brilligent Solutions.

The company has nearly 900 employees located across 11 states chosen for their proximity to major intelligence and Department of Defense organizations.

Categories: Cyber Risk News

Breakup Plan for Cyber Command and NSA

Mon, 12/21/2020 - 18:05

The Trump administration has come up with a proposal to split up the leadership of US Cyber Command and the National Security Agency (NSA).

Under the existing "dual-hat" arrangement, the posts of CYBERCOM commander and NSA director are held by one individual. Right now, that person is General Paul Nakasone.

The proposal, which could significantly reshape America's defense policy, was received by the joint chiefs of staff and joint chiefs chairman General Mark Milley at the end of last week. 

Milley, together with Acting Defense Secretary Chris Miller, must certify that the plan meets a particular set of standards laid out by Congress in 2016. 

Given that he told Congress in 2019 that the current leadership structure was effective and should continue, Milley is unlikely to approve the proposal. 

In his Senate nomination hearing for chairman of the joint chiefs of staff on July 11, Milley said: "The current 'dual hat' configuration between US Cyber Command and the National Security Agency is working well and should be maintained."

He added that the joint chiefs of staff would benefit from a cyber-readiness review similar to that conducted by the US Navy and reported on in March 2019, including annual cyber-training for all personnel, including military, government, and contractors.

Colonel Dave Butler, a spokesperson for Milley, said on Saturday that the chairman "has not reviewed nor endorsed any recommendation to split CYBERCOM and NSA."

US Cyber Command, the digital attack–fighting branch of America's military, was established in 2009. 

The timing of the proposal to split the role into two distinct posts comes just after the United States was struck by a large-scale cyber-attack that impacted at least six federal agencies. An investigation into the true extent of the assault and where it originated is ongoing.

In a joint statement issued on Sunday, Senators Ben Sasse and Angus King and Representatives Mike Gallagher and Jim Langevin said that the timing of the proposal, mere weeks before the end of Trump's presidency, was all wrong. 

“Regardless of whether it’s better to keep or end the dual-hat arrangement between NSA and CYBERCOM, now is not the time to do it," said the statement.

Categories: Cyber Risk News

Ransomware Attacks Surge in Q3 as Cyber-Criminals Shift Tactics

Mon, 12/21/2020 - 15:30

Ransomware accounted for a record share of malware attacks in Q3 2020, rising from 39% of all malware attempts in Q2 to 51% in Q3, according to Positive Technologies’ Cybersecurity Threatscape: Q3 2020 report.

The study also found that hacking accounted for 30% of all attacks during Q3, with cyber-criminals reducing their emphasis on social engineering tactics compared with earlier this year. The researchers noted that the percentage of social engineering attacks using COVID-19 as a lure fell from 16% in Q2 to just 4% in Q3, which they attribute to people becoming more accustomed to this crisis. Additionally, social engineering attacks targeting organizations fell from 67% of all attempts in Q1 to under half (45%) in Q3.

Healthcare organizations were heavily targeted in this period, including pharmaceutical sites where COVID-19 vaccine research was being conducted. Half of all attacks against this sector involved ransomware, which resulted in serious consequences, such as the crippling of hospital functions.

The cybersecurity firm added that attackers continued to target increased network insecurity brought about by the mass shift to remote working, with exploitation of vulnerabilities up by 12 percentage points quarter-on-quarter (to 30%).

Encouragingly, there was a slow-down in the growth in attacks experienced during the first two quarters of the year, with the number of incidents rising by 2.7 percentage points compared to the previous quarter. However, the rate of targeted attacks went up from 63% to 70%.

Yana Yurakova, analyst at Positive Technologies, commented: "According to our data, COVID-19 is being exploited in attacks on individuals as well as organizations. In regard to individuals, we see that the number of phishing emails related to COVID-19 is dropping quickly. Pandemic-themed messages fell from 16% of social engineering attacks in Q2 to just 4% in Q3.

“In the previous quarter, phishing emails would advertise personal protective equipment or offer information about the virus, whereas now they are exploiting interest in a vaccine. One mailing addressed to people in the UK claimed that local vaccine efforts were going slowly and offered a supposed vaccine for sale on the site of a Canadian pharmacy chain. Individuals need to stay extra vigilant of the threats which are circulating linked to the pandemic.”

Categories: Cyber Risk News

Gallagher Appoints Three New Cybersecurity Specialists

Mon, 12/21/2020 - 14:30

Insurance broker Gallagher has announced the appointment of three new cybersecurity specialists to grow its cyber-risk knowledge, thereby helping clients better prepare themselves against attacks.

The appointments are designed to enhance Gallagher’s cyber-practice within its UK retail division, which provides clients with cyber-protection and insurance cover to prevent cyber-incidents in addition to protection in the event they suffer a cyber-attack.

Jay Lucas has taken on the role of cyber-risk technical lead, in which he will oversee penetration and vulnerability testing to allow clients to identify security weaknesses across their network architecture. Lucas was previously a cybersecurity specialist at IntaForensics and prior to that, worked for Leicestershire Police for 16 years.

Gallagher has also appointed two new cyber-risk consultants, Stephen Randles and John Clarke, who will help clients achieve relevant industry accreditation, such as Cyber Essentials. They will also conduct open source intelligence investigations on behalf of clients to understand the risk of sensitive information being harvested by those with malicious intent towards the business. Randles joins from McLaren Automotive while Clarke moves from insurance broker Clearview Credit and Financial Risks Limited.

Johnty Mongan, cyber-risk consultant at Gallagher, commented: “As businesses become more reliant on their digital capability, in part driven by the increase in remote working as a result of COVID-19, ensuring they have a high level of protection against cyber-attacks, and identifying ways in which common cybersecurity risks can be mitigated against, is now an important consideration for companies of all sizes. 

“There isn’t a one size fits all approach to cybersecurity, and our practice plays a crucial role in helping organizations identify, mitigate and respond to any cyber-risk they might be facing, and ensuring they have appropriate insurance cover in place should they become victim to cyber-criminals.”

Categories: Cyber Risk News

Stolen Card Prices Soar 225% in Two Years

Mon, 12/21/2020 - 11:45

The price of stolen credit card details and cybercrime tools has in many cases seen triple-digit growth over the past two years, according to new dark web research compiled by Flashpoint.

The risk intelligence firm trawled some of the more established cybercrime marketplaces across the deep and dark web, across eight categories: from government-issued IDs to DDoS-for-hire services, exploit kits, RDP server access and “fullz.”

The cost of credit card dumps soared 225%, from $12.44 in 2018 to $26.50 this year, it revealed. Fake US passports can reach around $525 while the price rises even higher ($3500) for UK versions.

DDoS-for-hire services have nearly quadrupled in price since 2017, to around $165 for a fully managed attack, or provider-specific options potentially hitting $250.

According to Flashpoint, the “as-a-service” model has become increasingly popular of late because it enables those managing the services to customize on-the-fly, in order to improve success rates in response to enhanced mitigation on the defender side.

Access to RDP servers is often paired with online payment accounts to facilitate quick and easy fraud — available for upwards of $575. US bank account and routing numbers can also fetch hundreds, going for $530 when additional linked accounts are included in packages, said Flashpoint.

Phishing kits with “how-to” guides go for as little as $35, while exploit kits targeting Office 365 can cost $125.

Flashpoint argued that stolen data and cybercrime tools have increased in price across 2020 thanks to more online activity in general over the past year.

“The pricing analysis we conducted heading into 2021 illuminates some of the unique market dynamics and trends we see throughout dark web marketplaces — such as the long-tail effects of the global coronavirus pandemic and changes in buying and selling behavior stemming from an increase in working from home and online shopping,” added head of intelligence, Tom Hoffman.

Categories: Cyber Risk News

New US Bill Will Punish Foreign Firms’ IP Theft

Mon, 12/21/2020 - 10:35

The US Senate has unanimously passed a new bipartisan bill designed to punish foreign firms that actively seek to steal American intellectual property (IP).

Co-authored by senators Chris Van Hollen and Ben Sasse, the Protecting American Intellectual Property Act will allow the authorities to place sanctions on firms and individuals associated with such activity.

It will require a report to Congress every six months identifying any individual or firm that has engaged in or benefitted from serial theft of US trade secrets, and whether this could be construed as a threat to national security, foreign policy, the economy and/or financial stability of the nation.

If a firm is identified as such, the President must impose property blocking sanctions or prohibit US exports for it, while individuals will also be hit with property blocking sanctions and be banned from entering the US.

There’s also a national interest waiver in the legislation.

Although China is not mentioned by name in the legislation, it’s clear which country and types of company were front-of-mind when the senators were drawing it up.

Van Hollen argued that the US can’t sit by while companies and the governments enabling them “cheat their way to success.

“Foreign companies are working overtime to steal US technology, damaging our economy and our national security in the process. The need to fight back could not be more urgent — especially after the series of cyber-attacks we have witnessed aimed at the COVID-19 vaccine,” he added.

“This bill draws a line in the sand — outlining clear consequences these bad actors will face if they steal American innovation and technology. I was proud to work with senator Sasse on this bipartisan effort, and I’m glad to see the Senate act to hold these foreign entities accountable and protect American jobs.”

The legislation must now make its way through the House of Representatives, although there’s broad bipartisan support for tougher action on China. The House passed another bill co-sponsored by Van Hollen earlier this month. It was designed to prevent fraudulent foreign companies listed on US stock markets from escaping regulatory scrutiny, as Chinese ones have for over a decade.

Categories: Cyber Risk News

US Indicts Former Zoom China Liaison for Doing PRC’s Bidding

Mon, 12/21/2020 - 09:30

A former China liaison at Zoom has been indicted by the US for interfering in meetings, monitoring users and fabricating evidence against them as per Beijing’s instructions.

Xinjiang (“Julien”) Jin faces a maximum of 10 years in prison if found guilty of conspiracy to commit interstate harassment and unlawful conspiracy to transfer a means of identification. However, Jin is unlikely to face trial given that he’s based in China.

The former Zoom man was originally hired at the behest of the Communist Party after it blocked the service in China in autumn 2019. His alleged role appears to have been something akin to an unofficial content censor and spy.

“Part of Jin’s duties included providing information to the PRC government about [Zoom] users and meetings, and in some cases he provided information – such as Internet Protocol addresses, names and email addresses – of users located outside of the PRC,” the indictment noted.

“Jin was also responsible for proactively monitoring [Zoom] video communications platform for what the PRC government considers to be ‘illegal’ meetings to discuss political and religious subjects unacceptable to the Chinese Communist Party (CCP) and the PRC government.”

Most notably, Jin is said to have terminated four meetings held to remember the Tiananmen Square massacre. He and others are alleged to have infiltrated the meetings, and fabricated evidence using fake emails to claim that the attendees were supporting terrorist organizations, inciting violence and/or distributing child pornography.

They used this ‘evidence’ to justify shutting down the meeting and, in turn, the government in Beijing used it to intimidate attendees and/or their families based in China.

“The allegations in the complaint lay bare the Faustian bargain that the PRC government demands of US technology companies doing business within the PRC’s borders, and the insider threat that those companies face from their own employees in the PRC,” argued acting US attorney Seth DuCharme. 

“As alleged, Jin worked closely with the PRC government and members of PRC intelligence services to help the PRC government silence the political and religious speech of users of the platform of a US technology company. Jin willingly committed crimes, and sought to mislead others at the company, to help PRC authorities censor and punish US users’ core political speech merely for exercising their rights to free expression.”

Zoom has published a blog post in response highlighting the things it is doing to improve transparency and internal controls to protect freedom of speech. These include: end-to-end encryption, strict geo-fenced data routing to prevent content being routed through China, restricted access controls for Chinese employees and improved data protection training for all employees.

It also said that all government requests must now first be approved by Zoom’s US legal team.

Categories: Cyber Risk News

New ISAC for K–12 Schools Names National Director

Fri, 12/18/2020 - 18:15
New ISAC for K–12 Schools Names National Director

A new information sharing and analysis center (ISAC) set up to help American school districts protect themselves against cyber-threats has named its first national director.

Heading up the Kindergarten Through Twelfth Grade Security Information Exchange, or K12 SIX, is Douglas Levin, president of consulting firm EdTech Strategies and of the K–12 Cybersecurity Resource Center.

Levin is the founder of the K–12 Cybersecurity Resource Center and creator of the K–12 Cyber Incident Map, a visualization of cybersecurity-related incidents reported about US K–12 public schools and districts from 2016 to the present.

“I’ve been tracking the growth in attacks in this sector since 2016,” said Levin. “We’ve seen a marked increase over time, and a real spike since COVID-19. I’m glad to be joining an action-oriented organization that is working to proactively protect schools.”

K12 SIX was soft-launched in October 2020 by the Global Resilience Foundation (GRF), a nonprofit subsidiary of the National Council of ISACs. It is the first intelligence-sharing hub created specifically to meet the needs of local school districts in preventing and mitigating cyber-attacks.

Staff at K12 SIX are tasked with reviewing security incidents reported to them by schools. Their role is also to enrich and share actionable alerts based on intelligence provided by private security vendors, other sharing communities, and government sources.

The role of regional director at K12 SIX has been filled by Eric Lankford, former cyber-engineer with the Birdville Independent School District near Fort Worth, Texas.

Together, Levin and Lankford came up with the idea to create an ISAC for schools and approached the GRF with their proposal two years ago.

With no federal requirement for school districts to report data breaches, Levin believes that the Government Accountability Office (GAO) is not aware of the true extent of the problem. 

The GAO counted 99 school data breaches from July 2016 to May 2020 that compromised the personal information of thousands of students in kindergarten through high school. Levin counted 458 data breaches in school districts that impacted more than a million student records. 

While the GAO counted each cyber-attack as one incident regardless of how many school districts were affected, Levin counted each district’s data breach separately.

Categories: Cyber Risk News

JIBC Launches Cybercrime Analysis Certification

Fri, 12/18/2020 - 17:36
JIBC Launches Cybercrime Analysis Certification

The Justice Institute of British Columbia (JIBC) has launched a new online Graduate Certificate in Cybercrime Analysis to help meet Canada's growing demand for professionals with cybersecurity skills.

This new post-graduate program has been established to furnish professionals with the advanced knowledge and applied analytical skills necessary to help prevent, detect, and respond to the constantly evolving landscape of cybercrime. 

“Cybercrime is an ever-increasing threat that requires constant vigilance,” said Dr. Michel Tarko, JIBC president and CEO. 

“We’re pleased to offer a new graduate-level certificate program specifically addressing cybersecurity and cybercrime that bridges the gap in available offerings across Canada.”

The JIBC will offer the new graduate certificate part-time to all Canadians, whether they are new graduates interested in pursuing a career as a cybersecurity analyst or established professionals seeking to expand their skillset and advance their careers.

Teaching will take place virtually, with the first cohort of the program slated to begin in September 2021. The program consists of five courses that are delivered one per semester sequentially and takes approximately 18 months to complete.

Students of the program will develop a broad understanding of cybercrime analysis and be provided with foundational intelligence-analysis skills. After completing the course, students will be able to conduct intelligence investigations that can be used and applied in various court proceedings.

Courses will be taught by leading industry specialists who have accrued extensive experience in their particular fields. The curriculum has been designed to meet the needs of various public security and law enforcement agencies and is highly relevant to multiple industry sectors, including banking, accounting, and finance.

“JIBC’s Justice & Public Safety Division is very proud of its intelligence analysis and tactical criminal analysis programs,” said Dr. Stuart Ruttan, dean of the School of Criminal Justice & Security and Office of International Affairs. 

"The new graduate certificate in cybercrime analysis will provide our graduates with access to education, training and internationally-recognized credentials to assist them in being a part of the solution in the battle against cybercrime in our economy, and society in general.”

Categories: Cyber Risk News

Alibaba Facial Recognition Tech Picks Out Uyghur Minorities

Fri, 12/18/2020 - 15:19
Alibaba Facial Recognition Tech Picks Out Uyghur Minorities

Chinese multinational technology company Alibaba Group Holding Ltd is offering Uyghur/ethnic minority recognition as a cloud service, according to a new report by surveillance industry researcher IPVM and The New York Times.

Users simply send photographs of people taken on their phones or pulled from surveillance videos to Alibaba's facial recognition service, then receive an alert if the subject is identified as a Uyghur, a minority from the western region of Xinjiang.

The Cloud Shield system offered by Alibaba Cloud “detects and recognizes text, pictures, videos, and voices containing pornography, politics, violent terrorism, advertisements, and spam, and provides verification, marking, custom configuration and other capabilities.”

A record of the technology details how it can perform "glasses inspection" and "smile detection," and determine whether the subject is "ethnic" and, specifically, "Is it Uighur."

Since its discovery by IPVM, the record has been archived.

"Alibaba Cloud quickly deleted mentions of Uyghurs and minority detection on its website after Alibaba was contacted for comment," stated an IPVM spokesperson.

"Alibaba Cloud then claimed, without evidence or explanation, that these features were only used 'within a testing environment.'"

Alibaba released a statement declaring that it was “dismayed” that Alibaba Cloud had developed facial recognition software that allows individuals in video imagery to be tagged by ethnicity. 

The company claimed that the feature in the software was “trial technology” that was not intended for the use of customers.

An Alibaba spokeswoman told Reuters: “We have eliminated any ethnic tag in our product offering."

IPVM researchers said that they had identified over a dozen Chinese police departments that are using analytics to track Uyghurs.

"Alibaba's offering of this explicitly racist technology to its vast Cloud clientele shows the repression of Uyghurs goes well beyond law enforcement," stated IPVM.

Earlier this month, IPVM together with The Washington Post revealed that PRC-based tech companies Huawei and Megvii had tested and validated "Uyghur alarms" in face recognition software that were designed to be used in video surveillance projects by Chinese police.

News of Alibaba Cloud's ethnic-minority-flagging facial recognition technology follows IPVM's discovery a year ago that China's largest video surveillance manufacturer Hikvision promoted a Uyghur-detecting AI camera.

Categories: Cyber Risk News

Will the US Move to a Federal Privacy Law in 2021?

Fri, 12/18/2020 - 13:30
Will the US Move to a Federal Privacy Law in 2021?

Data privacy trends in the US in light of this year’s election and other recent events were discussed by a panel during the FTI Consulting webinar The New Privacy Landscape: California’s New Law and Prospects for Federal Action.

The significance of the California Privacy Rights Act (CPRA), passed last month to expand the existing California Consumer Privacy Act (CCPA), was the first point highlighted by the panel. Dominique Shelton Leipzig, firmwide co-chair of Perkins Coie’s Ad Tech Privacy and Data Management Practice, explained that this new law will bring about major changes to how data can be used in the state, and “companies really need to start thinking about this now.”

This includes requiring protection for sensitive information such as race, sexual preferences and trade union membership, while consumers also have a right to opt out of information sharing. Additionally, an agency will be set up to help enforce the legislation, including the power to issue fines.

Welcoming the move, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said he expects the legislation to lead to greater trust in companies, and noted that “with the changes to the law we’ve moved closer to the GDPR model.” He also expressed hope that such an approach will be adopted on a wider scale in the future, including at a federal level.

A more co-ordinated approach to data privacy rules worldwide is needed to help companies implement a global strategy, according to Charles Palmer, FTI Consulting senior managing director, outlining the difficulties a lot of smaller businesses have had in staying compliant when operating across different jurisdictions. “We are at a point where there needs to be coalescing around some common standards,” he commented.

There does appear to be some movement towards a federal privacy law being enacted in the future, which would help resolve issues such as this year’s ruling from the Court of Justice of the European Union (CJEU) that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful. Jason Van Beek, general counsel, Office of the Senate Majority Whip, outlined initial conversations that have taken place between a congressional committee and stakeholder groups about this. “If not passing one, then just getting it out of committee would be a positive step forward for a lot of interest groups looking to find a resolution to the issue of the privacy shield,” he noted.

In the current absence of a federal law on this area, the possibility of the state of California alone achieving adequacy to allow data transfers with the US was mooted by Shelton Leipzig. “There’s definitely going to be an attempt to get California designated as an adequate territory,” she said.

Nevertheless, Calabrese argued the Schrems II case, which led to the ruling over the EU-US privacy shield, highlighted that while having a federal privacy law in the US is important, it won’t necessarily guarantee an adequacy decision from the EU. This is because the big issue in this case was about surveillance by law enforcement agencies. He commented: “We’ve got to take both sides of that coin and address both of them,” adding that “there are creative ways to address this.”

In terms of the development of privacy legislation at a federal level in 2021, Van Beek added that while it is an important issue on the agenda, the continuing uncertainty over congressional election results alongside the COVID-19 crisis means it is unclear how this will progress next year and how high it will be on the agenda of law makers.

Categories: Cyber Risk News

Decade-Long Data Silo to Address Google-Fitbit Privacy Concerns

Fri, 12/18/2020 - 12:00
Decade-Long Data Silo to Address Google-Fitbit Privacy Concerns

The European Commission finally approved Google’s acquisition of Fitbit yesterday, adding some conditions intended to protect user privacy and competition, although campaigners are disappointed in the decision.

The Commission has been mulling the $2.1bn acquisition of the fitness monitoring giant for several months, as distrust over Google’s handling of data and alleged anti-competitive practices is high in the region.

In February, the advisory European Data Protection Board raised concerns about the possibility of the tech giant accessing health and fitness data on tens of millions of users.

“There are concerns that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data,” it noted.

However, the Commission has stipulated that Google cannot use any Fitbit data to power its advertising business and will have to keep that data in a separate “data silo” for 10 years, with the option of extending the period for another decade.

“The Commission’s investigation found that Google will have to ensure compliance with the provisions and principles of the GDPR, which provides that the processing of personal data concerning health shall be prohibited, unless the person has given explicit consent,” it also noted.

However, Privacy International said it was disappointed at the outcome, arguing that it will further strengthen Google’s capacity to exploit user data.

It argued that any commitments from the tech titan would likely fail to be implemented in a way that upholds users’ privacy rights. In particular, the review failed because it didn’t consider any implications for the region’s digital healthcare sector and markets, which Google could go on to dominate, the rights group said.

“Nothing seems to prevent Google from further enriching their massive data troves with vast quantities of sensitive health data and potentially exploiting our data in ways that go beyond digital advertising markets,” argued Privacy International legal officer, Ioannis Kouvakas.

“Google’s latest leap forward is going to be game-changing in all the wrong ways. Enabling any company, through acquisition and merger, to embed itself so deeply into so many aspects of our lives, is deeply troubling.”

Categories: Cyber Risk News

UK Energy Firm Suffers Data Breach Impacting Entire Customer Database

Fri, 12/18/2020 - 11:05
UK Energy Firm Suffers Data Breach Impacting Entire Customer Database

UK energy supplier People’s Energy has suffered a data breach affecting its entire database, including information on previous customers.

Co-founder of the company, Karin Sode, told BBC News that sensitive personal information of its customers, including names, addresses, dates of birth, phone numbers, tariff and energy meter IDs had been stolen by hackers. Following discovery of the breach on Wednesday morning, it has contacted all its 270,000 current customers to inform them of the breach.

Additionally, the hackers accessed the bank account numbers and sort codes of 15 small business customers, whom People’s Energy said it had contacted separately by phone. No other customers had their financial information accessed.

The firm added that it has informed the Information Commissioner’s Office (ICO) of the breach, as well as the National Cyber Security Centre (NCSC) and the police. It is now working with independent experts to investigate how the breach occurred and the identity of the attackers.

Quoted by the BBC, Sode said: “This is a big blow in every way. We want people to feel they can trust us. This was not part of the plan. We’re upset and sorry.”

Most of those affected are unlikely to face any direct financial risk, but will likely be at risk of targeted phishing attacks in the future.

Commenting, Paul Bischoff, privacy advocate, said: “Every data breach is cause for concern, but we should be particularly worried about attacks on critical infrastructure. In the coming days, I hope the attacker can be identified so we know whether this was a nation state threat actor or just an independent hacker looking for low-hanging fruit. Thankfully, People’s Energy’s actual service infrastructure was unaffected, and the vast majority of victims had none of their financial information stolen.

“People’s Energy customers should be on the lookout for targeted phishing messages from fraudsters posing as People’s Energy or a related company. They will use the personal information stored in the database to customize messages and make them more convincing. Never click on links or attachments in unsolicited emails, and always verify the sender’s identity before responding.”

Chris Hauk, consumer privacy champion at Pixel Privacy, added: “Data breaches like the one suffered by People’s Energy emphasize the need for companies big and small to harden their systems against breaches of this sort. People’s Energy should be applauded for not wasting any time in alerting their customers and officials to the breach. This upfront admission could help prevent their customers from being phished by the bad actors that performed the breach.”

People’s Energy is the latest of a number of businesses that have experienced large-scale data breaches this year, including Marriott International, Experian and easyJet.

Categories: Cyber Risk News

Bouncy Castle Bug Puts Bcrypt Passwords at Risk

Fri, 12/18/2020 - 10:30
Bouncy Castle Bug Puts Bcrypt Passwords at Risk

A high impact vulnerability has been discovered in a popular Java cryptography library which could allow attackers to pass bcrypt-backed password checks with far fewer guesses than a genuine brute-force attack on the hash would require.

CVE-2020-28052 is an authentication bypass bug in the OpenBSDBCrypt class of the widely used Bouncy Castle library.

By exploiting it, attackers can effectively bypass password checks in applications using the Bcrypt algorithm for password hashing, explained Synopsys. Although attack complexity is rated high, so is the potential impact on confidentiality, integrity and availability, the vendor claimed.

“An attacker must brute force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1000 attempts,” it explained.

“Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.”
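The quoted description is easier to follow with the comparison written out. The example below is added here and is not Bouncy Castle's or Synopsys's code: `flawed_check` is a reconstruction (an assumption based on the public description of the fix) of a compare that consults the first-occurrence index of each character code 0..59 instead of comparing the bytes at each position, so only `$`, `.`, `/` and the digits in a bcrypt string can ever make it fail; `correct_check` is the byte-for-byte, constant-time comparison a password check should use. The bcrypt-format strings are constructed to have the right 60-character shape and are not real hashes of any password.

```python
import hmac

# Constructed sample strings in bcrypt's 60-character
# "$2a$<cost>$<22-char salt><31-char hash>" layout (assumption: this layout).
# They are NOT real hashes of any password; only their shape matters here.
PREFIX = "$2a$10$"
STORED = PREFIX + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"

# What the library might compute for a *wrong* password (constructed): same
# cost/salt prefix, every other byte different, but no digit, '.' or '/'
# after the prefix.
WRONG_BUT_PASSES = PREFIX + "zyxwvutsrqponmlkjihgfe" + "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwv"

# Another wrong-password result (constructed) that happens to contain a '3',
# a character the stored hash does not contain.
WRONG_AND_REJECTED = PREFIX + "zyxwvutsrqponmlkjihgf3" + "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwv"


def flawed_check(stored: str, computed: str) -> bool:
    """Reconstruction (assumption, not Bouncy Castle's source) of the broken compare.

    For loop index i the vulnerable logic compares the position of the first
    occurrence of the character with code point i in both strings, instead of
    byte i of each string.  Because the loop runs over the 60-byte hash length,
    only code points 0..59 are consulted, and of those only the ones that can
    appear in a bcrypt string ('$' = 36, '.' = 46, '/' = 47, '0'-'9' = 48..57)
    can make the result false.  Every letter in the hash is ignored.
    """
    if len(stored) != len(computed):
        return False
    equal = True
    for i in range(len(stored)):
        equal &= stored.find(chr(i)) == computed.find(chr(i))
    return equal


def correct_check(stored: str, computed: str) -> bool:
    """Fixed behaviour: compare every byte, in constant time."""
    return hmac.compare_digest(stored.encode("ascii"), computed.encode("ascii"))


def bytes_examined(bcrypt_string: str) -> list:
    """Characters of the string the flawed loop can actually see (code point < 60).

    The more distinct digits, '.' and '/' a stored hash contains, the more
    first-occurrence positions a wrong-password hash must coincidentally match,
    which is why some hashes need more attempts than others to bypass.
    """
    return sorted({c for c in bcrypt_string if ord(c) < 60})


if __name__ == "__main__":
    cases = [
        ("correct password", STORED),
        ("wrong password, letters only", WRONG_BUT_PASSES),
        ("wrong password, contains '3'", WRONG_AND_REJECTED),
    ]
    for label, candidate in cases:
        print(f"{label:30s} flawed={flawed_check(STORED, candidate)!s:5s} "
              f"correct={correct_check(STORED, candidate)}")
    print("bytes the flawed loop can see:", bytes_examined(STORED))
```

Run as a script it prints one line per candidate; the second case is the bypass, where a hash computed from the wrong password passes the flawed compare and is rejected by the correct one.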

The flaw was disclosed to Bouncy Castle on October 20 and fixed in early November, with an advisory published yesterday.

However, 91% of organizations using the at-risk version of Bouncy Castle thus far haven’t patched, according to Sonatype.

CTO Brian Fox claimed that the popular cryptographic Java library is used by developers across 26,000 organizations to secure their applications, and has been downloaded over 170 million times in the past 12 months alone.

This makes it a potentially serious supply chain risk.

“Recent headlines about the massive SolarWinds attack highlighted the importance of software supply chain security and how easy it is for a single vulnerability to be distributed across multiple organizations, from government to security firms,” Fox argued.

“Ensuring the software you’re running across a business is built upon the most secure, updated components, requires maintaining a clean software bill of materials which automatically monitors for updates or malicious packages.”

Categories: Cyber Risk News