Month: January 2020
Zoom vulnerability would have allowed hackers to eavesdrop on calls - Comment
It has been reported that security flaws have been found in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. While Zoom has addressed the issue, the report raises deeper concerns about the safety of videoconferencing apps that require access to microphones and cameras.
Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said “When running an online meeting, make sure you can identify all users who have joined. If you expect that any part of the meeting is information you want to keep confidential, use the password feature to protect the meeting from casual intruders. Meeting recordings should be protected with similar vigilance. For example, recording files should not be placed on unauthenticated servers, and any links to streaming recordings should be protected by some form of authentication.”
Thousands of Instagram passwords exposed by social media boosting service - Comment
It has been reported that Social Captain, an Instagram-boosting service, has exposed thousands of Instagram passwords. A website bug allowed anyone access to any Social Captain user’s profile without having to log in — simply plugging a user’s unique account ID into the company’s web address would grant access to their Social Captain account — and their Instagram login credentials.
Commenting on this, Stuart Sharp, VP of solution engineering at OneLogin, said:
“It is disappointing that in 2020 we are still seeing service providers failing to follow even the most basic steps to secure their customers’ data. The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). The Social Captain use case is special — they need the user’s clear-text password to log into their customer’s account. Given the sensitive nature of this architecture, it is all the more surprising that they failed to encrypt users’ passwords by default — and it appears that they continue to store these passwords in the clear. Service providers have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and have a radical rethink of their approach to security.”
Government plans new laws for smart gadgets
According to BBC News, the UK government is developing laws that would require manufacturers to ensure their smart gadgets cannot be hacked and exploited via the internet. This is in the face of concerns that many internet-enabled devices lack basic security features. Under the proposed laws, manufacturers would have to:
- ensure all internet-enabled devices had a unique password
- provide a public point of contact so anyone could report a vulnerability
- state the minimum length of time a device would receive security updates
Jake Moore, Cybersecurity Expert at ESET, commented:
“Confidence in the security of smart devices should come as standard so this new proposal can’t come soon enough. Long has there been a standoff between security professionals and manufacturers battling it out over the protection of customers and their gadgets, so if the government muscle in on the action it could just be the answer we have been fighting for.
Unique passwords are more important than most people tend to realise, so this simple yet effective ‘security by design’ move will add an instant layer of protection without the user having to think. Security doesn’t have to be difficult, but it is far more successful when the user is obliged to protect themselves by design. However, this is no doubt the end of the matter as cyber security is a never-ending battle against persistent threat actors. If this new law is constantly monitored and updated, this could be an extremely positive movement in the right direction.”
Severe Vulnerabilities Discovered in GE Medical Devices - Comment
It has been reported that the US Cybersecurity and Infrastructure Agency (CISA) has issued an advisory for six high-severity security vulnerabilities in patient monitoring devices. These flaws could allow an attacker to make changes at the software level of a device and in doing so interfere with its functionality, render it unusable, change alarm settings, or expose personal health information.
Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said “Software is the critical infrastructure that is the foundation for nearly everything else in the modern world. In healthcare, vulnerabilities in software can expose devices and systems to attack or misuse, which ultimately could have adverse effects on patient health. Reducing risk is a matter of finding and fixing vulnerabilities. The way this happened with MDhex was that security researchers located vulnerabilities in existing products. The researchers did the right thing by discreetly notifying the manufacturer, allowing time for a coordinated disclosure to the public.
While security research is an important component of improving the overall state of the industry, it is not the most efficient way to keep risk low while building products. The best way to stamp out vulnerabilities is to find them as soon as possible by using a secure development life cycle (SDLC). At every stage of product development, vulnerabilities are identified and eradicated.
In the design phase, this takes the form of using threat modelling and other techniques to identify design vulnerabilities and the security controls that are necessary to reduce the risk of the system. During implementation, developers can use source code analysis tools to identify vulnerabilities as they are writing source code. Likewise, a software composition analysis tool can be used to manage the security and license compliance risks of the supply chain of open source components used in assembling the system. Traditional functional software testing must be augmented with fuzz testing and interactive application testing. Manual testing, such as that performed by security researchers, can be useful as another way to search for vulnerabilities, but automated tools should be used as much as possible first.
Security is a part of every phase of the SDLC. The resulting software products are safer, more secure, and more robust, which means they present lower risk for the builder and its customers. A proactive approach to software security results in lower risk and lower costs in the long run.”
Failure is Not an Option: Realize the Potential of Data Science From Swiss Re, AmFam, and Blue Cross and Blue Shield
With 90% of carriers actively investing in new data projects, project failure is not an option.
Artificial intelligence (AI) and machine learning (ML) have become mainstays in the insurance industry, equipping insurance companies with tools that can help them to become more efficient and profitable than ever before. But with the stakes so high, carrier executives are immobilized – the volume of cutting-edge data sources has exploded and the vast majority won’t implement a project if they’re not sure of its success.
On (date), Insurance Nexus will host a webinar with Vineet Bansal, SVP, Chief Technology Officer, Swiss Re; Mingju Sun, Director of Data Science Engineering, AmFam; and Michael Y. Xiao, Divisional VP Enterprise Data Science, Blue Cross and Blue Shield. This webinar will highlight the relationship between data science and successful project management, helping insurance companies to identify areas for growth and enhanced efficiency.
Sign up for this webinar to get actionable insight to develop strategy for your organization. You’ll learn how to:
- Unlock the power of data science to ensure long-term project success: Learn how to identify the key steps to success for data science projects in a world of regular failure. Build the right strategy and ensure data science projects result in successful production and implementation.
- Embed AI across the enterprise and beyond models to impact: Discover how to build an effective and agile data ecosystem to support AI and advanced analytics application across business objectives. Foster coalitions across the enterprise to ensure the success of AI.
- Deploy predictive analytics to gain a strategic advantage: Go beyond predictive analytics. Use more accurate models to optimize pricing in real-time, at the point of sale and achieve a competitive advantage.
- Apply emerging technology to the insurance industry: Identify current and future technological trends. See how new technology can help you achieve ROI and improve existing processes.
Don’t miss out on the ultimate opportunity to incorporate data science, artificial intelligence and machine learning into your everyday business capabilities — sign up for the webinar today. You’ll receive a free recording of the webinar, even if you can’t attend.
This webinar is being run in association with the upcoming Insurance AI and Innovative Tech USA Summit 2020, an event by Insurance Nexus, a Reuters Events Company. Expecting more than 500 attendees from across the North American insurance ecosystem, the Insurance AI and Innovative Tech USA Summit brings senior innovation and business unit executives to uncover the rewards of embedding technologies such as AI, IoT, blockchain and automation to create valuable, relevant insurance products and services and seamless experiences through the power of tech-enhanced operations. For more information, please visit the website or get in touch with a member of the Insurance Nexus team.
T: +44 (0) 207 422 4363
T: +1 800 814 3459 ext 4363
Twitter and Facebook accounts for 15 NFL teams hacked
Avast antivirus subsidiary sells highly sensitive web browsing data to many world leading companies - Comment
It has been reported that an antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. The Avast division charged with selling the data is Jumpshot, a company subsidiary that’s been offering access to user traffic from 100 million devices, including PCs and phones. In return, clients—from big brands to e-commerce providers—can learn what consumers are buying and where, whether it be from a Google or Amazon search, an ad from a news article, or a post on Instagram.
The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.
Commenting on this, Sam Curry, chief security officer at Cybereason, said “Antivirus companies who get into the practice of data brokering cease to be security companies, in my opinion, and should defend themselves with clear, transparent language and should remove conflicts of interest or they are spyware luring in customers with benefits that are misleading and frankly disgusting. I hope that Avast is proved innocent for the industry’s sake, but if it’s not, I reject them as a security company until they resolve this and make amends, transparently.”
UK cyber security legislation ‘crying out for reform’, new report finds
A new report released by the Criminal Law Reform Now Network (CLRNN) – a collaboration between academics, practitioners and other legal experts – finds the Computer Misuse Act 1990 (CMA) is “crying out for reform”.
The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.
But the CLRNN report, ‘Reforming the Computer Misuse Act’, details how the CMA is in fact compromising the UK’s cyber resilience by preventing cyber security professionals from carrying out threat intelligence research against cyber criminals and geo-political threat actors, leaving the UK’s critical national infrastructure at increased risk.
It also restricts journalists and academics from researching cyber threats in the public interest.
Barrister Simon McKay, a civil liberties and human rights law practitioner, member of CLRNN and project lead for the report, commented: “The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on. This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cybercrime.”
The report’s recommendations include:
- A range of measures to better tailor existing offences in line with the UK’s international obligations and other modern legal systems, including new corporate offences.
- New public interest defences to untie the hands of cyber threat intelligence professionals, academics and journalists to provide better protections against cyber-attacks and misuse, while ensuring consistency with overlapping offences within the Data Protection Act 2018.
- A set of new targeted guidance for prosecutors, including the prosecution of young defendants, and calls for greater transparency regarding the use of PREVENT programmes by police.
- The creation of new sentencing guidelines, with detail on their formation and function.
Dr John Child, Senior Lecturer in Criminal Law at the Birmingham Law School and co-director of CLRNN, says: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies who benefit from their activities, whilst permitting responsible cyber security experts to do their job without fear of prosecution.”
Ollie Whitehouse, Global CTO at NCC Group and spokesperson for the CyberUp campaign, commented on the release of the report: “This report shines a welcome light on the UK’s outdated cyber security crime laws, which leave the cyber industry tackling one of the biggest threats facing our national security within a regime drawn up 30 years ago – when less than 0.5% of the world’s population had access to the internet.
“The government needs to take urgent action by updating and upgrading the Computer Misuse Act so our nation’s cyber defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs.
“In today’s uncertain international climate, the ability of cyber criminals and geo-political threat actors to disrupt our technology systems will only continue to grow. We must seize the opportunity to develop 21st century to allow the industry to flourish and make the country safer and more secure.”
The report, Reforming the Computer Misuse Act 1990, is also available online.
Hackers Acting in Turkey’s Interests Believed to Be Behind Recent Cyber Attacks - Comment