Connect with us

Technology

Fraudsters use ‘fake emergency data requests’ to steal info • The Register

Voice Of EU

Published

on

In Brief Cybercriminals have used fake emergency data requests (EDRs) to steal sensitive customer data from service providers and social media firms. At least one report suggests Apple, and Facebook’s parent company Meta, were victims of this fraud.

Both Apple and Meta handed over users’ addresses, phone numbers, and IP addresses in mid-2021 after being duped by these emergency requests, according to Bloomberg.

EDRs, as the name suggests, are used by law enforcement agencies to obtain information from phone companies and technology service providers about particular customers, without needing a warrant or subpoena. But they are only to be used in very serious, life-or-death situations. 

As infosec journalist Brian Krebs first reported, some miscreants are using stolen police email accounts to send fake EDR requests to companies to obtain netizens’ info. There’s really no quick way for the service provider to know if the EDR request is legitimate, and once they receive an EDR they are under the gun to turn over the requested customer info. 

“In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person,” Krebs wrote.

Large internet and other service providers have entire departments that review these requests and do what they can to get the police emergency data requested as quickly as possible, Mark Rasch, a former prosecutor with the US Department of Justice, told Krebs. 

“But there’s no real mechanism defined by most internet service providers or tech companies to test the validity of a search warrant or subpoena” Rasch said. “And so as long as it looks right, they’ll comply.”

Days after Krebs and Bloomberg published the articles, Sen Ron Wyden (D-OR) told Krebs he would ask tech companies and federal agencies for more information about these schemes. 

“No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” Wyden said. “Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”

Hive ransomware reportedly hits healthcare group

The Hive ransomware gang claimed it stole 850,000 personally identifiable information (PII) records from the nonprofit health-care group Partnership HealthPlan of California.

Brett Callow, a threat analyst at anti-malware company Emsisoft, alerted Santa Rosa newspaper The Press Democrat that the ransomware gang posted what was said to be details about the intrusion on its Tor-hidden blog. Hive claimed it stole 400GB of data including patients’ names, social security numbers, addresses, and other sensitive information.

Partnership HealthPlan of California did not respond to The Register‘s inquiries about the alleged ransomware attack. But a notice on its website acknowledged “anomalous activity on certain computer systems within its network.”

The healthcare group said it had a team of third-party forensic specialists investigating the incident and was working to restore its systems. “Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines,” it added. 

Hive, which the FBI and security researchers started paying attention to in June 2021, is known for double-extortion ransomware attacks against healthcare organizations. Still, attacking a nonprofit is a “new low,” even for these cybercriminals, said IoT security firm Armis cyber risk officer Andy Norton. 

“It also raises some tough questions,” Norton wrote in an email to The Register. “I think we assume that charities and not for profits don’t have the big cyber budgets their commercial cousins have, and yet they hold the same sensitivity of data. What constitutes appropriate and proportionate security during times of heightened risk?”

Shutterfly admits employee data stolen

Shutterfly disclosed cybercriminals stole employees data during a December 2021 ransomware attack.

In documents filed with the California Attorney General’s office, the firm revealed that “an unauthorized third party gained access to our network” in a ransomware attack on or around December 3. The online photo company said it discovered the security breach on December 13.

While Shutterfly didn’t name the third-party in its filing, it was widely reported that the notorious Conti ransomware gang was behind the intrusion. Data stolen included employees’ names, salary information, family leave, and workers’ compensation claims, according to Shutterfly.  

The company said it “quickly took steps” to restore the systems, notified law enforcement, and brought in third-party cybersecurity experts to investigate the breach. It also offered employees two years of free credit monitoring from Equifax, and “strongly encouraged” them to take advantage of this offer.

It also noted that employees “may wish” to change account passwords and security questions.

Law enforcement’s ransomware response lacking

Law enforcement agencies face a barrage of difficulties responding to ransomware attacks, and chief among them is simply not being made aware of intrusions and infections by victims.

According to an analysis by threat intelligence firm Recorded Future of ransomware enforcement operations in 2020 and 2021, law enforcement agencies around the globe aren’t equipped to respond to ransomware outbreaks. In addition to simply not knowing about the attacks, they also lack the cybersecurity skills, technology, and data such as threat intel to respond. 

Recorded Future, citing several other surveys, says law enforcement doesn’t know about the vast majority of cyberattacks, and have to learn about them from the media.

In parts of the UK alone, just 1.7 percent of all fraud and cybercrime was reported to the authorities between September 2019 and September 2020, Recorded Future claimed, citing data from the UK Office for National Statistics from its crime survey for England and Wales. 

It also cited a Europol IOCTA report from 2020, which found ransomware remains an under-reported crime. While the Europol report doesn’t provide any numbers to illustrate how under-reported ransomware is, it noted “several law enforcement authorities mentioned identifying ransomware cases through (local) media and approaching victims to assist them by potentially starting a criminal investigation.”

Unless organizations do a better job reporting ransomware attacks, law enforcement can’t get an accurate picture of the threat landscape, Recorded Future noted. “Without reliable and valid data on the number and types of cyber attacks (that is, attack vectors), it is difficult for law enforcement agencies to accurately evaluate threats and react appropriately, resulting in threats not being given the resources or priority they deserve.”

While this analysis doesn’t provide any US-specific reporting stats, it’s worth noting that a newly signed federal law will require US critical infrastructure owners and operators to report a “substantial” cybersecurity incident to Uncle Sam’s Cybersecurity and Infrastructure Security Agency within 72 hours and within 24 hours of making a ransomware payment. 

Supporters of the new law, including CISA director Jen Easterly, have said it will give federal agencies and law enforcement better data and visibility to help it protect critical infrastructure.

Orgs aren’t ready for cyber reporting rules

Despite the US cybersecurity incident reporting law, along with a related US Securities and Exchange Commission proposal that would force public companies to disclose cyberattacks within four days, organizations really aren’t prepared for these new disclosure rules, according to Bitsight.

The cyber risk ratings firm published research this week that found, among other things, it takes the average organization 105 days to discover and disclose an incident from the date it occurred.

Additionally, it takes twice as long for organizations to disclose higher-severity incidents compared with lower severity incidents. This, on average, means it takes more than 70 days to disclose a moderate-, medium- or high-severity incident once it has been discovered, and 34 days for low-security events.

For this research, Bitsight analyzed more than 12,000 publicly disclosed cyber incidents globally between 2019 and 2022. This included type of incident, date of incident, date of discovery, and date of disclosure.

BitSight used its classification methodology (a 0 to 3 scale) to analyze the severity of the security incidents. Events received a higher-severity score due to a combination of more serious incidents, such as ransomware and human error, and higher record counts.

The security firm also segmented the disclosing organizations by employee count: extra large (more than 10,000 employees), large (1,000 to 10,000 employees), medium (500 to 1,000 employees) and small (less than 500 employees).

Perhaps unsurprisingly, the extra-large organizations are 30 percent faster at discovering and disclosing incidents than the rest. Still, it takes these companies an average of 39 days to discover and 41 days to disclose an incident, BitSight found, noting that this is still way longer than the timeframes proposed in the new rules. ®

Source link

Technology

NFT sales hit 12-month low after cryptocurrency crash | Non-fungible tokens (NFTs)

Voice Of EU

Published

on

Non-fungible tokens have been swept up in the cryptocurrency crash as sales reached a 12-month low in June.

NFTs confer ownership of a unique digital item – often a piece of virtual art – upon someone, even if that item can be easily copied. Ownership is recorded on a digital, decentralised ledger known as a blockchain.

Sales of NFTs totalled just over $1bn (£830m) in June, according to the crypto research firm Chainalysis, their worst performance since the same month last year when sales were $648m. Sales reached a peak of $12.6bn in January.

“This decline is definitely linked to the broader slowdown in crypto markets,” said Ethan McMahon, a Chainalysis economist.

“Times like this inevitably lead to consolidation within the affected markets, and for NFTs we will likely see a pullback in terms of the collections and types of NFTs that reach prominence.”

The cryptocurrency market, worth about $3tn last November, is now worth less than $1tn.

NFTs rely on a blockchain – the decentralised ledger first used by bitcoin to track ownership of the cryptocurrency – to record who owns them and allow them to be traded. Most are based on the Ethereum blockchain, which is maintained through a carbon-intensive system called proof of work.

NFT chart

At its peak, the NFT market was attracting vaulting sums including $2.9m for a token of the first tweet by Twitter’s cofounder Jack Dorsey. A digital collage by the visual artist Beeple sold for $69m; the main token for the “play to earn” video game Axie Infinity hit a total value of $9.75bn; and Coca-Cola raised more than $575,000 from selling digital items such as a customised jacket to be worn in the metaverse.

According to the Chainalysis data, NFT sales peaked in January. In April an attempt to sell on the Dorsey NFT was abandoned when bids topped out at $14,000.

However, demand for so-called blue chip NFT collections has held up, according to DappRadar, a firm that tracks NFTs and blockchain-based video games.

The price of the cheapest NFT in the Bored Ape Yacht Club has declined by only 1%, to $90,00o, over the last month, according to DappRadar’s head of research, Pedro Herrera. “Blue chip collections are performing vastly better than the vast majority of NFTs,” he said.

NFT sales reached $40bn last year and the 2022 total has already exceeded that, at more than $42bn, according to Chainalysis. Sales in January and February accounted for more than half of the 2022 total so far.

The cryptocurrency market has come under pressure amid volatility in the wider stock markets, amid fears over rising inflation and higher interest rates, which have dampened appetite for riskier assets including tech stocks and digital assets.

Faith in crypto assets has also been shaken by the collapse of Terra, a so-called stablecoin whose value was supposed to be pegged to the US dollar, and troubles at crypto-related financial institutions such as the Celsius Network, a lender that has paused withdrawals.

Source link

Continue Reading

Technology

We speak to Purism’ CEO about the Librem 5 USA smartphone • The Register

Voice Of EU

Published

on

Interview In June, Purism began shipping a privacy-focused smartphone called Librem 5 USA that runs on a version of Linux called PureOS rather than Android or iOS. As the name suggests, it’s made in America – all the electronics are assembled in its Carlsbad, California facility, using as many US-fabricated parts as possible.

While past privacy-focused phones, such as Silent Circle‘s Android-based Blackphone failed to win much market share, the political situation is different now than it was seven years ago.

Supply-chain provenance has become more important in recent years, thanks to concerns about the national security implications of foreign-made tech gear. The Librem 5 USA comes at a cost, starting at $1,999, though there are now US government agencies willing to pay that price for homegrown hardware they can trust – and evidently tech enthusiasts, too.

We first wrote about the Librem 5 smartphone in 2017, considering it a privacy-centric device with a Linux OS. The Librem 5 USA, as noted, tries to use American companies with US fabrication “whenever possible.” It has a 5.7-inch 720×1440 screen with 3GB of RAM, 32GB of storage, and a user-replaceable 4,500mAh battery.

The goal is to produce a phone that can be trusted from the hardware to the OS and apps, something that Apple and Google have become vocal about, too.

The Register spoke with Todd Weaver, founder and CEO of Purism, about how things are going.

Weaver said Purism is about two weeks away from actually holding stock and selling phones, which isn’t something the company, which began with crowdfunding, has previously had to do. In the past, people have pledged funds with orders, and it has later fulfilled them; now it’s building inventory in anticipation of sales.

“We’re actually transitioning to holding stock and pushing sales,” he explained. “We’ve never had to do that before. We’ve never had to do outbound sales.”

The phone, to start at the hardware level on up, all the way to the operating system, is our manufactured hardware

Previously, said Weaver, the company’s growth has been a result of inbound requests for its products based on the material it has published about its projects.

“The phone, to kind of start at the hardware level on up, all the way to the operating system, is our manufactured hardware,” said Weaver. “It runs on a CPU that is not normally in phones.”

That would be a quad-core Arm Cortex-A53 i.MX8M running at 1.5GHz. Weaver said Purism isolated the device’s baseband modem from Wi-Fi and Bluetooth “so that you can actually turn it off with a hardware kill switch. That basically becomes the ultimate in security.”

A key thing to realize here is that baseband modems are effectively small computers running in handsets and handle the cellular communications; if a modem is compromised or made to run rogue firmware, it can potentially take over the rest of the device, hence Purism’s desire to isolate it, if the user so wishes. In fact, it has three hardware kill switches: one to cut off Wi-Fi and Bluetooth, one for cellular, and one for the microphone and cameras. All three will cut off GPS, too.

The main printed circuit board assembly (PCBA) is made by Purism in the US, and its microprocessor, from Dutch semiconductor maker NXP, is also made stateside.

The chip, Weaver explained, “is normally in airplanes, in commercial-grade devices, and in cars. It’s a quad-core CPU. But the reason we had to do that was we wanted to properly isolate. So in every other phone that’s made, the baseband modem – the cellular modem – is attached to memory and CPU. Fundamentally the carriers have firmware access that’s lower than the operating system.”

To make the phone secure, Weaver said, to protect privacy and individual freedoms, Purism had to consider security at the hardware level and move up the stack.

“There are all sorts of ways that has to be solved,” he said. “We solve it from the hardware, software, applications, data, and even services.”

The point, said Weaver, is to be able to just take the device and have peace of mind and control over your own digital life.

“We started in 2014, initially just crowdfunding laptops,” said Weaver. “My goal was to produce phones. But I knew that I had to increment through because we had to show that we can manufacture devices. We can do hardware, software, and services. Our model is very similar to Apple in that regard – we produce hardware and we have an operating system that’s married to it, so that it works.

“And then we also include services that fully respect you. If you had an iPhone or an Android phone and a Purism phone like Librem 5 sitting all next to each other, the iPhone will leak probably about three gigabytes of data without doing anything. Android devices are worse. Ours will leak exactly zero bits – nothing is sent without your explicit interaction, to make a request for weather information or browsing the web.”

Research last year suggested Android and iOS beam back telemetry to base even when users opt out of these transmissions, and a complaint was raised in 2020 over what appeared to be Android’s mysterious wireless data transfers.

While working toward phone manufacturing with the release of the Librem laptop, mini PC, and servers, Weaver explained his company was refining PureOS, its Linux distribution. “It’s our operating system that doesn’t have any mystery code in it,” said Weaver. “It’s all the source code, from the bootloader on up.”

Librem 14

Purism’s quest against Intel’s Management Engine black box CPU now comes in 14 inches

READ MORE

Purism, said Weaver, has been working on modifying the PureOS Linux kernel to conserve energy when idle.

“A lot of the things Android initially did to Linux, we are doing to mainline Linux, so that we can actually have these things idle down better,” he said. “Basically, it’s a better way to do nothing.”

He also said the processor tends toward the toasty side. “We pushed really hard with NXP, modified a bunch of Linux kernel development, so that we could get that cooler. It’s just that CPU runs hot. The next iteration, we’ll be using probably I.MX9 … that’s still probably two years away.”

Weaver also said some thought is being given to the possibility of soldering the currently modular modem in place, which would allow for thinner devices and would please government agencies that see a removable component as a security issue.

Asked what sorts of things are possible with a Librem phone that Android and iOS devices don’t offer, Weaver cited the way tethering works. Mobile providers often charge extras for tethering, but with a Librem 5 phone data is just data. He also pointed to disk encryption with user-controlled keys and chat applications that can handle multiple protocols, such as SMS, MMS, XMPP, and Matrix.

For people who want an alternative to Android or iOS, Weaver said it’s an easy sale. “I almost have to back them off to say that, you know, not all your apps are going to run there,” he said. “It’s got calls, text messaging, browsing the web, a calculator, but not Snapchat.”

It’s got calls, text messaging, browsing the web, a calculator, but not Snapchat

Given the benefit Apple and Google get from their respective app stores, it’s not surprising that Purism is trying to deal with what Weaver calls “the App Gap” – the vast number of mobile apps not available on PureOS at the moment.

“Initially, we developed a lot of the core applications,” said Weaver. “We also wrote a library that allows for all the existing GNU/Linux-based applications to shrink down and run on our mobile phone. So by doing that, you don’t have to write a new application, it’s just include our library, and it will now work on the phone.”

That takes some effort, Weaver conceded, and Purism has produced documentation and helped Linux developers adapt their existing apps.

Purism is also enhancing its PureOS Store by partnering with a group that’s funding Interledger, an open payment network federation system.

“We’re actually going to be adding to PureOS Store, which is equivalent to Apple’s App Store or Google’s Play Store, where we allow for people to charge a subscription or charge for an app,” said Weaver. “And then we also have the ability to pay bounties even, for apps that are really needed that aren’t yet developed. So basically, the solution to fill the App Gap is cash.”

“You have to incentivize developers by ‘Hey, you can get paid,'” he elaborated. “The ecosystem grows and also actually puts money towards that effort. Our business model – by selling hardware with high enough margin, having services that are attached – allows us to basically reinvest to fill the App Gap.”

Privacy has always been a tough sell in the tech industry, at least in a mass market context. But over the past decade, the Snowden revelations about the extent of government information gathering, constant privacy scandals, the online ad industry’s unrepentant intrusiveness, pushback against Big Tech and surveillance capitalism, and the always sorry state of data security have buoyed interest in privacy. Add to that trade tensions with China and the supply chain nationalism that has followed, not to mention competition and privacy regulations emerging in the US, UK, and EU, and it looks like an opportunity.

“We’re not make-or-break off any one of those issues,” said Weaver, “but by fundamentally targeting civil liberties, individual freedoms, and privacy rights, then all of those things come out, and as they do, we see an influx of sales.”

“We have devices in every letter-agency in the US and some governments from outside the US,” said Weaver. “And those devices can vary from air gap laptops, to phones and even phone service.”

Weaver declined to discuss Purism’s financial situation in detail, but said the Librem 5 crowdfunding campaign raised $2 million.

“Since then, we’ve grown by triple digits year over year and even during COVID-19, we had a growth year,” he explained. “So overall, our sales have continued to increase. And we’ve grown mostly from revenue, but we’ve also taken on north of $12 million in investment.”

Weaver said the total available market is huge – billions of people have cell phones.

‘When you’re looking at somebody who cares about privacy rights, or they care about ‘I don’t like Big Tech,’ or ‘I don’t like the duopoly a mobile phone the space,’ or ‘I don’t like the intrusion,’ or I would like to advance civil liberties,’ every one of those areas is a potential customer,” said Weaver. “And those areas are immense. So we have not had a demand problem. We have had a supply problem, from parts to actual availability.

“We lost probably about two years on specific parts to actually manufacture this device in the US. China still has a shortage. We’ve never had that lack of interest. Once we get to the point of actually holding stock, then we’re going to be able to resume promoting.”

Soon, then. ®

Source link

Continue Reading

Technology

This start-up is offering stressed techies the chance to switch off at its cabins

Voice Of EU

Published

on

Slow Cabins is coming to Ireland and aiming to tap into the trend for low-impact, sustainable, digital-free tourism.

A hospitality rental company targeting techies who want to digitally detox is preparing to welcome its first guests in Ireland.

Founded in 2017, Slow Cabins seeks to offer people the opportunity to spend time away from their tech lives in relaxed, remote and eco-friendly surroundings.

It is currently taking bookings in Ireland and will open its first cabins here from 1 August. As well as Ireland, the start-up has operations in Belgium and the Netherlands.

All of its cabin locations are secret to purposely encourage guests to switch off and detox from their day-to-day stresses. Guests book their cabins without knowing the exact location, but all cabins are located within a two-and-a-half hour drive from major cities.

Within about two weeks of the trip, guests receive details with the exact location of their cabin. Even then, they may have to park their cars and hike to get to their accommodation.

The idea behind Slow Cabins comes from low-impact and sustainable tourism. Cabins are equipped with queen-sized beds, log burners, solar panels, dry toilets, fire pits, grills and large windows. Each cabin is powered naturally by sunlight and water.

“Recent European studies show that our resilience improves and stress levels decrease by up to 70pc after a stay in nature,” said Slow Cabins Ireland director Matthew Parkinson.

“Getting away from it all brings peace, energy and a sense of perspective. And that’s where Slow Cabins have an interesting role to play in a fast ‘always-on’ society. Profit is not our only goal, but rather a means to create more positive social and environmental impact,” he added.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Source link

Continue Reading

Trending

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates 
directly on your inbox.

You have Successfully Subscribed!