

Japanese worker loses city’s personal data in USB fail • The Register

Voice Of EU



In brief A Japanese contractor working in the city of Amagasaki, near Osaka, reportedly mislaid a USB drive containing personal data on the metropolis’s 460,000 residents.

Image caption: Amagasaki lock in Amagasaki’s Nishinomiya Ashiya port, a 17 m wide lock with four sector gates built to protect the low-lying Amagasaki area.

The unidentified man, who was a contractor with the city working to disburse pandemic subsidies, placed the drive containing all the records into his bag, which he took with him on a night out on the town earlier this week. 

It’s unknown how good a time the man had, but he reportedly ended up passing out in the street, according to a statement from the company that employed him, which Japanese news outlet NHK reported alongside an incident report from the Amagasaki city government. The company told NHK that, upon waking, the contractor found his bag was missing.

The incident report states that the memory stick contained names, birth dates, addresses, tax details, banking information, and social security records – all of it very private and potentially harmful if stolen.

Amagasaki officials said the data on the USB stick was encrypted, and offered apologies for harming the public’s trust in their administration.

All the worry came to naught, though. After searching the area with police, the bag and the USB stick were found. Amagasaki officials said there’s no evidence anyone attempted to access the information. 

CISA fields advisor recommendations, warns that Log4j is still around

The Cybersecurity and Infrastructure Security Agency (CISA) held its third Cybersecurity Advisory Committee meeting this week, where it made a laundry list of recommendations on its programs and policies.

After six months of deliberation, here’s a quick rundown of the recommendations made by advisors from Mastercard, Apple, the University of Washington, and other organizations, who met in six subcommittees:

  • CISA needs to prioritize developing a strong workforce by improving its talent acquisition process to compete with the private sector
  • Create a new chief people officer at CISA
  • CISA should launch a nationwide “311” program to provide an emergency call line for SMBs hit by cyber attacks
  • CISA needs to expand its “More Than a Password” MFA campaign by reaching out to NGOs, other government agencies, and private sector partners
  • CISA should take all necessary steps to ensure all companies working with the US Federal Government have fully adopted MFA by 2025
  • Streamline the incident reporting and vulnerability reporting processes
  • Establish a central platform to handle intake of suspected vulnerabilities
  • Improve communication between security researchers, agencies and vendors
  • Address the risks of misinformation, disinformation, and malinformation in American society

Of the recommendations, two were mentioned by more than one subcommittee: expanding the More Than a Password campaign, and establishing the SMB 311 line.

CISA director Jen Easterly said that the next meeting would focus on strategies to develop a national alert system for cyber risks. 

CISA also released a cybersecurity alert this week warning that Log4Shell is still around and actively being exploited. Together with the US Coast Guard Cyber Command, CISA released an advisory stating that hackers and state-sponsored APT groups are still exploiting Log4Shell on devices that haven’t been patched. 

CISA said the info it reported was derived from two related incidents. It wasn’t immediately clear how the Coast Guard was involved.

Chrome add-ons can be used to fingerprint browsers

Modern privacy software has defeated many of the methods used for browser fingerprinting, but it will have a hard time with this problem in Chrome, which appears to be inherent to the way the browser handles extensions.

Browser fingerprinting involves gathering information left behind by sessions that identify the browser, or the person behind it, well enough to serve ads and tailor online experiences. In the case of Chrome extensions, says a security researcher going by z0ccc on GitHub, the combination in any given browser can easily ID users. 

Chrome stores a list of its extensions in a web-accessible resource file that any web page can view. z0ccc was able to build a demo website that scans for over 1,000 Chrome browser extensions and returns a percentage-based chance that another user was using the exact same extensions. 

In the researcher’s own case, only 0.003 percent of Chrome users have the same set of add-ons installed, meaning the extension fingerprint would quite likely single out a visitor from a pool of others.

For those concerned that there’s no place safe from browser fingerprinting online, z0ccc said that Firefox uses unique extension IDs for every browser instance, and thus can’t be fingerprinted the same way. Microsoft Edge is vulnerable, however.
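To put the 0.003 percent figure in defender’s terms, the following is an added example, not code from the article or from z0ccc’s demo site. It measures how identifying a given set of installed extensions is against a population of observed extension sets: the anonymity-set size, the share of the population with the same set, and the bits of identifying information that set carries. The population and the extension IDs are constructed placeholders, not real Chrome extension IDs.

```javascript
// Added example (not from the article or z0ccc's demo): measure how identifying
// an extension set is within a population of observed sets. IDs are placeholders.

// Order-independent key for a set of extension IDs, so ['a','b'] and ['b','a']
// count as the same fingerprint.
function fingerprintKey(extensionIds) {
  return [...new Set(extensionIds)].sort().join('|');
}

// Histogram: fingerprint key -> number of visitors with exactly that set.
function buildHistogram(population) {
  const counts = new Map();
  for (const ids of population) {
    const key = fingerprintKey(ids);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Surprisal in bits for a fingerprint seen with probability p: -log2(p).
// Each bit halves the anonymity set; log2(population) bits single out one visitor.
function surprisalBits(p) {
  return p > 0 ? -Math.log2(p) : Infinity;
}

// How identifying is one visitor's extension set within the population?
function identifiability(extensionIds, population) {
  const counts = buildHistogram(population);
  const matches = counts.get(fingerprintKey(extensionIds)) || 0;
  const share = matches / population.length;
  return {
    anonymitySet: matches,        // visitors who share this exact set
    sharePercent: share * 100,    // the statistic the article quotes (0.003 %)
    bits: surprisalBits(share),   // identifying information carried by the set
  };
}

// Constructed population of ten visitors' extension sets (placeholder IDs).
const SAMPLE_POPULATION = [
  ['ext-adblock'], ['ext-adblock'], ['ext-adblock'], ['ext-adblock'],
  ['ext-adblock', 'ext-pwmgr'], ['ext-pwmgr', 'ext-adblock'],
  ['ext-pwmgr'],
  [],
  ['ext-adblock', 'ext-pwmgr', 'ext-darkmode'],
  ['ext-darkmode'],
];

// A common set shared by 4 of 10 visitors carries about 1.3 bits; the
// three-extension set is unique here and carries log2(10), about 3.3 bits.
const common = identifiability(['ext-adblock'], SAMPLE_POPULATION);
const unique = identifiability(['ext-darkmode', 'ext-adblock', 'ext-pwmgr'], SAMPLE_POPULATION);
console.log(common, unique);
```

Applied to the article’s figure, a set shared by 0.003 percent of users has a surprisal of about 15 bits (`surprisalBits(0.00003)`), which is why an extension list alone gets close to singling out a visitor even before other fingerprinting signals are combined with it.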

Smart Jacuzzi not so smart with user data

A security researcher trying to set up their Jacuzzi SmartTub discovered an easily exploited flaw that gave them access to personal info of hot tub owners from around the world.

SmartTub, like other IoT products, lets users control their appliance from outside the home using an app. The bug in Jacuzzi’s SmartTub system comes from its web portal, which uses a white-labeled Auth0 login page.

“I entered my details, thinking this was a website alternative to the mobile app. I was greeted with an Unauthorized screen. Right before that message appeared, I saw a header and table briefly flash on my screen… I was surprised to discover it was an admin panel populated with user data,” said the researcher, who goes by Eaton Works.

All it took for Eaton to break into the admin panel was using the web debugging tool Fiddler to intercept and modify an HTTP response to give himself admin access. “Once into the admin panel, the amount of data I was allowed to was staggering,” Eaton exclaimed.

Details on each tub, owner name and email address, dealer location, and more were available to view on customers from around the world. Eaton said it also appeared he could edit any data he wanted to, though he didn’t confirm if changes would be saved.

Jacuzzi wasn’t very willing to talk to Eaton about his findings either. “Dialog was not established until Auth0 stepped in. Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues,” Eaton reported. 

Eaton added that the admin panel has been taken offline, and can’t be accessed via the web anymore. Eaton also has other security concerns with Jacuzzi not addressed in their report, and is open to speaking to the hot tub maker to help.

Mitel VoIP zero-day found exploited in the wild

CrowdStrike security researchers have discovered a flaw in Mitel VoIP appliances being actively exploited to launch ransomware attacks. 

The novel exploit was found by CrowdStrike when investigating a failed ransomware attack on a customer. “All of the identified malicious activity had originated from an internal IP address” discovered to be “a Linux-based Mitel VoIP appliance sitting on the network perimeter,” CrowdStrike said.

All the attacker needed to gain access to the VoIP appliances was to send a pair of GET requests: one to mask traffic to a malicious address, and a second to inject a command that pointed the GET request to attacker-controlled infrastructure.

CrowdStrike said the attack was stopped before ransomware could be deployed, and said Mitel has released a patch that addresses the problem. Of the exploit itself, CrowdStrike said that edge appliances like Mitel VoIP devices have extremely limited security or endpoint detection options available, making timely patching a must.

Additionally, CrowdStrike emphasized security best practices, like isolating critical assets from perimeter devices, segmenting the network, maintaining an up-to-date asset inventory, keeping a short leash on service accounts, and requiring MFA, especially for access to critical assets. ®



Meditation app Calm sacks one-fifth of staff | Meditation




The US-based meditation app Calm has laid off 20% of its workforce, becoming the latest US tech startup to announce job cuts.

The firm’s boss, David Ko, said the company, which has now axed about 90 people from its 400-person staff, was “not immune” to the economic climate. “In building out our strategic and financial plan, we revisited the investment thesis behind every project and it became clear that we need to make changes,” he said in a memo to staff.

“I can assure you that this was not an easy decision, but it is especially difficult for a company like ours whose mission is focused on workplace mental health and wellness.”

The Calm app, founded in 2012, offers guided meditation and bedtime stories for people of all ages. It received a surge of downloads triggered by the 2020 Covid lockdowns. By the end of that year, the software company said the app had been downloaded more than 100 million times globally and had amassed over 4 million paying subscribers.

Investors valued the firm, which said it had been profitable since 2016, at $2bn.

In the memo, Ko went on: “We did not come to this decision lightly, but are confident that these changes will help us prioritize the future, focus on growth and become a more efficient organization.”

More than 500 startups have laid off staff this year, according to, a website that tracks such announcements.



Let there be ambient light sensing, without data theft • The Register




Six years after web security and privacy concerns surfaced about ambient light sensors in mobile phones and notebooks, browser boffins have finally implemented defenses.

The W3C, everyone’s favorite web standards body, began formulating an Ambient Light Events API specification back in 2012 to define how web browsers should handle data and events from ambient light sensors (ALS). Section 4 of the draft spec, “Security and privacy considerations,” was blank. It was a more carefree time.

Come 2015, the spec evolved to include acknowledgement of the possibility that ALS might allow data correlation and device fingerprinting, to the detriment of people’s privacy. And it suggested that browser makers might consider event rate limiting as a potential mitigation.

By 2016, it became clear that allowing web code to interact with device light sensors entailed privacy and security risks beyond fingerprinting. Dr Lukasz Olejnik, an independent privacy researcher and consultant, explored the possibilities in a 2016 blog post.

Olejnik cited a number of ways in which ambient light sensor readings might be abused, including data leakage, profiling, behavioral analysis, and various forms of cross-device communication.

He described a few proof-of-concept attacks, devised with the help of security researcher Artur Janc, in a 2017 post and delved into more detail in a 2020 paper [PDF].

“The attack we devised was a side-channel leak, conceptually very simple, taking advantage of the optical properties of human skin and its reflective properties,” Olejnik explained in his paper.

“Skin reflectance only accounts for 4-7 percent of emitted light, but modern display screens emit light with significant luminance. We exploited these facts of nature to craft an attack that reasoned about the website content via information encoded in the light level and conveyed via the user skin, back to the browsing context tracking the light sensor readings.”

It was this technique that enabled the proof-of-concept attacks like stealing web history through inferences made from CSS changes and stealing cross origin resources, such as images or the contents of iframes.

Snail-like speed

Browser vendors responded in various ways. In May 2018, with the release of Firefox 60, Mozilla moved access to the W3C proximity and ambient light APIs behind flags, and applied further limitations in subsequent Firefox releases.

Apple simply declined to implement the API in WebKit, along with a number of other capabilities. Both Apple and Mozilla currently oppose a proposal for a generic sensor API.

Google took what Olejnik described in his paper as a “more nuanced” approach, limiting the precision of sensor data.

But those working on the W3C specification and on the browsers implementing the spec recognized that such privacy protections should be formalized, to increase the likelihood the API will be widely adopted and used.

So they voted to make the imprecision of ALS data normative (standard for browsers) and to require the camera access permission as part of the ALS spec.

Those changes finally landed in the ALS spec this week. As a result, Google and perhaps other browser makers may choose to make the ALS API available by default rather than hiding it behind a flag or ignoring it entirely. ®
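The two mitigations the article names, reduced precision and a cap on the event rate, are easy to reason about with a small simulation. The following is an added example and is not code from the W3C spec, Chromium, Firefox or WebKit: it applies both mitigations to a stream of raw illuminance samples and shows why the small skin-reflected modulation the side channel depends on disappears while a genuine change in room lighting still comes through. The 50-lux step and 200 ms minimum interval are assumed illustrative values, not any browser’s actual settings.

```javascript
// Added example, not from the W3C ALS spec or any browser: coarsened readings
// plus a rate cap applied to raw sensor samples. Step and interval are assumed.

// Round a raw reading to the nearest multiple of stepLux.
function coarsen(lux, stepLux) {
  return Math.round(lux / stepLux) * stepLux;
}

// Turn raw samples [{ t: ms, lux }] into the events a page would receive: a
// reading fires only if at least minIntervalMs have passed since the last event
// and the coarsened value actually changed.
function mitigatedEvents(samples, { stepLux = 50, minIntervalMs = 200 } = {}) {
  const events = [];
  let lastEventT = -Infinity;
  let lastLux = null;
  for (const { t, lux } of samples) {
    if (t - lastEventT < minIntervalMs) continue;   // rate cap
    const coarse = coarsen(lux, stepLux);
    if (coarse === lastLux) continue;               // no observable change
    events.push({ t, lux: coarse });
    lastEventT = t;
    lastLux = coarse;
  }
  return events;
}

// Constructed raw stream: a page toggling a bright region every 25 ms at a level
// around 100 lux, the reflection off skin adding about 4 lux in the bright phase
// (the article quotes 4-7 percent skin reflectance). The odd frames are the
// bright phase, so each frame encodes one bit of page state.
function modulatedStream(frames, baseLux = 100, deltaLux = 4, periodMs = 25) {
  const samples = [];
  for (let i = 0; i < frames; i++) {
    samples.push({ t: i * periodMs, lux: baseLux + (i % 2 ? deltaLux : 0) });
  }
  return samples;
}

// With full precision and no rate cap, thresholding the raw readings recovers
// the modulation bit for bit.
function rawBits(samples, thresholdLux) {
  return samples.map((s) => (s.lux > thresholdLux ? 1 : 0));
}

// A genuine environmental change appended after the modulated burst: the room
// lights go up to roughly 380 lux at t = 1000 ms.
const RAW = [...modulatedStream(20), { t: 1000, lux: 380 }, { t: 1025, lux: 384 }];

// Raw: 20 alternating bits. Mitigated: one event for the initial 100 lux level
// and one for the jump to 400 lux; the 4-lux modulation never surfaces.
console.log(rawBits(modulatedStream(20), 102).join(''));
console.log(mitigatedEvents(RAW));
```

Either mitigation alone is weaker than both together: the rate cap limits how many bits per second could leak, while the coarse step removes the low-amplitude signal entirely, which is why the spec’s change makes the imprecision normative rather than leaving it to each vendor.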



4 supports that can help employees outside of work




Everyone has different situations to deal with outside of the workplace. But that doesn’t mean the workplace can’t be a source of support.

Employers and governments alike are often striving to make workplaces better for everyone, whether it’s workplace wellbeing programmes or gender pay gap reporting.

However, life is about more than just the hours that are spent in work, and how an employer supports those other life challenges can be a major help.

Family-friendly benefits

Several companies have been launching new benefits and policies that help families and those trying to have children.

Job site Indeed announced a new ‘family forming’ benefit package earlier this year, which is designed to provide employees with family planning and fertility-related assistance.

The programme includes access to virtual care and a network of providers who can guide employees through their family-forming journey.

Vodafone Ireland introduced a new fertility and pregnancy policy in February 2022 that includes extended leave for pregnancy loss, fertility treatment and surrogacy.

And as of the beginning of 2022, Pinterest employees around the world started receiving a host of new parental benefits, including a minimum of 20 weeks’ parental leave, monetary assistance of up to $10,000 or local equivalent for adoptive parents, and four weeks of paid leave to employees who experience a loss through miscarriage at any point in a pregnancy.

Helping those experiencing domestic abuse

There are also ways to support employees going through a difficult time. Bank of Ireland introduced a domestic abuse leave policy earlier this year, which provides a range of supports to colleagues who may be experiencing domestic abuse.

Under the policy, the bank will provide both financial and non-financial support to colleagues, such as paid leave and flexibility with the work environment or schedule.

In emergency situations where an employee needs to immediately leave an abusive partner, the bank will help through paid emergency hotel accommodation or a salary advance.

In partnership with Women’s Aid, the company is also rolling out training to colleagues to help recognise the symptoms of abuse and provide guidance on how to take appropriate action.

Commenting on the policy, Women’s Aid CEO Sarah Benson said employers who implement policies and procedures for employees subjected to domestic abuse can help reduce the risk of survivors giving up work and increase “feelings of solidarity and support at a time when they may feel completely isolated and alone”.

A menopause policy

In 2021, Vodafone created a policy to support workers after a survey it commissioned revealed that nearly two-thirds of women who experienced menopause symptoms said it impacted them at work. A third of those who had symptoms also said they hid this at work. Half of those surveyed felt there is a stigma around talking about menopause, which is something Vodafone is seeking to combat through education for all staff.

Speaking to last year, Vodafone Ireland CEO Anne O’Leary said the company would roll out a training and awareness programme to all employees globally, including a toolkit to improve their understanding of menopause and provide guidance on how to support employees, colleagues and family members.

In Ireland, Vodafone employees are able to avail of leave for sickness and medical treatment, flexible working hours and additional care through the company’s employee assistance programme when going through the menopause.

Support hub for migrants

There are also initiatives to help people get their foot on the employment ladder.

Earlier this year, Tánaiste Leo Varadkar, TD launched a new service with education and employment supports for refugees, asylum-seekers and migrants.

The Pathways to Progress platform is part of the Open Doors Initiative supporting marginalised groups to access further education, employment and entrepreneurship in Ireland.

As part of the initiative, member company Siro offered a paid 12-week internship programme for six people who are refugees. The internships include job preparation, interview skills and access to the company’s online learning portals.

Open Doors Initiative CEO Jeanne McDonagh said the chance to land a meaningful job or establish a new business is key to people’s integration into Ireland, no matter what route they took to get here.

“Some are refugees, some are living in direct provision, some will have their status newly regularised, and others will come directly for work,” she said. “Our new service aims to support all migrants in finding a decent job as they prepare to enter the Irish workforce, and to support employers as they seek to build an inclusive culture in their workplaces.”


