Slap on wrist for NCC Group over CREST exam-cheating scandal as infosec org agrees to rewrite NDAs and more • The Register

Voice Of EU



British infosec firm NCC Group has been rapped over the knuckles after infosec accreditation body CREST found it was “vicariously responsible” for employees who helped staff cheat certification exams.

In a lengthy statement published yesterday, CREST said last summer’s exam-cheating scandal boiled down to just two incidents carried out between the years 2012 and 2014.

“On two occasions between 2012 and 2014, the examination-related activities of one or more NCC Group employees and candidates breached the CREST Code of Conduct and NCC Group was, as their employer, vicariously responsible for those individuals at the time,” said CREST [PDF, 19 pages].

The certification body added that NCC Group’s actions also breached its non-disclosure agreements, signed by exam candidates to confirm they won’t reveal the exams’ contents to anyone.

Last summer someone dumped a cache of files onto GitHub and Dropbox. Those files were exam walkthroughs, cheatsheets and reams of material that would be helpful to anyone sitting CREST’s CCT-INF (CREST certified tester – infrastructure), CCT-APP (applications) and CRT (pentesting) exams.

The investigation concluded in December 2020 and while CREST said it would not publish its full report into the scandal, this week’s statement is as near as the public is likely to get to the full facts.

Many people contacted The Register to say they thought this organised cheating was one of the worst-kept secrets in the British infosec industry. So why didn’t CREST tear into the NCC Group?

A retired copper, former detective superintendent Adrian Lennox-Lamb, was appointed to run the investigation into the scandal. CREST’s executive chairman, Mark Turner of NCC Group, recused himself “for the duration of the investigation” (which concluded in December 2020) while other company reps “also withdrew from other CREST activities.”

CREST rapidly identified a key problem:

The organisation’s internal complaint processes were set up so CREST would investigate complaints from third parties against third parties, not situations where the org itself would be involved. Meanwhile, the investigation ran into a bigger problem: although Lennox-Lamb set up a Gmail inbox for people to contact him, only five did.

“Of these, one was interviewed and gave a statement,” said CREST. “The other four either gave information that was assessed as not being directly relevant to the investigation or they failed to respond to the investigator’s follow-up emails.”

What did NCC fall foul of?

CREST had some of its exam assessors look at the NCC Group material leaked online. Of the hundreds of files in the cache (a list of filenames can be found on Pastebin), they identified 25 which they said were “considered problematic and deemed to contain content relating to CREST examinations.”

We asked CREST about those 25 files and were told they were “a mix of notes, some characterised as ‘brain dumps’ put together post-examination; candidates’ revision notes; training material based around content, including syllabuses, that was publicly available from CREST; and generic information relating to penetration testing.”

An NCC-branded item from the cheat sheet repo, shown to us by a source who examined the cache

Multiple sources from across the British infosec world (and beyond) told The Register they recognised the full cache as being information that would be very handy for anyone about to sit CREST exams.

Six of the files were on NCC headed paper while another one was an email between NCC Group staff. The authors of those files were interviewed by Lennox-Lamb, and views were mixed; some said they “contained no actual exam content” while others gave the game away.

And the outcome

NCC Group got away lightly with a finding that it was “vicariously liable” for the actions of just two employees, who were unnamed in CREST’s statement. CREST said there was no evidence that NCC exam candidates’ pass rates were higher than those of its competitors, also pointing out that NCC has never been the top firm for passes as a percentage of candidates entered; though the company is many times bigger than most of the UK infosec sector and enters many more candidates as a result.

The pentesting firm issued a public statement yesterday describing the exam-cheating as “historical”, adding: “There is no evidence that NCC Group knew about, condoned, or otherwise sanctioned such activity.”

Just for good measure, the company added that it “fully accepts the requirements in the CREST statement.” It refused to answer questions from The Register beyond its prepared statement.

The requirements in CREST’s statement oblige NCC to put processes in place to prevent something like this from happening again, together with “a means of monitoring the application of such processes” and evidence to be submitted to CREST. In addition, the company will cover half of CREST’s investigation costs and pay for an assessor to go through its current training material “to ensure that no CREST-related and implied content is included.”

NCC exam assessors will “remain suspended from CREST activities” until those things are done.

Part of the delay in publishing the CREST report was to allow feedback from NCC Group. That seems to have been successful from NCC’s point of view; CREST accepted that its NDAs created “a level of confusion” over “what is unacceptable” for companies and exam candidates alike to do when preparing for CREST exams, and the documents will be rewritten accordingly.

CREST’s member declaration will also be rewritten to explicitly state that members will abide by CREST NDAs, its code of ethics, code of conduct, and the complaints handling process.

A UK infosec bod who asked for anonymity in case of reprisals told El Reg that he was happy the CREST statement was published, saying that no matter what CREST found he couldn’t imagine it would ever eject NCC, one of its biggest backers, from membership.

Many others have expressed anger to El Reg over the scandal, believing it devalued their qualifications and was likely to call into question the integrity of the entire industry. All also expressed fears about going public.

An NCSC spokesperson told us: “NCSC has conducted an investigation into these allegations, led by an independent person. This has identified some areas for improvement in CREST’s processes and we will work with them to ensure the recommendations are implemented.

“CREST and NCC co-operated fully with the NCSC investigation, and CREST’s own investigation drew similar conclusions to the NCSC one.

“We do not believe that the sharing of this information would have conferred advantage on anyone who was significantly below the standard expected and nor do we believe that this incident is likely to lead directly to vulnerable systems.” ®


Australians’ 2021 Google searches: Covid comes out on top with sport our favoured non-pandemic distraction | Google




The Covid-19 pandemic once again dominated internet searches in Australia this year, as lockdowns gripped the two largest states, and people sought vaccines.

Google has compiled data on the most popular search terms from the previous 12 months, which showed Covid’s dominance in Australia was challenged by people looking for an escape in sports. The NBA, AFL, cricket, NRL, football, Wimbledon and the Olympics took out the top spots for most searched sport in Australia in 2021.

The Covid situation in New South Wales dominated news-related searches, with the Delta outbreak forcing the state into the longest continuous lockdown of 2021. Victorians, having endured the most days in lockdown since the pandemic started, did not appear to seek out information about the Covid situation in their own state nearly as much, with “coronavirus Victoria” coming in fifth in news-related searches, even behind Queensland at number three.

For the second year in a row, people Googled “how to make face masks” more than any other DIY-related search. As residents in NSW, Victoria and the ACT endured extended lockdowns, at-home activities like making your own candles, playdough, paper planes, and chatterboxes soared.

As Australia’s vaccination “strollout” gathered pace in the second half of 2021, people searched how to get their vaccination certificates, how to book their Covid vaccination, how to link their Medicare to myGov, and how to enter the Million Dollar Vax campaign.


The shocking disappearance of West Australian four-year-old Cleo Smith and the dramatic rescue over two weeks later was the second biggest news event searched on Google by Australians. The ongoing search for missing toddler William Tyrrell came in sixth.

The former federal attorney general Christian Porter’s name dominated Google search trends in the days leading up to a press conference where he outed himself as the unnamed minister in an ABC report about an alleged historical rape. He vehemently denies the allegations. In his now-settled defamation suit against the ABC, lawyers for Porter argued that after the report, searches of his name “increased significantly and much more so than any other senior male cabinet members”.

The former minister, who announced last week he would not recontest his WA seat of Pearce at the 2022 federal election, appears eighth in the 2021 list of news-related searches.

Porter was the fourth most-searched person overall in Australia, behind Cleo Smith, Ash Barty, and William Tyrrell. The new NSW premier, Dominic Perrottet, came in sixth.

Bringing up the rear of news searches was the moment that shook Melbourne – literally – the 5.9 magnitude earthquake that hit Victoria in September.

Interest in all things cryptocurrency was also reflected in Australian searches with cryptocurrency exchange Coinspot the ninth most searched term, and people searched how to buy Dogecoin.

Prince Philip was the most searched among those who died in 2021, followed by US woman Gabby Petito, and Australian entertainment giant Bert Newton.

Thanks to Jaden Smith and Britney Spears, people were searching for the meaning of the word “emancipated” more than any other word in 2021, followed by “insurrection” after the events at the US Capitol on 6 January, then it was “gaslighting”, Naidoc and NFT.

Despite emerging late in the year, Omicron came in sixth as people looked up the meaning of the latest Covid-19 variant of concern.



Shocking testimony on Afghanistan • The Register




Diplomats and soldiers were left grappling with appallingly inadequate IT and secure communications support as thousands of Afghans struggled to get help from the UK during the fall of the capital Kabul in August.

A massive shortfall in PC availability, lack of login for secure IT systems, disjointed IT systems and a desperate attempt to fall back onto printed paper methods all contributed to chaotic scenes at the newly merged Foreign, Commonwealth, and Development Office (FCDO), according to written testimony put before Parliament today.

“On the evening of Saturday 21 August, the soldiers were issued one FCDO computer for every two soldiers. These did not work because FCDO IT had not issued the passwords to unlock them. These computers were finally unlocked on the afternoon of Sunday 22 August. Until this, the soldiers worked with one computer shared between roughly eight people,” said former desk officer Raphael Marshall in his evidence [PDF] to the House of Commons Foreign Affairs Select Committee’s Inquiry on Government Policy on Afghanistan.

“This obviously considerably reduced their efficiency and speed. I printed out A3 spreadsheets for the soldiers but this was no substitute for a computer. The soldiers clearly needed computers to email travel documents to Afghans selected for evacuation,” he said.

Rather than a simple loss of efficiency or increase in costs, these computer problems may have led to loss of life. Between 75,000 and 150,000 people applied for evacuation under the UK government scheme.

“The vast majority of these applicants feared their lives were at risk as a result of their connection to the UK and the West and were therefore eligible for evacuation,” Marshall said.

“I estimate fewer than 5 per cent of these people have received any assistance. It is clear that some of those left behind have since been murdered by the Taliban,” he said.

The failure to issue soldiers with sufficient computers for more than 12 hours delayed dispatching travel documents and would therefore have reduced the chance of selected Afghans being evacuated, and consequently may have directly resulted in the deaths of people unnecessarily left behind, his testimony read.

Chaotic technology support also extended to the phone system, Marshall said. Soldiers calling up Afghan nationals for evacuation were issued a paper list of logins for the department’s non-secure phone system. But the phone system was not suitable for classified information and did not work without logins.

“On the night of Monday 23 August, the soldiers lost this paper list in the handover between shifts. This would have prevented them from calling any Afghan nationals to the airport. My colleagues and I obtained phone logins for them from my Fast Stream WhatsApp group, the British Embassies in Beijing and Tokyo (who were online), and other sources,” Marshall said.

When the former desk officer tried to get around the phone login problem by contacting the British Embassy in Washington, staff there found the situation in the UK so implausible that they assumed an email to FCDO Security was a Russian phishing attempt.

Marshall was told to apologise for breaking security rules and that the correct course of action was to request new logins from the relevant IT team the next morning. “This would have wasted around 12 hours at a crucial moment to protect the integrity of an unsecure phone system,” he said.

Meanwhile a lack of integration between the IT system of the newly merged departments also contributed to difficulties, Marshall said.

“A group of around six FCDO staff formerly in DFID volunteered to assist. It was hard to integrate them effectively because we could not share live documents or give them access to the inbox because the DFID and FCO IT systems are not yet integrated. They were visibly appalled by our chaotic system,” he said.

The merger of the Department for International Development and the Foreign Office was announced in June 2020, a full year before the Afghan crisis. In July 2020, Deloitte picked up a £3m contract to define the “operating model, organisation design and toolset strategy” for the merged departments.

Users also lacked basic computer training for the task in hand, which contributed to the failures, Marshall said.

He testified: “I was impressed by the soldiers’ professionalism. However, I believe that some of them were likely using Microsoft Excel or Microsoft Outlook for the first time in a professional context. I understand that some administrative mistakes reflected this lack of experience, including sending 91 travel documents from the wrong email accounts which meant that we did not have a full record of them. Again, this was not the soldiers’ fault,” he said.

The FCDO told us: “UK government staff worked tirelessly to evacuate more than 15,000 people from Afghanistan within a fortnight. This was the biggest mission of its kind in generations and the second largest evacuation carried out by any country. We are still working to help others leave.

“More than 1000 FCDO staff worked to help British nationals and eligible Afghans leave during Op Pitting. The scale of the evacuation and the challenging circumstances meant decisions on prioritisation had to be made quickly to ensure we could help as many people as possible.

“Regrettably we were not able to evacuate all those we wanted to, but our commitment to them is enduring, and since the end of the operation we have helped more than 3000 individuals leave Afghanistan.” ®



Instagram launches new tools to make teens safe on platform




This comes after 250 academics signed an open letter to Zuckerberg expressing concerns around Instagram’s impact on teens.

Amid growing concern around the impact of Instagram on teens, the Meta-owned company has developed new tools and features to make young people safer on the platform, including updated privacy rules, tools for parents and a “Take a Break” feature.

Head of Instagram Adam Mosseri introduced the new features in a blog post and said that the company will be taking a stricter approach to what is recommended to teens on the app and will stop people from tagging or mentioning teens who don’t follow them.

Nudges to steer teens’ attention away from something they’ve been dwelling on for a long time will also be introduced, while a “Take a Break” feature to help them manage their time on the app has already been launched today in several countries, including Ireland.

“It’s important to me that people feel good about the time they spend on Instagram, so today we’re launching ‘Take A Break’ to empower people to make informed decisions about how they’re spending their time,” wrote Mosseri in a blog post.

“If someone has been scrolling for a certain amount of time, we’ll ask them to take a break from Instagram and suggest that they set reminders to take more breaks in the future. We’ll also show them expert-backed tips to help them reflect and reset.”

This comes after more than 250 international academics signed an open letter to Meta CEO Mark Zuckerberg expressing concern that the company’s internal research on potential harms caused by its platforms to adolescents is poorly designed and too secretive.

The group urged the Facebook-owner to take three concrete steps to support the mental health of young people: greater transparency on internal research, contribution to global independent research and establishing an independent oversight trust on Meta platforms.

“We have been following news reports about research within your companies on the mental health of child and adolescent users of Facebook, Instagram, and WhatsApp. Unfortunately, that research is happening behind closed doors and without independent oversight,” the letter read.

They argued that Instagram’s internal research does not “meet the high scientific standards required” and urged the company to accept independent oversight. “Sound science must come before firm conclusions are drawn or new tools are launched,” it went on.

While Mosseri did not address any of the concerns raised directly, he said in the blog post that Instagram has a positive impact on young people and that the company will “continue doing research, consulting with experts, and testing new concepts to better serve teens”.

Apart from the host of new features, including monitoring tools for parents launching in March and an “educational hub” later, Mosseri said that Instagram is continuing to develop ways to verify people’s ages on Instagram.

In September, Facebook succumbed to a wave of criticism and suspended the development of Instagram Kids, a version of the app for 10 to 12-year-olds. In the following month, whistleblower Frances Haugen exposed the company as having been aware of Instagram’s negative impacts while doing nothing about them.
