Slap on wrist for NCC Group over CREST exam-cheating scandal as infosec org agrees to rewrite NDAs and more • The Register

Voice Of EU



British infosec firm NCC Group has been rapped over the knuckles after infosec accreditation body CREST found it was “vicariously responsible” for employees who helped staff cheat certification exams.

In a lengthy statement published yesterday, CREST said last summer’s exam-cheating scandal boiled down to just two incidents carried out between the years 2012 and 2014.

“On two occasions between 2012 and 2014, the examination-related activities of one or more NCC Group employees and candidates breached the CREST Code of Conduct and NCC Group was, as their employer, vicariously responsible for those individuals at the time,” said CREST [PDF, 19 pages].

The certification body added that NCC Group’s actions also breached its non-disclosure agreements, signed by exam candidates to confirm they won’t reveal the exams’ contents to anyone.

Last summer someone dumped a cache of files onto GitHub and Dropbox. Those files were exam walkthroughs, cheatsheets and reams of material that would be helpful to anyone sitting CREST’s CCT-INF (CREST certified tester – infrastructure), CCT-APP (applications) and CRT (pentesting) exams.

The investigation concluded in December 2020 and while CREST said it would not publish its full report into the scandal, this week’s statement is as near as the public is likely to get to the full facts.

Many people contacted The Register to say they thought this organised cheating was one of the worst-kept secrets in the British infosec industry. So why didn’t CREST tear into the NCC Group?

A retired copper, former detective superintendent Adrian Lennox-Lamb, was appointed to run the investigation into the scandal. CREST’s executive chairman, Mark Turner of NCC Group, recused himself “for the duration of the investigation” (which concluded in December 2020) while other company reps “also withdrew from other CREST activities.”

CREST rapidly identified a key problem:

The organisation’s internal complaint processes were set up so CREST would investigate complaints from third parties against third parties, not situations where the org itself would be involved. Meanwhile, the investigation ran into a bigger problem: although Lennox-Lamb set up a Gmail inbox for people to contact him, only five did.

“Of these, one was interviewed and gave a statement,” said CREST. “The other four either gave information that was assessed as not being directly relevant to the investigation or they failed to respond to the investigator’s follow-up emails.”

What did NCC fall foul of?

CREST had some of its exam assessors look at the NCC Group material leaked online. Of the hundreds of files in the cache (a list of filenames can be found on Pastebin), they identified 25 which they said were “considered problematic and deemed to contain content relating to CREST examinations.”

We asked CREST about those 25 files and were told they were “a mix of notes, some characterised as ‘brain dumps’ put together post-examination; candidates’ revision notes; training material based around content, including syllabuses, that was publicly available from CREST; and generic information relating to penetration testing.”

An NCC-branded item from the cheat sheet repo, shown to us by a source who examined the cache

Multiple sources from across the British infosec world (and beyond) told The Register they recognised the full cache as being information that would be very handy for anyone about to sit CREST exams.

Six of the files were on NCC headed paper while another one was an email between NCC Group staff. The authors of those files were interviewed by Lennox-Lamb, and views were mixed; some said they “contained no actual exam content” while others gave the game away.

And the outcome

NCC Group got away lightly with a finding that it was “vicariously liable” for the actions of just two employees, who were unnamed in CREST’s statement. CREST said there was no evidence that NCC exam candidates’ pass rates were higher than its competitors, also pointing out that NCC has never been the top firm for passes as a percentage of candidates entered; though the company is many times bigger than most of the UK infosec sector and enters many more candidates as a result.

The pentesting firm issued a public statement yesterday describing the exam-cheating as “historical”, adding: “There is no evidence that NCC Group knew about, condoned, or otherwise sanctioned such activity.”

Just for good measure, the company added that it “fully accepts the requirements in the CREST statement.” It refused to answer questions from The Register beyond its prepared statement.

Those requirements mentioned by CREST are for NCC to prevent something like this from happening again by creating “a means of monitoring the application of such processes” together with evidence to be submitted to CREST. In addition, the company will cover half of CREST’s investigation costs and pay for an assessor to go through its current training material “to ensure that no CREST-related and implied content is included.”

NCC exam assessors will “remain suspended from CREST activities” until those things are done.

Part of the delay in publishing the CREST report was to allow feedback from NCC Group. That seems to have been successful from NCC’s point of view; CREST accepted that its NDAs created “a level of confusion” over “what is unacceptable” for companies and exam candidates alike to do when preparing for CREST exams, and the documents will be rewritten accordingly.

CREST’s member declaration will also be rewritten to explicitly state that members will abide by CREST NDAs, its code of ethics, code of conduct, and the complaints handling process.

A UK infosec bod who asked for anonymity in case of reprisals told El Reg that he was happy the CREST statement was published, saying that no matter what CREST found he couldn’t imagine it would ever eject NCC, one of its biggest backers, from membership.

Many others have expressed anger to El Reg over the scandal, believing it devalued their qualifications and was likely to call into question the integrity of the entire industry. All also expressed fears about going public.

An NCSC spokesperson told us: “NCSC has conducted an investigation into these allegations, led by an independent person. This has identified some areas for improvement in CREST’s processes and we will work with them to ensure the recommendations are implemented.

“CREST and NCC co-operated fully with the NCSC investigation, and CREST’s own investigation drew similar conclusions to the NCSC one.

“We do not believe that the sharing of this information would have conferred advantage on anyone who was significantly below the standard expected and nor do we believe that this incident is likely to lead directly to vulnerable systems.” ®


Facebook oversight board to review system that exempts elite users | Facebook


Facebook’s semi-independent oversight board says it will review the company’s “XCheck” system, an internal program that has exempted high-profile users from some or all of its rules.

The decision follows an investigation by the Wall Street Journal that revealed that reviews of posts by well-known users such as celebrities, politicians and journalists are steered into the separate system.

Under the program, some users are “whitelisted”, or not subject to enforcement action, while others are allowed to post material that violates Facebook rules pending content reviews that often do not take place. The XCheck system, for example, allowed Brazilian footballer Neymar to post nude pictures of a woman who had accused him of rape, according to the report.

Users were identified for additional scrutiny based on criteria such as being “newsworthy”, “influential or popular” or “PR risky”, the Wall Street Journal found. By 2020 there were 5.8 million users on the XCheck list, according to the newspaper.

The oversight board said Tuesday that it expects to have a briefing with Facebook on the system and “will be reporting what we hear from this” as part of a report it will publish in October.

The board may also make other recommendations, although Facebook is not bound to follow these.

The Journal’s report, the board said, has drawn “renewed attention to the seemingly inconsistent way that the company makes decisions, and why greater transparency and independent oversight of Facebook matters so much for users”.

Facebook told the Journal in response to its investigation that the system “was designed for an important reason: to create an additional step so we can accurately enforce policies on content that could require more understanding”. The company added that criticism of it was “fair” and that it was working to fix it.

A representative for Facebook declined to comment to the Associated Press on the oversight board’s decision.

Philippines imposes 12 per cent digital services tax • The Register


The Philippines has become the latest nation to impose a digital services tax.

Such taxes require the likes of Netflix and Spotify to pay local sales taxes even though their services are delivered – legally, notionally, and physically – from beyond local jurisdiction.

The Philippines has chosen a rate of 12 per cent, mirroring local value added taxes.

“We have now clarified that digital services and the goods and services traded through digital service providers should generally be subject to VAT. This is just a matter of common tax sense,” said Joey Salceda, a member of the Philippines’ House of Representatives and a backer of the change to the nation’s tax code.

Salceda tied the change to post-pandemic economic recovery.

“If brick and mortar establishments, which are the hardest-hit by the pandemic, have to pay VAT, the giants of e-commerce shouldn’t be exempt,” he said.

However, local companies that are already exempt from VAT by virtue of low turnover won’t be caught by the extension of the tax into the virtual realm.

Salceda’s amendments are designed to catch content streamers, but also online software sales – including mobile apps – plus SaaS and hosted software. The Philippines’ News Agency’s report on the amendment’s passage into law even mentions firewalls as subject to VAT.

The Philippines is not alone in introducing a digital services tax to raise more revenue after the COVID-19 pandemic hurt government revenue – Indonesia used the same logic in 2020.

But the taxes are controversial because they are seen as a unilateral response to the wider issue of multinational companies picking the jurisdictions in which they’ll pay tax – a practice that erodes national tax bases. The G7 group of nations, and the OECD, think that collaborations that shift tax liabilities to nations where goods and services are acquired and consumed are the most appropriate response, and that harmonising global tax laws to make big tech pay up wherever they do business is a better plan than digital services taxes.

The USA has backed that view of digital services taxes, by announcing it will impose tariffs on nations that introduce them – but is yet to enact that plan.

Meanwhile, the process of creating a global approach to multinational tax shenanigans is taking years to agree and implement.

But The Philippines wants more cash in its coffers – and to demonstrate that local businesses aren’t being disadvantaged – ASAP. ®

How to ask your boss for more flexible working


While returning to the office is now possible for many, some workers might still want the option of flexible working some of the time. Here’s how to broach the subject.

This week marked the beginning of a phased and staggered return to workplaces for many employees in Ireland.

It essentially marked the first official green light for employers to ready their offices and start putting plans in place for their staff’s return.

However, HR body CIPD Ireland urged employers to be mindful of anxious workers as they face “another round of upheaval” with the return to offices.

So, while employers are finalising plans about how, where and when their teams will work, some employees may be wondering how to go about expressing their preference, worried that it’s not in line with what the company wants.

While there have been plenty of discussions and remote work advocates calling for leaders to be more flexible and recognise that the future of work will be hybrid, the reality for individual employees can feel very different.

While big-picture debates around the right to request remote work are happening, how do you ask for what you want in the here and now, when your boss is determined to have a full return to the office?

Explain your reasons

If remote or flexible working isn’t something your boss is already willing to give you, then you must treat it like a pay rise request.

Explain clearly and concisely the reasons why you want more flexibility, how it will benefit you and make you a more engaged, happier worker.

While family commitments might be an important factor, so too is work-life balance and getting rid of long commutes. And, while there is light at the end of the pandemic tunnel, Covid-19 is still a very real concern, so don’t be afraid to express your reservations about this too.

Make a business case

When you ask for a pay increase, you provide proof of the value you have added to the company. Take the same approach here and explain to your boss how flexible working will actually be beneficial to them.

Some managers who resist remote working might still have an office-based mentality where presenteeism is key. But there are numerous studies that show that knowledge workers are more productive when working remotely.

And, when done as a purposeful business strategy, remote working can help teams prioritise work more clearly as well as allowing for more downtime and work-life balance.

Be realistic

Depending on your manager, your team and the work you do, it may not be feasible to ask to work from home five days a week.

It’s important that you are realistic about asking for what you want and also realistic about what you can deliver in return. Remote workers can be more productive but they can also be in danger of burning out so be thoughtful about what strategy will work best for both you and your manager.

Listen to their perspective

While conversations around remote working appear to be mostly positive, it can be a different situation behind the office doors.

Many managers and leaders are still hesitant about moving to a fully flexible working strategy and this can lead to workers feeling like they are not being listened to.

However, one of the best ways to combat that hesitancy from managers is to listen to their concerns and address them in a problem-solving manner.

Being able to alleviate some of your manager’s worries might make them more amenable to allowing for more flexibility.

Make expectations clear

If you do convince your boss to allow for a more flexible working plan than what they had originally considered, it’s important that both sides understand what is expected.

Without clearly defining the outcomes of the new set-up, misunderstandings can lead to disappointments and feelings of mistrust in the idea of flexible working.
