Uber and Lyft will share information on drivers that have been banned from their platforms for reasons including sexual and physical assault. 

The Industry Sharing Safety Program, announced on Thursday, will be managed by workforce solutions provider HireRight. 
If drivers are banned from working on one of the firms’ platforms for “serious” safety incidents, at present, they could theoretically move to the other and resume work either as passenger transport or for delivery services. 
However, the new US program may stop these transitions from going under the radar. 
According to Tony West, senior VP and chief legal officer at Uber, “safety should never be proprietary.”
“Tackling these tough safety issues is bigger than any one of us and this new Industry Sharing Safety Program demonstrates the value of working collaboratively with experts, advocates, and others to make a meaningful difference,” West commented. 
The platform will allow both Uber and Lyft to exchange data on drivers ‘deactivated’ for sexual assault, misconduct, and “physical assault fatalities.” HireRight will collect and manage driver data.

Uber and Lyft say the platform will “incorporates learnings from anti-sexual violence advocates over the past several years and prioritizes safety, privacy, and fairness for both drivers and survivors.”
The program will be opened to similar transport and delivery companies in the United States. 
In other Uber news, in February, a UK court ruled that Uber drivers in the UK could not be considered self-employed. The long-running legal battle, in which Uber argued its drivers were contractors and, therefore, not entitled to certain employment protection or a minimum wage, was lost as the Supreme court disagreed. 
For drivers, this means that they may be entitled to back pay and compensation. For Uber, this means the company’s entire business model — based on gig-economy workers — needs to be revised, at least in the UK. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

ZDNet Recommends

One particularly sneaky piece of malware is trying to trick Android users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update. The text message scam delivers FluBot, a form of Android malware that steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. While the links can be delivered to iPhones, FluBot can’t infect Apple devices.  FluBot attacks have commonly come in the form of text messages which claim the recipient has missed a delivery, asking them to click a link to install an app to organise a redelivery. This app installs the malware.  But that isn’t the only technique cybercriminals are using to trick people into downloading FluBot malware — New Zealand’s Computer Emergency Response Team (CERT NZ) has issued a warning over scam text messages which claim the user is already infected with FluBot and they need to download a security update. See also: A winning strategy for cybersecurity (ZDNet special report).After following the link, the user sees a red warning screen claiming “your device is infected with FluBot malware” and explicitly states that FluBot is Android spyware that aims to steal financial login and password data.   At this point, the device is not actually infected with anything at all, but the reason the malware distributors are being so “honest” about FluBot is because they want the victim to panic and follow a link to install a “security update” which actually infects the smartphone with malware.  

This the attackers with access to all the financial information they want to steal, as well as the ability to spread FluBot malware to contacts in the victim’s address book.  FluBot has been a persistent malware problem around the world, but as long as the user doesn’t click on the link, they won’t get infected. Anyone who fears they’ve clicked a link and downloaded FluBot malware should contact their bank to discuss if there’s been any unusual activity and should change all of their online account passwords to stop cybercriminals from having direct access to the accounts.  If a user has been infected with FluBot, it’s also recommended they perform a factory reset on their phone in order to remove the malware from the device.  It can be difficult to keep up with mobile alerts, but it’s worth remembering that it’s unlikely that companies will ask you to download an application from a direct link — downloading official apps via official app stores is the best way to try to keep safe when downloading apps.  More on cybersecurity: More

Image: ZDNet
Microsoft has released a new version of the Sysinternals package and updated the Sysmon utility with the ability to detect Process Herpaderping and Process Hollowing attacks.

Sysinternals is a collection of apps designed to help system administrators debug Windows computers or help security researchers track down and investigate malware attacks.
The Sysinternals package comes with more than 160 different apps, each useful for a particular task.
One of the most widely used Sysinternal apps is called Sysmon, or System Monitor, which works by logging system-level events (process creations, network connections, and changes to file creation time) to the default Windows event log.
Across the years, the tool has become a must-have for all security researchers, either if they’re involved in defending networks or performing digital forensics and incident response (DFIR) operations. This is because Sysmon allows them to record in-depth logs and then trace the roots of malicious attacks to specific processes and apps.
With today’s release of Sysmon 13.00, Microsoft says that the Sysmon app can now detect and log when malware tampers with a legitimate process.
When this happens, the Sysmon utility will create an alert in the Windows event log with the “EventID 25” identifier. System administrators and security researchers can then scan for this ID and detect what process a malware attack tried to modify.

Image: Olaf Hartong

Microsoft says that under the hood, the new Sysmon EventID 25 triggers “when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access.”
Both of these types of behaviors are usually the indicators of two attacks, one known as Process Herpaderping and the other known as Process Hollowing.
Process Herpaderping is a relatively new technique that was first detailed last year and which describes a method that malware can use to hide the intentions of a process by modifying its content on disk after the image has been mapped, allowing it to pass malicious code in apps that security software designates as safe.
Process Hollowing is an older technique that works the same, but during which malware suspends a legitimate application’s process, “hollows” its content, and then injects its own malicious code to be executed from the trusted service.
While other tools in the Sysinternals package have been used in previous years to detect process hollowing attacks, this marks the first time that support has been added for detecting the newer Process Herpaderping technique, which many security researchers expect to see being used in the wild in the coming years.
Previews of both Sysmon EventID 25 warnings are available below from Mark Russinovich, one of the Sysinternals co-creators, who previewed them last year on Twitter. A deep dive into the new Sysmon 13.00 release and its support for detecting Process Herpaderping and Process Hollowing attacks is available here, from security researcher Olaf Hartong. More

Level Lock Pro <!–> ZDNET’s key takeaways The Level Lock Pro is available for $350. This smart lock looks like a regular deadbolt, but supports Apple HomeKey, Matter-over-Thread, physical key, NFC fobs, and door status detection without extra sensors. You’ll have to purchase a keypad separately if you prefer one to unlock, and Android users […] More

Outrage continues to swirl around a proposed plan from the Treasury Department to require some taxpayers to submit to facial recognition and biometric surveillance in order to access their accounts online. The proposal faced further scrutiny after it was revealed the IRS planned to involve controversial facial recognition company ID.me in the effort. Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website — called Dump ID.me — allowing people to sign a petition against the IRS plan. This campaign site comes after days of criticism from privacy, justice, and civil rights groups concerned about the potential for a company like ID.me to have access to peoples’ most sensitive data. 

ID.me’s CEO Blake Hall faced widespread backlash for a LinkedIn post where he admitted that the company had been lying about the way its tool works. The company initially claimed it only runs a 1:1 match, but Hall revealed that it does run some 1:many matches and compares peoples’ images to a massive database, news first reported by CyberScoop’s Tonya Riley.  Caitlin Seeley George, campaign director at Fight for the Future, said the plan to use facial recognition on taxpayers was bad from the start, and it only got worse as more information was revealed.”Part of why we launched this effort is because we think it’s critical that the IRS hears public concerns about this issue. There’s already been a swift outcry from civil rights organizations and experts, but people broadly understand that they should not have to hand over their biometrics in order to access their IRS information (or at all, really),” George told ZDNet. “ID.me is a particularly troubling tool, especially with the revelation that they have been publicly lying about how it works and the types of verification it does,” George added. “But all facial recognition tools will cause a lot of the same issues: they will amass a database of peoples’ most sensitive information that can be shared with other agencies and law enforcement, and also will be a target for hackers. No government agency should be using facial recognition or other biometrics to verify identity.”

Late last week, Bloomberg reported that the Treasury Department is now considering other vendors for the facial recognition project, but the outrage over the situation has sparked further concern about the widespread use of facial recognition across the federal government as well as state governments. 

Fast Company reported that ID.me is now used by the Department of Veterans Affairs, the Social Security Administration, and several other federal agencies. Jay Stanley, senior policy analyst at the ACLU, told ZDNet that dozens of agencies across the country mandate facial recognition in order to access government benefits. The IRS began forcing some people to use ID.me in order to access the expanded child tax credits that were part of President Joe Biden’s American Rescue Plan. There are a range of issues with facial recognition, most notably that it has been proven repeatedly to be inaccurate with the faces of Black and brown people as well as women. Artificial intelligence researchers Inioluwa Deborah Raji and Dr. Joy Buolamwini released a study in 2019 proving that Amazon’s facial recognition software made more mistakes when identifying the faces of Black people, particularly Black women.  Also: Backlash to retail use of facial recognition grows after Michigan teen unfairly kicked out of skating rinkStanley added that the use of facial recognition by government agencies creates a number of accessibility issues for people, noting that some state agencies use it to vet unemployment insurance recipients. It requires strong internet connections — something many people don’t have — and puts an undue burden on people attempting to access benefits Congress has deemed them eligible for, according to Stanley. “Its just not right to use a technology with those kinds of biases for such a public purpose. This kind of core government functions shouldn’t be done by a private company,” he said, adding that ID.me would not be subject privacy laws and certain checks and balances, despite carrying out an essential government function. Many states are using facial recognition for government services through funding coming from the federal government, and Stanley said strings need to be attached to ensure the algorithms aren’t biased. Aubrey Turner, executive advisor at Ping Identity, was critical of the outrage directed toward the IRS effort. Turner acknowledged the privacy and demographic bias concerns raised by watchdogs but said everyone’s images are captured by traffic cameras, security cameras at the airport and through social media accounts. 

“Not going so far as to call it fake outrage, but let’s be pragmatic for a moment. Overall, I think it’s a good idea for the IRS to include modern identity proofing as part of the account registration/access process. Known as document-centric identity proofing within the IAM industry, the process of uploading the document (e.g., drivers license) and taking a selfie (capturing biometric data) is to attain a desired level of confidence the taxpayer user is who they claim to be while mitigating counterfeiting/forgeries. Notwithstanding the security aspect, there is also a user convenience component. This same proofing process can also be a means to reducing and removing passwords for the account enrollment process, which also has positive user experience upside,” Turner said. “Facial recognition can certainly be creepy if used inappropriately in marketing with social media apps. But it can also be tremendously convenient clearing airport security or unlocking your smartphone. The realities of today’s cyber threats means we have to find innovative and dynamic ways to prevent things like account takeover,” Turner added.”Technological innovation is accelerating faster than at any point in modern history, and there will always be misalignment between tech and regulations. There are emerging use cases and things we have yet to conceive that will certainly challenge our notions of the balance of privacy, security, and convenience. But the bottom line is that we can’t let perfect get in the way of progress,” Turner said.He noted that a debate should be had about whether the government should have built the system itself, but said “private enterprises often innovate to close gaps.”Also: Facebook is shutting down its facial recognition systemRegardless of the outrage, more businesses will be leveraging identity proofing processes that utilize biometric and behavioral data, Turner added. “I think not using these more secure methods [is] worse than the alternatives. This is the first in an oncoming wave, so the government should be fostering this innovation and not putting up roadblocks,” Turner said. “I think there are legitimate privacy concerns with facial recognition and biometric data that shouldn’t be ignored. The time for digital identity proofing has come (will only continue to grow in government and private sectors), so we should embrace it versus being outraged without practical alternatives to the realities of today’s cyber security challenges.”Buolamwini — who has become an advocate against facial recognition since publishing her study — released a letter to the Biden Administration last week where she said the real-world impact on marginalized communities will “likely get worse because of the unchecked proliferation of facial recognition technologies generally.” “These technologies are being deployed at an unprecedented rate across state and federal agencies. They are imposed on the public without sufficient public scrutiny, debate, or oversight, causing harm to the populous generally,” Buolamwini said. “No biometric technologies should be adopted by the government to police access to services or benefits, certainly not without cautious consideration of the dangers they pose, due diligence in outside testing, and the consent of those exposed to potential abuse, data exploitation, and other harms that affect us all.”

Government More