More stories

  • BYOD security warning: You can't do everything securely with just personal devices

    Remote working has become far more commonplace over the past year. Still, even as some employees start returning to the office, businesses must be aware that there should be limitations to staff using their own laptops and other devices inside a corporate environment. Bring Your Own Device (BYOD) brings many benefits. Still, the National Cyber Security Centre (NCSC) has detailed certain situations where it should never be considered due to the potential cybersecurity risks it could cause. “You cannot do all your organisation’s functions securely with just BYOD, no matter how well your solution may be configured,” say new guidelines from the NCSC.


    “If you’ve given BYOD users admin access to company resources, revoke that access immediately,” NCSC said. If a personal device gets compromised by cybercriminals, they could use that admin access to reach critical systems and functions using legitimate administration tools. That could allow cyberattackers to steal data and lay the foundations for ransomware attacks and other malware campaigns. “Existing BYOD deployments need review. Potentially, you need to undo some of those quick fixes and start afresh,” the agency said.

    BYOD is the idea of allowing employees to use their personally owned devices for work. It can be a complex topic, as we increasingly use personal devices for everything from answering emails to managing critical services and hardware. While businesses also issue the same or similar devices, a personal device is configured differently from a corporate device, making things more complicated and leading to additional security risks.

    When the COVID-19 pandemic first started and many organisations and their employees suddenly had to adapt to working from home, the main concern was just ensuring that people could continue to do their jobs – in some cases, with employees using their own laptops in order to do so. But if businesses haven’t done so already, it’s time to think about what can and can’t be done with BYOD devices in order to ensure that employees are productive but also secure. “This ‘just make it work’ mentality is entirely understandable, but the time has come to deal with those wounds,” the NCSC said.

    The level of access and trust BYOD devices have depends on the organisation and the user’s role. Still, some things all businesses need to consider when making this decision are what employees need to do, what employees need from a device, and what needs to be done in order to ensure the security and privacy of corporate data on their personal device. It’s a complex issue, but the NCSC advises that in order to get the best results, organisations shouldn’t rush into any decisions.

  • Transdev denies data stolen by ransomware group, connects leak to September attack on client

    French transportation giant Transdev has denied that any of its information was stolen by a ransomware group after cybercriminals claimed to have 200GB of data and threatened to leak it on Sunday, October 10. 

    The LockBit ransomware group listed Transdev on its leak site next to a timer set to expire at 1:00 on Sunday. But Transdev — which calls itself the “largest private provider of multiple modes of transport in North America” — said the data being hawked by LockBit was from one of its clients.

    “We are aware that a cybercriminal group has made a threat to publish data, which they allege belongs to Transdev. However, we believe the data referenced by the criminal group likely belongs to a Transdev Client which was the subject of a cyber event in mid-September,” a Transdev spokesperson told ZDNet. “We have been conducting an investigation into this event with the assistance of third-party digital forensic specialists. The event involving the client’s data was limited to the client’s network, which communicates with Transdev’s corporate environment only through very strict firewall rules and is protected by our security monitoring and defense systems. At this time, there is no indication that any Transdev Corporate data or data related to any other client was subject to access and/or exfiltration.”

    Transdev currently operates in 18 countries, with dozens of cities, counties, airports, companies and universities contracting with it to run their transportation systems. Transdev manages 200 million passenger trips annually and brings in more than $1 billion in annual revenue, according to its website. Transdev has about 15,000 employees in the US alone and runs six different modes of transportation in the US, including buses, shuttles, school buses, paratransit, streetcars, microtransit and autonomous vehicles.

    The attack comes one day after US Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity regulations for US railroad and airport operators in a bid to protect critical infrastructure from ransomware groups and nation-state attackers. Despite warnings and threats from US lawmakers, ransomware groups and cybercriminals have shown no fear in attacking companies and organizations managing transportation systems.

    In a statement on Friday, US President Joe Biden said that the White House plans to convene a 30-country meeting this month to address cybersecurity. “The Federal government needs the partnership of every American and every American company” to address cybersecurity, Biden said. “We must lock our digital doors — by encrypting our data and using multifactor authentication, for example — and we must build technology securely by design, enabling consumers to understand the risks in the technologies they buy.”

  • New cybersecurity regulations released by TSA for trains and planes

    Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity regulations for US railroad and airport operators on Wednesday. First reported by Reuters, the rules mandate that operators disclose any hacks, create cyberattack recovery programs and name a chief cyber official. The Transportation Security Administration will manage the regulations, Mayorkas added. He said the regulations would go into effect by the end of the year.

    “Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security. The last year and a half has powerfully demonstrated what’s at stake,” Mayorkas said, according to Reuters.

    In April, New York City’s Metropolitan Transportation Authority — one of the largest transportation systems in the world — was hacked by a group based in China. While the attack did not cause any damage and no riders were put at risk, city officials raised alarms in a report because the attackers could have reached critical systems and may have left backdoors in the system. In 2020, the Southeastern Pennsylvania Transportation Authority was hit with ransomware, and earlier this year, ferry services to Cape Cod were also disrupted by a ransomware attack.

    The new rules apply to railroad operators, rail transit companies, US airport operators, passenger aircraft operators and all-cargo aircraft operators. Lower-level transportation organizations will also be encouraged to follow the rules.

    The rules come days after the Washington Post revealed many of the specific emergency regulations for pipeline operators that were issued this summer after the attack on the Colonial Pipeline. 


    Ben Miller, a vice president at cybersecurity firm Dragos, said the company has been working with pipeline customers as they adjust to a changing regulatory environment. “We encourage public-private collaboration and not moving too quickly. Reliability and safety are paramount, and the industry and their facilities are not cookie-cutter. We run the risk of making too many assumptions, ultimately slowing down progress and security of these important systems and environments,” Miller said.

    The rules drew mixed responses from experts who questioned whether any organizations could live up to the stringent new regulations. “The security requirements laid out in the newly public TSA Security Directive are definitely ambitious. Most organizations we work with today can’t meet these requirements, nor likely can most federal government agencies,” said Jake Williams, CTO of BreachQuest. “The DNS monitoring requirements alone are far beyond what most organizations today are capable of. While effective in detecting intrusions, effort applied to implementing this sort of requirement will almost certainly distract from more important and achievable goals like foundational IT/OT network segmentation and monitoring.”

    Chris Grove, a Product Evangelist at Nozomi Networks and an expert in industrial cybersecurity, said the directive follows suit with many other attempts to secure operational technologies by “providing a blend of prevention, detection and resiliency.” But he noted that where the recommendations overlap with operational technology, they don’t actually apply. “Even patching systems, MFA, allows OT operators a way out. In other areas, it doesn’t, like weekly virus scanning of OT systems. The Directorate is high-level and non-specific enough that it doesn’t appear to be directed at pipelines, but more about OT or critical infrastructure in general,” Grove explained. “Many operators, particularly those that pursued NERC-CIP, will be well positioned, probably superseding the requirements in the directive. On page 9, part 3, to break storage and identity stores between IT and OT is a huge challenge for converged environments. Also, on page 9, C.1.a mandates prompt removal from the network and disabling of drives for any infected equipment, something that’s not always possible in an OT environment. To put this directive in context, it would have had no impact on the Colonial Pipeline incident, as the operator had security at a higher level than what the directive aims for.”

    Former US Defense Department cybersecurity advisor Padraic O’Reilly added that the days of voluntary guidance being sufficient in critical infrastructure are coming to an end. He noted that some organizations, like New York City’s Metropolitan Transportation Authority, will be fine with the new mandates because they have already tried to implement the voluntary guidelines. “But we know that isn’t true across the board, and pushback from private industry, when they hold assets that impact the public good, hearkens back to the killing of the 2012 cybersecurity act,” O’Reilly told ZDNet. “Even then, in a much simpler threat landscape, Cyber Command and the NSA tried to explain the importance of ‘minimum security standards.’ But the issue became partisan, and that is really too bad on matters that concern national security.”

    O’Reilly noted that there is likely to be more industry wrangling over specific requirements but homed in on the section titled “Security Directive (SD) Pipeline-2021-02” — which focuses on the key elements of hardening pipeline OT and IT against many current exploits. The section also effectively announces an end to some voluntary guidelines for the industry. According to O’Reilly, the timelines to submit statements (7, 30, and 180 days) all “seem reasonable even if they require quick action”, and requiring documentation of compliance is another good measure included in the document.

    “There will likely be industry pushback because the comment period was brief, and there are some unique considerations with respect to patching and other practices where Operational Technology is concerned. But even there, TSA has been careful to allow for a risk-based approach to patching OT, which is quite reasonable,” O’Reilly added. “The most important aspect of the directive is that cyber resiliency is no longer voluntary. Arguably allowing pipeline standards to be voluntary was a mistake. It is beyond dispute that the critical infrastructure sectors (such as finance and electrical) that are regulated generally have much better security practices in place. Where the public good is concerned, there is a clear need for oversight, and only the Federal Government can do this effectively. We can ill afford another attack like the one that hit Colonial.”

  • Cybercriminals threaten to hack EU hospitals in latest COVID-19 vaccine scam

    Cybersecurity experts have uncovered a new COVID-19 vaccination scam in which hackers trick victims into providing their personal information on the premise that the cybercriminals can hack into European Union hospitals and falsify vaccination records. DarkOwl, the cybersecurity firm that uncovered the scam, notes that the EU Digital COVID Certificate program and most EU hospitals have stringent cybersecurity measures in place to protect user data.


    But hackers allegedly part of a gang called Xgroup are offering to add non-vaccinated people to the national COVID-19 vaccine registers that feed into the EU database, asking victims for a trove of personal data under the guise of adding it to the EU Digital COVID Certificate program. DarkOwl’s lead analysts said they believe the culprits behind the scam are based in the US.

    “This is very likely a scheme to steal people’s information and money. Scammers are always willing to prey on the vaccination-hesitant and those who desire a record of vaccination without actually getting the vaccine,” DarkOwl CEO Mark Turnage told ZDNet. “The offer has been circulated across multiple darknet forums and discussion groups. The cyber criminals also host a dedicated hidden service promoting their services. This very well could be a scam and they do not have the skills or access to actually hack any EU hospitals’ vaccination databases. Nevertheless, the idea is novel and it is not out of the realm of possibility that hospitals are vulnerable to such record alterations.”

    Turnage said Xgroup is a relatively new brand without any known direct attributions to cyberattacks. The group does market itself as being able to “ruin someone’s life” through hacking social media accounts and financial accounts. Researchers with DarkOwl said the group has also posted “recruitment” advertisements across malware and “hacking” forums for personnel with penetration testing and criminal hacking experience.

    While the scam is focused mostly on pilfering information from vaccine-hesitant victims, Turnage noted that ransomware-as-a-service gangs have demonstrated they can easily exploit hospital information systems for their extortion agendas. Significant parts of the healthcare system in Ireland were brought down by a ransomware group this summer. “Therefore, we must consider the remote possibility that this is a legitimate offer on the darknet. Hospitals in the EU should be aware of this possibility and mitigate with increased security and auditing of logs accordingly,” Turnage said, adding some advice to those considering turning to the darknet for fake COVID-19 vaccination verifications: “Don’t be foolish enough to pay anyone money for fake vaccination records (digital, paper certificate, or otherwise).”

    In their report on the scam, DarkOwl researchers said Xgroup is offering to hack into EU-based local hospital digital vaccination records on behalf of their darknet customers. Victims submit payment along with their personal information, which is supposedly added to their local hospital’s vaccination records database. “This information is then theoretically accessible by the EU Digital Certificate application as each issuing body (e.g. hospital, test center, or health authority) has its own digital signature key that communicates with the program,” the researchers wrote. “The cost for the vaccination record addition is $600 USD paid via Bitcoin.”

    According to DarkOwl, Xgroup hosts a dedicated V3 hidden service on Tor where they advertise their solutions widely. The researchers could find no proof that the group can follow through with their claims after tracking them since July. The offers only apply to EU citizens because the US does not have a nationwide COVID-19 vaccine record system, but DarkOwl noticed that the service being offered by the cybercriminals uses US mailing address formats and lists the price in US dollars.

    Since COVID-19 emerged, scammers have used it as a way to trick people into sending them money and information in exchange for fraudulent cures or protection schemes. Cybercriminals are now offering fake COVID-19 vaccination cards widely, and The Daily Beast reported this week that US Customs and Border Protection officials in Chicago managed to seize multiple shipments of fake vaccine cards that originated in China. In August, researchers with Check Point found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100. Fake PCR COVID-19 tests are also sold widely, and Check Point Research’s study found groups advertising the fake vaccine verifications in forums with more than 450,000 people.

    DarkOwl was previously involved in a multi-organization effort to ensure the safe and secure transportation, storage, and distribution of the Pfizer, Moderna, AstraZeneca, and Johnson & Johnson vaccines in the United States and abroad.

  • Former Kent police officer sentenced for downloading child sex abuse material

    A former Kent police officer has been sentenced for downloading and viewing child abuse material. 

    Thomas Blant, who served as a constable for Kent Police, was arrested in January last year on suspicion of being a visitor to a website that hosted child sexual abuse content. Investigators suspected that the website, available on the dark web, had been accessed from Blant’s property in Wye, Ashford, Kent. The 38-year-old’s home was searched and a number of devices were seized, including a mobile phone and laptop. Blant was released on bail and suspended from the police at the time of his initial arrest, pending the results of a forensic analysis of the devices. Law enforcement found 17 indecent images, including a number in the highest severity grade, category A. A further four images were uncovered on old mobile devices belonging to the ex-officer.

    According to the UK National Crime Agency (NCA), Blant had made “attempts” to delete the material but failed. He was arrested a second time in February 2020, and on July 22, 2021, Blant pleaded guilty to two criminal counts of making indecent images of children (IIOC) at Folkestone Magistrates Court. On October 6, at Maidstone Crown Court, Blant was given a 12-month prison term, suspended for two years, and a five-year Sexual Harm Prevention Order (SHPO), and was placed on the sex offenders register for 10 years.

    The former constable has since been dismissed from Kent Police. “It is abhorrent that Blant has committed these offenses, particularly while working as a police officer,” commented Detective Chief Superintendent Jon Armory. “His actions helped fuel the demand for children to be exploited which is a complete betrayal of his duty to protect the vulnerable. The vast majority of our officers and staff do an outstanding job serving the public in line with the highest standards of professionalism and conduct, and we expect no less from them.”

    In recent news, the UK’s Metropolitan Police are investigating claims made by Patsy Stevenson, who was arrested while attending a vigil for Sarah Everard. The campaigner says that following the arrest, she received roughly 50 ‘likes’ on Tinder from security guards and police officers in what she describes as an effort to ‘intimidate’ her, leaving her “terrified.” The vigil was taking place on Clapham Common, in memory of Sarah Everard, who was abducted and murdered by Met Police officer Wayne Couzens. The police deemed the event illegal under lockdown restrictions at the time. Couzens has since been issued a whole-life sentence.

  • DTA certifies four cloud providers to store sensitive government data

    Four cloud providers have received certified strategic status under the Australian government’s hosting certification framework (HCF). The companies are Amazon Web Services, AUCloud, Sliced Tech, and Vault Cloud. The Digital Transformation Agency (DTA) selected these companies as part of the first wave of cloud providers to receive the certified strategic status. The HCF is responsible for a new digital infrastructure service within the DTA, which entails assessing and measuring supply chain risks presented by hosting providers, and determining standards, measures, and timelines to achieve the government’s desired hosting standards. According to the Minister responsible for whole-of-government data and digital policy Stuart Robert, the HCF positions the federal government “as an exemplar in data protection and demonstrates our continued commitment to safeguarding the security and privacy protection of government-held data”. All relevant government data under the framework can only be stored in either certified assured or certified strategic providers. In June, Australian Data Centres (ADC), Canberra Data Centres (CDC), and Macquarie Telecom’s Canberra Campus became the first three data centre providers certified to store sensitive data locally. The June certifications were for the certified assured status, however, rather than the certified strategic status. The difference between the two is that certified strategic status is for cloud providers and the certified assured status is for data centre providers.

    These are the first certified cloud providers for the federal government since July last year, when its previous certified cloud list was scrapped on the recommendation of the Australian Signals Directorate.

  • European Parliament passes non-binding resolution to ban facial recognition

    The European Parliament has voted in favour of a resolution banning law enforcement from using facial recognition systems. In explaining the resolution, the European Parliament said the use of AI by law enforcement currently poses various risks spanning opaque decision-making, discrimination, privacy intrusion, challenges to the protection of personal data, human dignity, and the freedom of expression and information. “These potential risks are aggravated in the sector of law enforcement and criminal justice, as they may affect the presumption of innocence, the fundamental rights to liberty and security of the individual and to an effective remedy and fair trial,” the European Parliament said.

    In addition to calling for facial recognition to be banned for law enforcement purposes, the resolution has called for the permanent prohibition of law enforcement using automated analysis of other human features too, such as gait, fingerprints, DNA, voice, and other biometric and behavioural signals. By passing the resolution, the European Parliament explicitly expressed concern about facial recognition services such as Clearview AI, which has a database of more than three billion pictures that have been collected illegally from social networks and other parts of the internet. The final vote passed 36 to 24, with six abstaining from the vote. While the Parliament has passed the resolution, it is not legally binding. It does, however, come in the midst of the European Union working on new AI rules that would apply to both the public and private sectors.

    At the same time, the European Commission (EC) is reportedly preparing to release an antitrust charge against Apple regarding its Apple Pay system, according to Reuters. The charge is reportedly for Apple only allowing the NFC chip within iPhones and iPads to be used for Apple Pay. The EC is reportedly concerned about how Apple has refused competitors access to the payment system. The EC has been investigating whether Apple’s integration of Apple Pay into apps and websites violates EU competition rules since last June.

    With Europe preparing to ramp up scrutiny against Apple for not opening up access to the NFC chips in its devices, this is not the first time Apple has been in such a position. Three years ago, Apple won its fight against an Australian banking consortium when the country’s competition watchdog sided with Apple in allowing it to block Australian banks from accessing NFC on its devices. Most of the banks then caved and signed up for Apple Pay. Since then, Australian banks have continued to complain about the lack of access to Apple’s NFC antenna, with Commonwealth Bank of Australia CEO Matt Comyn in July accusing the tech giant of leaning on its market power to compel the banks into paying fees to use Apple Pay.

  • US Deputy Attorney General launches cryptocurrency enforcement team at DOJ

    The Justice Department has announced a new National Cryptocurrency Enforcement Team alongside a civil cyber fraud initiative designed to punish government contractors with lackluster cybersecurity. US Deputy Attorney General Lisa Monaco was speaking at the Aspen Cyber Summit on Wednesday when announcing the new efforts. “Cryptocurrency exchanges want to be the banks of the future, well we need to make sure that folks can have confidence when they’re using these systems and we need to be poised to root out abuse. The point is to protect consumers,” she said.

    “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and report it. That changes today,” Monaco added in reference to the civil cyber fraud initiative, which she said would “use civil enforcement tools to pursue companies, those who are government contractors, who receive federal funds, when they fail to follow recommended cybersecurity standards.”

    She went on to explain that the National Cryptocurrency Enforcement Team will be focused on disrupting financial markets that facilitate cybercrime. The effort is one of many rolled out by the White House and Justice Department in recent months to address ransomware attacks and the cryptocurrency payments that continue to plague hospitals, schools and companies across the world. Last week President Joe Biden said in a statement that the White House plans to convene a 30-country meeting this month to address cybersecurity. Despite the increased focus from law enforcement, ransomware gangs have shown little reticence in attacking any organization they think is willing to pay.

    Monaco later said that, according to FBI data, investigations are showing more than 100 ransomware variants implicated in at least 1,000 attacks. The civil cyber fraud initiative will leverage the False Claims Act to fine companies that either fail to keep their products secure or fail to be transparent about security incidents. The federal government is still grappling with the fallout from the SolarWinds scandal that exposed significant amounts of data and systems within dozens of US government agencies.