More stories

  • Singapore, India to link national payment systems for cross-border transfers

    Singapore and India are working to link their respective national real-time payment systems, enabling funds to be transferred via mobile numbers and virtual payment addresses. The move aims to support growing remittance traffic and drive cross-border interoperability. Work to connect Singapore’s PayNow and India’s Unified Payments Interface (UPI) infrastructures was targeted for completion by July 2022, according to a statement released Tuesday by the Monetary Authority of Singapore (MAS). It added that the initiative was established in partnership with the Reserve Bank of India.

    The linkage would enable residents in both countries to make real-time, low-cost fund transfers directly between their respective local bank accounts. Funds from India could be transferred to Singapore via mobile numbers, while funds from Singapore could be transferred to India using UPI virtual payment addresses. These addresses are used by non-bank financial institutions to connect directly to PayNow and Fast and Secure Transfers (FAST), and enable users to send and receive payments through e-wallets or mobile banking apps. User experience will be similar to how each payment system operates in its domestic market, MAS said.

    The Singapore central bank added that the interoperability between PayNow and UPI would better facilitate growing remittance traffic and allow more organisations to join the payment ecosystem. It would also help drive automation of capital control rules and establish standardised formats to support future services between participants, it said.

    Describing the partnership as a milestone in the development of next-generation cross-border payment infrastructures between both countries, MAS said such connectivity was in line with the G20’s financial inclusion priorities of driving “faster, cheaper, and more transparent” cross-border payments.

    MAS’ chief fintech officer Sopnendu Mohanty said: “By reducing the cost and inefficiencies of remittances between Singapore and India, the PayNow-UPI linkage will directly benefit individuals and businesses in Singapore and India that greatly rely on this mode of payment.

    “Given that PayNow and UPI are integral components of their respective national digital infrastructures, the link between the two systems also paves the way for establishing more comprehensive digital connectivity and interoperability between the two countries,” Mohanty said.

    Singapore in April 2021 inked a similar pact with Thailand to enable users in both nations to transfer funds using the recipient’s mobile number. The collaboration tapped each country’s peer-to-peer payment system, PayNow and Thailand’s PromptPay, and was part of a regional payment initiative to ease cross-border payments.

    Singapore earlier this month also announced it was working with the central banks of Australia, Malaysia, and South Africa to develop and test a common platform on which to process cross-border digital payments. The initiative to pilot the use of central bank digital currencies (CBDCs) for international transactions aimed to bypass the need for intermediaries and, hence, slash the time and cost of such transactions.

  • ExpressVPN sells to Kape Technologies for $936 million

    Kape Technologies has announced it will pick up ExpressVPN for $936 million, consisting of $237 million in Kape shares to ExpressVPN co-founders Peter Burchhardt and Dan Pomerantz, which will hand them a 14% stake in the combined entity, with the remainder to be paid in cash over the next two years. ExpressVPN said it would remain a separate service, and its team would continue to grow. Of its approximately 290 employees, ExpressVPN has 48% involved in research and development. Kape called out ExpressVPN’s OEM arrangements with HP, HMD Global, Acer, Dynabook, and Philips. The VPN service has over 3 million customers, with over 40% in North America. During the 2020 fiscal year, ExpressVPN posted revenue of $279 million, up 37%, and adjusted EBITDA of $75 million, up 35%, Kape said in its regulatory filing. “Significant cross sell and revenue opportunities across the platform; top line and operational synergies greatly improve [customer lifetime value to acquisition cost] ratios and are anticipated to generate cost savings of $19 million in 2022 and $30 million on an annualised cost basis from 2023,” Kape said.

    Cross-selling aside, ExpressVPN claimed it would be able to provide better protection from a “wider range of threats”. “We’ve been impressed by Kape’s clear commitment to protecting the privacy of users,” ExpressVPN said in a blog post.

    “Their track record with upholding the exacting privacy practices and policies of other privacy protection services under the Kape umbrella is a strong testament to how seriously they take their responsibility to respect user privacy and rights.” In total, the combined company will have around 6 million paying subscribers. This is not Kape’s first VPN purchase — it previously bought VPN companies ZenMate and Cyberghost, and used to specialise in scareware under the Crossrider name.

  • Google patches two Chrome zero-days

    Google announced fixes for 11 different bugs in Chrome on Monday, including two zero-days currently being exploited in the wild. Google listed all 11 of the fixes as well as the researchers who discovered them and the bounties handed out. But the two that caused the most stir were CVE-2021-30632 and CVE-2021-30633. “Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” Google explained. The two vulnerabilities were the only ones that were listed as being submitted anonymously on September 8.

    Google added that CVE-2021-30632 related to an “out of bounds write in V8” and CVE-2021-30633 concerned a “use after free in Indexed DB API.”

    All of the updates will roll out over the coming days and weeks as part of the Stable channel update to 93.0.4577.82 for Windows, Mac and Linux, Google said.

    Kevin Dunne, president at Pathlock, said this was the 10th zero-day exploit that Google had patched this year. “This milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite, allowing a streamlined way to gain access to millions of devices regardless of OS,” Dunne said. 

    “Google’s commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates. We expect to see continued zero-day exploits in the wild, but we are confident Google will continue to place effort on security and providing timely patches to these exploits.”

    Browser bugs discovered from exploitation in the wild are among the most significant security threats, added John Bambenek, principal threat hunter at Netenrich.

    “Now that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven’t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors,” Bambenek said. “Everyone wants to learn how to hack, too few people are working on defense.”

  • Apple releases update fixing NSO spyware vulnerability affecting Macs, iPhones, iPads and Watches

    Apple has released an urgent security update for Mac, iPhone, iPad and Watch users after researchers with Citizen Lab discovered a zero-day, zero-click exploit from mercenary spyware company NSO Group that gives attackers full access to a device’s camera, microphone, messages, texts, emails, calls and more.

    Citizen Lab said in a report that the vulnerability — tagged as CVE-2021-30860 — affects all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina and all Apple Watches prior to watchOS 7.6.2.

    Apple added that it affects all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. CVE-2021-30860 allows commands to be executed when files are opened on certain devices. Citizen Lab noted that the vulnerability would give hackers access without the victim even clicking anything. Citizen Lab previously showed that repressive governments in Bahrain, Saudi Arabia and more had used NSO Group tools to track government critics, activists and political opponents. Ivan Krstić, head of Apple Security Engineering and Architecture, told ZDNet that after identifying the vulnerability used by this exploit for iMessage, Apple “rapidly developed and deployed a fix in iOS 14.8 to protect our users.” “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

    John Scott-Railton, a senior researcher at Citizen Lab, spoke out on Twitter to explain what he and Citizen Lab senior research fellow Bill Marczak found and reported to Apple. They found that the vulnerability has been in use since at least February. Apple credited them with discovering it.

    “Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected with Pegasus spyware. Bill did a backup at the time. A recent re-analysis yielded something interesting: weird looking ‘.gif’ files. Thing is, the ‘.gif’ files…were actually Adobe PSD & PDF files…and exploited Apple’s image rendering library. Result? Silent exploit via iMessage. Victim sees *nothing,* meanwhile Pegasus is silently installed and their device becomes a spy in their pocket,” Scott-Railton explained.

    “NSO Group says that their spyware is only for targeting criminals and terrorists. But here we are…again: their exploits got discovered by us because they were used against an activist. Discovery is inevitable byproduct of selling spyware to reckless despots. Popular chat apps are the soft underbelly of device security. They are on every device and some have a needlessly large attack surface. Their security needs to be a *top* priority.”

    In a longer report about the vulnerability, Citizen Lab researchers said that it is the “latest in a string of zero-click exploits linked to NSO Group.” NSO Group has faced significant backlash globally after researchers discovered that governments, criminals and others were using its Pegasus spyware to tacitly track thousands of journalists, researchers, dissidents and even world leaders.

    “In 2019, WhatsApp fixed CVE-2019-3568, a zero-click vulnerability in WhatsApp calling that NSO Group used against more than 1,400 phones in a two-week period during which it was observed, and in 2020, NSO Group employed the KISMET zero-click iMessage exploit,” the researchers said.

    They said their latest discovery “further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies.” “Regulation of this growing, highly profitable, and harmful marketplace is desperately needed,” they added.

    Reuters reported that since the concerns about NSO Group were raised publicly earlier this year, the FBI and other government agencies across the world have opened investigations into their operations. NSO Group is based in Israel, prompting the government there to kickstart its own investigation into the company. The company designed tools to specifically get around Apple’s BlastDoor defense that was implemented in iMessage to protect users.

    Ryan Polk, senior policy advisor with the Internet Society, told ZDNet that the Pegasus-NSO case is a proof point for the dire consequences posed by encryption backdoors. “The tools built to break encrypted communications inherently run the risk of falling into the wrong hands — placing all who rely on encryption in greater danger. Imagine a world where tools like Pegasus come built in every app or device — however, unlike now, companies have no option to remove them and all users are targeted,” Polk said. “End-to-end encryption keeps everyone safe, especially those from vulnerable communities — like journalists, activists, and LGBTQ+ community members in more conservative countries.”

    In 2016, cybersecurity company Lookout worked with Citizen Lab to discover Pegasus. Hank Schless, senior manager of security solutions at Lookout, said the tool has continued to evolve and take on new capabilities.

    It can now be deployed as a zero-click exploit, which means that the target user doesn’t even have to tap a malicious link for the surveillanceware to be installed, Schless explained, adding that while the malware has adjusted its delivery methods, the basic exploit chain remains the same.

    “Pegasus is delivered via a malicious link that’s been socially engineered to the target, the vulnerability is exploited and the device is compromised, then the malware communicated back to a command-and-control (C2) server that gives the attacker free rein over the device. Many apps will automatically create a preview or cache of links in order to improve the user experience,” Schless said. “Pegasus takes advantage of this functionality to silently infect the device.”

    He added that NSO has continued to claim that the spyware is only sold to a handful of intelligence communities within countries that have been vetted for human rights violations. But the recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims, he added.

    “This exemplifies how important it is for both individuals and enterprise organizations to have visibility into the risks their mobile devices present. Pegasus is an extreme, but easily understandable example. There are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data,” Schless told ZDNet.

  • Brazil debates creation of national strategy to tackle cybercrime

    Amid growing concerns about increasing threats in the cybersecurity space, the Brazilian government and the banking sector are discussing the creation of a strategy to address crime in digital environments. The president at the Brazilian Federation of Banks (FEBRABAN), Isaac Sidney, and the Minister of Justice and Public Security, Anderson Torres, have started negotiations for the creation of the National Cybercrime Strategy. The topic was discussed at a meeting at the association’s headquarters in São Paulo on Friday (6). According to FEBRABAN, the discussions around the new plan to tackle cybercrime will be informed by the experiences of the National Strategy Against Corruption and Money Laundering, which is led by the Ministry of Justice and has been in place since 2003.

    Under the new strategy, the idea will be to “expand the identification and repression” of the actors responsible for cybercrimes, the association said. Another goal is to expand the technical knowledge of the Brazilian security forces and “promote permanent cooperation between public and private agents.”

    The vision outlined by the banking association also includes the joint development of platforms for sharing fraud data by digital means, as well as supporting the training of security forces in cybersecurity and digital fraud issues and using the association’s cybersecurity laboratory. The plan would also include public awareness campaigns on cyber risks and fraud.

    According to German consultancy Roland Berger, Brazil currently ranks fifth in a ranking of the world’s main cybercrime targets. A survey carried out by the company shows that the country has exceeded the total number of ransomware attacks seen in 2020 in the first half of 2021, with 9.1 million occurrences. In the private sector, the level of preparedness to deal with cybercrime has been impaired by lack of investment: security teams are in place in less than a third of Brazilian organizations, even though most businesses frequently suffer attacks, recent research has found. Another study, published in February, suggests that most Brazilian companies have not increased their investments in information and cyber security since the Covid-19 pandemic emerged despite an increase in threats.

    Attacks targeted at Brazilian public sector organisations have also become increasingly common. Last November, a major cyberattack against the Brazilian Superior Electoral Court brought the Court’s systems to a standstill for over two weeks. More recently, the Brazilian National Treasury was the target of a ransomware attack.

    Brazil published its first National Information Security Policy in 2018. The National Security Strategies for Cyber Security and Critical Infrastructure Security were published in 2020. In July, the Brazilian government created a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies. The Federal Cyber Incident Management Network will encompass the Institutional Security Office of the presidency as well as all bodies and entities under the federal governing administration. Public companies, mixed capital companies and their subsidiaries may become members of the network voluntarily.

  • Moody's to invest $250 million in BitSight, create 'cybersecurity risk platform'

    Moody’s Corporation announced on Monday that it would be investing in cybersecurity company BitSight and working with the firm to create a “comprehensive, integrated, industry-leading cybersecurity risk platform.”

    First reported by CNN, the partnership will see Moody’s invest $250 million in BitSight and the cybersecurity company will acquire Moody’s cyber risk ratings venture VisibleRisk, which they created with global venture group Team8. In a statement, Moody’s CEO Rob Fauber said organizations need a way to accurately measure and quantify cyber risk and exposure as they continue to invest in cyber defense and resilience. “Creating transparency and enabling trust is at the core of Moody’s mission — to help organizations assess complex, interconnected risks and make more informed decisions,” Fauber said. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of financial loss.”

    Moody’s said its Investors Service review of cyber vulnerability and impact found 13 sectors that have high or medium-high risk, with “total rated debt exceeding $20 trillion.”

    Moody’s noted that BitSight has more than 2,300 customers around the world, including dozens of Fortune 500 companies, government agencies, insurers and asset managers.

    BitSight said its acquisition of VisibleRisk adds a cyber risk assessment capability and advances its ability to analyze and calculate an organization’s financial exposure to cyber risk. BitSight’s valuation grew to $2.4 billion after the investment. BitSight CEO Steve Harvey added that the partnership with Moody’s and acquisition of VisibleRisk expands the company’s “reach to help customers manage cyber risk in an increasingly digital world.”

    “Cybersecurity is one of the biggest threats to global commerce in the 21st century,” Harvey said.

    The $250 million deal will make Moody’s the largest minority shareholder in BitSight, according to CNN. Fauber told CNN Business that the effort was started because of the opacity around cyber risk and the spate of serious cyberattacks that have affected a broader range of industries.

  • Surprise! iOS 14.8 for iPhone is out

    We’ve known it was on the way for a few weeks, and now it’s finally here. Ahead of tomorrow’s Apple event — where we’re likely to see the new iPhone and release date for iOS 15 — iOS 14.8 is out.

    According to Apple, this release contains two security updates and is recommended for all users. Both the security vulnerabilities patched “may have been actively exploited,” which makes this update all the more important to install.

    As to whether this update contains any other surprises, we’ll have to wait and see. I’ll post a rundown of any other changes I see shortly. There’s also an iPadOS 14.8 for iPad users. To install the update, go to Settings > General > Software Update and download it from there.

  • Over 60 million wearable, fitness tracking records exposed via unsecured database

    An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.

    On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth. Based in New York, GetHealth describes itself as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.” The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.

    On June 30, 2021, the team discovered a database online that was not password protected. The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets. While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple’s HealthKit.
    “This information was in plain text while there was an ID that appeared to be encrypted,” the researchers said. “The geo location was structured as in “America/New_York,” “Europe/Dublin” and revealed that users were located all over the world.”

    “The files also show where data is stored and a blueprint of how the network operates from the backend and was configured,” the team added. References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the firm’s CTO reached out, informed him that the security issue was now resolved, and thanked the researcher.

    “It is unclear how long these records were exposed or who else may have had access to the dataset,” WebsitePlanet said. “[…] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.”

    ZDNet has reached out to GetHealth with additional queries and we will update when we hear back.