More stories

  •

    SavvyShares compensates consumers for access to their data

    SavvyShares, a survey panel that captures consumer opinions and data, has been launched by San Diego, CA-based market research company Luth Research. Unlike Killi, which pays consumers a portion of all data sales revenue each month and, through its ‘Paycheck’, a guaranteed amount of cash each week, SavvyShares does not offer cash to its members.

    Instead it offers shares in the company, leading to annual dividends — if the company makes a profit. According to the SEC filing, SavvyShares LLC will offer “sale of up to 200,000,000 unit-denominated common limited liability company interests, …. refer(red) to as SavvyShares” for a “maximum gross dollar offering of $50,000,000.”

    The filing says that the shares will be offered for data including “behavior data tracked through software installed to a Member’s phone, tablet or computer (our “App”), data obtained from self-reported surveys and interviews, behavior data obtained from third parties with a member’s consent, and any other social or related data.”

    Members who participate receive shares in the company based on the length and complexity of surveys, and additional shares for allowing digital data tracking through the app. The app runs in the background and collects data as participants surf the web. Dividends may then be paid to member shareholders annually, based on their number of shares and the profitability of the company, as long as the user remains a member. Paying dividends based on the success of the company gives members a stake in the business, so they are probably more incentivized to share their data.

    The company was launched by Luth Research, a consumer survey business. The company is also managed by the Public Benefit Corporation (PBC), a for-profit company that is committed to specific public benefits.

    SavvyShares Founder Roseanne Luth said, “As privacy concerns further restrict data collectors, SavvyShares ensures power and control is in the hands of consumers, giving them a stake in the success of the company as the ultimate reward for their opinions. As consumers are becoming more leery of data harvesting that is currently occurring through social media and other platforms, SavvyShares offers the control, compensation and privacy they deserve.”

    SavvyShares has filed with the SEC to use data as a form of currency — an unusual move. Compensating customers with shares in exchange for access to data could be very lucrative for people who currently share data for free. Of course, the company needs to make a profit before any share dividends can be paid in cash to any member. Consumers already share their opinions and data for free with companies such as Facebook and Instagram, so there are good reasons for customers to be compensated for their data. Will paying for data sharing catch on? Or will we continue to share our data where we feel most comfortable — or stay on the platforms where our friends are most likely to be?

  •

    Microsoft Exchange Server attacks: 'They're being hacked faster than we can count', says security company

    There are still thousands of cyber attacks targeting zero-day security vulnerabilities in Microsoft Exchange Server every single day as cyber criminals attempt to target organisations which have yet to apply the security patches released to mitigate them, according to a tech security company.

    Exchange attacks

    Microsoft released critical updates to secure Microsoft Exchange Servers against the four vulnerabilities on March 2, with organisations urged to apply them as a matter of urgency to prevent cyber attacks on their email servers.

    But weeks later, many organisations are yet to apply the critical updates for Microsoft Exchange Server, and cyber attackers are taking advantage to gain access to servers while it remains possible.

    And cyber criminals are doing just that, with security researchers at F-Secure identifying tens of thousands of attacks every day targeting organisations around the world which are still running vulnerable Microsoft Exchange Server. According to F-Secure analytics, only about half of the Exchange servers visible on the internet have applied the Microsoft patches for these vulnerabilities. “Tens of thousands of servers have been hacked around the world. They’re being hacked faster than we can count. Globally, this is a disaster in the making,” said Antti Laatikainen, senior security consultant at F-Secure. The fear is that an attack which successfully compromises a Microsoft Exchange Server not only gains access to sensitive information that’s core to how businesses are run, but could also open the door for additional attacks – including ransomware campaigns.

    In order to avoid falling victim to cyber attackers exploiting the Microsoft Exchange vulnerabilities, it’s recommended that organisations apply the critical updates as quickly as possible, because the longer the patches aren’t applied, the more time cyber criminals will have to potentially exploit the vulnerabilities as part of an attack.

    Even if organisations have already applied the relevant security updates, there’s no guarantee they were not compromised by malicious hackers before the patches were applied – so it’s important to analyse the network to examine whether it has already been accessed by cyber criminals.

    When it isn’t possible to install the critical Microsoft Exchange updates, the UK’s National Cyber Security Centre (NCSC) recommends that untrusted connections to Exchange server port 443 should be blocked, while Exchange should also be configured so it can only be accessed remotely via a VPN.

    In another step to protect against Exchange Server vulnerabilities, Microsoft has implemented an automatic mitigation tool within Defender Antivirus which helps prevent unpatched servers falling victim to attacks.

    Tens of thousands of organisations around the world are known to have had their email servers compromised in attacks targeting Microsoft Exchange. Microsoft has attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium. However, once knowledge of the vulnerabilities became public following the release of the patch, other state-sponsored and cyber-criminal hacking groups have attempted to target Microsoft Exchange servers which have yet to have patches applied.

    It’s recommended that organisations take measures to mitigate attacks as soon as possible. “There are a ton of things they can do manually to prevent a full disaster. I just encourage them to do them immediately,” said Laatikainen.

  •

    API security becomes a ‘top’ priority for enterprise players

    As attacks against APIs continue to increase, the enterprise is beginning to take the security aspects of API adoption more seriously.

    In a new report released on Monday by Imvision, “API Security is Coming,” the company asked over 100 cybersecurity professionals in the US and Europe for insight on the current state of enterprise API security. Application programming interfaces (APIs) connect different technological services and systems. They can process queries from clients, deal with instructions server-side, and can facilitate the fetching and processing of data. While function sets contained in APIs can be of real value to an enterprise market that is becoming more data-driven every year, they may also represent an emerging cybersecurity issue for users — with API-based attacks believed to be on the rise in tandem with the continued adoption of cloud technologies.

    According to the report, 91% of IT professionals say API security should be considered a priority in the next two years, especially as over 70% of enterprise firms are estimated to use over 50 APIs. The main aspects of API security that respondents consider a priority are access control, cited by 63% of those surveyed; regular testing (53%); and anomaly detection and prevention (43%). In total, eight out of 10 IT admins want more control over their organization’s APIs.

    However, finding a holistic approach to this ‘backbone’ of API security remains a challenge. Over 80% of organizations are estimated to either use, or plan to use, a centralized management solution for API security — such as an API Management (APIM) platform — but only a third of respondents believe their API setups are adequately protected from today’s cyberattacks.

    Other statistics of note in the report include:

    • 19% of enterprises test their APIs daily for signs of abuse
    • 4 out of 5 organizations enable either partners or users to access data using external APIs
    • The current focus of API strategies is centered around application performance (64%) and development and integration (58%)
    • Shadow APIs are considered the most vulnerable, according to 40% of those surveyed
    • 64% of survey respondents said their current solutions do not provide robust API protection

    Companies cited integrating API solutions with current systems and workflows, and gaining visibility into overall API usage, as the main barriers to improving API security.

  •

    Mozilla Firefox tweaks Referrer Policy to shore up user privacy

    Mozilla Firefox will soon include a revised Referrer Policy to tighten up queries and better protect user information. 

    Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers “to prevent sites from accidentally leaking sensitive user data.”

    In a blog post on Monday, developer Dimi Lee and security infrastructure engineering manager Christoph Kerschbaumer said the latest browser version will include a “stricter, more privacy-preserving default Referrer Policy.” Browsers send HTTP Referrer headers to websites to indicate which location has ‘referred’ a user to a website server. Full URLs of referring documents are often sent in the HTTP Referrer header with other subresource requests, and while this may contain innocent information used for purposes including analytics, private user data may also be included.

    Referrer policies aim to protect this data, but if no policy is set by a website, this often defaults to “no-referrer-when-downgrade,” a setting that Firefox says does trim down the referrer when navigating to a less secure resource, but still “sends the full URL including path and query information of the originating document as the referrer.”

    “The ‘no-referrer-when-downgrade’ policy is a relic of the past web, when sensitive web browsing was thought to occur over HTTPS connections and as such should not leak information in HTTP requests,” the team says. “Today’s web looks much different: the web is on a path to becoming HTTPS-only, and browsers are taking steps to curtail information leakage across websites. It is time we change our default Referrer Policy in line with these new goals.”

    As such, Firefox 87 will introduce “strict-origin-when-cross-origin” as the default in the browser’s Referrer Policy, which trims sensitive user information accessible in URLs, including the path and query string, from the referrer sent in requests going from HTTPS to HTTP as well as in all cross-origin requests.

    “Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience,” Firefox says.

    Google Chrome also introduced a stricter default Referrer Policy in version 85 of the browser, alongside speed improvements and tab previews.
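    To make the difference between the old and new defaults concrete, here is an added example (not Mozilla's code or anything from the blog post) that computes the Referer value a browser would send under each named Referrer Policy, following the W3C Referrer Policy algorithm. It simplifies in two ways that are assumptions of this example: any `https:` URL is treated as “potentially trustworthy”, and the origin-only cases use `URL.origin` plus a trailing slash. The hostnames `bank.example`, `analytics.example` and `tracker.example` are constructed sample values.

```javascript
// Added example: what Referer header is sent under each Referrer Policy.
// Follows the W3C Referrer Policy algorithm; simplified for illustration
// (assumption: "potentially trustworthy" == https:, origin serialised via URL.origin).

// Referrer values are always sent with credentials and fragment removed.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only referrer: scheme + host (+ port) with a trailing slash, e.g. "https://example.com/".
function originOnly(url) {
  return new URL(url).origin + '/';
}

function isPotentiallyTrustworthy(url) {
  return new URL(url).protocol === 'https:';
}

// Returns the Referer value as a string, or null when no header is sent at all.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is a request from an https: document to a non-https: destination.
  const downgrade = isPotentiallyTrustworthy(fromUrl) && !isPotentiallyTrustworthy(toUrl);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(fromUrl);
    case 'origin':
      return originOnly(fromUrl);
    case 'same-origin':
      return sameOrigin ? stripForReferrer(fromUrl) : null;
    case 'strict-origin':
      return downgrade ? null : originOnly(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(fromUrl) : originOnly(fromUrl);
    case 'no-referrer-when-downgrade': // the old default: full URL unless downgrading
      return downgrade ? null : stripForReferrer(fromUrl);
    case 'strict-origin-when-cross-origin': // the Firefox 87 default
      if (sameOrigin) return stripForReferrer(fromUrl);
      return downgrade ? null : originOnly(fromUrl);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Side-by-side result for one request under the old and the new default.
function compareDefaults(fromUrl, toUrl) {
  return {
    old: referrerFor('no-referrer-when-downgrade', fromUrl, toUrl),
    new: referrerFor('strict-origin-when-cross-origin', fromUrl, toUrl),
  };
}

// Constructed sample: a page whose path and query carry an account id and a
// token, loading resources from three kinds of destination (hostnames are made up).
const SENSITIVE_PAGE = 'https://bank.example/accounts/statement?id=12345&token=abc';

const SAMPLE_DESTINATIONS = {
  crossOriginHttps: 'https://analytics.example/pixel.gif',
  crossOriginHttp: 'http://tracker.example/pixel.gif',
  sameOrigin: 'https://bank.example/static/app.js',
};

function runSamples() {
  const out = {};
  for (const [name, dest] of Object.entries(SAMPLE_DESTINATIONS)) {
    out[name] = compareDefaults(SENSITIVE_PAGE, dest);
  }
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

    Run with `node`, the cross-origin HTTPS case is the one that changes: the old default sends the full URL, query string included, to `analytics.example`, while the new default sends only `https://bank.example/`. The HTTPS-to-HTTP case sends nothing under either policy, and same-origin requests still receive the full URL under both, which is why the blog post describes the change as trimming referrers on cross-origin and downgrade requests rather than removing them entirely.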

  •

    China takes aim at ‘spying’ Tesla cars, bans military staff use

    Elon Musk has said Tesla would be “shut down” if accusations that the firm’s cars could be used for spying purposes were true.

    Last week, the Wall Street Journal reported that the Chinese government has restricted the use of Tesla vehicles in military and key state-owned company settings. Military and government staff are reportedly not permitted to drive these cars into such facilities due to the worry that Tesla vehicles could be used for covert data-gathering.

    People familiar with the matter told the WSJ that following a government security review, Chinese officials became concerned that Tesla’s smart car features could be abused for spying purposes. Tesla vehicles, including the Model X, Model S, and Model Y, are electric vehicles (EVs) that come equipped with features including driver assistance, built-in mobile connectivity, an infotainment dashboard, cameras and sensors for driving, maps, and more. However, the concern is that data-grabbing features — such as cameras or connectivity apps — could be used, with or without the driver’s knowledge, to obtain information on these facilities.

    Tesla’s CEO and entrepreneur Elon Musk has commented on the Chinese government’s scrutiny of Tesla vehicle features, saying that, “if Tesla used cars to spy in China or anywhere, we will get shut down.”

    Speaking at the China Development Forum, Musk added that Tesla has a “very strong incentive” to treat data confidentiality seriously, as reported by the Reuters news agency.

    The United States and China have clashed over technology and national security for years, with both countries often citing national security concerns when changes in export rules are made, as well as when imposing vendor- and country-specific technological product bans. Perhaps the most high-profile case recently is that of Huawei, which together with ZTE has been branded a national security threat by the US Federal Communications Commission (FCC). The FCC has also recently added Hytera Communications, Hangzhou Hikvision Digital Technology Co., and Zhejiang Dahua Technology to a national security blacklist, which may restrict US companies in purchasing or installing equipment produced by these vendors.

    In diplomatic talks between the US and China last week, China’s foreign minister Wang Yi accused the US of using its military and financial might to “obstruct normal trade exchanges.”

  •

    Cybersecurity, skills concerns hamper Singapore SMB digitalisation efforts

    COVID-19 may have helped accelerate digitalisation efforts for many organisations worldwide, but the majority of small and midsize businesses (SMBs) in Singapore that are falling behind in their adoption of digital tools are smaller companies. They cite lack of funds, concerns about cybersecurity risks, and inadequate digital skillsets as key reasons for their hesitation. Some 72% of the country’s SMBs that had yet to embark on digital transformation were smaller organisations, which had an annual turnover of less than SG$10 million ($7.45 million), according to a study released Monday by local bank UOB. Larger SMBs comprised those with turnover ranging from SG$10 million to SG$100 million ($74.45 million).

    Amongst small businesses, 34% cited cost as a key reason for not going the digital route, while 31% had concerns about cybersecurity and another 31% were worried about their employees’ lack of necessary digital skillsets. Some 28% found it difficult to justify the investment and 26% said they did not have sufficient funds to proceed with their digital transformation. Another 25% had to deal with interoperability issues between their old and new systems, revealed the study, which polled 782 SMBs in Singapore.

    Across the board, 41% that had pushed on with their digitalisation efforts saw stronger revenue growth, compared to their peers that did not do so. These included those that had done so organisation-wide or across multiple areas, in comparison to those that had only adopted digital tools in one area of their business. Furthermore, SMBs that had gone the digital route expressed more optimism for the year ahead, with 58% projecting higher revenue in 2021, compared to 32% of their peers that had yet to adopt digital tools. Another seven in 10 SMBs indicated more confidence in preparing for post-COVID-19 growth, while just four in 10 amongst those that had not digitalised their business felt likewise. Six in 10 SMBs that did not adopt any digital tools saw a dip in their 2020 net revenue compared to the previous year.

    UOB’s head of group business banking Lawrence Loh said: “Digitalisation offers businesses many opportunities, from improving their processes and reaching out to new customers to having a direct and measurable impact on their revenue. Close to one in two SMBs that proactively took steps to adopt digital tools last year are already seeing benefits such as greater productivity and efficiency gains, improved customer experience, and higher revenue, even in a volatile business environment.

    “The digitalisation journey is a long one and we urge SMEs to stay the course to see their efforts pay off when they emerge stronger through the pandemic,” Loh added.

    The Singapore government last May set aside more than SG$500 million ($352.49 million) to support local businesses in their digital transformation efforts, which it said were increasingly imperative for enterprises to deal with the fallout of the COVID-19 crisis. The funds would go towards facilitating companies in their adoption of e-payments, e-invoicing, as well as more advanced digital tools. Funds and manpower also were offered to help SMB retailers kickstart their e-commerce journey, with the government buffering 90% of the cost for them doing so. The “e-commerce booster package” aimed to provide aid for small businesses that had little or no e-commerce experience in their digital transformation.

  •

    ACIC running into jurisdictional data troubles with new national firearms database

    The Australian Criminal Intelligence Commission (ACIC) decommissioned the National Firearms Licensing Registration System user interface in 2018-19, requiring law enforcement across the country to transition to the Australian Firearms Information Network (AFIN), which has been touted as a more sophisticated system that holds richer, higher quality data. ACIC CEO Mike Phelan told senators on Monday that access to accurate data has been a problem the organisation has faced in transitioning to AFIN and that, given the mismatch of state, territory, and Commonwealth laws, end-to-end security could not be assured.

    As AFIN data is sourced from partner agencies, data quality is a local management issue. Phelan was asked how the ACIC was ensuring data consistency. “There’s no consistency in terms of any of the systems that we run when you run states and territories and a Commonwealth system. And that’s the difficulty of trying to run hybrid systems,” he said.

    The AFIN is not governed by the federal government’s Information Security Manual, as the ACIC has no jurisdiction or management authority over partner agencies’ local IT systems. Phelan was asked to comment on certain jurisdictions being “less than careful with the details of their own licenced firearm owners”. “I know from time to time … private information leaks out of databases. That’s why we have an Information Commissioner, Privacy Commissioners, all these sorts of things — these things unfortunately happen,” he said. “But systems themselves, we try to make as tight as they possibly can.”

    “The reasons for disclosure of info, and I’m not just specifically saying firearms here, but the reasons for disclosure of information, depending on its character vary from state to state. And whilst it might seem self-evident that what you can disclose in Victoria, same piece of information should be disclosed in New South Wales, that is not the case and we’re running into that.”

    There are currently around 3 million firearms registered in systems across Australia. Phelan said there’s a data cleansing process that intends to clean as much of the data the ACIC gets from states and territories as it can, and provide them with information in relation to their own holdings. “That itself is not an easy task to do,” he said. “And you can clean up the data as much as you can — everybody wants the data clean, so that you can make good tactical decisions if you need to, at the operational level rather than having to look at multiple pieces of information to make some sort of subjective judgement.”

    Phelan said ACIC and its law enforcement partners are working through similar issues at the moment with the development of the National Criminal Intelligence System (NCIS). The government has previously described the NCIS as a system that “will provide law-enforcement and intelligence agencies with a national repository of criminal intelligence and information”.

    “It’s actually the jurisdictions that place on it the caveats of the information as to whether or not it can be used and accessed by individuals … and then we decide who gets it,” Phelan said. “It’s whoever provisions the information decides the restrictions upon that information and how it can be distributed. And then we handle the information management system.”

    He said such a practice is consistent with all systems the ACIC monitors. “Everything that we hold goes back out to the jurisdictions and then the jurisdictions determine their own assessment and their own assessment as to who has access to those informations based upon the need to know principle or the need to use that information and it varies across states and territories,” he continued.

    Although they have respectively provided data into AFIN, Victoria Police and the Australian Federal Police (AFP) are yet to begin using the system. Phelan said he was “fair dinkum” that VicPol’s timeline was pushed back due to COVID-related issues requiring the state police force to focus on other IT systems.

  •

    Popular remote lesson monitoring program could be exploited to attack student PCs

    Researchers have uncovered a slew of critical vulnerabilities in remote monitoring software — an incident made worse as it could impact student safety and privacy. 

    On Monday, McAfee disclosed the existence of multiple security holes in Netop Vision Pro, popular monitoring software adopted by schools for teachers to control remote learning sessions. The software is marketed for teachers to keep control of lessons. Features include viewing student screens and sharing the teacher’s, implementing web filters, pushing URLs, chat functions, and freezing student screens.

    “Adding technology to the classroom allows you to give your students a multitude of new resources, but it can also add more distractions,” the vendor says. “Classroom management software helps you scaffold your students’ learning while still keeping them on track. In the classroom or during remote learning, Vision’s simple features allow you to manage and monitor your students in real-time.”

    According to McAfee’s Advanced Threat Research (ATR) team, Netop Vision Pro contained vulnerabilities that “could be exploited by a hacker to gain full control over students’ computers.” After setting up a virtual ‘classroom’ made up of four devices on a local network, the researchers realized that all network traffic was unencrypted and there was no option to enable encryption during configuration. In addition, students that began connecting to the classroom “would unknowingly begin sending screenshots to the teacher,” according to the report.

    “Since there is no encryption, these images were sent in the clear,” McAfee says. “Anyone on the local network could eavesdrop on these images and view the contents of the students’ screens remotely.”

    As a teacher begins a session, they send a network packet prompting students to join. It was possible to modify this data and for the team to masquerade as the teacher host. Attackers could also perform local elevation of privilege (LPE) attacks and ultimately gain System privileges. Because the chat function in the software saved files sent by a teacher into a ‘work’ directory while running as System, it was possible for an interloper to overwrite existing files and send malicious content to students without any input from them — such as malware that would ultimately compromise their PCs.

    “Netop Vision Pro student profiles also broadcast their presence on the network every few seconds, allowing an attacker to scale their attacks to an entire school system,” McAfee noted. “Because it is always running, even when not in use, this software assumes every network the device connects to could have a teacher on it and begins broadcasting.”

    Overall, four critical vulnerabilities in the software were assigned CVEs and are tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195: an incorrect privilege assignment problem, a default permissions error, the cleartext transmission of sensitive information, and authorization issues. Together, the security flaws allowed for privilege escalation and Remote Code Execution (RCE) attacks within a compromised network.

    “If a hacker is able to gain full control over all target systems using the vulnerable software, they can equally bridge the gap from a virtual attack to the physical environment,” the researchers added. “The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment.”

    The insecure design principles and security flaws found in Netop’s software were privately disclosed to the vendor on December 11. The latest software release, 9.7.2, has addressed some of the issues, such as the LPE bugs and the encryption of credentials. Mitigations have also been added to chat-based read/write issues. Netop intends to roll out network encryption in the near future.

    Last week, the FBI warned of increasing rates of attack against US and UK schools and universities. Law enforcement agencies have tracked a spike in attack attempts leveraging PYSA ransomware, used to exfiltrate data before encryption in order to extort payment.

    ZDNet has reached out to Netop and we will update when we hear back.