More stories


    UK police warn of sextortion attempts in intimate online dating chats

    As politicians play whack-a-mole with COVID-19 infection rates and try to balance the economic damage caused by lockdowns, stay-at-home orders have also impacted those out there in the dating scene. 

    No longer able to meet up for a drink, a coffee, or now even a walk in the park, organizing an encounter with anyone other than your household or support bubble is banned and can result in a fine in the United Kingdom — and this includes both dates and overnight stays. 
    Therefore, the only feasible option available is online connections, by way of social networks or dating apps. 
    Dating is hard enough at the best of times but sexual desire doesn’t disappear just because you are cooped up at home. Realizing this, a number of healthcare organizations worldwide have urged us not to contribute to the spread of COVID-19 by meeting up with others for discreet sex outside of our social bubbles, bringing new meaning to the phrase, “You are your safest sex partner.”
    This doesn’t mean, however, that we’ve abandoned the search in the time of a pandemic; instead, dating apps — such as Tinder, eHarmony, and the new Quarantine Together — are signing up users in record numbers. 
    Apps and chats over Zoom, however, can only go so far, and after you’ve made your way through remote small talk, what’s next?
    If you’re not careful, it’s blackmail. 

    In a recent case documented by the UK’s Thames Valley police, a sextortion scam started innocently enough: a young man was contacted over Facebook by a woman who wanted to video chat. 
    They talked twice online and the woman asked him to show off his body. While no “intimate” acts took place in the first online session, the police say, the second chat was another story — and the intimate footage he provided was then covertly recorded by the scam artist. 
    She then told her victim that their online session had been recorded and demanded £200 ($270) on pain of it being sent to all of his family and friends, now available to her through the Facebook connection. 
    The man refused, but over the next two hours, he received over 100 demands for payment. Eventually, he appeared to cave in — but instead blocked her and deactivated all of his accounts before contacting law enforcement. 
    Thames Valley asks for us to “not do anything silly” online, but this case — as it goes, a small fish in a large phishing pond and one in which the young man escaped from the net — still highlights how careful we need to be now about sharing intimate footage or allowing the opportunity for it to be taken online without our permission. 
    Sextortion is not a new concept, and unfortunately, the internet has provided a lucrative arena for people trying to extort money, sexual acts, services, or images from others. Some of the most common forms of sextortion are:
    Phishing emails: Messages claim to have seen your web history or pornographic website visits, and may also say that ‘hackers’ accessed your webcam and recorded you. 
    Phishing emails containing known passwords: The same, but with the addition of passwords used by you to access online accounts that may have been leaked in a data breach to try and appear more legitimate.
    Revenge porn: Threats to release intimate photos or videos online, sometimes by ex-partners or other people you know. 
    Internet of Things: Nest and Ring devices have been compromised to recycle old tactics and convince victims that hackers have illicit recordings of them. 
    Emotional triggers are the key: humiliation, fear, worry of friends, family, or co-workers finding out or viewing footage, and the concern of the future impact such material could have on your life. 
    A report conducted by Thorn and the Crimes Against Children Research Center (CCRC) estimates that in 45% of cases where a perpetrator has access to sensitive material, they will carry out their threat. 
    After all, it’s not them who face humiliation.
    With this in mind, it’s time to reconsider just what risks we are comfortable taking online, lockdown or not. Sextortion can be devastating but there’s no guarantee that a scammer will delete footage they have obtained after you’ve paid up — and may simply demand more and more from you.
    “Anybody who is threatened with this type of blackmail by an online contact is advised to contact the police and should refuse to send the scammer any money,” commented Ray Walsh, Digital Privacy Expert at ProPrivacy. “Once a scammer knows that a victim is willing to pay they will only double down and ask for more. For this reason, it is vital that you contact the police and refuse to pay.”


    Singapore tightens cyber defence guidelines for financial services sector

    Singapore has revised its current set of guidelines on technology risk management for financial institutions to include, amongst others, “strong oversight” of their partnerships with third-party service providers to ensure data confidentiality. The updated list also comprises updated guidance on security controls and stress tests as well as the appointment of third-party vendors and senior IT executives.
    Detailed under the Technology Risk Management Guidelines, the revisions were made to keep pace with emerging technologies and shifts in the current threat landscape, said the Monetary Authority of Singapore (MAS) in a statement Monday. 


    Noting that financial institutions increasingly were tapping cloud technologies and APIs (application programming interfaces), the industry regulator underscored the need to incorporate security controls and stronger risk mitigation strategies as part of these organisations’ technology development and deployment lifecycle.
    “The recent spate of cyber attacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment,” it added. 
    Services from third-party providers, for instance, would likely be delivered over IT systems and might involve confidential customer data stored by the provider. Any system failure or security breach on the part of these providers could adversely impact the financial institution’s customers and operations.
    The guidelines highlighted the need to assess and manage the company’s exposure to technology risks that might affect the confidentiality and availability of IT systems and data at the third-party service provider, before a contractual agreement or partnership was established. Financial institutions also should ensure, on an ongoing basis, that the third party adopted “a high standard of care and diligence” in safeguarding data confidentiality and integrity as well as system resilience.
    In addition, financial institutions must establish processes to enable the “timely analysis and sharing” of cyber threat intelligence within the sector and conduct drills to stress test their cyber defences, via the simulation of real-world attack tactics and procedures. 

    Stronger oversight should further extend to human skillsets, including contractors and service providers, where financial institutions should ensure all personnel had the requisite competence to perform the necessary IT functions and manage technology risks. 
    This should include the appointment of a CIO or CISO, and the financial institution’s board must comprise members with the necessary knowledge to offer “effective oversight of technology and cyber risks”, said MAS.
    MAS’ chief cyber security officer Tan Yeow Seng said: “Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.” 


    GDPR: German laptop retailer fined €10.4m for video-monitoring employees

    The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping €10.4 million ($12.5 million) for keeping its employees under constant video surveillance at all times for the past two years without a legal basis.

    The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well.
    The recipient is notebooksbilliger.de AG (doing business as NBB), an e-commerce portal and retail chain dedicated to selling laptops and other IT supplies.
    The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed a video monitoring system two years ago inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements.
    Officials said the video surveillance system was active at all times, and recordings were saved for as much as 60 days in the company’s database.
    But while the retailer thought it was running a banal video monitoring solution, as found in many other businesses across Germany and all over the world, the German data regulator found it to be a gross encroachment on the rights of German workers.
    Constant video surveillance encroaches privacy rights
    “We are dealing with a serious case of video surveillance in the company,” said Barbara Thiel, head of LfD Lower Saxony, in a press release earlier this month.

    “Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.”
    The German data regulator argued that employees do not have to give up their right to privacy because their employer puts them under suspicion of potentially committing a crime in the future.
    “If that were the case, companies could extend surveillance without limit,” Thiel said.
    The German official claimed that video surveillance was not to be used as a “deterrent” to prevent crime but only when an employer had justifiable suspicion against certain employees. In those cases, employees could be monitored for limited periods of time until the suspicion was confirmed, and not for years in a row.
    “Video surveillance is a particularly intensive encroachment on personal rights, because, theoretically, the entire behavior of a person can be observed and analyzed,” Thiel said.
    The LfD head said that because of the constant video monitoring, employees are under continuous stress and pressure to behave as inconspicuously as possible in order to avoid being criticized for their behavior.
    Furthermore, the German data regulator said that NBB also recorded customers while testing devices in its salesrooms without their knowledge or consent, which represented another major privacy breach.
    LfD officials said they fined the retailer for its constant video surveillance practices because they had no legal basis, citing the reasons above but also the fact that the company had failed to implement other methods of stopping thefts, such as random bag checks for customers and employees leaving their premises.
    NBB describes fine “as wrong as it is irresponsible”
    But in a PDF statement published on its website, NBB CEO Oliver Hellmold said the fine and accusation that it monitored employees were unfounded.
    “At no point was the video system designed to monitor employee behavior or performance. It wasn’t even technically equipped for it,” Hellmold said.
    The NBB CEO accused the LfD Lower Saxony office of misconduct. He argued that officials didn’t visit its premises during the three-year investigation and that NBB previously made adjustments to its video surveillance system at the office’s request in order to become compliant.
    Furthermore, Hellmold called the fine disproportionate to the company’s size and said that they plan to appeal.
    “It is absurd that an authority imposes a fine of more than 10 million euros without sufficiently investigating the matter. Apparently, an example is to be made here at the expense of our company,” he said.
    This is the second fine that the same LfD office has imposed on a company for video monitoring employees. The Hamburg-based data regulator previously fined fashion retail store chain H&M €35.3 million ($42.6 million) last October for a similar offense of keeping employees under constant video surveillance.


    Xiaomi denies any ties with Chinese military

    Xiaomi has released a statement saying it has no ties with the Chinese military, following allegations by the US government that it does.
    “The company confirms that it is not owned, controlled, or affiliated with the Chinese military, and is not a ‘Communist Chinese military company’ defined under the NDAA,” the company said in a statement on Friday.
    It further added that it has been “operating in compliance with the relevant laws and regulations of jurisdictions where it conducts its business”.
    “The company reiterates that it provides products and services for civilian and commercial use,” the statement said.
    It comes after the United States Department of Defense added the Chinese hardware manufacturer to a list of alleged Communist Chinese military companies.
    Alongside Xiaomi, Advanced Micro-Fabrication Equipment, Luokung Technology, Beijing Zhongguancun Development Investment Center, Gowin Semiconductor, Grand China Air, Global Tone Communication, China National Aviation Holding Company, and Commercial Aircraft Corporation of China were also added to the list.
    Other Chinese companies that were already on the list included Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.

    Outgoing and twice-impeached US President Donald Trump signed an executive order on 12 November 2020 that forbids trading and investing in any of the listed companies, and bans trading in any new companies 60 days after the US places such a Communist Chinese military company label on them.
    The New York Stock Exchange struggled to handle the consequences and interpretation of the listings, saying it would delist a trio of Chinese telcos — China Telecom, China Mobile, and China Unicom Hong Kong — before changing its mind, and then reverting to its original decision.
    In the executive order, Trump said China was “exploiting United States capital” to boost and update its military, which he claimed would allow Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons and malicious cyber-enabled actions against the United States and its people”.
    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.
    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also recently signed an executive order to ban eight Chinese apps — Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office — citing national security concerns.


    WhatsApp delays take it or leave it privacy terms update until May

    WhatsApp has announced that it will delay enforcing its new privacy terms from February 8 to May 15.
    With little fanfare, in recent weeks, WhatsApp has presented users with a prompt to accept its new privacy terms by February 8, or risk not being able to use the app. In the wording used, WhatsApp says the new privacy policy will change how it partners with Facebook to “offer integrations”, and that businesses can use Facebook services to manage WhatsApp chats.
    After some online consternation about what Facebook could access, WhatsApp clarified last week that its changes were focused on how businesses used the app.
    “We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way,” the company said. “Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data.”
    By the end of the week though, the company decided to delay the changes until May, saying there was a “lot of misinformation” flying around.
    “We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8,” it said.

    “We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15.”
    One of the beneficiaries of WhatsApp’s changes has been Signal, which has seen so many users sign up to its service that its infrastructure fell over at the weekend.
    “We have been adding new servers and extra capacity at a record pace every single day this week nonstop, but today exceeded even our most optimistic projections,” the company tweeted. “Millions upon millions of new users are sending a message that privacy matters.”
    Over a day later, the company said the service had resumed. However, some users have been seeing a “bad encrypted message” warning that requires them to reset the session. Signal said its next update will automatically fix this issue.


    Ransomware reveals the hidden weakness of our big tech world

    Ransomware continues to cause damage across the world. Rarely a week goes by without another company, or city, or hospital, falling prey to the gangs who will encrypt the data across PCs and networks and demand thousands or millions in exchange for setting it free.
    These aren’t victimless crimes; every successful attack means a company faces huge costs and risks being pushed out of business, or public services disrupted just when we need them, or medical services put in jeopardy in the middle of a crisis.


    And yet it seems impossible to stop the attacks or catch the gangs. That’s because the ongoing success of ransomware reflects many of the real-world failings of technology that we often forget or gloss over.
    There are obvious, fundamental weaknesses that ransomware exploits. In some cases these are problems that have existed for years, that the tech industry has failed to address; others are issues that are, right now, beyond the skills of the smartest entrepreneurs who want to tackle cybersecurity challenges.
    A few examples spring to mind. Hackers would be unable to gain even their first foothold if companies took security seriously. That means applying patches to vulnerable software when they are issued, not months or years later (or never). Equally, companies wouldn’t be on the tedious treadmill of applying constant security updates if the tech industry shipped software code that was secure in the first place.
    And while we tend to think of the borderless world of the internet, the real world of geopolitics looms large when it comes to ransomware as many of these gangs operate from countries that have no interest in catching such crooks or handing them over to police in other jurisdictions. In some cases that’s because the ransomware gangs are bringing in much needed funds for the country; in other cases so long as the gangs aren’t going after local victims, the authorities are quietly happy for them to create havoc elsewhere.

    It’s not all doom and gloom; the fight back against ransomware is advancing on a few fronts.
    Intel has showcased some new hardware-level technologies that it says will be able to detect a ransomware attack that antivirus alone might miss.
    A group of tech companies including Microsoft, Citrix and FireEye are working on a three-month project to come up with options that they promise will “significantly mitigate” the ransomware threat by identifying different ways of stopping such attacks. And more political pressure should be put on the nation states that are happy to let ransomware gangs flourish within their borders.
    There is also a need to put more pressure on governments to look at whether, and in what circumstances, it should be acceptable to pay the ransom at all. Profit is the only reason that ransomware exists; if it is possible to stop the gangs from making their big payday, then the problem goes away almost immediately.
    Everyone seems to agree that ransomware is a menace that can no longer be ignored. Now we need to see some tangible progress before these attacks create more chaos.


    DuckDuckGo surpasses 100 million daily search queries for the first time

    Privacy-focused search engine DuckDuckGo reached a major milestone in its 12-year history this week when it recorded on Monday its first-ever day with more than 100 million user search queries.
    The achievement comes after a period of sustained growth the company has been seeing for the past two years, and especially since August 2020, when the search engine began seeing more than 2 billion search queries a month on a regular basis.
    DuckDuckGo’s popularity comes after the search engine has expanded beyond its own site and now offers mobile apps for Android and iOS, as well as a dedicated Chrome extension.
    More than 4 million users have installed these apps and the extension, the company said in a tweet in September 2020.

    But the search engine’s rising popularity is also due to its stated goal of not collecting user data and providing the same search results to all users.
    As it highlighted last year, this lack of granular data sometimes makes it hard for the company to even estimate the size of its own userbase.
    But this dedication to privacy has also helped the company gain a following among the privacy-conscious crowd. DuckDuckGo has been selected as the default search engine in the Tor Browser and is often the default search engine in the private browsing modes of several other browsers.
    Historic week for privacy apps

    DuckDuckGo’s historical milestone comes in a week when both Signal and Telegram, two other privacy-centric apps, also announced major periods of growth.
    Telegram announced on Monday that it reached 500 million registered users, while Signal’s servers went down on Friday after seeing “millions upon millions of new users” in a sudden influx the company said exceeded even its most optimistic projections.

    We have been adding new servers and extra capacity at a record pace every single day this week nonstop, but today exceeded even our most optimistic projections. Millions upon millions of new users are sending a message that privacy matters. We appreciate your patience.
    — Signal (@signalapp) January 15, 2021

    Both spikes in new users for Signal and Telegram are a direct result of a major public relations snafu at Facebook after the company announced last week it would be blocking access to WhatsApp accounts unless users agreed to a new privacy policy that granted Facebook access to more WhatsApp user data.
    Yesterday, Friday, Facebook delayed the new privacy policy by three months, but by that point the damage had been done, and hundreds of millions of users were reminded of their right to privacy, flocking to Signal and Telegram — and it wouldn’t be a stretch to think that many users were also reminded to use DuckDuckGo instead of Google.


    Iconic BugTraq security mailing list shuts down after 27 years

    BugTraq, one of the cybersecurity industry’s first mailing lists dedicated to publicly disclosing security flaws, announced today it was shutting down at the end of the month, on January 31, 2021.

    The site played a crucial role in shaping the cybersecurity industry in its early, fledgling days.
    Established by Scott Chasin on November 5, 1993, BugTraq provided the first centralized portal where security researchers could expose vulnerabilities after vendors refused to release patches.
    The portal existed for many years in a legal gray zone. Discussions on the site about the legality of “disclosing” security flaws when vendors refused to patch are what shaped most of today’s vulnerability disclosure guidelines, the axioms on which most bug hunters operate today.
    Today, it sounds reasonable for a security researcher to release details about a patched or unpatched bug, but back then such details were often controversial, sometimes resulting in legal threats.

    But as time went by, BugTraq’s popularity and principles won the day. The portal became the first place where many major vulnerabilities were announced in an era where researchers couldn’t easily host personal sites and blogs.
    Similar bug disclosure lists were launched following BugTraq’s original model, and many security firms founded over the years ended up scraping the site’s content as a base for their own vulnerability databases.
    BugTraq’s demise

    BugTraq itself also changed hands several times, from Chasin to Brown University, then to SecurityFocus, which was acquired by Symantec.
    The portal’s demise started in 2019 when Broadcom acquired Symantec. Three months later, in February 2020, the site stopped adding new content, remaining mostly an empty shell.
    Today, the site’s last maintainers confirmed the portal’s current state of affairs and formalized BugTraq’s passing into infosec lore.
    “At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list,” the message read.
    Although many saw it coming, the site’s announcement triggered a wave of nostalgia from today’s cybersecurity veterans, many of whom either started out on or were active on the mailing list since its launch.

    I was an early 1980s Internet hacker. Let me explain why “Bugtraq” is probably the most important achievement in the world of cybersecurity. https://t.co/Eh1ySWdNJU
    — Robᵉʳᵗ Graham😷, provocateur (@ErrataRob) January 16, 2021

    “I’d liken its impact to the impact Twitter currently has on the way we communicate today,” said Ryan Naraine, former director of security strategy at Intel, and one of the cybersecurity industry’s veterans.
    “Except that it was mandatory to be on there [on BugTraq] to get advisories and live commentary from what wasn’t yet a fully formed security industry.
    “So many big stories were originally announced in BugTraq and FullDisclosure [another similar mailing list],” Naraine added.
    “It’s the place the Litchfields made their name in the early days. I remember David Litchfield consistently dropping Oracle hacking tools and research.
    “It was the watercooler that connected what was emerging as a security industry.”