More stories

    Samsung's new Galaxy Quantum 2 uses quantum cryptography to secure apps

    Developed together with SK Telecom, the Galaxy Quantum 2 is the second quantum-equipped smartphone released by Samsung.    
    Samsung is launching a new smartphone equipped with quantum cryptography technology, which promises to deliver a new level of security to consumer applications like mobile banking. Developed together with South Korean telecoms giant SK Telecom, the Galaxy Quantum 2 device will be — at least for the foreseeable future — only available to the South Korean public, and is the second quantum-equipped smartphone released by Samsung.

    With a 6.7-inch display, a 64MP main camera, and a Qualcomm Snapdragon 855+ chipset, the Quantum 2’s feature set matches some of Samsung’s flagship smartphones, with the additional security of quantum cryptography for some of the device’s services.

    The Quantum 2’s predecessor, called the Galaxy A Quantum, made its debut last year in South Korea as the world’s first 5G smartphone with integrated quantum cryptography technology. Like the new Quantum 2, the Galaxy A includes a quantum random number generator (QRNG) that’s designed to secure sensitive transactions against the most sophisticated attacks. Developed by ID Quantique, the QRNG comes in the form of a 2.5mm-by-2.5mm chipset that leverages the unpredictable properties of quantum particles to generate completely random numbers. This is key to making cryptographic keys more robust: the more random a key, the harder it is to recover it by mathematical analysis. Most classical systems rely on number generators that are deterministic, which means that it’s possible, with enough compute power, to figure out what makes up the cryptography keys that protect sensitive data on a device.

    ID Quantique’s system, on the other hand, uses an LED light source that beams photons onto a CMOS sensor. According to the laws of physics, the behaviour of photons as they are picked up by the sensor is random, and can therefore be translated into a key that’s completely unpredictable.

    In the Galaxy A Quantum, those unhackable keys are used to protect various transactions, for example by generating stronger one-time passwords during two-factor authentication. QRNG also increases the security of storage for sensitive data such as biometrics, which is needed to authorise payments through SK Telecom’s Pay app, for example. SK Telecom also lets users create “quantum wallets” on their phones, where useful identity documents like licences, insurance claim documents or even graduation certificates can be encrypted with QRNG.

    The new Quantum 2 smartphone extends the number of services that can be secured with quantum encryption. SK Telecom’s services like T World, Pass and T Membership, as well as mobile banking services with Shinhan Bank and Standard Chartered Bank Korea, will be provided using QRNG. “The Galaxy Quantum 2 includes more quantum-secured applications than ever before, bringing applications and services to a new level of security in the mobile phone industry,” said Grégoire Ribordy, CEO and co-founder of ID Quantique. The ID Quantique chip’s capabilities will also work automatically with apps that use the Android Keystore APIs, which means that developers will have the opportunity to access the technology to develop more apps that support quantum cryptography.

    It’s hard to tell how much excitement the news of quantum-secure services on a smartphone will generate among consumers. The technology seems rather niche from a user’s perspective, and the Quantum 2’s predecessor has, so far, made little impact outside of South Korea. That said, according to SK Telecom’s latest statistics, the Galaxy A Quantum sold more than 300,000 units in the first six months following its release, figures the company described as among the highest sales volumes for Galaxy 5G smartphones released that year in South Korea — with numbers comparable, for example, to sales for the S20 and Note 20. It’s worth noting that the Galaxy S20 and the Note 20 recorded drastically lower sales than previous generations due to the impact of the COVID-19 crisis.

    SK Telecom nevertheless confirmed that discussions are ongoing to expand the lineup of quantum-equipped smartphones, with plans to open the technology to new applications, including services provided by Samsung Card. “With the Galaxy Quantum 2, we have successfully expanded the application of quantum security technologies to a wider variety of services including financial and security services,” said Han Myung-jin, Vice President and Head of Marketing Group of SK Telecom. “Our efforts will continue to keep expanding services that are safely and securely provided via the Galaxy Quantum 2.” Pre-orders for the Galaxy Quantum 2 will open in South Korea from April 13 to 19, and the device will officially launch in the country on April 23.

    Cybersecurity: Victims are spotting cyber attacks much more quickly – but there's a catch

    The amount of time cyber criminals are spending inside compromised networks is dropping. But while that might sound like a positive development, one reason hackers are spending less time inside networks is the surge in ransomware attacks.

    Researchers at cybersecurity company FireEye Mandiant analysed hundreds of cyber incidents and found that the global median dwell time – the duration between the start of a security intrusion and when it’s identified – has dropped below a month for the first time, standing at 24 days.

    According to the M-Trends 2021 annual threat report, that means incidents are being identified twice as quickly as they were last year, when the average dwell time was 56 days – and much more quickly than they were a decade ago, when it often took over a year for organisations to realise that cyber criminals had infiltrated the network.

    While some of this reduction in dwell time is thanks to better detection and response capabilities from organisations, the rise in ransomware has also played a role.

    Ransomware attacks have become an increasingly dangerous cybersecurity issue, with cyber criminals infiltrating networks, compromising all they can with file-encrypting malware and then demanding a ransom payment – most commonly in Bitcoin – in exchange for restoring the network.

    The attacks are highly lucrative for cyber criminals, but unlike most other forms of cyber attack, ransomware doesn’t remain under the radar – victims of ransomware attacks know they’ve become a victim when their network is suddenly encrypted and a ransom note is left by the attackers.

    One of the key advantages of ransomware attacks for cyber criminals is that they have the potential to make them a lot of money in a relatively short space of time. Once they’ve compromised all the required assets on the network, there’s no point waiting around, so the criminals will execute the ransomware attack as quickly as possible.

    As long as ransomware attacks remain successful, there’s no reason to believe cyber criminals will stop launching them against organisations with vulnerable networks.

    “The ransomware expansion demonstrates it proves valuable to attackers. Put simply, attackers will operate in ways that produce impacts for their motivations,” Steven Stone, senior director of advanced practices at Mandiant, told ZDNet. “More and more attackers are using ransomware for a wider variety of motivations. We expect this diversity to continue over time and provide for more challenging intrusions in 2021.”

    Ransomware isn’t the only threat organisations face: cyber criminals will, for example, continue attempting to compromise networks in phishing and malware campaigns.

    While being able to quickly detect attacks inside the network is better than not detecting them at all, the best way to protect the organisation from cyber threats is to detect or prevent them before they’ve even had a chance to compromise the network. To help with this, the FireEye Mandiant report recommends security fundamentals including vulnerability and patch management, so that cyber attacks can’t take advantage of known vulnerabilities in the network.

    Broadcom moves its Symantec, CA software portfolios to Google Cloud

    Broadcom will deliver its suite of Symantec and enterprise operations software, including CA, on Google Cloud. Broadcom said the strategic partnership with Google Cloud will strengthen its “cloud services integration” throughout its portfolio of security, operations and DevOps applications.

    Broadcom said that it has migrated its Symantec Web Security Service and Cloud Access Security Broker onto Google Cloud and will soon move its other cybersecurity applications. Broadcom said the move modernized its security stack and improved service delivery.

    According to Broadcom, Google Cloud’s infrastructure accelerates its development, cuts latency, scales more easily and enables it to diversify its public Internet options. For Google Cloud, landing a big SaaS player like Broadcom is a good win. Amazon Web Services frequently touts software vendors that ride on its infrastructure. Under the partnership, Broadcom will utilize Google Cloud’s analytics tools including Dataproc, Cloud SQL and Bigtable.

    Although Broadcom’s move to Google Cloud started with its security software, the company’s business management, testing, DevOps, AIOps and agile management applications will also migrate.

    Brave browser disables Google's FLoC tracking system

    Brave, a Chromium-based browser, has removed FLoC, Google’s controversial alternative identifier to third-party cookies for tracking users across websites. FLoC, or Federated Learning of Cohorts, has just been released by Google for Chrome as its answer to improving privacy while still delivering targeted ads.

    “The worst aspect of FLoC is that it materially harms user privacy, under the guise of being privacy-friendly,” says Brave in a blog post.

    FLoC has been widely criticised by privacy advocates, even though it is an improvement on third-party cookies. The Electronic Frontier Foundation (EFF) calls it a “terrible idea” because Chrome now shares a summary of each user’s recent browsing activity with marketers.

    “A browser with FLoC enabled would collect information about its user’s browsing habits, then use that information to assign its user to a ‘cohort’ or group,” writes Bennett Cyphers, an EFF technologist. “Users with similar browsing habits — for some definition of ‘similar’ — would be grouped into the same cohort. Each user’s browser will share a cohort ID, indicating which group they belong to, with websites and advertisers.”

    Brave, a privacy-focused browser headed up by Mozilla co-founder and key JavaScript designer Brendan Eich, says it has removed FLoC from the Nightly version of Brave for the desktop and Android.

    Brave points to the California Consumer Privacy Act of 2018 (CCPA) and Europe’s General Data Protection Regulation (GDPR) as signs that consumers are demanding privacy on the web. “In the face of these trends, it is disappointing to see Google, instead of taking the present opportunity to help design and build a user-first, privacy-first Web, proposing and immediately shipping in Chrome a set of smaller, ad-tech-conserving changes, which explicitly prioritize maintaining the structure of the Web advertising ecosystem as Google sees it,” Brave says in a blog post.

    The search engine DuckDuckGo last week released a Chrome extension to block FLoC tracking, comparing it to “walking into a store where they already know all about you”.

    Brave argues that because the feature does impact user privacy, it should be something that users need to opt in to. “Given that FLoC can be harmful for site operators too, we recommend that all sites disable FLoC. In general, any new privacy-risking features on the web should be opt-in,” Brave says. “This is a common-sense principle to respect Web users by default. One might wonder why Google isn’t making FLoC opt-in. We suspect that Google has made FLoC opt-out (for sites and users) because Google knows that an opt-in, privacy harming system would likely never reach the scale needed to induce advertisers to use it.”

    Microsoft, which is also using Chromium as the basis for its new Edge browser, responded to ZDNet’s request for its position on FLoC as follows: “We believe in a future where the web can provide people with privacy, transparency and control while also supporting responsible business models to create a vibrant, open and diverse ecosystem. Like Google, we support solutions that give users clear consent, and do not bypass consumer choice. That’s also why we do not support solutions that leverage non-consented user identity signals, such as fingerprinting. The industry is on a journey and there will be browser-based proposals that do not need individual user ids and ID-based proposals that are based on consent and first party relationships. We will continue to explore these approaches with the community. Recently, for example, we were pleased to introduce one possible approach, as described in our PARAKEET proposal. This proposal is not the final iteration but is an evolving document.”

    According to the EFF, Google has rolled out FLoC to 0.5% of Chrome users in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the US. But the company hopes to roll it out to 5% of users.

    Updated with Microsoft response at 17:30 BST, 13 April 2021

    These new vulnerabilities put millions of IoT devices at risk, so patch now

    Security vulnerabilities in millions of Internet of Things (IoT) devices could allow cyber criminals to knock devices offline or take control of them remotely, in attacks that could be exploited to gain wider access to affected networks.

    The nine vulnerabilities affecting four TCP/IP stacks – communications protocols commonly used in IoT devices – relate to Domain Name System (DNS) implementations, and can lead to Denial of Service (DoS) or Remote Code Execution (RCE) by attackers. Over 100 million consumer, enterprise and industrial IoT devices are potentially affected.


    Uncovered and detailed by cybersecurity researchers at Forescout and JSOF, the vulnerabilities have been dubbed Name:Wreck after the way the parsing of domain names can break DNS implementations in TCP/IP stacks, leading to potential attacks.

    The report follows Forescout’s previous research into vulnerabilities in Internet of Things devices and forms part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them. Vulnerabilities were uncovered on popular stacks including Nucleus NET, FreeBSD and NetX.

    While security patches are now available to fix the vulnerabilities, applying security updates to IoT devices can be difficult – if it’s even possible at all – meaning that many could remain vulnerable, potentially providing a means for cyber attackers to compromise networks and services.

    “This can be an entry point, a foothold into a network and from there you can decide, basically, what the attack is,” Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet.

    “One of the things that you can do is just basically take devices offline by sending malicious packets that crash the device. Another thing is when you’re able to actually execute code on the device, that opens up the possibility of persistence on the network or moving laterally in the network to other kinds of targets,” he explained.

    According to the report, organisations in healthcare could be among the most affected by the security flaws in the stacks, which could enable attackers to access medical devices and obtain private healthcare data, or even take devices offline to prevent patient care. The vulnerabilities could also help cyber attackers gain access to enterprise networks and steal sensitive information, and may have the potential to impact industrial environments by enabling attackers to tamper with — or disable — operational technology.

    It is therefore recommended that organisations apply the necessary security patches as soon as possible to help protect their networks. “Complete protection against Name:Wreck requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks,” said dos Santos.

    In some cases, it might not even be possible to apply patches to IoT devices. In these instances, there are additional steps organisations can take to help protect networks against exploitation. “Besides patching, which of course is the thing that everybody should try to do, there are other things that can be done, like segmentation and monitoring network traffic,” said dos Santos.

    It’s hoped that developers of TCP/IP stacks take heed of all of the Project Memoria reports in order to build better security into devices and prevent similar security vulnerabilities being uncovered in future. “There is much work left to be done to understand the real dangers behind the foundations of IT/OT/IoT connectivity, and the more parties we can get involved in finding vulnerabilities, fixing them and providing higher-level solutions, the faster we can transition to a more secure world,” the research paper concludes.
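Name:Wreck concerns the way malformed domain names can break DNS parsing inside embedded TCP/IP stacks. As an added illustration, not code from Forescout, JSOF or any of the affected stacks, here is a bounds-checked decoder for DNS names in wire format (RFC 1035 labels with compression pointers) showing the checks such a parser needs so that a crafted packet can neither push reads past the message buffer nor loop on self-referencing pointers; the sample message bytes are constructed, and the DNS_MAX_PTRS hop cap is an assumption rather than anything the RFC prescribes.

```c
/* Bounds-checked DNS wire-format name decoder (example code for this page). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: a label is at most 63 octets */
#define DNS_MAX_PTRS  16   /* cap on compression-pointer hops (assumption) */

/* Decode the name starting at msg[off] into out as a dotted, NUL-terminated
 * string.  Returns the number of bytes the name occupies at 'off' (up to and
 * including the first compression pointer, if any), or -1 if the name is
 * malformed.  'len' is the total length of the message buffer. */
int dns_decode_name(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, consumed = 0;
    int jumped = 0, hops = 0;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                   /* read past end of message */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                    /* compression pointer */
            if (pos + 1 >= len) return -1;           /* pointer byte truncated */
            if (++hops > DNS_MAX_PTRS) return -1;    /* too many hops */
            size_t target = (size_t)((c & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;            /* must point backwards: no loops */
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                     /* 0x40/0x80 prefixes are reserved */
        if (c == 0) {                                /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            break;
        }
        if (c > DNS_MAX_LABEL) return -1;
        if (pos + 1 + c > len) return -1;            /* label runs off the message */
        if (outpos + c + 2 > outlen) return -1;      /* room for '.', label, NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, c);
        outpos += c;
        pos += 1 + c;
    }
    out[outpos] = '\0';
    return (int)consumed;
}

/* Constructed sample message (not a real capture): a zeroed 12-byte header
 * followed by two well-formed names and two malformed ones. */
static const uint8_t SAMPLE_MSG[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* off 12 */
    4,'m','a','i','l', 0xC0,0x10,   /* off 29: "mail" + pointer to off 16  */
    0xC0,0x24,                      /* off 36: pointer to itself (loop)     */
    5,'a','b'                       /* off 38: label longer than the packet */
};

/* Decode the sample at 'off': returns bytes consumed when the result equals
 * 'expected', -1 when the parser rejects the name, -2 on a mismatch. */
int sample_decode(size_t off, const char *expected)
{
    char buf[256];
    int n = dns_decode_name(SAMPLE_MSG, sizeof SAMPLE_MSG, off, buf, sizeof buf);
    if (n < 0) return -1;
    return strcmp(buf, expected) == 0 ? n : -2;
}

int main(void)
{
    const size_t offs[] = { 12, 29, 36, 38 };
    for (size_t i = 0; i < 4; i++) {
        char buf[256];
        int n = dns_decode_name(SAMPLE_MSG, sizeof SAMPLE_MSG, offs[i], buf, sizeof buf);
        if (n < 0) printf("off %zu: rejected\n", offs[i]);
        else       printf("off %zu: %s (%d bytes)\n", offs[i], buf, n);
    }
    return 0;
}
```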

    Billions of smartphone owners will soon be authorising payments using facial recognition

    Facial recognition will increasingly be deployed to verify the identity of a user making a payment with their handset.

    The next few years will see billions of users regularly using facial recognition technology to secure payments made through their smartphones, tablets or smartwatches, according to new analysis carried out by Juniper Research. Smartphone owners are already used to staring at their screens to safely unlock their devices without having to dial in a secret code; now, facial recognition will increasingly be deployed to verify the identity of a user making a payment with their handset, whether that’s via an app or directly in-store, in wallet mode.


    In addition to facial features, Juniper Research’s analysts predict that a host of biometrics will be used to authenticate mobile payments, including fingerprint, iris and voice recognition. Biometric capabilities will reach 95% of smartphones globally by 2025, according to the researchers; by that time, users’ biological characteristics will be authenticating over $3 trillion-worth of payment transactions — up from $404 billion in 2020.

    Mobile devices are increasingly used to replace credit cards, enabling users to leave their wallets at home even when visiting a shop, but also offering myriad new opportunities to make purchases online. From Instagram shopping to the Google Play store, the e-commerce ecosystem is growing rapidly — and at the same time, it’s opening many new avenues for fraudsters to exploit new vulnerabilities. Using rogue apps, malevolent actors can trick users into letting them handle financial payments, for example, while synthetic data and deepfakes can be used to commit synthetic identity payment fraud. This is why it’s vital to ensure that when a payment is made, the user spending money is who they say they are.

    That’s why biometrics are becoming critical to improving the security of mobile payments, with facial recognition, in particular, set to grow in popularity. But not all technologies are created equal: Juniper’s analysts effectively draw a line between software-based and hardware-based facial recognition tools.

    “All you need for software-based facial recognition is a front-facing camera on the device and accompanying software,” Nick Maynard, lead analyst at Juniper Research, tells ZDNet. “In a hardware-based system, there will be additional hardware layers that add additional security levels. It’s increasingly important to differentiate because hardware-based systems are the more secure of the two.”

    The leading example of hardware-based facial recognition technology is Apple’s Face ID, which can be used to authorize purchases from the iTunes Store, App Store and Apple Books, and to make payments with Apple Pay. Face ID is enabled by a camera system called TrueDepth, which is built by Apple, and which analyzes over 30,000 dots on the user’s face to create a biometric map that’s coupled with an infrared shot and compared to the facial data previously enrolled by the user. The technology is precise enough to identify spoofing — for example, by distinguishing a real person from a 2D photograph or a mask.

    Driven by Apple’s technology, a growing number of vendors are now working to incorporate hardware-based facial recognition technology in their devices. Maynard’s research shows that between now and 2025, the number of handsets using hardware-based systems will grow by a dramatic 376% to reach 17% of smartphones.

    “Hardware-based systems obviously have additional costs per device,” says Maynard, “but the reason it is growing well is really that Apple has been driving it forward. They’ve made the technology a part of their high-end devices, and shown that hardware-based facial recognition technology can be done and can be very secure.”

    But despite the seeming popularity of hardware-based systems, Juniper’s researchers found that many vendors will first be opting for a software-based alternative. This will be the case for many Android phones, for example, where less control over the hardware can be exercised, making it tempting to deploy a technology that’s purely software-based. To implement a software-based facial recognition system, all vendors need is the correct software development kit (SDK) installed on the device, as well as a decent-quality front-facing camera. With such low barriers to entry, Juniper expects the number of smartphone owners using the technology to secure payments to grow by 120% to 2025, to reach 1.4 billion devices — that is, roughly 27% of smartphones globally.

    As fraudsters refine their techniques and attacks become more sophisticated, Maynard expects hardware-based technologies to close the gap. Smartphone vendors will be deploying facial recognition on a software basis to start with, the analyst explains, before upgrading to hardware-based methods once they see how popular the technology is.

    “Fraudsters are always trying to evolve their tactics and develop new methods of fooling whatever security measures are in place,” says Maynard. “They experiment with photos, 3D-printed masks – you name it, it’s been tried. It’s essentially an arms race between fraudsters and security providers.”

    “Software-based facial recognition is strong because it’s very easy to deploy,” Maynard continues, “but we are expecting a shift towards hardware-based systems as software becomes invalidated by fraudster approaches. Fraudster methods are always evolving, and the hardware needs to evolve with it.”

    Juniper’s research, in effect, recommends that vendors implement the strongest possible authentication tools, or risk losing the trust of users as spoofing attempts increase. This could take the form of a technology that encompasses several biometric features to secure payments, such as facial recognition, fingerprints, voice and behavioral indicators. The Juniper researchers expect that fingerprint sensors will feature on 93% of biometrically-equipped smartphones by 2025, and that voice recognition will grow to over 704 million users in the same period.

    That’s not to say that even state-of-the-art biometric technologies come without flaws. “The pandemic has shown that facial recognition doesn’t really work with face masks,” says Maynard. “I wear glasses — it’s even less useful because your glasses steam up and then the technology has no idea what it’s looking at. A lot of Apple Pay users have resorted to passcodes during the past few months, and that is problematic. So, we’ll also see more work on what vendors can do to improve the accuracy of the technology.”

    PayPal rolls out new fraud management tools for merchants

    PayPal is launching a new suite of fraud management features for mid-market and enterprise businesses that aims to help combat the rise in online payments fraud brought on by the pandemic.

    The COVID-19 pandemic spurred unprecedented growth in online spending in 2020, with e-commerce penetration reaching an all-time high of 21.3% — the highest year-over-year jump for US retail sales ever recorded, according to estimates. But the spike in e-commerce and digital payments also led to an increase in online scams, sophisticated attempts at fraud by malicious actors and new operating risks for online businesses.

    According to PayPal, its new Fraud Protection Advanced service uses device fingerprinting, machine learning and analytics to help businesses identify, investigate, resolve and mitigate fraudulent transactions. The technology allows for real-time data modeling to help businesses spot shifting fraud patterns, and enables high fraud decisioning performance that can lead to lower chargebacks and fewer false declines. Additional improvements include the ability to customize filters and fields in an effort to reduce a merchant’s exposure to fraud and help them differentiate between legitimate and non-legitimate transactions. Overall, PayPal is pitching the improved service as a way for merchants to increase their authorization and conversion rates.

    “Fraud Protection Advanced builds on our existing Fraud Protection solution and is part of our larger suite of offerings for merchants in the PayPal Commerce Platform that help them to manage risk and payments,” PayPal wrote in a blog post. “As we build on these solutions, we will continue our commitment to democratizing access to critical tools and resources for all merchants that help better protect their businesses.”

    Critical security alert: If you haven't patched this old VPN vulnerability, assume your network is compromised

    Cyber criminals and nation-state cyber-espionage operations are actively scanning for unpatched vulnerabilities in Fortinet VPNs; organisations that use Fortigate firewalls on their network, and have yet to apply a critical security update released almost two years ago, should assume they’ve been compromised and act accordingly. The alert from the National Cyber Security Centre (NCSC) follows a report by Kaspersky detailing how cyber criminals are exploiting a Fortinet VPN vulnerability (CVE-2018-13379) to distribute ransomware by exploiting unpatched systems and remotely accessing usernames and passwords, allowing them to manually undertake activity on the network.

    The NCSC – along with CISA and the FBI – has also warned that Advanced Persistent Threat (APT) nation-state hacking groups are still actively scanning for unpatched CVE-2018-13379 vulnerabilities as a means of gaining access to networks for cyber-espionage campaigns.

    Fortinet issued a critical security update to counter the security vulnerability after it was discovered in 2019, but almost two years later a significant number of organisations have yet to apply the patch to their enterprise network, leaving them vulnerable to cyberattacks. Cyber criminals have published a list of almost 50,000 IP addresses relating to unpatched devices; the NCSC warns that 600 of these are in the UK and that the organisations running them are “at very high risk of exploitation”.

    In fact, the NCSC has warned that organisations using unpatched Fortinet VPN devices must assume they are now compromised, and should begin incident management procedures. That includes removing the device from service and returning it to factory settings, as well as investigating the network for suspicious or unexpected activity.

    “This recent activity emphasises the importance of NCSC advice to install security updates as soon as is practicable following their release to ensure action is taken before exploitation is observed,” said the alert. The NCSC recommends that all Fortinet VPN users check whether the 2019 updates have been installed and, if they haven’t, apply them immediately to prevent cyber attackers from exploiting the vulnerability.

    “The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade,” a Fortinet spokesperson told ZDNet. “If customers have not done so, we urge them to immediately implement the upgrade and mitigations,” Fortinet added.
