More stories

  • Debt-chasing UK councils potentially expose private resident data

    UK taxpayers have been connected to a reminder system used by councils that potentially exposed their sensitive data online. 

    An investigation conducted by The Register found that a debt-chasing service “freely exposed to the public thousands of taxpayers’ names, addresses, and outstanding debts” via bulk SMS messages sent to remind residents of unpaid bills. The system was developed by Telsolutions, who acted on behalf of an estimated dozen UK councils.

    Debt defaulters were sent text message reminders containing a URL leading to a basic web page showing a council resident’s personal data and outstanding bill. However, changing the alphanumeric characters in the web address could reveal records belonging to others — including those living in different council areas. The publication says that no authentication or security checks were in place in a few cases. While some councils did require a postcode as a verification method, this is far from enough to stop a determined individual from collecting private, sensitive information on a target.

    Telsolutions told The Register they have since resolved the issue and have “further increased security and introduced new measures to prevent malicious intent.” A number of the councils contacted said they took security “seriously”; while one said its Data Protection Officer had been informed, others either pointed to the fact that the majority of links are never accessed, or said they were now investigating the issue.

    In 2019, Gateshead council admitted to a slew of data breaches, including when a list containing the details of 53 individuals who owed the council money was sent to a resident, and the upload of medical data to an online forum. Last week, Birmingham council allegedly exposed the details of children deemed vulnerable by accidentally uploading them to a taxpayer service.
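The two reminder-link designs the story above contrasts, as an added example that is not Telsolutions’ or any council’s code: a lookup keyed on the account reference carried in the URL beside one keyed on a random, expiring token that still requires the postcode as a second factor. Record data, names and the host are constructed.

```python
# Added example (not Telsolutions' or any council's code): a guessable-reference
# reminder link beside a token-based one. All records, names and hosts are constructed.
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample records, keyed by a sequential account reference.
RECORDS: Dict[int, dict] = {
    1001: {"name": "Resident A", "postcode": "AB1 2CD", "owed": 120.50},
    1002: {"name": "Resident B", "postcode": "EF3 4GH", "owed": 80.00},
}


def weak_lookup(ref_in_url: str) -> Optional[dict]:
    """Failure mode described in the story: the SMS link carries the account
    reference itself and nothing else is checked, so every reference resolves to
    someone's record and the whole table is reachable by editing the URL."""
    try:
        return RECORDS.get(int(ref_in_url))
    except ValueError:
        return None


def norm_postcode(pc: str) -> bytes:
    """Compare postcodes case- and space-insensitively ('ab12cd' == 'AB1 2CD')."""
    return "".join(pc.split()).upper().encode()


class ReminderLinks:
    """Hardened form: each link carries a random token that the server maps to
    exactly one record. Tokens are unrelated to account references, expire, and
    a postcode is still required as a second factor. State is in-memory here;
    a real service would persist it."""

    def __init__(self, ttl_seconds: int = 14 * 24 * 3600):
        # token -> (account reference, expiry as a Unix timestamp)
        self._tokens: Dict[str, Tuple[int, float]] = {}
        self.ttl = ttl_seconds

    def issue(self, account: int, now: float) -> str:
        """Mint the URL to put in the SMS. 192 bits of randomness: not enumerable."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (account, now + self.ttl)
        return f"https://reminders.example.invalid/r/{token}"  # placeholder host

    def lookup(self, token: str, postcode: str, now: float) -> Optional[dict]:
        """Resolve a token taken from the URL. Returns None for unknown, expired
        and wrong-postcode requests alike, so the response does not reveal which
        check failed."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        account, expiry = entry
        if now > expiry:
            del self._tokens[token]  # stale links stop working for good
            return None
        rec = RECORDS.get(account)
        if rec is None:
            return None
        # Constant-time compare so response timing does not leak the postcode.
        if not hmac.compare_digest(norm_postcode(rec["postcode"]), norm_postcode(postcode)):
            return None
        return rec


def token_from_url(url: str) -> str:
    """The token is the last path segment of the issued URL."""
    return url.rsplit("/", 1)[1]


if __name__ == "__main__":
    links = ReminderLinks(ttl_seconds=60)
    tok = token_from_url(links.issue(1001, now=1000.0))
    print("weak, edited ref  :", weak_lookup("1002"))  # somebody else's record
    print("hardened, correct :", links.lookup(tok, "ab12cd", 1010.0))
    print("hardened, wrong pc:", links.lookup(tok, "EF3 4GH", 1010.0))
    print("hardened, expired :", links.lookup(tok, "AB1 2CD", 2000.0))
```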

  • Cloudflare debuts zero-trust browsing service for remote enterprise workforce

    Cloudflare has debuted a new zero-trust tool designed to help protect remote employees from cyberattacks. 

    When the COVID-19 pandemic forced many of us out of the traditional office and into hastily-created home setups, we — and the organizations we work for — were suddenly required to rely on either personal or company on-loan devices to continue performing our jobs. When it comes to cybersecurity, this means that the potential attack surface for threat actors increased, because remote and end-user devices now needed to connect to corporate resources.

    According to Reboot Online, 44% of businesses in the UK alone have experienced a security breach since stay-at-home orders were imposed, a 20% increase year-over-year.

    Working from home, whether as a permanent option or as part of hybrid models, may become standard, and so the corporate world needs to consider how best to keep its networks protected whilst also catering to a remote workforce.

    To this end, Cloudflare has contributed a new zero-trust solution for browser sessions. On Tuesday, the web security firm launched Cloudflare Browser Isolation, software that creates a “gap” between browsers and end-user devices in the interests of safety. Instead of employees launching local browser sessions to access work-related resources or collaborative tools, the service runs the requested web page in the cloud and streams a replica to the end-user.

    Cloudflare says that tapping into the firm’s global network to run browser sessions circumvents the usual speed downgrades and potential lag caused by typical, pixel-based streaming. As there is no direct browser link, this can mitigate the risk of exploits, phishing, and cyberattacks. In addition, Cloudflare automatically blocks high-risk websites based on existing threat intelligence. The solution has now been made available through Cloudflare for Teams.

    “Everyone uses a web browser, and that makes it the perfect target for attackers all over the world,” commented Matthew Prince, Cloudflare CEO. “We don’t believe that the most effective protection to these attacks should be restricted to a handful of large companies with huge IT teams. Cloudflare Browser Isolation can be deployed by anyone in just a few clicks and automatically protects against the majority of threats people face online.”

  • Three billion phishing emails are sent every day. But one change could make life much harder for scammers

    Cyber criminals are sending over three billion emails a day as part of phishing attacks designed to look like they come from trusted senders. By spoofing the sender identity used in the ‘from’ field in messages, cyber criminals attempt to lure potential victims into opening emails from names they trust. This could be the name of a trusted brand like a retailer or delivery company, or even, in more sophisticated attacks, the name of their CEO or a colleague.

    These phishing attacks might sound simple, but they work – and that’s why so many of these messages are distributed by cyber criminals. According to a report by email security company Valimail, over three billion spoofing messages are sent every day, accounting for 1% of all email traffic.

    One of the reasons why email remains such a common attack vector is the rise of remote working. Employees are dealing with an increase in corporate communications being conducted over email, while the reality of working from home means that it’s harder for people to ask a colleague whether an email is legitimate. All of this combined means that phishing emails are putting people and organisations at risk of cyberattacks, including credential theft, malware and ransomware.

    However, it’s possible for organisations to help defend against spoofed emails by applying DMARC (Domain-based Message Authentication, Reporting & Conformance), an email authentication protocol. When a domain publishes a DMARC policy at enforcement, receiving mail servers check that a message claiming to come from that domain was actually authorized by it (via SPF or DKIM) and reject or quarantine messages that fail, so only authorized senders can deliver email using the domain. It also contains a reporting function for ongoing improvement and protection.

    DMARC enforcement helps prevent spoofed emails from being delivered in the first place: analysis by Valimail found that 1.9% of email from domains without DMARC enforcement is suspicious, while just 0.4% of email from domains with DMARC enforcement is suspicious. Ultimately, domains without DMARC applied are almost five times more likely to be the target of phishing emails than domains that do have it applied, so organisations can help make the internet a safer place by protecting their domains with it.

    “Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO and co-founder of Valimail. “By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issued, confidential information is obtained and reputations sink.”
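How a receiving mail server applies a domain’s DMARC record to one message, as an added example (not Valimail’s or ZDNet’s code) that shows why a domain with only a monitoring policy still lets spoofed mail through while a domain at enforcement rejects it. Domains, records and authentication results are constructed, and the organizational-domain check is simplified.

```python
# Added example (not Valimail's or ZDNet's code): applying a DMARC record to a message
# and the difference between a record that is merely present (p=none) and one at
# enforcement (p=reject). Domains and authentication results below are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthResult:
    """What the receiver already knows about a message before DMARC is applied."""
    from_domain: str                   # domain in the visible From: header
    spf_domain: Optional[str] = None   # domain SPF was checked against (MAIL FROM)
    spf_pass: bool = False
    dkim_domain: Optional[str] = None  # d= of the DKIM signature, if any
    dkim_pass: bool = False


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; rua=mailto:..'."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real receivers consult the Public Suffix List (co.uk and the like)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: Optional[str], r: AuthResult) -> str:
    """Return 'pass', or the action the From domain's policy requests on failure:
    'none' (deliver, report only), 'quarantine' or 'reject'.
    No record at all behaves like p=none: spoofed mail is delivered as usual."""
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    return tags["sp"] if is_subdomain and "sp" in tags else tags["p"]


# Constructed messages. SPOOFED is the attack in the story: the sending server passes
# SPF for its own domain, but nothing authenticates the From domain the user sees.
SPOOFED = AuthResult("example.com", spf_domain="bulk.spoofer.invalid", spf_pass=True)
LEGIT = AuthResult("example.com", spf_domain="bounce.example.com", spf_pass=True,
                   dkim_domain="example.com", dkim_pass=True)
LEGIT_SPF_ONLY = AuthResult("example.com", spf_domain="bounce.example.com", spf_pass=True)

MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for name, rec in (("no record", None), ("p=none", MONITOR_ONLY), ("p=reject", ENFORCED)):
        spoofed, legit = dmarc_disposition(rec, SPOOFED), dmarc_disposition(rec, LEGIT)
        print(f"{name:10} spoofed -> {spoofed:10} legitimate -> {legit}")
```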

  • Oil giant Shell discloses data breach linked to Accellion FTA vulnerability

    Shell has disclosed a data breach involving stakeholders that exposed personal information records. 

    The oil and gas company said an unknown threat actor managed to gain access to “various files” during the time of intrusion, which included personal data and information “from Shell companies and some of their stakeholders.” Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators.

    The firm added that it does not appear core IT systems have been compromised, as the route of access was isolated from the rest of Shell’s central infrastructure.

    However, the data breach has been connected to Accellion’s File Transfer Appliance (FTA), enterprise software used to transfer large files — and a solution linked to a string of security incidents in December 2020 and January 2021. Accellion FTA, a legacy product that has now been formally retired, contained a zero-day vulnerability that was patched within three days of the vendor being made aware of active attacks utilizing the security flaw. However, thousands of organizations worldwide rely on the appliance, leading to a string of attacks against high-profile corporations and government entities.

    The first case was reported by the Reserve Bank of New Zealand. Organizations including the Australian Securities and Investments Commission (ASIC), Singtel, and Qualys soon followed. FireEye’s Mandiant team was pulled in to conduct an assessment of the Accellion FTA vulnerability, finding two further vulnerabilities — albeit accessible only by authenticated FTA users — and all bugs, as of now, have been resolved in FTA. If systems remain unpatched, however, they also remain vulnerable to exploit.

    The companies said in February that threat group FIN11 has been connected to the FTA zero-day exploit activity. “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said. “Within this group, fewer than 25 appear to have suffered significant data theft.” CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have now been reserved to track associated vulnerabilities. Users of Accellion FTA are recommended to switch to Kiteworks.

    “We will continue to monitor our IT systems and improve our security,” Shell says. “We regret the concern and inconvenience this may cause the affected parties.”

  • Digital transformation: This is why CIOs need to stay brave and keep on innovating

    Embracing innovation comes with risk. Exciting product launches don’t always go according to plan – and when that happens, you need to act quickly, learn from it and find new ways of making a difference. That’s certainly been the case for Graeme Hackland, CIO at Williams F1, whose team had to pull a recent plan to launch its new FW43B racing car using virtual reality, when leaked images appeared online before the scheduled reveal.

    But this episode won’t put Hackland off trying to innovate. As the person responsible for IT risk at Williams, he says he will not be telling his board to steer clear of emerging technologies. The firm is already investigating how it might take advantage of artificial intelligence to help improve decision-making processes. There are also plans for more data-led services that will help boost fan engagement. Hackland, in short, is keen to keep on innovating – so long as the risk to the business is kept in check.

    “When I get the opportunity at the next board meeting, I’ll be encouraging us to stay brave and to keep embracing new technology in this way. The digital transformation journey we’re on now is not just about our internal systems. For us, it was always about fan engagement as well,” he says.

    Williams is far from alone in embracing tech-led innovation. All companies have had to embrace digital transformation during the past 12 months – whether that’s in terms of establishing remote working, moving to e-commerce or using new technologies to keep socially distanced customers engaged.

    What’s more, that preparedness to try new things isn’t going anywhere soon. Gartner says creative thinking will continue to be crucial in the post-COVID age. Companies that embrace innovation effectively will be most likely to gain an edge on their competitors. The key message from Hackland is that, in an age of almost-continual digital transformation, CIOs and their organisations must be prepared to try new things. Yes, things can go wrong – but the key to success is being prepared to embrace innovation and to learn lessons when issues arise.

    “In Formula 1, every time we make a mistake, we learn from it, we do an after-action review: why did that happen and how do we make sure it doesn’t happen again. I think a lot of organisations are starting to do that,” he says.

    Evidence would suggest that this kind of review process is absolutely critical. As the demand for innovative digital projects quickens, so do the chances of failure. Boston Consulting Group research shows just 30% of digital transformations succeed in achieving their objectives. That kind of failure rate helps to explain why executives in many large corporations are reluctant to advocate for what they perceive to be risky projects. The Harvard Business Review says they quash new ideas in favour of marginal improvements, cost-cutting and safe investments.

    Hackland: “I’ll be encouraging us to stay brave and to keep embracing new technology.” (Image: Williams F1)
    Hackland recognises that it can be difficult for CIOs to gain funding for innovative projects, especially in organisations with competing priorities. But when there’s a chance to try something new, the opportunity must be grabbed – not just in terms of the potential benefits it might bring to the company itself but also in terms of professional development.

    “You’re learning and your people are learning,” says Hackland, referring to the importance of experimentation. “They’re engaged in something new, they’re not just doing lights-on, which I think is really important. They’re getting to play with new technologies.”

    Which brings us back to Williams’ recent foray into virtual reality, which was one such attempt to try something new. The intention was to allow users of a bespoke VR app to view and manipulate the new car in its livery in 3D. The app, which was created by an external agency, was made available for fans to download on the Apple App Store and Google Play Store. However, when pictures of the FW43B started appearing online, the team couldn’t be sure if only the image data for the new car had been unpacked or whether the app itself had been compromised.

    “We didn’t know if there had been a compromise – we just didn’t know if the app was safe, and so you just couldn’t deploy it,” says Hackland. “If the app had been compromised, and we’d delivered it to our fans, I couldn’t have lived with that decision. So the decision was made to pull it.”

    Hackland says the company’s subsequent investigations have shown that the issue was a “data-loss incident” rather than someone hacking the app. Everything connected to the incident took place outside the team’s enterprise network.

    “This was not about someone getting into our network and taking our data. It’s the first time we’ve done something like this. So yeah, we clearly missed some things that next time – and I hope there is a next time – we’ll learn from,” he says. “It was just unfortunate. An error was made that exposed the data. We’re still investigating and looking at it, and we’ve got a couple of cybersecurity partners looking at it, too.”

    Just as Hackland and his team have learnt some important lessons about embracing innovation, so other business leaders will have to ensure the right policies, processes and partners are in place to embrace new ideas in a carefully controlled manner. And rather than showing the downsides of working with external third-party suppliers, Hackland says the incident shows the importance of IT risk management and the role of trusted partners in trying to help reduce the ongoing cybersecurity threat.

    “I’ve been responsible for IT risk at two racing teams now for the past 15 years, but I don’t claim to know everything. The risk landscape changes constantly, which is why we partner with these organisations,” he says.

  • IT admin with axe to grind sent to prison for wiping Microsoft user accounts

    A former IT contractor with a grudge has been sentenced after mass-deleting the majority of a company’s Microsoft accounts. 

    Deepanshu Kher was sentenced to two years in prison for breaking into the network of a Carlsbad, California-based firm after being fired, potentially in connection with a consultancy job the firm had hired him for. Kher worked for an IT consultancy firm from 2017 through May 2018. This company was recruited to help a client with migration to a Microsoft Office 365 environment, and Kher was selected to assist. The client was not pleased with Kher’s performance and, once this feedback reached head office, the IT admin was sacked. A month after being fired, in June 2018, Kher returned to India.

    However, two months later, Kher decided to exact revenge on the Californian company, according to the US Department of Justice (DoJ). The 32-year-old infiltrated the firm’s servers while outside of the US and deleted over 80% of employee Microsoft Office 365 accounts, with over 1,200 out of 1,500 wiped in total. As staff members were suddenly unable to access emails, contacts, calendars, stored documents, as well as Microsoft’s Virtual Teams remote management platform, they were unable to work. The company’s entire operations ground to a halt for two days. The VP of IT said, “In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”

    IT issues persisted for a further three months after the cyberattack, and the FBI was informed. Kher was arrested while flying from India to the US on January 11, “unaware of the outstanding warrant for his arrest,” US prosecutors say.

    US District Court Judge Marilyn Huff charged the Delhi, India resident with intentional damage to a protected computer, a crime which can lead to up to 10 years in prison and a $250,000 fine. Kher will face two years behind bars and three years of supervised release, but must also pay $567,084 in damages — the bill his victim organization had to shoulder to restore its systems.

    “The victim company’s swift notification and cooperation with the FBI contributed greatly to the successful outcome,” commented Suzanne Turner, Special Agent in Charge of FBI’s San Diego Field Office. “Living in a digital world, it is important to get ahead of the threats, be proactive and predictive in the way we approach cybersecurity.”

  • Privacy Commissioner wants more protections for individuals in Data Availability Bill

    The Australian Information Commissioner and Privacy Commissioner’s office, the OAIC, has asked for the inclusion of additional privacy measures in the Bill that would allow the sharing of data held by government.

    The data reforms presented in the Data Availability and Transparency Bill 2020 are touted by Minister for Government Services Stuart Robert as being an opportunity to establish a new framework that is able to proactively assist in designing better services and policies. The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament in December, after two years of consultation.

    “Proposals to share data containing personal information will necessarily carry certain privacy risks, including the loss of control by individuals and the potential for mishandling of personal information,” the OAIC said in its submission [PDF] to the Senate Finance and Public Administration Committee currently probing the two Bills. “Privacy risks can be heightened in relation to government-held personal information, which is often collected on a compulsory basis to enable individuals to receive a service or benefit or is otherwise required by law.”

    The submission raised concerns that such data is often sensitive or can become sensitive when it is linked with other government datasets. It has therefore recommended the inclusion of additional privacy measures that would provide further protections for individuals and clarity for data scheme entities about their privacy obligations.

    “The OAIC considers that these additional measures are necessary to ensure the proportionality of the scheme and to achieve the trust and confidence of the community, which is vital to the success of the DAT scheme,” it wrote.

    In a discussion paper in September 2019, the federal government tweaked what it proposed the year prior by removing a fundamental element of privacy — consent. The government’s position on consent has since become more nuanced, with the Bill currently stating that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable.

    “While the OAIC acknowledges the important privacy safeguards that have been included in the DAT Bill, there are other key privacy protective measures that should be included to further mitigate the risks posed by sharing personal information,” the OAIC said.

    Additionally, the OAIC is concerned about the proposed exemption of scheme data from the Freedom of Information Act, which the OAIC considers runs counter to the objects of both the FOI Act and the Data Availability and Transparency Bill. It said this would effectively exempt any data that government agencies share with each other through the scheme.

    “The OAIC is concerned that the proposal is unnecessarily broad and risks misalignment with the objects of the FOI Act to provide a fundamental legal right to access to documents,” the submission continued. “The OAIC is also concerned that this proposal reduces the information access rights of individuals, impacting on their ability to seek access to their own personal information and understand how agencies are using this information.”

    As a result, the OAIC recommended that the proposed consequential amendment to the FOI Act be removed, and that data shared by agencies under the scheme remain subject to the usual FOI processes and potential exemptions under the FOI Act.
    Elsewhere, the OAIC recommended that all accredited users – including Commonwealth bodies – be subject to the same accreditation processes and criteria as other entities seeking to become accredited under the Data Availability and Transparency scheme. Further, the OAIC has asked for definitions in the Bill to be consistent with those in the Privacy Act 1988, for example the definition of “de-identified”. It also recommended that additional protections be included in the Data Availability and Transparency Bill to ensure that the “exit mechanism” minimises the risk to individuals’ privacy and is only used in specific and confined circumstances.

    Digital Rights Watch is similarly concerned that the Bill is moving ahead in parallel to the review of the Privacy Act, which the Attorney-General’s office is currently heading. In its submission [PDF] to the committee, the organisation said that, as the draft text stands, the Bill “threatens to further erode the limited protections enshrined in the existing Privacy Act”.

    “The Bill would make it easier for government agencies to share data containing personal information with each other, allowing any government entity to access any and all the information the government holds about an individual,” it explained. “The draft also permits the government to share data with accredited third parties and researchers. In absolute terms, the Bill almost constitutes an amendment of the Australian Privacy Principle 6 by redefining and altogether eliminating the limitations and protections the principle currently imposes on the data custodians.”

    Digital Rights Watch has also asked that the Bill restrict the access of accredited parties from the single-application full access system proposed; define consent in line with international standards, as presented under the GDPR, for example; and maintain liability for data breaches, ensuring also a resolution mechanism for individuals who may want to seek redress if their data and privacy is compromised through the scheme.

    Also making a submission [PDF] was the Australian Privacy Foundation (APF), which considers the Bill as possessing weak legitimacy, that it erodes trust, and that it provides uncertain benefits alongside a history of underperformance.

    “The foundations of the proposed regime are weak, the superstructure is weaker,” APF wrote. “The proposed regime does not provide the necessary ‘strong privacy and security foundations’. Instead it embodies values of bureaucratic convenience that are antithetical to strong privacy protection.”

  • SavvyShares compensates consumers for access to their data

    SavvyShares, a survey panel which captures consumer opinions and data, has been launched by San Diego, CA-based market research company Luth Research. Unlike Killi, which offers a portion of all data sales revenue each month to consumers who, through use of its ‘Paycheck’, receive a guaranteed amount of cash each week, SavvyShares does not offer cash to its members.

    Instead it offers shares in the company, leading to annual dividends — if the company makes a profit. According to the SEC filing, SavvyShares LLC will offer “sale of up to 200,000,000 unit-denominated common limited liability company interests, …. refer(red) to as SavvyShares” for a “maximum gross dollar offering of $50,000,000.” The filing says that the shares will be offered for data including “behavior data tracked through software installed to a Member’s phone, tablet or computer (our “App”), data obtained from self-reported surveys and interviews, behavior data obtained from third parties with a member’s consent, and any other social or related data.”

    Members who participate receive shares in the company based on the length and complexity of surveys, and additional shares for allowing digital data tracking through the app. The app runs in the background and collects data as participants surf the web. Dividends may then be paid to member shareholders annually, based on their number of shares and the profitability of the company – as long as the user remains a member. Paying dividends based on the success of the company means members have a stake in the business, so they are probably more incentivized to share their data.

    The company was launched by Luth Research, a consumer survey business. The company is also managed by the Public Benefit Corporation (PBC), a for-profit company that is committed to specific public benefits.

    SavvyShares Founder Roseanne Luth said, “As privacy concerns further restrict data collectors, SavvyShares ensures power and control is in the hands of consumers, giving them a stake in the success of the company as the ultimate reward for their opinions. As consumers are becoming more leery of data harvesting that is currently occurring through social media and other platforms, SavvyShares offers the control, compensation and privacy they deserve.”

    SavvyShares has filed with the SEC to use data as a form of currency — an unusual move. Compensating customers with shares in exchange for access to data could be very lucrative for people who currently share data for free. Of course, the company needs to make a profit before any share dividends can be paid in cash to any member. Consumers already share their opinions and data for free with companies such as Facebook and Instagram, so there are good reasons for customers to be compensated for their data. Will paying for data sharing catch on? Or will we continue to share our data where we feel most comfortable — or stay on the platforms where our friends are most likely to be?