More stories

    It’s time to say goodbye to the EU-US Privacy Shield

    In 2000, the European Commission (EC) introduced Safe Harbor. It was a principles-based, voluntary framework to allow companies to transfer personal data of European residents to the US. Austrian law student Maximilian Schrems took Facebook to court claiming that, once his data reached US soil, privacy protection faded.

    Five years later, the European Court of Justice (ECJ) declared Safe Harbor invalid. To replace it, the EC issued the EU-US Privacy Shield. The new framework was supposed to provide additional protection to EU citizens’ data with the creation of new safeguards, such as the Data Protection Ombudsman, and the “promise” that US surveillance would be limited. Today, the ECJ decided that these expectations have not been met and invalidated the privacy shield. 
    About 5,000 companies currently rely on the framework to transfer personal data to the US, and these transfers contribute to transatlantic trade, which is worth about £5.6 trillion. To keep these vital transfers flowing while complying with the ECJ’s ruling, security and risk (S&R) pros must take these steps:
    Map out your data transfers today. S&R pros must start mapping out their data transfers today to understand which transfers are impacted. 
    Assess alternatives and adopt standard contract clauses (SCCs) with caution. SCCs have become the go-to strategy for most companies, and the ECJ affirmed their validity. But experts expect the EC to adopt an updated version of SCCs soon.
    Review your third parties’ data flows and contracts. First, remediate any problems with data transfers that involve cloud providers. This is the time to find out where they’re actually keeping your data and respond accordingly. 
    Assess changes to data transfers from Europe to countries beyond the US. More changes are likely. For example, European data protection authorities can stop transfers under SCCs if they don’t believe they offer adequate protection. Thus, companies must examine not only which data transfers are happening but also how business-critical they are, and start planning for the future. 
    Green-light transfers to “adequate countries.” Currently, the EC has recognized 12 countries as adequate from a data protection perspective. If you transfer data to one of them, no further red tape is required. 
    This post was written by Senior Analyst Enza Iannopollo, and it originally appeared here.

    Climate risk is here to stay: Emerging solutions help your business adapt

    The top five global risks identified in terms of likelihood in the World Economic Forum’s annual The Global Risks Report 2020 were all environmental or climate-related: 1. extreme weather events; 2. failure to adapt to climate change; 3. man-made environmental damage; 4. biodiversity and ecosystem loss; and 5. natural disasters. There is no doubt about it: The climate crisis is a risk multiplier, and as we continue to rely on fossil fuels, it is only going to get worse. 

    Climate risk concerns are top of mind for enterprises 
    Climate change is having an impact on business today, from sea level rise that threatens the value of coastal assets to exaggerated hurricanes, wildfires, and floods that inflict billions of dollars in damages on cities, businesses, and individuals. While business leaders commit to lofty climate goals to appease empowered stakeholders, bolster their reputation, and mitigate climate change, they are also realizing the reality: Acute and chronic physical impacts of climate change are a significant risk to their business operations, infrastructure, supply chain, and more. The Forrester Analytics Global Business Technographics Security Survey, 2019, shows that seven out of 10 global enterprise security decision-makers consider climate change and the potential impact it could have on their organization to be concerning, with about half feeling highly or extremely concerned. Across market verticals — financial services, manufacturing, utilities, services, healthcare, retail, and more — risk professionals are worried about climate risk. 
    New technology helps companies understand the impacts of climate change on their business
    Software to help business leaders make informed decisions and adapt to climate change is emerging. These vendors offer advanced spatial, socioeconomic, financial, and climate data analysis to help organizations understand their unique exposure and vulnerabilities to a range of climate change hazards. They use predictive and probabilistic models based on a company’s assets and the latest climate data to help business leaders make reliable investments in climate change adaptation planning. 
    Historical weather data alone isn’t a reliable basis for modeling climate change. Instead, risk managers and business leaders need to be equipped with an understanding of climate impacts under several climate change scenarios. As traditional approaches to catastrophe modeling become less useful for strategic planning, climate risk analytics solutions are fueling the next evolution of disaster risk reduction and climate change risk management. These solutions offer features such as UI/UX, visualization, data quality and advanced analysis, a variety of hazard types and climate scenarios, and more. If you’re interested in learning more, Forrester has published research evaluating some of the top vendors in the climate risk analysis market in a new report, “The Forrester New Wave: Climate Risk Analytics, Q3 2020”.
    This post was written by Principal Analyst Renee Murphy, and it originally appeared here. 

    Garmin services and production go down after ransomware attack

    Smartwatch and wearables maker Garmin shut down several of its services on July 23 to deal with a ransomware attack that encrypted its internal network and some production systems.

    The company is currently planning a multi-day maintenance window to deal with the attack’s aftermath, which includes shutting down its official website, the Garmin Connect user data-syncing service, and even some production lines in Asia.
    In messages shared on its website and Twitter, Garmin said the same outage also impacted its call centers, leaving the company in the situation of being unable to answer calls, emails, and online chats sent by users.
    The incident didn’t go unnoticed and has caused lots of headaches for the company’s customers, most of whom rely on the Garmin Connect service to sync data about runs and bike rides to Garmin’s servers, all of which went down on Thursday.

    When ZDNet reached out for comment earlier, a Garmin spokesperson declined to confirm that the outage was caused by a ransomware attack, citing an ongoing investigation, and they redirected us to a message the company had shared on its website and Twitter profile.

    This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience. (2/2)
    — Garmin (@Garmin) July 23, 2020

    However, since the incident began at around 03:00 UTC, several Garmin employees have taken to social media to share details about the attack, all calling it a ransomware attack.
    Some Garmin employees speaking online attributed the incident to a new strain of ransomware that appeared earlier this year, called WastedLocker. ZDNet has not been able to verify these claims during our interviews with Garmin employees, and this remains just speculation, at this point in time.
    However, the incident appears to be much larger and more devastating than Garmin indicated via its initial statement.
    iThome, a Taiwanese tech news site dedicated to IT topics and smart devices, shared an internal memo that Garmin’s IT staff sent to its Taiwan factories, announcing two days of maintenance mode planned for Friday and Saturday, July 24 and July 25.
    While the memo didn’t specifically blame the impromptu maintenance mode on a ransomware attack, sources told the Taiwanese news site the incident was caused by a “virus.”
    In today’s cyber-security landscape, only ransomware attacks have the destructive power to cause companies to shut down production lines, online services, websites, email servers, and call centers in a matter of hours and enter into an impromptu maintenance mode.
    The reach of the infection remains unknown to third-party observers. Besides home consumer-grade wearables, sportswear, and smartwatches, Garmin also provides mapping and tracking solutions for the automotive, maritime, and aviation industry. The impact of the ransomware attack on these services remains unclear.
    It also remains unclear if any customer data has been lost or stolen during today’s incident. Over the past several months, ransomware gangs have modified their modus operandi to also include data theft besides file encryption.
    Until Garmin manages to restore its services, users have taken to social media sites to share tips with each other on how to save run and bike ride information to Garmin partner services, such as Strava, to avoid losing workout information.

    to all the people freaking out because @garmin @GarminFitness services have been down for 7+ hours: mount your watch via USB on your computer -> browse to the activities directory -> take today’s .fit file -> manually upload it to a 3rd party service (e.g. strava) -> breathe
    — Marco Abis (@capotribu) July 23, 2020

    This is a developing story. More updates will follow.
    Windows 10 privacy: Microsoft announces new controls aimed at EU customers

    Microsoft has announced a public preview of a new option for enterprise customers to control Windows 10 diagnostic data (aka “telemetry”). The program is of particular interest to customers in the European Union and the European Economic Area, who are governed by strict data protection and privacy regulations under the European Union’s General Data Protection Regulation (GDPR).

    Currently, Microsoft customers in these regions have two options for managing diagnostic data collected by Windows 10 and sent to Microsoft’s servers. They can allow Microsoft to be the controller of that data, potentially allowing personal information to be transferred across international borders, or they can opt out of diagnostic data collection completely.
    The latter option isn’t practical for most organizations, because it eliminates the ability of Windows Update to deliver security and driver updates that are tailored for devices in that organization.
    The new data processor service option allows enterprise customers running Windows 10 Enterprise subscription editions (including Microsoft 365 E3 and E5) to designate their own organizations as the controller for that diagnostic data. (This option is not available for devices running Windows 10 under retail and OEM licenses.)  With this configuration in effect, the organization acts as the data controller and Microsoft becomes the data processor, handling diagnostic data on behalf of the organization.

    After an organization enables this option, diagnostic data from devices within the organization will be routed to a separate data store. Customers can then use their Microsoft Azure portal to respond to GDPR requests from people within the organization, including requests to delete that data, download a copy of the data for personal inspection, or restrict its processing.
    This new option allows customers to take advantage of the changes Microsoft published to its online service terms in November 2019. With that update, Microsoft clarified it acts as a data controller only in cases in which data is processed “for specified administrative and operational purposes incident to providing the cloud services covered by the contractual framework” (such as Azure, Office 365, Dynamics, and Intune), but “remain[s] the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.”
    According to Microsoft’s Marisa Rogers, Windows, browsers, and devices privacy officer, the new policy has been under development for several months. Coincidentally, last week, the EU’s Court of Justice (ECJ) struck down the EU-US Data Privacy Shield, which had been designed to prevent the bulk collection and access of user information associated with EU citizens, especially by US law enforcement agencies. Today’s changes allow EU-based organizations to take control of that Windows 10 data and restrict Microsoft’s ability to respond to requests from US agencies for access to the data.
    To enroll in the preview, organizations need to run Windows 10 Enterprise 1809 or later (or Windows Server 2019 or newer) and fill in the Public Preview Signup form, including their Azure Active Directory Tenant ID. The form requires acknowledging that enrollment removes access to the Desktop Analytics and Update Compliance features.
    After enrolling, administrators can deploy the new data processor service using Group Policy or mobile device management software such as Microsoft Intune. Detailed documentation is available in the support article, “Data processor service for Windows Enterprise Overview.”
    Microsoft expects the preview program to last approximately six months before it’s generally available.
    SonicWall report: COVID-19 has created ‘boon’ for criminals

    Computer security firm SonicWall says it has detected many COVID-19 related enterprise security threats and warns that criminals are increasingly taking advantage of insecure work from home setups. Its mid-year CyberSecurity Report 2020 found a big rise in exploits involving common workplace documents such as Microsoft Office.
    SonicWall has a global list of small to large business customers for which it handles a wide range of computer security tasks. It recently rewrote its security suite to outpace advances by hackers. Its global services mean it monitors trillions of security attempts and intrusions, and spots trends in attacks. This data is compiled into semi-annual reports.
    Bill Conner, CEO of SonicWall, said the shift towards work from home that “we thought would take decades, [we saw] happen virtually overnight.” Companies scrambled to provide their workers with secure home connections but the criminals moved faster.
    “While the historic disruption accompanying the COVID-19 pandemic has been challenging for businesses, it’s been a boon for cybercriminals,” said Conner.
    Over the past year, hackers moved away from web browser exploits, partly because of better browser security, but also because there were easier opportunities in Microsoft Office document exploits in work-from-home environments. Malicious PDFs dropped by 8%, but malicious Office documents jumped 176%.

    Another area seeing increased attention from hackers is Internet of Things (IoT) devices, with a 50% increase in intrusion attempts from a year ago. Again, it is the ease that attracts criminal attention. In one incident, a Las Vegas Casino enterprise IT system was penetrated by hackers via an Internet-connected thermometer in an aquarium.
    Overall, intrusion attempts rose 19% to 2.3 trillion over the past year. Ransomware attacks rose 20% to 121.4 million. Malware attacks dropped by one-third to 3.2 billion. Phishing was down 15%; however, 7% of the volume was COVID-19 related.
    Conner said that nation state hackers are increasingly using cybercriminal tactics to try and hide their activities. These include attempts to disrupt healthcare and access research data in other nations. 
    SonicWall says that it discovered the first COVID-19 related exploit on February 4. It has now counted 20 COVID-19 related exploits across nearly every category, from malware to ransomware and Trojans, and more are expected.

    Chips are under attack. A troubling trend is new forms of malware that focus on weaknesses in chip hardware such as microprocessors. 
    SonicWall says its machine learning technologies can detect attacks that have never been seen before, including encrypted attacks that do not exhibit outward malicious behavior. 
    And criminal attacks are becoming more sophisticated. In recent weeks, SonicWall Capture Labs detected never before seen techniques to evade signature-based anti-malware systems, and new types of “nefarious” threats targeting common office documents.
    SonicWall says its security products can monitor and block attacks in real-time and detect and neutralize hundreds of thousands of malware variants — which increased 62% in the second half of 2019. Hackers will move onto easier targets.
    The SonicWall CyberSecurity report can be found here.

    Fawkes protects your identity from facial recognition systems, pixel by pixel

    A new tool has been proposed for cloaking our true identities when photos are posted online to prevent profiling through facial recognition systems. 

    Deep learning tools and facial recognition software have now permeated our daily lives. From surveillance cameras equipped with facial trackers to photo-tagging suggestions on social media, the use of these technologies is now common — and often controversial.
    A number of US states and the EU are considering the ban of facial recognition cameras in public spaces. IBM has already exited the business, on the basis that the technology could end up enforcing racial bias. Amazon and Microsoft, too, have said they will stop providing facial recognition tools to law enforcement. 
    UK and Australian regulators are also probing facial recognition software firm Clearview AI over the use of image scraping across social media platforms in the creation of substantial profiles without consent. 
    Scraping images and training a neural network to find matches could lead to “highly accurate facial recognition models of individuals without their knowledge,” say University of Chicago academics, who have now published a paper on a tool proposed as a means to foil these systems.

    In a paper (.PDF) due to be presented at the USENIX Security 2020 symposium, researchers Shawn Shan, Emily Wenger, Jiayun Zhang, Huiying Li, Haitao Zheng, and Ben Zhao introduce “Fawkes,” software designed to “help individuals inoculate their images against unauthorized facial recognition models.”
    In what could be considered the introduction of garbage code and data to images we share online, Fawkes works at the pixel level to introduce imperceptible “cloaks” to photos before they are uploaded to the Internet. 
    Invisible to the naked eye, these tiny changes are still enough to produce inaccurate facial models accepted by deep learning systems and image scrapers — without noticeably changing how an image looks to human viewers. 
    “As Clearview AI demonstrated, anyone can canvas the Internet for data and train highly accurate facial recognition models of individuals without their knowledge,” the researchers say. “We need tools to protect ourselves from potential misuses of unauthorized facial recognition systems.”
    The Fawkes system is a form of data poisoning. The aim is to post photos which, once scraped by a machine learning service, teach the model the wrong features and misdirect them in what makes a subject unique. 
    During experiments, Fawkes provided high levels of protection against facial recognition models, the team said, regardless of how the models were trained. In addition, even in scenarios where ‘clean’ images have already been made available to image scrapers, processing an image with Fawkes results in a misidentification rate of at least 80%. 
    In real-world tests against the Microsoft Azure Face API, Amazon Rekognition, and Face++, the system appears to be successful in preventing users from being identified. 
    Fawkes worked in 100% of cases against the Azure Face training endpoint and 34% of the time against Amazon Rekognition’s similarity score system — rising to 100% when more robust cloaking is put into place. When set against Face++, the original success rate was 0%, but when strengthened cloaking was introduced, this rose to 100%. 
    In practice, many of us already have countless images of ourselves online, and so Fawkes would likely only serve as an accessory to privacy. It is also worth noting that for every pushback against facial recognition, the technology can become smarter and overcome them over time — and so tools like Fawkes would need to stay ahead of the curve to be useful. 
    “Fawkes is most effective when used in conjunction with other privacy-enhancing steps that minimize the online availability of a user’s uncloaked images,” the researchers say. “The online curation of personal images is a challenging problem, and we leave the study of minimizing online image footprints to future work.” 
    CouchSurfing investigates data breach after 17m user records appear on hacking forum

    CouchSurfing, an online service that lets users find free lodgings, is investigating a security breach after hackers began selling the details of 17 million users on Telegram channels and hacking forums.
    The CouchSurfing data is currently being sold for $700, ZDNet has learned from a data broker, a person who buys and sells hacked data for profit on the hacking underground.
    The data broker, who requested anonymity for this article, was not able to identify the hacker but said the CouchSurfing data, which first appeared in private Telegram channels last week, has been advertised as being taken from CouchSurfing’s servers earlier this month, in July 2020.
    No passwords leaked
    ZDNet received a small sample of the data. The sample included user details such as user IDs, real names, email addresses, and CouchSurfing account settings.
    User passwords were not included, although it is unclear if hackers got their hands on passwords and simply chose not to share them.

    Reached for comment last night, a CouchSurfing IT staffer did not immediately provide an on-the-record statement but said that the company has already engaged a cyber-security firm to investigate the breach, along with law enforcement agencies.
    While the CouchSurfing data was initially shared in private Telegram channels, this week, the company’s data has slowly made its way onto more public hacker forums, including the infamous RAID Forum, the go-to place for buying and selling stolen databases on the public internet.

    CouchSurfing is currently ranked as one of the top 11,000 most popular websites on the internet, according to Amazon’s Alexa traffic ranking. The service, founded in 2004, lists 12 million registered users on its site, but the company purged inactive users a few years back, when it listed a total of 15 million registered users, which would explain why hackers are currently selling 17 million user records.
    The impact of the CouchSurfing breach is lower than that of security incidents at other companies, as password information was not included. This means that the CouchSurfing data can’t be used as part of credential stuffing botnets that take leaked credentials and attempt to break into a user’s accounts at other online services.
    Instead, the CouchSurfing user emails can be used for spam lists by spam and malware distribution operations.
    A theory shared by the data broker with ZDNet is that the CouchSurfing data could have originated from a misplaced backup file, as most companies regularly back up their user databases and don’t usually include password strings in their backups. Furthermore, most backup files are also stored in cloud hosting environments that sometimes get exposed online by accident, in misconfigured storage, or after firewalls or VPNs go down, exposing a company’s internal infrastructure on the public internet.

    Facebook is creating a network filled with bad bots to help it understand real scammers

    It is the bane of every security researcher: no matter how sophisticated the tool is to fight harmful behavior on any given interface, hackers will always adapt, scale up their game, and find new ways to work around the mechanism. 
    In an effort to get ahead of the scammers, Facebook is trying a new approach: to unleash an army of bots on a version of the platform, tasked with harmful actions – so that the Facebook-controlled bots can discover the loopholes before the real scammers even get to them.
    The technology will be operating in an alternative version of Facebook, dubbed WW to reflect that the system is a scaled-down version of the World Wide Web (WWW). 
    Contrary to traditional simulations, in which the simulated bots would be working on a simulated platform, WW is built on Facebook’s real-world software platform. 

    The company’s engineering team developed a method called Web-Enabled Simulation (WES), which consists of carrying out simulations on real web infrastructures, rather than artificial ones, to better reflect real user interactions and social behavior.
    Using WES, Facebook’s engineers built WW – a parallel version of the social media platform, complete with Messenger, profiles, pages, and inopportune friend requests, but exclusively reserved for bots. 
    Presenting the technology at a webinar, Mark Hartman, research scientist at Facebook, said: “The simulations happen on the actual tens of millions of lines of code that make up the Facebook infrastructure. The bots use all of the same software and tools that a user would be using on the platform.” 
    “It means the simulation results are much closer to the reality of what happens on the platform, and to the many subtleties where harmful behavior can occur,” he added. 
    The bots, therefore, operate in an environment that is very close to the actual users on the platform, but a safe distance has wisely been kept. The bots’ actions are carefully constrained, and the engineers set up both a privacy layer and interaction mechanism layer to separate the two worlds. 
    Hartman’s team is currently focusing on using the bots to simulate scamming behavior, to find out if the detection mechanisms on Facebook are good enough, but also to uncover the new ways that scammers might try to extort money from unknowing users. 
    Real-life scammers typically crawl over the social-media platform until they find a target. And so, in a similar vein to game development, the engineering team recreated a scenario in which innocent bots simulate interactions with bots that are rewarded for crawling and acquiring another agent that they can scam.
    Hartman explained that several methods were used to train the bots. They ranged from the old-fashioned rule-based approach, in which bots chose to carry out actions like sending a friend request based on a predetermined set of rules, to unsupervised learning, in which the bots are given the reward criteria but not the rules to get there.
    Supervised learning was also a part of the mix: using anonymized data, the researchers defined patterns of real user behavior and trained the bots to imitate them.
    “There is a strong relationship with AI-assisted gameplay,” said Hartman. “Simulated game players are a little bit like our bots. We are automating the process of making the game ever-more challenging, because we want to make it harder for potentially sophisticated and well-skilled bad actors.” 
    From an engineering perspective, the proposal is ambitious, and Hartman stressed that the project is still in a research phase. Hartman hopes that it is only a matter of months before the WW initiative comes to life, but admitted that further research was needed in various fields such as machine learning, graph theory or AI-assisted gameplay.
    If the project were to come about at scale, however, the research team anticipated a significant boost to Facebook’s defense in the war against harmful behavior. 
    “The bots, in theory, can do things we haven’t seen before thanks to reinforcement learning,” said Hartman. “That’s something we want because it will let us get ahead of the bad behavior, rather than catch up with it.”
    What’s more: using the WES method, WW could be replicated for any large-scale web system in which a community’s behavior can be observed. It could go a long way, therefore, in alleviating moderation efforts for many organizations.