The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.


The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

Zoom lied to users about end-to-end encryption for years, FTC says


Zoom founder and CEO Eric Yuan speaks before the Nasdaq opening bell ceremony on April 18, 2019, in New York City as the company announced its IPO.

Zoom has agreed to upgrade its security practices in a tentative settlement with the Federal Trade Commission, which alleges that Zoom lied to users for years by claiming it offered end-to-end encryption.

“[S]ince at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security,” the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”

The FTC complaint says that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, which were intended for health-care industry users of the video conferencing service. Zoom also claimed it offered end-to-end encryption in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers, the complaint said.

“In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s ‘Connecter’ product (which are hosted on a customer’s own servers), because Zoom’s servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings,” the FTC complaint said.

The FTC announcement said that Zoom also “misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.”

To settle the allegations, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic,” the FTC said. (The 10 million and 300 million figures refer to the number of daily participants in Zoom meetings.)

No compensation for affected users

The settlement is supported by the FTC’s Republican majority, but Democrats on the commission objected because the agreement doesn’t provide compensation to users.

“Today, the Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula,” FTC Democratic Commissioner Rohit Chopra said. “The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom’s data protection claims. And it does not require Zoom to pay a dime. The Commission must change course.”

Under the settlement, “Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false,” Democratic Commissioner Rebecca Kelly Slaughter said. “This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.” While the settlement imposes security obligations, Slaughter said it includes no requirements that directly protect user privacy.

Zoom is separately facing lawsuits from investors and consumers that could eventually lead to financial settlements.

The Zoom/FTC settlement doesn’t actually mandate end-to-end encryption, but Zoom last month announced it is rolling out end-to-end encryption in a technical preview to get feedback from users. The settlement does require Zoom to implement measures “(a) requiring Users to secure their accounts with strong, unique passwords; (b) using automated tools to identify non-human login attempts; (c) rate-limiting login attempts to minimize the risk of a brute force attack; and (d) implementing password resets for known compromised Credentials.”
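The four login controls quoted above (strong unique passwords, non-human login detection, rate limiting, and resets for known-compromised credentials) are easiest to reason about in code. The following is an added example, not Zoom's implementation or the FTC's specification: a password-policy check against a constructed breach corpus and a sliding-window limiter that counts only failed attempts per (account, source IP). The thresholds, the account name, the IP address and the `FakeClock` helper are all assumptions made for the example.

```python
"""Login controls of the kind the settlement lists: password policy,
compromised-credential check and per-account failure rate limiting.
Added example, not Zoom's code; all thresholds are assumptions."""
import hashlib
import time
from collections import deque

MIN_LENGTH = 12            # assumption: minimum password length
MAX_FAILURES = 5           # assumption: failed attempts allowed per window
WINDOW_SECONDS = 300.0     # assumption: sliding window length in seconds

# Constructed stand-in for a breach corpus: SHA-1 digests of a few passwords
# treated as known-compromised. A real deployment consults a full corpus.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "letmein2020")
}


def password_is_compromised(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1


def password_is_acceptable(password: str) -> bool:
    """Policy: long enough and not known-compromised."""
    return len(password) >= MIN_LENGTH and not password_is_compromised(password)


class LoginRateLimiter:
    """Sliding-window limiter keyed by (account, source IP). Only failures
    count, so a legitimate user is never locked out by their own successes."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock            # injectable for deterministic tests
        self._failures = {}           # (account, ip) -> deque of timestamps

    def _recent(self, key, now):
        """Drop timestamps older than the window and return the live deque."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, account: str, ip: str) -> bool:
        """May a login attempt for this account/IP pair be processed?"""
        return len(self._recent((account, ip), self.clock())) < self.max_failures

    def record_failure(self, account: str, ip: str) -> None:
        now = self.clock()
        self._recent((account, ip), now).append(now)

    def record_success(self, account: str, ip: str) -> None:
        """A successful login clears the failure history for the pair."""
        self._failures.pop((account, ip), None)


class FakeClock:
    """Constructed clock so the demo does not depend on wall-clock time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_repeated_failures(attempts: int, clock: FakeClock) -> list:
    """Feed `attempts` wrong passwords for one constructed account and return
    the per-attempt decision (True = processed, False = refused by limiter)."""
    limiter = LoginRateLimiter(clock=clock)
    decisions = []
    for _ in range(attempts):
        ok = limiter.allowed("alice", "203.0.113.7")   # constructed account/IP
        decisions.append(ok)
        if ok:
            limiter.record_failure("alice", "203.0.113.7")
    return decisions


if __name__ == "__main__":
    print("compromised:", password_is_compromised("password"))
    print("acceptable:", password_is_acceptable("correct horse battery staple"))
    print("decisions:", demo_repeated_failures(7, FakeClock()))
```

The limiter deliberately keys on the (account, IP) pair rather than on the IP alone, so a credential-stuffing run spread across many source addresses is still throttled per account, while one shared corporate egress IP does not lock out everyone behind it.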

FTC calls ZoomOpener unfair and deceptive

The FTC complaint and settlement also cover Zoom’s controversial deployment of the ZoomOpener Web server that bypassed Apple security protocols on Mac computers. Zoom “secretly installed” the software as part of an update to Zoom for Mac in July 2018, the FTC said.

“The ZoomOpener Web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware,” the FTC said. “Without the ZoomOpener Web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app.”

The software “increased users’ risk of remote video surveillance by strangers” and “remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances,” the FTC said. The FTC alleged that Zoom’s deployment of the software without adequate notice or user consent violated US law banning unfair and deceptive business practices.

Amid controversy in July 2019, Zoom issued an update to completely remove the Web server from its Mac application, as we reported at the time.

Zoom agrees to security monitoring

The proposed settlement is subject to public comment for 30 days, after which the FTC will vote on whether to make it final. The 30-day comment period will begin once the settlement is published in the Federal Register. The FTC case and the relevant documents can be viewed here.

The FTC announcement said Zoom agreed to take the following steps:

  • Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
  • Implement a vulnerability management program; and
  • Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

The data deletion part of the settlement requires that all copies of data identified for deletion be deleted within 31 days.

Zoom will have to notify the FTC of any data breaches and will be prohibited “from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information,” the FTC announcement said.

Zoom will have to review all software updates for security flaws and make sure that updates don’t hamper third-party security features. The company will also have to get third-party assessments of its security program once the settlement is finalized and once every two years after that. That requirement lasts for 20 years.

Zoom issued the following statement about today’s settlement:

The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs. We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.

Enterprise IT security teams continue to struggle

CyberEdge conducted a web-based survey of 600 enterprise IT security professionals from seven countries and 19 industries in August 2020 in an effort to understand how the pandemic has affected IT security budgets, personnel, cyber risks, and priorities for acquiring new security technologies.


Impacts from the work-from-home movement

Prior to the pandemic, an average of 24% of enterprise workers had the ability to work from home on a full-time, part-time, or ad hoc basis. As of August 2020, that number more than doubled to 50%.

Many enterprises without existing BYOD policies were instantly compelled to permit employee-owned laptops, tablets, and smartphones to access company applications and data – in some instances without proper endpoint security protections.

Resulting IT security challenges

A 114% increase in remote workers coupled with a 59% increase in BYOD policy adoption has wreaked havoc among enterprise IT security teams.

The top-three challenges experienced by enterprise IT security teams have been an increased volume of threats and security incidents, insufficient remote access / VPN capacity, and increased risks due to unmanaged devices.

Furthermore, an astounding 73% of enterprises have experienced elevated third-party risks amongst their partners and suppliers. Adding fuel to the fire, 53% of these teams were already understaffed before the pandemic began.

Healthy 2020 and 2021 IT security budgets

While most enterprises searched for ways to reduce overall operating expenses in 2020, 54% of those surveyed increased their IT security operating budgets mid-year by an average of 5%.

Only 20% of enterprises reduced their overall IT security spending after the start of the pandemic. With regard to the impact of the pandemic on next year’s security budgets, 64% of organizations plan to increase their security operating budgets by an average of 7%.

Increased demand for cloud-based IT security investments

Arguably the biggest impact that the COVID-19 pandemic has had on the IT security industry is an increased appetite for cloud-based IT security solutions. This is primarily driven by the massive increase in remote workers but may also be influenced by having fewer IT security personnel available on site to install and maintain traditional on-premises security appliances.

Exactly 75% of respondents have indicated an increased preference for cloud-based security solutions. The top-three technology investments to address pandemic-fueled challenges are cloud-based secure web gateway (SWG), cloud-based next-generation firewall (NGFW), and cloud-based secure email gateway (SEG).

Reducing IT security personnel costs

Despite increased funding for cloud-based security technology investments, 67% of enterprise security teams were forced to temporarily reduce personnel expenses through hiring freezes (36%), temporary reductions in hours worked (32%), and temporary furloughs (25%). Fortunately, only 17% were forced to lay off personnel.

Training and certification make a huge difference

78% of those with IT security professional certifications feel their certification has made them better equipped to address pandemic-fueled challenges.

Next year, enterprises anticipate increasing their security training and certification budgets by an average of 6%.

Taking third-party risks seriously

The doubling of remote workforces has significantly increased third-party risks. As a result, 43% of enterprises have increased their third-party risk management (TPRM) technology investments. 77% are seeking technologies to help automate key TPRM tasks.

Securing employee-owned devices

In an effort to secure employee-owned devices connecting to company applications and data, 59% of enterprises are providing antivirus (AV) software, 52% are investing in mobile device management (MDM) products, and 48% are acquiring network access control (NAC) solutions.

Security professionals enjoy working from home

Not surprisingly, 81% of IT security professionals enjoy working from home. Once a COVID-19 vaccine is developed and the pandemic is over, 48% would like to continue working from home part-time while 33% would like to work from home full-time.

Businesses struggle with data security practices

43% of C-suite executives and 12% of small business owners (SBOs) have experienced a data breach, according to Shred-it.


While businesses are getting better at protecting their customers’ personal and sensitive information, their focus on security training and protocols has declined in the last year. This decline could pose issues for businesses, as 83% of consumers say they prefer to do business with companies who prioritize protecting their physical and digital data.

The findings reinforce the need for business owners to have data protection policies in place as threats to data security, both physical (including paper documents, laptop computers or external hard drives) and digital (including malware, ransomware and phishing scams), have outpaced efforts and investments to combat them.

The report, which was completed prior to COVID-19, also exposes that more focus is needed around information security in the home, where C-suites and SBOs feel the risk of a data breach is higher.

While advancements in technology have allowed businesses to move their information to the cloud, only 7% of C-suites and 18% of SBOs operate in a paperless environment. Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signaling a need for oversight of physical information and data security.

Having policies in place can mitigate the risk of physical security breaches

C-suites and SBOs indicated external threats from vendors or contractors (25% C-suites; 18% SBOs) and physical loss or theft of sensitive information (22% C-suites, 19% SBOs) are the top information security threats facing their business.

Yet, the number of organizations with a known and understood policy for storing and disposing of confidential paper documents adhered to by all employees has declined 13% for C-suites (73% in 2019 to 60% in 2020) and 11% for SBOs (57% in 2019 to 46% in 2020).

In addition, 49% of SBOs have no policy in place for disposing of confidential information on end-of-life electronic devices.

While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into work-from-home status, many without supporting policies.

77% of C-suites and 53% of SBOs had employees who regularly or periodically work off-site. Despite this trend, 53% of C-suites and 41% of SBOs have remote work policies in place that are strictly adhered to by employees working remotely (down 18% from 71% in 2019 for C-suites; down 8% from 49% in 2019 for SBOs).

“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and CEO, Stericycle.

“As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach.”

Better training on security procedures and policies is needed

When it comes to training, 24% of C-suites and 54% of SBOs reported having no regular employee training on information security procedures or policies.

Additionally, the number of organizations that regularly train employees on how to identify common cyber-attack tactics, such as phishing, ransomware or other malicious software, declined 6% for C-suites (from 88% in 2019 to 82% in 2020) and 7% for SBOs (from 52% in 2019 to 45% in 2020).

“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, VP of data protection, Stericycle.

“To protect businesses now and for the long haul, it’s instrumental that leaders reevaluate information security training and protocols to adjust to our changing world and maintain consumer trust.”

Businesses deal with data security and declining consumer trust

While many U.S. businesses feel they are getting better at protecting sensitive information, declining consumer trust and increased expectations may impact the bottom line.

  • 86% of consumers are concerned that private, personal information about them is present on the internet.
  • 24% of consumers would stop doing business with a company if their personal information was compromised in a data breach. Beyond losing their loyalty, consumers would lose trust in the business (31%) and demand to know what the business is doing to prevent future breaches (31%).
  • 38% of consumers trust that all physical and digital data breaches are properly disclosed to consumers (up 4% from 34% in 2019).

Businesses are reducing focus on policies for disposing of confidential information despite physical theft and vendor threats being top risks.

  • While 60% of C-suites and 46% of SBOs have a known and understood policy for storing and disposing of confidential paper documents, strict employee adherence to these policies has declined from 2019. Down 13% from 73% in 2019 for C-suites and down 11% from 57% in 2019 for SBOs.
  • Additionally, 10% of C-suites and 38% of SBOs admit they have no policies in place for disposing of confidential paper documents, up 4% for C-suites (from 10% in 2019) and 8% for SBOs (from 30% in 2019).

Remote work has increased over the years, but information security policies are lacking.

  • Prior to the COVID-19 pandemic, 45% of small businesses did not have a policy for storing and disposing of confidential information when employees work off-site from the office.
  • A secondary study found that 75% of employees own a home printer that they use to print work documents and 43% print work-related documents weekly.

78% of Microsoft 365 admins don’t activate MFA

On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView.


Microsoft 365 administrators fail to implement basic security like MFA

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.

According to SANS, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely.

Microsoft 365 admins given excessive control

Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data.

In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggest limiting the number of global admins to a maximum of two to four operators per business.

Investing in productivity and operation apps without considering security implications

The data shows that US enterprises (on average, not collectively) utilize more than 1,100 different productivity and operations applications, which indicates a strong dedication to the growing needs of business across departments, locations, and time zones.

While increased access to productivity and operations apps helps fuel productivity, unsanctioned shadow IT apps have widely varying levels of security, and those unsanctioned apps represent a significant security risk.

Shadow IT is ripe for attack and according to a Gartner prediction, this year, one-third of all successful attacks on enterprises will be against shadow IT resources.

Many orgs underestimate security and governance responsibilities

Many businesses underestimate the security and governance responsibilities they take on when migrating to Microsoft 365. IT leaders often assume that Microsoft 365 has built-in, fool-proof frameworks for critical IT-related decisions, such as data governance, securing business applications, and prioritizing IT investments and principles.

The research disproves this by revealing that many organizations struggle with fundamental governance and security tasks for their Microsoft 365 environment. Today’s remote and hybrid working environment requires IT leaders to be proactive in prioritizing security and data governance in Microsoft 365.

Study shows which messengers leak your data, drain your battery, and more


Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that’s being linked.

Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. More about that shortly. First, a brief discussion of previews.

When a sender includes a link in a message, the app will display the conversation along with text (usually a headline) and images that accompany the link. It usually looks something like this:

For this to happen, the app itself—or a proxy designated by the app—has to visit the link, open the file there, and survey what’s in it. This can open users to attacks. The most severe are those that can download malware. Other forms of malice might be forcing an app to download files so big they cause the app to crash, drain batteries, or consume limited amounts of bandwidth. And in the event the link leads to private materials—say, a tax return posted to a private OneDrive or Dropbox account—the app server has an opportunity to view and store it indefinitely.
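The mechanism just described (fetch the link, open the file, survey its contents) is where every failure mode in the study comes from: unbounded downloads, JavaScript execution, and server-side copies of private files. The following is an added example, not code from the researchers or from any of the messengers studied, of a preview generator that avoids those failure modes: it refuses non-HTML content types without reading a body, buffers at most a fixed prefix of the response, and extracts only `<title>` and `og:*` metadata with a tokenizing parser that never evaluates scripts. The 64 KiB cap, the `CountingStream` stand-in for a streamed HTTP body, and the sample page are all constructed for the example.

```python
"""Size-capped, script-free link preview extraction. Added example, not the
study's code or any messenger's implementation. Assumptions: the first
MAX_PREVIEW_BYTES of an HTML response are enough to find <title> and og:*
metadata, and the caller has already resolved the URL to a public host."""
from html.parser import HTMLParser
from typing import Iterable, Optional

MAX_PREVIEW_BYTES = 64 * 1024                         # assumption: hard buffer cap
ALLOWED_TYPES = {"text/html", "application/xhtml+xml"}


class _PreviewParser(HTMLParser):
    """Collect <title> text and og:* <meta> tags. <script> bodies are plain
    character data to this parser and are never evaluated."""

    def __init__(self) -> None:
        super().__init__()
        self._title_parts = []
        self._in_title = False
        self.og = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            prop = a.get("property") or a.get("name") or ""
            if prop.startswith("og:") and a.get("content"):
                self.og[prop] = a["content"]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self._title_parts.append(data)

    @property
    def title(self) -> Optional[str]:
        text = "".join(self._title_parts).strip()
        return text or None


def read_capped(chunks: Iterable[bytes], limit: int = MAX_PREVIEW_BYTES) -> bytes:
    """Pull from a streamed body only until `limit` bytes are buffered, so a
    multi-gigabyte link costs at most `limit` bytes of bandwidth and memory."""
    buf = bytearray()
    it = iter(chunks)
    while len(buf) < limit:
        chunk = next(it, None)
        if chunk is None:
            break
        buf.extend(chunk[: limit - len(buf)])
    return bytes(buf)


def build_preview(content_type: str, chunks: Iterable[bytes]) -> Optional[dict]:
    """Return {'title', 'og', 'bytes_read'} or None if the link is refused.
    `content_type` is the response header; `chunks` is the streamed body."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_TYPES:
        return None      # PDFs, archives, binaries: no body is read at all
    body = read_capped(chunks)
    parser = _PreviewParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    parser.close()
    return {"title": parser.title, "og": dict(parser.og), "bytes_read": len(body)}


class CountingStream:
    """Constructed stand-in for an HTTP body of n_chunks * chunk_size bytes
    that records how many chunks were actually pulled off the wire."""

    def __init__(self, chunk_size: int, n_chunks: int) -> None:
        self.chunk_size, self.n_chunks, self.pulled = chunk_size, n_chunks, 0

    def __iter__(self):
        for _ in range(self.n_chunks):
            self.pulled += 1
            yield b"A" * self.chunk_size


# Constructed sample page: real metadata plus a script that would rewrite the
# title if a previewer executed JavaScript instead of merely tokenizing it.
SAMPLE_HTML = b"""<html><head>
<title> Quarterly report </title>
<meta property="og:title" content="Quarterly report">
<meta property="og:image" content="https://example.com/cover.png">
<script>document.title = 'changed by script';</script>
</head><body><p>body text</p></body></html>"""

if __name__ == "__main__":
    print(build_preview("text/html; charset=utf-8", [SAMPLE_HTML]))
    big = CountingStream(chunk_size=1024 * 1024, n_chunks=2600)   # ~2.6 GB body
    r = build_preview("text/html", big)
    print(r["bytes_read"], "bytes buffered,", big.pulled, "chunk(s) pulled")
    print(build_preview("application/octet-stream", big))
```

The content-type gate runs before any body is read, which is what stops a linked archive or a private spreadsheet from ever being copied to the preview host; the byte cap then bounds the cost of an HTML page that happens to be huge. Rendering only from extracted metadata, rather than from a full-page load, is the reason script execution never enters the picture.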

The researchers behind Monday’s report, Talal Haj Bakry and Tommy Mysk, found that Facebook Messenger and Instagram were the worst offenders. As the chart below shows, both apps download and copy a linked file in its entirety—even if it’s gigabytes in size. Again, this may be a concern if the file is something the users want to keep private.

Link Previews: Instagram servers download any link sent in Direct Messages even if it’s 2.6GB.

It’s also problematic because the apps can consume vast amounts of bandwidth and battery reserves. Both apps also run any JavaScript contained in the link. That’s a problem because users have no way of vetting the security of JavaScript and can’t expect messengers to have the same exploit protections modern browsers have.

Link Previews: How hackers can run any JavaScript code on Instagram servers.

Haj Bakry and Mysk reported their findings to Facebook, and the company said that both apps work as intended. LinkedIn performed only slightly better. Its only difference was that, rather than copying files of any size, it copied only the first 50 megabytes.

Meanwhile, when the Line app opens an encrypted message and finds a link, it appears to send the link to the Line server to generate a preview. “We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, and who’s sharing which links to whom,” Haj Bakry and Mysk wrote.

Discord, Google Hangouts, Slack, Twitter, and Zoom also copy files, but they cap the amount of data at anywhere from 15MB to 50MB. The chart below provides a comparison of each app in the study.


All in all, the study is good news because it shows that most messaging apps are doing things right. For instance, Signal, Threema, TikTok, and WeChat all give the users the option of receiving no link preview. For truly sensitive messages and users who want as much privacy as possible, this is the best setting. Even when previews are provided, these apps are using relatively safe means to render them.

Still, Monday’s post is a good reminder that private messages aren’t always, well, private.

“Whenever you’re building a new feature, always keep in mind what sort of privacy and security implications it may have, especially if this feature is going to be used by thousands or even millions of people around the world,” the researchers wrote. “Link previews are a nice feature that users generally benefit from, but here we’ve showcased the wide range of problems this feature can have when privacy and security concerns aren’t carefully considered.”

Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch


A popular smartwatch designed exclusively for children contains an undocumented backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls, and track locations in real time, a researcher said.

The X4 smartwatch is marketed by Xplora, a Norway-based seller of children’s watches. The device, which sells for about $200, runs on Android and offers a range of capabilities, including the ability to make and receive voice calls to parent-approved numbers and to send an SOS broadcast that alerts emergency contacts to the location of the watch. A separate app that runs on the smartphones of parents allows them to control how the watches are used and receive warnings when a child has strayed beyond a preset geographic boundary.

But that’s not all

It turns out that the X4 contains something else: a backdoor that went undiscovered until some impressive digital sleuthing. The backdoor is activated by sending an encrypted text message. Harrison Sand, a researcher at Norwegian security company Mnemonic, said that commands exist for surreptitiously reporting the watch’s real-time location, taking a snapshot and sending it to an Xplora server, and making a phone call that transmits all sounds within earshot.

Sand also found that 19 of the apps that come pre-installed on the watch are developed by Qihoo 360, a security company and app maker located in China. A Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4 with Xplora and manufactures the watch hardware.

“I wouldn’t want that kind of functionality in a device produced by a company like that,” Sand said, referring to the backdoor and Qihoo 360.

In June, Qihoo 360 was placed on a US Commerce Department sanctions list. The rationale: ties to the Chinese government made the company likely to engage in “activities contrary to the national security or foreign policy interests of the United States.” Qihoo 360 declined to comment for this post.

Patch on the way

The existence of an undocumented backdoor in a watch from a country with a known record of espionage hacks is concerning. At the same time, this particular backdoor has limited applicability. To make use of the functions, someone would need to know both the phone number assigned to the watch (it has a slot for a SIM card from a mobile phone carrier) and the unique encryption key hardwired into each device.

In a statement, Xplora said obtaining both the key and phone number for a given watch would be difficult. The company also said that even if the backdoor was activated, obtaining any collected data would be hard, too. The statement read:

We want to thank you for bringing a potential risk to our attention. Mnemonic is not providing any information beyond that they sent you the report. We take any potential security flaw extremely seriously.

It is important to note that the scenario the researchers created requires physical access to the X4 watch and specialized tools to secure the watch’s encryption key. It also requires the watch’s private phone number. The phone number for every Xplora watch is determined when it is activated by the parents with a carrier, so no one involved in the manufacturing process would have access to it to duplicate the scenario the researchers created.

As the researchers made clear, even if someone with physical access to the watch and the skill to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly-secure Amazon Web Services environment.

Only two Xplora employees have access to the secure database where customer information is stored and all access to that database is tracked and logged.

This issue the testers identified was based on a remote snapshot feature included in initial internal prototype watches for a potential feature that could be activated by parents after a child pushes an SOS emergency button. We removed the functionality for all commercial models due to privacy concerns. The researcher found some of the code was not completely eliminated from the firmware.

Since being alerted, we have developed a patch for the Xplora 4, which is not available for sale in the US, to address the issue and will push it out prior to 8:00 a.m. CET on October 9. We conducted an extensive audit since we were notified and have found no evidence of the security flaw being used outside of the Mnemonic testing.

The spokesman said the company has sold about 100,000 X4 smartwatches to date. The company is in the process of rolling out the X5. It’s not yet clear if it contains similar backdoor functionality.

Heroic measures

Sand discovered the backdoor through some impressive reverse engineering. He started with a modified USB cable that he soldered onto pins exposed on the back of the watch. Using an interface for updating the device firmware, he was able to download the existing firmware off the watch. This allowed him to inspect the insides of the watch, including the apps and other various code packages that were installed.

A modified USB cable attached to the back of an X4 watch. Image: Mnemonic

One package that stood out was titled “Persistent Connection Service.” It starts as soon as the device is turned on and iterates through all the installed applications. As it queries each application, it builds a list of intents—or messaging frameworks—it can call to communicate with each app.

Sand’s suspicions were further aroused when he found intents with the following names:

  • WIRETAP_INCOMING
  • WIRETAP_BY_CALL_BACK
  • COMMAND_LOG_UPLOAD
  • REMOTE_SNAPSHOT
  • SEND_SMS_LOCATION

After more poking around, Sand figured out the intents were activated using SMS text messages that were encrypted with the hardwired key. System logs showed him that the key was stored on a flash chip, so he dumped the contents and obtained it—“#hml;Fy/sQ9z5MDI=$” (quotation marks not included). Reverse engineering also allowed the researcher to figure out the syntax required to activate the remote snapshot function.
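The audit step described above, enumerating what the "Persistent Connection Service" could call, is something a defender can repeat statically on a firmware dump: collect every intent action declared in the installed apps and flag names that look like remote-control plumbing. The following is an added example of that audit, not Sand's or Mnemonic's tooling. It assumes the manifests have already been decoded from binary AXML to text (as apktool produces); the five watchlist names come from the article, the extra keywords are my own choice, and the package names and manifests below are constructed placeholders, not the X4's real ones.

```python
import re
import tempfile
from pathlib import Path
from textwrap import dedent

# Intent action names the article reports Sand found in the X4 firmware.
KNOWN_BACKDOOR_ACTIONS = {
    "WIRETAP_INCOMING",
    "WIRETAP_BY_CALL_BACK",
    "COMMAND_LOG_UPLOAD",
    "REMOTE_SNAPSHOT",
    "SEND_SMS_LOCATION",
}

# Broader keywords worth a second look in any firmware audit (my choice, not from the article).
SUSPECT_KEYWORDS = ("WIRETAP", "SNAPSHOT", "LOG_UPLOAD", "SMS_LOCATION")

# Matches <action android:name="..."/> in a decoded (text) manifest.
ACTION_RE = re.compile(r'<action\s+android:name="([^"]+)"')


def extract_actions(manifest_text: str) -> list[str]:
    """Return every intent action name declared in a decoded manifest."""
    return ACTION_RE.findall(manifest_text)


def classify(action: str):
    """Return a reason string if the action looks like remote-control plumbing, else None."""
    short = action.rsplit(".", 1)[-1]  # "com.x.REMOTE_SNAPSHOT" -> "REMOTE_SNAPSHOT"
    if short in KNOWN_BACKDOOR_ACTIONS:
        return "known X4 backdoor intent"
    if any(k in short for k in SUSPECT_KEYWORDS):
        return "suspicious keyword"
    return None


def audit_tree(root) -> list[tuple[str, str, str]]:
    """Walk an extracted firmware tree and flag suspicious intent actions.

    Assumes manifests were decoded from binary AXML to text (e.g. with apktool);
    raw AXML straight out of a firmware dump will not match the regex.
    """
    root = Path(root)
    findings = []
    for manifest in sorted(root.rglob("AndroidManifest.xml")):
        for action in extract_actions(manifest.read_text()):
            reason = classify(action)
            if reason:
                findings.append((str(manifest.relative_to(root)), action, reason))
    return findings


# Constructed sample manifests; package names are placeholders, not the X4's real ones.
BENIGN_MANIFEST = dedent("""\
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
              package="com.example.clock">
      <application>
        <receiver android:name=".BootReceiver">
          <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED"/>
          </intent-filter>
        </receiver>
      </application>
    </manifest>
""")

SUSPECT_MANIFEST = dedent("""\
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
              package="com.example.pcs">
      <application>
        <service android:name=".PersistentConnectionService">
          <intent-filter>
            <action android:name="com.example.pcs.HEARTBEAT"/>
            <action android:name="com.example.pcs.REMOTE_SNAPSHOT"/>
            <action android:name="com.example.pcs.WIRETAP_INCOMING"/>
            <action android:name="com.example.pcs.CAMERA_SNAPSHOT"/>
          </intent-filter>
        </service>
      </application>
    </manifest>
""")


def build_sample_tree(root) -> None:
    """Lay out two decoded app directories, the way apktool would, under root."""
    for app, text in (("clock", BENIGN_MANIFEST), ("pcs", SUSPECT_MANIFEST)):
        app_dir = Path(root) / "system" / "app" / app
        app_dir.mkdir(parents=True)
        (app_dir / "AndroidManifest.xml").write_text(text)


def run_demo() -> list[tuple[str, str, str]]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for path, action, reason in run_demo():
        print(f"{path}: {action} ({reason})")
```

On the constructed tree the audit flags the two watchlist names and the keyword hit `CAMERA_SNAPSHOT`, and leaves `BOOT_COMPLETED` and `HEARTBEAT` alone. A name match is only a starting point: the follow-up is to read the handler behind each flagged action and confirm what it does and how it is triggered, as Sand did for the remote snapshot.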

“Sending the SMS triggered a picture to be taken on the watch, and it was immediately uploaded to Xplora’s server,” Sand wrote. “There was zero indication on the watch that a photo was taken. The screen remained off the entire time.”

Sand said he didn’t activate the functions for wiretapping or reporting locations, but with additional time, he said, he’s confident he could have.

As both Sand and Xplora note, exploiting this backdoor would be difficult, since it requires knowledge of both the unique factory-set encryption key and the phone number assigned to the watch. For that reason, people who own a vulnerable device have no cause to panic.

Still, it’s not beyond the realm of possibility that the key could be obtained by someone with ties to the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private, either.

The backdoor underscores the kinds of risks posed by the increasing number of everyday devices that run on firmware that can’t be independently inspected without the kinds of heroic measures employed by Sand. While the chances of this particular backdoor being used are low, people who own an X4 would do well to ensure their device installs the patch as soon as practical.

Why are certain employees more likely to comply with information security policies than others?

Information security policies (ISP) that are not grounded in the realities of an employee’s work responsibilities and priorities expose organizations to higher risk of data breaches, according to research from Binghamton University, State University of New York.

The study’s findings, that subcultures within an organization influence whether employees violate ISP or not, have led researchers to recommend an overhaul of the design and implementation of ISP, and to work with employees to find ways to seamlessly fit ISP compliance into their day-to-day tasks.

“The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance to ISP by employees is one of the important factors,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management.

“We wanted to understand why certain employees were more likely to comply with information security policies than others in an organization.”

How subcultures influence compliance within healthcare orgs

Sarkar, with a research team, sought to determine how subcultures influence compliance, specifically within healthcare organizations.

“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sarkar. “Each of these groups is trained in a different way and is responsible for different tasks.”

Sarkar and his fellow researchers focused on ISP compliance within three subcultures found in a hospital setting – physicians, nurses and support staff.

The expansive study took years to complete, with one researcher embedding in a hospital for over two years to observe and analyze activities, as well as to conduct interviews and surveys with multiple employees.

Because patient data in a hospital is highly confidential, one area researchers focused on was the requirement for hospital employees to lock their electronic health record (EHR) workstation when not present.

“Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” said Sarkar.

“On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”

The conclusion

Researchers concluded that each subculture within an organization will respond differently to the organization-wide ISP, leaving organizations open to a higher possibility of data breaches.

Their recommendation – consult with each subculture while developing ISP.

“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks,” said Sarkar. “It is critical that we find ways to redesign ISP systems and processes in order to create less friction.”

In the context of a hospital setting, Sarkar recommends touchless, proximity-based authentication mechanisms that could lock or unlock workstations when an employee approaches or leaves a workstation.

Researchers also found that most employees understand the value of ISP compliance and realize the potential cost of a data breach. However, Sarkar believes that outdated ISP compliance measures have the potential to put employees in a conflict of priorities.

“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”

Five critical success factors for the 5G economy

Policymakers should focus on five critical success factors in order to ensure the US continues to build its emerging 5G economy, according to a report from Boston Consulting Group (BCG).

Drawing on an in-depth analysis of the factors that secured America’s leadership of the 4G economy, the study concludes that spectrum availability and wireless network deployments, along with broader economic factors such as a pro-investment and innovation business climate, private sector R&D, and workforce readiness are key to expanding a country’s 5G penetration rate and 5G-powered economic growth.

“A country’s 5G progress shouldn’t be based on misleading snapshots in time such as the number of 5G subscribers or the amount of 5G base stations deployed in a given quarter,” said Enrique Duarte Melo, a BCG managing director and senior partner and lead author of the report.

“Policymakers should instead look at how these factors—network coverage, spectrum availability, the quality of the innovation ecosystem, business climate, and technology talent—will blend together to drive 5G penetration and make 5G use cases widely available throughout society.”

Spectrum availability

Spectrum is the foundation of mobile wireless service, and particularly for 5G networks, providers need a mix of low-, mid-, and high-band spectrum.

The study finds that the US has made significant amounts of low- and high-band spectrum available, but lags in crucial mid-band spectrum.

Networks

Widespread network deployment is critical to laying the foundations of a 5G economy and achieving high levels of wireless penetration—the number of active 5G subscribers per capita.

The study finds that US telecom companies have invested seven times more than Chinese companies and that from 2020 to 2025, US operators are expected to invest over $250 billion to build 5G networks, more than any other country.

Innovation ecosystem

Strong R&D investment and IP protection will help spur the development of innovative new 5G services as well as cross-industry collaboration.

The study finds that US technology and telecom companies spend significantly more on R&D, as a percentage of sales, than other global competitors. On an absolute basis, US wireless companies invest five times as much as Chinese companies.

Business climate

Capital expenditures and investment and an openness to risk-taking, combined with business-friendly policies, will create an environment conducive to wireless innovation and entrepreneurship.

The study finds that the US ranks in the top three nations on key drivers of new business creation and ranks first for entrepreneurship. It’s also home to 12 of the world’s top 30 cities for startups and serves as a startup hub for key 5G technologies like artificial intelligence and cybersecurity.

Talent

A workforce with digital and technical skills will provide countries the expertise to build state-of-the-art wireless networks and develop new 5G applications.

The study finds that the US’s ability to attract the best global talent has promoted innovation and that training and retraining employees in tech-related certifications and degrees will be critical.

Further, the study finds that the foremost impact of 5G will be the services and applications unlocked by powerful and ubiquitous 5G networks.

25% of IT workers don’t enforce security policies

14% of IT workers are consumed with Identity and Access Management (IAM), spending at least an hour per day on routine IAM tasks, according to 1Password.

IAM continues to be a significant productivity drain for IT and employees alike, with 57% of IT workers resetting employee passwords up to five times per week, and 15% doing so at least 21 times per week.

Shadow IT issues

IAM is often used to detect shadow IT, and 1Password’s survey revealed that it’s largely successful. Four in five workers report always following their company’s IT policy, meaning that just 20% of workers are driving all shadow IT activity in the enterprise. These employees don’t act out of malice but rather a drive to get more done, with 49% citing productivity as their top reason for circumventing IT’s rules.

“The shadow IT picture is more complicated than many think,” said Jeff Shiner, CEO, 1Password. “Most of us follow the rules, but a small group of employees trying to get more done circumvent policies and create openings for credential attacks. They’re sometimes enabled by IT workers who empathize with their pursuit of productivity.”

Ignoring the IT policy

Employees who break their company’s IT policy tend to be:

  • Speed demons: They’re nearly twice as likely to say convenience is more important than security—and almost 50% more likely to say strict password requirements aren’t worth the hassle.
  • Pessimistic about IT capabilities: Employees who break IT policies are nearly twice as likely to say it’s unrealistic for companies to be aware of and manage all apps and devices used by employees at work, and say the IT department is more of a hindrance than a help.
  • Millennials and Gen Z: Nearly three times as many workers who are 18-39 say they do not always follow IT policies, compared to those ages 56 and up.

Lack of tools amid the relentless quest for productivity

IT workers cited a lack of suitable technology resources and concern for employee effectiveness as the reasons nearly one in three IT workers are not fully enforcing security policies.

Twenty-five percent of IT workers say they don’t enforce security policies universally, and 4% don’t enforce those policies at all, for reasons ranging from the hassle involved in managing policies to concerns over workforce productivity.

Thirty-eight percent of IT workers who do not strictly enforce security policies said their organization’s method for monitoring is not robust, while 29% agreed “it’s just too hard and time consuming to track and enforce” and 28% said “our employees get more done if we just let them manage their own software.”

One in three IT workers say that strict password requirements at work aren’t worth the hassle.

The usage of enterprise password managers

89% of IT departments using a password manager say it’s had a measurable impact on security at their company.

IT departments using enterprise password managers (EPMs) report that they save time and frustration for employees (57%), reduce time spent by IT departments (45%), enhance productivity (37%), reduce breaches/attacks (26%) and create happier employees (26%).

340 GDPR fines for a total of €158,135,806 issued since May 2018

Since GDPR took effect in May 2018, European data protection authorities have issued 340 GDPR fines. Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine, Privacy Affairs finds.

Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose its own penalties on organizations that break the law.

Nations with the highest fines

  • France: €51,100,000
  • Italy: €39,452,000
  • Germany: €26,492,925
  • Austria: €18,070,100
  • Sweden: €7,085,430
  • Spain: €3,306,771
  • Bulgaria: €3,238,850
  • Netherlands: €3,490,000
  • Poland: €1,162,648
  • Norway: €985,400

Nations with the most fines

  • Spain: 99
  • Hungary: 32
  • Romania: 29
  • Germany: 28
  • Bulgaria: 21
  • Czech Republic: 13
  • Belgium: 12
  • Italy: 11
  • Norway: 9
  • Cyprus: 8

The second-highest number of fines comes from Hungary, where the National Authority for Data Protection and Freedom of Information has issued 32 fines to date. The largest, €288,000, was issued to an ISP for improper and non-secure storage of customers’ personal data.

UK organizations have been issued just seven fines, totalling over €640,000, by the Information Commissioner. The average penalty within the UK is €160,000. This does not include the potentially massive fines for Marriott International and British Airways that are still under review.

British Airways could face a fine of €204,600,000 for a data breach in 2019 that resulted in the loss of personal data of 500,000 customers.

Similarly, Marriott International suffered a breach that exposed 339 million people’s data. The hotel group faces a fine of €110,390,200.

The largest and highest GDPR fines

The largest GDPR fine to date was issued by French authorities to Google in January 2019. The €50 million was issued on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

Highest fines issued to private individuals:

  • €20,000 issued to an individual in Spain for unlawful video surveillance of employees.
  • €11,000 issued to a soccer coach in Austria who was found to be secretly filming female players while they were taking showers.
  • €9,000 issued to another individual in Spain for unlawful video surveillance of employees.
  • €2,500 issued to a person in Germany who sent emails to several recipients, where each could see the other recipients’ email addresses. Over 130 email addresses were visible.
  • €2,200 issued to a person in Austria for having unlawfully filmed public areas using a private CCTV system. The system filmed parking lots, sidewalks, a garden area of a nearby property, and it also filmed the neighbors going in and out of their homes.

Hong Kong downloads of Signal surge as residents fear crackdown


The secure chat app Signal has become the most downloaded app in Hong Kong on both Apple’s and Google’s app stores, Bloomberg reports, citing data from App Annie. The surging interest in encrypted messaging comes days after the Chinese government in Beijing passed a new national security law that reduced Hong Kong’s autonomy and could undermine its traditionally strong protections for civil liberties.

The 1997 handover of Hong Kong from the United Kingdom to China came with a promise that China would respect Hong Kong’s autonomy for 50 years following the handover. Under the terms of that deal, Hong Kong residents should have continued to enjoy greater freedom than people on the mainland until 2047. But recently, the mainland government has appeared to renege on that deal.

Civil liberties advocates see the national security law approved last week as a major blow to freedom in Hong Kong. The New York Times reports that “the four major offenses in the law—separatism, subversion, terrorism and collusion with foreign countries—are ambiguously worded and give the authorities extensive power to target activists who criticize the party, activists say.” Until now, Hong Kongers faced trial in the city’s separate, independent judiciary. The new law opens the door for dissidents to be tried in mainland courts with less respect for civil liberties or due process.

This has driven heightened interest among Hong Kongers in secure communication technologies. Signal offers end-to-end encryption and is viewed by security experts as the gold standard for secure mobile messaging. It has been endorsed by NSA whistleblower Ed Snowden.

One of Signal’s selling points is that it minimizes data collection on its users. When rival Telegram announced it would no longer honor data requests from Hong Kong courts, Signal responded that it didn’t have any user data to hand over in the first place.

Bloomberg has also reported on the surging adoption of VPN software in Hong Kong as residents fear government surveillance of their Web browsing.

Realizing cybersecurity risks does not mean sticking to the rules

72% of remote workers say they are more conscious of their organization’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints, Trend Micro reveals.

The study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee security awareness.

The survey reveals that the approach businesses take to training is critical to ensure secure practices are being followed.

High level of security awareness

The results indicate a high level of security awareness, with 85% of respondents claiming they take instructions from their IT team seriously, and 81% agree that cybersecurity within their organization is partly their responsibility. Additionally, 64% acknowledge that using non-work applications on a corporate device is a security risk.

However, just because most people understand the risks does not mean they stick to the rules.

For example:

  • 56% of employees admit to using a non-work application on a corporate device, and 66% of them have actually uploaded corporate data to that application.
  • 80% of respondents confess to using their work laptop for personal browsing, and only 36% of them fully restrict the sites they visit.
  • 39% of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
  • 8% of respondents admit to watching / accessing porn on their work laptop, and 7% access the dark web.

Productivity still wins out over protection

Productivity still wins out over protection for many users. 34% of respondents agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 29% think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense.’

Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University explains: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organization, as well as aspects of their personality, all of which are important factors which drive people’s behaviors.

“To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organizations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”

Rik Ferguson, Vice President of Security Research at Trend Micro, argues: “It’s really heartening to see that so many people take the advice from their corporate IT team seriously, although you have to wonder about the 15% who don’t… At the same time those people also accept their own role in the human firewall of any organization.

“The problem area seems to be translating that awareness into concrete behavior. To reinforce this, organizations need to take into account the diversity across the organization and tailor training to identify and address these distinct behavioral groups.

“The time to do this is now, to take advantage of the new working environment and people’s newfound recognition of the importance of information security.”

80% of consumers trust a review platform more if it displays fake reviews

Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.

Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.

A research study looks at how consumers respond to potentially fraudulent reviews and how review portals can leverage this information to design better fraud management policies.

“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.

“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”

Fake reviews aid decision making

A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.

Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.

“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”

Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that it is potentially fraudulent.

This study used large-scale data from Yelp to conduct experiments to measure trust and found 80% of the users in our survey agree they trust a review platform more if it displays fake review information because businesses are less likely to write fraud reviews on these platforms.

Transparency over censorship

Meanwhile, 85% of users in our survey believe they should have a choice in viewing truthful and fraudulent information and the platforms should leave the choice to consumers to decide whether they use fraudulent review information in determining the quality of a business.

The study also finds that consumers tend to trust the information provided by platforms more when the platform distinguished and displayed fraudulent reviews from nonfraudulent reviews, as compared to the more common practice of censoring suspected fraudulent reviews.

“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.

When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.

A platform may admit to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews may be fraudulent and now see that something is being done to address it.

Employees often overlooked when companies adopt new technology

Companies are placing business and shareholder goals above employee needs when they adopt new technology, according to Lenovo.

The research, conducted among 1,000 IT managers across EMEA, found that just 6% of IT managers consider users as their top priority when making technology investments. This approach to IT adoption is ultimately leading to productivity being stifled.

When businesses implement new technologies without considering the human impact, many employees become overwhelmed due to the complexity and pace of change, with 47% of IT managers reporting that users struggle to embrace new software.

With all industries having to adapt to the ‘next normal’ and take stock of their responsibility – to employees, to the environment and to the wider world – businesses are encouraged to place the needs of their people at the heart of IT decisions.

Untapped potential

There is an understandable desire for businesses to embrace transformational technologies, such as Artificial Intelligence, and the Internet of Things, as soon as possible.

The benefits these promise – innovation, improved productivity, reduced cost and, most importantly, a better customer experience – are tantalizing for any organization, but their true potential goes untapped if adoption is led purely by business goals.

While successfully implemented technology should act as an enabler for employees and businesses to achieve greater things, a poor strategy can see technology become an inhibitor – hampering users whose needs have not been carefully considered and catered for.

48% of respondents reported a negative outcome where technology implementations have actively inhibited their teams’ ability to operate.

Businesses need to focus on people, offering everything from comprehensive training, to change management, while ensuring leadership KPIs, robust policy and strategy and thorough rollout analyses are aligned with a people-first ethos.

Businesses should also ask people-centric questions during any adoption process: is this technology intuitive? Will it solve rather than create challenges for employees? Will users get a good experience?

By taking these steps, businesses can realize the benefits new tools promise, seeing greater productivity and driving innovation. In fact, 52% of IT managers are optimistic about emerging tech’s ability to deliver improved productivity.

However, with 21% of users reporting new technology has actually slowed down processes, it is imperative for businesses to embrace the right technology at the right time. It’s also vitally important businesses consider everyone in the organization – from those who use it every day, to the IT teams implementing it, to the boardroom decision makers.

The goal should be to adopt smarter technology that is always connected, seamless, agile, flexible, easy to collaborate, adaptive to needs, reliable, high performance and with enhanced security and privacy. Not only that, but it should be suited to the needs of everyone in an organization.

Responsible business in the ‘next normal’

Organizations are currently re-evaluating how they operate in order to thrive in the next normal. Being a responsible business must now be a priority – placing human impact on the same level as achieving business goals. With 62% of IT managers reporting their investment decisions are entirely business-centric, it will require a fundamental mindset shift for many businesses.

However, as flexible working policies are embraced in order to provide more support to employees during the COVID-19 outbreak, a people-first approach is beginning to emerge, with 70% of respondents seeing more emphasis within their organization on responsible business.

Giovanni Di Filippo, President of Lenovo’s Data Center Group, EMEA, says: “Times are changing rapidly, not only for businesses, but the technology industry as a whole. Stripped of office walls, we are seeing organizations place greater emphasis on the wellbeing of their employees, and it’s heartening to see this shift in priorities from being all about the bottom line. But the study shows that this is only the beginning.”

“If there is a change of heart and mind within the industry, taking a people-first approach to IT adoption, we will see positive change for both organizations and wider society. Happier employees, greater productivity and a faster pace of innovation – these are the benefits of placing people at the centre of IT decisions.”

Companies adopt new technology: Time to think human

IT vendors whose portfolios empower businesses to think human will help employees embrace change and enable them to be more productive. Such vendors do this by working openly with other organizations, focusing on customer outcomes rather than adoption alone, reducing the burden on customers and on the IT department, and putting usability and experience first.

Giovanni Di Filippo says, “For too long IT decisions have placed pure cost above a business’s most valuable asset: people. It’s people that change the world, and we know that data and technology cannot be transformative without humans bringing it to life and giving it purpose.”

“We want businesses to think human by investing in ‘Smarter Technology for All’. As for vendors – it’s time to think beyond what they make and consider who they make it for. If people are put first, we know the benefits and desired company outcomes will be great.”

Privacy and security concerns related to patient data in the cloud

The Cloud Security Alliance has released a report examining privacy and security of patient data in the cloud.


In the wake of COVID-19, health delivery organizations (HDOs) have quickly increased their utilization of telehealth capabilities (i.e., remote patient monitoring (RPM) and telemedicine) to treat patients in their homes. These technology solutions allow for the delivery of patient treatment, comply with COVID-19 mitigation best practices, and reduce the risk of exposure for healthcare providers.

Remote healthcare comes with security challenges

Going forward, telehealth solutions, which move large volumes of patient data over the internet and into the cloud, can be used to remotely monitor and treat patients who have mild cases of the virus, as well as other health issues. However, this remote environment also comes with an array of privacy and security challenges.

“For health care systems, telehealth has emerged as a critical technology for safe and efficient communications between healthcare providers and patients, and accordingly, it’s vital to review the end-to-end architecture of a telehealth delivery system,” said Dr. Jim Angle, co-chair of CSA’s Health Information Management Working Group.

“A full analysis can help determine whether privacy and security vulnerabilities exist, what security controls are required for proper cybersecurity of the telehealth ecosystem, and if patient privacy protections are adequate.”

The HDO must understand regulations and technologies

With the increased use of telehealth in the cloud, HDOs must adequately and proactively address data, privacy, and security issues. The HDO cannot leave this up to the cloud service provider, as it is a shared responsibility. The HDO must understand regulatory requirements, as well as the technologies that support the system.

Regulatory mandates may span multiple jurisdictions, and requirements may include both the GDPR and HIPAA. Armed with the right information, the HDO can implement and maintain a secure and robust telehealth program.

Bad habits and risky behaviors put corporate data at risk

IT and application development professionals tend to exhibit risky behaviors when organizations impose strict IT policies, according to SSH.


Polling 625 IT and application development professionals across the United States, United Kingdom, France, and Germany, the survey found that hybrid IT is on the rise and shows no signs of slowing down.

Fifty-six percent of respondents described their IT environment as hybrid cloud, an increase from 41 percent a year ago. On average, companies are actively using two cloud service vendors at a time.

While hybrid cloud offers a range of strategic benefits related to cost, performance, security, and productivity, it also introduces the challenge of managing more cloud access.

Cloud access solutions slowing down work

The survey found that cloud access solutions, including privileged access management software, slow down daily work for 71 percent of respondents. The biggest speed bumps were cited as configuring access (34 percent), repeatedly logging in and out (30 percent), and granting access to other users (29 percent).

These hurdles often drive users to seek risky workarounds, with 52 percent of respondents claiming they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.

Eighty-five percent of respondents also share account credentials with others out of convenience, even though 70 percent understand the risks of doing so. These risks are compounded by the 60 percent of respondents who store credentials and passwords insecurely, including in email, in unencrypted files or folders, and on paper.

“As businesses grow their cloud environments, secure access to the cloud will continue to be paramount. But when access controls lead to a productivity trade-off, as this research has shown, IT admins and developers are likely to bypass security entirely, opening the organization up to even greater cyber risk,” said Jussi Mononen, chief commercial officer at SSH.

“For privileged access management to be effective, it needs to be fast and convenient, without adding operational obstacles. It needs to be effortless.”

Orgs using public internet networks

In addition to exposing the risky behaviors of many IT and application development professionals when accessing the cloud, the survey also revealed some unwitting security gaps in organizations’ access management policies. For example, more than 40 percent of respondents use public internet networks – inherently less secure than private networks – to access internal IT resources.

Third-party access was also found to be a risk point, with 29 percent of respondents stating that outside contractors are given permanent access credentials to the business’ IT environment.


Permanent credentials are fundamentally risky: they grant standing access that outlives the task at hand, and they can be forgotten, stolen, mismanaged, misconfigured, or lost.

Mononen continued, “When it comes to access management, simpler is safer. Methods like single sign-on can streamline the user experience significantly, by creating fewer logins and fewer entry points that reduce the forming of bad IT habits.

“There is also power in eliminating permanent access credentials entirely, using ephemeral certificates that unlock temporary ‘just-in-time’ access to IT resources, only for the time needed before access automatically expires. Ultimately, reducing the capacity for human error comes down to designing security solutions that put the user first and cut out unnecessary complexity.”

Researchers say online voting tech used in 5 states is fatally flawed

Voting machines are shown at a polling location on June 9, 2020 in West Columbia, South Carolina. (Photo: Sean Rayford/Getty Images)

OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states—West Virginia, Delaware, and New Jersey—have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT’s Michael Specter and the University of Michigan’s Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity.

Democracy Live, the company behind OmniBallot, defended its software in an email response to Ars Technica. “The report did not find any technical vulnerabilities in OmniBallot,” wrote Democracy Live CEO Bryan Finney.

This is true in a sense—the researchers didn’t find any major bugs in the OmniBallot code. But it also misses the point of their analysis. The security of software not only depends on the software itself but also on the security of the environment on which the system runs. For example, it’s impossible to keep voting software secure if it runs on a computer infected with malware. And millions of PCs in the United States are infected with malware.

The issue has particular urgency right now because the ongoing COVID-19 pandemic is forcing election officials to make significant changes to election procedures. Right now, most jurisdictions using the OmniBallot software don’t use its online voting (“electronic ballot delivery”) feature, but enabling it would require little more than a configuration change. There’s a risk that election officials, under pressure to make remote voting easier, will decide to turn it on for this November’s general election.

How OmniBallot works

Experimenting with a live election system would be unethical and likely illegal. Instead, Specter and Halderman obtained a copy of the OmniBallot software, reverse-engineered it, and then created new server software that mimicked the behavior of the real server. This allowed them to experiment with the software without risking interference with a real election.

OmniBallot offers a number of different capabilities that state election officials have the option to offer to voters. The most basic is a blank ballot delivery feature that will provide a voter with a PDF ballot that can be printed out and mailed back to the polling place.

Jurisdictions can also offer a ballot-marking feature, which will mark a ballot on the voter’s behalf before it’s printed out. This can enable blind voters to fill out a ballot independently. It can also prevent overvotes (voting for two or more candidates) and warn voters about undervotes (failing to vote in a race).

But Specter and Halderman argue that this capability comes with some added risks. Malicious software could be programmed to switch votes some fraction of the time. Theoretically, voters are supposed to check that the votes are correct before mailing in their ballot, but research suggests voters are lax about doing so. One study by Halderman and others found that only 6.6 percent of voters in a realistic mock election reported a changed vote to election supervisors.

By default, the software generates the marked ballot PDF on an OmniBallot server, not on the user’s own device. This creates an unnecessary risk to the privacy of the voter’s ballot, Specter and Halderman argue, since it means that Democracy Live gets an unnecessary copy of the voter’s votes.

Fortunately, Democracy Live also offers an option for client-side ballot marking. Andrew Appel, a computer scientist at Princeton, told Ars that this option was added at the insistence of California officials who objected to server-side ballot marking. When this option is chosen by election administrators, the ballot is marked on the user’s own device, without sharing the data with Democracy Live’s servers. The computer scientists recommend that all jurisdictions using OmniBallot’s ballot marking feature switch to the client-side version of the software.

The problems with online voting

While there are some security concerns with ballot-marking software, the researchers say that these problems pale in comparison to the security vulnerabilities of OmniBallot’s online voting (“electronic ballot delivery”) system.

The fundamental problem is that the complexity and opacity of online voting systems create numerous opportunities for an attacker to tamper with a ballot during submission. Malware on the client device could modify the ballot before it’s transmitted to Democracy Live’s servers. OmniBallot is built on Amazon Web Services and loads JavaScript libraries delivered by Google and Cloudflare, so an attacker who compromised any of those three companies’ systems, or a malicious insider at any of them, could potentially alter ballots in transit.

And the nature of online voting means there’s no reliable way for a voter to confirm that the ballot the server counted is the ballot they marked. Cryptographers have designed end-to-end verifiable voting systems, which give each voter a way to check that their vote was recorded and tallied as cast without revealing how they voted. Democracy Live doesn’t do anything like that. In their paper, Specter and Halderman describe how an attacker could exploit the lack of end-to-end verification.

“The web app would show a ballot containing the selections the voter intended, but the ballot that got cast would have selections chosen by the attacker,” they write. “The attack would execute on the client, with no unusual interactions with Democracy Live, so there would be no way for the company (or election officials) to discover it.”

Auditing doesn’t fix the problem

Democracy Live conducts post-election audits using AWS CloudTrail, which logs API activity in the company’s Amazon Web Services account, to verify that no Democracy Live employees abused their access to company servers. These checks could detect some forms of election tampering, but Specter and Halderman point out that they are far from foolproof.

These methods wouldn’t detect any attacks executed from the client side. If malware on a user’s PC modified the user’s ballot before sending it to Democracy Live’s servers, that wouldn’t show up in the CloudTrail logs. If someone with access to Google or Cloudflare servers delivered malicious JavaScript libraries to OmniBallot users, that wouldn’t show up in AWS logs. Someone with administrative access to Amazon’s servers might be able to modify Democracy Live’s software in a way that wouldn’t show up in the logs.

Of course, most of these attacks wouldn’t be trivial to pull off. Google, Amazon, and Cloudflare are three of the most sophisticated software companies in the world and take elaborate precautions to defend their systems. The Democracy Live audit cited above covered an election for the King County Conservation District. It’s farfetched that anyone would go to so much trouble to attack such a low-stakes election.

But sophisticated attacks would become far more plausible if the software were used to elect members of Congress and even the president. In that case, we can imagine foreign governments like Russia or China being willing to invest significant resources to compromise election results in a way that’s difficult to detect. We don’t know the full extent of these countries’ offensive capabilities, of course. But it’s reasonable to think that they’d be able to compromise OmniBallot’s software in ways that wouldn’t be revealed in a post-election audit.

To be fair to Democracy Live, the issues the researchers highlighted aren’t unique to the OmniBallot software. Rather, there’s an overwhelming consensus among computer security experts that Internet-based voting is a bad idea in general. Halderman and Specter cite a 2018 report from the National Academies of Sciences, Engineering, and Medicine that found that “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.”

FIRST releases updated coordination principles for Multi-Party Vulnerability Coordination and Disclosure

The Forum of Incident Response and Security Teams (FIRST) has released an updated set of coordination principles – Guidelines for Multi-Party Vulnerability Coordination and Disclosure version 1.1.


Stakeholder roles and communication paths

The purpose

The purpose of the Guidelines is to improve coordination and communication across different stakeholders during a vulnerability disclosure and provide best practices, policy and processes for reporting any issues across multiple vendors.

It is targeted at vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time.

Previous best practices, policy and process for vulnerability disclosure focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination.

Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third party software, supply chain vulnerabilities, and the support challenges facing CSIRTs and PSIRTs are just a few of the complicating aspects.

Art Manion, Vulnerability Analysis Technical Manager, CERT Coordination Center said: “As software development becomes more complex and connected to supply chains, coordinated vulnerability disclosure practices need to evolve. The updated Guidelines are a step in that evolution, deriving guidance and principles from practical use cases.”

The content

The Guidelines for Multi-Party Vulnerability Coordination and Disclosure contains a collection of best current practices that consider more complex as well as typical real-life scenarios that go beyond a single researcher reporting a vulnerability to a single company.

The Guidance includes:

  • Establish a strong foundation of processes and relationships
  • Maintain clear and consistent communications
  • Build and maintain trust
  • Minimize exposure for stakeholders
  • Respond quickly to early disclosure
  • Use coordinators when appropriate
  • Multi-Party Disclosure Use Cases

FIRST Chair, Serge Droz said: “The Guidelines for Multi-Party Vulnerability Coordination and Disclosure is an important step towards a better and more responsible way of managing vulnerabilities.

“It was crucial that these Guidelines were created in tandem with key stakeholders who may be affected by multi-party vulnerabilities. I am proud that FIRST was able to bring these stakeholders together to work on this very important document.”

Almost 8,000 could be affected by federal emergency loan data breach

Small Business Administrator Jovita Carranza is flanked by Donald Trump and Secretary of Treasury Steve Mnuchin on April 2, 2020.

Almost 8,000 business owners who applied for a loan from the Small Business Administration may have had their personal information exposed to other applicants, the SBA admitted on Tuesday.

The breach relates to a long-standing SBA program called Economic Injury Disaster Loans (EIDL). It has traditionally been used to aid owners whose businesses are disrupted by hurricanes, tornadoes, or other disasters. It was recently expanded by Congress in the $2.2 trillion CARES Act. In addition to loans, the law authorized grants of up to $10,000 that don’t need to be paid back.

The EIDL program is separate from the larger Paycheck Protection Program that was also part of the CARES Act. The SBA says that PPP applicants were not affected by the breach.

A Trump administration official described the problem to CNBC:

The official said that in order to access other business owners’ information, small business applicants must have been in the loan application portal. If the user attempted to hit the page back button, he or she may have seen information that belonged to another business owner, not their own.

The SBA says it discovered the flaw on March 25 and notified affected users. One victim posted a copy last Friday of a paper letter she received about the breach. The letter stated that personally identifiable information—including Social Security numbers, addresses, dates of birth, and financial data—may have been exposed. The letter said that, as of last week, there was no sign yet of the data being misused.

The SBA says that it immediately disabled the portion of its website that was exposing applicant data, fixed the problem, and re-launched the website. Affected businesses have been offered a year of free credit monitoring.

Overwhelming demand

The SBA has struggled to deal with demand for EIDL loans. Before the coronavirus crisis, small businesses were supposed to be eligible for up to $2 million in disaster loans.

But with millions of firms seeking assistance, the SBA was forced to limit the loans to as little as $10,000. Despite the limits, the SBA website currently states that it is not accepting new applications due to a lack of funds.

As of April 19, SBA had approved almost 27,000 EIDL loans valued at $5.6 billion. Another 755,000 businesses received EIDL grants worth a total of $3.3 billion. The Trump administration official told CNBC that 4 million business owners had applied for assistance worth $383 billion—far more than the $17 billion allocated for the program.

The PPP has also seen overwhelming demand, with funding running out in a matter of days. A legislative compromise announced on Tuesday could replenish both programs, with the PPP getting another $320 billion and the EIDL getting $60 billion.