Healthcare data breach in Singapore affected 1.5M patients, targeted the prime minister

In what’s believed to be the biggest data breach in Singapore’s history, 1.5 million members of the country’s largest healthcare group have had their personal data compromised. The breach affected SingHealth, Singapore’s biggest network of healthcare facilities. Data obtained in the breach includes names, addresses, gender, race, date of birth and patients’ national identification numbers. Around 160,000 of the 1.5 million patients also had their outpatient medical information accessed by unauthorized individuals. All patients affected by the hack had visited SingHealth clinics between May 1, 2015 and July 4, 2018, Singapore newspaper The Straits Times reports. “Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System confirmed that this was a deliberate, targeted and well-planned cyberattack,” a press release from Singapore’s Ministry of Health stated. “It was not the work of casual hackers or criminal gangs.” The hackers appear to have accessed

Surprise! Top sites still fail at encouraging non-terrible passwords

You would think that Amazon, Reddit, Wikipedia and other highly popular websites would by now tell you that “password1” or “hunter2” is a terrible password — just terrible. But they don’t. A research project that has kept tabs on the top sites and their password habits for the last 11 years shows that most provide only rudimentary password restrictions and do little to help users. Steven Furnell, of the University of Plymouth, first did a survey of websites’ password practices in 2007, repeating the process in 2011 and 2014 — and then once more this week. His conclusions?
It is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007. In the intervening years, much has been written about the failings of passwords and the ways in which we use them, yet little is done to encourage or oblige us to follow the

UK government panel issues inconclusive Huawei security report

Huawei’s had a rough go of it here in the States, after concerns around ties to the Chinese government have left the company scrambling to gain a commercial toehold. Over the past several years, top U.K. security officials have also put the company under the microscope over potential security concerns. 

A new report issued by a government panel with the straightforward name “Huawei Cyber Security Evaluation Centre” this week presents some fairly inconclusive findings.

“Identification of shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management,” the report notes, early on. “The Oversight Board can provide only limited assurance that any risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.”

Sure, it’s not as damning as the time the FBI, CIA and NSA issued a bold proclamation against buying


A vacuum vulnerability could mean your Roomba knockoff is hoovering up surveillance

Yet again we are reminded that the mild conveniences of the smart home are all well and good, right up until someone decides to turn one of those wifi-connected things you invited in against you. But you probably didn’t think it was going to be the vacuum, did you? Two researchers with enterprise security company Positive Technologies discovered vulnerabilities affecting the Dongguan Diqee 360 line of robotic vacuum cleaners and have shared details of the security flaw. The vacuum cleaners, manufactured by Chinese smart home manufacturer Diqee, are equipped with wifi and a 360-degree camera for a mode known as “dynamic monitoring” that turns the machine into a home surveillance device. The camera is probably what you need to be worried about. The remote code execution vulnerability, known as CVE-2018-10987, can give an attacker who obtains the device’s MAC address system admin privileges. According to the report, the vulnerability

Cloudflare recruits state and local governments for free election site security program

After launching a free program to protect election systems last December, Cloudflare has an update on how things are going. The program, known as the Athenian Project, provides Cloudflare’s services for free to state and local government websites that administer elections, host voter registration or verification data or report election results. Those services include the DDoS protection the company is best known for but also its Web Application Firewall service, IP reputation database and the ability to cut off web traffic from a particular country or IP address. Cloudflare is also offering how-to videos and other documentation to explain its protections to potential clients. “In November, every state and district in the country will hold congressional elections. Election officials — and all of us — want to make sure that voter information remains secure and that websites stay online as voters seek out information on polling places and voting

PureSec exits Beta to secure serverless code

PureSec, a startup out of Israel, emerged from Beta today to provide a way to make serverless computing more secure. Serverless computing reduces programming to writing functions, so that when a certain event happens, it triggers an automated action. The cloud vendor takes care of the underlying infrastructure and developers just write the code. It may sound like Shangri-La for tech, but in reality there are still security concerns. You might think that a process that lasts only milliseconds wouldn’t be subject to conventional kinds of attacks, but the fact is serverless functions are designed to take human checks and balances out of the equation, says company co-founder Ory Segal, and if you don’t set up the functions correctly you could be vulnerable. As with any type of cloud security, there is a shared security model with serverless computing. On the vendor side, they ensure their data centers

Okta nabs ScaleFT to build out ‘Zero Trust’ security framework

Okta, the cloud identity management company, announced today it has purchased a startup called ScaleFT to bring the Zero Trust concept to the Okta platform. Terms of the deal were not disclosed. While Zero Trust isn’t exactly new to a cloud identity management company like Okta, acquiring ScaleFT gives them a solid cloud-based Zero Trust foundation on which to continue to develop the concept internally. “To help our customers increase security while also meeting the demands of the modern workforce, we’re acquiring ScaleFT to further our contextual access management vision — and ensure the right people get access to the right resources for the shortest amount of time,” Okta co-founder and COO Frederic Kerrest said in a statement. Zero Trust is a security framework that acknowledges work no longer happens behind the friendly confines of a firewall. In the old days before mobile and cloud, you could be pretty

Instagram is building non-SMS 2-factor auth to thwart SIM hackers

Hackers can steal your phone number by reassigning it to a different SIM card, use it to reset your passwords, steal your Instagram and other accounts, and sell them for Bitcoin. As detailed in a harrowing Motherboard article today, Instagram accounts are especially vulnerable because the app only offers two-factor authentication through SMS, which delivers a password reset or login code via text message. But now Instagram has confirmed to TechCrunch that it’s building a non-SMS two-factor authentication system that works with authenticator apps like Google Authenticator or Duo. These generate a special code that you need to log in, and that code can’t be generated on a different phone if your number is ported to a hacker’s SIM card. Buried in the Instagram Android app’s APK code is a prototype of the upgraded 2FA feature, discovered by frequent TechCrunch tipster Jane Manchun Wong. Her work has led to confirmed TechCrunch scoops on

Putin proposes a joint cybersecurity group with the US to investigate Russian election meddling

Over the course of Monday’s controversial Helsinki summit, Russian President Vladimir Putin pushed an agenda that would ostensibly see the U.S. and Russia working side by side as allies. The two countries make stranger bedfellows than ever as just days prior, Trump’s own Department of Justice indicted 12 Russian intelligence officials for the infamous 2016 Democratic National Committee hack. Nonetheless, the Russian president revived talks of a joint group between the U.S. and Russia dedicated to cybersecurity matters. For anyone with the security interests of the U.S. at heart, such a proposal, which Trump endorsed in a tweet one year ago, would truly be a worst-case scenario outcome of the puzzlingly cozy relationship between the two world leaders. “Once again, President Trump mentioned the issue of the so-called interference of Russia [during] the American elections and I had to reiterate things I said several times…,” Putin said

3D printed guns are now legal… What’s next?

On Tuesday, July 10, the DOJ announced a landmark settlement with Austin-based Defense Distributed, a controversial startup led by a young, charismatic anarchist whom Wired once named one of the 15 most dangerous people in the world. Hyper-loquacious and media-savvy, Cody Wilson is fond of telling any reporter who’ll listen that Defense Distributed’s main product, a gun fabricator called the Ghost Gunner, represents the endgame for gun control, not just in the US but everywhere in the world. With nothing but the Ghost Gunner, an internet connection, and some raw materials, anyone, anywhere

Landmark California privacy bill heads to Governor’s desk

A data privacy bill in California is just a signature away from becoming law over the strenuous objections of many tech companies that rely on surreptitious data collection for their livelihood. The California Consumer Privacy Act of 2018 has passed through the state legislative organs and will now head to the desk of Governor Jerry Brown to be enacted. The law puts in place a variety of powerful protections against consumers having their data collected and sold without their knowledge. You can read the full bill here, but the basic improvements are as follows:
  • Businesses must disclose what information they collect, for what business purpose they do so, and any third parties they share that data with.
  • Businesses would be required to comply with official consumer requests to delete that data.
  • Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or

JASK nets $25m from Kleiner to build out autonomous security operations

Cyberthreats are on the rise everywhere. Companies are facing a barrage of attacks from hackers near and far, and their security operations centers are struggling to keep up. They can no longer rely on manual processes to respond to automated attacks, forcing security chiefs to consider new approaches to automating their defenses. That’s where JASK comes in. The startup offers an autonomous security operations platform to respond to this new security environment, and it’s a mission that is finding resonance among investors. After raising a $12 million Series A round led by Dell Technologies Capital last year, the company has now received a $25 million Series B from Ted Schlein of Kleiner Perkins, bringing the company’s total funding to $39 million including its seed. Schlein will join the board of directors. Schlein is a distinguished security investor, having invested in such noted security exits as Mandiant, LifeLock, and CarbonBlack. He

Yet another massive Facebook fail: Quiz app leaked data on ~120M users for years

Facebook knows the historical app audit it’s conducting in the wake of the Cambridge Analytica data misuse scandal is going to result in a tsunami of skeletons tumbling out of its closet. It’s already suspended around 200 apps as a result of the audit — which remains ongoing, with no formal timeline announced for when the process (and any associated investigations that flow from it) will be concluded. CEO Mark Zuckerberg announced the audit on March 21, writing then that the company would “investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity”. But you do have to question how much the audit exercise is, first and foremost, intended to function as PR damage limitation for Facebook’s brand — given the company’s relaxed

ProtonMail suffers DDoS attack that takes its email service down for minutes

It’s been an unexpectedly slack day for digital comms services. It’s not just workplace IM tool Slack suffering outages but end-to-end encrypted email service ProtonMail too. In the latter case, the company has blamed several hours’ worth of sporadic outages on a major DDoS attack.

In a statement on Reddit the company says the attack is “unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis” — which in turn meant its upstream DDoS protection service (Radware) needed more time than usual to mitigate the attack. The longest outage has been “on the order of 10 minutes”, according to ProtonMail. Back in 2015 the then fledgling startup 


Social SafeGuard scores $11M to sell alerts for brand-damaging fakes

Social SafeGuard, a 2014-founded U.S. startup which sells security services to enterprises aimed at mitigating a range of digital risks that lie outside the corporate firewall, has closed an $11 million Series B funding round, from AllegisCyber and NightDragon Security. It’s hoping to ride the surge in awareness around social media fakery — putting the new funding towards sales and marketing, plus some product dev. “As one of the few dedicated cybersecurity venture firms, we know how big this challenge has become for today’s security executives,” said Spencer Tall, MD of AllegisCyber, in a supporting statement. Tall is joining the Social SafeGuard board. “This is no longer a fringe need that can be ignored or deferred. Digital risk protection should be on the shortlist of corporate security priorities for the next decade,” he adds. Social SafeGuard’s SaaS platform is designed to alert customers to risks that might cause

Balbix raises $20M for a predictive approach to enterprise cybersecurity

Security breaches are a disaster for corporate companies, but good news if you’re someone who offers preventative solutions. Today in 2018, wide-ranging attacks on the likes of Equifax, Sony Pictures and Target have only added value to those charged with safeguarding companies. Balbix, one such solutions provider, has pulled in a $20 million Series B to grow its business and try to prevent high-profile cybersecurity disasters using a predictive model of measuring and assessing threats. The round is led by Singtel Innov8, the corporate fund of Singapore telco Singtel which owns Trustwave and is active in the security space, and Mubadala Ventures, the Abu Dhabi firm that’s well known for backing SoftBank’s $100 billion Vision Fund. Existing Balbix investor Mayfield Fund also took part alongside angels including ex-Cisco CEO John Chambers, former Cisco EVP Pankaj Patel and entrepreneurs BV Jagadeesh and Gary Gauba. Balbix raised $8.6 million a year ago when it came out of stealth

Twitter puts a tighter squeeze on spambots

Twitter has announced a range of actions intended to bolster efforts to fight spam and “malicious automation” (aka bad bots) on its platform — including increased security measures around account verification and sign-up; running a historical audit to catch spammers who signed up when its systems were more lax; and taking a more proactive approach to identifying spam activity to reduce its ability to make an impact. It says the new steps build on previously announced measures to fight abuse and trolls, and new policies on hateful conduct and violent extremism. The company has also recently been publicly seeking new technology and staff to fight spam and abuse. All of which is attempting to turn around Twitter’s reputation for being awful at tackling abuse. “Our focus is increasingly on proactively identifying problematic accounts and behavior rather than waiting until we receive a report,” Twitter’s Yoel Roth and Del Harvey write in the latest

Ping Identity acquires stealthy API security startup Elastic Beam

At the Identiverse conference in Boston today, Ping Identity announced that it has acquired Elastic Beam, a pre-Series A startup that uses artificial intelligence to monitor APIs and help understand when they have been compromised. Ping also announced a new product, PingIntelligence for APIs, based on the Elastic Beam technology. They did not disclose the sale price. The product itself is a pretty nifty piece of technology. It automatically detects all the API IP addresses and URLs running inside a customer. It then uses artificial intelligence to search for anomalous behavior and report back when it finds it (or it can automatically shut down access depending on how it’s configured). “APIs are defined either in the API gateway because that facilitates creation or implemented on an application server like node.js. We created a platform that could bring a level of protection to both,” company founder Bernard Harguindeguy told

Fraud detection startup CashShield secures $20M Series B led by Temasek and GGV

Online fraud detection startup CashShield, whose clients include Alibaba and Razer, announced today that it has raised a $20 million Series B led by Temasek Holdings and returning investor GGV Capital. Participants also included Nest co-founder Tony Fadell, another returning investor, Wavemaker Partners and Tao Zhang. CashShield says it has now raised a total of $25.5 million, including a Series A announced last September. Founded in 2008 and headquartered in Singapore, CashShield also has offices in Europe, China and the United States, where it launched last year and now counts Yamibuy and Scalefast among its users. CashShield claims its technology currently secures about 10 million user accounts and $500 million GMV in transactions each month. The startup says personal account data is much more valuable than credit card information, because it can sell for 60 times more. Some of the Series B will be spent on research and