Tag Archive for: answer

BharOS, India’s answer to Android, may not be as ‘secure’ or competent as you think


A cosmetic clone

BharOS, however, appears to be nothing more than a simple ‘find and replace’ job where strings originally referring to ‘GrapheneOS’ have been collectively replaced with ‘BharOS’ instead, raising questions about the intent, integrity, and competency of the team involved with its development. Claiming technology developed by open source contributors as part of what was painted as an ‘Atmanirbhar’ effort is disingenuous. It invisibilises the labour and intellectual property of open source contributors.

The BharOS project might also be in violation of the open source software licence with which GrapheneOS is shipped. While the GrapheneOS licence does permit use, modification, and redistribution of the source code, it also requires that the licence be further included in any modified distribution of the source code. The same software licence was, however, conveniently omitted from the BharOS repository.

The claims surrounding the security and privacy features of such a project should also be taken with a grain of salt. This is primarily because of a fundamental security weakness that is introduced when existing open source software projects are forked. Vulnerabilities uncovered in the upstream (parent project) source tree become harder to patch in the downstream (child project) source tree, because the code of the two projects diverges over time.

This essentially means that any security updates released for GrapheneOS might not result in simultaneous security updates being released for BharOS, if at all.

These concerns highlight the importance of transparency, ethical conduct, and respect for the contributions of others in the realm of open source technology development and innovation.

Technological mysticism

Professor V Kamakoti, director of IIT-M and a long-time proponent of BharOS, said at a press conference that BharOS would “revolutionise the way users think about security and privacy on their mobile devices”. The Press Information Bureau, reporting from the same press conference, wrote that BharOS was already “being provided to organisations [with] stringent privacy and security requirements”.

Apart from his association with BharOS, Kamakoti is also a member of…

Source…

Hackney Council could be forced to answer questions about IT security training after Pysa ransomware


A council hit by a cyber attack could be forced to answer questions about the IT and security training it gave staff when they were forced to work from home because of the pandemic.

Cyber criminals struck Hackney Council in October 2020, with Pysa, or Mespinoza, ransomware paralysing some of its online services.

Four months later, employees’ and residents’ data was allegedly published on the dark web by hackers who claimed it came from the attack on the London council’s IT systems.

The council said the attack affected “a limited set of data, it has not been published on a widely available public forum, and is not available through search engines on the internet”.

The National Crime Agency is still investigating the attack, as is the National Cyber Security Centre.

Missing data

The attack has cost the council millions of pounds and it is still missing data across many services.

It said the most critical services affected were Mosaic for social care, Academy for benefits and revenues, and M3 for planning and land charges, as well as the delivery of modern digital tools in housing.

Other local authorities have been targeted by hackers. Gloucester Council became the latest victim when it was attacked for the second time in December; hackers hit services including revenue and benefits, and planning.

Salisbury, Copeland and Islington councils were also affected by cyber attacks over the 2017 August bank holiday, when hackers unsuccessfully asked for a bitcoin ransom in return for data.

The attack on Hackney affected benefits data. Some people were unable to perform property searches, which affected some house sales in the east London borough.

Information commissioner to take action

The council now faces action from the information commissioner after refusing to say whether it gave council staff security training when they were required to work from home during the pandemic.

Liberal Democrat campaigner Darren Martin submitted a Freedom of Information request to ask the council what IT security training was given to staff in the two years leading up to the cyber attack.

“If it turns out that the attack that has left our vital services crippled in the borough since 2020…

Source…

Cybersecurity experts struggle to answer lawmakers’ questions on Log4J hacking


Cybersecurity experts struggled Tuesday to answer lawmakers’ basic questions about the danger of a flaw in the open-source logging platform Apache Log4J that could plague computer network defenders for years to come.

The vulnerability was discovered in December, and the software’s widespread use led the FBI to tell victims in the immediate aftermath that it may not respond to them because of how large the pool of potential victims had grown.

After nearly two more months since its revelation, cybersecurity professionals said they were unable to answer senators’ questions about how the vulnerability may have been weaponized for years without detection, and about the full picture of who was at risk.

Potential victims reside in a range of industries including electric power, water, transportation, food, and manufacturing, according to the cybersecurity firm Dragos.

Source…

Virgin Media just won’t take no for an answer, NFT apes, and bad optics


Smashing Security podcast #256: Virgin Media just won't take no for an answer, NFT apes, and bad optics

After a brief discussion of the Log4Shell vulnerability panic, we discuss how Virgin Media has got itself into hot water, a fat-fingered fumble at the Bored Ape Yacht Club, and how to hack around your girlfriend’s facial recognition.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Guest:

Mark Stockley – @markstockley

Show notes:

Sponsor: 1Password

The first annual 1Password “State of Access” benchmark study illuminates the grave dangers unwittingly posed by checked-out, apathetic employees — including security professionals.

Burned-out employees are 3 times more likely to say security rules and policies “aren’t worth the hassle,” and nearly half of burned-out security professionals say it’s unrealistic for companies to be aware of and manage all apps and devices that employees use.

Read the report and find out what you can do at 1password.com/resources

Sponsor: Uptycs

Uptycs is a cloud-native security analytics platform built to protect the modern attack surface.

Uptycs zeros in on the blind spots that are preventing you from rapidly identifying and responding to existing threats and vulnerabilities in your ecosystem.

Uptycs normalizes telemetry from across macOS, Linux, Windows, and containers; records system activity for historical investigation even when no alert has fired; and enables you to build complex custom detections in addition to its industry-leading MITRE ATT&CK mapping.

Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform.

Find out more and try it for free at uptycs.com

Follow the show:

Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Source…