Tag Archive for: Makers

EU to Force IoT, Wireless Device Makers to Improve Security


The European Union is poised to place more demands on manufacturers to design greater security into their wireless and Internet of Things (IoT) devices.

In an amendment to the EU’s 2014 Radio Equipment Directive (RED), the European Commission noted that as wireless devices, from mobile phones to fitness trackers to smart watches, become increasingly embedded into everyday consumer and business life, they also become a greater security risk.

The goal of the amendment – called a “delegated act” – is to ensure that all wireless devices are safe before they are sold in the EU. Manufacturers will be required to adhere to the new cybersecurity safeguards when designing and producing these products. In addition, the amendment also will ensure greater privacy of personal data, prevent financial fraud, and improve resilience in European communications networks, according to EU officials.

“Cyberthreats evolve fast,” Thierry Breton, commissioner for the Internal Market, said in a statement. “They are increasingly complex and adaptable. With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyberthreats, in line with our digital ambitions in Europe.”

The U.S. has made some strides on IoT security at the federal level; it remains to be seen if the EU initiative will spur the U.S. to greater action or result in a general improvement in device security.

Common EU Security Standards

It’s also part of a larger EU effort to create a comprehensive set of common cybersecurity standards for products and services that come into the European market, Breton said.

That said, it will take a while for the market to see the results of the amendment, which was announced in late October. It will need the approval of the European Council and European Parliament and then undergo a two-month period of review and scrutiny. Once in place, manufacturers will have 30 months to begin meeting the new legal requirements, giving them until mid-2024 to bring the devices into compliance.

The amendment addresses the ongoing concern about security at a time when the use of wireless devices and the IoT…


Germany wants phone makers to offer 7 years of security updates


Your current phone might get security patches for several years to come, at least if Germany has its way. C’t reports the German federal government is pushing the European Union to require seven years of security updates and spare parts for smartphones as part of negotiations with the European Commission. That’s two years longer than a recent Commission proposal, and would effectively give phones a more computer-like support cycle.

Both proposals are unsurprisingly facing pushback from manufacturers. The industry advocacy group DigitalEurope (which counts Apple, Google and Samsung as some of its members) wants a requirement for just three years of security updates, and wants to limit spare parts to screens and batteries rather than cameras, speakers and other components that are supposedly more reliable.

DigitalEurope is effectively arguing for the status quo, in other words. While Apple typically delivers five years of regular feature and security updates, many Android vendors stop at three or fewer. Samsung only committed to four years of security fixes in 2021. Some of this has been dictated by Qualcomm’s update policy, but it’s clear the brands themselves are sometimes reluctant to change.

This extended support might become crucial. The EU’s proposal, potentially in effect by 2023, is meant to help the environment by letting you keep phones for longer. They’d stay protected and functional for roughly twice the 2.5 to 3.5 years you see today.

However, this could also be vital for bolstering mobile security as a whole. Just over 40 percent of Android users are running 9.0 Pie or earlier, according to StatCounter’s August 2021 usage share data — a large portion of mobile users have devices that either stopped receiving security updates or are close to losing them. Longer support periods could prevent attackers from targeting old phones that, at present, have been left permanently vulnerable to exploits patched in newer software.



Hackers target ‘Indian vaccine makers SII, Bharat Biotech’



NEW DELHI:

A Chinese state-backed hacking group has in recent weeks targeted the IT systems of two Indian vaccine makers whose coronavirus shots are being used in the country’s immunisation campaign, cyber intelligence firm Cyfirma told Reuters.

Rivals China and India have both sold or gifted Covid-19 shots to many countries. India produces more than 60% of all vaccines sold in the world. 

Goldman Sachs-backed Cyfirma, based in Singapore and Tokyo, said Chinese hacking group APT10, also known as Stone Panda, had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world’s largest vaccine maker. 

“The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies,” said Cyfirma Chief Executive Kumar Ritesh, formerly a top cyber official with British foreign intelligence agency MI6. 

He said APT10 was actively targeting SII, which is making the AstraZeneca vaccine for many countries and will soon start bulk-manufacturing Novavax shots. 

“In the case of Serum Institute, they have found a number of their public servers running weak web servers, these are vulnerable web servers,” Ritesh said, referring to the hackers. 

“They have spoken about weak web application, they are also talking about weak content-management system. It’s quite alarming.” 

China’s foreign ministry did not reply to a request for comment. 

SII and Bharat Biotech declined to comment. The office of the director-general of the state-run Indian Computer Emergency Response Team (CERT) said the matter had been handed to its operations director, S.S. Sarma. 

Sarma told Reuters CERT was a “legal agency and we can’t confirm this thing to media”. 

Cyfirma said in a statement it had informed CERT authorities and that they had acknowledged the threat. 

“They checked and they came back,” Cyfirma said. “Our technical analysis and evaluation verified the threats and attacks.” 

The U.S. Department of Justice said here in 2018 that APT10 had acted in association with the Chinese Ministry of State…


Facebook sues makers of malicious Chrome extensions for scraping data


Facebook has taken legal action against the makers of malicious Chrome extensions used for scraping user-profiles and other information from Facebook’s website and from users’ systems without authorization.

The two defendants developed and distributed the malicious browser extensions through the Chrome Web Store working under the “Oink and Stuff” business name.

“They misled users into installing the extensions with a privacy policy that claimed they did not collect any personal information,” Jessica Romero, Director of Platform Enforcement and Litigation, said.

“Four of their extensions — Web for Instagram plus DM, Blue Messenger, Emoji keyboard, and Green Messenger — were malicious and contained hidden computer code that functioned like spyware.”

The four extensions are still available for download in Google’s Chrome Web Store and they currently have more than 54,000 users.

Facebook systems not compromised

After being installed on the users’ computers, these Chrome extensions also installed malicious code in the background which allowed the defendants to scrape user data from Facebook’s site.

The malicious Chrome add-ons were also used to surreptitiously collect data unrelated to Facebook from the users’ web browsers.

While the users were browsing the Facebook website, the extensions automatically scraped account information including the victims’ name, user ID, gender, relationship status, and age group among others.

Malicious Chrome extensions

Romero added that the defendants did not compromise Facebook’s security systems during their malicious activity but, instead, they only used the extensions installed on users’ devices to scrape data.

“We are seeking a permanent injunction against defendants and demanding that they delete all Facebook data in their possession,” Romero concluded.

“This case is the result of our ongoing international efforts to detect and enforce against those who scrape Facebook users’ data, including those who use browser extensions to compromise people’s browsers.”

Legal action against platform abuse

This action is part of a long series of instances where Facebook took legal action against entities attempting to abuse the company’s platform and services.

For…
