The internet ‘wasn’t designed to be secure’: Gilbane CIO


Cybersecurity incidents are on the rise, and contractors need to be prepared.

Karen Higgins-Carter, the chief information and digital officer for Providence, Rhode Island-based Gilbane Building Co., brings a wealth of experience from previous roles protecting the banking and financial services industries from cyber criminals. She warns that the internet wasn’t originally built to be secure, and that the onus is on contractors to make sure they’re up to snuff on today’s security demands.

Here, Higgins-Carter spoke with Construction Dive about where the biggest threats come from, how Gilbane keeps its employees up to date and what the industry can do to protect itself.

Editor’s Note: This interview has been edited for brevity and clarity.

CONSTRUCTION DIVE: What’s the state of cybersecurity in the construction industry?

KAREN HIGGINS-CARTER: I’ll start with my view on cybersecurity in general. I think it’s important to understand two things. First, the internet was not designed to be secure. It was designed to be open. Second, we are going to continue to see a volume of attacks coming from countries that are effectively safe harbor for this type of activity.

Because of that environment, we’re seeing the regulatory response, SEC disclosure requirements being first and foremost, which were implemented in December.

What I find is the need to adjust and connect with our people based upon their current level of awareness. There’s a predictable cycle of bringing our people from a position of not really being aware of the threats to feeling invested in protecting the company and being on board with that mission.

How do you get everyone to an optimal level of comfort with cybersecurity when their experiences differ?

One of the things that we have implemented in building, in terms of our innovation practices, is responsible innovation: that it’s important to take risks in order to grow.

There is no risk-free path to achieving your strategic objectives.

Where that’s important in innovation is understanding, how does this innovation support our…

Nothing’s iMessage app wasn’t its only security lapse (Update: Statement)


TL;DR

  • Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly allowing them to be decrypted using the same decryption keys.
  • The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
  • Nothing claims it is currently working to resolve the issues.

Update, December 4, 2023 (12:45 PM ET): Nothing has now provided a comment to Android Authority about the issues. A spokesperson for the company states:

CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report

Original article, December 4, 2023 (3:29 AM ET): Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.

Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly allowed that data to be decrypted with the same decryption keys, defeating the purpose of the encryption.

Nothing/Jingxun fixed this vulnerability, but, curiously, only for the password. You could still allegedly decrypt the email address that is used as the username.

The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of the same in August, but it hasn’t been fixed…

Ransomwared health insurer wasn’t using anti-virus software • The Register


A recent ransomware attack on the Philippine Health Insurance Corporation (PhilHealth) occurred while the organization’s antivirus software subscription had expired.

PhilHealth was attacked around September 22 and shut down many of its systems to battle an infection for which the Medusa ransomware gang claimed responsibility.

The incident saw a huge leak of personal information. PhilHealth was also slow to restore service, delaying medical matters for many.

Filipinos are justifiably outraged that their national health insurer was attacked and disrupted.

But they can express stronger emotions still – because on Monday local media outlet GMA’s 24 Oras program reported the attack took place while PhilHealth was not running antivirus software. The insurer’s license had apparently lapsed several months before, but government procurement regulations made it impossible to renew.

It’s not unusual for government agencies in developing nations to use unlicensed software, as commercial licenses are often priced beyond their means. In 2021, for example, The Register covered an outage at Pakistan’s Federal Board of Revenue that it swore could not have been caused by unpaid licenses because it had caught up on its bills. Your correspondent also once spoke to a major vendor of design software that had 500 people show up to a conference in India – a nation in which it had sold no licenses and in which users felt they could pirate with impunity.

Whatever the reason for PhilHealth’s security fail, its repercussions are serious: personal information has reached the dark web.

The insurer on Sunday posted a press release warning customers to ignore unexpected calls, messages, and emails asking for passwords and other information.

The insurer also “appealed to refrain from further circulating leaked data as it has dire consequences under the law,” including up to 20 years in jail.

As if that will scare ransomware and phishing scum.

PhilHealth is presently using antivirus software – reportedly a trial license that expires in 30 days. ®

Facebook says the leak of 533 million users’ data online wasn’t a hack


  • Insider reported last week that data for 533 million Facebook users was posted on a hacking forum.
  • Facebook on Tuesday said the data was “scraped” sometime before September 2019.
  • Its explanation for what happened doesn’t quite make sense.

Facebook wants you to know that the leak of 533 million users’ data on an online hacking forum wasn’t a hack – or at least not a new one.

Insider reported on Saturday that 533 million Facebook users’ personal details, including names, email addresses, and phone numbers, had been posted to a low-level hacking forum.

Facebook published a blog post on Tuesday explaining why it had not disclosed the apparent breach.

Facebook said the data had not been obtained by hacking into its systems. Instead, it said it had been scraped off the platform at some point before September 2019.

“Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this,” the Facebook product-management director Mike Clark wrote in the blog post.

Clark said the method used to obtain the data exploited a vulnerability in Facebook’s contact importer, a tool that allows users to find the Facebook profiles of people using phone numbers. Facebook says that it fixed that particular vulnerability in August 2019 and that it was previously reported on.

This would mean it was not a new breach and the company therefore wasn’t obliged to notify anyone about it.

As reported by Wired’s Lily Hay Newman, however, Facebook’s timeline doesn’t quite make sense.

Facebook’s post links to a September 2019 CNET article as an example of previous reporting on the data leak. CNET’s article refers back to a September 2019 article from TechCrunch, which details a server containing the data of 419 million Facebook users being exposed online.

A Facebook representative told TechCrunch in 2019: “This data set is old and appears to have…
