A UK parliamentary committee has concluded there are no technical grounds for excluding Chinese network kit vendor Huawei from the country’s 5G networks.
In a letter from the chair of the Science & Technology Committee to the UK’s digital minister Jeremy Wright, the committee says: “We have found no evidence from our work to suggest that the complete exclusion of Huawei from the UK’s telecommunications networks would, from a technical point of view, constitute a proportionate response to the potential security threat posed by foreign suppliers.”
The committee does, however, go on to recommend that the government mandate the exclusion of Huawei from the core of 5G networks, noting that UK mobile network operators have “mostly” done so already — but only on a voluntary basis.
If it places a formal requirement on operators not to use Huawei for core supply, the committee urges the government to provide “clear criteria” for the exclusion so that it could be applied to other suppliers in future.
Reached for a response to the recommendations, a government spokesperson told us: “The security and resilience of the UK’s telecoms networks is of paramount importance. We have robust procedures in place to manage risks to national security and are committed to the highest possible security standards.”
The spokesperson for the Department for Digital, Media, Culture and Sport added: “The Telecoms Supply Chain Review will be announced in due course. We have been clear throughout the process that all network operators will need to comply with the Government’s decision.”
In recent years the US administration has been putting pressure on allies around the world to entirely exclude Huawei from 5G networks — claiming the Chinese company poses a national security risk.
Australia announced it was banning Huawei and another Chinese vendor ZTE from providing kit for its 5G networks …
But, you should never roll out a personal or business website without properly securing it first. Not only is dealing with the fallout from being hacked a headache, as the owner of the website, you are responsible for the content on its pages as well as the mechanisms that people will use to interact with it.
If you plan to store user information, such as passwords or phone numbers, then it is critical that you safeguard that data appropriately. How critical? You could be subject to data breach fines under certain legislation.
Here are the five most important steps that you need to take to secure your new website.
7/14/2019 10:00 am
In the early days of the World Wide Web, individuals and companies would obtain and maintain their own servers in a localized data center or office. The cloud computing movement radically shifted that model and the majority of websites are now hosted through a third-party provider.
Cloud computing reduces overhead costs and responsibilities for website owners, but it brings some security concerns along with it. Essentially, you have to trust an outside organization with the data on your website as well as with its overall stability and reliability.
If you choose the wrong cloud hosting provider, it could leave your website exposed to an array of different vulnerabilities. The provider could suffer a data breach or its entire data center could go down, in which case your website might lose critical information.
Not to scare you off of cloud computing, but it’s not risk-free.
If you plan to transmit any sensitive user data on your web servers, then a Secure Sockets Layer (SSL) certificate is a necessity. SSL is an encryption protocol that occurs at the browser level and …
Old bot, new tricks.
TrickBot, a financially motivated malware in wide circulation, has been observed infecting victims’ computers to steal email passwords and address books to spread malicious emails from their compromised email accounts.
The TrickBot malware was first spotted in 2016 but has since developed new capabilities and techniques to spread and invade computers in an effort to grab passwords and credentials — eventually with an eye on stealing money. It’s highly adaptable and modular, allowing its creators to add new components. In the past few months it was adapted for tax season to try to steal tax documents for making fraudulent returns. More recently the malware gained cookie-stealing capabilities, allowing attackers to log in as their victims without needing their passwords.
With these new spamming capabilities, the malware — which researchers are calling “TrickBooster” — sends malicious emails from a victim’s account, then removes the sent messages from both the outbox and the sent items folders to avoid detection.
Researchers at cybersecurity firm Deep Instinct, who found the servers running the malware spamming campaign, say they have evidence that the malware has collected more than 250 million email addresses to date. Aside from the massive amounts of Gmail, Yahoo and Hotmail accounts, the researchers say several U.S. government departments and other foreign governments — like the U.K. and Canada — had emails and credentials collected by the malware.
“Based on the organizations affected it makes a lot of sense to get as widely spread as possible and harvest as many emails as possible,” Guy Caspi, chief executive of Deep Instinct, told TechCrunch. “If I were to land on an end point in the U.S. State Department, I would try to spread as much as I can and collect any address or credential possible.”
If a victim’s computer is …
T-Mobile has reported a small decline in the number of government data requests it receives, according to its latest transparency report, quietly published this week.
The third-largest cell giant in the U.S. reported 459,989 requests during 2018, down by a little over 1% on the year earlier. That includes an overall drop in subpoenas, court orders and pen registers and trap and trace devices used to record the incoming and outgoing callers; however, the number of search warrants issued went up by 27% and wiretaps increased by almost 3%.
The company rejected 85,201 requests, an increase of 7% on the year prior.
But the number of requests for historical call detail records and cell site information, which can be used to infer a subscriber’s location, has risen significantly.
For 2018, the company received 70,224 demands for historical call data, up by more than 9% on the year earlier.
Historical cell site location data allows law enforcement to understand which cell towers carried a call, text message or data, and therefore where a subscriber was at any given time. Last year the U.S. Supreme Court ruled that this data was protected and required a warrant before a company is forced to turn it over. The so-called “Carpenter” decision was expected to result in a fall in the number of requests made because the bar to obtaining the records is far higher.
T-Mobile did not immediately respond to a request asking what caused the increase.
The cell giant also reported that the number of tower dumps went up from 4,855 requests in 2017 to 6,184 requests in 2018, an increase of 27%.
Tower dumps are particularly controversial because these include information for all subscribers whose calls, messages …
In a long-awaited decision, the Federal Elections Commission will now allow political campaigns to appoint cybersecurity helpers to protect political campaigns from cyberthreats and malicious attackers.
The FEC, which regulates political campaigns and contributions, was initially poised to block the effort under existing rules that disallow campaigns from receiving discounted services for federal candidates, because such a discount is treated as an “in kind donation.”
For now the ruling allows just one firm, Area 1 Security, which brought the case to the FEC, to assist federal campaigns to fight disinformation campaigns and hacking efforts, both of which were prevalent during the 2016 presidential election.
Campaigns had fought in favor of the proposal, fearing a re-run of 2016 in the upcoming presidential and lawmaker elections in 2020.
FBI director Christopher Wray said last April that the recent disinformation efforts were “a dress rehearsal for the big show in 2020.”
In an opinion published Thursday, the FEC said the rules would be relaxed because Area 1 “would offer these services in the ordinary course of business and on the same terms and conditions as offered to similarly situated non-political clients.” In other words, political campaigns are not given a special deal but are offered the same price as others on its lowest tier of service.
Several other companies, like Facebook and Google-owned Jigsaw, have already offered free services to campaigns to fight disinformation and foreign hacking efforts.
However, many political campaigns still are not taking basic security precautions, researchers found.
A spokesperson for Area 1 did not return a request for comment.
Here’s a thing that should have never been a thing: Bluetooth-connected hair straighteners.
Glamoriser, a U.K. firm that bills itself as the maker of the “world’s first Bluetooth hair straighteners,” allows users to link the device to an app, which lets the owner set certain heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range.
Big problem, though. These straighteners can be hacked.
Security researchers at Pen Test Partners bought a pair and tested them out. They found that it was easy to send malicious Bluetooth commands within range to remotely control an owner’s straighteners.
The researchers demonstrated that they could send one of several commands over Bluetooth, such as the upper and lower temperature limit of the device — 122°F and 455°F respectively — as well as the shut-down time. Because the straighteners have no authentication, an attacker can remotely alter and override the temperature of the straighteners and how long they stay on — up to a limit of 20 minutes.
“As there is no pairing or bonding established over [Bluetooth] when connecting a phone, anyone in range with the app can take control of the straighteners,” said Stuart Kennedy in his blog post, shared first with TechCrunch.
There is a caveat, said Kennedy. The straighteners only allow one concurrent connection. If the owner hasn’t connected their phone or they go out of range, only then can an attacker target the device.
Here at TechCrunch we’re all for setting things on fire “for journalism,” but in this case the numbers speak for themselves. If, per the researchers’ findings, the straighteners could be overridden to the maximum temperature of 455°F at the timeout of 20 minutes, that’s setting up a prime condition for a fire — or …
GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s always good practice for companies with an online presence to take measures to safeguard people’s data, but now failing to do so can land them in some serious hot water.
Now — to underscore the urgency and demand in the market — one of the bigger companies helping organizations navigate those rules is announcing a huge round of funding. OneTrust, which builds tools to help companies navigate data protection and privacy policies both internally and with its customers, has raised $200 million in a Series A led by Insight that values the company at $1.3 billion.
It’s an outsized round for a Series A, being made at an equally outsized valuation — especially considering that the company is only three years old — but that’s because of the wide-ranging nature of the issue, according to CEO Kabir Barday, and OneTrust’s early moves and subsequent pole position in tackling it.
“We’re talking about an operational overhaul in a company’s practices,” Barday said in an interview. “That requires the right technology and reach to be able to deliver that at a low cost.” Notably, he said that OneTrust wasn’t actually in search of funding — it’s already generating revenue and could have grown off its own balance sheet — although he noted that having the capitalization and backing sends a signal to the market and in particular to larger organizations of its stability and staying power.
Currently, OneTrust has around 3,000 customers across 100 countries (and 1,000 employees), and the plan will be to continue to expand its reach geographically and to more businesses. Funding will also go toward the company’s technology: it already has 50 patents …
Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.
Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.
The Walkie Talkie app on Apple Watch allows two users who have accepted an invite from each other to receive audio chats via a ‘push to talk’ interface reminiscent of the PTT buttons on older cell phones.
A statement from Apple reads:
We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.
Apple was alerted to the bug directly via its “report a vulnerability” portal and says that there is no current evidence that it was exploited in the wild.
The company is temporarily disabling the feature entirely until a fix can be made and rolled out to devices. The Walkie Talkie App will remain installed on devices, but will not function until it has been updated with the fix.
Earlier this year a bug was discovered in the group calling feature of FaceTime that allowed people to …
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.
The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.
Apple said the update does not require any user interaction and is deployed automatically.
The video conferencing giant took flak from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user interaction.
He also released a proof-of-concept page demonstrating the vulnerability.
Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself.
The update will now prompt users if they want to open the app, whereas before it would open automatically.
Apple often pushes silent signature updates to Macs to thwart known malware — similar to an anti-malware service — but it’s rare for Apple to take action publicly against a known or popular app. The company said it pushed the update to protect users from the risks posed by the exposed web server.
Zoom spokesperson Priscilla McCarthy told TechCrunch: “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience …
Visa and Andreessen Horowitz are betting even bigger on cryptocurrency, funding a big round for fellow Facebook Libra Association member Anchorage’s omnimetric blockchain security system. Instead of using passwords that can be stolen, Anchorage requires cryptocurrency withdrawals to be approved by a client’s other employees. Then the company uses both human and AI review of biometrics and more to validate transactions before they’re executed, while offering end-to-end insurance coverage.
This new-age approach to cryptocurrency protection has attracted a $40 million Series B for Anchorage led by Blockchain Capital and joined by Visa and Andreessen Horowitz. The round adds to Anchorage’s $17 million Series A that Andreessen led just six months ago, demonstrating extraordinary momentum for the security startup.
“As a custodian, our work is focused on building financial plumbing that other companies depend on for their operations to run smoothly. In this regard we have always looked at Visa as a model,” Anchorage co-founder and president Diogo Mónica tells me.
“Visa was ‘fintech’ before the term existed, and has always been on the vanguard of financial infrastructure. Visa’s investment in Anchorage is helpful not only to our company but to our industry, as a validation of the entire ecosystem and a recognition that crypto will play a key role in the future of global finance.”
Cold storage, where assets are held in computers not connected to the Internet, has become a popular method of securing Bitcoin, Ether and other tokens. But the problem is that this can prevent owners from participating in the governance of certain cryptocurrencies where votes are based on their holdings, or from earning dividends. Anchorage tells me it’s purposefully designed to permit this kind of participation, helping clients to get the most out of their assets, such as capturing returns from staking and inflation, or joining in on-chain …