Cybersecurity Archives ✔️ News For Finance

After months of build-up, everyone was expecting Apple’s iOS 14.5’s much-hyped privacy feature to arrive with a bang. Quite rightly, privacy advocates believed iOS 14.5’s App Tracking Transparency (ATT) would shake up internet advertising for the better. 

But so far, Apple’s new iPhone privacy feature has not worked as it was billed. Among the issues, many Apple users are complaining about a lack of “Ask to Track” prompts since upgrading to iOS 14.5. Some people haven’t seen any at all, while others have seen heavily customised prompts—not the uniform iOS prompts seen in Apple’s marketing—many of which do not ask specifically to track iPhone users. 

“The reality is that App Tracking Transparency in iOS 14.5 is a mess,” says Johnny Lin, a former Apple engineer and co-founder of tracker-blocking app Lockdown Privacy. “It’s possible it could sort itself out in the long run, but right now, it’s inconsistent, with low compliance rates, confusing since it doesn’t work the same way as other permissions, and easy to get around.”

It’s certainly disappointing for many iPhone users, who had expected transparency about which apps were tracking them once upgrading to iOS 14.5. Others just wanted to try out the new privacy feature when it launched. So, what’s happening?

Reason 1: Check Your Settings in iOS 14.5

Some people won’t be receiving any Ask to Track notices because they have already disallowed collection of the identifier for advertisers (IDFA) in their settings. This will have carried over to iOS 14.5.

The setting can be found in Settings > Privacy > Tracking.

If you have already toggled it to off, apps have already been sent the message not to collect the IDFA and this carries over to iOS 14.5. You can turn on Allow Apps to Request to Track, but if apps have already been given the instruction not to track, they won’t ask again. In other words, you may need to wait for new apps to ask.

However, according to 9to5Mac, some users are complaining that the toggle switch is grayed out to stop apps from requesting to track. There could be a reason for this: for example, those under 18 will find they are unable to turn on tracking (which is a good thing). It is also grayed out if your Apple ID is managed by an educational institution or uses a configuration profile that limits tracking, or if your Apple ID was created in the last three days.

The other explanation is that the grayed-out button is a bug in iOS 14.5 that needs fixing.

Reason 2: The developer’s app isn’t ready for ATT yet

Despite Apple’s PR machine indicating ATT would emerge suddenly and dramatically upon updating to iOS 14.5, in reality, it will take time for app developers to adjust. Facebook said in a statement to CNET that ATT would be rolling out over the coming weeks.

So other apps may also be slow to get their ATT alerts out, but rest assured: just because the ATT pop-up isn’t appearing, it doesn’t mean apps can track you in iOS 14.5. Apple has indicated that app makers who don’t ask will not be given access to the IDFA. Instead of the unique IDFA code that identifies you, the app developer will receive a string of zeros.

Developers need to use the AppTrackingTransparency framework to request permission to track the user. “If called properly, the framework displays a system prompt on behalf of the app,” says security researcher Tommy Mysk. “Without receiving permission from the user, the value of the advertising identifier, or IDFA, will be all zeros.”

He says none of the apps he tested triggered the system prompt to be displayed: “Even though we could clearly see the IDFA value in their network traffic, it was all zeros. This is consistent with Apple’s documentation.”
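As an added illustration of the mechanism Mysk describes (this is example code written for this page, not code from the article, from Apple, or from any app mentioned above), the snippet below shows the two calls an iOS 14.5 app makes: `ATTrackingManager.requestTrackingAuthorization`, which triggers the native prompt only while the status is still undetermined, and `ASIdentifierManager.shared().advertisingIdentifier`, which comes back as all zeros unless the user tapped Allow. The function names `requestTrackingAndReadIDFA` and `isZeroedIDFA` are hypothetical; the framework and Info.plist key are real.

```swift
import AppTrackingTransparency
import AdSupport

// Hypothetical helper (not from the article): ask for tracking permission,
// then read the advertising identifier. The system prompt is only shown if
// Info.plist contains NSUserTrackingUsageDescription; without that key the
// request silently fails and no dialog ever appears.
func requestTrackingAndReadIDFA(completion: @escaping (ATTrackingManager.AuthorizationStatus, String) -> Void) {
    ATTrackingManager.requestTrackingAuthorization { status in
        // The dialog appears only when the status was .notDetermined. If the
        // user has switched off "Allow Apps to Request to Track" in Settings,
        // the status arrives as .denied with no dialog; .restricted covers
        // accounts for which the setting is unavailable (assumption based on
        // Apple's documented status values, not on the article).
        let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        completion(status, idfa)
    }
}

// The check the researchers effectively made on network traffic: an IDFA of
// all zeros means the app never received tracking authorization.
func isZeroedIDFA(_ idfa: String) -> Bool {
    return idfa == "00000000-0000-0000-0000-000000000000"
}

// Usage from an app: anything other than .authorized yields the zeroed value.
requestTrackingAndReadIDFA { status, idfa in
    if status == .authorized {
        print("user allowed tracking, IDFA: \(idfa)")
    } else {
        assert(isZeroedIDFA(idfa))
        print("no permission (\(status.rawValue)); IDFA is zeroed")
    }
}
```

The completion handler is not guaranteed to run on the main thread, so any UI update based on the result should be dispatched back to the main queue. Note also what the example does not cover: it says nothing about IP addresses or tracker-generated identifiers, which is exactly the gap Lin describes below.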

As for the heavily customised prompts that are clearly not the uniform iOS permission (see picture below), these shouldn’t be used to allow tracking. They are allowed by Apple as a pop-up before the native iOS prompt comes up, not instead of it.

This is how it should work: When you say yes to tracking, the app will appear in your privacy settings, where you can turn it off. Watch the video demo included in this article to see how it works. 

But the real issue is that third party tracking goes beyond just the IDFA. Apple says it is “not considered tracking when the app developer combines information about you or your device for targeted advertising or advertising measurement purposes if the developer is doing so solely on your device and not sending information off your device in a way that identifies you.”

In addition, the app is allowed to share information with data brokers if this is used for fraud detection or prevention or security. 

However, iPhone developers are not allowed to use fingerprinting methods—another way of uniquely identifying you—to track people, according to Apple’s developer documentation.

Mysk explained in a tweet how he found the IDFA blocking process is working, and apps only gain access to the IDFA if they are using the iOS native prompt. However, it did not stop the app from collecting other data.

“There are many other ways apps can and do third-party tracking of users without the IDFA,” says Lin. “At a very basic level, apps always have access to the user’s IP address, so the IDFA is not really needed to uniquely identify someone—it’s more like a ‘nice to have’. Another example is that third-party trackers can just generate their own unique identifier for each user to track them.”

So why are these non-native prompts appearing? One possibility is that many apps are doing this as a pre-prompt or primer before they show the user the iOS native prompt, in order to increase initial opt-in rates, says Lin.

This is because once the user denies tracking, it’s hard to get them to go to the Settings app to change it back, Lin says. “This same UX pattern, while confusing, has been used for some time for other permission requests like push notifications—a game might have its own explainer prompt for why it wants to enable push notifications before presenting the native iOS prompt.”

Lin says however that the simplest explanation is that these are bugs in the apps, and developers are messing up because it’s their first time implementing ATT. Another possibility, he says, is that it’s an iOS bug (like the grayed out button).

“It’s also possible that some apps are trying to comply with ATT, but can’t figure out how their third-party tracker usage ‘fits in’ with Apple’s ATT rules—for example, if they don’t use IDFA at all, but they do other third-party tracking, so they create their own dialog in the hope of passing App Review’s scrutiny.”

Confusingly, Lin tells me ATT doesn’t work the same way as other permissions. “Other permissions are very cut-and-dry: if you disable Camera access, the app does not have access to your camera, period. However, if you disable access to “Allow Apps to Request To Track”, the app can definitely still track you with third-party trackers; it’s just that if the app wanted to be honest (by their own choice), they could show the Request to Track dialog and respect it. 

“iOS 14.5 supposedly does cut off IDFA for apps that don’t show the dialog, but that isn’t needed to do third-party tracking, and the setting isn’t ‘Allow Apps to Use IDFA’; the setting is ‘Allow Apps to Request To Track’.”

Reason 3: App developers are trying to get around the iOS 14.5 privacy changes

App developers are allowed to customize the text inside the iOS 14.5 pop-up, but they need to use the native iOS prompt and can only change the central text. This text needs to offer the user the information they need to decide whether to allow tracking or not without, for example, threatening to take away functionality or offering monetary incentives.

No doubt at first, some developers will push this, but hopefully they will be weeded out during Apple’s review process. Apple has said it will police ATT in iOS 14.5, so let’s hope it keeps its word and the big privacy change will make the difference we were all expecting. 

However, Lin says his app Lockdown, which shows who is tracking you on your iPhone, has been monitoring to see the compliance rate of apps with ATT. “As far as I can tell, it’s very low.” For example, he says, opening one food and drink app resulted in Lockdown Privacy blocking 49 third-party tracking attempts, including Facebook trackers. “Even with Allow Apps to Ask To Track enabled, there is no prompt to ask for tracking, and the app doesn’t even show up in the list.”

At the same time, says Lin, Apple isn’t retroactively removing apps that do third-party tracking. “So, even if an app, in the worst case, is being egregious about selling user data to third parties without any consent, as long as they don’t submit a new version, they can keep doing this as long as they want.”

Apple’s explanation

Apple has further explained ATT in a support document. The document explains how iOS app developers can customize part of the message to explain why the app is asking to track your activity. You can also visit the app’s product page in the App Store for more details about how the app developer uses your data.

But Apple states: “If you choose Ask App Not to Track, the app developer can’t access the system advertising identifier (IDFA), which is often used to track. The app is also not permitted to track your activity using other information that identifies you or your device, like your email address.”

I asked Apple for a comment on this story and will update it if the iPhone maker responds.

Cybersecurity startup Darktrace, one of the U.K.’s most promising tech companies, has started trading on the London Stock Exchange, valuing the business at $2.3 billion (£1.7 billion). The company said Friday morning that it had raised $200 million as a result of the initial public offering (IPO).

Trading began at 8am London time under the ticker “DARK” and has had an auspicious opening, with shares trading up from 250p per share to 350p on opening. That would give it a market cap of $3.3 billion.

It’s an exciting start for the cybersecurity company, which had been dogged by the continuing allegations of fraud facing one of its key investors, Mike Lynch, who helped launch the company back in 2013. Lynch is facing extradition to the U.S. where he faces criminal charges relating to HP’s $11 billion acquisition of his old company Autonomy. Lynch has denied all wrongdoing. Reports had also raised issues around Darktrace’s hard-driving sales culture, whilst Forbes had previously reported on the abiding influence of Lynch and another former Darktrace director, Sushovan Hussein, who was convicted in the HP fraud case, though has been fighting an appeal. There were also allegations of sexual harassment within the startup.

The Darktrace offering will also be a boon for the London Stock Exchange, which has struggled to compete with New York and Hong Kong for high-growth tech listings, with food delivery startup Deliveroo’s IPO flop weighing on its prospects. Shares of the company slumped 30% on opening. That knocked $2.6 billion off the Amazon-backed company’s value.

“Our company is deeply rooted in the UK’s tradition of scientific and mathematic research so we are especially proud to be listing on the London Stock Exchange,” said Poppy Gustafsson, chief executive of Darktrace. “This is a momentous day for Darktrace and for the UK’s unparalleled science and technology sector.

“Our mission has always been to apply fundamental technology to the universal challenge of cybersecurity and we would not have got to this point without the determination and dedication of our talented employee base, as well as the continuing loyalty and feedback from our customers. As we look to the future, we are eager to build on our AI technology and to accelerate its deployment in existing and new markets worldwide.”

Darktrace claims its artificial intelligence can learn how networks operate and then spot anomalies, with the ability to eradicate threats on its own without human intervention. It’s one of a handful of British tech companies worth more than $1 billion, in a country where few cybersecurity businesses grow so large or go public. Its past customers have included corporate giants like BT and HSBC.

The company says it plans to use its new funds to invest in its research center in Cambridge, U.K., and expand globally.

The Vivaldi browser has introduced a new feature that hides the annoying cookie permission pop-ups that plague modern web browsing.

Vivaldi claims that while the cookie requests were introduced with the best of intentions by the European Union, they’ve become an irritation and actually prove counter-productive in many instances. “Users are often required to click on multiple steps to manage such cookies, including hidden options, a dialog on every single page, or at times no way to deny them at all,” Vivaldi claims. “Naturally, this makes for a frustrating browsing experience.”

The new setting in Vivaldi 3.8 – which is released today – will allow users to remove cookie warnings. “This will simply block the service that asks for consent or hides the consent dialog, in the same way as it might remove a tracker or an ad,” Vivaldi claims.

The feature relies on third-party blocklists compiled by EasyList and I Don’t Care About Cookies. The browser firm admits its solution is imperfect, “as there will be a few websites that use other tactics to obtain cookie consent”.

It also warns that some sites may not let users in or may not work as expected if cookie permissions are not granted.

Privacy protection

Vivaldi, which is based on the same browser engine as Google Chrome, has long attempted to distance itself from Google by building in privacy protections. In addition to a built-in ad blocker, Vivaldi’s Private Windows default to the DuckDuckGo search engine to ensure that private browsing sessions are not traced.

Vivaldi has also come out strongly against Google’s proposed successor to third-party cookies. Google is planning to shift to a technology called FLoC, which the search giant claims reduces the risk of people being identified by their browsing history by putting them in larger cohorts.

Vivaldi claims that FLoC is flawed and has blacklisted the technology in Vivaldi 3.8.

Fraud detection company Inscribe, cofounded by Irish twin brothers and Under 30 honorees Ronan and Conor Burke, announced today that it has raised $10.5 million in a Series A funding round. The round was co-led by Uncork Capital, Foundry Group, and Crosslink Capital, with participation from Y Combinator.

Inscribe is a fraud detection company that detects fraud in customer-supplied information, such as the documents a customer gives to a business to prove things about themselves when applying for something like a mortgage or online insurance.

“Moving these processes online opens up the flood gates for frauds,” Ronan Burke, who serves as the company’s CEO, says. “These systems become even more vulnerable as these businesses strive for automated decisioning so giving customers answers in a couple of hours or minutes, it’s good customer experience but it brings about a lot of fraud.”

Burke says that the issues they are dealing with usually involve application fraud, such as individuals inflating their revenue or income for their business to try to get better terms or a larger loan. Other examples include international fraudsters pretending to live in the U.S. by tampering with an address on a utility bill in order to open a merchant account or an account on a crypto exchange.

One of Ronan Burke’s favorite examples of fraudsters they’ve caught is a man from Florida who had received nearly $4 million in federal loans, used it to buy a Lamborghini among other things, and was eventually charged with bank fraud. In July of last year, his story made it to the New York Times.

At the moment, Inscribe is focused on document fraud, following three steps to confirm the veracity of a certain document or point out its falsehoods.

The first one is document forensics, where the company examines every detail of the document, including font structures and pixels, to uncover evidence of fraud. This also includes suspicious behavior in the metadata and the non-visual evidence in the file. The second one is the company’s data network, as throughout their previous work they have found strong patterns of fraud from prolific fraudsters and organized fraud rings. The final step is validation and verification of the information on the document, where Inscribe checks things like names, dates, addresses and income to make sure they match what the financial institutions have on file.

The company’s revenue model is such that they charge on a per document basis. Since launching in March of last year, the company had grown 12x YoY, and clients include fintechs like Amount and BlueVine.

Ronan and Conor, native Dubliners, cofounded Inscribe in 2017 (Conor serves as the CTO). They participated with the idea in Y Combinator in the summer class of 2018. The company raised a $3.2 million seed round and went live in the beginning of 2020.

Jeff Clavier, a managing partner at Uncork Capital, who co-led the round says that they were attracted by Inscribe because of the magnitude of the problem, the technology they’ve introduced, and the founding team.

“Everywhere you look people are finding ways to cheat by forging documents and faking their income or financials and that’s true for individuals, companies, businesses of all sizes,” Clavier says. “The naked eye can’t see it, you need a machine, and Inscribe has the technology. What the company has done so far is just a drop in the bucket.”

Apple’s long-awaited iPhone operating system update, iOS 14.5 has just arrived. Here’s a stunning reason why you need to update your device right now. 

It’s been a long time coming, but Apple’s iOS 14.5 is finally here. It comes with a bunch of game-changing new features, but the most stunning by far is App Tracking Transparency (ATT), the anti-tracking technology that has been causing a massive fist fight between Apple and Facebook over the last few months.

This new technology launching in iOS 14.5 is a big win for privacy on your iPhone. That’s because it requires you to explicitly opt in to being tracked on your Apple device across apps and websites.

The new iOS 14.5 privacy feature will look something like this: When you open an app, you’ll get a notification asking: “Allow X to track your activity across other companies’ apps and websites?”

You can choose to “Allow” or “Ask App Not To Track.”

Apps that you ask not to track will lose access to the IDFA, a unique code that is assigned to you to track you as you use your device. App developers aren’t allowed to track you in other ways such as using your email address either. 

If you don’t want to see the pop-up, but you want to increase your privacy, you can also turn off tracking altogether in your Privacy Settings by toggling “Allow Apps to Request to Track” to “Off.”

As well as this stunning new privacy feature, iOS 14.5 also comes with the ability to unlock your iPhone using your Apple Watch. It’s late, but better than never since we are all still wearing masks.

Apple’s iOS 14.5 is certainly a game-changer when it comes to privacy, and it’ll be interesting to see how this affects Android phones as well. So what are you waiting for? Go to your Settings > General, check for a Software Update and if it’s there, install iOS 14.5 now and have a play with these brilliant new features.

Companies around the globe are scrambling to update critical credentials this weekend. The reason: the popular password management app Passwordstate fell victim to hackers, who injected malware via the app’s update mechanism.

Click Studios, the developer of Passwordstate, alerted its customers about the incident late this week immediately after it was discovered. The email noted that the breach occurred between April 20 and 22.

During that time, the attackers “[used] sophisticated techniques” to insert a malicious file alongside legitimate Passwordstate updates. At this point in time it appears as though the malicious update did indeed make its way onto Passwordstate users’ computers.

Full Impact Difficult To Assess

In its online Passwordstate brochure, Click Studios reports “Empowering more than 29,000 Customers and 370,000 Security & IT Professionals globally.” With numbers like those in play, it could take weeks or even months before the full impact of the breach is known.

Even at a small or medium organization, IT staff manage dozens if not hundreds of credentials for services and devices.

“Affected customers’ password records may have been harvested,” states the breach notification. Indeed, users would do well to assume the worst even though there are some mitigating factors.

Click Studios notes that the malicious activity spanned 28 hours. Customers who did not receive an automatic update during that window should not be affected. Likewise, users who perform updates manually should be safe.

The downside is that those groups could be fairly small. Keeping software fully updated is supposed to be one of the cornerstones of good security, after all. We’ve grown to rely on automatic update systems to take the hassle out of the process for us.

Security researchers at the Denmark-based CSIS Group detected the rogue file on a system during an investigation. Once it had been delivered to a victim’s computer, the file would attempt to establish communications with a remote server to download additional malicious components.

Automatic Updates Become a Double-Edged Sword

Automatic updates are great, when they perform as expected. When they don’t, however, there’s tremendous potential for trouble.

Sometimes it’s as innocuous as a handful of documents that refuse to print. Other times, it might be an antivirus update that renders your computer unable to boot at all. And sometimes it might give hackers the keys to your corporate password vault. Here’s hoping the malware in this incident wasn’t able to dig that deep.

Either way, this is a clear illustration of why elite — often state-sponsored — hackers choose to target these systems in supply chain attacks. Why go after just one corporate target when a well-placed attack on a provider can provide access to hundreds or even thousands of networks?

Rick and Tom Smith introduced the world to the Taser in the 1990s. Now the siblings compete in a $7 billion market for non-lethal weapons, at a time of intense scrutiny of police violence.

In December, police in Fruitland, Maryland, responded to a report of a man in distress. They’d had to deal with him before: His seizures caused him to become violent with his family. Rather than reaching for a Taser or using physical force, they turned to a device called Bola Wrap. When the officer fired, a Kevlar rope exploded from his hand like a web from Spider-Man’s wrist and wrapped itself around the target’s arms. The man’s mother asked, “So, it’s not like a Taser?” The officer responded, “It’s for stuff like this because they don’t mean to hurt anybody.”

The product is the creation of Wrap Technologies, whose chief executive officer is Tom Smith, one of two brothers behind the Taser non-lethal weapon. Though he left that business in 2013 after 20 years there, Tom, now 53, says he doesn’t see the Bola Wrap as a competitor to his former company’s better-known stun device, but rather as a complementary weapon to help immobilize an assailant in certain situations.

“It is pretty unique,’’ says Tom, who joined Wrap as president in 2019 and became CEO in March. “We’ve got two brothers who are CEOs at public companies and selling devices to this really contentious space, trying to solve these really difficult problems.”

Rick Smith, the 50-year-old chief executive officer of Taser’s $10 billion (market cap) parent company Axon, says his older brother’s product is definitely competition. “With my brother over there, we’ve just kind of agreed not to talk work,’’ says Rick.

The brothers are both operating in a market that seems poised to grow in light of ongoing scrutiny of police use of lethal force and outrage in Minnesota and elsewhere. According to a November 2020 report by Global Market Outlook, cited by Wrap, the global non-lethals industry — a category that includes hand-held weapons like the Taser and Bola Wrap but also a variety of other gear from batons to tear gas — logged $6.8 billion in sales in 2019 and is expected to expand to $8.1 billion by 2025. By comparison, the best estimates of the global lethal weapons industry, excluding military equipment, range from $6 billion to $8 billion.

Taser, which recorded $360 million in revenue in 2020, is still the dominant player in the pistol alternative niche, with smaller rivals like Phazzer, Digital Ally and Wattozz making few waves. “There’s nothing else on the market really,” says Kim O’Toole, who heads up Toronto Police Department’s police college. Its parent company Axon posted total sales of $650 million and less than $1 million in net profits last year but things are looking up:  net income for the fourth quarter hit $25 million and, according to 2021 estimates, revenue is expected to reach $780 million and net profit up to $140 million this year. As a result of that market dominance and Axon’s other successful businesses in police body cameras and evidence storage, Rick is rich and likely to get richer. Forbes estimates his wealth at more than $160 million and he could also be in line for an almost $1 billion windfall in the form of vested stock options if his company hits certain targets including a market cap of $13.5 billion, up from almost $10 billion now, and 12 of 16 revenue and profit milestones.

Tom and Wrap aren’t yet close to those kinds of numbers. Wrap reported revenue of just $4 million and a $12.5 million loss last year. Tom, who had more than 220,000 shares as of his last Taser filing in November 2011, sold them all when he left in 2013. (At the time, Taser shares were trading for $10; they are now priced at over $150 a share). He has stock options but no shares in Wrap, which is worth just under $200 million.

The brothers grew up under the influence of their father’s entrepreneurial ambitions. “We were pretty competitive brothers growing up. So that dynamic is in place,” says Rick. Though they’ve reconnected lately after losing their father in April just a few months after their mother died, their personalities have clashed over the years. Rick tends to be flashier, Tom more reserved. “We never really got along,” Tom told the New Yorker in 2018. “He goes to Vegas, I go to Montana. We’re polar opposites.”

When Rick was in college at Harvard University, two of his high school friends were shot dead. It was at that point, he says, that he started thinking about alternatives to the horrors of gun violence. After a stint studying in Belgium, where fellow students were disturbed by the proliferation of guns in the U.S., he began researching non-lethal tools that could replace lethal weapons. He wrote the original plan for a non-lethal weapons business during a class on entrepreneurship towards the end of his business school course at the University of Chicago. During his research, he singled out Jack Cover, an inventor who created the original Taser technology, working with Rick out of a garage in Scottsdale. The name Taser is an acronym, coined by Cover after a book he loved, Tom Swift and His Electric Rifle, which included a fictional gun not dissimilar to the Taser.

Tom came on board, at first working nights and weekends, and helping to set up basic operations: bank accounts, payroll and offices. They looked to their father, who was CEO of a software company, for a helping hand, and the elder Smith provided a $100,000 angel investment, while coming on board as chairman. Tom later became president and director of the Taser company, albeit owning about half as much of the business as his brother and his dad by the time the company went public in 2001. As Rick ran the company at home, ramping up marketing and developing the Taser’s efficacy, and getting thousands of police agencies to sign up, Tom says he was building the business globally. “I took it to 120 countries around the world,” he says.

Tom says he left Taser hoping for a new lease on life. “I like the startup side of companies,” he says. A pilot like his father, Tom in 2012 cofounded and became CEO of Set Jet, a private jet charter flight platform. He later cofounded ATS Armor, a law enforcement armor supplier, but the company filed for bankruptcy in 2019.

When he was out on the road demonstrating and selling the Taser, Tom recalls, one request he kept hearing from police was the need for a non-lethal that didn’t inflict pain, as the Taser does. The first time he saw Bola Wrap in action in early 2019, he believed it was the answer. The Wrap inventor, Eldwood Norris, now the company’s CTO, was already known as the creator of the Long Range Acoustic Device, sometimes referred to as a sonic weapon, for its piercing noise designed to stop people in their tracks.

Taser’s solution is well-known: a stun gun that fires electrified barbs that latch onto suspects and produce muscle spasms intended to immobilize them. Once described as a non-lethal tool, the Taser is better labelled a “less lethal” option, perhaps because of hundreds of cases over the years when those who’ve been shot with a Taser have subsequently died, often by cardiac arrest, according to data collected by Reuters.

Tom sells the Bola Wrap as a relatively painless alternative to the Taser. It lassoes a target in Kevlar rope, acting as “remote handcuffs.” With no bullets or electricity, the chance of killing someone with Bola Wrap is billed as lower than using a gun or a Taser and just as effective. With Bola Wrap, Tom says, there’s no need to be precise as an officer only needs to fire close enough so that the 2.5 metre cord can ensnare a target. The biggest safety issue, he admits, are the hooks, similar to fishing hooks, that connect the ends of the cord together. “Our concern is more about those going into somebody’s eye. So we really try to train (users) to stay away from the face.”

Tom says 430 U.S. police agencies use the Wrap today, with sales in 38 countries. The Los Angeles Police Department is experimenting with the product, and other customers include the Portland and Buffalo police departments. It’s a minuscule share compared with Tasers, which Axon says are used by 90% of America’s 18,000 law enforcement agencies.

Some in law enforcement have doubts about Bola Wrap. A group from Toronto’s Police Department recently took a trip to Arizona to test out the tech. “In scenarios where people are running or walking or erratically moving, to be able to wrap both legs with a good wrap the first time is a bit difficult,” says superintendent Kim O’Toole. “I think they have some work to go.”

Tom’s ambitions for Wrap, meanwhile, are literally sky-high: He says Wrap is talking with drone companies about adding its non-lethal weapon to unmanned flight systems so the lasso can ensnare suspects from above. “Let’s say you have a barricaded suspect… and maybe get them wrapped before the officers have to go in there. It reduces the risk,” Tom says.

Back on land, Rick continues to refine the Taser’s design with hopes that it will be so effective that police won’t need to use guns. He also aspires to sell more Tasers to armed forces throughout the world. “I think it makes no sense for a major military to send their personnel abroad with only highly-lethal weapons. That is a recipe for bad things to happen,” he says.

There is plenty of skepticism that either of the brothers has the right answer to improve police and citizen safety. Kroll executive Daniel Linskey, former Superintendent-in-Chief of the Boston Police Department, thinks police need more training in basic techniques: learning to use words to deescalate a situation, and, when that fails, to use their hands. Many police officers, he says, have become reluctant to strike suspects for fear of going viral on YouTube. “I would argue that sometimes the old-fashioned ability to fight and roll around is probably the best thing for everyone involved,” Linskey says.

Researchers from the Cisco Talos Intelligence Group have uncovered security vulnerabilities in a popular kitchen appliance, the Cosori Smart Air Fryer. The blog post confirming these vulnerabilities states that these could “hypothetically allow an adversary to change temperatures, cooking times and settings on the air fryer.” The two vulnerabilities, CVE-2020-28592 and CVE-2020-28593, could allow remote code execution by an attacker. Temperature and timer controls in the hands of a malicious attacker could prove dangerous in the extreme, but what is the real-world risk?

Vacuum cleaners, coffee machines and sex toys

The internet of not so smart things is a security and privacy nightmare, no doubt about that, but some vulnerabilities are more worrying than others.

Last year I reported on a robot vacuum cleaner that could be hacked to spy on the user. Out of the lab and in the real world, this would require a firmware update, access to the local network and the correct ambient light and sound levels to work.

There are, truth be told, much easier ways to use technology to eavesdrop on someone.

Smart lock issues, yep. Coffee machine ransomware, less so. Connected car hacking and even permanently locking an internet-connected chastity belt, well, yeah.

Air fryer hacking, not so much.

The problem with air fryer security vulnerabilities

Obviously, the ability to tamper with temperature and timer controls on a cooking device is a dangerous thing that, if successfully exploited, could potentially start a fire. So why am I not overly concerned about this one?

Well, to begin with, the researchers admit that the attacker “must have physical access to the air fryer for some of these vulnerabilities to work.” Given that there are only two vulnerabilities to begin with, the exploit opportunity has already shrunk considerably, it would seem to me.

OK, you have to allow for the ingenuity of persistent threat actors, which might see a scenario involving a stack of other exploits and malware to gain access to the local network and then the air fryer firmware. Still, it’s a bit of a stretch. At least as far as the average user, or rather risk to the average user, is concerned. Equally, the firmware could be mucked about with somewhere in the supply chain, but that’s also unlikely in anything but a very niche victim-targeting scenario.

“Security issues in IoT devices, even with complex exploitation scenarios, are concerning because often a user can usually never easily tell if a device is vulnerable to an issue or even if a device has already been compromised,” Craig Williams, the Cisco Talos director of outreach, told me. With regards to the air fryer vulnerabilities, Williams says “in CVE-2020-28593, for example, the bug could be used to implant malicious firmware into the device. This could then be used for any number of nefarious purposes, perhaps most likely as a proxy point for attackers to route their traffic through during future campaigns.”

Who needs an internet-connected food fryer anyway?

Sure, maybe I am overly cynical, but scary-sounding hacker warnings are not always things to set off the real-world panic alarm. It’s crucial for researchers to keep finding and reporting these vulnerabilities to hold manufacturers’ feet to the fire and make products safer for the user. Nobody is going to argue against that. However, I would argue that nobody needs their air fryer, or any fryer for that matter, to be connected to the internet. I can’t think of a single instance when I’ve been away from home and wished I could get the French fries cooked by the time I got back. Maybe I live at a slower pace than some, but perhaps that’s not a bad thing.

Tim Erlin, vice-president of product management and strategy at Tripwire, said, “it can seem like it’s worth a laugh when vulnerabilities are found in these network-connected smart devices, but the increasing ubiquity of connected devices combined with vulnerabilities like these increasingly creates an attack surface with real risk. Your air fryer or light bulbs might not be that interesting in and of themselves, but they could provide a point of entry to other devices on the network.”

Craig Williams advises users to “consider do you really need the device to be on the internet? If so, then one should look for a device vendor that is likely to continue to be around for a while and support the device with security updates. This can usually be checked by searching for the name of the device and the acronym ‘CVE’. If you see advisories with patches available, you’re probably doing OK.”

Cosori confirms firmware update for the air fryer concerned

I reached out to Cosori regarding the matter, as Cisco Talos went public in disclosing these issues, saying the manufacturer “did not respond appropriately” during the 90 days outlined in its vulnerability disclosure policy.

“Cosori deeply cares about the safety of the users of smart products,” a Cosori spokesperson says, “we have set to solve this issue immediately.” The Cosori statement continues:

“First, as a result of a detailed analysis, we are sure the scope of the vulnerability is limited to the local area network, and it cannot be controlled remotely through the WAN. And then, we have resolved the problem, an upgraded version of the appliance will be released soon. So, the air fryer can be upgraded with repaired firmware on April 25, 2021.”

Cosori advises users to upgrade the firmware to the latest version and says it will “keep on developing a safe and convenient system for our customers.”

Cyber threats are a fact of life for nations and companies around the world. The United States government has recognized and addressed the growing risk of cyber attacks from adversaries dating back to at least 2001, when President George Bush appointed Richard Clarke as the first Cybersecurity Czar—a special adviser to the president on issues of computer security. A lot has changed since 2001—both in terms of the technology attack surface and the threat landscape—and cyberattacks have emerged as the primary battlefield in a new “Cold War” between the United States and its primary adversaries. In March, a panel of experts got together for a virtual roundtable titled “Restoring National Cybersecurity: A Look into the First 100 Days of the New Administration” to discuss the challenges we face and offer guidance for how to address them effectively.

We are nearing the end of President Joe Biden’s first 100 days in office. The first 100 days is generally recognized as a combination of honeymoon phase—as cabinet positions are filled, and individuals get acquainted with their roles and ramped up on the work to be done—as well as a significant milestone—as the nation considers the early tenor and vision of the policies being pursued by the new president. The job of President of the United States is never easy, but President Biden’s challenges were compounded by inheriting the fallout of gross negligence and incompetence by the former administration on virtually every front—from the economy, to foreign relations, to the climate, to education and infrastructure, to the urgent need to implement a functional plan for dealing with the COVID-19 pandemic and expediting vaccinations across the country. On top of all of that, the nation is facing a large and growing cyber threat from adversary nation-states and cybercriminals that can’t be ignored.

The roundtable discussion was hosted by Cybereason and moderated by David Spark. The panel of experts was comprised of Lior Div, co-founder and CEO of Cybereason, Theresa Payton, CEO of Fortalice Solutions and former White House CIO, Corey Thomas, CEO of Rapid7 and a board member of the Cyber Threat Alliance and Michael Daniel, president and CEO of the Cyber Threat Alliance, and President Obama’s former Cybersecurity Coordinator. Each person on the panel brings valuable cybersecurity expertise to the table, as well as experience addressing cyber threats from nation-states.

The roundtable was coordinated in the wake of the SolarWinds attacks that were discovered at the end of 2020. US intelligence sources and cybersecurity experts have attributed those attacks—which affected tens of thousands of systems around the world—to Russia. The agenda of the discussion was to develop an action plan that might help guide the Biden Administration as it strives to respond to these types of attacks and strengthen the cybersecurity posture of the nation in general to prevent similar attacks in the future. The discussion became even more relevant and poignant when another massive attack was revealed just days before the roundtable sessions took place. HAFNIUM—a hacker group based in China—targeted a variety of zero-day vulnerabilities to compromise tens of thousands of Microsoft Exchange Servers.

David Spark started the session talking about the budget allocated for cybersecurity in the American Rescue Plan legislation and asked Lior Div for insight on how he would begin restoration of America’s cybersecurity defenses.

Lior noted that the United States is under virtually continuous attack from Russia and China and suggested that we need to start by changing our mindset. He pointed out how the current situation is a rekindling or extension of the Cold War, but also that the objectives have shifted. “You can gather information, and you can manipulate information as much as you want. In general, I would say two things. One goal is espionage. And the other one is to control kind of what people think. And we can go back all the way back to 2016, when we had the election, when the Russians tried to influence it heavily, and even in the last election.”

David then asked Theresa Payton to weigh in on what she believes we are doing poorly now and what is the first thing we need to address. Theresa started off by offering praise and appreciation for the Herculean task that CIOs and CSOs have been faced with during the COVID-19 pandemic as entire organizations suddenly went 100% remote—simultaneously obliterating any concept of a network perimeter and vastly expanding the attack surface that needs to be monitored and protected.

Theresa stressed that super control access should be strictly limited, and that organizations should ensure users are rotating and using unique passwords. She added, “Accounts have got to be monitored with behavioral-based monitoring, segmentation of everything. So, the more you can segment everything down to the most granular level, when that data incident happens—which it will—you have the ability to go shields up and flip kill switches so that you can actually mitigate the incident and still have resiliency in the organization.”

Michael Daniel pointed out that nobody wants to get hacked, and nobody is intentionally doing cybersecurity poorly. He recommended that we need to step back and understand why it is that government agencies and private sector organizations struggle with the basic fundamentals of cybersecurity and try to figure out what we can do to improve it. For starters, he suggested that we not place so much of the burden on the end user. He explained that we expect drivers to be responsible for actually clicking their seatbelt into place when driving a vehicle, but there are other elements of vehicle safety that are automated. “We don’t have a car say, ‘Excuse me, you’re about to have an accident. Would you like me to deploy the airbags: Yes, or no?’ Like, it just does it, right?”

Corey Thomas noted that it may sometimes seem futile—especially when facing a nation-state attacker that has significantly more resources at their disposal. He stressed, though, that it isn’t just about completely eradicating the threat. There is value in simply raising the bar and making it more challenging so there are fewer attacks, or the attacks take longer to execute, or the impact of the attacks is diminished.

Lior emphasized that he spent more than 20 years of his life being on the other side—being a nation-state hacker for the West. With the benefit of perspective from both sides of the fence, he stressed that we need to stop treating nation-state attacks as being too complex or sophisticated for us to defend against effectively. “I think that that was an excuse for many, many years for many companies of saying, ‘Oh, this is nation-state. We cannot do anything about it.’ I think that by now we have the technology. We’re 10 years into that after this event. I think that there is enough innovation that we drove collectively in order to fight against them.”

It was a valuable and insightful roundtable discussion. As we approach the end of the first 100 days of the Biden Administration, the cyber threat landscape seems to be intensifying even more. Acer was reportedly hit by a ransomware attack demanding $50 million in ransom. A few weeks later, in the wake of sanctions by the Biden Administration against Russia and potentially in retaliation for that action, Quanta—a major partner and supplier for Apple—was also hit by a $50 million ransomware attack. Meanwhile, researchers found that the Prometei Botnet is leveraging the exploits from the HAFNIUM attack to target vulnerable Microsoft Exchange systems. The breaches and compromises seem to be increasing in frequency and escalating in scope and impact, so it’s imperative we take action quickly.

I expect and hope that the Biden Administration will seek out experts like those who participated in this panel and involve them to better understand the threats we face, and to provide guidance for how to address those threats effectively and improve cybersecurity.

A notorious cybercrime gang behind the REvil ransomware operation claims to have stolen the schematics for new Apple Watch and MacBook Pro products, amongst other confidential documents related to major brands.

Bleeping Computer reports that Apple supplier Quanta Computer was the target of the ransomware attack. The ransom demand, it says, was initially made of Quanta, but when the company didn’t communicate with the attackers, they switched to Apple to demand payment of a $50 million ransom. 

REvil has already published several documents on the dark web ‘Happy Blog’ it uses. Although many of the schematics leaked so far appear to be component-specific and not necessarily related to new products, that doesn’t appear to be the case for all of them. Online publication 9to5Mac has determined that documents relating to the 2021 MacBook Pro reveal a lack of Touch Bar and changes to ports, for example.

REvil has, unsurprisingly, ‘recommended’ that “Apple buy back the available data by 1 May.”

In the meantime, Quanta has released a brief statement that neither confirms nor denies the scale of the ransomware attack. It states that it has “worked with a number of external security company technical experts to deal with this network attack on a small number of servers” and has “informed the relevant government law enforcement departments and security units.” The statement continues to say that the day-to-day operations of the company were not affected.

I have reached out to Apple and will update this story if any comment is forthcoming.

It looks like Apple may not be the only business that REvil may turn to for a ransom payment. As Lewis Jones, a threat intelligence analyst at Talion, points out, “Quanta have a number of high-profile customers including Alienware, Lenovo, Cisco, and Microsoft, and it appears that the ransomware gang will work through the list depending on the levels of information stolen for each customer.”

As well as being one of the first cybercrime operations to implement a double-extortion ransomware attack, whereby systems are taken offline and data is also stolen, REvil has become the most significant ransomware-as-a-service player. Affiliate groups take responsibility for carrying out the attack in the first place, using REvil-developed malware, while REvil itself handles the ransom negotiations. “Once a ransom payment is paid to REvil, the core developers and the affiliates split the payment,” Jones said.

That ransomware attacks make the headlines so often is hardly surprising, given the high-profile targets and the skyrocketing ransom demands being made. “Out of all the various types of cyber-crime activities,” Niamh Muldoon, global data protection officer at OneLogin, said, “ransomware is the one activity that has a high direct return of investment associated with it.”

“Paying the ransom may seem like the obvious decision a business would make here,” Muldoon continued, “but there are other factors that the business needs to consider when making this decision.” Factors such as an analysis of factors associated with the attack: the means, the motive, and opportunity. “This can be accompanied by industry, economic and market conditions,” Muldoon said, “factoring three or four variables into this business decision will help support a business in making an informed decision on the possible impact to the business, including brand and reputational damage.”

Andy Norton, European cyber-risk officer at Armis, however, insists that paying a ransom should never be encouraged. “In terms of dealing with personal data leaks, how could you possibly trust a criminal group not to later leak the data anyway,” he said, adding, “a payment would reek of a cover-up attempt and possibly money laundering charges. The breach happens the second the data leaves the building, and response actions have to be based around minimizing the potential impact to victims that are in your control.”

I’ll leave the final words to ESET cybersecurity specialist Jake Moore. “Apple takes great pride in securing its data alongside its supply chain, which attracts bad actors to test their securities for the possible kudos at stake. However, recent attempts suggest they will not pay, however frightened they might be. There is only a very limited amount of ‘proof’, which could still turn out to be stolen from a variety of other sources, so it is never advised to pay ransom demands. Furthermore, if Apple were to pay, it would open the floodgates for more attempts to extort them – leading to problems on a whole new level.”