A Canadian maker of smart padlocks has agreed to implement a comprehensive security program and not misrepresent its privacy and security practices under an agreement with the U.S. Federal Trade Commission.
Earlier this month, the FTC gave final approval to a settlement with Tapplock Inc. of Toronto, maker of a fingerprint-enabled padlock sold to enterprises and consumers, related to allegations it falsely claimed that its internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data collected through a mobile app.
Security researchers identified both physical and electronic vulnerabilities with Tapplock’s smart locks, according to the complaint. The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.
Under the settlement, Tapplock is required to implement a comprehensive security program and obtain independent biennial assessments of the program by an assessor that the FTC approves. The company also is prohibited from misrepresenting its privacy and security practices.
The two sides came to an agreement on a settlement of the allegations in April. That needed final approval of the commission.
Under the consent order, Tapplock agreed to not transfer, sell, share, collect, maintain, or store personal information or manufacture or sell devices unless it implements a comprehensive security program that protects the security of devices and the security, confidentiality, and integrity of personal information.
According to its website this week, the company sells two models: the Tapplock one+, described as “Sturdy” and “Secure”, which stores up to 500 fingerprints per lock; and the Tapplock lite, described as having a “strong, lightweight chassis”, which stores up to 100 fingerprints. Bluetooth lets users share remote access.
For organizations that issue and control multiple padlocks, the company offers an enterprise software-based management console allowing an administrator to set custom permissions for users and manage them by groups. Customers listed on the site include Bombardier, Lufthansa and Foxconn.
The FTC’s background complaint document supporting the consent order says that in 2018 “security researchers identified critical physical and electronic vulnerabilities” with Tapplock smart locks. “Some could be opened within a matter of seconds, simply by unscrewing the back panel.”
One alleged vulnerability in the API could have been exploited to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks. Because the company failed to encrypt the Bluetooth communication between the lock and the app, a second vulnerability could have allowed a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, a third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access to that lock.
The second count alleges that Tapplock deceived consumers about its data security practices by falsely representing that it took reasonable precautions and followed industry best practices to protect the personal information provided by consumers.
Tapplock neither admitted nor denied any of the allegations in the complaint other than those stated in the final decision and consent order.
The company didn’t respond to an email request Wednesday for comment.
Failure to patch old vulnerabilities is still a leading cause of breaches of security controls, says a new report.
In its annual Global Threat Intelligence Report released this week, global services company NTT Ltd. said threat actors continue to focus on vulnerabilities that are several years old with apparent success.
“In our first report [seven years ago] we mentioned one of the problems is vulnerabilities 10 years or older represent 22 per cent of all breaches in our client base,” Matthew Gyde, CEO of NTT Ltd.’s security division, noted in an interview.
“While that’s got a little bit better, many organizations are still not maintaining their systems to prevent people from going after old vulnerabilities … Old school attacks are still strong.”
The report, which uses data from the company’s customers collected between October 2018 and September 2019, noted that during the period organizations continued to experience high levels of malicious scanning focused on identifying the six-year-old Shellshock (CVE-2014-6271) vulnerabilities. Continued attacks against vulnerabilities such as the six-year-old HeartBleed (CVE-2014-0160) helped make OpenSSL the second most targeted software technology with 19 per cent of hostile activity globally. Seventeen vulnerabilities in OpenSSL identified in the last two years contributed to a constant focus of attacks against vulnerable implementations.
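The scanning NTT describes is easy to spot in ordinary web server logs. As an added example (not NTT’s code or data), the Python below parses combined-format access logs and flags requests whose Referer or User-Agent header starts with the bash function-definition marker that Shellshock (CVE-2014-6271) probes rely on; the sample log lines are constructed for the example.

```python
"""Flag Shellshock (CVE-2014-6271) probes in combined-format web access logs.

Added example, not NTT's code. Shellshock triggers when bash parses an environment
variable whose value begins with a function definition, "() {", which CGI-style
servers built from request headers. Scanners therefore place that marker in the
User-Agent or Referer header, both of which the combined log format records.
"""
import re

# Constructed sample: two ordinary requests and two probes from one source.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2020:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.4 - - [12/May/2020:10:01:25 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [12/May/2020:10:02:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "() { ignored; }; echo probe" "curl/7.64.1"
192.0.2.9 - - [12/May/2020:10:03:40 +0000] "POST /api/login HTTP/1.1" 401 88 "-" "okhttp/4.2.1"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The bash function-definition marker at the start of a header value, tolerating
# the whitespace variations seen in scans ("() {", "(){", "() {:;};").
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text):
    """Return (ip, header_name, request) for every request carrying the marker.

    Both Referer and User-Agent are checked, because either reaches a CGI script
    as HTTP_REFERER / HTTP_USER_AGENT on an unpatched host.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue
        for header in ("referer", "agent"):
            if SHELLSHOCK_RE.search(entry[header]):
                hits.append((entry["ip"], header, entry["request"]))
    return hits


def probing_sources(log_text):
    """Count probes per source address, for blocking or reporting."""
    counts = {}
    for ip, _, _ in find_shellshock_probes(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print("Shellshock probe:", hit)
    print("sources:", probing_sources(SAMPLE_LOG))
```

A hit is evidence of scanning, not of compromise; a host patched since 2014 ignores the marker, which is exactly why the continued scanning NTT reports is a measure of attacker persistence rather than of success.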
Ironically, response to the current COVID-19 pandemic may change that, Gyde said, as CIOs shift from on-premise to cloud-based applications, which get regular updates from their developers.
NTT Ltd. is a subsidiary of Japanese telecom giant NTT Corp., which includes well-known units such as Dimension Data and White Hat Security. NTT Ltd. operates in 31 countries outside of Japan. It has a staff of 60 in Canada, including 12 focusing on cybersecurity solutions.
The finding that threat actors continue to leverage old vulnerabilities in 2019 was one of six trends identified in the 73-page report. Others include the increased use of machine learning and artificial intelligence tools by threat actors to automate attacks; the weaponization of infected Internet of Things devices; increased attacks on content management systems; the tightening by governments and regulators of governance and privacy laws; and the increasing targeting by attackers of technology firms and governments.
The attack data indicates that over half (55 per cent) of all attacks in the study period were a combination of web-application and application-specific attacks, up from 32 per cent the year before. Twenty per cent of attacks targeted CMS suites and more than 28 per cent targeted technologies that support websites. Organizations that are relying more on their web presence during COVID-19, such as customer portals, retail sites, and supported web applications, risk exposing themselves through systems and applications that cybercriminals are already targeting heavily.
The trends analysis is broken down geographically and by five industry sectors.
Among the recommendations for IT leaders:
- Mature your organization’s approach to be secure by design. Understanding your organization’s goals, identifying acceptable risk, and building cyber-resilient capabilities are essential to navigating the threat landscape. An entire section of the report deals with cyber-resiliency.
- Pursue intelligence-driven cybersecurity. Cybersecurity and business leadership must change the way they think and apply security, and must transform from a reactive mindset, to a more effective, proactive, intelligence-driven approach.
- Monitor the threat environment. Leveraging intelligent cybersecurity to guide decisions, support business agility, and maintain an acceptable risk level for the organization is essential to success.
- Focus on standardization of controls. Cybersecurity defenders should focus on leveraging standards, knowledgebases, and frameworks such as the MITRE ATT&CK and NIST Cybersecurity Framework. These will help organizations mitigate risks and provide excellent information to help organizations assess organizational risk.
The report can be downloaded here. Registration required.
Credential theft, social engineering attacks (including phishing and business email compromise) and human errors were involved in just over two-thirds of almost 4,000 data breaches around the world last year, according to the 13th annual Verizon Data Breach Investigations Report.
“These tactics prove effective for attackers,” say the report’s authors, “so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts.”
The 130-page report released this morning aims at giving CISOs a better understanding of the varied threats they face not only generally but in regions and across several industries. This year’s report looks at 16 verticals.
Written in a slightly cheeky style and chock full of statistics, the report uses data from 81 partners (ranging from IT vendors to the U.S. Secret Service) to analyze 32,000 incidents (events that compromise the integrity, confidentiality or availability of an information asset) and 3,950 data breaches (confirmed disclosures of data).
Among the highlights (or lowlights):
- Hacking (defined as an attack using stolen credentials, exploiting vulnerabilities or using back doors) was involved in 45 per cent of breaches; 22 per cent involved attacks through social media (including email); 22 per cent involved malware. Also, employee errors were causal events in 17 per cent of breaches, while eight per cent involved the misuse of data by authorized users.
- Ransomware accounted for 27 per cent of malware incidents (and it was higher in some verticals like government and higher education);
- Web application attacks doubled from 2018 to 43 per cent of all breaches.
- Internal-error-related breaches almost doubled from 2018 (881, versus last year’s 424). However, report authors believe this increase is likely due to improved reporting requirements because of new legislation and changes in existing law rather than insiders making more frequent mistakes.
There is some good news:
- Security tools are getting better at blocking common malware. Data shows that Trojan-type malware peaked at just under half of all breaches in 2016 and has since dropped to only 6.5 per cent. Malware sampling indicates that 45 per cent of malware is either droppers, backdoors or keyloggers. “Although this kind of threat is still plentiful, much of it is being blocked successfully,” say the authors.
- Less than five per cent of breaches involved the exploitation of a vulnerability. “In our dataset, we do not see attackers attempting these kinds of attacks that often; only 2.5 per cent of security information and event management (SIEM) events involved exploiting a vulnerability. This finding suggests that most organizations are doing a good job at patching,” says the report. However, it adds, while patching does seem to be working, poor asset management can hide big problems. “Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defences.”
Finally, for those CISOs worried about insiders, keep it in perspective: The report’s numbers continue a historical trend showing that insiders account for about 24 per cent of breaches — and a lot of times that’s user error (a lost laptop, misconfigurations).
“What continues to frustrate people like me is email phishing,” commented report co-author John Loveland in an interview. “We all know that it’s problematic, we all know we shouldn’t be clicking on [links in] emails, but there continue to be click-throughs.”
All that’s needed is one person to click on a malicious link for an attack to start, he noted, “but in this day and age with all the attention around phishing and the technologies that are used to intercept phishing emails it’s still a soft-side of security.”
“We as an industry have to get better at removing the human factor out of that exploit, not only from a training perspective but also from a technology perspective… because that is the primary attack vector. That’s an ongoing frustration every year for me.”
Most worthwhile security controls
Finally, the report points to eight controls the data suggests will be worthwhile for most organizations to tighten their security posture. (The numbers in brackets correspond to the Center for Internet Security Critical Security Controls):
- Continuous vulnerability management (CSC 3). Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfiguration.
- Secure configurations (CSC 5, CSC 11). Ensure and verify that systems are configured with only the services and access needed to achieve their function.
- Email and Web Browser Protection (CSC 7). Lock down browsers and email clients to give your users a fighting chance.
- Limitation and Control of Network Ports, Protocols and Services (CSC 9). Understand what services and ports should be exposed on your systems, and limit access to those.
- Boundary Protection (CSC 12). Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
- Data Protection (CSC 13). Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
- Account Monitoring (CSC 16). Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
- Implement a Security Awareness and Training Program (CSC 17).
Download the full report here. Registration required.
With governments around the world making billions of dollars available for COVID-19 financial relief, criminals are making every effort to take advantage. That includes building phony official coronavirus relief templates for websites to trick victims into giving up sensitive personal information.
Among the sites discovered by security vendor Proofpoint are bilingual pages impersonating the Government of Canada site that attempt to get credentials from victims in either English or French. The news is part of a blog released Friday that also details phishing financial relief pages for the U.S. Internal Revenue Service, the U.K. Revenue and Customs and the official registration site for France.
The goal of the Canadian site is to capture social insurance numbers, which are valuable for creating fake IDs.
“This spoof is noteworthy because while it copies the behaviour of the Canadian government website effectively, it does not match the look and feel of the current Canadian government website,” Proofpoint notes. “The malicious template correctly copies the name of Canada’s revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colours, and branding of the malicious template do not match that of the legitimate Canadian government website.”
Fake websites would be created for people doing internet searches for financial relief programs. They would also be the landing pages for links in mass email and text campaigns previously outlined in our Cyber Security Today podcasts.
Proofpoint says it’s found more than 300 different COVID-19 campaigns since January across nearly every industry it tracks. The creators include well-known, established threat actor groups and unknown individuals.
Creation of Covid-19 phishing landing pages increased sharply in early March, peaking around the beginning of April and then sharply dropping off, says the blog. That plunge probably is caused by a combination of saturation for COVID-19 payment theme phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed, Proofpoint believes.
“It’s clear threat actors follow trends closely,” the blog adds. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative. The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks.”
Canadian governments are planning to approve COVID-19 mobile contact tracing apps to help health authorities track the spread of the infectious disease. However, two recent surveys offer conflicting numbers on whether residents here want the apps to be voluntary or mandatory.
The issue is crucial: Health experts say wide adoption of an app — perhaps as much as 50 per cent of the population — is needed for it to be useful.
In the most recent survey, released this morning by KPMG Canada, 55 per cent of respondents said digital contact tracing should be voluntary, citing privacy concerns and potential abuse of civil liberties. Two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”
Yet 57 per cent of respondents don’t believe such an app would be effective unless it is mandatory.
On the other hand, a survey commissioned by three Canadian Senators released last week found 65 per cent of respondents support the mandatory use of contact tracing apps.
However, in an interview one of those senators acknowledged the question on mandatory/voluntary adoption may not have been neutral. And Canadian privacy expert Ann Cavoukian said the Senate survey question “has no validity.” (See below for more detail)
Most privacy experts around the world say COVID contact tracing apps must be voluntary to get widespread adoption. That’s the position of federal and provincial privacy commissioners as part of a statement of principles they urge governments here to follow on tracing apps. Alberta, the first Canadian jurisdiction to release an app, has made its adoption voluntary. But some privacy experts worry that if adoption is low a government will be tempted to make it mandatory.
Despite Alberta jumping the gun, federal and provincial officials are looking at about a dozen proposed apps for approval.
A number of contact tracing apps are being developed around the world, some — like Alberta’s — based on one of the earliest developed by Singapore. Broadly speaking, tracing apps use Bluetooth to capture encrypted ID signals from nearby mobile devices that also have an app, usually with a time limiter. (For example, Alberta’s app won’t obtain an ID number unless a person is nearby another for a total of 15 minutes over 24 hours). Depending on the app, each mobile device holds a list of contacts for a set number of days.
Depending on the app, one of two things happens if a person tests positive for COVID-19: Either the list of encrypted digital IDs is uploaded by the user so a health authority can notify and trace those who have been in contact with the victim, or the app transmits an alert directly to the apps of those on the list for those users to see. Either way, recipients of warnings would be expected to take appropriate steps, such as notify their doctors, monitor their health or take a COVID-19 test.
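To make the mechanics concrete, here is an added toy model in Python of the contact-logging and notification flow just described. It is not the code of Alberta’s, Singapore’s or any other real app: it keeps the article’s numbers (a contact counts only after 15 cumulative minutes within 24 hours, and contacts are kept for a set number of days), uses random per-day tokens in place of a real cryptographic identifier scheme, and follows the decentralized variant, in which the positive user’s own tokens are released and every other phone matches them locally. The retention period, the one-sighting-per-minute rate and the scenario itself are assumptions constructed for the example.

```python
"""Toy model of Bluetooth contact logging and decentralized exposure matching.

Added example, not any real tracing app's code. Numbers taken from the article:
15 cumulative minutes within 24 hours before a contact is stored. Everything
else (retention period, sighting rate, the scenario) is constructed.
"""
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

CONTACT_THRESHOLD = timedelta(minutes=15)  # article: 15 minutes cumulative ...
CONTACT_WINDOW = timedelta(hours=24)       # ... within 24 hours
RETENTION_DAYS = 21                        # assumed; article says "a set number of days"
SIGHTING_INTERVAL = timedelta(minutes=1)   # assumed: one Bluetooth sighting per minute of proximity


class Device:
    """One phone running the app."""

    def __init__(self, name):
        self.name = name
        self.daily_tokens = {}               # date -> identifier this phone broadcasts that day
        self.sightings = defaultdict(list)   # identifier seen -> timestamps of sightings
        self.contacts = {}                   # identifier -> time the 15-minute threshold was met

    def token_for(self, when):
        """Identifier broadcast on the given day (random, rotated daily; not a real scheme)."""
        day = when.date()
        if day not in self.daily_tokens:
            self.daily_tokens[day] = secrets.token_hex(8)
        return self.daily_tokens[day]

    def observe(self, other, when):
        """Record one sighting of `other`; store it as a contact once the threshold is met."""
        token = other.token_for(when)
        self.sightings[token].append(when)
        recent = [t for t in self.sightings[token] if when - t < CONTACT_WINDOW]
        if token not in self.contacts and len(recent) * SIGHTING_INTERVAL >= CONTACT_THRESHOLD:
            self.contacts[token] = when

    def prune(self, now):
        """Forget contacts and raw sightings older than the retention period."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        self.contacts = {tok: t for tok, t in self.contacts.items() if t >= cutoff}
        kept = {tok: [t for t in ts if t >= cutoff] for tok, ts in self.sightings.items()}
        self.sightings = defaultdict(list, {tok: ts for tok, ts in kept.items() if ts})

    def publish_positive(self):
        """Decentralized model: a user who tests positive releases their own identifiers."""
        return set(self.daily_tokens.values())

    def exposed_to(self, published):
        """Match locally: is any retained contact among the published identifiers?"""
        return any(tok in published for tok in self.contacts)


def run_scenario():
    """Constructed scenario; returns the facts worth checking."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    start = datetime(2020, 5, 12, 9, 0)

    # Alice and Bob sit together for 20 minutes: both sides cross the 15-minute threshold.
    for i in range(20):
        t = start + i * SIGHTING_INTERVAL
        alice.observe(bob, t)
        bob.observe(alice, t)

    # Alice passes Carol for 5 minutes: below the threshold, so nothing is stored.
    for i in range(5):
        t = start + timedelta(hours=2) + i * SIGHTING_INTERVAL
        alice.observe(carol, t)
        carol.observe(alice, t)

    # Bob tests positive and publishes his tokens; each phone matches on its own.
    published = bob.publish_positive()
    result = {
        "alice_contacts": len(alice.contacts),
        "carol_contacts": len(carol.contacts),
        "alice_exposed": alice.exposed_to(published),
        "carol_exposed": carol.exposed_to(published),
    }

    # Three weeks on, retention expires and Alice's list is empty again.
    alice.prune(start + timedelta(days=RETENTION_DAYS + 1))
    result["alice_contacts_after_retention"] = len(alice.contacts)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The centralized alternative described above differs only in the last step: instead of `publish_positive` releasing Bob’s tokens for local matching, Bob’s phone would upload its `contacts` list to a health authority, which then does the matching and the notification.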
KPMG Canada surveyed 2,000 Canadians online between May 7 and 12.
Among the highlights:
- 62 per cent of respondents are in favour of letting the government use location tracking to send phone alerts to people who have come into contact with a person infected by COVID-19;
- 82 per cent would be more comfortable with an app run by the health system that shows aggregate community “hot spots” for COVID-19 so they can make their own decisions about their health;
- 65 per cent say any contact-tracing program needs to be administered by an independent body from the provincial or federal government.
“It’s clear that Canadians understand that contact-tracing apps are effective if participation is high, but the design of such apps must limit threats to privacy as most people aren’t comfortable letting the government have free rein to track their phones,” Sylvia Kingsmill, partner and national digital privacy leader for KPMG, said in a statement. “To make this work, governments will need to be completely transparent on how data will be collected, stored, erased, and managed – it’s about trust.
“There should be clarity about the circumstances under which that data will be shared, now and in the future. To this end, policies should be implemented and enforced to prevent misuse and/or abuse of the data to provide assurances to the public that principles of accountability and data minimization are being respected.”
The Senate’s online survey of 1,530 respondents was commissioned by Senators Colin Deacon, Donna Dasko and Rosemary Moodie and conducted between May 2 and May 4.
Among the findings:
- In the absence of a vaccine or treatment for COVID-19, 90 per cent of respondents believe that it will be necessary to continue contact tracing in general (that may or may not include an app).
- 80 per cent of respondents support the use of mobile device data by public health officials to notify those who have been close to someone who has tested positive for COVID-19.
- 87 per cent of respondents believe contact tracing apps should trigger testing of themselves and others.
- If assured that their data was kept confidential, large numbers of Canadians would share information from contact tracing apps with their physician (96 per cent), their family (95 per cent), public health officials (91 per cent) and health researchers (87 per cent). Fewer would share with employers and co-workers (75 per cent), other government officials (73 per cent), law enforcement (68 per cent), and social media platforms (35 per cent).
- 65 per cent of respondents support the mandatory use of contact tracing apps.
[UPDATE, May 14, 3:30 pm EST]: In an interview this afternoon, Senator Colin Deacon acknowledged the question on mandatory/voluntary use of an app may not have been fair. The question was: “In some countries the installation of this app is mandatory. How supportive would you be for this to be the case in Canada.” Twenty-three per cent were very supportive and 42 per cent were somewhat supportive.
Asked if he thought that was a loaded question, Deacon said “potentially it is … I don’t know that it does. It asks, ‘What are your thoughts.’”
When it was suggested a neutral question would be ‘Should adoption be mandatory or voluntary,’ Deacon said, “That’s a fair point.”
Some experts object to the use of a mobile contact tracing app on privacy grounds, saying any system that collects personal data puts a user at risk. However, Deacon said the use of a contact tracing app has to be looked at as an aid to COVID-19 infection control. He said any approved app must protect privacy first. But, he added, many critics use smartphones and social media and manage access to their data. “As long as the [contact] data doesn’t leave your phone” except to notify people they should get tested, “I don’t see how that is any more invasive” than people who test positive for the virus having to tell health authorities who they have recently been in close contact with, he said.
“Alongside this strong support for the use of contact tracing apps, we do find concerns about personal privacy and the security of personal data,” said a report that analyzed the Senate survey findings. “Accordingly, any roll-out of an app(s) will require robust privacy protection to be in place in a manner that earns the support of potential users of the app.”
A contact tracing app could help health authorities who do manual contact tracing, he said. It’s “unsustainable” to have large numbers of Canadians at home and not working because of the virus.
Former Ontario privacy commissioner Ann Cavoukian denounced the Senate survey mandatory adoption question. “It’s crazy,” she said in an interview. “It’s so skewed. To me this [question and result] has no validity … It creates the myth that the app is going to be mandatory.”
To her, the response to the KPMG Canada survey question is more credible.
Asked how an app should be introduced in Canada, Cavoukian urged governments to follow the Apple/Google framework, which doesn’t send the mobile IDs gathered by an app to health authorities for decryption and follow-up with individuals. Instead, when a user tests positive for COVID-19 they instruct the app to send a warning direct to those with a similar app whose mobile ID has been connected. That’s why Apple and Google have recently changed the description of their framework from a contact tracing app to “exposure notification,” she said.
(This story has been updated from the original by adding comments by Senator Colin Deacon and Ann Cavoukian)
It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.
CBC News recently discovered the first incident, which involved perhaps a decade’s worth of unedited appeal decisions of the Nova Scotia Workers Compensation Board being posted on a legal website with the names of workers. Some of the information also included intimate personal information about claimants. Usually, names and other identifying information in those cases are deleted.
Nova Scotia removed the unedited documents after being told of their discovery by CBC.
“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”
The incident involves decisions between 1998 and 2009 of the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) that were uploaded to the website of the Canadian Legal Information Institute (CANLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.
According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.
Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”
The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.
In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.
Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.
What could make the slide deck embarrassing to the government is it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on a mobile device (the decentralized model pushed by Google and Apple) or upload it to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.
The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.
Android developers using Google’s Firebase application development platform are being warned to check their configurations after security researchers discovered thousands of apps are leaking sensitive data.
News website Comparitech says a team analyzed 155,066 apps on the Google Play store, of which 11,730 had publicly exposed databases. Of those, 4,282 apps were leaking sensitive information including email addresses, user names, passwords, full names, credit card data and photos of government-issued IDs.
In addition, of the 11,730 with publicly-exposed databases, 9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.
The story says Firebase is used by an estimated 30 per cent of all apps on the Google Play Store. If the tested apps are representative, an estimated 0.83 per cent of all Android apps on Google Play leak sensitive data through Firebase, says Comparitech. That would work out to roughly 24,000 apps.
The article says Google was notified on April 22nd. In response, Google said it’s “reaching out to affected developers to help them address these issues.”
Of the analyzed vulnerable apps, 24 per cent were games, 14.7 per cent were categorized as educational, six per cent related to entertainment, just under 5.3 per cent were business-related and 4.3 per cent were described as travel or local related.
A common Firebase misconfiguration allows attackers to easily find and steal data from storage, according to the article. By simply appending “.json” to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases. Google scrubs these vulnerable database URLs from its search results. However, the article adds, they are still indexed by other search engines like Bing.
App developers can use Firebase for a wide range of functions including authentication, hosting, cloud storage and as a real-time database. Google offers developers guidance on securing data.