The Weekly Cypher is specially curated to keep you up-to-date on the latest in cybersecurity, biometrics, and related news and innovations. Here are a few of the headlines you might have missed this week.
The U.S. and its four closest allies have issued a statement calling on tech companies to give them access to data and communications, saying “privacy is not absolute.” The statement from the U.S., Canada, the United Kingdom, Australia and New Zealand, collectively known as the Five Eyes, describes law enforcement’s inability to access otherwise-encrypted communications from criminals and terrorists as “a pressing international concern that requires urgent, sustained attention.” While the statement stopped short of urging new laws to mandate that cooperation, it did warn that “should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
Justice Department Charges North Korean in Sony Hacking Case | Washington Post
The Justice Department is charging a North Korean government spy in connection with the 2014 attack on Sony Pictures. The charge is part of a broad complaint outlining a series of wide-ranging cyber operations. It also is the first time the US has brought such charges against a Pyongyang operative. Pak Jin Hyok allegedly conducted hacking on behalf of North Korea’s Reconnaissance General Bureau, the military intelligence agency that controls most of the country’s cyber capabilities, according to US officials. He is linked to the notorious Lazarus Group, which has also been implicated in trying to use cyber techniques to steal $1 billion from the Bangladesh Bank in 2016, and to the WannaCry computer virus that affected more than 230,000 computers in 150 countries last year.
Colorado’s new consumer data protection law, which contains some of the toughest standards for consumer data protection in the country, went into effect on Sept. 1. The Protections for Consumer Data Privacy Act was signed into law May 29 after winning unanimous approval during Colorado’s 2018 legislative session. The law establishes three key responsibilities for businesses and government entities that keep either paper or electronic documents containing Coloradans’ personal identifying information, the Colorado Office of the Attorney General says. It requires all businesses, from one-person operations to multi-national corporations, to:
* Have a written policy explaining how they will dispose of the personal information they keep and follow through on those procedures.
* Alert consumers that their data has been compromised within 30 days of a breach being detected. If more than 500 Coloradans are impacted, they must alert the attorney general’s office.
* Take “reasonable” steps to protect the personal information they keep.
That statute defines personal identifying information as Social Security numbers, driver’s license or ID numbers, personal passwords, health insurance ID numbers and biometric data such as fingerprints.
Two Department of Homeland Security components are moving ahead with a second phase of testing on a biometric verification system for passengers leaving the United States on international flights. The Transportation Security Administration and Customs and Border Protection are continuing to test the Traveler Verification Service, which compares photos of passengers against a temporary, cloud-based database that houses previously captured passenger photos. CBP has been working with TSA since 2017 to test the system at various airports in order to track whether people are overstaying their visas via biometric identification. And GCN reports that TVS “can shave 15 minutes off of traditional manual methods of comparing passenger ID photos against larger databases, according to airports and airline partners where it is being tested.” Traveler participation in the process is voluntary.
Malware Targeting Biometric Security Found in Brazil Bank Attacks | Biometric Update
Malware known as “CamuBot” is targeting Brazilian bank customers, and may compromise biometric authentication, according to IBM researchers. The attack was first noticed in August 2018, when business banking customers were targeted with a combination of social engineering and malware tactics. Malicious actors pose as bank personnel in a phone call to run a phony security check, and suggest the installation of a new security app, which is in fact CamuBot. The app is disguised with bank logos and brand imaging to appear to be a legitimate security tool provided by the financial institution. Once it is downloaded, it changes the rules for the target’s firewall and antivirus software. When the process is complete, the target is asked to log into the account, and the attacker intercepts the credentials. The most notable element of the attack, however, is what happens if the endpoint is protected with a strong authentication device. In that case, the malware installs a driver for the device, and the attacker asks the victim to share it remotely. If the victim shares access to the device, the attacker can intercept one-time passwords. The attack could also bypass biometric security measures.