Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Facial recognition systems for use by law enforcement are all the rage these days. China has employed it on a vast scale to establish a surveillance network of sorts, while law enforcement’s use of facial databases in the US and UK has drawn scrutiny. These tools often mix AI with a curated database of images pulled from other databases, which could be anywhere from government ID databases to Facebook, Instagram, LinkedIn, and other websites. As The New York Times’ Kashmir Hill reported recently, Clearview AI’s software can match virtually any face and reveal the person’s true identity. It’s been put to use by 600 law enforcement agencies and other private companies.

India is the latest country to jump on this bandwagon. The tool, developed by INNEFU Labs, converts every face into 512 data points which are fed into an AI algorithm looking for close matches. The system, dubbed Advanced Facial Recognition Software (AFRS), has been employed by police forces during parades, and once at a political rally last month to screen crowds. According to the company’s founder, Tarun Wig, the tool can simply be plugged into a facial database.

“The original database for the images depends on what the client feeds our tool. This is under the discretion of the customer, and if they want, they can even take data from Google, Facebook and other public sources, and ingest it into the system to recognize the faces,” Wig told News18.

All this is well and good. But good intentions alone don’t always ensure good outcomes. First off, there’s no guarantee the facial matches will be wholly accurate. Then comes the issue of incomplete and biased datasets. And given the general lack of privacy regulations, deploying such technologies at a vast scale is doubly frustrating from a data privacy and security point of view.
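To make the accuracy concern concrete, here is an added example (not INNEFU’s AFRS code, nor anything from the newsletter) of how a “512 data points per face, look for close matches” pipeline is typically scored: each face becomes a unit-length 512-dimensional vector, candidates are compared with cosine similarity, and the gallery entry with the highest score is the “match”. The embeddings below are constructed random vectors standing in for a real model’s output, the 0.6 threshold is an arbitrary assumption, and the names are placeholders. The point it demonstrates is that a nearest-neighbour search always returns someone, so a system that does not enforce a similarity threshold and surface the score will confidently name a person who was never in the database at all.

```python
import math
import random

# The page states the tool reduces each face to 512 data points.
EMBEDDING_DIM = 512


def _normalize(vec):
    """Scale a vector to unit length so that a dot product equals cosine similarity."""
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def random_embedding(rng):
    """Constructed stand-in for a face embedding: a random unit vector."""
    return _normalize([rng.gauss(0.0, 1.0) for _ in range(EMBEDDING_DIM)])


def perturb(embedding, rng, noise=0.3):
    """Simulate a second photo of the same person: same identity vector plus capture noise."""
    scale = noise / math.sqrt(EMBEDDING_DIM)
    return _normalize([x + rng.gauss(0.0, scale) for x in embedding])


def cosine_similarity(a, b):
    """Both inputs are unit vectors, so the dot product is the cosine of the angle between them."""
    return sum(x * y for x, y in zip(a, b))


def best_match(probe, gallery):
    """Nearest-neighbour lookup. Note: this ALWAYS returns a name, however poor the score."""
    return max(
        ((name, cosine_similarity(probe, emb)) for name, emb in gallery.items()),
        key=lambda pair: pair[1],
    )


def identify(probe, gallery, threshold):
    """Return (name or None, score). A threshold is what turns 'closest' into 'close enough'."""
    name, score = best_match(probe, gallery)
    return (name if score >= threshold else None), score


def build_demo_gallery(seed=7):
    """Enrol four constructed identities (placeholder names) and return the RNG for further draws."""
    rng = random.Random(seed)
    gallery = {name: random_embedding(rng) for name in ("person_A", "person_B", "person_C", "person_D")}
    return rng, gallery


def demo(seed=7):
    """Score a genuine probe and an un-enrolled impostor with and without a threshold."""
    rng, gallery = build_demo_gallery(seed)
    genuine_probe = perturb(gallery["person_B"], rng)   # new photo of an enrolled person
    impostor_probe = random_embedding(rng)               # someone who is not in the database
    return {
        # Assumed operating threshold of 0.6: genuine photo is accepted, impostor is rejected.
        "genuine_thresholded": identify(genuine_probe, gallery, threshold=0.6),
        "impostor_thresholded": identify(impostor_probe, gallery, threshold=0.6),
        # Threshold of -1.0 disables the check: the impostor is now "identified" as an enrolled person.
        "impostor_nearest_only": identify(impostor_probe, gallery, threshold=-1.0),
    }


if __name__ == "__main__":
    for label, (name, score) in demo().items():
        print(f"{label:24s} -> {name!s:10s} score={score:+.3f}")
```

With a real model the genuine and impostor score distributions overlap far more than these constructed vectors do, which is exactly why the threshold, the score behind every “hit”, and the composition of the gallery all need to be reviewed before a match is acted on.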
The EU has GDPR, the state of California now has CCPA, but it’s non-existent pretty much elsewhere. For its part, the Indian government presented a revised draft of the Personal Data Protection bill last month, but it has now been deferred and is expected to be passed later this year. Internet Freedom Foundation, a Delhi-based non-profit that works on digital liberties, said: “While technology is very well a force for good, prior to its integration in society, adequate safeguards and protection of target audiences need to be in place.” Truer words have never been spoken!


Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

The past two weeks were about Apple’s encryption showdown, the data breaches at Mitsubishi Electric and the United Nations, and how antivirus maker Avast sold its users’ browsing habits to a variety of clients, including Facebook, Google, Microsoft, and Pepsi. In a troubling development, pilfered Wawa restaurant customers’ payment info is now on sale on the dark web.

There’s now a web portal that can alert companies when their employees get phished! [I Got Phished]

WeLeakInfo, a website for finding and purchasing breached personal data, is shut down by the FBI. [The US Department of Justice]

Hackers put payment card details of more than 30 million Americans and over one million foreigners on Joker’s Stash, the internet’s largest carding fraud forum. The stolen data has been traced to convenience store chain Wawa, which reported a major data breach last month. [Gemini Advisory]

Suspected members of a MageCart cybercrime group have been arrested by the Indonesian police for stealing payment card information from customers of hundreds of hacked online stores by inserting malicious JavaScript code. [Bleeping Computer]

Citrix released the final patch for a severe flaw that could allow unauthenticated attackers to execute arbitrary code and deploy “NOTROBIN” malware on vulnerable servers. [Citrix / FireEye]

Online sneaker marketplace StockX suffered a breach last August, but customers are still reeling from the aftermath — ranging from fraudulent purchases to hackers attempting to sell their own shoes for inflated prices. [Input]

Chipmaker Intel has issued a third patch for the “ZombieLoad” bug that lets hackers trick the microprocessors into revealing sensitive information. [WIRED]

Zoom fixed a bug that could have let uninvited folks join video conference calls. [The Hacker News]

Data Point

IBM’s Cost of Insider Threats 2020 Report — which surveyed 964 security professionals in 204 organizations across the world — found over 4,716 insider breaches in the past 12 months. Credential theft emerged as the costliest threat, with an average cost of $871,686 per incident. Negligent employees and criminal insiders were the other two top causes. According to the report, all three types of insider threats have been steadily rising since 2016. The average number of incidents involving employee or contractor negligence increased from 10.5 to 14.5 in 2019, and the average number of credential theft incidents per company has tripled over the past three years, from 1.0 to 3.2.

Takeaway: It’s 2020. Companies need to be on the lookout for insider-related threats, as incident response and recovery can be expensive, not to mention other external costs such as lost business opportunities and revenue loss. What’s essential is that organizations invest in technologies that enhance mitigation or early detection of such attacks and possibly prevent them from happening in the first place.

That’s it. See you all in a couple of days. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)

Pardon the Intrusion 10: Faces faces everywhere