STE WILLIAMS

TfL hackathon showed data can keep transport running and people safe

Sponsored

If software is eating the world, then hackathons are its fast-food restaurants. Groups of developers come together for short periods to try to solve pressing problems. This happens in sectors from healthcare to retail, and now it’s happening in transportation too.

London, the UK’s capital, is a city groaning under its own weight. Its road network supports roughly 21 million trips each day, accounting for around 80 per cent of all trips in the city, according to Transport for London, the local government body that manages its transport network. Buses carry 6.5 million people each day, picking their way around 500,000 roadwork jobs each year.

Things are getting more challenging over time. There will be around 10 million people in the city by 2030, up from around 8.6 million in 2015, travelling on road and tube systems built years ago to cope with far lower traffic volumes. In 25 years, the system will have to support another five million daily trips, warns Lauren Sager-Weinstein, TfL’s chief data analyst.

TfL has turned to analytics to solve the problem and spends a lot of its time gathering data and turning it into useful insights.

Data, data everywhere

“For example, the 19 million daily transactions that we see through our ticketing system feed into models that our transport planners use to forecast future demand on the network,” she says, adding that the introduction of Oyster in 2003 was a huge leap. Before that, it had been gathering passenger journey data using paper-based surveys.

“When we combine this ticketing data with other data sets, such as bus location data, we use this to plan our bus network – at the route level and even at bus stop location level.”

TfL has also embraced the open data movement, publishing a variety of feeds via its own unified API, available to the public. Apparently, developers quite like it. Maybe a little too much.

Anyone can access live data on transportation and related information, ranging from live bus arrivals, through to train status on the tube, and live traffic disruptions. It produces a lot of these data using its connected Split Cycle Offsets Optimization Technique (SCOOT) system, which uses embedded road sensors to see how traffic is flowing on the street, and what emissions are like.

Alongside this live data, you can also get access to more static information in the form of structured data feeds, ranging from Oyster ticket stop locations through to Wi-Fi access points on the tube, and even walking times between adjacent stations. The latter might make stunts like this one far easier, incidentally.

How can TfL turn all that juicy data into something actionable that helps it solve problems such as managing road traffic, or keeping trains on the line and at capacity? Could it use data to maintain or improve air quality?

Hack to the future

Last September, the organisation hosted its first hackathon to try to solve some of these problems. Anyone could enter the contest, which TfL held in conjunction with Amazon Web Services and Geovation, a London-based innovation hub owned by Ordnance Survey that helps entrepreneurs take location-based technology ideas to market.

As part of the event, TfL organized “surgeries” with subject matter experts.

“It was a great opportunity to test new data, have a close dialogue with developers (we have since launched a tech forum) and for TfL to promote the data that is available,” says Rikesh Shah, lead digital partnership manager for TfL.

There was a mixed bag of teams at the event, explains Alex Wrottesley, who heads up Geovation. “There were some very new, early stage hackers and then some more developed companies,” he says.

One of these more established firms was WSO2, a large Sri Lankan middleware company that has seen multiple rounds of investment from Intel’s VC arm, Intel Capital. WSO2 focuses on analytics and big data solutions as part of its integrated application platform for businesses.

WSO2 won because it pulled together a solid, functional prototype from scratch in a short time, says Wrottesley, which was one of the things that impressed him as a judge for the event.

WSO2’s product used a map to explore the crowding level at different underground stations on the network, Wrottesley says, articulating its key benefit: “Looking at a map, and knowing in real time what the on-platform capacity and congestion would be for different stations, and how it would impact your transition through the system.”

Mapping Londoners’ journeys

The WSO2 team used the firm’s own Complex Event Processor, an open source back-end analytics engine that identifies and prioritises real-time events based on underlying details such as latitude and longitude. It uses an SQL-like language to process queries.

WSO2 poured a combination of data feeds into the CEP to solve this problem. First, it consumed historical data on passenger numbers to predict how many people would be at a station at a given time, and plotted this on Google Maps.

The company analysed passenger data to understand the flow of people through various stations from entrance to platform and platform to exit. It could even predict passenger flow between platforms, it said in its description of the project.

It combined this with sensor data from TfL’s SCOOT network to understand current traffic flows, and overlaid data about roadworks currently in play.

Then it analysed this data using random forest classification. This approach to machine learning uses hundreds of decision trees, each taking a random sample from the data set. It then collates the results from each tree, aggregating them to produce a predictive result.

Random forest analysis is a model that lends itself well to machine learning, which played a big part in the WSO2 project and is having a wider impact on analytics, according to Senaka Fernando, director of solutions architecture at WSO2.

“Predictive analytics (aka machine learning) can make predictions helping organizations and the public to be prepared for the future,” he says. “For example, in the case of TfL, it’s very important to understand catastrophic incidents that have just happened.”

Using analytics on the ground like this can help transport managers to take action quickly and help the public plan their way around everything from criminal incidents through to accidents and natural disasters.

In WSO2’s case, the machine learning model predicted traffic five or ten minutes into the future, and got it right 88 per cent of the time, according to the company. That enabled it to recommend the best route to a destination for commuters.

The project also included air quality data across London, using a feed from King’s College London accessed via the TfL unified API. WSO2 used that to recommend the best walking and cycling routes across Greater London.

Travelling by the numbers

Wrottesley sees other uses for analytics in transportation over time. One idea involves using data to help shape passenger behaviour and spread the load more evenly across the system.

“Most of our transport networks are massively underused most of the time,” he points out. “Are there innovative pricing models? Are there different ways to use technology and communications to help people stagger their departure times and reduce peak time impact on transport systems?”

This is all good stuff, but the products that hackathons create don’t always get used in their final form. Most of the also-ran entries in the Hack Week were listed as ideas or prototypes. There are some interesting concepts in there, though.

One of them proposed a reader on the side of buses to tell passengers how crowded they were, while another posited a cycle hire solution linked to a demand-driven market that would encourage particular journeys. Yet another used gamification in journeys to get people to travel along less congested routes, and maybe do a little more walking.

Shah liked the idea of voice-controlled travel updates, which was another idea floated at the event. “The conversational user interface arena is interesting so hearing devices like Amazon Alexa promoting real-time bus information was good,” he says. “I would like to see more adoption of new hardware using our open data to find innovative ways to engage with our customers.”

The WSO2 prototype didn’t go forward in its hackathon form, says Wrottesley, but it did enable WSO2 to demonstrate its expertise to TfL.

Shah says that the process still delivered TfL a lot of value. “Because the station business data was a snapshot which we tested with developers, the feedback from the hackathon helped us to develop more enhanced data which we recently launched,” he says. “We are hoping to re-engage with app developers to use this new data.”

This isn’t the first time that TfL has dabbled with data. A couple of years ago it had the temerity to meddle with Londoners’ habit of standing on the right side of the escalator and leaving the left hand side free for walkers. According to TfL beancounters, the numbers showed that by standing on both sides, 40 per cent more people could get up the stairs at the same time.

It tried this for three weeks, enforcing the policy with a mixture of pleas to passengers, and secretive plants who would stand on the left side. It worked, in spite of loud protests from angry Tube riders. And as soon as the trial stopped? Everyone went back to standing on the right again. Which just goes to show – analytics is great from 50,000 feet, but there are some numbers that Londoners will always find difficult to swallow.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/18/tfl_hackathon_results/

Downloaded CCleaner lately? Oo, awks… it was stuffed with malware

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” researchers explained. “On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.”

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that hackers hijacked and hid malware inside versions of Avast’s CCleaner application available for download between August 15 and September 12.

Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.

Cisco Talos contacted Avast on September 13. The anti-malware specialist acted promptly to remove the compromised code. However, infected users are still at risk and will need to clean up their systems. The tainted downloads carried a version of the Floxif malware.

Malware process flow [source: Cisco Talos]

The dodgy software was signed using a valid certificate that was issued to Piriform Ltd by Symantec. Piriform, the original developer of CCleaner, was recently acquired by Avast.

In a statement, Avast acknowledged the problem, adding that users would be protected simply by installing a new version of its software.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.

Ondrej Vlcek, Avast’s CTO, told The Register that there was “no indication that the second-stage payload activated” and hence no need to do a wipe and clean install as recommended by Cisco Talos. Vlcek added that the 2.27 million affected, “a small number compared to the overall user base”, were largely users who were installing the software from scratch.

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation. It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.

The attack is particularly dangerous because it exploits the trust consumers place in their software suppliers, a vector that has been seen before.

“Like the Nyetya malware in late June, in this instance attackers hacked into a legitimate, trusted application and turned it malicious,” Cisco Talos concludes. “These types of attacks are often successful because consumers trust that these well-known and broadly used applications are safe.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/18/tainted_ccleaner_downloads/

Vevo hacked, 3.12 TB of data leaked

There’s a good chance that you’ve watched a popular music video from Vevo, either via YouTube, Vevo’s website or its mobile app.

Most popular music artists release their videos through Vevo these days. The company – a joint venture between Warner Music Group, Sony Music Entertainment, Universal Music Group, Alphabet Inc and Abu Dhabi Media – has taken the position that MTV and MuchMusic used to have in delivering music videos to the general public.

Vevo has secured about $200 million USD in advertising revenue this year, on the strength of the tremendous popularity of videos from artists such as Taylor Swift, Beyonce, and Rihanna.

Well now, Vevo confirms that they’ve been hit by a huge cyber attack.

A Vevo spokesperson said to Gizmodo on Friday:

(We) can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure.

OurMine has claimed responsibility for the attack.

The group has previously taken over Mark Zuckerberg’s Pinterest and Twitter accounts, taken over HBO’s Twitter account, attacked BuzzFeed and TechCrunch, and poisoned WikiLeaks’ DNS.

Through a LinkedIn phishing scam, OurMine was able to compromise a Vevo employee’s account for Okta, an app used to sign into workplace networks. From there, they were apparently able to gain access to Vevo’s media storage servers.

About 3.12 TB of internal files have been leaked online, which include videos, internal office documents, promotional material, yet to be used social media content, and information about recording artists signed to the participating record companies.

On its website OurMine describes itself as a collection of White Hat hackers:

We have no bad intentions and only care about the security and privacy of your accounts and network.

It appears to be motivated by attention, wanting to publicise its business and a misguided desire to demonstrate its targets’ poor security.

Having hacked Vevo, OurMine apparently decided to leak its giant cache of stolen files because of a bad-tempered exchange with an unnamed employee of the victim:

Why OurMine hacked Vevo

Hi, it’s OurMine, you don’t have to worry, we just got into too many private documents but we won’t share it

F*ck off, you don’t have anything

The OurMine web page that hosted the leaked data now says that the stolen files have been deleted “because of a request from VEVO”:

Screenshot of OurMine's Vevo hack page

For some excellent tips on how to protect yourself from phishing read about why you should be cautious of emails from friends or colleagues and how to protect your boss from phishing attacks.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mYxnEvZtJ4g/

Equifax’s IT leaders ‘retire’ as company says it knew about the bug that brought it down

Equifax’s chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.

The retirements and more details about the company’s mega-breach are revealed in a new entry to equifaxsecurity2017.com/ in which the company describes what it knew, when it knew it, and how it responded.

The update reveals that the attack hit the company’s “U.S. online dispute portal web application” and that the source of its woes was CVE-2017-5638, which “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.” Equifax acknowledges that bug was disclosed in early March 2017.

The next point on the company’s list says “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

But elsewhere in the statement, Equifax just-about-confesses that those efforts either missed the Struts implementation or failed to patch it properly. The key passages explain that the company “observed suspicious network traffic” on July 29th, “continued to monitor network traffic and observed additional suspicious activity” on the 30th and “took offline the affected web application that day.”

It was only then on the 30th that “Equifax patched the affected web application before bringing it back online.”

The statement leaves many questions unanswered. The phrase “aware of this vulnerability at that time” could mean anything, perhaps even something as trivial as a single email reaching an inbox in Equifax’s security team. The words “took efforts to identify and patch vulnerable systems” don’t definitively say whether Struts was identified as vulnerable or whether an attempt was made to patch it. Indeed, the company’s statement goes on to say “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available.”

That review is being conducted with security outfit Mandiant, which the new statement says was engaged on August 2nd. The new update also reveals that news of the breach was kept from the public until “As soon as the company understood the potentially impacted population”.

The company says its investigations are ongoing and that it continues to assist the FBI with its probe into the matter.

Which means lots of fun for new interim CIO Mark Rohrwasser and interim chief security officer Russ Ayres. Good luck, gents, it looks like you’ll need it! ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/17/equifax_cio_and_cso_retire/

44m UK consumers on Equifax’s books. How many pwned? Blighty eagerly awaits spex on the breach

The impact of the Equifax data leak in the UK remains unclear days after the breach was first made public, amid reports estimating that the personal details of up to 44 million Brits could have been exposed.

The credit reference agency and its UK subsidiaries provide services for UK companies including BT, Capital One and British Gas. Customers of these companies might, as such, be affected by the attack despite not having signed up for Equifax’s services.

The US agency holds the personal details of 44 million UK citizens, the Daily Telegraph has reported. What percentage of these users are affected remains unclear and unconfirmed.

BT confirmed it was a user of Equifax services and told us it was in dialogue with Equifax about the data leakage. A BT spokesman told El Reg he was unable to share more at this point.

Data privacy watchdogs at the Information Commissioner’s Office (ICO) have advised Equifax to alert affected UK customers as soon as possible. Notification in such cases is not mandatory under current UK data protection laws.

A spokeswoman at the ICO was not able to provide any guidance on the extent to which UK consumers were affected by the breach when we called.

In a breach disclosure notice last Thursday, Equifax said criminal hackers had exposed the personal data of 143 million customers in the US, which was stolen between mid-May and late July this year after taking advantage of an (unspecified) “web application vulnerability”.

Industry talk this weekend indicated hackers might have exploited a recently disclosed flaw in Apache Struts but this was denied by Apache Software Foundation earlier today, as previously reported.

According to Equifax, the purloined US data includes names, social security numbers, dates of birth, addresses and, in some instances, driver’s licence numbers. In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.

Equifax has also admitted without going into details that “limited personal information” from British and Canadian residents had been compromised.

El Reg put in a query to Equifax’s UK PR representatives asking for clarification on what information belonging to UK consumers had been exposed and how many had been affected. Our query was redirected towards a central (crisis management) PR team, which we understand is US-based.

We’ll update this story as more pertinent information comes to light.

Equifax’s dedicated breach-handling site can be found here. In updates on Friday, Equifax said it had drafted more people to work in its call centres. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/11/equifax_breach_uk_exposure/

Equifax mega-breach: Security bod flags header config conflict

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration.

The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress early next month, and the FTC said it was investigating the credit reference agency.

Equifax’s security header configuration

“Many of the headers are more about addressing the basics, but as a site that serves over HTTPS they should really have features like HSTS and CSP enabled to offer their visitors a higher level of protection,” Helme told El Reg.

“The current misconfiguration that is present on the site with duplicated headers and conflicting values just raises questions about why the basics aren’t being done properly.”
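As an added illustration (not code from the article or from Helme’s report), the following Python script parses a raw HTTPS response head, keeps duplicated headers instead of merging them, and flags exactly the problems described above: the same header sent twice with conflicting values, exact duplicates, missing HSTS and CSP, and an HSTS policy too short to be useful. The sample response, the recommended header values and the 180-day HSTS minimum are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample response head (not Equifax's real output): two headers are
# sent twice with conflicting values, one is an exact duplicate, and neither
# HSTS nor CSP is present, the shape of misconfiguration Helme describes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/1.0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-XSS-Protection: 0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers an HTTPS site should send, with example hardened values (an assumed
# baseline for this example, not a standard the article mandates).
REQUIRED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days: assumed minimum for a useful HSTS policy


def parse_headers(raw):
    """Parse a raw HTTP response head into {lower-case name: [values...]}.

    Duplicates are kept as a list so the audit can see them; most HTTP client
    libraries silently merge or overwrite repeated headers and hide the conflict.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def check_hsts(value):
    """Return 'ok', 'weak' or 'invalid' for a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                return "invalid"
            return "ok" if max_age >= MIN_HSTS_MAX_AGE else "weak"
    return "invalid"  # max-age is mandatory; without it browsers ignore the policy


def audit(headers):
    """Return a list of (kind, header, values) findings.

    kind is one of: 'conflict' (same header, different values), 'duplicate'
    (same header repeated with an identical value), 'missing', 'weak', 'invalid'.
    """
    findings = []
    for name, values in headers.items():
        if len(values) > 1:
            kind = "conflict" if len(set(values)) > 1 else "duplicate"
            findings.append((kind, name, values))
    for name in REQUIRED:
        if name not in headers:
            findings.append(("missing", name, []))
    if "strict-transport-security" in headers:
        # RFC 6797 says a browser processes only the first STS header it sees,
        # so that is the value whose strength actually matters.
        verdict = check_hsts(headers["strict-transport-security"][0])
        if verdict != "ok":
            findings.append((verdict, "strict-transport-security",
                             headers["strict-transport-security"]))
    return findings


def report(raw):
    """Human-readable audit of a raw response head; missing headers show the
    recommended value to add."""
    lines = []
    for kind, name, values in audit(parse_headers(raw)):
        detail = ", ".join(values) if values else REQUIRED.get(name, "")
        lines.append(f"{kind:9} {name}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE))
```

To audit a live site, capture the response head with a client that does not merge duplicate headers (for example the raw output of `curl -sI`) and pass it to `report`.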

Earlier this week, Equifax admitted that hackers exploited an Apache Struts vulnerability (CVE-2017-5638) to break into its systems. The flaw had been patchable since March 7 but Equifax had failed to patch promptly. The intrusion was only detected more than two months later.

The breach – which began in mid-May, was discovered in late July, but was disclosed only last week – affected 143 million US consumers and an as-yet undisclosed number of Brits and Canadians.

Criminals gained access to names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers of millions of Americans – as well as the credit card numbers of 209,000 US consumers. The whole sorry mess raises a number of important questions.

Three top Equifax executives, including its chief financial officer, sold a combined $1.8m worth of stock in the consumer credit reporting agency after the breach was detected but before it was made public. Equifax said that the executives had had “no knowledge that an intrusion had occurred at the time they sold their shares.”

US data privacy watchdogs at the Federal Trade Commission have taken the unusual step of confirming they had launched an investigation into the Equifax breach.

Equifax chief exec Richard Smith has been called to testify before congressional lawmakers at the beginning of October. Smith is due to appear before the House Energy and Commerce Committee on October 3. ®

Bootnote

Another security researcher reported that he’d begun receiving spam emails at a single-use email address he’d used uniquely to register with Equifax years earlier, but we’ve not seen widespread evidence that data has escaped into the wild yet.

If you have any info you’d like to share, drop us a line here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/15/equifax_sitrep/

Equifax UK admits: 400,000 Brits caught up in mega-breach

Equifax UK has surfaced to say that British systems were not affected by a recently disclosed megahack; however, 400,000 UK people were affected due to a “process failure.”

The credit reference agency is saying that UK dedicated systems were not affected by the security breach at its US parent firm that exposed the personal details of millions of consumers.

Equifax Ltd and TDX Group systems and platforms are “entirely separated from those impacted by the Equifax Inc cybersecurity incident,” it said.

As part of its investigation, Equifax has identified unauthorised access to limited personal information for certain UK consumers:

Regrettably, the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.

The information was restricted to: Name, date of birth, email address and a telephone number, and Equifax can confirm that the data does not include any residential address information, password information or financial data.

Having concluded the initial assessment, Equifax has established that it is likely to need to contact fewer than 400,000 UK consumers in order to offer them appropriate advice and a range of services to help safeguard and reassure them.

Equifax plans to contact Brits affected by the breach to advise them and give them access to a free comprehensive identity protection service which will allow them to monitor their personal data, including their credit information, and be alerted to any potential signs of fraudulent activity.

The service will also incorporate web and social media monitoring, alerting the consumer to any publicly available information about them.

Patricio Remon, Europe president at Equifax Ltd, said: “We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward.”

The compromised UK consumer data does not relate to any single Equifax business client or institution, the firm added.

The Equifax investigation is ongoing. The firm said it’s in dialogue with the Financial Conduct Authority and Information Commissioner’s Office.

Equifax UK’s statement came late on Friday, after normal business hours, following days of stonewalling customer queries. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/15/equifax_uk_breach_statement/

Poisoned WordPress ‘Display Widgets’ plugin finally purged

You know how you are regularly reminded that good “security hygiene” includes immediately installing all software patches and updates?

Apparently not all the time.

Wordfence reported this week that since June, about 200,000 WordPress websites had been corrupted after a plugin they were using called Display Widgets was updated with malicious code – multiple times.

The warning from Wordfence CEO Mark Maunder was blunt:

If you have a plugin called ‘Display Widgets’ on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.

Actually, Maunder said, from June 22 through September 8, the plugin had been “removed and readmitted to the WordPress.org plugin repository a total of four times. This time we hope it is permanent,” he said. WordPress said this week that yet another, clean version of the plugin is now “safe and available”.

According to Wordfence, the alleged source of these multiple malicious updates, described in a couple of lengthy blog posts, is a 23-year-old Brit.

It started last May, when Stephanie Wells, of Strategy 11, original author of the plugin, sold it to Soiza for $15,000 because it was an open-source version and she wanted to concentrate on a premium version. She said Soiza told her that he was “trying to build one of the largest WordPress plugin companies” which was “already managing more than 34 plugins”.

Maunder was unable to confirm the 34, but did confirm that one of those plugins was “404 to 301”, found last year to deliver spam. The Briton alleged to be behind these plugins owns the domains that are used for spamming with that plugin. So, it is probably not surprising that shortly after his purchase of Display Widgets, the problems began, with the release of version 2.6.0 on June 21.

David Cameron Law, an SEO consultant and author of a competing plugin named Display Widgets SEO Plus, noticed it immediately, and emailed WordPress.org on June 22 telling them that version 2.6.0 was breaking WordPress plugin rules by downloading more than 38MB of code from the author’s own server. He said the code contained tracking features that collected data from websites using the plugin – data including IP addresses, domains and the pages being viewed.

Maunder credited Law with being

… the first person to raise a concern about this plugin and pursued his case relentlessly on the WP forums with, at times, resistance from the plugin authors and others.

Law’s notice prompted the first takedown of the plugin, on June 23. But version 2.6.1 arrived June 30, which was allowed back into the repository even though it contained a file called geolocation.php because “no one realized at the time [it] contained malicious code,” Maunder said.

Once again, Law notified WordPress – this time that the plugin was logging website visits to an external server. A day later, on July 1, that version was removed. But 2.6.2 arrived just five days later, on July 6, even though it still contained the malicious code.

That version remained until July 24, when the plugin was again taken down after users complained about it injecting spam content into their websites.

Finally, 2.6.3 was released on September 2, and this time, Maunder said, it included a minor fix to the malicious code “which makes it clear that the authors themselves are maintaining the malicious code and understand its operation”.

It prompted more complaints about the plugin delivering spam to websites, so it was taken down, apparently for good, on September 8. WordPress’s Pizdin Dim posted that the plugin was no longer available, followed by a post from Samuel Wood, who said for existing users, “the 2.7 version being offered thru the upgrade system is safe and available”.

And what of the 23-year-old Briton? Maunder was able to reach him by email; the man said he had sold Display Widgets for $20,000, “to a company in California who made me sign a NDA”.

He also said he had been diagnosed with lung cancer and had “only a few months/maybe a year left on this earth. So I sold up all my plugins to numerous people.”

Maunder is skeptical of the lethal disease story. Besides being involved in a string of other sketchy enterprises – payday loans (he is listed as CEO of Payday Loans Now), gambling and escort services – the man appears to be living large, posting on Facebook that he had attended the Monaco Grand Prix earlier this year, and drinking $16 cocktails at a New York bar. We think he’ll be with us for a while.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NSNLxL15oyI/

India’s Aadhaar digital ID scheme: what could possibly go wrong?

India’s national identification card scheme — commonly called the Aadhaar card — came to fruition in 2009 with an ambitious goal: to register and identify a nation of more than a billion people, each with their own 12-digit unique identification (UID). Adoption of this ID card scheme has rolled ahead at a fast clip.

Estimates as of August 2017 have more than 1.17bn unique identifiers under Aadhaar, with 99% of Indians over the age of 18 enrolled in the program. Enrolling more than a billion people in under a decade is indeed quite a feat.

The Aadhaar card serves as a proof of address and positive identification for a number of important services and transactions in India, including opening bank accounts, obtaining a driver’s license, filing income taxes, applying for social services, even filing a death certificate.

As part of the process to obtain an Aadhaar card, the applicant must also submit biometrics: a photograph, scans of all 10 fingerprints, and an iris scan. These biometrics, tied to the individual’s home address and UID, are all stored in a centralized database, the Central Identities Data Repository (CIDR), which is managed by the Unique Identification Authority of India (UIDAI).

One of the goals of the scheme is to make the identification process easy enough that most people in India, regardless of whether they have been able to afford or obtain official paperwork previously, can easily obtain a card. In turn, residents can use their card to enroll in day-to-day services and products much more easily than before, with much less bureaucratic overhead (also potentially reducing bribery and fraud), and/or participate in social welfare programs they might not have been able to access before due to lack of documentation.

India’s former prime minister Manmohan Singh said at the launch of the project in 2010:

The poor did not have any identity proof. Due to this shortcoming, they could not open bank accounts or get ration cards. They could not avail the benefits of government welfare programmes because of this and many times, these benefits were pocketed by others.

The government’s stated incentive to enroll as many people as possible in Aadhaar was to reduce fraud in these social programs. That said, Aadhaar did not receive universal support in Indian politics by any means, with major political parties — such as the BJP, to which current Indian PM Narendra Modi belongs — at one time opposing Aadhaar over concerns about privacy and abuse.

The privacy concerns over Aadhaar have grown as the program continues to grow, with cases brought before the Indian Supreme Court monitored closely by privacy advocates such as the EFF.

As Aadhaar becomes nigh-ubiquitous in Indian daily life, the argument is that there are still unanswered questions over how the identification data collected is used and secured, and what kind of privacy rights citizens are potentially signing away when they enroll in Aadhaar. These questions have greater heft after India’s Supreme Court ruled recently that Indian citizens absolutely have a fundamental right to privacy. While there is no immediate impact on Aadhaar or its application, this ruling certainly gives those working to slow the growth of the Aadhaar program a bit more leverage.

The biggest counter to any criticism of Aadhaar is that it is, technically, a voluntary program. It’s true that the government does not require its citizens to enroll in Aadhaar, but just as the US social security number is not technically required of every citizen unless they want to pay into the social security program, good luck getting almost any kind of job or opening a bank account without one.

The idea of having the biometrics of more than 1bn people — a mode of authentication that (almost) can never be changed — stored in any kind of repository is problematic on its own. Whatever security measures are put in place, such a repository will always be a tempting target for criminals to try to breach. The most cynical among us will no doubt say that it’s just a matter of time until such a high-value target is breached; whether or not this is realistic or just FUD is a fair debate.

That said, once biometric data leak, their usefulness as an authenticator is void. Just as we saw with the recent Equifax breach, in which nearly half of all Americans’ social security numbers were leaked, an authentication value that is unchangeable and tied to so many sensitive transactions has suddenly left millions of people less secure and with little to no recourse.

The biometrics are included as an attempt to dissuade fraud, or at least make it more difficult, but to be fair to Aadhaar, there are several authentication options, two of which don’t use biometric data at all. UIDAI says the CIDR does all authentication at its own data centers and that no personal data, including biometric data, is transmitted to the requestor during authentication. The authentication process returns only a yes or no value to the requestor. In addition, card holders can lock out access to their biometrics (including for authentication), and unlock them as needed; however, this is an opt-in measure at the moment.
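To make the design described above concrete, here is an added toy model (not UIDAI’s or Aadhaar’s own code) of an authentication service that stores biometric templates centrally, answers only yes/no, honours a per-holder biometric lock, and offers a non-biometric one-time-password route. Class and method names, the hashing used as a stand-in for fuzzy biometric matching, and the sample UID are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    """One enrolled holder: what the central repository keeps (constructed model)."""
    address: str
    template: bytes           # salted hash standing in for a biometric template
    salt: bytes
    biometrics_locked: bool = False   # the opt-in lock the article describes
    pending_otp: Optional[str] = None


class ToyCIDR:
    """Hypothetical central store: callers only ever receive True/False."""

    def __init__(self) -> None:
        self._db: Dict[str, Record] = {}

    @staticmethod
    def _template(sample: str, salt: bytes) -> bytes:
        # Real biometric matching is fuzzy; a salted hash keeps the model simple.
        return hashlib.sha256(salt + sample.encode()).digest()

    def enroll(self, uid: str, address: str, biometric_sample: str) -> None:
        salt = secrets.token_bytes(16)
        self._db[uid] = Record(address, self._template(biometric_sample, salt), salt)

    def lock_biometrics(self, uid: str, locked: bool = True) -> None:
        self._db[uid].biometrics_locked = locked

    def authenticate_biometric(self, uid: str, biometric_sample: str) -> bool:
        rec = self._db.get(uid)
        # Unknown UID and locked biometrics both yield the same bare "no":
        # the response carries no address, template, or reason.
        if rec is None or rec.biometrics_locked:
            return False
        return hmac.compare_digest(rec.template, self._template(biometric_sample, rec.salt))

    def issue_otp(self, uid: str) -> Optional[str]:
        # Non-biometric route; in practice delivered out of band to the holder.
        rec = self._db.get(uid)
        if rec is None:
            return None
        rec.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return rec.pending_otp

    def authenticate_otp(self, uid: str, otp: str) -> bool:
        rec = self._db.get(uid)
        if rec is None or rec.pending_otp is None:
            return False
        ok = hmac.compare_digest(rec.pending_otp, otp)
        rec.pending_otp = None   # single use, whether or not it matched
        return ok
```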

There’s also concern that the degree of tracking possible with such a centralized database could be ripe for exploitation by the government to surveil, or even to discriminate against, religious or ethnic groups. The EFF outlines its concerns this way:

By using Aadhaar, the government can match existing records such as driving license, ration card, financial history to the primary identifier to create detailed profiles. Aadhaar may not be the only mechanism, but essentially, it’s a surveillance tool that the Indian government can use to surreptitiously identify and track citizens.

The delay in sorting out the nature and scope of privacy as right in India has allowed the government to continue linking Aadhaar to as many schemes as possible, perhaps with the intention of ensuring the scheme becomes too big to be rolled back.

In addition, it’s not clear if there’s any way to unsubscribe or remove yourself from Aadhaar once you’ve enrolled (and presumably given your government all your biometric data) — it could be that the only way to get rid of this information is to never enroll in the first place.

The key question with Aadhaar is quite simply: do the benefits of a centralized ID system like this — which can help reduce burdensome bureaucratic overhead and enable thousands, if not millions, of people to get services they need — outweigh the risks to personal privacy and potential for abuse and fraud?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ajXD5X8fGtY/

Facebook’s Crisis Response hub centralizes help for disaster victims

As the water rose, they called 911. They called after they had climbed on to kitchen cabinets, fled to upper floors, or just watched the water climb, first up to their waists, and then on up to their necks.

But all too often, those who were swallowed by Hurricane Harvey got no response from the overloaded emergency number. That’s not surprising: the 911 emergency call system is limited by a finite number of phone lines, dispatchers, and resources, and it was quickly overwhelmed by the sheer number of Harvey’s desperate flood victims.

So many turned to social media instead. Hashtags like #sosHarvey and #helphouston were used to flag citizen rescuers, accounts like @HarveyRescue compiled databases of addresses and names of people in critical need throughout the storm, and volunteers with boats joined the Cajun Navy, aided by a walkie-talkie-type app called Zello to communicate with each other, locate victims, and get directions.

And, of course, they turned to Facebook. Rescuers responded to pleas for help; others used the social media platform to raise donations for the rebuilding effort; and still others used Facebook’s Safety Check to find out if loved ones were OK.

Now, Facebook has announced that it’s pulling its disaster relief tools together under one central hub that it’s calling Crisis Response. The hub will offer quick access to Safety Check, Community Help and Fundraisers to support crisis recovery, all in one place.

Crisis Response will also include links to articles, videos and photos posted publicly by Facebook users to help people be more informed about a crisis.

As Facebook said at the end of August when it made the Safety Check feature permanent, Safety Check will be automated if enough people post about a crisis in a given area. Users will be prompted to use the tool to let friends know that they’re safe and to check up on others who might be in danger.

These are the tools you’ll see when you access a crisis page through the Crisis Response hub:

  • Safety Check: an easy way to let your friends and family know you’re safe. It will continue to work the same way as it does now and will be featured at the top of each crisis page if you’re in the affected area. Safety Check has its detractors, who criticize it as being a tool for those who overreact, but we think it’s a good thing. Reassuring loved ones that you’re OK is a welcome way to calm their fears.
  • Links to Articles, Photos and Videos: crisis-related content from public posts can help people learn more about a crisis.
  • Community Help: people can ask for and give help to communities affected by the crisis.
  • Fundraisers: lets people create fundraisers and donate to support those affected by the crisis and nonprofit organizations helping with relief efforts.

Facebook says the Crisis Response hub will be available over the next few weeks, accessible via the homepage on the desktop app or from the menu button on your phone.

Facebook says it hopes the updates provide people with helpful information to keep safe and help communities to rebuild and recover.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XUWyCSc2bCU/