STE WILLIAMS

RBS reissues punters with new bank cards after Ticketmaster breach

The Royal Bank of Scotland and NatWest have issued customers with replacement cards as a result of last year’s Ticketmaster breach that hit around 40,000 Brits.

The banks said on social media they were swapping out the plastic used by punters on Ticketmaster’s website as part of efforts to ensure “significant levels of security”.

The letter states that replacement cards are being sent to anyone who used their card at Ticketmaster, noting it is a “precaution” and that in some cases there is no indication that person’s information has been accessed.

In a statement, RBS said: “Our priority is to make sure our customers’ data is secure. Following the data breach disclosed by Ticketmaster, we are proactively reissuing cards to all impacted cardholders.”

Ticketmaster admitted in June that its website’s payment pages had become infected by Magecart malware. At the time, it blamed third-party supplier Inbenta Technologies – but that firm said the custom JavaScript it had written for Ticketmaster should not have been used on payment pages.

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat,” said Inbenta CEO Jordi Torras.

Ticketmaster said all cards used between February and June 2018, for UK customers, and between September 2017 and June 2018, for international customers, were at risk.

Some 40,000 Brits were estimated to have been hit in the incident, which exposed people’s names, addresses, email addresses and payment details.

In December, one Reg reader told us that two of his cards – both of which were linked to his Ticketmaster account – were being used for unauthorised transactions.

The decision by RBS – which is the parent company of NatWest – to replace affected customers’ cards, while welcomed by customers, comes about nine months after online banking upstart Monzo took similar action.

When Ticketmaster went public, Monzo piped up to say its internal fraud detection systems had “spotted signs” as early as April, blocking a number of cards that had also been used at Ticketmaster. The firm said it told Ticketmaster and then “proactively replaced the cards of all Monzo customers who could have been affected”.®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/14/banks_issue_cards_ticketmaster/

Advanced Phishing Scenarios You Will Most Likely Encounter This Year

In 2019, there will be no end in sight to email-driven cybercrime such as business email compromise, spearphishing, and ransomware.

The year 2018 was another record-breaking year for cyberattacks, and organizations should expect more of the same in 2019. Attackers, who continue to prioritize email as the primary attack vector, are increasingly deploying more sophisticated phishing techniques to bypass traditional email security safeguards, thereby complicating cybersecurity initiatives for many government agencies and private sector businesses. Thus, it’s a safe bet that advanced phishing threats, such as business email compromise (BEC), spearphishing, ransomware, and brand impersonation attacks, will continue to ascend in the year ahead.

The 2019 Threat Landscape
Attackers have steadily increased their attacks on both business and government entities, while financial gain continues as the primary motivator. In 2018, ransomware and spoofing attacks grew by 350% and 250% respectively, according to IndustryWeek. The Securities and Exchange Commission (SEC) reports that the average cost of a cyber breach hit $7.5 million in 2018, up from $4.9 million in 2017. Those are alarming statistics by any measure, but what’s even more concerning is the number of municipalities, large corporations, and small businesses impacted by cyberattacks in 2018.

In March, a ransomware attack shut down online systems at the City of Atlanta, forcing the government of the sixth largest metro to go without digital services for a week. While attribution remains inconsistent, most security officials believe that nation-state actors continued to target US elections and government entities, with several high-profile attacks against US senators and critical infrastructure, according to Gov Tech. Meanwhile, major companies such as Under Armour, Panera, Facebook, Strava, and Orbitz all suffered notable data breaches this year while there was a massive spike in attacks targeting small and midsized companies across industries.

Attackers no longer discriminate among targets the way they did in years past. Today, launching an automated phishing campaign requires very little work for potentially very high ROI. So with no decline in email-driven cybercrime in sight, here are some trends we can expect to see:

  • More Sophisticated Attacks Executed by Unsophisticated Attackers: Attackers of all skill levels can now access a whole range of online black-market tools, including how-to guides, AI-enabled programs, and cloud-based phishing-as-a-service solutions that enable anyone to orchestrate complex attacks. They’re also scouring social media for information and cross-referencing with company websites and job listings to cultivate personal messages.
  • Nation-State Attacks Will Continue: Emboldened by recent successes and a lack of consequences, it is expected that attacks by nation-states will expand and continue in 2019. As government entities increase their security efforts, attackers with government finances at their disposal may also shift more efforts to businesses and private entities, which those organizations will find challenging to detect and respond to. Several cybersecurity firms predict 2019 will be a troublesome year for cyberwars and nefarious nation-state activities, according to an article at ZDnet.com.
  • Attacks Will Become “Smarter,” More Automated: Just as artificial intelligence and machine learning will help detect and prevent phishing attacks, they will also aid cybercriminals. Attackers are now using these technologies to scan for vulnerabilities and create malware that can better avoid detection. Symantec executives said in a recent blog post that whereas in the past crafting individual messages was labor-intensive and costly, AI-powered toolkits could soon make spearphishing more abundant and easy to perpetrate.
  • History Will Repeat Itself: As attackers develop new strategies, they’re also bringing back old tactics. Email flooding, a strategy that dates to the 1990s, has been revived as a smokescreen for BEC attacks, spearphishing, and malware. Criminals now use it to flood inboxes and distract victims while they perpetrate fraudulent transactions. According to a global security report by AppRiver, criminals are using distributed spam distraction (DSD) to bombard accounts for a period of 12 to 24 hours. Anyone can now pull off an email bomb attack, as services on the Dark Web will bomb an email account with 5,000 messages for as little as $20. Kraken — an earlier, simple and effective ransomware — also re-emerged in September 2018 when a researcher found it bundled in an exploit kit, according to an article in Dark Reading.
  • Ongoing Attempts to Bypass Two-Factor Authentication: Over the last year, hackers have continuously attempted to bypass two-factor authentication. According to the McAfee Labs 2019 Cybersecurity Threats Report, that won’t show any signs of slowing down in the coming year, as cybercriminals continue to develop a stronger and more sophisticated underground to organize and discover new ways to exploit information that is key to authentication such as usernames, passwords, and web session cookies.
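The email-flooding tactic in the “History Will Repeat Itself” item is visible from the receiving side, because a distraction flood is a burst of mail from many unrelated senders to a single mailbox. The following is an added example, not code from the article or from any vendor it cites: a sliding-window detector run over constructed delivery-log lines. The log line format, the addresses and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed MTA-style delivery log format (an assumption, not a real Postfix
# or Exim format):  2019-01-14T09:00:00Z deliver to=<rcpt> from=<sender>
LINE_RE = re.compile(r"^(?P<ts>\S+) deliver to=<(?P<to>[^>]+)> from=<(?P<frm>[^>]+)>$")


def parse_line(line):
    """Return (timestamp, recipient, sender) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["to"].lower(), m["frm"].lower()


def detect_floods(lines, window=timedelta(hours=1), min_messages=200, min_senders=50):
    """Flag recipients who receive at least min_messages from at least min_senders
    distinct senders inside any sliding window. A single busy thread or a large
    mailing list does not trip the sender-diversity condition; a sign-up flood does."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)   # recipient -> deque of (timestamp, sender)
    alerts = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:      # drop messages older than the window
            q.popleft()
        senders = {s for _, s in q}
        if rcpt not in alerts and len(q) >= min_messages and len(senders) >= min_senders:
            alerts[rcpt] = {
                "messages": len(q),
                "distinct_senders": len(senders),
                "first_alert": ts.isoformat(),
            }
    return alerts


def build_sample_log():
    """Constructed sample: 300 'welcome' mails from 300 different sign-up domains to
    one mailbox within 30 minutes, plus ordinary traffic to a second mailbox."""
    start = datetime(2019, 1, 14, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(300):
        ts = start + timedelta(seconds=6 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} deliver to=<victim@example.com> "
                     f"from=<noreply@shop{i}.example>")
    for i in range(40):
        ts = start + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} deliver to=<bob@example.com> "
                     f"from=<colleague{i % 5}@example.com>")
    lines.append("malformed line that the parser should skip")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for rcpt, info in detect_floods(SAMPLE_LOG).items():
        print(f"flood against {rcpt}: {info}")
```

The thresholds are starting points to tune against a mailbox's normal volume. Because the article's point is that the flood hides fraudulent transactions, an alert on a mailbox whose owner can approve payments is a cue to review financial activity during the window, not just to clean the inbox.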

Automation Pluses & Minuses
One of the biggest challenges to mitigating the risk of phishing is keeping up with the sheer volume of attacks. Fidelis Cybersecurity surveyed security practitioners from companies in multiple industries and found 60% of analysts could only handle up to eight investigations per day.

To keep pace with the threats, some modern email security solutions have introduced automation — which, in theory, is of great benefit to SOC and security teams — as automated technology could alleviate the burden of manual phishing investigation and response.

Yet, despite the introduction of automation, automated email security tools in some cases offer only partial automated functionality. For example, fractional automation — such as presets of very basic processes, standardized playbooks, and linear technology built on YARA rules — doesn’t actually save security teams time because so much manual input is still required.

Having basic awareness of trending attacks and an understanding of modern attacker preferences is often the first step in measurable risk reduction. However, awareness is not enough; instead, automation that can help security teams expedite the time from threat identification to attack remediation is what will move the needle the most.


Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the …

Article source: https://www.darkreading.com/vulnerabilities---threats/advanced-phishing-scenarios-you-will-most-likely-encounter-this-year/a/d-id/1333632?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Faces Action From German Watchdog

German antitrust regulators prepare to require changes from Facebook regarding privacy and personal information.

According to an article in German newspaper Bild am Sonntag, German regulators will soon present Facebook with a list of changes it must make in the way it collects and shares users’ personal data if it wants to stay on the good side of privacy laws.

The Federal Cartel Office has been looking into Facebook since at least 2015, concentrating much of its investigation into the way Facebook collects and shares data with third-party apps.

According to Reuters, it’s expected that the agency will set a deadline for compliance rather than require immediate action. A Facebook spokesman said the company disputes the agency’s findings.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/privacy/facebook-faces-action-from-german-watchdog/d/d-id/1333647?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Radiflow: New Approach for Classifying OT Attack Flaws

The firm says risk assessment should begin with understanding attacker taxonomy and continue with vulnerability analysis.

Radiflow has a new approach for organizing attack characteristics and evaluating vulnerabilities on OT networks, the industrial cybersecurity company announced today.

While reporting on security incidents and attack campaigns is growing, each reporting organization has a different approach for analysis, the firm explains in a new whitepaper. “The current lack of a single taxonomy to analyze security incidents leads to difficulties in understanding the threat landscape in an unbiased way,” says Yehonatan Kfir, Radiflow’s CTO.

The whitepaper dives into several highly publicized security incidents over the past 10 years — for example, the Triton and Ukraine electricity blackout incidents. Experts present a new evidence-based taxonomy for assessing and classifying the impact of each on OT networks.

Radiflow says the next step in risk analysis for critical infrastructure operators and industrial firms is determining the impact of disclosed vulnerabilities. It says this should be done based on the context of the firm’s OT network and business logic related to relevant attacker models.

Experts argue there are issues with existing classification methods. NIST and ICS-CERT, the two major vulnerability disclosure organizations, use scoring standards for assessing security flaws with a bias toward IT networks. In particular, they say, there are issues with the potential of a vulnerability to compromise sensitive data and cause noncompliance with regulations.

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/radiflow-new-approach-for-classifying-ot-attack-flaws/d/d-id/1333648?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook exec gets SWATted

A man identified as a Facebook executive got SWATted on Tuesday night.

The Palo Alto Daily Post reports that police, fire department and public safety agents swarmed the exec’s home in Palo Alto, California, in response to a hoax call from a man claiming to be him who said he’d shot his wife with an assault rifle, tied up his kids, put “pipe bombs all over the place,” and that he’d kill police or anyone else if they came near.

Police said in a statement that the prank call came in at 9:16pm.

When officers – including trained crisis negotiators – responded, they surrounded the exec’s home and ordered the residents to come out. Two befuddled but calm people emerged: the executive and a woman who lives in a separate unit. They had no idea what was going on, and police found no children, tied-up or otherwise.

“The entire call was a hoax,” the police department said, with the suspect having impersonated the man by using his name.

Police Agent Marianna Villaescusa, who spoke as a negotiator with the prankster, said she stayed on the phone with the SWATter for about an hour, though he didn’t talk much. The Palo Alto Police Department said that the man placed the call to a 24-hour dispatch center using an untraceable number.

Whoever he is, he’ll potentially be facing multiple criminal charges, as well as a potential civil liability to offset the cost of the law enforcement response. From the police statement:

Hoax threats such as this are not only criminal in nature, but they also create a great deal of stress and anxiety for neighbors. The law enforcement response to this incident took officers away from their other important duties and calls. Anyone found responsible for placing a hoax call like this will be prosecuted to the fullest extent of the law.

The people who carry out these kinds of assaults consider them “pranks,” but the consequences can be lethal. Beyond wasting crisis responders’ time and resources, they can result in the death of innocent people.

In the US and other countries, the crime of SWATting – which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams – involves making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

Convicted SWATters such as Tyler Barriss will tell you that their intention isn’t to have anybody shot or killed. It is, rather, to shock or cause alarm. It doesn’t matter what their “intentions” are, though; it won’t buy back the life of 28-year-old Andrew Finch, whom police shot to death when responding to Barriss’s hoax call.

Fortunately, the Facebook exec – whom the company declined to name – wasn’t harmed, though he was handcuffed during questioning. Facebook spokesman Anthony Harrison said in a statement that the company is grateful for how Palo Alto’s crisis responders handled the incident:

We thank the city of Palo Alto for their swift and thoughtful response. They quickly identified this as a prank, and we are glad that our colleague and his family are safe.

Palo Alto police are asking for help to track down the caller. Anonymous tips can be emailed to [email protected] .

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JKdDP3wyGjk/

USB-C Authentication sounds great, so why are people worried?

What do Stuxnet, BadUSB, USB Killer, and rubber duckies have in common?

The common theme isn’t hard to spot – they’re all computer attacks that launch from USB flash drives.

The problem with USB devices (or the attraction, if you’re a cybercriminal) is that they’re a devastatingly simple way to sneak malware on to computers, especially important ones protected by air gaps.

There are so many malicious possibilities, in fact, that Israeli researchers were recently able to list no fewer than 29 different ways USB devices can compromise almost anything they’re plugged into.

In 2016, the USB 3.0 Promoter Group (Apple, Microsoft, Intel and others) announced its solution in the form of the USB Type-C Authentication specification.

This protocol would, they promised, cryptographically verify the identity of USB-C devices such as flash drives and chargers before a data or power connection is made, making it impossible for fake or malicious drives to exploit a computer.

At a stroke, organisations would have a way of blocking rogue devices from being plugged into their computers by disallowing unverified devices by policy.

Consumers, meanwhile, would be able to use chargers at airports without fear of attacks and know that any chargers, cables, docks, adapters, and drives they bought were the real deal and not fakes.

In theory, it would also make it impossible for attackers to alter a device’s firmware somewhere in the supply chain because this would break verification.

Last week, an important element of this – the program under which DigiCert will dish out digital certificates used to verify devices at firmware level – was confirmed by the USB Implementers Forum (USB-IF), which means that USB-C Authentication should start appearing in products this year.

It sounds like a long-overdue security upgrade so why are some commentators still wary?

Look no further than paragraph two of last week’s press release:

USB Type-C Authentication empowers host systems to protect against non-compliant USB chargers and to mitigate risks from malicious firmware/hardware in USB devices attempting to exploit a USB connection.

Notice the phrase “non-compliant USB chargers”, which has been interpreted by some as the beginnings of a DRM-like system tying buyers to branded products.

Own a smartphone from manufacturer X? USB-C Authentication would rule out counterfeit products but it might also mean you’re tied to buying ‘approved’ cables, chargers and other accessories from that device’s maker too.

It’s not clear whether this would be an issue for devices plugging into a Windows PC (e.g. a laptop maker forcing users to buy branded USB sticks) because the drivers enabling this would be controlled by Microsoft. Android smartphones might offer more leeway.

It’s important to remember that, unlike USB standards of old, USB-C is being pitched as a ubiquitous interface for almost everything that’s not covered by wireless standards such as Bluetooth, including monitors and headphones, as well as storage.

On the other hand, USB-C Authentication is not mandatory so the concern over manufacturer power might end up focussed on a few types of devices such as chargers, where fakes have become an issue.

Certainly, for companies selling USB flash drives that meet government standards such as FIPS 140 Level 1 and above, it will be a welcome new layer of security. It would be a great shame, then, if worries over hardware DRM by the back door eroded the image of an initiative with such promising security benefits.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7L8B1oKnvTM/

10 years for Boston Children’s Hospital attacker

Martin Gottesfeld, the hacker who attacked Boston Children’s Hospital (BCH), fled the US when the Feds came knocking, was subsequently plucked off a sailboat bobbing off the coast of Cuba, and who says his only regret is that he “didn’t get to Justina sooner,” has been sentenced to 10 years in jail.

Gottesfeld represented himself at a hearing in US District Court in Boston on Thursday. After the hearing, he told Judge Nathaniel Gorton that he believes that he made a big difference in the life of Justina Pelletier.

Starting 14 February 2013, then-15-year-old Justina was held in custody as a ward of the state in Massachusetts, at the order of a Boston hospital that decided her illness was all in her head, aggravated by what some doctors perceived to be medical abuse doled out by her parents.

In April 2014, hacktivists who slapped themselves with the Anonymous brand of hacktivism decided to inject themselves into the situation by launching #opJustina.

That #op entailed flooding multiple hospitals’ computer networks with distributed denial of service (DDoS) e-garbage and the standard, monotone, Guy Fawkes mask-wearing call for others to join in.

Gottesfeld was charged in February 2016 and found guilty in August 2018.

He’s never publicly expressed remorse.

Gottesfeld’s first target was Wayside Youth and Family Support Network, the Framingham residential facility where Justina had been living under state custody. Then he went after BCH.

According to the Department of Justice (DOJ), Gottesfeld customized malware that he installed on 40,000 network routers that he was then able to control from his home computer. The ensuing attack not only knocked BCH off the internet; it also spilled over and swamped several other hospitals in Boston’s Longwood Medical Area.

It was all done as what Gottesfeld considered justifiable payback for BCH’s “parentectomy.”

At Thursday’s hearing, Gottesfeld urged Judge Gorton to sentence him to time served. He said his only regret was not making his attacks bigger, badder and sooner:

My only regret is that I didn’t get to Justina sooner. I wish I had done more.

The State reports that Gottesfeld’s wife, Dana, said after the hearing that the couple plan to appeal.

This was always about protecting a child.

Judge Gorton rebuked Gottesfeld over his lack of remorse, telling him that his crime was “contemptible, invidious and loathsome” and that he was basically full of himself:

It was your arrogance and misplaced pride that has been on display in this case from the very beginning that led you to believe you know more than the doctors at Boston Children’s Hospital.

The prosecutor asked that Gottesfeld be sentenced to more than 12 years, describing him as a “self-aggrandizing menace” who’s tried to portray himself as a human rights activist from behind bars.

Given that Gottesfeld continues to peddle “lies and conspiracy theories about his prosecution,” he’s at serious risk of offending again, Assistant US Attorney David D’Addio said:

He did not save a girl’s life. He is not a hero. He committed crimes and today is about holding him accountable for those crimes.

Justina was returned to her parents four years ago. Her parents, Lou and Linda Pelletier, are currently suing BCH over their daughter’s alleged medical kidnapping.

In November, Lou Pelletier told The Daily Wire that the court date looks to be in January 2020.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u3EbGXTR0oc/

Shutdown hits government websites as certificates begin to expire

The US government shutdown is affecting more than just physical sites like national parks and monuments. Now, government websites are shutting down as their TLS certificates expire, according to internet security and statistics company Netcraft. In an online post, the company says that more than 80 websites using the .gov domain have been made insecure or inaccessible thanks to expired certificates.

TLS certificates are used by websites communicating over encrypted, HTTPS connections. A certificate is used to sign a website’s public encryption key, which ensures that your communication with that website is private and secure: you know which site you’re talking to, and that nobody else is listening in.

The website’s certificate is itself signed by a CA (Certificate Authority) that your browser trusts. Site owners have to renew their certificates every so often, to prove that they’re still the legitimate owners of the site’s encryption keys.

If you visit a site with an expired certificate then your browser will notice and issue a strong warning.

The US government isn’t doing anything deemed nonessential under the current shutdown, and that seems to include renewing TLS certificates. As they expire, sites are beginning to throw expired certificate warnings, and in many cases become unavailable altogether.

One example is NASA’s rocket testing site at https://rockettest.nasa.gov, which throws what’s called an interstitial warning. This means that the certificate has expired, but the browser gives you the option to ignore the warning and visit the website anyway at your own risk. Another site taking this approach to its expired certificate is https://ecf-test.ca6.uscourts.gov, a site used by the US Court of Appeals.

Some sites don’t allow visitors to click past certificate warnings at all, thanks to their inclusion on the HSTS (HTTP Strict Transport Security) preload list. This is a list of sites, maintained by most browser vendors, that can only be visited over HTTPS and have prohibited click-throughs should their certificates expire or otherwise fail validation.

Many sites include themselves on the HSTS preload list as a failsafe. The argument is that it’s better to block visits altogether in the event of an expired certificate than to risk having your communications with the site intercepted or diverted.

For example, the certificate for the Department of Justice website https://ows2.usdoj.gov expired on 5 January, meaning that it throws a certificate warning when people try to visit it. Because it includes itself on the HSTS preload list, visitors don’t get the chance to click past the warning and see the site.

How bad could things get for the US government’s web presence? It’s possible that more government site certificates will expire if things continue, but some might be set to auto-renew, meaning that their certificates are updated before they expire.
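To make the browser behaviour described above concrete, here is an added example (not code from the article or from Netcraft) that classifies each site’s state from its certificate’s notAfter string, using the standard library’s ssl.cert_time_to_seconds to parse the format that getpeercert() returns, flags certificates due for renewal, and checks a Strict-Transport-Security header against the preload submission requirements. The expiry timestamps other than the 5 January date, the preload-list stand-in and the one-year max-age threshold are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample expiry times in the notAfter format that
# ssl.SSLSocket.getpeercert() returns ('%b %d %H:%M:%S %Y GMT'). The hostnames are
# the ones the article names; the exact timestamps are assumptions, except that
# ows2.usdoj.gov is dated 5 January 2019 as the article states.
SAMPLE_CERTS = {
    "ows2.usdoj.gov": "Jan  5 23:59:59 2019 GMT",
    "rockettest.nasa.gov": "Jan  8 12:00:00 2019 GMT",
    "www.nist.gov": "Jun 30 12:00:00 2019 GMT",
}

# Constructed stand-in for the browsers' HSTS preload list (the real list ships
# inside Chromium and Firefox). Assumption: ows2.usdoj.gov is on it, per the article.
SAMPLE_PRELOAD = {"ows2.usdoj.gov"}

# Reference time for the sample run: the article's date, 14 January 2019.
ARTICLE_DATE = datetime(2019, 1, 14, 12, 0, tzinfo=timezone.utc).timestamp()


def seconds_until_expiry(not_after, now):
    """Seconds left on a certificate given its notAfter string; negative once expired."""
    return ssl.cert_time_to_seconds(not_after) - now


def classify(host, not_after, now, preload_list):
    """What a browser does with the site: 'ok', 'interstitial' (expired, click-through
    allowed) or 'blocked' (expired and HSTS-preloaded, so no click-through)."""
    if seconds_until_expiry(not_after, now) > 0:
        return "ok"
    return "blocked" if host in preload_list else "interstitial"


def expiry_report(certs, now, preload_list, warn_days=14):
    """Per-host status plus days remaining, flagging certificates inside warn_days
    so an operator can renew before the browser warning ever appears."""
    report = {}
    for host, not_after in certs.items():
        days = seconds_until_expiry(not_after, now) / 86400
        report[host] = {
            "status": classify(host, not_after, now, preload_list),
            "days_left": round(days, 1),
            "renew_soon": 0 < days <= warn_days,
        }
    return report


def parse_hsts(header):
    """Split a Strict-Transport-Security header into a directive dict;
    valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip() or True
    return directives


def preload_eligible(header, min_max_age=31536000):
    """Whether a header meets the preload submission requirements (assumption:
    max-age of at least one year, with includeSubDomains and preload present)."""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        return False
    return (max_age >= min_max_age
            and d.get("includesubdomains") is True
            and d.get("preload") is True)


if __name__ == "__main__":
    for host, row in expiry_report(SAMPLE_CERTS, ARTICLE_DATE, SAMPLE_PRELOAD).items():
        print(f"{host:24} {row['status']:12} {row['days_left']:>7} days")
```

Feeding the same functions the notAfter field from a live getpeercert() call turns this into a simple renewal monitor; the renew_soon flag is the check that would have caught these sites before the shutdown turned an expiring certificate into a hard block.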

Could things get worse as government domains themselves – which also have to be renewed – expire? Perhaps, although it’s worth noting that .gov domains can only be registered by authorized departments via the US Government’s DotGov organization. This makes it far less likely that some online crook somewhere could begin buying them and impersonating government departments online.

Having said that, manipulating search results is likely to be a lot easier for attackers if government websites shut down completely. It will be easier to increase the ranking for a fake site with the same name as a government site if search engines can no longer reach the real site.

The other worry facing government website users is that they may stay available, but not be updated. While still technically accessible online, several sites have explained that they will not be maintained during the shutdown: https://www.data.gov, https://www.selectusa.gov, https://www.nist.gov, and https://www.iat.gov are among them.

The takeaway? Be wary when visiting US government sites that display a certificate error. Just because a certificate warning allows you to click through to a site doesn’t mean that you should. Better safe than sorry.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8MZr1zIjLns/

Nissan EV app password reset prompts user panic

Nervous Nissan UK drivers were today assured by the car maker that Connect EV app log-in failures are related to a migration of data onto a new platform rather than anything more nefarious.

Customers contacted The Reg after receiving what one described as a slew of password resets and some speculated on the potential cause.

Upgrades like this really do not need users to reset passwords if done right…

Nissan’s UK arm denied that ongoing problems with its Connect EV electric car app were the result of any error, but claimed a roll-out of a “new computer system” meant users had been asked to reset their passwords.

“There has been no data breach,” it said. “The data was simply migrated over to a new computer system and therefore customers have been asked to reset their passwords as a security protocol.”

Taxi drivers and socially conscious road users, among other Nissan owners, have been experiencing problems with the app for some time.

One who spoke to us ventured: “It’s looking a bit like they may have managed to expose a big pile of data they should not have done.”

The Reg notes there was no evidence of any such breach.

Over on Twitter, Nissan UK’s electric car tentacle was busy reassuring drivers that all was well.

Not all were successful, however:

The Nissan Connect app allows car owners to access third-party apps via the big dashboard display screen in more recent models. The EV version of the app allows ‘leccycar drivers to see time to full charge, driving range, time to flat battery and other useful car-related information.

Recent user reviews on Google Play (the Android app store) were scathing. Kelly Moses wrote on 13 January: “It is not possible to access any data or indeed even to log in, since the most recent update in Dec 18. The app has always been a little hit-and-miss, which is a great shame as it would otherwise be really useful.”

Similarly, Colin McAllister wrote on 12 January: “This app continually responds ‘This service cannot be provided. Please contact Nissan’. Nissan told me to change the country from ‘UK’ to ‘Japan’ because ‘The servers can get busy’. It’s 7am on a Saturday morning – I don’t believe UK servers are really under that much stress!”

Security researcher Scott Helme (who described issues with Nissan’s EV API several years ago, as well as problems controlling his Nissan Leaf via Amazon Alexa) agreed, telling us:

“People will understandably be suspicious of a hack, but it’s probably just bad handling from Nissan if we give them the benefit of the doubt. Upgrades like this really do not need users to reset passwords if done right. They also could have communicated this better to avoid people assuming something bad has happened.”

Where possible explanations for a bad situation boil down to “cockup or conspiracy”, we favour “cockup” every time – with good reason. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/14/nissan_ev_app_no_weve_not_been_hacked/

Poland may consider Huawei ban amid ‘spy’ arrests – reports

A Polish official has said he couldn’t rule out “legislative changes” to allow the nation to ban the use of a company’s products, following the local arrest of a Huawei staffer.

The country’s internal security agency (Agencja Bezpieczeństwa Wewnętrznego, ABW) last week detained a man named by Polish media as Wang Weijing, a sales director at Huawei, on allegations of spying.

Soon after the arrest was made public, Huawei sought to distance itself by sacking the employee on the basis that the “incident has brought Huawei into disrepute”.

The Chinese-headquartered telecoms hardware maker has continually denied accusations its kit is being used by the Chinese government to spy on foreign nations, but the arrest in Poland marks a recent escalation of related concerns in the West.

This has seen the US, Australia and New Zealand implement official bans on using Huawei tech for state-funded 5G projects.

Poland now appears to be considering joining these nations – according to Reuters, the minister of digital affairs Karol Okonski floated the idea of a ban.

“We will analyze whether…our decision can include an end to the use…of Huawei products,” the official said of a potential review of Huawei’s networking gear.

Okonski also suggested further, more broad steps: “We do not have the legal means to force private companies or citizens to stop using any IT company’s products. It cannot be ruled out that we will consider legislative changes that would allow such a move.”

Huawei has insisted that it “complies with all applicable laws and regulations in the countries where it operates, and we require every employee to abide by the laws and regulations in the countries where they are based”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/14/poland_huawei_ban_mooted/