By Eric Limer for Popular Mechanics 

Twitter is suggesting all users change their passwords as a precaution after a reported glitch caused some passwords to be stored in plain text. If you’ve ever used your Twitter password for another service, you’d be wise to change it in both places.

Twitter says there is no evidence of a breach, but the error would have allowed any snoopers inside the system to scoop up unprotected passwords with ease. Typically, passwords are “hashed” before they are stored, a process which transforms the password into a unique series of numbers and letters that can’t be translated back into the actual sequence of characters you type in. This prevents hackers from snagging a phrase they can try on your other accounts.
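The hashing described above, as an added example that is not part of the original article: a small account store (constructed for this illustration, not Twitter’s code) that hashes passwords with salted PBKDF2 before storing them, alongside the kind of mistake the article reports, where a request is written to a log before hashing and the plain-text password ends up stored anyway. A `secrets_in_log` check shows how a defender would catch that.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# PBKDF2-HMAC-SHA256 parameters; the iteration count here is illustrative.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and the hash cannot be reversed to the
    original text; it can only be re-computed and compared.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal in-memory account store with an audit log (constructed example)."""

    def __init__(self) -> None:
        self.records = {}      # username -> hashed record
        self.audit_log = []    # lines an operator or insider could read later

    def create_user_leaky(self, username: str, password: str) -> None:
        # The bug pattern behind "stored in plain text": the raw request is
        # logged before hashing, so the hash in self.records protects nothing.
        self.audit_log.append(f"signup user={username} password={password}")
        self.records[username] = hash_password(password)

    def create_user(self, username: str, password: str) -> None:
        # Log only non-secret fields; the password is hashed and then dropped.
        self.audit_log.append(f"signup user={username}")
        self.records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Burn a hash anyway so unknown users take as long as wrong passwords.
            hash_password(password)
            return False
        return verify_password(password, record)


def secrets_in_log(store: UserStore, known_passwords: List[str]) -> List[str]:
    """Defensive check: return log lines that contain a plain-text password."""
    return [line for line in store.audit_log
            if any(p in line for p in known_passwords)]


if __name__ == "__main__":
    s = UserStore()
    s.create_user("alice", "correct horse")
    s.create_user_leaky("carol", "hunter2")
    print("alice login:", s.login("alice", "correct horse"))
    print("leaked lines:", secrets_in_log(s, ["correct horse", "hunter2"]))
```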

Even with no evidence of an actual breach, this bug serves as a good reminder for some basic security hygiene. Use unique passwords for every service you use; a password manager can help you keep track of them all. Turn on two-factor authentication where available (it is available on Twitter). And while you’re at it, go look at the apps that have access to your account. These apps, if they’re insecure themselves, can offer hackers a limited way into your account without ever having to figure out your password.

Source: EWN 

Nearly 60 000 South African users have allegedly been impacted by the Facebook/Cambridge Analytica data breach.

The breach, which affects more than 87 million Facebook users, came after some 270,000 people allowed a researcher to use their data.

In 2013, a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. Through the app, Kogan also scraped the data of the quiz takers’ friends, a move Facebook allowed until 2015.

The researcher then sold the data to Cambridge Analytica, which was against Facebook rules.

A Facebook spokesperson says 33 users in South Africa downloaded the quiz app, and the remaining 59,777 were friends of people who had installed the app elsewhere in the world.

Facebook CEO Mark Zuckerberg says there was a breach of trust between Kogan, Cambridge Analytica and Facebook.

“But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”

Zuckerberg says Facebook has a number of plans to prevent something like this happening again.

“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.”

By Sipho Masondo for City Press

Fears are mounting that up to 15 municipalities across the country could collapse because they are not likely to recover their R1.5bn investments at VBS Mutual Bank.

Their exposure to VBS was “too large compared to their operating revenue”, according to a Treasury document sent to the affected municipalities last week.

The SA Reserve Bank (Sarb) placed VBS under administration in March, following a liquidity crisis. VBS’s main source of cash was illegal short-term municipal deposits which it used to fund long-term loans to clients.

Senior Treasury officials fear that some of the municipalities – based in Limpopo, North West, Gauteng and Mpumalanga – could collapse. This would force their provincial governments to place them under administration.

The Treasury report reveals that the 15 councils are unlikely to recover their R1.5bn total investment.

“The payout to municipalities is highly uncertain,” the document reads. Its authors point out that Sarb is likely to prioritise retail depositors and not bail municipalities out.

“In line with the mandate of protecting the most vulnerable, the restructuring will focus on the depositors. At this stage, the ordinary depositors will get back almost all their deposits,” reads the document.

Sarb has already approved a restructuring that would benefit rural retail depositors, funeral insurance collectives, stokvels “and other vulnerable groups”.

“There may be little left for municipalities, which deposited illegally. It is a general principle that no bailouts are provided to municipalities,” the Treasury document says.

A senior Treasury executive said there were concerns that because of their “reckless investments” at VBS, some of the municipalities may no longer be financially viable.

“Some of their finances are in tatters, and they may need to be placed under administration,” the executive said.

Salaries in jeopardy

The official cited the example of Giyani, which invested R158m of its R302m operating revenue in VBS.

“How does a municipality without half of its operating revenue survive?” the official said.

The newly established Lim 345 Municipality, in the Thohoyandou area, had invested R122m of its R344m operating revenue in VBS. Greater Tubatse in Sekhukhune had put R210m, or 38%, of its R548m operating revenue in the bank.

Another Treasury executive said this money was part of municipalities’ annual budgets and not extra money that the councils could function without.

“Unfortunately, they have lost all that money and it is only a matter of time before you hear that some of them are not able to pay salaries. I’ve heard that one of them nearly didn’t pay salaries in November last year,” he said.

An executive member of the SA Local Government Association said it was “almost a foregone conclusion that some of these municipalities will crash”.

“We are losing sleep over the issue. The money was strictly for operational issues, not reckless investments,” said the official.

Fictitious deposits, untraceable lending

The Treasury report reveals that about R900m is missing at VBS.

“This money appears to have disappeared due to fictitious deposits and untraced lending. There is evidence of large, unrecoverable loans to directors and related parties. There is some evidence that VBS paid a lawyer a ‘commission’ when municipalities deposited money with the bank. It is not, at this stage, evident if this commission was passed on to municipal managers.”

The report says the bank’s business model was “ill-fated and doomed to fail”.

“VBS made long-term loans, knowing that their primary funding was short-term in nature and lumpy. Hence the business model is almost certainly designed to generate liquidity problems when a few municipalities withdraw their funds to spend on budgeted programmes,” the report reads.

Law was broken

Treasury says VBS actively flouted the law by focusing on municipal deposits, which made up almost 75% of all its deposits. Despite being aware of the restrictions on accepting municipal deposits, the bank continued to accept more. This continued even after it started talking to Treasury about phasing out its past municipal deposits, in order to comply with the Municipal Finance Management Act.

The Mahikeng, Greater Tubatse, Ruth Segomotsi Mompati and Elias Motsoaledi municipalities appear to have been enticed by the high returns the bank promised and disregarded the act.

Curator’s ‘extortionate’ fees

Two VBS senior managers accused the bank’s curator, Anoosh Rooplal, employed by auditing firm SizweNtsalubaGobodo, of charging “exorbitant and extortionate” fees. He sent the bank a bill of R2.6m for three weeks of work.

Sarb appointed Rooplal when it placed VBS under administration in the middle of March.

Rooplal sent the bank his invoice on March 31. The bank paid three days later.

One of the managers said: “If you invoice R2.6m in three weeks, how much will you be paid every month? How much will Anoosh and SizweNtsalubaGobodo be paid by the time the bank is back on its feet? It all looks exorbitant and extortionate.”

Another manager lamented the fact that while depositors could not access their money, the curator was being paid handsomely.

“It simply just doesn’t make any sense to me,” the manager said.

The curator’s spokesperson, Louise Brugman, said Sarb had approved the remuneration and fee structure for the curatorship upfront.

She said that, as per normal governance practice, the curator was required to regularly update Sarb on fees, related activities and the bank’s financial position.

“As further irregularities have been uncovered within the bank, additional experts have been required to assist to restore the bank, all of which is reported and explained to Sarb,” she said.

Make your router hacker-proof

By Sandeep Nair Narayanan, Anupam Joshi and Sudip Mittal for The Conversation 

In late April, the top federal cybersecurity agency, US-CERT, announced that Russian hackers had attacked internet-connected devices throughout the U.S., including network routers in private homes. Most people set up their router – or had their internet service provider set it up – and haven’t thought much about it since. But it’s the gateway to the internet for every device on your home network, including Wi-Fi connected ones. That makes it a potential target for anyone who wants to attack you, or, more likely, use your internet connection to attack someone else.

As graduate students and faculty doing research in cybersecurity, we know that hackers can take control of many routers, because manufacturers haven’t set them up securely. Router administrative passwords often are preset at the factory to default values that are widely known, like “admin” or “password.” By scanning the internet for older routers and guessing their passwords with specialized software, hackers can take control of routers and other devices. Then they can install malicious programs or modify the existing software running the device.

Once an attacker takes control
There’s a wide range of damage that a hacker can do once your router has been hijacked. Even though most people browse the web using securely encrypted communications, the directions themselves that let one computer connect to another are often not secure. When you want to connect to, say, theconversation.com, your computer sends a request to a domain name server – a sort of internet traffic director – for instructions on how to connect to that website. That request goes to the router, which either responds directly or passes it to another domain name server outside your home. That request, and the response, are not usually encrypted.

A hacker could take advantage of that and intercept your computer’s request, to track the sites you visit. An attacker could also attempt to alter the reply, redirecting your computer to a fake website designed to steal your login information or even gain access to your financial data, online photos, videos, chats and browsing history.

In addition, a hacker can use your router and other internet devices in your home to send out large amounts of nuisance internet traffic as part of what are called distributed denial of service attacks, like the October 2016 attack that affected major internet sites like Quora, Twitter, Netflix and Visa.

Has your router been hacked?
An expert with complex technical tools may be able to discover whether your router has been hacked, but it’s not something a regular person is likely to be able to figure out. Fortunately, you don’t need to know that to kick out unauthorized users and make your network safe.

The first step is to try to connect to your home router. If you bought the router, check the manual for the web address to enter into your browser and the default login and password information. If your internet provider supplied the router, contact their support department to find out what to do.

If you’re not able to log in, then consider resetting your router – though be sure to check with your internet provider to find out any settings you’ll need to configure to reconnect after you reset it. When your reset router restarts, connect to it and set a strong administrative password. The next step US-CERT suggests is to disable older types of internet communications, protocols like telnet, SNMP, TFTP and SMI that are often unencrypted or have other security flaws. Your router’s manual or online instructions should detail how to do that.

After securing your router, it’s important to keep it protected. Hackers are very persistent and are always looking to find more flaws in routers and other systems. Hardware manufacturers know this and regularly issue updates to plug security holes. So you should check regularly and install any updates that come out. Some manufacturers have smartphone apps that can manage their routers, which can make updating easier, or even automate the process.

By Tehillah Niselow for Fin24 

Steinhoff, once referred to as “the Ikea of Africa”, with its former CEO Markus Jooste dubbed the African Warren Buffett, has seen a spectacular fall from grace since December, when it revealed accounting irregularities in its books.

More than 95% of its market capitalisation has been wiped out and the international retailer faces angry investors, from public servant pension funds to Wall Street’s biggest banks.

Four months later, there is still no official word on what the accounting irregularities were; the former CEO Markus Jooste is yet to answer burning questions and the share price remains volatile.

The complex and opaque nature of the company, registered in the Netherlands, listed in Frankfurt and Johannesburg and headquartered in Stellenbosch, has made investigations more difficult.

Fin24 takes a look at the events of recent months which saw the once-giant company nearly collapse.

24 August 2017

• German media reports that German prosecutors are investigating whether Steinhoff inflated earnings.
• JSE listed shares fell 16% in intra-day trade.
• The company rejects the allegations in the report.

6 December 2017

• Disclosure of “accounting irregularities” and appointment of PricewaterhouseCoopers to investigate the financial statements.
• CEO Markus Jooste resigns, apologising to staff.
• Share price dives on JSE by a record 62%, wiping out R117bn in the company’s market capitalisation.

7 December 2017

• Moody’s Investors Service cuts Steinhoff’s credit rating from “lowest investment grade” Baa3 to “highly speculative” B1, junk status.
• Steinhoff’s second largest shareholder, the Public Investment Corporation’s (PIC) 56% stake is worth just R3.6bn. Two weeks prior it was worth R20bn.
• Steinhoff announces a new sub-committee to improve governance; all three appointees are members of the board.

13 December 2017

• Steinhoff announces that the company’s 2016 financial statement can no longer be relied upon and will need to be re-stated.
• The Government Employees’ Pension Fund (GEPF) and its asset manager, the PIC, insist on having 2 representatives on Steinhoff’s board committee investigating the company.

14 December 2017

• Largest Steinhoff shareholder, chairperson and acting CEO Christo Wiese resigns from the board. Continues to insist that he was unaware of the accounting irregularities.

4 January 2018

• Steinhoff chief financial officer (CFO) Ben la Grange resigns.

8 January 2018

• European Central Bank sells entire holding of Steinhoff bonds. The ECB bought into Steinhoff Europe’s €800m bond issue in July 2017, when the bonds carried an investment grade rating. It had to sell due to the central bank’s requirements.

12 January 2018 to 17 January 2018

• JP Morgan, Citigroup, Bank of America and Goldman Sachs reveal losses relating to hundreds of millions of dollars in Steinhoff.

30 January 2018

• Former CEO Markus Jooste declines an invitation to appear before MPs from the three parliamentary portfolio committees jointly probing Steinhoff, saying he’s no longer involved in Steinhoff.
• Acting chairperson Heather Sonn tells MPs that Steinhoff has handed over evidence of fraud to the Hawks, against Jooste.
• Board and Christo Wiese say they are unable to reveal the state of affairs at Steinhoff, until PwC has completed its independent investigation.

12 February 2018

• Steinhoff’s former chairperson Christo Wiese involuntarily sells shares related to his margin loans reducing his shareholding in Steinhoff from 20.52% to 6%.

2 March 2018

• Moneyweb publishes leaked emails which show how former CEO Markus Jooste worked with other executives to move revenue figures around subsidiaries to boost their balance sheets and hide losses.

28 March 2018

• Hawks accuse Steinhoff board of “malicious compliance” with the law in handing over documents related to former CEO Markus Jooste, saying there was nothing contained in them to assist authorities with gathering evidence.
• Parliament’s joint committees probing Steinhoff resolve to subpoena Jooste, as he has twice declined an invitation to answer questions.

5 April 2018

• Following public outrage, Steinhoff directors decide against the proposal to shareholders to reward themselves bonuses for working to restore the company after its collapse.

20 April 2018

• Annual General Meeting in Amsterdam, Netherlands, where the company’s board will for the first time since the December crash come face to face with shareholders and face tough questions about its handling of the crisis.

Source: Randburg Sun 

There’s a new parcel delivery scam that post office users should remain alert for and guard against, Southlands Sun reports.

The SA Post Office warned the public to be on the alert for the new scam which is designed to defraud them.

The conmen place phone calls to members of the public, purporting to be from the Customs division of the SA Post Office. The caller informs them that a parcel is ready for collection, provided they first pay ‘customs fees’ into a bank account.

The SA Post Office insisted that it does not require customers to make any bank deposit before parcels are released. In instances where an import tax levied by SARS is payable on parcels from abroad, the import tax must be paid at the Post Office counter when the item is collected. The customer will receive a point-of-sale receipt for this payment.

Where the Post Office has the recipient’s cellphone number, the customer will receive an SMS requesting them to collect the parcel at a specific branch. The SMS will not request funds to be deposited into an account.

Members of the public who have information regarding this scam are requested to call the police or the Post Office’s crime buster hotline on 0800-020-070.

The SA Post Office advises the public to ignore communication of this nature.

By Sne Masuku for IOL

Black publishers and stationery service providers in KwaZulu-Natal have criticised the provincial Department of Education for awarding its R263-million stationery/textbook contract to one company to distribute these items to all public schools in the province. They claimed they were being put out of business.

The publishers and service providers, who own medium and small businesses, had previously serviced Section 21 schools. They alleged the new central procurement system tender awarded to one company in 2014 had expired in 2016, but the contract had been renewed for the past two years “illegally and uncompetitively”.

The Learner Teacher Support Material (LTSM) Forum, comprising representatives of the affected businesses, has threatened legal action against the central procurement system and plans to challenge the legality of the tender. Should this matter end up in court, it would be the fourth procurement tender of the provincial department taken to court.

The department’s Nutrition Programme, the Scholar Transport Programme and the sanitary pads tender, worth millions, were some of the tenders suspected of irregularities, with some going to court.

Last week, the forum lodged a complaint with the provincial portfolio committee on education. The service providers asked the committee to escalate their matter to Basic Education Minister Angie Motshekga after their requests for a meeting with department officials were allegedly ignored.

Most schools had waited nearly a year for the department to give them funds for books and stationery.

Later in the year, the department, through a circular, advised schools that quotes which had exceeded 20% of the catalogue price including VAT, transport costs and other costs, would be migrated to the central procurement system using the service provider appointed by the department.

Service providers which supplied Section 21 schools with their stationery lost business when the department migrated their orders with private service providers to a company it had appointed.

“We are questioning why the department was so eager in doing business with a company that does not have a valid contract.

“The department is deliberately delaying payment of Section 21 school funds to take away business from us. The intention is to create a new monopoly in the Learner Teacher Support Material (LTSM) business,” said Mandla Shangase, the interim LTSM Forum chairperson.

According to the South African Schools Act, Section 21 schools which chose to order through private service providers had a right to do so.

This time, schools were told not to confirm their orders before they received a written confirmation from the department that the funds had been transferred.

A multidisciplinary task team appointed by Motshekga is currently investigating allegations of misappropriation of funds levelled by the National Teachers’ Union against the provincial department.

Department spokesperson Kwazi Mthethwa said any contractual obligations that the department may have with service providers remained confidential.

He said the department would never be involved in unlawful activities because they believed in good governance and transparency.

By Alex Hern for The Guardian 

Facebook has started the process of notifying the approximately 87 million users whose data was harvested by the election consultancy Cambridge Analytica.

The social network eventually hopes to inform every user who was affected with a warning at the top of their Facebook news feed. For now, however, individuals can check by going to a new help page on the site or searching for “How can I tell if my info was shared with Cambridge Analytica?” in Facebook’s help centre.

Most users will see a message saying that “neither you nor your friends logged into ‘This Is Your Digital Life’”, the personality quiz that Cambridge Analytica used to gather its data.

Around 87 million individuals, including more than 1 million people in the UK, will receive a different response saying “a friend of yours did log in”.

That means that their public profile, page likes, birthday and current city were likely shared with the company, as well as potentially the contents of their news feed at the time.

Around 300,000 people – including 53 people in Australia, 10 people in New Zealand, and an unknown number of users in the UK – will receive a message informing them that they installed the This Is Your Digital Life app.

This means they almost certainly handed over the personal information of all their Facebook friends at the time, as well as formed part of the core group for the psychometric profiling that Cambridge Analytica carried out during the US election campaign.

Facebook has promised widespread changes to its platform to prevent further “abuse” of the sort it attributes to Cambridge Analytica. “These actions would prevent any app like [This Is Your Digital Life] from being able to access so much data today,” the company said in March.

Stock losses, fraud not top-of-mind in SA

South African businesses need a different mindset to address ongoing stock losses and fraud.

In the absence of a “proper” risk mitigation plan and loss control blueprint, South African business owners will never really address the critical levels of theft and fraud impacting on our economy, according to commercial investigator and international risk consultant, Kyle Condon (Managing Director at D&K Management Consultants).

“Experience has taught me that trust and effective loss control do not go together. We live in a society that has criminal presence constantly lurking around us. Old style security measures and trusting of everybody have left businesses open to losses like an open wound exposed to a sewer. Employees need to be watched continuously and loss control tactics need to be revised to accommodate this,” says Condon.

With many businesses operating on shoe-string budgets, security is often one of the first things to go. Ironically, says Condon, “it should be one of the portfolios that gets additional budget assistance. When companies cut security, those employees that were always dissuaded from going through with criminal action often go over the edge and ‘raid the cookie jar’.”

While South Africa has one of the most corrupt governments sketched on the political portrait, expecting every employee to behave in a moral honest way is far from realistic. We see what our leaders do and follow suit.

Sadly, most companies choose to ignore this red flag and continue to fool themselves into believing that the presence of a uniformed security officer or two is adequate to prevent and deal with internal criminal activity. Condon believes that “old school” security is a thing of the past. “It is time we accept that our businesses, like our homes, require proper defences,” states Condon.

So, what exactly does this mean?

“Our business sector has major structural employment weaknesses, due largely to political pressures, window-dressed appointments and fear of union retribution. This has led to a breakdown of the strong policies and procedures that existed in the past. Many managers are just too afraid to confront the issues or speak out, in fear of being branded or painted with the race brush. And, as a result, policies and zero tolerance are eroded. Unions have gained a lot of power, often holding companies to ‘ransom’ when it comes to enforcing strong security measures. Polygraphs, for example, are always declined by union reps; searching procedures get labelled as an invasion of one’s privacy, etc. Old school security methods have been watered down to create a mere ‘illusion of loss control’,” he says.

Modern day loss control and security plans must include the following key concepts:

• Internal investigation specialists (undercover agents) deployed as, I like to say, ‘modern day spies’.
• Quarterly sweeping and debugging of executive offices and meeting rooms.
• Strike action plans, designed specifically for the individual company and its employees to provide proper Duty of Care during strike action.
• Alignment with a reputable forensic investigator or company who understands the methods, methodology and principles of fraud and financial crimes, in the workplace.
• Thorough pre-employment screening of new candidates, including checking of criminal records through fingerprinting.
• A steadfast CCTV viewing plan conducted off site by an independent viewer, providing monthly viewing reports covering all aspects of risky behaviour, suspicious actions and overall health and safety concerns.
• Travel risk reports, for employees traveling to potentially hostile environments both locally and internationally. This would include arranging VIP protection, where needed.
• Annual security surveys to address all shortcomings of the physical security measures of the business.
• Due diligence must become part and parcel of the sales teams’ portfolios: before stock or material leaves for suspicious clients, an investigation unit should first check that all is above board and that you are not being scammed.
• Handing over the time consuming and demanding security portfolio to a dedicated and qualified loss control manager.

“I do not agree with companies splitting up the security portfolio and contracting various players for various things. Managing this portfolio is a job that requires full time participation. This is exactly what D&K Management Consultants does for its clients. We provide the correct expertise in one unique portfolio designed around modern-day risk,” says Condon.

“We are in many ways a country at war with itself, and business is not spared any of the risks that a ‘war’ environment brings. Therefore, defending your company requires a modern day ‘warfare’ approach. Intelligence, logic, expertise and strategy have replaced uniforms, guns and electric fences to a large extent”, Condon says, as he smiles.

Fin24 recently published an article with the headline: “Massive Afrihost security flaw exposed”.
The article stated that “a massive security flaw” left the ADSL credentials of users vulnerable. The situation was brought to light by a Durban software expert, Taylor Gibb, who recently posted on Facebook that “Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk”.

Afrihost has released the following statement:

1. There was no breach of data at any time

No databases, personal information, payment information or account details have been breached or hacked in any way. The article is based on hypothetical scenarios conceived by the author of the article, who was never (at any time) in possession of the data mentioned.

2. Our clients are not at risk

Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever (based on the scenario in this article).

3. Passwords were never stored in plain text

The writer makes several assumptions regarding the state of personal data, such as passwords being stored in plain text, which are inaccurate. Passwords are encrypted.

4. The information relates ONLY to ADSL usernames and passwords

No payment information, personal information or ClientZone user login information were ever at risk. At absolute worst, the information in question could only be used to login to an ADSL account (and one that allows concurrent logins). Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.

5. Our team of staff are trustworthy

The article only refers to scenarios where a staff member of Afrihost could access vulnerable information. Our staff have no motivation to steal data from our clients, as they receive free internet for both fixed line (DSL or Fibre) and Mobile Data. In many cases, our staff give out their personal accounts to help our clients test their connectivity. While we did trust our staff with access to passwords – this ability has since been removed – this was always subject to identity verification. However, we have removed this feature for our clients’ peace of mind and will find new ways to ensure that our clients enjoy the same level of convenience when interacting with our consultants.

We’ve always had to balance our need for increased security and safeguards with our clients’ convenience. Changes to our security are in ongoing development at all times, and we had planned to devise a convenient way to roll these out with minimal impact to our clients.

As mentioned, no data was breached, no personal information was compromised and not a single client was adversely affected in any way.

My Office News Ⓒ 2017 - Designed by A Collective