A huge trove of data, containing the personal information of millions of South Africans, including property ownership, employment history, income and company directorships, has been discovered by information security researcher Troy Hunt.

Hunt, the founder of HaveIbeenPwned.com, said the breach contains data of more than 30-million unique South African ID numbers.

The data trove was discovered among a large dump of other breaches, and Hunt could identify it as being of South African origin from the personal address details it contains. He said that to date he hasn’t seen it offered for sale, but that “it is definitely floating around between traders”.

The date of the database file indicates that the breach took place in March 2017, or perhaps before. The actual data includes information from at least as far back as the early 1990s.

Hunt is now attempting to identify the source of the database and has shared its headers to help get to the bottom of it. The headers can be viewed here.

Some of the data headers seem to indicate that the source may be government, but this is not definitive. It may be that this information is from a commercial entity such as a bank or credit bureau.

Once the owner of the data is identified and informed, Hunt will upload the info to his HaveIbeenPwned service (although he notes that the data only includes around 2,2-million valid e-mail addresses).

By Andrew Fraser for Tech Central 

Nedbank, Telkom, Discovery and Investec are among top South African listed companies with the most exposure to cybersecurity risks.

This is according to a new research report from the Cyber Intelligence Research Group, the results of which are being released on Monday at CyberCon, a cybersecurity conference in Johannesburg.

The Cyber Exposure Index (CEI) was launched in Singapore earlier this month. Over the next few months, indices for eleven major global stock exchanges outside of the US will be released. Following the release of the Singaporean and Finnish indices, the South African index is the third to be published.

The CEI scores listed companies on their levels of exposure. South African companies received an average exposure rating of 1.9.

The index aggregates data that is publicly available through the dark and deep Web, or as the result of third-party data breaches. This data is used to identify top listed companies’ vulnerability to hacker group activity, disclosed sensitive information and leaked credentials.

Companies are then scored from 0-5, where 0 indicates no exposure and 5 places a company among the 1% of firms with the most exposure.

While no South African company scored a 5, many household names — from Sasol to Liberty Holdings and from Woolworths to Anglo American — scored a 4.

ICT sector

In the ICT sector, those scoring a 4 included Telkom, MTN and EOH. Mix Telematics, Vodacom, Huge Group, Mustek, Adapt IT, Blue Label Telecoms and Naspers all scored 3. ICT companies scoring at the other end of the scale, with 0, included Alviva Holdings (formerly Pinnacle Holdings) and Labat Africa.

Telecommunications companies have among the highest levels of exposure in South Africa at 13.1%, compared to the global average of 2.4%, according to the researchers.

Figure: South Africa’s global relative cyber exposure by industry, according to the Cyber Exposure Index

The company responsible for the index, Kinkayo, is a Singapore-based cyber intelligence organisation founded by professionals in the cybersecurity field.

The CEI has been developed as a way for companies to gauge their cyber exposure, empower them with the opportunity to identify where their vulnerabilities lie and take decisive action against their risks, it said.

Download the full list here.

Source: Tech Central 

New Gumtree scam uses Uber drivers

A MyBroadband reader recently faced a scam involving Gumtree, Taxify, and his iPhone 7 Plus.

It started when he posted his iPhone 7 Plus 256GB on Gumtree, and received five calls to purchase the device on the first day.

“All of them said they do not use WhatsApp. All said they will send an Uber to collect. All offered to send documents,” he said.

Scammers appear to be trawling Gumtree for high-value items, like an iPhone, and then trying to steal them by offering to purchase the item and sending forged documents and payment notifications.

This is done when potential victims agree to accept an EFT.

The scammer knows which bank the victim uses and sends an SMS stating a deposit has been made into their bank account from a different bank.

This gives them an excuse, should the victim check, for why the money hasn’t cleared yet. They then send an SMS that looks like a deposit notification from the victim’s own bank.

Scam

In the reader’s case, the scammer said he was sending his “friend” to collect the iPhone after he had made the “payment”.

The “friend” turned out to be a Taxify driver, who had little knowledge of the person he was collecting the phone for.

The reader said after handing his device over, he felt something was wrong, and went to the guard house where he stays and got the driver’s number from the sign-in book.

He called the driver, explained he thought the collection was a scam, and the driver returned – cancelling the trip.

The scammer who had booked the driver was a cash customer. He then contacted the driver and offered R1,500, then R3,000, to complete the delivery. The driver declined.

“These criminals are using Uber and Taxify with cash payment options to get the drivers to do the hard work and collect the items from victims,” said the reader.

Fighting cons

Gumtree said fraudulent proof of payment is not new in online marketplaces.

“Although we haven’t seen many cases like this, it seems that Uber or Taxify is another way of making it harder to trace the actual perpetrator,” said Gumtree.

“We urge community members to inform us via our 24/7 contact centre if they encounter a suspicious buyer or seller.”

Gumtree stated that victims or potential victims must also contact the SAPS about any scam incidents.

The company said it will speak to Uber and Taxify to collaborate and combat this activity.

Uber recently introduced new safety features which require cash riders to link a Facebook account to their Uber profile, which it verifies, before using the service.

The feature is called Social Connect, and currently only new sign-ups are required to link their Facebook account.

Uber said there is potential for Social Connect to expand to existing users in future.

Taxify did not respond to requests for comment.

Safety features

One way to avoid falling victim to a scam is to use a third-party escrow service, like Shepherd – which is offered by Gumtree in conjunction with Standard Bank.

The service charges 3.95% of the transaction value, with a minimum charge of R30.

Shepherd also charges separately for its shipping service – starting at R100 for items below 2kg, and R169 for items up to 10kg.

“If you opt not to use Shepherd, always check that funds have cleared before handing over goods,” said Gumtree.

By Jan Vermeulen for MyBroadband

Wi-Fi is under attack

A huge vulnerability in Wi-Fi that fundamentally breaks the security we use to protect our wireless networks has just been exposed.

The exploit, revealed on Monday, takes advantage of a newly found vulnerability in WPA2, the security protocol used to safeguard all modern Wi-Fi networks, and researchers say it could compromise virtually any Wi-Fi network previously thought to be secure.

“The attack works against all modern protected Wi-Fi networks,” explains the security researcher who discovered the vulnerability, Mathy Vanhoef from Belgium’s KU Leuven university.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

By taking advantage of the vulnerability in what is called a key reinstallation attack (KRACK), a hacker could read information supposed to be encrypted on a Wi-Fi network, intercepting potentially sensitive information like credit card numbers, passwords, photos, and messages.

In the worst case, Vanhoef says, it could be possible for someone to use KRACKs to inject and manipulate data on a compromised Wi-Fi network, hijacking devices to inject ransomware or other malware onto systems.

“Wow. Everyone needs to be afraid,” researcher Robert Graham of Errata Security, who wasn’t involved with the discovery, wrote in a blog post.

“It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup.”

The good news in all this is that the attack can’t be carried out remotely over the Internet: any attacker trying to take advantage of the flaw needs to do so locally, within radio range of the wireless network they’re trying to breach.

That’s because the attack works by fooling a security layer in WPA2 called the four-way handshake, which determines whether devices seeking to join a Wi-Fi network have the right credentials.

When a device joins, the handshake is supposed to generate a fresh encryption key to encrypt all subsequent traffic, but KRACKs manage to fool the device into reinstalling a key it has already been issued, so that the key is used again as if it were new.

“Essentially, to guarantee security, a key should only be installed and used once,” Vanhoef explains.

“Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
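The rule Vanhoef states above, that a key must be installed and used only once, as an added illustration that is not code from the article or from the KRACK researchers: a toy supplicant in Python that resets its packet nonce whenever a key is installed, beside the patched variant that refuses to reinstall a key it already holds. The SHA-256 keystream stands in for the real CCMP cipher, the handshake is reduced to a single key delivery, and all names and messages are constructed for the example.

```python
"""Toy model of WPA2 session-key installation and the reinstallation fix.

Added example, not code from the original article or the KRACK authors.
The cipher is a constructed stand-in (SHA-256 keystream) for CCMP; like
CCMP it is only secure while (key, nonce) pairs never repeat.
"""
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Constructed stream cipher: block i = SHA-256(key || nonce || i).
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side of key installation (hypothetical, simplified)."""

    def __init__(self, reject_reinstall: bool):
        self.reject_reinstall = reject_reinstall
        self.key = None
        self.nonce = 0  # per-key packet number; reset whenever a key is installed

    def install_key(self, key: bytes) -> None:
        if self.reject_reinstall and key == self.key:
            # Patched behaviour: an already-installed key is not installed
            # again, so the packet counter keeps running and nonces never repeat.
            return
        self.key = key
        self.nonce = 0  # the reset that makes reinstallation dangerous

    def encrypt(self, plaintext: bytes):
        n = self.nonce
        self.nonce += 1
        return n, xor(plaintext, keystream(self.key, n, len(plaintext)))


def run_session(reject_reinstall: bool) -> dict:
    """Send a frame, deliver the same key a second time (as a retransmitted
    handshake message would), send another frame, and report the effect."""
    client = Client(reject_reinstall)
    ptk = hashlib.sha256(b"constructed-session-key").digest()
    m1 = b"GET /account HTTP/1.1 "   # constructed sample frames, equal length
    m2 = b"password=hunter2xxxxxx"
    client.install_key(ptk)
    n1, c1 = client.encrypt(m1)
    client.install_key(ptk)          # key reinstallation
    n2, c2 = client.encrypt(m2)
    # If the nonce repeated, the keystream cancels: c1 XOR c2 == m1 XOR m2,
    # i.e. the relationship between the two plaintexts leaks to anyone listening.
    return {
        "nonce_reused": n1 == n2,
        "keystream_cancels": xor(c1, c2) == xor(m1, m2),
    }


def detect_nonce_reuse(frames) -> bool:
    """Defender-side check over (nonce, ciphertext) frames of one session:
    a repeated nonce is the tell-tale sign of a reinstalled key."""
    seen = set()
    for nonce, _ in frames:
        if nonce in seen:
            return True
        seen.add(nonce)
    return False


if __name__ == "__main__":
    print("vulnerable client:", run_session(reject_reinstall=False))
    print("patched client:   ", run_session(reject_reinstall=True))
```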

In the researchers’ testing, the attack worked with varying levels of success against client devices running Apple, Windows, Android, and many other operating systems on compromised networks, and while websites and apps using HTTPS encryption were harder to breach, they weren’t always fool-proof.

Fortunately, the code that makes this attack possible hasn’t been publicly released – so it’s unlikely we’ll see a wave of hackers taking advantage of it straight away, because first they’d need to reverse-engineer how it works.

Before that happens, technology companies – who were given forewarning of the vulnerability – are already busy patching their systems, and some of these patches are already available, which Vanhoef says we should all install as soon as possible.

“Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack,” he explains in an FAQ about the new attack vector.

“Instead, you should make sure all your devices are updated, and you should also update the firmware of your router.”

Of great ongoing concern are the many ‘Internet of Things’ (IoT) devices and appliances now in use that are difficult to update or go unsupported by their manufacturers. These include things like Wi-Fi enabled home security cameras and televisions.

The vulnerability is detailed in a research paper available online, which is due to be presented at the ACM Conference on Computer and Communications Security in Dallas in November.

By Peter Dockrill for Science Alert

The rapidly evolving story about Moscow-based Kaspersky Lab’s involvement in helping Russian government hackers steal sensitive National Security Agency materials has taken yet another turn, as The Wall Street Journal reports that the assistance could have come only with the company’s knowledge.

Wednesday’s report, citing unnamed current and former US officials, said the help came in the form of modifications made to the Kaspersky antivirus software that’s used by more than 400 million people around the world. Normally, the programs scan computer files for malware. “But in an adjustment to its normal operations that the officials say could only have been made with the company’s knowledge, the program searched for terms as broad as ‘top secret,’ which may be written on classified government documents, as well as the classified code names of US government programs, these people said.”

The report is the latest to detail a 2015 event in which an NSA worker—described as a contractor by the WSJ and an employee in articles from The Washington Post—sneaked classified materials out of the agency and onto an Internet-connected computer that had Kaspersky AV installed on it. The WSJ, WaPo, and The New York Times have all reported that hackers working for the Russian government were able to home in on the documents with the help of the Kaspersky software.

On Tuesday, the NYT was the first to report that NSA officials learned of the help provided by Kaspersky AV from Israeli intelligence officials who had hacked into Kaspersky’s corporate network and witnessed the assistance in real time.

Wednesday’s report is the first to explicitly say the assistance wasn’t the result of a covert hack or the exploitation of an inadvertent weakness but rather likely came with the knowledge of at least one Kaspersky official.

“There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this,” the WSJ quoted a former US official with knowledge of the 2015 event saying. The official went on to explain that the Kaspersky software was designed in a way that it would have had to be programmed to look for specific keywords. Kaspersky employees, the official continued, “likely” would have known such a thing was happening. The evidence, Wednesday’s report said, has now caused many US officials to believe the company was a “witting partner” in locating the materials on the home computer.

In a statement issued Wednesday, Kaspersky officials wrote:

Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside US authorities to address any concerns they may have about its products as well as its systems.
The company has long maintained it has no inappropriate ties to any government, including Russia’s, and vigorously defends against all malware threats.

Meanwhile, Reuters reported that German officials had no evidence to back the reports Kaspersky AV played a role in the theft of the NSA materials and had no plans to warn against the use of the software. Last month, the US Department of Homeland Security took the unprecedented step of banning all federal government agencies and departments from using any Kaspersky goods or services.

The WSJ went on to report that US intelligence agencies spent months studying and experimenting with Kaspersky software to see if they could trigger it into behaving as if it had discovered classified materials on a computer being monitored by US spies. “Those experiments persuaded officials that Kaspersky was being used to detect classified information,” Wednesday’s report said.

By Dan Goodin for Ars Technica

Uber on the brink

Shortly after taking over Uber in September, Dara Khosrowshahi told employees to brace for a painful six months.

US officials are looking into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property. The very attributes that, for years, set the company on a rocket-ship trajectory – a tendency to ignore rules, to compete with a mix of ferocity and paranoia – have unleashed forces that are now dragging Uber back down to earth.

Uber faces at least five criminal probes from the Justice Department – two more than previously reported. Bloomberg has learned that authorities are asking questions about whether Uber violated price-transparency laws, and officials are separately looking into the company’s role in the alleged theft of schematics and other documents outlining Alphabet’s autonomous-driving technology.

Uber is also defending itself against dozens of civil suits, including one brought by Alphabet that’s scheduled to go to trial in December.


Some governments, sensing weakness, are moving toward possible bans of the ride-hailing app. London, one of Uber’s most profitable cities, took steps to outlaw the service, citing “a lack of corporate responsibility” and specifically, company software known as Greyball, which is the subject of yet another US probe.

(Uber said it didn’t use the program to target officials in London, as it had elsewhere, and will continue to operate there while it appeals a ban.) Brazil is weighing legislation that could make the service illegal – or at least treat it more like a taxi company, which is nearly as offensive in the eyes of Uber.

Interviews with more than a dozen current and former employees, including several senior executives, describe a widely held view inside the company of the law as something to be tested.

Travis Kalanick, the co-founder and former CEO, set up a legal department with that mandate early in his tenure. The approach created a spirit of rule-breaking that has now swamped the company in litigation and federal inquisition, said the people, who asked not to be identified discussing sensitive matters.

Kalanick took pride in his skills as a micromanager. When he was dissatisfied with performance in one of the hundreds of cities where Uber operates, Kalanick would dive in by texting local managers to up their game, set extraordinary growth targets or attack the competition.

His interventions sometimes put the company at greater legal risk, a group of major investors claimed when they ousted him as CEO in June. Khosrowshahi has been on an apology tour on behalf of his predecessor since starting. Spokespeople for Kalanick, Uber and the Justice Department declined to comment.

Kalanick also defined Uber’s culture by hiring deputies who were, in many instances, either willing to push legal boundaries or look the other way. Chief security officer Joe Sullivan, who previously held the same title at Facebook, runs a unit where Uber devised some of the most controversial weapons in its arsenal. Uber’s own board is now looking at Sullivan’s team, with the help of an outside law firm.

Salle Yoo, the longtime legal chief who will soon leave the company, encouraged her staff to embrace Kalanick’s unique corporate temperament. “I tell my team, ‘We’re not here to solve legal problems. We’re here to solve business problems. Legal is our tool,’” Yoo said on a podcast early this year. “I am going to be supportive of innovation.”

From Uber’s inception, the app drew the ire of officials. After a couple years of constant sparring with authorities, Kalanick recognised he needed help and hired Yoo as the first general counsel in 2012. Yoo, an avid tennis player, had spent 13 years at the corporate law firm Davis Wright Tremaine and rose to become partner. One of her first tasks at Uber, according to colleagues, was to help Kalanick answer a crucial question: Should the company ignore taxi regulations?

Around that time, a pair of upstarts in San Francisco, Lyft and Sidecar, had begun allowing regular people to make money by driving strangers in their cars, but Uber was still exclusively for professionally licenced drivers, primarily behind the wheel of black cars. Kalanick railed against the model publicly, arguing that these new hometown rivals were breaking the law. But no one was shutting them down. Kalanick, a fiercely competitive entrepreneur, asked Yoo to help draft a legal framework to get on the road.

By January 2013, Kalanick’s view of the law changed. “Uber will roll out ridesharing on its existing platform in any market where the regulators have tacitly approved doing so,” Kalanick wrote in a since-deleted blog post outlining the company’s position.

Uber faced some regulatory blowback but was able to expand rapidly, armed with the CEO’s permission to operate where rules weren’t being actively enforced. Venture capitalists rewarded Uber with a $17bn valuation in 2014. Meanwhile, other ride-hailing startups at home and around the world were raising hundreds of millions apiece. Kalanick was determined to clobber them.

One way to get more drivers working for Uber was to have employees “slog.” This was corporate speak for booking a car on a competitor’s app and trying to convince the driver to switch to Uber. It became common practice all over the world, five people familiar with the process said.

Staff eventually found a more efficient way to undermine its competitors: software. A breakthrough came in 2015 from Uber’s office in Sydney. A program called Surfcam, two people familiar with the project said, scraped data published online by competitors to figure out how many drivers were on their systems in real-time and where they were.

The tool was primarily used on Grab, the main competitor in Southeast Asia. Surfcam, which hasn’t been previously reported, was named after the popular webcams in Australia and elsewhere that are pointed at beaches to help surfers monitor swells and identify the best times to ride them.

Surfcam raised alarms with at least one member of Uber’s legal team, who questioned whether it could be legally operated in Singapore because it may run afoul of Grab’s terms of service or the country’s strict computer-crime laws, a person familiar with the matter said. Its creator, who had been working out of Singapore after leaving Sydney, eventually moved to Uber’s European headquarters in Amsterdam. He’s still employed by the company.


Staff at home base in San Francisco had created a similar piece of software called Hell. It was a tongue-in-cheek reference to the Heaven program, which allows employees to see where Uber drivers are in a city at a given moment. With Hell, Uber scraped Lyft data for a view of where its rival’s drivers were.

The legal team decided the law was unclear on such tactics and approved Hell in the US, a program first reported by technology website the Information.

Now as federal authorities investigate the program, they may need to get creative in how to prosecute the company. “You look at what categories of law you can work with,” said Yochai Benkler, co-director of Harvard University’s Berkman Klein Centre for Internet and Society. “None of this fits comfortably into any explicit prohibitions.”

Uber’s lawyers had a hard time keeping track of all the programs in use around the world that, in hindsight, carried significant risks. They signed off on Greyball, a tool that could tag select customers and show them a different version of the app.

Workers used Greyball to obscure the actual locations of Uber drivers from customers who might inflict harm on them. They also aimed the software at Lyft employees to thwart any slog attempts.

The company realised it could apply the same approach with law enforcement to help Uber drivers avoid tickets. Greyball, which was first covered by the New York Times, was deployed widely in and outside the US without much legal oversight.

Katherine Tassi, a former attorney at Uber, was listed as Greyball supervisor on an internal document early this year, months after decamping for Snap in 2016. Greyball is under review by the Justice Department. In another case, Uber settled with the Federal Trade Commission in August over privacy concerns with a tool called God View.

Uber is the world’s most valuable technology startup, but it hardly fits the conventional definition of a tech company. Thousands of employees are scattered around the world helping tailor Uber’s service for each city. The company tries to apply a Silicon Valley touch to the old-fashioned business of taxis and black cars, while inserting itself firmly into gray areas of the law, said Benkler.

“There are real political risks for playing the bad guy, and it looks like they overplayed their hand in ways that were stupid or ultimately counterproductive,” he said. “Maybe they’ll bounce back and survive it, but they’ve given competitors an opening.”

Kalanick indicated from the beginning that what he wanted to achieve with Yoo was legally ambitious. In her first performance review, Kalanick told her that she needed to be more “innovative.” She stewed over the feedback and unloaded on her husband that night over a game of tennis, she recalled in the podcast on Legal Talk Network. “I was fuming. I said to my husband, who is also a lawyer: ‘Look, I have such a myriad of legal issues that have not been dealt with. I have constant regulatory pressures, and I’m trying to grow a team at the rate of growth of this company.’”

By the end of the match, Yoo said she felt liberated. “This is the first time as a lawyer that I’ve been asked to be innovative. What I’m hearing from this is I actually don’t have to do things like any other legal department. I don’t have to go to best practices. I have to go to what is best for my company, what is best for my legal department. And I should view this as, actually, freedom to do things the way I think things should be done, rather than the way other people do it.”

Prosecutors may not agree with Yoo’s assumptions about how things should be done. Even when Yoo had differences of opinion with Kalanick, she at times failed to challenge him or his deputies, or to raise objections to the board.

After a woman in Delhi was raped by an Uber driver, the woman sued the company. Yoo was doing her best to try to manage the fallout by asking law firm Khaitan & Co to help assess a settlement. Meanwhile, Kalanick stepped in to help craft the company’s response, privately entertaining bizarre conspiracy theories that the incident had been staged by Indian rival Ola, people familiar with the interactions have said.

Eric Alexander, an Uber executive in Asia, somehow got a copy of the victim’s medical report in 2015. Kalanick and Yoo were aware but didn’t take action against him, the people said. Yoo didn’t respond to requests for comment.

The mishandling of the medical document led to a second lawsuit from the woman this year. The Justice Department is now carrying out a criminal bribery probe at Uber, which includes questions about how Alexander obtained the report, two people said. Alexander declined to comment through a spokesperson.

In 2015, Kalanick hired Sullivan, the former chief security officer at Facebook. Sullivan started his career as a federal prosecutor in computer hacking and intellectual property law. He’s been a quiet fixture of Silicon Valley for more than a decade, with stints at PayPal and EBay Inc. before joining Facebook in 2008.

It appears Sullivan was the keeper of some of Uber’s darkest secrets. He oversees a team formerly known as Competitive Intelligence. COIN, as it was referred to internally, was the caretaker of Hell and other opposition research, a sort of corporate spy agency.

A few months after joining Uber, Sullivan shut down Hell, though other data-scraping programs continued. Another Sullivan division was called the Strategic Services Group. The SSG has hired contractors to surveil competitors and conducts extensive vetting on potential hires, two people said.

Last year, Uber hired private investigators to monitor at least one employee, three people said. They watched Liu Zhen, then the head of strategy in China and the cousin of local ride-hailing startup Didi Chuxing, as the companies were negotiating a sale. Liu couldn’t be reached for comment.

Sullivan wasn’t just security chief at Uber. Unknown to the outside world, he also took the title of deputy general counsel, four people said. The designation could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.

Sullivan’s work is largely a mystery to the company’s board. Bloomberg learned the board recently hired a law firm to question security staff and investigate activities under Sullivan’s watch, including COIN. Sullivan declined to comment. COIN now goes by a different but similarly obscure name: Marketplace Analytics.

As Uber became a global powerhouse, the balance between innovation and compliance took on more importance. An Uber attorney asked Kalanick during a company-wide meeting in late 2015 whether employees always needed to follow local ride-hailing laws, according to three people who attended the meeting. Kalanick repeated an old mantra, saying it depended on whether the law was being enforced.

A few hours later, Yoo sent Kalanick an email recommending “a stronger, clearer message of compliance,” according to two people who saw the message. The company needed to adhere to the law no matter what, because Uber would need to demonstrate a culture of legal compliance if it ever had to defend itself in a criminal investigation, she argued in the email.

Kalanick continued to encourage experimentation. In June 2016, Uber changed the way it calculated fares. It told customers it would estimate prices before booking but provided few details.

Using one tool, called Cascade, the company set fares for drivers using a longstanding formula of mileage, time and demand. Another tool called Firehouse let Uber charge passengers a fixed, upfront rate, relying partly on computer-generated assumptions of what people traveling on a particular route would be willing to pay.

Drivers began to notice a discrepancy, and Uber was slow to fully explain what was going on. In the background, employees were using Firehouse to run large-scale experiments offering discounts to some passengers but not to others.


While Uber’s lawyers eventually looked at the pricing software, many of the early experiments were run without direct supervision. As with Greyball and other programs, attorneys failed to ensure Firehouse was used within the parameters approved in legal review. Some cities require commercial fares to be calculated based on time and distance, and federal law prohibits price discrimination. Uber was sued in New York over pricing inconsistencies in May, and the case is seeking class-action status. The Justice Department has also opened a criminal probe into questions about pricing, two people familiar with the inquiry said.

As the summer of 2016 dragged on, Yoo became more critical of Kalanick, said three former employees. Kalanick wanted to purchase a startup called Otto to accelerate the company’s ambitions in self-driving cars. In the process, Otto co-founder Anthony Levandowski told the company he had files from his former employer, Alphabet, the people said.

Yoo expressed reservations about the deal, although accounts vary on whether those were conveyed to Kalanick. He wanted to move forward anyway. Yoo and her team then determined that Uber should hire cyber-forensics firm Stroz Friedberg in an attempt to wall off any potentially misbegotten information.

Alphabet’s Waymo sued Uber this February, claiming it benefited from stolen trade secrets. Uber’s board wasn’t aware of the Stroz report’s findings or that Levandowski allegedly had Alphabet files before the acquisition, according to testimony from Bill Gurley, a venture capitalist and former board member, as part of the Waymo litigation. The judge in that case referred the matter to U.S. Attorneys. The Justice Department is now looking into Uber’s role as part of a criminal probe, two people said.

As scandal swirled, Kalanick started preaching the virtues of following the law. Uber distributed a video to employees on March 31 in which Kalanick discussed the importance of compliance. A few weeks later, Kalanick spoke about the same topic at an all-hands meeting.

Despite their quarrels and mounting legal pressure, Kalanick told employees in May that he was promoting Yoo to chief legal officer. Kalanick’s true intention was to sideline her from daily decisions overseen by a general counsel, two employees who worked closely with them said. Kalanick wrote in a staff email that he planned to bring in Yoo’s replacement to “lead day to day direction and operation of the legal and regulatory teams.” This would leave Yoo to focus on equal-pay, workforce-diversity and culture initiatives, he wrote.

Before Kalanick could find a new general counsel, he resigned under pressure from investors. Yoo told colleagues last month that she would leave, too, after helping Khosrowshahi find her replacement. He’s currently interviewing candidates. Yoo said she welcomed a break from the constant pressures of the job. “The idea of having dinner without my phone on the table or a day that stays unplugged certainly sounded appealing,” she wrote in an email to her team.

The next legal chief won’t be able to easily shed the weight of Uber’s past. “Lawyers don’t realize that once they let the client cross that line, they are prisoners of each other from that point on,” said Marianne Jennings, professor of legal and ethical studies in business at Arizona State University.

“It’s like chalk. There’s a chalk line: It’s white; it’s bright; you can see it. But once you cross over it a few times, it gets dusted up and spread around. So it’s not clear anymore, and it just keeps moving. By the time you realize what’s happening, if you say anything, you’re complicit. So the questions start coming to you: ‘How did you let this go?’”

Source: Fin24

Office tech fails cost nine working days a year

UK workers are losing on average nine working days due to technology failing around the office, a new survey by Ebuyer.com has revealed.

The survey of UK office workers, conducted by the UK’s largest independent online tech retailer, revealed that one in ten workers wastes up to 30 minutes a day due to technology not working in the workplace, with the average time lost totalling 15 minutes and 17 seconds.

With 253 working days in 2018, this totals over nine working days being lost next year – a staggering number, especially for small businesses.

Workers in the legal sector lost the most amount of time each day due to technology issues, spending an average of 17 minutes and 10 seconds waiting for issues to be resolved. Those working in the IT industry lost on average 17 minutes.

Engineering and manufacturing workers also featured in the top three, losing on average 16 minutes, 44 seconds.

The industries that saw workers lose the most time due to office tech fails were:

• Legal (17 minutes, 10 seconds).
• Information technology (17 minutes, 2 seconds).
• Engineering and manufacturing (16 minutes, 44 seconds).
• Recruitment and HR (16 minutes, 26 seconds).
• Marketing, advertising and PR (15 minutes, 59 seconds).
• Accountancy, banking and finance (15 minutes, 40 seconds).
• Property and construction (15 minutes, 28 seconds).
• Healthcare (15 minutes, 23 seconds).
• Teaching and education (15 minutes, 9 seconds).
• Public services and administration (15 minutes, 8 seconds).

In an increasingly digital world, it is no surprise that internet connectivity issues were the most common tech fail in UK offices, with 44% of workers claiming this has affected them in the last six months.

Computers and laptops crashing was the second most common tech fail (41%), followed by the printer breaking (40%).

As businesses look to implement measures throughout the company in line with GDPR, which comes into effect from May 2018, a worrying number of workers claim they have accidentally sent an email to the wrong person (15%), with a further 7% losing time at work due to the work system being hacked.

Over 6% of workers have accidentally clicked on a spam email – a sure-fire way to cause a headache for the company’s IT team.

Dave Jones, product buyer at Ebuyer.com, said: “The research we conducted has revealed some really shocking figures. Over nine working days lost to technology is sure to have a huge impact on businesses, especially small businesses and start-ups.

“Making sure that technology is regularly updated will stop issues with computers regularly crashing, and having systems backed up on servers should keep time lost to a minimum. Keeping equipment around the office updated and replacing old and slow technology may cost in the short term, but the time saved will soon balance this out.

“Keeping office supplies stocked is also a quick and easy way to keep time lost to a minimum, as over one in seven (13%) workers lost time in work due to the printer running out of paper.”

By Nick Ismail for Information Age 

Cyber insurance for local businesses launched

Local insurance firm King Price has launched a new product that will cover local firms in the event of a cyberattack.

The product is known as cybersure and it includes cover for cyber liability and cybercrime, data breach expenses, damage to computer systems and data, associated loss of income, and more.

“Cyber attacks can be devastating from both a financial and reputational point of view, and it’s clear that cybercrime has become a major threat to South African businesses. Having cyber insurance is non-negotiable,” says King Price spokesperson Wynand van Vuuren.

At the moment the product is only available to businesses but King Price says it will be launching a personal cyber insurance product in 2018.

Cybersure customers will be covered for a variety of cyber attacks including ransomware. King Price says that in the event of a ransomware attack it will pay the ransom if that is what is needed.

It seems like a rather solid product, but we’d urge you to contact King Price or visit the website to get more information about cybersure to see if it’s right for you.

By Brendyn Lotz for HTXT

Google is warning users that Secure Sockets Layer (SSL) certificates purchased from Symantec, VeriSign, GeoTrust, Thawte, Equifax and RapidSSL are not secure – raising questions for businesses using them.

SSL certificates are small data files that digitally bind a cryptographic key to an organisation’s details. When installed on a Web server, the certificate activates the padlock and the https protocol and allows secure connections between the Web server and a browser.

Browser developers, including Google, have raised questions about the way Symantec issued SSL certificates, and have threatened to stop recognising them, a move that could hurt Symantec’s customers and worry visitors to the Web sites using the affected certificates.

Improper issuances
In March, Google accused Symantec of misusing at least 30 000 such certificates, potentially allowing attackers to masquerade as legitimate Web sites.

The Internet giant expects root certificate authorities like Symantec to validate domain ownership before issuing certificates, to secure their operations and infrastructure, to monitor for signs of improper issuance, and to audit logs in order to review issuance activity.

Google stated Symantec had not met these standards and had allowed outside access to their certificate infrastructure without proper oversight.

Symantec SSL certificates – estimated to make up one in every six SSL certificates currently deployed online – include certificates issued by VeriSign, GeoTrust, Thawte, Equifax and RapidSSL because Symantec bought their certificate authorities and they were subsequently added to the Symantec root.

The search-engine giant indicated last month that it has added a new feature under the “Developer Tools” menu item in the latest version of its Web browser, Google Chrome, alerting users that Symantec, VeriSign, GeoTrust, Thawte, Equifax and RapidSSL SSL certificates issued before 1 June 2016 will be considered distrusted from next March.

The core of the issue surrounding Symantec certificates – the business operates under brand names such as VeriSign, Thawte, Equifax, RapidSSL or GeoTrust – is that Symantec “entrusted several organisations with the ability to issue certificates without the appropriate or necessary oversight,” says Google.

The latest version of Google Chrome – the world’s most popular browser – called version 62 is scheduled to go live between 22 and 28 October. According to Net Market Share, Chrome dominates the browser market with a 59.61% market share.

The next big upgrade, called Chrome 66, is expected mid-April 2018 and visitors to Web sites using Symantec certificates issued before 1 June 2016 will receive warnings that the sites are “untrusted”.

Google has also indicated that Chrome 70 – estimated for roll-out in October 2018 – will distrust any certificate issued by Symantec’s old infrastructure, including those sold after 1 June 2016.
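A defender’s first question after reading the schedule above is whether a given certificate falls on the wrong side of it. The Go program below is an added example, not code from the article or from Google, Symantec or DigiCert: it parses a PEM certificate with the standard library and maps it onto the two cut-offs the article gives (issued before 1 June 2016: Chrome 66; any other certificate from the old Symantec infrastructure: Chrome 70). Matching on the brand names in the issuer’s Organization or Common Name is an assumption made for this example (real clients identify the affected roots cryptographically rather than by name), and certificates from the DigiCert-run replacement infrastructure are out of scope here. The sample certificates are constructed in-process (self-signed, with the issuer organisation and NotBefore date set deliberately) so that nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Brand names the article lists as living under the Symantec root.
// Matching issuer name strings is a simplification chosen for this
// example (an assumption), not how Chrome's own distrust logic works.
var symantecBrands = []string{"symantec", "verisign", "geotrust", "thawte", "equifax", "rapidssl"}

// Cut-off date from the article's Chrome schedule.
var chrome66Cutoff = time.Date(2016, time.June, 1, 0, 0, 0, 0, time.UTC)

// Verdicts returned by Classify.
const (
	Unaffected         = "issuer not Symantec-branded: unaffected by this schedule"
	DistrustedChrome66 = "issued before 1 June 2016: distrusted from Chrome 66 (mid-April 2018)"
	DistrustedChrome70 = "issued by Symantec infrastructure on/after 1 June 2016: distrusted from Chrome 70 (October 2018)"
)

// IsSymantecBranded reports whether the issuer's Common Name or any
// Organization value contains one of the brand names (case-insensitive).
func IsSymantecBranded(cert *x509.Certificate) bool {
	fields := append([]string{cert.Issuer.CommonName}, cert.Issuer.Organization...)
	for _, f := range fields {
		lf := strings.ToLower(f)
		for _, b := range symantecBrands {
			if strings.Contains(lf, b) {
				return true
			}
		}
	}
	return false
}

// Classify maps a leaf certificate onto the distrust timeline from the article.
func Classify(cert *x509.Certificate) string {
	if !IsSymantecBranded(cert) {
		return Unaffected
	}
	if cert.NotBefore.Before(chrome66Cutoff) {
		return DistrustedChrome66
	}
	return DistrustedChrome70
}

// ClassifyPEM decodes one PEM CERTIFICATE block, parses it and classifies it.
func ClassifyPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parsing certificate: %w", err)
	}
	return Classify(cert), nil
}

// MakeSampleCert builds a constructed, self-signed certificate. Because it is
// self-signed, the subject Organization we set is also the issuer Organization,
// which is what Classify inspects. This exists only so the example runs offline.
func MakeSampleCert(issuerOrg string, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com", Organization: []string{issuerOrg}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"www.example.com"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed samples: one pre-cut-off Symantec cert, one later GeoTrust
	// cert, and one from an unrelated (hypothetical) CA.
	samples := []struct {
		org  string
		date time.Time
	}{
		{"Symantec Corporation", time.Date(2015, time.March, 1, 0, 0, 0, 0, time.UTC)},
		{"GeoTrust Inc.", time.Date(2017, time.January, 10, 0, 0, 0, 0, time.UTC)},
		{"Example CA Ltd", time.Date(2017, time.January, 10, 0, 0, 0, 0, time.UTC)},
	}
	for _, s := range samples {
		pemBytes, err := MakeSampleCert(s.org, s.date)
		if err != nil {
			panic(err)
		}
		verdict, err := ClassifyPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s %s -> %s\n", s.org, s.date.Format("2006-01-02"), verdict)
	}
}
```

To check a real deployment, feed `ClassifyPEM` the leaf certificate exported from the server (or captured with a TLS client) instead of the constructed samples; the NotBefore comparison is done in UTC, which is how dates come back from the DER parser, so a certificate issued at exactly 00:00 on 1 June 2016 falls into the Chrome 70 group.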

DigiCert deal
Following the impasse, Symantec has since entered an agreement with identity and encryption solutions provider DigiCert, which will acquire Symantec’s Web site security and related public key infrastructure solutions.
Under the terms of the agreement, Symantec will receive approximately $950 million in upfront cash proceeds and approximately a 30% stake in the common stock equity of the DigiCert business at the closing of the transaction.
However, Lauren Collier, SSL sales manager at cyber security firm LAWtrust, says while DigiCert – which is buying Symantec’s certificate authority business – is promising to issue replacement certificates from December this year, businesses should think carefully about how to proceed.

“One of the important parts of the SSL ecosystem is trust. If a certificate authority neglects to properly verify the legal existence and identity of an entity before issuing SSL certificates for domains, as Symantec has been accused of doing, this breaks the chain of trust,” she says.

Serious concern
For Jon Tullett, IDC’s research manager for IT services for Africa, SSL certificates are absolutely fundamental to modern Internet security. “They’re far from perfect – as this incident shows – but they are used to secure a tremendous amount of online activity.”

He explains that when a browser like Chrome removes a certificate, users will get a warning before they visit a site which uses that certificate to validate its identity.

“Google’s Chrome team has indicated serious concerns with a large number of the certificates in question, prompting this action, so it’s likely quite a number of sites and services may be affected – many thousands, potentially,” says Tullett.

Meanwhile, Manuel Corregedor, COO of information security company Telspace Systems, says digital certificates allow for the communication between the user’s machine and the Web site (server) to be encrypted.
“This makes it difficult for an attacker to intercept communications between the user’s computer and/or to masquerade as the authentic Web site.”

He notes organisations will have to replace their certificates or face potential reputational or financial harm.
“However, this is easier said than done, especially for organisations that make use of certificates on devices or terminals that are hard to get to. In such cases, organisations will find it very difficult to update the certificates before the deadline imposed by Google,” says Corregedor.

By Admire Moyo for ITWeb

Facebook and Twitter face a levy on cyber bullying

Social-media giants such as Facebook and Twitter will have to reveal the scale of cyber bullying in the UK and face being made to pay the cost of dealing with it.

Under the latest guidance by the UK government, technology companies will be required to publish an annual report on how complaints are handled, the reported abuse that is pulled down and the extent of their efforts to moderate bullying or offensive content about children, women, gay people or religions.

One of the proposals is for “an industry-wide levy so social-media companies and communication service providers contribute to raise awareness and counter internet harms,” according to a statement published Wednesday that didn’t give further details.

“Behavior that is unacceptable in real life is unacceptable on a computer screen,” Culture Secretary Karen Bradley said in an email released by her office.

“We need an approach to the internet that protects everyone.”

The campaign is part of the government’s wider strategy to force technology companies to accept greater responsibility for their content.

Home Secretary Amber Rudd has also called on companies to “step up” and assume moral responsibility for ridding their platforms of terrorist content, refusing to rule out the prospect of compulsion by fines or legislation.

The UK has been pushing the envelope in terms of how willing it is to go after Silicon Valley.

Efforts to end hate speech and trolling on social media have intensified in the wake of five terror attacks this year, yet the desire to regulate tech firms – in ways that are unprecedented – risks driving them offshore.

On Tuesday, Sharon White, the chief executive of UK media regulator Ofcom, said she viewed companies like Facebook as news publishers.

Prime Minister Theresa May’s spokesman, James Slack, later told reporters that the government was “looking at the role Google and Facebook play in the news environment” as well as “the roles, responsibility and legal status of the major internet platforms.”

In May 2016, a number of social-media companies, including Facebook, Twitter and Google’s YouTube voluntarily committed to trying to take down illegal content within 24 hours.

But last month the European Commission called upon the tech firms to do more to block illegal content.

Germany has passed a law requiring hate speech to be removed within 24 hours of it being flagged, with penalties of up to 50 million euros ($60 million) for repeated failures to comply.

In September, May went further. At a meeting at the United Nations, she proposed new rules requiring internet companies to take down extremist content within two hours.

Source: BusinessTech/Bloomberg

My Office News Ⓒ 2017 - Designed by A Collective