Wednesday 14 August 2019

Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows


A Google security researcher has disclosed details of a 20-year-old, unpatched, high-severity vulnerability affecting every version of Microsoft Windows from Windows XP through the latest Windows 10.

The vulnerability lies in the way MSCTF clients and the MSCTF server communicate with each other, allowing even a low-privileged or sandboxed application to read and write data belonging to a higher-privileged application.

MSCTF is a module in Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition.

In a nutshell, when you log in to a Windows machine it starts a CTF monitor service that acts as the central authority for communication between all CTF clients, which are in practice the windows of every process running in the same session.

"You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods. The kernel forces applications to connect to the ctfmon service when they start, and then exchange messages with other clients and receive notifications from the service," the researcher explained.

Tavis Ormandy from Google's Project Zero Team discovered that since there is no access control or any kind of authentication in place for this interaction, any application, any user and even sandboxed processes can:

  • connect to CTF session,
  • read and write the text of any window, from any other session,
  • fake their thread id, process id, and HWND,
  • pretend as a CTF service, tricking other applications, even privileged ones, to connect to it, or
  • escape from sandboxes and escalate privileges.

"There is no access control in CTF, so you could connect to another user's active session and take over any application, or wait for an Administrator to login and compromise their session," Ormandy explains in a blog post published today.

"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."



If exploited, the weakness in the CTF protocol would let attackers bypass User Interface Privilege Isolation (UIPI), allowing even an unprivileged process to:

  • read sensitive text from any window of other applications, including passwords out of dialog boxes,
  • gain SYSTEM privileges,
  • take control of the UAC consent dialog,
  • send commands to the administrator's console session, or
  • escape IL/AppContainer sandboxes by sending input to unsandboxed windows.

Ormandy has also published a proof-of-concept video demonstrating how the issue can be exploited to gain SYSTEM privileges in Windows 10.

Beyond the design flaw, the CTF protocol also reportedly contains many memory-corruption bugs that, according to the researcher, are exploitable in a default configuration.

"Even without bugs, the CTF protocol allows applications to exchange input and read each other's content. However, there are a lot of protocol bugs that allow taking complete control of almost any other application. It will be interesting to see how Microsoft decides to modernize the protocol," Ormandy says.

The researcher has also released on GitHub a custom open-source "CTF Exploration Tool" that he developed and used to find many critical security issues in the Windows CTF protocol.

Ormandy reported his findings to Microsoft in mid-May this year and published the details today, after Microsoft did not address the issue within 90 days of being notified.

Thursday 25 July 2019

Joburg City Power hit by virus, affecting electricity purchases

A computer virus that hit City Power has knocked out the utility's IT systems, leaving scores of Johannesburg residents unable to buy electricity as the balance on their prepaid meters runs down to 0.00.
The power utility's spokesperson, Isaac Mangena, said the virus had attacked its database and other software, affecting most of its applications and networks.
The virus has also prevented customers who had already bought electricity from loading it onto their meters.
The City Power website is also affected.
"It may also affect our response to some outages, as the system used to order and dispatch material is affected. The City Power IT team has been working since 01:00 this morning to fix this problem," Mangena said.
He said they hoped to have the glitch fixed by midday on Thursday.
On Wednesday, the utility announced that it was experiencing capacity constraints due to the cold weather in Johannesburg.
Mangena said cold weather conditions could result in unplanned outages, as the electrical system experienced overloading when demand increased.
He said plans were in place to deal with unplanned outages. The key focus of the plan was to attend to those areas that experienced repeated unplanned outages on the same day or week, he said.
"We have also increased the number of technicians in areas that are prone to repeated unplanned power outages.
"More teams have been put on standby so that they can be dispatched to attend to outages and respond to emergency calls," he said.
Residents have been urged to use electricity sparingly during this time.

Sunday 21 July 2019

iNSYNQ Cloud Hosting Provider Hit by Ransomware Attack

Cloud hosting provider iNSYNQ has suffered a ransomware attack that forced the company to shut down some of its servers to stop the malware from spreading and affecting more customer data.
iNSYNQ is an authorised Microsoft, Intuit and Sage host that provides customers with cloud-based virtual desktops for business applications such as QuickBooks, Sage, Act and Office.
"iNSYNQ experienced a ransomware attack on 7/16/19 perpetrated by unknown malicious attackers. The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible," says a status update published on the company's support website.
"As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment. This effort was made to protect our clients data and backups."
The cloud hosting firm also says that it has hired cybersecurity experts to help restore access to affected customer data and to all clients' virtual desktops, with "major traction" to be made "by early next week" according to a letter sent to customers by iNSYNQ's CEO.
As iNSYNQ's CEO Elliot Luchansky also wrote in his letter: "Understandably, there have been many requests for backups. I want to be very clear that we are not withholding data or backups, we simply cannot safely access them at this time.
"We're still doing everything in our power to ensure that the backups are available to you once we have addressed the underlying problem. Our entire team is working diligently to protect and restore access to your impacted data [..]"
Luchansky also answered some of the questions asked by iNSYNQ's customers following the downtime caused by the ransomware attack stating that:
Unfortunately, these kinds of things are inevitable. No system is 100% impervious to malware, and we collectively were victims of an attack perpetrated by unknown malicious actors. We wish we had a quick-fix or a way to fully eliminate these risks. If we did, then obviously this kind of event would never happen.
He also said that a timeline for when the customers' environments will be back up is not yet available but the iNSYNQ team is accelerating the process of restoring the clients' data and getting all systems online.
"We turned off servers as soon as we identified that we were being attacked, and are currently working very closely with industry-leading experts that specialize in working through events like this, so that we are able to restore the access as quickly as we possibly can," added Luchansky.
"We contained the situation as soon as we became aware of it. There is no evidence to suggest that any of your files have been copied from the iNSYNQ environment. The issue at hand centers on being able to access your files that have been encrypted; it is not a matter of your data being stolen or copied," iNSYNQ's CEO also said.
While the letter the CEO sent to customers after the incident adds some detail on what happened, there is no mention of the ransomware attack on Luchansky's Twitter account or on the iNSYNQ account, which is no longer accessible (a Google-cached copy of its contents was still available at the time of writing).
A customer who got in touch with the iNSYNQ team says that the clients' backups were stored on a separate server, but on the same network that the attack reached.
The company also believes that all the customer data will be recovered and restored but it will take some time until all the backups will be checked to make sure that the malware did not affect them in any way.

Saturday 20 July 2019

Russian FSB Intel Agency Contractor Hacked, Secret Projects Exposed

A contractor for the Russian Federal Security Service (FSB) has been hacked and secret projects that were being developed for the intelligence agency were leaked to Russian Media. These projects detail Russia's attempt to de-anonymize users on the Tor network, collect data from social networks, and how to isolate the Russian portion of the Internet from the rest of the world.
On July 13th, 2019, an FSB contractor named "Sytech" was reportedly hacked by a group calling itself 0v1ru$. The group defaced the contractor's website with an image of a "Yoba-face" and posted a screenshot of the defacement on its Twitter feed.
In addition, BBC Russia reports that the hackers stole 7.5TB of data from the contractor's network. This data includes information about numerous non-public projects that were being developed by Sytech on behalf of the Russian government and its intelligence agency.
To prove they gained access to Sytech's servers, 0v1ru$ posted images of internal pages of Sytech's web site and of server drives and users in their Windows domain controller.
The stolen data was then passed on to another hacking group, DigitalRevolution, which shared it with Russian media. DigitalRevolution claimed to have hacked the Russian research institute "Kvant" in 2018.
The stolen data seen by BBC Russia outlines a variety of projects being developed by Sytech. These projects include:
Mentor was allegedly being developed for Russian military unit No. 71330, reportedly the FSB's radio-electronic intelligence unit. It would monitor selected email accounts at set intervals and collect messages containing specified phrases.
Nadezhda, or Hope in English, is a project designed to visualize how Russia is connected to the rest of the Internet. This research is part of Russia's attempts to create a "sovereign Internet" where Russia can isolate itself from the rest of the Internet.
Nautilus is a project developed between 2009 and 2010 to collect information about users on social networks such as Facebook, LinkedIn, and MySpace.
Nautilus-S is research into de-anonymizing users on the Tor network by creating exit nodes that were controlled by the Russian government. This project was allegedly started at the request of the Russian Research Institute "Kvant".
Reward was designed to penetrate and perform covert operations on peer-to-peer networks, including BitTorrent, Jabber, OpenFT and ED2K.
Tax-3 is the most recent project and was commissioned by the "Chief Scientific Innovation Center JSC", which reports to the Federal Tax Service. It would provide the ability to manually remove information about people under state protection from the Federal Tax Service's records.
Sytech's website (www.sytech.ru) has since been taken offline, and the company has not responded to inquiries from the BBC.
While this breach is not nearly as concerning as WikiLeaks' Vault 7 publication of CIA hacking tools, the BBC states that it is the largest data leak in the history of the Russian special services.

Microsoft opens Dynamics 365 bug bounty with $20k top prize

Microsoft has added one more bug bounty to its security rewards lineup. For the first time, researchers can hunt for bugs in its Dynamics 365 ERP and CRM software and earn rewards of up to $20,000.
The Dynamics 365 Bounty program is now open, inviting researchers to find and report vulnerabilities in Microsoft's Dynamics 365 applications for rewards of between $500 and $20,000 per valid bug.
There are dozens of online and on-premise Dynamics 365 applications: online apps include Dynamics 365 for sales, customer service, field service, talent, finance and operations, retail and more. The latest releases of on-premise Dynamics 365 apps are also in scope, including Dynamics AX, CRM, GP, NAV, and SL.
Microsoft has also updated its main Microsoft Bug Bounty Program with simplified high-level requirements for them and extra links and resources. 
And it's reorganized its bug bounties into three main categories: Cloud Programs; Platform Programs; and Defense Programs. 
Dynamics 365 is the newest entry in the Cloud Programs section, which also covers Microsoft Identity services such as Azure Active Directory, as well as Azure DevOps Services, .NET Core and ASP.NET Core, and the Microsoft Cloud Bounty.
The Platform Programs cover Microsoft Hyper-V, the Windows Insider Preview, Windows Defender Application Guard, the Edge on Windows Insider Preview, and Office Insider. 


The Defense Programs currently only includes the 'Mitigation Bypass and Bounty for Defense', which offers the highest rewards of up to $100,000.
The extra resources include links to frequently asked questions, examples of low- and high-quality reports, the Windows security servicing criteria, a directory of Azure services, Microsoft product documentation, and the Microsoft Security Research & Defense blog.


The Dynamics 365 top payout matches the top reward for the Microsoft Cloud Bounty, which was recently raised from $15,000 to $20,000.
Earlier this year Microsoft handed payment processing to the third-party bug bounty platform HackerOne, and has since added Bugcrowd. Microsoft still triages reports and decides reward values itself, but moved to HackerOne and Bugcrowd to speed up payments to researchers and to offer more payment options, including cryptocurrency.

Sunday 14 July 2019

Hacker discloses Magyar Telekom vulnerabilities, faces jail term


An ethical hacker who reported serious vulnerabilities in Magyar Telekom has been arrested and faces years behind bars for "disturbing a public utility."
Magyar Telekom, a Hungarian telecommunications company, filed a complaint against the hacker who is now being defended by the Hungarian Civil Liberties Union (HCLU/TASZ).
According to local media, the man discovered a severe vulnerability in the telecom provider's systems in April 2018. These findings were reported to the company and both parties met.
The idea of working together was floated but never came to fruition, and in the meantime the researcher continued probing Magyar Telekom's networks.
In May, the hacker found another vulnerability which the publication says, if exploited, could have been used to "access all public and retail mobile and data traffic, and monitor servers."
According to Index.hu, the first vulnerability allowed the hacker to obtain an administrator password through a public-facing service. The second bug allowed him to "create a test user with administrative privileges."


On the same day, the company noticed unusual activity on its network and reported an intrusion to the police, which led to the man's arrest.
The trial has already begun. Hungary's prosecution service is requesting a prison term, while the HCLU has fought back, claiming that the indictment is "incomplete" as "it is not clear what exactly he has done."


Magyar Telekom told Napi.hu:
"The hacker, beyond the limits of ethical hacking, launched new attacks after the first attack, and began to crack additional systems with the data he had acquired so far."
A plea deal was on the table: if the man admitted his 'guilt' he would receive a two-year suspended sentence. He refused, and the researcher is now charged with the more serious offence of "disrupting the operation of a public utility", which carries up to eight years in prison.
Ethical hacking is often treated as falling outside criminal law because such intrusions can benefit companies and society as a whole, a "good faith" argument that forms part of HCLU's defence strategy.
However, there are still rules which should be observed, such as making sure no private data is taken and day-to-day operations are not disrupted due to testing and probes.
This encapsulates the prosecutor's case. Law enforcement claim that the hacker crossed an ethical line and his actions may have posed a "danger to society," and therefore he can be charged under the country's criminal laws.
However, there is no evidence that the man in question disregarded these rules, and in a separate statement, the company said itself that the customer data was "safe and secure."
"If someone finds a mistake on a system of Magyar Telekom Group and reports it to Telekom immediately, it does not use it in any way (eg does not modify, delete, save information, etc.), cooperates with Telekom's own investigation and does not publish (this endangers the system), Telekom will not file a complaint against it," Magyar Telekom added.
The case is ongoing.

Engineer flees to China after stealing source code of US train firm

Insider threats are a common problem for companies now increasingly reliant on computers and electronic systems, with the risk of intellectual property theft a constant worry. 
For one locomotive manufacturer in Chicago, a software engineer who was handed the keys to the kingdom became the ultimate example of how much data a single individual can steal, and where it may end up.
According to newly unsealed federal indictment charges revealed by the US Department of Justice (DoJ) on Thursday, Xudong "William" Yao is currently in hiding after allegedly stealing a vast array of information belonging to his former employer. 
The unnamed locomotive manufacturer hired Yao in 2014. US prosecutors say that within two weeks of starting his new job, Yao downloaded over 3,000 electronic files containing "proprietary and trade secret information relating to the system that operates the manufacturer's locomotives."
This was not the end of the matter. Over the course of the next six months, the software engineer allegedly continued to download and steal more files containing corporate and intellectual property.
Notably, this included nine complete copies of the company's control system source code and the technical blueprints which described how the source code worked in depth.
While Yao was allegedly pilfering the US company's trade secrets, he also reportedly accepted a job with a business in China that specialises in automotive telematics.
In February 2015, the US locomotive firm fired Yao for reasons unrelated to the theft. In July 2015, following his dismissal, Yao made copies of the stolen data, travelled to China and began working for his new employer. He later travelled back to Chicago with the stolen intellectual property in his possession before returning to China once more.
The engineer has not been traced since, but US law enforcement believes he remains in China. A federal arrest warrant was issued in 2017, but Yao has yet to be apprehended.
Yao is charged with nine counts of theft of trade secrets. If found and convicted, the software engineer faces up to 10 years in prison. 
Earlier this month, a 64-year-old electrical engineer was found guilty of conspiring to smuggle military-grade semiconductor chips to China. The engineer and co-conspirators posed as customers to gain access to custom processors, and the physical products were then shipped to a Chinese company. The processors are used by clients including the US Air Force and DARPA.

UK Home Secretary doubles down on cops' deeply flawed facial recognition trials

As if further indication was needed of Britain's slide into a surveillance state, Home Secretary Sajid Javid has backed highly flawed police trials of facial recognition cameras.
Speaking at the launch of tools to be used to combat online child abuse, he said it was right for forces to "be on top of the latest technology".

"I back the police in looking at technology and trialling it," he told the BBC. Javid added that "different types of facial recognition technology are being trialled, especially by the Met, at the moment, and I think it's right they look at that."
"If they want to take it further it's also right that they come to government, we look at it carefully and we set out through Parliament how that can work."
However, a report published last week by researchers at the University of Essex into the Met's facial recognition trials found that only eight of the 42 matches the system flagged were correct.
The researchers were granted unprecedented access to the final six tests and concluded that not only is the technology highly inaccurate but its deployment is likely to be found "unlawful" if challenged in court.
An individual in Cardiff has already mounted a legal challenge to the use of facial recognition tech in public areas by South Wales Police - this was the first such case to be launched in the UK.
Javid's comments come hot on the heels of remarks by the head of London's Metropolitan Police union that the authoritarian Chinese government's use of facial recognition was "spot on".
Speaking on the BBC Essex Breakfast Show, Ken Marsh said: "Although China is a very intrusive country and I don't agree with a lot of what they do, they've got it absolutely correct. They're recognising individuals per second and they've got it spot on."
The Information Commissioner, the UK's data watchdog, has also raised concerns about the technology, saying forces have to demonstrate that it is effective and less intrusive alternatives are not available.
Javid was speaking at the launch of new tools costing £1.7m designed to counter online child abuse.

They include a fast-forensic tool to analyse seized devices and find images already known to law enforcement; an image categorisation algorithm to assist officers to identify and categorise the severity of illegal imagery; and a capability to detect images with matching scenes to help identify children in indecent images in order to safeguard victims.
Javid said: “This game-changing tech will help us do this and will be vital in the fight against online child abusers.” 

TrickBot returns with new attack that compromised 250 million email addresses

The TrickBot malware, which earlier this year worked in tandem with the Ryuk ransomware to siphon millions of dollars for its operators, is back with a new campaign that may have harvested as many as 250 million email addresses.


In a report by Deep Instinct, the cybersecurity company revealed a new variant of TrickBot that teams it up with a malicious, email-based infection and distribution module dubbed TrickBooster.

The new attack starts the same as in previous methods, with TrickBot infiltrating a victim’s computer. The malware then forces the machine to download TrickBooster, which reports back to a dedicated command and control server with lists of email addresses and log-in credentials harvested from the victim’s inbox, outbox, and address book. Afterwards, the TrickBooster server instructs the infected machine to send out malicious infection and spam emails, with the emails deleted from the outbox and trash folder to remain hidden from the victim.

In Deep Instinct’s investigation of TrickBooster and its associated network infrastructure, the cybersecurity firm discovered a database containing 250 million email accounts that were harvested by TrickBot operators. The addresses were likely also targeted with the malicious emails.

The recovered email dump includes about 26 million addresses on Gmail, 19 million on Yahoo, 11 million on Hotmail, 7 million on AOL, 3.5 million on MSN, and 2 million on Yahoo U.K. The compromised accounts also involved many government departments and agencies in the United States, including but not limited to the Department of Justice, the Department of Homeland Security, the Department of State, the Social Security Administration, the Internal Revenue Service, the Federal Aviation Administration, and the National Aeronautics and Space Administration. Others affected include government organizations and universities in the United Kingdom and Canada.



Sunday 6 January 2019

Nigeria -- Banks, PSPs race to comply with CBN risk-based cyber security framework


The Central Bank of Nigeria (CBN) has released a risk-based cybersecurity framework and guidelines for Deposit Money Banks (DMBs) and Payment Service Providers (PSPs), with which they were required to comply by January 1, 2019.
This is in line with its new licensing regime and with Nigeria's Cybercrimes Act of 2015.

In a circular to the concerned organisations which accompanied the framework and guideline, CBN noted that the framework represents the minimum requirements to be put in place by all DMBs in their respective cybersecurity programmes.
In the guideline made available to Nigeria Communications week, CBN stated that: “In recent times, cybersecurity threats have increased in number and sophistication as DMBs and PSPs, use information technology to expedite the flow of funds among entities.
“In this regard, threats such as ransomware, targeted phishing attacks and Advanced Persistent Threats (APT), have become prevalent; demanding that DMBs and PSPs remain resilient and take proactive steps to secure their critical information assets including customer information that are accessible from the cyberspace.
“DMBs/PSPs should note that for a cybersecurity programme to be successful, it must be fully integrated into their business goals and objectives, and must be an integral part of the overall risk management processes.”
Ahmed Adesanya, IT Security and Connectivity Consultant, commended CBN for rising to the occasion of protecting the country’s economy with this regulatory framework.
He said the risk-based cyber security framework and guidelines have moved responsibility for cyber security from banks' IT departments to their boards and top management.
“This framework will increase banks cyber security readiness in the event of any cyber-attack or electronic fraud and stakeholders in the highest authority of banks and payment service providers are now involved in addressing cyber security issues. This is a move in the right direction by CBN to protect customers of Deposit Money Banks and PSP,” he noted.
Engr. Ike Nnamani, chief executive officer of Demadiur Systems, a cybersecurity firm, said the involvement of senior management in organisations' cyber security policies, as required by the CBN framework, had already been listed in the 2017 Nigeria Cyber Security Report published by Demadiur Systems Limited.
“This became necessary because in the surveys done in 2017 and even 2016 it was discovered that over 95% of Nigerian businesses do not have a specific budget for confronting cyber threats.
Only when there is a problem does the IT team make a request for cyber security solutions, and often it is not approved because it is not in the annual budget.
This has led to a situation where most organizations suffer cyber security losses that are avoidable if given priority.
“The decision by the CBN is therefore a welcomed development that will create a more secured cyber space for the country. It is recommended that other agencies and organizations adopt this policy also,” he said.

Microsoft challenges Nigeria to use technology to address unemployment

Global tech giant, Microsoft, has challenged Nigeria to take advantage of technology to address the endemic problem of unemployment in the country.
Salwa Smaoui, Public Sector Government Leader for Microsoft Middle East and Africa, issued the challenge in an interview with our correspondent on the sidelines of a summit with government officials titled ‘Re-imagining the future of Nigeria.’
Smaoui said instead of seeing emerging technologies such as Artificial Intelligence as a challenge, Nigeria could take advantage of such technologies and position its youthful population to be relevant in the emerging global knowledge economy.
 She listed cybersecurity as one of the areas where Nigeria could help to fill the gaps existing in the global pool of experts.
According to the Microsoft executive, a gap of 3.5 million people currently exists in cybersecurity, and Nigeria could exploit that opportunity by training and positioning its youthful population to fill the global skills gap in the field.
Smaoui said Nigeria could also be part of the coming Fourth Industrial Revolution by repositioning its universities to produce graduates who can take up opportunities available all over the world.
 She identified the management of energy as another area that technology could help Nigeria to reposition its economy, adding that through adequate deployment of technology, Nigeria can introduce transparency in the management of its oil and gas resources.
Smaoui said, “Digital transformation can enable a lot of Nigerians. When we talk about energy and oil; how can technology drive transparency? How can technology drive better management of subsidies to the oil companies? How can we diversify the economy so that it doesn’t stay on oil and gas?”
She added, “Sixty-five per cent of the population – those going to school today – will work in jobs that we don’t even know yet. How do we prepare for that? How do we make sure that we are preparing a smart nation that will not only serve Nigeria but also serve the world?”
The Microsoft leader also listed tax collection as another area that technology could help Nigeria to improve its economy. She said Nigeria could borrow a leaf from Zimbabwe which she said had leveraged the power of technology to transform its tax collection process.
She also advocated the use of cloud resources as a viable alternative to investing in data centres, adding that hybrid cloud could help any nation to safeguard its sensitive data resources.
Speaking at the event, Director- General of the National Information Technology Development Agency, Dr Isah Ibrahim, said that the Federal Government had recorded some successes in the deployment of technology to solve local challenges.
He said the government's unflinching commitment to stamping out corruption had led to the implementation of the Treasury Single Account, which is driven essentially by information technology.

Nigeria -- Banks lose to cyber-crime globally, says CIBN

Banks’ loss to cyber-crime globally has risen to $700 billion yearly, President/Chairman of Council, Chartered Institute of Bankers of Nigeria (CIBN), Uche Olowu, has said.
Speaking during the roundtable on information security meeting in Lagos, he said despite the benefits provided by financial technology (Fintech), there are equally heightened risks of cyber threats and fraudulent activities with Nigerian banks alone losing N198 billion to the threat annually.
He said criminal activities such as credit card fraud, phishing, Automated Teller Machine (ATM) fraud and identity theft have increasingly become a threat to banking operations.
“Statistics put the cost of cyber-crime globally at $700 billion annually, a figure projected to rise to about $2 trillion by 2019, due to the rapid digitisation of consumer lives and company records. In the case of Nigeria, about N198 billion is said to be lost to the ever-increasing cases of cyber-crimes per annum usually perpetrated through the financial system,” he said.
Olowu explained that while a variety of organisations are exposed to cybercrime, the financial sector is particularly vulnerable given its crucial role of financial intermediation in a highly connected global financial system.
He said: “Nigerian banking or financial services sector companies should no longer ask if they are going to be hacked, and instead when. Cybersecurity is no longer just about protecting a business’ information. It is critical to maintaining trust with the public and customers, building company reputation, as well as safeguarding data and critical infrastructure. This can all influence higher-level issues like maintaining competitiveness in the market, stock price, and shareholder value.
“For financial sector institutions, cybersecurity has become an issue from the top down. Boards of Directors, Chief Executive Officers and Senior Executives must ensure that they are making the right decisions about cybersecurity for their institution. Shareholders and company Boards of Directors are now asking questions about companies’ approach to cybersecurity and readiness to face an attack, and CEOs must make it clear that security is not just an IT problem – it is a priority for the business. CEOs need to be able to answer tough questions and prove that they are working with the senior leadership team to develop a cybersecurity strategy, and that they understand the cybersecurity landscape and how it can affect key business functions in the company.”
He said it is incumbent upon CEOs to learn more about cybersecurity to ensure that their company is taking appropriate actions to secure their most valuable information assets. “This does not mean that every CEO needs to become a cybersecurity expert. Rather, CEOs should increase their knowledge of core cybersecurity concepts and leverage their own leadership skills to conceptualise and manage risk in strategic terms, understanding the business impact of risk. Most executives want to manage cybersecurity risks in the same thoughtful and intelligent way as they manage other aspects of their business,” he said.
Speaking on data security, he said banks are privy to an immense amount of data which, if put in the wrong hands, could be harnessed for illicit activities. The most prominent example is the Facebook data harvested by Cambridge Analytica through the Application Programming Interface (API) and the interference in the 2016 American elections.
“As a solution, I implore intermediaries such as Payment Solutions Service Providers (PSSP) to act efficiently on data breaches. Furthermore, I believe that data privacy challenges could be effectively tackled with adequate legislation, which would enforce best practices in data protection. Also, a constant review of compliance with global standards such as International Standard Organisations (ISO) and Payment Card Industry Data Security Standards (PCI-DSS) is ensured by the players in the financial service industry,” he said.
He said identity theft is on the rise due to the adoption of digitised platforms globally, and the means by which personal data can be illegally harvested are now more sophisticated than ever. “As a suggestion, I implore all banks to invest further in user education of customers on possible threats, with remedies for mitigating such threats. I also implore banks to further employ the use of intelligence systems and tools such as Predictive Analytics solutions to determine irregular activities on bank accounts which have been compromised, or inconspicuous fraudulent activities.”

Nigeria -- Banks, Fintechs Urged to Invest in Cyber Security Solutions

Banks and financial technology companies have been urged to invest in innovative solutions in combating cybercrimes.
The charge was given at a breakfast meeting organised by Best of Breed Business Solutions Limited (BBBS) in conjunction with its partner, Barac UK, to address enterprise fraud and cyber security challenges in the Nigerian market.
Speaking at the event, the Chief Executive Officer of Best of Breed Business Solutions Limited, Mbama Ethelbert, said that to address fraud and cyber threats, it was important for companies to understand the kind of data being generated by organisations such as banks and telecommunication companies.
“Most organisations, especially service-oriented organisations like banks, telecoms and fintech companies, are moving toward digital transformation as a key strategy. This means opening up their platforms to third-party vendors/partners and using multiple channels to offer services to their customers, such as social media channels, mobile, web, PoS and others.
“These generate massive volumes of data and expose the organisations to threats,” he noted.
He also stated that presently, there are two kinds of data known as structured and unstructured data, “and a third one that sits between both data types known as semi-unstructured data.”
He stated that structured data can be stored in a relational database such as Oracle, MS SQL and others: “here, data is stored in tables with rows and columns. They have relational keys and can easily be mapped into pre-designed fields. Thus, they are highly organised information that uploads neatly into a relational database.”
In his remarks, the Chief Executive Officer of Barac UK, Omar Yaacoubi, noted that there are various measures which banks have to put in place so that when hackers change their behaviour, the solutions they are using can change their behaviour as well.
He explained that modifying the rules was complex, noting that solutions such as artificial intelligence, machine learning and behaviour analytics, would help solve part of the challenges.
Continuing, Ethelbert added: “Structured data concerns all data which can be stored in a Relational Database like Oracle, MS SQL etc. Here, data is stored in tables with rows and columns.”

Unity Bank Wins Award

Unity Bank Plc has won the Central Bank of Nigeria (CBN) 2018 sustainable banking award.
Specifically, the financial institution won the ‘Sustainable Transaction of the Year in Agriculture’ award.
The bank won the award for its compliance with the sustainable banking principles as it relates to the management of environmental and social risk set out by the CBN for adoption by Nigerian banks, discount houses and development banks.
A statement explained that at the recent Bankers’ Committee meeting held in Lagos, the CBN had, while presenting the award, commended Unity Bank’s efforts in promoting the Anchor Borrowers Program (ABP) and the Rice Farmers Association of Nigeria (RIFAN) project.
According to the statement, the regulator had added that the lender deserved the award because of the role it played in the actualisation and management of these audacious projects.
The active involvement of the bank in various financing schemes had resulted in a huge social and economic impact on the income of households, involving over 270,000 participating smallholder farmers, thereby boosting not only the gross domestic product but also helping to achieve self-sufficiency in food production.
Commenting on the development, the Managing Director/Chief Executive Officer of Unity Bank Plc, Mrs. Tomi Somefun, dedicated the award to all farmers and businesses in the agriculture value chain, adding: “we have successfully on-boarded over 90,000 hitherto financially excluded farmers and generated bank verification numbers for them to facilitate financial and banking transactions.”
She added: “Capacities of about 60 agro input suppliers were expanded through provision of facilities and financial advisory services.
“The bank’s environmental and social management program covers comprehensive business operations that minimise adverse impact on the environment in the scope of its business activities.”
According to Somefun, the bank’s environmental management policies and strategies comprehensively cover priority areas that encourage bio-diversity, green initiatives, recycling of waste and reduction of carbon emissions, geared towards promoting sustainability, conservation and environmental protection.
Unity Bank Plc is a niche player in agricultural financing in Nigeria, with active participation in most government intervention schemes and support for key policy initiatives.
These are aimed at driving growth and transformation of Nigeria’s agricultural economy.