Technology is at the heart of everything we do today, and mobility is no exception.

Since the Internet of Things (IoT) term was coined in 1999 by computer scientist Kevin Ashton, weve come a long way in developing the concept. Put simply, the Internet of Things is a network of objects and people that is connected through technology.

As passengers seek seamless, convenient, and fast transport experiences, the mobility sector has been on the hunt for the latest technology that can take the passenger experience to the next level.

Here, we discuss how the latest innovations in the IoT are enhancing the passenger experience.

Safe and reliable railway infrastructureIn todays competitive world, being able to make decisions quickly is key. Long gone are the days when a driver was pretty much fully responsible for operating a vehicle. Today, cutting-edge computing and machine learning are driving not just the train forwards but also the future of railway connectivity.

Utilising computing power, railway operators can collect data and process it within milliseconds to enable near-real-time decision-making and responsiveness. This then opens the door to improving the safety and reliability of railway infrastructure.

Track and train part failures are common issues that cause delays and reduced passenger satisfaction. Big data collection and analysis through sensors can help streamline business processes and generate insights that can reduce downtime by predicting maintenance issues and allowing better management of staff and security. In return, railway operators can increase capacity, improve reliability, and reduce maintenance costs.

Data is collected through sensors that are placed on critical parts of the trains, such as brakes, wheels, and engines, or on the actual tracks. They can measure variables that have predictive value to maintenance teams, such as track condition and air and track temperatures.

Seamless passenger experienceThe IoT is providing an enhanced passenger experience not only through optimising the rail infrastructure and train operations to offer safety and reliability but also by modernising day-to-day passenger service.

What that means is that the passenger journey from A to B is seamless and informed by digital services that promote connectivity, efficiency, and convenience. There are the latest passenger service tools.

Real-time passenger information (RTPI)For example, big data can provide accurate scheduling information. With the advancement of real-time passenger information (RTPI), details about service updates, time schedules, accurate bus locations, and destination data can be shown on both passenger information displays and mobile apps. That way, connectivity allows riders to plan their journeys much in advance and improve their passenger satisfaction rate.

Wi-Fi connectivityMany IoT devices make use of WiFi to connect to the internet. A high capacity WiFi service can also be used to elevate the passenger experience significantly. Outfitting the train with onboard Wi-Fi connectivity means that passengers can optimise their travel times, especially commuters. A recent study at the University of Glasgow investigated the relationship between internet use while commuting and travelling and modes of transport. It became evident that internet use on public transport impacts the value of travel time. As a result, ridership was increased.

InfotainmentWi-Fi connectivity also facilitates infotainment. This is commercial content and useful travel information displayed on onboard screens. Infotainment is a vital communication link between a transit agency and its passengers. It connects to the trains ecosystem through a network connection and displays commercial content through scheduled programming technology that can be controlled based on prime times and locations.

The displays showcase information about schedule updates, safety measures, and the companys policies, and are also a great way to promote the companys services and offers. It can also be used as a monetisation tool by allowing advertising content from other parties.

Smart Ticketing Automated Fare Collection

In order to eliminate queue lines at ticket machines, operators can implement automated fare collection that fuses cloud-based technologies with cutting-edge computing. Through sensors on platforms or trains, specific smartphone apps can be detected as passengers enter the station or train. That way, theyre automatically being charged the correct fare.

This is beneficial in terms of optimising the passenger experience and operations and collecting data about passenger behaviour to inform future optimisations.

With innovations of the Internet of Things, were enjoying a more connected, frictionless, and convenient passenger experience that is benefiting not only the riders but also the transit companies. We are excited to see what the future of mobility holds!

About the Author

Paul Vaclik is Head of R&D Architecture at Nomad Digital. Nomad Digital is a world leading provider of passenger, fleet management and monitoring solutions to the transport industry. We offer a broad solutions portfolio to both transport operators and builders that facilitates a significantly enhanced passenger experience with seamless connectivity, real-time journey information and on-board entertainment.

Featured image: allvision

Go here to see the original:
How the Internet of Things Can Facilitate an Enhanced Passenger ... - TechNative

The BBC, British Airways , Boots and Aer Lingus have been caught up in a cyber incident that has exposed employee personal data, including bank and contact details, to hackers.

A ransonware group named Clop has claimed responsibility for the breaches centered around the MOVEit file transfer software.

In an email to Reuters on Monday, the hackers said "it was our attack" and that victims who refused to pay a ransom would be named and shamed on the group's website.

Work by Microsoft had earlier suggested that the Russian-speaking ransomware gang was behind the attack.

It emerged last week that a so-called zero-day vulnerability - a flaw - in the file transfer system MOVEit, produced by Progress Software, had been exploited by cyber criminals.

It had allowed the hackers to access information on a range of global companies using MOVEit Transfer.

Thousands of firms are understood to be affected.

UK-based payroll provider Zellis confirmed on Monday that eight of its clients were among them.

It did not name the organisations.

BA, however, confirmed it had been caught up in the affair.

The airline employs 34,000 people in the UK.

The BBC and Boots, which has 50,000 staff, said they had been affected too.

The broadcaster did not believe its employees' bank details had been exposed though company ID and national insurance numbers were compromised.

Current and former staff at Aer Lingus have also been affected, the airline said, but no financial or bank details nor phone numbers were compromised in the incident.

Analysis: Origins 'appear to have Russian links'

Experts said corporate victims could expect the group responsible to make contact with a list of demands within weeks.

In this instance, the compromised information included contact details, national insurance numbers and bank details.

BA told Sky News: "We have been informed that we are one of the companies impacted by Zellis's cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.

"Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.

"This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice."

Please use Chrome browser for a more accessible video player

A Boots spokesperson said: "A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members' personal details.

"Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware."

Read more from business:New business group launched to rival CBI Six Nations backer CVC plots 4bn takeover of Center Parcs

Zellis said in its own statement: "A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product.

"We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.

"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring."

Charles Carmakal, chief technology officer at Google cyber security specialist Mandiant Consulting, said: "At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, and victim shaming.

"It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims.

"Mandiant's investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35m.

"Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched," he warned.

Click to subscribe to The Ian King Business Podcast

"Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend.

"The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organisations could easily confuse them as being authentic."

A MOVEit spokesperson said: "Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps."

"We disabled web access to MOVEit Cloud to protect our cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit."

"We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability."

"We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products."

Read more:
BA, BBC and Boots hit by cyber security breach with contact and ... - Sky News

5 June 2023

Image source, Getty Images

The BBC, British Airways, Boots and Aer Lingus are among a growing number of organisations affected by a mass hack.

Staff have been warned personal data including national insurance numbers and in some cases bank details may have been stolen.

The cyber criminals broke into a prominent piece of software to gain access to multiple companies in one go.

There are no reports of ransom demands being sought or money stolen.

In the UK, the payroll services provider Zellis is one of the companies affected and it said data from eight of its client firms had been stolen.

It would not reveal names, but organisations are independently issuing warnings to staff.

In an email to employees, the BBC said data stolen included staff ID numbers, dates of birth, home addresses and national insurance numbers.

Staff at British Airways have been warned that some may have had bank details stolen.

The UK's National Cyber Security Centre said it was monitoring the situation and urged organisations using the compromised software to carry out security updates.

The hack was first disclosed last week when US company Progress Software said hackers had found a way to break into its MOVEit Transfer tool. MOVEit is software designed to move sensitive files securely and is popular around the world with most of its customers in the US.

Progress Software said it alerted its customers as soon as the hack was discovered and quickly released a downloadable security update.

A spokesperson said the firm is working with police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

The US Cybersecurity and Infrastructure Security Agency issued a warning on Thursday to firms that use MOVEit, instructing them to download a security patch to stop further breaches.

But security researcher Kevin Beaumont said internet scans revealed thousands of company databases could still be vulnerable as many affected firms are yet to install the fix.

"Early indications are there are a large number of prominent organisations impacted," he said.

Experts said it is likely the cyber criminals will attempt to extort money from organisations rather than individuals.

No ransom demands have been made public yet but it is expected cyber criminals will begin emailing affected organisations to demand payment.

They will likely threaten to publish the stolen data online for other hackers to pick through.

Victim organisations are reminding staff to be vigilant of any suspicious emails that could lead to further cyber attacks.

Although no official attribution has been made, Microsoft said it believed the criminals responsible are linked to the notorious Cl0p ransomware group, thought to be based in Russia.

In a blog post the US tech giant said it was attributing attacks to Lace Tempest, known for ransomware operations and running the Cl0p extortion website where victim data is published. The company said the hackers responsible have used similar techniques in the past to steal data and extort victims.

"This latest round of attacks is another reminder of the importance of supply chain security," said John Shier, from cyber security company Sophos.

"While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well," he added.

The National Crime Agency told the BBC that it was aware that a number of UK-based organisations had been "impacted by a cyber incident", as a result of a previously unknown security flaw relating to MOVEit Transfer.

The NCA added it was "working with partners to support those organisations and understand the full impact on the UK".

More:
MOVEit hack: BBC, BA and Boots among cyber attack victims - BBC

DUBAI, 6th June, 2023 (WAM) -- The 6th Edition of the Cyber Security Innovation Series and Awards kicked off today at The Meydan Hotel in Dubai. The event is organised by Market Solutions Events Management (MS Events), in partnership with the UAE Cybersecurity Council and with the support of Dubai Electronic Security Centre

Held on 6th and 7th June, 2023, this prominent event aims to explore the cutting-edge realm of next-generation cybersecurity in the digital era.

Mohammed Hamad Al-Kuwaiti, Head of Cyber Security for the Government of the UAE, stated that the future of cybersecurity lies in the ability to understand and confront evolving threats and technological advancements to create an advanced and secure cyber environment.

He added that in 2022, the cost of global cybercrime exceeded 6 trillion dollars, doubling over five years, and it is expected that damages resulting from internet crimes will surpass 10.5 trillion dollars globally by 2023. Furthermore, ransomware attacks increased by 311 percent in the past year, highlighting the growing sophistication of attackers. He emphasised that approximately 95 percent of information security breaches are the result of human errors, underscoring the importance of employee awareness and training.

"We are thrilled to host the Cyber Security Innovation Series and Awards in Dubai," said Emirati architect and entrepreneur Madiha Salem, CEO and Founder of MS Events. This event will bring together leading experts, government officials, and industry professionals to discuss the latest trends and strategies in cybersecurity. We believe that by fostering collaboration and knowledge sharing, we can collectively shape the future of cyber defence in the digital era.

The event is featuring an engaging agenda filled with thought-provoking keynotes, insightful panel discussions, and networking opportunities. Attendees are enjoying the chance to connect with industry experts and thought leaders, gaining valuable knowledge and insights into the latest trends, challenges, and strategies in the cybersecurity landscape.

The first day of the conference, June 6, kicked off, by welcome remarks from MS Events and the day was packed with engaging sessions, including VIP keynotes, thought leadership speeches, panel discussions, and informative keynotes by industry experts. Ayesha Almarzooqi, Permits Section Head, Dubai Electronic Security Center delivered the opening keynote titled: From policies to certifications to harmonisation.

During the first day, Biju Hameed, Head of Technology Infrastructure Operations at Dubai Airports, delivered a VIP keynote on best practices for developing a comprehensive security strategy plan, emphasising the importance of consistent strategic planning, innovative practices, and effective communication to stakeholders.

Song Haibin, Chief Security Officer, Huawei Cloud Europe, presented a thought leadership keynote on redefining cloud security governance in the digital era, addressing the challenges on cloud security governance, and introducing 3CS (Cloud Service Cybersecurity & Compliance Standard) as a Unified Compliance tool for overall cloud security governance.

Ahmed Sherif, Senior IT Support Engineer & Cloud Solutions Expert, Government Entity moderated a panel discussion on key strategies for protecting critical resources and ensuring cyber defence in the cloud. The panellists were Adel Alhosani, CISO & Information Security Senior Manager at Dubai Customs, Dr. Ebrahim Al Alkeem Al Zaabi, Digital Transformation expert, Director at the Government of Abu Dhabi; Mohamed Al Maleki, Senior Information Security Specialist at the Federal Tax Authority, and Ashraf Esmat Khalil, Senior Solution Architect at Huawei Middle East and Central Asia.

The second day of the conference, June 7, will begin with a VIP Majlis hosted by Huawei, followed by opening remarks from MS Events. Keynotes and panel discussions will continue to explore critical cybersecurity topics, including ransomware response, governance, risk management, compliance, and the future of cybersecurity.

Day 2 will see Dr. Al Kuwaiti deliver a VIP keynote address on cybersecurity predictions and best practices for 2023-2024, providing valuable insights into the future of cybersecurity in the digital age, followed by the Cybersecurity innovation awards ceremony, recognising exceptional achievements in the field of cybersecurity.

Dubai Electronic Security Centre will launch a Huawei cloud security whitepaper, and Dr. Alyosius Cheang, Huawei Middle East & Central Asia Chief Security Officer, will deliver a thought leadership keynote on the cybersecurity playbook in the digital era, sharing strategic insights and best practices to safeguard the journey to the Cyberverse.

Read more:
6th Cyber Security Innovation Series and Awards kicks off in Dubai -

Chicago is famous for many reasons, including the Bears, specific style of hot dogs, and of course, for giving the world skyscrapers. PHP is also known for legendary architecture, being the underlying language for 77.5% of the web via frameworks like Laravel, Drupal, and WordPress. Community members from all over the world, representing all those frameworks and more, got together for php[tek] 2023.

This was the 15th annual convention of PHP, where users shared knowledge and best practices for leveraging the language that came to define the internet over the last 28 years. There was real sense of community at the event, summarized very succinctly in the day one keynote, "Let Go of Ownership," from Tim Lytle. He encouraged us to think about our code and the community as not things we own but instead as things we are entrusted to take care of over time. He said we should think in terms of stewardship, which is a word that sums the subject up nicely.

Over the three days of the event, speakers told their stories about working with PHP and the opportunities it has afforded them. They also dove into some highly technical topics, even showing how PHP itself is compiled. Multiple speakers also covered security and customer data compliance. Here are just a few highlights from the event.

In his talk, "The Many Layers of OAuth," Keith Danger Casey walked us through OAuth, the open protocol to allow secure authorization. He described OAuth through the analogy of a fancy hotel.

In a hotel, you present your credit card and other form of ID to the front desk to prove you are who you say you are. They check you are authentic and expected. They then issue you a hotel key card to get into your room, the gym, and any other restricted areas. The benefits of the key card are that you do not need to constantly re-prove who you are with your complete ID and credit card at all times. The key cards also automatically expire and are easily replaceable.

In OAuth language, the front desk is the OAuth Authorization Server. The key card is your Access Token. Your room and all the other areas where you are allowed access with your key card are the system Resources.

This model achieves the main goals of OAuth:

Delegation Sharing access without sharing credentials. Scoping and Expiration Granting limited access for a short amount of time. Separating policy decisions from enforcement mechanisms.

One crucial point that Keith noted is that OAuth itself does not specify how you do the authentication, just authorization. Authentication, often abbreviated as AuthN, verifies you are who you say you are. This is commonly achieved though opening a web browser and having you log in through another trusted service like GitHub or Google, relying on OpenID Connect. Authorization, abbreviated as AuthZ, is concerned with 'if' you are allowed to perform an action or access a resource.

You end up with a three-step security process where you prove who you are, AuthN, then get approval to reach certain resources, AuthZ, before finally accessing those resources by using the token the process provides.

Attackers commonly target each of these steps and the connections required throughout the process. It is vital to think through security at each of these vectors. This starts by always using HTTPS to prevent man-in-the-middle attacks. It is also important to scope any tokens appropriately, only allowing authorization for the resources required to complete the work. Tokens also need to be short-lived; the shorter the time to live, the better.

Keith also echoed a lot of these same lessons about security in his other talk at the event, "Webhooks: Lessons (Un)learned." Keith was responsible for the initial research that became the website webhooks.fyi. While investigating webhooks, he realized that every company does them slightly differently, but there are some underlying security concerns that we all need to be aware of.

It is vital to secure the payload itself. There are a number of ways to accomplish this, from having shared secrets or using OAuth, to much more secure methods like keyed-hash message authentication codes, HMAC, or mTLS, Mutual Transport Layer Security. It is also important to protect against 'replay attacks' by using timestamps. We are proud to say that GitGuardian Custom Webhooks make use of HMAC and Timestamps to keep our customers safe.

Back on the topic of APIs, Tim Bond talked about external threats in his session "Attackers want your data, and they're getting it from your API." He said APIs are everywhere, including, in the broadest sense, the front of your website.

The first step to securing your API is limiting the responses to only the data absolutely needed to make the app work. HTTPS should always be enforced, echoing what Keith said earlier in the event. He also encouraged using "certificate pinning," where you only accept specific, pre-approved certificates. If possible, he suggests enforcing dynamic integrity checking, as you can do through the Google Play store.

One way you can discourage attackers is by rate limiting. Hackers will often try to enumerate endpoints, especially around user IDs. Someone looking up `user/123`, `user/124`, then `user/125` in rapid calls is likely someone up to no good. Shutting them down should not interfere with legitimate business. Further, he suggested using Unique User IDs, UUIDs, so instead of sequential user numbers, each is assigned a long random number that is unrelated to other user IDs. For example, instead of `user/123`, making them `user/SINFKLDFDF51F` will make it harder for an attacker to guess what other user IDs could be.

Toward the end of his session, Tim suggested familiarising yourself with the OWASP API Security Top 10. For those who wanted to dig deeper, he suggested the free training course from PortSwigger.

Data privacy laws are always evolving, and it can be tricky to keep up to date with the latest news. That is why we were all glad for the session "Data Privacy in Software Development" by Jana Sloane, an attorney at Microsoft. She was quick to state that this session was not giving legal advice but was intended to point us in the right direction to know how to talk to internal legal teams. Having those conversations early in the development lifecycle can help keep everyone compliant and safe.

Jana gave us a brief overview of today's data privacy landscape. In the US, every state has implemented its own framework. In the EU, it is a little clearer, thanks to legislation like GDPR, but she said there is a lot of case law being worked out right now, so talking to legal teams earlier in the process can help you stay ahead of what is on the horizon. In addition to government regulation, software developers need to be aware of any contractual obligations their company must comply with. For example, ensuring your new feature or product will still fall within SOC II compliance is important so there are no surprises when you try to launch.

When thinking about access management, who can get our data, we need to ensure data is:1. Necessary and proper We are only collecting what is truly needed for the application to work.2. Accessed by proper personnel There is a clear log and authorization policy in place for anyone or any service that can obtain the data.3. Used correctly If you say exactly what you will use the data for in the terms of service, you must limit the use to only those purposes.4. Retained accurately Properly storing data means encrypting the data properly and thinking through geolocation issues, only storing it in places allowed by data sovereignty law.

Lastly, you should have a clear policy for how long you are allowed to keep use data. It should not be forever. Your policy should also allow the user to request for it to be deleted at any time. Any time you want to use the data for a new or different reason, you need to inform the customer and have them opt-in for the new use, letting them opt out of the system if they choose.

Scott Keck-Warren began his session "Reducing Bugs With Static Code Analysis" by telling the story of breaking live production websites when he tried to fix bugs on the live server. He quickly learned that there needed to be a way to test his fix before it got to the production machine.

His team moved to manual code analysis, which was a step up from breaking production, but was slow and error-prone. Human beings were still too involved in the process. His team moved next to dynamic testing. While this is much more reliable overall, it takes a while to run, reliable though. What they finally found that was both fast and reliable was a form of source code analysis or SCA, called static code analysis. This allows the code to be analyzed without needing to go through a build step and can save a lot of time and resources.

He found PHP-specific tools like PHPStan and PHP_CodeSniffer were good fit for their needs, given the codebase was mostly PHP. He also is a fan and user of Rector, a tool that "instantly upgrades and refactors the PHP code of your application."

What made these tools truly successful for his org was consistent use, through automation. His favorite way of automating testing is through git hooks. We love git hooks at GitGuardian, as that is how you can leverage ggshield to prevent yourself from committing secrets.

We are also big believers in source code analysis, especially for security. This is why we have officially partnered with Snyk to help our users, and the world, strengthen developer security through SCA. While the tools Scott cited are excellent for debugging PHP code for functionality, Snyk can help any developer deliver more secure code no matter what language your company relies on.

When you think of approaches to building software, you might think of Agile, Waterfall, or even DevOps. However, there is a concept underneath all those approaches which deals with how to think about the code itself. Cori Lint covered this in her talk, "Building a SOLID Foundation."

The SOLID framework was introduced to the world in a 2000 paper from Robert C. Martin defining best practices for Object-oriented Programming, OOP. OOP is the predominant approach of modern software languages and frameworks.

SOLID stands for:

Cori gave multiple examples of these principles, including a `PlayInstrument` class. One can imagine a class for plying instruments that implements the methods:

Let's imagine we try to use 'PlayInstrument' to play a violin. Violins can't toot() or pressKey(). Thus this class violates the Interface Segregation Principle, and we should find a better approach. You could do this by creating new classes to replace the generic `PlayInstrument` class, one for wind instruments and one for string instruments, and perhaps new ones for percussion. These new classes would be simpler and reusable, making the program ultimately more resilient and easier to implement in code.

PHP is at the heart of the internet, taking the form of many frameworks and language behind many services. Just as the code is widespread and used in diverse ways, the community itself varies from security experts focused on APIs, to traditional website builders, to microservice architects. It is truly a global community, as we had folks from all over the world attend php[tek].

No matter where you are on the planet or what particular focus you have in your day-to-day work, security surely lies at the heart of it. We are proud to support developers, DevOps, and security teams as they work to make their code more secure by keeping their secrets secret. If you are not sure where your secrets are right now in your PHP, or any other code, sign up to get started for free for secrets detection and start automating the prevention process with ggshield.

*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection authored by Dwayne McDaniel. Read the original post at: https://blog.gitguardian.com/php-tek-2023/

Excerpt from:
php[tek] 2023 A Community Of Communities Powering The Internet - Security Boulevard