Daily Archives: May 1, 2019

Mitigating Risks in Cloud Migration

Companies are moving to incorporate the cloud into their computing infrastructure at a phenomenal rate. This is, without question, a very positive move. It permits companies to scale processing resources up and down in response to changing demands, giving companies the operational equivalent of unlimited resources while paying only for the resources that are actually […]

The post Mitigating Risks in Cloud Migration appeared first on The State of Security.

Inside the Government Cybersecurity Landscape: Federal vs. State Level Challenges

Few would dispute the idea that an effective cybersecurity profile requires candid assessments of potential vulnerabilities. Here’s a closer look at the challenges facing the federal cybersecurity mission and the efforts of state-level agencies. Federal Though the federal government demonstrates an ongoing commitment to ramping up its cybersecurity mission with annual spending in the tens […]

The post Inside the Government Cybersecurity Landscape: Federal vs. State Level Challenges appeared first on The State of Security.

It’s World Password Day – the Perfect Excuse to give your Passwords an Overhaul!

How much of your personal data is stored online? Well, if you are anything like the ‘average Jo’ – the answer is a lot! In 2019, the vast majority of us bank and shop online, have official documentation stored online, have all sorts of personal information stored in our emails and let’s not forget about our photos and videos.

And the scary thing – the only thing that is stopping cybercriminals from accessing our vital information that is saved online is our passwords.

Today is World Password Day – a perfect opportunity to give our password strategy a health check. Because if we are serious about protecting our vital data that is stored online, then we need to get SUPER serious about managing our passwords!

So, let’s give your passwords an overhaul. Why not schedule some time in your calendar to ensure your passwords are in the best shape? Here are my top tips on what you can do today to ensure you are doing all you can to protect your private online data.

How To Give Your Passwords A Health Check:

1. Check To See Whether Your Passwords Have Been Exposed

The first step is to see whether your passwords have been compromised in a data breach. Check out www.haveibeenpwned.com.au to see whether cybercriminals have already discovered your passwords. If so, then they need to be changed wherever they are used ASAP.

2. Commit to Not Using Common Passwords

Using common passwords such as ‘password’, ‘123456’ or ‘qwerty’ is, quite frankly, a waste of time. It would take cybercriminals a matter of seconds to unlock your online banking data. Also avoid using simple personal details within your passwords such as your birthday, name or kids’ and pets’ names, as a quick scan of your social media accounts would allow cybercriminals to find these in just seconds. Always make your passwords random and obscure. Why not consider a nonsensical sentence?

3. Add Numbers and Symbols to Your Passwords

When you are setting up a new online account, many organisations will require you to add a number or symbol to your proposed password to give it additional ‘password strength’. Passwords that include a variety of capital and lowercase letters, numbers and symbols are far harder to crack so get creative and layer up your passwords.

4. Ensure Every Password Is Unique

Many people use the same password across all of their online accounts. And while this makes life easier, it increases your risk of your vital online data being compromised big time. Remember, if a hacker discovers just one of your passwords – and it’s the only one you use – all of your online personal information is at risk! Therefore, it is crucial to ensure all your passwords are different! I know, it sounds like a lot of work and brain power!

5. Simplify Your Life with a Password Manager

If the idea of creating individual complex passwords for each of your online accounts – oh, and changing them every 2 months, is giving you palpitations, then I have a solution – a password manager!

McAfee’s Total Protection includes Password Manager, which stores, auto-fills and even generates unique passwords. Creating and remembering (!) a complex password for each online account is taken care of. All you need to do is remember one master password in order to access the rest of the passwords! And if there is a data breach, it’s super easy to quickly change a password too.

6. Set up Two-Factor Authentication Where Possible

If you have the option to enable two-factor or multi-factor authentication with any of your online accounts, then do it!! In simple terms, this will mean that you need to provide more than one way of identifying yourself before gaining access to your account. Often it is your password plus a code sent to your smartphone or even your fingerprint. It’s an absolute no-brainer as it adds another layer of security, making it harder for cybercriminals to access your vital online data.
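Tips 1 and 4 above (check whether a password has appeared in a breach, and never reuse one across accounts) can be automated without ever sending a password anywhere. The following is an added example, not code from this post or from McAfee: it implements the k-anonymity style of breach lookup that password-exposure services use, where only the first five hex characters of the password’s SHA-1 hash are sent and the matching suffixes come back for local comparison. The breach service itself is replaced by a constructed in-memory table (the breach counts and the sample account list are made up for the example), so the script runs offline.

```python
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach-range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """k-anonymity split: the 5-char prefix is all that leaves the machine."""
    return digest[:5], digest[5:]


# Constructed stand-in for a real range lookup service. Counts are invented for
# the example; a production client would fetch this text over HTTPS instead.
_CONSTRUCTED_BREACHED = {"password": 3730471, "123456": 23597311}


def build_fake_range_table(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Group 'SUFFIX:COUNT' lines by hash prefix, mimicking a range response."""
    table: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return table


FAKE_RANGE_TABLE = build_fake_range_table(_CONSTRUCTED_BREACHED)


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the network call: returns the response body text."""
    return "\n".join(FAKE_RANGE_TABLE.get(prefix, []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_passwords(accounts: Dict[str, str], fetch_range: Callable[[str], str]) -> dict:
    """Report exposed passwords (tip 1) and passwords shared by several accounts (tip 4)."""
    exposed: Dict[str, int] = {}
    by_password: Dict[str, List[str]] = {}
    for account, pw in accounts.items():
        n = breach_count(pw, fetch_range)
        if n:
            exposed[account] = n
        by_password.setdefault(pw, []).append(account)
    reused = [sorted(a) for a in by_password.values() if len(a) > 1]
    return {"exposed": exposed, "reused": sorted(reused)}


# Constructed sample account list for the demonstration.
SAMPLE_ACCOUNTS = {
    "bank": "password",
    "email": "Tr0ub4dor&3-example",
    "shop": "Tr0ub4dor&3-example",
    "forum": "123456",
}

if __name__ == "__main__":
    report = audit_passwords(SAMPLE_ACCOUNTS, fake_fetch_range)
    for account, n in report["exposed"].items():
        print(f"{account}: password seen {n} times in breaches, change it everywhere it is used")
    for group in report["reused"]:
        print("same password reused across: " + ", ".join(group))
```

The design point is in `split_hash`: the service only ever learns a 5-character prefix shared by many thousands of hashes, so it cannot recover which password was checked, yet the client still gets an exact answer by comparing the returned suffixes locally. Swapping `fake_fetch_range` for a real HTTPS fetch of the range endpoint is the only change needed for live use.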

Now, if you are thinking about skipping out of your password overhaul, then please think again! Passwords are the first line of defence to protect your vital online data from cybercriminals. So, put the kettle on and make today the day!

Till next time!

Alex xx


The post It’s World Password Day – the Perfect Excuse to give your Passwords an Overhaul! appeared first on McAfee Blogs.

Announcing New Veracode Language Coverage: Apex, Go, and PLSQL

When considering new language support, we think about our customers’ existing technology stacks and the new and emerging languages that will enable them to securely bring innovations to market faster. With this in mind, we recently added support for Apex, Go, and PLSQL:

  • Apex, a Salesforce.com proprietary language, enables businesses to enhance their Salesforce.com deployments to improve how they accelerate their business growth and connect with customers.
  • Go, voted the third most-wanted language by more than 90,000 developers in the 2019 Stack Overflow survey, offers advantages in speed of execution, concurrency, and portability.
  • PLSQL is used by more than 50 percent of professional developers and in some of our customers’ most sensitive databases.

Support for each one of these languages is only released after extensive testing to help you meet your business goals while ensuring the necessary depth of coverage to protect your organization. (Get our full list of supported languages here.) Our approach to language coverage helps you:

Save time, effort, and costs

Veracode Static Analysis removes the need for application security managers to manually review flaws or create custom rules for each unique application to suppress findings for accuracy. Furthermore, trusted results and prescriptive remediation advice enable developers to quickly remediate flaws. Each Veracode language coverage is continually refined for accuracy based on feedback from millions of scans, resulting in a less than 1.1 percent false positive rate for Veracode customers from their first scan. Across our customers, this represents tangible cost savings, with an 80 percent reduction in security team effort and a developer time savings of more than 2 hours when remediating flaws found. 

Scan all your apps quickly

Veracode scans are constantly getting faster as we continuously work to reduce scan times to meet DevOps release cycles. To put this into numbers: Veracode Static Analysis scans are three times faster this year. In 2018, more than 250,000 apps scanned in less than 5 minutes, and more than 50 percent of all scans finished in less than 15 minutes.

Easily onboard apps and scale to cover your entire application landscape

Our SaaS-based approach covers all your applications – even large, complex and difficult-to-scan apps – from day one with no burden on your infrastructure. In addition, you can assess an unlimited amount of applications concurrently. No matter the size or geographic distribution of your organization, concurrent scanning means you don’t have to wait for a scan to complete before starting the next one.

Get all your testing results in one place

Thanks to the Veracode Platform, you can see your static analysis results alongside all your AppSec tests – dynamic, SCA, pen testing – in one central location. This single view of test results provides total visibility into each application’s risk and makes it easy to coordinate remediation between multiple teams and track your progress.

Learn more

Keep your code secure across the software lifecycle, without slowing development cycles. Get more details on Veracode Static Analysis.

Cyber Security Roundup for April 2019

The UK government controversially gave a green light to Huawei to get involved with the building of the UK's 5G networks, although the Chinese tech giant's role will be limited to non-sensitive areas of the network, such as providing antennas. This decision, made by Theresa May, came days after US intelligence announced Huawei was Chinese state funded, and amidst reports of historical backdoors in Huawei products, stoking up the Huawei political and security row even further this month; it has also resulted in the UK Defence Secretary, Gavin Williamson, being sacked.
The National Cyber Security Centre (NCSC) launched a free online tool called "Exercise in a Box", designed by the UK cyber intelligence boffins to help organisations prepare for managing major cyber attacks. The premise is that the tool will help UK organisations avoid scenarios such as the 2017 WannaCry attacks, which devastated NHS IT systems and placed patient lives at risk.
German drug manufacturing giant Bayer found a malware infection, said to originate from a Chinese group called "Wicked Panda". The malware in question was Winnti, which is known in the security industry and allows remote access into networks, allowing hackers to deliver further malware and to conduct exploits. In my view, the presence of Winnti is a sure sign of a covert and sustained campaign by a sophisticated threat actor, likely focused on espionage given the company's sector. Bayer stressed there was no evidence of data theft, but was still investigating.
Another manufacturing giant severely hit by a cyber attack this month was Aebi Schmidt. A ransomware outbreak impacted its business' operations globally, with most of the damage occurring at their European base. The ransomware wasn't named, but it left multiple Windows systems, on their presumably flat network infrastructure, paralyzed.
Facebook may have announced the dawn of their "privacy evolution" at the end of April, but their privacy woes still continue, after UpGuard researchers found and reported 540 million Facebook member records on an unsecured AWS S3 bucket. The "Cultura Colectiva" dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more. Looks like Facebook really have their work cut out in restoring their consumers' faith in protecting their privacy.
UK businesses saw a significant increase in cyber attacks in 2019 according to a report by insurer Hiscox, with 55% of respondents reporting they had faced a cyber attack in 2019, up from 40% last year.
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before the CyberUK 2019 conference in Glasgow, which I was unable to attend due to work commitments, it said the most common password on breached accounts was "123456", used by 23.2 million accounts worldwide. Next on the list were "123456789" and "qwerty", "password" and "1111111". Liverpool was the most common Premier League football team used as a password, with Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches. So passwords still remain the biggest Achilles' heel in our security.

The UK hacktivist threat came back to the fore this month, after the Anonymous group took revenge on the UK government for arresting WikiLeaks founder Julian Assange by attacking Yorkshire councils. I am not sure what Yorkshire's link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack; a tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana', with an image, suggested they had access to Bedale Council's confidential files, and were threatening to leak them.
Microsoft Outlook.com, Hotmail and MSN users are reported as having had their accounts compromised. TechCrunch revealed the breach was caused by the hackers getting hold of a customer support tech's login credentials. Over two million WiFi passwords were found exposed on an open database by the developer of WiFi Finder. The WiFi Finder app helps to find and log into hotspots. Two in every three hotel websites leak guest booking details and personal data according to a report. Over 1,500 hotels in 54 countries failed to protect user information.
Finally, but not least, a great report by Recorded Future on the rise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checker' tools to validate compromised credentials before selling them on.

I am aware of school children getting sucked into this illicit world; it typically starts with them seeking to take over better online game accounts after their own account is compromised, and they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using unique complex passwords with every web account (use a password manager or vault to help you - see the password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or are informed your account 'may' have been compromised, change your password straight away.


The Government Claims a Private Sector Fail, But It Just Doesn’t Know How to Pick a Vendor

The Government Accountability Office recently released a report that analyzed the results as well as the relative effectiveness of the identity theft services, including insurance, provided to victims of data breaches and other forms of digital compromise.

The report is entitled, “Range of Consumer Risks Highlights Limitations of Identity Theft Services,” and it largely reiterates the GAO’s 2017 assertion that the identity theft insurance provided to agencies in the wake of a data breach were both unnecessary and largely ineffective. The findings also included a conclusion that credit monitoring, identity monitoring, and identity restoration services were of questionable value. The GAO recommended that Congress should explore whether government agencies should be, or indeed are, at present, legally required to offer victims of federal data breaches any of the services examined in the report.

At the center of the report’s finding was $421 million set aside by the Office of Personnel Management for the purchase of a suite of identity protection products and services following the 2015 data breach that exposed extremely sensitive personal information of 22 million individuals. According to the report, the “obligated” money expended was largely squandered.

“3 million had used the services and approximately 61 individuals had received payouts from insurance claims, for an average of $1,800 per claim… GAO’s review did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services were less subject to identity theft or detected financial or other fraud more or less quickly than those who monitored their own accounts for free…” To be clear, there is a jump in logic here. Just because the GAO was unable to find data to support these services does not mean the services are ineffective. In fact, it could just as easily be that the services work.

Then there was the GAO’s observation that, “The services also do not prevent or directly address risks of nonfinancial harm such as medical identity theft.” When millions of Social Security Numbers have been exposed, prevention of identity theft is purely aspirational. Frankly, this assertion would not pass muster with the FTC, since it is actually frowned upon to suggest that any service provider can prevent identity theft. The goal is awareness and targeted action, and medical fraud, in particular, is an area where detection is, at best, difficult and resolution is often complicated and requires professional assistance.

While the report raises an important point, it is too limited in scope to pinpoint it effectively. Not all identity theft services are the same. Those offered by the OPM to victims of its massive breach may or may not have been ineffective, but if they were, most likely it was because they were inadequate to the task or “mis-underestimated” during on-boarding, not because they’re unnecessary. In other words, it’s not a question of how much money changed hands, it’s how those funds were spent.

Misunderstanding?

In the case of the services offered to victims of the OPM breach, the results do look damning: 61 paid insurance claims out of 3 million service users is the kind of figure unworthy of rounding error status. The above result must not, however, be mistaken for a demonstration of why identity theft insurance isn’t useful, but rather should be understood as a real-life metric of the usefulness of the specific plan provided, and the applicability of that plan’s provisions to the majority of the individuals covered by it.

Consider this counterpoint: If the services provided worked, little to no insurance payments would be necessary. (See above.)

Rather than scrapping the requirement, policies should either be expanded to cover more of the expenses associated with identity theft (there are many), or they should prioritize more robust monitoring tools and full identity fraud remediation solutions with the funds available.

Lack of Participation

Another issue raised by the report is participation on the part of those affected by data breaches. According to data from OPM, only 13 percent of those affected took advantage of the services made available to them–at least as of September 30, 2018. While the number may seem low, anecdotally it’s not really. Regardless, the question remains: Were those services made available in an accessible way that encouraged action on the part of users?

History suggests that paltry participation figures are due in no small part to a lack of awareness among consumers of the dangers posed by the exposure of personal information and the often free (to the consumer) availability of products and services that help manage the damage. Workplace education in this area is lacking, for sure, but that alone doesn’t explain it. Beyond breach fatigue, a larger factor may be lack of confidence in or clarity about the services provided–and that is an issue that belongs to vendor selection, because it’s their job to make clear what’s at risk and how the proffered solutions can help.

As described elsewhere in the report: Organizations that offer services don’t do it based on what should be the pivotal question here: “how effective these services are.” Instead, “some base their decisions on federal or state legal requirements to offer such services and the expectations of affected customers or employees for some action on the breached entities’ part.” If the standard is to offer a certain amount of protection, they do that. Does it matter what kind? Can it be generic? That’s the crux of the matter here.

Spoiler alert: It matters what service provider you choose. If you take nothing else away here let it be this: identity protection services and insurance are useless in a low-information environment. Indeed, if the service provider doesn’t produce an ocean of content that explains to users why they need to use the services, then it’s probably not right for mass allocation.

Data breaches have become so commonplace and the threat of identity fraud so widespread that token offerings to those affected are increasingly viewed as a B.S. attempt at better optics while a company is in disaster mode. A vicious cycle ensues: lack of confidence in a breach response leads to lack of participation in identity theft protection offered, and lack of participation is used to justify offering less comprehensive protection–all while identity theft incidents and data breaches increase.

The GAO report raises many salient points about the services offered in the wake of data breaches. The current legislation and its requirements for both identity theft protection services and insurance can rightly be viewed as an expensive boondoggle with little to show when it comes to actual results, but the conclusion of the GAO–to pull back instead of getting the right services in place to protect against future breaches and assist their victims when they can’t be avoided–is worrisome.

We need to focus now more than ever on high-information, robust solutions that provide greater protection as well as more guidance and assistance–not less.

This article originally appeared on Inc.com.

The post The Government Claims a Private Sector Fail, But It Just Doesn’t Know How to Pick a Vendor appeared first on Adam Levin.

“Spark Joy” With New 12.0 Email Security Features & Videos

When you see “software update available,” does it spark joy? For many of us, the answer is a resounding “no.” But, don’t be fooled into thinking that our new 12.0 release of Cisco Email Security is anything other than extraordinary. Here are three reasons why:

  • Our SVP of Product Management, Jeff Reed, puts it best: “It’s our biggest update in years.” We’ve poured resources into our Cisco Email Security product and it shows in a release that’s full of new features that directly impact our customers’ biggest pain points.
  • Cisco’s 12.0 release is threat focused. From the ground up, this release aims to arm organizations against common threats like phishing and business email compromise. As the frequency of email threats continue to rise, our customers can be confident that we continue to improve our security technology with updates to Sender Domain Reputation and External Threat Feeds (ETF).
  • We’re investing in the user experience. 12.0 for Security Management Appliance introduces Cisco’s next generation user interface and drives administrative intuition forward. A quicker UI, easy-to-read reporting summaries, and the continued trusted results make it easier than ever to have an integrated approach to your email security posture.

Ready to dive into our latest release? We’ve compiled several resources to help you realize the value of these updates. First, the Release Notes for 12.0 for Email Security and the Release Notes for 12.0 for SMA include what’s new in the release and provide an easy-to-use guide to updating your software. Next, be sure to check out the videos below for a more in-depth look at our most noteworthy features:

How-Tos

New to 12.0 is our How-Tos Widget. This contextual widget provides in-app assistance to users in the form of walkthroughs to accomplish configuration and administrative steps within Cisco Email Security. This video provides a brief walkthrough of this useful new tool.

External Threat Feeds

We’re excited: this release includes External Threat Feeds (ETF), which support STIX/TAXII. If you’re looking to take advantage of integrating external threat information, this video walks through how you can add third-party threat feeds into your appliance and configuration.

Sender Domain Reputation (SDR)

Cisco SDR is our next level of providing a reputation verdict for email messages based on a sender’s domain and other attributes. How does SDR work? This video explains how the reputation of an email is collected and what impact it has on email security.

DNS-based Authentication of Named Entities (DANE)

DANE adds additional ability to our encryption capabilities in Cisco Email Security. This video dives into the new DANE features and explains how to configure it.

Smart Licensing

Why consider using a smart license? It’s easier to control usage, simplifies maintenance and eliminates the need for right-to-use licensing.

Cisco Threat Response

This video is an introduction to the new Cisco Threat Response (CTR) integration with AsyncOS 12.0 for Cisco Email Security. It explains how to integrate your Security Management Appliance (SMA) with CTR as a step-by-step walkthrough tutorial.

Once you are up to speed on what our 12.0 release can do for you, the final step is to upgrade! After, be sure to reference the 12.0 User Guide for in-depth administration and further questions regarding services and configuration.

For even more email security resources, be sure to check our Cisco Email Security page regularly for whitepapers, analyst reports, videos and more.


Why Data Security Is Important

The Increasing Regulatory Focus on Privacy

The ongoing trend of data breaches and the increasing privacy risks associated with social media continue to be a national and international concern. These issues have prompted regulators to seriously explore the need for new and stronger regulations to protect consumer privacy. Some of the regulatory solutions focus on U.S. federal-level breach and privacy laws, while individual U.S. states are also looking to strengthen and broaden their privacy laws.

The focus on stronger consumer privacy has already sparked new regulations like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Many customers of U.S. companies are covered by GDPR’s broad privacy protections, which protects the rights of residents of the European Economic Area. As U.S. states increasingly pass their own privacy laws, the legal environment is becoming more fragmented and complex. This has led to an increased focus on potentially creating a U.S. federal privacy law, perhaps along the lines of the GDPR or otherwise protecting individuals’ information more broadly than the sectoral laws now in place. Although it is not clear whether effective national legislation will pass in the immediate future, the continued focus on regulatory solutions to strengthen consumer data privacy appears certain.

Privacy is Important to McAfee

For technology to be effective, individuals and corporations must be able to trust it. McAfee believes that trust in the integrity of systems – whether a corporate firewall or a child’s cell phone – is essential to enabling people to get the most possible out of their technologies. Fundamental to that trust is privacy and the protection of data. McAfee is committed to enabling the protection of customer, consumer and employee data by providing robust security solutions.

Why Privacy Matters to McAfee
  • Protecting our customers’ personal data and intellectual property, and their consumer and corporate products, is a core value.
  • Robust Privacy and Security solutions are fundamental to McAfee’s strategic vision, products, services and technology solutions.
  • Privacy and Security solutions enable our corporate and government customers to more efficiently and effectively comply with applicable regulatory requirements.
  • McAfee believes privacy and security are necessary prerequisites for individuals to have trust in the use of technology.

Effective Consumer Privacy Also Requires Data Security

Today, electronic systems are commonly used by government, business and consumers. There are many types of electronic systems and connected devices used for a variety of beneficial purposes and entertainment. The use of data is a common element across these systems, some of which may be confidential information, personal data and/or sensitive data.

A reliable electronic system must have adequate security to protect the data the system is entrusted to process and use. Data leaks and security breaches threaten the ability of customers to trust businesses and their products. Data security that is flawed or inadequate to provide robust data protection puts consumers’ privacy at risk.

Too often, privacy and information security are thought of as separate and potentially opposing concerns. However, there are large areas of interdependency between these two important policy areas. Privacy and information security must work in harmony and support each other to achieve the goal of consumer privacy. Privacy requires that consumers have the capacity to decide what data about them is collected and processed, and the data must have safeguards driven by appropriately secure technologies and processes.

Data security is the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Privacy is an individual’s right or desire to be left alone and/or to have the ability to control her own data. Data security also enables the effective implementation of protective digital privacy measures to prevent unauthorized access to computers, databases and websites. Data security and privacy must be aligned to effectively implement consumer privacy protections.

An effective risk-based privacy and security framework should apply to all collection of personal data. This does not mean that all framework solutions are equal. The risks of collecting and processing the personal data must be weighed against the benefits of using the data. Transparency, choice and reasonable notice should always be a part of the way data is collected. The specific solutions of a framework may vary based on the risk and specific types of data. The key is to have in place a proactive evaluation (Privacy and Security by Design principles) to provide the most effective protection for the specific application and data use.

Examples Where Privacy Regulations Require or Enable Robust Data Security

Breach Notification Safe Harbor for Encrypted Data in U.S. State Privacy Laws

Data breach notification laws require organizations to notify affected persons or regulatory authorities when an unauthorized acquisition of personal data occurs as defined by the applicable law or regulation. Many U.S. state laws provide a “safe harbor” for data breach notice obligations if the data was encrypted. A safe harbor may be defined as a “provision of a statute or a regulation that reduces or eliminates a party’s liability under the law, on the condition that the party performed its actions in good faith or in compliance with defined standards.”

Security safe harbor provisions may be used to encourage entities and organizations to proactively protect sensitive or restricted data by employing good security practices. Encrypting data may protect the organization from costly public breach notifications. Encrypted data may be excluded from breach requirements, or unauthorized access to encrypted data may not be considered a “breach” as defined in the statute. To be protected by an encryption “safe harbor” exemption, the breached organization must encrypt data in compliance with the state statute. The state-specific statutes may also require control of the encryption keys to claim safe harbor.

GDPR Security Requirements

The General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA) in 2018, further enhancing the privacy rights of residents of the EEA. In addition to allowing EEA residents access to personal data collected about them, the GDPR requires companies interacting with this data to perform risk analyses to determine how to secure the data appropriately. The GDPR lays out basic security requirements in Article 32, GDPR Security of processing, which requires entities to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”

Controllers of personal data must also have appropriate technical and organizational measures to satisfy the GDPR. Business processes that handle personal data must be designed and implemented to meet the GDPR security principles and to provide adequate safeguards to protect personal data.

Implementing a robust security framework to meet the GDPR requirements means the organization should proactively evaluate its data security policies, business practices and security technologies, and the organization must develop security strategies that adequately protect personal data.

Next Steps:

Federal policymakers need to pass uniform privacy legislation into law. A key part of this effort must include sufficiently strong cybersecurity provisions, which are imperative to protecting data, as evidenced by GDPR and thoughtful state breach notification laws. Instead of relying on hard regulations to incentivize organizations to implement strong security, policymakers should include a liability incentive – a rebuttable presumption or a safe harbor – in privacy legislation. Such an approach, ideally aligned to NIST’s flexible Cybersecurity Framework, would enable policymakers to promote the adoption of strong security measures without resorting to a “check the box” compliance model that has the potential to burden customers and discourage innovation in cyber security markets.

The post Why Data Security Is Important appeared first on McAfee Blogs.

$9.8M Settlement to Eddie Bauer Data Breach Filed in Federal Court

A Washington federal court has received a $9.8 million settlement that would resolve a data breach class-action lawsuit filed against Eddie Bauer. Filed on 26 April, the proposed settlement is the product of two years of litigation between Eddie Bauer and Veridian Credit Union, a process which included an in-person mediation meeting held in February, […]… Read More

The post $9.8M Settlement to Eddie Bauer Data Breach Filed in Federal Court appeared first on The State of Security.

Biometric Authentication Overview, Advantages & Disadvantages [Updated 2019]

What is biometric authentication?

Biometric authentication is simply the process of verifying your identity using your measurements or other unique characteristics of your body, then logging you in to a service, an app, a device and so on. What’s complicated is the technology behind it, so let’s see how it works.

How biometric authentication works

To understand it better, just know that biometrics is the name for any type of body measurement and calculation. Biometric identification verifies that you are you based on your body measurements. Biometric authentication goes one step further: it compares that information against a stored database and, on a match, logs you in to a service.

Think of it like this: biometric identification is like a neighbor who looks through the peephole at the two people who just rang the bell. The neighbor decides which one of them is Dave based on height, hair color, eye color and so on. Biometric authentication is the neighbor who looks through the peephole to see who is at the door. If it’s Dave, the neighbor lets him in. If it’s not Dave, the door remains shut.


This is just the simplified explanation for biometric authentication but stay tuned!

Here’s what we will cover in this extensive explanation of biometric authentication, a fascinating technology with significant adoption in the present and huge potential in the future.


How biometric authentication works

Biometric authentication works by comparing two sets of data: the first one is preset by the owner of the device, while the second one belongs to a device visitor. If the two data are nearly identical, the device knows that “visitor” and “owner” are one and the same, and gives access to the person.

The important thing to note is that the match between the two data sets has to be nearly identical, not exactly identical. This is because it’s close to impossible for two biometric samples to match 100%. For instance, you might have a slightly sweaty finger or a tiny, tiny scar that changes the print pattern.

Designing the process so that it doesn’t require an exact match greatly diminishes the chance of a false negative (the device doesn’t recognize your fingerprint) but also increases the odds that a fake fingerprint might be considered genuine.
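To make that trade-off concrete, here is an added Python example (not code from the original post). It models a template as a 256-bit string, a fresh capture of the genuine user as the enrolled template with a few random bits flipped, and an impostor as an unrelated random template; the matcher accepts when the fraction of differing bits is at or below a threshold. The bit-flip model and all samples are constructed assumptions for illustration, not real biometric data.

```python
"""Why biometric matching uses a tolerance, and what it costs.

Added example, not from the original post. A template is modelled as a
256-bit string (an assumption for illustration; it mirrors how iris codes
are compared by Hamming distance). A genuine re-capture differs from the
enrolled template in a few bits (sweat, a scar, a different angle); an
impostor's capture is an unrelated random template. The matcher accepts
when the fraction of differing bits is at or below a threshold, so raising
the threshold lowers the false reject rate (FRR) and raises the false
accept rate (FAR). All samples are constructed with a seeded PRNG.
"""
import random

TEMPLATE_BITS = 256


def hamming_distance(a: int, b: int) -> float:
    """Fraction of bit positions in which two templates differ (0.0 .. 1.0)."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def matches(enrolled: int, probe: int, threshold: float) -> bool:
    """Accept when the probe is 'close enough' to the enrolled template."""
    return hamming_distance(enrolled, probe) <= threshold


def recapture(template: int, max_flips: int, rng: random.Random) -> int:
    """Simulate a fresh capture of the same trait: flip up to max_flips bits."""
    flips = rng.randint(0, max_flips)
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def error_rates(threshold: float, max_flips: int = 60, trials: int = 500,
                seed: int = 1) -> tuple:
    """Return (FRR, FAR) for one threshold over `trials` constructed captures."""
    rng = random.Random(seed)
    enrolled = rng.getrandbits(TEMPLATE_BITS)
    false_rejects = 0
    false_accepts = 0
    for _ in range(trials):
        # Genuine user presenting again: should be accepted.
        if not matches(enrolled, recapture(enrolled, max_flips, rng), threshold):
            false_rejects += 1
        # Unrelated person (or a poor fake): should be rejected.
        if matches(enrolled, rng.getrandbits(TEMPLATE_BITS), threshold):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


def sweep(thresholds=(0.05, 0.10, 0.20, 0.30, 0.40, 0.45)) -> list:
    """Tabulate the FRR/FAR trade-off across thresholds."""
    return [(t, *error_rates(t)) for t in thresholds]


if __name__ == "__main__":
    print(f"{'threshold':>9} {'FRR':>6} {'FAR':>6}")
    for t, frr, far in sweep():
        print(f"{t:>9.2f} {frr:>6.3f} {far:>6.3f}")
```

In this toy model the genuine and impostor populations separate cleanly around a threshold of 0.3; real score distributions overlap, which is why a deployed threshold is a genuine trade-off between lock-outs and false accepts rather than a free choice.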


Popular biometric authentication methods and how they work

There are quite a few ways of identifying a user by means of their own body. Below are the most popular biometric technologies that have made their way into users’ hands.

Fingerprint scanners and how fingerprints are stored

There are three types of fingerprint scanners: optical, capacitive and ultrasound.

  • An optical scanner takes a photo of the finger, identifies the print pattern, and then compiles it into an identification code.

[Image: optical fingerprint scanner]

  • A capacitive scanner works by measuring electrical signals sent from the finger to the scanner. Print ridges directly touch the scanner, sending electrical current, while the valleys between print ridges create air gaps. A capacitive scanner basically maps out these contact points and air gaps, resulting in an absolutely unique pattern. These are the ones used in smartphones and laptops.
  • Ultrasonic scanners will make their appearance in the newest generation of smartphones. Basically, these emit ultrasound that reflects back into the scanner. Similar to a capacitive one, it forms a map of the finger unique to the individual.

How are your fingerprints stored?

Both Google and Apple store your fingerprint on the device itself and do not make a copy of it on their own servers.

Apple’s TouchID won’t store the actual image of the fingerprint, but a mathematical representation of it. So even if a malicious hacker reaches this mathematical representation, he cannot reverse engineer it to reveal an actual image of your fingerprint. Not only that, but the fingerprint data itself is encrypted.

As this security researcher pointed out, TouchID can be hacked but it’s still an extremely safe method of biometric authentication. For someone to hack an iPhone using TouchID sensors, they would need a really good copy of someone’s fingerprint. This will get them access to your unlocked phone, but not to a copy of your fingerprint, so it differs from stealing a password.

[Image: Apple Touch ID finger]

Also, not even the device’s OS can access the fingerprint data directly, much less an app. Instead, there’s a gatekeeper security software called Secure Enclave that sits between the fingerprint data, and the program making the fingerprint scan request.

Android phones operate under similar guidelines. They store the fingerprint data in a secure part of the main processor called Trusted Execution Environment, or TEE for short. The TEE is isolated from other parts of the processor and doesn’t directly interact with installed apps.

Just as with Apple devices, fingerprint data is stored in an encrypted state. In addition, removing a user from the device should also delete any fingerprints stored on it.

While Apple has moved away from fingerprint scanning authentication and replaced TouchID with FaceID, other companies still rely on it.

Indeed, in 2018, many smartphone makers are aiming to incorporate fingerprint scanners in the screen itself. Vivo is the first to market such a device. The Vivo phone has a Synaptics CMOS sensor, a small camera, taped to the back of the OLED panel. Whenever the OLED screen lights up, it also illuminates your fingerprint, which the sensor sees and then compares to the info already stored. For users, the result is a seamless experience: simply touch the screen with your finger and your phone will unlock.


Eye scanners

Security researchers consider the eye one of the most reliable body parts for biometric authentication, since the retina and iris remain almost completely unchanged during a person’s lifetime.

  • A retinal scan will illuminate the complex blood vessels in a person’s eye using infrared light, making them more visible than the surrounding tissue. Just like fingerprints, no two persons will ever have the same retinal pattern.

[Image: retina]

  • Iris scanners rely on high-quality photos or videos of one or both irises of a person. Irises too are unique to the individual. However, iris scanners have proven to be easy to trick simply by using a high-quality photograph of the subject’s eyes or face.

How iris scanners work

When it comes to biometrics, the iris has several major advantages compared to a fingerprint:

  • You don’t spread the information around every time you touch something.
  • The iris stays virtually unchanged throughout a person’s life. A fingerprint, on the other hand, can be dirtied, scarred or eroded.
  • You can’t use a fingerprint with dirty or sweaty hands. Irises, however, have no such problem.

The only major disadvantage of an iris scanner is that high-quality photos of your face or eyes can trick the scanner and unlock the device.

[Image: iris scanner]

Despite these limitations, the technology has made its way as a security feature in airports, banks, and other sensitive buildings. Of course, just like with other security measures, it’s used in conjunction with multiple authentication technologies.

How it works. In the enrollment phase, the scanner takes a photograph of your iris using both normal light and infrared light to capture details that wouldn’t be visible otherwise.

After the device records the person’s iris, it will remove any unnecessary details, such as eyelashes, and then transform the information into mathematical data and encrypt it.

During verification, an iris scanner will again emit infrared light to spot those hidden details. Because an iris scanner supplies its own light, it also works in low light or dark conditions.

Speaker recognition

Speaker recognition, unlike voice recognition, aims to identify who is talking, not what is being said.


In order to identify the speaker, the specialized software breaks their words down into packets of frequencies called formants. These packets of formants also capture the user’s tone, and together they form their voice print.

Speaker recognition technology is either:

  • Text-dependent, meaning it unlocks after identifying certain words or phrases (think “Hey Alexa!” for the Amazon Echo).
  • Text-independent, where it tries to recognize the voice itself but ignores what is actually said.

Unlike other methods mentioned here, speaker recognition comes with a significant usability problem, since it’s easy for background noises to distort the person’s voice and make it unrecognizable.

When it comes to consumer devices, voice activation can come across as awkward (a.k.a. talking to Siri in the subway).

But the biggest issue with speaker recognition is how easy it is to create a high-quality reproduction of a person’s voice. Even low-quality smartphones can accurately record a person’s voice, complete with inflections, tone, and accent.

This hasn’t stopped speaker recognition and similar technologies from gaining mainstream adoption. Just look at the success of Amazon Echo, Google Home, and other voice controlled speakers integrated into a lot of smart homes. What do you get when you combine an Amazon Alexa with an Amazon Key that unlocks your home to couriers when you’re at work?

It’s an amazing biometric authentication experience for users. At the same time, it’s a security risk of nightmare proportions.

We don’t mean just biometric authentication exploits, but “classic” hacker methods as well. Rhino Security Labs demonstrated just how to attack Amazon Key via WiFi so the camera is blind to whoever would enter your home.

We covered the risks of using IoT devices and explained how to secure them here. In this guide, you’ll find the best ways to protect your home wireless network. But let’s return to the types of biometric authentication and how they work, because we’ll later explain their advantages and disadvantages.

Other biometric technologies

The methods above are the most well known and most popular, but not the only ones. Here are some other technologies:

1. Facial recognition systems

Generally speaking, facial recognition systems approach biometric authentication from a lot of angles.


The classic way is to simply extract your face’s features from an image (eyes, nose, the distance between your lips and your nose, etc.) and compare them to other images to find a match.

Through skin texture analysis, your unique lines, beauty marks, wrinkles and so on are turned into a mathematical space, which is then compared to other images.

Both of them can be easily fooled with makeup, masks or, in some cases, simply obstructing part of your face. This is where thermal imagery and other technologies stepped up the game until we got to this point – that of widespread adoption of systems like the Apple FaceID.

The iPhone FaceID uses more than 30,000 infrared dots to map your face, then creates essentially a 3D map of your features. This map, like Touch ID, is sent to the Secure Enclave in the CPU to be compared with the one already stored on the device. The result? Your phone is unlocked just by looking at it.

In the marketing materials, Apple said there is a 1 in a million chance for someone else to unlock an iPhone using FaceID. Of course, that just sounded like a challenge for security experts. A researcher from Vietnam fooled FaceID with a 3D printed mask made from silicone and paper tape.

2. Hand and finger geometry

While not as unique as prints, irises or three-dimensional face maps, our hands are different enough from other people’s. That makes them a viable authentication method in certain cases.

[Image: hand geometry. Source: Eter.it]

A hand geometry scanner will measure palm thickness, finger length and width, knuckle distance and so on.

Advantages of this kind of system are cheapness, ease of use and unobtrusiveness. It also has a few major disadvantages. A hand’s size can vary over time. Health problems might limit movements. More importantly, a hand is not that unique, so the system has low accuracy.

[Image: hand geometry scanner]

3. Vein geometry

Our vein layout is completely unique; not even twins have the same vein geometry. In fact, the overall layout differs from one hand to the other.

Veins have an added advantage: they are incredibly difficult to copy or steal, because they are only visible under tightly controlled circumstances.

A vein geometry scanner will light up the veins with near-infrared light, which makes your veins visible on the picture.

[Image: vein biometrics]

Advantages and disadvantages of biometric authentication

Ultimately, biometric authentication techniques are all about security. As a feature, their main competitor is the password (or PIN code, on occasion), so a comparison between the two will reveal both their strengths and weaknesses. Let’s see.

Advantage: Ease of use

A fingerprint or iris scan is much easier to use than a password, especially a long one. It only takes a second (if that) for the most modern smartphones to recognize a fingerprint and allow a user to access the phone. Ultrasound scanners will soon become commonplace, since manufacturers can place them directly behind the screen, without taking any extra real estate on a phone.

Voice recognition, on the other hand, is a bit iffier and background noises can easily scramble the process and render it inoperable.

Disadvantage: You cannot revoke the fingerprint/iris/voice print remotely

A big disadvantage of biometric security is that a user cannot remotely change it. If you lose access to an email account, you can always initiate a remote recovery to regain control. During the process, you will be able to change your password or add two-factor authentication to double your account’s security.

Biometrics, however, don’t work like that. You have to be physically near the device to change its initial, secure data set.

A thief could steal your smartphone, create a fake finger, and then use it to unlock the phone at will. Unless you locked your phone remotely in time, a thief could quickly steal every bit of information on the device.

Advantage: The malicious hacker has to be near you

The biggest advantage of biometrics is that a malicious hacker has to be in your physical proximity in order to collect the information required to bypass the login.


This narrows down the circle of possible suspects in case your biometric lock is somehow bypassed.

The proximity also puts him at risk of getting caught red-handed, in a way that regular malicious hackers working from another continent cannot.

Disadvantage: “Master fingerprints” can trick many phones and scanners

When you first register a fingerprint, the device will ask you for multiple presses from different angles. These samples will then be used as the original data set to compare with subsequent unlock attempts.

However, smartphone sensors are small, so they often rely on partial matches of fingerprints.

Researchers have discovered that a set of 5 “master fingerprints” can exploit these partial matches, and open about 65% of devices.

The number is likely to go down in real life conditions, but an open rate of even 10% to 15% is huge and can expose millions of devices.

Disadvantage: Biometrics last a lifetime

You can always change your password if somebody learns it, but there’s no way to modify your iris, retina or fingerprint. Once somebody has a working copy of these, there’s not much you can do to stay safe, other than switching to passwords or using another finger.

In one of the biggest hacks ever, the US Office of Personnel Management leaked 5.6 million employee fingerprints. For the people involved, a part of their identity will always be compromised. In CPO Magazine, we explored even more risks of using biometric data, especially in the context of law enforcement.

Disadvantage: Vulnerabilities in biometric authentication software

A couple of years ago, security researchers discovered weaknesses in Android devices that allowed them to remotely extract a user’s fingerprint, use backdoors in the software to hijack mobile payments or even install malware.

What’s more, they were able to do this remotely, without having physical access to the device.

Since then, patches have come for the vulnerabilities, but bug hunters are constantly on the hunt for new ones.

Hacking methods

Whitehat security researchers have proved time and again how to fool fingerprint or iris scanners. Here are just some of the methods they use.

Creating a fake finger (spoofing the fingerprint)

To open up a smartphone secured with a fingerprint, the attacker first needs to find a high-quality print that contains enough specific patterns to open the device.

Next, an attacker will lift the fingerprint, place it on a plastic laminate, and then cast a finger to fit this mold.

[Image: fake fingerprint]

Once the malicious hacker creates the fake finger, all he has to do is to place it on the scanner, press with his finger to conduct electricity and then use the unlocked phone.

Tricking an iris scanner

For some iris scanners, all it takes is taking a photo with a cheap camera in night mode, printing the iris on paper, and then placing a wet contact lens on top to mimic the roundness of the human eye.

Hacking the biometric sensor and stealing the data

Another, more insidious method of obtaining the fingerprint data of a phone, and unlocking it, is to directly hack the part of the phone responsible for storing the information.

For iOS devices, this means breaking into the Secure Enclave. Technically, this is possible, but it is far beyond the scope of your average, day-to-day cyber criminal. The few confirmed hackings have been done by Cellebrite.

Still, the software and expertise might reach mass-market, and into the hands of script kiddies.

In the case of Android devices, researchers have proven it is possible to trick the Qualcomm provided Trusted Execution Environment by loading a customized app, which then runs a privilege escalation until it obtains greater access to the TEE.

Fortunately for us users, a cybercriminal would need considerable expertise to hack your phone in such a way.

Biometric security for mobile devices, such as smartphones and laptops

A fingerprint lock is useless if somebody steals your smartphone and then simply lifts the print off the device.


How to secure smartphone/laptop fingerprint readers

Here are a few simple tips to help minimize the number of prints that are on your phone:

  • Dress your phone with a fingerprint-resistant or oleophobic cover and screen protector.
  • Use a different finger other than your index or thumb.
  • If convenience is not your primary concern, use both the fingerprint and the password/PIN lock. This is especially useful for sensitive business smartphones and laptops. Here is a comprehensive guide for your smartphone security, and we compiled the best password tips here.
  • If your laptop or other device supports it, use a fingerprint randomizer. In short, you register 2-3 fingerprints, and the lock screen will ask you to provide a different finger each time you log in.


Conclusion

Biometric authentication has strongly expanded in the last few years, with more and more consumers relying on it and even demanding for it.

Do you use any sort of biometric technology? How do you feel about it, especially in the government’s hands, and how secure do you think it is?

This post was originally published in July 2017 by Paul Cucu and updated on January 12, 2018 by Ana Dascalescu.


The post Biometric Authentication Overview, Advantages & Disadvantages [Updated 2019] appeared first on Heimdal Security Blog.

Small businesses spent £13.6 billion recovering from cyber crime in 2018

One in three UK companies fell victim to cyber attacks in 2018, with the majority of the damage occurring in small businesses, according to a report by Beaming.

The study found that cyber crime cost UK organisations £17.8 billion last year, of which £13.6 billion came from small businesses.

The average cost of a cyber attack for small businesses was £65,000 per victim. This accounts for damaged assets, financial penalties and business downtime.

Small businesses are becoming more vulnerable

Large organisations have always been the most likely target of cyber attacks. That remains true, according to Beaming’s study, with 70% of large organisations falling victim to an attack in 2018, compared to 63% of small organisations. However, in 2017 only 47% of small organisations were attacked, meaning the gap is narrowing.

That, along with the fact that small organisations make up the majority of UK businesses, explains why they contributed so much towards the cost of cyber crime last year. After all, multiple small breaches are more expensive to handle than one incident affecting the same number of people, because standard processes – like detection and breach notification – are largely the same regardless of the scale of the incident.

Sonia Blizzard, managing director of Beaming, said: “Our research shows that cyber criminals don’t care how big your business is, everyone is a potential victim and the cost of an attack can be devastating. Larger businesses fall victim at the greatest rate because they have more people and more potential sources of vulnerability.

“However, they also tend to have multiple layers of protection in place to limit the spread of an attack and are able to recover more quickly after one.

“Small businesses are trusting more data to the cloud and accessing it from lots of locations. This provides greater flexibility and efficiencies, but also adds to the importance of ensuring data is held and transported securely.

“A specialist ISP can help here by managing a network with the security of business traffic in mind, assisting with the implementation of additional security measures such as managed firewalls and provide advice to clients to enhance the protection on offer. When choosing cloud products, businesses should ensure they have the right connectivity to go with it.”


The post Small businesses spent £13.6 billion recovering from cyber crime in 2018 appeared first on IT Governance Blog.