Daily Archives: January 22, 2020

Zero Trust: Beyond access controls

As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning. One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication. While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they … More

The post Zero Trust: Beyond access controls appeared first on Help Net Security.

There is no easy fix to AI privacy problems

Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More

The post There is no easy fix to AI privacy problems appeared first on Help Net Security.

CIOs using AI to bridge gap between IT resources and cloud complexity

There’s a widening gap between IT resources and the demands of managing the increasing scale and complexity of enterprise cloud ecosystems, a Dynatrace survey of 800 CIOs reveals. IT leaders around the world are concerned about their ability to support the business effectively, as traditional monitoring solutions and custom-built approaches drown their teams in data and alerts that offer more questions than answers. CIO responses in the research indicate that, on average, IT and cloud … More

The post CIOs using AI to bridge gap between IT resources and cloud complexity appeared first on Help Net Security.

NETSCOUT delivers DDoS visibility and protection for service providers and large enterprises

NETSCOUT, a market leader in service assurance, security, and business analytics, announced Arbor Sightline with Sentinel to deliver the next generation of DDoS visibility and protection for service providers and large enterprises. Combining core ARBOR NETWORKS and NETSCOUT Layer 7 technologies with intelligent analytics, machine learning, and automation, Sightline with Sentinel integrates network infrastructure defense functions into an orchestrated capability that delivers unparalleled protection for network, customer, and application services at a lower cost. “As … More

The post NETSCOUT delivers DDoS visibility and protection for service providers and large enterprises appeared first on Help Net Security.

GoSecure adds Insider Threat Detection and Response to its portfolio

GoSecure, a leading provider of Managed Detection and Response (MDR) services and a predictive Endpoint Detection and Response (EDR) platform, announced the addition of Insider Threat Detection and Response to its portfolio. Insider incidents caused by malicious insiders, or in which credential theft was the goal, accounted for 32% of incidents; with the remaining 68% the result of end-user negligence, the challenge increasingly is telling good behavior from bad. Whereas many Insider Threat solutions are focused … More

The post GoSecure adds Insider Threat Detection and Response to its portfolio appeared first on Help Net Security.

How CISOs Can Expand Their Security Duties into Industrial Environments

Digital attacks are a top concern for Industrial Control System (ICS) security professionals. In a survey conducted by Dimensional Research, 88 percent of these personnel told Tripwire that they were concerned about the threat of a digital attack. An even greater percentage (93 percent) attributed their concerns to the possibility of an attack producing a […]… Read More

The post How CISOs Can Expand Their Security Duties into Industrial Environments appeared first on The State of Security.

OneLogin launches Trusted Experience Platform, a complete IAM solution for enterprises

OneLogin introduced the Trusted Experience Platform, an identity foundation that enables companies to provide secure, scalable and smart experiences. The platform is a complete identity and access management (IAM) solution that leverages OneLogin’s investment and expertise in AI, seamlessly managing all of an enterprise client’s digital identities for its workforce and customers. “The OneLogin Trusted Experience Platform provides unparalleled security and reliability to companies so leaders can focus on what matters the most – growing … More

The post OneLogin launches Trusted Experience Platform, a complete IAM solution for enterprises appeared first on Help Net Security.

Privafy unveils cloud-native, security-as-a-service application to protect Data-in-Motion

Privafy unveiled a fundamentally new approach to data security that protects organizations against modern Data-in-Motion threats while disrupting the cost associated with complex, archaic network solutions. The company’s cloud-native application will secure Data-in-Motion as it moves across locations, clouds, mobile and the IoT. Additionally, the company announced it received $22 million in minority investments to date from prominent private investors to continue scaling its cloud-based security business. The company was founded by Verizon and NXP … More

The post Privafy unveils cloud-native, security-as-a-service application to protect Data-in-Motion appeared first on Help Net Security.

buguroo enhances its bugFraud solution with New Account Fraud prevention capabilities

buguroo, the online fraud prevention solutions specialist for the financial sector, unveiled further capabilities that make it easier for banks to identify fraudsters attempting to open new bank accounts. These enhanced New Account Fraud prevention capabilities – included in the latest version of buguroo’s bugFraud solution – employ advanced deep learning technologies to analyze new customer onboarding sessions in real time, examining each user’s behavior and environment without adding friction to their journey. Features include: Analysis … More

The post buguroo enhances its bugFraud solution with New Account Fraud prevention capabilities appeared first on Help Net Security.

RiskRecon joins with Mastercard to help customers achieve good third-party risk outcomes

RiskRecon, the world’s leading platform for easily understanding and acting on third-party cyber risk, and now a Mastercard company, announces its continued commitment to enabling the success of its customers in achieving good third-party risk outcomes, built on a foundation of great customer service and rapid technology innovation. “We are honored to join with Mastercard in serving our rapidly growing customer base who rely on us to provide them accurate and actionable cybersecurity risk ratings … More

The post RiskRecon joins with Mastercard to help customers achieve good third-party risk outcomes appeared first on Help Net Security.

Axio joins the Cyber Readiness Institute to help orgs become more resilient and cyber ready

The Cyber Readiness Institute (CRI) is excited to welcome Axio, a leading cyber risk management SaaS company, to its Champion network. In collaboration with Axio, CRI Champions, members and users will now have access to a free tool, offered by Axio specifically for CRI users, that can help organizations assess cyber risk. “Organizations can be stronger and more secure with tools to assess their unique cyber risks,” said Kiersten Todt, managing director of the Cyber … More

The post Axio joins the Cyber Readiness Institute to help orgs become more resilient and cyber ready appeared first on Help Net Security.

Zenuity chooses HPE to develop next generation autonomous driving systems

Hewlett Packard Enterprise (HPE) has been selected by Zenuity, a leading developer of software for self-driving and assisted driving cars, to provide the crucial artificial intelligence (AI) and high-performance computing (HPC) infrastructure it needs in order to develop next generation autonomous driving (AD) systems. Zenuity is a joint venture between Volvo Cars (VCC) and Veoneer, two Swedish companies whose names are synonymous with automotive safety. Its platforms have been designed to deliver world-class performance in … More

The post Zenuity chooses HPE to develop next generation autonomous driving systems appeared first on Help Net Security.

FireEye acquires Cloudvisory to add cloud workload security capabilities to FireEye Helix

FireEye, the intelligence-led security company, announced the acquisition of Cloudvisory. The acquisition, which closed on January 17, 2020, will add cloud workload security capabilities to FireEye Helix, offering customers one integrated security operations platform for cloud and container security. “Customers need consistent visibility across their public and hybrid cloud environments, as well as containerized workloads,” said Grady Summers, Executive Vice President of Products and Customer Success at FireEye. “Cloudvisory delivers this visibility and allows FireEye … More

The post FireEye acquires Cloudvisory to add cloud workload security capabilities to FireEye Helix appeared first on Help Net Security.

Coalition improves its cyber insurance and security platform with the acquisition of BinaryEdge

Coalition, the leading cyber insurance provider for small and midsize businesses, announced it has acquired Internet scanning and cybersecurity pioneer BinaryEdge. Coalition will integrate BinaryEdge’s technology with its cyber insurance and security platform, allowing Coalition policyholders to easily map their Internet attack surface, monitor risk exposures in real-time, and proactively fix vulnerabilities so that they can stay one step ahead of their adversaries. Although the recent data breaches at Facebook, Capital One, and Travelex dominate … More

The post Coalition improves its cyber insurance and security platform with the acquisition of BinaryEdge appeared first on Help Net Security.

Varicent acquires Symon.AI to provide enhanced analytics to business users and data scientists

Varicent, the leading provider of next generation Sales Performance Management (SPM), announced that it has acquired Symon.AI, a visionary technology platform built on sophisticated Natural Language and Machine Learning algorithms that provide easy to use, advanced analytics to business users and data scientists alike. The acquisition brings to the Varicent SPM platform a full suite of data connectors, data preparation and augmented intelligence features. With the addition of Symon.AI, Varicent leapfrogs the competition to enable … More

The post Varicent acquires Symon.AI to provide enhanced analytics to business users and data scientists appeared first on Help Net Security.

FireMon expands leadership team with Andrew Warren as vice president of global channel sales

FireMon has announced the latest addition to its innovative leadership team, Andrew Warren, as vice president of global channel sales. As a leading network security policy management company, FireMon improves visibility and control over cloud and hybrid infrastructures to reduce risks for businesses around the world. “Andrew’s breadth of sales leadership experience and business development achievements in the security industry over the last decade make him a perfect fit to lead our channel sales team,” … More

The post FireMon expands leadership team with Andrew Warren as vice president of global channel sales appeared first on Help Net Security.

Alison Lewis joins Neustar’s Board of Directors

Neustar, a global information services company and leader in identity resolution, announced that Alison Lewis has been appointed as an independent, non-executive director to the Company’s Board of Directors. Lewis is Chief Growth Officer and member of the Global Executive Leadership Team for Kimberly-Clark, an $18+ billion consumer goods product company of trusted brands in more than 175 countries. “With more than 30 years of experience in global marketing and product management, Alison’s range of … More

The post Alison Lewis joins Neustar’s Board of Directors appeared first on Help Net Security.

Apple Addresses iPhone 11 Location Privacy Concern

Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.

Beta versions of iOS 13.3.1 include a new setting that lets users disable the “Ultra Wideband” feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature.

In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the user’s location even when all applications and system services are individually set never to request this data.

Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone’s settings menu.

Apple later acknowledged the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.

The company further explained that the location information indicator appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

Apple also stressed it doesn’t use the UWB feature to collect user location data, and that this location checking resided “entirely on the device.” Still, it’s nice that iPhone 11 users will now have a way to disable the feature if they want.

Spotted by journalist Brandon Butch and published on Twitter last week, the new toggle switch to turn off UWB now exists in the “Networking & Wireless” settings in beta versions of iOS 13.3.1, under Location Services > System Services. Beta versions are released early to developers to help iron out kinks in the software, and it’s not clear yet when 13.3.1 will be released to the general public.

How Phishing Has Evolved and Three Ways to Prevent Attacks


The term “phishing” can be traced back to 1996, when it was used to describe a group of attackers who imitated AOL employees over AOL messenger, asking people to verify their accounts or billing information. Many unsuspecting users fell prey to this scam purely because of its novelty. Though we would like to believe that we would never be fooled by such an attack these days, phishing remains as popular as ever. Internet users may have become more discerning, but attackers have also become more skilled at luring in victims. Read on to find out how these phish are more sophisticated, and how your organization and its employees can outsmart them.

Advanced Phishing Strategies

In some ways, the core tenets of phishing have remained the same. The goals are still getting malware past the perimeter or harvesting credentials. This is still most frequently accomplished through malicious links or attachments.

What has changed is presentation. Though there are still emails with obviously fake email addresses, riddled with spelling errors, an increasing number are nearly impossible to tell from the real thing. Many lead to websites prompting credentials that look almost identical to the site they are imitating. More recently, threat actors have been making conversation-hijacking attacks, using previously compromised email accounts to reply to ongoing email threads. They slide in with an email that has malicious links or attachments right in the midst of a conversation, easily catching other members of the thread off guard.

How Phish Get to Your Inbox

The backend of phishing has also evolved, with steady advances in evading filters. One simple method is sending text as an image so that it cannot be read and tagged as junk mail. Another is spoofing URLs and email addresses by adding or swapping just a few characters, fooling both the filter and the recipient into opening an email or proceeding as normal on a fake website. Mostly, attackers have just become more shrewd in constantly trying new tactics, knowing that as soon as one obfuscation or evasion technique is exposed, they’ll need to move on to another.
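The URL tricks described above (a few extra characters, substituted look-alike letters, a trusted brand buried in a subdomain or a hyphenated label) can be checked mechanically before a message reaches a user. The following is an added example, not code from the original post or from its author: it extracts the URLs from a message body, canonicalises each host (lower-cases it and decodes any punycode label), and compares the registrable domain against an allowlist of trusted domains using confusable-character folding and edit distance. The allowlist, the confusable table and the sample email are constructed for the example, and the "last two labels" rule for the registrable domain is a simplification that a real filter would replace with the public suffix list.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allowlist for this example: brands whose links users are expected to see.
# A real filter would load this from the mail gateway's configuration.
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com", "example-bank.com")

# Substitutions attackers use so a host reads like a trusted one. Multi-character pairs
# come first so that "rn" folds to "m" before the single characters are considered.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic a e o p
    ("\u0441", "c"), ("\u0455", "s"), ("\u0456", "i"), ("\u0445", "x"),  # Cyrillic c s i x
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def fold_confusables(label: str) -> str:
    """Replace look-alike characters so 'paypa1' and Cyrillic 'paypal' both become 'paypal'."""
    for lookalike, ascii_char in CONFUSABLES:
        label = label.replace(lookalike, ascii_char)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typosquats such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical_host(url: str) -> str:
    """Lower-case the host and turn punycode (xn--) labels back into Unicode."""
    host = (urlparse(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed punycode: keep it as-is
        pass
    return host.lower()


def classify_host(host: str) -> tuple[str, str | None]:
    """Return (verdict, trusted domain that is matched or imitated, or None)."""
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. A production filter
    # would consult the public suffix list so that e.g. 'co.uk' is handled correctly.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted", registrable
    sld = labels[-2] if len(labels) >= 2 else host
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # paypal.com.account-review.net: the real name hides in the subdomain part
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "brand-embedded-in-subdomain", trusted
        # secure-paypal.com: the brand is one hyphen-separated token of the label
        if sld != brand and brand in sld.split("-"):
            return "brand-in-hyphenated-label", trusted
        # paypal.net: right label, wrong TLD
        if sld == brand:
            return "wrong-tld", trusted
        # paypa1.com, Cyrillic paypal.com, rnicrosoft.com: look-alike characters
        if fold_confusables(sld) == fold_confusables(brand):
            return "confusable-lookalike", trusted
        # paypall.com: within two edits of the brand
        if levenshtein(sld, brand) <= 2:
            return "typosquat", trusted
    return "unknown", None


def scan_message(text: str) -> list[dict]:
    """Extract every http(s) URL from a message body and classify its host."""
    findings = []
    for url in URL_RE.findall(text):
        host = canonical_host(url)
        verdict, brand = classify_host(host)
        findings.append({"url": url, "host": host, "verdict": verdict, "brand": brand})
    return findings


# Constructed sample message: one legitimate link and five look-alikes.
SAMPLE_EMAIL = """Your account needs attention. Review it at one of the links below.
https://www.paypal.com/signin
https://paypa1.com/signin
https://secure-paypal.com/verify
https://paypal.com.account-review.net/login
https://\u0440\u0430ypal.com/login
https://rnicrosoft.com/owa
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL):
        print(f"{f['verdict']:28} {f['host']:35} imitates={f['brand']}")
```

Run as a script it prints one line per URL with its verdict. The edit-distance threshold of two suits brand names of six or more letters like those in the allowlist but will over-flag very short ones, so tune it per brand. Note also that a valid certificate on the landing page adds nothing this check does not already cover: a look-alike domain can carry a perfectly valid TLS certificate.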

Who is Phishing and Who is Getting Phished

Another change is in who is targeted. While there are still massive campaigns aimed at whoever will click a link, other phishing attacks are far more precise. Spear-phishing, for instance, targets specific individuals or organizations using sites they are familiar with or imitating known individuals in order to lure them in. Whaling is even more precise, aimed at high-level executives. In both cases, extensive research is conducted so threat actors know what may entice these organizations or individuals to open a message. From there, an email is crafted to both personalize the content and convey the right tone for the business or individual. For example, a whaling attack against a C-level employee may require a certain level of urgency to ensure that it’s opened, typically involving financial, legal, or, ironically, security matters.

Finally, there is an increasing number of people who have the ability to phish. Before, threat actors were only those who understood the mechanics of phishing. Now, phishing kits can be purchased readily on the dark web, giving nearly anyone who has the desire to phish the tools needed to do so. This has pushed the number of attacks even higher. With constant attacks being launched, it’s no wonder that so many people have been fooled.

How Can Organizations Avoid Getting Phished

Advancements are being made to help strengthen filters and prevent phish from ever arriving in your inbox, and browser security is also evolving to detect malicious websites the moment you land on them. For the foreseeable future, however, phishing will continue to be an ongoing challenge for organizations. Strategically manage this threat by following these three steps:

  1. Deploy anti-phishing pen tests.
    You don’t want to wait until after you’ve been hit to find out that your employees are particularly susceptible to phishing. Social engineering testing imitates phishing campaigns in order to safely determine how vulnerable your employees are and what types of phish are most likely to fool them. Using social engineering pen testing services or tools lets you find your weaknesses by safely launching an attack just like those currently being used by actual threat actors. Such campaigns can be the difference between a company that suffers a huge breach and one that remains secure.
  2. Educate employees and follow best practices.
    No matter the outcome of your pen test, it is always worthwhile to educate your employees. Teach them ways to identify phish, from lack of personalization to odd URLs. Urge caution when opening links or attachments, particularly those that come unprompted or from unusual sources. Follow best practices, like going directly to a website instead of using a link when possible. Encourage employees to keep an eye on OpenPhish and PhishTank to familiarize themselves with the most common phish currently circulating.
  3. Retest on a regular basis.
    Anti-phishing penetration tests can and should be run frequently. The best way to ensure your education efforts are effective is to test again. Additionally, new phish are constantly being introduced, so you’ll want to stay up to date on the latest tactics. Regular testing keeps employees accountable and vigilant, and ensures that new employees aren’t a security weakness that goes unaddressed for too long.


VMware acquires Nyansa to improve SD-WAN capabilities

VMware’s appetite for acquisitions hasn’t waned since it acquired Pivotal last summer for $2.7 billion, and this week announced its intention to buy network analytics software provider Nyansa.

For an undisclosed sum, VMware said on Jan. 21 that it would acquire Nyansa to bolster its network visibility and monitoring capabilities by combining VMware SD-WAN by VeloCloud with Nyansa’s cloud-based AIOps platform.


The Nyansa platform’s ability to display network telemetry from multiple hardware vendors in a single view could compete directly with other monitoring tools such as Cisco Prime, SolarWinds and Aruba AirWave.

“Abe and his team have done a fantastic job building a highly differentiated solution that meets a real customer pain point,” wrote Sanjay Uppal, vice-president and general manager of the VeloCloud business unit for VMware, in a blog post.

Abe Ankumah, chief executive officer and co-founder of Nyansa, wrote in a separate blog post that Nyansa Voyance will extend the VMware portfolio further into the enterprise campus and branch by adding software capabilities on Wi-Fi and LAN devices, as well as analytics tools to the VMware data centre portfolio.

The two companies, added Ankumah, are aligned on more than just the technologies involved in this strategy.

“Over the years at Nyansa, we’ve obsessed about building a customer-first, radically candid, and openly communicative culture that facilitates innovation and learning. In all our interactions thus far, the VMware team has embodied similar values that will allow the Nyansa team to continue to thrive, while also leveraging the resources and scale of VMware,” he wrote.

The deal is expected to close between February and March.

Intel processor constraint to continue in 2020, says HPE

Hewlett Packard Enterprise has warned the industry to brace for an Intel processor shortage throughout 2020, specifically the Intel Cascade Lake server processors. After issuing a statement to The Register earlier this week, HPE’s Canadian division provided IT World Canada with a similar message: “HPE is experiencing a constraint on certain processors. There are other processors…

FBI Shuts Down Website Trafficking in Breached Data

The FBI has seized the domain of WeLeakInfo.com, an online service that sold data from hacked and breached websites.

The domain seizure and termination of WeLeakInfo’s services was the result of a joint operation with the UK National Crime Agency, the Netherlands National Police Corps, the German Bundeskriminalamt (the Federal Criminal Police Office of Germany), and the Police Service of Northern Ireland. 

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.  The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months),” wrote the Justice Department in a public statement.

Records were available on the site for as little as $2 for a single day’s use, or $70 per month for unlimited access to the breached data.

Dutch authorities arrested a 22-year-old man on suspicion of operating the site following the seizure.

The relative frequency and scope of data breaches over the last several years has created a secondary market for aggregated records. Another site offering access to breached passwords, LeakedSource, was seized by Canadian authorities in 2017.

The post FBI Shuts Down Website Trafficking in Breached Data appeared first on Adam Levin.

The 2020 Tax Frauds: Old is New and Better than Ever

This tax season it’s the same old story when it comes to fraud; but the 2020 reboot is going to require tax professionals and taxpayers to level-up when it comes to staying cyber safe. The targets remain the same (employers, payroll companies, tax preparers and taxpayers) as does the approach: Social engineering. But the bad guys got in great shape during the off-season and have a stealthier playbook in 2020. 

The threats persist because we still use easily decipherable passwords shared across our universe of “secure” accounts (often mixing personal and work-related logins), we don’t use 2 Factor Authentication whenever it’s available, we click on links or open attachments sent by people or organizations we think we know, and we don’t lie when responding to security questions easily answered by our poorly protected social media accounts. 

Their goal is to acquire as much personal and financial information as possible (so they can convincingly impersonate us to the institutions where we do business), or to trick us into giving up the credentials that unlock payroll accounts, tax preparation firms, the HR departments of employers that hold tax-related information, or the tax preparation software that taxpayers and preparers use to file their returns.

The social engineering is accomplished through the four ishings of the cyberapocalypse:

Generic phishing: Dear Taxpayer, tax professional, cardholder, policyholder, member, employee, etc, a horrible/miraculous thing has happened: click here Mr/Mrs/Ms Fomo.

Spearphishing (direct phishing): Dear Chris: You really messed up this time. See attached. 

Vishing (Phone-based): Mr/Mrs/Ms, I am with the security department of your bank, the IRS, the Social Security Administration, the Jury Commission, Board of Elections. It is crucial that we confirm your information on file.

SMishing (Text): Your account has been frozen due to suspicious activity, please click on this link and enter your USER ID in order to resolve this issue.

When a malware-laden link is clicked, the clone sites these days are for the most part close to perfect: authentic-looking graphics, excellent grammar, no misspellings. Often the only way to tell something is amiss is by looking at the URL, but even that can be misleading. Criminals are now adept at registering domain names that seem legitimate and obtaining certificates for them, so the fake site shows HTTPS and a padlock. The padlock only means the connection is encrypted; it says nothing about whether the site belongs to the organization it imitates.

A new trend: intensified ransomware attacks on tax preparers. Time-sensitive files are frozen and only thawed when bitcoin is paid to the hackers. That is, if the victims are lucky. We have seen instances in the wider cyber ecosystem where a ransom is paid and the files are released, but the data has also been stolen by the hackers, who use the information to file false returns.

To better protect against social engineering attacks, taxpayers should:

Use 2-Factor Authentication whenever available

Never click a link or open an attachment without independent confirmation of the sender.

Never authenticate yourself to anyone who contacts you. Only provide sensitive information when you’re in control of the interaction (navigate to a site yourself, and call an organization, don’t trust caller-ID) and know exactly to whom you are speaking or communicating.

Tax preparers should be vetted:

Beware of guarantees. No organization can realistically claim to always deliver the biggest or fastest refund. So, don’t click on banner ads when someone does. 

Avoid remorse, check the source. How did you find out about the particular preparer? Are they part of a larger organization? Are they a tax-season pop-up? Do they come recommended? What are their qualifications (CPA, PA, some guy who does it for his friends)? Are they a member of an organization that requires members to be ethical? Did you find them in an ad, get an email, etc?

Know the deal, or get peeled.  Is the fee set, or are you paying by the hour? Never agree to a percentage of the refund. Will your preparer be there for you after the return is filed? Is this part of the contract or not?

Know the facts, or feel the tax axe:
When you were presented with your return, what did it look like? Did the preparer sign it? Are there any blanks which might make an audit more likely? Do the numbers look right?

And let’s not forget the “oldies but goodies.”

Fake IRS representatives calling taxpayers and threatening them with arrest for having failed to pay in a timely fashion, demanding payment in gift or pre-paid cards (it really happens and people fall for it all the time) or via wire.

Fake Social Security Administration agents calling to inform you that they have to freeze accounts or suspend benefits due to criminal activity, something that can be avoided if you give them your sensitive personal information via phone or email (bonus: they ask for your payment information too).

The post The 2020 Tax Frauds: Old is New and Better than Ever appeared first on Adam Levin.

US Journalist Denounced for Alleged Involvement with Brazilian Criminal Organization

Brazilian prosecutors have denounced American journalist Glenn Greenwald for his alleged involvement with a cybercrime organization that hacked cell phones to commit bank fraud.

Greenwald is best known for a series of reports published from June 2013 by The Guardian newspaper that detailed the global surveillance programs of the United Kingdom and the United States. The reports were based on classified documents disclosed by Edward Snowden and whistle-blowing events involving WikiLeaks.

In a criminal complaint filed by federal prosecutors in Brazil on Tuesday, Greenwald is accused of being involved with a criminal organization that hacked mobile devices and committed bank fraud and money laundering. 

According to the complaint, the organization is behind a number of hacks perpetrated last year in which cell phones belonging to public officials and prosecutors were compromised. Among the officials whose devices were hacked was the Brazilian minister of justice and public security, Sérgio Moro.

Seven individuals are named and denounced in the complaint, including computer programmer Gustavo Henrique Elias Santos and his wife, Suelen Oliveira, who allegedly recruited people to participate in a series of scams.

Greenwald was named as an auxiliary to the criminal organization’s activities after a recording of a conversation between the journalist and the organization’s alleged hacker Luiz Molição emerged. The recording was found on a MacBook seized by Brazilian police from the house of Walter Delgatti Netto, who prosecutors allege was one of the organization’s leaders. 

In the audio, Molição confirms that a phone hack is ongoing. He then asks Greenwald for guidance on the possibility of "downloading" the content of other people's Telegram accounts before the journalist publishes certain articles on his website, The Intercept.

Prosecutors allege that Greenwald then advised Molição to cover the criminal gang's tracks by deleting archives of material that they had sent to the journalist. Deleting the material could hinder a police investigation and possibly reduce the criminal liability of the individuals behind the hack. 

The complaint states that the criminal organization carried out 126 telephone, telematic, or computer interceptions and 176 invasions of third-party computer devices. An investigation into whether the hacks resulted in financial profits is ongoing, and the possibility of future judicial proceedings has not yet been ruled out.

The Intercept and Greenwald both released statements on Tuesday labeling the federal prosecutor’s allegations as an attack on Brazil’s free press "in line with recent abuses by the government of far-right President Jair Bolsonaro."

Investigators: Saudis Hacked Amazon CEO Jeff Bezos’ Phone

Saudi Arabia Dismisses Report; United Nations Demands Full Investigation
The mobile phone of Amazon CEO Jeff Bezos was hacked via a malicious file sent directly from the official WhatsApp account of Saudi Arabia's Crown Prince Mohammed Bin Salman, investigators have concluded. While the Saudis deny involvement, the United Nations has called for an immediate investigation.

In for the weakness, in for the Hack

In my first week of basic training in the Israeli army I was taught that, in terms of information security, there is no piece of information too negligible or too small to deal with.

The base location, the unit’s name, how big my team is: these shall not be told.
There is no need to brag about the amazing projects we do,
and there is no reason to connect external media to computers.

EVERYTHING about information security is important and must not be an afterthought.

That approach is based on the assumption that a person who was educated from the very first moment not to disclose the name of the unit (barely even the city it is located in) will be very mindful and aware of information with real potential for harm.

This is an excellent and well-proven attitude to security, and I’d expect it to be a cornerstone in mission-critical cyber security organizations and industries such as medical, energy, avionics and automotive.

You can imagine how surprised I was when I heard, too many times, from too many senior executives in tone-dictating companies:

“The distance between a weakness, a hack, and actually taking over a vehicle and putting people in jeopardy is very large. We shall not be excited by each vulnerability.”

Technically, to some extent, they are right. The transition from weakness to exploitation is significant and sometimes impossible. Not every weakness will end in a ransomware message on your airplane’s infotainment screen.

But it is exactly this intricate attitude toward security events that we must not remain indifferent to.

After all, taking control of a Jeep Cherokee was a combination of weaknesses, exploitation methods, poorly protected communication, etc.

At the end of the day, every cyber incident begins with a weakness that was not well covered, published or addressed; pile on top of that great motivation, high technical skill and tenacity, and the result is an assault that will make you wanna cry.

As Lao Tzu said, ‘A journey of a thousand miles begins with a single step.’

In the cyber-security arena, a small buffer overflow can sometimes be that single step.

With cyber security we must go ‘all in’ and leave nothing to luck. We must identify all the threats and evaluate the degree of exposure each one produces.

This knowledge gives us options to tackle and resolve them: some as simple as using a different compilation method, some as complex as engaging the supply chain and development teams, and some solvable through operational mechanisms and processes.

I know that this ‘epiphany’ moment about the security status of your product usually causes more headaches than relief, since it usually brings a flood of new issues and gaps, and treating them does not make it easier to meet the schedule or increase margins.

It is much easier and more fun to wrap yourself in the warm blanket of blessed ignorance and practice surprised gestures.

In my opinion this is not a privilege we have in critical infrastructure, and specifically not in the current era of revolution. We strive for a shared, electronic and autonomous world; a cyber attack will stave off that revolution and deal a severe blow to the spirit of progress we all enjoy anticipating.

I know that the cyber security industry is aware of these needs; there are solutions (I am sure they can get better) for doing just that: cyber risk assessment, meaning mapping vulnerabilities, finding violations of security policies, compliance with the emerging ISO 21434, hardening issues, poor performance of encryption and even identifying the entire software stack. Risk assessment is conducted to avoid incidents, and the right measures should be devoted to doing just that: avoid incidents, not respond to them; avoid.
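The “different compilation method” mentioned earlier and the “hardening issues” in the risk-assessment list above meet in one concrete check: whether a shipped binary was actually built with the link-time protections (PIE, non-executable stack, RELRO, stack protector) that a hardened toolchain emits. The checker below is an added example, not the author’s or Cybellum’s code; it parses only the ELF64 header and program headers, treats the `__stack_chk_fail` string as a heuristic for the stack protector, and runs against two ELF images constructed inline for the demonstration rather than real firmware.

```python
import struct

# ELF64 constants from the System V ABI and the GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes


def check_hardening(image: bytes) -> dict:
    """Report which link-time hardening features an ELF64 image carries.

    pie    : linked position-independent (e_type == ET_DYN), so ASLR can move it
    nx     : a PT_GNU_STACK header exists and does not request an executable stack
    relro  : a PT_GNU_RELRO header exists (partial RELRO; full RELRO also needs
             DT_BIND_NOW in the dynamic section, which this minimal parser skips)
    canary : heuristic, the __stack_chk_fail reference that -fstack-protector emits
    """
    if len(image) < EHDR.size or image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(image, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]

    stack_flags = None
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(image, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the loader falls back to an executable stack.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
        "canary": b"__stack_chk_fail" in image,
    }


def missing_protections(image: bytes) -> list:
    """Names of the protections the image lacks, in a fixed order for reporting."""
    report = check_hardening(image)
    return [name for name in ("pie", "nx", "relro", "canary") if not report[name]]


def build_elf(e_type: int, segments, trailer: bytes = b"") -> bytes:
    """Assemble a constructed, non-loadable ELF64 image for exercising the checker.

    segments is a list of (p_type, p_flags); offsets and sizes stay zero because
    the checker only reads segment types and flags.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1
    header = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    return header + phdrs + trailer


# Constructed samples: one shaped like the output of a hardened toolchain, one
# shaped like a legacy build (non-PIE, executable stack, no RELRO, no canary).
HARDENED_IMAGE = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)],
                           b"\0__stack_chk_fail\0")
WEAK_IMAGE = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED_IMAGE), ("weak", WEAK_IMAGE)):
        print(name, check_hardening(image), "missing:", missing_protections(image))
```

Pointed at real build artifacts (`check_hardening(open(path, "rb").read())`), the same function turns “use a different compilation method” into a pass/fail item in an assessment report; a legacy image reports every protection missing, a properly linked one reports none.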

To sum up, as I was told by the first sergeant while patrolling around the base, and as ‘Ivar the Boneless’ discovered in the last season of Vikings: a single uncovered crack and you may lose the fortress, lose the trust of the people and find yourself dining with the gods in Valhalla.

Therefore, don’t overlook your flaws and vulnerabilities; progress starts there. You should accept yourself (and your imperfect code) as you are and strive for improvement.

Guest blog written by Eddie Lazebnik, bringing 15 years of cyber experience in both the private and public sector and recently in a groundbreaking startup. Served for about a decade in Israeli government and military cyber security organizations. Holds an education in business administration, has a proven technical execution record and a great passion for technology and innovation. Very excited about the IoT revolution and specifically the automotive industry: connected and autonomous vehicles. These days leading strategy and strategic partnership activity at Cybellum.

The post In for the weakness, in for the Hack appeared first on CyberDB.

250 Million Microsoft Customer Support Records Exposed Online

If you have ever contacted Microsoft for support in the past 14 years, your technical query, along with some personally identifiable information might have been compromised. Microsoft today admitted a security incident that exposed nearly 250 million "Customer Service and Support" (CSS) records on the Internet due to a misconfigured server containing logs of conversations between its support

Malware attack took down 600 computers at Volusia County Public Library

Systems supporting libraries in Volusia County were hit by a cyber attack; the incident took down 600 computers at Volusia County Public Library (VCPL) branches.

600 staff and public access computers were taken down at Volusia County Public Library (VCPL) branches in Daytona Beach, Florida, following a cyberattack. The attack started around 7 AM on January 9, 2020.

“The county’s technology staff were immediately notified and coordinated recovery efforts with library staff,” reads the official statement.

“Approximately 50 computers are back online, enabling library staff to perform patron business, such as checking books in and out, and making reservations.”

The library did not disclose the family of malware that infected its system, but experts believe that the computers were infected with ransomware.

The good news is that the cyber attack did not affect the ordinary operations of the Volusia County Public Library, and the library’s website was not impacted either. Public Wi-Fi in the library was also not impacted by the attack; according to the statement, “the public is able to safely use Wi-Fi within the libraries on personal devices.”

As a result of the incident, the computers at the library were not able to surf the web.

“The county is conducting an investigation and more information will be available at a later date,” VCPL staff also said.

“Some Californian libraries are also affected by a ransomware attack that encrypted computers at 26 community libraries in Contra Costa County on January 3,” reported BleepingComputer.

Pierluigi Paganini

(SecurityAffairs – Volusia County Library, hacking)

The post Malware attack took down 600 computers at Volusia County Public Library appeared first on Security Affairs.

Fake Smart Factory Captures Real Cyber-threats

A fake industrial prototyping company created by cybersecurity researchers has become the target of real-life cyber-attackers. 

Researchers at Trend Micro established the faux firm and maintained it for a six-month period in 2019 to learn about the threats facing companies that use Operational Technology. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud.

The fake concern consisted of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines that ran the factory. Among these machines were several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations, and a file server.

The honeypot went live on May 6, with a fake client base composed of large anonymous organizations from critical industries. By July 24, a threat actor had entered the fake company's system and downloaded a cryptocurrency miner. Researchers observed the attacker returning regularly to relaunch their miner.

By August, researchers had observed multiple incidences of compromise, with one threat actor performing reconnaissance activities and another causing system shutdowns. Ransomware attacks using Crysis and a Phobos variant were carried out against the fake company in September and October, respectively. 

Greg Young, vice president of cybersecurity for Trend Micro, said the research indicated that industrial companies are primarily vulnerable to bog-standard cyber-threats.

He said: "Too often, discussion of cyber threats to ICS has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely."

Young warned owners of small smart factories against the dangers of thinking that their company's size makes them somehow immune to the threat of cyber-attack.

He said: "Owners of smaller factories and industrial plants should not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line."

Smart factory owners can reduce the risk posed by malicious threat actors by minimizing the number of ports they leave open and also by strictly enforcing access control policies.

Facebook Crime Rises 19% as UK Tries to Police Social Media

The UK government is planning to police social media by issuing sites with a new code of conduct.

Social media firms will be required by law to protect children from viewing any content deemed to be "detrimental to their physical or mental health or wellbeing," according to a report published yesterday in The Daily Telegraph.

Failure to act in line with the government-backed code could result in fines and penalties that could potentially cost an offending company billions of pounds in revenue. The current code of conduct was created in 2017 and updated in April 2019.

News of the stricter code comes as statistics obtained from the British police reveal an alarming increase in the number of reported crimes linked to Facebook. 

Data obtained from 20 different UK police forces under a Freedom of Information (FOI) request indicates that in the financial year 2019–20, the number of Facebook-related crimes reported to the police was 32,451. When compared to the same period in 2017–18, this total shows an increase in crime of 19%.

Official figures from the police list the total number of crimes with a connection to Facebook as 55,643. Data shared under the FOI request revealed that Leicestershire Police received the highest number of reports of Facebook-linked crimes. In total, the English Midlands force said it had recorded 10,405 such incidents, of which 408 involved victims categorized as "vulnerable."

Lancashire Constabulary reported the second-highest number of crimes linked to the social media giant. The North West England force said it had recorded 8,829 Facebook-connected crimes, of which 718 were harassment, 179 were sexual offences, 1,007 involved offensive messages, and 1,497 were classified as malicious communication.

Greater Manchester Police reported 8,230 Facebook-linked crimes, many of which involved "engaging in sexual activity with a child."

The FOI request was put out by the Parliament Street think tank. Figures obtained by the think tank via an FOI request for offenses that mentioned Instagram or Facebook in the crime notes found that Instagram had been used by pedophiles, stalkers, burglars, and drug dealers to commit 15,143 crimes since 2017. The total number of cases associated with both sites since 2017 is 70,786.

Researchers find open Microsoft database with 250 million support records

Configuration mistakes by staff can be a huge embarrassment to organizations, defeating even the biggest IT security budget. Often these mistakes result in databases of sensitive information being left open on the internet for a lucky hacker to trip over.

The latest publicly identified victim is Microsoft. Researchers at Comparitech, a U.K.-based site that reviews consumer IT security products, said this morning they recently found five Elasticsearch servers belonging to the software giant holding identical copies of nearly 250 million customer service and support records, exposed without a password or any other authentication needed for access.

The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to last December. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.

Microsoft quickly secured the data after being notified.

Independent researcher Bob Diachenko, who led the team, was quoted as saying most of the personally identifiable information, such as email aliases, contract numbers, and payment information, was redacted in the data.

However, many records contained plain text data, including customer email addresses, IP addresses, locations, descriptions of claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks, and internal notes marked as “confidential”.

One can speculate that a Microsoft employee wanting to look for trends in the customer support data figured with the personally identifiable information redacted the database didn’t need to be password protected.

However, Comparitech argues that readable data could still be valuable to hackers, particularly to give credibility to those involved in Microsoft tech support scams. For example, knowing a customer’s email address would allow a scammer to craft an email starting “Following up on your recent support incident.”

Diachenko is one of several researchers who use the Shodan search engine to find and expose companies with unprotected databases, often sitting on Amazon AWS infrastructure. In 2018 he found a MongoDB server of data management company Veeam Software. Just over a year ago he and a team found an open database belonging to a Texas data processing company.

Other researchers are also finding easy pickings. In 2018 one found Canadian and British government staffers misconfigured some of their web-based Trello project management software and exposed details of software bugs and security plans, as well as passwords for servers and other sensitive information.

Many of these discoveries — as in the Microsoft case — are repositories of data held by Elasticsearch searches. Last summer, for example, Canadian security consultant Darryl Burke found two open Elasticsearch databases, one of which held sensitive personal information of Middle East residents looking to immigrate to Canada.

Elasticsearch is an open-source analytics search engine organizations use to hunt through their data. What many companies don’t realize, Burke said in an interview at the time, is that it keeps a cache of data it indexes. If the Elasticsearch server is open to the Internet but not secured with a username and password — and, ideally, two-factor authentication — then that data is open to discovery by an attacker.
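The exposure Burke describes is a two-setting mistake in `elasticsearch.yml`: the HTTP API bound to every interface while the security module is off, which was the out-of-the-box state before Elasticsearch 8 turned security on by default. The audit below is an added example, not Comparitech’s, Burke’s or Elastic’s code; the three configuration fragments are constructed for the demonstration, and the parser assumes the flat dotted `key: value` form those settings take (no nested YAML blocks).

```python
# Constructed elasticsearch.yml fragments (not taken from any real deployment).
WEAK_CONFIG = """\
cluster.name: support-logs
network.host: 0.0.0.0            # listen on every interface
http.port: 9200
xpack.security.enabled: false    # no authentication on the REST API
"""

EXPOSED_WITH_AUTH_CONFIG = """\
cluster.name: support-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
"""

HARDENED_CONFIG = """\
cluster.name: support-logs
network.host: 127.0.0.1          # reachable only via a local proxy or tunnel
http.port: 9200
xpack.security.enabled: true     # every request must authenticate
xpack.security.http.ssl.enabled: true   # and those credentials travel over TLS
"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text: str) -> dict:
    """Flat 'key: value' parser for dotted Elasticsearch settings; drops '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)   # split once so IPv6 values like ::1 survive
        settings[key.strip()] = value.strip()
    return settings


def audit_elasticsearch(text: str) -> list:
    """Return findings for settings that leave indexed data readable over the network."""
    s = parse_settings(text)
    host = s.get("network.host", "_local_")      # unset network.host binds to loopback
    port = s.get("http.port", "9200")
    exposed = host not in LOOPBACK_HOSTS
    auth = s.get("xpack.security.enabled", "false").lower() == "true"
    tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    findings = []
    if exposed and not auth:
        findings.append(f"network.host={host} with xpack.security.enabled=false: "
                        f"anyone who can reach port {port} can read every index")
    if exposed and auth and not tls:
        findings.append("authentication is on but HTTP TLS is off: "
                        "credentials cross the network in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("exposed+auth", EXPOSED_WITH_AUTH_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```

Binding to loopback and putting an authenticating reverse proxy or VPN in front is the usual fix when the built-in security features are unavailable; with them available, enabling `xpack.security.enabled` and HTTP TLS together is what turns an open index into one a search engine such as Shodan or BinaryEdge can catalogue but not read.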

To combat misconfigurations cloud storage providers like Amazon AWS and Microsoft Azure are either making storage closed to the Internet by default or beefing up their security detection tools.

AI, automation emerge as critical tools for cybersecurity

Artificial intelligence and automation adoption rates are rising, and investment plans are high on enterprise radars. AI is in pilots or use at 41% of companies, with another 42% actively researching it, according to the 2019 IDG Digital Business Study.

Cybersecurity has emerged as an ideal use case for these technologies. Digital business has opened a score of new risks and vulnerabilities that, combined with a security skills gap, is weighing down security teams. As a result, more organizations are looking at AI and machine learning as a way to relieve some of the burden on security teams by sifting through high volumes of security data and automating routine tasks.

To read this article in full, please click here

NIST Releases Privacy Risk Management Framework

Last week, NIST announced version 1.0 of its Privacy Framework, a tool designed to support organizations in managing their privacy risks.

In September 2019, NIST released a revised draft of the Privacy Framework and called for public feedback. The organization had initially hoped to introduce version 1.0 by the end of 2019, but it was only officially announced on 16 January.

The NIST Privacy Framework has been designed to help organizations of all sizes manage privacy risks by focusing on three main aspects: privacy when developing a product or service, information on privacy practices and interinstitutional cooperation.

The framework consists of three main components: the Core, Profiles and Implementation Tiers. The Core provides a granular set of activities and outcomes aimed at facilitating internal communication. Profiles represent an organization’s selected Core functions, categories and subcategories. Finally, Implementation Tiers help organizations optimize the resources needed to achieve their target Profile.

NIST stated that the Privacy Framework is a collaborative mechanism, not a statute or rule, for mitigating threats and supporting compliance with existing legislation such as the GDPR and California’s CCPA.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz.

“If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

The framework should also make it easier for companies to keep up with technological developments and new uses for data, according to Lefkovitz.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” she explained. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

NIST states that the Privacy Framework and the NIST Cybersecurity Framework are intended to be complementary, and both will be revised over time.

NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is accessible in PDF format on the NIST website.

Did Apple drop end-to-end encrypted iCloud backups because of the FBI?

Two years ago, Apple abandoned its plan to encrypt iPhone backups in the iCloud in such a way that makes it impossible for it (or law enforcement) to decrypt the contents, a Reuters report claimed on Tuesday. Based on information received by multiple unnamed FBI and Apple sources, the report says that the decision was made after Apple shared its plan for end-to-end encrypted iCloud backups with the FBI and the FBI objected to it. … More

The post Did Apple drop end-to-end encrypted iCloud backups because of the FBI? appeared first on Help Net Security.

Hashtag Trending – Huawei CFO hearing; Apple bends to FBI; North shotgunning patents

Today’s top news is that Huawei’s CFO hearing is now officially underway. In other news, North’s new smart-glasses to include some cool new bleeding-edge features, and Apple supposedly abandoned encrypting iCloud backups after FBI intervention. Thank you for tuning in to Hashtag Trending, it’s Wednesday, January 22nd, and I’m your host, Tom Li. Trending everywhere,…

Download: The State of Security Breach Protection 2020 Survey Results

What are the key considerations security decision-makers should take into account when designing their 2020 breach protection? To answer this, we polled 1,536 cybersecurity professionals in The State of Breach Protection 2020 survey (Download the full survey here) to understand the common practices, prioritization, and preferences of the organization today in protecting themselves from

Apple Dropped iCloud Encryption Plans After FBI Complaint: Report

Apple dropped plans to offer end-to-end encrypted cloud back-ups to its global customer base after the FBI complained, a new report has claimed.

Citing six sources “familiar with the matter,” Reuters claimed that Apple changed its mind over the plans for iCloud two years ago after the Feds argued in private it would seriously hinder investigations.

The revelations put a new spin on the often combative relationship between the law enforcement agency and one of the world’s biggest tech companies.

The two famously clashed in 2016 when Apple refused to engineer backdoors in its products that would enable officers to unlock the phone of a gunman responsible for a mass shooting in San Bernardino.

Since then, FBI boss Christopher Wray, attorney general William Barr and most recently Donald Trump have all taken Apple and the wider tech community to task for failing to budge on end-to-end encryption.

Silicon Valley argues that it’s impossible to provide law enforcers with access to encrypted data in a way which wouldn’t undermine security for hundreds of millions of law-abiding customers around the world.

They are backed by world-leading encryption experts, while on the other side, lawmakers and enforcers have offered no solutions of their own to the problem.

Apple’s decision not to encrypt iCloud back-ups means it can provide officers with access to targets’ accounts. According to the report, full device backups and other iCloud content were handed over to the US authorities in 1568 cases in the first half of 2019, covering around 6000 accounts.

Apple is also said to have handed the Feds the iCloud backups of the Pensacola shooter, whose case sparked another round of calls for encryption backdoors from Trump and others.

It’s not 100% clear if Apple dropped its encryption plan because of the FBI complaint, or if it was down to more mundane usability issues. Android users are said to be able to back-up to the cloud without Google accessing their accounts.

UPS Says Phishing Incident Might Have Exposed Some Customers’ Data

The United Parcel Service (UPS) revealed that a phishing incident might have exposed the information of some of its customers. In its “Notice of Data Breach” letter, UPS disclosed that an unauthorized person had used a phishing attack to gain access to store email accounts at some of its store locations between September 29, 2019 […]… Read More

The post UPS Says Phishing Incident Might Have Exposed Some Customers’ Data appeared first on The State of Security.

Half a Million IoT Device Passwords Published

It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. Useful for anyone putting together a bot network:

A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.

The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

According to experts to whom ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Report: Apple Scuttled Encryption Plans for iCloud Backups

Technology Giant Didn't Want to 'Poke the Bear,' Sources Tell Reuters
Apple previously scuttled plans to add end-to-end encryption to iCloud backups, Reuters reports, noting that such a move would have complicated law enforcement investigations. But the apparent olive branch hasn't caused the U.S. government to stop vilifying strong encryption and the technology giants who provide it.

First Node.js-based Ransomware : Nodera

Recently, while threat hunting, Quick Heal Security Labs came across an unusual Node.js-based ransomware, Nodera. Use of the Node.js framework is not commonly seen across malware families. The latest development by threat actors reveals a nasty, one-of-its-kind ransomware being created, one that uses the Node.js framework, which enables it to infect Windows…

Microsoft Exposes 250 Million Call Center Records in Privacy Snafu

Microsoft briefly exposed call center data on almost 250 million customers via several unsecured cloud servers late last year, according to researchers.

Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.

Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. The records included phone conversations between service agents and customers dating back to 2005, all password-free and completely unprotected, according to Comparitech.

Most personally identifiable information (PII) was redacted from the records, but “many” apparently contained customer email and IP addresses, support agent emails and internal notes and descriptions of CSS cases.

This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data.

“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets,” explained Comparitech’s Paul Bischoff.

“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.”

However, Microsoft was praised for acting swiftly to lock down the exposed servers.

After being informed by Diachenko on December 29, the firm had secured all data by December 31.

Microsoft is just the latest in a long line of companies that have exposed sensitive consumer data through cloud misconfigurations.

These include Choice Hotels, Honda North America, Adobe and Dow Jones.

Sometimes the leaks come from suspected cyber-criminals. Back in December, over one billion email and password combos were exposed via an unsecured Elasticsearch database, with many collected from a previous 2017 breach.

Honeywell Maxpro VMS/NVR systems vulnerable to hijacking

Honeywell’s Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them. Patches available for the Honeywell Maxpro vulnerabilities Two vulnerabilities have been discovered and reported by Joachim Kerschbaumer: CVE-2020-6959, stemming from an unsafe deserialization of untrusted data, which could allow an attacker to remotely modify deserialized data using a specially crafted web … More

The post Honeywell Maxpro VMS/NVR systems vulnerable to hijacking appeared first on Help Net Security.

Jeff Bezos phone was hacked by Saudi crown prince

The phone of the Amazon billionaire Jeff Bezos was hacked in 2018 after receiving a WhatsApp message from the personal account of the crown prince of Saudi Arabia.

In April 2019, Gavin de Becker, the investigator hired by Amazon chief Jeff Bezos to investigate the release of his intimate images, revealed that Saudi Arabian authorities had hacked Bezos’s phone to access his personal data.

Gavin de Becker explained that the hack was linked to the coverage by The Washington Post newspaper, that is owned by Bezos, of the murder of Saudi journalist Jamal Khashoggi.

Gavin De Becker investigated the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor who the National Enquirer tabloid newspaper said Bezos was dating.

Jeff Bezos hired Gavin de Becker & Associates to find out how his intimate text messages and photos were obtained by the Enquirer.
Jeff Bezos accused the Enquirer’s publisher, American Media Inc., of “blackmail” for threatening to publish the private photos if he did not stop the investigation. Jeff Bezos refused and decided to publicly disclose copies of emails from AMI.

In an article for The Daily Beast website, De Becker wrote that the parent company of the National Enquirer, American Media Inc., had demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their newsgathering process.”

“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” de Becker wrote on The Daily Beast website.

Now The Guardian provides additional details on the spying asserting that the intimate pictures were obtained through a sophisticated hacking operation directed by the crown prince of Saudi Arabia, Mohammad bin Salman.

According to anonymous sources of The Guardian, Bezos’ phone was hacked using a WhatsApp message from the personal account of bin Salman himself.

“The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.” reads the article published by The Guardian.

“The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis. “

According to the sources, Bezos received a bait video file on May 1, 2018, which allowed the attackers to infect his mobile device. The malicious code was used to spy on Bezos, siphoning large amounts of data from his phone. The paper pointed out that at the time the relationship between Bezos and the prince was good and the two were exchanging friendly messages.

The revelation could have severe repercussions. First of all, it will complicate the position of Mohammad bin Salman and his alleged involvement in the murder of Jamal Khashoggi at the Saudi consulate in Istanbul, Turkey, in October 2018.

Saudi Arabia has previously denied its involvement in the murder of Khashoggi that was attributed to a “rogue operation”. In December, a Saudi court convicted eight people of involvement in the murder after a secret trial that was criticised as a sham by human rights experts.

The revelation will have a significant impact on the business relationships of the Saudi “MBS” with western investors in Saudi Arabia.

Another aspect to evaluate is the impact on the personal relationship between Trump, his son-in-law Jared Kushner, and the crown prince.

The US President has always ignored the warnings of US intelligence and has publicly expressed dislike of Jeff Bezos.

The Guardian asked the Saudi embassy in Washington about the claims; the embassy later rejected the accusations in a message on Twitter, labeling them as “absurd”.

The UN has announced the imminent release of an investigation.

Pierluigi Paganini

(SecurityAffairs – Bezos, hacking)

The post Jeff Bezos phone was hacked by Saudi crown prince appeared first on Security Affairs.

Campaigners Threaten ICO with Legal Action for AdTech Failings

Campaigners are threatening to take the Information Commissioner’s Office (ICO) to court for failing to enforce data protection laws in tackling what they see as widespread illegality in the adtech industry.

The Open Rights Group (ORG) responded to an update from the ICO last Friday detailing what action has been taken since the latter’s June 2019 report raised serious concerns about real-time bidding (RTB).

RTB is the process where website publishers auction space on their pages to advertisers in near real-time. However, that process often involves the advertiser seeing detailed information about the individual web user they want to reach, including their browsing history and perceived interests.

The ICO duly raised multiple concerns in its report claiming: the methods of obtaining informed consent from data subjects are often insufficient; privacy notices lack clarity; and that the scale of data profiling and sharing is “disproportionate, intrusive and unfair.”

It also argued that the widespread use of contractual agreements to protect how bid request data is shared, secured and deleted is inappropriate given the scale of the supply chain and type of data shared.

However, in an update last week, the ICO seemed to hold back from enforcing GDPR and other relevant laws, choosing instead to focus on positive steps taken by Google and the Internet Advertising Bureau (IAB) to act on its concerns.

That’s not good enough for the ORG’s executive director, Jim Killock, who filed an initial complaint with the ICO regarding RTB practices 16 months ago.

“The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as ‘improvements’ are gradually made, with no actual date for compliance,” he argued.

“Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.”

Killock and co-complainant Michael Veale, a lecturer in digital rights and regulation at UCL, are now considering whether to take legal action against the regulator for failing to act, or individual companies for breaking the law.

“When an industry is premised on and profiting from clear and entrenched illegality that breaches individuals’ fundamental rights, engagement is not a suitable remedy,” argued Veale. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

However, the ICO’s primary impulse has always been to educate rather than punish the industry, so it’s likely that harsher enforcement measures will eventually come for those in the adtech ecosystem that fail to change their ways.

“The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same,” argued ICO executive director for technology and innovation, Simon McDougall.

“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilize its wider powers.”

KnowBe4 Donates $250,000 to Stetson University College of Law

Security awareness training provider KnowBe4 has donated $250,000 to Stetson University College of Law, Florida’s first law school.

The donation includes:

  • Creation of the KnowBe4 Cybersecurity Law Scholarship Fund, which will provide $5,000 merit-based scholarships for the next five years;
  • Creation of the KnowBe4 Cybersecurity Law Program Fund to support the establishment and growth of the cybersecurity law program at Stetson Law;
  • A subscription to KnowBe4’s diamond-level new-school security training platform to enhance security and data protection awareness among Stetson’s staff, faculty and students.

“We see this donation as a great opportunity to contribute to and build our community,” said Stu Sjouwerman, CEO of KnowBe4. “It’s also an opportunity to help fulfill the need to educate and train more cybersecurity talent. We’re excited to work with Stetson University College of Law to help develop an entire collegiate program that’s focused on cybersecurity in the Tampa Bay area.”

The agreement includes the creation of other initiatives, such as a weekend course on the topics of cybersecurity and data privacy for Stetson Law students, speaking events, student-led research, student organizations, internship opportunities for law students and providing general support for business law initiatives at Stetson Law with cyber-law course offerings and other resources related to cybersecurity law.

“We strive to be at the forefront of all that we do at Stetson Law – whether it is educating students in emerging areas of law or ensuring our faculty and staff are highly trained in new technology – so this collaboration with KnowBe4 is a fantastic opportunity to advance both our mission and theirs,” added Michèle Alexandre, dean of Stetson University College of Law.

OP Glowing Symphony – How US military claims to have disrupted ISIS’s propaganda

The US military claims to have disrupted the online propaganda activity of the Islamic State (ISIS) in a hacking operation dating back at least to 2016.

In 2016, US Cyber Command carried out successful operations against the online propaganda of the Islamic State (ISIS), according to declassified top-secret national security documents released on Tuesday.

The documents were released under a Freedom of Information Act (FOIA) request.

According to the documents, US Cyber Command “successfully contested ISIS in the information domain,” and its operations had a significant impact on the terrorist organization’s online radicalization and recruitment.

The first offensive hacking operation, dating back to 2016 and dubbed “Operation Glowing Symphony”, was detailed in the documents released by the National Security Archive at George Washington University.

“Today the National Security Archive is releasing 6 USCYBERCOM documents obtained through FOIA which shed new light on the campaign to counter ISIS in cyberspace,” reads a post published by the National Security Archive at George Washington University. “These documents, ranging from a discussion of assessment frameworks to the 120-day assessment of Operation GLOWING SYMPHONY, reveal the unprecedented complexity of the operation, resulting challenges in coordination and deconfliction, and assessments of effectiveness.”

The offensive Operation Glowing Symphony was carried out in November 2016 by Joint Task Force Ares (JTF-Ares); it mainly aimed at disrupting ISIS propaganda efforts by hacking or hijacking online social media accounts and taking down websites used by the terrorist organization to spread propaganda.

The documents reveal the result of a 120-day assessment US Cyber Command conducted after the completion of Operation Glowing Symphony.

The assessment pointed out problems faced by the US cyber units, including the challenge of storing the huge amount of data contained in the hacked ISIS servers and accounts, and the difficulty of coordinating with other coalition members and US government agencies.

Operation Glowing Symphony was approved in 2016 by President Barack Obama. It was initially approved for a 30-day period in late 2016, but was later extended.

Operation GLOWING SYMPHONY is considered an important milestone in counter-terrorism efforts and demonstrates the effectiveness of US offensive cyber capability against the online propaganda of the Islamic State (ISIS).

“Operation GLOWING SYMPHONY was originally approved for a 30-day window, but a July 2017 General Administrative Message reported the operation’s extension to an unknown date. Whether the operation is currently ongoing or not, it is public knowledge that JTF-ARES continues to operate,” continues the post. “It is also increasingly apparent that the counter-ISIS mission, JTF-ARES, and Operation GLOWING SYMPHONY are viewed within the US military’s cyber-warfighting community as not just a chapter in counter-terrorism and ‘low-intensity conflict’, but as demonstrations of the nation’s offensive cyber capability and a model for conducting an ‘American way’ of cyber warfare.”

Pierluigi Paganini

(SecurityAffairs – OP Glowing Symphony, ISIS)

The post OP Glowing Symphony – How US military claims to have disrupted ISIS’s propaganda appeared first on Security Affairs.