Category Archives: Data Breach

Stack Overflow Q&A platform announced a data breach

The popular question-and-answer platform for programmers Stack Overflow announced on Thursday that is has suffered a data breach.

The news of a data breach makes the headlines, this time the victim is the popular question-and-answer platform for programmers Stack Overflow.

The company announced on Thursday that it has discovered unauthorized access to its production systems over the weekend.

The company immediately launched an investigation. At this time the company did not share technical details about the intrusion, it only revealed that has found no evidence that customer or user data was compromised.

“Over the weekend, there was an attack on Stack Overflow. We have confirmed that some level of production access was gained on May 11.” reads a data breach notification published by Mary Ferguson, VP of Engineering at Stack Overflow. “We discovered and investigated the extent of the access and are addressing all known vulnerabilities,”

Stack Overflow has more than 10 million registered users and it has over 50 million unique visitors every month. The Q&A platform is the most important website of the Stack Exchange Network.

Stack Overflow data breach

In December 2018, another popular Q&A platform, Quora, revealed to have suffered a data breach.

Back in December, the popular Q&A website Quora revealed that has suffered a data breach.

Unknown hackers breached its systems and accessed 100 million user data, exposed data included names, email addresses and hashed password.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Stack Overflow Q&A platform announced a data breach appeared first on Security Affairs.

The largest breaches over the past three years have caused massive and irreparable damage

Publicly traded companies suffering the worst data breaches averaged a 7.5 percent decrease in stock price, a Bitglass report reveals. Bitglass researched the three largest data breaches of publicly traded companies from each of the last three years in order to uncover cybersecurity trends and demonstrate the extensive damage that can be done by improper security. Among the incidents detailed in the Kings of the Monster Breaches report are the Marriott breach of 2018, the … More

The post The largest breaches over the past three years have caused massive and irreparable damage appeared first on Help Net Security.

Magecart hackers inject card Skimmer in Forbes Subscription Site

The Magecart gang made the headlines again, the hackers this time compromised the Forbes magazine subscription website.

The Magecart group is back, the hackers this time compromised injected a skimmers script into the Forbes magazine subscription website.

The malicious traffic was spotted by the security expert Troy Mursch
Chief Research Officer of Bad Packets, on Wednesday.

Magecart forbes magazine

Magecart hackers have installed malicious JavaScript skimmer on forbesmagazine.com to siphon payment card data entered into the site by subscribers. Crooks injected an obfuscated JavaScript in the HTML code of the payment section, the script decoded is here.

The expert immediately attempted to report his discovery to Forbes via email, but without success.

The payment page was taken down at around 1400 UTC and it is still offline at the time of writing.

A Forbes spokesperson told El Reg that is investigating the incident and that at this stage, it is not aware of the theft of any customers’ credit card information. Recent subscribers should remain vigilant and check their credit card statements for signs of fraudulent activities.

Forbes was likely a victim of a supply chain attack, Magecart hackers have compromised a company that provides services to the media outlet.

During the weekend, the forensic expert Willem de Groot discovered that the records of customers of Picreel, a web marketing software supplier, had been leaked online.

Forbes is one of the customers of Picreel, and Magecart hackers used the leaked data to access Forbes infrastructure and install the skimmer script.

“Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.” reads the analysis published RiskIQ.

Thousands of other companies that are customers at Picreel are at risk, potentially affected domains are listed here.

Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British AirwaysNeweggTicketmaster, and Feedify​​

Recently the Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.

Pierluigi Paganini

(SecurityAffairs – Magecart, Forbes)

The post Magecart hackers inject card Skimmer in Forbes Subscription Site appeared first on Security Affairs.

WhatsApp urges users to update app after massive security failure

If you’ve recently had a missed call on WhatsApp from a number you didn’t recognise, cyber criminals might be spying on you.

The Facebook-owned app has admitted that cyber criminals have exploited a major vulnerability in its voice call function and are planting spyware on users’ phones. This enables crooks to turn on devices’ cameras and microphones, read emails and instant messages, and collect users’ location data.

The breach was discovered earlier this month, and WhatsApp released an update addressing the issue on Friday. The messaging service is now urging users to install the patch to ensure they don’t fall victim. Updates are often installed automatically, but it’s worth checking that this feature is enabled.

Who is responsible for the attack?

The technology behind the attack was developed by the Israeli cyber surveillance organisation NSO Group, but the firm has denied playing a part in the breach. It said that the Pegasus spyware is licenced to authorised government agencies “for the sole purpose of fighting crime and terror” and that it doesn’t use it itself.

WhatsApp believes the “attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems”.

The identity of that company is currently unclear, but we would guess the attack was politically motivated. The spyware has been planted on a relatively small number of devices, which wouldn’t be the case if crooks were trying to obtain personal information for financial gain, and those who have reported being targeted hold politically and socially important roles, such as human rights activists, journalists and lawyers.

The severity of the breach means an investigation is bound to be launched, but we doubt that the perpetrators’ identity will ever be discovered. It’s incredibly difficult to investigate sophisticated attacks like this, and it’s even harder to find the necessary evidence to bring about a conviction.

Things should improve as new technologies become available to cyber crime investigators like the National Crime Agency, the FBI and Europol. They will also be helped by organisations paying greater attention to cyber security and engaging in threat intelligence sharing, but it’s always worth remembering that the best defence is prevention. By making it harder for crooks to breach your systems, you’ll make cyber crime a less prosperous endeavour and reduce the likelihood of being targeted.

Subscribe to our weekly newsletter for all the latest cyber security news and advice >>

The post WhatsApp urges users to update app after massive security failure appeared first on IT Governance Blog.

Unprotected DB exposed PII belonging to nearly 90% of Panama citizens

Personally identifiable information belonging to roughly 90% of Panama citizens were exposed on a poorly configured Elasticsearch server.

Security researcher Bob Diachenko discovered an unprotected Elasticsearch server exposing personally identifiable information belonging to nearly 90% of Panama citizens.

Exposed data includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data.

The database contained 3.4 million records related to Panamanian citizens, labeled as “patients,” and 468,086 records labeled as “test-patient.”

“On May 10th I identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser).” reads the blog post published by Diachenko.

“This database contained 3,427,396 records with detailed information on Panamanian citizens (labeled as ‘patients‘), plus 468,086 records with records labeled as ‘test-patient‘ (although, this data also appeared to be valid and not purely test data).”

Panama Citizens data leak

The expert reported his discovery to CERT Panama, and within 48 hours the database has been secured.

At this time, it is unclear who was running the poorly secured server, anyway the exposed information appears to be authentic.

Querying the Shodan search engine service, the researcher discovered that the IP address associated with the unprotected server has been indexed since April 24th, 2019. Of course, it is impossible to determine if anyone else has accessed the data.

“The danger of having an exposed Elasticsearch or similar NoSql databases is huge.” concludes Diachenko. “I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.” “Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Pierluigi Paganini

(SecurityAffairs – Panama, data leak)

The post Unprotected DB exposed PII belonging to nearly 90% of Panama citizens appeared first on Security Affairs.

Chinese National Indicted For Anthem’s 2015 Massive Data Breach

The U.S. Department of Justice State Prosecutors found probable cause to charge 32-year old Fujie Wang, a Chinese national for allegedly responsible for the data breach in Anthem, a health insurance firm, four years ago in 2015. The incident which resulted in Anthem losing control of at least 78.8 million records. Accused as a member of a Chinese hacking syndicate, Wang is now facing four cases of:

  • Intentional damage to a Protected Computer
  • Conspiracy to Commit Wire Fraud
  • Conspiracy to Commit Fraud
  • And other Related Activity in Connection with Computers

Anthem in 2015 confirmed that 78.8 million of their customers had their information was stolen, which included their full names, birth dates, addresses, employment information, and its corresponding income data, medical information and social security numbers. Aside from him, the other suspects that are still at large at the time of this writing were using their online aliases of Zhou Zhihong, Kim Young and Deniel Jack.

The Federal Bureau of Investigation before Wang was arrested posted a wanted notification to inform the public that the authorities was looking for him:

Federal Bureau of Investigation

The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history. These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their personal identifiable information,” explained Brian Benczkowski, U.S. Assistant Attorney General.

Unlike a typical breach where an attacker takes out the information stored in the target company’s website, cloud storage or server in a 1-time, big time event, Wang’s team were very deliberate with the infiltration by using stealthy techniques. The indictment decision of the DOJ coincides with the current trade negotiations between China and the United States in hopes to harmonize if not end the current trade war happening between the two top economies of the world.

Aside from Anthem, Wang is also facing charges for infiltrating three more businesses which the DOJ has refused to name but hinted that those were from the communication, technology industry and basic industrial material sector respectively. Anthem was also lax when it comes to training their employees with cybersecurity topics such as anti-phishing techniques to minimize the chance for them to fall for online frauds and scams. The primary suspect on how Anthem’s system was infiltrated was due to an employee with privileged access to the system opened a malicious email, through clever social engineering method, the contents of the email was able to convince the user to open a phishing link or an attachment which contains a malware dropper.

October 20, 2018, hackercombat.com broke the story about Anthem’s decision to pay their affected stakeholders $16 million as settlement for their data breach episode. It was labeled as the “biggest sum gathered by the government in a healthcare data breach”. This was the result of Anthem’s verification of their own systems, and most of the amount will be paid for the credit monitoring and identity theft protection of all its affected customers.

Source: https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/

Also, Read:

Data Breaches in Healthcare Comes From Within

Data Breach at Georgia Tech Impacts 1.3 Million People

Tougher Legislation Proposed in California For Data Breaches

All about Data Breaches, How They Happen and Their Impact

500px’s Data Breach, Happening Since July 2018

 

The post Chinese National Indicted For Anthem’s 2015 Massive Data Breach appeared first on .

A Changing Threat Landscape: Inside Verizon’s 2019 DBIR

Verizon Enterprise has once again released its annual Data Breach Investigations Report (DBIR). The publication doesn’t disappoint in providing crucial insight into today’s digital threats. On the one hand, Verizon’s 2019 report captures how many forces in the threat landscape have remained the same since its previous report. The study observed how sending data to […]… Read More

The post A Changing Threat Landscape: Inside Verizon’s 2019 DBIR appeared first on The State of Security.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it was payment card data breach and Verizon breach investigations data focused. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by ‘plain English’ astute explanations, reason why then, the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motivate behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering, attacks such as phishing\BEC
      • Crypto-mining malware accounts for less than 5% of data breaches, despite the publicity it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point of sale breaches
      • The hacktivist threat remains low, the increase of hacktivist attacks report in DBIR 2012 report appears to be a one-off spike

Online Tutoring Program Reveals Customer Data Breach

An online tutoring program has revealed that it suffered a data breach in which an unauthorized individual might have compromised customers’ information. The Hacker News received a copy of a notice sent out by Wyzant to its customers informing them about the data breach. According to this letter, the online tutoring program detected the security […]… Read More

The post Online Tutoring Program Reveals Customer Data Breach appeared first on The State of Security.

Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’

strong password

strong passwordAs adults, we know the importance of strong passwords, and we’ve likely preached the message to our kids. But let’s rewind for a minute. Do our kids understand why strong passwords are important and why it needs to become a habit much like personal health and hygiene?

If we want the habit to stick, the reason why can’t be simply because we told them so. We’ve got to make it personal and logical.

Think about the habits you’ve already successfully instilled and the reasoning you’ve attached to them.

Brush your teeth to prevent disease and so they don’t fall out.
Eat a balanced diet so you have fuel for the day and to protect yourself from illness and disease.
Get enough sleep to restore your body and keep your mind sharp for learning.
Bathe and groom to wash away germs (and to keep people from falling over when you walk by). 

The same reasoning applies to online hygiene: We change our passwords (about every three months) to stay as safe as possible online and protect what matters. When talking to kids, the things that matter include our home address, our school name, our personal information (such as a parent’s credit card information, our social security number, or other account access).

Kids Targeted

We falsely believe that an adult’s information is more valuable than a child’s. On the contrary, given a choice, 10 out of 10 hackers would mine a child’s information over an adult’s because it’s unblemished. Determined identity thieves will use a child’s Social Security number to apply for government benefits, open bank, and credit card accounts, apply for a loan or utility service or rent an apartment. Also, once a child’s information is hacked, a thief can usually get to a parent’s information.

How to Stay Safe

It’s a tall task to prevent some of the massive data breaches in the news that target kids’ information. However, what is in our control, the ability to practice and teach healthy password habits in our home.

Tips for Families

strong passwordShake it up. According to McAfee Chief Consumer Security Evangelist Gary Davis, to bulletproof your passwords, make sure they are at least 12 characters long and include numbers, symbols, and upper and lowercase letters. Consider substituting numbers and symbols for letters, such as zero for “O” or @ for “A”.

Encourage kids to get creative and create passwords or phrases that mean something to them. For instance, advises Gary, “If you love crime novels you might pick the phrase: ILoveBooksOnCrime
Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as 1L0VEBook$oNcRIM3!”

Three random words. Password wisdom has morphed over the years as we learn more and more about hacking practices. According to the National Cyber Security Centre, another way to create a strong password is by using three random words (not birthdates, addresses, or sports numbers) that mean something to you. For instance: ‘lovepuppypaws’ or ‘drakegagacardib’ or ‘eatsleeprepeat’ or ‘tacospizzanutella’.

More than one password. Creating a new password for each account will head off cybercriminals if any of your other passwords are cracked. Consider a password manager to help you keep track of your passwords.

Change product default passwords immediately. If you purchase products for kids such as internet-connected gaming devices, routers, or speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

When shopping online, don’t save info. Teach kids that when shopping on their favorite retail or gaming sites, not to save credit card information. Saving personal information to different accounts may speed up the checkout process. However, it also compromises data.

Employ extra protection. Comprehensive security software can protect you from several threats such as viruses, identity theft, privacy breaches, and malware designed to grab your data. Security software can cover your whole family as well as multiple devices.

Web Advisor. Keep your software up-to-date with a free web advisor that helps protect you from accidentally typing passwords into phishing sites.

strong password

Use unique passwords and MFA. This is also called “layering up.” 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if you are hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication ). MFA confirms a user’s identity only after presenting two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.

Keep it private. Kids love to show one another loyalty by sharing passwords and giving one another access to their social network accounts. DO NOT encourage this behavior. It’s reckless and could carry some serious privacy consequences. (Of course, sharing with parents, is recommended).

Credential Cracking

According to the Identity Theft Resource Center® (ITRC), the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent in 2018. The report explicitly stated password cracking as an issue: “The exploitation of usernames and passwords by nefarious actors continues to be a ripe target due to the increase in credential cracking activities – not to mention the amount of data that can be gleaned by accessing accounts that reuse the same credentials.”

May 2 is World Password Day and the perfect time to consider going over these password basics with your family.

The post Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’ appeared first on McAfee Blogs.

High Value Cryptocurrency Stolen by Hackers

Reading Time: ~2 min.

Hackers Breach Private Keys to Steal Cryptocurrency

A possible coding error allowed hackers to compromise at least 732 unique, improperly secured private keys used in the Ethereum blockchain. By exploiting a vulnerability, hackers have successfully stolen 38,000 Ethereum coins so far, translating to over $54 million in stolen funds, though the current number is likely much higher. While uncommon, such attacks do show that the industry’s security and key-generation standards have plenty of room for improvement.

Prominent Malware Reverse Engineer Faces Jail Time

The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.

Data Exposed for Thousands of Rehab Patients

Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility have been found in a publicly available database. After a Shodan search, researchers discovered the database that contained roughly 4.9 million unique documents showing information ranging from names and birthdays to specific medical services provided and billing records, all of which could be used to to steal the identity of these thousands of individuals.

Study Finds Password Security Still Lacking

After this year’s review of password security it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess. Stronger passwords should include multiple words or numbers to increase the complexity.

Bodybuilding Site Breached through Phishing Campaign

The website bodybuilding.com has announced they were the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site’s clients. Fortunately, the site doesn’t store full payment card data, and the data it does store is only stored at the customer’s request, leaving little data for hackers to actually use. The site also forced a password reset for all users issued a warning about suspicious emails coming from bodybuilding.com, noting they may be part of another phishing campaign.

The post High Value Cryptocurrency Stolen by Hackers appeared first on Webroot Blog.

Learning from the Big Data Breaches of 2018

Guest article by Cybersecurity Professionals

What can we learn from the major data breaches of 2018?
2018 was a major year for cybersecurity. With the introduction of GDPR, the public’s awareness of their cyber identities has vastly increased – and the threat of vulnerability along with it. The Information Commissioner’s Office received an increased number of complaints this year and the news was filled with reports of multi-national and multi-millionaire businesses suffering dramatic breaches at the hand of cybercriminals.

2018 Data Breaches
Notable breaches last year include:

5. British Airways
The card details of 380,000 customers were left vulnerable after a hack affected bookings on BA’s website and app. The company insists that no customer’s card details have been used illegally but they are expected to suffer a major loss of money in revenue and fines as a result of the attack.

4. T-Mobile
Almost 2 million users had their personal data, including billing information and email addresses accessed through an API by an international group of hackers last August.

3. Timehop
A vulnerability in the app’s cloud computing account meant that the names and contact details of 21 million users were affected on Timehop. The company assured users that memories were only shared on the day and deleted after, meaning that the hackers were not able to access their Facebook and Twitter history.

2. Facebook & Cambridge Analytica
One of the most sensationalised news stories of the last year, Facebook suffered a string of scandals after it was released that analytics firm Cambridge Analytica had used the Facebook profile data of 87 million users in an attempt to influence President Trump’s campaign and potentially aid the Vote Leave campaign in the UK-EU referendum.

1. Quora
After a “malicious third party” accessed Quora’s system, the account information, including passwords, names and email addresses, of 100 million users was compromised. The breach was discovered in November 2018.

GDPR
As the UK made the switch from the Data Protection Act to GDPR, businesses and internet users across the country suddenly became more aware of their internet identities and their rights pertaining to how businesses handled their information.

With the responsibility now firmly on the business to protect the data of UK citizens, companies are expected to keep a much higher standard of security in order to protect all personal data of their clients.

How many complaints to the ICO?
Elizabeth Denham, the UK’s Information Commissioner, said that the year 2017-18 was ‘one of increasing activity and challenging actions, some unexpected, for the office’.

This is shown in an increase in data protection complaints by 15%, as well as an increase in self-reported breaches by 30%. Since this is the first year of GDPR, it is expected that self-reported breaches have increased as businesses work to insure themselves against much higher fines for putting off their announcement.

The ICO also reports 19 criminal prosecutions and 18 convictions last year and fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. The office has assured that they don’t intend to make an example of firms reporting data breaches in the early period of GDPR but as time goes on, leniency is likely to fade as businesses settle into the higher standards.

What does it mean for SMEs?
With 36% of SMEs having no cybersecurity plan, the general consensus is that they make for unpopular targets. However, with the GDPR, the responsibility is on the business to protect their data so being vulnerable could result in business-destroying costs. Considering the cost to businesses could total the higher of 2% of annual turnover or €10 million, data protection is of paramount importance to small businesses.

How exposed are we in the UK?
At 31%, our vulnerability rating is higher than the Netherlands, Germany, Estonia (30%) and Finland (29%), but the UK is a more likely target for cybercriminals looking to exploit high tech and financial services industries, which are some of the most vulnerable across Great Britain.

Despite a higher level of vulnerability, the UK has one of the largest cyber security talent pools, showing there is time and manpower being dedicated to the protection of our data online.

https://www.cybersecurity-professionals.com/blog/2019/03/01/cybercrime-in-the-uk-infographic/

Cyber Security Roundup for February 2019

The perceived threat posed by Huawei to the UK national infrastructure continued to make the headlines throughout February, as politicians, UK government agencies and the Chinese telecoms giant continued to play out their rather public spat in the media. See my post Is Huawei a Threat to UK National Security? for further details. And also, why DDoS might be the greater threat to 5G than Huawei supplied network devices.

February was a rather quiet month for hacks and data breaches in the UK, Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside of their scheduled monthly patch release cycles.

A survey by PCI Pal concluded the consequences of a data breach had a greater impact in the UK than the United States, in that UK customers were more likely to abandon a company when let down by a data breach. The business reputational impact should always be taken into consideration when risk assessing security.


Another survey of interest was conducted by Nominet, who polled 408 Chief Information Security Officers (CISOs) at midsize and large organisations in the UK and the United States. A whopping 91% of the respondents admitted to experiencing high to moderate levels of stress, with 26% saying the stress had led to mental and physical health issues, and 17% said they had turned to alcohol. The contributing factors for this stress were job security, inadequate budget and resources, and a lack of support from the board and senior management. A CISO role can certainly can be a poisoned-chalice, so its really no surprise most CISOs don't stay put for long.

A Netscout Threat Landscape Report declared in the second half of 2018, cyber attacks against IoT devices and DDoS attacks had both rose dramatically. Fuelled by the compromise of high numbers of IoT devices, the number of DDoS attacks in the 100GBps to 200GBps range increased 169%, while those in the 200GBps to 300GBps range exploded 2,500%. The report concluded cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and cyber gangs had implemented this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements has helped malicious actors greatly increase the number of medium-size DDoS attacks while infiltrating IoT devices even quicker.

In a rare speech, Jeremy Fleming, the head of GCHQ warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis".  Clearly international law wasn't developed with cyber space in mind, so it looks like GCGQ are attempting to raise awareness to remedy that.

I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.

Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and Directors as one of the best Cyber Security Blogs in the UK. The 6 Best Cyber Security Blogs - A Data Centre's Perspective Truly humbled and in great company to be on that list.

BLOG
NEWS 
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

    Don’t Take the Bait! How to Steer Clear of Tax Time Scams

    tax time scamsFor cybercriminals tax time is the most wonderful time of the year. They are in the shadows giddy, eager, and methodically setting a variety of digital traps knowing that enough taxpayers take the bait to render their efforts worthwhile.

    Indeed, with the frenzy of online tax filings, personal information (and money) moving through mailboxes, and hardworking people eagerly awaiting tax refunds, crooks are perfectly positioned for big returns this year.

    So let’s be wiser and let’s be ready.

    Last year, the IRS noted a 60 percent spike in bogus email schemes seeking to steal money or tax information. This year its a surge in phishing scams, says the IRS, that should have taxpayers on alert.

    “The holidays and tax season present great opportunities for scam artists to try stealing valuable information through fake emails,” said IRS Commissioner Chuck Rettig. “Watch your inbox for these sophisticated schemes that try to fool you into thinking they’re from the IRS or our partners in the tax community. Taking a few simple steps can protect yourself during the holiday season and at tax time.”

    Scams to Look For

    According to the IRS, phishing emails are circulating with subjects such as “IRS Important Notice,” “IRS Taxpayer Notice” and other iterations of that message. The fraudulent emails may demand payment with the threat of seizing the recipient’s tax refund or even jail time.

    tax time scams

    Attacks may also use email or malicious links to solicit tax or financial information by posing as a trustworthy organization or even a personal friend or business associate of the recipient.

    While some emails may have obvious spelling errors or grammar mistakes, some scammers have gone to great lengths to piece together a victim’s personal information to gain their trust. These emails look legitimate, have an authentic tone, and are crafted to get even skeptics to compromise personal data using malicious web links.

    Scams include emails with hyperlinks that take users to a fake site or PDF attachments that may download malware or viruses designed to grab sensitive information off your devices. With the right data in hand such as a social security number, crooks can file fake returns and claim your tax return, open credit cards, or run up medical bills.

    Other tax scams include threatening phone calls from bogus IRS agents demanding immediate payment of past due tax bills and robocalls that leave urgent callback messages designed to scare victims into immediate payment.

    Remember, the IRS will NOT:

    • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
    • Call or email you to verify your identity by asking for personal and financial information.tax time scams
    • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
    • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
    • Ask for credit or debit card numbers over the phone or
      e-mail.
    • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

    How to Protect Yourself

    Be hyper-aware. Never open a link or attachment from an unknown or suspicious source. In fact, approach all emails with caution even those from people you know. Scams are getting more sophisticated. According to the IRS, thieves can compromise a friend’s email address, or they may be spoofing the address with a slight change in the email text that is hard to recognize.

    Reduce your digital footprint. Now is a great time to go through your social accounts and online profiles, posts, and photos and boost your family’s privacy. Edit out any personal information such as your alma mater, your address, birthdate, pet names, children’s names, or mother’s maiden name. Consider making your social profiles private and filtering your friends’ list to actual people you know.

    Have a strong password strategy. Cybercrooks count on their victims using the same password for multiple accounts. Lock them out by using unique passwords for separate accounts. Also, consider using two-factor authentification that requires a security code (sent to your phone) to access your account.

    Install security software. Phishing emails carry malware and viruses designed to infect your devices and grab your family’s sensitive data or even seize your computer via ransomware. Crooks aren’t messing around so neither should you. Meet fire with fire by investing in comprehensive security software to protect your devices.

    If you are the victim of tax fraud or identity theft, take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS, forward them to phishing@irs.gov  (then delete the emails).

    The post Don’t Take the Bait! How to Steer Clear of Tax Time Scams appeared first on McAfee Blogs.

    The Risks of Public Wi-Fi and How to Close the Security Gap

    public wi-fi risksAs I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

    What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

    The Risks

    By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

    Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

    Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

    Rising Star: VPNpublic wi-fi risks

    The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

    Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

    Who Needs a VPN?

    If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

    A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

    Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

    A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection most anywhere you go. A VPN also allows hides your IP address and allows you to browse anonymously from any location.

    How VPNs work

    To use a VPN you subscribe to VPN service, download the app onto your desktop or phone, set up your account, and then log onto a VPN server to conduct your online activity privately.

    If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

    Stay Safe on Public Wi-Fi 

    Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.public wi-fi risks

    Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

    Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

    Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

    Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

    Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

    Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

    The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

    Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

    Online Dating ScamsIt’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

    The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

    Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

    The power of love

    A single mom in her late 40s, well-educated, and attractive, Sarah’s teenager had convinced her to join a dating site the year before. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic, kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 to pay for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the numbers grew to $1,000 for rent and $3,000 for a business venture.

    Online Dating Scams

    Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

    Sarah’s story doesn’t just echo that of desperate, clueless people, or lonely older women. Scammers are targeting good people who still believe in and value love and companionship. The pursuit of love online extends to adults as well as teens.

    Confidence Fraud

    Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

    According to the Federal Bureau of Investigation (FBI) confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

    The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams top all other financial online crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

    Tips for Safe Online Dating

    Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

    Suspicious behavior. If someone promises to meet you somewhere but keeps canceling or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.Online Dating Scams

    Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

    Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

    Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

    Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

    Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them in the future. They will threaten to send any racy photos with your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.Online Dating Scams

    Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

    Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background on the person you are meeting. Ask that person to check in with you during the date and carry pepper spray or a taser for physical protection. Go the extra step and turn on your Friend Finder or a location app that allows safety friend to track your whereabouts during a date.

    *Names have been changed

    The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

    Customers Blame Companies not Hackers for Data Breaches

    RSA Security latest search reveals over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.

    The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.

    Despite the fact that consumers harbour heightened concerns about their privacy, they continue to exhibit poor cyber hygiene, with 83% of users admitting that they reuse the same passwords across many sites, leaving them more vulnerable.

    Key takeaways from the RSA Data Privacy study, include:

    • Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents. 
    • Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months of the GDPR being implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29 percent in 2017.
    • Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalized services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical. 
    “With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.

    43% of Cybercrimes Target Small Businesses – Are You Next?

    Cybercrimes cost UK small companies an average of £894 in the year ending February of 2018. Small businesses are an easy target for cybercrooks, so it little surprise that around about 43% of cybercrime is committed against small businesses. According to research conducted by EveryCloud, there is much more at stake than a £900 annual loss, with six out of ten small businesses closing within six months of a data breach.

    Damage to a small company’s reputation can be difficult to repair and recover from following a data breach. Since the GDPR data privacy law came in force in May 2018, companies face significant financial sanctions from regulators if found negligent in safeguarding personal information. Add in the potential for civil suits the potential costs start mounting up fast, which could even turn into a business killer.  Case in point is political consulting and data mining firm Cambridge Analytica, which went under in May 2018 after being implicated with data privacy issues related to its use of personal data held on Facebook. However, most small businesses taken out by cyber attacks don't have the public profile to make the deadly headlines.

    Most big companies have contingency plans and resources to take the hit from a major cyber attack, although major cyber attacks prove highly costly to big business, the vast majority are able to recover and continue trading. Working on a tight budget, small businesses just doesn't the deep pockets of big business. Cyber resilience is not a high priority within most small businesses strategies, as you might image business plans are typically very business growth focused.

    Cyber resilience within small business need not be difficult, but it does involve going beyond installing antivirus. A great starting point is UK National Cyber Security Centre's Cyber Essentials Scheme, a simple but effective approach to help businesses protect themselves from the most common cyber attacks. You’ll also need to pay attention to staff security awareness training in the workplace.

    Every employee must ensure that the company is protected from attacks as much as possible. It’s your responsibility to make sure that everyone understands this and knows what preventative measures to put in place.

    It may cost a few bob, but getting an expert in to check for holes in your cybersecurity is a good place to start. They can check for potential risk areas and also educate you and your staff about security awareness.

    We all know the basics, but how many times do we let convenience trump good common sense? For example, how many times have you used the same password when registering for different sites?

    How strong is the password that you chose? If it’s easy for you to remember, then there’s a good chance that it’s not as secure as you’d like. If you’d like more tips on keeping your information secure, then check out the infographic below.


    #PrivacyAware: Will You Champion Your Family’s Online Privacy?

    online privacyThe perky cashier stopped my transaction midway to ask for my email and phone number.

    Not now. Not ever. No more. I’ve had enough. I thought to myself.

    “I’d rather not, thank you,” I replied.

    The cashier finished my transaction and moved on to the next customer without a second thought.

    And, my email and phone number lived in one less place that day.

    This seemingly insignificant exchange happened over a year ago, but it represents the day I decided to get serious and champion my (and my family’s) privacy.

    I just said no. And I’ve been doing it a lot more ever since.

    A few changes I’ve made:

    • Pay attention to privacy policies (especially of banks and health care providers).
    • Read the terms and conditions of apps before downloading.
    • Block cookies from websites.
    • Refuse to purchase from companies that (appear to) take privacy lightly.
    • Max my privacy settings on social networks.
    • Change my passwords regularly and keep them strong!
    • Delete apps I no longer use.
    • Stay on top of software updates on all devices and add extra protection.
    • Have become hyper-aware before giving out my email, address, phone number, or birth date.
    • Limit the number of photos and details shared on social media.

    ~~~

    The amount of personal information we share every day online — and off — is staggering. There’s information we post directly online such as our birth date, our location, our likes, and dislikes. Then there’s the data that’s given off unknowingly via web cookies, Metadata, downloads, and apps.

    While some data breaches are out of our control, at the end of the day, we — along with our family members — are one giant data leak.

    Studies show that on average by the age of 13, parents have posted 1,300 photos and videos of their child to social media. By the time kids get devices of their own, they are posting to social media 26 times per day on average — a total of nearly 70,000 posts by age 18.

    The Risksonline privacy

    When we overshare personal data a few things can happen. Digital fallout includes data misuse by companies, identity theft, credit card fraud, medical fraud, home break-ins, reputation damage, location and purchasing tracking, ransomware, and other risks.

    The Mind Shift

    The first step toward boosting your family’s privacy is to start thinking differently about privacy. Treat your data like gold (after all, that’s the way hackers see it). Guiding your family in this mind-shift will require genuine, consistent effort.

    Talk to your family about privacy. Elevate its worth and the consequences when it’s undervalued or shared carelessly.

    Teach your kids to treat their personal information — their browsing habits, clicks, address, personal routine, school name, passwords, and connected devices — with great care. Consider implementing this 11 Step Privacy Take Back Plan.

    This mind and attitude shift will take time but, hopefully, your kids will learn to pause and think before handing over personal information to an app, a social network, a retail store, or even to friends.

    Data Protection Tips*

    1. Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future.
    2. Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information.online privacy
    3. Think before you act. Information about you, such as the games you like to play, your contacts list, where you shop and your geographic location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through websites and apps.
    4. Lock down your login. Your usernames and passwords are not enough to protect critical accounts like email, banking, and social media. Strengthen online accounts and use strong authentication tools like a unique, one-time code through an app on your mobile device.

    * Provided by the National Cyber Security Alliance (NCSA).

    January 28 National Data Privacy Day. The day highlights one of the most critical issues facing families today — protecting personal information in a hyper-connected world. It’s a great opportunity to commit to taking real steps to protect your online privacy. For more information on National Data Privacy Day or to get involved, go to Stay Safe Online.

    The post #PrivacyAware: Will You Champion Your Family’s Online Privacy? appeared first on McAfee Blogs.

    AI & Your Family: The Wows and Potential Risks

    artificial intelligenceAm I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

    But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

    AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

    Just a few everyday examples of AI:

    • Cell phones with built-in smart assistants
    • Toys that listen and respond to children
    • Social networks that determine what content you see
    • Social networking apps with fun filters
    • GPS apps that help you get where you need to go
    • Movie apps that predict what show you’d enjoy next
    • Music apps that curate playlists that echo your taste
    • Video games that deploy bots to play against you
    • Advertisers who follow you online with targeted ads
    • Refrigerators that alert you when food is about to expire
    • Home assistants that carry out voice commands
    • Flights you take that operate via an AI autopilot

    The Technology

    While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

    AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

    An there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying on in both comments and photos.

    No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

    Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

    So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

    Talking points for families

    Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

    Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

    Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely allow hackers more ease to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.

    IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point-of-entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Security Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

    The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blogs.

    The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

    As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

    Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

    You may be wondering, how was all this data collected? It appears that this data was comprised of a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords, in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size to Yahoo, and the largest public breach ever (given the data was openly exposed on the internet).

    It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

    • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
    • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
    • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

    And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

    The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

    The Biggest Data Breaches of 2018

    Online security label manufacturer Seareach.plc.uk who specialise in asset labels and asset tracking, has collated some of the biggest data breaches of 2018.



    February

    • 150 million MyFitnessPal app users had their details leaked in a data breach including usernames, email addresses and passwords.
    March
    • Orbitz had 880,000 customers payment card details, stolen by a hacker, thanks to a security vulnerability in the travel site's legacy booking system.
    • Fifa More than 3.4 terabytes of data and 70 million documents from FIFA, containing numerous allegations of corruption, was leaked to German magazine Der Spiegel by the Football Leaks organisation.
    • Cambridge Analytica harvested data (without user permission) from Facebook, more than 80 million people were affected by the data exposure.
    April
    • Macy’s and Bloomingdale's online customers may have had their personal information and credit card details exposed to a third party between April 26 and June 12.
    May
    • Rail Europe, breach saw customer details including credit card numbers, expiration dates, and card verification codes, stolen over three months.
    June
    • Over a million Adidas customers were affected by their data breach. The website was hacked with contact information, usernames, and hashed passwords stolen.
    July
    • Timehop suffered a significant data breach on 7 July 2018 names, email addresses and phone numbers of 21 million users were accessed.
    • Ticketmaster suffered data breach which saw hackers operating a massive credit card skimming operation, via third-party code installed on e-commerce websites.
    • 23,000 Fortnum and Mason customers details were accessed in a data breach, including addresses and contact phone numbers.
    August
    • British Airways data breach hit 380,000 transactions through their website and mobile app. Personal and financial information was stolen.
    September
    • 90 million Facebook user accounts were exposed when hackers stole access tokens that they could then use to take over almost 50 million profiles.
    November
    • Cathay Pacific admitted this month that they had suffered a significant data breach affecting up to 9.4 million passengers, in March.
    • Over 100 million Quora users had their emails, passwords and names taken. The breach occurred after unauthorised access by a malicious third party.
    • Details from over 500 million guest reservations, were stolen from Marriot's Starwood database. Customers were notified in November but authorised accessed could date back to 2014.
    December

    • Twitter was hit by a data breach on its platforms support form. It exposed user data to IP addresses from Saudi Arabia and China.

    Busting 5 Cybersecurity Myths

    It is not a secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis and still avoiding to take any precautions may result in a catastrophic consequences. Even the biggest corporations are paying millions of dollars so they can improve their cybersecurity and remain safe. However, if you still believe in some of the cybersecurity myths you may put your own computer or even your whole organization to a huge risk. We from CyberDB have decided to bust some of the top 5 cyber security myths and make it clear for you.

    Only the IT department is responsible for cybersecurity

    It is not wrong to say that the IT department is responsible to implement new processes and policies to keep the cybersecurity in a top notch state. However, they just don’t have a magic stick to protect all of the computers in the network. In reality each employee should be extremely careful when receiving and opening different e-mail messages from colleagues or third parties. It is dangerous since the infection can spread across all of the departments within the organization and this may cause a further data breach for example.

    Using just an antivirus software is enough

    Antivirus software might have been enough to safe your business from potential attack 20 years ago – nowadays it definitely is just not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining more popularity among hackers the time of getting infected and getting your information locked is just a matter of seconds. So using an antivirus is not always enough, but you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

    A strong password is enough

    It is not a secret that having a long and complex password on your accounts is an essential. However, even big tech giants like Facebook or Apple experience data breaches and are pretty often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor-authentication (2FA). At first the user was getting an SMS with a code for 2FA, but even this can be compromised by using a cloned sim card. So make sure you have an app like Google Authenticator for example to make your accounts more secure.

    Threats are being spread only through the Internet

    Some users may think that disconnecting from the internet will prevent the threats spreading around the network and they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in – all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online, but in our daily life and we need to be very careful and take care of our personal information.

    Only certain industries experience cyber attacks

    Some businesses still believe that they may be not targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality there is information like personal addresses or credit card numbers which can make every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:

     Top 10 Sectors Breached

    The post Busting 5 Cybersecurity Myths appeared first on CyberDB.

    State Actor Cyber Reports Overshadow the Extensive Threat of Cyber Crime

    There has been recent focus on alleged Iran cyber activity the past few weeks, spurned on by the publication of a vendor report on Iranian operations.  Per the vendor’s findings, not only was Iran likely behind the activity that was targeting government and private sector in the Middle East, it was implementing National Security Agency exploits that were stolen and dumped into the public domain by the Shadow Brokers group in April 2017.  As recently as late August 2018, Iran is suspected of trying to launch influence operations ahead of the midterm elections.  The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its tool box to conduct retaliatory attacks.

    The new reporting comes at a time when Russia’s cyber malfeasance has largely dominated the press, due to its influence operations efforts and election shenanigans, not just in the United States but in other countries as well.  Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and the SWIFT banking transactions before that.  Iran was propelled onto the scene with Operation Ababil

    DDoS attacks against U.S. banks, as well as its suspected involvement in the wiper malware incident against Saudi AramcoSome consider Iran a powerful cyber nation on par or close to it to China and Russia.  Others, maintain that Iranian actors are much less sophisticated, preferring to implement “tried-and true tactics while targeting many individuals.”  China initially led the state-led cyber espionage activity, which largely was curbed against the United States once the “no hack” pact was agreed to in 2015.

    There seems to be a perpetual “revolving door” of news-cycle focus on suspected state activity, with new reports reporting on hostile espionage and exploitation occurring against global targets.  The purpose of these appears to track the latest and greatest escapades of these governments using – in most cases – publicly available tools and exploits that are publicly accessible (see Shadow Brokers above) and using vectors that for the most part are routine for any hostile cyber actor (certainly, if a state actor is “sophisticated”, the intimation is that the activity hasn’t been detected as of yet, or the sophisticated tools/exploits haven’t been implemented yet).

    Between the ongoing stories of adversarial state activity as aforementioned above and news of smaller nations looking to acquire offensive cyber capabilities, all indications are that media and vendor reporting will continue to push the “hostile state actor as monolith” narrative into the public eye.  Yet, like the saying goes, “if everything is important, nothing is important,” which rings with authenticity with regards to state cyber activity.  Actual activity or incidents that threaten to disrupt, destroy, degrade, deny, or manipulate data systems or the data resident on them deserve to be pushed to the forefront as they potentially impact everyone at all levels.

    But theft of intellectual property and state secrets affect a minority, and rarely if ever will impact everyday citizens.  Such vigorous scrutiny and analysis of suspected state activity should apply to the cyber crime ecosystem whose nefarious endeavors directly impact the global population.  And while there are isolated incidents of law enforcement efforts arresting groups and individuals or taking down marketplaces, this has failed to put a dent into a global industry that was cited as the second most reported economic crime, according to a 2017 report by the same vendor.

    This needs to change and it would be welcome to see such vendors with a wide and deep visibility into the cyber threat space to uncover some of the more “sophisticated” state actors, to apply that precision against a threat intent on exploiting everyone on the planet.  Some of the more notable breaches have exposed a high volume of individual data:

    2013/14         Yahoo                                                 3 Billion Accounts

    2016               Adult Friend Finder                          412 Million Accounts

    2014               eBay                                                    145 Million Users

    2017               Equifax                                               143 Million User

    2008               Heartland Payment Systems            134 Million credit cards

    One thing is clear – cyber criminals have proven to be as sophisticated and resourceful as state actors, often times using the same tools and techniques.  The fact that this category of cyber actor is not as robustly tracked, and information shared directly to the appropriate authorities is disappointing.

     

    This is a guest post by Emilio Iasiello

    The post State Actor Cyber Reports Overshadow the Extensive Threat of Cyber Crime appeared first on CyberDB.